Linux Command Line – Complete Beginner to Advanced Guide
CHAPTER 15 Beginner

Linux Users and Groups

Updated: May 16, 2026


1. Introduction

Linux is the backbone of enterprise computing because it was designed for simultaneous multi-tenancy. A single high-performance Linux database server might host fifty different web developers writing code at the exact same time. If user accounts are not strictly compartmentalized, Developer A could accidentally overwrite Developer B's code, or worse, execute a script that crashes the entire server. System administration fundamentally relies on rigorous Identity and Access Management (IAM). In this chapter, we will learn how to create and destroy user accounts with useradd, manage cryptographic credentials via passwd, and logically organize users into Access Control Groups to streamline complex permissions.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Identify system users versus human users in the /etc/passwd file.
  • Create, modify, and delete user accounts using useradd, usermod, and userdel.
  • Secure user accounts using the passwd command.
  • Create and manage logical groups using groupadd.
  • Add existing users to specific groups to grant inherited permissions.
  • Understand the security implications of adding a user to the sudo group.

3. The /etc/passwd File

Where does Linux store the list of everyone allowed to use the computer? It is stored in a simple text file: /etc/passwd. If you type cat /etc/passwd, you will see a massive list.

*Example line:* alex:x:1001:1001:Alex Smith,,,:/home/alex:/bin/bash
  • alex: The username.
  • x: Indicates the password is encrypted and stored safely in a different file (/etc/shadow).
  • 1001: The User ID (UID). Linux doesn't care about the name "alex"; it only cares about the number 1001.
  • /home/alex: The user's home directory.
  • /bin/bash: The default shell the user receives when logging in.

*Note: You will see users like syslog or www-data. These are non-human "System Accounts" created automatically to run background services securely.*
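The field layout above is enough to audit a passwd file mechanically. The following is an added example, not part of the original chapter: it classifies each account and flags entries worth a second look. The UID threshold of 1000 for human accounts is an assumption (the Debian/Ubuntu default), and the sample file is constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: classify the accounts in a passwd-format file, flag risky ones.
# Fields: name:password:UID:GID:comment:home:shell (seven, colon-separated).

audit_passwd() {
    # $1 = file to read; $2 = first "human" UID (assumed 1000, see lead-in)
    awk -F: -v min="${2:-1000}" '
        $0 == "" || /^#/ { next }
        NF != 7 || $3 !~ /^[0-9]+$/ { print "line " NR " MALFORMED"; next }
        {
            uid = $3 + 0
            if (uid == 0)                         class = "root-equivalent"
            else if (uid >= min && uid != 65534)  class = "human"
            else                                  class = "system"

            flags = ""
            if (uid == 0 && $1 != "root")         flags = flags " EXTRA_UID0"
            if ($2 == "")                         flags = flags " EMPTY_PASSWORD"
            else if ($2 != "x" && $2 !~ /^[*!]/)  flags = flags " HASH_IN_PASSWD"
            if (class == "system" && $7 !~ /(nologin|false)$/)
                flags = flags " SYSTEM_WITH_SHELL"

            print $1, uid, class flags
        }' "$1"
}

# Constructed sample data (not from a real host).
PASSWD_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE"' EXIT
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
alex:x:1001:1001:Alex Smith,,,:/home/alex:/bin/bash
toor:x:0:0::/root:/bin/bash
backup2::34:34::/var/backups:/bin/sh
broken:x:abc
EOF

audit_passwd "$PASSWD_SAMPLE"
```

On a live system, pass /etc/passwd as the first argument; reading it does not require sudo.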

4. Creating and Managing Users

As the administrator (using sudo), you control the user lifecycle.

1. Creating a User (useradd vs adduser): In Ubuntu/Debian, always use the friendly adduser script. It automatically builds the home directory and asks for a password.

```bash
sudo adduser sarah
```

*(In CentOS/RHEL, you must use the underlying useradd command and set the password manually).*

2. Changing Passwords (passwd): To change your own password, type passwd. To reset Sarah's forgotten password, the admin types:

```bash
sudo passwd sarah
```

3. Deleting a User (userdel): When an employee leaves the company, you must terminate their access.

```bash
# Delete the user account; -r also removes their home directory and mail spool
sudo userdel -r sarah
```

5. Managing Groups

If you have 20 developers who all need access to the /var/www/html web folder, you do not write 20 separate chmod rules. You create a single Group, give the group access to the folder, and simply toss the 20 developers into the group.

1. Creating a Group:

```bash
sudo groupadd developers
```

2. Adding a User to a Group (usermod): To modify an existing user, use usermod. We will use the -a (append) and -G (Groups) flags.

```bash
# Add the user 'alex' to the 'developers' group
sudo usermod -aG developers alex
```

*(You can verify which groups a user belongs to by typing groups alex).*

6. The Ultimate Group: sudo

How does a normal user get permission to use the sudo command? They must belong to the administrative group.
  • On Ubuntu/Debian, this group is called sudo.
  • On CentOS/RHEL, this group is called wheel.

If you want to promote a junior engineer to a full system administrator:

```bash
sudo usermod -aG sudo junior_admin
```
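
Because membership in sudo or wheel is equivalent to full administrative access, it is worth checking who actually holds it. The following is an added example, not part of the original chapter: it lists every account in either group, including accounts that have the group as their primary GID, and reports any that are missing from an approved list. The file contents, the svc_deploy account and the approved list are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: list who holds sudo/wheel membership and spot unapproved ones.

# Print every account in the sudo or wheel group, one per line, sorted.
# Counts supplementary members (field 4 of the group file) and accounts whose
# primary GID (field 4 of the passwd file) is the admin group's GID.
admin_members() {
    awk -F: '
        FNR == NR {                                   # first file: group
            if ($1 == "sudo" || $1 == "wheel") {
                admin_gid[$3] = 1
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        ($4 in admin_gid) { print $1 }                # second file: passwd
    ' "$1" "$2" | sort -u
}

# Print admin accounts missing from the approved list ($3, space-separated).
unexpected_admins() {
    local approved=" $3 " user
    admin_members "$1" "$2" | while read -r user; do
        case "$approved" in
            *" $user "*) ;;
            *) echo "$user" ;;
        esac
    done
}

# Constructed sample data (not from a real host).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/group" <<'EOF'
sudo:x:27:alex,junior_admin
developers:x:1002:alex,sarah
EOF
cat > "$DEMO_DIR/passwd" <<'EOF'
alex:x:1001:1001::/home/alex:/bin/bash
junior_admin:x:1004:1004::/home/junior_admin:/bin/bash
svc_deploy:x:1005:27::/home/svc_deploy:/bin/bash
EOF

unexpected_admins "$DEMO_DIR/group" "$DEMO_DIR/passwd" "alex junior_admin"
```

On a live system, pass /etc/group and /etc/passwd as the first two arguments.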

7. Diagrams/Visual Suggestions

*Visual Concept: The Group Inheritance Model* Draw a large box labeled "Group: developers". Inside the box, draw three user icons (Alice, Bob, Charlie). Draw an arrow from the "developers" box to a folder labeled /var/www/html. On the arrow, write "Permission: Read/Write". This visual perfectly illustrates how Identity Access Management (IAM) centralizes security policies. You don't assign rights to the person; you assign rights to the box.

8. Best Practices

  • The Danger of usermod without -a: When adding a user to a group, you must ALWAYS use -aG (Append Group). If you only type usermod -G developers alex, Linux will ruthlessly rip 'alex' out of every single other group they belong to (including the sudo group) and place them ONLY in the developers group. The -a flag ensures you are *adding* to their existing groups.
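
The effect of dropping -a can be previewed before running the command. The following is an added example, not part of the original chapter: given a group file, a user and the list that would be passed to -G, it prints the memberships that would be removed. The function names and the sample group file are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: preview what "usermod -G" would remove when -a is left out.

# Supplementary groups of user $1 according to group-format file $2, sorted.
supplementary_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$2" | sort
}

# Groups user $1 would lose if "usermod -G $2 $1" ran without -a.
# $2 is the comma-separated list given to -G; $3 is the group file.
groups_lost_without_a() {
    local newlist=",$2," g
    supplementary_groups "$1" "$3" | while read -r g; do
        case "$newlist" in
            *",$g,"*) ;;              # still listed, membership kept
            *) echo "$g" ;;           # not listed, membership dropped
        esac
    done
}

# Constructed sample group file (not from a real host).
GROUP_DEMO=$(mktemp)
trap 'rm -f "$GROUP_DEMO"' EXIT
cat > "$GROUP_DEMO" <<'EOF'
sudo:x:27:alex,junior_admin
docker:x:998:alex
developers:x:1002:sarah
EOF

echo "usermod -G developers alex would drop:"
groups_lost_without_a alex developers "$GROUP_DEMO"
```

For the sample data this prints docker and sudo, the two memberships alex holds that are absent from the -G list.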

9. Common Mistakes

  • Applying group changes without logging out: If you add yourself to the docker group using usermod, and immediately try to run a Docker command, it will fail with "Permission Denied." Group assignments are evaluated ONLY at the exact moment a user logs in. You must log completely out of the terminal and SSH back in for the new group permissions to activate.

10. Mini Project: Departmental Isolation

Let's build a corporate hierarchy:
  1. Create a restricted folder: sudo mkdir /opt/financedata.
  2. Create a specific group: sudo groupadd financeteam.
  3. Change the folder's group ownership: sudo chown root:financeteam /opt/financedata.
  4. Lock out the rest of the world (Permissions = 770): sudo chmod 770 /opt/financedata.
  5. Create a new user: sudo adduser bob.
  6. Log in as Bob (su - bob) and try to cd /opt/financedata. (Permission Denied!).
  7. Exit back to admin (exit). Add Bob to the group: sudo usermod -aG financeteam bob.
  8. Log back in as Bob, and he now has secure, exclusive access to the folder!

11. Practice Exercises

  1. Locate and inspect the /etc/passwd file on a Linux system. Identify the User ID (UID) of the root account. What number is it?
  2. Explain the catastrophic operational result of executing the command usermod -G webadmins john without including the -a flag.

12. MCQs with Answers

Question 1

When an employee is terminated, which command ensures that their Linux user account is deleted AND their personal /home directory is completely eradicated from the hard drive?

Question 2

To grant a standard user the ability to execute administrative commands requiring elevated root privileges, to which specific group must they be added on an Ubuntu system?

13. Interview Questions

  • Q: You execute a command to add a user to the docker group. You verify the command was successful via the /etc/group file. However, the user still receives "Permission Denied" errors when trying to execute Docker commands. What simple step was missed?
  • Q: Explain the structural architecture of the /etc/passwd file. Why are there numerous accounts (like apache or sshd) listed in this file that are never utilized by human beings?
  • Q: Contrast the operational functionality of chown (from Chapter 6) with usermod. How do these two commands work together to provide access to a restricted corporate directory?

14. FAQs

Q: Can I force a user to change their password the very first time they log in?

A: Yes! This is a standard security practice for new hires. You set a generic password, and then type sudo passwd -e [username] (Expire). The very first time the user connects via SSH, the Linux kernel will halt the login process and force them to invent a new, private password before granting access.

15. Summary

In Chapter 15, we established the administrative guardrails of a multi-tenant operating system. We audited the /etc/passwd ledger, identifying the numeric User IDs that drive kernel-level security. We executed the full lifecycle of identity management, provisioning accounts with adduser, securing them with passwd, and cleanly wiping them with userdel -r. Most importantly, we implemented scalable Access Control architectures via groupadd and usermod, ensuring that file permissions are governed logically by broad organizational roles rather than chaotic, individualized access rules.

16. Next Chapter Recommendation

Your users are configured and writing code. But is the server buckling under the weight of their activity? You must check the vitals. Proceed to Chapter 16: Monitoring and System Logs.
