Unix - UNIX User and Group Administration

UNIX is a multi-user operating system, meaning that multiple users can access and use the system simultaneously. To maintain security, organization, and proper resource allocation, UNIX provides a robust user and group administration system. User and group administration involves creating, modifying, managing, and removing user accounts and groups while controlling access to files, directories, and system resources.

Understanding Users in UNIX

A user account represents an individual who can log in and interact with the UNIX system. Every user has a unique identity and specific permissions assigned by the system administrator.

Each user account contains important information such as:

  • Username

  • User ID (UID)

  • Group ID (GID)

  • Home directory

  • Login shell

  • Password information

When a user logs into the system, UNIX uses these details to determine what resources and commands the user can access.

Types of Users

Root User

The root user is the superuser of the UNIX system. This account has unrestricted access to all files, directories, and system settings.

Characteristics:

  • UID is usually 0

  • Can create and delete users

  • Can modify system files

  • Can install and remove software

  • Has complete administrative privileges

Because of its powerful permissions, access to the root account must be carefully controlled.

System Users

System users are created automatically during software or service installation.

Examples include:

  • Mail services

  • Web servers

  • Database servers

These users typically do not log in interactively and exist solely for running system services.

Regular Users

Regular users are accounts created for people who use the system.

These users:

  • Have limited permissions

  • Cannot modify system files

  • Work within their assigned directories

  • Can execute authorized commands

User Account Information

User account details are stored in the /etc/passwd file.

Example entry:

john:x:1001:1001:John Doe:/home/john:/bin/bash

Fields include:

  1. Username

  2. Password placeholder (an x means the password hash is kept in /etc/shadow)

  3. User ID (UID)

  4. Group ID (GID)

  5. User description (GECOS field)

  6. Home directory

  7. Login shell

User ID (UID)

The UID uniquely identifies each user.

Examples:

  • Root user: UID 0

  • System users: Usually low UID numbers

  • Regular users: Typically start from 1000 or higher

The operating system uses the UID internally to determine ownership and permissions.
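Because the kernel works only with the numeric UID, a passwd audit is one of the first checks an administrator runs. The following is an added example, not part of the original page: it parses constructed /etc/passwd-style lines and reports a second UID 0 account, UIDs shared by several names, and system accounts that still have an interactive shell. Pass the real file's contents as the argument to run it on a live system.

```shell
# Constructed sample of /etc/passwd-style lines (not a real system's file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
john:x:1001:1001:John Doe:/home/john:/bin/bash
alice:x:1002:1001:Alice:/home/alice:/bin/bash
toor:x:0:0:extra superuser:/root:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash'

# Accounts whose UID is 0 but whose name is not root: each one is a full
# superuser and must be explained or removed.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# UIDs used by more than one account: the kernel sees only the UID, so two
# names sharing one UID own and can access exactly the same files.
duplicate_uids() {
    printf '%s\n' "$1" |
        awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' |
        sort -n
}

# System accounts (UID 1-999) whose login shell is not nologin/false.
# An empty shell field counts too, because it defaults to /bin/sh.
system_accounts_with_shell() {
    printf '%s\n' "$1" |
        awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }'
}

extra_uid0_accounts "$SAMPLE_PASSWD"         # prints: toor
duplicate_uids "$SAMPLE_PASSWD"              # prints: 0 and 1002
system_accounts_with_shell "$SAMPLE_PASSWD"  # prints: backup:/bin/sh
```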

Password Management

Password information is usually stored in the /etc/shadow file.

The shadow file contains:

  • Hashed (one-way encrypted) passwords

  • Password aging information

  • Account expiration settings

Only root (and programs running with its privileges) can read this file, which keeps the password hashes out of reach of ordinary users.

Creating User Accounts

System administrators create new users using the useradd command.

Example:

useradd john

This command creates a user account with the system defaults; on many systems no home directory is created unless -m is given.

To assign a password:

passwd john

The system prompts for a new password and stores it securely.

Creating a User with Additional Details

useradd -m -s /bin/bash john

Options:

  • -m creates a home directory

  • -s specifies the login shell

Home Directories

Every user typically has a home directory.

Examples:

/home/john
/home/alice

The home directory stores:

  • Personal files

  • Configuration files

  • Documents

  • Scripts

Users generally have full control over their own home directories.

Modifying User Accounts

Administrators may need to change account settings.

The usermod command is used for this purpose.

Example:

usermod -s /bin/ksh john

This changes the user's default shell.

Changing the home directory (add -m as well to move the existing contents to the new location):

usermod -d /home/newjohn john

Adding a user to another group (the -a flag appends; without it, -G replaces the user's existing secondary groups):

usermod -aG developers john

Deleting User Accounts

Users can be removed using:

userdel john

To remove the user and their home directory:

userdel -r john

This command deletes:

  • User account

  • Home directory

  • User files

Administrators should verify and back up important data before deleting accounts. Files the user owns outside the home directory are not removed; they remain owned by the now-unassigned UID, and a future account given the same UID would inherit them.

Understanding Groups in UNIX

A group is a collection of users who share similar permissions and access rights.

Groups simplify permission management by allowing administrators to assign permissions to multiple users simultaneously.

Types of Groups

Primary Group

Every user belongs to one primary group.

Example:

john → developers

Files created by the user are usually associated with the primary group.

Secondary Groups

A user may belong to multiple secondary groups.

Example:

john → developers, testers, projectA

This allows the user to access resources belonging to several teams.

Group Information

Group details are stored in:

/etc/group

Example:

developers:x:1010:john,alice,bob

Fields:

  1. Group name

  2. Password placeholder

  3. Group ID

  4. Group members

Creating Groups

Use:

groupadd developers

This creates a new group named developers.

Modifying Groups

Rename a group:

groupmod -n engineering developers

This changes the group name.

Deleting Groups

Use:

groupdel developers

The group is removed from the system.

Managing Group Membership

Adding a user to a group:

usermod -aG developers john

Viewing a user's groups:

groups john

Output:

john : john developers testers

Removing a user from a group:

gpasswd -d john developers
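The groups output shown above is derived from two files: the primary group from the GID field of the user's passwd entry, the secondary groups from every /etc/group member list naming the user. The following added example (not from the original page) reproduces that resolution over constructed passwd- and group-style data, so the difference between the two kinds of membership is visible.

```shell
# Constructed excerpts in /etc/passwd and /etc/group format (not real files).
PASSWD_DATA='john:x:1001:1001:John Doe:/home/john:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash'

GROUP_DATA='john:x:1001:
alice:x:1002:
developers:x:1010:john,alice,bob
testers:x:1011:john
projectA:x:1012:alice'

# resolve_groups USER PASSWD_DATA GROUP_DATA  ->  "USER : primary sec1 sec2 ..."
resolve_groups() {
    user=$1 passwd_data=$2 group_data=$3
    # Primary group: GID field (4) of the passwd entry, resolved to a name.
    gid=$(printf '%s\n' "$passwd_data" | awk -F: -v u="$user" '$1 == u { print $4; exit }')
    if [ -z "$gid" ]; then
        echo "$user: no such user" >&2
        return 1
    fi
    primary=$(printf '%s\n' "$group_data" | awk -F: -v g="$gid" '$3 == g { print $1; exit }')
    # Secondary groups: any other group whose member list (field 4) names the user.
    secondary=$(printf '%s\n' "$group_data" | awk -F: -v u="$user" -v p="$primary" '
        $1 != p {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }')
    printf '%s : %s' "$user" "$primary"
    for g in $secondary; do printf ' %s' "$g"; done
    printf '\n'
}

resolve_groups john "$PASSWD_DATA" "$GROUP_DATA"   # john : john developers testers
resolve_groups alice "$PASSWD_DATA" "$GROUP_DATA"  # alice : alice developers projectA
```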

File Ownership and Permissions

UNIX security heavily relies on ownership and permissions.

Every file has:

  • Owner

  • Group

  • Permissions

Example (abbreviated ls -l output):

-rw-r--r-- 1 john developers report.txt

Components:

  • Owner: john

  • Group: developers

  • File: report.txt

Permissions determine who can read, write, or execute the file.
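The rule behind that decision is that exactly one class applies to a given user: owner if the user owns the file, otherwise group if the user is in the file's group, otherwise other, and only that class's bits are consulted. The following added example (not from the original page) implements the check for the mode string, owner and group that ls -l prints; it ignores root, which bypasses these bits, and ACLs, which add rules of their own.

```shell
# member_of GROUP "group1 group2 ..."  ->  success if GROUP is in the list
member_of() {
    for g in $2; do [ "$g" = "$1" ] && return 0; done
    return 1
}

# can_access MODE OWNER GROUP USER "USER_GROUPS" r|w|x
# MODE is the 10-character string from ls -l, e.g. -rw-r--r--
can_access() {
    mode=$1 owner=$2 grp=$3 user=$4 user_groups=$5 want=$6
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)     # owner class
    elif member_of "$grp" "$user_groups"; then
        bits=$(printf '%s' "$mode" | cut -c5-7)     # group class
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)    # other class
    fi
    case $want in r) pos=1 ;; w) pos=2 ;; x) pos=3 ;; *) return 2 ;; esac
    bit=$(printf '%s' "$bits" | cut -c"$pos")
    # s and t mean setuid/setgid/sticky with the execute bit set;
    # uppercase S/T would mean the special bit without execute.
    case $bit in [rwxst]) return 0 ;; *) return 1 ;; esac
}

# report.txt from the listing above: owner may write, group and others only read.
can_access '-rw-r--r--' john developers john  'john developers'  w && echo "john: write ok"
can_access '-rw-r--r--' john developers alice 'alice developers' w || echo "alice: write denied"
# The owner class is used even when it is more restrictive than the group class.
can_access '----rw----' john developers john  'john developers'  r || echo "john: read denied"
```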

Changing Ownership

Change file owner:

chown john report.txt

Change owner and group:

chown john:developers report.txt

Changing Group Ownership

chgrp developers report.txt

This assigns the file to the specified group.

Account Security Administration

User administration includes maintaining account security.

Important practices include:

Strong Password Policies

Administrators should enforce:

  • Minimum password length

  • Complexity requirements

  • Regular password updates

Password Aging

UNIX supports password expiration.

Example:

chage -M 90 john

This requires password changes every 90 days.

Account Locking

Temporarily disable an account (on Linux this locks only the password; other login methods such as SSH keys still work unless the account itself is also expired, for example with chage -E 0 john):

passwd -l john

Unlock:

passwd -u john
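Password aging and locks are both recorded in /etc/shadow, so they can be audited together. The following added example (not from the original page) checks constructed shadow-style lines for accounts whose maximum password age is unset or over a limit, accounts locked with passwd -l, and accounts with an empty password field; the hash values are placeholders and the "!" prefix convention is that of Linux shadow-utils.

```shell
# Constructed /etc/shadow-style lines (hashes are placeholders, not real).
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# "!" prefix = locked by passwd -l; "*" = password login not possible.
SHADOW_DATA='root:$6$PLACEHOLDERHASH:19700:0:99999:7:::
john:$6$PLACEHOLDERHASH:19700:0:90:7:::
alice:!$6$PLACEHOLDERHASH:19700:0:90:7:::
bob::19700:0:90:7:::
www-data:*:19700:0:99999:7:::
carol:$6$PLACEHOLDERHASH:19700:0::7:::'

# aging_violations DATA LIMIT: accounts that could log in with a password but
# whose maximum age (field 5) is unset or exceeds LIMIT days. Locked accounts
# are kept in the report because their settings apply again once unlocked.
aging_violations() {
    printf '%s\n' "$1" |
        awk -F: -v lim="$2" '$2 != "*" && ($5 == "" || $5 + 0 > lim) { print $1 }'
}

# locked_accounts DATA: hash prefixed with "!" (what passwd -l does).
locked_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 ~ /^!/ { print $1 }'
}

# empty_password_accounts DATA: an empty hash field lets anyone log in with
# no password at all; such accounts need a password set or a lock applied.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

aging_violations "$SHADOW_DATA" 90        # prints: root and carol
locked_accounts "$SHADOW_DATA"            # prints: alice
empty_password_accounts "$SHADOW_DATA"    # prints: bob
```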

Monitoring User Activity

Administrators can track user activity using commands such as:

who
w
last

These commands display login history and active sessions.

Best Practices for User and Group Administration

  1. Follow the principle of least privilege.

  2. Grant only necessary permissions.

  3. Use groups instead of assigning permissions individually.

  4. Regularly review inactive accounts.

  5. Remove unused users and groups.

  6. Enforce strong password policies.

  7. Monitor login activity frequently.

  8. Restrict root account access.

  9. Maintain backups of user configuration files.

  10. Document all administrative changes.

Conclusion

UNIX User and Group Administration is a fundamental aspect of system management that ensures security, resource control, and organized access to system resources. By effectively managing users, groups, permissions, and account policies, administrators can maintain a secure and efficient multi-user environment. Proper administration reduces security risks, simplifies permission management, and helps ensure that users have appropriate access to the resources they need while protecting critical system components from unauthorized modifications.