Add Groups and Users

This post is copied from: ArchLinux: Users and groups

Group management

/etc/group is the file that defines the groups on the system.

Display group membership with the groups command:

$ groups [user]

If user is omitted, the current user’s group names are displayed.

The id command provides additional detail, such as the user’s UID and associated GIDs:

$ id [user]

To list all groups on the system:

$ cat /etc/group

Create new groups with the groupadd command:

# groupadd [group]

Add users to a group with the gpasswd command:

# gpasswd -a [user] [group]

Modify an existing group with groupmod; e.g. to rename the old_group group to new_group while preserving its GID (all files previously owned by old_group will then be owned by new_group):

# groupmod -n [old_group] [new_group]

To delete existing groups:

# groupdel [group]

To remove users from a group:

# gpasswd -d [user] [group]

If the user is currently logged in, they must log out and back in again for the change to take effect.
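The commands above read /etc/group, whose format is group_name:password:GID:comma-separated members. The following script is an added example, not part of the Arch wiki page: it parses a file in that format to answer the questions `groups` and `id` answer (who is in a group, what its GID is, which groups list a user). The sample data is constructed and written to a temp file so the script runs offline; the function names are this example's own, and on a real host you would set GROUP_FILE=/etc/group.

```shell
#!/bin/sh
# Added example, not part of the Arch wiki page: read group membership from a
# file in /etc/group format (group_name:password:GID:member1,member2,...).
# Constructed sample data goes to a temp file so this runs offline; set
# GROUP_FILE=/etc/group to inspect a real system.
SAMPLE_GROUP_FILE=$(mktemp)
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:998:archie,admin
users:x:985:archie,guest
archie:x:1000:
EOF
GROUP_FILE="${GROUP_FILE:-$SAMPLE_GROUP_FILE}"

# Members of a group, one per line, taken from the 4th field.
group_members() {
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$GROUP_FILE"
}

# GID of a group; fails (exit 1) if no such group exists.
group_gid() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$GROUP_FILE")
    [ -n "$gid" ] && printf '%s\n' "$gid"
}

# Every group that lists the user as a supplementary member. The user's
# primary group lives in /etc/passwd, not here, which is why `groups` and
# `id` read both files.
user_supplementary_groups() {
    awk -F: -v u="$1" '{ n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$GROUP_FILE"
}

# Audit check: succeed only if the user is a member of the group
# (e.g. "is this account in wheel?").
user_in_group() {
    group_members "$2" | grep -qx "$1"
}

printf 'wheel members: %s\n' "$(group_members wheel | tr '\n' ' ')"
printf 'archie is in: %s\n' "$(user_supplementary_groups archie | tr '\n' ' ')"
```

Because the script only reads the file, it is a convenient way to review privileged groups (wheel, or any group granted sudo) on a host without relying on the state of the running NSS configuration.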


User management

To list the users currently logged on to the system, use the who command.

To add a new user, use the useradd command:

# useradd -m -g [initial_group] -G [additional_groups] -s [login_shell] [username]
  • -m creates the user home directory as /home/username. Within their home directory, a non-root user can write files, delete them, install programs, and so on.
  • -g defines the group name or number of the user’s initial login group. If specified, the group name must exist; if a group number is provided, it must refer to an already existing group. If not specified, the behaviour of useradd will depend on the USERGROUPS_ENAB variable contained in /etc/login.defs. The default behaviour (USERGROUPS_ENAB yes) is to create a group with the same name as the username, with GID equal to UID.
  • -G introduces a list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no intervening spaces. The default is for the user to belong only to the initial group.
  • -s defines the path and file name of the user’s default login shell. After the boot process is complete, the default login shell is the one specified here. Ensure the chosen shell package is installed if choosing something other than Bash.

Warning: The login shell should be one of those listed in /etc/shells. For programs that use PAM, this is checked by the pam_shells module.
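The useradd options and the /etc/shells warning above translate into a few checks worth making before the account exists. The script below is an added example, not from the Arch wiki page: it validates the username, the -G list and the login shell, then prints the useradd command as a dry run rather than executing it. The /etc/shells content is a constructed sample in a temp file (set SHELLS_FILE=/etc/shells on a real host), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Arch wiki page: check useradd arguments before
# anything touches the system, then print the command instead of running it
# (a dry run to review; remove the printf only once the output looks right).
# /etc/shells is replaced by a constructed sample so the checks run offline;
# set SHELLS_FILE=/etc/shells on a real host.
SAMPLE_SHELLS_FILE=$(mktemp)
cat > "$SAMPLE_SHELLS_FILE" <<'EOF'
# valid login shells (constructed sample of /etc/shells)
/bin/sh
/bin/bash
/usr/bin/zsh
EOF
SHELLS_FILE="${SHELLS_FILE:-$SAMPLE_SHELLS_FILE}"

# The shell must be listed in /etc/shells (comment lines ignored), which is
# what pam_shells enforces at login; catching it here avoids creating an
# account whose shell nobody can log in with.
shell_is_valid() {
    grep -v '^#' "$SHELLS_FILE" | grep -qx "$1"
}

# Username pattern recommended by useradd(8): [a-z_][a-z0-9_-]*[$]?, here
# also capped at 32 characters. Stricter than what useradd itself accepts.
username_is_valid() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}\$?$'
}

# -G takes a comma-separated list with no spaces and no empty entries.
supplementary_groups_are_valid() {
    case "$1" in
        '' ) return 0 ;;                      # no -G at all is fine
        *' '* | *,,* | ,* | *, ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Print the useradd invocation, or fail with a reason on stderr.
# Args: username initial_group(or '') supplementary_groups(or '') shell
build_useradd_cmd() {
    username_is_valid "$1" || { echo "rejected username: $1" >&2; return 1; }
    supplementary_groups_are_valid "$3" || { echo "bad -G list: $3" >&2; return 1; }
    shell_is_valid "$4" || { echo "shell not in $SHELLS_FILE: $4" >&2; return 1; }
    cmd="useradd -m"
    # no -g: useradd creates a per-user group when USERGROUPS_ENAB is yes
    [ -n "$2" ] && cmd="$cmd -g $2"
    [ -n "$3" ] && cmd="$cmd -G $3"
    printf '%s -s %s %s\n' "$cmd" "$4" "$1"
}

build_useradd_cmd archie '' wheel /bin/bash
```

The shell check is the one that matters most operationally: useradd itself will happily record a shell that is not in /etc/shells, and the failure only shows up later as a login rejected by pam_shells.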

Example adding a user

On a typical desktop system, use the following command to add a new user named archie, specify Bash as their login shell and add them to the wheel group (see the entry in #User groups for details):

# useradd -m -G wheel -s /bin/bash archie

This command will also automatically create a group called archie with the same GID as the UID of the user archie and make it the default group for archie on login. Giving each user their own group (group name the same as the user name, GID the same as the UID) is the preferred way to add users.

You could also make the default group something else, e.g. users:

# useradd -m -g users -G wheel -s /bin/bash archie

However, this is not recommended for multi-user systems. The usual way to give specific groups of users shared write access while keeping home directories private is to set the user umask to 002, so that the default group (users in the example above) always has write access to any file you create by default. The user’s home folder, owned by a group with the same name as the user, stays read-only for other system users, while shared files/folders can be made writeable by default for everyone in the operative group. The owning group can be fixed automatically to the group that owns the parent directory by setting the setgid bit (often loosely called the group sticky bit) on that directory:

# chmod g+s our_shared_directory

Otherwise the file creator’s default group (usually the same as the user name) is used.
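The effect of umask 002 and of g+s on a directory can be checked on any machine with throwaway directories. The script below is an added example, not part of the Arch wiki page; it assumes GNU stat(1) from coreutils for reading modes back, and its function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Arch wiki page: observe what umask 002 and
# the setgid bit do, using throwaway directories under the system temp dir.
# Modes are read back with GNU stat(1) (coreutils assumed).

# Octal mode of a regular file created while the given umask is in force,
# e.g. 002 -> 664 (group-writable), 022 -> 644 (the common default).
mode_under_umask() {
    dir=$(mktemp -d)
    ( umask "$1" && : > "$dir/newfile" )   # subshell keeps the umask change local
    stat -c %a "$dir/newfile"
    rm -rf "$dir"
}

# Mode of a shared directory after chmod g+s: the leading 2 is the setgid
# bit. Files created inside inherit the directory's group instead of the
# creator's primary group, so the team group stays the owner.
shared_dir_mode() {
    dir=$(mktemp -d)
    chmod 775 "$dir" && chmod g+s "$dir"
    stat -c %a "$dir"
    rm -rf "$dir"
}

# Check the inheritance itself: the group of a file made inside a setgid
# directory equals the directory's group.
file_inherits_dir_group() {
    dir=$(mktemp -d)
    chmod g+s "$dir"
    : > "$dir/newfile"
    if [ "$(stat -c %G "$dir/newfile")" = "$(stat -c %G "$dir")" ]; then
        result=0
    else
        result=1
    fi
    rm -rf "$dir"
    return $result
}

printf 'umask 002 -> %s, umask 022 -> %s, g+s dir -> %s\n' \
    "$(mode_under_umask 002)" "$(mode_under_umask 022)" "$(shared_dir_mode)"
```

On a real shared directory the two halves belong together: umask 002 makes new files group-writable, and the setgid bit makes sure the group they are writable by is the shared one rather than each creator's private per-user group.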

Other examples of user management

To add a user to other groups use:

# usermod -aG additional_groups username

Alternatively, gpasswd may be used, though it can only add the user to (or remove the user from) one group at a time:

# gpasswd --add username group

Warning: If the -a option is omitted in the usermod command above, the user is removed from all groups not listed in additional_groups (i.e. the user will be a member only of those groups listed in additional_groups).
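The warning about omitting -a is easy to turn into a pre-flight check: compute the user's current supplementary groups from /etc/group and list which of them a plain `usermod -G` would drop. The script below is an added example, not part of the Arch wiki page; the /etc/group content is a constructed sample in a temp file (set GROUP_FILE=/etc/group to audit a real account) and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Arch wiki page: before changing a user's
# supplementary groups, list which memberships a plain `usermod -G` (no -a)
# would silently drop. A constructed /etc/group-format sample keeps this
# offline; set GROUP_FILE=/etc/group to audit a real account.
SAMPLE_GROUP_FILE=$(mktemp)
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
wheel:x:998:archie
audio:x:995:archie,guest
docker:x:970:archie
users:x:985:guest
EOF
GROUP_FILE="${GROUP_FILE:-$SAMPLE_GROUP_FILE}"

# Join stdin lines with commas (empty input yields an empty string).
join_commas() {
    awk '{ printf "%s%s", (NR > 1 ? "," : ""), $0 } END { print "" }'
}

# Comma-separated groups that currently list the user in their member field.
current_supplementary_groups() {
    awk -F: -v u="$1" '{ n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$GROUP_FILE" | join_commas
}

# Groups lost if `usermod -G <new_list> <user>` ran without -a: every current
# group absent from the new list. Losing wheel here means losing sudo.
groups_dropped_without_a() {
    current_supplementary_groups "$1" | tr ',' '\n' | while IFS= read -r g; do
        case ",$2," in
            *",$g,"* ) ;;                 # kept: named in the new list
            * ) printf '%s\n' "$g" ;;     # dropped
        esac
    done | join_commas
}

# The safe form: append to existing membership rather than replace it.
append_groups_cmd() {
    printf 'usermod -aG %s %s\n' "$2" "$1"
}

printf 'usermod -G video archie would drop: %s\n' "$(groups_dropped_without_a archie video)"
append_groups_cmd archie video
```

Run against the sample, the dropped list for `usermod -G video archie` is wheel,audio,docker, which is exactly the kind of silent privilege change (lost sudo, lost docker access) that is hard to trace afterwards; the -aG form changes nothing except adding video.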

To enter user information for the GECOS field (e.g. the full user name), type:

# chfn username

(this way chfn runs in interactive mode).

To specify the user’s password, type:

# passwd username

To mark a user’s password as expired, requiring them to create a new password the first time they log in, type:

# chage -d 0 username

User accounts may be deleted with the userdel command.

# userdel -r username

The -r option specifies that the user’s home directory and mail spool should also be deleted.

Tip: The AUR packages adduser, adduser-defaults or adduser-deb provide an adduser script that allows carrying out the jobs of useradd, chfn and passwd interactively. See also FS#32893.