Linux Users and Permissions on Linuxize

How to List Users in Linux

hello@linuxize.com (Linuxize) — Mon, 09 Jul 2018 08:30:40 +0100

If you need to check who can log in, verify service accounts, or confirm that a user exists, you need a reliable way to list Linux users from local and directory sources. Every user account on a Linux system is recorded in the /etc/passwd file or in a network directory service such as LDAP.

This guide explains how to list users in Linux using /etc/passwd, getent, and several related commands for everyday user management.

The quickest way to list every account is getent passwd, which reads local files and any directory service such as LDAP or SSSD. To see only real human accounts, filter the output by UID (typically 1000 and above). For currently logged-in users, run who or w.

List All Users with /etc/passwd

Local user information is stored in the /etc/passwd file. Each line represents one user account. To view the file, use cat or less :

Terminal
less /etc/passwd

Each line contains seven colon-delimited fields:

Field	Description
Username	Login name
Password	`x` means the hash is in `/etc/shadow`
UID	Numeric user ID
GID	Primary group ID
GECOS	Full name or comment
Home directory	Path to the user’s home
Shell	Login shell (e.g., `/bin/bash` or `/usr/sbin/nologin`)

To print only the usernames, use awk or cut :

Terminal
awk -F: '{ print $1 }' /etc/passwd

Terminal
cut -d: -f1 /etc/passwd

output

root
daemon
bin
sys
sync
...
sshd
vagrant
jack
anne

List All Users with getent

The getent command queries name service databases configured in /etc/nsswitch.conf, including the passwd database. Unlike reading /etc/passwd directly, getent also returns users from LDAP, NIS, or SSSD if your system uses a network directory.

To list all users:

Terminal
getent passwd

The output format is the same as /etc/passwd. To extract only the usernames:

Terminal
getent passwd | cut -d: -f1

Check Whether a User Exists

To check if a specific user account exists, pass the username directly to getent:

Terminal
getent passwd jack

If the user exists, the command prints the full /etc/passwd entry for that account. If the user does not exist, there is no output and the exit code is 2.

You can use this in a script to test for a user:

Terminal
if getent passwd jack > /dev/null 2>&1; then
 echo "User jack exists"
fi

To count the total number of user accounts on the system:

Terminal
getent passwd | wc -l

List Only Human Users

Linux distinguishes between system accounts (created during installation or by packages) and human accounts (created by administrators). The difference is the UID range. On most distributions, human users have a UID between 1000 and 60000, as defined in /etc/login.defs.

To check the UID range on your system:

Terminal
grep -E '^UID_MIN|^UID_MAX' /etc/login.defs

output

UID_MIN 1000
UID_MAX 60000

To list only human user accounts:

Terminal
getent passwd | awk -F: '$3 >= 1000 && $3 <= 60000'

output

vagrant:x:1000:1000:vagrant,,,:/home/vagrant:/bin/bash
jack:x:1001:1001:,,,:/home/jack:/bin/bash
anne:x:1002:1002:Anne Stone,,,:/home/anne:/bin/bash
patrick:x:1003:1003:Patrick Star,,,:/home/patrick:/usr/sbin/nologin

To print only the usernames:

Terminal
getent passwd | awk -F: '$3 >= 1000 && $3 <= 60000 { print $1 }'

List Users Who Can Log In

Some accounts have their shell set to /usr/sbin/nologin or /bin/false to prevent interactive login. To list only users with a real login shell:

Terminal
getent passwd | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'

This filters out service accounts and shows only users who can actually open a shell session.

List Logged-In Users

To see which users are currently logged in, use the who command:

Terminal
who

output

jack pts/0 2026-02-13 09:15 (10.0.2.15)
anne pts/1 2026-02-13 10:30 (10.0.2.20)

The w command provides more detail, including what each user is running:

Terminal
w

For a simple list of logged-in usernames without duplicates:

Terminal
users

List Users in a Group

To see which users belong to a specific group, use getent group followed by the group name:

Terminal
getent group sudo

output

sudo:x:27:jack,anne

The last field shows the group members. To list all groups a specific user belongs to, use the groups command:

Terminal
groups jack

output

jack : jack sudo docker

The lastlog command shows the most recent login for every account:

Terminal
lastlog

To filter out accounts that have never logged in, use:

Terminal
lastlog | grep -v "Never"

The last command shows a log of recent login sessions:

Terminal
last -n 10

This displays the 10 most recent logins, including the terminal, remote host, and session duration.

Troubleshooting

getent command not found
The getent tool is part of glibc utilities and is available by default on most Linux distributions. If it is missing, install the standard libc utilities package for your distribution.

getent passwd does not show LDAP or directory users
Check /etc/nsswitch.conf and verify that passwd includes the correct source (for example files sss or files ldap). If you use SSSD, confirm the service is running and connected.

UID range does not match my distribution
The common human-user range is 1000-60000, but your system can use a different range. Check UID_MIN and UID_MAX in /etc/login.defs, then adjust the awk filter accordingly.

No users appear as logged in
The who, w, and users commands show active sessions only. On servers without interactive logins at that moment, empty output is expected.

Quick Reference

Command	Description
`cat /etc/passwd`	Show all local user entries
`getent passwd`	List all users (local + directory)
`getent passwd jack`	Check if user jack exists
`getent passwd \| awk -F: '$3 >= 1000 && $3 <= 60000'`	List human users only
`cut -d: -f1 /etc/passwd`	Print usernames only
`who`	Show currently logged-in users
`w`	Logged-in users with activity
`users`	Simple list of logged-in usernames
`getent group sudo`	List members of a group
`groups jack`	Show all groups for a user
`lastlog`	Last login time for all accounts
`last -n 10`	Recent login history

FAQ

What is the difference between system and human users?
System users are created during OS installation or by packages and typically have a UID below 1000. Human users are created by administrators and have UIDs in the 1000-60000 range. System accounts usually have /usr/sbin/nologin as their shell.

Why does my system show so many user accounts?
Most of those are system accounts created by installed packages. Services like sshd, www-data, and nobody each have their own user for security isolation. To see only human accounts, filter by UID range with getent passwd | awk -F: '$3 >= 1000 && $3 <= 60000'.

What is the difference between /etc/passwd and getent?
Reading /etc/passwd shows only local accounts. The getent command queries all configured name services, including LDAP, NIS, and SSSD, so it returns both local and network directory users.

How do I list users in a specific group?
Run getent group groupname. The last field in the output lists the group members. You can also run groups username to see all groups a particular user belongs to.

How do I find out when a user last logged in?
Use lastlog to see the most recent login time for every account, or use last username to see the full login history for a specific user.

Conclusion

Linux provides several commands for listing and filtering user accounts. Use getent passwd for a complete list, filter by UID range for human users, and use who or last to track login activity.

For managing users, see useradd , userdel , and usermod . To list groups instead of users, see How to List Groups in Linux .

If you have any questions, feel free to leave a comment below.

How to Create Users in Linux (useradd Command)

hello@linuxize.com (Linuxize) — Tue, 11 Dec 2018 18:30:40 +0100

Linux is a multi-user operating system, so each person or service should have its own account.

The useradd command creates new user accounts in Linux and lets you control home directories, login shells, group membership, UIDs, and account expiry settings.

This article explains how to create users in Linux with useradd, set passwords, and customize the account during creation.

Understanding User Types in Linux

In Linux, there are two main types of users:

Regular Users: Created by the administrator, these are individual accounts for standard operations.
System Users: These are created automatically by the system or applications to run specific services.

Based on their permission levels, regular users can be further classified as:

Standard Users: Limited access rights, typically used for everyday tasks.
Administrative Users: Have elevated permissions and should be trusted individuals, as granting administrative rights should be done only when absolutely necessary.

As a system administrator, you are responsible for managing the system’s users and groups by creating and removing users and assigning them to appropriate groups .

In this article, we will explain how to create new user accounts using the useradd command.

Quick Reference

Command	Description
`sudo useradd username`	Create a user with default settings
`sudo useradd -m username`	Create a user and home directory
`sudo useradd -m -s /bin/bash username`	Create a user with a specific login shell
`sudo useradd -m -G sudo username`	Create a user and add to supplementary group
`sudo passwd username`	Set or reset the user password
`sudo useradd -D`	Show default `useradd` settings
`id username`	Verify UID, GID, and groups
`sudo userdel -r username`	Remove a user and home directory

For a printable quick reference, see the useradd cheatsheet .

`useradd` Command

useradd is a command-line utility for creating new user accounts on Linux and Unix systems.

The syntax of the useradd command is:

txt
useradd [OPTIONS] USERNAME

Only root or users with sudo privileges can create new user accounts with this command.

When executed, useradd creates a new user account based on the options specified on the command line and the default values found in the /etc/default/useradd file.

The variables defined in this file differ from distribution to distribution, which causes the useradd command to produce different results on different systems.

useradd also reads the contents of the /etc/login.defs file. This file contains configuration for the shadow password suite, such as password expiration policy, ranges of user IDs used when creating the system and regular users, and more.

Creating a New User

To create a new account, run the useradd command followed by the user’s name.

For instance, to create a new user named leah, you would run the following:

Terminal
sudo useradd leah

The account is created immediately, but the user cannot log in until you set a password with passwd.

Info

When executed without any options, useradd creates a new user account using the default settings specified in the /etc/default/useradd file.

The command adds an entry to the /etc/passwd, /etc/shadow , /etc/group, and /etc/gshadow files.

You can verify the account was created and view the user’s details by running the id command:

Terminal
sudo id leah

output

uid=1005(leah) gid=1005(leah) groups=1005(leah)

Setting User Passwords

To allow a new user to log in, you need to set the user’s password. You can do that by executing the passwd command followed by the username:

Terminal
sudo passwd leah

The command prompts you to enter and confirm a new password. Make sure you use a strong password.

output

Changing password for user leah.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Creating a User with a Home Directory

A home directory is a directory in a multi-user operating system that contains the user’s files. It is also known as the login directory.

On many Linux distributions, the home directory is not automatically created when a user account is created.

To create a home directory, use the -m (--create-home) option:

Terminal
sudo useradd -m leah

The command above creates the new user’s home directory at /home/<username>, along with default initialization files copied from /etc/skel.

If you list the files in the /home/leah directory, you will see the files:

Terminal
ls -la /home/leah/

output

total 20
drwxr-x--- 2 leah leah 4096 Dec 20 17:58 .
drwxr-xr-x 4 root root 4096 Dec 20 17:58 ..
-rw-r--r-- 1 leah leah 220 Jan 6 2025 .bash_logout
-rw-r--r-- 1 leah leah 3771 Jan 6 2025 .bashrc
-rw-r--r-- 1 leah leah 807 Jan 6 2025 .profile

The user can write, edit, and delete files and directories in the home directory.

Creating a User with a Specific Home Directory

To create a user with a designated home directory, use the -d (--home) option.

Here is an example of how to create a new user named leah with the home directory /opt/leah:

Terminal
sudo useradd -m -d /opt/leah leah

Creating a User with a Specific User ID

In Linux and Unix-like operating systems, users are identified by a unique UID and a username.

A user identifier (UID) is a unique positive integer assigned by the Linux system to each user. The UID and other access control policies determine the actions a user can perform on system resources.

By default, when a new user is created, the system assigns the next available UID from the range of user IDs specified in the login.defs file.

Invoke the useradd command with the -u (--uid) option to create a user with a specific UID.

For instance, to create a new user named leah with a UID of 1500, you would type:

Terminal
sudo useradd -u 1500 leah

To verify the user’s UID, use the id command:

Terminal
id -u leah

output

Creating a User with a Specific Group ID

Linux groups are organizational units used to manage user accounts. The primary purpose of groups is to define a set of privileges, such as read, write, or execute permissions, for a given resource that can be shared among the users in the group.

When creating a new user, the default behavior of the useradd command is to create a group with the same name as the username and the same GID as the UID.

The -g (--gid) option allows you to create a user with a specific initial login group. You can specify either the group name or the GID number. The group name or GID must already exist.

The following example shows how to create a new user named leah and set the login group to users:

Terminal
sudo useradd -g users leah

To verify the user’s GID, use the id command:

Terminal
id -gn leah

output

users

Creating a User and Assigning Multiple Groups

There are two types of groups in Linux operating systems: Primary and Secondary (or supplementary) groups. Each user can belong to exactly one primary group and zero or more secondary groups.

You can use the -G (--groups) option to specify a list of additional (supplementary) groups for the user.

The following command creates a new user named zoe with primary group users and secondary groups wheel and docker.

Terminal
sudo useradd -g users -G wheel,docker zoe

You can check the user groups by typing:

Terminal
id zoe

output

uid=1002(zoe) gid=100(users) groups=100(users),10(wheel),993(docker)

When a new user is created, its login shell is set to the one specified in the /etc/default/useradd file. In some distributions, the default shell is set to /bin/sh, while in others, it is set to /bin/bash.

The -s (--shell) option allows you to specify the new user’s login shell.

Here is an example showing how to create a new user named zoe with /usr/bin/zsh as a login shell:

Terminal
sudo useradd -s /usr/bin/zsh zoe

Check the user entry in the /etc/passwd file to verify the user’s login shell:

Terminal
grep zoe /etc/passwd

output

zoe:x:1001:1001::/home/zoe:/usr/bin/zsh

Creating a User with a Custom Comment

The user’s full name or contact information can be added as a comment.

To add a short description for the new user, use the -c (--comment) option.

In the following example, we are creating a new user named zoe with the text string “Test User Account” as a comment:

Terminal
sudo useradd -c "Test User Account" zoe

The comment is saved in the /etc/passwd file:

Terminal
grep zoe /etc/passwd

output

zoe:x:1001:1001:Test User Account:/home/zoe:/bin/sh

The comment field is also known as GECOS.

Creating a User with an Expiry Date

To define a time at which the new user accounts will expire, use the -e (--expiredate) option. This is useful for creating temporary accounts.

The date must be specified using the YYYY-MM-DD format.

For example, to create a new user account named zoe with an expiry time set to January 22, 2027, you would run the following:

Terminal
sudo useradd -e 2027-01-22 zoe

Use the chage command to verify the user account expiry date:

Terminal
sudo chage -l zoe

The output will look something like this:

output

Last password change : Dec 11, 2023
Password expires : never
Password inactive : never
Account expires : Jan 22, 2027
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

Creating a System User

System users are typically created during OS and package installations, and there is no real technical difference between them and regular users.

Use the -r (--system) option to create a system user account. For example, to create a new system user named zoe you would type:

Terminal
sudo useradd -r zoe

System users are created with no expiry date. Their UIDs are chosen from the range of system user IDs specified in the login.defs file, which differs from the range used for regular users.

Configuring Default Values for User Accounts

The default useradd options can be viewed and changed using the -D, --defaults option or by manually editing the /etc/default/useradd file.

To view the current default options, type:

Terminal
useradd -D

The output will look something like this:

output

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no

Let us say you want to change the default login shell from /bin/sh to /bin/bash. To do that, specify the new shell as shown below:

Terminal
sudo useradd -D -s /bin/bash

You can verify that the default shell is changed by running the following command:

Terminal
sudo useradd -D | grep -i shell

output

SHELL=/bin/bash

Troubleshooting

“useradd: user ‘username’ already exists”
The username is already taken. Choose a different name, or use id username to inspect the existing account. To modify an existing user, use usermod instead.

“useradd: Permission denied”
Creating users requires root privileges. Prefix the command with sudo, or switch to the root user first.

Home directory was not created
By default, useradd does not create a home directory on all distributions. Always pass the -m flag to ensure the home directory is created: sudo useradd -m username.

User cannot log in after creation
A newly created user has no password set by default and will be locked. Run sudo passwd username to set a password before the user can log in.

“specified group does not exist”
When using -g or -G, the group must already exist. Create the group first with sudo groupadd groupname, then retry the useradd command.

FAQ

What is the difference between useradd and adduser?
useradd is a low-level binary available on all Linux distributions. adduser is a higher-level, interactive script available on Debian-based systems (Ubuntu, Debian) that calls useradd internally and automatically sets a password, creates the home directory, and prompts for user details.

How do I create a user with a home directory in Linux?
Use the -m flag: sudo useradd -m username. This creates the home directory at /home/username and copies default files from /etc/skel.

How do I create a user and add them to a group at the same time?
Use the -G flag to specify supplementary groups: sudo useradd -m -G sudo,docker username. The user will be a member of all listed groups in addition to their primary group.

How do I verify that a user was created successfully?
Run id username to check the user’s UID, GID, and group memberships. You can also check the entry in /etc/passwd with grep username /etc/passwd.

How do I delete a user in Linux?
Use the userdel command. To also remove the home directory, add the -r flag: sudo userdel -r username. See the userdel guide for details.

Conclusion

The useradd command covers everything from basic account creation to custom UIDs, group assignments, login shells, and expiry dates. On Debian-based systems, adduser provides a friendlier interactive alternative that handles the most common options automatically.

usermod Command in Linux: Modify User Accounts and Groups

hello@linuxize.com (Linuxize) — Tue, 01 Sep 2020 20:30:40 +0100

usermod is a command-line utility for modifying user account attributes. You can use it to add a user to a group, change the default shell, rename a user, set an expiry date, lock or unlock an account, and more.

Only root or users with sudo access can invoke usermod. To create new users, see useradd . To remove users, see userdel .

usermod Command Syntax

The syntax of the usermod command takes the following form:

txt
usermod [OPTIONS] USER

On success, the command does not display any output.

