frank:x:1001:1001::/home/frank:/bin/bash

developer:x:1002:

frank:$6$i9gjM4Md4MuelZCd$7jJa8Cd2bbADFH4dwtfvTvJLOYCCCBf/.jYbK1IMYx7Wh4fErXcc2xQV...

developer:$6$7QUIhUX1WdO6$H7kOYgsboLkDseFHpk04lwAtweSUQHipoxIgo83QNDxYtYwgmZTCU0qSC...

# useradd frank

# passwd frank
Changing password for user frank.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

cat /etc/passwd | grep frank
grep frank /etc/passwd

# id frank
uid=1000(frank) gid=1000(frank) groups=1000(frank)
# groups frank
frank : frank

# userdel -r frank

# groupadd -g 1090 developer

# groupdel developer

Introduction
Managing users and groups on a Linux machine is one of the key aspects of system administration.
In fact, Linux is a multi-user operating system in which multiple users can use the same machine at
the same time.
Information about users and groups is stored in four files within the /etc/ directory tree:
/etc/passwd
a file of seven colon-delimited fields containing basic information about users
/etc/group
a file of four colon-delimited fields containing basic information about groups
/etc/shadow
a file of nine colon-delimited fields containing encrypted user passwords
/etc/gshadow
a file of four colon-delimited fields file containing encrypted group passwords
Linux Essentials (Version 1.6) | 5.2 Creating Users and Groups
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 373
All of these files are updated by a suite of command-line tools for user and group management,
which we’ll discuss later in this lesson. They can also be managed by graphical applications, specific
to each Linux distribution, which provide simpler and more immediate management interfaces.
WARNING Even though the files are plain text, do not edit them directly. Always use the
tools provided with your distribution for this purpose.
The File /etc/passwd
/etc/passwd is a world-readable file that contains a list of users, each on a separate line:
frank:x:1001:1001::/home/frank:/bin/bash
Each line consists of seven colon-delimited fields:
Username
The name used when the user logs into the system.
Password
The encrypted password (or an x if shadow passwords are used).
User ID (UID)
The ID number assigned to the user in the system.
Group ID (GID)
The primary group number of the user in the system.
GECOS
An optional comment field, which is used to add extra information about the user (such as the
full name). The field can contain multiple comma-separated entries.
Home directory
The absolute path of the user’s home directory.
Shell
The absolute path of the program that is automatically launched when the user logs into the
system (usually an interactive shell such as /bin/bash).
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
374 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
The File /etc/group
/etc/group is a world-readable file that contains a list of groups, each on a separate line:
developer:x:1002:
Each line consists of four colon-delimited fields:
Group Name
The name of the group.
Group Password
The encrypted password of the group (or an x if shadow passwords are used).
Group ID (GID)
The ID number assigned to the group in the system.
Member list
A comma-delimited list of users belonging to the group, except those for whom this is the
primary group.
The File /etc/shadow
/etc/shadow is a file readable only by root and users with root privileges and contains the encrypted
passwords of the users, each on a separate line:
frank:$6$i9gjM4Md4MuelZCd$7jJa8Cd2bbADFH4dwtfvTvJLOYCCCBf/.jYbK1IMYx7Wh4fErXcc2xQVU
2N1gb97yIYaiqH.jjJammzof2Jfr/:18029:0:99999:7:::
Each line consists of nine colon-delimited fields:
Username
The name used when user logs into the system.
Encrypted password
The encrypted password of the user (if the value is !, the account is locked).
Linux Essentials (Version 1.6) | 5.2 Creating Users and Groups
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 375
Date of last password change
The date of the last password change, as number of days since 01/01/1970. A value of 0 means
that the user must change the password at the next access.
Minimum password age
The minimum number of days, after a password change, which must pass before the user will be
allowed to change the password again.
Maximum password age
The maximum number of days that must pass before a password change is required.
Password warning period
The number of days, before the password expires, during which the user is warned that the
password must be changed.
Password inactivity period
The number of days after a password expires during which the user should update the password.
After this period, if the user does not change the password, the account will be disabled.
Account expiration date
The date, as number of days since 01/01/1970, in which the user account will be disabled. An
empty field means that the user account will never expire.
A reserved field
A field that is reserved for future use.

