Introduction: Why User Management Matters

Linux is a multi-user operating system. Multiple users can access the system simultaneously, each with unique permissions and workspace. The first line of defense in server security is proper user management and permission settings.

In this part, we cover everything from user account creation to group management, file permissions, special permissions, and sudo configuration—essential knowledge for any Linux administrator.

1. Understanding User Accounts

1.1 User Types

  • root user: UID 0, superuser with all system privileges
  • System users: UID 1-999, accounts for running services (nginx, mysql, etc.)
  • Regular users: UID 1000+, accounts for actual people

1.2 User Information Files

# /etc/passwd - Basic user information
username:x:1000:1000:Full Name:/home/username:/bin/bash
# Fields: username:password_placeholder:UID:GID:comment:home_directory:shell

# /etc/shadow - Encrypted passwords (root access only)
username:$6$salt$encrypted:19000:0:99999:7:::
# Fields: username:encrypted_password:last_change:min_days:max_days:warn_days:...

1.3 Checking User Information

# Current user
whoami
id

# Specific user info
id username
getent passwd username

# Currently logged in users
who
w

2. User Account Management

2.1 Creating Users

# Basic user creation
sudo useradd username

# Create with options
sudo useradd -m -d /home/devuser -s /bin/bash -c "Developer Account" devuser
# -m: Create home directory
# -d: Specify home directory path
# -s: Specify default shell
# -c: Comment/description

# Set password
sudo passwd devuser

2.2 Modifying Users

# Modify user information
sudo usermod -c "Updated Comment" username
sudo usermod -s /bin/zsh username        # Change shell
sudo usermod -d /new/home username       # Change home directory
sudo usermod -l newname oldname          # Change username
sudo usermod -aG groupname username      # Add to group (-a is essential!)

# Lock/unlock account
sudo usermod -L username    # Lock
sudo usermod -U username    # Unlock

2.3 Deleting Users

# Delete user only (keep home directory)
sudo userdel username

# Delete user and home directory
sudo userdel -r username

3. Group Management

3.1 Understanding Groups

Groups allow you to manage permissions for multiple users collectively. Each user has one primary group and can belong to multiple secondary groups.

# /etc/group - Group information
groupname:x:1000:user1,user2,user3
# Fields: groupname:password:GID:member_list

3.2 Group Management Commands

# Create group
sudo groupadd developers
sudo groupadd -g 2000 devops    # Specify GID

# Modify group
sudo groupmod -n newname oldname    # Rename
sudo groupmod -g 2001 groupname     # Change GID

# Delete group
sudo groupdel groupname

# Check group members
getent group developers
groups username

3.3 Group Usage Example

# Create development team group and add users
sudo groupadd developers
sudo usermod -aG developers alice
sudo usermod -aG developers bob

# Set up shared directory
sudo mkdir /srv/project
sudo chgrp developers /srv/project
sudo chmod 2775 /srv/project

4. File Permissions Deep Dive

4.1 Permission Structure Review

-rwxr-xr-- 1 owner group 1024 Jan 21 10:00 file.txt
│└─┬┘└─┬┘└─┬┘
│  │   │   └── Others: r-- (read only)
│  │   └────── Group: r-x (read, execute)
│  └────────── Owner: rwx (read, write, execute)
└───────────── File type: - (regular file)

4.2 chmod - Changing Permissions

# Numeric method (Octal)
chmod 755 script.sh    # rwxr-xr-x
chmod 644 file.txt     # rw-r--r--
chmod 700 private/     # rwx------
chmod 777 public/      # rwxrwxrwx (NOT recommended for security)

# Symbolic method
chmod u+x script.sh           # Add execute for owner
chmod g-w file.txt            # Remove write from group
chmod o=r file.txt            # Set others to read only
chmod a+r file.txt            # Add read for all
chmod u=rwx,g=rx,o=r file     # Combined setting

# Recursive application
chmod -R 755 directory/

4.3 chown - Changing Ownership

# Change owner
sudo chown newowner file.txt

# Change owner and group
sudo chown newowner:newgroup file.txt

# Change group only
sudo chown :newgroup file.txt
sudo chgrp newgroup file.txt

# Recursive application
sudo chown -R webuser:www-data /var/www/

5. Special Permissions

5.1 SUID (Set User ID)

When set on an executable, it runs with the file owner's privileges.

