CHAPTER 10. User and Group Management
In this chapter, we will learn about users and groups in Linux, how to manage them, and how to administer password policies for those users. By the end of the chapter, you will understand the role of users and groups on a Linux system and how the operating system interprets them. You will learn to create, modify, lock and delete locally created user and group accounts. You will also learn how to lock accounts manually and how to enforce a password-aging policy using the shadow password file.
Users and Groups
In this section, we will look at what users and groups are and how the operating system uses them.
Who is a user?
Every process (running program) on the system runs as a user, and every file is owned by a user. The permissions on a file or directory are evaluated against the user a process runs as, so that user determines which files and directories the process can access.
The id command shows the current user's UID, primary group and supplementary groups. Pass another username as an argument to see the same information for that user.
To find the user that owns a file or directory, use ls -l; the third column of the output is the owner's username (the fourth column is the owning group).
The ps command shows information about processes. By default it lists only the processes in the current shell. Add the a option to list all processes that have a terminal, and the u option to include the user each process runs as, which then appears in the first column of the output (for example, ps au).
The system maps usernames to numeric IDs using a database of accounts. Local accounts are stored in the flat file /etc/passwd, which holds one line of seven colon-separated fields per user:
username:password:UID:GID:GECOS:/home/dir:shell
username:
The human-readable name mapped to the UID, so that people do not have to remember numbers.
password:
Historically this field held the password hash. On modern systems it contains an x, and the hash is kept in /etc/shadow, which only root can read.
UID:
The numeric user ID. This is what the kernel actually uses to identify the user; the username is only a label for it.
GID:
The numeric ID of the user's primary group. Groups are discussed below.
GECOS:
Arbitrary text, usually the user's full name.
/home/dir:
The user's home directory, where their personal data and configuration files live.
shell:
The program started when the user logs in. For a regular user this is usually a command-line shell such as /bin/bash. Accounts that should never log in interactively are given /sbin/nologin here.
What is a group?
Just like users, groups have a name and a numeric group ID (GID). Local group information is stored in /etc/group.
There are two types of groups, primary and supplementary. Their characteristics are as follows.
Primary Group:
- Every user has exactly one primary group.
- For local users, the primary group is the GID in the fourth field of the user's /etc/passwd entry.
- New files created by the user are group-owned by the primary group (unless they are created in a directory with the setgid bit set, in which case they inherit the directory's group).
- By default the primary group has the same name as the user, and the user is its only member. This is called a User Private Group (UPG).
Supplementary Group:
- A user can be a member of zero or more supplementary groups.
- For local groups, supplementary membership is recorded in the last field of the group's entry in /etc/group as a comma-separated list of usernames. A user's primary group does not need to appear in that list; it is already implied by the GID in /etc/passwd.
- groupname:password:GID:list,of,users,in,this,group
- Supplementary groups exist so that a user can belong to several groups at once and thereby gain access to resources and services that belong to those other groups. A change of group membership takes effect at the next login, so a user who has just been added to a group must log out and back in (or run newgrp) before the new group appears in the output of id.
Getting Superuser Access
In this section, we will learn about what the root user is and how you can be the root or superuser and gain full access over the system.
The root user
Every operating system has one account with unrestricted access to the system, the superuser. On Windows this is the Administrator account; on Linux it is the root user. root can override any permission on the file system and is used to administer and manage the system. Tasks such as installing or removing software, or managing files and directories that belong to the system rather than to the user, require escalating privileges to root.
Most devices can be controlled only by root, with a few exceptions. A normal user logged in at the console is allowed to manage removable devices such as a USB drive, so a non-root user can add and remove files on such a device, but modifying a fixed hard drive (partitioning, formatting or mounting it) is possible only for root.
With great power comes great responsibility. The same unlimited power lets root damage the system: delete files and directories, remove or modify user accounts, install backdoors, and so on, and anyone who compromises the root account gains full control of the system. It is therefore advisable to log in as a normal user and escalate to root only when a task actually requires it.
The usual practice in Linux is to log in as a regular user and then use tools such as su and sudo to obtain root privileges for individual commands or sessions.
Using su to Switch Users
You can switch to a different user account with the su command. If you do not pass a username, su switches to the root account. When invoked by a regular user, su prompts for the password of the account you are switching to; when invoked by root, no password is required.
su - <username>
[student@desktop ~]$ su -
Password: rootpassword
[root@desktop ~]#
su username starts a non-login shell, whereas su - username (equivalent to su -l username) starts a login shell. A login shell sets up a clean environment for the target user, with that user's home directory and shell start-up files, while a non-login shell keeps the environment and working directory of the calling shell. Administrators normally use su - so that they get the target user's own defaults; it also avoids carrying settings chosen by the calling user into a root shell, where they could influence what root executes.
sudo and the root
Linux applies a simple and strict privilege model: the root user may do anything, and other users may do nothing that requires administrative privilege. The traditional solution was to let a user become root with su for as long as a task required. This has two disadvantages. First, the user really becomes root, with every power that entails, and can just as easily reboot the system or delete /etc as perform the intended task. Second, everyone who needs to switch to root must know the root password, which then has to be shared and is hard to change or revoke.
The sudo command addresses both problems. It lets a regular user run a command as root, or as another user, according to the rules in /etc/sudoers (and in the files under /etc/sudoers.d). Whereas su requires the root password, sudo authenticates the user with their own password, not the password of the account they are gaining access to. An administrator can therefore grant specific users a specific list of commands to run with elevated privileges, so that they can perform particular administration tasks without ever knowing the root password.
For example, suppose the student user has been granted the right to run the usermod command through sudo. student can now modify any other user account, including locking it:
[student@desktop ~]$ sudo usermod -L username
[sudo] password for student: studentpassword
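The script below is an added example, not part of the original chapter, showing the administrator's side of the exchange above: the sudoers drop-in that grants student the usermod command, the visudo syntax check that should always precede installing such a file, and a check of the lock marker that usermod -L leaves in /etc/shadow so that the lock can be verified. It assumes the usermod binary lives at /usr/sbin/usermod (the Red Hat path) and that the drop-in would be installed as /etc/sudoers.d/student-usermod; the file path is a parameter so the script runs unprivileged, and the shadow lines are constructed samples. Note the caveat in the file comment: usermod can also change UIDs, shells and group memberships, so a user who may run it freely can make any account root-equivalent, and a real deployment would normally restrict it further.

```shell
#!/bin/sh
# Added example, not from the chapter: a sudoers drop-in granting student
# the usermod command, a syntax check of that file, and a check of the lock
# marker that usermod -L writes into /etc/shadow. The path is a parameter so
# this runs unprivileged; the shadow lines are constructed samples.

# Real location: /etc/sudoers.d/student-usermod, owned by root, mode 0440.
# The command is given by full path so the rule cannot be satisfied by some
# other binary called usermod found earlier on the caller's PATH.
write_usermod_rule() {
    cat > "$1" <<'EOF'
# student may run usermod as root (matches the chapter's example).
# usermod can also change a UID, a shell or group membership, so whoever
# holds this right can make any account root-equivalent.
student ALL=(root) /usr/sbin/usermod
EOF
    chmod 0440 "$1"
}

# Check a sudoers file before it is used: a syntax error in a file under
# /etc/sudoers.d can break sudo for everybody at once.
check_sudoers_file() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not installed here; skipping syntax check of $1"
    fi
}

# usermod -L puts a "!" in front of the hash in field 2 of the user's
# /etc/shadow entry, so the hash no longer matches any password;
# usermod -U removes it again.
shadow_lock_state() {   # argument: one line from /etc/shadow
    printf '%s\n' "$1" | awk -F: '{
        if ($2 ~ /^!/)        print "locked"
        else if ($2 == "*")   print "no-password-login"
        else if ($2 == "")    print "EMPTY-no-password-required"
        else                  print "active"
    }'
}

RULE=$(mktemp)
write_usermod_rule "$RULE"
check_sudoers_file "$RULE" || echo "sudoers check failed for $RULE"
rm -f "$RULE"

BEFORE='alice:$6$saltsalt$fakehashvalue:19800:0:99999:7:::'    # constructed sample
AFTER='alice:!$6$saltsalt$fakehashvalue:19800:0:99999:7:::'    # same line after usermod -L alice
echo "before usermod -L: $(shadow_lock_state "$BEFORE")"
echo "after  usermod -L: $(shadow_lock_state "$AFTER")"
```

Two practical notes. usermod -L disables only password authentication; the man page recommends also setting an expiry date (usermod -e 1) when the whole account, not just its password, is to be locked. And a field of !! (as on a freshly created account that was never given a password) also reports as locked here, because it likewise starts with !.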
Another benefit of sudo is that every command run through it is logged, together with the invoking user, the target user and the full command line. On Red Hat-based systems the log is /var/log/secure; on Debian-based systems it is /var/log/auth.log, and on systemd-based systems the same records can be read with journalctl. su, by contrast, records only the switch of user, not what was done afterwards.