Creating a new user in ubuntu. Ubuntu Server - administrative user rights. User and group management via GUI
In this tutorial, we'll look at how to delete a Linux user along with their data and home directory.
If you are a system administrator in a large company, then most likely, deleting linux users is a fairly common task for you. Once an account is no longer needed or a user leaves the organization, the account must be deleted to avoid leaving security holes.
When deleting Linux users, it is also important to delete their home directory to free up storage space for the new users and their files. First, we will look at how to delete a Linux user using the terminal, then we will talk about how this is done in the graphical interface of one of the most popular distributions - Ubuntu.
Before moving on to the real world, let's do some practice: create two users, losst and losst1, along with their home directories, and then delete them:
adduser losst
passwd losst
adduser losst1
passwd losst1
Here the adduser command is used to create a user account and passwd to create a password.
Let's take a look at how to delete a Linux user in the terminal. On Debian and derived systems this is done with the deluser command, on Red Hat with userdel. Let's take a closer look at these two utilities.
Description of deluser
The syntax of the deluser command is very simple:
deluser [options] user
The deluser command settings are located in /etc/deluser.conf; among other things, it specifies what to do with the user's home folder and files.
You can view and change these settings by running the command:
vi /etc/deluser.conf
Let's take a closer look at these settings:
- REMOVE_HOME - delete the user's home directory
- REMOVE_ALL_FILES - delete all files owned by the user
- BACKUP - back up the user's files before deleting them
- BACKUP_TO - folder where the backup is stored
- ONLY_IF_EMPTY - delete the user's group only if it is empty
These settings determine the default behavior of the utility when a user is deleted; they can of course be overridden with command-line options.
The following options are supported; they mirror the settings but offer a few more choices:
- --system - delete only if this is a system user
- --backup - back up the user's files
- --backup-to - folder where the backup is stored
- --remove-home - delete the home folder
- --remove-all-files - delete all files owned by the user anywhere in the file system
Description of userdel
The userdel utility works a little differently: there is no settings file, but there are options that tell the utility what to do. The syntax is similar:
userdel [options] user
- -f, --force - forced deletion even if the user is still logged in
- -r, --remove - delete the user's home directory and his files in the system
- -Z - delete all SELinux objects for this user
To remove a user from a server, it is better to use the extended procedure described below. On a server, users run various programs and services. A user can only be removed properly when he is not logged in and all programs running on his behalf are stopped, because running programs can hold open files owned by the user, which prevents those files from being deleted. Otherwise the user's files are not removed completely and remain cluttering the system.
User account lockout
You can use the passwd utility to lock a user account. This denies the user password logins to the system, so no new sessions can be started on his behalf.
Run the passwd command with the --lock option:
passwd --lock losst
passwd: Password expiration information changed.
Kill all running user processes
Now let's find all the processes running as this user and kill them.
Find the processes with pgrep:
pgrep -u losst
You can see in more detail what these processes are by passing the pid of each of them to the ps command, like this:
ps -f --pid $(pgrep -u losst)
UID PID PPID C STIME TTY STAT TIME CMD
losst 14684 14676 0 22:15 pts/2 S 0:00 -bash
losst 14735 14684 0 22:15 pts/2 S+ 0:00 vi text
Now that you've made sure there's nothing important among them, you can kill all of the user's processes with the killall command:
killall -9 -u losst
The -9 option tells the program to send a SIGKILL to these processes, and -u specifies the username.
On Red Hat based systems, to use killall you will need to install the psmisc package:
sudo yum install psmisc
Backing up user data
This is not strictly necessary, but on a serious project it is worth backing up the user's files, especially if something important may be among them. You can use the tar utility, for example:
tar jcvf /user-backups/losst-backup.tar.bz2 /home/losst
Deleting a user account
Now that everything is ready, let's delete the Linux user. Just in case, we explicitly indicate that the user's files and home directory must be deleted as well. For Debian:
deluser --remove-home losst
For Red Hat:
userdel --remove losst
If you need to remove all files owned by the user anywhere on the system, use the --remove-all-files option. Be careful with it, as important files can be deleted:
deluser --remove-all-files losst
The user is now completely removed, along with their files and home directory, from your system.
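The offboarding sequence described above (lock, stop processes, back up, delete) as one function with guards, written as an added example rather than code from the article. It assumes /user-backups as the backup location (as in the article), that UID 1000 and above marks a regular user, and that deluser is present on Debian/Ubuntu and userdel elsewhere; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/bash
# Added example, not code from the article: the offboarding sequence described
# above (lock, stop processes, back up, delete) as one function with guards.
# Assumptions: /user-backups as the backup location (as in the article),
# UID >= 1000 marks a regular user, deluser on Debian/Ubuntu, userdel elsewhere.
set -u

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

offboard_user() {
    local user="$1" backup_dir="${2:-/user-backups}"
    local entry uid home pids

    # The account must exist, and system accounts (root above all) are refused.
    entry=$(getent passwd "$user") || { echo "no such user: $user" >&2; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    if [ "$uid" -lt 1000 ]; then
        echo "refusing to remove system account $user (uid $uid)" >&2
        return 2
    fi

    # 1. Lock the password so the user cannot open new sessions.
    run passwd --lock "$user"

    # 2. Show what is still running as the user, then stop it.
    pids=$(pgrep -d, -u "$user" || true)
    if [ -n "$pids" ]; then
        run ps -f --pid "$pids"
        run killall -9 -u "$user"
    fi

    # 3. Back up the home directory before anything is removed.
    run mkdir -p "$backup_dir"
    run tar jcf "$backup_dir/$user-backup.tar.bz2" "$home"

    # 4. Remove the account together with its home directory.
    if command -v deluser >/dev/null 2>&1; then
        run deluser --remove-home "$user"
    else
        run userdel --remove "$user"
    fi
}
```

Run it as DRY_RUN=1 offboard_user losst first to review the planned commands; the guards return 1 for an unknown account and 2 for a system account.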
Deleting a User in Ubuntu
Open System Settings:
Open item Accounts:
As you can see, all actions are unavailable and greyed out. Click the Unlock button and enter your password to activate them.
Now, to delete a user in Linux, just click on it with the mouse and then click the minus sign.
In the window that opens, you can choose what to do with the user's files:
Naturally, only the home folder is deleted; we are not talking about all of the user's files. For correct removal, the user must not be logged in.
Conclusions
Deleting a user in linux is not that difficult, no matter where it needs to be done, on the server or home computer. Of course, the graphical interface is more convenient, but the terminal, as always, offers more options. If you have any other ideas about this, write in the comments!
Option -c - add a comment to the user
Option -g sudo - add the user to the sudo group
Option -s - set the user's shell to /bin/bash
Option -d - specify the user's home folder
Option -m - create the home folder immediately:
sudo useradd -c "Comment for user" -g sudo -d /home/NameUser -m -s /bin/bash NameUser
Set a password for the NameUser user:
sudo passwd NameUser
Adding a user with the adduser command
sudo adduser NameUser
Enter the password, answer all the questions asked, and you get a user with a password and a home directory.
Change user password
sudo passwd NameUser
Add user to sudo group
usermod -a -G sudo NameUser
Add a user or user group to sudoers directly:
Edit the /etc/sudoers file with the visudo editor:
sudo visudo
Give root rights to the user username:
username ALL=(ALL:ALL) ALL
Give root rights to the user group group_name by adding the following line to the sudoers file (the % prefix marks a group name):
%group_name ALL=(ALL:ALL) ALL
User and his groups
List the groups available on the host:
cat /etc/group
Check whether the group examplegroup exists on the host, where examplegroup is the group you are interested in:
grep examplegroup /etc/group
Check which groups the user is in (as well as his uid and gid):
id NameUser
Add the existing user NameUser to the existing group examplegroup (as a supplementary group, keeping the primary group):
usermod -a -G examplegroup NameUser
Removing an Ubuntu User
Use this command; the user's home folder will not be deleted:
sudo userdel NameUser
Delete the folder if necessary:
sudo rm -r /home/NameUser/
Check that the user is gone; if there is no output, the user has been deleted:
sudo grep NameUser /etc/passwd --color
Get a list of all local users:
sudo cat /etc/passwd
sudo cat /etc/shadow
For a more detailed display of information about users, install the finger package:
sudo apt-get install finger
To view information about the NameUser user, run the command:
finger NameUser
To output information about all users to the file infoaboutalluser.txt, create a script finger.sh:
#!/bin/bash
# Print a separator and the finger record for every account in /etc/passwd.
for i in $(cut -d: -f1 /etc/passwd); do
    echo "============================================================="
    finger "$i"
done
Execute the script finger.sh and save its output to the file infoaboutalluser.txt:
./finger.sh > infoaboutalluser.txt
List all privileged users (UID 0 and GID 0):
egrep ":0:0:" /etc/passwd
or the non-privileged ones:
egrep -v ":0:0:" /etc/passwd
List all users whose names start with one of the letters a, b, c or d:
grep "^[abcd]" /etc/passwd
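The /etc/passwd and /etc/group checks above, written as an added example (not from the article) as reusable functions that run over a copy of the files, so they can be tested on constructed data. It goes a little beyond the page by also listing regular accounts with a real login shell and the members of the sudo, admin and wheel groups; the sample files and the extra UID 0 account "toor" in them are constructed.

```shell
#!/bin/bash
# Added example, not from the article: /etc/passwd and /etc/group checks as
# functions over a copy of the files. Field layout of /etc/passwd:
#   name:password:UID:GID:GECOS:home:shell
set -u

# Every account with UID 0, i.e. full root privileges under any name.
uid0_accounts() {            # $1 = passwd file
    awk -F: '$3 == 0 { print $1 }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Regular (non-system) accounts: UID >= 1000 with a real login shell.
human_users() {              # $1 = passwd file
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1" \
        | tr '\n' ' ' | sed 's/ $//'
}

# Accounts whose name starts with one of the given letters, e.g. "abcd".
users_starting_with() {      # $1 = letters, $2 = passwd file
    grep "^[$1]" "$2" | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

# Members of the administrative groups (sudo on Ubuntu, admin on older
# releases, wheel on Red Hat), taken from the group file's fourth field.
admin_group_members() {      # $1 = group file
    awk -F: '$1 == "sudo" || $1 == "admin" || $1 == "wheel" {
                 n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
             }' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample files (not real system data); "toor" is a second UID 0
# account of the kind the UID 0 check is meant to surface.
PASSWD_SAMPLE=$(mktemp)
GROUP_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
andrey:x:1000:1000:Andrey:/home/andrey:/bin/bash
petrov:x:1001:1001:Petrov:/home/petrov:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
deploy:x:1002:1002:deploy:/srv/deploy:/usr/sbin/nologin
EOF
cat > "$GROUP_SAMPLE" <<'EOF'
root:x:0:
sudo:x:27:andrey,petrov
admin:x:115:andrey
wheel:x:10:
EOF

echo "UID 0 accounts: $(uid0_accounts "$PASSWD_SAMPLE")"
echo "regular users:  $(human_users "$PASSWD_SAMPLE")"
echo "admin members:  $(admin_group_members "$GROUP_SAMPLE")"
```

Point the functions at /etc/passwd and /etc/group to run the same checks on a live host.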
As readers' responses show, the separation of administrative rights in Ubuntu is still obscure to most novice administrators, so we decided to bring some clarity to this issue with this material. If you don't know how su differs from sudo, where root is hidden, and so on, it's time to start studying our article.
Let's start with a small digression. The Linux administrative rights system is rooted in the Unix OS and therefore has a lot in common with other Unix-like systems: BSD, Solaris, macOS. At the same time, different distributions have their own implementation details, so we will give specific examples for the Ubuntu family, but knowledge of the general rules will let you easily find your way in any other Unix-like operating system.
In Linux, one user has full administrative rights: root, whose rights cannot be limited. Everyday work on behalf of this user is therefore highly undesirable: a careless action can damage the system, and compromising this account gives an attacker unlimited access to the system.
Therefore, Linux uses a different scheme: all users, including administrators, work under a limited account and use one of the elevation mechanisms to perform administrative actions. You can elevate rights with the sudo utility, or log in as the superuser (root) without ending the current session with the su command. Many people confuse these two mechanisms, so we will analyze them in more detail.
The su command allows you to log in as another user (not necessarily root) without ending the current session. So the command:
su petrov
will log you in as the user petrov; the user's environment (home folder) is also changed to that of this user.
The su command without a username logs you in with the root account. However, this method has one significant drawback: to log in on behalf of another user, you need to know his password. If you have several administrators, each of them will know the superuser password and you will not be able to restrict their rights.
In addition, it is not safe: knowing the superuser password and being able to log in under that name means that a compromise can lead to a complete loss of control over the system.
What happens if we try to elevate rights in Ubuntu in this way? We won't succeed, because we don't know the root user's password; at the same time, nothing prevents us from logging in as a different user.
"Wait!" another user will say, "but doesn't the first user created during installation get root rights?" Indeed, administrative tasks can only be performed on behalf of the user created during installation; if you try to do this on behalf of another user, you will fail.
Here we come close to the second elevation mechanism, the sudo utility. However, before proceeding to study it, it is worth clarifying: the superuser (root) rights in Ubuntu belong to the root account, which is disabled by default. Therefore, elevating rights with the su command is not possible.
The main elevating mechanism in Ubuntu is the utility sudo. This utility allows you to elevate the rights to the superuser level for the command being executed, while you do not need to know the superuser password, the user must enter his own password. After that, the utility will check whether the given user has the right to execute the given command on the given host with superuser rights and, in case of successful passing of the checks, will execute it.
It is important! The main difference between su and sudo is that su switches the current user to root, which requires an active superuser account in the system and knowledge of its password, whereas sudo elevates rights only for the command being executed without requiring the superuser password; the user enters his own password, and these credentials cannot be used to log in as root.
Another important point: when using a pipeline or redirection with superuser rights, only the first part of the command is executed as root. For example, in the construction:
sudo command1 | command2
only command1 runs as root. The command
sudo cat sources.list > /etc/apt/sources.list
will fail with a permissions error, because the write to /etc/apt/sources.list is done with normal user rights.
To execute complex combinations of commands, you can switch to a superuser shell with sudo. This is similar to elevating rights with su; however, the user environment does not change and the current user's directory is used as the home, which is convenient and safe. Each administrator only has access to his own home directory.
Now is the time to figure out who is allowed to use sudo and to what extent. The settings of this utility are held in the /etc/sudoers file. Although this is a regular configuration file, it is highly recommended to edit it with the command:
sudo visudo
This command locks the file and performs a syntax check; otherwise you risk losing administrative access to the PC because of a typo.
The syntax of this file is quite simple. For example, at the very end of the file there is an entry:
%admin ALL=(ALL) ALL
This means that users of the admin group can execute any command on any host on behalf of any user. We can easily verify this with the groups command: in our case the user andrey belongs to the admin group and the user petrov does not.
But all the advantages of this utility lie in the ability to flexibly configure the parameters for obtaining rights in each specific case. For example:
petrov ubuntu-lts=(andrey) ALL
This line allows the user petrov to run any command on the host ubuntu-lts on behalf of the user andrey. When specifying commands, give their full path, which you can find with the which command.
For example, we want to allow the users petrov and sidorov to shut down and restart the computer and to kill processes, and these commands should not require a password.
Another nice feature of the sudo utility is the creation of aliases, so in our case we add to /etc/sudoers the following lines:
User_Alias USERGROUP1 = petrov, sidorov
Cmnd_Alias CMDGROUP1 = /bin/kill, /sbin/reboot, /sbin/shutdown
With this we have created two aliases: USERGROUP1, containing the users we need, and CMDGROUP1 with the set of necessary commands. Later we can edit only the aliases without touching the rules that use them. Then let's add a rule:
USERGROUP1 ALL = (ALL) NOPASSWD:CMDGROUP1
which will allow users listed in the specified alias to execute commands from the specified alias on any host on behalf of any user without entering a password.
In addition to the above two, aliases are also available for host names and for the users on whose behalf commands may be executed. Alias names may contain only uppercase letters, digits and underscores, for example:
Host_Alias WWW_HOSTS = webserver1, webserver2
Runas_Alias WWW_USERS = www-data, www-developer
USERGROUP1 WWW_HOSTS = (WWW_USERS) ALL
This set of records allows the users in USERGROUP1 to execute any commands on behalf of the users www-data and www-developer on the company's web servers.
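A small audit of a sudoers file, added here as an example (not from the article), run on a copy so it needs no root. It flags alias names that break the sudoers naming rule (uppercase letters, digits and underscore only, which is why visudo rejects a Host_Alias named "www") and lists every principal granted NOPASSWD commands for review; the sample file is constructed from the rules discussed above.

```shell
#!/bin/bash
# Added example, not from the article: audit a copy of /etc/sudoers for
# invalid alias names and for rules that grant commands without a password.
set -u

# Alias definitions whose names are not valid, space separated ("" if none).
# An alias must match ^[A-Z][A-Z0-9_]*$ or visudo refuses the file.
invalid_alias_names() {      # $1 = sudoers file
    awk '$1 ~ /^(User|Cmnd|Host|Runas)_Alias$/ {
             name = $2; sub(/=.*/, "", name)       # "WWW=..." -> "WWW"
             if (name !~ /^[A-Z][A-Z0-9_]*$/) print name
         }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Users, groups or aliases that may run something with NOPASSWD (comments skipped).
nopasswd_principals() {      # $1 = sudoers file
    awk '/NOPASSWD:/ && $1 !~ /^#/ { print $1 }' "$1" \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Overall check: 0 when every alias name is valid, 1 otherwise.
check_sudoers() {            # $1 = sudoers file
    local bad
    bad=$(invalid_alias_names "$1")
    if [ -n "$bad" ]; then
        echo "invalid alias name(s): $bad" >&2
        return 1
    fi
    echo "NOPASSWD granted to: $(nopasswd_principals "$1")"
    return 0
}

# Constructed sample based on the article's rules; the lowercase Host_Alias
# "www" is the mistake the check is meant to catch.
SUDOERS_SAMPLE=$(mktemp)
cat > "$SUDOERS_SAMPLE" <<'EOF'
User_Alias USERGROUP1 = petrov, sidorov
Cmnd_Alias CMDGROUP1 = /bin/kill, /sbin/reboot, /sbin/shutdown
Host_Alias www = webserver1, webserver2
Runas_Alias WWW_USERS = www-data, www-developer
%admin ALL=(ALL) ALL
petrov ubuntu-lts=(andrey) ALL
USERGROUP1 ALL = (ALL) NOPASSWD:CMDGROUP1
# sidorov ALL = (ALL) NOPASSWD:ALL
EOF
```

On a real host, `visudo -cf /etc/sudoers` remains the authoritative syntax check; this script only surfaces the two points discussed above.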
Finally, consider what to do if the root account is still needed. It's simple, to enable it, just set a password:
sudo passwd root
You can lock the superuser account again with the command:
sudo passwd -l root
Remember that all administrative tasks in Ubuntu can be done using the sudo utility, so don't enable the root account unless you really need to!
As you can see, Ubuntu has rich administrative rights management capabilities, which allows you to flexibly distribute rights among several administrators, as well as give the ability to elevate rights to some users, and do it efficiently and securely.
User management is an important part of system security. Inefficient users and privilege management often lead many systems to be compromised. Therefore, it is important that you understand how to secure your server with simple and effective user account management techniques.
Where is the superuser?
The Ubuntu developers have made a conscious decision to disable the administrative root account (root) by default in all Ubuntu installations. This does not mean that the root account has been deleted or cannot be accessed. It has simply been assigned a password that does not match any possible encrypted value, so it cannot be used to log in directly.
Instead, users are encouraged to use a tool named sudo to carry out administrative duties. sudo allows authorized users to temporarily elevate their privileges using their own password instead of knowing the password assigned to the superuser. This simple yet powerful technique ensures accountability for all user actions and gives the administrator fine-grained control over which actions a user with given privileges may perform.
1. If for some reason you want to enable the superuser account, just set a password for it:
sudo passwd
sudo will prompt you for your own password and then ask you to set a new root password, as shown below:
[sudo] password for username: (enter your own password)
Enter new UNIX password: (enter new superuser password)
Retype new UNIX password: (retype new superuser password)
passwd: password updated successfully
2. To disable the root account again, use the following passwd syntax:
sudo passwd -l root
For more information, see the sudo man page:
man sudo
By default, the initial user created by the Ubuntu installer is a member of the admin group, which is listed in the /etc/sudoers file as a group of authorized sudo users. To give another account full superuser access via sudo, just add it to the admin group.
Adding and removing users
The process of managing local users and groups is simple and differs little from most other GNU/Linux operating systems. Ubuntu and other Debian-based distributions encourage the use of the adduser package for account management.
1. To add a user account, use the following syntax and follow the prompts for password and authentication characteristics such as full name, phone number, etc.:
sudo adduser username
2. To remove a user and their primary group, use the following syntax:
sudo deluser username
Deleting a user does not delete its associated home directory. It is up to you whether you want to delete the directory manually or leave it in accordance with your retention policies.
Be aware that any user added later with the same UID/GID as the previous one will have access to this directory unless you take the necessary precautions.
You may want to change these directory UID/GID values to something more appropriate, such as superuser values, and possibly move the directory to prevent future conflicts:
sudo chown -R root:root /home/username/
sudo mkdir /home/archived_users/
sudo mv /home/username /home/archived_users/
3. To temporarily block or unblock, use the following syntax:
sudo passwd -l username
sudo passwd -u username
4. To add or remove a personal group, use the following syntax, respectively:
sudo addgroup groupname
sudo delgroup groupname
5. To add a user to a group, use:
sudo adduser username groupname
User profile security
When a new user is created, the adduser utility creates a correspondingly named directory, /home/username. The default profile is generated from the contents of the /etc/skel directory, which includes all the basics for building a profile.
If your server is home to multiple users, you should pay close attention to the permissions on user home directories to maintain privacy. By default, user home directories are created with read/execute permissions for everyone. This means that all users can view and access the contents of other home directories. This may not be suitable for your environment.
1. To check permissions on the home directories of existing users, use the following syntax:
ls -ld /home/username
The following output shows that the /home/username directory has read access to everyone:
drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username
2. You can remove read permissions for everyone using the following syntax:
sudo chmod 0750 /home/username
Some tend to use the recursion (-R) option indiscriminately, which modifies all child directories and files, although this is optional and may have other undesirable consequences. The parent directory itself will prevent unauthorized access to any of its contents.
A more efficient approach to this issue would be to change the default global permissions for adduser when creating home directories. Simply edit the /etc/adduser.conf file, changing the DIR_MODE variable to something more appropriate, and then all new home directories will have the correct permissions.
DIR_MODE=0750
3. After correcting directory permissions using any of the previously mentioned techniques, check the results using the following command:
ls -ld /home/username
The output below shows that read permissions for everyone have been removed:
drwxr-x--- 2 username username 4096 2007-10-02 20:03 username
Password policy
A strong password policy is one of the most important aspects of your security approach. Many successful security breaches have used brute-force and dictionary attacks against weak passwords. If you intend to offer any form of remote access that relies on your local password system, make sure you set adequate minimum password requirements and a maximum password lifetime, and audit your authentication system frequently.
Minimum password length
By default, Ubuntu requires a minimum password length of 6 characters, as well as some basic password-quality (obscurity) checks. These options are controlled by the /etc/pam.d/common-password file and are listed below:
password pam_unix.so obscure sha512
If you want to set the minimum length to 8 characters, change the corresponding variable to min=8. The changes are listed below:
password pam_unix.so obscure sha512 min=8
Basic checks for quality and minimum password length do not apply to an administrator using sudo-level commands to set up a new user.
Password lifetime
When creating user accounts, you must create a minimum and maximum password lifetime policy to force users to change their passwords after a certain amount of time.
1. To easily view the current status of a user account, use the following syntax:
sudo chage -l username
The output below shows Interesting Facts about the user account, namely that there are no policies applied:
Last password change: Jan 20, 2008
Password expires: never
Password inactive: never
Account expires: never
Minimum number of days between password change: 0
Maximum number of days between password change: 99999
Number of days of warning before password expires: 7
2. To set these values, simply use the following command and follow the interactive prompts:
sudo chage username
The following is also an example of how you can manually set the explicit account expiration date (-E) to 01/31/2008, the minimum password age (-m) to 5 days, the maximum password age (-M) to 90 days, an inactivity period (-I) for 5 days after the password expires, and a warning period (-W) of 14 days before the password expires.
sudo chage -E 01/31/2008 -m 5 -M 90 -I 30 -W 14 username
3. To check the changes, use the same command as mentioned above:
sudo chage -l username
The command output below shows the new policies that apply to the account:
Last password change: Jan 20, 2008
Password expires: Apr 19, 2008
Password inactive: May 19, 2008
Account expires: Jan 31, 2008
Minimum number of days between password change: 5
Maximum number of days between password change: 90
Number of days of warning before password expires: 14
Other security considerations
Many applications use alternative authentication mechanisms that can easily be overlooked even by experienced system administrators. Therefore, it is important to understand and control how users log in and access services and applications on your server.
SSH access by blocked users
Simply disabling or locking an account does not prevent the user from connecting remotely if RSA public-key authentication was set up for him earlier. Such users can still get a shell on the server without entering any password. Remember to check the user's home directory for files that allow this type of SSH authentication, such as /home/username/.ssh/authorized_keys.
Removing or renaming the .ssh/ directory in the user's home directory will prevent further SSH authentication.
Be sure to check for established SSH connections of blocked users, as incoming or outgoing connections may remain open. Kill everything you find.
Restrict SSH access to only user accounts that require it. For example, you can create a group called "sshlogin" and add the group name as a value to the AllowGroups variable found in the /etc/ssh/sshd_config file.
AllowGroups sshlogin
Then add your users who are allowed SSH access to the "sshlogin" group and restart the SSH service.
sudo adduser username sshlogin
sudo service ssh restart
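The check described above, as an added example (not from the guide): functions over copies of /etc/shadow and /etc/passwd plus a home-directory root, so it runs on constructed data. It reports locked accounts ("!" in front of the hash after passwd -l, or "*" for no password at all) that still hold an authorized_keys file, and also reads the AllowGroups line from a constructed sshd_config; the hashes and the key line in the sample are placeholders.

```shell
#!/bin/bash
# Added example, not from the guide: find locked accounts that can still log
# in over SSH with a key, and show whether sshd restricts logins by group.
set -u

# Users whose password field is locked ("!...") or unusable ("*").
locked_users() {             # $1 = shadow file
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# Locked users that still have a non-empty ~/.ssh/authorized_keys.
# Home paths come from the passwd file and are prefixed with $3, so the check
# can run against a copied home tree (pass "" for the live system).
locked_users_with_ssh_keys() {   # $1 = shadow, $2 = passwd, $3 = home root prefix
    local user home
    for user in $(locked_users "$1"); do
        home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$2")
        [ -n "$home" ] || continue
        if [ -s "$3$home/.ssh/authorized_keys" ]; then
            echo "$user"
        fi
    done | tr '\n' ' ' | sed 's/ $//'
}

# Groups allowed by AllowGroups in sshd_config ("" when logins are unrestricted).
sshd_allowed_groups() {      # $1 = sshd_config file
    awk 'tolower($1) == "allowgroups" { $1 = ""; sub(/^ /, ""); print }' "$1"
}

# Constructed sample data (placeholder hashes and key, no real secrets).
ROOT_SAMPLE=$(mktemp -d)
SHADOW_SAMPLE="$ROOT_SAMPLE/shadow"
PASSWD_SAMPLE="$ROOT_SAMPLE/passwd"
SSHD_SAMPLE="$ROOT_SAMPLE/sshd_config"
cat > "$SHADOW_SAMPLE" <<'EOF'
root:*:17500:0:99999:7:::
andrey:$6$constructedhash:17500:0:99999:7:::
losst:!$6$constructedhash:17500:0:99999:7:::
petrov:!$6$constructedhash:17500:0:99999:7:::
EOF
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
andrey:x:1000:1000::/home/andrey:/bin/bash
losst:x:1001:1001::/home/losst:/bin/bash
petrov:x:1002:1002::/home/petrov:/bin/bash
EOF
printf 'AllowGroups sshlogin\n' > "$SSHD_SAMPLE"
# losst was locked but kept a key; petrov was locked and had .ssh removed.
mkdir -p "$ROOT_SAMPLE/home/losst/.ssh" "$ROOT_SAMPLE/home/petrov"
echo "ssh-ed25519 AAAAC3constructedkey losst@laptop" \
    > "$ROOT_SAMPLE/home/losst/.ssh/authorized_keys"

echo "locked users still holding SSH keys: $(locked_users_with_ssh_keys \
    "$SHADOW_SAMPLE" "$PASSWD_SAMPLE" "$ROOT_SAMPLE")"
echo "sshd AllowGroups: $(sshd_allowed_groups "$SSHD_SAMPLE")"
```

On a live host run it as root with /etc/shadow, /etc/passwd and an empty prefix; every account it prints should have its .ssh directory removed or its open sessions ended, as described above.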
External database authentication
Most corporate networks require centralized authentication and access control for all system resources. If you have configured your server to authenticate users against an external database, make sure you disable the user's account both externally and locally, so that no fallback to local authentication remains possible.