Linux Tutorials

Managing Linux Users & Groups

managing users groups in Linux

As we all know Linux is a multi-user operating system. If you have multiple users operating on a desktop or a server, you can easily create multiple users accounts and grant permissions as per each account.

In this article, you will learn –

  • how to manage users and groups on a Linux system
  • create a new user account in Linux
  • add user to a group in Linux
  • create user group in Linux
  • remove user group in Linux

But before we head to the tutorial part, let me tell you why it is important to have a separate user account from the security point of view. Many users, when installing a Linux server, start to use root account from the first bootup which is not recommended.

Using root account for performing day-to-day server tasks is not a good idea. The root user is an administrative account and having it logged in means at least once the user would execute a wrong command mistakenly and the root user would just do it, mostly without even asking for a confirmation. Whereas, if you are logged in as a non-root user, the user has fewer privileges on the system hence making it less likely that the user does anything terrible.

Secondly, managing multiple users in Linux is easier by adding users to a group or groups than managing individual users. This brings us to talk about Linux user groups. Well, it might be boring for some desktop users but for system admins, it’s an extremely useful feature.

Linux User Groups

Managing multiple users for a system administrator is a hectic task, especially when different users belong to different departments. An admin may want to allow one type of users to have access to a directory whereas other types of users have access to other directories on the server. Or, an admin may also want to have different types of users have different types of permissions at one directory. It can be achieved by creating user groups in Linux.

Let’s say we have a software development company. There is a central server where all the project directories exist. We only want to allow python programmers to have access to the Python directory where all the python code exists.

For illustration purposes, we will create a new user named sandy. Sandy is a python developer who requires access to the Python code directory on our server. So let’s create his account first.

Create a new user in Linux

Creating a new user in Linux is extremely easy from GUI.

For example, I am using Manjaro Linux (Deepin) and creating a new user is like creating a new note in any note-taking application. Just type the username & password and that’s it.

Accounts Settings in Manjaro Linux
Accounts Settings in Manjaro Linux
Create a new user in Linux
Create a new user in Linux
Create new user in Linux
Create new user in Linux

But if you need to create a new user on a Linux server, the following two commands can do the job –

  • useradd
  • adduser

useradd – This command is available in all Linux distros. It accepts different arguments to create a new user in Linux. If run without arguments, the command will create a user account without a home directory, shell extension, etc.

Though, you can set the default options in /etc/default/useradd so that each time a user is created, the command takes the default values from /etc/default/useradd automatically.

adduser – A command written in perl that uses useradd in the backend. Unlike useradd, it only requires the username and runs a setup in the terminal to create a user. It is easier than useradd.

adduser is only available in Ubuntu and other Debian based Linux distributions.

How to use useradd?

useradd -m sandy

The above command will create a user account with a home directory at /home/sandy. Now set the password for the user.

sudo passwd sandy

And that’s it. A user has been created. If you want to create a different home directory for the user, the -d parameter is for that.

sudo useradd -d /home/james sandy

You can also set the shell in the useradd command. Just use the -s parameter.

sudo useradd -d /home/james -s /bin/bash sandy

How to use adduser?

As I mentioned above, adduser is way easier than useradd. It only requires the username. adduser asks questions and sets the input values as the parameter values in useradd command.

sudo adduser sandy

If you are using Ubuntu or other Debian based distros, go ahead with adduser command. This command was created to simplify the user creation process on Linux systems.

Add User group in Linux

Now we can create a group called ‘python-programmers’, add sandy, our python developer to this group and then grant him access to the Python directory.

groupadd python-programmer

Add user to a group in Linux

Add sandy to the python-programmer group.

sudo usermod -aG python-programmer sandy

Add group to a directory in Linux

Change the group of the Python directory that exists under $HOME/Projects/Python.

sudo chown -R :python-programmer $HOME/Projects/Python

Add Permissions To Directory

Now add read & write permission to the directory for the group users.

sudo chmod -R g+w $HOME/Projects/Python

Remove Permissions From Directory

And finally, disallow other users to access the Python directory.

sudo chmod -R o-x Python

And the job is done! Now the Python directory can either be accessed by the root user or any user under the ‘python-programmers’ group.

But there is a problem!

The above procedure will do the job. It will grant access to users of python-programmers to the Python directory but there is a problem. The above approach will only allow one group of users to have access to the Python directory at a time. If you want to allow some other developers access to the Python directory, you will have to remove access from the previous group and set the new group as the owner of the directory.

To resolve this problem and allow access to multiple types of users at a time, we can use access control lists.

Access control lists

Let’s say we have a group of auditors in our company. We want to allow the users under the group auditors to have ‘read’ access to the Python directory without removing any other group from it.

setfacl -m g:auditors:rx -R $HOME/Projects/Python

And that is it. Now the users of the python-programmers group have read & write access and users of auditors group have read access on the Python directory. If you want to allow auditors to also have write access, just add the w in the above command.

setfacl -m g:auditors:rwx -R $HOME/Projects/Python

Remove user in Linux

You may also need to remove a user in Linux. It can be done using userdel command.

userdel sandy

Warning

Deleting a user is a non-recoverable action. So make sure to backup important files and settings before removing any user. By default, the command will not remove the user’s home directory.

