comments |
---|
true |
Today you're going to set-up another user on your system. You're going to imagine that this is a help-desk person that you trust to do just a few simple tasks:
- check that the system is running
- check disk space with:
df -h
...but you also want them to be able to reboot the system, because you believe that "turning it off and on again" resolves most problems :-)
You'll be covering a several new areas, so have fun!
- Create a new user
- Create a new group
- Create a new user and add to an existing group
- Make a new user a sudoer
Follow this demo
Choose a name for your new user - we'll use "helen" in the examples, so to add this new user:
sudo adduser helen
(Names are case-sensitive in Linux, so "Helen" would be a completely different user)
The "adduser" command works very slightly differently in each distro - if it didn't ask you for a password for your new user, then set it manually now by:
sudo passwd helen
You will now have a new entry in the simple text database of users: /etc/passwd
(check it out with: less
), and a group of the same name in the file: /etc/group
. A hash of the password for the user is in: /etc/shadow
(you can read this too if you use "sudo" - check the permissions to see how they're set. For obvious reasons it's not readable to just everyone).
If you're used to other operating systems it may be hard to believe, but these simple text files are the whole Linux user database and you could even create your users and groups by directly editing these files - although this isn’t normally recommended.
Additionally, adduser
will have created a home directory, /home/helen
for example, with the correct permissions.
ATTENTION! useradd
is not the same as adduser
. They both create a new user, but they interact very differently. Check the link in the EXTENSION section to see those differences.
Let's say we want to all of the developers in my organization to have their own group, so they can have access to the same things.
sudo groupadd developers
On most modern Linux systems there is a group created for each user, so user "ubuntu" is a member of the group "ubuntu". But if you want, you can create a new user directly into an existing group, using the ingroup
flag. So a new user fred
would be created like this:
sudo adduser --ingroup developers fred
Users can also be part of more than one group, and groups can be added as required.
To see what groups you're a member of, simply type: groups
On an Ubuntu system the first user created (in your case ubuntu
), should be a member of the groups: ubuntu
, sudo
and admin
- and if you list the /var/log
folder you'll see your membership of the sudo
group is why you can use less
to read and view the contents of /var/log/auth.log
The "root" user can add a user to an existing group with the command:
usermod -a -G group user
so your ubuntu
user can do the same simply by prefixing the command with sudo
.
Because the new user helen
is not the first user created in the system, they don't have the power to run sudo
- which your user has by being a member of the group sudo
.
So, to check which groups helen
is a member of, you can "become helen" by switching users like this:
sudo su helen
Then:
groups
If you try to do stuff only a sudo user can do, i.e. read the contents of /var/log/auth.log
, even using the prefix sudo
won't work. Helen is not a sudo and has no permissions to perform this action.
Now type "exit" to return to your normal user, and you can add helen
to this group with:
sudo usermod -a -G sudo helen
Instead of switching users again, simply run the groups helen
to check. Try that with fred
too and check how everything works.
See if any of your new users can sudo reboot
.
Your new user is just an ordinary user and so can't use sudo
to run commands with elevated privileges - until we set them up. We could simply add them to a group that's pre-defined to be able to use sudo to do anything as root (like we did with helen
) - but we don't want to give fred
quite that same amount of power.
Use ls -l
to look at the permissions for the file: /etc/sudoers
This is where the magic is defined, and you'll see that it's tightly controlled, but you should be able to view it with: sudo less /etc/sudoers
You want to add a new entry in there for your new user, and for this you need to run a special utility: visudo
To run this, you can temporarily "become root" by running:
sudo -i
Notice that your prompt has changed to a #
Now simply run visudo
to begin editing /etc/sudoers
- typically this will use nano
.
All lines in /etc/sudoers
beginning with "#" are optional comments. You'll want to add some lines like this:
# Allow user "fred" to run "sudo reboot"
# ...and don't prompt for a password
#
fred ALL = NOPASSWD:/sbin/reboot
You can add these line in wherever seems reasonable. The visudo
command will automatically check your syntax, and won't allow you to save if there are mistakes - because a corrupt sudoers file could lock you out of your server!
Type exit
to remove your magic hat and become your normal user again - and notice that your prompt reverts to: $
Test by logging in as your test user and typing: sudo reboot
Note that you can "become" helen by:
sudo su helen
If your ssh config allows login only with public keys, you'll need to setup /home/helen/.ssh/authorized_keys
- including getting the owner and permissions correct. A little challenge of your understanding of this area!
If you find this all pretty familiar, then you might like to check and update your knowledge on a couple of related areas:
- Restricting shell access
- Linux Password & Shadow File Formats
- What's the difference between 'useradd' and 'adduser'?
- How to create users and groups in Linux from the command line
- Learn how to use the $EDITOR environmental variable to set your default editor to
vim
. With this done,visudo
will usevim
rather thannano
for editing.
- How To Edit the Sudoers File
- Sudo – An Advanced Howto
- A cartoon that should now make sense!
- Basic Linux Permissions: sudo and sudoers (video)
Some rights reserved. Check the license terms here