Post

A Comprehensive Guide to User and Group Management in Unix-like Environments

Posted Updated
By Ahmed Aljorani 46 min read

User and Group Management stands as a fundamental pillar in the architecture of Unix-like operating systems, serving as a cornerstone for system security, resource allocation, and access control mechanisms. Rooted in the foundational principles of multi-user computing environments, effective user and group management facilitates the orchestration of diverse user identities, privileges, and permissions within a cohesive and structured framework.

Here are some commonly used commands and tools for managing users and groups:

User Commands:

useradd

useradd is a command-line utility in Linux and Unix-like operating systems used to create new user accounts. It is a fundamental command for system administration and user management. The useradd command is typically used by system administrators to add new users to the system, specifying various attributes and options such as the user’s home directory, default shell, and user ID.

Some commonly used options with useradd include:

Option Description
-c <comment> Adds a comment or description for the user account.
-d <home_dir> Specifies the home directory for the new user account.
-e <date> Sets an expiration date for the user account.
-g <group> Specifies the initial login group for the new user account.
-G <groups> Specifies additional groups to which the new user account should belong.
-m Creates the user’s home directory if it does not already exist.
-M Disables the creation of the user’s home directory.
-n Creates the user account without assigning a password.
-r Creates a system user account (with a UID less than 1000).
-s <shell> Specifies the login shell for the new user account.
-u <UID> Specifies the numerical user ID (UID) for the new user account.
-U Creates a group with the same name as the user (if it does not already exist).
-Z <SElinux_user> Sets the SElinux user for the new user account.

Here are examples for each useradd option with explanations:

  1. -c <comment>

    • Example: sudo useradd -c "John Doe" john
    • Explanation: This command creates a new user named john and adds the comment “John Doe” to the user’s account information.

  2. -d <home_dir>

    • Example: sudo useradd -d /home/john john

    • Explanation: This command creates a new user named john and specifies /home/john as the home directory for this user.

    • Example: sudo useradd -m -d /custom/home/user1 user1
    • Explanation: This sets /custom/home/user1 as the home directory and ensures it is created automatically with default files.

  3. -e <date>

    • Example: sudo useradd -e 2024-12-31 john
    • Explanation: This command creates a new user named john with an expiration date set to December 31, 2024.

  4. -g <group>

    • Example: sudo useradd -g staff john
    • Explanation: This command creates a new user named john and assigns the initial login group staff to this user.

  5. -G <groups>

    • Example: sudo useradd -G users,staff john
    • Explanation: This command creates a new user named john and adds the user to the additional groups users and staff.

  6. -m

    • Example: sudo useradd -m john
    • Explanation: This command creates a new user named john and automatically creates the user’s home directory /home/john if it does not already exist.

  7. -M

    • Example: sudo useradd -M john
    • Explanation: This command creates a new user named john without creating the user’s home directory.

  8. -n

    • Example: sudo useradd -n john
    • Explanation: This command creates a new user named john without assigning a password to the account.

  9. -r

    • Example: sudo useradd -r systemuser
    • Explanation: This command creates a new system user named systemuser with a UID less than 1000.

  10. -s <shell>

    • Example: sudo useradd -s /bin/bash john
    • Explanation: This command creates a new user named john and specifies /bin/bash as the login shell for this user.

  11. -u <UID>

    • Example: sudo useradd -u 2001 john
    • Explanation: This command creates a new user named john with the numerical user ID (UID) set to 2001.

  12. -U

    • Example: sudo useradd -U john
    • Explanation: This command creates a new user named john and also creates a group with the same name as the user, if it does not already exist.

  13. -Z <SElinux_user>

    • Example: sudo useradd -Z staff_u john
    • Explanation: This command creates a new user named john and sets staff_u as the SElinux user for this account.

userdel

The userdel command is a command-line utility in Linux and Unix-like operating systems used to delete user accounts. It is an essential tool for system administrators to manage user accounts and their associated files. The userdel command removes the specified user account from the system, along with its home directory and mail spool (if applicable), but it does not remove the user’s home directory by default.

Some commonly used options with userdel include:

Option Description
-f Forces the removal of the user account, even if the user is still logged in.
-r Removes the user’s home directory and mail spool.
-Z Removes any SElinux user mapping for the user.
-h Displays help information about the userdel command.

Here are examples for each userdel option with explanations:

  1. -f

    • Example: sudo userdel -f john
    • Explanation: This command forcefully removes the user account john, even if the user is currently logged in.

  2. -r

    • Example: sudo userdel -r john
    • Explanation: This command removes the user account john, as well as the user’s home directory and mail spool.
  3. -Z
    • Example: sudo userdel -Z john
    • Explanation: This command removes any SElinux user mapping associated with the user account john.
  4. -h
    • Example: userdel -h
    • Explanation: This command displays help information about the userdel command, showing a brief description of its options and usage.

usermod

The usermod command is a versatile command-line utility in Linux and Unix-like operating systems used to modify or change user account attributes. It provides a convenient way for system administrators to manage and update user account settings without deleting and recreating the user account.

Some commonly used options with usermod include:

Option Description
-aG <groups> Adds the user to additional groups without removing them from current groups.
-c <comment> Adds or changes the comment or description for the user account.
-d <home_dir> Changes the home directory for the user account.
-e <date> Sets an expiration date for the user account.
-g <group> Changes the initial login group for the user account.
-G <groups> Sets the supplementary groups for the user account, replacing the current list.
-l <new_name> Changes the username from the current username to new_name.
-L Locks (disables) the user account.
-s <shell> Changes the login shell for the user account.
-u <UID> Changes the numerical user ID (UID) for the user account.
-U Unlocks (enables) the user account.

Here are examples for each usermod option with explanations:

  1. -aG <groups>

    • Example: sudo usermod -aG sudo,johns_group john
    • Explanation: This command adds the user john to the additional groups sudo and johns_group without removing them from the current groups.

