04_Linux Users and Groups Management
Transcript 04_Linux Users and Groups Management
Linux Users and Groups
• Ubuntu Linux uses groups to help you manage users,
set permissions on those users, and even monitor how
much time they are spending in front of the PC.
• Normally Linux computers have two user accounts—
your own user account, and the root account, which is
the super user that can access everything on the PC,
make system changes, and administer other users.
Ubuntu works a little differently, though—you can’t
login directly as root by default, and you use
the sudo command to switch to root-level access when
you need to make a change.
How Linux User Accounts Work
• Linux stores a list of all users in the
‘/etc/groups’ file. You can run this command
in the Terminal to to view and edit the groups
and users in your system:
– sudo nano /etc/groups
How Linux User Accounts Work
By default, all user home directories are
created and maintained in the /home
However, the root user’s home directory is
User Accounts storage
• Local This option stores user accounts in the
/etc/passwd file. This has been the default
configuration used by Linux systems for many years.
– /etc/passwd This file contains the user account
information for your system.
– /etc/shadow This file contains passwords for your
– /etc/group This file contains your system’s groups
• By default, one account has elevated
privileges to issue any command, access any
file, and perform every function
• Superuser, a.k.a. root
• User and group number 0
• Must limit use of root
– Inexperienced users can cause serious harm
– Use of root for non-privileged tasks unnecessary
and can be open to attack
– Security and privacy violations – root can look at
• Limit what root can do remotely
• Ensure a strong password
• What usually works best is short periods of
superuser privilege, only when necessary
• Obtain privileges, complete task, relinquish
• Most common ways are su and sudo
• Can also use the setuid/setgid method, but
• Short for substitute or switch user
• Syntax: su [options] [username]
– If username is omitted, root is assumed
• After issuing command, prompted for that
• A new shell opened with the privileges of that
• Once done issuing commands, must type exit
• Allows you to issue a single command as another
sudo [options] [-u user] command
• Again, if no user specified, root assumed
• New shell opened with user’s privileges
• Specified command executed
• Shell exited
• Must configure a user to run commands as
another user when using sudo
• Permissions stored in /etc/sudoers
• Use utility visudo to edit this file (run as
• Permissions granted to users or groups, to
certain commands or all, and with or without
password being required
Other permissions models
• Some Linux distributions such as Ubuntu
obscure away the root account altogether
• By default the end user doesn’t know the root
– Can’t login as root
– Can’t su
• Must rely on sudo (and the graphical
gksudo) to obtain privilege, along with
‘Unlock’ functions in GUI
Creating and Managing User Accounts
useradd options username
ken account is created using the default parameters
contained in the following configuration files:
/etc/login.defs This file contains values that can be
used for the GID and UID parameters when creating
an account with useradd.
It also contains defaults for creating passwords in
It’s important to note that, by default, userdel will
not remove the user’s home directory from the
file system. If you do want to remove the home
directory when you delete the user, you need to
use the –r option in the command line. For
example, entering userdel –r ken will remove the
account and delete her home directory.
groups are defined in the /etc/group file. Each
record is composed of the following four fields:
• Group Specifies the name of the group. In the
example above, the name of the group is video.
• Password Specifies the group password.
• GID Specifies the group ID (GID) number of
• Users Lists the members of the group.
• As with /etc/shadow, each line in
/etc/gshadow represents a record for a single
group. Each record is composed of the
groupadd options groupname
–g Specifies a GID for the new group.
–p Specifies a password for the group.
–r Specifies that the group being created is a
Anytime a user creates a new file or directory, his or
her user account is assigned as that file or directory’s
“owner.” For example, suppose the ken user logs in
to her Linux system and creates a file named
linux_introduction.odt using OpenOffice.org in home
directory. Because she created this file, ken is
How ownership works
• You can specify a different user and/or group as the
owner of a given file or directory. To change the
user who owns a file, you must be logged in as
root. To change the group that owns a file, you
must be logged in as root or as the user who
currently owns the file.
You can also view file ownership from the command
line using the ls –l command
• The chown utility can be used to change the user or group that
owns a file or directory.
Syntax chown user.group file or directory.
Example: If I wanted to change the file’s owner to the ken1 user, I would
chown ken1 /tmp/myfile.txt
–If I wanted to change this to the users group, of which users is a member,
I would enter
chown .users /tmp/myfile.txt
Notice that I used a period (.) before the group name to tell chown that
the entity specified is a group, not a user account.
Ex: chown student.users /tmp/myfile.txt
Note: You can use the –R option with chown to change ownership on
many files at once recursively.
• In addition to chown, you can also use chgrp to
change the group that owns a file or directory.
chgrp group file (or directory)
• Example: chgrp student /tmp/newfile.txt.