Notice

Before you remove any user in Linux, make sure no other process is being used by the user. Otherwise, you’ll get the following error –

userdel: The user sandy is being used by process 3861

List all processes of a user in Linux

ps -u sandy

Output -

  PID TTY          TIME CMD
 4831 ?        00:00:00 systemd
 4832 ?        00:00:00 (sd-pam)
 4845 ?        00:00:00 gnome-keyring-d
 4849 tty5     00:00:00 gdm-x-session
 4851 tty5     00:00:10 Xorg
 4856 ?        00:00:00 dbus-daemon
 4860 tty5     00:00:00 gnome-session-b
 4958 ?        00:00:00 ssh-agent
 4961 ?        00:00:00 gvfsd
 4966 ?        00:00:00 gvfsd-fuse
 4975 ?        00:00:00 at-spi-bus-laun
 4980 ?        00:00:00 dbus-daemon
 4983 ?        00:00:00 at-spi2-registr
 4997 ?        00:00:00 gnome-keyring-d
 5012 tty5     00:00:21 gnome-shell
 5023 ?        00:00:00 pulseaudio
 5032 tty5     00:00:00 ibus-daemon
 5034 ?        00:00:00 xdg-permission-
 5042 tty5     00:00:00 ibus-dconf
 5044 ?        00:00:00 gnome-shell-cal
 5046 tty5     00:00:00 ibus-x11
 5050 ?        00:00:00 ibus-portal
 5057 ?        00:00:00 evolution-sourc
 5066 ?        00:00:00 dconf-service
 5073 ?        00:00:00 goa-daemon
 5084 ?        00:00:00 goa-identity-se
 5094 ?        00:00:00 gvfs-udisks2-vo
 5099 ?        00:00:00 gvfs-gphoto2-vo
 5103 ?        00:00:00 gvfs-goa-volume
 5107 ?        00:00:00 gvfs-afc-volume
 5112 ?        00:00:00 gvfs-mtp-volume
 5116 tty5     00:00:00 gsd-power
 5117 tty5     00:00:00 gsd-print-notif
 5119 tty5     00:00:00 gsd-rfkill
 5121 tty5     00:00:00 gsd-screensaver
 5125 tty5     00:00:00 gsd-sharing
 5128 tty5     00:00:00 gsd-smartcard
 5130 tty5     00:00:00 gsd-xsettings
 5131 tty5     00:00:00 gsd-wacom
 5139 tty5     00:00:00 gsd-sound
 5144 tty5     00:00:00 gsd-a11y-settin
 5147 tty5     00:00:00 gsd-color
 5150 tty5     00:00:00 gsd-clipboard
 5154 tty5     00:00:00 gsd-housekeepin
 5155 tty5     00:00:00 gsd-datetime
 5160 tty5     00:00:00 gsd-media-keys
 5162 tty5     00:00:00 gsd-keyboard
 5164 tty5     00:00:00 gsd-mouse
 5186 tty5     00:00:00 gsd-printer
 5217 tty5     00:00:00 gsd-disk-utilit
 5219 tty5     00:00:01 nautilus-deskto
 5232 ?        00:00:00 gvfsd-trash
 5254 ?        00:00:00 evolution-calen
 5267 ?        00:00:00 evolution-calen
 5282 ?        00:00:00 evolution-addre
 5289 ?        00:00:00 evolution-addre
 5310 tty5     00:00:00 ibus-engine-sim
 5311 ?        00:00:00 gvfsd-metadata
 5364 ?        00:00:00 gvfsd-network
 5375 ?        00:00:00 gvfsd-dnssd
 5443 tty5     00:00:00 update-notifier
 5461 tty5     00:00:02 gnome-software
 5563 ?        00:00:03 nautilus
 5951 tty5     00:00:00 deja-dup-monito

Or there is another command to list users’ processes in Linux, pgrep.

pgrep -u sandy

Output -

4831
4832
4845
4849
4851
4856
4860
4958
4961
4966
4975
4980
4983
4997
5012
5023
5032
5034
5042

Kill all process being used by the user

killall command will kill all the users’ processes.

killall -u sandy

Remove a Linux user

After all the users’ processes killed, the user can be deleted without any error.

userdel sandy

As I mentioned above, by default the command will not remove the user’s home directory. To also remove the user’s home directory, add –-r argument to the command.

userdel -r sandy

Remove user from a group in Linux

If you decide to snatch away rights from a user, simply remove the user from the group.

sudo gpasswd -d sandy python-programmers

It the user is member of the group, it will output the following –

Removing user sandy from group python-programmers

Remove a group in Linux

If you want to remove a group in Linux, just use groupdel command.

groupdel username

If the deleting group is the primary group for any of the users on the system, the group can not be deleted. In that case, change the primary group of that user.

Delete auditors group from the system.

groupdel auditors

Conclusion

So there you have it. It is not very hard to manage users & groups on a Linux system. Once you learn to manage users, you can keep your files safe & private without using any third-party library or service.

If you feel I have left something in the article, please let me know in the comment section below. I will update this article every three months and include your tips(with your name).

If you have not understood any step, please let me know in the comment section below. If you are a nerd and found a mistake in the article, please feel free to tell me using the Contact us page.

Our sponsor - Deploy your server within 3 minutes


Leave a Comment

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More