Mastering User Management in Linux

Kalpak Goshikwar
10 min read

Large enterprises usually have multiple users performing different actions on a single Linux server. Ever wondered how that works? This article dives into user management in Linux. By the end you will be able to create users on any Linux server and hand someone their credentials.

What is a User?

Before getting started you need to know what exactly the word user means in Linux. A user in Linux is an identity used to access the system and perform actions on it. Every user in Linux has:

  • a username

  • a unique ID (UID)

  • a home directory

  • and some permissions

There can be multiple users operating on the same system at any given time.

Why the need for multiple users?

You must be familiar with the root user in Linux, which has every permission and can perform every action without restriction. So why do we need multiple users? Here are some of the reasons:

  • Restricted/Limited Access: As there are multiple users on our system, we don’t want every user to have access to every function/command, as that becomes a large security threat. Also, when an anomaly or failure occurs in the system, it is very hard to pinpoint the source if everyone can do everything. That’s why we only give access as per the requirements of the user, i.e. a developer only has access to the code/project they are working on, an HR person only has access to employee and hiring related data, and so on.

  • Secure System: Limited access prevents unauthorized access to sensitive data, which secures the system.

  • Ownership: Linux logs the activities performed by each user, making it easy to pinpoint the source of a failure if anything goes down.

Types of Users in Linux

Linux categorizes users into 3 types:

  1. Root User: It is the user with the highest level of access; you can consider it the super admin of a Linux system. It has a UID of 0. There is only one root, and you cannot create another root user manually.

  2. System User: These are the accounts used by services running on your Linux system (e.g. MySQL, Docker, etc.). These services have UIDs assigned in the range 1 - 999.

  3. Local/Regular User: These are the user profiles created with a limited amount of access. This type of user is used to give other people the access they need to our Linux system. They have UIDs starting from 1000 up to 59999, but the range can be increased based on requirements.

While the UID range for each type is set by default, we can change it based on our requirements. If all the UIDs available for system users are already taken, Linux will automatically assign an available UID from the local user range to a new service.
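As an added example (not code from the original post), here is a small bash script that applies the UID ranges above to passwd-format text. It uses a constructed sample instead of the real /etc/passwd so it runs anywhere, and it also reports any account other than root that has UID 0: the article notes there should be only one root, so a second UID-0 account is something an administrator should investigate.

```shell
#!/bin/bash
# Added example, not from the original post. Classifies accounts by UID using
# the ranges the article gives (0 root, 1-999 system, 1000-59999 regular).

# Constructed sample in /etc/passwd format (not copied from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:112:118:MySQL Server:/nonexistent:/bin/false
kalpak:x:1000:1000:Kalpak:/home/kalpak:/bin/bash
test2:x:1001:1001::/home/test2:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# user_type UID -> root | system | regular | reserved (returns 1 on a non-numeric UID)
user_type() {
  local uid=$1
  case $uid in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$uid" -eq 0 ]; then
    echo root
  elif [ "$uid" -le 999 ]; then
    echo system
  elif [ "$uid" -le 59999 ]; then
    echo regular
  else
    echo reserved   # e.g. nobody (65534): above the article's local range
  fi
}

# list_users TYPE [PASSWD_TEXT] -> usernames of that type, one per line.
# Reads the real /etc/passwd when no text is supplied.
list_users() {
  local want=$1 text=${2:-$(cat /etc/passwd)}
  printf '%s\n' "$text" | while IFS=: read -r name _pw uid _gid _gecos _home _shell; do
    if [ "$(user_type "$uid")" = "$want" ]; then
      printf '%s\n' "$name"
    fi
  done
}

# extra_uid0_accounts [PASSWD_TEXT] -> any account besides root with UID 0.
# The article says there is only one root; a second UID-0 account is a
# misconfiguration (or worse) that an administrator should look into.
extra_uid0_accounts() {
  local text=${1:-$(cat /etc/passwd)}
  printf '%s\n' "$text" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Usage: list_users regular "$SAMPLE_PASSWD"   (prints kalpak and test2)
#        list_users system                      (reads the live /etc/passwd)
```

Run without a second argument, list_users reads the live /etc/passwd, which is world-readable, so no sudo is needed for this check.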

What are User Groups?

As the name suggests, groups are used to group users together. A group lets you assign common permissions to multiple users at once, which simplifies permission management. There are 2 types of groups:

  1. Primary Group: It is the default group created whenever a new user is added to the system. This group has the same name as the username. For example, if I add a user named “kalpak“, that user is also added to a group named “kalpak“.

  2. Secondary Groups: Any group the user belongs to other than the primary group is a secondary group. For example, if a user named “kalpak“ is a member of the “developers” group, “developers” is a secondary group for user “kalpak“.

A user can be a part of multiple groups.

Important File locations

Linux stores the details of users in files located under /etc.

  1. /etc/passwd: Stores the user information.

  2. /etc/shadow: Stores encrypted user passwords.

  3. /etc/group: Stores a list of user groups.

  4. /etc/sudoers: Stores a list of users with sudo access.

Commands you should know

Now that the theory is over, we will focus on the different commands used for user management in Linux.

whoami

This simple command shows which account you are currently logged in as. It prints the username of the logged-in user.

whoami
# output: <username>

Creating new user

There are 2 ways of creating a new user.

  1. Low Level: First run the command sudo useradd <username>. This adds a new user to the Linux system. You can check that the user was added by running sudo cat /etc/passwd, which prints the list of all users; your newly created user should be at the end of the list. To set a password, run sudo passwd <username>. It will prompt you to type and confirm a password, which is then set for that user.

    These are low-level commands, which means you have to do everything manually. Users created this way do not get a home directory by default; we have to create one ourselves.

  2. High Level: This command abstracts the complexity of the low-level commands and creates everything the user needs. Run sudo adduser <username> and follow the interactive prompts.

Logging in using the created user

Once you have created a password for the user, you can log in using the command:

su <username>
# will prompt you to enter the password and log you in as that user

This command will prompt you to enter the password. Once correct password is entered, you will be logged in as that user.

Now you are logged in as that user. To log out, run exit.

Getting user details

If you run the command

id <username>
# output: uid=____ gid=____ groups=________

you will get all the details related to that user: its UID, its primary group ID (gid) and the groups it belongs to.

Renaming a user

sudo usermod -l <new-username> <old-username>
# will change the username of the user

This command will rename the user.

Deleting the user

To delete any user, run this command:

sudo deluser <username>

Creating a User Group

To create a group run the following command:

sudo groupadd <group-name>

To check that the group was created, run sudo cat /etc/group. This prints all the groups present on the system; your newly created group should be listed there.

Adding user to the group

To add a user to the group you created, run:

sudo usermod -aG <group-name> <user-name>

The -a flag means append and -G names the supplementary (secondary) groups. If -a is omitted, usermod -G replaces the user’s existing secondary group list with the groups named in the command, removing the user from any other groups they were in.

You can check whether the user was added with the groups <username> command, which lists the groups the user belongs to.

In the output, the “test2” user is listed as a member of “test-group”.

Deleting the group

To delete the group, run the command:

sudo delgroup <group-name>

What is sudo?

sudo stands for superuser do. It lets a user run commands with root privileges without logging in as the root user. Only the users allowed by the sudoers file can use the sudo command. This file is located at /etc/sudoers. We will learn more about it in the upcoming sections.

Giving access to sudo

When a user who is not in the sudoers list tries to run a command with sudo, they get an error stating “<username> is not in the sudoers file”. You can try this by logging in as a newly created user and running a command with sudo.

To give a user access to sudo, add that user to the sudo group. For this, run:

sudo usermod -aG sudo <username>

Now, if you log in as that user again, you will be able to use sudo and run commands that require sudo privileges.
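The primary/secondary group distinction above, the membership check done with id or groups, and the sudo-group check in this section all come down to reading /etc/passwd and /etc/group. As an added example (not code from the original post), the bash functions below resolve a user’s primary group from the GID field in passwd and its secondary groups from the member lists in group, then use that to answer “can this user use sudo?”. The samples are constructed, not taken from a real host. The sudo group name is what Debian/Ubuntu use, as in the article; RHEL-family systems use the wheel group for the same purpose, so the check accepts either.

```shell
#!/bin/bash
# Added example, not from the original post. Resolves a user's primary and
# secondary groups from passwd/group-format text (the same data `id` and
# `groups` read) and checks whether the user is in the sudo group.

# Constructed samples in /etc/passwd and /etc/group format (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
kalpak:x:1000:1000:Kalpak:/home/kalpak:/bin/bash
test2:x:1001:1001::/home/test2:/bin/bash'

SAMPLE_GROUP='root:x:0:
sudo:x:27:kalpak
kalpak:x:1000:
test2:x:1001:
test-group:x:1002:test2,kalpak
developers:x:1003:kalpak'

# primary_group USER PASSWD_TEXT GROUP_TEXT -> name of the group behind the
# user's GID field in passwd (the group adduser creates with the user's name).
# Returns 1 if the user does not exist.
primary_group() {
  local user=$1 passwd=$2 group=$3 gid
  gid=$(printf '%s\n' "$passwd" | awk -F: -v u="$user" '$1 == u { print $4 }')
  [ -n "$gid" ] || return 1
  printf '%s\n' "$group" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# secondary_groups USER PASSWD_TEXT GROUP_TEXT -> every group whose member
# list (4th field of /etc/group) names the user, excluding the primary group.
secondary_groups() {
  local user=$1 passwd=$2 group=$3 primary
  primary=$(primary_group "$user" "$passwd" "$group")
  printf '%s\n' "$group" | awk -F: -v u="$user" -v p="$primary" '
    $1 != p {
      n = split($4, members, ",")
      for (i = 1; i <= n; i++) if (members[i] == u) print $1
    }'
}

# sudo_capable USER PASSWD_TEXT GROUP_TEXT -> exit 0 if the user is in the
# "sudo" group (Debian/Ubuntu) or "wheel" (RHEL-family), else 1.
sudo_capable() {
  secondary_groups "$1" "$2" "$3" | grep -qx -e sudo -e wheel
}

# Usage against the live system (both files are world-readable):
#   secondary_groups kalpak "$(cat /etc/passwd)" "$(cat /etc/group)"
#   sudo_capable kalpak "$(cat /etc/passwd)" "$(cat /etc/group)" && echo "can sudo"
```

Note that this reads the files directly, so it reflects the state after usermod immediately, whereas a running session only picks up new group membership after the user logs in again, which is why the article tells you to relogin.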

Creating an ssh login key

For this I will be using an EC2 instance from AWS. You can check out this blog if you are not familiar with it.

In the earlier section we used a password to log in. That is not the most secure method, which is why we use an SSH key to log in instead. This method does not require a password. Here are the steps to set up an SSH key for a user you just created:

First make sure you have created a user using the adduser command.

Next, create a .ssh directory inside the user’s home directory by running:

sudo -u <username> mkdir -p /home/<username>/.ssh

  • -u runs the command as <username>, so the created directory is owned by that user.

  • -p creates any missing parent directories and does not fail if the directory already exists.

You can check if the folder was created using sudo ls -la /home/<username>.

Then run:

sudo chmod 700 /home/<username>/.ssh

This sets the permissions so that only the owner, i.e. our user, can read, write and enter this directory.

Now we generate an SSH key pair using ssh-keygen. Run the command below locally (on your own machine, not on the server) to generate the key pair:

ssh-keygen -t rsa -b 4096 -f /path/to/save/key-pair/filename

You can save this key pair anywhere you want. ssh-keygen will ask for a passphrase and then print the key’s fingerprint.

You can choose to leave the passphrase empty. Running ls shows that two files were created: id_rsa.test1 is the private key and id_rsa.test1.pub is the public key.

We can print the contents of these files using cat <filename>.

Now that we have created the SSH keys, we need to put the public key inside the .ssh directory we created for our user.

First copy the contents of the public key: run cat <name-of-public-key-file> and copy the output.

To write this content into the authorized_keys file, use:

echo '<copied-content>' | sudo -u <username> tee /home/<username>/.ssh/authorized_keys


You can check that the file was created with sudo cat /home/<username>/.ssh/authorized_keys.

Next, restrict the permissions of this file so that only the owner can access it. For this, run:

sudo chmod 600 /home/<username>/.ssh/authorized_keys

Now we can log in using the private key we created earlier. Run this locally:

ssh -i /path/to/private/key/file <username>@<public-ip-address>
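As an added example (not code from the original post), here is a bash function that performs the .ssh and authorized_keys steps above in one go and lets you verify the result. It takes the home directory as an argument so it can be exercised on a scratch directory; on a server you would run it as the target user (sudo -u <username>) so the files are owned correctly. Two things differ from the bare commands: it refuses input that is not an OpenSSH public-key line, and it appends to authorized_keys instead of overwriting it, because tee as used above replaces the file and would drop any key already installed. The sample key line is constructed and is not a real key.

```shell
#!/bin/bash
# Added example, not from the original post. Installs an SSH public key for a
# user with the modes the article sets: 700 on ~/.ssh and 600 on
# authorized_keys. HOME_DIR is explicit so the function can run on a scratch
# directory; on a server run it as the target user (sudo -u <username>).

# Constructed public-key line (placeholder key material, not a real key).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyMaterialNotARealKey0 test1@laptop'

# valid_pubkey LINE -> 0 if LINE looks like an OpenSSH public key (a key type
# followed by key material), 1 otherwise. Keeps a pasted private key or
# shell noise out of authorized_keys.
valid_pubkey() {
  local line=$1
  case $line in
    'ssh-ed25519 '*|'ssh-rsa '*|'ecdsa-sha2-nistp256 '*|'ecdsa-sha2-nistp384 '*|'ecdsa-sha2-nistp521 '*|'sk-ssh-ed25519@openssh.com '*) ;;
    *) return 1 ;;
  esac
  set -- $line          # split into fields; the second must be the key material
  [ -n "$2" ]
}

# install_authorized_key HOME_DIR PUBKEY_LINE -> creates ~/.ssh and
# authorized_keys with restrictive modes and appends the key once.
install_authorized_key() {
  local home_dir=$1 pubkey=$2
  local ssh_dir="$home_dir/.ssh"
  local auth="$ssh_dir/authorized_keys"
  if ! valid_pubkey "$pubkey"; then
    echo "refusing: input is not an OpenSSH public key line" >&2
    return 1
  fi
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"   # sshd (StrictModes) rejects the key file if ~/.ssh is writable by others
  touch "$auth"
  chmod 600 "$auth"
  # Append, not overwrite: `tee` replaces the file and would revoke every key
  # already installed. Skip the line if it is already present.
  if ! grep -qxF -- "$pubkey" "$auth"; then
    printf '%s\n' "$pubkey" >> "$auth"
  fi
}

# key_state HOME_DIR -> "<.ssh mode> <authorized_keys mode> <key count>",
# the three things to check before trying to log in with the private key.
key_state() {
  local home_dir=$1
  printf '%s %s %s\n' \
    "$(stat -c %a "$home_dir/.ssh")" \
    "$(stat -c %a "$home_dir/.ssh/authorized_keys")" \
    "$(grep -c . "$home_dir/.ssh/authorized_keys")"
}

# Usage (run as the target user, e.g. via sudo -u test1):
#   install_authorized_key /home/test1 "$(cat id_rsa.test1.pub)"
#   key_state /home/test1        # expect "700 600 1" after the first key
```

If key_state does not report 700 and 600, sshd will refuse the key and the ssh -i login above fails with a password prompt or "Permission denied"; check the modes and ownership before anything else.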

Summary

To summarize, here is the list of commands:

whoami: check which user you are currently logged in as.
sudo useradd <username>: low-level command to add a new user.
sudo passwd <username>: set a password for a user.
sudo adduser <username>: high-level, interactive command to create a user.
id <username>: display user info such as the UID and the groups the user belongs to.
sudo usermod -l <new-username> <old-username>: rename a user.
sudo deluser <username>: delete a user.
su <username>: log in as another user.
sudo groupadd <group-name>: create a new user group.
sudo usermod -aG <group-name> <user-name>: add a user to a group.
groups <username>: check the groups a user belongs to.
sudo delgroup <group-name>: delete a group.
sudo visudo: edit the sudoers file.
ssh-keygen: generate an SSH key.

That’s all the user management you need to properly handle users. Your feedback is very much appreciated. If you liked the blog, do consider following me.

Thanks for Reading!!! Happy Learning!!!
