Linux Users and Groups
Learn how Linux accounts and groups work, and how to manage users, passwords, sudo access, and account files.
Why User Management Matters
Linux is designed for multiple users. Even on a single server, different services, admins, and automation systems may run under different accounts. Good account management improves security, auditing, and operational safety.
Instead of giving every process full root access, Linux encourages controlled access through users, groups, and privilege escalation tools.
Core Identity Commands
Start with the commands that tell you who you are.
whoami
id
whoami prints your current username. id shows your numeric user ID, primary group, and supplementary groups.
Example output:
uid=1001(devops) gid=1001(devops) groups=1001(devops),27(sudo),998(docker)
This tells you not only the user name, but also what groups affect your permissions.
Creating and Removing Users
Use useradd to create a user account.
sudo useradd -m -s /bin/bash deploy
Common options:
-mcreates the home directory-ssets the login shell
Set a password with:
sudo passwd deploy
Remove a user with:
sudo userdel deploy
sudo userdel -r deploy
-r also removes the home directory.
Tip: Be careful with
userdel -rbecause it removes the user’s home data too.
Modifying Users with usermod
usermod updates existing accounts.
sudo usermod -aG docker deploy
sudo usermod -s /bin/zsh deploy
The -aG combination appends the user to supplementary groups. This is important: using -G without -a can replace existing group memberships.
Working with Groups
Groups make permission management easier.
Create a group:
sudo groupadd developers
Add a user to it:
sudo usermod -aG developers deploy
Groups are useful when multiple users need access to the same application directories, logs, or deployment scripts.
sudo vs su
sudo
sudo runs a command with elevated privileges, typically as root.
sudo systemctl restart nginx
sudo cat /etc/shadow
It is preferred because it gives controlled, auditable elevation for specific commands.
su
su switches to another user account.
su - deploy
sudo su -
su - starts a full login shell for the target user.
In modern administration, sudo is usually favored over sharing the root password.
Important Account Files
/etc/passwd
/etc/passwd stores basic account information such as username, UID, GID, home directory, and login shell.
cat /etc/passwd
A sample entry looks like this:
deploy:x:1002:1002:Deployment User:/home/deploy:/bin/bash
/etc/shadow
/etc/shadow stores password hashes and password policy information.
sudo cat /etc/shadow
This file is restricted because password hashes are sensitive.
Note:
/etc/passwdis readable by normal users on many systems, but/etc/shadowshould be protected.
Managing Sudo Access
Sudo permissions are often configured through /etc/sudoers or files in /etc/sudoers.d/.
Always edit sudo rules with:
sudo visudo
visudo checks syntax before saving. That matters because a broken sudoers file can lock administrators out of privileged access.
A common pattern is group-based sudo access, such as allowing members of a sudo or wheel group to elevate privileges.
Real-World Scenarios
Granting Docker Access
A CI user needs to run Docker commands without typing sudo each time.
sudo usermod -aG docker ci-runner
The user may need to log out and back in before the new group membership applies.
Creating a Deployment Account
You might create a dedicated account that owns application files and runs deployment scripts.
sudo useradd -m -s /bin/bash deploy
sudo passwd deploy
sudo usermod -aG developers deploy
This keeps deployment activity separate from personal admin accounts.
Best Practices
- avoid direct root logins when possible
- prefer
sudoover sharing root credentials - assign access through groups instead of one-off permission hacks
- review
/etc/passwd,/etc/shadow, and sudo rules carefully - use service accounts for applications and automation
Test Your Understanding
Let's see how well you understood the concepts! These exercises will help reinforce what you just learned.
Exercise 1: Preserving existing groups
Question: Why is usermod -aG docker deploy safer than using -G docker without -a?
Exercise 1: Preserving existing groups
Choose why the append flag matters when modifying supplementary group membership.
Exercise 2: Distinguishing passwd and shadow
Question: Which file from the lesson stores password hashes and therefore needs tighter protection?
Exercise 2: Distinguishing passwd and shadow
Identify which account file contains password hashes.
Exercise 3: Avoiding broken sudoers files
Question: What is the key reason to use visudo when changing sudo rules?
Exercise 3: Avoiding broken sudoers files
Choose why visudo is the recommended editor for sudo configuration.