107.1 Manage User and Group Accounts and Related System Files

Weight: 5

Goal: Add, remove, suspend, and change user accounts.

This is a high-weight objective — expect several questions on the exam.

1. The Four Core User/Group Files

Linux stores account information in four plain text files in /etc. Know them cold.

File Contents Permissions
/etc/passwd One line per user: account info (no password). World-readable (644).
/etc/shadow One line per user: encrypted password and aging info. Root-only (640 or 400).
/etc/group One line per group: group name, GID, member list. World-readable (644).
/etc/gshadow Encrypted group passwords and group admins. Root-only.

The “shadow” files exist because the password and group files are world-readable, and password hashes must not be exposed to ordinary users.

2. /etc/passwd — User Accounts

Each line has seven colon-separated fields:

username:password:UID:GID:GECOS:home_directory:login_shell

Example:

alice:x:1001:1001:Alice Smith,,,:/home/alice:/bin/bash
Field Meaning
username Login name.
password An x means the real password is in /etc/shadow. (Historically the hash was here.)
UID Numeric user ID. 0 is root. Service users are usually 1–999; regular users start at 1000.
GID The user’s primary group ID (matches an entry in /etc/group).
GECOS Comment field: full name, room, phone — typically just the full name.
home_directory Path to the user’s home, e.g. /home/alice.
login_shell Default shell, e.g. /bin/bash. Use /usr/sbin/nologin or /bin/false to prevent login.

UID conventions

3. /etc/shadow — Encrypted Passwords and Aging

Each line has nine colon-separated fields:

username:password:last_change:min:max:warn:inactive:expire:reserved

Example:

alice:$6$abc...$xyz...:19400:0:99999:7:::
Field Meaning
username Must match /etc/passwd.
password Hashed password. Special values: * or ! = account locked / no password set; empty = no password required (dangerous).
last_change Date of the last password change, in days since 1 Jan 1970.
min Minimum days between password changes (0 = can change anytime).
max Maximum days a password is valid before it must be changed.
warn Days before expiry to start warning the user.
inactive Days after password expires that the account is still usable; after that it is disabled.
expire Absolute account expiration date (days since 1970). After this date the account is disabled regardless of password.
reserved Reserved for future use.

The hash starts with an algorithm identifier: $1$ = MD5, $5$ = SHA-256, $6$ = SHA-512 (the modern default).

4. /etc/group — Groups

Each line has four colon-separated fields:

groupname:password:GID:member_list

Example:

developers:x:1500:alice,bob,carol
Field Meaning
groupname Name of the group.
password Almost always x (real one in /etc/gshadow) or empty.
GID Numeric group ID.
member_list Comma-separated usernames who are secondary members of this group.

A user’s primary group is the GID in their /etc/passwd line — it is not repeated in /etc/group’s member list. Every other group the user belongs to is a secondary (supplementary) group, and those memberships appear here.

5. /etc/gshadow — Group Shadow File

Format:

groupname:password:administrators:members

Rarely edited by hand. Stores hashed group passwords and lists of group admins. Most systems do not use group passwords at all.

6. Creating Users: useradd and adduser

useradd — the low-level tool

# useradd [options] username
useradd alice                       # create user "alice" with system defaults
useradd -m alice                    # also create the home directory
useradd -m -s /bin/bash alice       # set the login shell
useradd -m -c "Alice Smith" alice   # set the GECOS comment
useradd -u 1500 alice               # specify the UID
useradd -g developers alice         # set the primary group
useradd -G wheel,sudo alice         # set supplementary groups
useradd -d /srv/alice alice         # specify the home directory
useradd -e 2026-12-31 alice         # set account expiration date
useradd -r daemonuser               # create a system account (no aging, low UID)

Important: useradd alone does not set a password. Run passwd alice afterwards, or the account will be locked.

When -m is used, files from /etc/skel/ are copied into the new home directory (see objective 105.1).

Defaults: /etc/default/useradd and /etc/login.defs

adduser — the friendly wrapper

On Debian/Ubuntu, adduser is a friendlier script that calls useradd for you. It creates the home, copies skel files, prompts for a password and GECOS info, etc.

adduser alice

The exam may mention both, so know that useradd is the standard command and adduser is a higher-level helper.

7. Modifying Users: usermod

# usermod [options] username
usermod -l newname oldname          # rename the account
usermod -d /home/new -m alice       # change home dir, move contents
usermod -s /bin/zsh alice           # change login shell
usermod -c "Alice Jones" alice      # change GECOS comment
usermod -u 2000 alice               # change UID
usermod -g newgroup alice           # change primary group
usermod -G wheel,sudo alice         # REPLACE supplementary groups
usermod -aG docker alice            # APPEND to supplementary groups (-a needs -G)
usermod -L alice                    # LOCK the account
usermod -U alice                    # UNLOCK the account
usermod -e 2026-12-31 alice         # set account expiration

Exam trap: usermod -G groups replaces the supplementary group list. To add a user to a new group without losing existing memberships, use -aG together.

