
Administering Users/Groups on Linux Servers

Creating and Administrating Users/Groups

In this blog I will create users and groups, then show how to add users to groups. Since we usually have many services running on our servers, we need to add a layer of security around them. This layer of security is the principle of least privilege. To apply it, we will add each user to an alias and give members of that alias only the privileges they require.

The steps we will go through in this chapter are:

1.  Creating a User.
2.  Deleting a User.
3.  Creating a Group.
4.  Adding and Deleting Users in a Group.
5.  Assigning Privileges Using the Sudoers File.

All of the following commands must be run as the root user. To do this, follow the instructions below.

Enter SU Mode

Creating a User

To create a user, we use the following command.

useradd <username>

This command does not give the user a home directory. To create the user and give them a home directory, add the -m flag.

useradd -m <username>

To give this user a password, we use the following command.

passwd <username>

Deleting a User

To delete a user, we use the following command.

userdel <username>

Creating a Group

To create a group, we use the following command.

groupadd <groupname>

Adding and Removing Users in a Group

To add a user to a group, we use the following command. The -a (append) flag matters: without it, -G replaces the user's existing supplementary groups with the one listed, silently removing them from every other group they were in.

usermod -aG <groupname> <username>

To remove a user from a group, we use the following command.

deluser <username> <groupname>
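The steps above as one script, added here as an example and not taken from the original post. The function names, the sample user "networkadmin" and the sample group "netadmins" are assumptions for this demonstration; provision_user and remove_from_group need root, while the two verification functions read the account databases directly (defaulting to /etc/group and /etc/passwd) so they can be run against a copy or the constructed sample files without root.

```shell
#!/bin/sh
# Added example, not from the original post: create a group and a user with a
# home directory, append the user to the group, and verify the result by
# reading the account databases. Names below are assumptions.

# user_in_group USER GROUP [GROUPFILE]
# Exit 0 if USER is listed as a supplementary member of GROUP.
# GROUPFILE defaults to /etc/group; a path may be given to check a copy.
user_in_group() {
    awk -F: -v g="$2" -v u="$1" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit (found ? 0 : 1) }' "${3:-/etc/group}"
}

# user_home USER [PASSWDFILE]
# Print the home directory recorded for USER (empty if the user is absent);
# this is how to confirm useradd was run with -m.
user_home() {
    awk -F: -v u="$1" '$1 == u { print $6 }' "${2:-/etc/passwd}"
}

# provision_user USER GROUP
# The create-group / create-user / add-to-group procedure, run as root.
# -aG appends the group; plain -G would replace the user's existing
# supplementary groups.
provision_user() {
    [ "$(id -u)" -eq 0 ] || { echo "provision_user: run as root" >&2; return 1; }
    getent group "$2" >/dev/null || groupadd "$2"
    id "$1" >/dev/null 2>&1 || useradd -m "$1"
    usermod -aG "$2" "$1"
    user_in_group "$1" "$2"
}

# remove_from_group USER GROUP
# gpasswd -d is the shadow-utils equivalent of the Debian/Ubuntu deluser
# command used in the post.
remove_from_group() {
    [ "$(id -u)" -eq 0 ] || { echo "remove_from_group: run as root" >&2; return 1; }
    gpasswd -d "$1" "$2"
}

# Constructed sample databases (not copied from any real system) so the
# verification functions can be exercised without root.
SAMPLE_GROUP='root:x:0:
sudo:x:27:alan
netadmins:x:1001:networkadmin,tom'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
networkadmin:x:1001:1001::/home/networkadmin:/bin/bash'

# write_sample group|passwd  -> prints the path of a temp file holding the sample
write_sample() {
    f=$(mktemp)
    case $1 in
        group)  printf '%s\n' "$SAMPLE_GROUP"  > "$f" ;;
        passwd) printf '%s\n' "$SAMPLE_PASSWD" > "$f" ;;
        *)      rm -f "$f"; return 1 ;;
    esac
    echo "$f"
}
```

On a real server, source the file as root and run `provision_user networkadmin netadmins && id networkadmin`; the final `id` shows the supplementary groups and should still list any groups the user already belonged to, which is the behaviour the -a flag preserves.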

Assigning User Privileges.

To give a user privileges, we must edit the “/etc/sudoers” file. Because this file controls every user’s permissions, a single mistake in it could lock all users out of the machine, so it should never be edited directly with a normal editor. Instead it is opened with the special command “visudo”, which launches the default text editor (“vi”) and validates the syntax before saving.

To open the file, use the command below.

visudo

When you have this file open you will see the line “root ALL=(ALL:ALL) ALL”. This line means the user “root” may run “all” commands from “all” hosts, as “all” users and “all” groups.

To give a user superuser permissions, add their username on a new line followed by “ALL=(ALL:ALL) ALL”.

For example, if I were to make my colleague Maciej a superuser on my server, I would add the line below.

maciej ALL=(ALL:ALL) ALL

Groups work very similarly: we just add a % in front of the group name, followed by the permissions. So the line “%admin ALL=(ALL) ALL” means members of the group admin may run “all” commands from “all” hosts, as “all” users and “all” groups.

User Alias

We will now show how to use an alias to give users specific permissions on a server. Let’s pretend we have a user called “networkadmin”. First of all, we must add the user networkadmin to an alias. To do this, create an alias using the keyword “User_Alias” followed by the alias name and an equals sign, then add the user name networkadmin after the equals sign. If you wish to add more users, separate the user names with commas. Below is an example of the alias.

User_Alias      NET = networkadmin, tom

Host Alias

We must now create a host alias, which defines which hosts the users will have permissions on. Similar to the user alias, we use the keyword “Host_Alias”, followed by the alias name and an equals sign, and then the host names of the devices. An example of a Host_Alias is below.

Host_Alias   SER = ns1, ns2

Command Alias

The next step is to create a command alias. To do this we use the keyword “Cmnd_Alias” followed by the alias name and an equals sign, then the commands we want the networkadmin to use, which in this case are networking tools such as tcpdump, Wireshark and Nmap. An example of the command alias is below.

Cmnd_Alias   DEBUG   = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap

Let’s now use these aliases so that all members of the alias “NET” receive the permissions defined in the alias “DEBUG”. To do this, enter the user alias name on a new line, followed by the host alias (or ALL if the rule should apply on all hosts). Then, as in the root line, add an equals sign and “(ALL)” for the users the commands may be run as, and finally the command alias name. An example of the rule is below.

NET     ALL =(ALL) NOPASSWD: DEBUG

In the above example I added the tag “NOPASSWD:”, which means the user does not have to enter their password every time they run a command defined in the command alias. If you would like the user to have to enter their password, remove the “NOPASSWD:” tag.

After you have added all the aliases and the rules, save the sudoers file and exit.

Testing Rules and Aliases

To test, log in as one member of each alias and check whether they can run the commands they are supposed to, and whether they get a permission error on commands they were not permitted to use.
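The alias rules and the testing step above as a script, added here as an example and not part of the original post. It checks a candidate sudoers fragment with visudo before it is installed, resolves which commands a user alias actually ends up with, and asks sudo itself what a user may run instead of logging in as each one. The fragment is constructed to mirror the post's aliases, and the function names are assumptions; sudo_allows needs root (or a user with ALL), and check_sudoers reports a distinct exit code when visudo is not installed so the rest still runs.

```shell
#!/bin/sh
# Added example, not from the original post: validate, resolve and test
# sudoers alias rules. Function names and the fragment are assumptions.

# check_sudoers FILE
# Run visudo in check-only mode on FILE (never on the live /etc/sudoers).
# Exit 0 = syntax OK, 1 = syntax error, 2 = visudo not installed.
check_sudoers() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -q -f "$1" >/dev/null 2>&1
}

# alias_items KIND NAME FILE
# Print the members of alias NAME (KIND is User_Alias, Host_Alias or
# Cmnd_Alias) one per line. Handles both "NAME = a, b" and "NAME=a,b".
alias_items() {
    awk -v kind="$1" -v name="$2" '
        $1 == kind {
            eq = index($0, "=")
            if (eq == 0) next
            split(substr($0, 1, eq - 1), lhs, /[ \t]+/)   # lhs[2] is the alias name
            if (lhs[2] != name) next
            n = split(substr($0, eq + 1), items, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", items[i])
                print items[i]
            }
        }' "$3"
}

# effective_commands USERSPEC FILE
# Print what the rule lines for USERSPEC (a user name, user list or
# User_Alias) grant, expanding a Cmnd_Alias into its commands. Only the
# single-target rules used in the post are handled.
effective_commands() {
    awk -v who="$1" '$1 == who { print $NF }' "$2" | while read -r target; do
        case $target in
            ALL)    echo ALL ;;
            [A-Z]*) alias_items Cmnd_Alias "$target" "$2" ;;   # alias names are uppercase
            *)      echo "$target" ;;
        esac
    done
}

# has_nopasswd USERSPEC FILE
# Exit 0 if any rule line for USERSPEC carries the NOPASSWD: tag.
has_nopasswd() {
    awk -v who="$1" '$1 == who && /NOPASSWD:/ { f = 1 } END { exit (f ? 0 : 1) }' "$2"
}

# sudo_allows USER COMMAND
# Scripted form of the testing step: ask sudo non-interactively whether USER
# may run COMMAND. Exit 0 = allowed, non-zero = refused. Needs root.
sudo_allows() {
    sudo -n -l -U "$1" -- "$2" >/dev/null 2>&1
}

# Constructed fragment mirroring the post's aliases (not a real system's file).
GOOD_FRAGMENT='User_Alias   ADMINS = alan, maciej
User_Alias      NET = networkadmin, tom
Cmnd_Alias   DEBUG   = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap
Cmnd_Alias   PRSYS  = /usr/sbin/service cups *
root,ADMINS     ALL=(ALL:ALL) ALL
NET     ALL =(ALL) NOPASSWD: DEBUG'
# Same rules with the "=" missing from the DEBUG definition: visudo must reject it.
BAD_FRAGMENT='Cmnd_Alias   DEBUG   /usr/sbin/tcpdump,/usr/bin/nmap
NET     ALL =(ALL) NOPASSWD: DEBUG'

# write_fragment good|bad -> prints the path of a temp file holding the fragment
write_fragment() {
    f=$(mktemp)
    case $1 in
        good) printf '%s\n' "$GOOD_FRAGMENT" > "$f" ;;
        bad)  printf '%s\n' "$BAD_FRAGMENT"  > "$f" ;;
        *)    rm -f "$f"; return 1 ;;
    esac
    echo "$f"
}
```

The point of check_sudoers is to run visudo against a copy (visudo -c -f) rather than the real file, so a typo can never lock anyone out; once the copy parses, the rules can be installed and confirmed with `sudo_allows networkadmin /usr/bin/nmap` (expected to succeed) and `sudo_allows networkadmin /usr/sbin/service` (expected to be refused).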

Sudoers File

#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:$

# Host alias specification

# User alias specification
User_Alias   ADMINS  = alan, maciej
User_Alias   DEVEL  = webmaster, john
User_Alias      NET = networkadmin
User_Alias      PRINT = printadmin

# Cmnd alias specification
Cmnd_Alias   DEBUG   = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap
Cmnd_Alias   PRSYS  = /usr/sbin/service cups *
Cmnd_Alias   WEB  = /usr/sbin/service apache2 *,/usr/sbin/apache2ctl, /usr/sbin$

# User privilege specification
root,ADMINS     ALL=(ALL:ALL) ALL
DEVEL   ALL =(ALL) NOPASSWD: WEB
NET     ALL =(ALL) NOPASSWD: DEBUG
PRINT   ALL =(ALL) NOPASSWD: PRSYS

# Members of the admin group may gain root privileges
%admin ALL = (ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL