User Management in Linux Administration

User management is a critical part of Linux administration. It involves creating and managing user accounts and groups to control access to system resources. In this guide, we’ll cover the basics of user management in Linux using simple commands, ensuring that even beginners can understand the concepts clearly.

Become Super User (Root User)

Before performing any user management tasks, you often need superuser privileges. This is because user management commands require administrative access to make changes to the system. To switch to the superuser (root) account, use:

sudo su

Create a New User

To create a new user, you can use the useradd command followed by the username. For example, to create a user named John:

useradd john

To check the details of the user you just created, use the id command. This command will display information about John, including his user ID (UID), primary group ID (GID), and any secondary groups he belongs to.

id john

Note: When you create a user in Linux, a group with the same name as the user is also created by default.

Set a Password for the User

After creating a user, you need to set a password for them to enable them to log in. Use the passwd command and you’ll be prompted to enter a new password for John.

passwd john

User and Group Configuration Files

  • /etc/passwd: Contains basic user information, such as username, user ID, group ID, home directory, and default shell.
  • /etc/group: Stores group information, including the group name, group ID, and member list.

Create and Manage Groups

You can create a new group using the groupadd command. For example, to create a group named devops.

groupadd devops

Each user must have at least one primary group and can have multiple secondary groups. By default, a new user’s primary group has the same name as the username. However, you can change this primary group using the usermod command.

  • For example, if you want to change John’s primary group to devops, you would use:
usermod -g devops john

Note: After running this command, John’s primary group changes from john to devops. The group named john will still be there, but John won’t be part of it anymore unless you add him back.

  • To add John to a secondary group named testing:
usermod -aG testing john
  • To remove John from the testing group (Secondary Group):
gpasswd -d john testing

Remove User from the System

If an employee, such as John, leaves the organization, you will need to remove their user account from the system. The steps are:

  1. Remove the user from Primary Group.
  2. Delete the user account.

For example, to delete John’s account:

Before deleting the user, ensure they are removed from all groups. This can be done using the gpasswd -d command as shown earlier. Since every user must belong to at least one primary group, you can’t remove the user from their primary group directly. So, reassign John back to his original primary group using:

usermod -g john john

Once the user is reassigned to their original group, you can safely delete the user account.

userdel john

This command will delete John’s user account. If you want to also delete John’s home directory and mail spool, use the -r option. As John was part of a group named john, deleting his user account will also delete that group.

Delete Group

If you don’t need the devops group and it is no longer associated with any users, you can then safely delete it using:
groupdel devops

Log in with Password Authentication

When a new user, such as “John,” is created, inform them of their login details, including the username and password.

By default, Linux systems may be configured to allow only key-based authentication for security reasons. However, if you want to enable password-based authentication, you need to modify the SSH configuration:

  1. Edit the SSH configuration file (usually /etc/ssh/sshd_config).
  2. Set PasswordAuthentication to yes.
  3. Restart the SSH service to apply the changes using systemctl restart sshd

John can now connect to the server using his username and password.

Log in with Key-Based Authentication

For secure access to a Linux server, administrators often use SSH keys instead of passwords. Here’s how it works:

  1. John, for example, would create an SSH key pair on his computer. This consists of two parts: a public key and a private key.
  2. John would then share his public key with the Linux administrator. The private key stays secure on John’s computer and should never be shared.
  3. The Linux administrator takes John’s public key and adds it to a special file called authorized_keys located in John’s home directory on the server. The path to this file is
/home/john/.ssh/authorized_keys

By adding the public key to the authorized_keys file, the server recognizes John’s private key when he tries to connect. This allows John to securely log in to the server without needing to enter a password.

Note: Make sure SSH key authentication is enabled and password authentication is disabled on the server. This ensures that only users with a valid private key can access the server, adding an extra layer of security.

Understanding File Permissions (r, w, x) and Ownership

In Linux, every file and directory has permissions that define who can read, write, or execute it. These permissions are assigned to three categories of users:

  • Owner (u) – the user who owns the file
  • Group (g) – the group associated with the file
  • Others (o) – everyone else

Each file can have three types of permissions:

  • r (read) – allows reading or viewing the file contents
  • w (write) – allows modifying or deleting the file
  • x (execute) – allows running the file as a program or script

To view file permissions, use:

ls -l

You’ll see output like:

-rwxr-xr--

Here:

  • The first character (-) indicates it’s a file (for directories, it shows d).
  • The next three (rwx) are permissions for the owner.
  • The next three (r-x) are for the group.
  • The last three (r--) are for others.

To modify permissions, use the chmod command.
For example:

chmod +x script.sh

This adds execute permission to the file script.sh, allowing it to be run as a program.

You can also set permissions numerically using modes:

  • 7 = read + write + execute (rwx)
  • 6 = read + write (rw-)
  • 5 = read + execute (r-x)
  • 4 = read only (r–)

For example:

chmod 755 script.sh

This means:

  • Owner: read, write, execute
  • Group: read, execute
  • Others: read, execute

If you need to change the owner of a file or directory, use:

chown username:groupname filename

Example:

chown john:devops project1.sh

This command makes John the owner and assigns the file to the devops group.

File and Directory Permissions

Managing file and directory permissions is crucial for maintaining security. Here’s how to set permissions for John

  • The .ssh directory should be accessible only by John to ensure no one else can access the SSH keys. Set using:
chmod 700 /home/john/.ssh
  • The authorized_keys file should be readable and writable only by John to prevent unauthorized changes. Set using:
chmod 600 /home/john/.ssh/authorized_keys
  • Change the ownership of authorized_keys file to John using:
chown -R John:John .ssh

By setting these permissions, you ensure that John’s SSH configuration is secure and that only John can modify or access these files.

To dive deeper… Check out these related topics:

Leave a Reply

Your email address will not be published. Required fields are marked *