Linux User & Group Management
Published: December 2023 | Topic: System Administration & Security for DevOps
Effective user and group management is fundamental to Linux system security and administration. As a DevOps engineer, you need to understand how to create and manage users, control access through groups, implement privilege escalation with sudo, and secure authentication systems. This knowledge is crucial for maintaining secure, multi-user environments in production systems.
Understanding Linux Users & Groups
Linux is a multi-user operating system where every process and file is owned by a user and associated with a group. This fundamental concept enables:
- Security: Isolating users and processes from each other
- Accountability: Tracking who did what on the system
- Resource Management: Controlling access to files, directories, and system resources
- Collaboration: Allowing groups of users to work together securely
1. User Management: Creating and Managing Users
What are Linux Users?
A user in Linux is an entity that can run processes and own files. Each user has:
- Username: Human-readable identifier (e.g., "alice")
- User ID (UID): Numeric identifier used by the system
- Home Directory: Personal workspace at /home/username
- Login Shell: Default shell when user logs in
- Password: Authentication credential (stored encrypted)
Username
alice
alice
→
User ID
UID: 1001
UID: 1001
→
Home Directory
/home/alice
/home/alice
Creating Users
# Create a new user with default settings
$ sudo useradd alice
# Create user with specific home directory
$ sudo useradd -m -d /home/alice alice
# Create user with specific UID
$ sudo useradd -u 1501 bob
# Create user with specific shell
$ sudo useradd -s /bin/bash charlie
# Create system user (no login, UID < 1000)
$ sudo useradd -r -s /usr/sbin/nologin appuser
$ sudo useradd alice
# Create user with specific home directory
$ sudo useradd -m -d /home/alice alice
# Create user with specific UID
$ sudo useradd -u 1501 bob
# Create user with specific shell
$ sudo useradd -s /bin/bash charlie
# Create system user (no login, UID < 1000)
$ sudo useradd -r -s /usr/sbin/nologin appuser
Managing User Accounts
Set/Change Password
$ sudo passwd alice
# Interactive password setup
$ echo "password123" | sudo passwd --stdin alice
# Non-interactive (not recommended)
# Interactive password setup
$ echo "password123" | sudo passwd --stdin alice
# Non-interactive (not recommended)
Modify User
$ sudo usermod -s /bin/zsh alice
# Change shell
$ sudo usermod -d /new/home alice
# Change home directory
$ sudo usermod -L alice
# Lock account
# Change shell
$ sudo usermod -d /new/home alice
# Change home directory
$ sudo usermod -L alice
# Lock account
Delete User
$ sudo userdel alice
# Delete user, keep home directory
$ sudo userdel -r alice
# Delete user and home directory
$ sudo userdel -f -r alice
# Force delete even if logged in
# Delete user, keep home directory
$ sudo userdel -r alice
# Delete user and home directory
$ sudo userdel -f -r alice
# Force delete even if logged in
⚠️ System Users vs Regular Users
Regular Users: UID ≥ 1000, used for human users, have login shell, home directory
System Users: UID < 1000, used for services/daemons, often no login shell, no home directory
# Check UID ranges
$ grep -E "^UID_MIN|^UID_MAX" /etc/login.defs
UID_MIN 1000
UID_MAX 60000
$ grep -E "^UID_MIN|^UID_MAX" /etc/login.defs
UID_MIN 1000
UID_MAX 60000
2. Group Management: Creating and Managing Groups
What are Linux Groups?
Groups are collections of users that share common access permissions. They simplify permission management by allowing you to grant access to multiple users at once.