Add a User to a Group

The most common use of usermod is adding a user to a secondary group. Use the -a -G options followed by the group name and the username:

Terminal
usermod -a -G GROUP USER

To add the user to multiple groups at once, specify the groups after -G as a comma-separated list with no spaces.

For example, to add the user linuxize to the games group:

Terminal
sudo usermod -a -G games linuxize

Always use the -a (append) option when adding a user to a new group. If you omit -a, the user will be removed from every group not listed after -G.

To verify the change, run:

Terminal
id linuxize

If the user or group does not exist, the command will display a warning. For more on managing groups, see How to Add a User to a Group in Linux and How to Create Groups in Linux .

Change User Primary Group

To change a user’s primary group, use the -g option followed by the group name and the username:

Terminal
sudo usermod -g GROUP USER

In the following example, we are changing the primary group of the user linuxize to developers:

Terminal
sudo usermod -g developers linuxize

Each user can belong to exactly one primary group and zero or more secondary groups.

Changing the User Information

To change the GECOS field (the full name or description of the user), run the command with the -c option followed by the new comment and the username:

Terminal
usermod -c "GECOS Comment" USER

Here is an example showing how to add a description to the user linuxize:

Terminal
sudo usermod -c "Test User" linuxize

This information is stored in the /etc/passwd file.

Changing a User Home Directory

On most Linux systems, user home directories are named after the username and created under /home.

To change the home directory, use the -d option followed by the absolute path of the new directory and the username:

Terminal
usermod -d HOME_DIR USER

By default, the command does not move the contents of the old home directory to the new one. To move the contents, add the -m option. If the new directory does not already exist, it is created:

Terminal
usermod -d HOME_DIR -m USER

Here is an example showing how to change the home directory of the user www-data to /var/www:

Terminal
sudo usermod -d /var/www www-data

Changing a User Default Shell

The default shell is the shell that starts when you log in to the system. On most Linux systems, the default shell is Bash.

To change the default shell, use the -s option followed by the absolute path of the shell and the username:

Terminal
usermod -s SHELL USER

In the following example, we are changing the login shell to Zsh:

Terminal
sudo usermod -s /usr/bin/zsh linuxize

You can view the shells available on your system by reading the /etc/shells file.

Changing a User UID

The UID (user identifier) is a number assigned to each user that the operating system uses to identify that user internally.

To change the UID, use the -u option followed by the new UID and the username:

Terminal
usermod -u UID USER

The following example changes the UID of linuxize to 1050:

Terminal
sudo usermod -u 1050 linuxize

The UID of files owned by the user and located in the user’s home directory and mailbox will be updated automatically. The ownership of all other files must be changed manually.

Changing a User Name

To rename an existing user, use the -l option. The new username is specified first, followed by the current username:

Terminal
usermod -l NEW_USER USER

In the following example, we are renaming the user linuxize to leah:

Terminal
sudo usermod -l leah linuxize

When renaming a user, you may also want to rename the home directory to match. Use -d together with -m to move it:

Terminal
sudo usermod -l leah -d /home/leah -m linuxize

To verify the rename, see How to List Users in Linux .

Setting a User Expiry Date

The expiry date is the date on which the user account will be disabled. To set the expiry date, use the -e option followed by the date and the username:

Terminal
sudo usermod -e DATE USER

The date must use the format YYYY-MM-DD.

For example, to disable the user linuxize on 2026-12-31:

Terminal
sudo usermod -e "2026-12-31" linuxize

To remove the expiry date and keep the account active indefinitely, set an empty string:

Terminal
sudo usermod -e "" linuxize

Use the chage -l command to confirm the expiry date:

Terminal
sudo chage -l linuxize

output

Last password change : Jul 24, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

The expiration date is stored in the /etc/shadow file.

Locking and Unlocking a User Account

The -L option locks a user account by inserting an exclamation point (!) in front of the encrypted password in /etc/shadow. This prevents password-based logins, but other methods such as SSH key-based authentication or switching users with su remain active.

To lock only the password:

Terminal
sudo usermod -L linuxize

To lock the account completely and disable all login methods, combine -L with an expiry date of 1:

Terminal
sudo usermod -L -e 1 linuxize

To unlock a user account, use the -U option:

Terminal
sudo usermod -U USER

For password management options, see How to Change User Password in Linux .

Quick Reference

Command	Description
`usermod -a -G GROUP USER`	Add user to a secondary group
`usermod -g GROUP USER`	Change primary group
`usermod -c "TEXT" USER`	Set GECOS comment field
`usermod -d DIR USER`	Change home directory
`usermod -d DIR -m USER`	Change and move home directory contents
`usermod -s SHELL USER`	Change default shell
`usermod -u UID USER`	Change user UID
`usermod -l NEW_USER USER`	Rename user
`usermod -e YYYY-MM-DD USER`	Set account expiry date
`usermod -e "" USER`	Remove account expiry date
`usermod -L USER`	Lock account (disable password login)
`usermod -U USER`	Unlock account

Troubleshooting

User is removed from all groups after running usermod -G
You omitted the -a flag. Without -a, the -G option replaces the user’s group list entirely. Always use -a -G together when adding to a group: usermod -a -G GROUP USER.

Wrong argument order with -l
The new username must come before the old username: usermod -l NEW_NAME OLD_NAME. Reversing the order will rename the wrong account or produce an error.

usermod: user USER is currently used by process PID error
The user is logged in or a process is running under that account. Log the user out and stop any associated processes before modifying the account.

UID conflict error when using -u
The UID you specified is already assigned to another user. Choose a UID that is not in use, or check existing UIDs with getent passwd | cut -d: -f3 | sort -n.

FAQ

What is the difference between -g and -G?
-g changes the user’s primary group — the group assigned to new files by default. -G sets the list of supplementary groups. Always pair -G with -a to add to the list without replacing it.

What happens if I omit -a when using -G?
The user is removed from all groups not listed in the -G argument. This can silently revoke access to services and shared directories. Always use -a -G to append.

How do I verify changes made by usermod?
Use id USERNAME to check UID, primary group, and supplementary groups. Use grep USERNAME /etc/passwd to check the shell and home directory. Use sudo chage -l USERNAME to review expiry settings. See How to List Users in Linux and How to List Groups in Linux for more options.

Can I change multiple settings in one command?
Yes. You can combine multiple options in a single usermod call. For example, to rename a user and move the home directory at the same time: usermod -l leah -d /home/leah -m linuxize.

What is the difference between locking with -L and setting an expiry date?
-L only disables password authentication. The account can still be accessed via SSH keys or su. Setting the expiry date to 1 with -e 1 disables all login methods regardless of authentication type.

Conclusion

The usermod command covers nearly all common user account modifications — group membership, shell, home directory, UID, username, expiry, and account locking. Use id and chage -l after each change to verify the result.

If you have any questions, feel free to leave a comment below.

How to Remove a User in Linux

hello@linuxize.com (Linuxize) — Wed, 20 Mar 2019 10:30:40 +0100

When an account is no longer needed, you can remove it from Linux with the userdel command:

Terminal
sudo userdel username

This removes the user account but keeps the home directory and files. To remove the account and the home directory at the same time, use userdel -r:

Terminal
sudo userdel -r username

Linux is a multi-user system, which means that more than one person can interact with the same system at the same time. As a system administrator, you manage users and groups by creating new users , assigning them to groups , and removing accounts when someone leaves the organization or when an account is no longer needed.

The userdel command removes a user account from a Linux system. It deletes the user’s entries from the /etc/passwd and /etc/shadow files.

Only root or users with sudo privileges can delete user accounts.

Quick Reference

Task	Command
Remove a user and keep home directory	`sudo userdel username`
Remove a user and home directory	`sudo userdel -r username`
Force remove a logged-in user	`sudo userdel -f username`
Kill all user processes	`sudo killall -u username`
Remove user’s cron jobs	`sudo crontab -r -u username`
Lock a user instead of deleting	`sudo usermod -L username`
Find files with no valid owner	`sudo find / -nouser`
Find files by UID	`sudo find / -uid 1001`
Verify user was removed	`id username`
Remove user with deluser on Debian/Ubuntu	`sudo deluser --remove-home username`

userdel Command Syntax

txt
userdel [OPTIONS] USERNAME

When invoked without options, userdel removes the user account but leaves the home directory and mail spool intact. The command also reads /etc/login.defs; if USERGROUPS_ENAB is set to yes, it deletes the user’s primary group only if no other users belong to it.

Before You Remove a User

Warning

Before you delete a user, back up any important data and make sure the account is not actively used.

Before removing a user, decide what should happen to the account’s files and scheduled tasks. A safe cleanup usually means checking these items first:

Back up files from the user’s home directory if they may be needed later.
Check whether the user is logged in or has running processes.
Remove the user’s cron jobs if the scheduled tasks should not continue.
Lock the account instead of deleting it if access only needs to be disabled temporarily.

These checks help you avoid deleting data that still belongs to an active workflow.

Remove a User in Linux

To remove a user account and keep the home directory:

Terminal
sudo userdel username

This removes the user from /etc/passwd and /etc/shadow but keeps the home directory and all user files.

Remove a User and Home Directory

To remove the user account along with the home directory and mail spool, use the -r (--remove) option:

Terminal
sudo userdel -r username

Warning

The -r option permanently deletes the user’s home directory and its contents. Back up any important data before running this command.

Files owned by the user in other locations are not removed. See Finding Orphaned Files below.

Remove a Logged-In User

If the user is still logged in or has running processes , userdel will refuse to remove the account.

First, list the user’s running processes:

Terminal
ps -u username

If you are sure those processes should be stopped, kill all processes belonging to the user:

Terminal
sudo killall -u username

Then delete the user:

Terminal
sudo userdel -r username

Alternatively, use the -f (--force) option to force the removal even if the user is logged in or has running processes:

Terminal
sudo userdel -f username

Use -f carefully. It can leave running processes or files in a confusing state if you remove an account while it is still active.

Removing a User’s Cron Jobs

Deleting a user does not automatically remove their scheduled cron jobs. To remove them:

Terminal
sudo crontab -r -u username

Run this before deleting the user account.

Locking a User Instead of Deleting

If you only need to disable access temporarily, lock the account instead of deleting it:

Terminal
sudo usermod -L username

To unlock it later:

Terminal
sudo usermod -U username

Finding Orphaned Files

After deleting a user, files they owned outside the home directory remain on the system. These files are now owned by the user’s old numeric UID.

To find all files with no valid owner:

Terminal
sudo find / -nouser

To find files owned by a specific UID, for example 1001:

Terminal
sudo find / -uid 1001

You can then decide to delete , reassign, or archive these files.

Verifying the User Was Deleted

To confirm the user account no longer exists:

Terminal
id username

output

id: 'username': no such user

You can also check:

Terminal
getent passwd username

No output means the user does not exist.

deluser on Debian and Ubuntu

On Debian-based distributions (Debian, Ubuntu, Linux Mint), the deluser command is a higher-level wrapper around userdel. It reads its configuration from /etc/deluser.conf and handles additional cleanup.

To delete a user and their home directory with deluser:

Terminal
sudo deluser --remove-home username

To remove the user from a specific group without deleting the account:

Terminal
sudo deluser username groupname

Troubleshooting

userdel: user username is currently used by process
The user still has running processes. Check them with:

Terminal
ps -u username

Stop the processes normally if possible. If they must be stopped immediately, use:

Terminal
sudo killall -u username

Then run userdel again.

userdel: user username is currently logged in
The user has an active login session. Ask the user to log out, terminate the session, or use userdel -f only when you understand the risk:

Terminal
sudo userdel -f username

userdel: user username does not exist
The account name is wrong or the user was already removed. Check the account database:

Terminal
getent passwd username

If the command prints no output, the user does not exist.

The home directory was not removed
userdel username removes only the account. Use -r when you want to remove the home directory and mail spool:

Terminal
sudo userdel -r username

If the account was already removed, you can manually review and delete the old home directory after confirming it is no longer needed.

Files are still owned by the deleted user
Files outside the home directory are not removed by userdel -r. Find files without a valid owner:

Terminal
sudo find / -nouser

Review the results and decide whether to delete, archive, or reassign those files.

FAQ

Does userdel delete the home directory?
Not by default. Use userdel -r to remove the home directory and mail spool along with the account.

What happens to files owned by a deleted user?
Files outside the home directory remain on the system, owned by the user’s old numeric UID. Use find / -nouser to locate them.

What is the difference between userdel and deluser?
userdel is the low-level command available on all Linux distributions. deluser is a higher-level wrapper available on Debian-based systems that reads configuration from /etc/deluser.conf and provides additional options.

Can I delete a user that is currently logged in?
Not without the -f flag. Either log the user out and kill their processes first, or use userdel -f to force the removal.

Does deleting a user remove their cron jobs?
No. Run sudo crontab -r -u username before deleting the user to remove their scheduled cron jobs.

How do I undo a user deletion?
You cannot undo userdel. If you deleted the home directory with -r, the data is gone unless you have a backup. You would need to recreate the user and restore their files.

Conclusion

The userdel command removes user accounts from Linux. Use -r when you also want to remove the home directory, check active processes before deleting logged-in users, and run find / -nouser afterward to locate files left behind.

passwd Command in Linux: Change User Passwords

hello@linuxize.com (Linuxize) — Wed, 27 Jun 2018 06:31:47 +0100

In Linux, user passwords are changed with the passwd command. The encrypted passwords and aging information are stored in the /etc/shadow file.

As a regular user, you can only change your own password. The root user and users with sudo privileges can change another user’s password and control how the password can be used or changed.

When changing a password, make sure you use a strong and unique password. A strong password has at least 16 characters and contains at least one uppercase letter, one lowercase letter, one number, and one special character.

The instructions in this guide work on any Linux distribution, including Ubuntu, Debian, and CentOS.

`passwd` Command Syntax

The basic passwd syntax is:

txt
passwd [OPTIONS] [USERNAME]

Run passwd without a username to change your own password. Run it as root, or with sudo, followed by a username to change another user’s password.

Changing Your Own Password

To change your own password, run passwd without any arguments:

Terminal
passwd

You will be prompted to enter your current password. If correct, the command will ask you to enter and confirm the new password:

output

Changing password for linuxize.
Current password:
New password:
Retype new password:
passwd: password updated successfully

Info

Passwords are not displayed on the screen when you type them.

Changing Another User’s Password

To change the password of another user account, run the passwd command followed by the username. For example, to change the password of a user named sansa:

Terminal
sudo passwd sansa

You will be prompted to enter and confirm the new password:

output

New password:
Retype new password:
passwd: password updated successfully

Unlike changing your own password, you are not asked for the current password.

Changing the Root Password

To change the root password, run:

Terminal
sudo passwd root

Enter and confirm the new root password when prompted.

If you do not know the current root password and have sudo access, this is the way to reset it.

Info

On Ubuntu, the root account is locked by default. Setting a root password enables local root login, but SSH root login may still be disabled in sshd_config.

Removing a Password (Empty Password)

To remove a user’s password (set it to empty), use the -d option:

Terminal
sudo passwd -d sansa

An empty password allows passwordless login, so use this only in controlled environments.

To force a user to change their password the next time they log in, expire the password with the --expire option:

Terminal
sudo passwd --expire sansa

The next time the user tries to log in, they will see a message requiring them to set a new password:

output

WARNING: Your password has expired.
You must change your password now and login again!
Current password:
New password:
Retype new password:
passwd: password updated successfully
Connection to 192.168.1.10 closed.

You can also use chage to achieve the same result:

Terminal
sudo chage -d 0 sansa

Password Aging Policy with `chage`

The chage command controls password aging. It allows you to set expiration dates, minimum and maximum password age, and warning periods.

To view the password aging information for a user:

Terminal
sudo chage -l sansa

output

Last password change : Feb 03, 2026
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

Common chage options:

Set the maximum number of days a password is valid (e.g., 90 days):
Terminal
```
sudo chage -M 90 sansa
```
Set the minimum number of days between password changes (e.g., 7 days):
Terminal
```
sudo chage -m 7 sansa
```
Set the number of warning days before the password expires (e.g., 14 days):
Terminal
```
sudo chage -W 14 sansa
```
Set an account expiration date:
Terminal
```
sudo chage -E 2026-12-31 sansa
```

Locking and Unlocking a User Account

To lock a user account so they cannot log in:

Terminal
sudo passwd -l sansa

output

passwd: password expiry information changed.

This prepends a ! to the encrypted password in /etc/shadow, making it invalid.

To unlock the account:

Terminal
sudo passwd -u sansa

To check whether an account is locked:

Terminal
sudo passwd -S sansa

The second field shows L for locked or P for a usable password.

Quick Reference

Task	Command
Change your own password	`passwd`
Change another user’s password	`sudo passwd username`
Change the root password	`sudo passwd root`
Force password change at next login	`sudo passwd --expire username`
View password aging info	`sudo chage -l username`
Set max password age (90 days)	`sudo chage -M 90 username`
Set min password age (7 days)	`sudo chage -m 7 username`
Set warning days (14 days)	`sudo chage -W 14 username`
Set account expiration date	`sudo chage -E YYYY-MM-DD username`
Lock a user account	`sudo passwd -l username`
Unlock a user account	`sudo passwd -u username`
Check account lock status	`sudo passwd -S username`

FAQ

How do I change the root password if I forgot it?
If you have sudo access, run sudo passwd root. If you do not have sudo access, boot into single-user mode or a recovery environment to reset it.

