Linux Administration Lesson 7 – Users and Groups Basics | Dataplexa
Section I — Linux Fundamentals

Users and Groups Basics

In this lesson

  • User account model
  • /etc/passwd and /etc/shadow
  • Groups and /etc/group
  • su and sudo
  • User identity commands

Users and groups are the foundation of Linux's access control model. Every process, file, and resource on the system is owned by a user and associated with a group. Linux tracks users by a numeric User ID (UID) and groups by a numeric Group ID (GID) — names are purely a human-friendly layer on top. Understanding this model is essential before managing any multi-user system.

The User Account Model

Linux maintains three categories of user accounts. Each plays a distinct role in system security and operations.

Root — UID 0

The superuser. Has unrestricted access to every file, process, and system resource. There is exactly one root account per system. Direct root login is disabled on most hardened servers.

System — UID 1–999

Created by the OS and installed packages for running services — nginx, www-data, mysql. These accounts have no interactive login shell and no home directory by default.

Regular — UID 1000+

Human user accounts created by administrators. Have a home directory under /home, a login shell, and limited privileges unless granted sudo access.

UID 0                root
UID 1 – 999          System / Service accounts (nginx, mysql, nobody…)
UID 1000 and above   Regular user accounts (alice=1000, bob=1001…)

Fig 1 — Linux UID ranges and their categories

Analogy: UIDs work like employee ID numbers. The name on the badge can change, but the ID number is what the system tracks for access decisions. Two users can never share the same UID on the same system.

/etc/passwd and /etc/shadow

User account data is stored in two files. /etc/passwd is world-readable and holds general account information. /etc/shadow stores hashed passwords and is readable only by root.

/etc/passwd — ONE LINE PER USER

alice : x : 1000 : 1000 : Alice Smith : /home/alice : /bin/bash

alice         username
x             password (x = shadow)
1000          UID
1000          GID
Alice Smith   GECOS / Comment
/home/alice   Home Directory
/bin/bash     Login Shell

The 'x' in the password field means the actual hash is stored in /etc/shadow (root-readable only)

Fig 2 — The seven colon-separated fields of an /etc/passwd entry

# View the passwd file — safe, world-readable
cat /etc/passwd

# View just your own entry
grep "^alice:" /etc/passwd

# View the shadow file — requires root
sudo cat /etc/shadow

# Show your current UID, GID and group memberships
id

# Show only the current username
whoami

# grep "^alice:" /etc/passwd
alice:x:1000:1000:Alice Smith:/home/alice:/bin/bash

# id
uid=1000(alice) gid=1000(alice) groups=1000(alice),27(sudo),1001(devs)

# sudo cat /etc/shadow (partial — hashes truncated)
alice:$6$rounds=656000$rA7k...:19800:0:99999:7:::

What just happened? The id command revealed that alice has UID 1000, primary GID 1000, and belongs to three groups — her own personal group, the sudo group (granting elevated privilege), and the devs group. The shadow entry shows the hashed password prefixed with $6$ indicating SHA-512 hashing.
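The fields and UID ranges described above can be checked mechanically, since nothing in the file format itself enforces them. The following audit is an added example, not part of the original lesson: it reads passwd-format lines and reports extra UID 0 accounts, shared UIDs, password fields other than x, service accounts with a login shell, and malformed entries. The sample data and the function name audit_passwd are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the properties described above.

# Constructed sample data in /etc/passwd format (not taken from a real host).
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
nginx:x:998:996:nginx web server:/var/cache/nginx:/sbin/nologin
mysql:x:997:995:MySQL Server:/var/lib/mysql:/bin/bash
alice:x:1000:1000:Alice Smith:/home/alice:/bin/bash
bob:x:1001:1001:Bob Jones:/home/bob:/bin/bash
svc:x:0:0:maintenance:/root:/bin/sh
carol:x:1001:1002:Carol White:/home/carol:/bin/bash
dave:x:1003:1003:/home/dave:/bin/bash
erin::1004:1004:Erin Gray:/home/erin:/bin/bash
EOF
}

# audit_passwd: read passwd-format lines on stdin, print one finding per line.
audit_passwd() {
  awk -F: '
    # Seven fields and a numeric UID, or the entry cannot be interpreted.
    NF != 7 || $3 !~ /^[0-9]+$/ {
      print "MALFORMED line " NR ": " NF " fields"; next
    }
    # Superuser rights follow the UID, not the account name.
    $3 == 0 && $1 != "root" { print "UID0 " $1 " has UID 0" }
    # Accounts sharing a UID are the same identity for access decisions.
    ($3 in owner) { print "DUPUID " $1 " shares UID " $3 " with " owner[$3] }
    !($3 in owner) { owner[$3] = $1 }
    # Anything other than x means the password is not deferred to /etc/shadow.
    $2 != "x" { print "PWFIELD " $1 " password field is \"" $2 "\", not x" }
    # Service accounts (UID 1-999) should not have an interactive shell.
    $3 >= 1 && $3 <= 999 && $7 !~ /(nologin|false)$/ {
      print "SHELL " $1 " (UID " $3 ") has login shell " $7
    }
  '
}

# On a real system: audit_passwd < /etc/passwd
sample_passwd | audit_passwd
```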

Groups and /etc/group

Every user has one primary group — stored in /etc/passwd as the GID field — and can belong to multiple supplementary groups. Group membership determines which shared files and directories a user can access. All group data is stored in /etc/group.

/etc/group — ONE LINE PER GROUP

devs : x : 1001 : alice,bob,carol

devs              group name
x                 password
1001              GID
alice,bob,carol   member usernames (comma-separated)

Fig 3 — The four colon-separated fields of an /etc/group entry

# View the group file
cat /etc/group

# Find which groups a user belongs to
groups alice

# Find the entry for a specific group
grep "^devs:" /etc/group

# Show all groups the current user belongs to (same as groups)
id -Gn

# groups alice
alice : alice sudo devs docker

# grep "^devs:" /etc/group
devs:x:1001:alice,bob,carol

What just happened? groups alice listed every group alice belongs to. The first name after the colon is her primary group. The others are supplementary groups that grant her additional file access rights — including the docker group, which allows her to run containers without sudo. Because the Docker daemon normally runs as root, membership in the docker group should be treated as root-equivalent access.
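Because a user's primary group is recorded in /etc/passwd rather than in the member list of /etc/group, a grep of /etc/group alone can under-report who is in a group. This added example (not from the original lesson) combines both files to list the full membership; the function name members_of, the user dave and the sample files are constructed.

```shell
#!/bin/sh
# Added example: full membership of a group = users listed in /etc/group
# plus users whose primary GID (field 4 of /etc/passwd) is that group.

# Constructed sample files (not taken from a real host).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/passwd" <<'EOF'
alice:x:1000:1000:Alice Smith:/home/alice:/bin/bash
bob:x:1001:1002:Bob Jones:/home/bob:/bin/bash
carol:x:1002:1003:Carol White:/home/carol:/bin/bash
dave:x:1003:1001:Dave Black:/home/dave:/bin/bash
EOF
cat > "$DEMO_DIR/group" <<'EOF'
sudo:x:27:alice
docker:x:998:alice
devs:x:1001:alice,bob,carol
EOF

# members_of GROUP [PASSWD_FILE] [GROUP_FILE]: print every member, one per line.
members_of() {
  awk -F: -v g="$1" '
    FNR == NR {                          # first file: the group database
      if ($1 == g) {
        gid = $3
        n = split($4, listed, ",")
        for (i = 1; i <= n; i++) if (listed[i] != "") print listed[i]
      }
      next
    }
    gid != "" && $4 == gid { print $1 }  # second file: primary-group members
  ' "${3:-/etc/group}" "${2:-/etc/passwd}" | sort -u
}

# The devs line in the group file lists alice, bob and carol only;
# dave is a member through his primary GID.
members_of devs "$DEMO_DIR/passwd" "$DEMO_DIR/group"
```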

su and sudo — Elevated Privileges

Running every command as root is dangerous. Linux provides two controlled mechanisms to elevate privileges only when needed — su and sudo.

su — Switch User

  • Switches your session to another user entirely
  • Requires the target user's password
  • su - gives a full login shell with the target's environment
  • Leaves an unbroken root session open — higher risk
  • All actions attributed to the switched-to user

sudo — Superuser Do

  • Runs a single command with elevated privileges
  • Requires your own password (not root's)
  • Controlled by /etc/sudoers — granular per-user rules
  • Every sudo command is logged to the auth log
  • Preferred on modern Linux systems — audit trail preserved

# ── su examples ──────────────────────────────────────────
# Switch to root (requires root password)
su -

# Switch to another user
su - bob

# Run a single command as root then return
su -c "cat /etc/shadow" root

# ── sudo examples ─────────────────────────────────────────
# Run a single command as root
sudo apt update

# Open an interactive root shell (use sparingly)
sudo -i

# Run a command as a different user
sudo -u www-data ls /var/www/html

# Check which sudo commands you are allowed to run
sudo -l

# sudo -l
Matching Defaults entries for alice on webserver:
    env_reset, mail_badpass

User alice may run the following commands on webserver:
    (ALL : ALL) ALL

What just happened? sudo -l queried the sudoers configuration for alice. The line (ALL : ALL) ALL means she can run any command as any user on this host — she has full sudo access. On hardened systems, this entry would instead list only specific allowed commands.
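Since every sudo command is logged to the auth log, that log can be filtered for the events worth reviewing. This added example, not part of the original lesson, extracts denied attempts, failed authentication and interactive root shells. It assumes the traditional syslog line format written by sudo (for example in /var/log/auth.log on Debian-family systems); the log lines and the function name audit_sudo_log are constructed.

```shell
#!/bin/sh
# Added example: pull the security-relevant events out of sudo log lines.

# Constructed sample lines in the syslog format sudo writes
# (hostname, users, address and commands are invented for illustration).
sample_auth_log() {
  cat <<'EOF'
Mar  3 10:15:01 webserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:16:40 webserver sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  3 10:17:12 webserver sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:18:30 webserver sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt install htop
Mar  3 10:19:02 webserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:19:02 webserver sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar  3 10:21:47 webserver sshd[2210]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
EOF
}

# audit_sudo_log: read log lines on stdin, print one finding per line.
audit_sudo_log() {
  awk '
    / sudo: / && /COMMAND=/ {
      rec = $0
      sub(/^.* sudo: +/, "", rec)               # drop timestamp, host, tag
      user = rec; sub(/ : .*/, "", user)        # invoking user
      cmd = substr(rec, index(rec, "COMMAND=") + 8)
      runas = substr(rec, index(rec, "USER=") + 5); sub(/ ;.*/, "", runas)

      if (rec ~ /NOT in sudoers/) {
        print "DENIED " user " as " runas ": " cmd
      } else if (rec ~ /incorrect password attempt/) {
        print "AUTHFAIL " user " as " runas ": " cmd
      } else if (runas == "root" && cmd ~ /\/(ba|da|z|k)?sh$/) {
        # An interactive shell as root: later actions are not logged per command.
        print "ROOTSHELL " user ": " cmd
      }
    }
  '
}

sample_auth_log | audit_sudo_log
```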

The /etc/sudoers File

The /etc/sudoers file defines precisely who can run what as whom. It must always be edited with visudo — which validates syntax before saving, preventing a broken sudoers file from locking all administrators out of the system.

# Always edit sudoers with visudo — never directly with a text editor
sudo visudo

# /etc/sudoers — example entries

# Full sudo access for a user
alice   ALL=(ALL:ALL) ALL

# Full sudo access for all members of the sudo group
%sudo   ALL=(ALL:ALL) ALL

# Allow bob to restart nginx only, with no password prompt
bob     ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx

# Allow the devs group to run apt commands only
%devs   ALL=(ALL) /usr/bin/apt, /usr/bin/apt-get

# Drop-in files are preferred on modern systems — place in:
# /etc/sudoers.d/username

Sudoers Rule Syntax

Field        Meaning
alice        The user this rule applies to. Prefix with % for a group.
ALL (host)   Which hostnames this rule applies on. ALL means every host.
(ALL:ALL)    Which user and group the command can be run as. ALL means any.
NOPASSWD:    Skip the password prompt for this rule — used for automation scripts.
ALL (cmd)    Which commands are permitted. Replace with full binary paths to restrict.
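In a sudoers rule, a command listed without arguments may be run with any arguments, while a command listed with arguments must match them exactly. This added example, not part of the original lesson, applies that to the four example rules above and flags unrestricted, any-argument and passwordless grants. It handles only the simple one-line rule form shown in this lesson, and the function name audit_sudoers is an assumption.

```shell
#!/bin/sh
# Added example: flag broad grants in simple sudoers rules of the form
#   who host=(runas) [NOPASSWD:] command[, command...]
# Aliases, Defaults and line continuations are out of scope (assumption).

# The four example rules from this lesson.
sample_sudoers() {
  cat <<'EOF'
# /etc/sudoers example entries
alice   ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx
%devs   ALL=(ALL) /usr/bin/apt, /usr/bin/apt-get
EOF
}

# audit_sudoers: read rules on stdin, print "who: command [flags]" per finding.
audit_sudoers() {
  awk '
    /^[ \t]*(#|$)/ || /^Defaults/ { next }     # comments, blanks, Defaults
    {
      who = $1
      spec = $0
      sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", spec)  # strip who host=(runas)
      nopass = sub(/^NOPASSWD:[ \t]*/, "", spec)         # 1 if the tag was present
      sub(/[ \t]+$/, "", spec)
      n = split(spec, cmd, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        flags = ""
        if (cmd[i] == "ALL") flags = flags " all-commands"
        else if (cmd[i] !~ /[ \t]/) flags = flags " any-args"  # no arguments pinned
        if (nopass) flags = flags " nopasswd"
        if (flags != "") print who ": " cmd[i] " [" substr(flags, 2) "]"
      }
    }
  '
}

sample_sudoers | audit_sudoers
```

To check the syntax of a drop-in file without installing it, visudo accepts -c (check only) together with -f to name the file.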

User Identity Commands

A set of quick commands lets administrators inspect identity and session information on any Linux system without opening configuration files.

id
Full identity

Displays the UID, primary GID, and all supplementary group memberships for the current user or any specified user. The single most useful identity command.

whoami
Current username

Prints only the username of the current effective user. Useful in scripts to check whether the script is running as root before proceeding with privileged operations.

w
Logged-in users and activity

Shows who is currently logged in, which terminal they are on, their login time, idle time, and the last command they ran. Useful for checking active sessions on shared servers.

last
Login history

Reads /var/log/wtmp and displays a chronological list of all logins and logouts. Use last alice to filter by user or lastb to see failed login attempts.

finger
Detailed user information

Shows the GECOS field, home directory, shell, and current login status for a user. Not installed by default on all distros — use getent passwd username as an alternative.

# Full identity of the current user
id

# Full identity of a specific user
id bob

# See who is currently logged in and what they are doing
w

# Show login history for all users
last

# Show login history for a specific user
last alice

# Show failed login attempts (requires root)
sudo lastb | head -20

# Look up user info from the passwd database
getent passwd alice

Never Edit /etc/passwd or /etc/shadow Directly

Both files have strict formatting requirements. A single corrupt line — a missing colon, an incorrect UID — can prevent all users from logging in, including root. Always use the dedicated tools: useradd, usermod, userdel, and passwd to manage user accounts safely. These commands are covered in depth in Lesson 11.

Lesson Checklist

I can explain the three user account categories and their UID ranges
I can read and interpret all seven fields of an /etc/passwd entry
I understand the difference between primary and supplementary groups
I can distinguish between su and sudo and know when to use each
I can use id, groups, w, and last to inspect user identity and session information

Teacher's Note

The id command is one of the first things an experienced administrator runs on an unfamiliar system — it immediately reveals privilege level, group memberships, and any special access grants. Make it a habit.

Practice Questions

1. Reading the following /etc/passwd line, identify and explain each of the seven fields: nginx:x:998:996:nginx web server:/var/cache/nginx:/sbin/nologin

2. A junior administrator needs to restart the Apache service on a production server but must not have unrestricted root access. Write the exact sudoers rule that grants only this specific permission, and explain each field in your rule.

3. Describe the security difference between using su - to become root and using sudo for individual commands. Include at least two reasons why sudo is preferred in production environments.

Lesson Quiz

1. A user account entry in /etc/passwd has /sbin/nologin as its login shell. This means which of the following?

2. The sudoers file must always be edited with visudo rather than a standard text editor because of which reason?

3. The id command output shows groups=1000(alice),27(sudo). This means which of the following?
