wEEK 8
User and Group Management
Learning Focus
This week introduces how Linux handles users and groups. You’ll learn how to add and manage accounts, assign permissions, and understand the files that define access. These concepts are critical for system administration and for keeping systems secure and organized.
U-G-R-A (Users → Groups → Roles → Access)
T — Text Files
Linux is a multi-user operating system, which means multiple people or services can use the same machine at the same time — each through a unique user account.
Every user has their own environment, permissions, and data boundaries. Understanding how Linux represents and manages users is foundational for both security and system organization.
1. What is a User Account?
A user account defines who is accessing the system and what that person (or process) can do.
Each account is identified by:
Field | Description | Example |
|---|---|---|
| Username | Human-readable name used for login. | olena, testuser |
| UID (User ID) | Numeric identifier assigned by the system. | 1000 |
| Primary Group (GID) | Default group the user belongs to. | 1000 |
| Home Directory | Personal folder for files and configurations. | /home/olena |
| Shell | Program used to interact with the system. | /bin/bash |
All this information is stored in the file /etc/passwd, which Linux reads during login.
2. System Users vs. Regular Users
Linux distinguishes between different kinds of users:
| Type | UID Range | Purpose |
|---|---|---|
| System accounts | 0–999 | Used by services and background processes (e.g., daemon, syslog, mysql). |
| Regular users | 1000+ | Created for human users who log in interactively. |
| Root | 0 | The superuser — full system control. |
System accounts are not for people — they isolate services for safety. For example, the web server runs as www-data, not as root, so if compromised, the attacker can’t access everything.
3. The Root Account
The root account is the most powerful user in Linux.
It bypasses all permission checks — root can modify system files, install packages, or even delete the entire filesystem.
Because of that, normal users do not log in as root directly. Instead, they use the sudo command to execute individual administrative tasks with elevated privileges.
sudo useradd -m -s /bin/bash testuser
Here, sudo temporarily gives administrative rights to create a new user.
This approach enforces the principle of least privilege — users only get the access they need, reducing the risk of accidents or exploits.
4. Viewing User Information
You can inspect the users currently defined on your system using several commands:
| Command | Description | Example Output |
|---|---|---|
who | Shows who is currently logged in. | olena pts/0 2025-10-05 09:00 |
id | Displays your UID, GID, and groups. | uid=1000(olena) gid=1000(olena) groups=1000(olena),27(sudo) |
groups | Lists all groups you belong to. |
|
To view all user entries: cat /etc/passwd | less
Each line in this file has 7 fields separated by colons: username:x:UID:GID:comment:home_directory:shell
Example: testuser:x:1001:1001:Test User:/home/testuser:/bin/bash
The “x” in the password field indicates that the real password is stored securely in /etc/shadow, accessible only to root.
5. Key Files for User Management
| File | Purpose | Permissions |
|---|---|---|
/etc/passwd | Lists all user accounts and basic info. | Readable by everyone. |
/etc/shadow | Stores encrypted passwords and aging info. | Readable only by root. |
/etc/group | Defines all groups and which users belong to them. | Readable by everyone. |
System administrators use these files (directly or indirectly) when managing authentication, permissions, and user access policies.
G – Groups
While user accounts define who you are, groups define what you can access.
Groups in Linux make it possible to organize users and assign permissions collectively, instead of configuring each account separately. This is essential for managing shared systems efficiently and securely.
1. What is a Group?
A group is a logical collection of users that share common permissions.
Groups are often created for shared projects or departments so that users within the group can access the same files or directories without changing individual permissions.
For example:
The developers group could have access to project code in
/opt/projects/.The students group could share course files in
/srv/class_data/.The sudo group allows users to perform administrative tasks.
Each group has:
| Field | Description | Example |
|---|---|---|
| Group Name | Human-readable name used for permissions. | projectgroup |
| GID (Group ID) | Numeric identifier for the group. | 1001 |
| Members | Users belonging to this group. | alice, bob |
Groups simplify permission management by treating access control as a team-based concept rather than a per-user configuration.