What are the password requirements in Linux?
By default, Linux uses PAM (Pluggable Authentication Modules) to enforce password quality. The default rules depend on the distribution and PAM configuration in /etc/pam.d/. You can install libpam-pwquality (or pam_pwquality on RHEL-based systems) to configure minimum length, character classes, and other requirements.

What is the difference between passwd --expire and chage -d 0?
Both commands force the user to change their password at the next login. passwd --expire is simpler; chage -d 0 sets the “last password change” date to epoch 0, which has the same effect.

Can I change a password non-interactively in a script?
Yes. Pipe the new password to chpasswd:

Terminal
echo "username:newpassword" | sudo chpasswd

What does locking an account with passwd -l do?
It prepends ! to the hashed password in /etc/shadow, making password authentication impossible. It does not disable SSH key-based login. To fully disable an account, use usermod -s /usr/sbin/nologin username as well.

Conclusion

The passwd command handles password changes for your own account and other users. Use chage to manage password aging policies like expiration and minimum age. To lock or unlock accounts, use passwd -l and passwd -u.

For more information, type man passwd or man chage in your terminal.

If you have any questions, feel free to leave a comment below.

How to List Groups in Linux

hello@linuxize.com (Linuxize) — Sat, 06 Jul 2019 08:30:40 +0100

In Linux, a group is a collection of users. The main purpose of groups is to define a set of privileges such as read, write, or execute permissions for a given resource that can be shared among the users within the group. Users can be added to an existing group to use the privileges it grants.

This guide explains how to list all groups a user is a member of, how to view group entries and membership details, and how to list all groups on the system.

Linux Groups

There are two types of groups that a user can belong to:

Primary or login group - the group assigned to files created by the user. Usually, the name of the primary group is the same as the name of the user. Each user must belong to exactly one primary group.
Secondary or supplementary group - used to grant certain privileges to a set of users. A user can be a member of zero or more secondary groups.

List all Groups a User is a Member of

There are multiple ways to find the groups a user belongs to.

The primary group is stored in the /etc/passwd file and the supplementary groups are listed in the /etc/group file. One way to find a user’s groups is to search those files directly using cat , less , or grep . A more direct option is to use a command designed to report user and group information.

Using the groups Command

The most straightforward command for this task is groups. When executed without an argument, it prints a list of all groups the currently logged-in user belongs to:

Terminal
groups

output

john adm cdrom sudo dip plugdev lpadmin sambashare

The first group listed is the primary group.

To list the groups a specific user belongs to, pass the username as an argument:

Terminal
groups linuxize

output

linuxize : linuxize sudo

As before, the first group listed after the colon is the primary group.

Using the id Command

The id command prints information about the specified user and their groups. If the username is omitted, it shows information for the current user.

For example, to get information about the user linuxize, run:

Terminal
id linuxize

The command shows the user ID (uid), the user’s primary group (gid), and the user’s secondary groups (groups):

output

uid=1001(linuxize) gid=1001(linuxize) groups=1001(linuxize),27(sudo)

To print group names instead of numbers, use the -n option. The -g option prints only the primary group and -G prints all groups.

The following command prints the names of all groups the current user belongs to:

Terminal
id -nG

output

john adm cdrom sudo dip plugdev lpadmin sambashare

List Members of a Group

To view a group entry and its listed members, use the getent group command followed by the group name.

For example, to view the entry and listed members of the developers group:

Terminal
getent group developers

If the group exists, the command prints the group entry:

output

developers:x:126:frank,mary

Each field is separated by a colon: the group name, a password placeholder (x), the group ID (GID), and a comma-separated list of users listed as members of that group. If the group does not exist, the command produces no output.

The last field does not always include users whose primary group is developers. Primary group membership is stored in the password database, where each user account has a primary GID. To include users whose primary group matches the group, compare the group GID with the fourth field from getent passwd:

Terminal
group=developers
gid=$(getent group "$group" | cut -d: -f3)
getent passwd | awk -F: -v gid="$gid" '$4 == gid { print $1 }'

This prints users whose primary group is developers. Use it together with getent group developers when you need to account for both primary and supplementary membership.

List All Groups

To view all groups on the system, open the /etc/group file. Each line represents one group:

Terminal
less /etc/group

Another option is to use the getent command, which queries databases configured in /etc/nsswitch.conf, including the group database. This approach is more reliable on systems that use LDAP or other directory services, because it returns groups from all configured sources, not just /etc/group.

To list all groups:

Terminal
getent group

To print only the group names, pipe the output to awk :

Terminal
getent group | awk -F: '{ print $1}'

You can also use cut to extract the same field:

Terminal
getent group | cut -d: -f1

Quick Reference

Task	Command
List groups for the current user	`groups`
List groups for a specific user	`groups username`
Show user and group IDs	`id username`
Print only group names for current user	`id -nG`
View a group entry and listed members	`getent group groupname`
List all groups on the system	`getent group`
List only group names	`getent group \| awk -F: '{print $1}'`

Troubleshooting

getent group groupname returns no output
The group may not exist, or it may not be available through your configured NSS sources. Verify the exact name and check /etc/nsswitch.conf to confirm the group database configuration.

Group changes are not visible after usermod -aG
Group membership updates apply to new sessions. Log out and back in, or start a new login shell, then run id username or groups username again.

groups username does not show expected directory-service groups
On systems using LDAP/AD/SSSD, make sure identity services are running and reachable. Use getent group and id username to confirm groups from all configured sources, not only local /etc/group.

FAQ

What is the difference between a primary and secondary group?
Every user belongs to exactly one primary group, which is assigned to files the user creates. Secondary groups grant additional privileges. A user can belong to zero or more secondary groups.

How do I check what group a file belongs to?
Run ls -l to view file details. The fourth column shows the group assigned to each file.

How do I add a user to a group?
Use usermod -aG groupname username. See our guide on adding a user to a group .

Where are group definitions stored?
Group definitions are stored in /etc/group. Each line contains the group name, a password placeholder, the GID, and a comma-separated member list, all separated by colons.

Conclusion

The groups and id commands are the quickest way to see which groups a user belongs to. Use getent group to view group entries, and check the primary GID from getent passwd when you need a complete membership picture.

How to Create Groups in Linux: groupadd Command

hello@linuxize.com (Linuxize) — Mon, 07 Oct 2019 21:30:40 +0100

In Linux, groups are used to organize and administer user accounts. The primary purpose of groups is to define a set of privileges such as reading, writing, or executing permission for a given resource that can be shared among the users within the group.

This guide explains how to create new groups in Linux using the groupadd command.

`groupadd` Command Syntax

The general syntax for the groupadd command is as follows:

txt
groupadd [OPTIONS] GROUPNAME

Only the root or a user with sudo privileges can create new groups.

When invoked, groupadd creates a new group using the options specified on the command line plus the default values specified in the /etc/login.defs file.

Creating a Group in Linux

To create a new group, type groupadd followed by the new group name.

For example, to create a new group named mygroup you would run:

Terminal
groupadd mygroup

The command adds an entry for the new group to the /etc/group and /etc/gshadow files.

Once the group is created, you can start adding users to the group .

If the group with the same name already exists, the system will print an error message like the following:

output

groupadd: group 'mygroup' already exists

To suppress the error message if the group exists and to make the command exit successfully, use the -f (--force) option:

Terminal
groupadd -f mygroup

Creating a Group with Specific GID

In Linux and Unix-like operating systems, groups are identified by their name and a unique GID (a positive integer).

By default, when a new group is created, the system assigns the next available GID from the range of group IDs specified in the login.defs file.

Use the -g (--gid) option to create a group with a specific GID.

For example, to create a group named mygroup with GID of 1010 you would type:

Terminal
groupadd -g 1010 mygroup

You can verify the group’s GID by listing all groups and filtering the result with grep :

Terminal
getent group | grep mygroup

output

mygroup:x:1010:

If a group with the given GID already exists, you will get the following error:

output

groupadd: GID '1010' already exists

When used with the -o (--non-unique) option, the groupadd command allows you to create a group with a non-unique GID:

Terminal
groupadd -o -g 1010 mygroup

Creating a System Group

There is no real technical difference between the system and regular (normal) groups. Usually, system groups are used for some special system operation purposes, like creating backups or doing system maintenance.

System group GIDs are chosen from the range of system group IDs specified in the login.defs file, which is different than the range used for regular groups.

Use the -r (--system) option to create a system group. For example, to create a new system group named mysystemgroup you would run:

Terminal
groupadd -r mysystemgroup

Overriding the Default `/etc/login.defs` Values

The -K (--key) option followed by KEY=VAL allows you to override the default values specified in the /etc/login.defs file.

Basically, all you can override are the maximum and minimum values of the normal and system group IDs for automatic GID selection when creating a new group.

To create a new group with a GID in the range between 1200 and 1500, specify the min/max values as shown below:

Terminal
groupadd -K GID_MIN=1200 -K GID_MAX=1500 mygroup

Setting a Group Password

Adding a password to a group has no practical use and may cause a security problem since more than one user will need to know the password.

The -p (--password) option accepts an encrypted password hash, not plain text:

Terminal
groupadd -p '$6$rounds=656000$hash...' mygroup

In most setups, you should avoid group passwords and manage access by adding users to groups with usermod -aG .

Quick Reference

Command	Description
`groupadd GROUPNAME`	Create a new group
`groupadd -g GID GROUPNAME`	Create a group with a specific GID
`groupadd -r GROUPNAME`	Create a system group
`groupadd -f GROUPNAME`	Suppress error if group already exists
`groupadd -o -g GID GROUPNAME`	Allow non-unique GID
`groupadd -K GID_MIN=N -K GID_MAX=N GROUPNAME`	Override GID range
`getent group GROUPNAME`	Verify group was created
`id USERNAME`	Show a user’s group memberships

Troubleshooting

“Permission denied” or “only root can do that”
You must run groupadd as root or with sudo. Prefix the command with sudo groupadd GROUPNAME.

“GID already exists”
The specified GID is already in use. Choose a different GID with -g, or use the -o flag to allow a non-unique GID.

“Group already exists”
A group with that name already exists in /etc/group. Use -f to suppress the error and exit successfully, or choose a different name.

Group created but user does not see it
Run id USERNAME to check group memberships. A user must log out and back in for new group memberships to take effect.

FAQ

How do I verify that a group was created successfully?
Run getent group GROUPNAME or check /etc/group directly with grep GROUPNAME /etc/group. The output shows the group name, password placeholder, GID, and members.

What is the difference between a system group and a regular group?
System groups use a separate GID range defined in /etc/login.defs and are typically used for services and system processes. Regular groups are used for user account organization. There is no functional difference in how permissions work.

How do I add a user to a group after creating it?
Use the usermod -aG GROUPNAME USERNAME command. The -a flag appends the group without removing existing memberships. See how to add a user to a group for more details.

How do I find what GID was assigned to a new group?
Run getent group GROUPNAME or grep GROUPNAME /etc/group. The third field in the output is the GID. You can also use the id command to verify a user’s group memberships.

How do I delete a group in Linux?
Use the groupdel GROUPNAME command. See how to delete a group in Linux for the full guide.

Conclusion

In Linux, you can create new groups using the groupadd command. The same instructions apply for any Linux distribution, including Ubuntu, Debian, Fedora, and RHEL-based systems.

If you have any questions, feel free to leave a comment below.

How to Add a User to a Group in Linux

hello@linuxize.com (Linuxize) — Fri, 24 Aug 2018 18:30:40 +0100

When you need to give a Linux user access to Docker, sudo, shared directories, or other protected resources, you usually add the user to a group. Groups let you manage permissions for several users at once instead of changing permissions for each account separately.

This guide explains how to add an existing user to a Linux group, add a user to multiple groups, change a user’s primary group, and verify that the change was applied.

There are two types of groups:

Primary group: assigned to a user when the account is created. Usually, the name of the primary group is the same as the username. When a user creates a file, the file’s group is set to the user’s primary group. The primary group is stored in the /etc/passwd file.
Secondary (supplementary) groups: used to grant additional permissions. For example, adding a user to the docker group allows them to run Docker commands without sudo.

Each user has exactly one primary group and can belong to zero or more secondary groups.

Only root or users with sudo privileges can modify group membership.

Quick Reference

Task	Command
View user’s groups	`id username`
List group names only	`groups username`
List all system groups	`getent group`
List members of a group	`getent group groupname`
Check whether a user exists	`getent passwd username`
Check whether a group exists	`getent group groupname`
Add user to a group	`sudo usermod -a -G groupname username`
Add user to multiple groups	`sudo usermod -a -G group1,group2 username`
Start a shell with the new group	`newgrp groupname`
Change primary group	`sudo usermod -g groupname username`
Create user with groups	`sudo useradd -g primary -G sec1,sec2 username`
Remove user from a group	`sudo gpasswd -d username groupname`
Create a group	`sudo groupadd groupname`
Delete a group	`sudo groupdel groupname`

Displaying User Groups

Before modifying groups, it is useful to check a user’s current group membership.

The id command displays the user’s UID, primary group, and all secondary groups:

Terminal
id linuxize

output

uid=1000(linuxize) gid=100(users) groups=100(users),10(wheel),95(storage),98(power),990(libvirt),993(docker),999(kvm)

The groups command prints only the group names:

Terminal
groups linuxize

output

wheel storage power users libvirt docker kvm

If you omit the username, both commands display information for the currently logged-in user.

Listing All Groups on the System

To list all groups on the system:

Terminal
getent group

To list all members of a specific group:

Terminal
getent group docker

output

docker:x:993:linuxize,deploy

Adding a User to a Group

Before changing group membership, make sure both the user and group already exist. The usermod command does not create missing users or groups for you.

Check the user with getent passwd:

Terminal
getent passwd linuxize

Check the group with getent group:

Terminal
getent group docker

If both commands return entries, you can add the user to the group.

To add an existing user to a secondary group, use the usermod -a -G command followed by the group name and the username:

Terminal
sudo usermod -a -G groupname username

For example, to add the user linuxize to the docker group:

Terminal
sudo usermod -a -G docker linuxize

Warning

Always use the -a (append) option when adding a user to a group. If you omit -a, the user will be removed from all secondary groups not listed after the -G option.

On success, the command produces no output. Verify the new membership with id:

Terminal
id linuxize

output

uid=1000(linuxize) gid=1000(linuxize) groups=1000(linuxize),993(docker)

Group changes apply after the user logs out and logs back in. To apply the change in the current session, run:

Terminal
newgrp docker

The newgrp command starts a shell with the selected group as the active group. For normal login sessions, logging out and signing back in is the cleaner option.

Adding a User to Multiple Groups

To add a user to multiple secondary groups at once, separate the group names with commas (no spaces):

Terminal
sudo usermod -a -G group1,group2,group3 username

For example, to add linuxize to the docker and developers groups:

Terminal
sudo usermod -a -G docker,developers linuxize

Do not put spaces after the commas. usermod expects one comma-separated list.

Changing a User’s Primary Group

To change a user’s primary group, use usermod with the lowercase -g option:

Terminal
sudo usermod -g groupname username

For example, to change the primary group of the user linuxize to developers:

Terminal
sudo usermod -g developers linuxize

Note the difference: -G (uppercase) sets secondary groups, -g (lowercase) sets the primary group.

Creating a User with Groups

The useradd command can assign both primary and secondary groups when creating a new user:

Terminal
sudo useradd -g users -G wheel,developers nathan

This creates a user nathan with users as the primary group and wheel and developers as secondary groups.

Removing a User from a Group

To remove a user from a group, use the gpasswd command with the -d option:

Terminal
sudo gpasswd -d username groupname

For example, to remove linuxize from the docker group:

Terminal
sudo gpasswd -d linuxize docker

Creating and Deleting Groups

To create a new group :

Terminal
sudo groupadd groupname

To delete a group :

Terminal
sudo groupdel groupname

You cannot delete a group that is a user’s primary group. Change the user’s primary group first.

Troubleshooting

Group changes do not apply in the current shell
Linux reads a user’s groups when the session starts. If id username shows the new group but the user still cannot access the resource, log out and log back in. For a temporary shell with the new group, run newgrp groupname.

usermod: user 'username' does not exist
The username is missing or spelled differently. Check the account with getent passwd username. If you need to create the user first, use useradd or your distribution’s user management tool.

usermod: group 'groupname' does not exist
The group must exist before you can add a user to it. Check it with getent group groupname. If it is missing, create it with sudo groupadd groupname, then run usermod -a -G groupname username again.

The user lost access to other groups after running usermod -G
This happens when -G is used without -a. The command replaces the user’s secondary groups with the groups listed after -G. Add the missing groups back with sudo usermod -a -G group1,group2 username, then verify with id username.

FAQ

What happens if I forget the -a flag with usermod -G?
The user will be removed from all secondary groups except those listed in the command. This is the most common mistake when managing groups. Always use -a -G together.

Do group changes take effect immediately?
No. The user must log out and log back in for the new group membership to take effect. You can verify by running id username; the change shows up there immediately, but the user’s active session still uses the old groups.

What is the difference between -g and -G in usermod?
Lowercase -g sets the user’s primary group. Uppercase -G sets secondary (supplementary) groups. When used with -a, -G appends to the existing list instead of replacing it.

How do I find out which groups exist on the system?
Run getent group to list all groups, or getent group groupname to check whether a specific group exists and see its members.

Can a user belong to multiple primary groups?
No. Each user has exactly one primary group. To grant access to multiple resources, use secondary groups.

