You share your Linux system with invisible people you never invited.
Run this right now:
```bash
cat /etc/passwd | wc -l
```
Got 30+? Every line is a user. Most of them are services — www-data (your web server), mysql (your database), syslog (your logging system). They all had accounts created automatically.
Understanding these users is Day 1 Linux SysAdmin work.
The Two Key Files
Everything about users and groups on Linux lives in four files:
| File | Contains | Readable by |
|---|---|---|
| /etc/passwd | All users (no passwords) | Everyone |
| /etc/shadow | Hashed passwords | Root only |
| /etc/group | All groups | Everyone |
| /etc/gshadow | Group passwords (rare) | Root only |
Historically, /etc/passwd stored hashed passwords in the second field. But since everyone can read /etc/passwd, it became a security risk.
In the 1980s, “shadow passwords” moved the hashes to /etc/shadow (root-only). Now /etc/passwd just has an x in the password field — meaning “look in shadow”.
Decoding /etc/passwd
Every line in /etc/passwd has 7 fields separated by colons (:):
```
shekhar : x : 1001 : 1001 : Shekhar Kumar : /home/shekhar : /bin/bash
   1      2    3      4           5               6             7
```
(Spaces around the colons are added here for readability; the real line has none.)
| Field | Value | Meaning |
|---|---|---|
| 1 | shekhar | Username (what you type at login) |
| 2 | x | Password is in /etc/shadow (always x on modern Linux) |
| 3 | 1001 | UID — User ID number (OS uses this, not the name) |
| 4 | 1001 | Primary GID — the user’s main group |
| 5 | Shekhar Kumar | GECOS — display name / comment |
| 6 | /home/shekhar | Home directory |
| 7 | /bin/bash | Login shell (/usr/sbin/nologin = service account) |
Look for users with field 7 = /usr/sbin/nologin or /bin/false.
These are service accounts — they run services but can’t be logged into interactively. www-data, mysql, syslog, daemon are all service accounts. This is intentional security design.
The User Org Chart
UID Ranges
| UID Range | Type | Examples |
|---|---|---|
| 0 | Superuser | root only, always |
| 1 – 999 | System accounts | daemon, www-data, mysql, syslog |
| 1000+ | Regular human users | shekhar, alice, bob |
| 65534 | nobody user | Ultra-minimal permissions for mapped-nobody scenarios |
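The UID table above and the login-shell rule from the /etc/passwd section combine naturally into one audit. This is an added example, not part of the original post: it classifies every account in passwd-format input by UID range and by shell, and flags system accounts that still have an interactive shell. It assumes only POSIX sh; the sample passwd lines are constructed, and on a live system you would feed it `getent passwd` instead.

```bash
#!/bin/sh
# Added example (not from the original post): classify every account in
# passwd-format input by UID range (table above) and by login shell, and flag
# system accounts that still have an interactive shell.

# Map a numeric UID to its range from the UID table.
uid_class() {
    if [ "$1" -eq 0 ]; then echo superuser
    elif [ "$1" -eq 65534 ]; then echo nobody
    elif [ "$1" -lt 1000 ]; then echo system
    else echo human
    fi
}

# A shell ending in nologin or false (or an empty field) blocks interactive login.
shell_kind() {
    case "$1" in
        */nologin|*/false|"") echo nologin ;;
        *) echo interactive ;;
    esac
}

# Read passwd lines on stdin and print "user uid class shell_kind", adding
# WARN when a system account (UID 1-999) has an interactive shell.
audit_passwd() {
    while IFS=: read -r user _pw uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        cls=$(uid_class "$uid")
        kind=$(shell_kind "$shell")
        flag=""
        [ "$cls" = system ] && [ "$kind" = interactive ] && flag=" WARN"
        printf '%s %s %s %s%s\n' "$user" "$uid" "$cls" "$kind" "$flag"
    done
}

# Constructed sample lines in /etc/passwd format (not taken from a real host).
SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
shekhar:x:1001:1001:Shekhar Kumar:/home/shekhar:/bin/bash'

# On a live system: getent passwd | audit_passwd
printf '%s\n' "$SAMPLE" | audit_passwd
```

The constructed `backup` line is the case worth noticing: a UID in the system range with /bin/bash gets a WARN, which is exactly the kind of account the service-account rule above says should not exist.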
Managing Users
Creating a User
- useradd: Low-level C program. Available on all Linux distros. No prompts. Requires flags for everything.
- adduser: Higher-level Perl script (Debian/Ubuntu). Interactive. Creates home dir, asks for password automatically.
Recommendation: Use adduser on Ubuntu/Debian for humans. Use useradd in scripts and on other distros.
The simple way (Ubuntu/Debian):
```bash
# Create a new user 'alice' with home directory, interactive password setup, and default shell
sudo adduser alice
```
- adduser creates /home/alice automatically
- It will prompt for a password and GECOS info
- It creates a primary group 'alice' automatically
- Only available on Debian/Ubuntu. Use 'useradd' on RHEL/CentOS.
The full control way (all distros):
```bash
# Create user 'alice' with home dir (-m), bash shell (-s), and display name (-c)
sudo useradd -m -s /bin/bash -c 'Alice Smith' alice
```
- -m = create home directory at /home/alice
- -s /bin/bash = set login shell to bash
- -c 'Alice Smith' = GECOS/comment field (display name)
- After this, set password: sudo passwd alice
Set or change a password:
```bash
# Set or change the password for user 'alice'
sudo passwd alice
```
- Without sudo, 'passwd' changes YOUR own password
- With sudo, 'passwd alice' changes alice's password
- Password is stored hashed in /etc/shadow — never in plain text
Modifying Users
Add user to a group (the most common operation):
```bash
# Add alice to the 'docker' group (without removing her from existing groups)
sudo usermod -aG docker alice
```
- -a = APPEND (add to group without removing from others)
- -G = specify supplementary group(s)
- CRITICAL: always use -a with -G. Without -a, alice loses all other group memberships!
- Changes take effect at alice's NEXT login
- Common groups to add users to: sudo, docker, www-data, adm
sudo usermod -G docker alice WITHOUT -a will remove alice from ALL other groups and only put her in docker.
Always: usermod -aG (a for append, G for group). Never: usermod -G alone.
Change a user’s shell:
```bash
# Change alice's login shell to zsh (the path must be one listed in /etc/shells)
sudo usermod -s /usr/bin/zsh alice
```
- Valid shells are listed in /etc/shells
- Use /usr/sbin/nologin to disable a service account's login
Lock and unlock a user:
```bash
# Lock alice's account (prevents login, doesn't delete anything)
sudo usermod -L alice
# Unlock it again
sudo usermod -U alice
```
- -L = lock (adds ! to the password hash in /etc/shadow)
- -U = unlock
- Useful for temporarily disabling ex-employees without deleting their data
- 'passwd -l alice' does the same thing
Deleting a User
```bash
# Delete user 'alice' AND her home directory and mail spool (-r)
sudo userdel -r alice
```
- -r = remove home directory and mail spool
- Without -r: user is deleted but /home/alice remains (orphaned files)
- Orphaned files keep alice's UID number but no name — show up as UID number in 'ls -la'
- Always double-check: does alice have data you need to back up first?
Managing Groups
Creating Groups
```bash
# Create a new group called 'developers'
sudo groupadd developers
```
- Group is created in /etc/group
- New group starts empty — no members
- Use usermod -aG to add users after
Adding Users to Groups
```bash
# Add alice to the 'developers' group (alternative to usermod -aG)
sudo gpasswd -a alice developers
```
- gpasswd -a = add user to group
- gpasswd -d = remove user from group
- Either gpasswd or usermod -aG works — both are correct
Viewing Group Membership
```bash
# Show all members of the 'developers' group
getent group developers
```
- Output format: group_name:password:GID:member1,member2,member3
- getent reads from /etc/group (and potentially LDAP/NIS in enterprise)
- 'groups alice' shows all groups alice belongs to
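One caveat worth checking when you review group membership: the member list in /etc/group (field 4 of the getent output above) only holds supplementary members. A user whose primary GID (field 4 of /etc/passwd) is that group is not listed there, so `getent group` alone can under-report who is in a privileged group such as sudo. The following added example (not part of the original post) resolves both sources; it assumes POSIX sh with awk, cut and sort, and the passwd/group text is constructed.

```bash
#!/bin/sh
# Added example (not from the original post): list everyone who effectively
# belongs to a group. 'getent group NAME' only prints the supplementary member
# list (field 4 of group_name:password:GID:member1,member2), so a user whose
# PRIMARY GID (passwd field 4) is that group is easy to miss. This combines both.

# group_members GROUP PASSWD_TEXT GROUP_TEXT -> unique member names, sorted.
group_members() {
    grp=$1; passwd=$2; group=$3
    line=$(printf '%s\n' "$group" | awk -F: -v g="$grp" '$1 == g')
    [ -n "$line" ] || return 1                 # no such group
    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    {
        # Explicit supplementary members, one per line.
        printf '%s\n' "$line" | cut -d: -f4 | tr ',' '\n'
        # Users for whom this GID is the primary group (passwd field 4).
        printf '%s\n' "$passwd" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | grep -v '^$' | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample data in /etc/passwd and /etc/group format (not a real host).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash
bob:x:1002:1002:Bob Jones:/home/bob:/bin/bash
deploy:x:1003:998:Deploy Bot:/home/deploy:/bin/bash'
GROUP_SAMPLE='root:x:0:
www-data:x:33:
sudo:x:27:alice
docker:x:998:bob,alice
alice:x:1001:
bob:x:1002:'

# docker: alice and bob are listed members; deploy has it as primary group,
# so 'getent group docker' would not show deploy at all.
for g in sudo docker www-data; do
    printf '%-10s %s\n' "$g:" "$(group_members "$g" "$PASSWD_SAMPLE" "$GROUP_SAMPLE")"
done
```

On a real host, pass `"$(getent passwd)"` and `"$(getent group)"` as the two text arguments so LDAP/NIS users are included too.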
Hands-On Challenge
Complete this sequence on your Linux machine:
- Create a new user `devops` with home directory and bash shell
- Create a group `engineers`
- Add `devops` to the `engineers` group (using `usermod -aG`)
- Verify with `id devops` — you should see `engineers` in the groups list
- Lock the account with `usermod -L devops`
- Verify the lock: `sudo passwd -S devops` (should show `L` status)
- Bonus: Look at `/etc/shadow` as root — find the `!` before devops’s password hash that indicates the lock
Key Takeaways
- `/etc/passwd` has 7 fields — learn to read each one. The login shell field immediately tells you if it’s a service account or human account.
- UIDs are what matter — the OS uses numbers, not names. `1000+` = human, `1-999` = service, `0` = root.
- `usermod -aG` — the `-a` is MANDATORY when adding groups. Forget it and you wipe all existing group memberships.
- `adduser` vs `useradd` — `adduser` is friendlier and Debian/Ubuntu only. `useradd` is universal but requires manual flags.
- Service accounts (`www-data`, `mysql`) can’t log in interactively — this is by design for security. Never give them a real shell.
- Group membership changes → user must log out and back in for them to take effect.
In this guide you learned how to read /etc/passwd, create and manage real users and service accounts, add users to groups safely, and understand the difference between UIDs 0-999 (system) and 1000+ (human). You are now a functioning Linux user manager.
Next Steps in This Series
- Linux File Permissions: Visual Guide — Now that you know users and groups, learn what permissions they can hold
- sudo & the Sudoers File — Control which users can run which commands as root
- What is IAM? — See how the exact same model (Users, Groups, Permissions) works in AWS
Test Your Knowledge
Take a quick 3-question quiz to check your understanding.