How to create, modify and delete user accounts on Linux

User account management is one of the fundamental tasks of every Linux system administrator. In this article we will learn how to create a new user account, how to modify it and how to delete it from the command line using the useradd, usermod and userdel utilities, which are part of the base system.

In this tutorial you will learn:

  • What is the use of the /etc/login.defs file
  • How to create a user account with various options using the useradd command
  • How to modify a user account using the usermod command
  • How to delete a user account using the userdel command

Software requirements and conventions used

Software Requirements and Linux Command Line Conventions

| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Distribution independent |
| Software | useradd, usermod and userdel utilities (installed by default) |
| Other | Root permissions to perform administrative tasks |
| Conventions | # – requires given linux-commands to be executed with root privileges either directly as a root user or by use of sudo command; $ – requires given linux-commands to be executed as a regular non-privileged user |

Default settings

The default settings applied when a user is created are defined in the /etc/login.defs file. If we take a look at the file on a Fedora system, for example, we can see the options defined in it, which can be overridden at runtime by the dedicated command line options. Let’s see some of those definitions:

| Option | Meaning | Default value |
|---|---|---|
| CREATE_HOME | Defines if a home directory should be created for new users | yes |
| ENCRYPT_METHOD | The method used for encrypting passwords | SHA512 |
| UID_MIN | Minimum uid value automatically assigned to standard users | 1000 |
| UID_MAX | Maximum uid value automatically assigned to standard users | 60000 |
| SYS_UID_MIN | Minimum uid value automatically assigned to “system” users | 201 |
| SYS_UID_MAX | Maximum uid value automatically assigned to “system” users | 999 |
| PASS_MAX_DAYS | Maximum number of days a password may be used | 99999 |
| PASS_MIN_DAYS | Minimum number of days allowed between password changes | 0 |
| PASS_WARN_AGE | Number of days warning is given before a password expires | 7 |

The ones above are only a small subset of the options defined in the /etc/login.defs file, but enough to give a general idea.
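
As an added example (not part of the original article), the following script reads some of the options from the table out of a login.defs-style file and flags settings an administrator would want to review. The function names, the OK/WARN/INFO labels, the checks chosen and the sample file are assumptions made for this example.

```sh
#!/bin/sh

# Print the value of KEY in FILE, or FALLBACK when KEY is not defined.
# If a key appears twice this helper keeps the last one (an assumption).
logindefs_get() {   # usage: logindefs_get FILE KEY FALLBACK
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                # ignore comment lines
        $1 == key  { val = $2 }
        END        { print (val == "" ? def : val) }' "$1"
}

# One OK/WARN/INFO line per check. Fallbacks are the Fedora defaults
# listed in the table above.
logindefs_audit() { # usage: logindefs_audit FILE
    method=$(logindefs_get "$1" ENCRYPT_METHOD unset)
    uid_min=$(logindefs_get "$1" UID_MIN 1000)
    sys_max=$(logindefs_get "$1" SYS_UID_MAX 999)
    max_days=$(logindefs_get "$1" PASS_MAX_DAYS 99999)
    case $method in
        DES|MD5) echo "WARN ENCRYPT_METHOD=$method is a legacy hash scheme" ;;
        unset)   echo "WARN ENCRYPT_METHOD is not set in this file" ;;
        *)       echo "OK ENCRYPT_METHOD=$method" ;;
    esac
    # Standard and system uid ranges must not overlap.
    if [ "$uid_min" -le "$sys_max" ]; then
        echo "WARN UID_MIN=$uid_min overlaps SYS_UID_MAX=$sys_max"
    else
        echo "OK UID_MIN=$uid_min is above SYS_UID_MAX=$sys_max"
    fi
    # 99999 days is about 273 years, so no aging is enforced in practice.
    if [ "$max_days" -ge 99999 ]; then
        echo "INFO PASS_MAX_DAYS=$max_days (passwords effectively never expire)"
    else
        echo "OK PASS_MAX_DAYS=$max_days"
    fi
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed login.defs fragment
ENCRYPT_METHOD  MD5
UID_MIN         500
SYS_UID_MAX     999
PASS_MAX_DAYS   90
EOF
logindefs_audit "$sample"
rm -f "$sample"
```

On a real system the audit would be run as logindefs_audit /etc/login.defs.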



Creating a new user

To create a new user account on our Linux system we can use the useradd utility; its syntax is the following:

useradd [options] LOGIN

Where LOGIN is the login name to be created. Suppose we want to create a new account for the “newuser” user; we would run:

$ sudo useradd newuser

The command above will create the “newuser” account on the system; additionally, a home directory will be created for the user since, as we can see in the table above, the CREATE_HOME option is set to yes by default. It is possible to request the creation of a home directory for the new user explicitly by using the -m (short for --create-home) option of the useradd command. If we instead want to avoid the creation of said directory, we should use the -M option, which is short for --no-create-home.

After the creation of a user, the recommended way to set its password is to use the passwd utility. Remember this: it is an important step!

Specifying a login shell

Another common thing we may want to specify when creating a new user is its login shell: we can do it by using the -s option (--shell) and passing the path of the shell binary as argument. If this option is not provided explicitly, the shell specified by the $SHELL variable will be used (on Fedora it is /bin/bash). For instance, to explicitly declare the login shell of a new user, we would run:

$ sudo useradd -s /bin/bash newuser

Manually specify the user UID

When a new user is created, by default it is assigned the first available uid that is greater than or equal to the value of the UID_MIN option in the /etc/login.defs file, greater than the uid of any other user, and smaller than or equal to the value of the UID_MAX option. If we want to manually specify a uid, we should use the -u (--uid) option and provide the uid value we want to use as its argument (it must be a non-negative value). To create a user with a uid of 1005 assigned manually, we would run:

$ sudo useradd -u 1005 newuser


Creating a “system” user

If not explicitly declared, the useradd command will create “standard” users, that is, users with a uid >= 1000. If we instead want to create a “system” user, that is, a user with no aging information declared in the /etc/shadow file, we must use the -r (--system) option. System users are normally used by daemons or other applications, therefore home directories are not created for them. Their uid is chosen in the range defined by the SYS_UID_MIN and SYS_UID_MAX options in the /etc/login.defs file. To create a “system” user we would run:

$ sudo useradd -r newuser

Specify additional groups for a new user

When a standard user is created, by default a group named after it is also created and the user is automatically included in it: this is its primary group. If we want to specify a series of additional groups the user should be part of, we must use the -G option, which is short for --groups, and provide a comma-separated list of groups as its argument. For example, to include a user in the wheel group, which is necessary to let it use the sudo command, we would run:

$ sudo useradd -G wheel newuser

Modifying user account with the usermod utility

If the useradd utility is used to create a new user account, the usermod one, as its name suggests, is used to modify an existing one. The syntax to use with the command is the same used by useradd:

usermod [options] LOGIN

Let’s see some examples of the utility usage.

Add an existing user to additional groups

We saw how to add the user to some additional groups at creation time, using the -G option of the useradd command. If a user account already exists, however, and we want to make it a member of supplementary groups, we should use the same option together with the -a (--append) one when running the usermod utility and provide the list of groups as its argument:

$ sudo usermod -a -G newgroup user

The -a option must be used exclusively together with -G. Be careful, however: if the latter is used by itself, the specified groups will not be added to the list of the supplementary ones the user is already part of, but said list will be completely redefined.
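
To see what would be lost before running usermod -G without -a, the membership can be compared against the proposed list first. This is an added example, not part of the original article; the function names and the group entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: preview what "usermod -G" without -a would remove.

# Constructed group(5) entries: name:password:gid:member,member,...
sample_group() {
    cat <<'EOF'
wheel:x:10:admin,newuser
docker:x:990:newuser
audit:x:1010:carol,newuser
newgroup:x:1011:
newuser:x:1005:
EOF
}

# Supplementary groups of USER, one per line, from group-format stdin.
supp_groups() {     # usage: supp_groups USER < group-file
    awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' | sort
}

# Groups USER would lose if "usermod -G NEWLIST USER" ran without -a.
groups_dropped() {  # usage: groups_dropped USER NEWLIST < group-file
    keep=$(printf '%s\n' "$2" | tr ',' '\n')
    supp_groups "$1" | while read -r g; do
        printf '%s\n' "$keep" | grep -Fqx -- "$g" || printf '%s\n' "$g"
    done
}

# With -G newgroup alone, newuser would silently leave these groups:
sample_group | groups_dropped newuser newgroup
# With the current groups repeated in the list, nothing is lost:
sample_group | groups_dropped newuser newgroup,wheel,docker,audit
```

On a live system the same functions can be fed from getent group instead of the sample data.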



Locking and unlocking a user password

Sometimes we may want to lock a user’s password, to make it impossible to log in with it. In such cases we can use the -L option (short for --lock):

$ sudo usermod -L newuser

The ! symbol will be put in front of the encrypted password, disabling it:

newuser:!$6$ISaqNDTydf51adbj$6ciHWBByfhe9k0sfg8Cky2F3HhgxdfMtmrWyq0323rvuCUu/un0d4rldwI0ELj4aSyFv0.cki3c/oLJFFNGyt/:18602:0:99999:7:::

To perform the opposite operation, and unlock the user password, we should use the -U (--unlock) option:

$ sudo usermod -U newuser
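
The ! marker described in this section can be checked across a whole shadow-format file. The following is an added example, not part of the original article; the function names, state labels and sample entries (with placeholder hashes) are constructed for illustration. It also reports the expiry field, because the usermod manual notes that -L locks only password access and that the expiry date should also be set to 1 to lock the account itself.

```sh
#!/bin/sh
# Added example: classify shadow(5) entries by password-field state.

# Constructed sample entries; the hashes are placeholders, not real ones.
sample_shadow() {
    cat <<'EOF'
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18602:0:99999:7:::
bob:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18602:0:99999:7:::
carol:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18602:0:99999:7::1:
svc:!!:18602::::::
nopass::18602:0:99999:7:::
EOF
}

# Read shadow-format lines on stdin; print "name state expired=yes|no".
# TODAY is the current date in days since 1970-01-01 (defaults to now).
shadow_lock_state() {   # usage: shadow_lock_state [TODAY] < file
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        {
            pw = $2
            if (pw == "")             state = "no-password"  # empty field
            else if (pw ~ /^[!*]+$/)  state = "unusable"     # no hash stored
            else if (pw ~ /^!/)       state = "locked"       # hash behind "!"
            else                      state = "active"
            # Field 8 is the expiry date; empty means none, and this
            # helper treats 0 the same way.
            expired = ($8 + 0 > 0 && $8 + 0 <= today) ? "yes" : "no"
            print $1, state, "expired=" expired
        }'
}

# Accounts locked with -L whose expiry date is unset or in the future.
locked_not_expired() {  # usage: locked_not_expired [TODAY] < file
    shadow_lock_state "$@" |
        awk '$2 == "locked" && $3 == "expired=no" { print $1 }'
}

sample_shadow | shadow_lock_state
echo "password-locked only: $(sample_shadow | locked_not_expired)"
```

Reading the real /etc/shadow requires root, for example by piping the output of sudo cat /etc/shadow into shadow_lock_state.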

Changing the user uid and the gid of its initial group

To change an existing user uid we should use the -u option of usermod and provide the new value to be used. The specified uid, of course, must not already be in use, otherwise we will receive an error:

$ sudo usermod -u 1000 newuser
usermod: UID '1000' already exists

When the uid of an existing user is changed, all the files contained in that user’s home directory will have their user ID changed accordingly, except if the uid of the home directory is different from the uid currently assigned to the user.

We may also want to change the gid (group id) of the user’s initial group (the one that is created together with the user: its gid is the same as the user uid). To perform such an operation we must run usermod with the -g or --gid option; the new group must already exist:

$ sudo usermod -g 1006 newuser

Once we change a user primary group, the files in its home directory, owned by its previous group, will be automatically set to be owned by the new one.

Changing a user login name

To change a user login name, we must use the -l (--login) option of the usermod utility, provide the new login name as first argument, and the current login name as the second one. Supposing we want to change the login name from “newuser” to “linuxconfig”, we would run:

$ sudo usermod -l linuxconfig newuser

Beware that by running the above command, only the user login name will be changed and nothing else. The user’s home directory will not be renamed. Check the next section if you also want to make those additional changes.

Change a user home directory and move all the user files

Sometimes we may need to change a user’s home directory. To accomplish the task we must run the usermod utility with the -d option, short for --home, and specify the path of the new directory. If we also want to move all the files existing in the current home directory we should also provide the -m option, which is short for --move-home. The new home directory is created only if the current one actually exists; the files ownership, modes, ACL and extended attributes will be adapted to the new setup, but additional manual changes could be necessary. To change the home directory of the newuser user, which currently is /home/newuser, to /home/newuser_new, and move all the files, we would therefore run:

$ sudo usermod -d /home/newuser_new -m newuser

Removing a user with the userdel utility

We saw some examples of how to create and modify a user account; now let’s see how we can use the userdel utility to delete one and all the related files. The syntax of the userdel utility is the same we saw before for useradd and usermod:

userdel [options] LOGIN

The utility has fewer options than useradd and usermod, for obvious reasons. The most common usage case is the removal of a user account together with all of the files contained in its home and spool directories, and those directories themselves. To accomplish such a task we would run userdel with the -r (--remove) option. Supposing we want to remove the “newuser” account, its home and spool directory, we would run:

$ sudo userdel -r newuser

If the user is currently logged in, we would receive an error, and the system will refuse to remove it. If we want to force the operation we must also use the -f (--force) option. Be warned! The use of this option is dangerous, since it could leave the system in an inconsistent state.

Conclusions

In this tutorial we saw how we can use the useradd, usermod and userdel system utilities to respectively create, modify and delete a user account. We saw some examples and use-cases. For a complete overview of all the options which can be used with these utilities, please consult their manuals.