Conclusion

The usermod -a -G command adds existing users to secondary groups in Linux. Use id, groups, and getent to verify the change, and always include -a when working with -G so existing group memberships stay intact.

groupdel Command in Linux: Delete a Group

hello@linuxize.com (Linuxize) — Tue, 05 May 2020 21:30:40 +0100

In Linux, groups are used to organize and administer user accounts. The primary purpose of groups is to define a set of privileges such as reading, writing, or executing permissions for a given resource that can be shared among the users within the group.

A new group can be created using the groupadd command. If a group is no longer needed, it can be removed from the system using the groupdel command.

This article explains how to remove a group in Linux using the groupdel command.

`groupdel` Command Syntax

The general syntax for the groupdel command is as follows:

txt
groupdel GROUPNAME

GROUPNAME is the name of the group you want to remove. Only root or a user with sudo privileges can remove groups.

Before Deleting a Group

Before removing a group, it is worth checking a few things.

Check whether any users have the group as their primary group. It is not possible to remove a group that is the primary group of an existing user. To find which users have a specific group as their primary group, first get the group’s GID:

Terminal
getent group mygroup

output

mygroup:x:1005:

Then search for users with that GID in /etc/passwd:

Terminal
awk -F: '$4 == 1005 {print $1}' /etc/passwd

If any users are returned, you must either change their primary group with usermod or remove those users before you can delete the group.

Check and remove group members. To see the current members of a group:

Terminal
getent group mygroup

To remove a user from the group before deleting it:

Terminal
sudo gpasswd -d username mygroup

Deleting a Group in Linux

To delete a group, run groupdel followed by the group name:

Terminal
sudo groupdel mygroup

The command removes the group entry from the /etc/group and /etc/gshadow files. On success, no output is printed.

To verify that the group has been removed, use getent :

Terminal
getent group mygroup

If the group was successfully deleted, the command returns no output.

What Happens to Files Owned by the Deleted Group

Deleting a group does not delete or modify any files owned by that group. Files previously owned by the group retain their numeric GID. When you list such files, the GID appears as a number instead of a group name:

Terminal
ls -la /path/to/file

output

-rw-r--r-- 1 linuxize 1005 1024 Mar 01 10:00 file.txt

If the GID is later assigned to a new group, those files will appear to be owned by the new group, which can be a security concern. To find all files still owned by the old GID after deletion:

Terminal
sudo find / -gid 1005

On large systems, scanning from / can take time. If you already know where the files are, limit the search scope (for example, /home or /srv) to speed up the audit.

Review the results and reassign ownership as needed using chown:

Terminal
sudo chown :newgroup /path/to/file

Troubleshooting

groupdel: cannot remove the primary group of user 'username' The group is set as the primary group of an existing user. Change the user’s primary group first with sudo usermod -g newgroup username, then retry the deletion.

groupdel: group 'mygroup' does not exist The group name is misspelled or the group has already been removed. Run getent group mygroup to confirm whether it exists.

Files still show a numeric GID after group deletion The files retain the old GID. The group name no longer exists in /etc/group so the system displays the raw number. Use sudo find / -gid GID to locate affected files and chown :newgroup file to reassign ownership.

Quick Reference

Command	Description
`sudo groupdel GROUP`	Delete a group
`getent group GROUP`	Check if a group exists and view its GID and members
`awk -F: '$4 == GID' /etc/passwd`	Find users with a specific primary GID
`sudo gpasswd -d USER GROUP`	Remove a user from a group before deletion
`sudo find / -gid GID`	Find files still owned by a deleted group’s GID

FAQ

What happens to files owned by a deleted group? The files are not deleted or changed. They retain the numeric GID of the deleted group. If that GID is later reassigned to a new group, the files will appear owned by the new group. Always audit and reassign file ownership after deleting a group.

How do I check which users belong to a group before deleting it? Run getent group groupname. The last field lists the supplementary members. To find users who have the group as their primary group, match the GID against /etc/passwd using awk -F: '$4 == GID {print $1}' /etc/passwd. See How to List Users in Linux for more options.

Can I delete a group that still has members? Yes, as long as the group is not the primary group of any existing user. Supplementary group members are not blocked from deletion. However, it is good practice to remove members first with gpasswd -d to avoid stale group references. See How to Add a User to a Group for managing group membership.

Conclusion

Use groupdel to remove a group from the system. Before deleting, verify that no user has the group as a primary group, and check for files still owned by the group’s GID after deletion.

If you have any questions, feel free to leave a comment below.

su Command in Linux: Switch User

hello@linuxize.com (Linuxize) — Tue, 17 Sep 2019 20:31:47 +0100

When you are logged in as a regular user and a task needs root or a different account, you have two practical options on Linux: switch into that user with su, or run a single command with elevated privileges through sudo. The su utility (short for substitute or switch user) is the older of the two and the one many sysadmins still reach for when they want a full shell as another user.

Using su is the simplest way to switch to the administrative account in the current login session. It is especially handy when the root user is not allowed to log in to the system through SSH or using the GUI display manager. If you only want to run a single command with elevated privileges, see the sudo command guide instead.

This guide explains how to use the su command with practical examples and how it compares to sudo.

Syntax

The general syntax for the su command is as follows:

txt
su [OPTIONS] [USER [ARGUMENT...]]

When invoked without any option, the default behavior of su is to run an interactive shell as root:

Terminal
su

You will be prompted to enter the root password, and if authenticated, the user running the command temporarily becomes root.

Info

Unlike sudo, which asks for your own password, su requires the password of the target user you are switching to.

To confirm that the user is changed, use the whoami command:

Terminal
whoami

output

root

To switch to another user account, pass the user name as an argument to su. For example, to switch to the user tyrion you would type:

Terminal
su tyrion

To start a login shell as another user:

Terminal
su - tyrion

When you run su without the - option, the SHELL and HOME environment variables are set from the target user’s /etc/passwd entry, but the current directory and the rest of the environment are not changed. This means the PATH variable still contains the original user’s directories.

The most commonly used option when invoking su is - (-l, --login). This starts a login shell with an environment identical to a real login, including changing the current directory to the target user’s home:

Terminal
su -

In most cases, you want to use su - rather than plain su to get a clean environment.

Options

The su command accepts the following options:

Run a Specific Shell

To run a shell other than the one defined in the passwd file, use the -s, --shell option. For example, to switch to root and run the zsh shell:

Terminal
su -s /usr/bin/zsh

Preserve the Environment

To preserve the entire environment (HOME, SHELL, USER, and LOGNAME) of the calling user, use the -p, --preserve-environment option:

Terminal
su -p

When the - option is used, -p is ignored.

Run a Single Command

To run a command as the target user without starting an interactive shell, use the -c, --command option. For example, to invoke the ps command as root:

Terminal
su -c 'ps aux'

To run a command as a specific user:

Terminal
su -c 'whoami' tyrion

The command string should be quoted if it contains spaces or special characters.

sudo vs su

On some Linux distributions like Ubuntu, the root user account is disabled by default for security reasons. This means that no password is set for root, and you cannot use su to switch to root.

One option to change to root would be to prepend the su command with sudo and enter the currently logged-in user password:

Terminal
sudo su -

The sudo command allows you to run programs as another user, by default the root user.

If the user is granted sudo access, the su command is invoked as root. Running sudo su - and then typing the user password has the same effect as running su - and typing the root password.

When used with the -i option, sudo runs an interactive login shell with the root user’s environment:

Terminal
sudo -i

sudo -i is similar to running su -, but it authenticates through sudo.

The key differences between sudo and su:

Password: su requires the target user’s password. sudo requires your own password.
Access control: sudo allows fine-grained control over which commands a user can run (configured in /etc/sudoers). su gives full access to the target user’s account.
Auditing: sudo logs commands invoked through sudo. su only logs that a user switched accounts, and commands run inside the new shell are not logged individually by su.
Root password: sudo removes the need to share the root password among multiple administrators.

Troubleshooting

su: Authentication failure
You typed the wrong password for the target user, or the target account has no password set. On Ubuntu and other distributions where the root account is locked by default, plain su will always fail because no root password exists. Use sudo su - or sudo -i instead, or set a root password with sudo passwd root if you really need direct su access.

su: User <name> does not exist or the user entry does not contain all the required fields
The user account you are switching to is not in /etc/passwd. Double-check the spelling and confirm the account exists with id <name> or getent passwd <name>.

su -c runs the wrong command or splits arguments unexpectedly
The command string is being parsed by your current shell before su sees it. Wrap the whole command in single quotes, for example su -c 'systemctl restart nginx', so the target user’s shell receives it as a single argument.

Cannot exit back to the original user
The exit command (or pressing Ctrl+D) leaves the current shell. If su was nested several times, you may need to run exit more than once before you are back in your original session.

Quick Reference

Task	Command
Switch to root	`su`
Switch to root (login shell)	`su -`
Switch to another user	`su username`
Run a command as root	`su -c 'command'`
Use a specific shell	`su -s /bin/zsh`
Preserve environment	`su -p`
Switch to root via sudo	`sudo su -`
Sudo login shell	`sudo -i`

FAQ

What is the difference between su and su -?
su switches to the target user but keeps most of the current environment, including PATH and the working directory. su - starts a full login shell with the target user’s complete environment.

What is the difference between su and sudo?
su switches your entire session to another user and requires that user’s password. sudo runs a single command (or opens a shell) with elevated privileges using your own password.

Why does su ask for a password even though I am root?
If you are already root, su does not ask for a password. If it still prompts, you are most likely in a nested shell that only looks like a root shell, for example after a previous sudo -i left an unusual prompt. Run whoami to confirm who you actually are before troubleshooting further.

How do I exit an su session?
Type exit or press Ctrl+D to leave the current shell and return to the previous user. If you ran su more than once in a row, repeat the step until you are back in your original session.

How do I restrict which users can use su?
On most distributions, you can restrict su access to members of the wheel group by configuring PAM. Edit /etc/pam.d/su and uncomment the line containing pam_wheel.so.

Conclusion

The su command lets you switch to another user account and run commands with that user’s privileges, which is the right tool when you need a full interactive shell as another user. For everyday administrative work, sudo is usually the better choice thanks to its access control and auditing, so consider pairing this guide with the sudo command in Linux post.

Sudo Command in Linux: Run Commands as Root

hello@linuxize.com (Linuxize) — Sat, 15 Jun 2019 20:31:47 +0100

The sudo command allows you to run programs as another user, by default the root user. You will use it whenever a task requires administrative privileges, such as managing packages, services, users, or system configuration files.

Using sudo instead of logging in as root is more secure because you can grant limited administrative privileges to individual users without them knowing the root password.

This guide explains how to use the sudo command on Linux, covering common options, sudoers configuration, and real-world examples.

Installing Sudo

The sudo package is pre-installed on most Linux distributions.

To check whether sudo is installed on your system, run:

Terminal
sudo --version

If sudo is not installed, you will see a sudo: command not found error. To install it, run the following commands as the root user. On systems with an enabled root account, switch to root first with su -; otherwise use another admin account or a root recovery shell.

Install Sudo on Ubuntu, Debian, and Derivatives

Terminal
apt install sudo

Install Sudo on Fedora, RHEL, and Derivatives

Terminal
dnf install sudo

Adding a User to Sudoers

By default, on most Linux distributions, granting sudo access is as simple as adding the user to the sudo group defined in the sudoers file . Members of this group can run any command as root. The name of the group differs between distributions.

On Fedora, RHEL, and their derivatives, the sudo group is named wheel. To add the user to the group , run:

Terminal
usermod -aG wheel username

On Ubuntu, Debian, and their derivatives, members of the sudo group are granted sudo access:

Terminal
usermod -aG sudo username

The root user account in Ubuntu is disabled by default for security reasons, and users are encouraged to perform system administration tasks using sudo. The initial user created by the Ubuntu installer is already a member of the sudo group.

To allow a specific user to run only certain programs as sudo, add the user directly to the sudoers file instead of the group. Open the file with visudo:

Terminal
sudo visudo

Then append the following line to allow the user linuxize to run only the mkdir command:

ini
linuxize ALL=(root) /usr/bin/mkdir

On most systems, visudo opens the /etc/sudoers file with the vim editor. If you do not have experience with vim, see our article on how to save a file and quit the vim editor .

You can also allow users to run sudo commands without entering a password :

ini
linuxize ALL=(ALL) NOPASSWD: ALL

How to Use sudo

The general syntax for the sudo command is:

Terminal
sudo [OPTION]... COMMAND

The sudo command has many options that control its behavior, but it is most commonly used in its basic form without any options.

To run a command as root, prefix it with sudo:

Terminal
sudo command

Where command is the command you want to run with elevated privileges.

The first time you use sudo in a session, you will be prompted to enter your user password. Once authenticated, sudo reads /etc/sudoers to verify the user has permission, then executes the command as root.

For example, to list the contents of the /root directory:

Terminal
sudo ls /root

output

[sudo] password for linuxize:
. .. .bashrc .cache .config .local .profile

Open a Root Shell

Instead of prefixing every command with sudo, you can open an interactive root shell for an extended session.

The -i option starts a login shell as root, loading root’s environment, home directory, and shell configuration:

Terminal
sudo -i

The -s option starts an interactive shell as root without running a login shell, keeping more of your current environment:

Terminal
sudo -s

Use exit or press Ctrl+D to return to your normal user session.

List sudo Privileges

To see what commands the current user is allowed to run with sudo, use the -l option:

Terminal
sudo -l

output

Matching Defaults entries for linuxize on server:
env_reset, mail_badpass, secure_path=...
User linuxize may run the following commands on server:
(ALL : ALL) ALL

To list privileges for a specific user, pass the -U flag followed by the username:

Terminal
sudo -l -U username

Password Timeout

By default, sudo caches your credentials for a period defined in the sudoers file, typically 5 minutes on RHEL-based systems and 15 minutes on Ubuntu and Debian. After that period of inactivity, sudo will prompt for your password again.

To change the default timeout, open the sudoers file with visudo:

Terminal
sudo visudo

Add the following line, replacing 10 with the desired timeout in minutes:

ini
Defaults timestamp_timeout=10

To set the timeout only for a specific user, use:

ini
Defaults:user_name timestamp_timeout=10

Invalidate the sudo Timestamp

To manually clear the cached credentials and force sudo to prompt for a password on the next use, run:

Terminal
sudo -k

This is useful when you finish a privileged session and want to require re-authentication immediately.

Run a Command as Another User

There is a common misconception that sudo is used only to provide root privileges. You can use sudo to run a command as any user by passing the -u option.

In the following example, we are using sudo to run the whoami command as the user richard:

Terminal
sudo -u richard whoami

The command prints the name of the user running it:

output

richard

How to Redirect with sudo

If you try to redirect output to a file that your current user does not have write permission for, you will get a “Permission denied” error:

Terminal
sudo echo "test" > /root/file.txt

output

bash: /root/file.txt: Permission denied

This happens because the shell processes the > redirection before invoking sudo, so the redirect runs as your regular user, not root.

One solution is to start a subshell as root using sudo sh -c:

Terminal
sudo sh -c 'echo "test" > /root/file.txt'

Another option is to pipe the output to the tee command with sudo:

Terminal
echo "test" | sudo tee /root/file.txt

Quick Reference

Option	Description
`sudo command`	Run a command as root
`sudo -u user command`	Run a command as a specific user
`sudo -i`	Open a root login shell
`sudo -s`	Open a root shell (non-login)
`sudo -l`	List sudo privileges for the current user
`sudo -l -U user`	List sudo privileges for another user
`sudo -k`	Invalidate cached sudo credentials
`sudo -e file`	Edit a file as root using your default editor
`sudo visudo`	Edit the sudoers file safely

Troubleshooting

username is not in the sudoers file
The user has not been added to the sudoers group. Log in as root and run usermod -aG sudo username (Ubuntu/Debian) or usermod -aG wheel username (RHEL/Fedora), then log out and back in for the group change to take effect.

sudo: unable to resolve host hostname
The system hostname does not match an entry in /etc/hosts. Add an entry for your hostname in /etc/hosts (for example, 127.0.1.1 hostname on Ubuntu and Debian), then try again.

sudo: command not found after using sudo -i or sudo -s
The root shell may use a restricted PATH that does not include your command’s directory. Use the full path to the command (for example, /usr/local/bin/command), or run sudo env PATH="$PATH" command to preserve your current path.

FAQ

What is the difference between sudo and su?
sudo runs a single command as another user (usually root) and requires your own password. su switches to another user account entirely and requires that user’s password. sudo is preferred for one-off privileged commands; su is used to fully switch user sessions.

How do I re-run the last command with sudo?
Use sudo !!, the !! expands to the last command in your shell history, and sudo runs it with elevated privileges.

How do I run sudo without entering a password?
Add a NOPASSWD rule in the sudoers file: linuxize ALL=(ALL) NOPASSWD: ALL. See our guide on running sudo without a password .

How long does sudo remember my password?
This depends on your distribution. Ubuntu and Debian default to 15 minutes; RHEL and Fedora default to 5 minutes. You can change this with Defaults timestamp_timeout=N in the sudoers file.

Conclusion

The sudo command is an essential tool for Linux system administration. It lets you run commands with elevated privileges while keeping your system secure by avoiding direct root logins. Use sudo -l to inspect your privileges, sudo -i to open a root shell, and sudo -k to clear the credential cache when you are done.

How to Run Sudo Command Without Password

hello@linuxize.com (Linuxize) — Fri, 28 Jun 2019 20:31:47 +0100

If you spend a lot of time on the command line, sudo is one of the commands you will use often. By default, sudo prompts for your password and then caches your credentials for a short period. This is the safest behavior, but in some situations, like running automated scripts or CI pipelines, you may need to skip the prompt.

