🐧 Debian User Management Cheat Sheet

Complete guide for managing users and groups on Debian systems with best practices and security considerations.

📋 Table of Contents #

  1. Core Concepts
  2. Essential Tools
  3. Creating Users
  4. Modifying Users
  5. Deleting Users
  6. Group Management
  7. Password Management
  8. Privilege Escalation
  9. Configuration Files
  10. Security Best Practices
  11. Advanced Topics
  12. Troubleshooting

🎯 Core Concepts #

User Types #

  • System Users: UID < 1000 (0-99 are statically allocated by Debian, 100-999 are handed out dynamically to services and daemons by --system)
  • Regular Users: UID ≥ 1000 (UID_MIN in /etc/login.defs), for human users; 65534 (nobody) is a special unprivileged account, not a regular user
  • Root User: UID 0, superuser with unlimited privileges; any account with UID 0 is root to the kernel, whatever its name

Key Files #

  • /etc/passwd - User account information
  • /etc/shadow - Hashed (not encrypted) passwords and aging info; readable only by root and group shadow
  • /etc/group - Group definitions
  • /etc/gshadow - Group passwords and administrators

User Database Structure #

# /etc/passwd format (world-readable; "x" means the hash lives in /etc/shadow):
username:x:UID:GID:GECOS:home_directory:shell

# /etc/shadow format (root:shadow 0640; all date fields are days since 1970-01-01):
username:hashed_password:last_change:min_age:max_age:warn:inactive:expire:reserved
# hashed_password: "" = no password, "!" or "*" = locked, "!<hash>" = locked with the old hash kept for unlocking

🛠️ Essential Tools #

High-Level Tools (Debian) #

  • adduser - Interactive user creation (Debian frontend to useradd, applies the policy in /etc/adduser.conf)
  • deluser - Safe user removal (Debian frontend)
  • addgroup - Group creation
  • delgroup - Group removal

Low-Level Tools (Universal) #

  • useradd - Create user accounts
  • userdel - Delete user accounts
  • usermod - Modify user accounts
  • groupadd - Create groups
  • groupdel - Delete groups
  • passwd - Change passwords
  • chsh - Change login shell
  • chfn - Change user information

👤 Creating Users #

High-Level User Creation (adduser) #

# Create regular user with home directory
sudo adduser username

# Create system user (UID from the system range, login shell /usr/sbin/nologin, logins disabled)
sudo adduser --system --group servicename   # --group creates a same-named group instead of using nogroup

# Create user with specific shell
sudo adduser --shell /bin/zsh username

# Create user without home directory
sudo adduser --no-create-home username

# Create user with specific UID/GID (the group with that GID must already exist)
sudo adduser --uid 1500 --gid 1500 username

Low-Level User Creation #

# Basic user creation
sudo useradd username

# Create user with home directory and shell
sudo useradd -m -s /bin/bash username

# Create user with specific UID and groups
sudo useradd -u 1500 -g users -G sudo,audio username

# Create system user (-r: UID from the system range, no home directory unless -m is given)
sudo useradd --system --shell /usr/sbin/nologin servicename   # nologin refuses with a message; /bin/false exits silently

# Create user with expiration date
sudo useradd -e 2024-12-31 tempuser

Common useradd Options #

-m, --create-home     # Create home directory
-d, --home DIR        # Specify home directory
-s, --shell SHELL     # Set login shell
-g, --gid GROUP       # Primary group
-G, --groups GROUPS   # Supplementary groups
-u, --uid UID         # User ID
-e, --expiredate DATE # Account expiration
-c, --comment GECOS   # User information
-k, --skel DIR        # Skeleton directory
-r, --system          # Create system account

✏️ Modifying Users #

Change User Properties #

# Change username (login name only; the home directory keeps its old path unless you also pass -d NEW -m)
sudo usermod -l newname oldname

# Change user ID (files in the home directory and mail spool are re-owned; files elsewhere keep the old numeric UID and must be re-owned by hand)
sudo usermod -u 1600 username

# Change primary group
sudo usermod -g newgroup username

# Add user to supplementary groups (-a appends; without it -G replaces the whole list)
# Note: docker, disk and sudo membership is root-equivalent, adm gives read access to logs; grant deliberately
sudo usermod -aG sudo,docker username

# Change home directory
sudo usermod -d /new/home -m username

# Change login shell
sudo usermod -s /bin/zsh username
sudo chsh -s /bin/zsh username  # Alternative

# Lock/unlock user account (-L only prefixes the password hash with "!"; SSH key logins still work, add -e 1 to block those too)
sudo usermod -L username  # Lock
sudo usermod -U username  # Unlock

# Set account expiration
sudo usermod -e 2024-12-31 username

# Change user information (GECOS)
sudo usermod -c "Full Name,Room,Work Phone,Home Phone" username
sudo chfn username  # Interactive alternative

Password Management #

# Change user password
sudo passwd username

# Force password change on next login
sudo passwd -e username

# Set password aging
sudo passwd -n 7 -x 90 -w 7 username  # min 7, max 90, warn 7 days

# Lock/unlock password
sudo passwd -l username  # Lock
sudo passwd -u username  # Unlock

# Delete password (dangerous: Debian's common-auth uses nullok, so the account then logs in with an empty password)
sudo passwd -d username

🗑️ Deleting Users #

# Remove user (keep home directory)
sudo deluser username

# Remove user and home directory
sudo deluser --remove-home username

# Remove user and all files
sudo deluser --remove-all-files username

# Remove user from specific group only
sudo deluser username groupname

Low-Level User Removal #

# Remove user (keep home directory)
sudo userdel username

# Remove user and home directory
sudo userdel -r username

# Force removal even if user is logged in (also removes the home directory, mail spool and a same-named group even if others use them; kill the user's processes first)
sudo userdel -f username

👥 Group Management #

Creating Groups #

# Create group
sudo addgroup groupname
sudo groupadd groupname  # Alternative

# Create group with specific GID
sudo groupadd -g 2000 groupname

# Create system group
sudo groupadd -r systemgroup

Managing Group Membership #

# Add user to group
sudo adduser username groupname
sudo usermod -aG groupname username  # Alternative

# Remove user from group
sudo deluser username groupname
sudo gpasswd -d username groupname  # Alternative

# List user's groups
groups username
id username

# List group members (supplementary members only; users whose primary GID is this group are not listed)
getent group groupname

Deleting Groups #

# Delete group
sudo delgroup groupname
sudo groupdel groupname  # Alternative

# Force delete group even if it's primary group
sudo groupdel -f groupname

🔐 Password Management #

Password Policies #

# Install password quality checking (pam-auth-update wires it into common-password on install)
sudo apt install libpam-pwquality

# Configure in /etc/pam.d/common-password (or set the same keys in /etc/security/pwquality.conf)
# credit=-1 means "at least one" character of that class; difok = characters that must differ from the old password
password requisite pam_pwquality.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1

# Set password aging defaults in /etc/login.defs (only affects accounts created afterwards; use chage for existing ones)
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 7

Password Commands #

# Generate secure password (pwgen is not installed by default: sudo apt install pwgen)
openssl rand -base64 32
pwgen -s 16 1

# Check password expiration
sudo chage -l username

# Set password expiration
sudo chage -M 90 -m 7 -W 7 username

# Interactive password aging setup
sudo chage username

🔑 Privilege Escalation #

sudo Configuration #

# Edit sudoers file (always use visudo)
sudo visudo

# Add user to sudo group
sudo usermod -aG sudo username

# Check sudo access
sudo -l

# Run command as another user
sudo -u username command

# Preserve the caller's environment (needs SETENV or setenv in sudoers; caller-controlled variables reaching root is a classic escalation path, keep env_reset on)
sudo -E command

# Run shell as root
sudo -i
sudo su -

Common sudoers Entries #

# Put site entries in /etc/sudoers.d/<name> (mode 0440; file names containing "." or ending in "~" are ignored) rather than editing /etc/sudoers itself

# Allow user to run all commands as any user and any group
username ALL=(ALL:ALL) ALL

# Allow group to run specific commands
# Caution: an unrestricted systemctl grant is root-equivalent (any unit can be started); pin subcommands and arguments
%groupname ALL=(ALL) /usr/bin/systemctl, /usr/bin/service

# Allow without password
username ALL=(ALL) NOPASSWD: ALL

# Allow specific commands on specific hosts
# Caution: apt and dpkg run package maintainer scripts as root, so anyone who can supply a package effectively has root
username hostname=(root) /usr/bin/apt, /usr/bin/dpkg
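The entries above are the broad form. As an added example (not part of the original cheat sheet), here is the page's own style of grant beside a least-privilege drop-in, together with a small lint that flags binaries granted with no argument restriction. The `webops` group, `nginx.service`, the `Defaults:%webops` scoping and the lint heuristic are assumptions for illustration, not sudo features; `visudo -c -f` is the real syntax check.

```bash
#!/bin/sh
# Added example, not code from the original cheat sheet. Group name, unit name
# and the lint heuristic are assumptions; visudo -c -f is the real syntax check.
set -u

# The page's own style of entries: each binary is granted with any arguments,
# which for systemctl, apt and dpkg is root-equivalent.
weak_dropin() {
  cat <<'EOF'
%groupname ALL=(ALL) /usr/bin/systemctl, /usr/bin/service
username hostname=(root) /usr/bin/apt, /usr/bin/dpkg
EOF
}

# Least-privilege version: arguments pinned in a Cmnd_Alias, --no-pager so the
# root-owned pager cannot be escaped with "!sh", NOPASSWD only for that alias.
hardened_dropin() {
  cat <<'EOF'
# /etc/sudoers.d/webops  (install as root, mode 0440)
Defaults:%webops use_pty
Defaults:%webops env_reset
Cmnd_Alias WEBOPS_CMDS = /usr/bin/systemctl restart nginx.service, \
                         /usr/bin/systemctl reload nginx.service, \
                         /usr/bin/systemctl status --no-pager nginx.service, \
                         /usr/bin/journalctl --no-pager -u nginx.service
%webops ALL=(root) NOPASSWD: WEBOPS_CMDS
EOF
}

# Lint (an assumption, not a sudo feature): print every absolute path that a
# rule or Cmnd_Alias grants without any arguments. A bare path means "any
# arguments"; only a path followed by "" means "no arguments".
unrestricted_grants() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ { next }
    {
      line = $0
      sub(/#.*/, "", line)                   # strip trailing comments
      if (line ~ /\\[ \t]*$/) {              # join continuation lines
        sub(/\\[ \t]*$/, "", line); buf = buf line; next
      }
      line = buf line; buf = ""
      n = split(line, part, ",")
      for (i = 1; i <= n; i++) {
        tok = part[i]
        sub(/\([^)]*\)/, "", tok)            # drop the (runas) spec
        sub(/^.*[=:][ \t]*/, "", tok)        # drop user/host/alias/tag prefix
        gsub(/^[ \t]+|[ \t]+$/, "", tok)
        if (tok ~ /^\/[^ \t]+$/) print tok
      }
    }'
}

# Validate a candidate drop-in read from stdin: visudo for syntax (when it is
# installed; it does not install the file) and the lint above for scope.
check_dropin() {
  f=$(mktemp) || return 1
  cat > "$f"
  chmod 0440 "$f"
  rc=0
  if command -v visudo >/dev/null 2>&1; then
    visudo -c -f "$f" >/dev/null || rc=1   # visudo prints the reason on failure
  fi
  bad=$(unrestricted_grants < "$f")
  if [ -n "$bad" ]; then
    printf 'unrestricted command grants:\n%s\n' "$bad" >&2
    rc=1
  fi
  rm -f "$f"
  return $rc
}

# Usage: hardened_dropin | check_dropin && hardened_dropin | sudo tee /etc/sudoers.d/webops >/dev/null
weak_dropin | check_dropin || echo "weak drop-in rejected, as intended" >&2
```

The lint is deliberately crude: it catches the common mistake of granting a whole binary, but it cannot judge whether a pinned argument list is still dangerous, so review each alias by hand.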

su Command #

# Switch to root ("-" gives a login shell with root's environment; since Debian 10 a plain "su" no longer adds the sbin directories to PATH)
su -
su root

# Switch to another user
su - username

# Run single command as another user
su -c "command" username

📁 Configuration Files #

/etc/passwd #

# View user database
cat /etc/passwd
getent passwd

# Find specific user
getent passwd username

# List all regular (human) users: UID >= 1000, excluding nobody (65534)
awk -F: '$3 >= 1000 && $3 != 65534 {print $1}' /etc/passwd

/etc/shadow #

# View password database (root only)
sudo cat /etc/shadow

# Check password status
sudo passwd -S username

/etc/group #

# View group database
cat /etc/group
getent group

# Find groups for user
groups username
id -Gn username

/etc/login.defs #

# Key settings for user creation (read by useradd/newusers; adduser applies /etc/adduser.conf on top of these)
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
CREATE_HOME yes
UMASK 022
USERGROUPS_ENAB yes      # each new user gets a private group of the same name
ENCRYPT_METHOD YESCRYPT  # Debian 11+ default ("$y$" hashes in /etc/shadow); older releases use SHA512

🔒 Security Best Practices #

Account Security #

# Disable unused accounts: lock the password AND expire the account (-e 1 = day 1 of the epoch, 1970-01-02)
# -L alone only prefixes the hash with "!", so SSH key logins keep working; account expiry is enforced for every login method
sudo usermod -L -e 1 username

# Set strong password policies
# Edit /etc/pam.d/common-password
password requisite pam_pwquality.so minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1

# Enable account lockout (Debian 12+ ships pam_faillock; pam_tally2 was removed with PAM 1.5 and no longer exists there)
# Edit /etc/pam.d/common-auth: preauth before pam_unix, authfail/authsucc right after it
auth required pam_faillock.so preauth silent deny=5 unlock_time=900
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc deny=5 unlock_time=900
# (the same deny/unlock_time keys can live in /etc/security/faillock.conf instead)

# Monitor and reset failed logins
sudo faillock --user username
sudo faillock --user username --reset

User Limits #

# Configure resource limits in /etc/security/limits.conf
* soft nproc 1000
* hard nproc 2000
* soft nofile 1024
* hard nofile 2048
@users hard core 0

Auditing Users #

# List all users
cut -d: -f1 /etc/passwd

# Find users with shell access (an empty 7th field means /bin/sh, so it counts too)
awk -F: '$7 !~ /nologin|false/ {print $1}' /etc/passwd

# Check for users with UID 0 (anything besides root here is a second root account, whatever its name)
awk -F: '$3 == 0 {print $1}' /etc/passwd

# Find users without passwords (empty hash field; with nullok in common-auth these log in with no password at all)
sudo awk -F: '$2 == "" {print $1}' /etc/shadow

# Check for duplicate UIDs (two logins sharing a UID are one identity to the kernel)
awk -F: '{print $3}' /etc/passwd | sort | uniq -d

# List recently created users (approximate: this is the ctime of the home directory, which also changes on chown/chmod;
# the useradd entries in the journal or auth log are the authoritative record)
sudo find /home -maxdepth 1 -type d -newerct "1 week ago"

🔧 Advanced Topics #

PAM Configuration #

# PAM configuration directory
ls /etc/pam.d/

# Common PAM modules
/lib/x86_64-linux-gnu/security/

# Key PAM files (generated by pam-auth-update from the profiles in /usr/share/pam-configs/;
# it detects hand edits and may offer to override them, so prefer adding a profile there)
/etc/pam.d/common-auth      # Authentication
/etc/pam.d/common-account   # Account management
/etc/pam.d/common-password  # Password management
/etc/pam.d/common-session   # Session management

User Environment #

# Skeleton directory for new users
ls -la /etc/skel/

# Default shell configuration
/etc/bash.bashrc
/etc/profile

# User-specific configurations
~/.bashrc
~/.profile
~/.bash_profile

Batch Operations #

# Create multiple users from file
# Format: username:password:uid:gid:gecos:home:shell (empty uid/gid = next free UID / new private group)
# The file holds plaintext passwords: create it with umask 077 and shred it afterwards
sudo newusers userlist.txt

# Change passwords in batch (same plaintext caveat)
# Format: username:password
sudo chpasswd < passwordlist.txt

# Mass user creation script
#!/bin/bash
set -eu
for user in user1 user2 user3; do
    sudo adduser --disabled-password --gecos "" "$user"   # account exists but cannot log in yet
    echo "$user:defaultpass" | sudo chpasswd                # one shared default for everyone: replace with per-user secrets
    sudo passwd -e "$user"                                  # Force password change at first login
done
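The script above hands every new account the same default password. As an added example (not part of the original cheat sheet), the following does the batch with `newusers(8)` instead: one random password per account, the plaintext file created with mode 600 and shredded after use, and a forced change at first login. The `login:GECOS` roster format, the 20-character password length and the `/home/<login>` + `/bin/bash` defaults are assumptions for this example.

```bash
#!/bin/sh
# Added example, not code from the original cheat sheet. Roster format, password
# length and home/shell defaults are assumptions; the roster itself is constructed.
set -u

# Constructed input: one "login:GECOS" per line
roster() {
  cat <<'EOF'
alice:Alice Example
bob:Bob Example
carol:Carol Example
EOF
}

# Random alphanumeric password from the kernel CSPRNG. Nothing is typed on a
# command line, so it never reaches shell history or the process list
# (unlike "echo user:pass | chpasswd").
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20
}

# Emit newusers(8) lines: login:password:uid:gid:GECOS:home:shell. Empty uid
# and gid let newusers allocate the next free UID and create a same-named
# private group. The file is created under umask 077 (mode 600).
build_newusers_file() {
  out=$1
  (
    umask 077
    : > "$out"
    while IFS=: read -r login gecos; do
      [ -n "$login" ] || continue
      printf '%s:%s:::%s:/home/%s:/bin/bash\n' \
        "$login" "$(gen_password)" "$gecos" "$login"
    done >> "$out"
  )
}

# Privileged step (not run here): create the accounts, expire every password
# so it must be changed at first login, then destroy the plaintext file.
onboard() {
  file=$1
  [ "$(id -u)" -eq 0 ] || { echo "onboard: must run as root" >&2; return 1; }
  newusers "$file" || return 1
  cut -d: -f1 "$file" | while read -r login; do
    chage -d 0 "$login"     # last change = day 0: forces a new password at login
  done
  shred -u "$file"
}

# Unprivileged demonstration: build the file and show it with passwords masked
demo() {
  d=$(mktemp -d)
  roster | build_newusers_file "$d/newusers.txt"
  ls -l "$d/newusers.txt"
  sed 's/^\([^:]*\):[^:]*:/\1:********:/' "$d/newusers.txt"
  rm -rf "$d"
}
demo
```

Deliver each generated password to its owner out of band (and only after `chage -d 0` has run), so the value they receive is good for exactly one login.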

🚨 Troubleshooting #

Common Issues #

# User cannot login
sudo passwd -S username   # Check password status (L = locked, NP = no password, P = usable password)
sudo chage -l username    # Check account and password expiry
sudo usermod -U username  # Unlock if locked

# Permission denied errors
ls -la /home/username/    # Check home directory permissions
sudo chown -R username:username /home/username/

# Group membership not taking effect
# User needs to log out and back in, or:
newgrp groupname

# Cannot delete user
sudo pkill -u username    # Kill user processes
sudo userdel -f username  # Force deletion

# Home directory not created
sudo mkhomedir_helper username

Verification Commands #

# Verify user creation
id username
getent passwd username
ls -la /home/username/

# Check group membership
groups username
id -Gn username

# Verify sudo access
sudo -l -U username

# Test user login
sudo -i -u username

Recovery Procedures #

# Reset forgotten root password (needs console access; a GRUB password and full-disk encryption are what prevent this)
# 1. Boot to GRUB menu, press "e" on the Debian entry
# 2. Append to the "linux" line: init=/bin/bash
# 3. Mount filesystem read-write: mount -o remount,rw /
# 4. Change password: passwd root   (or passwd adminuser on sudo-only installs where root is locked)
# 5. Flush writes and continue booting: sync; exec /sbin/init

# Restore from backup (the shadow tools also keep the previous copies as /etc/passwd-, /etc/shadow-, /etc/group- and /etc/gshadow-)
sudo cp /etc/passwd.backup /etc/passwd
sudo cp /etc/shadow.backup /etc/shadow
sudo cp /etc/group.backup /etc/group
# Then check the databases for consistency with pwck -r and grpck -r before anyone logs in

📚 Useful Commands Reference #

Information Gathering #

whoami                    # Current user
id                       # Current user ID and groups
who                      # Logged in users
w                        # Detailed user activity
last                     # Login history
lastlog                  # Last login times
finger username          # User information (if installed)

Quick Operations #

# One-liner user creation with sudo access
sudo adduser newuser && sudo usermod -aG sudo newuser

# Create temporary user (expires in 30 days)
sudo useradd -m -e $(date -d "+30 days" +%Y-%m-%d) tempuser

# Password reset from stdin (this command line lands in shell history; prefer a mode-600 file or an interactive passwd)
echo "username:newpassword" | sudo chpasswd

# Find all users with bash shell
grep "/bin/bash" /etc/passwd | cut -d: -f1

🎯 Best Practices Summary #

  1. Always use adduser instead of useradd for interactive user creation
  2. Use visudo to edit sudoers file to prevent syntax errors
  3. Implement strong password policies with PAM modules
  4. Regularly audit user accounts and remove unused ones
  5. Use groups for permission management instead of individual user permissions
  6. Set appropriate resource limits to prevent abuse
  7. Monitor user activities with logging and auditing tools
  8. Backup user databases before making bulk changes
  9. Test user accounts after creation or modification
  10. Follow principle of least privilege for sudo access

References #

  • man adduser - Debian user creation tool
  • man useradd - Low-level user creation
  • man usermod - User modification
  • man sudo - Privilege escalation
  • man passwd - Password management
  • man pam - Pluggable Authentication Modules
  • /usr/share/doc/adduser/ - Debian adduser documentation

This cheat sheet covers comprehensive Debian user management. Always test commands in a safe environment before applying to production systems.