  2. -c <comment>

    • Example: sudo usermod -c "John Doe" john
    • Explanation: This command adds or changes the comment “John Doe” for the user account john.

  3. -d <home_dir>

    • Example: sudo usermod -d /home/new_home john
    • Explanation: This command changes the home directory for the user account john to /home/new_home.

  4. -e <date>

    • Example: sudo usermod -e 2024-12-31 john
    • Explanation: This command sets an expiration date of December 31, 2024, for the user account john.

  5. -g <group>

    • Example: sudo usermod -g new_group john
    • Explanation: This command changes the initial login group for the user account john to new_group.

  6. -G <groups>

    • Example: sudo usermod -G users,staff john
    • Explanation: This command sets the supplementary groups for the user account john to users and staff, replacing the current list of supplementary groups.

  7. -l <new_name>

    • Example: sudo usermod -l new_username john
    • Explanation: This command changes the username of john to new_username.

  8. -L

    • Example: sudo usermod -L john
    • Explanation: This command locks (disables) the user account john, preventing the user from logging in.

  9. -s <shell>

    • Example: sudo usermod -s /bin/bash john
    • Explanation: This command changes the login shell for the user account john to /bin/bash.

  10. -u <UID>

    • Example: sudo usermod -u 2001 john
    • Explanation: This command changes the numerical user ID (UID) for the user account john to 2001.

  11. -U

    • Example: sudo usermod -U john
    • Explanation: This command unlocks (enables) the user account john, allowing the user to log in.

passwd

The passwd command is a command-line utility in Linux and Unix-like operating systems used to change or set the password for a user account. It is an essential tool for system administrators and individual users to manage and maintain the security of user accounts.

Some commonly used options with passwd include:

Option Description
-a Displays the status of all password entries in /etc/passwd and /etc/shadow.
-d <user> Deletes the password for the specified user account.
-e <user> Expires the password for the specified user account, forcing the user to change it upon next login.
-l <user> Locks (disables) the password for the specified user account.
-u <user> Unlocks (enables) the password for the specified user account.
-S, --status Displays the password status for the current user.
-g Specifies the group to which the password should be changed (for root only).
-r <repository> Specifies the NSS (Name Service Switch) backend to use for user and group information.
-s Changes the user’s login shell.
-w Changes the password for the specified user account without prompting for the old password.
-i Specifies the number of days after which the password must be changed.
-n Specifies the minimum number of days before the password can be changed.
-x Specifies the maximum number of days the password is valid.
-y Specifies the number of days before the password expiration date to warn the user.
-Q Exits with a status code indicating the password status for the specified user (0 = valid, 1 = invalid).

Here are examples for each passwd option with explanations:

  1. -a

    • Example: sudo passwd -a
    • Explanation: This command displays the status of all password entries in /etc/passwd and /etc/shadow.

  2. -d <user>

    • Example: sudo passwd -d john
    • Explanation: This command deletes the password for the user account john, making it a passwordless account.

  3. -e <user>

    • Example: sudo passwd -e john
    • Explanation: This command expires the password for the user account john, forcing the user to change it upon the next login.

  4. -l <user>

    • Example: sudo passwd -l john
    • Explanation: This command locks (disables) the password for the user account john, preventing the user from logging in.

  5. -u <user>

    • Example: sudo passwd -u john
    • Explanation: This command unlocks (enables) the password for the user account john, allowing the user to log in.

  6. -S

    • Example: passwd -S

    • Explanation: This command displays the password status for the current user.

    • Example: passwd --status username
    • Explanation: The output consists of seven fields, each conveying specific information about the user’s password status.
      1. Login Name: The username of the account.
      2. Password Status: Indicates the current state of the password:
        • P: Password is set and usable.
        • L: Password is locked, preventing login with the password.
        • NP: No password is set for the account.
      1
2

       $ passwd --status johndoe
 johndoe P 2025-01-10 0 99999 7 -1

      In this example:

      1
2
3
4
5
6
7

      - **`johndoe:`** The username.
- **`P:`** Password is set and usable.
- **`2025-01-10:`** Password was last changed on January 10, 2025.
- **`0:`** No minimum days required between password changes.
- **`99999:`** Password is valid for 99999 days (effectively no expiration).
- **`7:`** User will receive a warning 7 days before password expiration.
- **`-1:`** Account will never be disabled due to inactivity after password expiration.

  7. -g

    • Example: sudo passwd -g
    • Explanation: This command specifies the group to which the password should be changed. This option is typically used by the root user.

  8. -r <repository>

    • Example: sudo passwd -r files john
    • Explanation: This command specifies the NSS (Name Service Switch) backend files to use for user and group information when changing the password for the user account john.

  9. -s

    • Example: sudo passwd -s john
    • Explanation: This command changes the login shell for the user account john.

  10. -w

    • Example: sudo passwd -w password john
    • Explanation: This command changes the password for the user account john to password without prompting for the old password.

  11. -i

    • Example: sudo passwd -i 30 john
    • Explanation: This command specifies that the password for the user account john must be changed after 30 days.

  12. -n

    • Example: sudo passwd -n 7 john
    • Explanation: This command specifies that the password for the user account john cannot be changed within the first 7 days after the last password change.

  13. -x

    • Example: sudo passwd -x 90 john
    • Explanation: This command specifies that the password for the user account john is valid for a maximum of 90 days.

  14. -y

    • Example: sudo passwd -y 7 john
    • Explanation: This command specifies that the user john should be warned 7 days before the password expires.

  15. -Q

    • Example: passwd -Q john
    • Explanation: This command exits with a status code indicating the password status for the user account john (0 = valid, 1 = invalid).

Group Commands:

groupadd

The groupadd command is a command-line utility in Linux and Unix-like operating systems used to create new group accounts. It is a fundamental tool for system administrators to manage group permissions and group memberships.

