Add new users in linux and provide appropriate permissions using groups

Why add new users in Linux? We often work on a project with a large team, with a number of developers constantly writing code and deploying it to the server. Most of the teams I have seen use a single SSH key to log in to the server, and that is a real security concern. If that key is compromised from one developer's machine, say during a breach, your application can be compromised with it, which I am sure no team wants.

How to AVOID This:

To avoid this situation, set up a separate Linux user with its own SSH key and restricted access for each person. That way, even if one of the keys is compromised, you do not lose access to your server, and you can simply delete that user.

Steps to Create linux users:
  • Log in to the server as the administrative user; the examples below assume this user is ec2-user.
  • Use the following adduser command to add the newuser account to the system (with an entry in the /etc/passwd file). This command also creates a group and a home directory for the account.
    [ec2-user ~]$ sudo adduser newuser

    [Ubuntu] When adding a user to an Ubuntu system, include the --disabled-password option with this command to avoid adding a password to the account.

    [ubuntu ~]$ sudo adduser newuser --disabled-password
  • Switch to the new account so that newly created files have the proper ownership.
    [ec2-user ~]$ sudo su - newuser 
    [newuser ~]$

    Notice that the prompt changes from ec2-user to newuser to indicate that you have switched the shell session to the new account.

  • Create a .ssh directory in the newuser home directory and change its file permissions to 700 (only the owner can read, write, or open the directory).
    [newuser ~]$ mkdir .ssh 
    [newuser ~]$ chmod 700 .ssh

    Important: Without these exact file permissions, the user will not be able to log in.

  • Create a file named authorized_keys in the .ssh directory and change its file permissions to 600 (only the owner can read or write to the file).
    [newuser ~]$ touch .ssh/authorized_keys 
    [newuser ~]$ chmod 600 .ssh/authorized_keys

    Important: Without these exact file permissions, the user will not be able to log in.

  • Open the authorized_keys file using your favorite text editor (such as vim or nano).
    [newuser ~]$ nano .ssh/authorized_keys

    Paste the public key for your key pair into the file and save the changes. For example:

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V
    hz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXr
    lsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZ
    qaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb
    BQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLE

    The user should now be able to log into the newuser account on your instance using the private key that corresponds to the public key that you added to the authorized_keys file.

    So that was easy, right?
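Added example (not the post's own code): the .ssh steps above collected into a POSIX shell script that creates the directory and file with the modes the post requires, appends a key only once, refuses input that is not an OpenSSH public key line, and checks the modes afterwards. It takes the home directory as a parameter, so it can be run as the new user against $HOME or tried first against a scratch directory. The function names and the sample key are assumptions of this example; the key is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example: provision authorized_keys for a new account with the modes
# the post calls for (700 on .ssh, 600 on authorized_keys) and verify them.
# Run as the new user (after `sudo su - newuser`) with "$HOME" as the first
# argument, or against a scratch directory to see what it does.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Accept only lines that look like an OpenSSH public key:
# "<type> <base64> [comment]" with a known key type and both mandatory fields.
valid_pubkey() {
    case "$1" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*" "*) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s\n' "$1" | awk '{print NF}')" -ge 2 ]
}

# install_key HOME_DIR "PUBLIC_KEY_LINE"
# Creates HOME_DIR/.ssh (700) and HOME_DIR/.ssh/authorized_keys (600) if
# missing and appends the key once; re-running does not duplicate it.
install_key() {
    h="$1"; key="$2"
    valid_pubkey "$key" || { echo "refusing to install malformed key" >&2; return 1; }
    # create with an owner-only umask so there is no window with looser modes
    ( umask 077; mkdir -p "$h/.ssh"; touch "$h/.ssh/authorized_keys" ) || return 1
    chmod 700 "$h/.ssh"
    chmod 600 "$h/.ssh/authorized_keys"
    grep -qxF "$key" "$h/.ssh/authorized_keys" \
        || printf '%s\n' "$key" >> "$h/.ssh/authorized_keys"
}

# check_key_perms HOME_DIR
# Returns 0 when both paths carry exactly the modes the post requires,
# 1 otherwise (the "Important" caveat: with other modes the login fails).
check_key_perms() {
    h="$1"
    [ "$(mode_of "$h/.ssh")" = "700" ] \
        || { echo ".ssh is not mode 700" >&2; return 1; }
    [ "$(mode_of "$h/.ssh/authorized_keys")" = "600" ] \
        || { echo "authorized_keys is not mode 600" >&2; return 1; }
}

# Constructed sample key: placeholder material only, not a usable key.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDSAMPLEKEYNOTREAL newuser@example"

# Demo against a scratch directory so it runs without root.
demo() {
    scratch=$(mktemp -d)
    install_key "$scratch" "$SAMPLE_KEY" && install_key "$scratch" "$SAMPLE_KEY"
    check_key_perms "$scratch" && echo "permissions OK"
    echo "key lines: $(wc -l < "$scratch/.ssh/authorized_keys" | tr -d ' ')"
    rm -rf "$scratch"
}

demo
```

To use it for real, source the script in the new user's shell and call `install_key "$HOME" "ssh-ed25519 AAAA... comment"` with the developer's actual public key; `check_key_perms "$HOME"` is the thing to run first whenever a key-based login unexpectedly fails.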

To remove a user from the system

If a user account is no longer needed, you can remove that account so that it may no longer be used. When you specify the -r option, the user’s home directory and mail spool are deleted. To keep the user’s home directory and mail spool, omit the -r option.

[ec2-user ~]$ sudo userdel -r olduser

Now we need to set up appropriate permissions for the newly created user. This is done by creating a Linux group.

Steps to PROVIDE READ/WRITE permissions on a folder to a linux user:
  • Create a new group:
    sudo groupadd newgroup
  • Add the new user to this new group:
    sudo usermod -a -G newgroup newuser
  • Give the group read/write permission on the directory you want this new user to edit:
    sudo chgrp -R newgroup /var/www/newuser
    sudo chmod 775 -R /var/www/newuser
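Added example (not the post's own code): the group steps above as a POSIX shell script with a verification function. It follows the post's chgrp/chmod approach but, as a deliberate refinement, sets directories to 775 plus the setgid bit (2775) and files to 664, so that files other group members create later inherit the directory's group rather than the creator's primary group, and nothing in the tree becomes executable just to be group-writable. The function names are assumptions of this example; for a real /var/www path it must run with sudo, and the demo uses a scratch directory with the caller's own primary group so it runs unprivileged. Keep in mind that a usermod group change only takes effect at the user's next login.

```shell
#!/bin/sh
# Added example: make a directory tree writable by a group (the post's
# chgrp + chmod step), with the setgid bit on directories so new files
# inherit the group, then verify the result.

# Octal mode and group name of a path (GNU stat first, BSD stat as fallback).
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
group_of() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"; }

# group_exists GROUP: true if the group is known to the system.
group_exists() {
    getent group "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/group 2>/dev/null
}

# share_dir DIR GROUP
# Recursively gives DIR to GROUP: directories become 2775 (group-writable,
# setgid so new entries inherit GROUP), files become 664.
share_dir() {
    dir="$1"; grp="$2"
    [ -d "$dir" ] || { echo "$dir is not a directory" >&2; return 1; }
    group_exists "$grp" || { echo "group $grp does not exist" >&2; return 1; }
    chgrp -R "$grp" "$dir" || return 1
    find "$dir" -type d -exec chmod 2775 {} + || return 1
    find "$dir" -type f -exec chmod 664 {} +
}

# check_share DIR GROUP
# Returns 0 when DIR is owned by GROUP and is mode 2775, 1 otherwise.
check_share() {
    dir="$1"; grp="$2"
    [ "$(group_of "$dir")" = "$grp" ] \
        || { echo "$dir is owned by group $(group_of "$dir"), want $grp" >&2; return 1; }
    [ "$(mode_of "$dir")" = "2775" ] \
        || { echo "$dir is mode $(mode_of "$dir"), want 2775" >&2; return 1; }
}

# Demo on a scratch tree with the caller's own primary group, no root needed.
demo() {
    scratch=$(mktemp -d)
    grp=$(id -gn)
    mkdir "$scratch/html"
    echo "<h1>constructed sample page</h1>" > "$scratch/html/index.html"
    share_dir "$scratch" "$grp" && check_share "$scratch" "$grp" && echo "share OK"
    touch "$scratch/html/new-file"          # created after the setgid bit is set
    echo "new file group: $(group_of "$scratch/html/new-file")"
    rm -rf "$scratch"
}

demo
```

For the post's own path the call is `sudo sh -c '. ./share.sh; share_dir /var/www/newuser newgroup'` (assuming the script is saved as share.sh), followed by `check_share /var/www/newuser newgroup` to confirm it took effect.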

And you are done.

By Abhishek Jain

Techie with 10+ years of experience and counting.