2. Types of Groups
Linux uses two main types of groups:
| Type | Description | Example |
|---|---|---|
| Primary Group | The default group a user belongs to when they are created (usually the same name as the user). | User olena → group olena |
| Supplementary (Secondary) Groups | Additional groups a user can join for shared access. | sudo, projectgroup, team |
Each file in Linux has both a user owner and a group owner.
When you list files with ls -l, the second ownership field corresponds to the group:
-rw-rw-r-- 1 alice team 512 Oct 5 notes.txt
In this example, alice is the user owner, and team is the group owner.
3. Viewing Groups
To view all groups on the system, type:
cat /etc/group | less
Each line in /etc/group has the format:group_name:x:GID:user_list
Example:team:x:1003:alice,bob
The x stands for a password placeholder (no longer used in most systems).
The user_list shows all members of that group.
To view which groups you belong to, type groups.
To view another user’s memberships, type groups testuser.
4. Creating and Managing Groups
To create a new group, type sudo groupadd projectgroup.
This adds a new entry to /etc/group and assigns it a unique numeric GID.
To rename a group, type sudo groupmod -n devgroup projectgroup.
To delete a group, type sudo groupdel devgroup.
When deleting a group, be careful — if files are owned by that group, they will retain the old GID, which could cause orphaned permissions.
5. Adding Users to Groups
To give a user access to a shared directory or permission level, add them to a group.
Type sudo usermod -aG projectgroup testuser.
-a means append, keeping the user’s other group memberships.
-G specifies which group(s) to add.
If you forget the -a flag, the user’s previous group memberships will be replaced instead of added.
To confirm, type groups testuser, and you should see projectgroup listed.
6. Why Groups Matter
Groups are central to Linux’s Discretionary Access Control (DAC) model, where owners decide which users or groups can read, write, or execute a file.
For example, type ls -l report.txt and you might see:
-rw-r----- 1 alice team 4096 Oct 5 10:32 report.txt
Here:
User (alice) can read and write.
Group (team) can read only.
Others have no access.
By assigning users to team, you automatically grant them read access without needing to change file ownership for each user.
R – Roles (Assign Users to Groups)
In Linux, a user’s role is defined by the combination of their group memberships.
While a user account identifies who someone is, groups determine what they can do. Assigning users to groups is how Linux grants specific access rights — this is what turns “users and groups” into an actual permission system.
Think of it as a role-based model:
Users represent individual identities.
Groups represent functional roles (like “students,” “developers,” or “admins”).
Roles are created by adding users to one or more groups.
1. Why Roles Matter
Most Linux systems don’t assign permissions directly to users — instead, access is granted to groups. This makes administration more efficient and consistent.
For example:
Instead of granting every developer access to
/opt/projects/, the developers group is given permission, and each developer is simply added to that group.When a new developer joins, you don’t change file permissions — you just add their account to the group.
This Role-Based Access Control (RBAC) approach ensures security, consistency, and scalability as systems grow.
2. Adding a User to a Group
To assign a role, you add a user to an existing group.
Type sudo usermod -aG projectgroup testuser.
Explanation:
usermod – modifies an existing user account.
-a – appends the group (keeps existing memberships).
-G – specifies the target group or groups.
If you omit -a, the user’s previous group memberships will be replaced — a common mistake that can accidentally remove critical access.
To confirm group membership, type groups testuser.
You should see the group name (for example, projectgroup) listed.
3. Assigning Multiple Roles
A user can belong to multiple groups, giving them multiple roles.
Type sudo usermod -aG dev,design,sudo alice.
This adds alice to the dev, design, and sudo groups, letting her act as a developer, designer, and administrator depending on the context.
To check all memberships, type id alice.
The output will display the user’s UID, primary group, and all supplementary groups.
4. Viewing Role Relationships
To understand which users have which roles, view the /etc/group file.
Type cat /etc/group | less.
Each group entry lists its members, helping administrators verify access patterns.
