3  Managing users and permissions

As administrators of a Linux server, we often need to change configurations, install software or create user accounts for our colleagues or guests. This can't be done without some privileges, as a normal user can only modify their own personal folder, while the rest of the system is read-only.

3.1 root user

Every Linux installation has a root user account. The root user has all privileges and can access, create, modify and remove files in any folder, including system folders. It also has access to system processes and the kernel.

Note

This is why using the root account directly is discouraged, as it is a risk. We can, however, grant some privileges to some users to be able to act as root when needed.

3.2 sudo access

sudo is the tool we are going to use to act as administrators (superusers). For example, if we want to check if there is any system update, we need to run apt update. Let’s see what happens when we run it as a normal user:

victor@aula:~$ apt update
Reading package lists... Done
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock directory /var/lib/apt/lists/
W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)
W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)

Now, let’s see what happens when run as a superuser:

victor@aula:~$ sudo apt update
[sudo] password for victor: 
Hit:1 http://mirror.hetzner.com/ubuntu/packages noble InRelease
Hit:2 http://mirror.hetzner.com/ubuntu/packages noble-updates InRelease                                            
Hit:3 http://mirror.hetzner.com/ubuntu/packages noble-backports InRelease                                          
Hit:4 http://mirror.hetzner.com/ubuntu/packages noble-security InRelease                                           
Hit:5 http://security.ubuntu.com/ubuntu noble-security InRelease                                                   
Hit:6 http://archive.ubuntu.com/ubuntu noble InRelease
Hit:7 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:8 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
5 packages can be upgraded. Run 'apt list --upgradable' to see them.

But when it is run by a user that doesn't have sudo privileges, the command fails:

test_user@aula:~$ sudo apt update
[sudo] password for test_user: 
test_user is not in the sudoers file.

This means that test_user can't modify system files or do anything harmful to the system; the account can only access its own home folder and little else.

Tip

It is always recommended to create users without sudo access, except for the person responsible for the server, the administrator. sudo access can always be granted later in case it's needed.

3.3 Creating users

To create new users, we are going to use the useradd command. We are going to need several things:

  • A username
  • A user folder at /home/username (flag -m)
  • A shell, in this case /usr/bin/bash (flag -s)
  • (optional) A group like sudo in case the user is going to have administrative privileges (flag -G)
  • A password for the user, which we will add after the user creation with passwd

Let’s see an example:

victor@aula:~$ sudo useradd -m -s /usr/bin/bash -G sudo test_user_2
victor@aula:~$ sudo passwd test_user_2
New password: 
Retype new password: 
passwd: password updated successfully

We have successfully created a user with administrative privileges. We can check it by logging into the server with the newly created user and trying to check for system updates:

test_user_2@aula:~$ sudo apt update
[sudo] password for test_user_2: 
Hit:1 http://mirror.hetzner.com/ubuntu/packages noble InRelease
Hit:2 http://mirror.hetzner.com/ubuntu/packages noble-updates InRelease                                            
Hit:3 http://mirror.hetzner.com/ubuntu/packages noble-backports InRelease                                          
Hit:4 http://mirror.hetzner.com/ubuntu/packages noble-security InRelease                                           
Hit:5 http://archive.ubuntu.com/ubuntu noble InRelease                                                             
Hit:6 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:7 http://security.ubuntu.com/ubuntu noble-security InRelease
Hit:8 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
5 packages can be upgraded. Run 'apt list --upgradable' to see them.

In case we need to modify something, we can use the usermod command. For example, to grant administrative privileges to the test_user user, we can do:

victor@aula:~$ sudo usermod -aG sudo test_user
[sudo] password for victor: 

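Here, the flags -aG sudo mean "add to the sudo group": -G names the supplementary group and -a appends it to the groups the user already belongs to. Without -a, -G replaces the user's existing supplementary groups.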

3.4 Exercise

Exercise: Let's create users for everyone!

In this exercise you are going to work in pairs (if possible, or in groups of 3 people if not).
Using the test_user account (password test_user) you are going to create a user for your partner and give it a password. Then, you will have to check that everything worked as intended and both/all of you can access the server with your brand new accounts.

Remember, use useradd with the necessary flags for creating the user, and don’t forget to add the password with passwd or the new user will not be allowed to access the server.

3.5 Deleting users

In order to maintain a healthy remote server, we also need to periodically remove old users that no longer work on the server. This can be done with userdel. For example, now that we no longer need the test_user and test_user_2 users, we can safely remove them from the system, as well as their personal folders:

victor@aula:~$ sudo userdel -r test_user_2
[sudo] password for victor: 
userdel: test_user_2 mail spool (/var/mail/test_user_2) not found
victor@aula:~$ sudo userdel -r test_user
userdel: test_user mail spool (/var/mail/test_user) not found
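
The account review implied by sections 3.2 and 3.3 (who has sudo access) and 3.5 (which login accounts still exist), as an added example that is not part of the original text: the function reads passwd- and group-format files and reports each regular login account with its sudo status, including users whose primary group is sudo and who therefore do not appear in the group's member list. The sample data, the backup_op account and the UID range 1000-59999 are assumptions made for the example.

```sh
# Added example: review login accounts and sudo membership.
# Usage: audit_accounts [passwd_file] [group_file]
# Prints one line per regular login account: name uid shell sudo=yes|no
audit_accounts() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    awk -F: '
        # Group file: remember the GID of sudo and its listed members.
        FILENAME == ARGV[1] {
            if ($1 == "sudo") {
                sudo_gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        # Passwd file: name:x:uid:gid:gecos:home:shell
        {
            uid = $3 + 0
            # Assumption: regular users have UIDs 1000-59999.
            if (uid < 1000 || uid > 59999) next
            # Skip accounts that cannot log in interactively.
            if ($7 ~ /(nologin|false)$/) next
            # In sudo if listed as a member OR if sudo is the primary group.
            is_sudo = (($1 in member) || (sudo_gid != "" && $4 == sudo_gid)) ? "yes" : "no"
            printf "%s %s %s sudo=%s\n", $1, uid, $7, is_sudo
        }
    ' "$group_file" "$passwd_file"
}

# Constructed sample data (not from a real server); backup_op is hypothetical.
demo() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
victor:x:1000:1000::/home/victor:/usr/bin/bash
test_user:x:1001:1001::/home/test_user:/usr/bin/bash
test_user_2:x:1002:1002::/home/test_user_2:/usr/bin/bash
backup_op:x:1003:27::/home/backup_op:/usr/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
    printf 'root:x:0:\nsudo:x:27:victor,test_user_2\n' > "$d/group"
    audit_accounts "$d/passwd" "$d/group"
    rm -rf "$d"
}
demo
```

Called with no arguments, audit_accounts reads /etc/passwd and /etc/group. It does not read /etc/sudoers, so rights granted there to a user by name are not shown.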