This guide explains how to configure the sudoers file so that specific users or groups can run sudo commands without being asked for a password.

Warning

Granting passwordless sudo, especially with NOPASSWD:ALL, removes a key security layer. Anyone who gains access to that user account can run any command as root without a challenge. Limit passwordless rules to the specific commands you actually need whenever possible.

Adding User to the Sudoers File

The sudoers file contains information that determines a user’s and group’s sudo privileges.

You can configure the user sudo access by modifying the sudoers file or by adding a configuration file to the /etc/sudoers.d directory. The files created inside this directory are included in the sudoers file automatically.

Before making any changes, it is a good idea to back up the current file:

Terminal
sudo cp /etc/sudoers{,.backup_$(date +%Y%m%d)}

Info

The date command will append the current date to the backup file name.

Open the /etc/sudoers file with the visudo command:

Terminal
sudo visudo

Always use visudo when editing the sudoers file. This command checks the syntax after editing, and if there is an error it will not save the changes. Opening the file with a regular text editor risks a syntax error that could lock you out of sudo entirely.

On most systems, visudo opens the file in the vim text editor. If you do not have experience with vim, you can try another editor. For example, this often opens GNU nano :

Terminal
sudo EDITOR=nano visudo

Scroll down to the end of the file and add the following line. This allows the user linuxize to run any command with sudo without a password prompt:

/etc/sudoersini
linuxize ALL=(ALL) NOPASSWD:ALL

Info

Do not forget to change linuxize with the username you want to grant access to.

If you want to allow the user to run only specific commands without a password, list them after the NOPASSWD keyword.

For example, to allow only the mkdir and mv commands:

/etc/sudoersini
linuxize ALL=(ALL) NOPASSWD:/usr/bin/mkdir,/usr/bin/mv

You can find the full path of a command with which, for example which mkdir.

To apply the same rule to an entire group, prefix the group name with %. The following line grants passwordless sudo to every member of the deploy group:

/etc/sudoersini
%deploy ALL=(ALL) NOPASSWD:ALL

Once done, save the file and exit the editor .

Using `/etc/sudoers.d`

Instead of editing the sudoers file directly, you can create a new file with the authorization rules in the /etc/sudoers.d directory. This approach makes managing sudo privileges easier, especially when you have many users or automated provisioning tools.

Create the file with visudo so that syntax checking still applies:

Terminal
sudo visudo -f /etc/sudoers.d/linuxize

You can name the file as you want, but it is a good practice to use the user name or group name as the filename.

Add the same rule as you would add to the sudoers file:

ini
linuxize ALL=(ALL) NOPASSWD:ALL

Save the file and close the editor. Make sure the file is owned by root and has the correct permissions; sudo may ignore files that are writable by others:

Terminal
sudo chown root:root /etc/sudoers.d/linuxize
sudo chmod 0440 /etc/sudoers.d/linuxize

Verify the Configuration

After adding the rule, verify that it is active by running sudo -l as the target user:

Terminal
sudo -l

Look for a line containing NOPASSWD in the output. If it appears, the configuration is working. You can also test by running a command with sudo; it should no longer ask for a password.

Troubleshooting

Sudo still asks for a password
Check the file permissions in /etc/sudoers.d/. Files must be owned by root and must not be world-writable. Run sudo chmod 0440 /etc/sudoers.d/filename to fix this. Also make sure the username and hostname in the rule match exactly.

Syntax error locks out sudo
If you used visudo, it will refuse to save a broken file. If you edited the file with a regular editor and lost sudo access, boot into recovery mode or use a root shell to fix /etc/sudoers. This is why visudo should always be used.

Rule is ignored in /etc/sudoers.d/
File names in /etc/sudoers.d/ must not contain a dot (.) or end with a tilde (~). These files are silently skipped. Rename the file to remove the dot or tilde.

Conclusion

Configure passwordless sudo by adding a NOPASSWD rule to /etc/sudoers with visudo, or drop a file into /etc/sudoers.d/ for easier management. Whenever possible, limit the rule to specific commands rather than using NOPASSWD:ALL. For more on managing sudo access, see our guides on the sudo command and adding users to sudoers .

Linux File Permissions Explained

hello@linuxize.com (Linuxize) — Fri, 30 Apr 2021 05:01:47 +0100

In Linux, file permissions, attributes, and ownership control the access level that the system processes and users have to files. This ensures that only authorized users and processes can access specific files and directories.

Linux File Permissions

The basic Linux permissions model works by associating each system file with an owner and a group and assigning permission access rights for three different classes of users:

The file owner.
The group members.
Others (everybody else).

File ownership can be changed using the chown and chgrp commands.

Three file permissions types apply to each class of users:

The read permission.
The write permission.
The execute permission.

This concept allows you to control which users can read the file, write to the file, or execute the file.

To view the file permissions, use the ls command:

Terminal
ls -l file_name

output

-rw-r--r-- 12 linuxize users 12.0K Apr 28 10:10 file_name
|[-][-][-]- [------] [---]
| | | | | | |
| | | | | | +-----------> 7. Group
| | | | | +-------------------> 6. Owner
| | | | +--------------------------> 5. Alternate Access Method
| | | +----------------------------> 4. Others Permissions
| | +-------------------------------> 3. Group Permissions
| +----------------------------------> 2. Owner Permissions
+------------------------------------> 1. File Type

The first character indicates the file type. It can be a regular file (-), directory (d), a symbolic link (l), or other special types of files. The following nine characters represent the file permissions, three triplets of three characters each. The first triplet shows the owner permissions, the second one group permissions, and the last triplet shows everybody else permissions.

In the example above, rw-r--r-- means that the file owner has read and write permissions (rw-), the group and others have only read permissions (r--).

File permissions have a different meaning depending on the file type.

Each of the three permission triplets can be constructed of the following characters and have different effects, depending on whether they are set to a file or to a directory:

Effect of Permissions on Files

Permission	Character	Meaning on File
Read	`-`	The file is not readable. You cannot view the file contents.
	`r`	The file is readable.
Write	`-`	The file cannot be changed or modified.
	`w`	The file can be changed or modified.
Execute	`-`	The file cannot be executed.
	`x`	The file can be executed.
	`s`	If found in the `user` triplet, it sets the `setuid` bit. If found in the `group` triplet, it sets the `setgid` bit. It also means that `x` flag is set. When the `setuid` or `setgid` flags are set on an executable file, the file is executed with the file’s owner and/or group privileges.
	`S`	Same as `s`, but the `x` flag is not set. This flag is rarely used on files.
	`t`	If found in the `others` triplet, it sets the `sticky` bit. It also means that `x` flag is set. This flag is useless on files.
	`T`	Same as, `t` but the `x` flag is not set. This flag is useless on files.

Effect of Permissions on Directories (Folders)

Directories are special types of files that can contain other files and directories.

Permission	Character	Meaning on Directory
Read	`-`	The directory’s contents cannot be shown.
	`r`	The directory’s contents can be shown. (e.g., You can list files inside the directory with `ls` .)
Write	`-`	The directory’s contents cannot be altered.
	`w`	The directory’s contents can be altered. (e.g., You can create new files , delete files ..etc.)
Execute	`-`	The directory cannot be changed to.
	`x`	The directory can be navigated using `cd` .
	`s`	If found in the `user` triplet, it sets the `setuid` bit. If found in the `group` triplet it sets the `setgid` bit. It also means that `x` flag is set. When the `setgid` flag is set on a directory, the new files created within it inherits the directory group ID (GID) instead of the primary group ID of the user who created the file. `setuid` has no effect on directories.
	`S`	Same as `s`, but the `x` flag is not set. This flag is useless on directories.
	`t`	If found in the `others` triplet, it sets the `sticky` bit. It also means that `x` flag is set. When the sticky bit is set on a directory, only the file’s owner, the directory’s owner, or the administrative user can delete or rename the files within the directory.
	`T`	Same as `t`, but the `x` flag is not set. This flag is useless on directories.

Changing File Permissions

File permissions can be changed using the chmod command. Only root, the file owner, or a user with sudo privileges can change the permissions of a file. Be extra careful when using chmod, especially when changing permissions recursively. The command can accept one or more files and/or directories separated by spaces as arguments.

Permissions can be specified using a symbolic mode, numeric mode, or a reference file.

Symbolic (Text) Method

The syntax of the chmod command when using the symbolic mode has the following format:

sh
chmod [OPTIONS] [ugoa…][-+=]perms…[,…] FILE...

The first set of flags ([ugoa…]), called user flags, defines the user classes whose permissions will be changed.

u - The file owner.
g - The users who are members of the group.
o - All other users.
a - All users, identical to ugo.

When the users’ flag is omitted, it defaults to a.

The second set of flags ([-+=]), the operation flags, defines whether the permissions are to be removed, added, or set:

- - Removes the specified permissions.
+ - Adds specified permissions.
= - Changes the current permissions to the specified permissions. If no permissions are given after the = symbol, all permissions from the specified user class are removed.

The permissions (perms...) are explicitly set using either zero or one or more of the following letters: r, w, x, X, s, and t. Use a single letter from the set u, g, and o when copying permissions from one to another users’ class.

When setting permissions for more than one user class ([,…]), use commas (without spaces) to separate the symbolic modes.

Here are some examples of how to use the chmod command in symbolic mode:

Give the members of the group permission to execute the file, but not to read and write to it:
Terminal
```
chmod g=x filename
```
Remove the write permission for all users:
Terminal
```
chmod a-w filename
```
Recursively remove the execute permission for other users:
Terminal
```
chmod -R o-x dirname
```
Remove the read, write, and execute permission for all users except the file’s owner:
Terminal
```
chmod og-rwx filename
```
The same thing can also be accomplished by using the following form:
Terminal
```
chmod og= filename
```
Give read, write and execute permission to the file’s owner, read permissions to the file’s group, and no permissions to all other users:
Terminal
```
chmod u=rwx,g=r,o= filename
```

Numeric Method

The syntax of the chmod command when using the numeric mode has the following format:

sh
chmod [OPTIONS] NUMBER FILE...

When using the numeric mode, you can set the permissions for all three user classes (owner, group, and all others) at the same time.

The permission number can be a 3-digit or 4-digit number. When a 3-digit number is used, the first digit represents the permissions of the file’s owner, the second one the file’s group, and the last one all other users.

Each write, read, and execute permissions have the following number value:

r (read) = 4
w (write) = 2
x (execute) = 1
no permissions = 0

The permissions number of a specific user class is represented by the sum of the values of the permissions for that group.

To find out the file’s permissions in numeric mode, simply calculate the totals for all users’ classes. For example, to give read, write and execute permission to the file’s owner, read and execute permissions to the file’s group and only read permissions to all other users, you would do the following:

Owner: rwx=4+2+1=7
Group: r-x=4+0+1=5
Others: r–=4+0+0=4

Using the method above, we get the number 754, which represents the desired permissions.

To set the setuid, setgid, and sticky bit flags, use a 4-digit number.

When a 4-digit number is used, the first digit has the following meaning:

setuid=4
setgid=2
sticky=1
no changes = 0

The next three digits have the same meaning as when using 3 digits number.

If the first digit is 0 it can be omitted, and the mode can be represented with 3 digits. The numeric mode 0755 is the same as 755.

To calculate the numeric mode, you can also use another method (binary method), but it is a little more complicated. Knowing how to calculate the numeric mode using 4, 2, and 1 is sufficient for most users.

You can check the file’s permissions in the numeric notation using the stat command:

sh
stat -c "%a" file_name

Here are some examples of how to use the chmod command in numeric mode:

Give the file’s owner read and write permissions and only read permissions to group members and all other users:
Terminal
```
chmod 644 file
```
Give the file’s owner read, write and execute permissions, read and execute permissions to group members and no permissions to all other users:
Terminal
```
chmod 750 file
```
Give read, write, and execute permissions, and a sticky bit to a given directory:
Terminal
```
chmod 1777 dirname
```
Recursively set read, write, and execute permissions to the file owner and no permissions for all other users on a given directory:
Terminal
```
chmod -R 700 dirname
```

Quick Reference

For a printable quick reference, see the chmod cheatsheet .

Common permission values:

Mode	Symbolic	Who can do what
`777`	`rwxrwxrwx`	Everyone can read, write, and execute
`755`	`rwxr-xr-x`	Owner full access; group and others read and execute
`750`	`rwxr-x---`	Owner full access; group read and execute; others none
`700`	`rwx------`	Owner full access; group and others none
`664`	`rw-rw-r--`	Owner and group read/write; others read only
`644`	`rw-r--r--`	Owner read/write; group and others read only
`600`	`rw-------`	Owner read/write; group and others none
`400`	`r--------`	Owner read only; group and others none

Symbolic chmod examples:

Command	Effect
`chmod u+x file`	Add execute for owner
`chmod g-w file`	Remove write for group
`chmod o= file`	Remove all permissions for others
`chmod a+r file`	Add read for everyone
`chmod u=rwx,g=rx,o= file`	Set exact permissions for all classes
`chmod -R 755 dir`	Recursively set permissions on a directory

FAQ

What is the difference between chmod and chown?
chmod changes the permission bits (read, write, execute) on a file. chown changes the file’s owner and group. Both affect who can access the file, but they control different aspects.

What does chmod 777 mean and is it safe?
777 gives read, write, and execute permission to the owner, group, and all other users. It is rarely appropriate and should be avoided on files that contain sensitive data or are executable by services, as it allows anyone on the system to modify or run them.

Why does a directory need execute permission?
On a directory, execute permission allows you to enter it and access items inside it by name. Without execute permission, you can list the directory contents only in limited cases, but you cannot traverse it with commands such as cd or open files within it.

What is the sticky bit and when should I use it?
The sticky bit on a directory (mode 1xxx, shown as t in ls -l) restricts deletion so that only the file’s owner, the directory’s owner, or root can delete files inside it. It is used on shared directories like /tmp to prevent users from deleting each other’s files.

What is setuid and why is it dangerous?
When set on an executable file, setuid causes the file to run with the owner’s privileges rather than the caller’s. For example, /usr/bin/passwd is setuid root so ordinary users can change their own password. Misusing setuid on custom scripts is a common privilege escalation risk.

How do I view permissions in numeric mode?
Use the stat command: stat -c "%a %n" file. It prints the octal permission value alongside the filename.

Conclusion

In Linux, access to files is controlled through permission bits assigned to three classes — owner, group, and others. Use chmod with symbolic or numeric mode to change permissions, and use ls -l or stat to inspect them. For a focused command reference, see the chmod command guide .

chmod Command in Linux: Change File and Directory Permissions

hello@linuxize.com (Linuxize) — Mon, 16 Sep 2019 17:31:47 +0100

In Linux, you can control file access through permissions, attributes, and ownership. This ensures that only authorized users and processes can read, modify, or execute files and directories.

This tutorial explains how to use the chmod command to change permissions on files and directories.

Linux File Permissions Overview

Before going further, let us explain the basic Linux permissions model.

Every file and directory in Linux has an owner and a group, and is assigned permission access rights for three different classes of users:

Owner (the user who owns the file)
Group (users in the file’s group)
Others (everyone else)

File ownership can be modified with chown (for owner) and chgrp (for group).

Three file permission types apply to each class:

Read (r): View file contents or list directory contents
Write (w): Modify file or add/remove items in a directory
Execute (x): Run file as program/script or enter (cd) directory

Special bits (setuid, setgid, sticky) appear as s, S, t, or T in the execute position.

This concept allows you to specify which users are allowed to read, write, or execute the file.

File permissions can be viewed using the ls command:

Terminal
ls -l filename.txt

output

-rw-r--r-- 12 linuxize users 12.0K Apr 8 20:51 filename.txt
|[-][-][-]- [------] [---]
| | | | | | |
| | | | | | +-----------> 7. Group
| | | | | +-------------------> 6. Owner
| | | | +--------------------------> 5. Alternate Access Method
| | | +----------------------------> 4. Others Permissions
| | +-------------------------------> 3. Group Permissions
| +----------------------------------> 2. Owner Permissions
+------------------------------------> 1. File Type

Breakdown:

The first character shows the file type. It can be a regular file (-), a directory (d), a symbolic link (l), or any other special type of file.
The following nine characters represent the file permissions, three triplets of three characters each. The first triplet shows the owner permissions, the second one group permissions, and the last shows others permissions. The permissions can have a different meaning depending on the file type.

In the example (rw-r--r--):

The file owner has read and write permissions (rw-)
The group and others have only read permissions (r--)

The permission types can have different effects, depending on whether they are set to a file or to a directory:

Permissions on Files

Permission	Character	Meaning on File
Read	`-`	The file is not readable. Cannot view contents.
	`r`	The file is readable.
Write	`-`	The file cannot be deleted or modified.
	`w`	The file can be deleted or modified.
Execute	`-`	The file cannot be executed.
	`x`	The file can be executed and run as a program/script.
	`s`	If found in the `user` triplet, it sets the `setuid` bit. If found in the `group` triplet, it sets the `setgid` bit. It also means that the `x` flag is set. When the `setuid` or `setgid` flags are set on an executable file, the file is executed with the file’s owner and/or group privileges.
	`S`	Same as `s`, but the `x` flag is not set. This flag is rarely used on files.
	`t`	If found in the `others` triplet, it sets the `sticky` bit. It also means that the `x` flag is set. This flag is useless on files.
	`T`	Same as `t`, but the `x` flag is not set. This flag is useless on files.