Some commonly used options with groupadd include:

Option Description
-f Forces the creation of the group, even if it already exists.
-g <GID> Specifies the numerical group ID (GID) for the new group.
-h Displays help information about the groupadd command.
-K <key=value> Overrides /etc/login.defs defaults (may be used multiple times).
-o Allows the creation of a group with a non-unique GID.
-p <password> Sets the password for the new group (encrypted).
-r Creates a system group (with a GID less than 1000).
-R <chroot_dir> Uses as the directory tree for the `groupadd` command.

Here are examples for each groupadd option with explanations:

  1. -f

    • Example: sudo groupadd -f newgroup
    • Explanation: This command forces the creation of the group newgroup, even if it already exists.

  2. -g <GID>

    • Example: sudo groupadd -g 2001 newgroup
    • Explanation: This command specifies the numerical group ID (GID) of 2001 for the new group newgroup.

  3. -h

    • Example: groupadd -h
    • Explanation: This command displays help information about the groupadd command, providing a brief description of its options and usage.

  4. -K <key=value>

    • Example: sudo groupadd -K GID_MIN=1000 newgroup
    • Explanation: This command overrides the default minimum GID value defined in /etc/login.defs and creates the group newgroup with a GID of 1000 or higher.

  5. -o

    • Example: sudo groupadd -o newgroup
    • Explanation: This command allows the creation of a group newgroup with a non-unique GID, meaning the GID can already exist.

  6. -p <password>

    • Example: sudo groupadd -p password newgroup
    • Explanation: This command sets the encrypted password password for the new group newgroup.

  7. -r

    • Example: sudo groupadd -r systemgroup
    • Explanation: This command creates a system group systemgroup with a GID less than 1000.

  8. -R <chroot_dir>

    • Example: sudo groupadd -R /home/chroot newgroup
    • Explanation: This command uses /home/chroot as the directory tree for the groupadd command, creating the group newgroup within this chroot environment.

groupdel

The groupdel command is a command-line utility in Linux and Unix-like operating systems used to delete group accounts. It is an essential tool for system administrators to manage and remove unnecessary or obsolete group accounts.

Some commonly used options with groupdel include:

Option Description
-h Displays help information about the groupdel command.
-f Forces the removal of the group, even if it still contains members.
-R <chroot_dir> Uses as the directory tree for the `groupdel` command.

Here are examples for each groupdel option with explanations:

  1. -h

    • Example: groupdel -h
    • Explanation: This command displays help information about the groupdel command, providing a brief description of its options and usage.

  2. -f

    • Example: sudo groupdel -f oldgroup
    • Explanation: This command forces the removal of the group oldgroup, even if it still contains members.

  3. -R <chroot_dir>

    • Example: sudo groupdel -R /home/chroot oldgroup
    • Explanation: This command uses /home/chroot as the directory tree for the groupdel command, removing the group oldgroup within this chroot environment.

groupmod

The groupmod command is a command-line utility in Linux and Unix-like operating systems used to modify or change group account attributes. It provides a convenient way for system administrators to manage and update group settings without deleting and recreating the group.

Some commonly used options with groupmod include:

Option Description
-g <GID> Change the group ID to <GID>.
-h Display help message and exit.
-n <new_name> Change the name of the group to <new_name>.
-o Allow the group ID to be a non-unique value.
-p <password> Use the encrypted password <password> for the new group.

Here are examples for each groupmod option with explanations:

  1. -g <GID>

    • Example: sudo groupmod -g 2001 oldgroup
    • Explanation: This command changes the group ID of oldgroup to 2001.

  2. -h

    • Example: groupmod -h
    • Explanation: This command displays help information about the groupmod command, providing a brief description of its options and usage.

  3. -n <new_name>

    • Example: sudo groupmod -n newgroup oldgroup
    • Explanation: This command changes the name of the group oldgroup to newgroup.

  4. -o

    • Example: sudo groupmod -o oldgroup
    • Explanation: This command allows the group ID of oldgroup to be a non-unique value.

  5. -p <password>

    • Example: sudo groupmod -p password oldgroup
    • Explanation: This command sets the encrypted password password for the group oldgroup.

gpasswd

The gpasswd command is a command-line utility in Linux and Unix-like operating systems used to administer the /etc/group file and the /etc/gshadow file, which store group account information and group passwords, respectively. It provides a convenient way for system administrators to manage group memberships and group passwords.

Some commonly used options with gpasswd include:

Option Description
-a <username> Adds a user to the specified group.
-d <username> Removes a user from the specified group.
-h Displays help information about the gpasswd command.
-M <users> Sets the members of the group, replacing the current list.
-r Removes the password from the specified group.
-R <repository> Sets the location of the group information (e.g., LDAP).

Here are examples for each gpasswd option with explanations:

  1. -a <username>

    • Example: sudo gpasswd -a john newgroup
    • Explanation: This command adds the user john to the group newgroup.

  2. -d <username>

    • Example: sudo gpasswd -d john oldgroup
    • Explanation: This command removes the user john from the group oldgroup.

  3. -h

    • Example: gpasswd -h
    • Explanation: This command displays help information about the gpasswd command, providing a brief description of its options and usage.

  4. -M <users>

    • Example: sudo gpasswd -M alice,bob newgroup
    • Explanation: This command sets the members of the group newgroup to alice and bob, replacing the current list of members.

  5. -r

    • Example: sudo gpasswd -r newgroup
    • Explanation: This command removes the password from the group newgroup.

  6. -R <repository>

    • Example: sudo gpasswd -R ldap oldgroup
    • Explanation: This command sets the location of the group information to ldap for the group oldgroup.

Management Commands:

id

The id command is a command-line utility in Linux and Unix-like operating systems used to display the user and group IDs (UID and GID) along with the associated group names for the current user or a specified username.

Some commonly used options with id include:

Option Description
-g Displays the effective group ID (GID) of the user.
-G Displays all group IDs (GIDs) to which the user belongs, including the effective GID.
-h Displays help information about the id command.
-u Displays the effective user ID (UID) of the user.
-n Displays the name of the user and all groups to which the user belongs, separated by spaces.
-r Displays the real (not effective) user ID (UID) and group ID (GID).
-Z Displays the security context (SElinux user and role) of the user.

