Chapter 8. Managing Users and Groups


On a Linux system, both human users and system processes have user accounts. Some system processes need user accounts to control privileges and access rights, just like human users.

Remember the most fundamental Linux security principles:

  1. Use the minimum necessary privileges to get the job done.

  2. Strong passwords work.

Following these two principles will prevent all sorts of aggravation and mishaps.

Linux has a collection of utilities for managing users and groups: useradd, groupadd, userdel, groupdel, usermod, groupmod, passwd, chfn, and chsh. These are part of the “Shadow Suite.”

The Shadow Suite was created by Julianne Frances Haugh to improve password security and to make user account management easier. In the olden days, all the relevant files had to be edited individually, and encrypted passwords were stored in /etc/passwd . But because /etc/passwd must remain world-readable, storing passwords in it, even if they’re encrypted, is asking for trouble. Anyone who copies it can then crack the passwords at their leisure. Relocating the encrypted passwords to /etc/shadow, which is accessible only by root, adds a useful layer of protection.

useradd behaves differently on different systems. Traditionally, it lumped all new users into the same login group, users (100). This meant that all home directories were wide open by default, because users all belonged to the same group. Red Hat changed this with their “User Private Group” scheme. Red ...

Get Linux Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.