An In-Depth Guide to User Management in Linux

Delve into the main concepts of creating, removing, and modifying users, as well as managing passwords and access to Linux systems.

User management is a fundamental aspect of Linux system administration, playing a crucial role in maintaining security and operational efficiency. Effective management of users and groups allow system administrators to enforce access control policies, monitor user activities, and mitigate security risks. In multi-user environments, ensuring that permissions are appropriately assigned and managed is key to prevent unauthorized access to sensitive data and system resources.

From a cybersecurity perspective, adequate user management helps mitigate various threats, including privilege escalation, insider threats, and unauthorized data access. Implementing best practices such as password policies, user auditing, and role-based access control (RBAC), is a must fortify Linux systems against security breaches. Additionally, the principle of least privilege (PoLP) should always be followed, ensuring that users only have the minimum necessary permissions required to perform their tasks. Improper privilege assignments can result in security vulnerabilities that could be easily exploited by attackers.

In this article, we will do an in-depth exploration of Linux user management, including essential commands, best practices, and their implications for cybersecurity.

User Management

Linux employs a structured approach to user management, utilizing user accounts and groups to streamline administrative tasks. A user account consists of a unique username, user ID (UID), group ID (GID), home directory, and assigned shell.

Creating and Removing Users

useradd

The useradd command is used to create new user accounts. In a business setting, whenever a new employee joins, their Linux account needs to be created for access to internal systems. Using useradd, administrators can create an account with customized settings, such as a specific home directory or assigned shell. This ensures that each user has a personalized working environment tailored to their role. Automating user creation with scripts using useradd can streamline onboarding processes, especially in large organizations.

sudo useradd <username>

passwd

After a new user account is created, the natural next step is to set a password for it. The passwd command is used to set or change user passwords. Ensuring that users have strong, regularly updated passwords is a fundamental security practice. If a user forgets their password, an administrator can use passwd to reset it. Additionally, forcing password changes periodically helps protect against credential leaks. This command is particularly useful when implementing security policies requiring employees to update their passwords every few months.

sudo passwd <username>

Here is an example:

sudo passwd luiz

You will be prompted to enter the new password twice.

New password:
Retype new password:

And upon success, the following message will appear.

passwd: password updated successfully

You can also use passwd to update the password of the user you are currently logged in as. Simply run the command without any arguments:

passwd

You will be prompted to enter the old password and the new password twice.

Old password:
New password:
Retype new password:

---

Pro Tip: When inputting passwords in Linux systems, the terminal will not update with each keystroke, as one might expect. This is a security feature to avoid exposing passwords in plaintext on the screen.

---

Another great use-case for the passwd command is to force a user to update his or her password on the next login. For example:

sudo passwd --expire jsmith

When trying to log in the next time, the user will be prompted with the following dialog:

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for <user>.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

userdel

The userdel command is used to remove users from the system. This is essential when deactivating accounts for employees who have left the company or revoking access for security reasons. Removing inactive accounts helps prevent unauthorized access and ensures better resource allocation. To completely remove a user along with their home directory, the -r flag can be used.

sudo userdel -r <username>

---

Pro Tip: The /etc directory contains a file named passwd, which contains all system user accounts. Viewing this file can help administrators check existing accounts and verify user configurations. If a specific user’s details are needed, grep can be used to filter the output.

---

Checking User Activity

who

The who command is useful for determining which users are currently logged into a system. This command helps administrators track active sessions and identify unauthorized access attempts. In a shared system environment, knowing which users are logged in can be essential for troubleshooting and managing resources efficiently. For example, if a system administrator needs to perform maintenance, they can check active users before notifying them of potential downtime. Additionally, monitoring logins can help detect potential security breaches, such as unauthorized access attempts.

who

w

The w command provides a more detailed view of currently logged-in users, including their session start time, idle time, and the commands they are running. This can be useful when diagnosing system performance issues or identifying users who are running resource-intensive tasks. For instance, if a server is experiencing slow performance, running w can help pinpoint which user process is consuming excessive resources. System administrators can then take action, such as terminating a problematic process or notifying the user. Additionally, this command helps ensure compliance with company policies by allowing administrators to monitor user activities.