Here are examples for each id option with explanations:

  1. -g

    • Example: id -g
    • Explanation: This command displays the effective group ID (GID) of the current user.

  2. -G

    • Example: id -G
    • Explanation: This command displays all group IDs (GIDs) to which the current user belongs, including the effective GID.

  3. -h

    • Example: id -h
    • Explanation: This command displays help information about the id command, providing a brief description of its options and usage.

  4. -u

    • Example: id -u
    • Explanation: This command displays the effective user ID (UID) of the current user.

  5. -n

    • Example: id -n
    • Explanation: This command displays the name of the current user and all groups to which the user belongs, separated by spaces.

  6. -r

    • Example: id -r
    • Explanation: This command displays the real (not effective) user ID (UID) and group ID (GID) of the current user.

  7. -Z

    • Example: id -Z
    • Explanation: This command displays the security context, including the SElinux user and role, of the current user.

getent

The getent command is a command-line utility in Linux and Unix-like operating systems used to retrieve entries from databases supported by the Name Service Switch (NSS) libraries. It allows you to query various databases, such as /etc/passwd, /etc/group, /etc/hosts, and more, from the command line. The term getent stands for “get entries”.

Some commonly used databases with getent include:

Option Description
ahosts Retrieves the host names associated with the specified IP address.
ahostsv4 Retrieves the IPv4 host names associated with the specified IP address.
ahostsv6 Retrieves the IPv6 host names associated with the specified IP address.
aliases Retrieves the alias names defined in the specified database.
ethers Retrieves the Ethernet address and hostname pairs.
group Retrieves the group entries from the group database.
gshadow Retrieves the secure group database entries.
hosts Retrieves the host names and IP addresses.
netgroup Retrieves the netgroup entries.
networks Retrieves the network names and addresses.
passwd Retrieves the user account information.
protocols Retrieves the network protocols.
publickey Retrieves the public keys for user-based authentication.
rpc Retrieves the remote procedure call names and numbers.
services Retrieves the service names and port numbers.
shadow Retrieves the secure user account information.

Here are examples for each getent option with explanations:

  1. ahosts

    • Example: getent ahosts 8.8.8.8
    • Explanation: This command retrieves the host names associated with the specified IPv4 address 8.8.8.8.

  2. ahostsv4

    • Example: getent ahostsv4 www.google.com
    • Explanation: This command retrieves the IPv4 host names associated with the specified host name www.google.com.

  3. ahostsv6

    • Example: getent ahostsv6 www.google.com
    • Explanation: This command retrieves the IPv6 host names associated with the specified host name www.google.com.

  4. aliases

    • Example: getent aliases
    • Explanation: This command retrieves the alias names defined in the alias database.

  5. ethers

    • Example: getent ethers
    • Explanation: This command retrieves the Ethernet address and hostname pairs.

  6. group

    • Example: getent group
    • Explanation: This command retrieves the group entries from the group database.

  7. gshadow

    • Example: getent gshadow
    • Explanation: This command retrieves the secure group database entries.

  8. hosts

    • Example: getent hosts www.google.com
    • Explanation: This command retrieves the host names and IP addresses associated with the specified host name www.google.com.

  9. netgroup

    • Example: getent netgroup
    • Explanation: This command retrieves the netgroup entries.

  10. networks

    • Example: getent networks
    • Explanation: This command retrieves the network names and addresses.

  11. passwd

    • Example: getent passwd
    • Explanation: This command retrieves the user account information.

  12. protocols

    • Example: getent protocols
    • Explanation: This command retrieves the network protocols.

  13. publickey

    • Example: getent publickey john
    • Explanation: This command retrieves the public keys for user john for user-based authentication.

  14. rpc

    • Example: getent rpc
    • Explanation: This command retrieves the remote procedure call names and numbers.

  15. services

    • Example: getent services
    • Explanation: This command retrieves the service names and port numbers.

  16. shadow

    • Example: getent shadow
    • Explanation: This command retrieves the secure user account information.

sudo

The sudo command is a powerful command-line utility in Linux and Unix-like operating systems that allows users to run programs with the security privileges of another user, by default the superuser (root). It stands for “SuperUser Do” or “switch user and do”.

Some commonly used options with sudo include:

Option Description
-h Displays help information about the sudo command.
-i Starts a new login shell with the root user’s environment variables.
-l Lists the commands allowed by the user in the sudoers file.
-S Reads the password from standard input, allowing for scripting.
-u <username> Executes the command as the specified user instead of root.
-v Updates the user’s time stamp, asking for the password if necessary.

Here are examples for each sudo option with explanations:

  1. -h

    • Example: sudo -h
    • Explanation: This command displays help information about the sudo command, providing a brief description of its options and usage.

  2. -i

    • Example: sudo -i
    • Explanation: This command starts a new login shell with the root user’s environment variables.

  3. -l

    • Example: sudo -l
    • Explanation: This command lists the commands allowed by the current user in the sudoers file.

  4. -S

    • Example: echo "password" | sudo -S command
    • Explanation: This command reads the password from standard input, allowing for scripting. In this example, the password is provided through the echo command.

  5. -u <username>

    • Example: sudo -u john whoami
    • Explanation: This command executes the whoami command as the user john instead of root, displaying the current username.

  6. -v

    • Example: sudo -v
    • Explanation: This command updates the user’s time stamp, asking for the password if necessary, and keeps the sudo session alive for the next 5 minutes by default (this can be configured).

su

The su command is a command-line utility in Linux and Unix-like operating systems used to switch to another user account, typically the superuser (root). The name su stands for “switch user” or “substitute user.”

