If you have ever done any system administration, chances are you have added an account or a group. However, both tasks offer possibilities beyond the plain command. Not only do numerous options exist to modify the basic command, but a variety of other commands are available for manipulating users and groups and viewing their activities.

Users and groups are means of controlling access to a Linux system. A user account gives normal access to a system, whereas user membership in a group gives access to different hardware, subsystems, and files. Typically, each user account is matched with a group of the same name, so that users can access the files in their home directory. In some distributions, only the ordinary user created during installation has full non-root access, and you might have to add new users to each group to which the first user belongs.

Adding and Deleting

In Debian-based distributions, the easiest way to create a new user is with adduser, a script that leads you through the process. After you enter the command adduser NAME, you are prompted for a name, a password, and optional contact information that in effect turns a list of users into a contact list. Other information, such as the user ID (UID), is created for you, starting with 1000 (Figure 1). Non-Debian distributions also include adduser, but in most cases it is an alias for useradd.

Figure 1: The adduser tool (not to be confused with useradd) provides a wizard-like script for creating users.

In all distributions, the basic command for creating users is useradd. However, unlike adduser, entering the command and a username is not enough. To start, you need to create a home directory for the account with --create-home (-m). If you do not want the home directory to be a subfolder of /home, you need to specify the base directory with --base-dir DIRECTORY (-b). When making a home directory, you probably want to include the option --skel DIRECTORY (-k) to add default files to it.

Additionally, you'll probably want to specify the password with --password PASSWORD (-p) and groups beside the account's own group with --group GROUPS (-G). Other characteristics of the account will be those listed by entering useradd -D, an option that can also be used for editing the defaults with useradd -D OPTION. You can also specify the account's shell with --shell SHELL (-s) and its UID with --uid UID (-u) (Figure 2).

Figure 2: The useradd command requires careful planning of options to set up a new user.

The useradd command can also set a couple of options for user's passwords, although they seem to be little used on smaller systems. For example, with --expire DATE (-e), you can set the date on which an account's password expires. Usually, you will want to accompany --expire with --inactive DAYS (-f), to set the number of days after expiration to disable an account. When the account is disabled, its files are preserved, but the user cannot log in.

Except for the options for password expiration, groups have a similar set of commands. Both the Debian addgroup command and the more generally used groupadd have options similar to adduser. In both, you can specify the group ID (GID) and a password. The main difference from the basic user commands is that in both group commands you can use the --system option to create a group that helps to run the system, instead of one to which users can be assigned.

To remove users, Debian-based systems have groupdel, with the convenient option --backup-to DIRECTORY, which automatically removes all groups the user is in. The exception is the user's private group, which cannot be deleted until the user is removed. The userdel command has the option to --remove the home directory or, in case the user has files elsewhere in the system, to --remove-all-files. By contrast, userdel has only the options to --force (-f) deletion or --remove to delete the user's home directory.

Usermod and Groupmod

The usermod and groupmod commands are for editing users and groups after they are created. Many of the usermod options mirror those of useradd, including --shell SHELL (-s), --uid UID (-u), --expiredate DATE, and --inactive DAYS (-f).

To this set of commands, usermod adds --login NAME (-l), which can only be changed when the user is not logged in, and --password PASSWORD (-p).

Other options change the groups to which the account belongs. With --gid GROUP (-g), the root user can change the initial group name or GID for an account. Group membership is modified by GROUPS (-G), in preference to editing /etc/group in a text editor, which does not update /etc/gshadow. The groups are specified in a comma-separated list with no whitespace.

An especially useful option for usermod is --lock (-L), which prevents anyone from using the account to log in. The lock is represented by adding an exclamation mark (!) at the start of the password. The lock is applied with no warning or confirmation message and can be removed with --unlock (-U). As you might expect, neither can used together or with --password (-p), although changing the password would be just as effective in preventing the account from being used.

The groupmod command has far fewer options than usermod, possibly because it can potentially have farther-reaching effects – in fact, on systems that use sudo rather the root account, careless use could leave you unable to do any administration. At any rate, groupmod uses only three options: --gid to change the GID, -n to change the group name, and --password (-p) to add or change the group password – an option that may be useful on a large system but often not the average home setup.

Other Administration Commands

Several other commands for both users and groups also exist. For example, groups USER lists the different groups to which the specified user belong. The same information can be obtained from id USER. At one time, the users command could be used to see user activity listed in the logs. However, because the logs are binary now that Systemd is used in most major distributions, you need to use journalctl to read them or obtain some of the same information with a combination of finger and who instead.

On systems that use shadow files to help conceal passwords, you can use a set of four commands to set up and edit the system, making sure that key files are in sync.

• --pwconv creates /etc/shadow from /etc/passwd.
• --pwunconv creates /etc/passwd from /etc/passwd and /etc/shadow, then removes shadow.
• --grpconv creates /etc/gshadow from /etc/group.
• --grpunconv creates /etc/group from etc/group and etc/gshadow, then removes gshadow.

On larger systems, where user accounts are created and deleted regularly, these commands can help avoid possible problems.

A somewhat safer alternative for syncing files is grpck. This command edits /etc/group and /etc/gshadow, the file that helps hide group information on some systems (Figure 3). To be specific, grpck checks the validity and uniqueness of each group's name, GID, and members, as well as looking for matching entries in /etc/gshadow and removing duplications or obsolete or corrupted information.

Figure 3: Using grpck --read-only lists differences between /etc/group and /etc/gshadow but does not make any changes.

With the addition of the --read-only (-r) option, grpck lists entries that need correcting without making any changes – an option that should be run first to avoid any problems. The command can also use --sort (-s) to arrange information alphabetically, instead of adding newer entries at the bottom of the list.