Permissions on Directories (Folders)

Info

In Linux, directories are special types of files that contain other files and directories.

Permission	Character	Meaning on Directory
Read	`-`	The directory’s contents cannot be listed.
	`r`	The directory’s contents can be listed. (e.g., You can list files inside the directory with `ls` .)
Write	`-`	The directory’s contents cannot be altered.
	`w`	The directory’s contents can be altered. (e.g., You can create new files , rename files, delete files , etc.)
Execute	`-`	The directory cannot be entered.
	`x`	The directory can be navigated using `cd` .
	`s`	If found in the `user` triplet, it sets the `setuid` bit. If found in the `group` triplet it sets the `setgid` bit. It also means that the `x` flag is set. When the `setgid` flag is set on a directory, the new files created within it inherit the directory group ID (GID), instead of the primary group ID of the user who created the file. `setuid` has no effect on directories.
	`S`	Same as `s`, but the `x` flag is not set. This flag is useless on directories.
	`t`	If found in the `others` triplet, it sets the `sticky` bit. It also means that the `x` flag is set. When the sticky bit is set on a directory, only the file’s owner, the directory’s owner, or an administrative user can delete or rename the files within the directory.
	`T`	Same as `t`, but the `x` flag is not set. This flag is useless on directories.

Using the `chmod` Command

The chmod command takes the following syntax:

txt
chmod [OPTIONS] MODE FILE...

The chmod command allows you to change the permissions on a file using either a symbolic or numeric mode or a reference file. We will explain the modes in more detail later in this article. The command can accept one or more files and/or directories separated by spaces as arguments.

Only the root, the file owner, or a user with sudo privileges can change the permissions of a file. Be extra careful when using chmod, especially when changing permissions recursively.

Symbolic (Text) Method

The symbolic method uses letters and operators to specify permissions. The syntax is:

txt
chmod [OPTIONS] [ugoa…][-+=]perms…[,…] FILE...

The first set of flags ([ugoa…]) represent the users’ classes:

u - The file owner.
g - The users who are members of the group.
o - All other users.
a - All users, identical to ugo.

If the user’s flag is omitted, the default one is a, and the permissions that are set by umask are not affected.

The second set of flags ([-+=]), the operation flags, defines whether the permissions are to be removed, added, or set:

- Removes the specified permissions.
+ Adds specified permissions.
= Changes the current permissions to the specified permissions. If no permissions are specified after the = symbol, all permissions from the specified user class are removed.

The permissions (perms...) can be explicitly set using either zero or one or more of the following letters: r, w, x, X, s, and t. Use a single letter from the set u, g, and o when copying permissions from one user’s class to another user’s class.

When setting permissions for more than one user class ([,…]), use commas (without spaces) to separate the symbolic modes.

Below are some examples of how to use the chmod command in symbolic mode:

Give the members of the group permission to read the file, but not to write and execute it:
Terminal
```
chmod g=r filename
```
Remove the execute permission for all users:
Terminal
```
chmod a-x filename
```
Recursively remove the write permission for other users:
Terminal
```
chmod -R o-w dirname
```
Remove the read, write, and execute permission for all users except the file’s owner:
Terminal
```
chmod og-rwx filename
```
The same can be also accomplished by using the following form:
Terminal
```
chmod og= filename
```
Give read, write, and execute permissions to the file’s owner, read permissions to the file’s group, and no permissions to all other users:
Terminal
```
chmod u=rwx,g=r,o= filename
```
Add the file’s owner permissions to the permissions that the members of the file’s group have:
Terminal
```
chmod g+u filename
```
Add a sticky bit to a given directory:
Terminal
```
chmod o+t dirname
```

Numeric (Octal) Method

In numeric mode, you set permissions for all three user classes (owner, group, and others) at once. The syntax is:

txt
chmod [OPTIONS] NUMBER FILE...

The NUMBER can be a 3 or 4 digit number.

When a three-digit number is used, the first digit represents the permissions for the file’s owner, the second for the file’s group, and the last for all other users.

Each write, read, and execute permission has the following number value:

r (read) = 4
w (write) = 2
x (execute) = 1
no permissions = 0

The permissions number for a specific user class is the sum of the values of the permissions for that group.

To find out the file’s permissions in numeric mode, simply calculate the totals for all user classes. For example, to give read, write, and execute permission to the file’s owner, read and execute permissions to the file’s group, and only read permissions to all other users, you would do the following:

Owner: rwx=4+2+1=7
Group: r-x=4+0+1=5
Others: r–=4+0+0=4

Using the method above, we come up with the number 754, which represents the desired permissions.

To set up the setuid, setgid, and sticky bit flags, use a four-digit number.

When the four-digit number is used, the first digit has the following meaning:

setuid=4
setgid=2
sticky=1
no changes = 0

The next three digits have the same meaning as when using a three-digit number.

If the first digit is 0, it can be omitted, and the mode can be represented with 3 digits. The numeric mode 0755 is equivalent to 755.

To calculate the numeric mode, you can also use another method (the binary method), but it is a little more complicated. Knowing how to calculate the numeric mode using 4, 2, and 1 is sufficient for most users.

You can check the file’s permissions in the numeric notation using the stat command:

Terminal
stat -c "%a" filename

output

Here are some examples of how to use the chmod command in numeric mode:

Give the file’s owner read and write permissions and only read permissions to group members and all other users:
Terminal
```
chmod 644 filename
```
Give the file’s owner read, write, and execute permissions, read and execute permissions to group members, and no permissions to all other users:
Terminal
```
chmod 750 filename
```
Give read, write, and execute permissions, and a sticky bit to a given directory:
Terminal
```
chmod 1777 dirname
```
Recursively set read, write, and execute permissions to the file owner and no permissions for all other users on a given directory:
Terminal
```
chmod -R 700 dirname
```

Using a Reference File

The --reference=ref_file option allows you to set the file’s permissions to be the same as those of the specified reference file (ref_file).

txt
chmod --reference=REF_FILE FILE

For example, the following command will assign the permissions of file1 to file2:

Terminal
chmod --reference=file1 file2

Recursively Change the File’s Permissions

To recursively operate on all files and directories under the given directory, use the -R (--recursive) option:

txt
chmod -R MODE DIRECTORY

For example, to change the permissions of all files and subdirectories under the /var/www directory to 755, you would use:

Terminal
chmod -R 755 /var/www

Recursive changes may affect unintended files and can be dangerous. When not sure, test with find ... -print first. For fine-grained recursive control, such as setting different permissions for files and directories separately, see chmod recursive .

Operating on Symbolic Links

Symbolic links always have 777 permissions.

By default, when changing a symlink’s permissions, chmod will change the permissions on the file the link is pointing to.

Terminal
chmod 755 symlink

Chances are that instead of changing the target permissions, you will get a “cannot access ‘symlink’: Permission denied” error.

The error occurs because, by default, symlinks are protected on most Linux distributions, so you cannot operate on the target files. This option is set in /proc/sys/fs/protected_symlinks. 1 means enabled and 0 disabled. It is recommended not to disable the symlink protection.

Changing File Permissions in Bulk

Sometimes you need to bulk change file and directory permissions. The most common scenario is to recursively change the website’s files permissions to 644 and the directories permissions to 755.

Using the numeric method:

Terminal
find /var/www/my_website -type d -exec chmod 755 {} \;
find /var/www/my_website -type f -exec chmod 644 {} \;

Using the symbolic method:

Terminal
find /var/www/my_website -type d -exec chmod u=rwx,go=rx {} \;
find /var/www/my_website -type f -exec chmod u=rw,go=r {} \;

The find command will search for files and directories under /var/www/my_website and pass each found file and directory to the chmod command to set the permissions.

Common chmod Permission Values

Some chmod values appear so often that it is worth knowing what they mean in practice.

chmod 644

chmod 644 sets permissions to rw-r--r--: the owner can read and write, while the group and others get read-only access. This is the standard permission for most regular files and web content.

Terminal
chmod 644 file

chmod 755

chmod 755 sets permissions to rwxr-xr-x: the owner has full access (read, write, execute), while the group and others can read and execute. Use it for directories and scripts that should be publicly accessible.

Terminal
chmod 755 dir

chmod 700

chmod 700 sets permissions to rwx------: the owner has full access and no one else has any permissions. Use it for private scripts, config directories, or any resource restricted to the owner only.

Terminal
chmod 700 file

chmod 600

chmod 600 sets permissions to rw-------: only the owner can read and write, with no access for anyone else. Use it for sensitive files such as private SSH keys (~/.ssh/id_rsa) or files that contain passwords.

Terminal
chmod 600 file

chmod +x

chmod +x adds execute permission for all user classes (owner, group, and others). It is the quickest way to make a script runnable without changing its read or write permissions.

Terminal
chmod +x script.sh

Quick Reference

Option / Mode	Description
`chmod u+x file`	Add execute permission for the owner
`chmod go-w file`	Remove write permission for group and others
`chmod 644 file`	Owner read/write; group and others read only
`chmod 755 file`	Owner full; group and others read and execute
`chmod 700 file`	Owner full; no permissions for group and others
`chmod 777 file`	Full permissions for everyone (use with caution)
`chmod -R MODE dir`	Apply permissions recursively
`chmod --reference=f1 f2`	Copy permissions from `f1` to `f2`
`stat -c "%a" file`	View permissions in numeric notation

For a printable quick reference, see the chmod cheatsheet .

Troubleshooting

“Permission denied” error
You do not have the authority to change the file’s permissions. Run sudo chmod ... or switch to the file owner.

“No such file or directory”
The path is incorrect or the file does not exist. Verify with ls, use an absolute path, or use tab completion.

“Operation not permitted” even with sudo
Caused by filesystem mounts (e.g., FAT/NTFS), immutable attributes, or SELinux/AppArmor restrictions. Check with mount for noexec/nodev flags; remove the immutable flag with chattr -i file; review security policies.

Changes not applying to symbolic links
chmod on a symlink affects the target file, not the link itself. Due to /proc/sys/fs/protected_symlinks, the operation may be blocked. Run chmod directly on the target file instead.

“Invalid mode” error (e.g., “invalid mode: ‘abc’”)
Typo in symbolic or numeric mode. Numeric modes must be 3–4 digits. Use chmod --verbose to see what changes are applied and verify afterward with ls -l.

FAQ

What is the difference between chmod 644 and chmod 755?
644 gives the owner read and write access while the group and others get read-only access, the standard permission for web files. 755 adds execute permission for everyone, making it the standard for directories and executable scripts. For a full breakdown of common values, see the chmod 777 guide .

What does chmod 755 mean?
chmod 755 sets permissions to rwxr-xr-x. The owner can read, write, and execute, while the group and others can read and execute only. This is a common setting for directories and executable scripts.

What does chmod 644 mean?
chmod 644 sets permissions to rw-r--r--. The owner can read and write the file, while the group and others can only read it. It is the standard permission for most regular files and web server content.

What does chmod 700 mean?
chmod 700 sets permissions to rwx------. The owner has full access and no other user can read, write, or execute the file. Use it for private scripts, directories with sensitive data, or SSH key directories such as ~/.ssh.

What does chmod 600 mean?
chmod 600 sets permissions to rw-------. Only the owner can read and write the file, with no access for anyone else. It is the standard permission for private SSH keys (~/.ssh/id_rsa) and files that store credentials.

How do I apply chmod recursively to files but not directories?
Use find to filter by type before passing to chmod. For example: find /path -type f -exec chmod 644 {} \; sets permissions on files only. See chmod recursive for a full guide.

What does chmod +x do?
It adds execute permission for all user classes (owner, group, and others). It is commonly used to make a shell script runnable: chmod +x script.sh.

Can I use letters and numbers together in the same chmod command?
No. The symbolic mode (letters) and numeric mode (octal digits) are separate methods; use one or the other in a single chmod call.

What happens if I run chmod 777 on a file?
It grants read, write, and execute access to everyone on the system. This is rarely appropriate outside of testing; avoid it on production files and web server directories.

Conclusion

The chmod command gives you precise control over who can read, write, and execute files and directories on your Linux system. For a deeper look at how permissions interact with ownership, see the chown and chgrp commands.

Chmod Recursive: Change File Permissions Recursively in Linux

hello@linuxize.com (Linuxize) — Fri, 20 Dec 2019 17:31:47 +0100

When you deploy a website, restore a backup, or copy project files from another machine, permissions often end up inconsistent across many files and directories. In these cases, chmod with the -R flag lets you fix the entire directory tree in one command.

This guide explains how to use chmod -R to change permissions recursively, how to set different permissions for files and directories using find, and how to avoid common mistakes.

Understanding Permission Numbers

Linux permissions are represented by three digits. Each digit is the sum of read (4), write (2), and execute (1):

Number	Permission	Meaning
`7`	`rwx`	Read, write, and execute
`6`	`rw-`	Read and write
`5`	`r-x`	Read and execute
`4`	`r--`	Read only
`0`	`---`	No permission

The three digits represent the owner, group, and others, in that order. For example, 755 means the owner has full access (rwx), while the group and others can read and execute (r-x).

For a complete overview of the permission system, see Understanding Linux File Permissions .

Using chmod -R

The -R option tells chmod to apply permissions recursively to a directory and everything inside it. The general syntax is:

txt
chmod -R MODE DIRECTORY

For example, to set 755 on all files and subdirectories under /var/www/html:

Terminal
chmod -R 755 /var/www/html

The same change using symbolic mode:

Terminal
chmod -R u=rwx,go=rx /var/www/html

Only the root user, the file owner, or users with sudo privileges can change file permissions. Be careful when running chmod -R because it modifies every entry under the target directory.

Setting Different Permissions for Files and Directories

In most cases, files and directories should not have the same permissions. Directories require the execute bit so you can cd into them, but regular files typically do not need it.

The most common pattern is 755 for directories and 644 for files. Use the find command to target each type separately.

Using numeric mode:

Terminal
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

Using symbolic mode:

Terminal
find /var/www/html -type d -exec chmod u=rwx,go=rx {} \;
find /var/www/html -type f -exec chmod u=rw,go=r {} \;

The find command searches for entries matching -type d (directories) or -type f (files) and passes each one to chmod via -exec.

When dealing with a large number of files, the -exec approach runs chmod once per entry. Use xargs to pass multiple entries at once, which is significantly faster:

Terminal
find /var/www/html -type d -print0 | xargs -0 chmod 755
find /var/www/html -type f -print0 | xargs -0 chmod 644

The -print0 and -0 flags handle filenames that contain spaces or special characters.

Using Capital X to Add Execute Only to Directories

The capital X permission is a shortcut that adds execute only to directories and files that already have at least one execute bit set. This avoids making regular files executable:

Terminal
chmod -R u=rwX,go=rX /var/www/html

This sets read for everyone, write for the owner, and execute only on directories — all in a single command without needing find.

Common Permission Patterns

Pattern	Directories	Files	Use Case
`755` / `644`	`rwxr-xr-x`	`rw-r--r--`	Web server content
`750` / `640`	`rwxr-x---`	`rw-r-----`	Private web apps (group access)
`700` / `600`	`rwx------`	`rw-------`	User-private files (SSH keys, configs)
`775` / `664`	`rwxrwxr-x`	`rw-rw-r--`	Shared project directories

Safety Considerations

Recursive permission changes can break your system if applied to the wrong directory. Keep the following in mind:

Never run chmod -R 777 / or target the root filesystem. This gives full access to every file on the system and can make the system unbootable.
Use --preserve-root to prevent accidental changes to /. Most modern distributions enable this by default, but you can set it explicitly:

Terminal
chmod -R --preserve-root 755 /some/directory

Always double-check the target path before pressing Enter. A misplaced space in chmod -R 755 / var/www (note the space after /) applies 755 to the entire root filesystem.
On GNU chmod, recursive mode uses -H behavior by default. It follows a symlink only when the symlink itself is passed as a command-line argument and points to a directory. It does not traverse every symlink found during recursion.
If you need different traversal behavior, use -L to follow all directory symlinks or -P to avoid following symlinks.

Verifying Permissions

To check the permissions of files and directories, use the ls command with the -l flag:

Terminal
ls -l /var/www/html/

output

drwxr-xr-x 2 www-data www-data 4096 Feb 13 10:00 css
-rw-r--r-- 1 www-data www-data 8421 Feb 13 10:00 index.html
drwxr-xr-x 3 www-data www-data 4096 Feb 13 10:00 images

The first character indicates the entry type (d for directory, - for file). The next nine characters show the owner, group, and others permissions.

To verify permissions recursively, add the -R flag:

Terminal
ls -lR /var/www/html/

Troubleshooting

Operation not permitted
You do not have permission to change the file. Run the command with sudo or switch to the file owner.

chmod: cannot access ‘path’: No such file or directory
The target path does not exist. Verify the path with ls before running chmod.

Permissions do not change on a mounted drive
Filesystems such as NTFS and FAT do not support Linux permissions. The permissions are set at mount time via the fmask and dmask mount options instead.

Files became executable after chmod -R 755
Using 755 on everything makes regular files executable. Use find to set 755 on directories and 644 on files separately, or use the capital X shortcut.

