LINUX TUTORIAL

Users, groups, and sudo

Create a user, see how groups bundle permissions, and grant sudo the least-privilege way: a single scoped command instead of full admin.

What we're doing

We create a user, add it to a group, then grant it sudo two ways: the broad way (the sudo group, full admin) and the least-privilege way (a scoped rule that allows one command). Then we verify what the user can and cannot do. A harmless demo-app service is running on the VM so there is something to scope sudo to.

Watch the video first, then run these as we go. These commands change accounts, so they need sudo.

Users and groups

  • User: an account, with a UID (user ID). Listed in /etc/passwd.
  • Group: a set of users, with a GID (group ID). Listed in /etc/group.
  • Every user has one primary group (usually its own) and any number of supplementary groups. A group is how Linux gives the same permission to several users at once (e.g. members of sudo may run commands as root).

Step 1: create a user

sudo useradd -m -s /bin/bash deploy   # -m = make home dir, -s = login shell
id deploy                             # uid, primary group, all groups
grep deploy /etc/passwd               # the account's line
uid=1001(deploy) gid=1001(deploy) groups=1001(deploy)
deploy:x:1001:1001::/home/deploy:/bin/bash

(adduser is the friendlier interactive version. No password is set; we act as the user with sudo instead of logging in.)

Step 2: group membership

sudo groupadd developers
sudo usermod -aG developers deploy    # -aG = APPEND to groups (without -a, -G REPLACES them all)
id deploy
uid=1001(deploy) gid=1001(deploy) groups=1001(deploy),1002(developers)

The -a is critical: usermod -G without -a drops every other supplementary group.
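To make the primary/supplementary distinction and the -a pitfall concrete, here is an added example (not part of the tutorial) that rebuilds the groups= field of id from constructed copies of /etc/passwd and /etc/group, then simulates what usermod -aG and usermod -G (no -a) do to the group file. The user and group names mirror the tutorial; the sample file contents are made up for the example and nothing on the real system is touched.

```sh
#!/bin/sh
# Added example: how `id` derives groups from /etc/passwd and /etc/group.
# SAMPLE_PASSWD and SAMPLE_GROUP are constructed stand-ins for the real files.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
alice:x:1003:1003::/home/alice:/bin/bash'

SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
deploy:x:1001:
developers:x:1002:deploy,alice
alice:x:1003:'

passwd_gid() {  # $1 = user; primary GID is field 4 of the passwd line
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }'
}

gid_name() {  # $1 = gid; the group name that owns that GID
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$3 == g { print $1 }'
}

# Supplementary groups: every group line whose member list (field 4) names the user.
supp_groups() {  # $1 = user; prints one "gid(name)" per line, in file order
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) { print $3 "(" $1 ")"; break } }'
}

# Reproduce the groups= field of `id USER`: primary group first, then supplementary.
id_groups() {  # $1 = user; exit 1 if the user does not exist
    user=$1
    gid=$(passwd_gid "$user")
    [ -n "$gid" ] || return 1
    out="$gid($(gid_name "$gid"))"
    for g in $(supp_groups "$user"); do
        case ",$out," in *",$g,"*) ;; *) out="$out,$g" ;; esac
    done
    printf '%s\n' "$out"
}

in_group() {  # $1 = user, $2 = group name; exit 0 if member (primary or supplementary)
    case ",$(id_groups "$1")," in *"($2),"*) return 0 ;; esac
    return 1
}

# Simulate `usermod -G LIST USER` ($3 = 0: LIST replaces every supplementary group)
# and `usermod -aG LIST USER` ($3 = 1: LIST is appended). Rewrites SAMPLE_GROUP.
usermod_groups() {  # $1 = user, $2 = comma-separated group names, $3 = 1 to append
    SAMPLE_GROUP=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v OFS=: -v u="$1" -v list="$2" -v app="$3" '
        BEGIN { n = split(list, want, ","); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        {
            n = split($4, m, ","); keep = ""
            for (i = 1; i <= n; i++) {
                if (m[i] == "") continue
                # -G without -a: membership in any group not on the list is dropped
                if (m[i] == u && app == 0 && !($1 in w)) continue
                keep = keep (keep == "" ? "" : ",") m[i]
            }
            if (($1 in w) && index("," keep ",", "," u ",") == 0)
                keep = keep (keep == "" ? "" : ",") u
            $4 = keep; print
        }')
}

id_groups deploy               # 1001(deploy),1002(developers)
usermod_groups deploy sudo 1   # like: usermod -aG sudo deploy
id_groups deploy               # 1001(deploy),27(sudo),1002(developers)
usermod_groups deploy sudo 0   # like: usermod -G sudo deploy (no -a)
id_groups deploy               # 1001(deploy),27(sudo)  <- developers is gone
```

The last two lines are the -a lesson in miniature: the replace form keeps only the groups you named, so a single forgotten flag silently strips every other membership the account had.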

Step 3: full admin the easy way (the sudo group)

sudo usermod -aG sudo deploy          # the 'sudo' group = full admin
sudo -lU deploy                       # list deploy's sudo rights (as root, no deploy password)
User deploy may run the following commands on prepare-vm:
    (ALL : ALL) ALL

(ALL : ALL) ALL = run anything as root. Full admin, almost always more than the account needs.

Step 4: least privilege (a scoped rule)

sudo gpasswd -d deploy sudo           # remove from the sudo group (no rights again)
echo 'deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart demo-app' | sudo tee /etc/sudoers.d/deploy
sudo chmod 0440 /etc/sudoers.d/deploy # perms sudo requires for a rules file
sudo visudo -cf /etc/sudoers.d/deploy # validate (visudo = the safe sudoers editor)
/etc/sudoers.d/deploy: parsed OK

The rule: user deploy, run as root, no password, only /usr/bin/systemctl restart demo-app (the full path and exactly those arguments). Put it in /etc/sudoers.d/ (cleaner than editing /etc/sudoers), and always validate with visudo so a typo can't break sudo for everyone.

Step 5: verify can and can't

sudo -lU deploy                                   # now only the one command
sudo -u deploy sudo -n systemctl restart demo-app # the allowed command (works, no output)
systemctl is-active demo-app                      # confirm it restarted
sudo -u deploy sudo -n cat /etc/shadow            # anything else: refused
    (root) NOPASSWD: /usr/bin/systemctl restart demo-app
active
Sorry, user deploy is not allowed to execute '/usr/bin/cat /etc/shadow' as root on prepare-vm.

deploy can restart demo-app and nothing else as root. That is least privilege.
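Steps 4 and 5 write the rule first and validate second, which leaves a window in which a typo has already landed in /etc/sudoers.d. The added example below (not part of the tutorial) is a small script that builds the same kind of rule, checks two things that silently break it, and runs visudo -cf on a temporary copy before anything is installed. It assumes the tutorial's names (user deploy, service demo-app); install_scoped_rule needs root and is the only part that touches the system.

```sh
#!/bin/sh
# Added example: build, check and safely install a scoped sudoers rule.
# Assumed names from the tutorial: user "deploy", service "demo-app".

# sudo skips files in /etc/sudoers.d whose name contains a '.' or ends in '~'
# (see sudoers(5)), so a rule saved as "deploy.conf" is ignored without any error.
sudoers_filename_ok() {  # $1 = file name (not a path); exit 0 if sudo will read it
    case $1 in
        ''|*.*|*~) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one rule: "USER ALL=(root) NOPASSWD: /abs/path args". sudo matches the
# command by its full path, so a bare "systemctl" would never match and is refused.
scoped_rule() {  # $1 = user, $2 = absolute command path, $3.. = fixed arguments
    user=$1; cmd=$2; shift 2
    case $cmd in
        /*) ;;
        *) echo "scoped_rule: command must be an absolute path: $cmd" >&2; return 1 ;;
    esac
    printf '%s ALL=(root) NOPASSWD: %s%s\n' "$user" "$cmd" "${1:+ $*}"
}

# Validate a temporary copy with visudo first; only a file that parses is moved
# into place, with the 0440 root:root permissions sudo expects. Needs root.
install_scoped_rule() {  # $1 = user, $2 = absolute command path, $3.. = arguments
    user=$1
    sudoers_filename_ok "$user" || { echo "bad sudoers.d file name: $user" >&2; return 1; }
    tmp=$(mktemp) || return 1
    scoped_rule "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    if visudo -cf "$tmp"; then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$user"
    else
        echo "rule rejected by visudo, nothing installed" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
    sudo -lU "$user"   # show the resulting rights, as in Step 5
}

scoped_rule deploy /usr/bin/systemctl restart demo-app
# deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart demo-app
scoped_rule deploy systemctl restart demo-app || echo "(refused: relative command)"
sudoers_filename_ok deploy.conf || echo "(refused: sudo would ignore deploy.conf)"
# On a real box, as root:  install_scoped_rule deploy /usr/bin/systemctl restart demo-app
```

Because the temporary file is validated before install, a broken rule never reaches sudo, so you cannot lock yourself out while adding one. The filename check matters for the same reason in reverse: a rule sudo silently ignores looks installed but grants nothing, and the first sign is the refusal message from Step 5.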

Cheat sheet

sudo useradd -m -s /bin/bash NAME      # create user (adduser = interactive)
sudo userdel -r NAME                    # delete user + home dir
id NAME                                 # uid, gid, groups
sudo usermod -aG GROUP NAME             # add to a group (-a APPENDS, never forget it)
sudo gpasswd -d NAME GROUP              # remove from a group

# full admin (broad):
sudo usermod -aG sudo NAME
# least privilege (scoped):
echo 'NAME ALL=(root) NOPASSWD: /full/path/to/cmd args' | sudo tee /etc/sudoers.d/NAME
sudo chmod 0440 /etc/sudoers.d/NAME
sudo visudo -cf /etc/sudoers.d/NAME     # validate
sudo -lU NAME                           # what NAME may run with sudo

In short: a user is an account, a group hands the same permission to several users, and sudo grants root rights per rule. The sudo group grants everything; a scoped rule in /etc/sudoers.d/ grants one command. Prefer the scoped rule (least privilege), and always edit sudo rules with visudo so a typo can't lock everyone out.

Next tutorial: one level lower, the file permissions that decide who can read, write, and run each file.
