As we all know, Linux is a multi-user operating system. If you have multiple users operating on a desktop or a server, you can easily create multiple users accounts and grant permissions as per each account.
In this article, you will learn –
- how to manage users and groups on a Linux system
- create a new user account in Linux
- add user to a group in Linux
- create user group in Linux
- remove user group in Linux
But before we head to the tutorial part, let me tell you why it is important to have a separate user account from a security point of view. When installing a Linux server, many users start to use the root account from the first bootup, which is not recommended.
Using a root account for performing day-to-day server tasks is not a good idea. The root user is an administrative account. Having it logged in means at least once the user would execute a wrong command mistakenly, and the root user would do it, mostly without even asking for a confirmation. Whereas, if you are logged in as a non-root user, the user has fewer privileges on the system, making it less likely to do anything terrible.
Secondly, managing multiple users in Linux is easier by adding users to a group or groups than managing individual users. This brings us to talk about Linux user groups. It might be boring for some desktop users, but it’s a handy feature for system admins.
Linux User Groups
Managing multiple users for a system administrator is a hectic task, especially when different users belong to different departments. An admin may want to allow one type of users to have access to a directory, whereas other types of users have access to other directories on the server. Or, an admin may also want to have different types of users with different permissions in one directory. It can be achieved by creating user groups in Linux.
Let’s say we have a software development company. There is a central server where all the project directories exist. We only want to allow python programmers to have access to the Python directory where all the python code exists.
For illustration purposes, we will create a new user named sandy. Sandy is a python developer who requires access to the Python code directory on our server. So let’s create his account first.
Create a new user in Linux
Creating a new user in Linux is extremely easy from GUI.
For example, I am using Manjaro Linux (Deepin), and creating a new user is like creating a new note in any note-taking application. Just type the username & password, and that’s it.
But if you need to create a new user on a Linux server, the following two commands can do the job –
useradd – This command is available in all Linux distros. It accepts different arguments to create a new user in Linux. If run without arguments, the command will create a user account without a home directory, shell extension, etc.
Though, you can set the default options in
/etc/default/useradd so that each time a user is created, the command takes the default values from
adduser – A command written in perl that uses
useradd in the backend. Unlike
useradd, it only requires the username and runs a setup in the terminal to create a user. It is easier than useradd.
adduser is only available in Ubuntu and other Debian-based Linux distributions.
How to use useradd?
useradd -m sandy
The above command will create a user account with a home directory at
/home/sandy. Now set the password for the user.
sudo passwd sandy
And that’s it. A user has been created. If you want to create a different home directory for the user, the
-d parameter is for that.
sudo useradd -d /home/james sandy
You can also set the shell in the useradd command. Just use the
sudo useradd -d /home/james -s /bin/bash sandy
How to use adduser?
As I mentioned above,
adduser is way easier than
useradd. It only requires the username.
adduser asks questions and sets the input values as the parameter values in useradd command.
sudo adduser sandy
If you are using Ubuntu or other Debian-based distros, go ahead with
adduser command. This command was created to simplify the user creation process on Linux systems.
Add User group in Linux
Now we can create a group called ‘python-programmers’, add sandy, our python developer, to this group, and then grant him access to the Python directory.
Add user to a group in Linux
Add sandy to the python-programmer group.
sudo usermod -aG python-programmer sandy
Add group to a directory in Linux
Change the group of the Python directory that exists under
sudo chown -R :python-programmer $HOME/Projects/Python
Add Permissions To Directory
Now add read & write permission to the directory for the group users.
sudo chmod -R g+w $HOME/Projects/Python
Remove Permissions From Directory
And finally, disallow other users to access the Python directory.
sudo chmod -R o-x Python
And the job is done! Now the Python directory can either be accessed by the root user or any user under the ‘python-programmers’ group.
But there is a problem!
The above procedure will do the job. It will grant access to users of python-programmers to the Python directory, but there is a problem. The above approach will only allow one group of users to access the Python directory at a time. If you want to allow some other developers access to the Python directory, you will have to remove access from the previous group and set the new group as the directory owner.
To resolve this problem and allow access to multiple types of users at a time, we can use access control lists.
Access control lists
Let’s say we have a group of auditors in our company. We want to allow the group auditors to have ‘read’ access to the Python directory without removing any other group from it.
setfacl -m g:auditors:rx -R $HOME/Projects/Python
And that is it. Now the users of the python-programmers group have read & write access, and users of the auditors’ group have read access on the Python directory. If you want to allow auditors also to have write access, add the w in the above command.
setfacl -m g:auditors:rwx -R $HOME/Projects/Python
Remove user in Linux
You may also need to remove a user in Linux. It can be done using
Deleting a user is a non-recoverable action. So make sure to backup important files and settings before removing any user. By default, the command will not remove the user’s home directory.
