User management is an important part of system security. Ineffective user and privilege management is often what leads to systems being compromised. Therefore, it is important that you understand how to protect your server using simple and effective user account management techniques.

Where is the superuser?

The Ubuntu developers made a conscious decision to block the administrative root account (root) by default in all Ubuntu installations. This does not mean that the root account has been removed or cannot be accessed. It is simply assigned a password that does not match any possible encrypted value, so it cannot be used to log in directly.

Instead, users are encouraged to use a tool called sudo to transfer administrative duties. Sudo allows authorized users to temporarily escalate their privileges by using their own password instead of knowing the password assigned to the superuser. This simple yet effective technique ensures accountability for all user actions and gives administrative control over what actions a user with specified privileges can perform.

1. If for some reason you want to enable the superuser account, simply set a password for it:

sudo passwd

sudo will ask for your password and then prompt you to set a new password for root, as shown below:

Password for username: (enter your own password)
Enter new UNIX password: (enter the new superuser password)
Retype new UNIX password: (repeat the new superuser password)
passwd: password updated successfully

2. To lock the root account again, use the following passwd syntax:

sudo passwd -l root

man sudo

By default, the initial user created by the Ubuntu installer is a member of the "admin" group, which is added to the /etc/sudoers file as sudo-authorized users. If you wish to give another account full superuser access via sudo, just add it to the admin group.

Adding and removing users

The process of managing local users and groups is simple and differs little from most other GNU/Linux operating systems. Ubuntu and other Debian-based distributions encourage the use of the "adduser" package for account management.

1. To add a user account, use the following syntax and follow the prompts to provide a password and identifying characteristics such as full name, phone number, etc.:

sudo adduser username

2. To delete a user and its primary group, use the following syntax:

sudo deluser username

Deleting a user does not delete its associated home directory. It is left to your discretion whether you want to delete the directory manually or leave it in accordance with your retention policies.

Remember that any user added later with the same UID/GID as the previous one will gain access to this directory unless you take the necessary precautions.

You may want to change these directory UID/GID values to something more appropriate, like the superuser's values, and perhaps move the directory to prevent future conflicts:

sudo chown -R root:root /home/username/
sudo mkdir /home/archived_users/
sudo mv /home/username /home/archived_users/

3. To temporarily lock or unlock an account, use the following syntax, respectively:

sudo passwd -l username
sudo passwd -u username

4. To add or remove a personal group, use the following syntax, respectively:

sudo addgroup groupname
sudo delgroup groupname

5. To add a user to a group, use:

sudo adduser username groupname

User Profile Security

When a new user is created, the adduser utility creates a corresponding home directory named /home/username. The default profile is generated from the contents of the /etc/skel directory, which includes all the basics for generating profiles.

If your server is home to many users, you must pay close attention to the permissions on user home directories to maintain confidentiality. By default, user home directories are created with read/execute permissions for everyone. This means that all users can view and access content from other home directories. This may not be suitable for your environment.

1. To check the access rights to the home directories of existing users, use the following syntax:

ls -ld /home/username

The following output shows that the /home/username directory has read access for everyone:

drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username

2. You can remove read permissions for everyone using the following syntax:

sudo chmod 0750 /home/username

Some people tend to use the recursion (-R) option indiscriminately, which modifies all child directories and files, although this is not necessary and may have other undesirable consequences. The parent directory itself will prohibit unauthorized access to any of its contents.

A more efficient approach to this issue would be to change the default global permissions for adduser when creating home directories. Simply edit the /etc/adduser.conf file, changing the DIR_MODE variable to something more appropriate, and then all new home directories will have the correct permissions.

DIR_MODE=0750

3. After correcting directory permissions using any of the previously mentioned techniques, check the results using the following command:

ls -ld /home/username

The output below shows that read permissions have been removed for everyone:

drwxr-x--- 2 username username 4096 2007-10-02 20:03 username
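As an added example (not part of the original guide), the following script checks every regular account's home directory for the world-readable condition shown in the ls -ld output above, reports the DIR_MODE default that adduser will apply to new homes, and applies the 0750 fix to a single directory. It assumes a Linux userland with ls, cut and sed, and that human accounts have UIDs of 1000 and above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide: audit home directories for the
# world-readable condition the ls -ld output above shows, report the DIR_MODE
# that adduser will apply to new homes, and fix one directory in place.
# Assumes a Linux userland (ls, cut, sed) and human accounts with UID >= 1000.

# others_clear MODE: succeed when a symbolic mode such as drwxr-x--- grants
# nothing to "other" (characters 8-10). A trailing + or . (ACL/SELinux marker)
# is tolerated by the final wildcard.
others_clear() {
    case "$1" in
        ???????---*) return 0 ;;
        *)           return 1 ;;
    esac
}

# audit_homes [PASSWD_FILE]: print "user home mode" for every regular account
# whose existing home directory is still reachable by "other".
audit_homes() {
    f=${1:-/etc/passwd}
    [ -r "$f" ] || return 0
    while IFS=: read -r name _ uid _ _ home _; do
        case "$uid" in *[!0-9]*|'') continue ;; esac    # skip malformed lines
        [ "$uid" -ge 1000 ] && [ -d "$home" ] || continue
        mode=$(ls -ld "$home" | cut -c1-10)
        others_clear "$mode" || printf '%s %s %s\n' "$name" "$home" "$mode"
    done < "$f"
    return 0
}

# default_dir_mode [ADDUSER_CONF]: print the DIR_MODE new home directories get,
# so the fix can be made once in /etc/adduser.conf instead of per user.
default_dir_mode() {
    f=${1:-/etc/adduser.conf}
    [ -r "$f" ] || return 0
    sed -n 's/^DIR_MODE=//p' "$f"
}

# harden_home DIR: 0750 on the directory itself is enough; no recursive chmod.
harden_home() {
    chmod 0750 "$1"
}

# Stand-alone run: read-only report on the live system.
audit_homes
default_dir_mode
```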

Password Policy

A strong password policy is one of the most important aspects of your security posture. Many successful security breaches have used brute force and dictionary guessing attacks against weak passwords. If you intend to offer any form of remote access using your local password system, make sure you set adequate minimum password requirements and a maximum password lifetime, and audit your authentication system frequently.

Minimum password length

By default, Ubuntu requires a minimum password length of 6 characters, as well as some basic entropy checks. These settings are controlled by the /etc/pam.d/common-password file and are listed below:

password pam_unix.so obscure sha512

If you want to set the minimum length to 8 characters, change the corresponding variable to min=8. The changes are below:

password pam_unix.so obscure sha512 min=8

Basic quality checks and minimum password length checks do not apply to an administrator using sudo-level commands to set up a new user.

Password lifetime

When creating user accounts, you should create a minimum and maximum password lifetime policy to force users to change their passwords after a certain time.

1. To view the current status of a user account, use the following syntax:

sudo chage -l username

The output below shows some interesting facts about the user account, namely that no policies are applied:

Last password change: Jan 20, 2008
Password expires: never
Password inactive: never
Account expires: never
Minimum number of days between password change: 0
Maximum number of days between password change: 99999
Number of days of warning before password expires: 7

2. To set these values, simply use the following command and follow the interactive prompts:

sudo chage username

The following is also an example of how you can manually set an explicit account expiration date (-E) of 01/31/2008, a minimum password age (-m) of 5 days, a maximum password age (-M) of 90 days, an inactivity period (-I) of 5 days after the password expires, and a warning period (-W) of 14 days before the password expires.

sudo chage -E 01/31/2008 -m 5 -M 90 -I 30 -W 14 username

3. To check the changes, use the same command as mentioned above:

sudo chage -l username

The command output below shows the new policies that are applied to the account:

Last password change: Jan 20, 2008
Password expires: Apr 19, 2008
Password inactive: May 19, 2008
Account expires: Jan 31, 2008
Minimum number of days between password change: 5
Maximum number of days between password change: 90
Number of days of warning before password expires: 14
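The following script, an added example rather than part of the original guide, reads records in /etc/shadow format (the same fields that chage -l reports above) and flags accounts whose passwords never expire or have already expired. The sample records are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide: audit password ageing from
# /etc/shadow-format records, the same fields chage -l reports above.
# Field order: name:hash:lastchange:min:max:warn:inactive:expire:reserved,
# with lastchange and dates counted in days since 1970-01-01.

# password_status LASTCHANGE MAX TODAY: print NOEXPIRY when no maximum age
# is set (empty field or the 99999 default), otherwise the days left before
# the password expires (negative means it has already expired).
password_status() {
    if [ -z "$2" ] || [ "$2" -ge 99999 ]; then
        printf 'NOEXPIRY\n'
    else
        printf '%s\n' "$(( $1 + $2 - $3 ))"
    fi
}

# find_unaged [TODAY]: read shadow records on stdin and print every account
# with a usable password hash whose password never expires or has already
# expired. Locked (!...) and passwordless (*) entries are skipped because
# they cannot be used for password logins anyway.
find_unaged() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    while IFS=: read -r name hash last min max warn inact expire _; do
        case "$hash" in ''|'*'|'!'*) continue ;; esac
        case "$last" in *[!0-9]*|'') continue ;; esac
        status=$(password_status "$last" "$max" "$today")
        case "$status" in
            NOEXPIRY) printf '%s never-expires\n' "$name" ;;
            -*)       printf '%s expired\n' "$name" ;;
        esac
    done
    return 0
}

# Constructed sample: alice keeps the defaults, bob has the 90-day policy
# set above (last change on day 13898 = 20 Jan 2008), root is locked.
SAMPLE_SHADOW='alice:$6$salt$hash:13898:0:99999:7:::
bob:$6$salt$hash:13898:5:90:14:30::
root:!:13898:0:99999:7:::'

# Stand-alone run as of day 13900 (22 Jan 2008): reports alice only.
printf '%s\n' "$SAMPLE_SHADOW" | find_unaged 13900
```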

Other Security Considerations

Many applications use alternative authentication mechanisms that can easily be overlooked even by experienced system administrators. Therefore, it is important to understand and control how users log in and gain access to services and applications on your server.

SSH access by blocked users

Simply disabling or locking a user account does not prevent that user from connecting to the server remotely if they have previously been authenticated with an RSA public key. Such users will have access to the console shell on the server without having to enter any password. Remember to check user home directories for files that allow this type of SSH authorization, such as /home/username/.ssh/authorized_keys.

Removing or renaming the .ssh/ directory in the user's home directory will prevent further SSH authentication ability.

Be sure to check any SSH connections made by blocked users, as there may still be incoming or outgoing connections. Kill everything you find.

Limit SSH access to only user accounts that require it. For example, you could create a group called "sshlogin" and add the group name as a value for the AllowGroups variable located in the /etc/ssh/sshd_config file.

AllowGroups sshlogin

Then add your users who are allowed SSH access to the "sshlogin" group and restart the SSH service.

sudo adduser username sshlogin
sudo service ssh restart
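As an added example (not from the original guide), this script automates the two checks above: it lists locked accounts that still carry an authorized_keys file, and reports whether sshd_config restricts logins with AllowGroups. All input files are constructed in a temporary directory, so nothing on the real system is read or changed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide: automate the two SSH checks
# above. locked_with_keys lists locked accounts that still carry an
# authorized_keys file; sshd_allowgroups reports whether sshd restricts logins
# by group. All inputs are constructed under a temporary directory.

# locked_with_keys SHADOW PASSWD: print "user keyfile" for every account whose
# shadow hash starts with "!" (locked by passwd -l) but whose home directory,
# taken from PASSWD, still holds a non-empty .ssh/authorized_keys.
locked_with_keys() {
    shadow=$1; passwd=$2
    while IFS=: read -r name hash _; do
        case "$hash" in '!'*) ;; *) continue ;; esac
        home=$(awk -F: -v u="$name" '$1 == u { print $6 }' "$passwd")
        keys="$home/.ssh/authorized_keys"
        if [ -s "$keys" ]; then printf '%s %s\n' "$name" "$keys"; fi
    done < "$shadow"
    return 0
}

# sshd_allowgroups SSHD_CONFIG: print the groups named by an active AllowGroups
# line, or "unrestricted" when there is none (then any account with a shell and
# a key or password may log in).
sshd_allowgroups() {
    g=$(sed -n 's/^[[:space:]]*AllowGroups[[:space:]]\{1,\}//p' "$1")
    printf '%s\n' "${g:-unrestricted}"
}

# build_fixture: create a constructed home tree plus shadow, passwd and
# sshd_config files under a temp dir and print its path. alice is locked but
# still has a key, bob is active, carol is locked and has no key.
build_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/home/alice/.ssh" "$t/home/bob/.ssh" "$t/home/carol"
    echo 'ssh-ed25519 AAAAC3...constructed-key... alice@laptop' > "$t/home/alice/.ssh/authorized_keys"
    printf 'alice:!$6$x$y:13898:0:99999:7:::\nbob:$6$x$y:13898:0:99999:7:::\ncarol:!:13898:0:99999:7:::\n' > "$t/shadow"
    printf 'alice:x:1000:1000::%s/home/alice:/bin/sh\nbob:x:1001:1001::%s/home/bob:/bin/sh\ncarol:x:1002:1002::%s/home/carol:/bin/sh\n' \
        "$t" "$t" "$t" > "$t/passwd"
    printf 'Port 22\nAllowGroups sshlogin\n' > "$t/sshd_config"
    printf '%s\n' "$t"
}

# Stand-alone run against the fixture: prints alice's key file, then sshlogin.
fx=$(build_fixture)
locked_with_keys "$fx/shadow" "$fx/passwd"
sshd_allowgroups "$fx/sshd_config"
rm -rf "$fx"
```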

Authentication using an external database

Most corporate networks require centralized authentication and access control for all system resources. If you have configured your server to authenticate users against an external database, make sure that you disable user accounts both externally and locally; this way you can be sure that a fallback to local authentication is impossible.

Let's say I'm a new user of Ubuntu Linux 16.04.xx LTS. I may immediately have a number of questions. How can I create a new sudo user on my server? How to add a new user to the sudoer file using a command line option on Ubuntu?

In Linux (and Unix in general) there is a superuser called root. The root user can do anything and everything, and thus normal use of the system as root can become very dangerous. You may enter a command incorrectly and destroy the system. The sudo command allows an authorized user to run a command as the superuser (root user) or as another user, as specified in the security policy. Often sudo is used on servers to provide administrative rights and privileges to regular users. In this quick guide you will learn how to create a sudo user on Ubuntu.

The steps you need to take to create a sudo user on Ubuntu

Read more about admin group and sudo group on Ubuntu server

Members of the admin group can gain root privileges. All members of the sudo group can run any command on the Ubuntu server. So just add the user to the sudo group on the Ubuntu server. The admin group's role has been significantly reduced since Ubuntu 12.04, so on Ubuntu 12.04 or higher the admin group no longer exists or is simply no longer used. The reason this works:

# grep -B1 -i "^%sudo" /etc/sudoers

$ sudo grep -B1 -i "^%sudo" /etc/sudoers

Examples of possible data outputs:

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

Let's look at some practical examples.

How to add a new user named vivek in sudo using command line?

Open a terminal or log into your remote server:

$ ssh root@server-name-IP-here

# adduser vivek

$ sudo adduser vivek

Figure 01: How to add a new user on Ubuntu

Examples of possible data outputs:

How to create a sudo user in Ubuntu for the vivek account

Enter the following command:

# adduser vivek sudo

OR use the usermod command to add a user to a group on Linux:

# usermod -aG sudo vivek

$ sudo usermod -aG sudo vivek

$ sudo adduser vivek sudo

Examples of possible data outputs:

Figure 02: Add user vivek to sudo to gain admin rights

Verify the new user and group member using:

$ id vivek

Examples of possible data outputs:

Figure 03: Show user and group information

Now user vivek can login using ssh command as follows:

$ ssh vivek@server-name-IP-here

Make sure vivek can use the sudo command:

$ sudo cat /etc/sudoers

The first time you use the sudo command, you will be prompted to enter your vivek account password. Therefore, enter the vivek password to receive root access. Any command run with sudo will execute with root privileges for the vivek account. To get a root shell, enter:

$ sudo -s

Examples of possible data outputs:

Figure 03: Testing sudo access for the vivek user account

That's it. You can now allow other users to run sudo on your Ubuntu server and give users admin rights.

Adding and removing users is one of the basic tasks that you may encounter when working on a new server running a Linux OS. Typically, after you have installed a new system, you have only one user: the superuser.

On the one hand, using the superuser is convenient, since it has wide capabilities; on the other hand, because of this you may accidentally cause harm to the freshly installed system. Therefore, to perform standard actions, it is better to create another user, this time without such privileges. It is also recommended to create additional users for all people who will use the system. Each user must have their own account.

In this case, you will be able to perform administrative tasks using a user with sudo rights. In this tutorial, you'll learn how to create users, give them sudo rights, and delete them.

How to add a user

# adduser newuser

If you want to use a user with sudo rights to create a new user, then the command will look slightly different:

$ sudo adduser newuser

(In this case, instead of newuser, you can specify some other word, since this will be the name of the new user.)

After entering the command, you will need to answer several questions sequentially, namely:

  • enter and confirm the password for the new user;
  • write Additional information about the new user. This is not necessary; if you don't want to add anything, just press Enter;
  • Finally, you will need to confirm the correctness of all the information entered so far - to do this, press y (yes).

The new user is now created and ready to use! You can log in using the password you set earlier.

If you want to give the user administrative rights, then read the next section.

How to give a user sudo rights

If you need a new user to be able to run administrative (root) commands, you need to give that user sudo access. This can be done in two ways: either add this user to the created group of users who can execute sudo commands, or grant this right to the user by making changes to the sudo utility configuration. Let's consider both options.

Adding a new user to the sudo group

By default, in Ubuntu 16.04, all users who are members of the appropriate group have the right to execute sudo commands.

To see which groups this user currently belongs to, use the following command:

$ groups newuser

As a result, you will see on the screen:

newuser : newuser

This is because, by default, each new user is placed in their own group, which is created together with the user and has the same name. To add a user to another group, enter the following command on the command line:

$ usermod -aG sudo newuser

(As a reminder, instead of newuser you need to write the name of the user you want to move to the group with administrative rights.)

The -aG switch appends the user to the named group while keeping their existing group memberships.

Checking for sudo rights

Now you need to check if your user can execute administrative commands.

$ command

You can run the same command, but with administrative rights, if you write sudo at the beginning:

$ sudo command

In this case, you will need to enter the password for this user’s account.

Specifying user rights in /etc/sudoers

An alternative way to give the user sudo rights is to set up a configuration file. You need to use the visudo command to open the /etc/sudoers configuration file in your default editor and specify the permissions specifically for that user.

It is recommended to use the visudo command to edit the configuration file: firstly, it protects the file from several simultaneous changes, and secondly, it checks the file syntax before overwriting it. This will prevent you from setting up sudo incorrectly and then being unable to make the changes you want because you have lost administrative rights.

If you are using a user with sudo rights, then the command you need will look like this:

$ sudo visudo

Typically, the visudo command would open /etc/sudoers in the vi editor, which could confuse less experienced users. That's why Ubuntu 16.04 replaces vi with nano, a tool that is much more familiar to most users. Use the arrow keys on your keyboard to find the desired line. It looks something like this:

root ALL=(ALL:ALL) ALL

Copy this text just below and instead of “root” write the name of the user you want to grant the right to execute sudo commands. It will look something like this:

root ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL

For each new user you must add a new line. Once you have made all the necessary changes, save and close the file by pressing Ctrl-X, then Y and Enter to confirm.

How to delete users

If you no longer need one of the created users, the best solution is to delete it.

You can delete only the user, without deleting his files, using the command:

# deluser newuser

If you are using a user with sudo rights, then the command will look like this:

$ sudo deluser newuser

In order to delete a user along with his home directory, as a superuser you need to enter:

# deluser --remove-home newuser

For users with sudo rights:

$ sudo deluser --remove-home newuser

And if you want to strip a deleted user of sudo rights, you need to open the configuration file:

# visudo

(if from superuser)
or

$ sudo visudo

(if from a user with sudo rights)

root ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL # Remove this line.

This is necessary so that in the future a created user with the same name does not accidentally receive sudo rights.

Conclusion

Now you know how to properly create and delete users, as well as give them permission to run the sudo command. For effective management, separate users into different groups and give administrative rights only to those who really need it to do their job.

As reader responses show, the separation of administrative rights in Ubuntu still remains unclear to most novice administrators, so we decided to bring some clarity to this issue with this material. So if you don't know how su differs from sudo, where root is hidden, and so on, it's time to start studying our article.

Let's start with a small digression. The Linux administrative rights system goes back to the Unix OS and therefore has much in common with other Unix-like systems: BSD, Solaris, MacOS. At the same time, different distributions have their own implementation characteristics of certain aspects, so we will give specific examples regarding the Ubuntu family, but knowledge of the general rules will allow you to easily understand the environment of any other Unix-like OS.

In Linux, full administrative rights belong to the root user, whose rights cannot be limited, so everyday work on behalf of this user is extremely undesirable: careless actions by the user can damage the system, and compromising this account gives an attacker unlimited access to the system.

Therefore, a different scheme has been adopted in Linux: all users, including administrators, work under a limited account, and to perform administrative actions they use one of the rights escalation mechanisms. To do this, you can elevate rights using the sudo utility, or log in as the superuser (root) without ending the current session using the su command. Many people confuse these two mechanisms, so let's look at them in more detail.

The su command allows you to log in as another user (not necessarily root) without terminating the current session. So the command:

su petrov

will allow you to log in as the user petrov, the user environment (home folder) will also be changed to belong to this user.

The su command without a username allows you to log in as root. However, this method has one significant drawback: to log in on behalf of another user you need to know their password. If you have several administrators, each of them will know the superuser password and you will not be able to limit their rights.

In addition, it is unsafe; knowing the superuser password and the ability to log in under his name in case of compromise can lead to a complete loss of control over the system.

What happens if we try to elevate rights in Ubuntu this way? We won't be able to do anything, because we don't know the root user's password; at the same time, nothing stops us from logging in as a different user.

"Wait!" - another user will say, “aren’t root rights given to the first created user, whom we specify during installation?” Indeed, administrative tasks can only be performed on behalf of the user created during installation; if we try to do this on behalf of another user, we will suffer failure.

Here we come close to the second mechanism for elevating rights, the sudo utility. However, before moving on to studying it, it is worth clarifying: superuser (root) rights in Ubuntu belong to the root account, which is disabled by default. Therefore, elevating permissions with the su command is not possible.

The main mechanism for elevating rights in Ubuntu is the utility sudo. This utility allows you to elevate rights to the superuser level for the command being executed, but you do not need to know the superuser password; the user must enter his own password. After which the utility will check whether this user has the right to execute this command on this host with superuser rights and, if the checks are successfully passed, will execute it.

Important! The main difference between su and sudo is that su lets you change the current user to root, which requires an active superuser account on the system and knowledge of its password, whereas sudo lets you elevate rights for the command being executed without specifying the superuser password: the user enters their own password, and logging in as root with those credentials will not work.

Another important circumstance is that when using a pipeline or redirection with superuser rights, only the first part of the command is executed with elevated rights; for example, in the construction:

sudo command1 | command2

only command1 will be executed with root rights. And the command

sudo cat sources.list > /etc/apt/sources.list

will give an access rights error, because the write to /etc/apt/sources.list will take place with normal user rights.

To perform complex combinations of commands, you can switch to superuser mode with the command

sudo -s

which is similar to elevating rights with the su command; however, this will not change the user environment, and the current user's directory will be used as the home directory, which is convenient and safe. Each administrator will only have access to their own home directory.

Now it is time to figure out who has the right to use the capabilities of sudo, and to what extent. The settings of this utility are held in the file /etc/sudoers; although this is a regular configuration file, to edit it it is highly recommended to use the command:

sudo visudo

This command locks the file and checks the syntax, otherwise you risk losing administrative access to your PC due to a typo.

The syntax of this file is quite simple. For example, at the very end of the file there is an entry:

%admin ALL=(ALL) ALL

This means that users of the admin group can execute any command on any host on behalf of any user. As we can easily verify using the groups command, in our case the user andrey belongs to the admin group and the user petrov does not.

But all the advantages of this utility lie in the ability to flexibly configure the parameters for obtaining rights in each specific case. For example:

petrov ubuntu-lts=(andrey) ALL

This line allows the user petrov to execute any command on the host ubuntu-lts on behalf of the user andrey. When specifying commands, you should give their full path; you can find it using the which command.

For example, we want to allow the users petrov and sidorov to shut down and restart the computer, as well as kill tasks. However, these commands should not require entering a password.

Another nice feature of the sudo utility is the creation of aliases, so in our case we will add in /etc/sudoers the following lines:

User_Alias USERGROUP1 = petrov, sidorov
Cmnd_Alias CMDGROUP1 = /bin/kill, /sbin/reboot, /sbin/shutdown

With this we created two aliases USERGROUP1, where we included the users we need and CMDGROUP1 with a set of necessary commands, we can subsequently edit only aliases without affecting all the rules where they can be used. Then let's add a rule:

USERGROUP1 ALL = (ALL) NOPASSWD:CMDGROUP1

which will allow users listed in the specified alias to execute commands from the given alias on any host on behalf of any user without entering a password.

In addition to the above two, aliases are also available for the host name and users on whose behalf it is allowed to execute commands, for example:

Host_Alias WWW = webserver1, webserver2
Runas_Alias WWW = www-data, www-developer

USERGROUP1 WWW = (WWW) ALL

The given set of records will allow users in USERGROUP1 to execute any commands on behalf of the users www-data and www-developer on the company's web servers.
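To see how sudo will evaluate rules written with aliases like those above, here is an added example (not from the original article) that resolves a constructed sudoers fragment and answers whether a user may run a command on a host as a given target user, and whether a password is required. It handles only the alias, %group, ALL, (RUNAS) and NOPASSWD features discussed here; the sudo_check function and the user ivanov used in testing are my own additions.

```shell
#!/bin/sh
# Added example, not from the original article: resolve alias-based sudoers
# rules like those discussed above and answer whether USER may run CMD on HOST
# as TARGET, and whether a password is required. Handles User_/Cmnd_/Host_/
# Runas_Alias lines, %group entries, ALL, (RUNAS) lists and the NOPASSWD tag;
# Defaults, wildcards, negation and multi-line rules are deliberately ignored.

# Constructed sudoers fragment mirroring the rules in the text above.
SAMPLE_SUDOERS='# constructed sample, not a real /etc/sudoers
Defaults env_reset
User_Alias USERGROUP1 = petrov, sidorov
Cmnd_Alias CMDGROUP1 = /bin/kill, /sbin/reboot, /sbin/shutdown
Host_Alias WWW = webserver1, webserver2
Runas_Alias WWW = www-data, www-developer
%admin ALL=(ALL) ALL
USERGROUP1 ALL = (ALL) NOPASSWD:CMDGROUP1
petrov ubuntu-lts=(andrey) ALL
USERGROUP1 WWW = (WWW) ALL'

# sudo_check USER HOST CMD [GROUPS] [TARGET]: print NOPASSWD, PASSWD or DENY.
# GROUPS is a space-separated list of the groups USER belongs to (for %group
# entries); TARGET is the user the command would run as (default root).
# As in sudo, the last matching rule decides.
sudo_check() {
    printf '%s\n' "$SAMPLE_SUDOERS" | awk -v user="$1" -v host="$2" -v cmd="$3" \
                                          -v groups="$4" -v target="${5:-root}" '
    # member(name, list, type): 1 when name matches an element of the comma
    # separated list, expanding aliases of the given type recursively
    function member(name, list, type,    n, parts, i, v) {
        n = split(list, parts, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            v = parts[i]
            if (v == "ALL" || v == name) return 1
            if (((type ":" v) in alias) && member(name, alias[type ":" v], type)) return 1
            if (type == "User_Alias" && substr(v, 1, 1) == "%" &&
                (" " groups " ") ~ (" " substr(v, 2) " ")) return 1
        }
        return 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ || /^Defaults/ { next }
    /^(User|Cmnd|Host|Runas)_Alias[ \t]/ {
        type = $1
        sub(/^[A-Za-z_]+[ \t]+/, "")             # drop the keyword: NAME = a, b, c
        split($0, kv, /[ \t]*=[ \t]*/)
        alias[type ":" kv[1]] = kv[2]
        next
    }
    /=/ {
        split($0, lr, /[ \t]*=[ \t]*/)           # "WHO HOST" and "(RUNAS) [NOPASSWD:]CMDS"
        split(lr[1], wh, /[ \t]+/)
        rest = lr[2]
        runas = "root"                           # sudoers default when (RUNAS) is omitted
        if (match(rest, /^\([^)]*\)/)) {
            runas = substr(rest, 2, RLENGTH - 2)
            sub(/:.*/, "", runas)                # keep the user list, drop any :group list
            rest = substr(rest, RLENGTH + 1)
            sub(/^[ \t]+/, "", rest)
        }
        nopw = sub(/^NOPASSWD:[ \t]*/, "", rest)
        if (member(user, wh[1], "User_Alias") && member(host, wh[2], "Host_Alias") &&
            member(target, runas, "Runas_Alias") && member(cmd, rest, "Cmnd_Alias"))
            result = nopw ? "NOPASSWD" : "PASSWD"
    }
    END { print (result == "" ? "DENY" : result) }'
}

sudo_check petrov ubuntu-lts /sbin/reboot            # NOPASSWD, via both aliases
sudo_check petrov ubuntu-lts /usr/bin/apt "" andrey  # PASSWD, via the per-host rule
```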

Finally, let’s look at what to do if a root account is still needed. It's simple, to enable it, just set a password:

sudo passwd root

You can lock the superuser account again with the command:

sudo passwd -l root

Remember that all administrative tasks in Ubuntu can be done using the sudo utility, so don't enable the root account unless absolutely necessary!

As you can see, Ubuntu has rich administrative rights management capabilities, which allows you to flexibly distribute rights among several administrators, as well as give the ability to increase rights for some users, and do this efficiently and securely.

Option -c - add a comment to the user
Option -g sudo - add a user to the sudo group.
The -s option will set the user's shell to /bin/bash

Option -d used to specify the user's home folder
Option -m will indicate that the folder needs to be created immediately:

sudo useradd -c "Comment for user" -g sudo -d /home/NameUser -m -s /bin/bash NameUser

Set a password for the NameUser user:

sudo passwd NameUser

Add a user using the adduser command

sudo adduser NameUser

Enter the password, answer all the questions asked, get a user with a password and home directory

Changing the user password

sudo passwd NameUser

Add a user to the sudo group

usermod -a -G sudo NameUser

Add a user or group to sudoers directly:

Edit the /etc/sudoers file with the visudo editor:

sudo visudo

Let's give root rights to the user named user_name

user_name ALL=(ALL:ALL) ALL

Let's give root rights to a group of users group_name by adding a line to the sudoers file -

%group_name ALL=(ALL:ALL) ALL

User and his groups

We look at the available groups on the host

cat /etc/group

Checking the existence of a group examplegroup on the host where examplegroup is the group you are interested in

grep examplegroup /etc/group

We check/find out which groups the user belongs to (as well as his uid, gid)

id NameUser

Add an existing user NameUser to an existing group examplegroup

usermod -aG examplegroup NameUser

Removing an Ubuntu user

We use the command, the user's folder will not be deleted

sudo userdel NameUser

Delete the folder if necessary

sudo rm -r /home/NameUser/

We check whether the user has been deleted; if there is no output, the user has been deleted

sudo grep NameUser /etc/passwd --color

List all local users

sudo cat /etc/passwd
sudo cat /etc/shadow

To display more detailed information about the user, install the package finger

sudo apt-get install finger

To view information about the user NameUser, run the command

finger NameUser

To output information about all users to a file infoaboutalluser.txt let's create a script finger.sh

#!/bin/bash
# Print finger information for every account listed in /etc/passwd
n=$(cut -d: -f1 /etc/passwd)
for i in $n; do
    echo "==========================================================================="
    finger "$i"
done

Let's run the script finger.sh and save its output to the file infoaboutalluser.txt

./finger.sh > infoaboutalluser.txt

List all privileged users:

egrep ":0:0:" /etc/passwd

or not privileged

egrep -v ":0:0:" /etc/passwd

List all users whose names begin with the letters abcd:

grep "^[abcd]" /etc/passwd