Group Hierarchy Example
developers Group
GID: 1001
GID: 1001
↓
alice
bob
charlie
↓
Shared Access to Project Files
Creating and Managing Groups
Create Groups
$ sudo groupadd developers
# Create group
$ sudo groupadd -g 2001 admins
# Create with specific GID
$ sudo groupadd -r systemgroup
# Create system group
# Create group
$ sudo groupadd -g 2001 admins
# Create with specific GID
$ sudo groupadd -r systemgroup
# Create system group
Manage Group Members
$ sudo usermod -aG developers alice
# Add user to group
$ sudo gpasswd -d alice developers
# Remove user from group
$ sudo gpasswd -A alice developers
# Make user group admin
# Add user to group
$ sudo gpasswd -d alice developers
# Remove user from group
$ sudo gpasswd -A alice developers
# Make user group admin
View Group Info
$ groups alice
# Show groups user belongs to
$ getent group developers
# Show group information
$ id alice
# Show user ID and group memberships
# Show groups user belongs to
$ getent group developers
# Show group information
$ id alice
# Show user ID and group memberships
Primary vs Supplementary Groups
Primary Group
- Each user has exactly one primary group
- New files created by user belong to this group
- Defined in /etc/passwd (4th field)
- User can change primary group with
newgrp
$ id -gn alice
# Show primary group name
$ usermod -g developers alice
# Change primary group
# Show primary group name
$ usermod -g developers alice
# Change primary group
Supplementary Groups
- User can belong to multiple supplementary groups
- Used for additional permissions
- Defined in /etc/group file
- User inherits group permissions
$ groups alice
# Show all groups
$ usermod -aG sudo,docker alice
# Add to supplementary groups
# Show all groups
$ usermod -aG sudo,docker alice
# Add to supplementary groups
3. sudo and Privilege Escalation
What is sudo?
sudo (superuser do) allows permitted users to execute commands as another user, typically the root user. It provides controlled, auditable privilege escalation without sharing the root password.
Why sudo is Better Than su
- Audit Trail: All sudo commands are logged
- Granular Control: Can limit commands users can run
- No Password Sharing: Users use their own password
- Time Limits: Can require re-authentication
- Root Protection: Prevents accidental system damage
sudo Configuration: /etc/sudoers
The sudoers file defines who can run what commands as whom. Always use visudo to edit this file!
# Basic sudoers syntax:
user host=(runas) command
# Examples:
alice ALL=(ALL) ALL
# Alice can run any command as any user on any host
bob ALL=(root) /usr/bin/systemctl
# Bob can run systemctl as root
%developers ALL=(ALL) NOPASSWD: /usr/bin/apt
# Developers group can run apt without password
user host=(runas) command
# Examples:
alice ALL=(ALL) ALL
# Alice can run any command as any user on any host
bob ALL=(root) /usr/bin/systemctl
# Bob can run systemctl as root
%developers ALL=(ALL) NOPASSWD: /usr/bin/apt
# Developers group can run apt without password
Common sudo Commands
Basic sudo Usage
$ sudo command
# Run command as root
$ sudo -u alice command
# Run command as user alice
$ sudo -i
# Start interactive root shell
# Run command as root
$ sudo -u alice command
# Run command as user alice
$ sudo -i
# Start interactive root shell
sudo Configuration
$ sudo visudo
# Safely edit sudoers file
$ sudo -l
# List allowed sudo commands
$ sudo -k
# Invalidate sudo timestamp
# Safely edit sudoers file
$ sudo -l
# List allowed sudo commands
$ sudo -k
# Invalidate sudo timestamp
sudo Logs
# View sudo logs
$ sudo grep sudo /var/log/auth.log
# or /var/log/secure on RHEL
$ journalctl _COMM=sudo
# View sudo logs with journalctl
$ sudo grep sudo /var/log/auth.log
# or /var/log/secure on RHEL
$ journalctl _COMM=sudo
# View sudo logs with journalctl
Practical sudo Examples for DevOps
# Allow user to manage services without full root access
deployuser ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, \ /usr/bin/systemctl status nginx
# Allow developers to run Docker without password
%docker ALL=(ALL) NOPASSWD: /usr/bin/docker
# Allow monitoring user to check system stats
monitor ALL=(ALL) /usr/bin/top, /usr/bin/htop, \ /usr/bin/df, /usr/bin/free
deployuser ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, \ /usr/bin/systemctl status nginx
# Allow developers to run Docker without password
%docker ALL=(ALL) NOPASSWD: /usr/bin/docker
# Allow monitoring user to check system stats
monitor ALL=(ALL) /usr/bin/top, /usr/bin/htop, \ /usr/bin/df, /usr/bin/free
4. Password Management & Security
What is Password Security in Linux?
Linux password security involves storing passwords securely, enforcing password policies, and managing password aging. Passwords are never stored in plain text - they're hashed using cryptographic algorithms.
