Managing users in Ubuntu is like protecting a bank from intruders: make a single mistake and you are in a hot mess. User management is the most crucial part of maintaining a server, and the rule is to trust no one. It's not even news anymore: a major cause of system compromises is ineffective user and privilege management.
This is why you need to know how to manage permissions and limit user privileges. This part is so crucial to me, and since I am the one managing my servers, I decided to research tons of resources to bring the guide to life.
So,
You will learn the role of the "root user", adding and deleting users, user profile security, switching users, managing groups, and more related to managing users securely and effectively.
To start with...
What is the root user and Why You Should Steer Clear
If you've set up your Ubuntu server, you will notice that by default there is a root user, and I recommended disabling root access in the guide Installing Ubuntu Server 18.04 Using Virtual Box on Windows.
By default, the Ubuntu developers chose to disable the administrative root account. The reason is that the root user holds the highest privilege on the system, and when used wrongly it can be a disaster.
Think of the root user as the guy holding the key to a bank vault: when intruders come into the bank (say for a robbery), they would normally ask for the key to the vault, right?
Now assume that when the root user isn't disabled, the guy holding the key is out on the bank floor, and when the root user is disabled, the guy holding the key is always behind an armored security door.
The question is, which is more secure? The guy holding the key on the bank floor or the guy holding the key behind an armored security door?
I guess you would go for the guy behind the armored security door. This is just an analogy, but you get the idea.
Ubuntu disabling the administrative root account doesn't mean the root account has been deleted; it is just encrypted in a way that makes it almost impossible to recover the value. You can always enable root if you wish, and I'll show you how to do that later; it's up to you to decide.
The question is, what if you want to perform root commands?
You can, but instead of using root directly you use a tool, the sudo command, to carry out tasks with root privileges; this way you can limit what a specific user can do.
Note that whenever you use the sudo command, you will be asked for your own user's password for confirmation (the password of the user account you created, not a root password).
Whenever you install a new Ubuntu server you will notice that Ubuntu asks you to create a new user account with a new password. What Ubuntu is doing is giving the first user account you create access to sudo.
If you create a new user, they won't have access to sudo by default, but you can grant it if you wish, which I will also show you how to do.
Adding & Deleting Users In Ubuntu
Adding a user in Ubuntu is relatively easy, but I want you to pay close attention to this section as there are some useful nuggets for you.
There are two ways you can add a user account in Ubuntu: useradd and adduser.
While both commands perform the same task, they achieve it in different ways, so let's start with useradd:
Say we plan on adding faruq:
sudo useradd -d /home/faruq -m faruq
You see what I did: I started with sudo, because the command I am planning to run requires root privilege, so using sudo grants me the access. That is followed by useradd, which means add the user, but wait!
What is the use of the -d? It means I want the home directory /home/faruq for my new user. Whenever you see -(letter), they are called flags or arguments; they are useful for giving more information about what you'd like the command to do (it's like customizing). In my case, I am telling the command I want the home directory to be /home/faruq.
What about the -m? Note this: when you create a user account with useradd, the home directory (/home/faruq) is not created on its own, so specifying the -m flag tells the system to create the home directory during the process.
faruq: this is the name of the user I want to create. Look at the command again:
sudo useradd -d /home/faruq -m faruq
Let's list the home directory to confirm if a folder has been created for our new user:
ls -l /home
You should see the folder you created listed; see the below image for an example:
ls: lists all the files and folders in a given directory.
-l: this argument makes ls print in a long listing format, as shown in the above image; it also displays the file permissions, the file owner (you can see it display faruq above), and other details.
So, basically, ls -l /home says: list the files inside the home directory in long listing format, displaying the owner and other info for each file.
Now, let's create a password for our new user, use the below command:
sudo passwd faruq
You will be prompted to enter the password of the current user; once you've entered it, create your new password and confirm it by re-entering it. You should receive "password updated successfully".
This is one way of adding a user account. The second way is the adduser command, which is the recommended way of adding a user because it's easy and it does the heavy lifting for you, for example:
sudo adduser ahmed
You should see the following output:
You can immediately see this is the better option: it added the /home/ahmed directory for us along with the necessary files, assigned a User ID (UID) and Group ID (GID) of 1002, and copied the files from /etc/skel into our new user's home directory.
Go ahead and input your new password; you'll then be asked for the full name and other info, which I'll leave as default by pressing the Enter key. The system asks if the info is correct; just type Y and hit Enter, and your new user should be in place.
You can see why adduser is recommended: it is easier to add a new user account because it prompts you for the various options, unlike useradd, where more flags are required.
Note that some GNU/Linux distros do not ship the adduser command, so make sure you understand useradd in case you find yourself using a GNU/Linux distro that isn't Ubuntu.
Deleting Users
Be careful! Don't remove an account without a solid reason or an account removal policy. If you are only using the server for basic tasks such as hosting a small application or a small website, then most times you will have root and a single sudo account for performing high-privilege tasks, and you most likely won't remove that; you would only remove an account on a rare occasion, where, say, an account has been compromised or you want to host two different applications on one server under two distinct users.
In an organization there are removal policies; for example, whenever a user leaves the company, their data is usually stored in an archive, which is useful for future reference or for new employees to continue where the former employee left off. So it basically depends on the policy of the organization. Let's see the ways we can remove a user.
To delete a user account, use the following syntax:
sudo userdel username
where username is the user you wish to delete; the below image shows me deleting the user ahmed:
Alright, let's ls the users in our home directory:
sudo ls -l /home
You will notice you still see the user you just deleted there; for example, I deleted ahmed and it still shows its home directory:
drwxr-xr-x 2 1002  1002  4096 Jan 14 22:31 ahmed   {This}
drwxr-xr-x 2 faruq faruq 4096 Jan 14 17:23 faruq
pascal@devsrealm:~$
The userdel command doesn't remove the content of the user's home directory. Notice that the owner and group columns for ahmed now show the raw numbers 1002 instead of a name, because no account maps to that ID anymore. We can still remove the directory by using an argument together with userdel, which I'll show you in a bit.
Before we do, let me show you how you can move the user's content to any location of your choice, in case you want to use the content for future reference. Use the following syntax:
sudo chown -R user:user /home/username/
sudo mkdir /home/archived_users/
sudo mv /home/username /home/archived_users/
Let me explain the above commands, starting with the first line:
chown -R: The chown command is used to change the owner and group owner of files and directories. The -R argument means recursive: the command works on the contents of directories, and if a directory has subdirectories and files, it works on those too. user:user is the user (and group) I want to give ownership of /home/username; for example, sudo chown -R pascal:pascal /home/ahmed changes the owner of /home/ahmed to pascal. I hope that makes sense.
sudo mkdir /home/archived_users/: make the directory /home/archived_users, which is where I will store the user's content. You can store the archives anywhere,
e.g. sudo mkdir -p /company/archived_users/
The -p flag simply creates the parent directory (e.g. /company) if it doesn't already exist; you don't need the -p flag when storing under /home since that already exists.
sudo mv /home/username /home/archived_users/: move (mv) the directory /home/username into /home/archived_users/, for example sudo mv /home/ahmed /home/archived_users/
If you've moved the directory, use this command to check that the archived_users directory has been created:
sudo ls -l /home
This is my output:
If you cd (change directory) into archived_users you will see the user's content has been moved. For clarity, let's cd into archived_users:
cd /home/archived_users
Now list the files in that folder using ls; this is my output:
Go back to your home directory using cd ~ and let's proceed.
If you don't want to keep the deleted user's directory, you can remove the account and its home directory at once using
sudo userdel -r user
This removes the account and, at the same time, the home directory.
To remove the home directory after the user has already been removed (that is, you didn't use -r), use the below syntax:
sudo rm -r /home/user
I want you to do a simple task for me; run this command: cd /
You probably won't see anything; that command changed the directory to the root of the filesystem, where the system files live. Don't believe me? Try listing the files using ls; you should see the below image:
The reason I am telling you to cd into the system directory is because of the last command we used, this one:
sudo rm -r /home/user. Consider what happens if you mistakenly type sudo rm -r / home/user: that space between the / and home means the first argument is now your system's root directory, and if you run that command, your whole system is gone. This is another reason sudo is recommended: with sudo you will at least be prompted for your password (unless sudo has cached your credentials from a recent command), so with luck you can spot the mistake before you enter it.
That said, change directory back to your home directory with cd ~
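The archive-then-delete procedure above and the "rm -r / home/user" slip both come down to one question: is the path about to be moved or removed really one user's home directory? The script below is an added example, not part of the original guide, that performs the guide's mkdir, chown and mv steps only after validating the username and the target path; it refuses an empty name, a bare "/", a "../" component, a symlink, and a name with a space. It assumes POSIX sh and coreutils; the function names and the HOME_BASE / ARCHIVE_DIR arguments are this script's own, not system settings.

```shell
#!/bin/sh
# Added example, not part of the original guide: archive a departed user's
# home directory the way the guide does (mkdir, chown, mv) but with checks
# that stop a slip such as "rm -r / home/user" from touching the whole
# filesystem. Assumes POSIX sh and coreutils; HOME_BASE and ARCHIVE_DIR
# are this script's own arguments, not system settings.

# Accept only conventional usernames: a lowercase letter or underscore,
# then lowercase letters, digits, underscore or hyphen. This rejects "",
# "/", "../x", "a b" and anything else that could widen a path.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        [a-z_]*)          return 0 ;;
        *)                return 1 ;;
    esac
}

# valid_home_target BASE PATH: PATH must be a real directory exactly one
# level below BASE, not BASE itself, not a "." or ".." trick, and not a
# symlink (a planted link could otherwise redirect the move elsewhere).
valid_home_target() {
    case "$2" in
        "$1"/.|"$1"/..|"$1"/*/*) return 1 ;;
        "$1"/?*)                 ;;
        *)                       return 1 ;;
    esac
    [ ! -L "$2" ] && [ -d "$2" ]
}

# archive_user_home USER OWNER [HOME_BASE] [ARCHIVE_DIR]
# Moves HOME_BASE/USER into ARCHIVE_DIR and, when running as root, hands
# the files to OWNER:OWNER as the guide's chown step does. Prints the new
# path on success so the caller can record where the data went.
archive_user_home() {
    user=$1 owner=$2
    base=${3:-/home}
    archive=${4:-$base/archived_users}
    valid_username "$user"  || { echo "refusing bad username: $user" >&2; return 1; }
    valid_username "$owner" || { echo "refusing bad owner: $owner" >&2; return 1; }
    src="$base/$user"
    valid_home_target "$base" "$src" || { echo "not a home directory: $src" >&2; return 1; }
    [ ! -e "$archive/$user" ] || { echo "already archived: $archive/$user" >&2; return 1; }
    mkdir -p -- "$archive" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown -R -- "$owner:$owner" "$src" || return 1
    fi
    # "--" ends option parsing so a name can never be read as a flag.
    mv -- "$src" "$archive/" || return 1
    echo "$archive/$user"
}

# Usage on a real server (as root): archive_user_home ahmed pascal
# Usage in a scratch directory:     archive_user_home ahmed pascal /tmp/homes /tmp/archive
```

The chown step is skipped when the script is not running as root, so the function can be rehearsed in a scratch directory before it is ever pointed at /home. Deleting the account itself (userdel) is left to the guide's commands; this script only makes sure the directory it touches is the one you think it is.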
Switching User In an Ubuntu Server
Since we have a few users on our server, it is good to know how to switch between them, provided you either have sudo access or know the user's password.
su: this is the command you use to switch from one user to another.
Wait! I said I'd show you how to enable root, right?
This is how it is done: if you enter su with no options, it assumes you are switching to root, and since root is disabled by default, you won't be able to switch. So the first thing you have to do is create the root password using sudo passwd
You will be asked to create and confirm your root password, and from now on, you will be able to use the root account.
This is strongly discouraged, but if you really want to use the root account without enabling it, you can run the command sudo su -; you will be prompted for the sudo user's password, and once you enter it you will be switched to root.
You can see I am logged in as root; to return to the previous user account, enter the exit command and you will be back in the sudo user account. It is that simple.
If you want to switch to a user account that isn't root, enter the su command followed by the username, e.g.
su - user
You will be asked for that user's password; input it and you will be switched to the new user.
What if you don't know the password of the user you are trying to switch to? You can still do it, provided you have a sudo user or a root user.
Exit back to the sudo account, then use the below syntax to switch to any user on the system, even if you have forgotten or don't know their password:
sudo su - user
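Whether you leave root disabled or enable it with sudo passwd, the state you want to be able to verify is the second field of /etc/shadow: a field beginning with "!" or "*" means no password login is possible, and an empty field means the account logs in with no password at all. The script below is an added example, not part of the original guide; it classifies accounts from constructed sample shadow lines (the hashes are fake placeholders) so it can run anywhere, and the function names are this script's own. On a real server you would feed it the output of sudo cat /etc/shadow instead of the sample.

```shell
#!/bin/sh
# Added example, not part of the original guide: classify accounts by the
# password field of /etc/shadow so you can confirm root stays disabled
# and catch any account that needs no password at all.
# SAMPLE_SHADOW is a constructed sample; the hash values are placeholders.

SAMPLE_SHADOW='root:!:19000:0:99999:7:::
pascal:$6$saltsalt$fakehashvalue:19000:0:99999:7:::
faruq:!$6$saltsalt$fakehashvalue:19010:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::'

# password_status USER -> locked | nologin | set | empty (exit 1 if absent)
password_status() {
    field=$(printf '%s\n' "$SAMPLE_SHADOW" \
        | awk -F: -v u="$1" '$1 == u { print $2; found = 1; exit } END { exit !found }') \
        || return 1
    case "$field" in
        '')   echo empty ;;     # logs in with no password: highest risk
        '*'*) echo nologin ;;   # system account that never had a password
        '!'*) echo locked ;;    # locked (passwd -l / usermod -L) or never set
        *)    echo set ;;       # a hash is present; password login works
    esac
}

# root_is_locked -> exit 0 when root cannot log in with a password
root_is_locked() {
    case "$(password_status root)" in
        locked|nologin) return 0 ;;
        *)              return 1 ;;
    esac
}

# passwordless_accounts -> space-separated names with an empty field
passwordless_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" \
        | awk -F: '$2 == "" { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# Usage: root_is_locked && echo "root stays disabled"
#        passwordless_accounts   # anything printed here needs fixing
```

Note that the "locked" case covers both an account that was never given a password and one locked afterwards with passwd -l; usermod -L prefixes the existing hash with "!", which is why faruq above still carries a hash behind the "!". After running sudo passwd for root, password_status root would change from locked to set, which is exactly the change the guide warns against making lightly.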
Managing Groups in an Ubuntu Server
You will notice that when we created our new user earlier, it also created a new group for that user. Groups are relatively easy to understand; you just need to pay attention.
The concept is something like this:
- Hey Server, create a new user blah blah!
- Okay, I'll create you one, but you can't share other users' resources on the server, so I'll create you your own group (in GNU/Linux the primary group has the same name as the user). That basically means you are the owner of the new group and you'll be the only one able to access that group (excluding the sudo or root users).
Let's see an example.
Let's list the users and groups in the home directory: sudo ls -l /home
Of course, yours will differ since we have different users:
drwxr-xr-x 2 faruq  faruq  4096 Jan 14 17:23 faruq
drwxr-xr-x 6 pascal pascal 4096 Jan 14 11:46 pascal
Let's ignore the drwxr... for now. Using the first line as an example, you can see that user "faruq" has a group "faruq" which owns the directory "faruq".
The names don't have to be identical; they just happen to be here. I illustrated it better in the below image:
The good thing about this is that a user account can be a member of any number of groups, but a file or directory can only have one group assignment.
For example, say user faruq owns a group called red and pascal owns a group called blue; faruq can be a member of blue while still remaining in red. You get the idea.
But wait, can we see all the groups created on our server? Yes, you can; use the below command to list the groups on your system:
sudo cat /etc/group
cat is short for concatenate; here it displays the content of the /etc/group file:
These are all the groups on our system, and you can see the white arrow pointing to the one I just created. Most of these groups are created by the system by default, so you don't have to be nervous.
The last group created has this string: faruq:x:1001:
The first column is the name of the group; the x stands for the group's encrypted password, which isn't needed (the real value, if any, lives in /etc/gshadow); the number 1001 is the Group ID (GID); and the fourth field, empty here, lists the group's members. The GID is what the computer understands; the group name is the human-readable form, because we aren't that good at remembering numbers.
Creating a New Group In Ubuntu Server
Creating a group helps in categorizing what users can do. Say you have some clerks; you can create a group clerks for them, or you have directors, so you create a group directors. This helps in categorizing what various users can do. You get the idea.
To create a group, use the groupadd command followed by the name of the group, for example
sudo groupadd directors
Now cat /etc/group and you will see the new group has been added.
To remove a group, you can use the groupdel command:
sudo groupdel directors
Associating Users With Groups In Ubuntu Server
Just creating a new group won't automatically associate it with your preferred user account; to do this, we take advantage of the usermod command.
So, let's say we created the group directors and we want it associated with the user faruq; you can simply use the following syntax:
sudo usermod -aG directors faruq
or
sudo usermod -a -G directors faruq
The -a flag means append, while -G modifies only the secondary (supplementary) groups; your primary group won't be changed. Without -a, -G replaces the user's secondary groups with just the ones you list, so always pair them.
sudo usermod -a -G directors faruq: append the group directors to faruq's secondary groups.
A user account can be part of multiple groups (stored as its "secondary groups"), but a user always has one primary group, which is assigned to the files and folders the user creates.
To change the primary group a user is assigned to, run usermod with the -g flag: uppercase G is for the secondary groups and lowercase g for the primary.
sudo usermod -g groupname username
I would write more guides about using a group in the future!
Giving Sudo Access To User In Ubuntu Server
We have been using sudo for most commands in this guide; sudo simply acts in place of the root user, or to put it another way, it allows you to execute commands as if you were root.
Another reason sudo is recommended is that you can restrict what a user can do with sudo, or limit which parts of the system they can modify. So never, ever give out your root password (although we already disabled it); grant sudo access instead.
Remember I said earlier that multiple users can be in a group and the group governs which files a user can modify or access.
There is a group in Ubuntu called sudo; this is the group our first user was added to when we set up our Ubuntu Server.
The problem with the sudo group is that any member of it can use sudo like the root user, which goes as far as destroying the whole system, so be wary of whom you add to that group.
If you would want to give users access to sudo, all you have to do is add them to the sudo group, it is that simple.
For example:
sudo usermod -aG sudo faruq
This adds user faruq to the sudo group. It is that simple.
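The /etc/group format described earlier, the primary-versus-secondary distinction behind usermod -g and -G, and the advice to be wary of who is in the sudo group all come together in one routine check: who is in which group, and who can therefore act as root. The script below is an added example, not part of the original guide; it reads constructed sample /etc/passwd and /etc/group contents (the users and GIDs are made up to match the guide's names) and the function names are this script's own. On a real server you would replace the two samples with cat /etc/passwd and cat /etc/group.

```shell
#!/bin/sh
# Added example, not part of the original guide: parse the /etc/passwd and
# /etc/group formats to answer two audit questions: which groups a user is
# in (primary from passwd, secondary from group) and who is in a group,
# including the sudo group. SAMPLE_PASSWD and SAMPLE_GROUP are constructed.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
pascal:x:1000:1000:Pascal,,,:/home/pascal:/bin/bash
faruq:x:1001:1001::/home/faruq:/bin/sh
ahmed:x:1002:1002:Ahmed,,,:/home/ahmed:/bin/bash'

SAMPLE_GROUP='root:x:0:
sudo:x:27:pascal,ahmed
pascal:x:1000:
faruq:x:1001:
ahmed:x:1002:
directors:x:1003:faruq,pascal'

# group_name_of_gid GID -> group name (field 1 of the line whose field 3 is GID)
group_name_of_gid() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v gid="$1" '$3 == gid { print $1; exit }'
}

# primary_group USER -> the user's primary group, from passwd field 4 (GID).
# Primary membership is NOT listed in /etc/group, which is why it is looked
# up here rather than in the group file.
primary_group() {
    gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4; exit }')
    [ -n "$gid" ] || return 1
    group_name_of_gid "$gid"
}

# secondary_groups USER -> space-separated groups whose member list (field
# 4, comma-separated) names the user; this is the field usermod -aG appends to.
secondary_groups() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) out = (out == "" ? $1 : out " " $1) }
        END { print out }'
}

# members_of_group GROUP -> explicit members plus every user whose primary
# GID is that group, sorted and de-duplicated.
members_of_group() {
    gid=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$1 == g { print $3; exit }')
    [ -n "$gid" ] || return 1
    {
        printf '%s\n' "$SAMPLE_GROUP" \
            | awk -F: -v g="$1" '$1 == g && $4 != "" { gsub(",", "\n", $4); print $4 }'
        printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# sudo_members -> everyone who can run commands as root via sudo.
sudo_members() { members_of_group sudo; }

# Usage: echo "faruq: primary=$(primary_group faruq) secondary=$(secondary_groups faruq)"
#        echo "sudo group: $(sudo_members)"
```

With the sample data, faruq's primary group is faruq and the only secondary group is directors, while the sudo group resolves to ahmed and pascal. Running the same parse on a real server after every usermod -aG sudo is a cheap way to make sure the list of people who can act as root never grows without you noticing.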
I have covered so much already, so I will be saving my words for future articles; there is still tons of interesting stuff to share. Please comment if you have any questions or perhaps you spotted an error; you are very welcome to point it out. Bye for now.