Administration Users/Groups on Linux Servers
Tue, Jan 23, 2018Creating and Administrating Users/Groups
In this blog I will make user’s and groups. I will then show how we can add users to groups. Since we usually have many services running on the server’s we will need add a layer of security to the services. This layer of security is called the principle of least privilege. To add this layer, we will add each user to an alias and give members of that alias only the privileges they require.
The step we will go through in this chapter will be:
1. Creating a User.
1. Deleting a User.
1. Creating a Group.
1. Adding and Deleting Users in a Group
1. Assigning Privileges Using Sudoers File.
All the following commands require the user to be a root user. To do this follow the instructions below
Creating a User
To create a user, we use the following command.
useradd <username>
This command does not give the user a home directory. To create the user and give the user a home directory.
useradd -m <username>
To give this user a password, we use the following command.
passwd <username>
Deleting a User
To delete a user, we use the following command.
userdel <username>
Creating a Group
To create a group, we use the following command.
groupadd <groupname>
Adding and Removing Users in a Group
To add a user to the group we will use the following command
usermod -G <groupname> <username>
To remove a user from a group we will use the following command
deluser <username> <groupname>
Assigning User Privileges.
To give a user privileges, we must open the “/etc/sudo” file. As this file is responsible for all user’s permissions it opens by default using a text editor called “vi”. Vi checks the file for errors before saving as a mistake in this file could lock all user’s out of the machine, but it has to be opened with special command, “visudo” to enable syntax validation upon saving.
To open the file, use the command below.
visudo
When you have this file open you will see the line “root ALL=(ALL:ALL) ALL” this line means user “root” permissions apply to “all” hosts on “all” users, on “all” groups and on “all” commands.
To give a user superuser permissions just add their name on a new line followed by “ALL=(ALL:ALL) ALL”.
For example if I was to make my colleague Maciej a super user on my server. I would add the line below
maciej ALL=(ALL:ALL) ALL
Very similar to above with groups we just add an % in front of the group name followed by the permissions. So the line “%admin ALL=(ALL) ALL” means the group admin has all permissions on “all” hosts on “all” users, on “all” groups and on “all” commands.
User Alias
We will now show how to use an alias to give users specific permissions on a server. Let’s pretend we have a user call “networkadmin”. First of all, we must add the user networkadmin to an alias. To do this, create an alias using the command “User_Alias” followed by the alias name and an equality symbol. Now add the user name webmaster after the equal sign. If you wish to add more users, then use the comma symbol between each user name. Below is an example of the alias.
User_Alias NET = networkadmin, tom
Host Alias
We must now create a command alias, which will define which hosts users will have permissions on. Again similar to the user alias we use the command “Host_Alias”. After declaring the Host_Alias we then follow this with the alias name and equality symbol. We then add the host name of the devices to the alias. An example of a Host_Alias is below.
Host_Alias SER = ns1, ns2
Command Alias
The next step is to create a command alias. To do this we use the command “Cmnd_Alias” followed by the command name and an equals sign. Now we add the commands we want the networkadmin to use. Which are using networking applications such as Wireshark and Nmap. An example of the command alias is below.
Cmnd_Alias DEBUG = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap
Let’s now use these aliases so that all members of the alias “NET” will have the permissions defined in the alias “DEBUG”. To do this, just simply enter the user alias name on a new line followed by the hosts alias or all if you want the user alias to have permissions on all hosts. Again like the alias line follow the hosts argument by the equals symbol and “ALL” again. Now after all add the command alias name. An example of the rule is below.
NET ALL =(ALL) NOPASSWD: DEBUG
In the above example I added the command “NOPASSWD:” which means the user does not have to enter their password every time they run a command defined in the command alias. If you would like the user to have to enter their password, then remove the “NOPASSWD:” command.
After you have added all the aliases and the rules, save the sudoers file and exit.
Testing Rules and Alias
To test all you will have to do is log in as one member for each alias and check are they able to use the commands they are supposed to and does the user get a permission error on commands they were not permitted to use.
Sudoers File
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:$
# Host alias specification
# User alias specification
User_Alias ADMINS = alan, maciej
User_Alias DEVEL = webmaster, john
User_Alias NET = networkadmin
User_Alias PRINT = printadmin
# Cmnd alias specification
Cmnd_Alias DEBUG = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap
Cmnd_Alias PRSYS = /usr/sbin/service cups *
Cmnd_Alias WEB = /usr/sbin/service apache2 *,/usr/sbin/apache2ctl, /usr/sbin$
# User privilege specification
root,ADMINS ALL=(ALL:ALL) ALL
DEVEL ALL =(ALL) NOPASSWD: WEB
NET ALL =(ALL) NOPASSWD: DEBUG
PRINT ALL =(ALL) NOPASSWD: PRSYS
# Members of the admin group may gain root privileges
%admin ALL = (ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL