
Introduction:
Linux user and group management is the bedrock of system security, yet it is often overlooked in favor of flashier defenses like firewalls and intrusion detection. Controlling who can access what, enforcing password policies, and auditing user activity are the first and most critical steps in preventing privilege escalation and unauthorized access.
Learning Objectives:
- Understand the structure and security implications of `/etc/passwd`, `/etc/shadow`, and `/etc/group`.
- Execute core Linux user/group management commands and configure password aging policies.
- Implement granular access controls using ACLs, monitor user sessions, and audit activity for compliance.
You Should Know:
1. The Critical Trio: `/etc/passwd`, `/etc/shadow`, and `/etc/group`
These three files store all user account and group information. `/etc/passwd` contains usernames, UIDs, home directories, and shells – but no passwords (the `x` indicates the hash is in /etc/shadow). `/etc/shadow` holds the password hashes and aging policies, readable only by root. `/etc/group` and `/etc/gshadow` manage group memberships and administrative passwords.
Step‑by‑step: Inspecting and securing these files
```bash
# View user accounts (safe, no passwords)
cat /etc/passwd | head -5
# Check password hashes and last change (requires root)
sudo cat /etc/shadow | grep username
# Verify group memberships
cat /etc/group | grep sudo
# Ensure shadow file permissions are correct (should be 640 or 600)
ls -l /etc/shadow
sudo chmod 640 /etc/shadow   # fix if needed
```
Windows equivalent: `net user` and `net localgroup` from Command Prompt, or `Get-LocalUser` in PowerShell.
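The checks above are the ones worth scripting. The following bash script is an added example, not code from the original post: it runs the classic `/etc/passwd` and `/etc/shadow` audits (a second UID 0 account, an empty password field, an interactive account whose hash is usable, a world-readable shadow file) against constructed copies of both files. The account names and hashes are made up; pass the real `/etc/passwd` and `/etc/shadow` as root to run it live.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit constructed copies of
# /etc/passwd and /etc/shadow for the misconfigurations this section warns about.

# Constructed sample data; the accounts and hashes are illustrative only.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:1000:1000:John Doe:/home/jdoe:/bin/bash
backup2:x:0:0:backup helper:/tmp:/bin/sh
svc:x:1001:1001:service:/var/svc:/usr/sbin/nologin'

SHADOW_SAMPLE='root:$6$FAKEHASHroot:20000:0:99999:7:::
daemon:*:19000:0:99999:7:::
jdoe::20000:1:90:7:::
backup2:$6$FAKEHASHbackup:20000:0:99999:7:::
svc:!:19000:0:99999:7:::'

# uid0_aliases PASSWD -> every account with UID 0 that is not literally "root"
uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_passwords SHADOW -> accounts whose password field is empty (login without a password)
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# interactive_unlocked PASSWD SHADOW -> accounts with a login shell and a usable hash.
# "!", "*", "!!" or a leading "!" (passwd -l) mean the hash cannot be used; a real
# hash starts with "$".
interactive_unlocked() {
    awk -F: 'NR == FNR { if ($2 ~ /^\$/) usable[$1] = 1; next }
             $7 !~ /(nologin|false)$/ && ($1 in usable) { print $1 }' "$2" "$1"
}

# shadow_world_readable SHADOW -> "yes" or "no". Owner and group mode differ by
# distribution (root:shadow 640 on Debian, 000 on RHEL), so only the "other" bits count.
shadow_world_readable() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *0) echo no ;;
        *)  echo yes ;;
    esac
}

# Write the constructed samples to temp files so the functions take paths,
# exactly as they would for the real files.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' "$PASSWD_SAMPLE" > "$tmp/passwd"
printf '%s\n' "$SHADOW_SAMPLE" > "$tmp/shadow"
chmod 640 "$tmp/shadow"

echo "UID 0 aliases:";        uid0_aliases "$tmp/passwd"
echo "Empty passwords:";      empty_passwords "$tmp/shadow"
echo "Interactive+unlocked:"; interactive_unlocked "$tmp/passwd" "$tmp/shadow"
echo "Shadow world-readable: $(shadow_world_readable "$tmp/shadow")"
```

On the sample data the script flags `backup2` (a second root), `jdoe` (empty password field) and lists `root` and `backup2` as the only interactive accounts that can actually authenticate with a password; `daemon`, `svc` and `jdoe` cannot.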
2. Core User Commands: `useradd`, `usermod`, `userdel`
These commands create, modify, and delete users. Always use `-m` to create a home directory, and `-s` to set a shell. Deleting a user with `-r` removes their home directory and mail spool.
Step‑by‑step: Creating and managing users
```bash
# Create a new user with home directory and bash shell
sudo useradd -m -s /bin/bash jdoe
# Set initial password
sudo passwd jdoe
# Modify user: add to supplementary groups (-aG appends, avoids overwriting)
sudo usermod -aG docker,admin jdoe
# Change home directory (add -m to move the existing contents as well)
sudo usermod -d /custom/home jdoe
# Delete user and their home directory
sudo userdel -r jdoe
```
Windows equivalent: `net user jdoe password /add`, then `net localgroup`.
3. Group Management: `groupadd`, `groupmod`, `groupdel`
Groups enable role‑based access control. Add users to groups to grant permissions to files, devices, or sudo rights.
Step‑by‑step: Creating groups and assigning members
```bash
# Create a new group
sudo groupadd devops
# Add an existing user to the group as a supplementary group
sudo usermod -aG devops alice
# Change a user's primary group
sudo usermod -g devops bob
# Rename the group (use -g to change the GID instead)
sudo groupmod -n engineering devops
# Delete group (does not delete users)
sudo groupdel engineering
```
Check group membership:
```bash
groups alice
id alice
```
4. Enforcing Password Policies with `passwd` & `chage`
Weak password policies are a top attack vector. Use `chage` to set expiration, inactivity, and minimum password age.
Step‑by‑step: Hardening password security
```bash
# Force user to change password on next login
sudo passwd -e jdoe
# Set maximum password age to 90 days, warn 7 days before
sudo chage -M 90 -W 7 jdoe
# Set minimum days between changes (prevents immediate re-use)
sudo chage -m 1 jdoe
# Set account expiration date (e.g., 2026-12-31)
sudo chage -E 2026-12-31 jdoe
# View password aging info
sudo chage -l jdoe
```
Linux hardening tip: Edit `/etc/login.defs` to set global defaults (`PASS_MAX_DAYS 90`, `PASS_MIN_DAYS 1`). These defaults apply to accounts created afterwards; existing accounts still need `chage`.
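Everything `chage` sets lands in fields 3 to 8 of the user's `/etc/shadow` line, as day counts since 1970-01-01, and `chage -l` is simply a pretty-printer for them. The bash script below is an added example, not from the original post, that evaluates those fields the way the login process does (forced change, maximum age, warning window, inactivity, account expiry) against a constructed shadow file with a fixed "today" so the output is stable. Hashes and users are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): interpret the aging fields that
# chage writes into /etc/shadow. Field layout:
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
# All day values are days since 1970-01-01, the unit chage -l converts to dates.

SHADOW_SAMPLE='jdoe:$6$FAKE:20000:1:90:7:::
alice:$6$FAKE:0:0:90:7:::
bob:$6$FAKE:19900:0:90:7:5::
carol:$6$FAKE:20000:0:90:7::20000:
dave:$6$FAKE:19000:0:99999:7:::'

# Today as days since the epoch, the unit /etc/shadow uses.
today_days() { echo $(( $(date +%s) / 86400 )); }

# Convert a shadow day count back to a calendar date (GNU date).
days_to_date() { date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d; }

# password_status SHADOW USER TODAY -> one line describing the account state
password_status() {
    awk -F: -v user="$2" -v today="$3" '
        $1 != user { next }
        {
            lastchg = $3; max = $5; warn = $6; inactive = $7; expire = $8
            # chage -E: the whole account is unusable after this day
            if (expire != "" && today > expire) { print "account expired"; exit }
            # passwd -e sets lastchange to 0: forced change at next login
            if (lastchg == 0) { print "must change password at next login"; exit }
            if (max == "" || max >= 99999) { print "ok (no maximum age)"; exit }
            due = lastchg + max
            if (today > due) {
                # chage -I: once the inactivity period has passed the login is refused
                if (inactive != "" && today > due + inactive)
                    print "password expired, account inactive"
                else
                    print "password expired"
                exit
            }
            left = due - today
            # chage -W: warning window before the password expires
            if (warn != "" && left <= warn) print "warning: expires in " left " days"
            else print "ok, expires in " left " days"
            exit
        }' "$1"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' "$SHADOW_SAMPLE" > "$tmp/shadow"

# Fixed "today" (day 20085 = 2024-12-28) so the sample output is reproducible;
# use "$(today_days)" for a live check.
for u in jdoe alice bob carol dave; do
    printf '%-6s %s\n' "$u" "$(password_status "$tmp/shadow" "$u" 20085)"
done
```

With the sample data, `jdoe` is inside the 7-day warning window, `alice` is forced to change at next login, `bob` has passed both the 90-day maximum and the 5-day inactivity grace period, `carol`'s account expiry date has passed, and `dave` has the 99999-day default that effectively means no expiry.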
5. Privileged Access: `sudo` and `su`
`su` switches users (root if no argument), while `sudo` grants specific commands without sharing the root password. Misconfigured sudoers files are a classic privilege escalation path.
Step‑by‑step: Configuring sudo safely
```bash
# Edit sudoers safely (never edit /etc/sudoers directly)
sudo visudo
```

Entries to add inside `visudo`:

```text
# Give a group full sudo rights
%admin ALL=(ALL) ALL
# Give a user passwordless sudo for specific commands
jdoe ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/apt update
# Allow a user to run commands as another user (not root)
alice ALL=(bob) /bin/ls
```

Switching users with `su`:

```bash
# Switch to root (requires root password)
su -
# Switch to another user (requires that user's password)
su - alice
```
Audit sudo usage: `sudo journalctl _COMM=sudo` or check `/var/log/auth.log`.
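Auditing a sudoers file means answering "who can run what as root" with group memberships resolved, not just reading the file. The bash script below is an added example, not from the original post: it expands `%group` rules through a constructed `/etc/group`, lists rules that grant unrestricted `ALL`, and lists `NOPASSWD` rules. It reads only the single file it is given; `#include` and `/etc/sudoers.d` drop-ins would need to be concatenated first, and `visudo -c` remains the syntax check.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): answer "who has sudo, and for
# what?" from a constructed sudoers file and /etc/group.

SUDOERS_SAMPLE='# constructed sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
jdoe    ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/apt update
alice   ALL=(bob) /bin/ls'

GROUP_SAMPLE='root:x:0:
admin:x:4:alice,jdoe
sudo:x:27:carol
devops:x:1002:bob'

# sudo_principals SUDOERS GROUPFILE -> "user (how) rule", with %group entries
# expanded to the members listed in the group file.
sudo_principals() {
    awk -F'[ \t]+' -v gf="$2" '
        BEGIN { while ((getline line < gf) > 0) { split(line, g, ":"); members[g[1]] = g[4] } }
        /^[ \t]*(#|$)/ || /^Defaults/ { next }
        {
            spec = $0; sub(/^[^ \t]+[ \t]+/, "", spec)   # everything after the principal
            if ($1 ~ /^%/) {
                grp = substr($1, 2)
                n = split(members[grp], u, ",")
                for (i = 1; i <= n; i++) if (u[i] != "") print u[i], "(via %" grp ")", spec
            } else {
                print $1, "(direct)", spec
            }
        }' "$1"
}

# full_root_rules SUDOERS -> principals whose command list is simply ALL (unrestricted root)
full_root_rules() {
    grep -Ev '^[[:space:]]*(#|$|Defaults)' "$1" | awk '$NF == "ALL" { print $1 }'
}

# nopasswd_rules SUDOERS -> numbered lines granting NOPASSWD, i.e. root commands with no password prompt
nopasswd_rules() {
    grep -En '^[^#]*NOPASSWD' "$1" || true
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' "$SUDOERS_SAMPLE" > "$tmp/sudoers"
printf '%s\n' "$GROUP_SAMPLE"   > "$tmp/group"

echo "== effective sudo principals =="; sudo_principals "$tmp/sudoers" "$tmp/group" | sort
echo "== unrestricted (ALL) rules ==";  full_root_rules "$tmp/sudoers"
echo "== NOPASSWD rules ==";            nopasswd_rules "$tmp/sudoers"
```

Against the sample, `carol` shows up with full root purely through `%sudo`, and `jdoe` appears twice (full root via `%admin`, plus the direct `NOPASSWD` rule), which is the kind of overlap a quick read of the file misses.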
6. Granular Access Control Lists (ACLs): `setfacl` & `getfacl`
Traditional Unix permissions (owner/group/other) are too coarse. ACLs allow per‑user or per‑group permissions on files and directories.
Step‑by‑step: Implementing ACLs
```bash
# Check current ACLs
getfacl /shared/project
# Give read/write to a specific user (not owner/group)
setfacl -m u:jdoe:rw- /shared/project
# Give read and traverse (no write) to a group
setfacl -m g:devops:r-x /shared/project
# Remove a specific ACL entry
setfacl -x u:jdoe /shared/project
# Set default ACL for new files in a directory
setfacl -d -m u:jdoe:rw- /shared/project
```
Enable ACLs on the filesystem: add `acl` to the mount options in `/etc/fstab` (e.g., `defaults,acl`), then `mount -o remount /`.
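One ACL detail that bites in practice: named-user, named-group and owning-group entries are all capped by the `mask` entry, and a plain `chmod` on a file with an extended ACL rewrites that mask from the group bits, silently narrowing what `setfacl -m u:jdoe:rw-` granted. The bash script below is an added example, not from the original post; it computes the effective rights from constructed `getfacl` output rather than from a real filesystem, so it runs without `setfacl` installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): compute the effective rights of
# each ACL entry from getfacl-style text. Owner and "other" entries are not
# subject to the mask; named users, named groups and the owning group are.

# Constructed getfacl output after `setfacl -m u:jdoe:rw- ...` followed by `chmod g=r`.
ACL_SAMPLE='# file: shared/project
# owner: root
# group: devops
user::rwx
user:jdoe:rw-
group::r-x
group:devops:r-x
mask::r--
other::---'

# acl_effective < getfacl-text -> masked entries, annotated with #effective: where reduced
acl_effective() {
    awk -F: '
        /^mask::/ { mask = $3 }
        /^(user|group):[^:]+:/ || /^group::/ { entries[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                split(entries[i], f, ":")
                perms = f[3]; eff = ""
                # a bit is effective only if it is set in both the entry and the mask
                for (j = 1; j <= 3; j++) {
                    c = substr(perms, j, 1)
                    eff = eff ((c != "-" && c == substr(mask, j, 1)) ? c : "-")
                }
                print entries[i] (eff != perms ? "  #effective:" eff : "")
            }
        }'
}

# acl_masked_names < getfacl-text -> names whose entry lost rights to the mask; these are
# what `setfacl -m m::rwx` (or re-applying the entry without -n) would restore
acl_masked_names() {
    acl_effective | awk '/#effective:/ { split($1, f, ":"); print (f[2] == "" ? f[1] "(owning)" : f[2]) }'
}

printf '%s\n' "$ACL_SAMPLE" | acl_effective
echo "Entries reduced by the mask: $(printf '%s\n' "$ACL_SAMPLE" | acl_masked_names | tr '\n' ' ')"
```

Here `jdoe` ends up with `r--` despite the `rw-` entry, and both group entries are reduced to `r--`. Real `getfacl` prints the same `#effective:` annotation, which is why checking its output after any `chmod` on a shared directory is worth the habit.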
7. Monitoring Sessions and Auditing Activity
Attackers first run `who`, `w`, `last`, and `id` to understand the environment. Defenders should run the same commands routinely so that anomalies stand out.
Step‑by‑step: Visibility and auditing
```bash
# Show currently logged-in users and their activity
who
w
# Show the last 10 logins and the last 5 failed logins (lastb requires root)
last -10
sudo lastb -5
# Display user ID, group ID, and supplementary groups
id jdoe
# Manage user sessions on systemd-based systems
loginctl list-users
loginctl show-user jdoe
loginctl terminate-user jdoe
# Monitor real-time authentication logs
sudo tail -f /var/log/auth.log   # Debian/Ubuntu
sudo tail -f /var/log/secure     # RHEL/CentOS
```
Pro tip: Use `lastlog` to see when each user last logged in. Set up `auditd` to monitor changes to `/etc/passwd` and `/etc/shadow`.
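Tailing the log is the start; the value is in what you look for in it. The bash script below is an added example, not from the original post, that runs three detections over constructed `auth.log` lines (hosts, users and addresses are made up): failed SSH logins grouped by source with a threshold, every `sudo` command with the invoking user (the same records `journalctl _COMM=sudo` shows), and `useradd` events that created a UID 0 account.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): detection logic over constructed
# auth.log lines for the session and auth data this section says to watch.

LOG_SAMPLE='Mar  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 host sshd[1235]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:09 host sshd[1236]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:11 host sshd[1240]: Accepted publickey for jdoe from 198.51.100.20 port 40000 ssh2
Mar  3 10:03:00 host sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:04:00 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Mar  3 10:05:00 host sshd[1250]: Failed password for jdoe from 198.51.100.20 port 40100 ssh2
Mar  3 10:05:30 host useradd[1300]: new user: name=svc2, UID=0, GID=0, home=/tmp, shell=/bin/sh
Mar  3 10:06:00 host useradd[1301]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash'

# failed_by_source LOG THRESHOLD -> "count source" for sources with at least THRESHOLD failures
failed_by_source() {
    awk -v th="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i+1)]++; break }
        }
        END { for (src in c) if (c[src] >= th) print c[src], src }' "$1" | sort -rn
}

# sudo_commands LOG -> "user command" for every sudo invocation
sudo_commands() {
    awk '/ sudo: / && match($0, /COMMAND=/) { print $6, substr($0, RSTART + 8) }' "$1"
}

# uid0_accounts_created LOG -> names of accounts useradd created with UID 0 (a second root)
uid0_accounts_created() {
    awk '/useradd\[[0-9]+\]: new user:/ && / UID=0,/ {
            match($0, /name=[^,]+/); print substr($0, RSTART + 5, RLENGTH - 5)
        }' "$1"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' "$LOG_SAMPLE" > "$tmp/auth.log"

echo "== sources with >= 3 failed logins ==";  failed_by_source "$tmp/auth.log" 3
echo "== sudo commands ==";                    sudo_commands "$tmp/auth.log"
echo "== accounts created with UID 0 ==";      uid0_accounts_created "$tmp/auth.log"
```

On the sample, `203.0.113.7` crosses the threshold while the single failure from `198.51.100.20` (followed by a successful key login) does not; the `sudo` listing surfaces `alice` editing `/etc/sudoers` with `vi` instead of `visudo`; and `svc2` is reported as a new UID 0 account while `deploy` is not. Point the functions at the real `/var/log/auth.log` (or `journalctl -o short` output) to run them live.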
What Undercode Say:
- Key Takeaway 1: Linux security fails from the inside out – misconfigured users, weak passwords, and overprivileged accounts are how 80% of breaches start.
- Key Takeaway 2: Auditability is non‑negotiable; if you cannot answer “who has sudo” and “when did they last log in,” you are already compromised.
- Analysis (10 lines):
Most security teams spend millions on endpoint detection and SIEMs but ignore the foundational identity layer. The post correctly emphasizes that `/etc/shadow` and sudoers are more valuable to an attacker than any open port. Every penetration tester’s first step on a Linux box is `sudo -l` and `cat /etc/passwd`. By mastering user and group management, you deny them that low‑hanging fruit. Implementing least privilege through groups and ACLs reduces blast radius dramatically. Password aging alone stops credential reuse attacks. Moreover, modern cloud infrastructure (Kubernetes nodes, containers, CI runners) all runs Linux – the same principles apply. The GitHub PDF linked by Okan YILDIZ (Full Document) is a solid reference for production hardening. The real takeaway? Automate user lifecycle management with Ansible or similar – manual `useradd` invites drift. And always, always review sudoers files after any employee change.
Expected Output (Example command & result):
```text
$ sudo chage -l jdoe
Last password change                                    : Jan 15, 2026
Password expires                                        : Apr 15, 2026
Password inactive                                       : Never
Account expires                                         : Never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
```
Prediction:
- +1 As infrastructure-as-code and immutable Linux images become standard, user and group management will shift to declarative tools (e.g., systemd-sysusers, Ansible user modules) – reducing manual errors and enhancing audit trails.
- -1 However, the rise of ephemeral containers and serverless runtimes is eroding traditional Linux user management awareness, leading to a new generation of engineers who misconfigure `runAsUser` and privilege escalation in Kubernetes, causing repeat breaches.
- +1 Compliance frameworks (PCI DSS 4.0, ISO 27001:2022) are increasing penalties for weak password policies and lack of user access reviews – making mastery of `chage` and `loginctl` directly billable skills.
- -1 Attackers are already automating the enumeration of `/etc/passwd` and sudo groups via supply‑chain malware; without daily monitoring of these files (e.g., with AIDE or Tripwire), most organizations will not detect the backdoor until it is too late.
Reported By: Yildizokan Linux – Hackers Feeds


