Managing Users and Permissions on Linux

By Anurag Singh

Updated on Sep 18, 2024

This tutorial covers managing users and permissions on Linux servers. You'll learn how to efficiently manage users, groups, and permissions to secure access to system resources. The guide gives step-by-step instructions for creating user accounts, assigning users to groups, and setting file permissions.

It also explores advanced permission settings like Setuid, Setgid, and Sticky Bit, along with best practices for managing SSH access and locking inactive accounts. Whether you're a beginner or looking to improve server security, this post provides the essential tools to control access and safeguard your Linux environment.

Managing users and permissions is a fundamental aspect of securing Linux servers. By carefully controlling who has access to system resources, you can safeguard data and prevent unauthorized actions. This tutorial will walk you through creating and managing user accounts, organizing them into groups, and assigning permissions to ensure secure access.

Prerequisites

Before you begin, make sure you have the following:

  • An AlmaLinux 9 dedicated server or KVM VPS, or another distribution with systemd (most popular distros like Ubuntu, CentOS, Fedora).
  • Basic knowledge of the Linux command line.
  • Root access or a normal user with sudo rights.

Managing Users and Permissions on Linux

1. Creating User Accounts

To create new users on a Linux system, use the useradd or adduser command. The useradd command is more flexible, while adduser is friendlier for beginners.

Steps to Create a New User:

Open the terminal. To create a new user, use:

sudo useradd -m username
  • -m creates a home directory for the user.

Replace username with the actual username.

Set a password for the new user:

sudo passwd username

To view the newly created user, you can list all users:

cut -d: -f1 /etc/passwd

Add a user to a specific group (e.g., the sudo group for administrative privileges; on AlmaLinux and other RHEL-family systems the equivalent administrative group is wheel):

sudo usermod -aG groupname username
  • -aG adds the user to the group without removing them from any other group.

Example:

sudo usermod -aG sudo username

2. Managing User Groups

Groups help organize users, making permission management more efficient. Each user can belong to multiple groups, and each file or directory can be assigned a group with specific permissions.

Common Group Management Commands:

Create a new group:

sudo groupadd groupname

Add a user to a group:

sudo usermod -aG groupname username

Remove a user from a group:

sudo gpasswd -d username groupname

List all groups:

cat /etc/group

List groups a user belongs to:

groups username

3. Setting Permissions

Linux permissions consist of three types: read (r), write (w), and execute (x). These permissions can be set for three categories: the owner, group, and others.

Understanding Permissions

Each file or directory has permissions in the following format:

-rwxr-xr--
  • The first character (-) indicates the file type.
  • The next three characters (rwx) represent the owner’s permissions.
  • The middle three (r-x) represent the group’s permissions.
  • The last three (r--) represent others’ permissions.

Changing File/Directory Permissions

Use the chmod command to change permissions. You can use symbolic or numeric modes.

Symbolic mode:

chmod u=rwx,g=rx,o=r file.txt

This command grants read, write, and execute permissions to the user (u), read and execute permissions to the group (g), and read-only permission to others (o).

Numeric mode:

chmod 755 file.txt
  • The digits apply to the owner, group, and others in that order: 7 gives the owner full permission (rwx), and each 5 gives the group and others read and execute (r-x).

View file permissions:

ls -l filename

4. Advanced Permission Settings

Linux allows advanced permission management using special permission bits like Setuid, Setgid, and Sticky Bit.

Setuid (Set User ID)

When applied to an executable file, this bit allows the file to be executed with the permissions of the file’s owner. To set it:

chmod u+s file

Setgid (Set Group ID)

When set on a directory, this bit makes new files created in it inherit the directory's group. It is useful in shared group directories:

chmod g+s directory

Sticky Bit

When set on a directory, this ensures that only a file's owner (or the directory's owner, or root) can delete or rename files within it. It's often used in directories like /tmp:

chmod +t directory
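
Because a setuid or setgid executable runs with its owner's or group's privileges for whoever starts it, and a world-writable directory without the sticky bit lets any user remove other users' files, these bits are worth auditing regularly. The script below is an added example, not part of the original tutorial; the function names and the sample tree are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report special permission bits under a directory tree.

# scan LABEL DIR FIND-TESTS... prints "LABEL<TAB>PATH" for every match.
scan() {
    label=$1; dir=$2; shift 2
    # -xdev stays on one filesystem; unreadable paths are skipped quietly
    find "$dir" -xdev "$@" -print 2>/dev/null | while IFS= read -r path; do
        printf '%s\t%s\n' "$label" "$path"
    done
}

audit_special_bits() {
    scan SETUID_FILE "$1" -type f -perm -4000   # runs as the file's owner
    scan SETGID_FILE "$1" -type f -perm -2000   # runs with the file's group
    scan SETGID_DIR "$1" -type d -perm -2000    # new files inherit the group
    # World-writable directory without the sticky bit: any user can delete
    # or rename other users' files in it.
    scan WORLD_WRITABLE_NO_STICKY "$1" -type d -perm -0002 ! -perm -1000
}

# Constructed sample tree for the demonstration (names are made up).
make_sample_tree() {
    d=$(mktemp -d)
    touch "$d/helper" "$d/plain"
    chmod 4755 "$d/helper"                 # setuid executable
    mkdir "$d/shared" "$d/drop" "$d/scratch"
    chmod 2775 "$d/shared"                 # setgid shared directory
    chmod 0777 "$d/drop"                   # world-writable, no sticky bit
    chmod 1777 "$d/scratch"                # world-writable with sticky bit
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /path/to/check
if [ $# -gt 0 ]; then audit_special_bits "$1"; fi
```

Run it against a directory such as /usr or a shared data directory and compare the output between runs; an unexpected new SETUID_FILE entry is the finding to investigate first.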

5. Managing SSH Access

For remote access, SSH is the most secure and commonly used method.

Disabling Password Authentication

You can enhance security by disabling password authentication and using SSH keys instead.

Generate an SSH key pair on your local machine:

ssh-keygen -t rsa

Copy the public key to the server:

ssh-copy-id username@server_ip

Disable password-based login:

Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Set the following parameters:

PasswordAuthentication no
PermitRootLogin no

Restart the SSH service. The unit is named sshd on AlmaLinux and other RHEL-family systems, and ssh on Debian and Ubuntu:

sudo systemctl restart sshd
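
sshd uses the first value it finds for each keyword, and many current distributions ship an sshd_config that starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file can silently override the PasswordAuthentication no you just added. The script below is an added example, not part of the original tutorial, that resolves the value a configuration file actually yields; the function names and the sample files are hypothetical and constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial. All file names below are constructed.
#
# effective_sshd_option FILE KEYWORD
# Prints the value sshd would use for a global KEYWORD and returns 0, or
# returns 1 when the keyword is not set and sshd's built-in default applies.
# Rules modelled: keywords are case-insensitive, the first value found wins,
# Include lines are read in place (glob matches in sorted order), and settings
# after a Match line are conditional, so the scan of a file stops there.
# Simplification: only unquoted, whitespace-separated "Keyword value" lines.
effective_sshd_option() (
    file=$1
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -r "$file" ] || exit 1
    while read -r key val || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $key in
            '' | '#'*) continue ;;
            match) exit 1 ;;
            include)
                set -f; set -- $val; set +f   # split patterns, no globbing yet
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=/etc/ssh/$pat ;; esac
                    for inc in $pat; do       # unquoted on purpose: expand glob
                        found=$(effective_sshd_option "$inc" "$want") &&
                            { printf '%s\n' "$found"; exit 0; }
                    done
                done ;;
            "$want")
                set -f; set -- $val; set +f
                printf '%s\n' "$1"; exit 0 ;;
        esac
    done < "$file"
    exit 1
)

# Constructed sample: a main file that Includes a drop-in directory first.
make_sample_config() {
    d=$(mktemp -d); mkdir "$d/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-example.conf"
    printf '%s\n' "Include $d/sshd_config.d/*.conf" '#PermitRootLogin yes' \
        'passwordauthentication no' 'PermitRootLogin no' \
        'Match User backup' '    PasswordAuthentication yes' > "$d/sshd_config"
    printf '%s\n' "$d/sshd_config"
}

cfg=$(make_sample_config)
for kw in PasswordAuthentication PermitRootLogin; do
    printf '%s -> %s\n' "$kw" "$(effective_sshd_option "$cfg" "$kw" || echo '(default)')"
done
```

On a live server, sudo sshd -t validates the configuration before you restart, and sudo sshd -T prints the effective settings as sshd itself resolves them.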

6. User Management Best Practices

To effectively manage users and permissions on Linux servers, keep the following best practices in mind:

Principle of Least Privilege: Grant users only the permissions they need. Avoid giving users sudo access unless absolutely necessary.

Use Groups to Simplify Permissions: Instead of assigning individual permissions, use groups to manage multiple users at once.

Monitor User Activity: Regularly check login records and monitor system activity using commands like:

last
who

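Lock Inactive Accounts: Disable accounts that are no longer in use. The -L option locks the account's password only; to lock the account itself and not just password access, the usermod manual advises also setting its expiry date to 1. To lock the password: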

sudo usermod -L username

Regularly Audit Permissions: Regularly review user and group permissions to ensure they follow the principle of least privilege.

Conclusion

We have covered managing users and permissions on a Linux server. Managing users, groups, and permissions is critical to maintaining security on Linux servers. By following this guide, you'll be equipped to create user accounts, organize them into groups, and configure permissions effectively. Regular monitoring and good user management practices will help keep your server secure from unauthorized access.