⚠️ Password Storage Methods
Linux supports multiple password hashing algorithms:
- MD5: Insecure, deprecated
- SHA-256/SHA-512: Current standard (used in /etc/shadow)
- bcrypt: More secure, slower to compute
- Argon2: Most secure, memory-hard algorithm
Password Policies
Password Aging with chage
$ sudo chage -l alice
# List password aging info
$ sudo chage -M 90 alice
# Password expires after 90 days
$ sudo chage -m 7 alice
# Minimum 7 days between changes
# List password aging info
$ sudo chage -M 90 alice
# Password expires after 90 days
$ sudo chage -m 7 alice
# Minimum 7 days between changes
Password Quality with pam_pwquality
# Configure in /etc/security/pwquality.conf
minlen = 12
minclass = 3
maxrepeat = 2
# Requires 12 chars, 3 character classes
minlen = 12
minclass = 3
maxrepeat = 2
# Requires 12 chars, 3 character classes
Account Locking
$ sudo passwd -l alice
# Lock account
$ sudo passwd -u alice
# Unlock account
$ sudo usermod -L alice
# Alternative lock method
# Lock account
$ sudo passwd -u alice
# Unlock account
$ sudo usermod -L alice
# Alternative lock method
Password Security Best Practices
DevOps Password Security Guidelines
- Use SSH keys instead of passwords for server access
- Enforce strong password policies (min length 12, mixed characters)
- Implement password aging (90 days maximum)
- Disable root SSH login in /etc/ssh/sshd_config
- Use fail2ban to prevent brute force attacks
- Regularly audit user accounts and remove inactive ones
- Monitor auth logs for suspicious activity
- Use sudo instead of sharing root password
SSH Key Authentication
# Generate SSH key pair
$ ssh-keygen -t ed25519 -C "alice@server"
# Copy public key to server
$ ssh-copy-id alice@server
# Disable password authentication (in /etc/ssh/sshd_config)
PasswordAuthentication no
PubkeyAuthentication yes
$ ssh-keygen -t ed25519 -C "alice@server"
# Copy public key to server
$ ssh-copy-id alice@server
# Disable password authentication (in /etc/ssh/sshd_config)
PasswordAuthentication no
PubkeyAuthentication yes
5. Understanding /etc/passwd and /etc/group
What are /etc/passwd and /etc/group?
These are fundamental system files that define users and groups on Linux systems. Understanding their format is essential for system administration and troubleshooting.
/etc/passwd - User Database
Contains user account information. World-readable but should not contain passwords (they're in /etc/shadow).
Format:
username:password:UID:GID:GECOS:homedir:shell
Example:
alice:x:1001:1001:Alice Developer:/home/alice:/bin/bash
# Fields:
1. username: alice
2. password: x (means password in /etc/shadow)
3. UID: 1001
4. GID: 1001 (primary group)
5. GECOS: Full name/description
6. homedir: /home/alice
7. shell: /bin/bash
username:password:UID:GID:GECOS:homedir:shell
Example:
alice:x:1001:1001:Alice Developer:/home/alice:/bin/bash
# Fields:
1. username: alice
2. password: x (means password in /etc/shadow)
3. UID: 1001
4. GID: 1001 (primary group)
5. GECOS: Full name/description
6. homedir: /home/alice
7. shell: /bin/bash
/etc/group - Group Database
Contains group definitions and memberships.
Format:
groupname:password:GID:members
Example:
developers:x:1001:alice,bob,charlie
sudo:x:27:alice,bob
# Fields:
1. groupname: developers
2. password: x (rarely used)
3. GID: 1001
4. members: Comma-separated usernames
groupname:password:GID:members
Example:
developers:x:1001:alice,bob,charlie
sudo:x:27:alice,bob
# Fields:
1. groupname: developers
2. password: x (rarely used)
3. GID: 1001
4. members: Comma-separated usernames
/etc/shadow - Secure Password Storage
Contains encrypted passwords and password aging information. Readable only by root.