Quick Reference

Command	Description
`chmod -R 755 dir/`	Set 755 on directory tree
`chmod -R u=rwX,go=rX dir/`	Owner rw, others r, execute on dirs only
`find dir/ -type d -exec chmod 755 {} \;`	Set 755 on directories only
`find dir/ -type f -exec chmod 644 {} \;`	Set 644 on files only
`find dir/ -type d -print0 \| xargs -0 chmod 755`	Faster directory permission change
`find dir/ -type f -print0 \| xargs -0 chmod 644`	Faster file permission change
`chmod -R --preserve-root 755 /path`	Prevent accidental changes to `/`
`chmod -R g+w dir/`	Add group write recursively
`chmod -R o-rwx dir/`	Remove all others permissions
`ls -lR dir/`	Verify permissions recursively

FAQ

What is the difference between 755 and 644?
With 755, the owner can read, write, and execute, while others can read and execute. With 644, the owner can read and write, while others can only read. Use 755 for directories and 644 for regular files.

Does chmod -R follow symbolic links?
On GNU chmod, -R uses -H behavior by default. This means it follows a symlink only when that symlink is provided as a command-line argument and points to a directory. Use -L to follow all directory symlinks, or -P to avoid following symlinks during traversal.

Can I undo a recursive chmod?
There is no built-in undo. If you change permissions on the wrong directory, you must restore them manually or from a backup. Always verify the target path before running chmod -R.

How do I change permissions on all files in a directory?
Use find with -type f to target files only, then pass each one to chmod:

Terminal
find /path/to/directory -type f -exec chmod 644 {} \;

This leaves directory permissions unchanged. For large trees, use xargs for better performance:

Terminal
find /path/to/directory -type f -print0 | xargs -0 chmod 644

What does chmod -R 777 do?
chmod -R 777 sets full read, write, and execute permissions for everyone on all files and directories in the tree:

Terminal
chmod -R 777 /path/to/directory

This is a serious security risk. Any user on the system can read, modify, or delete those files. Avoid it on production systems, web server directories, or any path containing sensitive data. For web content, use 755 for directories and 644 for files instead.

What does capital X mean in chmod?
Capital X adds execute permission only to directories and files that already have an execute bit set. It is useful for applying permissions recursively without making regular files executable.

Conclusion

The chmod -R command changes permissions recursively across an entire directory tree. For most use cases, combine find with chmod to set different permissions for files and directories, or use the capital X shortcut for a single-command approach. For a broader look at the permission system, see Understanding Linux File Permissions .

What Does chmod 777 Mean

hello@linuxize.com (Linuxize) — Sun, 08 Mar 2020 20:51:37 +0100

You are trying to fix a permission issue with your web server and found a suggestion to recursively run chmod 777 on the web directory. Before doing that, make sure you understand what chmod -R 777 does and why you should never set permissions to 777.

chmod 777 sets read, write, and execute permissions for the owner, the group, and everyone else on the system. In symbolic form, it is rwxrwxrwx. It lets any user on the machine read, modify, or execute the file, which is why you should never use it on production directories or web roots.

This guide explains the Linux permissions model, what 777 means, and how permission numbers work. For a deeper walkthrough of chmod, see our chmod guide .

Understanding Linux File Permissions

In Linux, access to the files is controlled by the operating system using file permissions, attributes, and ownership. Understanding the Linux file system permissions model allows you to restrict access to files and directories only to authorized users and processes and makes your system more secure.

Each file is owned by a particular user and a group and assigned permission access rights for three different classes of users:

The file owner.
The group members.
Others (everybody else).

Three file permission types apply to each user class, and allow you to specify which users are allowed to read, write to, or execute the file. The same permission attributes apply for both files and directories with a different meaning:

The read permission.
- The file is readable. For instance, when the read permission is set, the user can open the file in a text editor or display the file content in the terminal.
- The content of the directory can be viewed. The user can list files inside the directory with the ls command.
The write permission.
- The file can be changed or modified.
- The content of the directory can be altered. The user can create new files , delete existing files , move files , rename files , etc.
The execute permission.
- The file can be executed. The user can run the script or binary from the command line.
- The directory can be entered using the cd command.

File permissions can be viewed using the ls command. Here is an example:

Terminal
ls -l filename.txt

output

-rw-r--r-- 12 linuxize users 12.0K Apr 8 20:51 filename.txt
|[-][-][-]- [------] [---]
| | | | | | |
| | | | | | +-----------> 7. Group
| | | | | +-------------------> 6. Owner
| | | | +--------------------------> 5. Alternate Access Method
| | | +----------------------------> 4. Others Permissions
| | +-------------------------------> 3. Group Permissions
| +----------------------------------> 2. Owner Permissions
+------------------------------------> 1. File Type

The first character indicates the file type. It can be a regular file (-), directory (d), a symbolic link (l), or any other special type of file.

The following nine characters represent the file permissions, three characters for each user class. The first triplet shows the owner permissions, the second group permissions, and the last one shows the permissions for everyone else.

Permission Numbers

File permissions can be represented in either numeric or symbolic format.

The permission number may consist of three or four digits, ranging from 0 to 7.

When using a 3-digit number to represent file permissions, the first digit corresponds to the owner’s permissions, the second digit to the group’s permissions, and the third digit to everyone else’s permissions.

The read, write, and execute permissions have the following number value:

r (read) = 4
w (write) = 2
x (execute) = 1
no permissions = 0

The permissions digit of a specific user class is the sum of the values of the permissions for that class.

Each digit of the permissions number may be a sum of 4, 2, 1, and 0:

0 (0+0+0) – No permission.
1 (0+0+1) – Only execute permission.
2 (0+2+0) – Only write permission.
3 (0+2+1) – Write and execute permissions.
4 (4+0+0) – Only read permission.
5 (4+0+1) – Read and execute permission.
6 (4+2+0) – Read and write permissions.
7 (4+2+1) – Read, write, and execute permission.

For instance, if the permission number is set to 750, it means the file’s owner has read, write, and execute permissions. The file’s group has read and execute permissions, while other users have no permissions:

Owner: rwx=4+2+1=7
Group: r-x=4+0+1=5
Others: —=0+0+0=0

When a 4-digit number is used, the first digit represents special permissions:

setuid = 4: When set on an executable, it runs with the file owner’s privileges.
setgid = 2: When set on an executable, it runs with the group’s privileges. When set on a directory, new files inherit the directory’s group.
sticky = 1: When set on a directory, only the file owner can delete or rename files within it (commonly used on /tmp).
no changes = 0

For example, to set the sticky bit on a shared directory:

Terminal
chmod 1777 /tmp

The next three digits have the same meaning as when using a 3-digit number. If the first digit is 0, it can be omitted, and the mode can be represented with 3 digits. For example, the numeric mode 0755 is the same as 755.

To view the file’s permissions in numeric (octal) notation, you can use the stat command:

Terminal
stat -c "%a" filename

output

Never Use chmod 777

Setting 777 permissions (chmod 777) to a file or directory means that it will be readable, writable, and executable by all users and is a serious security risk.

For instance, if you recursively change the permissions of all files and subdirectories under the /var/www directory to 777, any user on the system can create, delete, or modify files in that directory.

If you experience permission issues with your web server, instead of recursively setting the permission to 777, change the file’s ownership to the user running the application and set the file’s permissions to 644 and the directory’s permissions to 755.

Remember that directories need execute (x) permission to be accessed, so safe defaults differ for files (644) and directories (755).

File ownership can be changed using the chown command and permissions with chmod.

Suppose you have a PHP application on your server running as user “linuxize”. To set the correct permissions, you would run the following:

Terminal
chown -R linuxize: /var/www
find /var/www -type d -exec chmod 755 {} \;
find /var/www -type f -exec chmod 644 {} \;

Only the root, the file owner, or the user with sudo privileges can change the permissions of a file. Be extra careful when using chmod, especially when recursively changing the permissions.

Understanding umask

The umask value controls the default permissions for new files and directories. It subtracts permissions from the system defaults. For example, a common umask of 022 results in:

Files: 644 (read/write for owner, read-only for group and others)
Directories: 755 (read/write/execute for owner, read/execute for group and others)

To view the current umask:

Terminal
umask

Numeric vs Symbolic Format

You can also set permissions using the symbolic format. Instead of numbers, it uses letters (u for owner, g for group, o for others, a for all) combined with +, -, or =:

Terminal
chmod u+rwx,g+rx,o+rx filename

This is equivalent to chmod 755 filename. The symbolic format can be more readable when you want to change specific permissions without affecting others:

Terminal
chmod g+w filename
chmod o-x filename

Common Permission Examples

Here are some commonly used permission settings and their typical use cases:

Permission	Numeric	Meaning	Common Use
`-rwx------`	`700`	Owner can read, write, execute	Private scripts, home directories
`-rwxr-xr-x`	`755`	Owner can read, write, execute; group and others can read and execute	Directories, executable scripts
`-rw-r--r--`	`644`	Owner can read, write; group and others can read	Regular files, web content
`-rw-rw-r--`	`664`	Owner and group can read, write; others can read	Shared project files
`-rw-------`	`600`	Owner can read, write	Private configuration files, SSH keys
`-rw-rw----`	`660`	Owner and group can read, write	Shared sensitive files
`-rwxrwxrwx`	`777`	Everyone can read, write, execute	Never recommended

Quick Reference

For a printable quick reference, see the chmod cheatsheet .

Task	Command
View permissions (symbolic)	`ls -l filename`
View permissions (numeric)	`stat -c "%a" filename`
Set permissions	`chmod 755 filename`
Set all directories recursively	`find /path -type d -exec chmod 755 {} \;`
Set directories to 755, files to 644	`find /path -type d -exec chmod 755 {} \;` and `find /path -type f -exec chmod 644 {} \;`
Change ownership	`chown user:group filename`

FAQ

What does chmod 777 do?
It sets read, write, and execute permissions for the owner, group, and all other users. This means anyone on the system can read, modify, or execute the file.

When is it OK to use chmod 777?
Almost never in production. It is sometimes used temporarily for debugging permission issues, but the permissions should be reverted immediately after. For web directories, use 755 for directories and 644 for files.

Does sudo chmod 777 do something different from chmod 777?
No. sudo only lets you run the command as a privileged user when you do not own the file. The 777 part still grants the same wide-open permissions to every account on the system, so reaching for sudo does not make 777 any safer.

Is chown 777 the same as chmod 777?
No. chown changes file ownership and does not accept permission numbers like 777. To change permissions, use chmod. To change the user or group that owns a file, use chown .

What is the difference between chmod 755 and chmod 644?
755 allows the owner to read, write, and execute, while group and others can read and execute. 644 allows the owner to read and write, while group and others can only read. Use 755 for directories and executable files, and 644 for regular files.

How do I check the current permissions of a file?
Use ls -l filename to see the symbolic format (-rwxr-xr-x) or stat -c "%a" filename to see the numeric format (755).

Conclusion

You should never set 777 (rwxrwxrwx) permissions on files and directories, since it gives anyone with an account full control over those files. Reach for 755 on directories and 644 on files, and only loosen them when a specific user or group genuinely needs more.

chown Command in Linux: Change File Ownership

hello@linuxize.com (Linuxize) — Tue, 04 Dec 2018 07:31:47 +0100

The chown command in Linux allows you to change the user and/or group ownership of files, directories, and symbolic links. Knowing how to use chown is essential for managing access control, especially in multi-user environments.

In Linux, every file and directory has an owner and a group, along with permissions that define access rights for the file owner, the group members, and others.

This guide covers the chown command syntax, common options, practical examples, and best practices for secure usage.

What Is File Ownership in Linux?

Every file and directory in Linux has an owner and a group, and is assigned permission access rights for three different classes of users:

Owner (the user who owns the file)
Group (users in the file’s group)
Others (everyone else)

File ownership can be viewed using the ls command:

Terminal
ls -l filename.txt

output

-rw-r--r-- 12 linuxize users 12.0K Apr 8 20:51 filename.txt
[------] [---]
| |
| +-----------> Group
+-------------------> Owner

chown Command Syntax

The basic syntax of the chown command is:

txt
chown [OPTIONS] USER[:GROUP] FILE(s)

Syntax Breakdown:

USER - The user name or the user ID (UID) of the new owner.
GROUP - The new group’s name or the group ID (GID).
FILE(s) - The name of one or more files, directories, or symlinks. Numeric IDs should be prefixed with the + symbol to avoid conflicts with usernames.

Key patterns:

USER - Sets the file owner to the given user. The group ownership is not changed.
USER: - When a colon (:) follows the username, and the group name is not given, the user will become the owner of the files, and the file’s group ownership is changed to the user’s login group.
USER:GROUP - If both the user and the group are specified (with no space between them), the user ownership of the files is changed to the given user, and the group ownership is changed to the given group.
:GROUP - If the User is omitted and the group is prefixed with a colon (:), only the file’s group ownership is changed to the given group (equivalent to chgrp).
: If only a colon (:) is given, without specifying the user and the group, no change is made.

Most common chown options:

-R - Apply to the directory and its contents recursively.
-h - Change ownership of the symbolic links, not the referenced file.
-v - Verbose output.
--reference=REF_FILE - Copy ownership from reference file.

By default, chown does not produce any output on success and returns zero.

Who Can Use chown?

Regular users can change the file group only if they own the file and only to a group they are a member of.
Administrative users can change the ownership of all files.

Changing File Owner

To change the owner of a file, use the chown command followed by the user name of the new owner and the target file as an argument:

txt
chown USER FILE

For example, the following command will change the ownership of a file named file1 to a new owner named linuxize:

Terminal
chown linuxize file1

To change the ownership of multiple files or directories, specify them as a space-separated list:

Terminal
chown linuxize file1 dir1

The numeric user ID (UID) can be used instead of the username:

Terminal
chown +1000 file2

Warning

If a numeric owner exists as a user name, the ownership will be transferred to the user name. To avoid this, prefix the ID with +.

Changing Owner and Group

To change both the owner and the group of a file, use the chown command followed by the new owner and group separated by a colon (:) with no intervening spaces and the target file as argument:

txt
chown USER:GROUP FILE

The following command will change the ownership of a file named file1 to a new owner named linuxize and group devs:

Terminal
chown linuxize:devs file1

If the group is omitted, Linux assigns the user’s default login group:

Terminal
chown linuxize: file1

How to Change Group Ownership Only

To change only the group of a file, use the chown command followed by a colon (:) and the new group name (with no space between them) and the target file as an argument:

txt
chown :GROUP FILE

The following command will change the group of the file named file1 to www-data:

Terminal
chown :www-data file1

Alternatively, to change the group ownership of files, you can use the chgrp command.

Changing Symbolic Link Ownership

By default, the chown command changes the ownership of the files that the symlinks point to, not the symlinks themselves.

For example, if you try to change the owner and the group of the symbolic link symlink1 that points to /var/www/file1, chown will change the ownership of the file or directory the symlink points to:

Terminal
chown www-data: symlink1

On most Linux distributions, symlinks are protected by default, so operating on the target file through a symlink may result in a “cannot dereference ‘symlink1’: Permission denied” error. This protection is controlled by /proc/sys/fs/protected_symlinks — 1 means enabled, 0 is disabled. We recommend keeping symlink protection enabled.

To change the ownership of the symlink itself, use the -h option:

Terminal
chown -h www-data symlink1

Recursively Changing Ownership

To recursively change ownership of all files and directories within a directory, use the -R (--recursive) option:

txt
chown -R USER:GROUP DIRECTORY

For example, to change the ownership of all files and subdirectories under the /var/www directory to a new owner and group named www-data, you would run:

Terminal
chown -R www-data: /var/www

If the directory contains symbolic links, pass the -h option:

Terminal
chown -hR www-data: /var/www

The -H and -L options also affect how chown handles symbolic links during recursive traversal. -H causes chown to follow a symlink to a directory when that symlink is given as a command-line argument. -L causes it to follow every symlink to a directory that is encountered. Avoid these options in most cases — they can cause unintended ownership changes across the filesystem.

Using a Reference File

The --reference=ref_file option copies the owner and group from another file. If the reference file is a symbolic link, chown will use the ownership of the target file.

txt
chown --reference=REF_FILE FILE

For example, the following command will assign the user and group ownership of file1 to file2:

Terminal
chown --reference=file1 file2

Common Use Cases

Here are the most common situations where you will use chown:

Web server directories — Set www-data:www-data ownership on /var/www so the web server process can read and write files. Combine with chmod for secure setups.
After file transfers or archive extractions — Files copied from another system or extracted from a tarball may retain the original UID. Use chown to reassign them to the correct local user.
Application deployments — Assign ownership of application files to a dedicated service user so the application runs with minimal privileges.
Multi-user environments — Use chown with chmod to enforce clear boundaries between users sharing the same system.

Always verify ownership with ls -l before and after changes, especially when using -R. Avoid recursive operations on high-level directories such as / or /var.

Quick Reference

Command	Description
`chown USER FILE`	Change file owner
`chown USER:GROUP FILE`	Change owner and group
`chown :GROUP FILE`	Change group only
`chown USER: FILE`	Change owner; set group to user’s login group
`chown -R USER:GROUP DIR`	Recursively change ownership
`chown -h USER FILE`	Change symlink ownership (not target)
`chown -hR USER:GROUP DIR`	Recursively change, including symlinks
`chown --reference=REF FILE`	Copy ownership from reference file
`chown +UID FILE`	Use numeric UID (prefix `+` to avoid name conflicts)

For a printable quick reference, see the chown cheatsheet .

Take Ownership as the Current User

A common use case is taking ownership of a file or directory as the currently logged-in user. Use the $USER variable to avoid hardcoding the user name.

Terminal
sudo chown $USER:$USER file1
sudo chown -R $USER:$USER mydir

This is especially useful after copying files with sudo, extracting archives owned by root, or fixing permissions in a development directory.