Example line:team:x:1003:alice,bob
This shows that both alice and bob share the team role.
5. Removing a Role
If a user’s responsibilities change, you can remove them from a group to revoke that role.
Type sudo gpasswd -d testuser projectgroup.
This deletes testuser from the projectgroup group.
Removing group membership immediately affects access to files and directories tied to that group’s permissions.
6. Real-World Example
Consider a shared research environment:
Researchers group: full read/write access to
/data/projects/.Students group: read-only access to
/data/projects/.Admins group: system-level control and maintenance.
By assigning each user to the appropriate groups, the administrator controls access precisely:
Add students to the students group.
Add staff to the researchers group.
Restrict administrative privileges to admins only.
This structure allows hundreds of users to work safely on the same system without interfering with each other.
Navigate the tree
A – Access and Switching
Once users and groups are created and roles are assigned, the final step is to understand access — how Linux enforces permissions and how users can switch identities securely.
Access control determines who can read, write, or execute files, and switching between users allows administrators to test configurations and manage accounts effectively.
1. Understanding Access in Linux
Every file and directory in Linux is owned by a user and a group.
Permissions are divided into three categories:
| Category | Applies To | Example |
|---|---|---|
| User (u) | The file’s owner | The person who created the file |
| Group (g) | Members of the file’s group | Users who share the same group |
| Others (o) | Everyone else on the system | All remaining users |
Each category can have three types of permissions:
| Symbol | Meaning | Example |
|---|---|---|
| r | Read | View contents of a file or list a directory |
| w | Write | Modify or delete contents |
| x | Execute | Run a file or enter a directory |
To view file permissions, type ls -l.
Example output:-rw-r----- 1 alice team 4096 Oct 5 10:32 report.txt
This means:
alice (user) can read and write.
Members of team (group) can read only.
others have no access.
Access control is one of the most important parts of Linux security because it ensures that only authorized users can read or change system data.
2. Checking Who You Are
When managing accounts, it’s essential to know your current identity and what permissions you have.
To display your current username, type whoami.
To view your numeric ID, primary group, and all supplementary groups, type id.
To see all users currently logged in, type who.
These commands are commonly used by system administrators to confirm which account is active before making changes.
3. Switching Users
Sometimes administrators need to temporarily act as another user to test permissions or perform administrative tasks.
The su (substitute user) command allows switching into another account.
To switch into a user account, type sudo su – testuser.
The dash (-) ensures the full environment of testuser is loaded, including their home directory and shell configuration.
The prompt will change to show the new username, for example:testuser@hostname:~$
You are now operating as testuser.
To return to your own account, type exit.
This closes the shell session and returns you to your original user.
4. Using sudo for Temporary Access
Rather than switching accounts entirely, administrators often use sudo to run a single command with elevated privileges.
For example:
sudo cat /etc/shadow
This allows one-time administrative access without leaving your own account.
Users who can use sudo are typically part of the sudo group.
To check whether your account has this role, type groups and look for sudo in the output.
5. Testing Access Between Users
After assigning users to groups, it’s good practice to test their access.
For example:
Log in as alice and try to open a file owned by team.
Log in as bob and verify whether he can modify or only view it.
This helps confirm that permissions and group roles were configured correctly.
To simulate this, you can switch between accounts:
sudo su – alice
sudo su – bob
Use whoami and groups each time to confirm which account is active and what roles it has.
6. Access Control Files
The following files define how users and groups authenticate and what they can access:
| File | Purpose |
|---|---|
| /etc/passwd | Lists all users and their basic information. |
| /etc/shadow | Stores encrypted passwords and expiration settings (readable only by root). |
| /etc/group | Defines all system groups and their members. |
| /etc/sudoers | Controls which users can execute commands as root using sudo. |
The /etc/sudoers file is especially important — it determines who can use administrative privileges safely. Changes to this file should always be made using the visudo command to avoid syntax errors.
This concludes Lecture 8. Please return to Blackboard to access the Week 8 materials.