User Permissions Management in Ubuntu
Hostman Team
Technical writer
Ubuntu
23.07.2024
Reading time: 5 min

Managing user permissions is crucial for system security. Ineffective access configuration often makes a system vulnerable. This guide will show you how to secure your server with simple yet effective methods for managing user accounts. It is particularly useful for novice system administrators and other IT professionals.

User permissions in Linux significantly impact system security. Proper configuration makes it harder for attackers to access your system.

Basic User Settings

Commands can be used to manage system access, creating a set of users who can read, edit, or execute data stored on the server. Ubuntu, like other Linux distributions, uses two basic user units: user and group. Let's see how to create and delete them.

Creating a User

A user is an individual account capable of executing commands and accessing system data. The simplest way to create a user in Ubuntu is:

sudo adduser username

The system will prompt you to set a password.

Blocking and Deleting a User

To block a user, use:

sudo usermod -L username

To unblock the user, replace -L with -U.

To delete a user in Ubuntu:

sudo userdel -r username

The -r flag also removes the user’s home directory and all their data, a step that is irreversible. To retain the user’s information, omit the -r flag.

Creating a Group

A group is a collection of one or more accounts that share access to system data. To create a new group, enter:

sudo addgroup groupname

To check a user’s group memberships, use:

groups username

To add a user to a group in Ubuntu:

sudo usermod -aG groupname username

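Here, -a means "append" and -G specifies the supplementary group. Without -a, -G replaces the user's existing supplementary groups with the ones listed.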

Deleting a Group

To delete a group:

sudo delgroup groupname

Listing All Users and Groups

To see a list of all system accounts, use:

cat /etc/passwd

Similarly, to see all groups:

cat /etc/group

Viewing User Groups and Permissions

The /etc/group file contains information about all system groups and user memberships. To view all groups a user belongs to:

groups username

To view permissions for using sudo commands, check if the user belongs to the sudo group.

Changing User Passwords

To change a user’s password:

sudo passwd username

You will be prompted to enter a new password for the specified account.

Usermod and ID

Every process in the system is associated with an account identifier, indicating the user who initiated the process. By default, User IDs (UID) from 0 to 999 are reserved for system use, while newly created accounts get IDs starting from 1000. To check a user account’s properties:

grep username /etc/passwd

To change a user’s UID:

sudo usermod -u 2025 username

To add a comment to an account:

sudo usermod -c "Comment" username

To create and change the home directory:

sudo mkdir -p /catalog1/catalog
sudo usermod -d /catalog1/catalog username

To change the login shell:

sudo usermod -s /sbin/nologin username

Setting the login shell to /sbin/nologin prevents the user from opening an interactive shell such as bash when they log in.

To set an account expiration date (usermod -e expires the account itself, not the password):

sudo usermod -e "YYYY-MM-DD" username

After this date, the user cannot log in.
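
The UID ranges and the nologin shell described in this section are enough to audit the account list. The script below is an added example, not part of the original guide; the function names, output labels and sample accounts are constructed for illustration.

```bash
# Constructed sample in /etc/passwd format (not taken from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:1001:1001::/home/svc-backup:/usr/sbin/nologin
toor:x:0:0::/root:/bin/sh
EOF
}

# audit_passwd [FILE]: read passwd-format data (stdin if no FILE) and print
#   UID0 <name>                        account other than root that has UID 0
#   SYSTEM_SHELL <name> <uid> <shell>  UID 1-999 whose shell is not nologin/false
#   HUMAN <name> <uid> <shell>         UID >= 1000 whose shell is not nologin/false
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        NF != 7 { print "MALFORMED line " NR; next }
        {
            name = $1; uid = $3 + 0; shell = $7
            nologin = (shell ~ /\/(nologin|false)$/)
            if (uid == 0 && name != "root") print "UID0 " name
            else if (uid == 0)              next
            else if (nologin)               next
            else if (uid <= 999)            print "SYSTEM_SHELL " name " " uid " " shell
            else                            print "HUMAN " name " " uid " " shell
        }' "${1:--}"
}

# Demo on the constructed sample; on a server run: audit_passwd /etc/passwd
sample_passwd | audit_passwd
```

Any UID0 or SYSTEM_SHELL line deserves a look: the first is a second root-equivalent account, the second is a service account that still has a usable login shell.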

The sudoers File and Root Permissions

By default, Ubuntu keeps a user's sudo authentication valid for only 15 minutes to minimize security risks; after that, sudo asks for the password again. The sudo command allows users to execute tasks with root privileges.

Granting Root Privileges

There are two main ways to grant root privileges to a user in Ubuntu:

  1. Add the user to the sudo group, allowing them to execute commands with elevated privileges.

  2. Edit the sudoers file to manually assign privileges.

Editing the sudoers File

The sudoers file defines who has access to sudo. To edit it safely, use:

sudo visudo

The default contents look like this:

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d

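To add a user with root privileges (the NOPASSWD: tag lets the user run sudo without entering a password; leave it out to keep the password prompt):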

username ALL=(ALL) NOPASSWD:ALL

Save the file with CTRL + X, then Y, and ENTER.
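
Because a NOPASSWD rule removes the password prompt, it helps to know where such rules exist. The script below is an added example, not part of the original guide; the function names and the sample rules (including the backup/rsync entry) are constructed for illustration.

```bash
# Constructed sudoers sample; the "username" rule is the one shown above.
sample_sudoers() {
    cat <<'EOF'
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# deploy ALL=(ALL) NOPASSWD: ALL
username ALL=(ALL) NOPASSWD:ALL
backup  ALL=(root) \
        NOPASSWD: /usr/bin/rsync
EOF
}

# find_nopasswd FILE...: print "file:line: rule" for every active rule that
# carries the NOPASSWD tag. Handles backslash line continuation and ignores
# comments, so a commented-out rule is not reported.
find_nopasswd() {
    awk '
        FNR == 1 { buf = "" }
        {
            if (buf == "") start = FNR           # first line of a (joined) rule
            line = $0
            if (line ~ /\\$/) { sub(/\\$/, "", line); buf = buf line; next }
            rule = buf line; buf = ""
            # Strip comments. "#" followed by a digit is a numeric UID in
            # sudoers, so it is kept; "#includedir" lines are dropped here too,
            # which is harmless because they never carry a NOPASSWD tag.
            sub(/#([^0-9].*)?$/, "", rule)
            if (rule ~ /NOPASSWD[ \t]*:/) {
                gsub(/[ \t]+/, " ", rule)
                print FILENAME ":" start ": " rule
            }
        }' "$@"
}

# Demo on the constructed sample.
# Real use (as root): find_nopasswd /etc/sudoers /etc/sudoers.d/*
f=$(mktemp); sample_sudoers > "$f"; find_nopasswd "$f"; rm -f "$f"
```

After any manual edit, `visudo -c` checks the sudoers syntax without opening an editor.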

Switching to Root User

To switch to the root user:

sudo su

This combines sudo and su, allowing you to operate as the root user without prefacing each command with sudo.

Creating Aliases

Create user groups for simplified access management:

User_Alias ADMINS = user1, user2

Use these aliases to assign permissions in the sudoers file.

Interactive and Non-Interactive sudo

Use sudo -i to start a shell with root privileges, useful for executing multiple commands:

sudo -i

File Access Management

User permissions for directories and files in Ubuntu can be controlled using various commands.

Adding and Removing Permissions

To add permissions:

chmod +rwx filename

To remove permissions:

chmod -rwx filename

To allow execution:

chmod +x filename

To remove write and execute permissions:

chmod -wx filename

Changing File Ownership and Group

Change file ownership:

chown username filename

Change ownership recursively:

chown -R username:group /path/to/directory

Change group ownership:

chgrp groupname filename

Numerical Permission Codes

Permissions can also be set using numerical codes:

  • 0 = No permission

  • 1 = Execute

  • 2 = Write

  • 4 = Read

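Basically, you add up the numbers depending on what level of permissions you want to grant. A mode such as 750 has three digits: the first applies to the owner, the second to the group, and the third to everyone else.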

  • 0 = ---

  • 1 = --x

  • 2 = -w-

  • 3 = -wx

  • 4 = r--

  • 5 = r-x

  • 6 = rw-

  • 7 = rwx

Example:

chmod 777 directoryname

This grants everyone permission to read, write, and execute.

chmod 700 filename

This grants read, write, and execute permissions only to the owner.
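
A mode like 777 leaves the file writable by every account on the system, so it is worth checking where that bit is set. The script below is an added example, not part of the original guide; the function names are assumptions. It decodes a three-digit mode from its bits and lists world-writable paths under a directory.

```bash
# mode_to_rwx 750 -> rwxr-x---
# Decodes a three-digit mode by testing the 4 (read), 2 (write) and 1 (execute)
# bits of each digit, in the order owner, group, others.
mode_to_rwx() {
    out=""
    for d in $(printf '%s\n' "$1" | sed 's/./& /g'); do
        for bit in 4:r 2:w 1:x; do
            if [ $(( d & ${bit%%:*} )) -ne 0 ]; then
                out="$out${bit#*:}"
            else
                out="$out-"
            fi
        done
    done
    printf '%s\n' "$out"
}

# world_writable DIR: list files and directories under DIR that anyone may
# write to (the "others" write bit, octal 002). Symlinks are skipped because
# their own mode is not enforced, and sticky directories such as /tmp (1777)
# are skipped because the sticky bit stops users deleting each other's files.
world_writable() {
    find "$1" -xdev ! -type l -perm -0002 ! \( -type d -perm -1000 \) | sort
}

mode_to_rwx 777   # rwxrwxrwx
mode_to_rwx 700   # rwx------
# Real use: world_writable /srv
```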

Conclusion

This guide covers user permissions management in Ubuntu and also applies to other Linux systems. By following these steps, you can create users, groups and control access to files and root privileges, enhancing your system's security.
