Day 13 - Users and Groups
Today you’re going to set-up another user on your system. You’re going to imagine that this is a help-desk person that you trust to do just a few simple tasks:
- check that the system is running
- check disk space with:
…but you also want them to be able to reboot the system, because you believe that “turning it off and on again” resolves most problems :-)
You’ll be covering a several new areas, so have fun!
YOUR TASKS TODAY
- Create a new user
- Create a new group
- Create a new user and add to an existing group
- Make a new user a sudoer
Follow this demo
ADDING A NEW USER
Choose a name for your new user - we’ll use “helen” in the examples, so to add this new user:
sudo adduser helen
(Names are case-sensitive in Linux, so “Helen” would be a completely different user)
The “adduser” command works very slightly differently in each distro - if it didn’t ask you for a password for your new user, then set it manually now by:
sudo passwd helen
You will now have a new entry in the simple text database of users:
/etc/passwd (check it out with:
less), and a group of the same name in the file:
/etc/group. A hash of the password for the user is in:
/etc/shadow (you can read this too if you use “sudo” - check the permissions to see how they’re set. For obvious reasons it’s not readable to just everyone).
If you’re used to other operating systems it may be hard to believe, but these simple text files are the whole Linux user database and you could even create your users and groups by directly editing these files - although this isn’t normally recommended.
adduser will have created a home directory,
/home/helen for example, with the correct permissions.
useradd is not the same as
adduser. They both create a new user, but they interact very differently. Check the link in the EXTENSION section to see those differences.
ADDING A NEW GROUP
Let’s say we want to all of the developers in my organization to have their own group, so they can have access to the same things.
sudo groupadd developers
On most modern Linux systems there is a group created for each user, so user “ubuntu” is a member of the group “ubuntu”. But if you want, you can create a new user directly into an existing group, using the
ingroup flag. So a new user
fred would be created like this:
sudo adduser --ingroup developers fred
ADDING AN USER TO GROUPS
Users can also be part of more than one group, and groups can be added as required.
To see what groups you’re a member of, simply type:
On an Ubuntu system the first user created (in your case
ubuntu), should be a member of the groups:
admin - and if you list the
/var/log folder you’ll see your membership of the
sudo group is why you can use
less to read and view the contents of
The “root” user can add a user to an existing group with the command:
usermod -a -G group user
ubuntu user can do the same simply by prefixing the command with
Because the new user
helen is not the first user created in the system, they don’t have the power to run
sudo - which your user has by being a member of the group
So, to check which groups
helen is a member of, you can “become helen” by switching users like this:
sudo su helen
If you try to do stuff only a sudo user can do, i.e. read the contents of
/var/log/auth.log, even using the prefix
sudo won’t work. Helen is not a sudo and has no permissions to perform this action.
Now type “exit” to return to your normal user, and you can add
helen to this group with:
sudo usermod -a -G sudo helen
Instead of switching users again, simply run the
groups helen to check. Try that with
fred too and check how everything works.
See if any of your new users can
CLEVER SUDO TRICKS
Your new user is just an ordinary user and so can’t use
sudo to run commands with elevated privileges - until we set them up. We could simply add them to a group that’s pre-defined to be able to use sudo to do anything as root (like we did with
helen) - but we don’t want to give
fred quite that same amount of power.
ls -l to look at the permissions for the file:
/etc/sudoers This is where the magic is defined, and you’ll see that it’s tightly controlled, but you should be able to view it with:
sudo less /etc/sudoers You want to add a new entry in there for your new user, and for this you need to run a special utility:
To run this, you can temporarily “become root” by running:
Notice that your prompt has changed to a
Now simply run
visudo to begin editing
/etc/sudoers - typically this will use
All lines in
/etc/sudoers beginning with “#” are optional comments. You’ll want to add some lines like this:
# Allow user "fred" to run "sudo reboot"
# ...and don't prompt for a password
fred ALL = NOPASSWD:/sbin/reboot
You can add these line in wherever seems reasonable. The
visudo command will automatically check your syntax, and won’t allow you to save if there are mistakes - because a corrupt sudoers file could lock you out of your server!
exit to remove your magic hat and become your normal user again - and notice that your prompt reverts to:
Test by logging in as your test user and typing:
Note that you can “become” helen by:
sudo su helen
If your ssh config allows login only with public keys, you’ll need to setup
/home/helen/.ssh/authorized_keys - including getting the owner and permissions correct. A little challenge of your understanding of this area!
If you find this all pretty familiar, then you might like to check and update your knowledge on a couple of related areas:
- Restricting shell access
- Linux Password & Shadow File Formats
- What’s the difference between ‘useradd’ and ‘adduser’?
- How to create users and groups in Linux from the command line
- Learn how to use the $EDITOR environmental variable to set your default editor to
vim. With this done,
- How To Edit the Sudoers File
- Sudo – An Advanced Howto
- A cartoon that should now make sense!
- Basic Linux Permissions: sudo and sudoers (video)
Some rights reserved. Check the license terms here