Managing users and groups on Linux
Every process on Linux runs as some user. Files belong to users and groups. Understanding how to manage these is fundamental to running a multi-user system, even if that system is just your own server with a couple of service accounts.
User basics
Add a user:
useradd -m -s /bin/bash newuser
-m creates the home directory. -s sets the login shell. Without -m, the user gets no home directory and things get confusing fast.
On Debian/Ubuntu systems, adduser is a friendlier wrapper that asks for a password and creates the home directory interactively:
adduser newuser
Set or change a password:
passwd newuser
Lock an account (disable login without deleting):
passwd -l newuser
Unlock it:
passwd -u newuser
What’s in /etc/passwd
Each line in /etc/passwd represents one user:
newuser:x:1001:1001::/home/newuser:/bin/bash
Fields separated by colons: username, password (x means shadow), UID, GID, GECOS (comment), home directory, shell.
The actual password hash lives in /etc/shadow, readable only by root. If you see a password hash directly in /etc/passwd, that’s a security problem.
Groups
Groups control access to shared resources. A user has one primary group and can belong to many supplementary groups.
Create a group:
groupadd developers
Add a user to a group:
usermod -aG developers newuser
The -a flag is important. Without it, usermod -G replaces the user’s supplementary groups instead of adding to them. I’ve locked myself out of sudo this way.
Check what groups a user belongs to:
groups newuser
# or
id newuser
The sudo group
On Ubuntu, users in the sudo group can run commands as root:
usermod -aG sudo newuser
The sudoers file (/etc/sudoers) controls exactly what sudo can do. Always edit it with visudo, which checks syntax before saving. A bad sudoers file can lock everyone out of root access.
Modifying users
Change a user’s shell:
usermod -s /bin/zsh newuser
Change their home directory:
usermod -d /home/newlocation -m newuser
The -m moves the existing files to the new location.
Expire an account on a specific date:
usermod -e 2025-12-31 contractworker
Deleting users
Remove a user:
userdel newuser
Remove the user and their home directory:
userdel -r newuser
Without -r, the home directory stays behind with all its files. Sometimes that’s what you want (keeping data), sometimes it’s orphaned files nobody owns anymore.
Skeleton directory
When a new user is created, files from /etc/skel/ are copied to their home directory. This is where you put default .bashrc, .profile, or any other files you want every new user to have.
System accounts
Not every user is a person. Services like nginx, postgres, and redis each have their own accounts. These are usually created with UIDs below 1000 and /usr/sbin/nologin or /bin/false as their shell, so nobody can log in as them.
useradd -r -s /usr/sbin/nologin myservice
The -r flag creates a system account with a low UID.
Common mistakes
Using usermod -G without -a. You meant to add a group, but you replaced all supplementary groups. Now the user lost sudo access or other group memberships.
Deleting a user without -r. You end up with orphaned files owned by a UID that no longer maps to a username.
Editing /etc/passwd directly. Use vipw if you must. It locks the file and checks syntax. A typo in passwd can break logins.
Remarks
Users and groups are the access control foundation of Linux. The commands are straightforward: useradd, usermod, userdel, groupadd. The tricky part is remembering the flags (-aG, -m, -r) and not making destructive mistakes. When in doubt, id username and groups username show you the current state.
Related Posts
Vim survival guide for Linux admins
The minimum vim knowledge you need to survive on a Linux server. Editing config files without wanting to throw your keyboard.
Linux memory management: free, vmstat, and /proc
Understanding how Linux uses memory. Reading free correctly, using vmstat, and what /proc/meminfo actually tells you.
tmux: terminal multiplexing made simple
Using tmux to manage terminal sessions. Panes, windows, and why your SSH sessions should survive disconnects.