The add family of commands is used to create a user or group, and to define whether a user will be part of a group as part of its creation. This allows us to manage access to various parts of the Linux OS based on which user is requesting access (either a human or, as is often the case, a process).
groupadd
The groupadd command is used to create new user groups, which are like organisational buckets for access control. For example, sudo groupadd developers will create a new group called developers; when run, this will return an exit code of 0 if successful.
useradd
To add a new user we can use the useradd command, along with options to define parameters for that account such as default shell, home dir, expiration, etc.
Example
The command below does the following:
-c adds a comment that can be seen when we look at user lists
adduser is used to accomplish the same thing as useradd, except it uses an interactive prompt to create a user step by step.
Delete
To remove access and data for a specific user, we can use userdel.
userdel
Permanently removes a user’s account from the system.
Example
If we want to remove a user from the system, and also delete all their files, we can use the -r flag to accomplish this. Note that the -r flag deletes the user’s home dir, mail spool, and other standard directories:
sudo userdel -r john
deluser
Much like the dichotomy between adduser and useradd, deluser is an interactive prompt to remove a user.
groupdel
This command is used to remove a group from the system when it is no longer needed. It can simply be used with sudo groupdel my_group. Note that it will only work if no user is part of the group.
Modify
passwd
Used to change a user’s password, lock or unlock accounts, or delete passwords from a user’s account.
-d will delete a password for a user; -l will lock an account, while -u will unlock it. Finally, -e will expire the password.
chsh
Used to change a user’s login shell. It is used by running chsh -s [SHELL] [USERNAME]
groupmod
Used to manage user groups. A common use, for example, is to change the name of a group. This is accomplished with sudo groupmod -n devs developers, where the first argument after -n is the new group name.
usermod
Make changes to a user’s account, such as adding them or removing them from groups, etc. To add someone to the admin group, for example, we can use sudo usermod -aG admin samantha. We can also use usermod instead of chsh to change a login shell by using usermod -s [SHELL] [USERNAME].
To disable a user, do usermod -L [USERNAME]. To re-enable, use the -U flag (and note that this is equivalent to using passwd).
Lock
While a lot of access restrictions can be managed with passwd and usermod, we can also use chage. This command is used to manage user expiration and aging; it allows us to set when a password will expire, when a user will be warned about the expiration, and when the account will be disabled if the password is not updated.
Example
To set a maximum password validity period of 30 days, with a 7 day warning, we can set it up with:
sudo chage -M 30 -W 7 [USERNAME]
To disable an account entirely after a specific date, we can instead use:
sudo chage -E 2025-12-31 [USERNAME]
To see current password policies for a specific user, use the -l option.
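As an added example (not part of the original page): passwd -l/-d/-e, usermod -L and chage record their changes in the fields of /etc/shadow, described in shadow(5), so the lock and aging state of every account can be reviewed in one pass. The script classifies constructed sample lines; audit_shadow and sample_shadow are hypothetical names, and day number 20000 stands in for today.

```shell
#!/bin/sh
# Added example: classify accounts from shadow(5)-format lines on stdin.
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are day numbers (days since 1970-01-01).
# Real use (needs root): getent shadow | audit_shadow "$(( $(date +%s) / 86400 ))"
audit_shadow() {
    awk -F: -v today="$1" '
    {
        user = $1; pw = $2; lastchg = $3; max = $5; warn = $6; expire = $8
        if (pw == "")        print user ": empty password (passwd -d)"
        else if (pw ~ /^!/)  print user ": locked (passwd -l or usermod -L)"
        if (expire != "" && expire + 0 <= today + 0)
            print user ": account expired (chage -E)"
        if (lastchg == "0")
            print user ": must change password at next login (passwd -e)"
        else if (lastchg != "" && max != "" && max + 0 < 99999) {
            left = lastchg + max - today          # days of validity remaining
            if (left < 0)
                print user ": password past its maximum age by " (0 - left) " days"
            else if (warn != "" && left <= warn + 0)
                print user ": password expires in " left " days (warning period)"
        } else if (pw != "" && pw !~ /^[!*]/)
            print user ": password never expires (no chage -M limit)"
    }'
}

# Constructed sample data; the hashes are placeholders, not real crypt output.
sample_shadow() {
    cat <<'EOF'
alice:$6$CONSTRUCTED$placeholder:19975:0:30:7:::
bob:!$6$CONSTRUCTED$placeholder:19900:0:99999:7:::
carol::19950:0:99999:7:::
dave:$6$CONSTRUCTED$placeholder:19960:0:30:7::19999:
erin:$6$CONSTRUCTED$placeholder:0:0:30:7:::
frank:$6$CONSTRUCTED$placeholder:19800:0:99999:7:::
EOF
}

sample_shadow | audit_shadow 20000   # 20000 is a constructed "today" day number
```

Accounts reported with an empty password or a password that never expires are the ones to review first.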
Expiration
On Linux, most security settings are managed through default security policies, which can be seen at /etc/login.defs (for some distributions). Here we can set defaults that apply to all users, while chage can be used to update specific details for specific accounts.
In addition to that file, we can also look at /etc/passwd, which contains information such as username, UID, GID, default shell, etc. In this file, too, we can specify an expiration date that will override those written in /etc/login.defs by setting it in the last field.
User information
Every user in a Linux system has a set of attributes, such as User ID, Group ID, and their group membership. We can use tools such as whoami and id to see some of this information; likewise, we can see the groups a user belongs to with groups, or get all users in the database with getent passwd.
Note
The getent passwd command is particularly useful in that it retrieves information about all system users, including those not logged in, and it includes network sessions rather than only local ones.
This command pulls its information from the user database and possibly from network directory accounts such as LDAP, etc.
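As an added example (not part of the original page), the output of getent passwd can be reviewed for accounts that share a UID, carry UID 0 under another name, or keep a usable login shell. The function name audit_passwd and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: review passwd(5)-format lines (name:x:UID:GID:comment:home:shell).
# Real use: getent passwd | audit_passwd
audit_passwd() {
    awk -F: '
    {
        user = $1; uid = $3; shell = $7
        # Any account with UID 0 has full root privileges, whatever its name.
        if (uid == "0" && user != "root")
            print user ": UID 0 (root-equivalent)"
        # Two names on one UID share file ownership and blur audit trails.
        if (uid in owner) print user ": shares UID " uid " with " owner[uid]
        else              owner[uid] = user
        # Accounts whose shell is not nologin/false can open a session.
        if (shell !~ /\/(nologin|false)$/)
            print user ": can log in with shell " (shell == "" ? "/bin/sh (default)" : shell)
    }'
}

# Constructed sample data in the format getent passwd prints.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
samantha:x:1001:1001:Samantha:/home/samantha:/bin/bash
john:x:1002:1002:John:/home/john:/bin/zsh
backup2:x:0:0:constructed:/var/tmp:/bin/sh
svc-deploy:x:1002:1002::/srv/deploy:/bin/false
EOF
}

sample_passwd | audit_passwd
```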
Session tracking
To see which sessions are logged in and other related information there are multiple commands that will retrieve relevant data:
Command    Use
who        Shows current logged-in users. It will also display connection IP, if appropriate.
w          Shows who is logged in and what they are doing
lastlog    Displays last login time for all users
last       Shows full login history, including reboots and shutdowns
User profile templates
These templates define the default settings and files that a user inherits when their account is created, and are referenced by the add commands. The two primary ones are:
/etc/skel and /etc/profile
/skel
This template contains default files and directories that are copied into each new user’s home dir.
/profile
Used to configure system-wide environment settings for all users, such as environment variables or shell behaviour during login.
Important
The /etc/profile template is used when a new user logs in, not at account creation! This means we can modify the behaviour for existing users at login without changing defaults for each user.