How to create, modify, and delete local user accounts in Linux

A number of command-line tools can be used to manage local user accounts.

Creating Users from the Command Line

  • The useradd username command creates a new user named username. It sets up the user’s home directory and account information, and creates a private group for the user named username. At this point the account does not have a valid password set, and the user cannot log in until a password is set.
  • The useradd –help command displays the basic options that can be used to override the defaults. In most cases, the same options can be used with the usermod command to modify an existing user.
  • Some defaults, such as the range of valid UID numbers and default password aging rules, are read from the /etc/login.defs file. Values in this file are only used when creating new users. A change to this file does not affect existing users.

Modifying Existing Users from the Command Line

The usermod –help command displays the basic options that can be used to modify an account. Some common options include:

-c, –comment COMMENT Add the user’s real name to the comment field.
-g, –gid GROUP Specify the primary group for the user account.
-G, –groups GROUPS Specify a comma-separated list of supplementary groups for the user account.
-a, –append Used with the -G option to add the supplementary groups to the user’s current set of group memberships instead of replacing the set of supplementary groups with a new set.
-d, –home HOME_DIR Specify a particular home directory for the user account.
-m, –move-home Move the user’s home directory to a new location. Must be used with the -d option.
-s, –shell SHELL Specify a particular login shell for the user account.
-L, –lock Lock the user account.
-U, –unlock Unlock the user account.

Deleting Users from the Command Line

- The userdel username command removes the details of username from /etc/passwd, but leaves the user’s home directory intact. - The userdel -r username command removes the details of username from /etc/passwd and also deletes the user’s home directory.

WARNING: When a user is removed with userdel without the -r option specified, the system will have files that are owned by an unassigned UID. This can also happen when a file, having a deleted user as its owner, exists outside that user’s home directory. This situation can lead to information leakage and other security issues.

In CentOS/RHEL 7 and 8, the useradd command assigns new users the first free UID greater than or equal to 1000, unless you explicitly specify one using the -u option. This is how information leakage can occur. If the first free UID had been previously assigned to a user account that has since been removed from the system, the old user’s UID will get reassigned to the new user, giving the new user ownership of the old user’s remaining files.

The following scenario demonstrates this situation.

[[email protected] ~]# useradd user01
[[email protected] ~]# ls -l /home
drwx------. 3 user01  user01    74 Feb  4 15:22 user01
[[email protected] ~]# userdel user01
[[email protected] ~]# ls -l /home
drwx------. 3    1000    1000   74 Feb  4 15:22 user01
[[email protected] ~]# useradd user02
[[email protected] ~]# ls -l /home
drwx------. 3 user02     user02       74 Feb  4 15:23 user02
drwx------. 3 user02     user02       74 Feb  4 15:22 user01

Notice that user02 now owns all files that user01 previously owned. Depending on the situation, one solution to this problem is to remove all unowned files from the system when the user that created them is deleted. Another solution is to manually assign the unowned files to a different user. The root user can use the find / -nouser -o -nogroup command to find all unowned files and directories.

Setting Passwords from the Command Line

- The passwd username command sets the initial password or changes the existing password of username. - The root user can set a password to any value. A message is displayed if the password does not meet the minimum recommended criteria, but is followed by a prompt to retype the new password and all tokens are updated successfully.

[[email protected] ~]# passwd user01
Changing password for user user01.
New password: new_passwd
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
Retype new password: new_passwd
passwd: all authentication tokens updated successfully.
[[email protected] ~]#

A regular user must choose a password at least eight characters long and is also not based on a dictionary word, the username, or the previous password.

UID Ranges

Specific UID numbers and ranges of numbers are used for specific purposes by Red Hat Enterprise Linux.

  • UID 0 is always assigned to the superuser account, root.
  • UID 1-200 is a range of “system users” assigned statically to system processes by Red Hat.
  • UID 201-999 is a range of “system users” used by system processes that do not own files on the file system. They are typically assigned dynamically from the available pool when the software that needs them is installed. Programs run as these “unprivileged” system users in order to limit their access to only the resources they need to function.
  • UID 1000+ is the range available for assignment to regular users.