# Set SUID
chmod u+s program
chmod 4755 program

# Example: passwd command
ls -l /usr/bin/passwd
# -rwsr-xr-x 1 root root ... /usr/bin/passwd
# Regular users can change their own passwords

5.2 SGID (Set Group ID)

On files, runs with group privileges. On directories, new files inherit the directory's group.

# Set SGID
chmod g+s directory/
chmod 2775 directory/

# Useful for team shared folders
sudo mkdir /srv/shared
sudo chgrp developers /srv/shared
sudo chmod 2775 /srv/shared
# All files created here belong to the developers group

5.3 Sticky Bit

On directories, only file owners can delete their own files.

# Set Sticky Bit
chmod +t directory/
chmod 1777 directory/

# Example: /tmp directory
ls -ld /tmp
# drwxrwxrwt 12 root root ... /tmp
# Everyone can create files, but only delete their own

5.4 Special Permissions Numeric Notation

PermissionValueDisplayApplied To
SUID4s (in owner execute position)Executables
SGID2s (in group execute position)Files/Directories
Sticky1t (in others execute position)Directories

6. sudo Configuration and Management

6.1 What is sudo?

sudo (Superuser Do) allows regular users to execute commands with administrator privileges. It's safer than logging in as root directly, and all actions are logged.

6.2 Editing sudoers File

# Always use visudo (performs syntax checking)
sudo visudo

# /etc/sudoers basic structure
# username    host=(run_as_user)    command
root        ALL=(ALL:ALL)        ALL
%sudo       ALL=(ALL:ALL)        ALL

# Example: Grant sudo access to devuser
devuser     ALL=(ALL:ALL)        ALL

# Allow only specific commands
webadmin    ALL=(ALL)    /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx

# Allow without password
deploy      ALL=(ALL)    NOPASSWD: /usr/bin/git pull

6.3 Using sudo Groups

# Ubuntu/Debian: sudo group
sudo usermod -aG sudo username

# RHEL/CentOS: wheel group
sudo usermod -aG wheel username

# Verify group settings
getent group sudo
getent group wheel

6.4 Checking sudo Logs

# sudo usage logs
sudo cat /var/log/auth.log | grep sudo     # Debian/Ubuntu
sudo cat /var/log/secure | grep sudo       # RHEL/CentOS

7. Practical Scenarios

7.1 Setting Up a Web Development Team Environment

# 1. Create group
sudo groupadd webdev

# 2. Create users and add to group
sudo useradd -m -s /bin/bash -G webdev alice
sudo useradd -m -s /bin/bash -G webdev bob
sudo passwd alice
sudo passwd bob

# 3. Set up project directory
sudo mkdir -p /var/www/project
sudo chown root:webdev /var/www/project
sudo chmod 2775 /var/www/project

# 4. Grant specific sudo permissions
sudo visudo
# Add: %webdev ALL=(ALL) /usr/bin/systemctl restart nginx

7.2 Security Audit Checklist

# Find SUID files (security audit)
sudo find / -perm -4000 -type f 2>/dev/null

# Find files without owners
sudo find / -nouser -o -nogroup 2>/dev/null

# Find world-writable files
sudo find / -perm -0002 -type f 2>/dev/null

# Find accounts with empty passwords
sudo awk -F: '($2 == "") {print $1}' /etc/shadow

8. Common Mistakes and Solutions

  • usermod -G vs usermod -aG: -aG appends to existing groups, -G alone replaces all groups
  • chmod 777: Never use this. It's a security vulnerability
  • Editing /etc/sudoers directly: Always use visudo. Syntax errors can lock you out
  • Using root account directly: Use sudo for privilege escalation. It creates audit logs

Conclusion

User and permission management is the foundation of Linux server security. Proper user separation, applying the principle of least privilege, and managing privileges through sudo are essential for secure server operations.

In Part 3, we'll cover Package Management and Service Operations.