Ubuntu Server - administrative user rights. User management. Giving full rights to an Ubuntu user
In this material you will learn how to create a user, change its password, get information about it or delete it, and how to create, change and delete groups. The examples are for Ubuntu Linux.

Adding a user
A user is added with the useradd command. Example:
sudo useradd vasyapupkin
This creates a new user vasyapupkin. useradd accepts options that change how the account is created (see useradd(8)); the ones used on this page are -m (create the home directory), -s (login shell), -c (comment), -d (home directory) and -g (primary group). Note that plain useradd neither creates a home directory nor sets a password unless asked to, so the account stays locked until you run passwd for it.

Default user creation options
If no additional options are given, the defaults are used. View them with:
useradd -D
The output looks like this:
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no
To change a default, pass the new value together with -D, for example to make bash the default login shell:
sudo useradd -D -s /bin/bash
Only the base directory (-b), expiry (-e), inactivity (-f), group (-g) and shell (-s) can be changed this way. Whether a home directory is created by default is controlled by CREATE_HOME in /etc/login.defs; otherwise pass -m on each useradd call.

Changing a user
User parameters are changed with usermod, which takes the same options as useradd. Example:
sudo usermod -c "New comment for the user" vasyapupkin

Changing the password
A user's password is changed with passwd:
sudo passwd vasyapupkin
passwd -l locks the account's password and passwd -u unlocks it again.

Getting information about users
w - shows who is logged in (user name, terminal, login time, current command).
whoami - prints your own user name.
users - prints the names of the users currently logged in.
groups username - lists the groups the user belongs to.

Deleting a user
A user is deleted with userdel:
sudo userdel vasyapupkin
By default userdel leaves the home directory in place; -r removes the home directory and mail spool as well, and -f forces removal even if the user is still logged in.

Group management
Creating a group
groupadd creates a new group from the values given on the command line and the system defaults:
sudo groupadd testgroup
Changing a group
The group name, GID or password are changed with groupmod. Example:
sudo groupmod -n newtestgroup testgroup    # renames testgroup to newtestgroup
Deleting a group
sudo groupdel testgroup
groupdel needs no further options.

Configuration files
Users and groups can also be managed by editing the text files in which all settings are stored. Each file is described below.

/etc/passwd
/etc/passwd stores all information about users except their passwords. One line describes one user, for example:
vasyapupkin:x:1000:1000:Vasya Pupkin:/home/vpupkin:/bin/bash
The fields are separated by colons: login name, password placeholder (x means the hash lives in /etc/shadow), UID, GID of the primary group, comment (GECOS), home directory, login shell. The password and shell fields may be empty.

/etc/group
/etc/group, as the name suggests, stores information about groups, in the same style:
vasyapupkin:x:1000:vasyapupkin,petya
The fields are: group name, password placeholder, GID, comma-separated list of members. The second and fourth fields may be empty.

/etc/shadow
/etc/shadow stores the password hashes and aging information, so its permissions do not allow an ordinary user to read it. An example entry:
vasyapupkin:$6$Yvp9VO2s$VfI0t.o754QB3HcvVbz5hlOafmO.LaHXwfavJHniHNzq/bCI3AEo562hhiWLoBSqxLy7RJJNm3fwz.sdhEhHL0:15803:0:99999:7:::
The fields are: login name, hashed password ($6$ marks SHA-512 crypt), day of the last password change (days since 1970-01-01), minimum age, maximum age, warning period, inactivity period, account expiry day, reserved.

Managing users and groups via a GUI
The current version of Ubuntu has no standard utility for managing groups, so by default all group operations are done in the console. The "Users and groups" utility fills that gap.

Installing the graphical utility for managing groups
The gnome-system-tools package is in the Ubuntu repositories, so one command installs it:
sudo apt-get install gnome-system-tools

Group management
To add or delete groups, or add users to and remove them from a group, open Dash - System utilities - Administration - Users and groups and click "Manage Groups". The window lists all groups on the system; select a group, click "Properties" and tick the users to add to it.

May 3, 2016

User management is a critical skill for a Linux system administrator.
As a rule, a new system has only one user, root. The root account has extensive privileges and is very flexible, but running the server as root all the time is strongly discouraged: with absolute rights, a careless command can do irreparable damage to the system, and a compromise of that account hands the attacker everything. For everyday work you should therefore create an additional user with normal privileges and grant it sudo rights. You can also create accounts for other users who need access to the server. This guide shows how to create new user accounts, grant sudo rights and delete users.

Adding a user
In a root session, enter:
adduser newuser
In a non-root session with sudo access, enter:
sudo adduser newuser
The command prompts for a password (entered twice) and then for optional details such as the full name; press Enter to leave a detail empty.

The new user is ready, and you can connect to the server with it.

Granting sudo rights
To use the new account for administrative tasks, allow it to use the sudo command. This can be done in two ways:

Adding the user to the sudo group
On Ubuntu 16.04, all members of the sudo group may use sudo by default. To see which groups the new user belongs to, enter:
groups newuser
The command returns:
newuser : newuser
By default each new user belongs only to the group of the same name. To add the user to the sudo group, enter (as root, or prefixed with sudo):
usermod -aG sudo newuser
-G lists the supplementary groups and -a appends to them instead of replacing them; without -a the user would be removed from every other supplementary group. Group membership changes take effect at the user's next login.

Testing the setup
Make sure the new user can use sudo. In the new user's session, commands run with the user's own rights; to run one as the administrator, prefix it with sudo:
sudo some_command
The system asks for the current user's password, not root's.

Editing the /etc/sudoers file
The alternative is to edit the sudoers file with visudo, which opens /etc/sudoers in an editor and lets you specify the privileges of each user explicitly. Always edit sudoers through visudo: it locks the file against simultaneous edits and checks the syntax before writing it, so a typo cannot leave you without administrative access. In a root session, enter:
visudo
In a non-root session with sudo access, enter:
sudo visudo
visudo traditionally opens the file in vi, which can confuse newcomers, but new Ubuntu installations use the more familiar nano. Move with the arrow keys and find the line:
root    ALL=(ALL:ALL) ALL
Copy it below and replace root with the name of the user who should receive superuser rights:
newuser ALL=(ALL:ALL) ALL
Add such a line for each user who needs extended privileges, then save and close the file.

Removing users
Accounts that are no longer needed can be deleted.
To remove a user but keep their files, enter as root:
deluser newuser
To remove a user together with their home directory, enter in the root session:
deluser --remove-home newuser
If the deleted user had superuser rights granted in /etc/sudoers, remove that line as well:
visudo
If the line stayed in the file and a user with the same name were created later, that user would receive the extended privileges automatically. Removing the line prevents this.

Conclusion
User management is a necessary skill when administering an Ubuntu 16.04 server: it lets you separate users and give each of them only the access they need for their work.

Adding a user with useradd. -c adds a comment, -g sets the primary group, -d the home directory, -m creates it and -s sets the login shell (the usual way to grant sudo is the supplementary group, -G sudo, rather than making sudo the primary group):
sudo useradd -c "Comment for user" -g sudo -d /home/NameUser -m -s /bin/bash NameUser
Set a password for NameUser:
sudo passwd NameUser
Adding a user with adduser:
sudo adduser NameUser
Enter the password and answer the questions; you get a user with a password and a home directory.
Changing the user's password:
sudo passwd NameUser
Adding a user to the sudo group:
sudo usermod -a -G sudo NameUser
Adding a user or a group to sudoers directly. Edit the file with visudo, which works on a temporary copy (/etc/sudoers.tmp) and installs it only if the syntax is valid:
sudo visudo
Give root rights to the user user_name:
user_name ALL=(ALL:ALL) ALL
Give root rights to the group group_name by adding the line (the % marks a group name):
%group_name ALL=(ALL:ALL) ALL

A user and his groups
List the groups on the host:
cat /etc/group
Check whether the group examplegroup exists on the host:
grep examplegroup /etc/group
Find out which groups the user NameUser belongs to, with its uid and gid:
id NameUser
Add the existing user NameUser to the existing group examplegroup:
sudo usermod -aG examplegroup NameUser
(usermod -g examplegroup NameUser would instead change the user's primary group.)

Removing an Ubuntu user
The user's home directory is not deleted by this command:
sudo userdel NameUser
Delete the directory if necessary:
sudo rm -r /home/NameUser/
Check that the user is gone; no output means the account has been deleted:
sudo grep NameUser /etc/passwd --color
List all local users:
sudo cat /etc/passwd
sudo cat /etc/shadow
For more detailed information about a user, install the finger package:
sudo apt-get install finger
To view information about the user NameUser, run:
finger NameUser
To write information about all users to the file infoaboutalluser.txt, create the script finger.sh:
#!/bin/bash
# print a separator and the finger record for every login name in /etc/passwd
for i in $(cut -d: -f1 /etc/passwd); do
    echo "==========================================================================="
    finger "$i"
done
Make it executable, run it and redirect its output to the file:
chmod +x finger.sh
./finger.sh > infoaboutalluser.txt
List all privileged users (UID 0 and GID 0):
egrep ":0:0:" /etc/passwd
or the non-privileged ones:
egrep -v ":0:0:" /etc/passwd
List all users whose names begin with one of the letters a, b, c or d:
grep "^[abcd]" /etc/passwd

As readers' responses show, the separation of administrative rights in Ubuntu is still unclear to many novice administrators, so we decided to bring some clarity to the subject with this material. If you do not know how su differs from sudo, or where root went, it is time to read on.

A small digression first. The Linux administrative rights system goes back to Unix and therefore has much in common with other Unix-like systems: BSD, Solaris, macOS. At the same time each distribution has its own implementation details, so the examples here are for the Ubuntu family; knowing the general rules will let you find your way in any other Unix-like OS.

In Linux, full administrative rights belong to the user root, whose rights cannot be limited, so everyday work as this user is highly undesirable: a careless action can damage the system, and a compromise of this account gives an attacker unlimited access. Linux therefore uses a different scheme: all users, including administrators, work under limited accounts and use one of the privilege escalation mechanisms for administrative actions. You can elevate rights with the sudo utility, or log in as the superuser (root) without ending the current session with the su command. The two are often confused, so let us look at them in detail.

The su command lets you log in as another user (not necessarily root) without ending the current session. So:
su petrov
logs you in as the user petrov, and the user environment (home directory) changes to that user's. su without a user name logs you in as root. This method has one significant drawback: to log in as another user you must know that user's password. With several administrators, each of them knows the superuser password and you cannot limit their rights. It is also unsafe: knowing the superuser password and being able to log in under that name means that a compromise leads to complete loss of control over the system.

What happens if we try to elevate rights this way in Ubuntu? Nothing: we do not know the root password, although nothing stops us from logging in as a different user. "Wait!", another reader will say, "aren't root rights given to the first user, the one created during installation?" Indeed, by default administrative tasks can only be performed on behalf of the user created during installation; trying the same from another user fails.
Here we come to the second mechanism for elevating rights, the sudo utility. Before studying it, a clarification: in Ubuntu the superuser (root) rights belong to the root account, which is disabled by default, so elevating rights with su is not possible. The main privilege escalation mechanism in Ubuntu is sudo. It runs the given command with superuser rights, and you do not need the superuser password: the user enters their own password, after which sudo checks whether this user may run this command on this host with superuser rights and, if the checks pass, runs it.

Important! The main difference between su and sudo is that su switches the current user to root, which requires an active superuser account in the system and knowledge of its password, while sudo elevates rights for the command being executed without the superuser password; the user enters their own password, and those credentials cannot be used to log in as root.

Another important point: with a pipeline or a redirection, only the first part of the command line runs with superuser rights. In
sudo command1 | command2
only command1 runs as root, and
sudo cat sources.list > /etc/apt/sources.list
fails with a permission error, because the write to /etc/apt/sources.list is performed by the user's own shell with normal rights, before sudo even starts. For complex combinations of commands you can open a root shell with
sudo -s
which is similar to elevating rights with su, except that the user environment is not changed and the current user's directory stays the home directory, which is convenient and safe: each administrator keeps access only to their own home directory. Whether -s keeps the caller's HOME depends on the sudo version and the sudoers defaults; sudo -i always gives a full root login shell with root's environment.
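The pipeline and redirection behaviour described above is a frequent source of "Permission denied" surprises, so here are the working forms as a small added example (my code, not part of the original article). The only assumption is the variable SUDO naming the privilege tool; it defaults to sudo and can be set to the empty string to exercise the same functions without elevation.

```sh
#!/bin/sh
# Added example, not from the original article. Wrappers that get the
# redirection right when writing a root-owned file through sudo.
# Assumption: the variable SUDO names the privilege tool (default: sudo);
# set SUDO= to run the same functions without elevation, e.g. in a test.
: "${SUDO:=sudo}"

# The broken form from the text, kept here only as a comment:
#   sudo cat sources.list > /etc/apt/sources.list
# The calling shell opens /etc/apt/sources.list for writing BEFORE sudo even
# starts, with the caller's uid, so the open fails with "Permission denied".

# Replace the contents of a protected file with whatever arrives on stdin.
# tee runs under sudo, so it is tee (as root) that opens the target; the
# caller only feeds it through a pipe, which needs no privileges.
write_as_root() {
    $SUDO tee "$1" >/dev/null
}

# Append stdin to a protected file: same idea with tee -a.
append_as_root() {
    $SUDO tee -a "$1" >/dev/null
}

# Count the lines of a file that only root can read. Note the argument form:
#   sudo wc -l < /etc/shadow     fails, the "<" is opened by the caller
#   sudo wc -l /etc/shadow       works, wc opens the file as root
count_lines_as_root() {
    $SUDO wc -l "$1" | awk '{ print $1 }'
}

# Run a whole pipeline or redirection with elevated rights by handing the
# command line to a root shell; every stage then runs as root, not only the
# first word after sudo. The command line is passed as one string.
run_as_root() {
    $SUDO sh -c "$1"
}

# Usage on a real system (not executed here):
#   printf 'deb http://archive.ubuntu.com/ubuntu focal main\n' | write_as_root /etc/apt/sources.list
#   run_as_root "grep -v '^#' /etc/apt/sources.list > /root/active-sources"
```

The sh -c form is the one to reach for when a whole pipeline must run privileged; keep the quoted command short and quote its arguments, because it is parsed again by the root shell.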
Now let us see who may use sudo, and to what extent. The utility is configured in /etc/sudoers. Although it is an ordinary text file, it is strongly recommended to edit it only with:
sudo visudo
This command locks the file and checks the syntax; otherwise a typo can cost you administrative access to the machine. The syntax is quite simple. For example, near the end of the file there is the entry:
%admin ALL=(ALL) ALL
It means that members of the group admin may run any command on any host on behalf of any user (newer Ubuntu releases use the group sudo for the same purpose). As the groups command easily shows, in our case the user andrey belongs to the group admin and the user petrov does not. The real strength of sudo lies in configuring precisely how rights are obtained in each case. For example:
petrov ubuntu-lts=(andrey) ALL
allows petrov to run any command on the host ubuntu-lts on behalf of the user andrey. Commands must be given with their full path, which you can find with which. Say we want to let the users petrov and sidorov shut down and restart the computer and kill processes, without being asked for a password. Another nice feature of sudo is aliases, so in our case we add the following lines to /etc/sudoers:
User_Alias USERGROUP1 = petrov, sidorov
Cmnd_Alias CMDGROUP1 = /sbin/shutdown, /sbin/reboot, /bin/kill
(the command paths are examples; use the ones which reports on your system). This creates two aliases: USERGROUP1 with the users we need and CMDGROUP1 with the set of commands, so later we can edit only the aliases without touching the rules that use them. Then we add the rule:
USERGROUP1 ALL = (ALL) NOPASSWD: CMDGROUP1
which lets the users listed in the alias run the commands from the alias on any host on behalf of any user without entering a password.
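Two of the risks raised on this page, a sudoers rule left behind after an account is deleted and a NOPASSWD rule that is wider than intended, are easy to miss by eye in a long file. The following added example (my code, not part of the original article) is a read-only lint that parses a sudoers file in the syntax shown above, including User_Alias, Cmnd_Alias, Host_Alias and Runas_Alias definitions, and cross-checks it against passwd and group files. The sample files it writes are constructed for the demo; on a real system pass /etc/passwd, /etc/group and /etc/sudoers and run it with sudo, since sudoers is not world-readable.

```sh
#!/bin/sh
# Added example, not from the original article: a read-only lint for a sudoers
# file that flags the risks discussed in the text. It reports
#   STALE-USER       a rule (or User_Alias member) naming a user absent from passwd,
#                    the privilege-revival risk after an account is deleted
#   STALE-GROUP      a %group rule for a group absent from /etc/group
#   UNDEFINED-ALIAS  a rule using an alias that is never defined
#   NOPASSWD-ALL     a NOPASSWD rule that covers ALL commands
# It understands the common one-line syntax only (no line continuations, no
# nested aliases) and complements, rather than replaces, visudo -c.
# Arguments: files in /etc/passwd, /etc/group and /etc/sudoers format.
audit_sudoers() {
    awk -F: '
        FNR == 1 { fileno++ }
        fileno == 1 { users[$1] = 1; next }     # passwd: login name
        fileno == 2 { groups[$1] = 1; next }    # group: group name
        { lines[++n] = $0 }                     # sudoers: kept for END
        END {
            for (i = 1; i <= n; i++) {
                line = lines[i]
                if (line ~ /^[ \t]*[#@]include/) continue
                sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line == "" || line ~ /^Defaults/) continue
                if (line ~ /^(User|Runas|Host|Cmnd)_Alias[ \t]/) {
                    split(line, a, /[ \t=]+/)          # a[1] type, a[2] name
                    defined[a[1] ":" a[2]] = 1
                    if (a[1] == "User_Alias") {       # members must exist too
                        members = line; sub(/^[^=]*=[ \t]*/, "", members)
                        m = split(members, ml, /[ \t]*,[ \t]*/)
                        for (k = 1; k <= m; k++)
                            if (ml[k] !~ /^%/ && !(ml[k] in users))
                                print "STALE-USER " ml[k] " (alias " a[2] ", line " i ")"
                    }
                    continue
                }
                # user specification: <users> <hosts>=(<runas>) [TAG:] <commands>
                nf = split(line, f, /[ \t]+/)
                nu = split(f[1], ul, ",")
                for (k = 1; k <= nu; k++) {
                    u = ul[k]
                    if (u == "ALL") continue
                    if (u ~ /^%/) {
                        g = substr(u, 2)
                        if (!(g in groups)) print "STALE-GROUP " g " (line " i ")"
                    } else if (u ~ /^[A-Z][A-Z0-9_]*$/) {
                        if (!(("User_Alias:" u) in defined)) print "UNDEFINED-ALIAS " u " (line " i ")"
                    } else if (!(u in users)) {
                        print "STALE-USER " u " (line " i ")"
                    }
                }
                cmd = f[nf]; sub(/^[A-Z]+:/, "", cmd)   # strip a NOPASSWD:-style tag
                if (cmd ~ /^[A-Z][A-Z0-9_]*$/ && cmd != "ALL" && !(("Cmnd_Alias:" cmd) in defined))
                    print "UNDEFINED-ALIAS " cmd " (line " i ")"
                if (line ~ /NOPASSWD:/ && cmd == "ALL")
                    print "NOPASSWD-ALL " f[1] " (line " i ")"
            }
        }' "$1" "$2" "$3"
}

# Constructed sample files for the demo (not real system files).
write_sample_files() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
andrey:x:1000:1000::/home/andrey:/bin/bash
petrov:x:1001:1001::/home/petrov:/bin/bash
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
admin:x:110:andrey
sudo:x:27:andrey
EOF
    cat > "$dir/sudoers" <<'EOF'
Defaults env_reset
User_Alias USERGROUP1 = petrov, sidorov
Cmnd_Alias CMDGROUP1 = /sbin/shutdown, /sbin/reboot, /bin/kill
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# olduser was deleted with deluser but the rule was never removed
olduser ALL=(ALL:ALL) ALL
USERGROUP1 ALL = (ALL) NOPASSWD: CMDGROUP1
petrov  ALL=(ALL) NOPASSWD:ALL
%developers ALL=(ALL) ALL
andrey  ALL=(ALL) WEBCMDS
@includedir /etc/sudoers.d
EOF
}
```

Usage: write_sample_files /tmp/demo followed by audit_sudoers /tmp/demo/passwd /tmp/demo/group /tmp/demo/sudoers prints five findings, one per problem line, with the sudoers line number so the entry can be fixed in visudo. Rules under @includedir are not followed; run the function once per file in /etc/sudoers.d.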
Besides these two, there are also aliases for host names and for the users on whose behalf commands may be run, for example:
Host_Alias WWW = webserver1, webserver2
Runas_Alias WWW = www-data, www-developer
USERGROUP1 WWW = (WWW) ALL
This set of entries lets the users in USERGROUP1 run any command as www-data or www-developer on the company's web servers.

Finally, what to do if the root account is needed after all. It is simple: to enable it, just set a password:
sudo passwd root
To lock the superuser account again:
sudo passwd -l root
Remember that every administrative task in Ubuntu can be done with sudo, so do not enable the root account unless absolutely necessary! As you can see, Ubuntu has rich capabilities for managing administrative rights, which let you distribute rights flexibly among several administrators and give some users the ability to elevate rights, efficiently and securely.

User management is a critical part of maintaining a secure system. Ineffective user and privilege management often leads to systems being compromised, so it is important to understand how to protect your server through simple and effective user account management techniques.

Where is root?
Ubuntu developers made a conscious decision to disable the administrative root account by default in all Ubuntu installations. This does not mean that the root account has been deleted or cannot be accessed: it merely has a password that matches no possible encrypted value, so it cannot log in directly by itself. Instead, users are encouraged to use a tool called sudo to carry out system administrative duties. sudo allows an authorized user to temporarily elevate their privileges using their own password instead of having to know the password belonging to the root account.
This simple yet effective methodology provides accountability for all user actions and gives the administrator granular control over which actions a user may perform with those privileges. If for some reason you wish to enable the root account, simply give it a password (note that configurations with a root password are not supported):
sudo passwd root
sudo prompts for your own password and then asks for the new root password:
Password for username: (enter your own password)
Enter new UNIX password: (enter a new password for root)
Retype new UNIX password: (repeat new password for root)
passwd: password updated successfully
To disable the root account password again:
sudo passwd -l root
To disable the root account itself, expire it:
sudo usermod --expiredate 1 root
Read more about sudo in its man page: man sudo

By default, the initial user created by the Ubuntu installer is a member of the group sudo, which is listed in /etc/sudoers as authorized to use sudo. To give any other account full root access through sudo, simply add it to the sudo group.

Adding and Deleting Users
Managing local users and groups is straightforward and differs very little from most other GNU/Linux operating systems. Ubuntu and other Debian-based distributions encourage the use of the adduser package for account management. To add a user account, use the following command and follow the prompts to give the account a password and identifying details such as a full name and phone number:
sudo adduser username
To delete a user account and its primary group:
sudo deluser username
Deleting an account does not remove its home directory. It is up to you whether to delete the directory manually or keep it according to your retention policy.
Remember that any user added later with the same UID/GID as the previous owner will have access to this directory if you have not taken precautions. You may want to change the owner to something more appropriate, such as root, and perhaps relocate the directory to avoid future conflicts:
sudo chown -R root:root /home/username/
To temporarily lock or unlock a user account, respectively:
sudo passwd -l username
sudo passwd -u username
To add or delete a group, respectively:
sudo addgroup groupname
sudo delgroup groupname
To add a user to a group:
sudo adduser username groupname

User Profile Security
When a new user is created, adduser creates a new home directory /home/username. The default profile is modelled on the contents of /etc/skel, which holds the profile basics. If your server hosts multiple users, pay close attention to home directory permissions to ensure confidentiality. By default, user home directories in Ubuntu are created with world read/execute permissions, which means every user can browse and read the contents of other users' home directories; this may not be suitable for your environment. (Ubuntu releases from 21.04 onward create home directories with mode 0750 instead.) To check a home directory's permissions:
ls -ld /home/username
The following output shows that /home/username is world-readable:
drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username
Remove the world-readable permissions with:
sudo chmod 0750 /home/username
Some people use the recursive option (-R) indiscriminately, which modifies every child directory and file; this is unnecessary and may have undesirable side effects. Changing the parent directory alone prevents unauthorized access to anything below it.
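The check-then-chmod procedure above lends itself to a script, so here is one as an added example (my code, not part of the guide). It scans the direct subdirectories of a base directory for any read or execute bit in the "other" class, fixes only the parent directory as the text recommends, and also reads the DIR_MODE default that adduser applies to new home directories from an adduser.conf-style file. The base directory and configuration file are parameters so the functions can run on a constructed tree; on a real server pass /home and /etc/adduser.conf and run the fix with sudo. It assumes GNU stat, as shipped on Ubuntu.

```sh
#!/bin/sh
# Added example, not from the guide: audit home directories for "other"
# access bits and tighten only the parent directory. Assumes GNU stat.

# Print every direct subdirectory of $1 that any local account can list or
# enter, i.e. any r or x bit in the "other" class. One path per line.
world_accessible_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        mode=$(stat -c %a "$d")           # e.g. 755 or 2755 (setgid)
        other=$(( 0$mode & 07 ))          # leading 0 forces octal parsing
        [ $(( other & 05 )) -ne 0 ] && printf '%s\n' "$d"
    done
    return 0
}

# chmod 0750 on each flagged directory. Deliberately no -R: the parent alone
# blocks access to everything below it, and recursing would also strip bits
# the user set on purpose (a public_html tree, a shared project directory).
fix_home_dirs() {
    world_accessible_homes "$1" | while IFS= read -r d; do
        chmod 0750 "$d" && printf 'fixed %s\n' "$d"
    done
}

# The mode adduser gives new home directories: the last active DIR_MODE line
# in an adduser.conf-style file (pass /etc/adduser.conf on a real system).
adduser_dir_mode() {
    sed -n 's/^[[:space:]]*DIR_MODE=\([0-7]*\).*/\1/p' "$1" | tail -n 1
}

# Exit status 0 when a mode grants nothing to "other", 1 otherwise.
mode_is_private() {
    [ $(( 0$1 & 07 )) -eq 0 ]
}

# Usage on a real server (not executed here):
#   world_accessible_homes /home            # list offenders
#   sudo sh -c '. ./homeperms.sh; fix_home_dirs /home'
#   mode_is_private "$(adduser_dir_mode /etc/adduser.conf)" || echo "DIR_MODE is too open"
```

A mode of 0711 is reported as well as 0755: without the read bit other users cannot list the directory, but they can still reach any file inside whose name they know or guess, so it does not give the confidentiality the text is after.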
A more efficient approach is to change the default permissions adduser applies to new home directories: edit /etc/adduser.conf and set the DIR_MODE variable to the appropriate value (for example DIR_MODE=0750), so that all new home directories receive the correct permissions. After correcting the permissions with either technique, verify the result:
ls -ld /home/username
The output below shows that the world-readable permissions have been removed:
drwxr-x--- 2 username username 4096 2007-10-02 20:03 username

Password Policy
A strong password policy is one of the most important aspects of your security posture. Many successful breaches involve simple brute-force and dictionary attacks against weak passwords. If you offer any form of remote access that relies on your local password database, make sure you address minimum password complexity, maximum password lifetime and regular audits of your authentication systems.

Minimum Password Length
By default, Ubuntu requires a minimum password length of 6 characters and performs some basic entropy checks. These values are controlled by the pam_unix line in /etc/pam.d/common-password, shown here without its control field:
password pam_unix.so obscure sha512
To raise the minimum length to 8 characters, add minlen=8 to that line:
password pam_unix.so obscure sha512 minlen=8
On releases that use pam_pwquality, the minimum length and complexity rules are set in /etc/security/pwquality.conf instead. Basic entropy checks and the minimum length do not apply when an administrator sets a user's password with sudo.

Password Expiration
When creating user accounts, make it policy to set a minimum and a maximum password age so that users must change their passwords when they expire.
To view the current status of a user account:
sudo chage -l username
The output below shows that no policy is applied to the account:
Last password change: Jan 20, 2015
Password expires: never
Password inactive: never
Account expires: never
Minimum number of days between password change: 0
Maximum number of days between password change: 99999
Number of days of warning before password expires: 7
To set any of these values interactively, run the following and follow the prompts:
sudo chage username
The following example sets an explicit account expiration date (-E) of 01/31/2015, a minimum password age (-m) of 5 days, a maximum password age (-M) of 90 days, an inactivity period (-I) of 5 days after password expiration and a warning period (-W) of 14 days before password expiration:
sudo chage -E 01/31/2015 -m 5 -M 90 -I 5 -W 14 username

SSH Access by Disabled Users
Locking an account's password does not stop logins with SSH public keys. Check for keys in /home/username/.ssh/authorized_keys, and remove or rename the user's .ssh/ directory to prevent further SSH authentication. Also check for established SSH sessions of the disabled user, since they may still have inbound or outbound connections, and kill any you find:
who | grep username   (to get the pts/# terminal)
sudo pkill -f pts/#
Restrict SSH access to the accounts that should have it. For example, create a group sshlogin and set it as the value of AllowGroups in /etc/ssh/sshd_config:
AllowGroups sshlogin
Then add the permitted SSH users to the group sshlogin and restart the SSH service:
sudo adduser username sshlogin

External User Database Authentication
Most enterprise networks require centralized authentication and access control for all system resources. If your server authenticates users against an external database, make sure disabled accounts are disabled both externally and locally. This ensures that local fallback authentication is not possible.
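The field layouts of /etc/passwd and /etc/shadow given earlier on this page, the egrep ":0:0:" trick for finding privileged accounts, the chage aging fields and the warning about locked users who still hold SSH keys all come together in the following added example (my code, not part of the guide). It audits passwd and shadow data offline and reports the conditions those sections warn about. The sample accounts it writes are constructed for the demo; on a real system pass /etc/passwd and /etc/shadow with an empty prefix and run it with sudo, since shadow is not world-readable.

```sh
#!/bin/sh
# Added example, not from the guide: an offline audit of passwd/shadow data
# for the conditions the text warns about. It reports
#   UID0              an account other than root with UID 0
#   NOPASS            an account whose shadow password field is empty
#   LOCKED-WITH-KEYS  a password-locked ("!" prefix) but unexpired account that
#                     still has ~/.ssh/authorized_keys, i.e. can still log in
#   NO-MAX-AGE        a regular (UID >= 1000) interactive account with no
#                     maximum password age
# Arguments: passwd file, shadow file, a prefix prepended to home directory
# paths (empty on a real system, a temp dir in the demo) and "today" as days
# since 1970-01-01 (defaults to the real date; fixed in the demo).
audit_accounts() {
    today=${4:-$(( $(date +%s) / 86400 ))}
    awk -F: -v prefix="${3:-}" -v today="$today" '
        FNR == NR { uid[$1] = $3; home[$1] = $6; shell[$1] = $7; order[++n] = $1; next }
        { hash[$1] = $2; maxage[$1] = $5; expire[$1] = $8 }
        END {
            for (i = 1; i <= n; i++) {
                u = order[i]
                locked = (hash[u] ~ /^!/)                 # passwd -l prefixes "!"
                expired = (expire[u] != "" && expire[u] + 0 <= today + 0)
                interactive = (shell[u] !~ /(nologin|false)$/)
                keyfile = prefix home[u] "/.ssh/authorized_keys"
                haskeys = ((getline junk < keyfile) >= 0); close(keyfile)
                if (uid[u] + 0 == 0 && u != "root") print "UID0 " u
                if ((u in hash) && hash[u] == "") print "NOPASS " u
                if (locked && !expired && haskeys) print "LOCKED-WITH-KEYS " u
                if (uid[u] + 0 >= 1000 && interactive && !locked &&
                    (maxage[u] == "" || maxage[u] + 0 >= 99999)) print "NO-MAX-AGE " u
            }
        }' "$1" "$2"
}

# Constructed sample data for the demo (not real system files). Day 19000 is
# the fixed "today" used by the demo; dave was expired with usermod --expiredate 1.
write_sample_accounts() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$salt$hash:18900:0:99999:7:::
toor:$6$salt$hash:18900:0:99999:7:::
alice:$6$salt$hash:18900:5:90:14:5::
bob:!$6$salt$hash:18900:0:99999:7:::
carol::18900:0:99999:7:::
dave:!$6$salt$hash:18900:0:99999:7::1:
sshd:*:18900:0:99999:7:::
EOF
    mkdir -p "$dir/home/bob/.ssh" "$dir/home/dave/.ssh"
    : > "$dir/home/bob/.ssh/authorized_keys"
    : > "$dir/home/dave/.ssh/authorized_keys"
}

# Usage on a real system (not executed here):
#   sudo sh -c '. ./accounts.sh; audit_accounts /etc/passwd /etc/shadow'
```

In the demo, bob is the case the text describes: passwd -l locked his password, but his authorized_keys file is still in place, so sshd would still accept his key. dave is locked the same way but carries an expiry date in the past, which blocks key logins as well, so he is not reported. The UID 0 check looks at the numeric field rather than the ":0:0:" pattern, so it also catches an account whose primary group is not 0.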