The File /etc/gshadow
/etc/gshadow is a file readable only by root and by users with root privileges that contains
encrypted passwords for groups, each on a separate line:
developer:$6$7QUIhUX1WdO6$H7kOYgsboLkDseFHpk04lwAtweSUQHipoxIgo83QNDxYtYwgmZTCU0qSC
uCkErmyR263rvHiLctZVDR7Ya9Ai1::
Each line consists of four colon-delimited fields:
Group name
The name of the group.
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
376 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
Encrypted password
The encrypted password for the group (it is used when a user, who is not a member of the group,
wants to join the group using the newgrp command—if the password starts with !, no one is
allowed to access the group with newgrp).
Group administrators
A comma-delimited list of the administrators of the group (they can change the password of the
group and can add or remove group members with the gpasswd command).
Group members
A comma-delimited list of the members of the group.
Now that we’ve seen where user and group information is stored, let’s talk about the most important
command-line tools to update these files.
Adding and Deleting User Accounts
In Linux, you add a new user account with the useradd command, and you delete a user account
with the userdel command.
If you want to create a new user account named frank with a default setting, you can run the
following:
# useradd frank
After creating the new user, you can set a password using passwd:
# passwd frank
Changing password for user frank.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Both of these commands require root authority. When you run the useradd command, the user and
group information stored in password and group databases are updated for the newly created user
account and, if specified, the home directory of the new user is created as well as a group with the
same name as the user account.
Linux Essentials (Version 1.6) | 5.2 Creating Users and Groups
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 377
TIP
Remember that you can always use the grep utility to filter the password and group
databases, displaying only the entry that refers to a specific user or group. For the
above example you can use
cat /etc/passwd | grep frank
or
grep frank /etc/passwd
to see basic information on the newly created frank account.
The most important options which apply to the useradd command are:
-c
Create a new user account with custom comments (for example full name).
-d
Create a new user account with a custom home directory.
-e
Create a new user account by setting a specific date on which it will be disabled.
-f
Create a new user account by setting the number of days after the password expires during
which the user should update the password.
-g
Create a new user account with a specific GID
-G
Create a new user account by adding it to multiple secondary groups.
-m
Create a new user account with its home directory.
-M
Create a new user account without its home directory.
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
378 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
-s
Create a new user account with a specific login shell.
-u
Create a new user account with a specific UID.
Once the new user account is created, you can use the id and groups commands to find out its UID,
GID and the groups to which it belongs.
# id frank
uid=1000(frank) gid=1000(frank) groups=1000(frank)
# groups frank
frank : frank
TIP
Remember to check and eventually edit the /etc/login.defs file, which defines the
configuration parameters that control the creation of users and groups. For example,
you can set the range of UIDs and GIDs that can be assigned to new user and group
accounts, specify that you don’t need to use the -m option to create the new user’s
home directory and if the system should automatically create a new group for each
new user.
If you want to delete a user account, you can use the userdel command. In particular, this command
updates the information stored in the account databases, deleting all entries referring to the specified
user. The -r option also removes the user’s home directory and all of its contents, along with the
user’s mail spool. Other files, located elsewhere, must be searched for and deleted manually.
# userdel -r frank
As before, you need root authority to delete user accounts.

The Skeleton Directory
When you add a new user account, even creating its home directory, the newly created home
directory is populated with files and folders that are copied from the skeleton directory (by default
/etc/skel). The idea behind this is simple: a system administrator wants to add new users having
the same files and directories in their home. Therefore, if you want to customize the files and folders
that are created automatically in the home directory of the new user accounts, you must add these
new files and folders to the skeleton directory.
Linux Essentials (Version 1.6) | 5.2 Creating Users and Groups
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 379
TIP
Note that the profile files that are usually found in the skeleton directory are hidden
files. Therefore, if you want to list all the files and folders in the skeleton directory,
which will be copied to the home dir of the newly created users, you must use the ls
-Al command.
Adding and Deleting Groups
As for group management, you can add or delete groups using the groupadd and groupdel
commands.
If you want to create a new group named developer, you can run the following command as root:
# groupadd -g 1090 developer
The -g option of this command creates a group with a specific GID.
If you want to delete the developer group, you can run the following:
# groupdel developer
WARNING
Remember that when you add a new user account, the primary group and the
secondary groups to which it belongs must exist before launching the
useradd command. Also, you cannot delete a group if it is the primary group
of a user account.
The passwd Command
This command is primarily used to change a user’s password. Any user can change their password,
but only root can change any user’s password.
Depending on the passwd option used, you can control specific aspects of password aging:
-d
Delete the password of a user account (thus setting an empty password, making it a passwordless
account).
-e
Force the user account to change the password.
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
380 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
-l
Lock the user account (the encrypted password is prefixed with an exclamation mark).
-u
Unlock the user account (it removes the exclamation mark).
-S
Output information about the password status for a specific account.
These options are available only for root. To see the full list of options, refer to the man pages.

