Managing user permissions is crucial for system security. Ineffective access configuration often makes a system vulnerable. This guide will show you how to secure your server with simple yet effective methods for managing user accounts. It is particularly useful for novice system administrators and other IT professionals.
User permissions in Linux significantly impact system security. Proper configuration makes it harder for attackers to access your system.
Commands can be used to manage system access, creating a set of users who can read, edit, or execute data stored on the server. Ubuntu, like other Linux distributions, uses two basic user units: user and group. Let's see how to create and delete them.
A user is an individual account capable of executing commands and accessing system data. The simplest way to create a user in Ubuntu is:
sudo adduser username
The system will prompt you to set a password.
To block a user, use:
sudo usermod -L username
To unblock the user, replace -L with -U.
To delete a user in Ubuntu:
sudo userdel -r username
The -r flag also removes the user’s home directory and all their data, a step that is irreversible. To retain the user’s information, omit the -r flag.
A group is a collection of one or more accounts that share access to system data. To create a new group, enter:
sudo addgroup groupname
To check a user’s group memberships, use:
groups username
To add a user to a group in Ubuntu:
sudo usermod -aG groupname username
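Here, -a means "add" (append) and -G specifies the group. Without -a, the -G option replaces the user's existing supplementary groups with the listed ones.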
To delete a group:
sudo delgroup groupname
To see a list of all system accounts, use:
cat /etc/passwd
Similarly, to see all groups:
cat /etc/group
The /etc/group file contains information about all system groups and user memberships. To view all groups a user belongs to:
groups username
To view permissions for using sudo commands, check if the user belongs to the sudo group.
To change a user’s password:
sudo passwd username
You will be prompted to enter a new password for the specified account.
Every process in the system is associated with an account identifier, indicating the user who initiated the process. By default, User IDs (UID) from 0 to 999 are reserved for system use, while newly created accounts get IDs starting from 1000. To check a user account’s properties:
grep username /etc/passwd
To change a user’s UID:
sudo usermod -u 2025 username
To add a comment to an account:
sudo usermod -c "Comment" username
To create and change the home directory:
sudo mkdir -p /catalog1/catalog
sudo usermod -d /catalog1/catalog username
To change the login shell:
sudo usermod -s /sbin/nologin username
Setting the login shell to /sbin/nologin prevents the user from accessing the bash shell.
To set a password expiration date:
sudo usermod -e "YYYY-MM-DD" username
After this date, the user cannot log in.
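The account properties covered so far (UID ranges in /etc/passwd, login shells, sudo group membership in /etc/group) can be reviewed in one pass. This is an added example, not part of the original guide; the finding labels and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): flag risky entries in
# passwd/group-format files. Finding names such as "uid0" are made up here.

# audit_accounts PASSWD_FILE GROUP_FILE -> one "<finding>:<account>" per line
audit_accounts() {
    # passwd fields: name:password:UID:GID:comment:home:shell
    awk -F: '
        # An empty shell field falls back to /bin/sh, so treat it as interactive.
        function interactive(s) { return s == "" || s ~ /sh$/ }
        # Any account besides root with UID 0 is a second root account.
        $3 == 0 && $1 != "root"                { print "uid0:" $1 }
        # Service accounts (UID 1-999) rarely need an interactive shell.
        $3 > 0 && $3 < 1000 && interactive($7) { print "system-shell:" $1 }
        # Regular accounts (UID 1000 and up) that can still log in.
        $3 >= 1000 && interactive($7)          { print "login:" $1 }
    ' "$1"
    # group fields: name:password:GID:member1,member2
    awk -F: '$1 == "sudo" && $4 != "" {
        n = split($4, members, ",")
        for (i = 1; i <= n; i++) print "sudo:" members[i]
    }' "$2"
}

# Constructed sample data, so the check runs without touching the real files.
audit_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup2:x:0:0:constructed:/home/backup2:/bin/bash
svc:x:998:998:constructed:/var/lib/svc:/bin/sh
alice:x:1000:1000:constructed:/home/alice:/bin/bash
bob:x:1001:1001:constructed:/home/bob:/usr/sbin/nologin
EOF
    cat > "$dir/group" <<'EOF'
sudo:x:27:alice,carol
users:x:100:bob
EOF
    audit_accounts "$dir/passwd" "$dir/group"
    rm -rf "$dir"
}

audit_demo
```

To review a live system, call audit_accounts /etc/passwd /etc/group and compare the output with the accounts you expect to exist.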
The sudo command allows users to execute tasks with root privileges. By default, once a user has authenticated with sudo, Ubuntu keeps those root privileges available for only 15 minutes to minimize security risks.
There are two main ways to grant root privileges to a user in Ubuntu:
Add the user to the sudo group, allowing them to execute commands with elevated privileges.
Edit the sudoers file to manually assign privileges.
The sudoers file defines who has access to sudo. To edit it safely, use:
sudo visudo
The default contents look like this:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
To add a user with root privileges:
username ALL=(ALL) NOPASSWD:ALL
Save the file with CTRL + X, then Y, and ENTER.
To switch to the root user:
sudo su
This combines sudo and su, allowing you to operate as the root user without prefacing each command with sudo.
Create user groups for simplified access management:
User_Alias ADMINS = user1, user2
Use these aliases to assign permissions in the sudoers file.
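Because a NOPASSWD rule removes the password check in front of root access, it is worth listing exactly which accounts hold one, including accounts that receive it through a User_Alias. The following is an added example, not part of the original guide; the function names and the sample file (assembled from the lines shown above, plus one constructed commented-out rule) are illustrative.

```shell
#!/bin/sh
# Added example, not from the original guide: list who gets passwordless sudo.
# It reads one file only and does not follow #includedir or #include.

# sudoers_nopasswd FILE -> "<principal> line <N>" for every NOPASSWD rule
sudoers_nopasswd() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        $1 == "User_Alias" {
            name = $2
            sub(/=.*/, "", name)                # tolerate "ADMINS=user1"
            members = $0
            sub(/^[^=]*=[ \t]*/, "", members)   # keep the text after "="
            gsub(/[ \t]/, "", members)
            alias[name] = members
            next
        }
        /NOPASSWD[ \t]*:/ { who[++n] = $1; line[n] = NR }
        END {
            for (i = 1; i <= n; i++) {
                # Expand an alias into its members, otherwise print the name.
                k = (who[i] in alias) ? split(alias[who[i]], m, ",") : 0
                if (k == 0) print who[i] " line " line[i]
                for (j = 1; j <= k; j++) print m[j] " line " line[i]
            }
        }
    ' "$1"
}

# Constructed sample built from the lines shown in this guide.
sudoers_demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
User_Alias ADMINS = user1, user2
ADMINS ALL=(ALL) NOPASSWD:ALL
# deploy ALL=(ALL) NOPASSWD:ALL
username ALL=(ALL) NOPASSWD:ALL
EOF
    sudoers_nopasswd "$f"
    rm -f "$f"
}

sudoers_demo
```

After any manual change, sudo visudo -c checks the sudoers syntax without opening the editor.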
Use sudo -i to start a shell with root privileges, useful for executing multiple commands:
sudo -i
User permissions for directories and files in Ubuntu can be controlled using various commands.
To add permissions:
chmod +rwx filename
To remove permissions:
chmod -rwx filename
To allow execution:
chmod +x filename
To remove write permissions:
chmod -w filename
Change file ownership:
chown username filename
Change ownership recursively:
chown -R username:group /path/to/directory
Change group ownership:
chgrp groupname filename
Permissions can also be set using numerical codes:
0 = No permission
1 = Execute
2 = Write
4 = Read
Basically, you add up the numbers depending on what level of permissions you want to grant.
0 = ---
1 = --x
2 = -w-
3 = -wx
4 = r--
5 = r-x
6 = rw-
7 = rwx
Example:
chmod 777 directoryname
This grants everyone permission to read, write, and execute.
chmod 700 filename
This grants read, write, and execute permissions only to the owner.
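The numeric codes above are bit sums, so a mode can be decoded by testing the 4, 2 and 1 bits of each digit, and the same write bit for "others" is what find looks for when auditing a directory tree. This is an added example, not part of the original guide; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original guide: decode numeric modes by testing
# the 4/2/1 bits, and locate entries that any user can modify.

# digit_to_rwx N -> the rwx triplet for one octal digit (0-7)
digit_to_rwx() {
    d=$1 out=
    [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    printf '%s' "$out"
}

# mode_to_rwx MODE -> nine-character string for owner, group, others
mode_to_rwx() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $1" >&2; return 1 ;;
    esac
    owner=${1%??}; rest=${1#?}; group=${rest%?}; others=${1#??}
    printf '%s%s%s\n' "$(digit_to_rwx "$owner")" \
        "$(digit_to_rwx "$group")" "$(digit_to_rwx "$others")"
}

# others_can_write MODE -> succeeds when the last digit has the write bit (2)
others_can_write() {
    [ $(( ${1#??} & 2 )) -ne 0 ]
}

# find_world_writable DIR -> paths under DIR with the write bit set for others
find_world_writable() {
    find "$1" ! -type l -perm -0002 | sort
}

# The two modes used in this guide, plus a common file mode for comparison.
for m in 777 700 644; do
    if others_can_write "$m"; then note="world-writable"; else note="ok"; fi
    printf '%s %s %s\n' "$m" "$(mode_to_rwx "$m")" "$note"
done
```

Running find_world_writable on a data directory shows which entries would need chmod o-w to stop other accounts from modifying them.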
This guide covers user permissions management in Ubuntu and also applies to other Linux systems. By following these steps, you can create users and groups and control access to files and root privileges, enhancing your system's security.