Linux User and Group Management Cheat Sheet

Updated 2026-05-21

Linux user and group management is the foundation of access control on every Linux system — governing who can log in, which resources they can reach, and under what conditions they can elevate privilege. Every process runs as a UID and one or more GIDs; every file has an owner and group; every sudo rule, ACL entry, and PAM policy traces directly back to these identities. The critical mental model is that identity is layered: the kernel cares only about numeric UIDs and GIDs, the database files (/etc/passwd, /etc/shadow, /etc/group, /etc/gshadow) map those numbers to names, and higher-level tools (PAM, SSSD, sudo) bolt additional policy on top — misunderstand the layer and troubleshooting becomes guesswork.

What This Cheat Sheet Covers

This topic spans 15 focused tables and 149 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

Table 1: Core User Commands (useradd / usermod / userdel)Table 2: Account Database FilesTable 3: Password and Account Aging (passwd / chage)Table 4: login.defs and useradd DefaultsTable 5: /etc/skel — Skeleton DirectoryTable 6: Group Management (groupadd / groupmod / groupdel / gpasswd)Table 7: sudo and /etc/sudoersTable 8: PAM (Pluggable Authentication Modules)Table 9: SSH-Based User AccessTable 10: Identity Switching (su / runuser)Table 11: Auditing and Login HistoryTable 12: Access Control Lists (setfacl / getfacl)Table 13: LDAP/AD Integration with SSSDTable 14: Troubleshooting Permissions and Access DeniedTable 15: Security Best Practices — Least Privilege

Table 1: Core User Commands (useradd / usermod / userdel)

Creating, modifying, and deleting local user accounts is done with the shadow-utils trio useradd, usermod, and userdel. These commands write directly to /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow, and their behaviour is governed by defaults in /etc/login.defs and /etc/default/useradd.

Command	Example	Description
useradd -m -s	`useradd -m -s /bin/bash alice`	• Creates user `alice` with home directory (`-m`) and login shell • home is populated from `/etc/skel`.
useradd -r	`useradd -r -s /usr/sbin/nologin svcacct`	• Creates a system account (UID in `SYS_UID_MIN`–`SYS_UID_MAX` range) • no aging info written to `/etc/shadow` • no home by default
useradd -u -g -G	`useradd -u 1500 -g staff -G sudo,docker alice`	Sets explicit UID, primary group (`-g`), and supplementary groups (`-G`) at creation time.
useradd -e	`useradd -e 2025-12-31 contractor`	• Sets account expiration date in YYYY-MM-DD format • account becomes inaccessible after that date
useradd -D	`useradd -D`	Displays (or modifies with extra flags) the defaults stored in `/etc/default/useradd`.
usermod -aG	`usermod -aG docker alice`	• Appends `alice` to the `docker` supplementary group without removing her from existing groups • omitting `-a` replaces all supplementary groups
usermod -g	`usermod -g staff alice`	• Changes alice's primary group • files in her home dir owned by the old GID are re-owned automatically
usermod -s	`usermod -s /bin/zsh alice`	• Changes the login shell • an empty string restores the system default

Table 1: Core User Commands (useradd / usermod / userdel)

Command	Example	Description
useradd -m -s	`useradd -m -s /bin/bash alice`	• Creates user `alice` with home directory (`-m`) and login shell • home is populated from `/etc/skel`.
useradd -r	`useradd -r -s /usr/sbin/nologin svcacct`	• Creates a system account (UID in `SYS_UID_MIN`–`SYS_UID_MAX` range) • no aging info written to `/etc/shadow` • no home by default
useradd -u -g -G	`useradd -u 1500 -g staff -G sudo,docker alice`	Sets explicit UID, primary group (`-g`), and supplementary groups (`-G`) at creation time.
useradd -e	`useradd -e 2025-12-31 contractor`	• Sets account expiration date in YYYY-MM-DD format • account becomes inaccessible after that date
useradd -D	`useradd -D`	Displays (or modifies with extra flags) the defaults stored in `/etc/default/useradd`.
usermod -aG	`usermod -aG docker alice`	• Appends `alice` to the `docker` supplementary group without removing her from existing groups • omitting `-a` replaces all supplementary groups
usermod -g	`usermod -g staff alice`	• Changes alice's primary group • files in her home dir owned by the old GID are re-owned automatically
usermod -s	`usermod -s /bin/zsh alice`	• Changes the login shell • an empty string restores the system default