Ubuntu Server: administrative user rights, user management and changing user passwords

May 3, 2016

User management is one of the most important skills for a system administrator in a Linux environment. On a freshly installed system there is usually only one account: root.

The root account has unrestricted privileges and is very flexible, but working on the server as root permanently is strongly discouraged: with absolute rights, a single mistyped command can do irreparable damage to the system. For everyday work, create an additional user with normal privileges and grant that user sudo rights; create further accounts for any other people who need access to the server.

This guide shows how to create new user accounts, grant sudo rights and delete users.

Adding a user

In a root session, add a new user with:

adduser newuser

In a non-root session with sudo access, run the same command through sudo:

sudo adduser newuser

The command will prompt you to:

  • set and confirm a password;
  • enter additional user information (full name, room number, phone). This is optional; press Enter to accept the defaults;
  • confirm that the information is correct (press Enter to accept the default Y).

The new user is ready, and you can now log in to the server with it.

Setting sudo permissions

To be able to use the new account to perform administrative tasks, the user must be allowed access to the sudo command. This can be done in two ways:

  1. Add user to sudo group
  2. Edit sudo settings in /etc/sudoers

Adding a user to the sudo group

In Ubuntu 16.04, all members of the sudo group may run commands through sudo by default (the line %sudo ALL=(ALL:ALL) ALL in /etc/sudoers grants this).

To find out which groups a new user belongs to, type:

groups newuser

The command will return:

newuser : newuser

By default, each new user is a member only of a private group of the same name. To add the user to the sudo group, type (as root, or prefix the command with sudo):

usermod -aG sudo newuser

-G lists the supplementary groups to set and -a appends them to the user's existing groups. Do not drop -a: usermod -G sudo newuser on its own would replace the user's supplementary groups with sudo alone. The new membership takes effect at the user's next login.

Testing the setup

Now make sure that the new user can actually use sudo.

By default, commands in the new user's session run with that user's own privileges:

some_command

To run a command as an administrator, prefix it with sudo:

sudo some_command

The system will then ask for the password of the current user (not the root password). The first successful use is the real test: if the user has not been granted access, sudo refuses and reports that the user is not in the sudoers file.

Editing the /etc/sudoers file

An alternative way to extend a user's privileges is to edit the sudoers file. For this the visudo command is used: it opens /etc/sudoers in an editor and lets you specify explicitly what each user may run.

Only edit the sudoers file with visudo: it locks the file against simultaneous edits and checks the syntax before writing it back. A syntax error written directly to /etc/sudoers would break sudo for everyone, including the administrator trying to fix it.

If you are in a root session, type:

visudo

In a non-root user session with sudo access, type:

sudo visudo

On most systems visudo opens /etc/sudoers in vi, which can be difficult for beginners; new Ubuntu installations use the more familiar nano editor instead. Use the arrow keys to move the cursor and find the line:

root ALL=(ALL:ALL) ALL

Copy this line and paste it below, replacing root with the name of the user you want to transfer superuser rights to.

root ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL

Add this line for each user who needs extended privileges. Save and close the file.

Deleting Users

Accounts that are no longer needed should be deleted.

To remove a user while keeping their home directory and files, type:

as root:
deluser newuser
as a normal user with sudo privileges:
sudo deluser newuser

To remove a user along with their home directory, use:

in the root session:
deluser --remove-home newuser
in a session with sudo privileges:
sudo deluser --remove-home newuser

deluser removes the user from all groups, including sudo, so group-based access ends with the account. If the deleted user had been granted rights directly in /etc/sudoers, however, that line must be removed by hand:

visudo
or
sudo visudo

root ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL # remove this line

If the line were left in place and a new account with the same name were later created, that account would receive the privileges automatically. Removing the line prevents this.
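Checking who can run sudo, and cleaning up a deleted user's grant, can be scripted. The following is an added example and not part of the original tutorial: it reads /etc/group-style and /etc/sudoers-style files (constructed copies here, so it runs without root), lists the members of the sudo group and the users granted rights directly in sudoers, and then writes a copy of the sudoers file with the deleted user's line removed. The file paths, user names and function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the tutorial): list who can run sudo on a host and
# strip a departed user's direct sudoers entry. The functions work on any
# /etc/group- and /etc/sudoers-style file, so they can be tried on the
# constructed copies below without root; on a live host point them at the
# real files (sudo cat /etc/sudoers > copy) and remember /etc/sudoers.d.

# Print the members of GROUPNAME from an /etc/group-style file, one per line.
# Usage: group_members GROUP_FILE GROUPNAME
group_members() {
    awk -F: -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
    ' "$1"
}

# Print users granted rights directly in a sudoers-style file, i.e. lines of
# the form "user HOST=(RUNAS) CMD". Comments, blank lines, Defaults, aliases
# and %group entries are skipped; group-based grants are covered by
# group_members instead.
# Usage: sudoers_user_grants SUDOERS_FILE
sudoers_user_grants() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 ~ /^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        $1 ~ /^%/ { next }
        $2 ~ /=/ { print $1 }
    ' "$1"
}

# Copy SUDOERS_FILE to OUT without the direct entries for USER. The result
# should still be checked with "visudo -c -f OUT" and installed through
# visudo, never by overwriting /etc/sudoers directly.
# Usage: purge_sudoers_user SUDOERS_FILE USER OUT
purge_sudoers_user() {
    awk -v u="$2" '!($1 == u && $2 ~ /=/)' "$1" > "$3"
}

# --- demo on constructed files (not real system data) ---
tmp=$(mktemp -d)
cat > "$tmp/group" <<'EOF'
root:x:0:
sudo:x:27:alice,bob
users:x:100:
EOF
cat > "$tmp/sudoers" <<'EOF'
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
carol   ALL=(root) NOPASSWD: /usr/bin/systemctl
EOF

echo "members of group sudo:";   group_members "$tmp/group" sudo
echo "direct grants in sudoers:"; sudoers_user_grants "$tmp/sudoers"
purge_sudoers_user "$tmp/sudoers" newuser "$tmp/sudoers.new"
echo "direct grants after removing newuser:"; sudoers_user_grants "$tmp/sudoers.new"
```

On a live host, sudo -l -U username shows the effective policy for a single account, including grants from /etc/sudoers.d, which this script does not read. Apply the purged file through visudo after checking it with visudo -c -f, so a syntax slip cannot lock every administrator out.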

Conclusion

User management is an essential skill when administering an Ubuntu 16.04 server. It will allow you to separate users and give them only the access they need to work.


User management is a critical part of maintaining a secure system. Ineffective user and privilege management often lead many systems into being compromised. Therefore, it is important that you understand how you can protect your server through simple and effective user account management techniques.

Ubuntu developers made a conscious decision to disable the administrative root account by default in all Ubuntu installations. This does not mean that the root account has been deleted or that it cannot be accessed. Its password field in /etc/shadow is simply set to a locked value that matches no possible hash, so nobody can log in as root directly with a password.

Instead, users are encouraged to make use of a tool by the name of sudo to carry out system administrative duties. Sudo allows an authorized user to temporarily elevate their privileges using their own password instead of having to know the password belonging to the root account. This simple yet effective methodology provides accountability for all user actions, and gives the administrator granular control over which actions a user can perform with said privileges.

    If for some reason you wish to enable the root account, simply give it a password:

    Configurations with root passwords are not supported.

    sudo passwd

    (passwd with no argument changes the password of the effective user, which under sudo is root; sudo passwd root is equivalent.) Sudo will prompt you for your own password, then ask you to supply a new password for root, as shown below:

    Password for username: (enter your own password)
    Enter new UNIX password: (enter a new password for root)
    Retype new UNIX password: (repeat new password for root)
    passwd: password updated successfully

    To lock the root password again, use the following passwd syntax:

    sudo passwd -l root

    Locking only the password still allows logins that do not use it (for example SSH public-key authentication). To disable the root account itself, expire it:

    sudo usermod --expiredate 1 root

    You should read more on sudo by reading the man page:

    man sudo

By default, the initial user created by the Ubuntu installer is a member of the group "sudo", which is listed in /etc/sudoers as an authorized sudo group. If you wish to give any other account full root access through sudo, simply add it to the sudo group.

Adding and Deleting Users

The process for managing local users and groups is straightforward and differs very little from most other GNU/Linux operating systems. Ubuntu and other Debian-based distributions encourage the use of the adduser package for account management.

    To add a user account, use the following syntax, and follow the prompts to give the account a password and identifying details such as a full name, phone number, etc.

    sudo adduser username

    To delete a user account and its primary group, use the following syntax:

    sudo deluser username

    Deleting an account does not remove its home folder. It is up to you whether to delete the folder manually or keep it according to your retention policies.

    Remember, any user added later with the same UID/GID as the previous owner will have access to this folder if you have not taken precautions.

    You may want to change these UID/GID values to something more appropriate, such as the root account, and perhaps relocate the folder to avoid future conflicts:

    sudo chown -R root:root /home/username/
    sudo mkdir /home/archived_users/
    sudo mv /home/username /home/archived_users/

    To temporarily lock or unlock a user account, use the following syntax, respectively:

    sudo passwd -l username
    sudo passwd -u username

    To add or delete a personalized group, use the following syntax, respectively:

    sudo addgroup groupname
    sudo delgroup groupname

    To add a user to a group, use the following syntax:

    sudo adduser username groupname

User Profile Security

When a new user is created, the adduser utility creates a brand new home directory named /home/username . The default profile is modeled after the contents found in the directory of /etc/skel , which includes all profile basics.

If your server will be home to multiple users, pay close attention to home directory permissions to ensure confidentiality. In Ubuntu 16.04, user home directories are created with world read/execute permissions (mode 0755), so every user can browse and read the contents of every other user's home directory. (Ubuntu 21.04 and later create new home directories with mode 0750 instead.) This may not be suitable for your environment.

    To verify your current user home directory permissions, use the following syntax:

    ls -ld /home/username

    The following output shows that the directory /home/username has world-readable permissions:

    drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username

    You can remove the world readable-permissions using the following syntax:

    sudo chmod 0750 /home/username

    Some people tend to use the recursive option (-R) indiscriminately which modifies all child folders and files, but this is not necessary, and may yield other undesirable results. The parent directory alone is sufficient for preventing unauthorized access to anything below the parent.

    A much more efficient approach is to change the default permissions adduser applies when it creates home folders: edit /etc/adduser.conf and set the DIR_MODE variable to an appropriate value such as 0750, so that all new home directories receive the correct permissions. Note that this setting only affects users created afterwards; existing home directories must still be fixed with chmod.

    After correcting the directory permissions using any of the previously mentioned techniques, verify the results using the following syntax:

    ls -ld /home/username

    The results below show that world-readable permissions have been removed:

    drwxr-x--- 2 username username 4096 2007-10-02 20:03 username
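    The audit described above can be done for a whole /home at once. The script below is an added example, not code from the Ubuntu guide: it finds home directories whose mode grants anything to "other", tightens only the parent directory to 0750 (no -R, as the text recommends), and reads the DIR_MODE that an adduser.conf would apply to future accounts. It runs on a temporary tree built inline; the directory names, the config file and the function names are assumptions for the demo, and stat -c is GNU stat.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): audit and fix world-accessible
# home directories and check the adduser default for new ones. Runs on a
# constructed tree here; on a real host call fix_home_perms /home as root
# and adduser_dir_mode /etc/adduser.conf.

# Print the octal permission bits of a directory, e.g. 755 (GNU stat).
dir_mode() { stat -c '%a' "$1"; }

# List subdirectories of PARENT whose mode grants any permission to "other"
# (last octal digit non-zero), i.e. homes that every local user can browse.
# Usage: world_accessible_homes PARENT
world_accessible_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        case $(dir_mode "$d") in
            *0) ;;            # others have no bits: fine
            *)  echo "$d" ;;
        esac
    done
}

# Set every world-accessible home under PARENT to 0750 (owner rwx, group rx,
# others nothing) without recursing: the parent directory alone blocks
# access to everything below it. Prints one "fixed <dir>" line per change.
# Usage: fix_home_perms PARENT
fix_home_perms() {
    world_accessible_homes "$1" | while IFS= read -r d; do
        chmod 0750 "$d" && echo "fixed $d"
    done
}

# Report the DIR_MODE an adduser.conf-style file would apply to new homes,
# or "unset" if the line is missing or commented out (adduser then falls
# back to its built-in default).
# Usage: adduser_dir_mode CONF_FILE
adduser_dir_mode() {
    awk -F= '
        /^[[:space:]]*DIR_MODE=/ { gsub(/[[:space:]]/, "", $2); print $2; found = 1 }
        END { if (!found) print "unset" }
    ' "$1"
}

# --- demo on a constructed tree, not /home ---
tmp=$(mktemp -d)
mkdir -p "$tmp/home/alice" "$tmp/home/bob" "$tmp/home/carol"
chmod 0755 "$tmp/home/alice"      # the Ubuntu 16.04 default: world r-x
chmod 0750 "$tmp/home/bob"        # already tightened
chmod 0700 "$tmp/home/carol"      # private
printf 'DIR_MODE=0750\n' > "$tmp/adduser.conf"   # constructed config

echo "world-accessible homes before:"; world_accessible_homes "$tmp/home"
fix_home_perms "$tmp/home"
echo "world-accessible homes after: $(world_accessible_homes "$tmp/home" | wc -l)"
echo "new homes would be created with mode $(adduser_dir_mode "$tmp/adduser.conf")"
```

    Only the parent directory is changed, so files that were deliberately shared deeper in the tree keep their own modes; that is also why the check looks at the "other" digit alone and leaves group access (needed for shared project groups) untouched.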

Password Policy

A strong password policy is one of the most important aspects of your security posture. Many successful security breaches involve simple brute force and dictionary attacks against weak passwords. If you intend to offer any form of remote access involving your local password system, make sure you adequately address minimum password complexity requirements, maximum password lifetimes, and frequent audits of your authentication systems.

Minimum Password Length

By default, Ubuntu requires a minimum password length of 6 characters, as well as some basic entropy checks. These values are controlled by the pam_unix line in the file /etc/pam.d/common-password, outlined below.

password [success=1 default=ignore] pam_unix.so obscure sha512

If you would like to raise the minimum length to 8 characters, add minlen=8 to that line:

password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=8

Note that common-password is managed by pam-auth-update, which may overwrite a hand edit the next time it runs (it asks before overriding local changes). Basic entropy checks and minimum length rules are not enforced for root: an administrator setting another user's password with sudo passwd is warned about a weak password, but the change is still accepted.

Password Expiration

When creating user accounts, make it a policy to set a minimum and maximum password age so that users must change their passwords when they expire.

    To view the current ageing status of a user account, use:

    sudo chage -l username

    The output below shows that no policy is applied to the account:

    Last password change                                    : Jan 20, 2015
    Password expires                                        : never
    Password inactive                                       : never
    Account expires                                         : never
    Minimum number of days between password change          : 0
    Maximum number of days between password change          : 99999
    Number of days of warning before password expires       : 7

    To set any of these values interactively, use the following syntax and follow the prompts:

    sudo chage username

    The following example sets an explicit account expiration date (-E) of 01/31/2015, a minimum password age (-m) of 5 days, a maximum password age (-M) of 90 days, an inactivity period (-I) of 5 days after password expiration, and a warning period (-W) of 14 days before password expiration:

    sudo chage -E 01/31/2015 -m 5 -M 90 -I 5 -W 14 username

SSH Access by Disabled Users

    Locking a user's password does not stop them logging in over SSH if they have previously set up public-key authentication, because key logins never consult the password. Check the user's home directory for such keys:

    /home/username/.ssh/authorized_keys

    Remove or rename the .ssh/ directory in the user's home folder to prevent further SSH authentication with those keys.

    Also check for SSH sessions the disabled user still has open, since existing inbound or outbound connections survive the lock. Kill any that are found:

    who | grep username   (to get the pts/# terminal)
    sudo pkill -f pts/#

    Restrict SSH access to only the accounts that should have it. For example, create a group called "sshlogin" and add the group name as the value of the AllowGroups option in /etc/ssh/sshd_config:

    AllowGroups sshlogin

    Then add your permitted SSH users to the group "sshlogin", and restart the SSH service.

    sudo adduser username sshlogin
    sudo systemctl restart sshd.service

    External User Database Authentication

    Most enterprise networks require centralized authentication and access controls for all system resources. If you have configured your server to authenticate users against external databases, be sure to disable the user accounts both externally and locally. This way you ensure that local fallback authentication is not possible.
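    The two checks from the sections above (password ageing and leftover SSH keys on a locked account) can be automated. The script below is an added example and not part of the Ubuntu guide: chage_gaps reads chage -l output and reports an account with no minimum or maximum password age, and ssh_keys_in finds authorized_keys files that would let a password-locked user keep logging in. Both inputs are constructed inline (the chage output copies the format shown above; the key is a placeholder, not a real key); the function names and paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): checks for the account-review
# and lockout steps. On a real host run "sudo chage -l USER | chage_gaps"
# and "ssh_keys_in /home/USER" before considering an account disabled.

# Read "chage -l" output on stdin, print one line per policy gap and return
# 1 if any gap was found (0 when the ageing policy is acceptable).
# Usage: chage_gaps < chage_output
chage_gaps() {
    awk -F': *' '
        function gap(msg) { print msg; found = 1 }
        /^Maximum number of days/ && $2 + 0 >= 99999 { gap("no maximum password age (99999 days)") }
        /^Minimum number of days/ && $2 + 0 == 0     { gap("no minimum password age") }
        END { exit found ? 1 : 0 }
    '
}

# Print the authorized_keys files under HOME that still grant SSH access and
# return 0 if any were found, 1 if the home is clean. A locked password does
# not block logins with these keys; remove or rename .ssh/ as well.
# Usage: ssh_keys_in HOME
ssh_keys_in() {
    n=0
    for f in "$1/.ssh/authorized_keys" "$1/.ssh/authorized_keys2"; do
        if [ -s "$f" ]; then echo "$f"; n=$((n + 1)); fi
    done
    [ "$n" -gt 0 ]
}

# --- demo on constructed data ---
tmp=$(mktemp -d)
# Constructed "chage -l" output for an account with no ageing policy.
cat > "$tmp/lax.txt" <<'EOF'
Last password change                                    : Jan 20, 2015
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
EOF
# Constructed output for the same account after "chage -m 5 -M 90 -I 5 -W 14".
cat > "$tmp/ok.txt" <<'EOF'
Last password change                                    : Jan 20, 2015
Password expires                                        : Apr 20, 2015
Password inactive                                       : Apr 25, 2015
Account expires                                         : never
Minimum number of days between password change          : 5
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 14
EOF
mkdir -p "$tmp/home/.ssh" "$tmp/emptyhome"
# Placeholder key material, not a real public key.
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal laptop" > "$tmp/home/.ssh/authorized_keys"

echo "gaps in lax policy:";       chage_gaps < "$tmp/lax.txt" || echo "(review needed)"
echo "gaps in tightened policy:"; chage_gaps < "$tmp/ok.txt" && echo "(none)"
echo "keys that survive passwd -l:"; ssh_keys_in "$tmp/home" || echo "(none)"
```

    Pair ssh_keys_in with an account expiry (usermod --expiredate 1) rather than a password lock alone when an account must really stop working: pam_unix enforces the expiry for every login method, keys included, whereas passwd -l only invalidates the password.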

Adding and deleting users is one of the basic tasks you meet when working on a new server with a Linux family OS. After installing a new system you usually have only one user: the superuser.

Using the superuser is convenient because of its wide range of capabilities, but for the same reason you can accidentally damage the freshly installed system. For routine actions it is better to create another user without such privileges. It is also recommended to create separate accounts for everyone who will use the system: each person should have their own account.

Administrative tasks can then be performed through a user with sudo rights. In this tutorial you will learn how to create users, give them sudo rights, and delete them.

How to add a user

As root, run:

# adduser newuser

If you use an account with sudo rights to create the new user, the command looks slightly different:

$ sudo adduser newuser

(Instead of newuser, specify any other name; this will be the name of the new user.)

After entering the command, you answer several prompts in turn:

  • enter and confirm a password for the new user;
  • enter additional information about the new user. This is optional; if you do not want to add anything, just press Enter;
  • finally, confirm that all the information entered is correct by pressing Y.

The new user is now created and ready to use. You can log in with it using the password you just set.

If you want to give the user administrative rights, read the next section.

How to give a user sudo rights

If you need a new user to be able to execute administrative (root) commands, you need to give that user sudo access. There are two ways to do this: either add this user to the created user group that can execute sudo commands, or give this right to the user by making changes to the configuration of the sudo utility. Let's consider both options.

Adding a new user to the sudo group

By default, in Ubuntu 16.04, all members of the sudo group may run commands through sudo.

To see which groups the new user currently belongs to, use:

$ groups newuser

The output will be:

newuser : newuser

By default, each new user belongs only to a private group of the same name, created together with the user. To add the user to another group, run:

$ usermod -aG sudo newuser

(Again, instead of newuser, write the name of the user you want to add to the group with administrative rights; the command itself needs root or sudo.)

The -aG switch appends (-a) the user to the listed supplementary groups (-G) instead of replacing the groups they already belong to.

Checking for sudo rights

Now check that the user can run administrative commands. A command run as the user itself looks like this:

$ command

You can run the same command with administrative rights by prefixing it with sudo:

$ sudo command

You will be asked for this user's own password.

Granting user rights in /etc/sudoers

An alternative way to give a user sudo rights is to edit the sudo configuration file. Use the visudo command to open /etc/sudoers in the default editor and set the permissions for that user explicitly.

Always use visudo to edit this file: first, it protects the file from several simultaneous changes, and second, it checks the syntax before writing the file. That way you cannot end up with a broken sudo configuration that you can no longer fix because you have lost administrative rights.

As root, run:

# visudo

From an account with sudo rights, the command looks like this:

$ sudo visudo

Usually visudo opens /etc/sudoers in vi, which can confuse inexperienced users, so Ubuntu 16.04 uses nano instead, a tool more familiar to most users. Use the arrow keys to find this line:

root ALL=(ALL:ALL) ALL

Copy it just below and replace "root" with the name of the user who should be allowed to run sudo commands. The result looks like this:

root ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL

Add a new row for each user. Once you have made all the changes, save and close the file by pressing Ctrl-X, then Y and Enter to confirm.

How to delete users

If one of the created users is no longer needed, the best course is to delete it.

To delete only the user, keeping their files, run as root:

# deluser newuser

From an account with sudo rights:

$ sudo deluser newuser

To delete a user together with their home directory, as the superuser run:

# deluser --remove-home newuser

From an account with sudo rights:

$ sudo deluser --remove-home newuser

deluser also drops the user from every group, so membership in the sudo group ends with the account. If the deleted user had been given sudo rights directly in the configuration file, open it again:

# visudo
(as the superuser)
or
$ sudo visudo
(from an account with sudo rights)

root ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL # Remove this line.

This ensures that a user created later with the same name does not accidentally inherit sudo rights.

Conclusion

Now you know how to create and delete users properly and how to grant them the right to run sudo commands. For effective administration, separate users into groups and give administrative rights only to those who really need them for their work.

In this tutorial, we'll look at how to delete a Linux user along with their data and home directory.

If you are a system administrator in a large company, then most likely, deleting linux users is a fairly common task for you. Once an account is no longer needed or a user leaves the organization, the account must be deleted to avoid leaving security holes.

When deleting Linux users, it is also important to delete their home directory to free up storage space for the new users and their files. First, we will look at how to delete a Linux user using the terminal, then we will talk about how this is done in the graphical interface of one of the most popular distributions - Ubuntu.

Before moving to a real system, let us practise: create two users, losst and losst1, with their home directories, and then delete them:

adduser losst
passwd losst

adduser losst1
passwd losst1

Here adduser creates the account and passwd sets its password. (On Debian and Ubuntu, adduser already prompts for a password; on Red Hat systems adduser is just an alias for useradd, which does not, so passwd is needed there.)

Let us look at how to delete a Linux user in the terminal. This is done with the deluser command on Debian and derived systems, and with userdel on Red Hat. Let us look at these two utilities more closely.

Description of deluser

The syntax of the deluser command is very simple:

# deluser [options] user

The deluser command settings are located in the /etc/deluser.conf file, among other settings, it specifies what to do with the user's home folder and files.

You can view and change these settings by running the command:

vi /etc/deluser.conf

Let's take a closer look at these settings:

  • REMOVE_HOME - delete the user's home directory
  • REMOVE_ALL_FILES - delete all files owned by the user anywhere on the system
  • BACKUP - back up the user's files before deleting them
  • BACKUP_TO - directory the backup is written to
  • ONLY_IF_EMPTY - remove a group only if it has no members (used by delgroup)

These settings determine the default behavior of the utility when a user is deleted, of course, they can be overridden using parameters for the command.

The following parameters are supported, they are similar to the settings, but there are more options:

  • --system- delete only if this is a system user
  • --backup- backup user files
  • --backup-to- backup folder
  • --remove-home- delete home folder
  • --remove-all-files- delete all user files in the file system

Description of userdel

The userdel utility works a little differently: it has no settings file, but options tell it what to do. The syntax is similar:

# userdel [options] user

  • -f, --force - force removal even if the user is still logged in
  • -r, --remove - delete the user's home directory and mail spool
  • -Z - remove any SELinux user mapping for the login

On a server it is better to follow the more thorough procedure described below. Logged-in users run programs and services, and a user can only be removed cleanly when they are no longer logged in and every process running under their name has been stopped: running programs hold open files owned by the user, the removal then fails part way, and the leftover files keep cluttering the system under an orphaned UID that a future account could inherit.

User account lockout

Use the passwd utility to lock the account. This invalidates the password so the user cannot start a new login session (it does not end sessions that are already open, which the next step handles):

passwd --lock losst

passwd: password expiry information changed.

Kill all running user processes

Now find all processes running as the user and kill them.

Find the processes with pgrep:

pgrep -u losst

You can see in more detail what these processes are by passing their PIDs to ps (pgrep -d, joins them with commas, the list form ps expects):

ps -f --pid "$(pgrep -d, -u losst)"

UID        PID  PPID  C STIME TTY          TIME CMD
losst    14684 14676  0 22:15 pts/2    00:00:00 -bash
losst    14735 14684  0 22:15 pts/2    00:00:00 vi text

Once you have made sure nothing important is running, kill all the user's processes with killall:

killall -9 -u losst

The -9 option sends SIGKILL to the processes, and -u selects them by user name. Sending SIGTERM first (killall -u losst without -9) gives editors and daemons a chance to save their state; use -9 only for whatever survives.

On Red Hat based systems, killall comes from the psmisc package, which you may need to install:

sudo yum install psmisc

Backing up user data

This is not necessary at all, but for a serious project it would not be superfluous to back up the user's files, especially if there could be important files there. To do this, you can use, for example, the tar utility:

tar jcvf /user-backups/losst-backup.tar.bz2 /home/losst

Deleting a user account

Now that everything is ready, delete the user. To be safe, state explicitly that the home directory and files are to be removed. On Debian and Ubuntu:

deluser --remove-home losst

On Red Hat:

userdel --remove losst

If you need to remove every file the user owns anywhere on the system, use --remove-all-files; be careful with it, because it deletes files outside the home directory too (in /var, /tmp and shared project directories) and there is no undo:

deluser --remove-all-files losst

The user is now completely removed, along with their files and home directory, from your system.
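Two checks are worth scripting before the final deluser --remove-all-files: list everything the user owns so you know what will disappear, and make a backup that is verified before the account goes. The script below is an added example, not from the original article: files_owned_by walks a tree for files owned by a given user (the same scope --remove-all-files deletes), and archive_home archives a home directory and reads the archive back before reporting success. The demo builds a throwaway tree owned by the current user so it runs without root; the directory names, the user, and the function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the article): pre-deletion checks. On a real host
# run as root with the login name, e.g. files_owned_by losst / and
# archive_home /home/losst /user-backups, then deluser.

# Print all files and directories under ROOT owned by USER (name or numeric
# UID), staying on one filesystem so /proc, /sys and network mounts are
# not walked. This is what "deluser --remove-all-files" would delete.
# Usage: files_owned_by USER ROOT
files_owned_by() {
    find "$2" -xdev -user "$1" -print 2>/dev/null
}

# Archive HOME to DEST/<name>-<date>.tar.gz, read the archive back to make
# sure it is intact, and print its path. Returns non-zero if either step
# fails, so a broken backup is never silently accepted before deletion.
# Usage: archive_home HOME DEST
archive_home() {
    name=$(basename "$1")
    out="$2/$name-$(date +%Y%m%d).tar.gz"
    mkdir -p "$2"
    tar -czf "$out" -C "$(dirname "$1")" "$name" || return 1
    tar -tzf "$out" >/dev/null || return 1
    echo "$out"
}

# --- demo on a constructed tree owned by the current user ---
me=$(id -u)
tmp=$(mktemp -d)
mkdir -p "$tmp/home/losst/projects"
echo "notes" > "$tmp/home/losst/todo.txt"
echo "int main(void) { return 0; }" > "$tmp/home/losst/projects/main.c"

echo "files owned by uid $me under $tmp/home/losst:"
files_owned_by "$me" "$tmp/home/losst" | sort
backup=$(archive_home "$tmp/home/losst" "$tmp/backups")
echo "verified archive: $backup ($(tar -tzf "$backup" | wc -l) entries)"
```

Run files_owned_by against / (as root) before --remove-all-files: files the user owns in /var/spool, /tmp or a shared project directory show up there, and those are the ones that are gone for good once the command runs.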

Deleting a User in Ubuntu

Open System Settings, then the Accounts item.

All actions are initially greyed out. Click Unlock and enter your own (administrator) password to enable them.

To delete a user, select it with the mouse and click the minus sign.

In the window that opens, choose what to do with the user's files.

Naturally, only the home folder is deleted, not every file the user owns. For a clean removal, the user must not be logged in.

Conclusion

Deleting a user in Linux is not that difficult, whether on a server or a home computer. The graphical interface is more convenient, but the terminal, as always, offers more options. If you have other ideas on this, write them in the comments!

Suppose I am a new user of Ubuntu Linux 16.04.xx LTS and have a few questions. How do I create a new sudo user on my server? How do I add a new user to the sudoers file from the command line on Ubuntu?

On Linux (and Unix in general) there is a superuser called root. The root user can do anything, so using the system as root routinely is dangerous: one mistyped command can destroy the system. The sudo command allows an authorized user to run a command as the superuser (root) or as another user, as specified by the security policy. sudo is commonly used on servers to grant administrative privileges to regular users. This quick tutorial shows how to create a sudo user on Ubuntu.

Steps to create a sudo user on Ubuntu

More about the admin group and the sudo group on Ubuntu Server

Members of the admin group could be granted root privileges; all members of the sudo group may run any command on an Ubuntu server. The admin group was deprecated in Ubuntu 12.04 and later, so it either no longer exists or is kept only for backwards compatibility. Simply add the user to the sudo group. The reason this works is the following entry in /etc/sudoers:

# grep -B1 -i "^%sudo" /etc/sudoers
$ sudo grep -B1 -i "^%sudo" /etc/sudoers

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

Let's look at some practical examples.

How to add a new user named vivek with sudo rights from the command line

Open a terminal or log in to your remote server over SSH (replace server with its host name or IP address):

$ ssh root@server

Then create the account as root, or through sudo from an existing administrative account:

# adduser vivek
$ sudo adduser vivek

Figure 01: How to add a new user on Ubuntu

Sample output:

Give the vivek account sudo rights

Enter the following command:

# adduser vivek sudo

Or use the usermod command to add a user to a group on Linux:

# usermod -aG sudo vivek

From a non-root account with sudo rights:

$ sudo usermod -aG sudo vivek
$ sudo adduser vivek sudo

Sample output:

Figure 02: Adding user vivek to the sudo group to get admin rights

Confirm the new user and its group membership with:

$ id vivek

Sample output:

Figure 03: Showing user and group information

The vivek user can now log in with the ssh command:

$ ssh vivek@server

Make sure vivek can use the sudo command:

$ sudo cat /etc/sudoers

The first time you use sudo, you will be prompted for vivek's own password; enter it to gain root access. Any command prefixed with sudo now runs with root privileges. To get a root shell, type:

$ sudo -s

Sample output:

Figure 03: Testing sudo access for the vivek user account

That is all. You can now allow other users to run sudo on the Ubuntu server and give them admin rights.