Users

Tasks

User management

Lock user
usermod -L $USER # --lock
passwd -l $USER  # --lock
Unlock user
usermod -U $USER # --unlock
passwd -u $USER  # --unlock

Groups

Display groups of effective user
id -Gn
getent group | grep $(whoami) -

Commands

chage

Expire password in 30 days
chage -E $(date -d +30days +%Y-%m-%d) $USER # --expiredate (date on which the account expires)

getent

Get entries from the passwd and group databases (resolved through NSS, so not only the local files)

getent passwd bob

getent group dba_admins

lastb

Display failed logins for user
lastb $USER

sudo

The /etc/sudoers file (or files placed under /etc/sudoers.d/) contains user specifications that define commands that users may execute.

$USER $HOST = ($RUNAS) $CMD
  • $USER: usernames, UIDs, group names when prefixed with % (e.g. %wheel), or GIDs when prefixed with %#
  • $HOST: hostnames, IP addresses, or a CIDR range (e.g. 192.0.2.0/24)
  • $RUNAS: optional clause that controls the user or group sudo will run the command as. If a username is specified, sudo will not accept a -g argument when running sudo.
  • $CMD: full path to an executable, or a comma-delimited list of commands.

Any of these elements can be replaced with the keyword ALL.

Ansible service account
ansible ALL=(ALL) NOPASSWD: ALL
Allow user to run only the mkdir command
user ALL=/bin/mkdir
Allow user to run all commands without authenticating
user ALL=(ALL) NOPASSWD: ALL

Change timeout to 10 minutes

Defaults timestamp_timeout=10

Change timeout to 10 minutes only for user linuxize

Defaults:linuxize timestamp_timeout=10
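
Added example, not part of the original page: a small audit that splits each user specification into the $USER $HOST = ($RUNAS) $CMD fields described above and flags entries that grant every command without authentication. The function names, the flag names and the "deploy" entry are hypothetical; it assumes one specification per line, at most one leading NOPASSWD: tag, no aliases and no backslash continuations.

```sh
#!/bin/sh
# Added example (not from the original page): audit sudoers-style text for
# user specifications of the form  USER HOST = (RUNAS) CMD.

# Constructed sample input; "deploy" is a hypothetical account.
sample_sudoers() {
cat <<'EOF'
# constructed sample, not a real system file
Defaults timestamp_timeout=10
Defaults:linuxize timestamp_timeout=10
ansible ALL=(ALL) NOPASSWD: ALL
user ALL=/bin/mkdir
%wheel ALL=(ALL) ALL
deploy 192.0.2.0/24 = (root) NOPASSWD: /bin/mkdir, /bin/ls
EOF
}

# Reads sudoers text on stdin and prints one line per user specification:
#   FLAG who=... host=... runas=... cmd=...
# FLAG is NOPASSWD_ALL, NOPASSWD, ALL_CMDS or OK.
audit_sudoers() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ { next }  # not user specs
    {
      eq = index($0, "=")
      if (eq == 0) next
      split(substr($0, 1, eq - 1), lhs, " ")     # USER and HOST
      rhs = substr($0, eq + 1)
      sub(/^[ \t]+/, "", rhs)
      runas = "root"                             # sudo default without a RUNAS clause
      if (match(rhs, /^\([^)]*\)/)) {
        runas = substr(rhs, 2, RLENGTH - 2)
        rhs = substr(rhs, RLENGTH + 1)
        sub(/^[ \t]+/, "", rhs)
      }
      nopass = sub(/^NOPASSWD:[ \t]*/, "", rhs)  # 1 if the tag was present
      all = 0
      n = split(rhs, cmds, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", cmds[i])
        if (cmds[i] == "ALL") all = 1
      }
      flag = nopass ? (all ? "NOPASSWD_ALL" : "NOPASSWD") : (all ? "ALL_CMDS" : "OK")
      printf "%s who=%s host=%s runas=%s cmd=%s\n", flag, lhs[1], lhs[2], runas, rhs
    }
  '
}

sample_sudoers | audit_sudoers
```

To check real configuration, pipe the files in as root, for example `cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers`, and review every NOPASSWD_ALL line.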

gpasswd

Administer /etc/group and /etc/gshadow

Add user to group
gpasswd -a $USER $GROUP
Add user as admin of group
gpasswd -A $USER $GROUP
Remove user from group
gpasswd -d $USER $GROUP

groupadd

groupdel

groupmod

useradd

Add user
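# A comment after a trailing "\" breaks the line continuation, so the options are described here:
#   -m create home directory      -d home directory path
#   -s login shell                -c comment field (full name)
#   -G supplementary groups, comma-separated without spaces
#   -u user ID    -e expiration date (YYYY-MM-DD)    -r system user
# Do not use $PATH or $UID as placeholders: the shell already defines both
useradd -m                     \
        -d "$HOME_DIR"         \
        -s /bin/bash           \
        -c "$FULLNAME"         \
        -G "$GROUP1,$GROUP2"   \
        -u "$NEW_UID"          \
        -e "$DATE"             \
        -r                     \
        "$USER"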

useradd's config is at /etc/default/useradd, but it also inherits settings from /etc/login.defs.

Example config
# useradd defaults file for ArchLinux
# original changes by TomK
GROUP=users
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no

These settings can be displayed with:

useradd -D

userdel

Delete an existing user account as well as the user's home directory
userdel -r $USER

usermod