Before you remove any user in Linux, make sure the user is using no other process. Otherwise, you’ll get the following error –
userdel: The user sandy is being used by process 3861
List all processes of a user in Linux
ps -u sandy Output - PID TTY TIME CMD 4831 ? 00:00:00 systemd 4832 ? 00:00:00 (sd-pam) 4845 ? 00:00:00 gnome-keyring-d 4849 tty5 00:00:00 gdm-x-session 4851 tty5 00:00:10 Xorg 4856 ? 00:00:00 dbus-daemon 4860 tty5 00:00:00 gnome-session-b 4958 ? 00:00:00 ssh-agent 4961 ? 00:00:00 gvfsd 4966 ? 00:00:00 gvfsd-fuse 4975 ? 00:00:00 at-spi-bus-laun 4980 ? 00:00:00 dbus-daemon 4983 ? 00:00:00 at-spi2-registr 4997 ? 00:00:00 gnome-keyring-d 5012 tty5 00:00:21 gnome-shell 5023 ? 00:00:00 pulseaudio 5032 tty5 00:00:00 ibus-daemon 5034 ? 00:00:00 xdg-permission- 5042 tty5 00:00:00 ibus-dconf 5044 ? 00:00:00 gnome-shell-cal 5046 tty5 00:00:00 ibus-x11 5050 ? 00:00:00 ibus-portal 5057 ? 00:00:00 evolution-sourc 5066 ? 00:00:00 dconf-service 5073 ? 00:00:00 goa-daemon 5084 ? 00:00:00 goa-identity-se 5094 ? 00:00:00 gvfs-udisks2-vo 5099 ? 00:00:00 gvfs-gphoto2-vo 5103 ? 00:00:00 gvfs-goa-volume 5107 ? 00:00:00 gvfs-afc-volume 5112 ? 00:00:00 gvfs-mtp-volume 5116 tty5 00:00:00 gsd-power 5117 tty5 00:00:00 gsd-print-notif 5119 tty5 00:00:00 gsd-rfkill 5121 tty5 00:00:00 gsd-screensaver 5125 tty5 00:00:00 gsd-sharing 5128 tty5 00:00:00 gsd-smartcard 5130 tty5 00:00:00 gsd-xsettings 5131 tty5 00:00:00 gsd-wacom 5139 tty5 00:00:00 gsd-sound 5144 tty5 00:00:00 gsd-a11y-settin 5147 tty5 00:00:00 gsd-color 5150 tty5 00:00:00 gsd-clipboard 5154 tty5 00:00:00 gsd-housekeepin 5155 tty5 00:00:00 gsd-datetime 5160 tty5 00:00:00 gsd-media-keys 5162 tty5 00:00:00 gsd-keyboard 5164 tty5 00:00:00 gsd-mouse 5186 tty5 00:00:00 gsd-printer 5217 tty5 00:00:00 gsd-disk-utilit 5219 tty5 00:00:01 nautilus-deskto 5232 ? 00:00:00 gvfsd-trash 5254 ? 00:00:00 evolution-calen 5267 ? 00:00:00 evolution-calen 5282 ? 00:00:00 evolution-addre 5289 ? 00:00:00 evolution-addre 5310 tty5 00:00:00 ibus-engine-sim 5311 ? 00:00:00 gvfsd-metadata 5364 ? 00:00:00 gvfsd-network 5375 ? 00:00:00 gvfsd-dnssd 5443 tty5 00:00:00 update-notifier 5461 tty5 00:00:02 gnome-software 5563 ? 00:00:03 nautilus 5951 tty5 00:00:00 deja-dup-monito
Or there is another command to list users’ processes in Linux,
pgrep -u sandy Output - 4831 4832 4845 4849 4851 4856 4860 4958 4961 4966 4975 4980 4983 4997 5012 5023 5032 5034 5042
Kill all process being used by the user
killall command will kill all the users’ processes.
killall -u sandy
Remove a Linux user
After all the users’ processes are killed, the user can be deleted without any error.
As I mentioned above, by default, the command will not remove the user’s home directory. To also remove the user’s home directory, add –
-r argument to the command.
userdel -r sandy
Remove user from a group in Linux
If you decide to snatch away rights from a user, remove the user from the group.
sudo gpasswd -d sandy python-programmers
If the user is a member of the group, it will output the following –
Removing user sandy from group python-programmers
Remove a group in Linux
If you want to remove a group in Linux, use
If the deleting group is the primary group for any of the users on the system, the group can not be deleted. In that case, change the primary group of that user.
Delete auditors group from the system.
So there you have it. It is not very hard to manage users & groups on a Linux system. Once you learn to manage users, you can keep your files safe & private without using any third-party library or service.
If you feel I have left something in the article, please tell me in the comment section below. I will update this article every three months and include your tips(with your name).
If you have not understood any steps, please let me know in the comment section below. If you are a nerd and found a mistake in the article, please tell me using the Contact us page.