Format:
username:password:lastchange:minage:maxage:warning:inactive:expire:reserved
Example:
alice:$6$salt$hashedpassword:18500:0:90:7:30:19475:
# Important fields:
1. username: alice
2. password: $6$salt$hashedpassword ($6 = SHA-512)
3. lastchange: Days since Jan 1, 1970 password was changed
4. minage: Min days between changes (0 = any time)
5. maxage: Max days password valid (90)
6. warning: Days before expiry to warn user (7)
7. inactive: Days after expiry until account is disabled (30)
8. expire: Date when account expires (YYYY-MM-DD)
username:password:lastchange:minage:maxage:warning:inactive:expire:reserved
Example:
alice:$6$salt$hashedpassword:18500:0:90:7:30:19475:
# Important fields:
1. username: alice
2. password: $6$salt$hashedpassword ($6 = SHA-512)
3. lastchange: Days since Jan 1, 1970 password was changed
4. minage: Min days between changes (0 = any time)
5. maxage: Max days password valid (90)
6. warning: Days before expiry to warn user (7)
7. inactive: Days after expiry until account is disabled (30)
8. expire: Date when account expires (YYYY-MM-DD)
Working with Authentication Files
View User/Group Info
$ getent passwd alice
# View user entry
$ getent group developers
# View group entry
$ sudo grep alice /etc/shadow
# View shadow entry (root only)
# View user entry
$ getent group developers
# View group entry
$ sudo grep alice /etc/shadow
# View shadow entry (root only)
Manual User Creation
# Advanced: Manual user creation
$ echo "testuser:x:1005:1005::/home/testuser:/bin/bash" >> /etc/passwd
$ echo "testuser:x:1005:" >> /etc/group
$ sudo mkdir /home/testuser
$ sudo chown testuser:testuser /home/testuser
$ echo "testuser:x:1005:1005::/home/testuser:/bin/bash" >> /etc/passwd
$ echo "testuser:x:1005:" >> /etc/group
$ sudo mkdir /home/testuser
$ sudo chown testuser:testuser /home/testuser
Note: Use standard tools when possible!
Password Hash Generation
# Generate password hash
$ openssl passwd -6 -salt $(openssl rand -base64 12)
# or
$ mkpasswd -m sha-512
$ openssl passwd -6 -salt $(openssl rand -base64 12)
# or
$ mkpasswd -m sha-512
⚠️ Security Considerations
- /etc/passwd: World-readable - don't store sensitive info in GECOS field
- /etc/shadow: Root-only readable - contains password hashes
- /etc/group: World-readable - be careful with group memberships
- Backup these files before making manual changes
- Use vipw/vigr for safe editing (locks files during edit)
# Safe editing commands
$ sudo vipw # Edit /etc/passwd
$ sudo vigr # Edit /etc/group
$ sudo vipw -s # Edit /etc/shadow
$ sudo vipw # Edit /etc/passwd
$ sudo vigr # Edit /etc/group
$ sudo vipw -s # Edit /etc/shadow
Complete User Management Workflow
DevOps Scenario: Setting Up a New Developer
Complete workflow for adding a new developer with appropriate permissions:
# 1. Create user account
$ sudo useradd -m -s /bin/bash -c "John Developer" johnd
$ sudo passwd johnd
# Set secure password
# 2. Add to necessary groups
$ sudo usermod -aG developers,ssh,docker johnd
# 3. Configure sudo access
$ sudo visudo
# Add to sudoers:
johnd ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/bin/systemctl
# 4. Set up SSH keys
$ sudo mkdir -p /home/johnd/.ssh
$ sudo chmod 700 /home/johnd/.ssh
$ echo "ssh-ed25519 AAA... johnd@laptop" | sudo tee /home/johnd/.ssh/authorized_keys
$ sudo chmod 600 /home/johnd/.ssh/authorized_keys
$ sudo chown -R johnd:johnd /home/johnd/.ssh
# 5. Set password policy
$ sudo chage -M 90 -m 7 -W 7 johnd
# 6. Verify setup
$ id johnd
$ sudo -l -U johnd
$ sudo chage -l johnd
$ sudo useradd -m -s /bin/bash -c "John Developer" johnd
$ sudo passwd johnd
# Set secure password
# 2. Add to necessary groups
$ sudo usermod -aG developers,ssh,docker johnd
# 3. Configure sudo access
$ sudo visudo
# Add to sudoers:
johnd ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/bin/systemctl
# 4. Set up SSH keys
$ sudo mkdir -p /home/johnd/.ssh
$ sudo chmod 700 /home/johnd/.ssh
$ echo "ssh-ed25519 AAA... johnd@laptop" | sudo tee /home/johnd/.ssh/authorized_keys
$ sudo chmod 600 /home/johnd/.ssh/authorized_keys
$ sudo chown -R johnd:johnd /home/johnd/.ssh
# 5. Set password policy
$ sudo chage -M 90 -m 7 -W 7 johnd
# 6. Verify setup
$ id johnd
$ sudo -l -U johnd
$ sudo chage -l johnd
Troubleshooting User & Group Issues
Can't Login
# Check account status
$ sudo passwd -S username
# Check shell in /etc/passwd
$ getent passwd username
# Check home directory permissions
$ ls -ld /home/username
$ sudo passwd -S username
# Check shell in /etc/passwd
$ getent passwd username
# Check home directory permissions
$ ls -ld /home/username
Permission Denied
# Check user groups
$ groups username
# Check file ownership
$ ls -l file
# Check sudo access
$ sudo -l -U username
$ groups username
# Check file ownership
$ ls -l file
# Check sudo access
$ sudo -l -U username
Password Issues
# Check password aging
$ sudo chage -l username
# Check account lock
$ sudo passwd -S username
# Reset password
$ sudo passwd username
$ sudo chage -l username
# Check account lock
$ sudo passwd -S username
# Reset password
$ sudo passwd username
sudo Not Working
# Check sudoers syntax
$ sudo visudo -c
# Check user sudo privileges
$ sudo -l -U username
# Check sudo logs
$ sudo tail -f /var/log/auth.log | grep sudo
$ sudo visudo -c
# Check user sudo privileges
$ sudo -l -U username
# Check sudo logs
$ sudo tail -f /var/log/auth.log | grep sudo
Security Best Practices for DevOps
User & Group Management Security Guidelines
- Principle of Least Privilege: Give users only the permissions they need
- Use Groups: Manage permissions through groups, not individual users
- Regular Audits: Review user accounts and permissions quarterly
- Disable Inactive Accounts: Lock or remove unused accounts
- Use SSH Keys: Disable password authentication for SSH
- Monitor Authentication Logs: Set up alerts for failed login attempts
- Secure /etc/shadow: Ensure it's only readable by root (permissions 640)
- Use sudo Instead of su: Better auditing and control
- Implement Password Policies: Require strong passwords and regular changes
- Separate Service Accounts: Run each service under its own user account
- Backup Authentication Files: Before making bulk changes
- Test in Staging: Test user/group changes in staging first
Essential Commands Cheat Sheet
User Management
$ useradd username # Create user
$ usermod -aG group username # Add to group
$ userdel -r username # Delete user
$ passwd username # Change password
$ chage -l username # Password aging info
$ usermod -aG group username # Add to group
$ userdel -r username # Delete user
$ passwd username # Change password
$ chage -l username # Password aging info
Group Management
$ groupadd groupname # Create group
$ groupdel groupname # Delete group
$ gpasswd -a user group # Add user to group
$ getent group groupname # Show group info
$ newgrp groupname # Switch primary group
$ groupdel groupname # Delete group
$ gpasswd -a user group # Add user to group
$ getent group groupname # Show group info
$ newgrp groupname # Switch primary group
Information & Verification
$ id username # User ID and groups
$ whoami # Current user
$ groups username # User's groups
$ getent passwd username # User entry
$ w # Who is logged in
$ whoami # Current user
$ groups username # User's groups
$ getent passwd username # User entry
$ w # Who is logged in
Sudo & Privileges
$ sudo command # Run as root
$ sudo -l # List sudo privileges
$ visudo # Edit sudoers safely
$ su - username # Switch user
$ sudo -i # Login as root
$ sudo -l # List sudo privileges
$ visudo # Edit sudoers safely
$ su - username # Switch user
$ sudo -i # Login as root
Practice Scenarios for DevOps Engineers
- A developer needs access to restart Nginx and view logs, but not full root access. How do you configure this?
- You need to create a service account for a new application. What UID range should you use and what shell?
- Several users report "Permission denied" when trying to write to a shared directory. How do you troubleshoot?
- You suspect an account has been compromised. What steps do you take to secure it?
- How would you migrate all users from one group to another without affecting their primary groups?
- A user's password has expired and they can't log in remotely. How can you help them?
- You need to give temporary root access to a contractor for 24 hours. What's the safest approach?
- How do you audit which users have sudo privileges and what commands they can run?
Key Takeaways
- Users and groups are fundamental to Linux security and resource management
- UIDs and GIDs are numeric identifiers the system uses internally
- sudo provides controlled privilege escalation with auditing capabilities
- /etc/passwd, /etc/group, /etc/shadow store user/group information securely
- Password policies are essential for system security
- SSH keys are more secure than passwords for remote access
- Regular audits of user accounts and permissions prevent security issues
- Groups simplify permission management for teams and services
Mastering user and group management is essential for maintaining secure, well-organized Linux systems in DevOps environments. Always follow the principle of least privilege and implement proper auditing and monitoring.
No comments:
Post a Comment