Day 13 - Users and Groups

INTRO

Today you’re going to set-up another user on your system. You’re going to imagine that this is a help-desk person that you trust to do just a few simple tasks:

check that the system is running
check disk space with: df -h

…but you also want them to be able to reboot the system, because you believe that “turning it off and on again” resolves most problems :-)

You’ll be covering a several new areas, so have fun!

YOUR TASKS TODAY

Create a new user
Create a new group
Create a new user and add to an existing group
Make a new user a sudoer

Follow this demo

ADDING A NEW USER

Choose a name for your new user - we’ll use “helen” in the examples, so to add this new user:

sudo adduser helen

(Names are case-sensitive in Linux, so “Helen” would be a completely different user)

The “adduser” command works very slightly differently in each distro - if it didn’t ask you for a password for your new user, then set it manually now by:

sudo passwd helen

You will now have a new entry in the simple text database of users: /etc/passwd (check it out with: less), and a group of the same name in the file: /etc/group. A hash of the password for the user is in: /etc/shadow (you can read this too if you use “sudo” - check the permissions to see how they’re set. For obvious reasons it’s not readable to just everyone).

If you’re used to other operating systems it may be hard to believe, but these simple text files are the whole Linux user database and you could even create your users and groups by directly editing these files - although this isn’t normally recommended.

Additionally, adduser will have created a home directory, /home/helen for example, with the correct permissions.

ATTENTION! useradd is not the same as adduser. They both create a new user, but they interact very differently. Check the link in the EXTENSION section to see those differences.

ADDING A NEW GROUP

Let’s say we want to all of the developers in my organization to have their own group, so they can have access to the same things.

sudo groupadd developers

On most modern Linux systems there is a group created for each user, so user “ubuntu” is a member of the group “ubuntu”. But if you want, you can create a new user directly into an existing group, using the ingroup flag. So a new user fred would be created like this:

sudo adduser --ingroup developers fred

ADDING AN USER TO GROUPS

Users can also be part of more than one group, and groups can be added as required.

To see what groups you’re a member of, simply type: groups

On an Ubuntu system the first user created (in your case ubuntu), should be a member of the groups: ubuntu, sudo and admin - and if you list the /var/log folder you’ll see your membership of the sudo group is why you can use less to read and view the contents of /var/log/auth.log

The “root” user can add a user to an existing group with the command:

usermod -a -G group user

so your ubuntu user can do the same simply by prefixing the command with sudo.

Because the new user helen is not the first user created in the system, they don’t have the power to run sudo - which your user has by being a member of the group sudo.

So, to check which groups helen is a member of, you can “become helen” by switching users like this:

sudo su helen

Then:

groups

If you try to do stuff only a sudo user can do, i.e. read the contents of /var/log/auth.log, even using the prefix sudo won’t work. Helen is not a sudo and has no permissions to perform this action.

Now type “exit” to return to your normal user, and you can add helen to this group with:

sudo usermod -a -G sudo helen

Instead of switching users again, simply run the groups helen to check. Try that with fred too and check how everything works.

See if any of your new users can sudo reboot.

CLEVER SUDO TRICKS

Your new user is just an ordinary user and so can’t use sudo to run commands with elevated privileges - until we set them up. We could simply add them to a group that’s pre-defined to be able to use sudo to do anything as root (like we did with helen) - but we don’t want to give fred quite that same amount of power.

Use ls -l to look at the permissions for the file: /etc/sudoers This is where the magic is defined, and you’ll see that it’s tightly controlled, but you should be able to view it with: sudo less /etc/sudoers You want to add a new entry in there for your new user, and for this you need to run a special utility: visudo

To run this, you can temporarily “become root” by running:

sudo -i

Notice that your prompt has changed to a #

Now simply run visudo to begin editing /etc/sudoers - typically this will use nano.

All lines in /etc/sudoers beginning with “#” are optional comments. You’ll want to add some lines like this:

# Allow user "fred" to run "sudo reboot"
# ...and don't prompt for a password
#
fred ALL = NOPASSWD:/sbin/reboot

You can add these line in wherever seems reasonable. The visudo command will automatically check your syntax, and won’t allow you to save if there are mistakes - because a corrupt sudoers file could lock you out of your server!

Type exit to remove your magic hat and become your normal user again - and notice that your prompt reverts to: $

TESTING

Test by logging in as your test user and typing: sudo reboot Note that you can “become” helen by:

sudo su helen

If your ssh config allows login only with public keys, you’ll need to setup /home/helen/.ssh/authorized_keys - including getting the owner and permissions correct. A little challenge of your understanding of this area!

EXTENSION

If you find this all pretty familiar, then you might like to check and update your knowledge on a couple of related areas:

Restricting shell access
Linux Password & Shadow File Formats
What’s the difference between ‘useradd’ and ‘adduser’?
How to create users and groups in Linux from the command line
Learn how to use the $EDITOR environmental variable to set your default editor to vim. With this done, visudo will use vim rather than nano for editing.

RESOURCES

Some rights reserved. Check the license terms here