8. Deleting Users: userdel

userdel alice                       # remove user, keep home directory and mail
userdel -r alice                    # remove user, home directory, and mail
userdel -f alice                    # force removal even if logged in

-r is the one you must remember: it also deletes /home/alice and /var/spool/mail/alice.

9. Group Management: groupadd, groupmod, groupdel

groupadd developers                 # create a group
groupadd -g 1500 developers         # specify the GID
groupadd -r systemgroup             # create a system group (low GID)

groupmod -n newname oldname         # rename a group
groupmod -g 1600 developers         # change a group's GID

groupdel developers                 # delete a group

You cannot delete a group that is the primary group of any user.

gpasswd — manage group membership and admins

gpasswd -a alice developers         # add alice to the developers group
gpasswd -d alice developers         # remove alice from developers
gpasswd -A bob developers           # make bob a group administrator
gpasswd developers                  # set a group password (rarely used)

10. Passwords and Aging: passwd and chage

passwd — change a password

passwd                              # change YOUR password
passwd alice                        # root changes alice's password
passwd -l alice                     # LOCK alice (prepends ! to the hash)
passwd -u alice                     # UNLOCK alice
passwd -d alice                     # DELETE password — no password required (dangerous)
passwd -e alice                     # EXPIRE password — alice must change at next login
passwd -S alice                     # show password STATUS

passwd -S output looks like:

alice PS 2026-01-15 0 99999 7 -1

The letters mean: PS = password set, LK = locked, NP = no password.

chage — change password aging

chage (CHange AGE) edits the aging fields in /etc/shadow in a friendly way.

chage -l alice                      # LIST aging info for alice
chage alice                         # interactive mode (asks each field)
chage -M 90 alice                   # MAX days: must change every 90 days
chage -m 7 alice                    # MIN days between changes
chage -W 14 alice                   # WARN 14 days before expiry
chage -I 30 alice                   # INACTIVE: 30 days after expiry, lock account
chage -E 2026-12-31 alice           # account EXPIRATION date
chage -d 0 alice                    # force password change at next login

Memorize the flag-to-field mapping:

Flag /etc/shadow field
-m Minimum days
-M Maximum days
-W Warning days
-I Inactive days
-E Expiration date
-d Last change date

11. Information Commands

Command Shows
id UID, GID, and groups of a user. id alice
whoami Your effective username.
who Who is currently logged in (from /var/run/utmp).
w Who is logged in and what they’re doing.
users Just the names of currently logged-in users.
last History of logins (from /var/log/wtmp).
groups alice Groups alice belongs to.
getent passwd alice Look up alice in the system’s user databases (passwd, LDAP, etc.).
getent group developers Same, for groups.

getent is important when the system uses NSS (Name Service Switch) — for example, when users come from LDAP or NIS, not just /etc/passwd. Always use getent instead of grep /etc/passwd if you want a complete answer.

12. Suspending vs. Deleting an Account

The objective explicitly mentions suspending accounts. Several ways to do it:

Method What it does
passwd -l alice Locks the password (prepends ! to the hash). User can’t log in with a password — but key-based SSH may still work.
usermod -L alice Same effect as passwd -l.
usermod -e 1 Sets account expiration to a date in the past — account fully disabled.
Change shell to /usr/sbin/nologin User can’t get an interactive shell.
chage -E 0 alice Sets expiration to the epoch — account disabled.

To resume the account: passwd -u alice or usermod -U alice.

13. Quick Reference for the Exam

Files:

Commands:

14. Likely Exam Questions (Self-Check)

  1. How many fields does /etc/passwd have, and what are they? Seven: username:password:UID:GID:GECOS:home:shell.

  2. What does an x in the password field of /etc/passwd mean? The real password hash is stored in /etc/shadow.

  3. Where is the encrypted password actually stored? In /etc/shadow.

  4. What is the difference between usermod -G and usermod -aG? -G replaces the supplementary group list. -aG appends to it.

  5. You want to delete alice and her home directory in one command. What is it? userdel -r alice.

  6. How do you lock an account so the user cannot log in with a password? passwd -l alice or usermod -L alice.

  7. What flag of chage sets the maximum password age (days)? -M.

  8. What does chage -d 0 alice do? Forces alice to change her password at the next login.

  9. What is the typical starting UID for regular human users on a modern Linux? 1000.

  10. Where are the defaults for useradd configured? In /etc/default/useradd (and system-wide policy in /etc/login.defs).

  11. What command is preferred over grep /etc/passwd to look up a user when LDAP or NIS may be in use? getent passwd username.

  12. What does id alice show? Alice’s UID, primary GID, and all supplementary groups.

  13. Which file contains the date of the last password change? /etc/shadow (field 3, in days since 1 Jan 1970).

  14. What number identifies the root user? UID 0.

  15. Why can system accounts often not log in? Their login shell is set to /usr/sbin/nologin or /bin/false, and/or their password is locked.