User Management

Linux is multi-user. Every person, service, and application can have its own account with its own permissions.

Understanding Users

Terminal
$ whoami
john
$ id
uid=1000(john) gid=1000(john) groups=1000(john),27(sudo),docker

Every user has:

  • UID - Unique ID number (0 = root)
  • GID - Primary group ID
  • Home directory - Usually /home/username
  • Shell - Default command interpreter

View All Users

Terminal
$ cat /etc/passwd | head -5
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync

Format: username:password:UID:GID:info:home:shell

The x means the password is not stored here; its hash lives in /etc/shadow.
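As an added example that is not part of the original page, here is a small POSIX shell audit of that seven-field format: it lists accounts with UID 0 (root-equivalent whatever the name), accounts that still have a real login shell, accounts whose password field is not x, and UIDs shared by more than one account. The sample file is constructed, and the names rootclone and svc are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: audit lines in the
# username:password:UID:GID:info:home:shell format described above.
# Each function takes a passwd-style file; the sample below is constructed.

# Accounts with UID 0: every one of these is root, whatever its name.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts that can still get an interactive shell (not nologin/false).
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Accounts whose password field is not "x", i.e. the hash is not kept in
# /etc/shadow; an empty field means no password is required at all.
nonshadow_password_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# UIDs shared by more than one account, printed as "uid:name1 name2".
duplicate_uids() {
    awk -F: '{ names[$3] = (names[$3] == "" ? $1 : names[$3] " " $1); n[$3]++ }
             END { for (u in n) if (n[u] > 1) print u ":" names[u] }' "$1"
}

# Constructed sample file; "rootclone" and "svc" are hypothetical names
# chosen to show what each check flags. Use /etc/passwd on a real host.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john:x:1000:1000:John:/home/john:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
rootclone:x:0:0::/root:/bin/bash
svc::1002:1002::/var/svc:/bin/false
EOF

echo "UID 0 accounts:";         uid0_accounts "$SAMPLE_PASSWD"
echo "Login shells:";           login_shell_accounts "$SAMPLE_PASSWD"
echo "Password not in shadow:"; nonshadow_password_accounts "$SAMPLE_PASSWD"
echo "Duplicate UIDs:";         duplicate_uids "$SAMPLE_PASSWD"
```

On a real host, pass /etc/passwd instead of the sample file; anything the first, third or fourth check prints deserves a look.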

Create a User

Terminal
$ sudo useradd -m -s /bin/bash newuser
# -m creates home directory
# -s sets default shell

Or use the interactive version:

Terminal
$ sudo adduser newuser
Adding user 'newuser'...
Adding new group 'newuser' (1001)...
Adding new user 'newuser' (1001)...
Creating home directory '/home/newuser'...
Enter new UNIX password:

adduser vs useradd

adduser is friendlier (interactive, creates home dir). useradd is lower-level (needs flags). On Debian/Ubuntu, prefer adduser.

Set/Change Password

Terminal
$ sudo passwd newuser
New password:
Retype new password:
passwd: password updated successfully

Force password change on next login:

Terminal
$ sudo passwd -e newuser
(password expired, must change at login)

Modify User

Terminal
# Change shell
$ sudo usermod -s /bin/zsh john

# Add to group
$ sudo usermod -aG docker john

# Change home directory
$ sudo usermod -d /home/newjohn -m john

Use -aG for Groups

usermod -G docker replaces the user's entire supplementary group list with just docker. usermod -aG docker appends docker to the existing groups. The -a is critical!

Delete User

Terminal
# Keep home directory
$ sudo userdel olduser

# Remove home directory too
$ sudo userdel -r olduser

Or interactive:

Terminal
$ sudo deluser --remove-home olduser

Lock/Unlock Account

Terminal
$# Lock (disable login)
$ sudo passwd -l baduser
(lock, disables password login)

$ sudo passwd -u baduser
(unlock)

Or use usermod:

Terminal
$ sudo usermod -L baduser
(lock)
$ sudo usermod -U baduser
(unlock)

Switch User

Terminal
$ su - john
(switch to john, load their environment)
$ su john
(switch to john, keep current environment)
$ sudo -u john command
(run single command as john)

Practical: Create Deploy User

#!/bin/bash
# Create a deploy user for applications
set -euo pipefail

# Create user; no password is set, so password login is not possible
sudo useradd -m -s /bin/bash deploy

# Add to relevant groups
sudo usermod -aG www-data deploy
sudo usermod -aG docker deploy

# Set up SSH key access instead of password
sudo mkdir -p /home/deploy/.ssh
sudo touch /home/deploy/.ssh/authorized_keys
sudo chown -R deploy:deploy /home/deploy/.ssh
sudo chmod 700 /home/deploy/.ssh
sudo chmod 600 /home/deploy/.ssh/authorized_keys

# Lock the password so it can never be used to log in
sudo passwd -l deploy

echo "Deploy user created. Add SSH public keys to /home/deploy/.ssh/authorized_keys"

Knowledge Check

What does 'usermod -aG docker john' do?

Quick Reference

Command                  Purpose
useradd -m user          Create user
adduser user             Create user (interactive)
passwd user              Set password
usermod -aG group user   Add to group
userdel -r user          Delete user + home
passwd -l user           Lock account
su - user                Switch user

Key Takeaways

  • adduser is friendlier than useradd
  • Always use -aG (append) when adding to groups
  • passwd -l locks accounts without deleting
  • Service accounts often use /usr/sbin/nologin shell
  • Create dedicated users for applications
  • Use SSH keys instead of passwords when possible

Next: managing groups.