Enterprise User Lifecycle
Standard workflow for production user administration:
Create User ──► Assign Password ──► Assign Groups ──► Grant sudo ──► Disable/Delete Account
Commands for Each Stage
- Create:
sudo useradd -m -s /bin/bash john - Password:
sudo passwd john - Groups:
sudo usermod -aG developers john - Sudo:
sudo usermod -aG sudo johnor edit sudoers - Disable:
sudo usermod -L johnorsudo passwd -l john - Delete:
sudo userdel -r john(removes home directory)
Learning Objectives
- Understand Linux user types.
- Learn UID and GID concepts.
- Understand primary and secondary groups.
- Explore the account database files.
- Identify user information using common commands.
Prerequisites
Complete Chapters 1–3 before starting this chapter.
1. Introduction
Linux is designed as a multi-user operating system. Every process, file and service runs under a user account. User and group management provides accountability, security and controlled access to system resources.
2. Types of Linux Users
| User Type | Purpose | Example |
|---|---|---|
| Root | Full administrative control. | root |
| Regular User | Interactive login and daily work. | ashu |
| System User | Operating system services. | daemon |
| Service Account | Applications and databases. | mysql, nginx |
Users ──► Root | Regular Users | System Users | Service Accounts
3. Understanding UID & GID
Linux identifies users and groups using numeric IDs rather than names.
| Term | Description |
|---|---|
| UID | Unique User Identifier. |
| GID | Unique Group Identifier. |
| UID 0 | Reserved for the root user. |
$ id
uid=1000(ashu) gid=1000(ashu) groups=1000(ashu),27(sudo)
4. Primary vs Secondary Groups
Each user belongs to one primary group and may belong to multiple secondary groups. Primary group context handles the owner ID of newly created files, while secondary group context allows administrators to grant shared access without changing core file ownership parameters.
5. User Information Files
| File | Purpose |
|---|---|
| /etc/passwd | User account information. |
| /etc/group | Group definitions. |
| /etc/shadow | Encrypted password information. |
| /etc/gshadow | Secure group password data. |
root:x:0:0:root:/root:/bin/bash
Fields: Username, Password Placeholder, UID, GID, Comment, Home Directory, Login Shell.
6. Useful Information Commands
| Command | Purpose |
|---|---|
| whoami | Display current username. |
| id | Display UID, GID and groups. |
| groups | List group membership. |
| getent passwd | Display user database lines cleanly. |
| getent group | Display group database fields cleanly. |
7. Hands-on Practice
- Run
whoami,id, andgroups. - View the first few entries in
/etc/passwd. - Identify your account UID and primary group mappings.
8. Common Beginner Mistakes
- Confusing usernames with numeric system UIDs.
- Assuming every account is an interactive login user profile.
- Editing
/etc/passwdmanually without extreme caution. - Forgetting the append (
-a) option withusermod -G.
9. Account Lifecycle Creation (useradd, usermod)
Create new system accounts via useradd and modify them via usermod configurations:
useradd -m -s /bin/bash david # Create account with home folder and bash shell
usermod -aG developers john # Safely append user john to secondary group
usermod -s /bin/zsh john # Switch current login shell properties cleanly
10. Password Aging Configurations (chage)
Audit and enforce robust account credential security settings using the chage utility:
| Option | Purpose |
|---|---|
| -l | Display user account password aging details. |
| -M | Define maximum password age lifetime values. |
| -m | Define minimum password update intervals. |
| -E | Define explicit account expiration date constraints. |
chage -M 90 appadmin # Force account password reset every 90 days
11. Group Administration (groupadd, gpasswd)
Create corporate shared security groupings via groupadd developers. Assign or remove member profiles from existing groups using gpasswd settings:
gpasswd -a john developers # Add user john to developers group context
gpasswd -d john developers # Erase user john from developers group context
12. Switch Identities (su, sudo, visudo)
Use su - to switch identities while loading full environment parameters safely. Authorize individual user accounts or full group directories to run administrative tools via sudo without logging directly into root. **Always** apply ruleset adjustments using the syntax-validating visudo control editor.
%developers ALL=(ALL) ALL # Authorize all developers to execute commands via sudo
13. Production Login Outages
| Issue Encountered | Possible Root Cause | Suggested Diagnostics Check |
|---|---|---|
| Login failures | Incorrect credentials input | passwd / passwd -S |
| Account locked out | Locked system password state | passwd -u validation |
| Credentials expired | Password lifetime age metrics | chage -l checking |
| Permission denied | Sudo or group configuration rule fault | groups / sudo -l tracking |
Commands Covered in This Chapter
useradd- Create new user accountusermod- Modify user account settingsuserdel- Delete user account profilespasswd- Change or inspect account passwordsgroupadd- Create new system group definitionsgroupmod- Modify system group detailsgroupdel- Delete system group identitiesgpasswd- Administer user memberships in groupsid- Display user and group numeric IDsgroups- Show current group membershipschage- Change password expiration parameterssu- Switch user identity contextssudo- Execute commands with elevated permissions