Guided Exercises
1. For each of the following entries, indicate the file to which it refers:
◦ developer:x:1010:frank,grace,dave
◦ root:x:0:0:root:/root:/bin/bash
◦ henry:$1$.AbCdEfGh123456789A1b2C3d4.:18015:20:90:5:30::
◦ henry:x:1000:1000:User Henry:/home/henry:/bin/bash
◦ staff:!:dave:carol,emma
2. Observe the following output to answer the next seven questions:
# cat /etc/passwd | tail -3
dave:x:1050:1050:User Dave:/home/dave:/bin/bash
carol:x:1051:1015:User Carol:/home/carol:/bin/sh
henry:x:1052:1005:User Henry:/home/henry:/bin/tcsh
# cat /etc/group | tail -3
web_admin:x:1005:frank,emma
web_developer:x:1010:grace,kevin,christian
dave:x:1050:
# cat /etc/shadow | tail -3
dave:$6$AbCdEfGh123456789A1b2C3D4e5F6G7h8i9:0:20:90:7:30::
carol:$6$q1w2e3r4t5y6u7i8AbcDeFgHiLmNoPqRsTu:18015:0:60:7:::
henry:!$6$123456789aBcDeFgHa1B2c3d4E5f6g7H8I9:18015:0:20:5:::
# cat /etc/gshadow | tail -3
web_admin:!:frank:frank,emma
web_developer:!:kevin:grace,kevin,christian
dave:!::
◦ What is the User ID (UID) and Group ID (GID) of carol?
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
382 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
◦ What shell is set for dave and henry?
◦ What is the name of the primary group of henry?
◦ What are the members of the web_developer group? Which of these are group
administrators?
◦ Which user cannot log into the system?
◦ Which user should change the password the next time he will log into the system?
◦ How many days must pass before a password change is required for carol?
Linux Essentials (Version 1.6) | 5.2 Creating Users and Groups
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 383
Explorational Exercises
1. Working as root, run the useradd -m dave command to add a new user account. What
operations does this command perform? Assume that CREATE_HOME and USERGROUPS_ENAB in
/etc/login.defs are set to yes.
2. Now that you have created the dave account, can this user login to the system?
3. Identify the User ID (UID) and Group ID (GID) of dave and all members of the dave group.
4. Create the sys_admin, web_admin and db_admin groups and identify their Group IDs (GIDs).
5. Add a new user account named carol with UID 1035 and set sys_admin as its primary group and
web_admin and db_admin as its secondary groups.
6. Delete the dave and carol user accounts and the sys_admin, web_admin and db_admin groups that
you have previously created.
7. Run the ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow command and describe the
output that it gives you in terms of file permissions. Which of these four files are shadowed for
security reasons? Assume your system uses shadow passwords.
8. Run the ls -l /usr/bin/passwd command. Which special bit is set and what is its meaning?
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
384 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
Summary
In this lesson, you learned:
• The fundamentals of user and group management in Linux
• Manage user and group information stored in password and group databases
• Maintain the skeleton directory
• Add and remove user accounts
• Add and remove group accounts
• Change the password of user accounts
The following commands were discussed in this lesson:
useradd
Create a new user account.
groupadd
Create a new group account.
userdel
Delete a user account.
groupdel
Delete a group account.
passwd
Change the password of user accounts and control all aspects of password aging.

