Do you need to add or remove user accounts on your Raspberry Pi, or grant users access to certain groups? Managing users and groups is crucial for controlling permissions and securing your Raspberry Pi system.
In this comprehensive 2500+ word guide, you'll learn everything about managing users and groups on Linux-based systems like Raspberry Pi. Follow examples to create users, assign group memberships, and delete unneeded accounts.
Here's what we'll cover:
- An Introduction to Linux Users and Groups – Background on how Linux permissions work.
- Creating New Users on Raspberry Pi – Add fresh user accounts with adduser.
- Adding a User to Groups – Grant permissions by adding users to groups.
- Removing a User from a Group – Revoke access with deluser.
- Deleting a User Completely – Deleting unused accounts.
- Best Practices for User and Group Management – Set up accounts properly.
Let's get started with a foundation on Linux users and groups.
An Introduction to Linux Users and Groups
Linux systems like Raspberry Pi rely on users and groups to manage access control and permissions. Learning core concepts here will help you understand how to add and remove users from groups.
Each user on a Linux system has a unique name and numeric ID. These are assigned when the user account is first created. The user ID (UID) tracks individual users for permissions and accounting.
Usernames like john, mary, peter etc. map to UIDs behind the scenes. For example john may map to UID 500, mary to UID 501, peter to UID 502, and so on.
When a user tries to access a resource like a file or process, Linux checks their ID against the access rules. This determines if access should be granted or denied.
Groups are collections of users who share common permissions. Each group is identified by a name and group ID (GID).
For example employees in the sales department may belong to a "sales" group. Engineers could belong to an "engineering" group.
Group IDs work like user IDs to control permissions. If accessing a sales spreadsheet shared to the "sales" group, your user ID would need membership in the "sales" group (GID) to be granted access by Linux.
When you create a new user account, Linux automatically creates a private group with the same name.
For example, creating user john automatically generates group john. By default, new users start out only belonging to their own private group.
This initial group is handy for permissions on files owned by that user. However, broader access requires adding users to additional existing groups on the system.
The "sudo" and "wheel" groups deserve special mention. They grant sudo privileges allowing members to execute commands as the root superuser.
This gives complete system control, so admins need to be careful about granting sudo group membership.
Now that you understand users, groups and permissions in Linux, let's move on to managing them on a Raspberry Pi.
Creating New Users on Raspberry Pi
The first step in managing users and groups is creating new user accounts. Each person accessing your Raspberry Pi should have their own user account.
Here are some reasons it's best practice to create user accounts for each individual:
- Permissions – Control resource access per user.
- Accounting – Track activity per user.
- Security – Limit damage from compromised accounts.
To add a new user on Raspberry Pi, use the adduser command:
sudo adduser newuser
Replace newuser with the username you want to create.
The adduser command creates the new account along with a home folder and assigned UID automatically.
Let's walk through an example creating a user named john:
sudo adduser john
You'll first be prompted to enter and confirm a password for the new account:
Enter new UNIX password:
Retype new UNIX password:
Always choose a strong password. This will prevent attackers from easily compromising the account. Consider using a password manager to generate and store a random, complex password.
Next, adduser will prompt you to fill in some optional GECOS information. GECOS stands for General Electric Comprehensive Operating System developed in the early 1960s.
The GECOS field is meant to store personal user details. Press Enter to skip if you don't need this:
Full Name []: John Smith
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Finally, verify the information is correct when prompted:
Is the information correct? [Y/n] Y
This will finish creating the new user account!
By default, adduser creates a private group with the same name which the user belongs to initially.
Our example user john would belong to initial group john. Verify with:
groups john
john : john
Of course, belonging only to their private group prevents access to most of the system. Next we'll look at adding users to additional groups for more permissions.
On Ubuntu and Debian, adduser also automatically copies /etc/skel files like .profile into the new home folder. This sets up a basic environment.
That covers the basics of creating a new user with adduser!
Adding a User to Groups
To grant access beyond their private group, users need membership in shared groups. We do this by adding users to groups with the adduser or usermod commands.
Shared groups like users, sudo, adm or systemd-journal control access to broader resources like storage, logs and devices.
For example, the default pi user belongs to the users, sudo and input groups among others:
groups pi
pi : pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi render
Let's add our test user john to the users and adm groups:
sudo adduser john users
sudo adduser john adm
Confirm john now belongs to those groups:
groups john
john : john users adm
The users group grants access to certain system paths and resources. adm allows reading system logs in /var/log.
We can keep adding john to as many groups as needed. Common Raspberry Pi groups include:
- users – General system access
- adm – Read logs
- dialout – Serial device access
- cdrom – Directly access optical disks
- sudo – Escalate to root with sudo
- audio – Audio devices
- video – Video devices
- plugdev – Hotplug device access
- gpio – GPIO pin control
- i2c – I2C interface access
- spi – SPI interface access
For example, adding john to gpio would allow GPIO pin usage:
sudo adduser john gpio
Alternatively, we can add users to multiple groups in one command with:
sudo usermod -a -G group1,group2,... user
For instance:
sudo usermod -a -G users,adm,dialout,gpio john
This adds john to all those groups simultaneously!
Follow the principle of least privilege in assigning group memberships. Only add users to the specific groups absolutely needed for their role and duties.
Overly broad access increases risks should an account be compromised. But don't forget to provide all necessary access! Finding the right balance takes practice.
That's the essential process for granting users additional access by adding them to system groups. Now let's look at removing group access.
Removing a User from a Group
Taking away permissions is just as important as granting them. Removing users from groups prevents access to resources they no longer require.
Use the deluser command to remove a user from a group:
sudo deluser john adm
This removes user john from the adm group, revoking access to read log files.
Check john no longer belongs to adm:
groups john
john : john users
Likewise, we can remove john from any other groups:
sudo deluser john dialout
sudo deluser john gpio
The deluser command is simple but should be used judiciously. Only remove group memberships when you have confirmed the user no longer requires that access.
Accidentally removing a user from a group they need could disrupt workflows or break dependencies. Err on the side of caution here.
In summary, remembering to revoke unneeded or excessive group access is key for security. Over time, users inevitably accumulate permissions they no longer require as roles and needs change.
Prune group memberships with deluser to limit potential damage should an account ever become compromised. Apply the principle of least privilege.
Next, let's look at completely removing user accounts.
Deleting a User Completely
Sometimes user accounts are no longer needed at all. Removing the account entirely can make sense to improve security.
So far, the deluser command has only removed the user's group memberships. To delete the user itself, use:
sudo deluser john
This will:
- Delete the user's home folder
- Remove their unique UID
- Revoke all group memberships
- Prevent logins
In short, it completely deletes their presence from the system.
Double check the account can no longer log in or be queried:
su - john
No passwd entry for user 'john'
Use care when deleting entire accounts, however. This can break workflows relying on that user. Only delete accounts you are absolutely certain are no longer needed.
In summary, deluser offers control over revoking access and removing unneeded accounts. Use it whenever your user and permission requirements change.
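As an added example (not part of the original guide), the following check looks for residue of a deleted account. Whether deluser also removes the home folder depends on its configuration (the --remove-home option or REMOVE_HOME in /etc/deluser.conf), so it is worth verifying. The function names and sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example: look for what a deleted account can leave behind.

# orphan_homes HOME_BASE PASSWD_FILE
# Prints directories directly under HOME_BASE that no passwd entry
# names as its home directory (passwd field 6).
orphan_homes() {
    base=${1%/}
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        awk -F: -v h="$dir" '$6 == h { found = 1 } END { exit !found }' "$2" ||
            echo "$dir"
    done
}

# stale_group_members GROUP_FILE PASSWD_FILE
# Prints "group:user" for every member named in the group file that
# has no passwd entry.
stale_group_members() {
    awk -F: '
        NR == FNR { user[$1] = 1; next }   # first file: passwd
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && !(m[i] in user)) print $1 ":" m[i]
        }' "$2" "$1"
}

# Constructed sample: john was deleted but his home directory and one
# group entry are still present.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/home/pi" "$d/home/john"
    printf 'pi:x:1000:1000::%s/home/pi:/bin/bash\n' "$d" > "$d/passwd"
    printf '%s\n' 'pi:x:1000:' 'gpio:x:997:pi,john' > "$d/group"
    orphan_homes "$d/home" "$d/passwd"
    stale_group_members "$d/group" "$d/passwd"
    rm -rf "$d"
}

demo
```

On the live system, run orphan_homes /home /etc/passwd and stale_group_members /etc/group /etc/passwd. Running sudo find / -xdev -nouser additionally lists files whose owning UID no longer has a passwd entry.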
Best Practices for User and Group Management
Now that we've covered the basics of user and group management, let's discuss some best practices to apply these concepts securely and effectively.
Follow these guidelines as you manage users and groups on your Raspberry Pi:
Create individual user accounts – Don't share accounts. Create a unique user for each person. This ties activity to individuals and limits damage if an account is compromised.
Use strong passwords – Always set a complex, random password for each user. Enforce password policies requiring sufficient length, mixed cases, numbers and symbols.
Grant least privilege – Only add users to the specific groups absolutely necessary for their role and no more. Excessive access increases risk. Revoke permissions once no longer needed.
Leverage private groups – Use each user's private group to control permissions on files that should be restricted to them.
Limit sudo users – Only add users to the sudo group if they specifically need root command access. Audit sudo group membership regularly.
Review groups – Periodically review group memberships to ensure they align with current needs and remove any excessive access.
Delete unused accounts – Removing accounts is wise if you confirm they are obsolete. But use caution deleting active users.
Log audits – Audit logs via last and monitor user additions, deletions and privilege escalations.
No single rule addresses all scenarios, so adapt as needed. But keeping these best practices in mind will help you manage users and groups securely.
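The sudo audit and periodic group review recommended above can be scripted. This is an added example, not from the original guide: it lists everyone effectively in a group (supplementary members plus accounts whose primary GID is that group) and flags anyone not on an approved list. The allowlist file of group:user pairs, the function names and the sample data are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit who is effectively in sensitive groups.

# members_of GROUP GROUP_FILE PASSWD_FILE
# Prints supplementary members from the group file plus accounts whose
# primary GID (passwd field 4) is that group, one name per line.
members_of() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2")
    [ -n "$gid" ] || return 0
    {
        awk -F: -v g="$1" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$2"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# audit_groups GROUP_FILE PASSWD_FILE ALLOWLIST GROUP...
# ALLOWLIST holds approved "group:user" pairs, one per line.
# Prints every unapproved pair and returns 1 if any exist.
audit_groups() {
    group_file=$1; passwd_file=$2; allow=$3; shift 3
    rc=0
    for g in "$@"; do
        for u in $(members_of "$g" "$group_file" "$passwd_file"); do
            grep -qxF -e "$g:$u" "$allow" && continue
            echo "UNAPPROVED $g:$u"
            rc=1
        done
    done
    return "$rc"
}

# Constructed sample data in group(5) and passwd(5) format.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'sudo:x:27:pi,john' 'adm:x:4:pi' 'gpio:x:997:' > "$d/group"
    printf '%s\n' 'pi:x:1000:1000::/home/pi:/bin/bash' \
        'john:x:1001:1001::/home/john:/bin/bash' \
        'svc:x:1002:27::/home/svc:/bin/sh' > "$d/passwd"
    printf '%s\n' 'sudo:pi' 'adm:pi' > "$d/allow"
    if audit_groups "$d/group" "$d/passwd" "$d/allow" sudo adm gpio
    then rc=0; else rc=1; fi
    rm -rf "$d"
    return "$rc"
}

demo || echo "Review the memberships listed above."
```

Against the live system, call audit_groups /etc/group /etc/passwd /path/to/allowlist sudo adm gpio, where the allowlist path is a placeholder for a file you maintain.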
Conclusion
You now have a complete overview of managing users and groups on a Linux system like Raspberry Pi!
Here's a quick summary of what we covered:
- Linux permissions rely on users and groups. Understand how UIDs and GIDs work.
- Create new users with adduser when you need new accounts.
- Add users to permitted groups like users or gpio with adduser to grant access.
- Revoke group access as needed with deluser to enforce least privilege.
- Fully delete obsolete accounts with deluser if no longer needed.
- Apply best practices like individual accounts and limited privileges.
Following this guide, you can:
- Confidently create, modify and remove users on your Raspberry Pi
- Assign users to groups granting only necessary access
- Revoke permissions when requirements change
- Delete unneeded accounts to improve security
- Troubleshoot account and access issues
Properly managing your users and groups is crucial for securing your Raspberry Pi. Restrict access where required while providing necessary permissions. Strive for least privilege.
You now have the knowledge to control your Raspberry Pi users and groups like a Linux pro! Put these skills to work as you manage your system.