Some commonly used options with su include:

Option Description
- Starts a login shell with the new user’s environment variables.
-c <command> Executes the specified command as the new user, without starting a login shell.
-h Displays help information about the su command.
-l Starts a login shell with the new user’s environment variables.
-m Simulates a full login, similar to -l.
-p Preserves the new user’s environment variables when executing the command.
-s <shell> Changes the shell used for the new user session.
-u <username> Specifies the username of the user account to switch to.

Here are examples for each su option with explanations:

  1. -

    • Example: su - john
    • Explanation: This command starts a login shell with the john user’s environment variables.

  2. -c <command>

    • Example: su -c "whoami" john
    • Explanation: This command executes the whoami command as the john user, without starting a login shell, and displays the current username.

  3. -h

    • Example: su -h
    • Explanation: This command displays help information about the su command, providing a brief description of its options and usage.

  4. -l

    • Example: su -l john
    • Explanation: This command starts a login shell with the john user’s environment variables.

  5. -m

    • Example: su -m john
    • Explanation: This command simulates a full login for the john user, similar to using -l.

  6. -p

    • Example: su -p john
    • Explanation: This command preserves the john user’s environment variables when executing the command.

  7. -s <shell>

    • Example: su -s /bin/bash john
    • Explanation: This command changes the shell used for the john user session to /bin/bash.

  8. -u <username>

    • Example: su -u john
    • Explanation: This command specifies the username john of the user account to switch to.

visudo

The visudo command is a command-line utility in Linux and Unix-like operating systems used to edit and manage the /etc/sudoers file safely. The /etc/sudoers file is the configuration file for the sudo command, which determines which users and groups are allowed to execute which commands as the superuser (root).

When you run visudo, it opens the /etc/sudoers file in a safe manner, preventing multiple administrators from editing the file simultaneously and avoiding the risk of corrupting the file. The visudo command uses the vi text editor by default, but you can change the default editor by setting the EDITOR or VISUAL environment variable.

For example, to edit the /etc/sudoers file using the nano text editor, you can use:

1

VISUAL=nano visudo

Or you can set the EDITOR environment variable and then use visudo:

1
2

export EDITOR=nano
visudo

It’s important to note that making incorrect changes to the /etc/sudoers file can potentially lock you out of your system, so it’s crucial to use visudo to edit the file to ensure that the syntax is correct.

The /etc/sudoers file consists of user specifications, which define which users and groups are allowed to run which commands with sudo. The visudo utility provides syntax checking and locks the /etc/sudoers file to prevent simultaneous edits, making it a safer way to edit the sudo configuration.

Some commonly used options with visudo include:

Option Description
-c Check the syntax of the sudoers file before saving changes.
-f <file> Specify an alternate sudoers file to edit.
-h Displays help information about the visudo command.
-s Edit the sudoers file using the specified editor (defaults to vi).
-V Display the version of visudo and exit.

Here are examples for each visudo option with explanations:

  1. -c

    • Example: visudo -c
    • Explanation: This command checks the syntax of the sudoers file for any errors before saving changes.

  2. -f <file>

    • Example: visudo -f /etc/sudoers.d/custom
    • Explanation: This command specifies the alternate sudoers file /etc/sudoers.d/custom to edit with visudo.

  3. -h

    • Example: visudo -h
    • Explanation: This command displays help information about the visudo command, providing a brief description of its options and usage.

  4. -s

    • Example: visudo -s
    • Explanation: This command opens the sudoers file for editing using the specified editor (defaults to vi).

  5. -V

    • Example: visudo -V
    • Explanation: This command displays the version of visudo and then exits.

vipw

The vipw command is a command-line utility in Linux and Unix-like operating systems used to edit the /etc/passwd and /etc/shadow files safely. The /etc/passwd file contains user account information, and the /etc/shadow file contains the encrypted passwords for user accounts. When you run vipw, it opens the /etc/passwd and /etc/shadow files in a safe manner, preventing multiple administrators from editing the files simultaneously and avoiding the risk of corrupting the files.

Some commonly used options with vipw include:

Option Description
-h Displays help information about the vipw command.
-g Edit the /etc/group file instead of the /etc/passwd file.
-p Edit the /etc/passwd file using the specified editor (defaults to vi).
-s Edit the /etc/shadow file instead of the /etc/passwd file.

Here are examples for each vipw option with explanations:

  1. -h

    • Example: vipw -h
    • Explanation: This command displays help information about the vipw command, providing a brief description of its options and usage.

  2. -g

    • Example: vipw -g
    • Explanation: This command edits the /etc/group file instead of the default /etc/passwd file.

  3. -p

    • Example: vipw -p
    • Explanation: This command opens the /etc/passwd file for editing using the specified editor (defaults to vi).

  4. -s

    • Example: vipw -s
    • Explanation: This command edits the /etc/shadow file instead of the default /etc/passwd file.

chage

The chage command is a command-line utility in Linux and Unix-like operating systems used to change the password expiry information for a user account. It allows system administrators to set or modify the password expiry dates, the date of the last password change, the minimum password age, and other password-related policies for user accounts. The name chage is derived from “change age” reflecting its purpose of managing the aging parameters of user passwords.

Some commonly used options with chage include:

Option Description
-d <date> Sets the last password change date to the specified date (in YYYY-MM-DD format).
-E <date> Sets the account expiration date to the specified date (in YYYY-MM-DD format).
-h Displays help information about the chage command.
-I <date> Sets the password inactive period to the specified date (in YYYY-MM-DD format).
-l Displays the current aging information for the user account.
-m <days> Sets the minimum number of days between password changes to the specified value.
-M <days> Sets the maximum number of days the password is valid to the specified value.
-W <days> Sets the number of days before password expiration that the user is warned.

Here are examples for each chage option with explanations:

  1. -d <date>

    • Example: sudo chage -d 2022-01-01 username
    • Explanation: This command sets the last password change date for the user username to January 1, 2022.

  2. -E <date>

    • Example: sudo chage -E 2025-12-31 username

    • Explanation: This command sets the account expiration date for the user username to December 31, 2025.

