User and Group Administration: useradd, passwd, /etc/passwd and shadow
What You Will Achieve
- Create, modify, and delete users with useradd/usermod/userdel
- Manage groups with groupadd/groupmod/groupdel/gpasswd
- Control passwords and aging with passwd/chage
- Read the fields of /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow
- Explain how /etc/skel and /etc/login.defs affect user creation
- Answer the exam-frequent usermod -aG question (the -G-only pitfall) with reasoning
This is the core of LPIC-1 objective 107.1 "Manage user and group accounts and related system files". Account management is the foundation of permissions and security.
How Do the User Commands Differ?
User operations come down to three commands: create (useradd), modify (usermod), and delete (userdel). Passwords are a separate track handled by passwd, and aging is handled by chage.
| Purpose | Command | Key options |
|---|---|---|
| Create | useradd | -m -d -s -g -G -u |
| Modify | usermod | -aG -L -U -l |
| Delete | userdel | -r |
| Password | passwd | -l -u -e |
| Aging | chage | -l -M -E |
Some distributions also ship the interactive adduser (a Perl script on Debian/Ubuntu), but LPIC-1 asks about the low-level useradd family. This article covers those.
Create, Modify, and Delete Users
By default useradd does not create a home directory. Without -m you easily end up with "can log in but has no home", so be careful.
Step 1: Create a user with useradd
```console
$ sudo useradd -m -s /bin/bash -c "Sato Taro" sato
$ getent passwd sato
sato:x:1001:1001:Sato Taro:/home/sato:/bin/bash
```
Key options (man useradd):
| Option | Meaning |
|---|---|
| -m | Create the home directory (copies /etc/skel) |
| -d DIR | Set the home directory path |
| -s SHELL | Set the login shell |
| -g GROUP | Set the primary group |
| -G G1,G2 | Set secondary (supplementary) groups |
| -u UID | Specify the UID explicitly |
| -c COMMENT | Set the comment (GECOS) field |
-g is the "primary group" and -G is "secondary groups". A user has exactly one primary group but can have multiple secondary groups.
Step 2: Set the password with passwd
```console
$ sudo passwd sato
New password:
Retype new password:
passwd: password updated successfully
```
A freshly created account often has no password and is locked. Only after you set it with passwd can the user log in normally.
Step 3: Modify a user with usermod
```console
$ sudo usermod -aG wheel,docker sato
$ id sato
uid=1001(sato) gid=1001(sato) groups=1001(sato),10(wheel),998(docker)
```
Key options (man usermod):
| Option | Meaning |
|---|---|
| -aG G1,G2 | Add to secondary groups (-a = append, keeps existing) |
| -G G1,G2 | Replace secondary groups (without -a it overwrites) |
| -L | Lock the password (prepend ! in /etc/shadow) |
| -U | Unlock the password |
| -l NEWNAME | Change the login name |
| -g GROUP | Change the primary group |
Running usermod -G group user without -a removes the user from any existing secondary groups not listed. To "add" to a secondary group, always use -aG. This is the single most common accident on both the exam and the job.
Step 4: Delete a user with userdel
```console
$ sudo userdel -r sato
```
(No output. -r also removes the home directory and mail spool.)
userdel alone leaves the home directory. Adding -r also removes the home directory and the mail spool. Deleting a user that still has running processes may fail.
How Do You Manage Groups?
Group operations use groupadd (create), groupmod (modify), and groupdel (delete); member management is handled by gpasswd. /etc/group and /etc/gshadow hold the data.
Step 1: Create a group with groupadd
```console
$ sudo groupadd -g 1500 developers
$ getent group developers
developers:x:1500:
```
-g GID sets the GID explicitly. If omitted, it is auto-assigned from the range in /etc/login.defs.
Step 2: Modify a group with groupmod
```console
$ sudo groupmod -n devs developers
$ sudo groupmod -g 1600 devs
$ getent group devs
devs:x:1600:
```
-n NEWNAME changes the group name and -g GID changes the GID.
Step 3: Manage members with gpasswd
```console
$ sudo gpasswd -a sato devs
Adding user sato to group devs
$ sudo gpasswd -d sato devs
Removing user sato from group devs
$ getent group devs
devs:x:1600:
```
gpasswd -a user group adds a member and -d user group removes one (man gpasswd). gpasswd -A user group designates a group administrator.
Step 4: Delete a group with groupdel
```console
$ sudo groupdel devs
```
(No output)
You cannot delete a group that is the primary group of some user. You must first change that user's primary group.
What Is the Difference Between /etc/passwd and /etc/shadow?
/etc/passwd holds the basic account information, while /etc/shadow holds the encrypted password and aging data. Separating the password out of passwd is the shadow password mechanism.
The 7 fields of /etc/passwd
```text
sato:x:1001:1001:Sato Taro:/home/sato:/bin/bash
```
Colon-separated, 7 fields (man 5 passwd):
| # | Field | Example | Meaning |
|---|---|---|---|
| 1 | Username | sato | Login name |
| 2 | Password | x | x means the real value is in /etc/shadow |
| 3 | UID | 1001 | User ID |
| 4 | GID | 1001 | Primary group ID |
| 5 | GECOS | Sato Taro | Comment (full name, etc.) |
| 6 | Home | /home/sato | Home directory |
| 7 | Shell | /bin/bash | Login shell |
An account whose 7th field is /sbin/nologin or /bin/false is service-only and cannot log in interactively.
The 9 fields of /etc/shadow
```text
sato:$6$xyz...:19500:0:99999:7:::
```
Colon-separated, 9 fields (man 5 shadow):
| # | Field | Meaning |
|---|---|---|
| 1 | Username | Corresponds to /etc/passwd |
| 2 | Encrypted password | Hash. A leading ! or * means locked/disabled |
| 3 | Last change | Days since 1970-01-01 |
| 4 | Minimum days | Cannot change again for this many days |
| 5 | Maximum days | Must change after this many days |
| 6 | Warning days | Days to warn before expiry |
| 7 | Inactive days | Days the account stays usable after expiry |
| 8 | Account expiry | Days since 1970-01-01 |
| 9 | Reserved | Unused |
/etc/shadow is readable only by root (permissions like 0640). Hiding it from regular users prevents offline cracking of the hashes.
/etc/group and /etc/gshadow
```text
developers:x:1500:sato,suzuki
```
/etc/group has 4 fields (man 5 group): group name, password (x), GID, and a comma-separated member list (users who belong as a secondary group). /etc/gshadow holds the group password plus administrators and members (man 5 gshadow).
The member list in /etc/group shows only users who have this group as a secondary group. Users whose primary group it is are not listed here (that is expressed by the GID in /etc/passwd).
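The checks a practitioner runs against these files, as an added example that is not part of the original article: constructed copies of /etc/passwd, /etc/shadow and /etc/group are parsed field by field with awk to find extra UID 0 accounts, empty password hashes and locked entries, and to resolve a user's full membership (primary group from the GID in passwd, secondary groups from the member list in group). The sample accounts and placeholder hashes are invented for the example; groups_of is also a convenient before/after check when you suspect a usermod -G without -a dropped groups.

```shell
# Constructed sample data standing in for /etc/passwd, /etc/shadow and /etc/group.
# Hashes are placeholders, not real values.
PASSWD='root:x:0:0:root:/root:/bin/bash
sato:x:1001:1001:Sato Taro:/home/sato:/bin/bash
suzuki:x:1002:1500:Suzuki Hanako:/home/suzuki:/bin/bash
backup:x:0:0:second UID 0 account:/root:/bin/bash
nginx:x:998:998:nginx user:/var/lib/nginx:/sbin/nologin'
SHADOW='root:$6$placeholder:19500:0:99999:7:::
sato:!$6$placeholder:19500:0:99999:7:::
suzuki::19500:0:99999:7:::
backup:$6$placeholder:19500:0:99999:7:::
nginx:*:19500:0:99999:7:::'
GROUP='root:x:0:
sato:x:1001:
wheel:x:10:sato
developers:x:1500:sato
docker:x:999:sato,suzuki'

# Field 3 of passwd is the UID: any account other than root with UID 0 is root by another name.
uid0_accounts() {
    printf '%s\n' "$PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Field 2 of shadow empty: the account can log in with no password at all.
empty_password_accounts() {
    printf '%s\n' "$SHADOW" | awk -F: '$2 == "" { print $1 }'
}

# Field 2 of shadow starting with ! or *: locked/disabled, a normal state, not corruption.
locked_accounts() {
    printf '%s\n' "$SHADOW" | awk -F: '$2 ~ /^[!*]/ { print $1 }'
}

# Field 7 of passwd is the shell: service accounts end in nologin or false.
interactive_accounts() {
    printf '%s\n' "$PASSWD" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Full membership of a user: the primary group is the GID in passwd field 4
# (not listed in /etc/group), secondary groups come from the member list in group field 4.
groups_of() {
    gid=$(printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP" | awk -F: -v u="$1" -v g="$gid" '
        $3 == g { out = out sep $1; sep = ","; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) { out = out sep $1; sep = "," } }
        END { print out }'
}

echo "UID 0 besides root: $(uid0_accounts); groups of suzuki: $(groups_of suzuki)"
```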
The Role of /etc/skel and /etc/login.defs
/etc/skel is the template for a new home directory, and /etc/login.defs defines the default values for useradd. Both shape what happens at user creation time.
When useradd -m creates a home, the files under /etc/skel (.bashrc, .profile, etc.) are copied into the new home. Put initial settings you want for every user here.
/etc/login.defs defines the auto-assignment ranges for UID/GID (UID_MIN / UID_MAX, etc.), the password aging defaults (PASS_MAX_DAYS / PASS_MIN_DAYS / PASS_WARN_AGE), and whether to create homes automatically (CREATE_HOME) (man 5 login.defs).
```console
$ grep -E '^(UID_MIN|UID_MAX|PASS_MAX_DAYS)' /etc/login.defs
UID_MIN 1000
UID_MAX 60000
PASS_MAX_DAYS 99999
```
How Do You Control Password Aging?
chage is the dedicated command for the aging fields in /etc/shadow. Learn it together with the lock options of passwd.
Check and set aging with chage
```console
$ sudo chage -l sato
Last password change                                    : May 30, 2026
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
```
Key options (man chage):
| Option | Meaning |
|---|---|
| -l | List the current aging settings |
| -M DAYS | Maximum password lifetime |
| -m DAYS | Minimum days between changes |
| -W DAYS | Warning days before expiry |
| -E DATE | Account expiry date (YYYY-MM-DD) |
| -d DATE | Last change date (-d 0 forces a change at next login) |
Lock and force a change with passwd
```console
$ sudo passwd -l sato
$ sudo passwd -u sato
$ sudo passwd -e sato
passwd: password expiry information changed.
```
passwd -l locks (prepends ! in /etc/shadow), -u unlocks, and -e expires immediately, forcing a password change at next login.
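How chage -l arrives at "never", "must change" or an expiry countdown from the raw shadow fields, as an added example that is not part of the original article: shadow_status takes one /etc/shadow line plus "today" in days since 1970-01-01 (the unit of fields 3 and 8) and reports the state. The sample lines, the placeholder hashes and the fixed "today" of day 19600 are constructed for the example.

```shell
# Added example: derive the state that chage -l reports from the raw /etc/shadow
# fields. Arguments: one shadow line, and "today" as days since 1970-01-01
# (the unit used by fields 3 and 8).
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        user = $1; hash = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
        # Field 8, account expiry, is independent of the password, so check it first.
        if (expire != "" && today >= expire + 0) { print user ": account expired"; next }
        # A leading ! or * is a locked/disabled password (passwd -l, usermod -L).
        if (hash ~ /^[!*]/) { print user ": locked"; next }
        if (hash == "") { print user ": NO PASSWORD"; next }
        # Last change 0 (chage -d 0 / passwd -e): the user must change at next login.
        if (last == 0) { print user ": must change at next login"; next }
        # The login.defs default of 99999 max days effectively means "never expires".
        if (max == "" || max + 0 >= 99999) { print user ": ok (never expires)"; next }
        left = max - (today - last)          # days until the password expires
        if (left < 0) {
            # Past max days: still usable for "inactive" days, then the account is disabled.
            if (inact != "" && -left > inact + 0) print user ": expired and inactive"
            else print user ": expired, must change"
        } else if (left <= warn + 0) print user ": expires in " left " days (warning)"
        else print user ": ok, " left " days left"
    }'
}

# Today in the same unit the shadow file uses (seconds since the epoch / 86400).
today_days() { echo $(( $(date +%s) / 86400 )); }

# Constructed sample lines; hashes are placeholders. "Today" is fixed at day 19600
# so the output is reproducible; use "$(today_days)" against a real file.
SAMPLE='sato:$6$placeholder:19500:0:90:7:::
suzuki:$6$placeholder:19510:0:99999:7:::
tanaka:!$6$placeholder:19500:0:99999:7:::
watanabe:$6$placeholder:0:0:99999:7:::
ito:$6$placeholder:19595:0:10:7:::
kato:$6$placeholder:19500:0:99999:7::19550:'
printf '%s\n' "$SAMPLE" | while IFS= read -r line; do shadow_status "$line" 19600; done
```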
Common Mistakes and Fixes
Using usermod -G without -a drops existing groups
usermod -G docker sato replaces the secondary groups with just docker, so the user is removed from wheel and others. To add, use usermod -aG docker sato.
Forgetting -m on useradd leaves no home
useradd sato alone creates no home directory, and the /etc/skel settings are not applied after login. Make useradd -m sato your default (or set CREATE_HOME yes in /etc/login.defs).
Mistaking the ! in a locked password for "broken"
A leading !, !!, or * in the /etc/shadow hash means locked/disabled and is a normal state. It is added by passwd -l or usermod -L. Remove it with passwd -u or usermod -U.
userdel alone leaves the home and fills the disk
userdel sato leaves the home directory. To remove it fully, use userdel -r sato. A leftover home stays owned by the old UID, and if the same UID is later reused, ownership gets confused.
A group change does not take effect
Adding a secondary group with usermod -aG does not apply to existing login sessions immediately. It takes effect at a new login (or with newgrp group). Use id user to check the membership in /etc/group.
Troubleshooting
Symptom: useradd says "user already exists"
Cause: A user with the same name already exists, or the UID collides
Check:
```console
$ getent passwd sato
$ getent passwd 1001
```
Fix: Inspect the existing account and delete it with userdel if unneeded. For a UID collision, pick a free UID with -u.
Symptom: The user is in the right group but lacks permission
Cause: They have not logged in again after the secondary group was added (the session has not picked it up)
Check:
```console
$ id sato
$ getent group docker
```
Fix: Log out and back in. For a one-off action you want immediately, switch groups with newgrp docker.
Symptom: groupdel says "cannot remove the primary group"
Cause: The group you are trying to delete is the primary group of some user
Check:
```console
$ getent passwd | awk -F: '$4=="1500"{print $1}'
```
Fix: Change that user's primary group with usermod -g other user, then run groupdel.
Completion Checklist
- [ ] Created a user with a home using useradd -m -s /bin/bash
- [ ] Set the password with passwd
- [ ] Added to a secondary group with usermod -aG (with -a)
- [ ] Read the fields of /etc/passwd and /etc/shadow
- [ ] Checked password aging with chage -l
- [ ] Deleted with the home using userdel -r
Summary
| Scenario | Command | Purpose |
|---|---|---|
| Create | useradd -m -s /bin/bash user | Create a user with a home |
| Password | passwd user | Set the password |
| Add secondary group | usermod -aG group user | Add while keeping existing |
| Lock | passwd -l / usermod -L | Disable the account |
| Aging | chage -M 90 user | Set password lifetime |
| Delete | userdel -r user | Delete with the home |
| Look up | getent passwd / id | Check account info |
User and group administration is the basis of permissions and security. Combine it next with file management and shell environment to connect your operational knowledge.