Troubleshooting

“cannot dereference ‘symlink’: Permission denied”
By default, chown tries to change the target of the symlink, not the symlink itself. If symlink protection is enabled (the default on most systems), this fails. Use chown -h USER symlink to change the symlink’s own ownership instead.

“Operation not permitted”
Only root or a user with sudo can change file ownership to a different user. Run the command with sudo chown ....

“invalid user” or “invalid group”
The specified user or group does not exist on the system. Verify with id username or getent group groupname before running chown.

Recursive change affects the wrong files
Always run ls -la /path/to/dir to inspect the directory tree before using -R. A typo in the path or an unexpected symlink can cause ownership changes in unintended locations.

FAQ

What is the difference between chown and chmod?
chown changes who owns a file (the user and group). chmod changes the permission bits that control what the owner, group, and others can do with the file. Both are used together to manage access control.

How do I change the ownership of all files in a directory?
Use the -R flag: sudo chown -R USER:GROUP /path/to/dir. This applies the new ownership to the directory itself and everything inside it recursively.

Can a regular user change file ownership?
A regular user can change a file’s group to any group they belong to, as long as they own the file. Only root can transfer ownership to a different user.

How do I change only the group of a file?
Use chown :GROUP FILE or the chgrp command, which is dedicated to group ownership changes.

What does the + prefix mean for numeric UIDs?
Normally, chown 1000 file could be interpreted as a username if a user named 1000 exists. Prefixing with + (chown +1000 file) forces chown to treat the value as a numeric UID, avoiding ambiguity.

Conclusion

The chown command is the standard way to transfer file and directory ownership in Linux. Use chown USER:GROUP FILE for a single file, add -R to apply changes recursively, and use -h when working with symbolic links. For permission bits rather than ownership, see the chmod guide .

Understanding the /etc/passwd File

hello@linuxize.com (Linuxize) — Sun, 01 Dec 2019 22:36:37 +0100

There are several different authentication schemes that can be used on Linux systems. The most commonly used and standard scheme is to perform authentication against the /etc/passwd and /etc/shadow files.

/etc/passwd is a plain text-based database that contains information for all user accounts on the system. It is owned by root and has 644 permissions . The file can only be modified by root or users with sudo privileges and readable by all system users.

Modifying the /etc/passwd file by hand should be avoided unless you know what you are doing. Always use a command that is designed for the purpose. For example, to modify a user account, use the usermod command, and to add a new user account use the useradd command.

How to View the `/etc/passwd` File

To print the entire file to the terminal, run:

Terminal
cat /etc/passwd

If the file is long and you want to scroll through it page by page, use:

Terminal
less /etc/passwd

Use cat for a quick dump and less when you want to inspect the file more comfortably.

`/etc/passwd` Format

The /etc/passwd file is a text file with one entry per line, representing a user account. To view the contents of the file, use a text editor or a command such as cat :

Terminal
cat /etc/passwd

Usually, the first line describes the root user, followed by the system and normal user accounts. New entries are appended at the end of the file.

Each line of the /etc/passwd file contains seven colon-separated fields:

output

mark:x:1001:1001:mark,,,:/home/mark:/bin/bash
[--] - [--] [--] [-----] [--------] [--------]
| | | | | | |
| | | | | | +-> 7. Login shell
| | | | | +----------> 6. Home directory
| | | | +--------------------> 5. GECOS
| | | +--------------------------> 4. GID
| | +-------------------------------> 3. UID
| +-----------------------------------> 2. Password
+----------------------------------------> 1. Username

Username. The string you type when you log into the system. Each username must be a unique string on the machine. The maximum length of the username is restricted to 32 characters.
Password. In older Linux systems, the user’s encrypted password was stored in the /etc/passwd file. On most modern systems, this field is set to x, and the user password is stored in the /etc/shadow file.
UID. The user identifier is a number assigned to each user. It is used by the operating system to refer to a user.
GID. The user’s group identifier number, referring to the user’s primary group. When a user creates a file , the file’s group is set to this group. Typically, the name of the group is the same as the name of the user. User’s secondary groups are listed in the /etc/group file.
GECOS or the full name of the user. This field contains a list of comma-separated values with the following information:
- User’s full name or the application name.
- Room number.
- Work phone number.
- Home phone number.
- Other contact information.
Home directory. The absolute path to the user’s home directory. It contains the user’s files and configurations. By default, the user home directories are named after the name of the user and created under the /home directory.
Login shell. The absolute path to the user’s login shell. This is the shell that is started when the user logs into the system. On most Linux distributions, the default login shell is Bash.

Quick Reference

Field	Position	Example
Username	1	`mark`
Password placeholder	2	`x`
UID	3	`1001`
GID	4	`1001`
GECOS (full name)	5	`mark,,,`
Home directory	6	`/home/mark`
Login shell	7	`/bin/bash`

FAQ

Why is the password field set to x?
The x is a placeholder indicating that the encrypted password is stored in the /etc/shadow file. Storing passwords in /etc/passwd was abandoned because the file is world-readable.

What does a * or ! in the password field mean?
A * means the account has no password and cannot log in via password authentication. A ! means the account is locked. Neither value is a valid password hash, so login is blocked.

What is UID 0?
UID 0 is the root user. Any account with UID 0 has full superuser privileges, regardless of its username.

What login shell is used for system accounts?
System accounts that should not have an interactive login use /usr/sbin/nologin or /bin/false as their shell. This prevents anyone from logging in as that account.

Why can all users read /etc/passwd?
The file must be readable so the system and user-space programs can map UIDs to usernames, shells, and home directories. Password hashes are not stored there; they are kept in /etc/shadow, which is restricted to root.

Can I edit /etc/passwd directly?
You should use vipw to edit the file safely — it locks the file to prevent simultaneous edits. Direct editing with a text editor risks corrupting the file if two processes write at the same time.

Conclusion

The /etc/passwd file keeps track of every user account on the system, storing the username, UID, GID, home directory, and login shell for each entry. Understanding this file is essential when troubleshooting login issues or auditing user accounts. For password storage details, see the /etc/shadow file guide .

umask Command in Linux: Set Default File Permissions

hello@linuxize.com (Linuxize) — Thu, 04 Jul 2019 19:21:42 +0100

On Linux and Unix operating systems, all new files are created with a default set of permissions. The umask command lets you view or set the file mode creation mask, which determines the permission bits for newly created files and directories.

It is used by mkdir, touch, tee , and other commands that create new files and directories.

This guide explains how umask works, how to read and calculate mask values, and how to make your changes permanent.

umask Syntax

txt
umask [OPTION] [MASK]

-S — Display the current mask in symbolic notation instead of octal.

When called without arguments, umask prints the current mask value. When called with a mask value, it sets the mask for the current shell session.

Linux Permissions

Before going further, let us briefly explain the Linux permissions model.

In Linux, each file is associated with an owner and a group and assigned permission access rights for three different classes of users:

The file owner.
The group members.
Everyone else.

There are three permission types that apply to each class:

The read permission.
The write permission.
The execute permission.

This concept allows you to specify which users are allowed to read the file, write to the file, or execute the file.

To view the file permissions, use the ls command:

Terminal
ls -l dirname

output

drwxr-xr-x 12 linuxize users 4.0K Apr 8 20:51 dirname
|[-][-][-] [------] [---]
| | | | | |
| | | | | +-----------> Group
| | | | +-------------------> Owner
| | | +----------------------------> Others Permissions
| | +-------------------------------> Group Permissions
| +----------------------------------> Owner Permissions
+------------------------------------> File Type

The first character represents the file type, which can be a regular file (-), a directory (d), a symbolic link (l), or any other special type of file.

The next nine characters represent the permissions, three sets of three characters each. The first set shows the owner permissions, the second set shows group permissions, and the last set shows everybody else’s permissions.

Character r with an octal value of 4 stands for read, w with an octal value of 2 for write, x with an octal value of 1 for execute, and - with an octal value of 0 for no permission.

There are also three special file permission types: setuid, setgid, and sticky bit.

In the example above, rwxr-xr-x means the owner has read, write, and execute permissions (rwx), while the group and others have read and execute permissions.

If we represent the file permissions using numeric notation, we get 755:

Owner: rwx = 4+2+1 = 7
Group: r-x = 4+0+1 = 5
Other: r-x = 4+0+1 = 5

When represented in numeric notation, permissions can have three or four octal digits (0-7). The first digit represents special permissions, and if it is omitted, it means no special permissions are set. In our example, 755 is the same as 0755. The first digit can be a combination of 4 for setuid, 2 for setgid, and 1 for sticky bit.

File permissions can be changed using the chmod command and ownership using the chown command.

Understanding umask

By default on Linux systems, the default creation permissions are 666 for files, which gives read and write permission to user, group, and others, and 777 for directories, which means read, write, and execute permission to user, group, and others. Linux does not allow a file to be created with execute permissions.

The default creation permissions can be modified using the umask command.

umask affects only the current shell environment. On most Linux distributions, the default system-wide umask value is set in the pam_umask.so module, the /etc/profile file, or /etc/login.defs.

If you want to specify a different value on a per-user basis, edit the user’s shell configuration files such as ~/.bashrc or ~/.zshrc. You can also change the current session umask value by running umask followed by the desired value.

To view the current mask value, type umask without any arguments:

Terminal
umask

output

The umask value contains the permission bits that will NOT be set on newly created files and directories.

The default creation permissions for files are 666 and for directories 777. To calculate the permission bits for new files, subtract the umask value from the default value.

For example, to calculate how umask 022 affects newly created files and directories:

Files: 666 - 022 = 644. The owner can read and modify the files. Group and others can only read the files.
Directories: 777 - 022 = 755. The owner can cd into the directory and list, read, modify, create, or delete files in it. Group and others can cd into the directory and list and read the files.

You can also display the mask value in symbolic notation using the -S option:

Terminal
umask -S

output

u=rwx,g=rx,o=rx

Unlike the numeric notation, the symbolic notation value shows the permission bits that will be set on newly created files and directories.

Setting the umask Value

The file creation mask can be set using octal or symbolic notation. To make the change permanent, set the new umask value in a global configuration file like /etc/profile, which will affect all users, or in a user’s shell configuration files such as ~/.profile, ~/.bashrc, or ~/.zshrc, which will affect only that user. User files take precedence over global files.

Before changing the umask value, make sure the new value does not pose a security risk. Values less restrictive than 022 should be used with caution. For example, umask 000 typically results in 666 permissions for new files and 777 permissions for new directories.

To set more restrictive permissions so others cannot cd into directories or read files, use 750 for directories and 640 for files.

To calculate the umask value, subtract the desired permissions from the default:

txt
umask value: 777 - 750 = 027

The desired umask value in numeric notation is 027.

To permanently set the new value system-wide, open the /etc/profile file with your text editor:

Terminal
sudo nano /etc/profile

Add or change the following line:

/etc/profilesh
umask 027

For the change to take effect, run the source command or start a new login session:

Terminal
source /etc/profile

If your shell is non-login, you may need to set umask in ~/.bashrc or ~/.zshrc instead of relying on /etc/profile.

To verify the new settings, create a file and a directory using touch and mkdir :

Terminal
touch newfile
mkdir newdir

Check the permissions with ls:

output

drwxr-x--- 2 linuxize users 4096 Jul 4 18:14 newdir
-rw-r----- 1 linuxize users 0 Jul 4 18:14 newfile

The new file has 640 and the new directory has 750 permissions, as expected.

You can also set the file creation mask using symbolic notation. For example, umask u=rwx,g=rx,o= is the same as umask 027.

Quick Reference

Command	Description
`umask`	Display the current mask in octal notation
`umask -S`	Display the current mask in symbolic notation
`umask 022`	Set the mask to `022` for the current session
`umask u=rwx,g=rx,o=rx`	Set the mask using symbolic notation

Troubleshooting

umask value resets in new terminals
You likely set it in a file that your shell does not load for that session type. Login shells usually read /etc/profile and ~/.profile; interactive non-login shells usually read ~/.bashrc or ~/.zshrc.

umask works for your user but not for services
Service processes often run under systemd units or dedicated service accounts and do not inherit your interactive shell settings. Set UMask= in the relevant systemd unit or configure the service account environment explicitly.

sudo commands create files with unexpected permissions
sudo runs commands with root’s environment and mask settings, not your user shell settings. Check root’s defaults (sudo sh -c 'umask') and configure root or service-level settings where needed.

FAQ

What is the default umask on Linux?
Most Linux distributions use 0022 as the default system-wide umask. This results in 644 permissions for new files and 755 for new directories.

How do I make a umask change permanent?
Add the umask command to your shell configuration file. For a single user, edit ~/.bashrc or ~/.zshrc. For all users on the system, edit /etc/profile or /etc/login.defs.

What is the difference between umask and chmod?
umask sets the default permissions applied at file creation time. chmod changes the permissions of an existing file or directory. They work at different points in the file lifecycle.

Why do new files never get execute permission even with umask 000?
Linux applies an additional restriction that strips execute bits from regular files at creation time. The base for regular files is 666, not 777, so even umask 000 results in 666 permissions for files. Execute permission must be added explicitly with chmod.

Conclusion

The umask command controls the default permission mask applied to all newly created files and directories. Understanding how to calculate and set the umask value helps you enforce consistent, secure permission defaults across your system.

For more information, type man umask in your terminal. To learn more about Linux file permissions, see the chmod and chown command guides.

If you have any questions, feel free to leave a comment below.

Linux Users and Permissions on Linuxize

How to List Users in Linux

List All Users with /etc/passwd #

List All Users with getent #

Check Whether a User Exists #

List Only Human Users #

List Users Who Can Log In #

List Logged-In Users #

List Users in a Group #

Last Login Information #

Troubleshooting #

Quick Reference #

FAQ #

Conclusion #

How to Create Users in Linux (useradd Command)

Understanding User Types in Linux #

Quick Reference #

useradd Command #

Creating a New User #

Setting User Passwords #

Creating a User with a Home Directory #

Creating a User with a Specific Home Directory #

Creating a User with a Specific User ID #

Creating a User with a Specific Group ID #

Creating a User and Assigning Multiple Groups #

Creating a User with a Specific Login Shell #

Creating a User with a Custom Comment #

Creating a User with an Expiry Date #

Creating a System User #

Configuring Default Values for User Accounts #

Troubleshooting #

FAQ #

Conclusion #

usermod Command in Linux: Modify User Accounts and Groups

usermod Command Syntax #

Add a User to a Group #

Change User Primary Group #

Changing the User Information #

Changing a User Home Directory #

Changing a User Default Shell #

Changing a User UID #

Changing a User Name #

Setting a User Expiry Date #

Locking and Unlocking a User Account #

Quick Reference #

Troubleshooting #

FAQ #

Conclusion #

How to Remove a User in Linux

Quick Reference #

userdel Command Syntax #

Before You Remove a User #

Remove a User in Linux #

Remove a User and Home Directory #

Remove a Logged-In User #

Removing a User’s Cron Jobs #

Locking a User Instead of Deleting #

Finding Orphaned Files #

Verifying the User Was Deleted #

deluser on Debian and Ubuntu #

Troubleshooting #

FAQ #

Conclusion #

passwd Command in Linux: Change User Passwords

passwd Command Syntax #

Changing Your Own Password #

Changing Another User’s Password #

Changing the Root Password #

Removing a Password (Empty Password) #

Forcing a Password Change at Next Login #

Password Aging Policy with chage #

Locking and Unlocking a User Account #

Quick Reference #

FAQ #

Conclusion #

How to List Groups in Linux

Linux Groups #

List all Groups a User is a Member of #

Using the groups Command #

Using the id Command #

List All Users with /etc/passwd

List All Users with getent

Check Whether a User Exists

List Only Human Users

List Users Who Can Log In

List Logged-In Users

List Users in a Group

Last Login Information

Troubleshooting

Quick Reference

FAQ

Conclusion

Understanding User Types in Linux

Quick Reference

`useradd` Command

Creating a New User

Setting User Passwords

Creating a User with a Home Directory

Creating a User with a Specific Home Directory

Creating a User with a Specific User ID

Creating a User with a Specific Group ID

Creating a User and Assigning Multiple Groups

Creating a User with a Specific Login Shell

Creating a User with a Custom Comment

Creating a User with an Expiry Date

Creating a System User

Configuring Default Values for User Accounts

Troubleshooting

FAQ

Conclusion

usermod Command Syntax

Add a User to a Group

Change User Primary Group

Changing the User Information

Changing a User Home Directory

Changing a User Default Shell

Changing a User UID

Changing a User Name

Setting a User Expiry Date

Locking and Unlocking a User Account

Quick Reference

Troubleshooting

FAQ

Conclusion

Quick Reference

userdel Command Syntax

Before You Remove a User

Remove a User in Linux

Remove a User and Home Directory

Remove a Logged-In User

Removing a User’s Cron Jobs

Locking a User Instead of Deleting

Finding Orphaned Files

Verifying the User Was Deleted

deluser on Debian and Ubuntu

Troubleshooting

FAQ

Conclusion

`passwd` Command Syntax

Changing Your Own Password

Changing Another User’s Password

Changing the Root Password

Removing a Password (Empty Password)

Forcing a Password Change at Next Login

Password Aging Policy with `chage`

Locking and Unlocking a User Account

Quick Reference

FAQ

Conclusion

Linux Groups

List all Groups a User is a Member of

Using the groups Command

Using the id Command

List Members of a Group

List All Groups

Quick Reference

Troubleshooting

FAQ

Conclusion

`groupadd` Command Syntax