w

last

The last command retrieves login history, displaying a list of previous login attempts. This is particularly useful for security auditing and investigating suspicious activities. For example, if there is an unexpected change in system files or unauthorized access to critical directories, last can reveal whether an unknown user recently logged in. It also helps administrators track employee work hours in a corporate environment by providing timestamps for each login session. Keeping an eye on login trends can also help in detecting automated attacks or brute-force login attempts.

last

faillog

The faillog command displays records of failed login attempts, helping administrators detect potential security threats. If multiple failed login attempts are recorded, it could indicate a brute-force attack where an attacker is trying to guess user credentials. By analyzing the output of faillog, security teams can determine whether an account needs to be locked or further investigated. For example, if an employee's account shows repeated login failures from an unusual IP address, it might have been compromised. Enforcing account lockout policies based on faillog results can significantly reduce the risk of unauthorized access.

faillog -a

User Access Management

Access management is a fundamental security mechanism that spans beyond just Linux systems. The concept aligns with the AAA (Authentication, Authorization, and Accountability) triad of Cybersecurity, and the goal is to control system access and enforce security policies.

• Authentication verifies user identities through credentials such as passwords, SSH keys, or multi-factor authentication, ensuring only legitimate users can log in.

• Authorization determines what authenticated users can access and modify, using user accounts, groups, and file permissions to enforce the principle of least privilege (PoLP).

• Accountability tracks and logs user activities, helping administrators monitor access patterns, detect anomalies, and audit compliance with security policies.

Being a security-oriented system, Linux-based OSs ensures that users operate within well-defined boundaries, reducing the risk of unauthorized access or privilege abuse. Regularly reviewing user accounts, disabling inactive users, and enforcing strong password policies that further strengthen security is the “bread and butter” of every sysadmin.

In this context, Linux systems provide strong tools that allow for well-structured access management strategies that not only safeguard critical resources, but also maintain system integrity and compliance with security best practices.

usermod

The usermod command in Linux is used to modify existing user accounts, allowing administrators to update user properties such as home directories, login names, group memberships, and account expiration settings. Proper use of usermod ensures efficient user management, enabling administrators to maintain access control and enforce security policies within the system.

The example below illustrates how to rename an existing user:

sudo usermod -l <new name> <current name>

For example, to rename a user named john to jsmith:

sudo usermod -l jsmith john

As usual, an array of useful options are available. For instance, flag -L can be used to lock a user out of the system.

sudo usermod -L <user>

To unlock a previously locked out user, use flag -U instead.

sudo usermod -U <user>

Another key feature is in setting an expiration date for a user account. This command is particularly helpful when creating users that are supposed to have only temporary access to the system.

sudo usermod <user> -e <date YYYY-MM-DD>

As an example:

sudo usermod luiz -e 2023-12-25

Alternatively, a similar command, chage, can be used to achieve a similar result:

sudo chage -E 2024-12-25 luiz

The chage command can also be used to verify the account changes successfully applied.

sudo chage -l <user>

Below an output example. In this case, the user password was never changed and has no expiration date defined.

Last password change                                    : Sep 18, 2024
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

The Difference Between usermod -e and chage -E

At this point, the attentive reader may be wondering if there is actually a difference between the two commands. As it turns out, that is a very important question.

While both commands deal with expiration dates, usermod -e sets an expiration date for the account, ultimately revoking the user’s ability to log in. In contrast, chage -E sets the password expiration date, forcing a password reset upon next login.

In other words, chage is specifically designed for managing password aging, and usermod is a more general command for modifying user account attributes.

In Conclusion

Effective user management is a cornerstone of Linux system administration and cybersecurity. By properly configuring user accounts and permissions, system administrators can enforce security policies and protect system integrity. Monitoring user activity and enforcing password policies are essential steps in mitigating potential threats. Utilizing auditing tools is key to further strengthening system security. Additionally, enforcing best practices like account expiration policies and password aging ensures continuous security maintenance.

Mastering user management in Linux not only enhances security, but also improves overall system management efficiency. As cyber threats continue to evolve, maintaining a robust access control strategy is crucial for safeguarding sensitive data and preventing unauthorized access. System administrators should continuously refine their user management strategies to align with best practices and emerging security trends. Understanding the nuances of user permissions and leveraging automation tools to streamline management tasks can further improve security and efficiency in Linux environments, and is a key component in the life of a sysadmin.