Answers to Guided Exercises
1. For each of the following entries, indicate the file to which it refers:
◦ developer:x:1010:frank,grace,dave
/etc/group
◦ root:x:0:0:root:/root:/bin/bash
/etc/passwd
◦ henry:$1$.AbCdEfGh123456789A1b2C3d4.:18015:20:90:5:30::
/etc/shadow
◦ henry:x:1000:1000:User Henry:/home/henry:/bin/bash
/etc/passwd
◦ staff:!:dave:carol,emma
/etc/gshadow
2. Observe the following output to answer the next seven questions:
# cat /etc/passwd | tail -3
dave:x:1050:1050:User Dave:/home/dave:/bin/bash
carol:x:1051:1015:User Carol:/home/carol:/bin/sh
henry:x:1052:1005:User Henry:/home/henry:/bin/tcsh
# cat /etc/group | tail -3
web_admin:x:1005:frank,emma
web_developer:x:1010:grace,kevin,christian
dave:x:1050:
# cat /etc/shadow | tail -3
dave:$6$AbCdEfGh123456789A1b2C3D4e5F6G7h8i9:0:20:90:7:30::
carol:$6$q1w2e3r4t5y6u7i8AbcDeFgHiLmNoPqRsTu:18015:0:60:7:::
henry:!$6$123456789aBcDeFgHa1B2c3d4E5f6g7H8I9:18015:0:20:5:::
# cat /etc/gshadow | tail -3
web_admin:!:frank:frank,emma
web_developer:!:kevin:grace,kevin,christian
dave:!::
◦ What is the User ID (UID) and Group ID (GID) of carol?
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
386 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
The UID is 1051 and the GID is 1015 (the third and fourth fields in /etc/passwd).
◦ What shell is set for dave and henry?
dave uses /bin/bash and henry uses /bin/tcsh (the seventh field in /etc/passwd).
◦ What is the name of the primary group of henry?
The group name is web_admin (the first field in /etc/group).
◦ What are the members of the web_developer group? Which of these are group
administrators?
The members are grace, kevin and christian (the fourth field in /etc/group), but only
kevin is the administrator of the group (the third field in /etc/gshadow).
◦ Which user cannot log into the system?
The henry user account is locked (it has an exclamation mark in front of the password
hashes in /etc/shadow).
◦ Which user should change the password the next time he will log into the system?
If the third field (Date of Last Password Change) in /etc/shadow is 0, the user should change
his password the next time he will log into the system. Therefore, dave must change his
password.
◦ How many days must pass before a password change is required for carol?
60 days (the fifth field in /etc/shadow).
Linux Essentials (Version 1.6) | 5.2 Creating Users and Groups
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 387
Answers to Explorational Exercises
1. Working as root, run the useradd -m dave command to add a new user account. What
operations does this command perform? Assume that CREATE_HOME and USERGROUPS_ENAB in
/etc/login.defs are set to yes.
The command adds a new user, named dave, to the list of users in the system. The home
directory of dave is created (by default /home/dave) and the files and directories contained in the
skeleton directory are copied to the home directory. Finally, new group is created with the same
name as the user account.
2. Now that you have created the dave account, can this user login to the system?
No, because the dave account is locked (see the exclamation mark in /etc/shadow).
# cat /etc/shadow | grep dave
dave:!:18015:0:99999:7:::
If you set a password for dave, the account will be unlocked. You can do this using the passwd
command.
# passwd dave
Changing password for user dave.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
3. Identify the User ID (UID) and Group ID (GID) of dave and all members of the dave group.
# cat /etc/passwd | grep dave
dave:x:1015:1019::/home/dave:/bin/sh
# cat /etc/group | grep 1019
dave:x:1019:
The UID and GID of dave are 1015 and 1019 respectively (the third and fourth fields in
/etc/passwd) and the dave group has no members (the fourth field in /etc/group is empty).
4. Create the sys_admin, web_admin and db_admin groups and identify their Group IDs (GIDs).
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
388 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
# groupadd sys_admin
# groupadd web_admin
# groupadd db_admin
# cat /etc/group | grep admin
sys_admin:x:1020:
web_admin:x:1021:
db_admin:x:1022:
The GIDs for the sys_admin, web_admin and db_admin groups are 1020, 1021 and 1022
respectively.
5. Add a new user account named carol with UID 1035 and set sys_admin as its primary group and
web_admin and db_admin as its secondary groups.
# useradd -u 1035 -g 1020 -G web_admin,db_admin carol
# id carol
uid=1035(carol) gid=1020(sys_admin)
groups=1020(sys_admin),1021(web_admin),1022(db_admin)
6. Delete the dave and carol user accounts and the sys_admin, web_admin and db_admin groups that
you have previously created.
# userdel -r dave
# userdel -r carol
# groupdel sys_admin
# groupdel web_admin
# groupdel db_admin
7. Run the ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow command and describe the
output that it gives you in terms of file permissions. Which of these four files are shadowed for
security reasons? Assume your system uses shadow passwords.
# ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow
-rw-r–r– 1 root root 853 mag 1 08:00 /etc/group
-rw-r—– 1 root shadow 1203 mag 1 08:00 /etc/gshadow
-rw-r–r– 1 root root 1354 mag 1 08:00 /etc/passwd
-rw-r—– 1 root shadow 1563 mag 1 08:00 /etc/shadow
The /etc/passwd and /etc/group files are world readable and are shadowed for security reasons.
Linux Essentials (Version 1.6) | 5.2 Creating Users and Groups
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 389
When shadow passwords are used, you can see an x in the second field of these files because the
encrypted passwords for users and groups are stored in /etc/shadow and /etc/gshadow, which
are readable only by root and, in some systems, also by members belonging to the shadow group.
8. Run the ls -l /usr/bin/passwd command. Which special bit is set and what is its meaning?
# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 42096 mag 17 2015 /usr/bin/passwd
The passwd command has the SUID bit set (the fourth character of this line), which means that
the command is executed with the privileges of the file’s owner (thus root). This is how ordinary
users can change their password.