GuideDevOps
Lesson 6 of 17

Users & Groups

Part of the Linux Fundamentals tutorial series.

Identity Management

Every process running on a Linux machine runs as a specific user. Knowing who owns what process matters enormously in DevOps — a web server running as root is a serious security vulnerability.

The most important user is root (UID 0), the superuser with absolute control over the entire system. Every other user has limited privileges.

# See who you are
$ whoami
admin
 
# See your user ID and group memberships
$ id
uid=1000(admin) gid=1000(admin) groups=1000(admin),4(adm),27(sudo),33(www-data)

User Management Commands

Creating a User — useradd

# Basic user creation (Fedora/RHEL/CentOS)
$ sudo useradd -m -s /bin/bash alice
 
# On Debian/Ubuntu, use adduser (interactive, easier)
$ sudo adduser alice
Adding user `alice' ...
Adding new group `alice' (1001) ...
Adding new user `alice' (1001) with group `alice' ...
Creating home directory `/home/alice' ...
Copying files from `/etc/skel' ...

What -m -s /bin/bash does:

| Flag | Meaning |
|------|---------|
| -m | Create the user's home directory |
| -s /bin/bash | Set the login shell to Bash |

# Verify the user was created
$ id alice
uid=1001(alice) gid=1001(alice) groups=1001(alice)
 
# Check the user database entry
$ grep alice /etc/passwd
alice:x:1001:1001::/home/alice:/bin/bash

Setting a Password — passwd

$ sudo passwd alice
New password:
Retype new password:
passwd: password updated successfully

Modifying a User — usermod

# Add user to supplementary groups (e.g., docker group to manage containers)
$ sudo usermod -aG docker alice
 
# Change the user's login shell
$ sudo usermod -s /bin/zsh alice
 
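# Lock the account's password (blocks password logins only; SSH key logins still work)
$ sudo usermod -L alice

# Unlock the account's password
$ sudo usermod -U alice

# Change home directory (-m moves the existing contents to the new location)
$ sudo usermod -d /new/home -m alice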

The critical -aG flag: Without -a, usermod replaces all supplementary groups. Always use -aG to append groups.

# WRONG — this replaces all groups for alice
$ sudo usermod -G docker alice
 
# CORRECT — appends docker to existing groups
$ sudo usermod -aG docker alice

Deleting a User — userdel

# Delete user but keep home directory
$ sudo userdel alice
 
# Delete user AND their home directory (complete cleanup)
$ sudo userdel -r alice

Listing All Users

# Show all user accounts (from /etc/passwd)
$ awk -F: '{print $1, $3}' /etc/passwd
root 0
daemon 1
bin 2
...
admin 1000
alice 1001
bob 1002

Group Management

Groups organize users logically and let you assign shared permissions without granting individual access.

Creating and Managing Groups

# Create a new group
$ sudo groupadd ops

# Create a group with specific GID
$ sudo groupadd -g 1500 developers

# Add a user to group(s): usermod takes a comma-separated group list but only one user per call
$ sudo usermod -aG developers,ops alice
$ sudo usermod -aG developers bob
 
# Remove user from group
$ sudo gpasswd -d alice developers
 
# List all groups a user belongs to
$ groups alice
alice : alice developers ops
 
# List all members of a group
$ getent group developers
developers:x:1500:alice,bob

The groups Command

# See groups for current user
$ groups
admin : admin adm sudo www-data
 
# See groups for specific user
$ groups bob
bob : bob developers

Common System Groups

| Group | Purpose | DevOps Use Case |
|-------|---------|-----------------|
| sudo | Run commands as root | Administrative access |
| wheel | Same as sudo (RHEL) | Administrative access |
| adm | Read system logs | Log inspection |
| www-data | Web server process | NGINX/Apache ownership |
| docker | Manage Docker | Container administration |
| systemd-journal | Journal access | Reading systemd logs |
| crontab | Schedule jobs | Cron job management |
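
An added example, not part of the original lesson: a small audit of the user and group databases for the privileged identities discussed so far. It lists every UID 0 account and every member of sudo, wheel or docker, including users who hold one of those groups as their primary GID and therefore do not appear in the member list in /etc/group. docker is on the watch list because control of the Docker daemon amounts to root on the host; the function names, the watch list and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Print every account whose UID is 0; on a healthy system only root appears.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Print "group:user" for members of root-equivalent groups (hypothetical watch list).
# Args: passwd file, group file (both default to the live databases).
privileged_members() {
    awk -F: -v watch="sudo wheel docker" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        FNR == NR {                          # first file: group database
            if ($1 in want) {
                gid2name[$3] = $1
                m = split($4, members, ",")
                for (i = 1; i <= m; i++) if (members[i] != "") print $1 ":" members[i]
            }
            next
        }
        ($4 in gid2name) { print gid2name[$4] ":" $1 }   # second file: primary GID match
    ' "${2:-/etc/group}" "${1:-/etc/passwd}" | LC_ALL=C sort -u
}

# Constructed sample databases (not from a real host).
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
ci:x:1003:998::/home/ci:/bin/sh
EOF
}
sample_group() { cat <<'EOF'
sudo:x:27:admin
docker:x:998:alice
developers:x:1500:alice,bob
EOF
}

# Demo on the samples; on a real host call the functions with no arguments.
tmp=$(mktemp -d)
sample_passwd > "$tmp/passwd"; sample_group > "$tmp/group"
echo "UID 0 accounts:";            uid0_accounts "$tmp/passwd"
echo "Privileged group members:";  privileged_members "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

In the sample, toor is a second UID 0 account and ci reaches docker only through its primary GID, which `getent group docker` alone would not show.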

Switching Users — su

Become Another User

# Switch to another user (prompts for password)
$ su - alice
 
# Switch to root (prompts for root password)
$ su -
 
# Run a single command as another user
$ su -c "systemctl restart nginx" alice
 
# Switch to user without starting a login shell (most of the current environment is kept)
$ su alice

The difference between su and su -:

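# su -  starts a full login shell (fresh environment, target user's home directory)
$ su - alice
$ echo $HOME          # /home/alice
$ echo $PATH          # /home/alice/.local/bin:/usr/local/bin:...

# su  resets only HOME and SHELL (plus USER and LOGNAME for non-root targets);
# PATH and the working directory carry over (risky: unexpected PATH)
$ su alice
$ echo $HOME          # /home/alice
$ echo $PATH          # unchanged: still admin's PATH (default with util-linux su)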

Superuser Do — sudo

sudo lets a permitted user run commands as root for a specific task, without sharing the root password.

Basic sudo Usage

# Run a single command as root
$ sudo systemctl restart nginx
[sudo] password for admin: ********
 
# Run as a different user
$ sudo -u alice whoami
alice
 
# Never prompt for a password: succeeds only if none is required (e.g. a NOPASSWD rule in sudoers), otherwise fails with an error
$ sudo -n systemctl restart nginx    # -n = non-interactive

Who Can Use sudo?

Members of the sudo group (Debian/Ubuntu) or wheel group (RHEL/CentOS) can use sudo.

# On Ubuntu/Debian — members of sudo group are sudoers
$ getent group sudo
sudo:x:27:admin
 
# On RHEL/CentOS — members of wheel group are sudoers
$ getent group wheel
wheel:x:10:admin

The Sudoers File

The /etc/sudoers file controls who can use sudo and with what restrictions. Always edit with visudo — it validates syntax before saving.

# Open sudoers file safely
$ sudo visudo

Common sudoers configurations:

# Allow user alice to run all commands without password
alice ALL=(ALL) NOPASSWD: ALL
 
# Allow group "developers" to run docker commands without password
%developers ALL=(ALL) NOPASSWD: /usr/bin/docker
 
# Allow user bob to restart nginx only
bob ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx
 
# Limit the rule to hosts on a network: the host field matches the machine sudo runs on, not the address the user connects from
alice 192.168.1.0/24=(ALL) ALL
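
An added example, not from the original lesson, that lints rules like the ones above. It relies on a sudoers detail the list does not spell out: a command written without arguments, such as /usr/bin/docker, may be run with any arguments, while /bin/systemctl restart nginx is pinned to exactly that invocation. lint_sudoers and its finding names are hypothetical, and the parser assumes single-line user rules with an optional NOPASSWD: tag.

```shell
#!/bin/sh
# Classify each granted command as one of:
#   passwordless-full-root, full-root, any-arguments, pinned-arguments
# Output: "<who> <finding> <command>". Aliases, line continuations and
# other tags are not handled (assumption of this sketch).
lint_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        $1 == "Defaults" { next }                  # settings, not grants
        {
            who = $1; spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)         # drop "who host="
            sub(/^\([^)]*\)[ \t]*/, "", spec)      # drop "(runas)"
            nopass = sub(/^NOPASSWD:[ \t]*/, "", spec)
            sub(/[ \t]+$/, "", spec)
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                cmd = cmds[i]
                if (cmd == "ALL")        f = nopass ? "passwordless-full-root" : "full-root"
                else if (cmd !~ /[ \t]/) f = "any-arguments"
                else                     f = "pinned-arguments"
                print who, f, cmd
            }
        }
    ' "$1"
}

# Constructed input: the four rules from this lesson.
sample_sudoers() { cat <<'EOF'
# Allow user alice to run all commands without password
alice ALL=(ALL) NOPASSWD: ALL
%developers ALL=(ALL) NOPASSWD: /usr/bin/docker
bob ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx
alice 192.168.1.0/24=(ALL) ALL
EOF
}

# Demo: lint the sample rules.
tmp=$(mktemp); sample_sudoers > "$tmp"
lint_sudoers "$tmp"
rm -f "$tmp"
```

Only bob's rule comes out as pinned-arguments; the docker rule is reported as any-arguments, which for a tool that controls the Docker daemon is as broad as full root.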

Quick Reference

| Task | Command |
|------|---------|
| Show current user | whoami |
| Show current UID and groups | id |
| Create user | useradd -m username |
| Create user (Debian) | adduser username |
| Set password | passwd username |
| Delete user | userdel -r username |
| Add to group | usermod -aG group user |
| Create group | groupadd groupname |
| List all users | getent passwd |
| List all groups | getent group |
| Switch to user | su - username |
| Run as user | sudo -u username command |
| Edit sudoers | sudo visudo |

Practice Challenge

  1. Create a new user named deploy with a home directory and Bash shell
  2. Create groups devops and monitoring
  3. Add deploy to both groups
  4. List the user's groups to verify
  5. Try sudo -u deploy whoami — does it work? Why not?
  6. Delete the deploy user cleanly