Linux Hands-On Lab -> Basics of Managing Users in Linux

Linux Learning Path for Cloud and DevOps Engineers

📝Introduction

This post demonstrates how to manage users and groups, and how to work with privilege elevation to keep servers more secure.

📝Log in to the AWS Management Console

Log in with your credentials and make sure you're using the right Region. In my case, I am using AWS as my cloud provider and chose us-east-1. However, you are free to choose any cloud provider and create your Linux Server VM there (I am using a CentOS 7 distro for this hands-on lab).

Note: You must create the AWS Access Key and AWS Secret Access Key and configure the AWS CLI in the terminal to use it.

You can use link1 and link2 for it.

📝Manage users and groups

1- Log in to the Linux Server VM using the credentials created

ssh <user>@<PUBLIC_IP>
#Become root
sudo -i  
#Enter the user password at the prompt

2- Adding new users:

useradd user1
useradd user2
useradd user3
#To make sure it worked:
getent passwd | grep user

3- Create a new Group, called test:

groupadd test
#To make sure it worked:
getent group | grep test

4- Set wheel Group as the user1 Account's Primary Group

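The usermod command changes which groups a user belongs to, and its -g option sets the primary group. Note that wheel is the group granted full sudo access in step 8, so this change makes user1 an administrator. Change user1: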

usermod -g wheel user1
#To check that its primary group is now wheel
id user1

5- Add test as a Supplementary Group on All 3 Users previously created:

Run the usermod command for each user (-a appends, so the existing supplementary groups are kept):

usermod -aG test user1
usermod -aG test user2
usermod -aG test user3
#Check with any of the users to make sure it worked:
id <USERNAME>
#We should see they're now in test, as well as their own groups.

6- Lock an account, in this case the user2 account:

usermod -L user2
#To make sure it worked, there are 2 ways to check it:
passwd -S <username>
#The output of the passwd command provides information about the account status.
#If the account is locked, you will see an “L” or “LK” in the second field of the output.
#If the account is unlocked, you will see “P” or “PS” in the second field.
sudo grep "^user2:" /etc/shadow
#This checks the /etc/shadow file directly.
#The password field (2nd field) is where you can see if an account is locked.
#If the password field starts with `!` or `*`, the account is locked.

7- Create new users that will be granted varying degrees of sudo access

#Create 2 new users (the following steps use test1 as <username1> and test2 as <username2>)
sudo useradd <username1>
#Create the 2nd user and add it to the wheel supplementary group
sudo useradd -G wheel -m <username2>
#Set a password for both accounts
sudo passwd <username1>
sudo passwd <username2>

8- Verify the /etc/sudoers File and Test Access

#Verify that the /etc/sudoers file allows the wheel group to run all commands with sudo
sudo visudo
#The following line of the file must not be commented out (#)
%wheel  ALL=(ALL)       ALL
#Switch to the test2 account, and use the dash (-) to get a login shell
sudo su - test2
#Attempt to read the /etc/shadow file at the console; it should fail.
cat /etc/shadow
#Rerun the command with sudo; it will work.
sudo cat /etc/shadow
#After you have verified that test2 can read the /etc/shadow file,
#log out of that account

9- Set up a web administrator account

#Create a new sudoers file in the /etc/sudoers.d directory.
#It will contain a standalone entry for the web administrator.
sudo visudo -f /etc/sudoers.d/web_admin
#Enter the following at the top of the file
Cmnd_Alias  WEB = /bin/systemctl restart httpd.service, /bin/systemctl reload httpd.service
#Add another line in the file so that test1 can use sudo
#with any of the commands listed in the WEB alias
test1 ALL=WEB
#Save and close the file with :wq!
#Log in to the test1 account
sudo su - test1
#Attempt to restart the web service
sudo systemctl restart httpd.service
#Try to read the new web_admin sudoers file
sudo cat /etc/sudoers.d/web_admin
#The cat command is not listed in the WEB command alias,
#so the test1 user cannot use sudo to read this file
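
An audit to go with steps 4 to 8, as an added example that is not part of the original post: because step 4 made wheel the primary group of user1, that account is covered by the %wheel rule but does not appear in the wheel member list in /etc/group, so the check reads the passwd file as well and reports each member's password state. The names wheel_audit and make_sample and the sample files are constructed for illustration; on a real host, run the function as root against /etc/passwd, /etc/group and /etc/shadow.

```bash
# Added example (not from the original post).
# wheel_audit GROUP PASSWD_FILE GROUP_FILE SHADOW_FILE
# Prints one line per account in GROUP, sorted by name:
#   user<TAB>primary|supplementary<TAB>locked|empty|set
wheel_audit() {
    awk -F: -v g="$1" '
        # group file: name:x:gid:member1,member2 (supplementary members only)
        src == "group" && $1 == g {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") how[m[i]] = "supplementary"
        }
        # passwd file: name:x:uid:gid:... A primary GID match is never listed
        # in the group file, so it has to be read from here.
        src == "passwd" && gid != "" && $4 == gid { how[$1] = "primary" }
        # shadow file: name:password:... A leading "!" or "*" means locked.
        src == "shadow" {
            pw[$1] = ($2 ~ /^[!*]/) ? "locked" : ($2 == "" ? "empty" : "set")
        }
        END {
            for (u in how)
                printf "%s\t%s\t%s\n", u, how[u], ((u in pw) ? pw[u] : "unknown")
        }
    ' src=group "$3" src=passwd "$2" src=shadow "$4" | sort
}

# Constructed sample files mirroring the lab accounts (not real data).
make_sample() {
    printf '%s\n' 'wheel:x:10:test2' 'test:x:1006:user1,user2,user3' > "$1/group"
    printf '%s\n' 'user1:x:1001:10::/home/user1:/bin/bash' \
        'user2:x:1002:1002::/home/user2:/bin/bash' \
        'user3:x:1003:1003::/home/user3:/bin/bash' \
        'test1:x:1004:1004::/home/test1:/bin/bash' \
        'test2:x:1005:1005::/home/test2:/bin/bash' > "$1/passwd"
    printf '%s\n' 'user1:!!:19700:0:99999:7:::' 'user2:!!:19700:0:99999:7:::' \
        'user3:!!:19700:0:99999:7:::' \
        'test1:$6$constructed$hash:19700:0:99999:7:::' \
        'test2:$6$constructed$hash:19700:0:99999:7:::' > "$1/shadow"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
wheel_audit wheel "$demo_dir/passwd" "$demo_dir/group" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On the sample data the report lists test2 as a supplementary member with a password set and user1 as a primary member with a locked password; a check that only reads the group file would miss user1.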

Congratulations, you have completed this hands-on lab covering the basics of managing users and groups and of working with privilege elevation to keep servers more secure.

Thank you for reading. I hope you were able to understand and learn something helpful from my blog.

Please follow me on CloudDevOpsToLearn and LinkedIn franciscojblsouza