    • Example: sudo chage -E 0 username

    • Explanation: In the context of chage, an expiration date of 0 corresponds to January 1, 1970 (the Unix epoch). Setting the expiration date to this value effectively means the account is expired and cannot be used to log in until the expiration date is updated.

    • Example: sudo chage -E '' username
    • Explanation: Removes any set account expiration date. By providing an empty string '' as the expiration date, you’re instructing chage to clear any existing expiration date, making the account non-expiring. This means the account will remain active indefinitely unless changed in the future.

  3. -h

    • Example: chage -h
    • Explanation: This command displays help information about the chage command, providing a brief description of its options and usage.

  4. -I <date>

    • Example: sudo chage -I 30 username
    • Explanation: This command sets the password inactive period for the user username to 30 days.

  5. -l

    • Example: chage -l username
    • Explanation: This command displays the current aging information for the user account username.

  6. -m <days>

    • Example: sudo chage -m 7 username
    • Explanation: This command sets the minimum number of days between password changes for the user username to 7 days.

  7. -M <days>

    • Example: sudo chage -M 90 username
    • Explanation: This command sets the maximum number of days the password is valid for the user username to 90 days.

  8. -W <days>

    • Example: sudo chage -W 7 username
    • Explanation: This command sets the number of days before password expiration that the user username is warned to 7 days.

groups

The groups command is a command-line utility in Linux and Unix-like operating systems used to display the groups to which a user belongs. It shows a list of all the groups that a specified user is a member of, including the user’s primary group and any secondary groups.

Some commonly used options with groups include:

Option Description
-h Displays help information about the groups command.
-v Displays the process’s effective group IDs (GIDs) in numerical form.
<username> Specifies the username for which to display group memberships. If not specified, uses the current user.

Here are examples for each groups option with explanations:

  1. -h

    • Example: groups -h
    • Explanation: This command displays help information about the groups command, providing a brief description of its options and usage.

  2. -v

    • Example: groups -v
    • Explanation: This command displays the process’s effective group IDs (GIDs) in numerical form.

  3. <username>

    • Example: groups john
    • Explanation: This command displays the group memberships for the user john. If the username is not specified, the groups command will display group memberships for the current user.

grpck

The grpck command is a command-line utility in Linux and Unix-like operating systems used to verify the integrity and consistency of the /etc/group file and its associated /etc/gshadow file. The /etc/group file contains group account information, and the /etc/gshadow file contains the encrypted group passwords and other secure group account information. The grpck command in Linux stands for “Group Check”.

Some commonly used options with grpck include:

Option Description
-h Displays help information about the grpck command.
-r Fixes any detected errors automatically.
-s Displays a summary of the verification process.

Here are examples for each grpck option with explanations:

  1. -h

    • Example: grpck -h
    • Explanation: This command displays help information about the grpck command, providing a brief description of its options and usage.

  2. -r

    • Example: grpck -r
    • Explanation: This command automatically fixes any detected errors in the group database.

  3. -s

    • Example: grpck -s
    • Explanation: This command displays a summary of the verification process of the group database.

sg

The sg command is a command-line utility in Linux and Unix-like operating systems used to execute a command as another group. It allows users to run commands with the privileges of a different group, rather than switching to another user account. The sg command in Linux stands for “Switch Group”.

Some commonly used options with sg include:

Option Description
- Simulates a login shell with the group ID of the specified group.
[group] Specifies the group name or GID to use.
[-c command] Specifies the command to be executed with the new group ID.

Here are examples for each sg option with explanations:

  1. -

    • Command: sg - groupname
    • Explanation: This command simulates a login shell with the group ID set to groupname.

  2. [group]

    • Command: sg groupname
    • Explanation: This command starts a new shell with the group ID set to groupname.

  3. [-c command]

    • Command: sg groupname -c "ls -l"
    • Explanation: This command executes the ls -l command with the group ID set to groupname.

newgrp

The newgrp command is a command-line utility in Linux and Unix-like operating systems used to change the current group ID during a login session. It allows users to switch to another group and obtain the group permissions of that group without logging out and logging back in again.

Some commonly used options with newgrp include:

Option Description
- Starts a new login shell with the new group’s environment variables.
-h Displays help information about the newgrp command.

Here are examples for each newgrp option with explanations:

  1. -

    • Example: newgrp - groupname
    • Explanation: This command starts a new login shell with the environment variables of the specified group groupname.

  2. -h

    • Example: newgrp -h
    • Explanation: This command displays help information about the newgrp command, providing a brief description of its options and usage.

chgrp

The chgrp command is a command-line utility in Linux and Unix-like operating systems used to change the group ownership of files and directories. It allows users to set or modify the group ownership of a file or directory to a specified group. The chgrp command in Linux stands for “Change Group”.

Some commonly used options with chgrp include:

Option Description
-c, --changes Report only when a change is made.
-f, --silent, --quiet Suppress most error messages.
-v, --verbose Output a diagnostic for every file processed.
--dereference Affect the referent of each symbolic link (default).
-h, --no-dereference Affect symbolic links instead of any referenced file (useful only on systems that can change the ownership of a symlink).
--no-preserve-root Do not treat ‘/’ specially (the default).
--preserve-root Fail to operate recursively on ‘/’.
--reference=RFILE Use RFILE’s group rather than specifying a GROUP value.
-R, --recursive Operate on files and directories recursively.
-H If a command line argument is a symbolic link to a directory, traverse it.
-L Traverse every symbolic link to a directory encountered.
-P Do not traverse any symbolic links (default).
--help Display help and exit.
--version Output version information and exit.

Here are examples for each chgrp option with explanations:

  1. -c, --changes

    • Command: chgrp -c groupname filename
    • Explanation: This command changes the group ownership of filename to groupname and reports only when a change is made.

  2. -f, --silent, --quiet

    • Command: chgrp -f groupname filename
    • Explanation: This command changes the group ownership of filename to groupname and suppresses most error messages.

  3. -v, --verbose

    • Command: chgrp -v groupname filename
    • Explanation: This command changes the group ownership of filename to groupname and outputs a diagnostic for every file processed.

  4. --dereference

    • Command: chgrp --dereference groupname symlink
    • Explanation: This command changes the group ownership of the referent of symlink to groupname (the default behavior).

  5. -h, --no-dereference

    • Command: chgrp -h groupname symlink
    • Explanation: This command changes the group ownership of symlink itself to groupname (useful on systems that can change the ownership of a symlink).

  6. --no-preserve-root

    • Command: chgrp --no-preserve-root groupname /path/to/directory
    • Explanation: This command changes the group ownership of /path/to/directory to groupname without treating ‘/’ specially (the default).

  7. --preserve-root

    • Command: chgrp --preserve-root groupname /
    • Explanation: This command fails to operate recursively on ‘/’.

  8. --reference=RFILE

    • Command: chgrp --reference=referencefile targetfile
    • Explanation: This command changes the group ownership of targetfile to match that of referencefile.

  9. -R, --recursive

    • Command: chgrp -R groupname directory
    • Explanation: This command changes the group ownership of directory and its contents recursively to groupname.

  10. -H

    • Command: chgrp -RH groupname symlink_directory
    • Explanation: This command changes the group ownership of symlink_directory and any symbolic links to directories it points to, recursively.

  11. -L

    • Command: chgrp -RL groupname symlink_directory
    • Explanation: This command changes the group ownership of symlink_directory and every symbolic link it points to, recursively.

  12. -P

    • Command: chgrp -RP groupname directory
    • Explanation: This command changes the group ownership of directory without traversing any symbolic links.

  13. --help

    • Command: chgrp --help
    • Explanation: This command displays help information about the chgrp command.

  14. --version

    • Command: chgrp --version
    • Explanation: This command outputs version information about chgrp.

groupmems

The groupmems command is a command-line utility in Linux and Unix-like operating systems used to manage the members of a group. It allows users to add or remove members from a group without editing the /etc/group file manually. The groupmems command in Linux stands for “Group Memberships”.

Some commonly used options with groupmems include:

Option Description
-a Adds a user to the specified group.
-d Deletes a user from the specified group.
-h Displays help information about the groupmems command.
-g Specifies the group to administer.
-l Lists the members of the specified group.
-p purge all members from the group

Here are examples for each groupmems option with explanations:

  1. -a

    • Command: groupmems -a username -g groupname
    • Explanation: This command adds the user username to the group groupname.

  2. -d

    • Command: groupmems -d username -g groupname
    • Explanation: This command deletes the user username from the group groupname.

  3. -h

    • Command: groupmems -h
    • Explanation: This command displays help information about the groupmems command, providing a brief description of its options and usage.

  4. -g

    • Command: groupmems -g groupname
    • Explanation: This command specifies the group groupname to administer.

  5. -l

    • Command: groupmems -l -g groupname
    • Explanation: This command lists the members of the group groupname.

  6. -p

    • Command: groupmems -p password -g groupname
    • Explanation: This command removes all members from the group groupname.

vigr

The vigr command is a command-line utility in Linux and Unix-like operating systems used to edit the /etc/group and /etc/gshadow files safely. The /etc/group file contains group account information, and the /etc/gshadow file contains the encrypted group passwords and other secure group account information.

When you run vigr, it opens the /etc/group and /etc/gshadow files in a safe manner, preventing multiple administrators from editing the files simultaneously and avoiding the risk of corrupting the files. The vigr command uses the vi text editor by default, but you can change the default editor by setting the EDITOR or VISUAL environment variable.

It’s important to note that making incorrect changes to the /etc/group and /etc/gshadow files can potentially lock you out of your system or cause other issues, so it’s crucial to use vigr to edit the files to ensure that the syntax is correct.

Some commonly used options with vigr include:

Option Description
-g, --group edit group database
-h, --help display this help message and exit
-p, --passwd edit passwd database
-q, --quiet quiet mode
-R, --root CHROOT_DIR directory to chroot into
-s, --shadow edit shadow or gshadow database

Here are examples for each vigr option with explanations:

  1. -g, --group

    • Example: vigr -g
    • Explanation: This command opens the /etc/group file for editing using the vi editor.

  2. -h, --help

    • Example: vigr -h
    • Explanation: This command displays help information about the vigr command, providing a brief description of its options and usage.

  3. -p, --passwd

    • Example: vigr -p
    • Explanation: This command opens the /etc/passwd file for editing using the vi editor.

  4. -q, --quiet

    • Example: vigr -q
    • Explanation: This command runs vigr in quiet mode, which suppresses all normal output.

  5. -R, --root CHROOT_DIR

    • Example: vigr -R /mnt/chroot
    • Explanation: This command sets the directory /mnt/chroot as the directory to chroot into before editing the database.

  6. -s, --shadow

    • Example: vigr -s
    • Explanation: This command opens the /etc/shadow file for editing using the vi editor.

whoami

The whoami command does not have any options to provide examples for. It simply displays the username of the current user.

  1. whoami
    • Command: whoami
    • Output: username
    • Explanation: This command displays the username of the current user.

W or w

The w command is a command-line utility in Linux and Unix-like operating systems used to display information about the currently logged-in users and what they are doing. It provides a quick overview of the system’s activity, showing who is logged in, what they are doing, and how long they have been idle.

Some commonly used options with w include:

Option Description
-h Displays help information about the w command.
-s Displays only the summary information, omitting the login time, JCPU, and PCPU fields.
-u Shows the load average, number of users logged in, and system uptime.

Here are examples for each w option with explanations:

  1. -h

    • Example: w -h
    • Explanation: This command displays help information about the w command, providing a brief description of its options and usage.

  2. -s

    • Example: w -s
    • Explanation: This command displays only the summary information, omitting the login time, JCPU (total CPU time used by the job), and PCPU (CPU time used by the process) fields.

  3. -u

    • Example: w -u
    • Explanation: This command shows the load average, number of users logged in, and system uptime, in addition to the usual output.

last

The last command is a command-line utility in Linux and Unix-like operating systems used to display information about the last logged-in users and their sessions. It provides a history of the last logged-in users, showing when they logged in and out, as well as from which terminals or IP addresses they logged in.

Some commonly used options with last include:

Option Description
-d Displays the hostname in the last column of the output.
-f <file> Reads the specified file instead of /var/log/wtmp.
-h Displays help information about the last command.
-i Displays the IP addresses along with the hostname in the output.
-n <num> Displays the specified number (num) of lines.
-x Displays the system shutdown entries and run level changes.

Here are examples for each last option with explanations:

  1. -d

    • Example: last -d
    • Explanation: This command displays the hostname in the last column of the output, in addition to the usual output.

  2. -f <file>

    • Example: last -f /var/log/wtmp.1
    • Explanation: This command reads the specified file /var/log/wtmp.1 instead of the default /var/log/wtmp.

  3. -h

    • Example: last -h
    • Explanation: This command displays help information about the last command, providing a brief description of its options and usage.

  4. -i

    • Example: last -i
    • Explanation: This command displays the IP addresses along with the hostname in the output.

  5. -n <num>

    • Example: last -n 5
    • Explanation: This command displays the last 5 lines of the log.

  6. -x

    • Example: last -x
    • Explanation: This command displays the system shutdown entries and run level changes in the output.

finger

The finger command is a command-line utility in Linux and Unix-like operating systems used to display information about user accounts. It provides detailed information about a specific user, such as the login name, real name, terminal name, login time, idle time, and more.

Some commonly used options with finger include:

Option Description
-h Displays help information about the finger command.
-l Displays a long format listing, including the user’s home directory, login shell, and more.
-m Displays information in a machine-parseable format.
-p Suppresses the display of the user’s plan file.
-q Quiet mode; only displays the user’s login name, real name, terminal, and write status.
-s Short format; displays only the user’s login name, real name, terminal, and write status.
<username> Specifies the username(s) for which to display information. If not specified, displays information for all logged-in users.

Here are examples for each finger option with explanations:

  1. -h

    • Example: finger -h
    • Explanation: This command displays help information about the finger command, providing a brief description of its options and usage.

  2. -l

    • Example: finger -l username
    • Explanation: This command displays a long format listing for the user username, which includes the user’s home directory, login shell, and more.

  3. -m

    • Example: finger -m username
    • Explanation: This command displays information for the user username in a machine-parseable format.

  4. -p

    • Example: finger -p username
    • Explanation: This command suppresses the display of the user’s plan file for the user username.

  5. -q

    • Example: finger -q username
    • Explanation: This command displays information for the user username in quiet mode, showing only the user’s login name, real name, terminal, and write status.

  6. -s

    • Example: finger -s username
    • Explanation: This command displays information for the user username in a short format, showing only the user’s login name, real name, terminal, and write status.

  7. <username>

    • Example: finger username
    • Explanation: This command displays information for the specified username. If no username is specified, it displays information for all logged-in users.

chfn

The chfn command is a command-line utility in Linux and Unix-like operating systems used to change the user information stored in the /etc/passwd file. It allows users to modify the information associated with their user account, such as the full name, room number, work phone, and other details. The chfn command in Linux stands for “Change Finger”.

Some commonly used options with chfn include:

Option Description
-f <full_name> Sets the user’s full name.
-h Displays help information about the chfn command.
-o Allows the use of duplicate GECOS field values.
-r <room_number> Sets the user’s office or room number.
-w <work_phone> Sets the user’s work phone number.

Here are examples for each chfn option with explanations:

  1. -f <full_name>

    • Example: chfn -f "John Doe" username
    • Explanation: This command sets the full name of the user username to “John Doe”.

  2. -h

    • Example: chfn -h
    • Explanation: This command displays help information about the chfn command, providing a brief description of its options and usage.

  3. -o

    • Example: chfn -o username
    • Explanation: This command allows the use of duplicate GECOS (General Electric Comprehensive Operating System) field values for the user username.

  4. -r <room_number>

    • Example: chfn -r "101" username
    • Explanation: This command sets the office or room number of the user username to “101”.

  5. -w <work_phone>

    • Example: chfn -w "555-1234" username
    • Explanation: This command sets the work phone number of the user username to “555-1234”.

chsh

The chsh (change shell) command in Linux and Unix-like operating systems allows users to change their default login shell. The login shell is the command-line interface that users interact with upon logging into the system.

Commonly Used Options with chsh:

Option Description
-s <shell_path> Specifies the new login shell by providing its full path.
-l Lists available shells from the /etc/shells file.
-u Updates the user’s shell without performing validation checks.
-h Displays help information about the chsh command.

Examples for Each chsh Option with Explanations:

  1. -s <shell_path>

    • Example: chsh -s /bin/zsh username
    • Explanation: This command changes the login shell for the user username to /bin/zsh. Ensure that the specified shell exists and is listed in the /etc/shells file.

  2. -l

    • Example: chsh -l
    • Explanation: This command lists all available shells as specified in the /etc/shells file, allowing users to see which shells are permissible to select.

  3. -u

    • Example: chsh -u username
    • Explanation: This command updates the user’s shell without performing the usual validation checks. Use this option with caution, as it may allow setting a shell that is not listed in /etc/shells.

  4. -h

    • Example: chsh -h
    • Explanation: This command displays help information about the chsh command, providing a brief description of its options and usage.

Important Considerations:

  • Only the superuser (root) can change the login shell for other users. Regular users can change their own login shell, provided the new shell is listed in /etc/shells.
  • Ensure that the specified shell is installed on the system and is a valid executable.
  • Changes made by chsh take effect the next time the user logs in.
Linux, Command
user and group management
This post is licensed under CC BY 4.0 by the author.