Managing Users and Permissions on Ubuntu Server: A Comprehensive Guide

Managing users, groups, and permissions is one of the foundational tasks for Ubuntu Server administrators. Whether you’re setting up a multi-user environment or securing your server, understanding how to create, modify, and manage user accounts, groups, and permissions is essential. This guide provides an in-depth look at user and permission management, complete with real-world examples, command outputs, and best practices.


Table of Contents

  1. Introduction
  2. Creating and Managing User Accounts
  3. Managing Groups
  4. Understanding File and Directory Permissions
  5. Using Sudo for Privilege Escalation
  6. Best Practices for Securing User Accounts
    • Enforce Strong Password Policies
    • Limit Sudo Access
    • Disable Root Login
    • Use SSH Keys for Authentication
    • Monitor User Activity
  7. Conclusion

Introduction

Ubuntu Server is a powerful platform for hosting applications, managing services, and enabling multi-user environments. By mastering user and permission management, you can secure your server, control access effectively, and prevent unauthorized actions. This guide will cover everything from basic user account creation to advanced permission settings, complete with detailed examples.


Creating and Managing User Accounts

Creating a User

To create a user account on Ubuntu Server, use the adduser command. It is Debian's interactive front end to the lower-level useradd: it creates the home directory from /etc/skel, creates a private group with the same name, and prompts for a password and GECOS details. For scripts, the non-interactive form is sudo adduser --disabled-password --gecos "" john, after which you set a password or install an SSH key for the account.

Example Command:

sudo adduser john

Example Output:

Adding user `john' ...
Adding new group `john' (1001) ...
Adding new user `john' (1001) with group `john' ...
Creating home directory `/home/john' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for john
Enter the new value, or press ENTER for the default
        Full Name []: John Doe
        Room Number []: 101
        Work Phone []: 555-1234
        Home Phone []: 555-5678
        Other []:
Is the information correct? [Y/n] Y

This creates a user named john with UID 1001, a private group john (GID 1001) as the primary group, and a home directory at /home/john. UIDs from 1000 upward are regular users; lower UIDs are reserved for system accounts.


Modifying a User

The usermod command allows you to modify user accounts. For example, you can change a user’s home directory, shell, or group memberships.

Change Home Directory:

sudo usermod -d /home/new_john -m john

The -m option moves the contents of the old home directory to the new location (without it, usermod only updates /etc/passwd and you would have to move the files yourself). Run it while the user is logged out: on Linux, usermod refuses to change the home directory of an account that still has running processes.

Lock or Unlock a User Account:

  • Lock the password: sudo passwd -l john
  • Unlock the password: sudo passwd -u john

Example Output (Locking Account):

passwd: password expiry information changed.

Note that passwd -l (and the equivalent usermod -L) only prefixes the password hash in /etc/shadow with !, so password logins fail but anything that does not use the password, in particular SSH public-key authentication, still works. To disable an account completely, also expire it with sudo chage -E 0 john (the PAM account check then rejects every login method, SSH keys included) and end any open sessions with sudo pkill -KILL -u john. Reverse this with sudo chage -E -1 john followed by sudo passwd -u john.
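The difference between a locked password and a disabled account is easy to miss in an audit, so here is an added example (not code from the original guide) that classifies accounts from /etc/shadow-format lines. The sample entries and hashes are constructed, and the function names are my own; field 8 of a shadow entry is the expiry day expressed as days since 1970-01-01.

```shell
#!/bin/sh
# Added example (not from the original guide): classify accounts from
# /etc/shadow-format lines so that a password lock (passwd -l / usermod -L,
# which only prefixes the hash with "!") is not mistaken for a disabled
# account. Field 8 is the expiry day (days since 1970-01-01); an expired
# account is rejected by the PAM account check for every login method.

# Constructed sample in /etc/shadow format. The hashes are placeholders.
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:*:19800:0:99999:7:::
john:$6$fakesalt$fakehash:19800:0:99999:7:::
alice:!$6$fakesalt$fakehash:19800:0:99999:7:::
bob:$6$fakesalt$fakehash:19800:0:99999:7::19801:
carol:!$6$fakesalt$fakehash:19800:0:99999:7::1:
deploy:*:19800:0:99999:7:::'

# account_status NAME TODAY: reads shadow lines on stdin; TODAY is today's day
# number (days since the epoch, the unit used by field 8). Prints one of
# expired | locked | nopassword | active | unknown.
account_status() {
    awk -F: -v name="$1" -v today="$2" '
        $1 == name {
            found = 1
            hash = $2; expire = $8
            if (expire != "" && expire + 0 <= today + 0) { print "expired"; exit }
            if (hash == "*")                            { print "nopassword"; exit }
            if (substr(hash, 1, 1) == "!")              { print "locked"; exit }
            print "active"; exit
        }
        END { if (!found) print "unknown" }'
}

# locked_but_not_expired TODAY: accounts whose password is locked but which
# are not expired, i.e. still reachable with an SSH key. One name per line.
locked_but_not_expired() {
    awk -F: -v today="$1" '
        {
            expired = ($8 != "" && $8 + 0 <= today + 0)
            if (!expired && substr($2, 1, 1) == "!") print $1
        }'
}

# disable_account NAME: the full offboarding sequence (needs root).
disable_account() {
    usermod -L "$1" || return 1   # lock the password hash
    chage -E 0 "$1" || return 1   # expire the account: PAM then blocks keys, too
    pkill -KILL -u "$1" || true   # drop open sessions; pkill returns 1 if there were none
}

# Demo on the constructed sample (today = day 19800): prints "alice"
printf '%s\n' "$SAMPLE_SHADOW" | locked_but_not_expired 19800
```

Against a live system, today's day number is $(( $(date +%s) / 86400 )), and the audit is run as root with /etc/shadow on stdin, for example sudo sh -c '. ./audit.sh; locked_but_not_expired '"$(( $(date +%s) / 86400 ))"' < /etc/shadow'. Any name it prints is an account that was "locked" with passwd -l but can still log in with a key.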

Deleting a User

To delete a user, use the deluser command. Add --remove-home to delete the home directory and mail spool as well (and --backup to archive them first). Files the user owned elsewhere on the system are left behind with an orphaned UID; find them afterwards with sudo find / -xdev -nouser and reassign or remove them, otherwise a future account that reuses the UID inherits them.

Example Command:

sudo deluser --remove-home john

Example Output:

Looking for files to backup/remove ...
Removing files ...
Removing user `john' ...
Warning: group `john' has no more members.
Done.


Managing Groups

Groups are a way to organize users and assign collective permissions. Each user can belong to multiple groups.

Creating and Managing Groups

To create a new group, use the addgroup command.

Example Command:

sudo addgroup developers

Example Output:

Adding group `developers' (GID 1002) ...
Done.

To delete a group:

sudo delgroup developers

Adding Users to Groups

To add a user to a group, use the usermod command with the -aG option. The -a (append) flag matters: -G on its own replaces the user's entire list of supplementary groups with the ones given, so sudo usermod -G developers john would silently drop john from every other group, including sudo.

Example Command:

sudo usermod -aG developers john

Verify Group Membership:

groups john

Example Output:

john : john developers

This shows that john belongs to the groups john (primary) and developers. New memberships apply to sessions started after the change; john's existing shells keep their old group list until he logs in again (or runs newgrp developers for a single shell).
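groups john answers "which groups is john in?"; the reverse question, "who is in developers?", is usually answered with getent group developers, which lists only supplementary members and misses accounts whose primary GID is that group. The script below is an added example, not part of the original guide, that joins /etc/group and /etc/passwd to list effective members. The sample files and account names are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): answer "who is in group X?"
# correctly. getent group X shows only supplementary members; accounts whose
# primary GID (field 4 of /etc/passwd) is X do not appear there, so this
# joins both files. Live use:  members_of developers /etc/passwd /etc/group

# Constructed sample data, not from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
john:x:1001:1001:John Doe:/home/john:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
svc-build:x:1003:1002:build service:/srv/build:/usr/sbin/nologin'
SAMPLE_GROUP='root:x:0:
sudo:x:27:john
developers:x:1002:john,alice
john:x:1001:'

# members_of GROUP PASSWD_FILE GROUP_FILE: prints every effective member,
# one per line, sorted and de-duplicated. Prints nothing for an unknown group.
members_of() {
    awk -F: -v grp="$1" '
        # first file (group): remember the GID and the explicit member list
        FNR == NR {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        # second file (passwd): add accounts whose primary group is that GID
        gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }' "$3" "$2" | sort -u
}

# members_of_sample GROUP: runs members_of against the constructed data
members_of_sample() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    printf '%s\n' "$SAMPLE_GROUP" > "$tmp/group"
    members_of "$1" "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

# Demo: developers lists two members but has three effective ones
# (alice and svc-build through their primary GID).
members_of_sample developers
```

Run it for the sudo group as well as for application groups: a service account whose primary group was set to sudo at creation time has full privileges without ever appearing in getent group sudo.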


Understanding File and Directory Permissions

Linux file permissions are crucial for controlling access to files and directories. Permissions are defined for three categories: Owner, Group, and Others.

Permission Types

Each category has three permission types:

  • Read (r): view a file's contents, or list the names of the entries in a directory.
  • Write (w): modify a file's contents, or create, rename and delete entries in a directory (together with x). Deleting a file is controlled by write permission on the directory, not on the file itself.
  • Execute (x): run a file as a program, or traverse a directory, that is, access the entries inside it by name. A directory with r but not x can be listed, but nothing inside it can be opened.

Example:

Use ls -l to view file permissions:

ls -l /home/john

Example Output:

-rw-r--r-- 1 john john 4096 Mar 21 14:00 file.txt
  • rw-: The owner (john) has read and write permissions.
  • r--: The group (john) has read-only permissions.
  • r--: Others have read-only permissions.

Changing Permissions

Use the chmod command to modify permissions.

Example Commands:

  • Grant execute permission to the owner: chmod u+x file.txt
  • Remove write permission for others: chmod o-w file.txt

Using Numeric Values:

Permissions can also be set using numeric values:

chmod 755 file.txt: Full permissions for the owner, read/execute for group and others.


Understanding Numeric Permissions (755, 777, 744)

Linux permissions can be represented numerically, where each digit corresponds to a specific permission level:

Structure of Numeric Permissions:

Each numeric permission consists of three digits:

  • First digit: Permissions for the owner.
  • Second digit: Permissions for the group.
  • Third digit: Permissions for others.

Each digit is calculated based on the following values:

  • 4: Read (r)
  • 2: Write (w)
  • 1: Execute (x)

The sum of these values determines the permission level for each category.

Common Numeric Permissions:

  1. 777: Full permissions for everyone (read, write, execute).
    • Owner: rwx
    • Group: rwx
    • Others: rwx
    • Use Case: Avoid it. Any user can replace or delete the content, which is how a world-writable script, cron job or configuration file turns into a privilege-escalation path. Shared scratch directories such as /tmp are 1777, not 777: the leading 1 is the sticky bit, which lets users delete only the entries they own.
  2. 755: Full permissions for the owner, read and execute permissions for group and others.
    • Owner: rwx
    • Group: r-x
    • Others: r-x
    • Use Case: Common for executable files and for directories whose contents everyone may read.
  3. 744: Full permissions for the owner, read-only for group and others.
    • Owner: rwx
    • Group: r--
    • Others: r--
    • Use Case: Every account on the system can read the file, so this is not a private setting. For private files use 600, and 700 for private directories (including ~/.ssh).

An optional leading fourth digit sets the special bits: 4 for setuid, 2 for setgid and 1 for the sticky bit, so 4755 is the mode of a setuid executable and 1777 is a sticky world-writable directory. Audit setuid and setgid files with sudo find / -xdev -type f -perm /6000.

Example:

To set permissions to 755 for a script:

chmod 755 script.sh

chmod prints nothing on success; ls -l script.sh then shows:

-rwxr-xr-x 1 john john 4096 Mar 21 14:00 script.sh
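The conversion between the numeric and the symbolic form shown by ls -l can be mechanised. The following shell script is an added example, not code from the original guide: it turns a three- or four-digit octal mode into the ls -l string (including the setuid, setgid and sticky bits), does the reverse, and flags modes that grant write access to others. Function names and the sample modes are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): octal <-> symbolic modes,
# including the optional leading digit (4 setuid, 2 setgid, 1 sticky).

# triad DIGIT SPECIAL LETTER: render one rwx group. A non-zero SPECIAL means
# the matching setuid/setgid/sticky bit is set; it is shown as LETTER (s or t)
# in the x position, or as S/T when the execute bit itself is clear.
triad() {
    d=$1; sp=$2; letter=$3
    r=-; w=-; x=-
    if [ $(( d & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( d & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( d & 1 )) -ne 0 ]; then x=x; fi
    if [ "$sp" -ne 0 ]; then
        if [ "$x" = x ]; then x=$letter; else x=$(printf '%s' "$letter" | tr st ST); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_symbolic MODE: 755 -> rwxr-xr-x, 1777 -> rwxrwxrwt, 4755 -> rwsr-xr-x
octal_to_symbolic() {
    m=$1
    case $m in
        [0-7][0-7][0-7])      s=0 ;;
        [0-7][0-7][0-7][0-7]) s=${m%???}; m=${m#?} ;;
        *) printf 'invalid mode: %s\n' "$m" >&2; return 1 ;;
    esac
    u=${m%??}; rest=${m#?}; g=${rest%?}; o=${rest#?}
    printf '%s%s%s\n' "$(triad "$u" $(( s & 4 )) s)" \
                      "$(triad "$g" $(( s & 2 )) s)" \
                      "$(triad "$o" $(( s & 1 )) t)"
}

# symbolic_to_octal SYM: accepts the 9-character form or the 10-character
# ls -l field (leading file type). Prints four digits: rwsr-xr-x -> 4755.
symbolic_to_octal() {
    sym=$1
    case ${#sym} in
        10) sym=${sym#?} ;;
        9)  ;;
        *)  printf 'invalid symbolic mode: %s\n' "$sym" >&2; return 1 ;;
    esac
    printf '%s\n' "$sym" | awk '{
        special = 0; digits = ""
        for (t = 0; t < 3; t++) {
            r = substr($0, t*3 + 1, 1); w = substr($0, t*3 + 2, 1); x = substr($0, t*3 + 3, 1)
            d = (r == "r" ? 4 : 0) + (w == "w" ? 2 : 0)
            if (x == "x" || x == "s" || x == "t") d += 1
            if (x == "s" || x == "S") special += (t == 0 ? 4 : 2)   # owner -> setuid, group -> setgid
            if (x == "t" || x == "T") special += 1                  # others -> sticky
            digits = digits d
        }
        print special digits
    }'
}

# is_world_writable MODE: true when the "others" write bit is set (777, 1777, 666, ...)
is_world_writable() {
    o=$(printf '%s' "$1" | tail -c 1)
    [ $(( o & 2 )) -ne 0 ]
}

# find_world_writable DIR: world-writable entries under DIR that lack the
# sticky bit, the combination that lets any user replace other users' files.
# Symlinks are skipped because their own mode is always 777.
find_world_writable() {
    find "$1" -xdev -perm -0002 ! -perm -1000 ! -type l 2>/dev/null
}

# Demo:
for mode in 755 744 600 1777 4755 2644; do
    printf '%s -> %s\n' "$mode" "$(octal_to_symbolic "$mode")"
done
symbolic_to_octal drwxrwxrwt
```

stat -c %a FILE (GNU stat, as shipped on Ubuntu) prints the four-digit form when a special bit is set, so it can be fed straight into is_world_writable; find_world_writable / is the quick check to run after any chmod 777 has been suggested as a "fix" for a permission problem.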

Ownership Management

Change ownership using the chown command.

Example Command:

sudo chown john:developers file.txt

This sets the owner to john and the group to developers.

ls -l file.txt then shows:

-rw-r--r-- 1 john developers 4096 Mar 21 14:00 file.txt

Using Sudo for Privilege Escalation

The sudo command allows users to execute commands with elevated privileges. On Ubuntu, members of the sudo group may run any command as any user (the (ALL : ALL) ALL rule in /etc/sudoers), so adding a user to that group is equivalent to handing them root. To grant that, add them to the sudo group; for anything narrower, write a rule in /etc/sudoers.d instead.

Example Command:

sudo usermod -aG sudo john

Verify Sudo Access:

sudo -l -U john

Example Output:

User john may run the following commands on this host:
    (ALL : ALL) ALL
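When a user only needs one or two privileged commands, a rule naming those commands is safer than sudo-group membership. The script below is an added example, not code from the original guide or from the sudo project: it renders such a rule and installs it as a drop-in only after visudo has accepted it. The user name, commands and drop-in file name are illustrative.

```shell
#!/bin/sh
# Added example (not from the original guide): give a user a short list of
# commands instead of "(ALL : ALL) ALL". The rule is written as a drop-in
# under /etc/sudoers.d and installed only after visudo has accepted it.

# render_sudoers_rule USER CMD...: one sudoers line letting USER run exactly
# the listed commands as root. Each CMD must be an absolute path, optionally
# followed by arguments; sudoers treats "/usr/bin/systemctl restart nginx"
# as that exact invocation only.
render_sudoers_rule() {
    user=$1; shift
    if [ $# -eq 0 ]; then printf 'no commands given for %s\n' "$user" >&2; return 1; fi
    cmds=""
    for c in "$@"; do
        case $c in
            /*) ;;
            *) printf 'command must be an absolute path: %s\n' "$c" >&2; return 1 ;;
        esac
        if [ -z "$cmds" ]; then cmds=$c; else cmds="$cmds, $c"; fi
    done
    printf '%s ALL=(root) %s\n' "$user" "$cmds"
}

# install_sudoers_rule NAME USER CMD...: writes the rule to /etc/sudoers.d/NAME
# with mode 0440, but only if "visudo -cf" accepts it. A file with a syntax
# error in sudoers.d makes sudo refuse to run for everyone. Needs root.
install_sudoers_rule() {
    name=$1; shift
    tmp=$(mktemp) || return 1
    if ! render_sudoers_rule "$@" > "$tmp"; then rm -f "$tmp"; return 1; fi
    if visudo -cf "$tmp"; then
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"; rc=$?
    else
        printf 'refusing to install %s: visudo rejected it\n' "$name" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Demo (prints the rule only; installing it needs root):
#   sudo sh -c '. ./sudoers.sh; install_sudoers_rule 90-john john "/usr/bin/systemctl restart nginx" /usr/bin/journalctl'
render_sudoers_rule john "/usr/bin/systemctl restart nginx" /usr/bin/journalctl
```

After installing, sudo -l -U john lists just those two commands instead of (ALL : ALL) ALL. Keep the command list to executables that cannot spawn a shell or write arbitrary files; an editor, an interpreter, or a tool with a --exec style option granted this way is still a full root escalation.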

Best Practices for Securing User Accounts

  • Enforce Strong Password Policies:
    Set a maximum password age with chage, e.g. sudo chage -M 90 john (check with sudo chage -l john), and require complexity with the libpam-pwquality module, configured in /etc/security/pwquality.conf. sudo passwd -e john does not set a policy: it expires the current password so john must choose a new one at the next login.
  • Limit Sudo Access:
    Only grant sudo privileges to trusted users, and prefer a drop-in under /etc/sudoers.d that names the exact commands a user needs over membership in the sudo group. Edit such files with sudo visudo -f /etc/sudoers.d/name so that a syntax error cannot break sudo for everyone.
  • Disable Root Login:
    Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config 

Set:

PermitRootLogin no

    Then validate and apply with sudo sshd -t && sudo systemctl restart ssh. Ubuntu 22.04 and later also read drop-ins from /etc/ssh/sshd_config.d/, and the first value sshd encounters wins, so confirm the effective setting with sudo sshd -T | grep -i permitrootlogin.
  • Use SSH Keys for Authentication:
    Replace password-based login with SSH keys: install the public key in ~/.ssh/authorized_keys, confirm that key login works from a second session, then set PasswordAuthentication no in sshd_config and restart ssh. Keep the first session open until the second login succeeds.
  • Monitor User Activity:
    Use last or who to track login activity. last reads /var/log/wtmp, which logrotate rotates, so pass -f /var/log/wtmp.1 for older entries; sudo lastb lists failed logins from /var/log/btmp. Both files live on the host and can be edited by anyone who gains root, so ship /var/log/auth.log (or the journal) to a remote collector as well:
last

Output Explanation

uadmin   pts/1   192.168.255.48   Fri Mar 21 13:55   still logged in
uadmin   pts/0   192.168.255.48   Fri Mar 21 13:54   still logged in
uadmin   pts/1   192.168.255.48   Fri Mar 21 01:49 - 08:19  (06:29)
uadmin   pts/0   192.168.255.48   Fri Mar 21 00:53 - 08:19  (07:26)
reboot   system boot   6.8.0-1021-azure   Fri Mar 21 00:22   still running

Line-by-Line Analysis

User Login: uadmin pts/1 192.168.255.48 Fri Mar 21 13:55 still logged in

  • uadmin: The username of the user who logged in.
  • pts/1: The pseudo-terminal session used for the login. Pseudo-terminals (pts) are virtual terminals, typically created when users log in via SSH.
  • 192.168.255.48: The IP address of the remote machine from which the user connected.
  • Fri Mar 21 13:55: The date and time the user logged in.
  • still logged in: Indicates the user is currently logged in and active.
Column             Meaning
Username           Name of the user, or the event name (uadmin, reboot).
Terminal           Pseudo-terminal session (pts/X) or system event (system boot).
Remote Host/IP     IP address or hostname of the remote machine that initiated the connection.
Login Date/Time    Date and time when the login or event started.
Logout Time        Date and time when the session ended (if applicable).
Duration           Total time the session lasted (if applicable).
Session Status     Current status of the session (still logged in, still running).

Additional Commands for Insights

  • Show Currently Logged-In Users: who
    Example Output:
uadmin pts/1 2023-03-21 13:55 (192.168.255.48) 
uadmin pts/0 2023-03-21 13:54 (192.168.255.48)
  • Check System Uptime: uptime
    Example Output:
14:15:32 up 13:53, 2 users, load average: 0.10, 0.12, 0.15
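Reading last by eye does not scale; the usual question is "did anyone log in from somewhere they should not have?". The script below is an added example, not part of the original guide: it scans last output and reports every remote login whose source host is outside an allowlist of address prefixes. The sample lines are constructed (the first four mirror the output above, the john line is an added login from a documentation-range address), and the function name is my own.

```shell
#!/bin/sh
# Added example (not from the original guide): scan "last" output for logins
# whose source host is outside an allowlist. Hosts are matched as string
# prefixes ("192.168.255." or "10."), not as CIDR ranges.

# Constructed sample in the layout of plain "last" output. The first four
# session lines mirror the guide's output; the john line is an added login
# from a documentation-range address.
SAMPLE_LAST='uadmin   pts/1        192.168.255.48   Fri Mar 21 13:55   still logged in
uadmin   pts/0        192.168.255.48   Fri Mar 21 13:54   still logged in
uadmin   pts/1        192.168.255.48   Fri Mar 21 01:49 - 08:19  (06:29)
uadmin   pts/0        192.168.255.48   Fri Mar 21 00:53 - 08:19  (07:26)
john     pts/2        203.0.113.77     Thu Mar 20 23:10 - 23:12  (00:02)
reboot   system boot  6.8.0-1021-azure Fri Mar 21 00:22   still running

wtmp begins Sat Mar  1 00:00:00 2025'

# unexpected_logins PREFIX[,PREFIX...]: reads "last" output on stdin and prints
# "user tty host" for each remote login whose host matches none of the prefixes.
# Boot/shutdown records, console logins (ttyN, which carry no host field) and
# the trailing "wtmp begins" line are skipped.
unexpected_logins() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, pfx, ",") }
        NF == 0 || $1 == "reboot" || $1 == "shutdown" || $1 == "wtmp" { next }
        $2 ~ /^tty[0-9]/ { next }
        {
            ok = 0
            for (i = 1; i <= n; i++) if (pfx[i] != "" && index($3, pfx[i]) == 1) ok = 1
            if (!ok) print $1, $2, $3
        }'
}

# Demo on the sample. Live use:  last -i | unexpected_logins 192.168.255.,10.
printf '%s\n' "$SAMPLE_LAST" | unexpected_logins 192.168.255.
```

Use last -i on a live system so the host column is always a numeric address rather than a resolved hostname, and last -F when you need the full timestamps; the same function can be pointed at a rotated file with last -i -f /var/log/wtmp.1.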

Conclusion

Managing users, groups, and permissions is a fundamental skill for Ubuntu Server administrators. By mastering these tasks, you can secure your server, prevent unauthorized access, and improve operational efficiency.


Next Tutorial: Networking Basics for Ubuntu Server

In the next tutorial, we’ll cover networking basics for Ubuntu Server, including configuring network interfaces, setting up static IPs, troubleshooting network connectivity, and using Ubuntu’s netplan for networking tasks. Stay tuned for actionable insights to optimize your server’s network configuration.
