OS Notes
Linux user management — creating and managing users, groups, authentication files (/etc/passwd, /etc/shadow), user environment configuration, and account administration commands.
Introduction
Linux is a multi-user operating system designed from its inception to support many users simultaneously. The user management system controls who can log in, what resources they can access, and how they are organized. Every file is owned by a user and a group. Every process runs as a specific user. The entire permission system depends on proper user and group management.
As a system administrator, user management is one of your most frequent tasks — creating accounts for new employees, removing departed ones, managing group memberships for project access, enforcing password policies, and auditing who has access to what.
User Account Structure
Every user account in Linux has the following properties:
- Username: Human-readable identifier (alice, bob, www-data)
- UID (User ID): Numeric identifier the kernel actually uses (internally, the kernel knows users by UID, not name)
- GID (Primary Group ID): The user's default group
- Home Directory: Personal workspace (/home/alice)
- Login Shell: Command interpreter started at login (/bin/bash, /bin/zsh)
- Password: Stored separately as a salted hash
Important UIDs
| UID | Purpose |
|---|---|
| 0 | root (superuser — full system access) |
| 1-999 | System/service accounts (non-interactive) |
| 1000+ | Regular human users |
Configuration Files
/etc/passwd — User Database
# Format: username:password_placeholder:UID:GID:comment:home:shell
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash
bob:x:1002:1002:Bob Jones:/home/bob:/bin/zsh
www-data:x:33:33:Web Server:/var/www:/usr/sbin/nologin- The
xin the password field means the actual password is in/etc/shadow /usr/sbin/nologinprevents interactive login (for service accounts)- This file is world-readable (everyone needs to resolve UIDs to names)
/etc/shadow — Password Storage
# Format: username:hashed_password:last_change:min:max:warn:inactive:expire
alice:$6$rounds=5000$salt$hash...:19150:0:99999:7:::
bob:$6$rounds=5000$salt$hash...:19140:0:90:7:30::
nologin_user:!:19100:::::$6$= SHA-512 algorithm;$5$= SHA-256;$y$= yescrypt!or*= account locked (no password login possible)- Only root can read this file (permissions: 640)
- Fields after hash: password age, expiry, and warning settings
/etc/group — Group Database
# Format: groupname:password:GID:member_list
developers:x:1010:alice,bob,charlie
admins:x:1011:alice
www-data:x:33:/etc/gshadow — Group Password Storage
Rarely used; allows group-level passwords for shared access.
User Management Commands
Creating Users
# Create user with defaults (home dir, shell, group)
useradd alice
# Create with specific options
useradd -m -d /home/alice -s /bin/bash -c "Alice Smith" -G developers,docker alice
# -m: create home directory
# -d: specify home directory path
# -s: login shell
# -c: comment (full name)
# -G: supplementary groups
# Set password interactively
passwd alice
# Create system user (no home, no login)
useradd -r -s /usr/sbin/nologin myserviceModifying Users
# Change shell
usermod -s /bin/zsh alice
# Add to supplementary group (without removing from existing groups)
usermod -aG docker alice # -a = append, CRITICAL — without it, replaces all groups
# Lock account (prevent login)
usermod -L alice
# Unlock account
usermod -U alice
# Set account expiry date
usermod -e 2026-12-31 contractor_bob
# Change home directory
usermod -d /new/home -m alice # -m moves files to new locationDeleting Users
# Remove user (keep home directory)
userdel alice
# Remove user AND home directory
userdel -r alice
# Before deleting, find all files owned by user
find / -user alice -type f 2>/dev/nullPassword Management
# Set password
passwd alice
# Force password change on next login
passwd -e alice
# Set password policies
chage -M 90 alice # Max 90 days before must change
chage -m 7 alice # Min 7 days between changes
chage -W 14 alice # Warn 14 days before expiry
chage -I 30 alice # Lock 30 days after expiry
# View password aging info
chage -l aliceGroup Management
# Create group
groupadd developers
# Create with specific GID
groupadd -g 2000 project_x
# Add user to group
usermod -aG developers alice
# Remove user from group
gpasswd -d bob developers
# Delete group
groupdel old_project
# List user's groups
groups alice
id alice
# uid=1001(alice) gid=1001(alice) groups=1001(alice),1010(developers),998(docker)User Environment
When a user logs in, several files configure their environment:
# System-wide (applied to ALL users)
/etc/profile # Login shells
/etc/bash.bashrc # Interactive bash shells
/etc/environment # System-wide environment variables
# Per-user (in home directory)
~/.bash_profile # Login shell (runs once)
~/.bashrc # Interactive shell (runs each new terminal)
~/.bash_logout # Runs on logout
# Execution order for login shell:
# /etc/profile → ~/.bash_profile → (which usually sources ~/.bashrc)Skeleton Directory
When creating a user with -m, files from /etc/skel/ are copied to the new home directory:
ls -la /etc/skel/
# .bashrc, .profile, .bash_logout — default environment files
# Customize these to set defaults for all new usersPractical Scenarios
Onboarding New Developer
#!/bin/bash
# new_developer.sh — Create developer account
USERNAME="$1"
FULLNAME="$2"
useradd -m -s /bin/bash -c "$FULLNAME" -G developers,docker,git "$USERNAME"
passwd -e "$USERNAME" # Force password change on first login
mkdir -p "/home/$USERNAME/.ssh"
chmod 700 "/home/$USERNAME/.ssh"
chown "$USERNAME:$USERNAME" "/home/$USERNAME/.ssh"
echo "Account created for $FULLNAME ($USERNAME)"Offboarding Employee
#!/bin/bash
# remove_employee.sh — Safely remove departed user
USERNAME="$1"
# Disable account immediately
usermod -L "$USERNAME"
# Kill active sessions
pkill -u "$USERNAME"
# Archive home directory
tar -czf "/archive/${USERNAME}_$(date +%Y%m%d).tar.gz" "/home/$USERNAME"
# Remove account (keep home for 30 days then delete)
# userdel -r "$USERNAME" # uncomment when ready
echo "Account $USERNAME disabled and archived"Security Best Practices
- Use strong password policies: Minimum length, complexity, regular rotation
- Disable root login: Use sudo instead; track who does what
- Lock inactive accounts: Automate disabling accounts not used for 90+ days
- Audit group memberships: Regularly review who is in privileged groups
- Use service accounts: Run daemons as dedicated users with minimal permissions
- Monitor /etc/passwd and /etc/shadow: Alert on unexpected changes (file integrity monitoring)
Key Takeaways
- Every user has a UID, primary group, home directory, and shell
- /etc/passwd is readable by all; /etc/shadow stores hashes and is root-only
- Always use
usermod -aG(with -a) to add groups without removing existing ones - Password aging (chage) enforces regular password updates
- System users (UID < 1000) run services and should not have login shells
- Automate onboarding/offboarding to ensure consistency and security
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for User Management - Users and Groups.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Operating Systems topic.
Search Terms
operating-systems, operating systems, operating, systems, linux, and, unix, user
Related Operating Systems Topics