Managing users and groups is a fundamental part of maintaining a Linux system. Managing user accounts, groups, and permissions can keep your system secure and organized. In this blog, we’ll explore how Linux handles users and groups, and walk through a practical example of creating a user, adding them to a group, setting a password, granting sudo access, and restricting SSH login for certain users.
What You Need to Know: Users, Groups, and Permissions
1. Linux Users
A user in Linux is essentially an account that has privileges and access to certain files and directories. Every user has information stored in a file called /etc/passwd. Here’s a breakdown of what it contains:
Username: The name of the user.
Password: Usually stored in a separate file (/etc/shadow).
UID: The unique user ID number.
GID: The group ID that the user belongs to.
Home directory: Where the user's files are stored.
Shell: The program that runs when the user logs in.
Example entry in /etc/passwd:
username:x:1001:1001:John Doe:/home/username:/bin/bash
2. Linux Groups
Groups are collections of users who share certain permissions. Instead of assigning permissions to individual users, you can assign them to a group. Users in that group will inherit the group’s permissions.
Group information is stored in the /etc/group file:
Group name: The name of the group.
Group password (if any).
GID: The unique group ID.
Members: The users that belong to the group.
Example entry in /etc/group:
Group1:x:1001:John Doe
This shows that John Doe is a member of the group Group1.
3. Permissions in Linux
Linux uses a permission system to control who can access files and directories. There are three types of permissions:
Read (r): Permission to view a file's contents.
Write (w): Permission to modify or delete a file.
Execute (x): Permission to run a file as a program.
These permissions are given to the file's owner, the group, and everyone else. Permissions can be modified using the chmod command.
Let’s Walk Through an Example
Let’s create a user, assign them to a group, set a password, grant sudo access, and restrict their SSH login.
1. Create a User and Add Them to a Group
We will create a user called devops_user and add them to a group named devops_team:
To create a user devops_user, run this command:
sudo useradd -m devops_user
- The -m option creates a home directory for the user.
To create a group devops_team, run this command:
sudo groupadd devops_team
To add user devops_user to the group devops_team, run this command:
sudo usermod -aG devops_team devops_user
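Alternatively, we can use the below command to create the user and add them to the group in one line. The devops_team group must already exist, because useradd does not create supplementary groups.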
sudo useradd -m -G devops_team devops_user
- The -m option creates a home directory for the user.
- The -G option adds the user to an additional group (devops_team in this case).
2. Set a Password for the User
To set a password for devops_user, run this command:
sudo passwd devops_user
You’ll be asked to enter a new password for the user.
3. Grant Sudo Access to the User
To allow devops_user to run commands as a superuser, we need to grant them sudo access.
You can either add the user to the sudo group or directly edit the /etc/sudoers file.
To add the user to the sudo group, run:
sudo usermod -aG sudo devops_user
Alternatively, you can open the sudoers file:
sudo visudo
And add the following line to allow devops_user to run any command with sudo:
devops_user ALL=(ALL) NOPASSWD:ALL
This will allow devops_user to use sudo without needing to enter a password.
4. Restrict SSH Login for Certain Users
You can edit the SSH configuration file to prevent certain users from logging in via SSH.
To block devops_user from logging in through SSH:
Open the SSH configuration file:
sudo vim /etc/ssh/sshd_config
Add this line at the end of the file:
DenyUsers devops_user
Save and exit the file, then restart the SSH service:
sudo systemctl restart sshd
Now, devops_user will not be able to log in via SSH.
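To check what steps 1 to 4 actually left on the system, the script below is an added example (not part of the original post) that reads copies of /etc/passwd, /etc/group, /etc/sudoers and sshd_config and reports the user's groups, any passwordless sudo rule, and whether DenyUsers applies globally. The function names and the sample files are constructed for illustration; the DenyUsers check matches exact user names only and treats a line placed below a Match keyword as conditional, which is what happens when the line is appended to a file that ends in a Match block.

```shell
#!/bin/sh
# Added example: audit what the walkthrough produced. File paths are arguments,
# so it runs on copies; the sample files below are constructed.

# groups_of USER PASSWD GROUP: print the user's groups, primary group first
groups_of() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
    awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { primary = $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) extra = extra " " $1 }
        END { print primary extra }' "$3"
}

# nopasswd_rules USER "GROUPS" SUDOERS: print rules that grant passwordless sudo
# to the user or to one of its groups (aliases and includes are not followed)
nopasswd_rules() {
    awk -v u="$1" -v gs="$2" '
        BEGIN { who[u] = 1; n = split(gs, g, " "); for (i = 1; i <= n; i++) who["%" g[i]] = 1 }
        ($1 in who) && /NOPASSWD:/' "$3"
}

# ssh_denied USER SSHD_CONFIG: succeed only if a global DenyUsers names the user.
# Lines after the first Match keyword belong to that Match block, so a DenyUsers
# appended below one is conditional and is not counted (exact names only).
ssh_denied() {
    awk -v u="$1" '
        tolower($1) == "match" { exit }
        tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        END { exit !found }' "$2"
}

d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'devops_user:x:1001:1001::/home/devops_user:/bin/sh' > "$d/passwd"
printf '%s\n' 'sudo:x:27:devops_user' 'devops_user:x:1001:' \
    'devops_team:x:1002:alice,devops_user' > "$d/group"
printf '%s\n' 'root ALL=(ALL:ALL) ALL' '%sudo ALL=(ALL:ALL) ALL' \
    'devops_user ALL=(ALL) NOPASSWD:ALL' > "$d/sudoers"
printf '%s\n' 'PermitRootLogin no' 'DenyUsers devops_user' > "$d/sshd_ok"
printf '%s\n' 'Match Address 10.0.0.0/8' 'DenyUsers devops_user' > "$d/sshd_match"

g=$(groups_of devops_user "$d/passwd" "$d/group")
echo "groups:   $g"
echo "nopasswd: $(nopasswd_rules devops_user "$g" "$d/sudoers")"
ssh_denied devops_user "$d/sshd_ok"    && echo "sshd_ok:    denied globally"
ssh_denied devops_user "$d/sshd_match" || echo "sshd_match: deny only inside Match"
```

On a live host, sudo visudo -c and sudo sshd -t check the syntax of the edited files before the SSH service is restarted.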
Conclusion
Understanding how to create users, assign them to groups, set permissions, and control SSH access can help organize and secure the system.