Ubuntu Server: administrative user rights and user management. Giving full rights to a user

This material covers creating a user, changing a password, getting information about a user or deleting it altogether, and creating, changing and deleting groups. It also shows how to move users between groups and perform other group manipulations in Ubuntu Linux, so that after reading it you can do all of this with ease.

Adding a user

Adding a user is done with the useradd command. Usage example:

sudo useradd vasyapupkin

This command creates a new user vasyapupkin in the system. The settings of the user being created can be adjusted with the following keys:

Key  Description
-b   Base directory: the directory in which the user's home folder is created. Default /home.
-c   Comment (the GECOS field). Any text, usually the full name.
-d   Path of the home directory. By default it is the base directory plus the user name.
-e   Date after which the account is disabled, in YYYY-MM-DD format. Not set by default.
-f   Number of days after the password expires before the account is locked. 0 locks it immediately after the password expires, -1 never locks it. Default -1.
-g   Primary group, given as a GID or a group name. If omitted, a new group named after the user is created (the USERGROUPS_ENAB=yes setting in /etc/login.defs).
-G   Comma-separated list of supplementary groups the new user is added to.
-k   Skeleton directory. Files and folders from it are copied into the new home folder. Default /etc/skel; only used together with -m.
-m   Create the home folder. Without this key useradd does not create one.
-p   Password in already hashed form, as stored in /etc/shadow. Passing a plaintext password here produces an unusable hash and leaves the password in the shell history, so set the password with passwd afterwards instead. By default no password is set and the account cannot log in with one.
-s   Login shell. Default /bin/sh.
-u   Set the UID manually instead of taking the next free one.

Default user creation options

If no additional keys are given when creating a user, the default settings are used. You can view them by running

useradd -D

The result looks like this:

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no

If these settings do not suit you, change them with the same -D switch, for example

sudo useradd -D -s /bin/bash

where -s is the key from the table above. Only -b, -e, -f, -g and -s can be set this way; whether a home folder is created by default is controlled by CREATE_HOME in /etc/login.defs, not by useradd -D.

Change user

User parameters are changed with the usermod utility. Usage example:

sudo usermod -c "This command changes the user's comment" vasyapupkin

usermod accepts the same keys as useradd. Note that -G replaces the whole list of supplementary groups; to add the user to a group while keeping existing memberships, combine it with -a (usermod -aG group user). usermod also has -L and -U to lock and unlock the account and -l to rename it.

Change password

A user's password is changed with the passwd utility. Run through sudo it does not ask for the old password and can set the password of any account:

sudo passwd vasyapupkin

Without arguments, passwd changes the password of the current user and asks for the old one first.

Getting information about users

    w – displays information (user name, shell, login time, etc.) about all logged-in users.

    whoami – displays your username.

    users – displays the names of users currently logged in.

    groups username – displays a list of groups the user belongs to.

Deleting a user

To delete a user, use the userdel utility. Usage example:

sudo userdel vasyapupkin

userdel has two main keys: -r removes the home directory and mail spool along with the account, and -f forces removal even if the user is still logged in. Without -r, files owned by the deleted UID stay on disk and will belong to whoever is assigned that UID next.

Group management

Create a group

The groupadd program creates a new group according to the values given on the command line and the system defaults. Usage example:

sudo groupadd testgroup

Main keys: -g sets the GID explicitly, -r creates a system group with a GID from the system range.

Change group

The group name, GID or password are changed with groupmod. Example:

sudo groupmod -n newtestgroup testgroup    # renames testgroup to newtestgroup

groupmod options: -n sets a new name, -g a new GID. Files owned by the old GID are not updated and must be chown'ed by hand.

Delete a group

Deleting a group works like this:

sudo groupdel testgroup

groupdel needs no options in normal use. It refuses to delete a group that is still the primary group of some user; change those users' primary group (usermod -g) or delete them first.

Configuration files

You can change the settings of users and groups not only using special utilities, but also manually. All settings are stored in text files. A description of each of them is given below.

/etc/passwd

The file /etc/passwd stores all information about users except the password. One line of this file describes one user. A typical line looks like this:

vasyapupkin:x:1000:1000:Vasya Pupkin:/home/vpupkin:/bin/bash

A line consists of several fields separated by colons:

1. Login name.
2. Password field. An x means the password hash is kept in /etc/shadow.
3. UID, the numeric user ID. UID 0 is the superuser; any account with UID 0 has full root rights whatever its name.
4. GID of the primary group.
5. Comment (GECOS): full name and other free text.
6. Home directory.
7. Login shell.

The second and last fields are optional and may be empty: an empty password field means no password is set for the account, which is dangerous and worth checking for, and an empty shell field means /bin/sh is used.

/etc/group

/etc/group, as the name suggests, stores information about groups. It has a format similar to /etc/passwd:

vasyapupkin:x:1000:vasyapupkin,petya

The fields are the group name, the group password (x means it is kept in /etc/gshadow), the GID, and a comma-separated list of members. Only supplementary members are listed here; a user whose primary group (fourth field of /etc/passwd) is this group does not appear in the list. The second and fourth fields may be empty.

/etc/shadow

The file /etc/shadow stores the password hashes, so its permissions (owner root, group shadow, mode 0640) do not let an ordinary user read it. An example entry:

vasyapupkin:$6$Yvp9VO2s$VfI0t.o754QB3HcvVbz5hlOafmO.LaHXwfavJHniHNzq/bCI3AEo562hhiWLoBSqxLy7RJJNm3fwz.sdhEhHL0:15803:0:99999:7:::

The fields are: login name; password hash ($6$ means SHA-512 crypt; a hash starting with ! or * means the account is locked, an empty field means no password); date of the last change in days since 1970-01-01; minimum and maximum password age in days; warning period in days before expiry; inactivity period in days after expiry; account expiry date; and a reserved field.

Managing users and groups via GUI

Current Ubuntu releases ship no standard utility for managing the groups of system users, so by default all group operations are done in the console. There is, however, a special utility for this purpose, "Users and Groups".

Installing a graphical GUI utility for managing groups

The gnome-system-tools package is in the Ubuntu repositories, so it is installed with a single command:

sudo apt-get install gnome-system-tools

Group management

To add or delete groups, and to add or remove users from specific groups, open Dash / the Ubuntu menu, System Tools, Administration, Users and Groups, and click the "Manage Groups" button. A window listing all groups present in the system appears:

select the group you need and click "Properties" to tick the users who should be members of the group.

May 3, 2016

User management is a critical skill for a Linux system administrator. As a rule, a freshly installed system has only one user, root.

The root account has extensive privileges and is very flexible, but running the server as root all the time is highly discouraged: having absolute rights, root can accidentally cause irreparable damage to the system and the server, and nothing records which administrator did what. For everyday work you should therefore create an additional user with normal privileges and give that user sudo rights. You can also create further accounts for other people who need access to the server.

This guide shows how to create new user accounts, grant sudo rights, and delete users.

Adding a user

To add a new user from a root session, enter:

adduser newuser

From a non-root session with sudo access, add a new user with:

sudo adduser newuser

The command will prompt you to:

  • Set and confirm a password.
  • Enter additional user information. This is optional; to accept the defaults, simply press Enter.
  • Confirm that the information is correct (press Enter).

The new user is ready. You can now connect to the server with it.

Setting sudo permissions

To be able to use the new account to perform administrative tasks, you must allow the user access to the sudo command. This can be done in two ways:

  1. Add user to sudo group
  2. Edit sudo settings in /etc/sudoers file

Adding a user to the sudo group

On Ubuntu 16.04, all members of the sudo group can use the sudo command by default.

To find out which groups the new user belongs to, enter:

groups newuser

The command returns:

newuser : newuser

By default, each new user is a member only of the group of the same name. To add the user to the sudo group, enter (as root, or prefixed with sudo from an ordinary session):

usermod -aG sudo newuser

The -aG flags append the user to the listed groups without removing existing memberships; -G on its own would replace them. The new membership takes effect at the user's next login.

Testing the setup

Now make sure the new user can use sudo.

By default, a command in the new user's session runs with the user's own privileges:

some_command

To run it as administrator, put sudo in front of it:

sudo some_command

The system asks for the current user's password, not root's.

Editing the /etc/sudoers file

An alternative way to raise a user's privileges is to edit the sudoers file. Use the visudo command, which opens /etc/sudoers in an editor and lets you specify the privileges of each system user explicitly.

Edit the sudoers file only with visudo: it locks the file against simultaneous edits and checks the syntax before overwriting it. A syntax error in /etc/sudoers would otherwise make sudo refuse to run at all, locking you out of administrative access.

If you are in a root session, enter:

visudo

From a non-root session with sudo access, enter:

sudo visudo

Traditionally visudo opens /etc/sudoers in vi, which can be confusing for newcomers, but on new Ubuntu installations it uses the more familiar nano editor by default. Use the arrow keys to move the cursor. Find the line:

root ALL=(ALL:ALL) ALL

Copy this line and paste it below, replacing root with the name of the user who should receive superuser rights:

root ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL

Add such a line for each user who needs extended privileges. Save and close the file.

Removing users

Unneeded accounts can be deleted.

To remove a user but keep their files, enter:

as root:
deluser newuser
as a regular user with sudo rights:
sudo deluser newuser

To remove a user together with their home directory, use:

in a root session:
deluser --remove-home newuser
in a session with sudo rights:
sudo deluser --remove-home newuser

If the deleted user had superuser rights, remove them as well by editing the sudoers file:

visudo
or
sudo visudo

root ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL # remove this line

If the line stayed in the file and a user with the same name were created later, that user would automatically get extended privileges. Removing the line prevents this.

Conclusion

User management is a necessary skill when administering an Ubuntu 16.04 server. It will allow you to separate users and give them only the access they need to work.


Option -c adds a comment to the user.
Option -G sudo adds the user to the sudo group as a supplementary group. The lowercase -g would instead make sudo the user's primary group, so that every file the user creates is group-owned by sudo; do not do that.
Option -s sets the user's shell to /bin/bash.

Option -d specifies the user's home folder.
Option -m creates that folder immediately:

sudo useradd -c "Comment for user" -G sudo -d /home/NameUser -m -s /bin/bash NameUser

Set a password for the user NameUser:

sudo passwd NameUser

Adding a user with the adduser command

sudo adduser NameUser

Enter the password and answer the questions asked; the result is a user with a password and a home directory. To give this user sudo rights afterwards, run sudo adduser NameUser sudo.

Changing the user password

sudo passwd NameUser

Add a user to the sudo group

sudo usermod -a -G sudo NameUser

Adding a user or a group of users to sudoers directly:

Edit /etc/sudoers with visudo (it works on a temporary copy, /etc/sudoers.tmp, and installs it only if the syntax is valid):

sudo visudo

Give root rights to the user named user_name:

user_name ALL=(ALL:ALL) ALL

Give root rights to the group of users group_name by adding a line to the sudoers file; group names are prefixed with a percent sign:

%group_name ALL=(ALL:ALL) ALL

User and his groups

View the groups available on the host:

cat /etc/group

Check whether a group named examplegroup exists on the host, where examplegroup is the group you are interested in:

grep '^examplegroup:' /etc/group

Check which groups the user belongs to (as well as the uid and gid):

id NameUser

Add the existing user NameUser to the existing group examplegroup as a supplementary group:

sudo usermod -aG examplegroup NameUser

(usermod -g examplegroup NameUser would instead replace the user's primary group.)

Removing an Ubuntu user

Use the command below; the user's folder is not deleted:

sudo userdel NameUser

Delete the folder if necessary (userdel -r removes the account and the home directory in one step):

sudo rm -r /home/NameUser/

Check that the user is gone; no output means the account has been deleted:

grep '^NameUser:' /etc/passwd

List all local users

cat /etc/passwd
sudo cat /etc/shadow

For more detailed information about a user, install the finger package:

sudo apt-get install finger

To view information about the user NameUser, run:

finger NameUser

To write information about all users to the file infoaboutalluser.txt, create the script finger.sh:

#!/bin/bash
# Run finger for every account listed in /etc/passwd
for user in $(cut -d: -f1 /etc/passwd); do
    echo "=========================================================================="
    finger "$user"
done

Make the script executable (chmod +x), then run it and redirect its output to infoaboutalluser.txt:

./finger.sh > infoaboutalluser.txt

List all privileged users:

grep ':0:0:' /etc/passwd

This matches lines where UID and GID are both 0. An account with UID 0 but a different primary GID would be missed, so a stricter check compares only the third (UID) field.

Unprivileged users:

grep -v ':0:0:' /etc/passwd

List all users whose names begin with one of the letters a, b, c or d:

grep '^[abcd]' /etc/passwd
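The following shell functions are an added example and are not part of either article above. They read passwd-, shadow- and group-format data from standard input, so the same checks run on the constructed sample embedded below (made-up names and hashes) or on the real /etc/passwd, /etc/shadow and /etc/group. They cover the field layout described in the configuration-files section and give a stricter version of the ':0:0:' grep, since an account with UID 0 and a non-zero primary GID is just as privileged.

```shell
#!/bin/bash
# Added example: audit helpers for passwd/shadow/group-format data.
# Each function reads the file format from stdin, so it runs on the constructed
# samples below or on the real files:  uid0_accounts < /etc/passwd
set -u

# Constructed sample data; the names and hashes are made up for this demo.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
vasyapupkin:x:1000:1000:Vasya Pupkin:/home/vpupkin:/bin/bash
petya:x:1001:1001::/home/petya:/bin/bash
backup:x:1002:0::/home/backup:/bin/sh
toor:x:0:0::/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

SAMPLE_SHADOW='root:*:19000:0:99999:7:::
vasyapupkin:$6$Yvp9VO2s$madeuphash:19000:0:90:7:::
petya::19000:0:99999:7:::
backup:!:19000:0:99999:7:::
toor:$6$abc$madeuphash:19000:0:99999:7:::'

SAMPLE_GROUP='root:x:0:
sudo:x:27:vasyapupkin
vasyapupkin:x:1000:
petya:x:1001:
testgroup:x:1002:vasyapupkin,petya'

# passwd: every account with UID 0 is a superuser, whatever it is called.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }'; }

# passwd: accounts whose primary group is GID 0 but whose UID is not 0;
# the ":0:0:" grep misses these, yet they can access root-group files.
gid0_accounts() { awk -F: '$3 != 0 && $4 == 0 { print $1 }'; }

# shadow: an empty second field means the account has no password at all.
empty_password_accounts() { awk -F: '$2 == "" { print $1 }'; }

# shadow: usable password (hash not starting with ! or *) that never expires.
never_expiring_accounts() { awk -F: '$2 !~ /^[!*]/ && $5 == 99999 { print $1 }'; }

# group: supplementary members of one group (primary members live in passwd).
members_of_group() {      # members_of_group <group>
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# passwd: users whose primary group is the given GID; groupdel refuses to
# remove a group while such users exist.
primary_group_users() {   # primary_group_users <gid>
    awk -F: -v gid="$1" '$4 == gid { print $1 }'
}

# Demonstration on the samples.
echo "UID 0 accounts:";          printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
echo "GID 0 non-root accounts:"; printf '%s\n' "$SAMPLE_PASSWD" | gid0_accounts
echo "No password:";             printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts
echo "Never-expiring password:"; printf '%s\n' "$SAMPLE_SHADOW" | never_expiring_accounts
echo "Members of sudo:";         printf '%s\n' "$SAMPLE_GROUP" | members_of_group sudo
echo "Primary group 1001:";      printf '%s\n' "$SAMPLE_PASSWD" | primary_group_users 1001
```

On a real host run the shadow checks through sudo (sudo cat /etc/shadow | empty_password_accounts); the passwd and group files are world-readable and need no elevation.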

Judging by readers' responses, the separation of administrative rights in Ubuntu is still unclear to many novice administrators, so we decided to bring some clarity to the subject with this material. If you do not know how su differs from sudo, or where root has gone, it is time to read on.

Let's start with a small digression. The Linux administrative rights system goes back to Unix and therefore has much in common with other Unix-like systems: BSD, Solaris, macOS. At the same time, different distributions have their own implementation details, so the specific examples are for the Ubuntu family, but knowledge of the general rules will let you find your way in any other Unix-like OS.

Full administrative rights in Linux belong to the user root, whose rights cannot be limited, so everyday work under this account is extremely undesirable: a careless action can damage the system, and compromise of this account gives an attacker unlimited access.

Linux therefore adopts a different scheme: all users, including administrators, work under limited accounts and use one of the privilege escalation mechanisms for administrative actions. You can raise rights for a command with the sudo utility, or log in as the superuser (root) without ending the current session with the su command. Many people confuse these two mechanisms, so let's look at them in more detail.

The su command lets you log in as another user (not necessarily root) without ending the current session. So the command:

su petrov

lets you switch to the user petrov; the user environment (home folder) also changes to that user's.

Run without a user name, su switches to the root account. This method has one serious drawback: to log in as another user you must know that user's password. With several administrators, each of them would know the superuser password, and you could not limit their rights.

It is also unsafe: the superuser password and the ability to log in under that name, if compromised, can lead to complete loss of control over the system.

What happens if we try to raise rights this way in Ubuntu? Nothing, because we do not know the root user's password; at the same time nothing stops us from switching to a different user.

"Wait!" another user will say, "isn't root access given to the first user, the one we specify during installation?" Indeed, administrative tasks can be performed only by the user created during installation; an attempt to do so as another user fails.

Here we come close to the second mechanism for raising rights, the sudo utility. Before studying it, one clarification: superuser (root) rights in Ubuntu belong to the root account, which is disabled by default, so raising rights with su is not possible out of the box.

The main mechanism for raising rights in Ubuntu is the sudo utility. It lets you run the command being executed with superuser rights, but you do not need to know the superuser password: the user enters their own password. The utility then checks whether this user is allowed to run this command on this host with superuser rights and, if the checks pass, runs it. Every sudo invocation is also logged, which gives accountability per administrator.

Important: the main difference between su and sudo is that su switches the current user to root, which requires an active superuser account and knowledge of its password, whereas sudo raises the rights of the command being executed without the superuser password; the user enters their own password, and those credentials cannot be used to log in as root.

Another important point: with a pipeline or redirection, only the first part of the command runs with superuser rights. In the construction:

sudo command1 | command2

only command1 runs as root. And the command

sudo cat sources.list > /etc/apt/sources.list

fails with a permission error, because the redirection into /etc/apt/sources.list is performed by the calling user's shell, which runs with ordinary rights; only cat is elevated.

For complex combinations of commands you can switch to superuser mode with

sudo -s

which is similar to raising rights with su, but with the default policy at the time of writing the user environment is not changed and the current user's directory is used as the home directory, which is convenient and safe: each administrator keeps working in their own home directory. (sudo -i instead gives a full root login environment.)
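An added example (not from the article) of writing redirections and pipelines so that every stage runs as root. SUDO defaults to sudo and can be set to an empty string when already root; the file paths are handed to sh -c as positional parameters rather than spliced into the command string, so a file name containing quotes or a semicolon cannot change the command that root executes.

```shell
#!/bin/bash
# Added example: run redirections and pipelines with root on every stage.
# Assumption: SUDO is the elevation command; set SUDO="" when already root.
set -u
SUDO=${SUDO-sudo}

# Wrong (from the article): sudo cat sources.list > /etc/apt/sources.list
# The ">" is handled by the caller's shell, which is not root.

# Right: a root-owned process (tee) opens the destination file.
write_as_root() {      # write_as_root <dest>   (content on stdin)
    $SUDO tee -- "$1" >/dev/null
}

# Right: hand the whole pipeline to a root shell. File names are passed as
# $1/$2 of that shell, never interpolated into the script text.
copy_as_root() {       # copy_as_root <src> <dest>
    $SUDO sh -c 'cat -- "$1" > "$2"' sh "$1" "$2"
}

# Appending to a root-owned file, same idea with tee -a.
append_as_root() {     # append_as_root <dest>  (content on stdin)
    $SUDO tee -a -- "$1" >/dev/null
}

# Usage on a real system (each line runs as root on both sides):
#   printf 'deb http://archive.ubuntu.com/ubuntu jammy main\n' | write_as_root /etc/apt/sources.list
#   copy_as_root ./sources.list /etc/apt/sources.list
#   printf 'entry\n' | append_as_root /var/log/custom.log
```

Before relying on this from a restricted account, check what it may run with sudo -l: the functions assume tee and sh are permitted, and a NOPASSWD rule for sh is equivalent to unrestricted root.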

Now let's see who may use sudo and to what extent. The utility is configured in the file /etc/sudoers. Although this is an ordinary configuration file, it is strongly recommended to edit it with the command:

sudo visudo

This command locks the file and checks its syntax; otherwise a typo could cost you administrative access to the machine.

The file syntax is quite simple. For example, at the very end of the file there is an entry:

%admin ALL=(ALL) ALL

It means that members of the group admin may execute any command on any host as any user. As we can easily verify with the groups command, in our case the user andrey belongs to the group admin and the user petrov does not.

The real strength of the utility is the ability to configure precisely how rights are obtained in each specific case. For example:

petrov ubuntu-lts=(andrey) ALL

This line allows the user petrov to execute any command on the host ubuntu-lts as the user andrey. When listing commands, give their full path; you can find it with the which command.

Suppose we want to allow the users petrov and sidorov to shut down and restart the computer and to kill processes, without being asked for a password.

Another useful feature of sudo is aliases, so in our case we add the following lines to /etc/sudoers:

User_Alias USERGROUP1 = petrov, sidorov
Cmnd_Alias CMDGROUP1 = /bin/kill, /sbin/reboot, /sbin/shutdown

This creates two aliases, USERGROUP1 with the users we need and CMDGROUP1 with the required commands; later we can edit only the aliases without touching every rule that uses them. Then add the rule:

USERGROUP1 ALL = (ALL) NOPASSWD:CMDGROUP1

which lets the users in the user alias execute the commands from the command alias on any host as any user without entering a password. Alias names must consist of uppercase Latin letters, digits and underscores; a common copy-paste mistake is a look-alike letter from another alphabet, which makes visudo reject the file with a syntax error. Also keep in mind that allowing /bin/kill lets these users terminate any process on the system, including security services, so keep such command lists as narrow as the job allows.

Besides these two, there are aliases for host names and for the users on whose behalf commands may be executed, for example:

Host_Alias WWW = webserver1, webserver2
Runas_Alias WWW = www-data, www-developer

USERGROUP1 WWW = (WWW) ALL

This set of records lets users in USERGROUP1 execute any commands as www-data and www-developer on the company's web servers.
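As an added example (not from the article), the script below lints a sudoers fragment before it is installed: it flags bytes outside printable ASCII, such as a look-alike letter from another alphabet in an alias name, and lists principals granted NOPASSWD: ALL. The embedded sample is constructed for the demonstration; its USERGROUP1 line deliberately carries a Cyrillic С in place of the Latin C of CMDGROUP1, the mistake that visudo reports only as a bare syntax error.

```shell
#!/bin/bash
# Added example: lint a sudoers fragment before installing it.
set -u

# Constructed sample. Line 6 contains a Cyrillic "С" (U+0421) instead of the
# Latin "C" of CMDGROUP1, which visudo rejects as a syntax error.
SAMPLE_SUDOERS='Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
User_Alias USERGROUP1 = petrov, sidorov
Cmnd_Alias CMDGROUP1 = /bin/kill, /sbin/reboot, /sbin/shutdown
USERGROUP1 ALL = (ALL) NOPASSWD:СMDGROUP1
petrov ALL=(ALL) NOPASSWD: ALL'

# Line numbers of lines holding bytes outside printable ASCII (look-alike
# letters, non-breaking spaces) that the eye does not distinguish.
sudoers_non_ascii_lines() {
    LC_ALL=C grep -n '[^[:print:][:space:]]' | cut -d: -f1
}

# Principals (user, %group or alias) granted every command with no password.
sudoers_nopasswd_all() {
    awk '!/^[[:space:]]*#/ && /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { print $1 }'
}

# Lint one file; prints findings to stderr and returns 1 if there are any.
sudoers_lint() {          # sudoers_lint <file>
    local rc=0 bad
    bad=$(sudoers_non_ascii_lines < "$1")
    [ -z "$bad" ] || { echo "$1: non-ASCII bytes on line(s) $bad" >&2; rc=1; }
    bad=$(sudoers_nopasswd_all < "$1")
    [ -z "$bad" ] || { echo "$1: NOPASSWD ALL granted to $bad" >&2; rc=1; }
    return $rc
}

# Lint plus sudo's own parser: visudo -cf parses a candidate file without
# installing it. Run as root on the file you are about to place in
# /etc/sudoers.d (mode 0440, owned by root, file name without a dot).
sudoers_check() {         # sudoers_check <file>
    sudoers_lint "$1" && visudo -cf "$1"
}

# Demonstration on the sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SUDOERS" > "$tmp"
sudoers_lint "$tmp" || echo "lint findings for $tmp (see above)"
rm -f "$tmp"
```

The lint is a complement to visudo, not a replacement: visudo -cf remains the authoritative syntax check, while the two checks above explain the findings that its error message does not.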

Finally, what to do if a root account is still needed. To enable it, just set a password:

sudo passwd root

To lock the superuser account again, use:

sudo passwd -l root

Remember that all administrative tasks in Ubuntu can be done with sudo, so do not enable the root account unless absolutely necessary.

As you can see, Ubuntu has rich administrative rights management capabilities, which allows you to flexibly distribute rights among several administrators, as well as give the ability to increase rights for some users, and do this efficiently and securely.

User management is a critical part of maintaining a secure system. Ineffective user and privilege management often lead many systems into being compromised. Therefore, it is important that you understand how you can protect your server through simple and effective user account management techniques.

Ubuntu developers made a conscientious decision to disable the administrative root account by default in all Ubuntu installations. This does not mean that the root account has been deleted or that it may not be accessed. It merely has been given a password which matches no possible encrypted value, therefore may not log in directly by itself.

Instead, users are encouraged to make use of a tool by the name of sudo to carry out system administrative duties. Sudo allows an authorized user to temporarily elevate their privileges using their own password instead of having to know the password belonging to the root account. This simple yet effective methodology provides accountability for all user actions, and gives the administrator granular control over which actions a user can perform with said privileges.

    If for some reason you wish to enable the root account, simply give it a password:

    sudo passwd root

    Configurations with a root password are not supported by Ubuntu.

    Sudo will prompt you for your own password and then ask for a new password for root, as shown below:

    Password for username: (enter your own password)
    Enter new UNIX password: (enter a new password for root)
    Retype new UNIX password: (repeat new password for root)
    passwd: password updated successfully

    To lock the root password again, use the following passwd syntax:

    sudo passwd -l root

    Locking the password alone leaves other login methods working (for example an SSH key in /root/.ssh/authorized_keys). To disable the root account itself, set an expiry date in the past:

    sudo usermod --expiredate 1 root

    Read more on sudo in its man page:

    man sudo

By default, the initial user created by the Ubuntu installer is a member of the group sudo, which is listed in /etc/sudoers as authorized to use sudo. If you wish to give any other account full root access through sudo, simply add it to the sudo group.

Adding and Deleting Users

The process for managing local users and groups is straightforward and differs very little from most other GNU/Linux operating systems. Ubuntu and other Debian-based distributions encourage the use of the adduser package for account management.

    To add a user account, use the following syntax and follow the prompts to give the account a password and identifying details such as a full name and phone number:

    sudo adduser username

    To delete a user account and its primary group, use:

    sudo deluser username

    Deleting an account does not remove its home folder. It is up to you whether to delete the folder manually or keep it according to your retention policies.

    Remember that any user added later with the same UID/GID as the previous owner will have access to this folder if you have not taken precautions.

    You may want to change these UID/GID values to something more appropriate, such as the root account, and perhaps relocate the folder to avoid future conflicts:

    sudo chown -R root:root /home/username/
    sudo mkdir /home/archived_users/
    sudo mv /home/username /home/archived_users/

    To temporarily lock or unlock a user account, use the following syntax, respectively:

    sudo passwd -l username
    sudo passwd -u username

    To add or delete a personalized group, use the following syntax, respectively:

    sudo addgroup groupname
    sudo delgroup groupname

    To add a user to a group, use:

    sudo adduser username groupname

User Profile Security

When a new user is created, the adduser utility creates a brand new home directory named /home/username . The default profile is modeled after the contents found in the directory of /etc/skel , which includes all profile basics.

If your server will be home to multiple users, pay close attention to the home directory permissions to ensure confidentiality. Ubuntu releases before 21.04 create home directories with world read/execute permissions (DIR_MODE 0755); since 21.04 the default is 0750. On the older default every user can browse and read the contents of other users' home directories, which may not be suitable for your environment.

    To verify your current user home directory permissions, use the following syntax:

    ls -ld /home/username

    The following output shows that the directory /home/username has world-readable permissions:

    drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username

    You can remove the world readable-permissions using the following syntax:

    sudo chmod 0750 /home/username

    Some people tend to use the recursive option (-R) indiscriminately which modifies all child folders and files, but this is not necessary, and may yield other undesirable results. The parent directory alone is sufficient for preventing unauthorized access to anything below the parent.

    A much more efficient approach to the matter would be to modify the adduser global default permissions when creating user home folders. Simply edit the file /etc/adduser.conf and modify the DIR_MODE variable to something appropriate, so that all new home directories will receive the correct permissions.

    After correcting the directory permissions using any of the previously mentioned techniques, verify the results using the following syntax:

    ls -ld /home/username

    The results below show that world-readable permissions have been removed:

    drwxr-x--- 2 username username 4096 2007-10-02 20:03 username
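The added example below (not from the server guide) automates the two checks in this section: listing home directories that other users can enter, and reading the DIR_MODE that adduser will apply to new ones. It runs on a constructed temporary tree so it needs no root; point the first function at /home and the second at /etc/adduser.conf for a real audit.

```shell
#!/bin/bash
# Added example: audit home directory permissions and the adduser default.
# Uses a constructed temporary tree so it needs no root; for a real audit
# pass /home and /etc/adduser.conf instead.
set -u

# Home directories whose mode grants "other" read or execute, i.e. that any
# local user can list or enter.
world_accessible_homes() {   # world_accessible_homes <homes-root>
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /o+rx | sort
}

# DIR_MODE that adduser applies to new home directories; 0755 is the
# historical default when the variable is absent or commented out.
adduser_dir_mode() {         # adduser_dir_mode <adduser.conf>
    local mode
    mode=$(sed -n 's/^[[:space:]]*DIR_MODE=//p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-0755}"
}

# Constructed tree: alice has the old 0755 default, bob and carol are hardened.
demo_root=$(mktemp -d)
mkdir -m 0755 "$demo_root/alice"
mkdir -m 0750 "$demo_root/bob"
mkdir -m 0700 "$demo_root/carol"
printf '# DIR_MODE=0755\nDIR_MODE=0755\n' > "$demo_root/adduser.conf"

echo "world-accessible home directories:"
world_accessible_homes "$demo_root"          # only .../alice
echo "adduser DIR_MODE: $(adduser_dir_mode "$demo_root/adduser.conf")"   # 0755

# Remediation is a chmod on each listed directory, without -R:
#   world_accessible_homes /home | xargs -r chmod 0750
```

The find expression uses -perm /o+rx, which matches a directory if either the read or the execute bit is set for others; a directory with only o+x still lets someone who guesses file names open them.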

Password Policy

A strong password policy is one of the most important aspects of your security posture. Many successful security breaches involve simple brute force and dictionary attacks against weak passwords. If you intend to offer any form of remote access involving your local password system, make sure you adequately address minimum password complexity requirements, maximum password lifetimes, and frequent audits of your authentication systems.

Minimum Password Length

By default, Ubuntu requires a minimum password length of 6 characters as well as some basic entropy checks. These are controlled in /etc/pam.d/common-password by the pam_unix line outlined below.

password pam_unix.so obscure sha512

To raise the minimum length to 8 characters, add minlen=8 to that line:

password pam_unix.so obscure sha512 minlen=8

Basic entropy checks and the minimum length rule do not apply when an administrator sets a user's password through sudo, so a weak password set by root passes silently.

Password Expiration

When creating user accounts, you should make it a policy to have a minimum and maximum password age forcing users to change their passwords when they expire.

    To view the current status of a user account, use:

    sudo chage -l username

    The output below shows that no policies are applied to the account:

    Last password change:                                 Jan 20, 2015
    Password expires:                                     never
    Password inactive:                                    never
    Account expires:                                      never
    Minimum number of days between password change:       0
    Maximum number of days between password change:       99999
    Number of days of warning before password expires:    7

    To set any of these values, use the following syntax and follow the interactive prompts:

    sudo chage username

    The following example sets the explicit expiration date (-E) to 2015-01-31, a minimum password age (-m) of 5 days, a maximum password age (-M) of 90 days, an inactivity period (-I) of 5 days after password expiration, and a warning period (-W) of 14 days before password expiration:

    sudo chage -E 2015-01-31 -m 5 -M 90 -I 5 -W 14 username

    Note that locking a password (passwd -l) does not stop logins by other means. A user who has set up public-key SSH authentication can still log in without a password, so check the home directory for files such as /home/username/.ssh/authorized_keys.

    Remove or rename the directory .ssh/ in the user's home folder to prevent further SSH authentication.

    Be sure to check for established SSH connections by the disabled user, as they may have existing inbound or outbound sessions. Kill any that are found:

    who | grep username    (to get the pts/# terminal)
    sudo pkill -f pts/#

    (pkill -t pts/# targets the terminal directly and is less likely to hit unrelated processes whose command line merely mentions that string.)

    Restrict SSH access to only the user accounts that should have it. For example, create a group called "sshlogin" and add the group name as the value of the AllowGroups directive in /etc/ssh/sshd_config:

    AllowGroups sshlogin

    Then add your permitted SSH users to the group "sshlogin" and restart the SSH service:

    sudo adduser username sshlogin
    sudo systemctl restart sshd.service

    External User Database Authentication

    Most enterprise networks require centralized authentication and access controls for all system resources. If you have configured your server to authenticate users against external databases, be sure to disable the user accounts both externally and locally. This way you ensure that local fallback authentication is not possible.



 

