Advanced Linux User Management: A Guide for IT Pros
By Grant Knoetze

If you are looking to set up well-orchestrated Linux environments, this guide explains the essential concepts and practices for advanced user management.

TABLE OF CONTENTS
Essential Principles and Practices for Managing Linux Users (page 4)
How To Use Linux Groups (page 9)
How To Manage File Permissions (page 14)
Secure Management of Remote Users and Groups (page 20)

EDITOR'S NOTE
Many IT professionals are likely aware that Linux boasts a comprehensive suite of user management tools. These tools provide precise control over resource access while ensuring system integrity and security.

As open source systems like Linux gain popularity within organizations, system administrators may find themselves needing to work with Linux environments. As such, system administrators must master several critical elements of Linux user management.

This guide introduces and examines fundamental concepts and principles of user management in Linux. By the end of the guide, you should have the knowledge and skills necessary to establish and maintain well-orchestrated and secure Linux environments.

Whether you are responsible for a handful of systems or managing a complex network of servers, this guide will empower you to:
• Create and Manage User Accounts: Learn how to create, modify, and delete user accounts.
• Manage User Groups: Discover the benefits of user groups and how they simplify permission management.
• Control Permissions and Access: Gain insight into Linux permissions and access control mechanisms.
• Understand Authentication and Password Policies: See how different authentication methods work and strategies for user authentication.
• Use Sudo and Privilege Escalation: Learn how to use sudo to delegate administrative privileges while maintaining a secure system.
• Manage Users Remotely: Adopt best practices for remote user and group management.

Within the four sections of the guide, you will find detailed explainers, step-by-step tutorials, and numerous examples to help you become proficient in advanced Linux user management. We encourage you to download the guide, explore each section at your own pace, experiment in a safe environment, and apply the principles you learn to your Linux systems.

Essential Principles and Practices for Managing Linux Users

We will start by exploring the main concepts you will need to know.

Linux serves as the foundation for various critical technologies used by enterprises and other users. That means it is essential for system administrators and professionals to understand advanced user management. That understanding helps to maintain security, optimize resources, and ensure operational efficiency.

In this first article, we will delve into the intricacies of advanced Linux user management and outline steps for managing well-orchestrated Linux environments.

The Linux Environment: Considerations
A major difference between Linux and Windows is the sheer number of Linux variants available. Within a company, one may even encounter multiple flavors or distributions of Linux in use based on what different teams prefer. Each Linux server has a local database of users and groups, and the replication of files across these servers can complicate user management.

With security in mind, organizations must have strict control over the root user and root access. In practice, this usually means using the sudo (Substitute User Do) command. Consequently, system administrators are responsible for building and maintaining sudoers files. In contrast, in Windows environments, user authentication is often handled by Active Directory, using Kerberos.

In Linux, the proper use of sudo is critical, especially when dealing with file replication across many systems. When managing multiple servers and configuring them across a cloud environment, it's common to use Infrastructure as Code (IaC), so that the sudoers files and account definitions on every server come from one reviewed source rather than being edited by hand on each host.

Introduction to Linux User Management
Let's explore several key concepts for user management.

User privileges and permissions
We'll begin with the fundamentals of user privilege and permissions, an essential security concept in Linux. Managing the privileges and permissions of user accounts is typically one of the first tasks for an administrator to do. A basic principle in user security is to always follow the principle of least privilege: each account receives only the access its job requires, and nothing more.

By exercising control over user accounts, you ensure that each user is assigned only one username, ID, password, home directory, and so forth. There are two primary categories of IT accounts (depending on the system, there may be a third): standard accounts and privileged accounts. Standard accounts are used for performing day-to-day tasks and operations, while privileged accounts are meant for root or privileged access. Privileged accounts should be distinctly separate from standard accounts: an administrator logs in with a standard account and escalates only for the task at hand.

Privileged access management
Privileged access management (PAM) is a security practice related to what actions a user can take once they are logged into an account with privileged access. (On Linux the same acronym also names the Pluggable Authentication Modules framework that handles logins; the two are unrelated, and this section means the security practice.) PAM is a key piece of advanced user management. In the cybersecurity industry, many vendors provide PAM offerings tailored to the needs of businesses.

PAM usually falls under the umbrella of identity and access management (IAM). The core objective of implementing IAM and, by extension, user management, is to ensure that once a digital identity is established, it is consistently monitored, maintained, and modified as necessary.

Privileged access workstations
The security practice of privileged access workstations (PAW) categorizes workstations into three types:
• Power Workstations (administration with root or escalated privileges);
• Data Workstations (servers); and
• User Workstations (for standard users).

The idea behind PAW is to have a separate machine exclusively used for performing privileged tasks, often referred to as the "administration/root machine." This approach works well with Active Directory, especially in Windows environments where Kerberos is the authentication system.

The root account
All Linux operating systems share a common point of exposure: the root account. The root account grants the highest level of control, making it extremely important to protect root access. Unlike other accounts, there is no safety net with the root account. Even superusers can accidentally delete critical system files.

When an application is executed under the root account, it inherits full root privileges. If the executed application has any security vulnerability, it can potentially open the door for attackers to gain access to the system. This is the practical reason to run services under dedicated unprivileged accounts and to reach root only through sudo for specific tasks.

Resource limits and quotas
Resource management using limits and quotas is a technique for preventing resource starvation and ensuring resource availability. To set limits on user processes, you can use the ulimit shell builtin, which gives you control over memory, CPU time, and the number of open file descriptors, among other resources. Limits set with ulimit apply to the current shell and the processes it starts. Each limit has a soft and a hard value: a user may raise their own soft limit up to the hard limit, but only root can raise a hard limit.

For control over limits that apply to every login session, you can use a text or code editor like Nano to edit the /etc/security/limits.conf file (or a drop-in file under /etc/security/limits.d/). These files are read by the pam_limits module when a session starts, so an edit takes effect at the user's next login, not in sessions already running. Disk quotas for file systems are a separate mechanism, configured with the quota tools rather than in limits.conf. In Figure 1, you can see an example where I have used the cat command to view the contents of the /etc/security/limits.conf file.

Figure 1. The output of the sudo cat /etc/security/limits.conf command. You can use a text or code editor to open this file for configuration.

Figure 2. Here is the /etc/security/limits.conf file opened in Nano, ready for editing. In Nano, use Ctrl + O to save your changes and Ctrl + X to close the file after making changes.

User Roles and Responsibilities
In any organization, understanding user roles and their associated responsibilities is a must for systems management. As an organization scales up, this understanding becomes even more important.

Role-Based Access Control (RBAC) is widely accepted as an excellent method for granting permissions and resource access. RBAC classifies users into roles based on their specific job functions. Using RBAC ensures that users are granted access to only the resources relevant to their roles, thereby reducing security risks while also simplifying user management. On a Linux host, groups are the usual way to express roles: a group per role, with file permissions and sudoers rules granted to the group rather than to individual users.

Additionally, it's important to understand the security principle of Separation of Duties. When practiced, Separation of Duties prevents any single user from having excessive control over the system. This principle is particularly valuable in Linux environments, which often involve users with diverse responsibilities, e.g., regular users, system administrators, and application managers.

Centralized Authentication With LDAP
LDAP, which stands for Lightweight Directory Access Protocol, is the most widely used method for centralized administration and management of organizations' user directories. Organizations that use LDAP are of all sizes and span the globe.
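Returning to /etc/security/limits.conf: the following is an added example, not code from the guide, that checks a limits drop-in for the mistakes pam_limits would otherwise ignore without a word (wrong field count, unknown type or item, non-numeric value). The sample file content is constructed for the example, and the users, groups and values in it are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): check a limits.conf drop-in before installing
# it under /etc/security/limits.d/. pam_limits reads these files at session start
# and ignores lines it cannot parse, so a typo means the limit you intended never
# applies and nobody is told.
#
# Line format:  <domain> <type> <item> <value>
#   domain: user name, @group, or * for everyone
#   type:   soft, hard, or - for both
#   item:   one of the pam_limits item names (nofile, nproc, core, ...)
#   value:  a non-negative integer, or unlimited / -1 where the item allows it

# Constructed sample drop-in (hypothetical users and groups), written to a
# temporary file so the example runs offline. Three lines are deliberately wrong.
SAMPLE_LIMITS=$(mktemp)
cat > "$SAMPLE_LIMITS" <<'EOF'
# limits for a hypothetical build host
*        soft  nofile   4096
*        hard  nofile   65536
@devs    soft  nproc    2048
@devs    hard  nproc    4096
appsvc   -     core     0
appsvc   hrad  memlock  unlimited
alice    soft  nofile
carol    hard  nproc    lots
EOF

# check_limits_file FILE -> prints one diagnostic per bad line; returns the number of bad lines
check_limits_file() {
    local file=$1 bad=0 lineno=0 line trimmed
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        trimmed=${line#"${line%%[![:space:]]*}"}          # drop leading whitespace
        case "$trimmed" in ''|\#*) continue ;; esac       # blank line or comment
        # Split into fields. Globbing is disabled while the line is expanded,
        # otherwise the wildcard domain "*" would expand to file names.
        set -f; set -- $trimmed; set +f
        if [ $# -ne 4 ]; then
            echo "line $lineno: expected 4 fields, found $#: $trimmed"
            bad=$((bad + 1)); continue
        fi
        case "$2" in
            soft|hard|-) ;;
            *) echo "line $lineno: unknown type '$2' (soft, hard or -)"; bad=$((bad + 1)); continue ;;
        esac
        case "$3" in
            core|data|fsize|memlock|nofile|rss|stack|cpu|nproc|as|maxlogins|maxsyslogins|priority|locks|sigpending|msgqueue|nice|rtprio) ;;
            *) echo "line $lineno: unknown item '$3'"; bad=$((bad + 1)); continue ;;
        esac
        case "$4" in
            unlimited|-1) ;;
            *[!0-9]*) echo "line $lineno: value '$4' is not a non-negative integer"; bad=$((bad + 1)); continue ;;
        esac
    done < "$file"
    return "$bad"
}

# Stand-alone run: report on the sample file.
if check_limits_file "$SAMPLE_LIMITS"; then
    echo "$SAMPLE_LIMITS: no problems found"
else
    echo "$SAMPLE_LIMITS: problem lines found (see above)"
fi
```

Run it as check_limits_file /etc/security/limits.d/90-build.conf before copying a file into place. It checks shape only, not policy: a hard nofile of 10 for a real user passes the check and would still break that user's logins, so read the values as well.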

LDAP simplifies user administration by centralizing and replicating user information across the entire system and network. It communicates over TCP port 389, or port 636 when wrapped in TLS (LDAPS); directory traffic, and bind passwords in particular, should never cross a network on plain port 389 without STARTTLS. LDAP directories store information in a hierarchical structure, facilitating user management and reducing redundancy.

While the intricacies and implementation details of LDAP are beyond the scope of this article, it's important to note that there is an open-source implementation called OpenLDAP available for Linux systems.

Implementing Single Sign-On
Single Sign-On (SSO) simplifies authentication by allowing users to access multiple applications and systems with a single set of credentials. SSO can be implemented using various protocols, including Security Assertion Markup Language (SAML) and OpenID Connect. SSO can also be integrated into centralized management systems, such as Microsoft Azure.

Securing User Accounts With Two-Factor Authentication
As part of a defense-in-depth strategy, the addition of an extra layer of security can impede potential attackers. This is where two-factor authentication (2FA) comes in. There are several methods of implementing 2FA, with varying levels of security.

The least secure type of 2FA is a code sent by Short Message Service (SMS) over a cellular network. The SMS method is vulnerable to SIM swapping (also called "SIM-jacking"), where an attacker persuades the carrier to move the victim's number to a SIM the attacker controls, and to interception inside the carrier network, since cellular signaling protocols were never designed to carry secrets.

A safer approach is application-based 2FA (one-time codes generated by an app on the phone), although determined attackers with the right tools can still create phishing pages that relay the code to the real site in real time and so compromise your defenses.

The most secure form of 2FA uses FIDO (Fast Identity Online) certified physical security keys. These keys are relatively cheap and easy to implement, offering strong protection when combined with solid password policies. They resist phishing because the key signs a challenge bound to the genuine site's origin, so a look-alike page cannot obtain a response it can reuse.

Auditing and Monitoring User Activities
Routine auditing of user activities should form part of standard operations. This practice provides valuable input for threat-hunting hypotheses and contributes to overall system security and compliance efforts.

In Linux systems, the auditd daemon (or service) logs events such as user logins, privilege escalations, and file access, according to the rules loaded into the kernel audit subsystem. These logs are typically stored under the /var/log directory, the audit trail itself in /var/log/audit/audit.log. Additionally, on Debian-based systems you will find logs like syslog, which records system activity, and kern.log, which documents kernel events; on distributions that use systemd the same messages are available through journalctl.

Understand the /etc/passwd File
The /etc/passwd file stores critical login information about user accounts. It's a plain text file that contains a list of the system's accounts. Each entry within the /etc/passwd file has useful information, such as username, user ID, group ID, home directory, and shell. There is a field for the password associated with each account in the file, represented by an x character, indicating that the password hash is kept in the /etc/shadow file.

Write access to the /etc/passwd file must be restricted to root. The file itself is world-readable by design (many programs need to map UIDs to names), which is exactly why the hashes live in /etc/shadow, a file that only root (and, on Debian-based systems, the shadow group) may read.

Within the /etc/passwd file, each user has an entry, as can be seen in Figure 1 and Figure 2. These entries are organized line by line, with each field separated by a colon (:).

There are a total of seven fields:

Username: This field is between 1 and 32 characters long and is used for user logins.

Password: An x character indicates that the password hash is stored in the /etc/shadow file. An empty field means the account needs no password at all, so treat one as a finding.

User ID (UID): Each user is assigned a unique user ID. User ID 0 (zero) is reserved for the root account, while UIDs 1 to 99 are reserved for other predefined accounts. The kernel identifies root by UID 0, not by the name, so any other account with UID 0 is a second root account and should also be treated as a finding.

UIDs 100 to 999, meanwhile, are reserved by the system for administrative and system accounts and groups. Regular user accounts normally start at UID 1000; the boundary is set by UID_MIN in /etc/login.defs.

Group ID (GID): This corresponds to the group ID of the user's primary group, as stored in the /etc/group file.

User ID Information (GECOS): This comment field allows administrators to add extra information about the user, such as the user's full name, email address, etc.

Home Directory: This specifies the absolute path to the directory the user will be located in when they log in.

Command/shell: This specifies the absolute path of the user's default command or shell, such as /bin/bash. Service accounts that must never log in interactively should carry a shell such as /usr/sbin/nologin here.

Make sure to take advantage of /etc/shadow passwords: the x in /etc/passwd means the hash is kept in /etc/shadow, which, unlike /etc/passwd, is not readable by ordinary users.

Understand the /etc/sudoers File and sudo Privileges
The /etc/sudoers file is where information about users with sudo privileges is configured. To make changes to the file, use visudo rather than opening it directly: visudo checks the syntax before it saves and locks the file against concurrent edits. A syntax error in /etc/sudoers makes sudo refuse to run at all, which can lock every administrator out of root. visudo hands the file to your favorite text or code editor (mine is Nano, which is also the default on Ubuntu).

Here are the steps for using Nano:
• Open the file with visudo (sudo visudo).
• Make your modifications.
• Use Ctrl + O to save changes.
• To exit Nano, press Ctrl + X. visudo then validates the file and, if it finds a problem, offers to reopen it.

No restart is required: sudo reads /etc/sudoers (and the drop-in files under /etc/sudoers.d/) each time it is invoked, so changes take effect immediately. Changes to a user's group memberships, by contrast, apply only to sessions started after the change, so that user must log out and back in.

Main Takeaways
Advanced Linux user management can be made easier when you understand configuration files and have a solid grasp of Linux fundamentals, including basic commands. Building on this foundation, you can implement the best practices for authentication, as we've explored here, with a focus on prioritizing security.
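To tie the /etc/passwd layout and the sudoers discussion above together, here is an added example, not code from the guide, that audits both files for the conditions this section warns about: a second UID 0 account, an empty or non-shadowed password field, and sudoers rules that hand out unrestricted or password-less root. The sample file contents are constructed; the accounts backup2 and legacy, the %deploy group and app.service are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): audit /etc/passwd and a sudoers fragment for
# the conditions this section warns about. It runs against constructed sample
# files; pass /etc/passwd and /etc/sudoers (as root) to check a real host.

# Constructed /etc/passwd. backup2 and legacy are hypothetical bad entries.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
grant:x:1000:1000:Grant Knoetze,,,:/home/grant:/bin/bash
katye:x:1001:1001:Katye,,,:/home/katye:/bin/bash
backup2:x:0:0:second root:/root:/bin/bash
legacy::1002:1002:no password set:/home/legacy:/bin/bash
EOF

# Constructed sudoers fragment. The %deploy rule shows how to delegate one command
# instead of full root; the last line is the kind of rule an audit should catch.
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# members of the hypothetical deploy group may restart one service, nothing else
%deploy ALL=(root) /usr/bin/systemctl restart app.service
# password-less unrestricted root: almost never what you want
katye   ALL=(ALL) NOPASSWD: ALL
EOF

# check_passwd FILE -> prints findings; returns the number of findings
check_passwd() {
    awk -F: '
        NF != 7 { print "line " NR ": expected 7 fields, found " NF; bad++; next }
        $3 == 0 && $1 != "root" { print "line " NR ": UID 0 account other than root: " $1; bad++ }
        $2 == "" { print "line " NR ": empty password field (login without a password): " $1; bad++ }
        $2 != "" && $2 != "x" && $2 != "*" && $2 != "!" {
            print "line " NR ": password hash kept in passwd instead of shadow: " $1; bad++ }
        seen[$3]++ == 1 { print "line " NR ": duplicate UID " $3 ": " $1; bad++ }
        END { exit bad + 0 }
    ' "$1"
}

# check_sudoers FILE -> flags rules whose command list is ALL for anyone other than
# root or the distribution admin groups, and any NOPASSWD rule for ALL commands.
# Returns the number of findings. (The syntax check for a real file is visudo -c -f FILE.)
check_sudoers() {
    awk '
        NF == 0 || /^[ \t]*#/ || /^Defaults/ { next }
        {
            who = $1
            cmds = $0
            sub(/^[^=]*=[ \t]*/, "", cmds)          # keep the text after "host="
            sub(/^\([^)]*\)[ \t]*/, "", cmds)        # drop the "(runas)" part
            if (cmds ~ /NOPASSWD:[ \t]*ALL[ \t]*$/) {
                print "line " NR ": password-less unrestricted sudo for " who; bad++; next
            }
            if (cmds ~ /^ALL[ \t]*$/ && who != "root" && who != "%sudo" && who != "%wheel") {
                print "line " NR ": unrestricted sudo for " who; bad++
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Stand-alone run against the sample files.
echo "== $SAMPLE_PASSWD =="; check_passwd "$SAMPLE_PASSWD" || echo "$? finding(s)"
echo "== $SAMPLE_SUDOERS =="; check_sudoers "$SAMPLE_SUDOERS" || echo "$? finding(s)"
```

The sudoers check is deliberately narrow: it reads one rule per line and does not follow aliases or include directives, so a clean result means "no obvious ALL rule", not "the policy is sound". For the full picture on a host, sudo -l -U <user> shows what sudo itself has resolved for that user.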

How To Use Linux Groups

We will cover the tasks of creating, managing, and removing users from groups in Linux. This article covers both GUI and command-line approaches.

Linux provides fine-grained control over user management. Part of this relates to the concept of groups, which are collections of user accounts with shared permissions. When you add new users to a Linux group, they automatically gain the group's permissions.

In this article, we will cover the steps involved in adding a user to a group. This includes exploring the methods available in the Linux graphical user interface (GUI) and the terminal.

Understanding Users and Groups
In Linux, user accounts are typically linked with one or more groups. Groups gather user accounts together, and these accounts share common permissions determined by the group they belong to. The permissions govern the extent of users' access to files, folders, and devices.

When a user is added to a group, the user acquires the permissions of that group, allowing the user to access the shared resources within the group and perform group-level actions.

Why You Might Need To Add Users to a Group
Administrators may draw on groups for easier user management and control over permissions and system resource access. The concept is like RBAC, which we touched on in the previous article.

Groups are designed to enhance security; streamline workflows; facilitate team

collaboration; and provide access to relevant information while eliminating the clutter of files and folders that are unnecessary to specific users.

Using groups in Linux takes advantage of the full versatility of Linux.

Listing Users and Groups
It can be helpful to first map the users and groups present on the system. You can obtain a list of all users on the system by using the cat /etc/passwd command. We use the cat command to display all the users contained in the passwd file, located in the /etc directory. You can see an example of this in Figure 3.

To list all the groups on the system, use the cat /etc/group command. This command displays all the groups in the group file, as can be seen in Figure 4.

Note that these two files hold only local accounts. On a host that takes users from LDAP or another directory, use getent passwd and getent group instead; they query every configured name service and so include the directory accounts as well.

Figure 3. The users are listed in the /etc/passwd file.
Figure 4. The output of the cat /etc/group command displays all the groups on the system in the group file.
Figure 5. The sudo apt-get install gnome-system-tools command is run in the Ubuntu terminal.

Adding Users to Groups in the GUI
For this explainer, I will use the GNOME Users and Groups tool, which is part of the GNOME system utilities package. GNOME is a popular desktop environment for Linux. When you install the operating system, you may be given the option to include the GNOME desktop environment. It's worth noting that there are other popular desktop environments available for Linux, as well.

If you are using GNOME on distributions like Ubuntu or Kali, you can install the Users and Groups tool by running the sudo apt-get install gnome-system-tools command in the terminal. Figure 5 illustrates this process.

Other popular tools for managing users and groups within different desktop environments include specific options designed for each environment. For example, KDE offers its own tool for managing users and groups in the GUI.

To access the Users and Groups tool,

simply search for its name and open it, as can be seen in Figure 6. Once you are in the Users and Groups GUI, select "Manage Groups" (see Figure 7).

Before adding a user to a group, you can check whether the group already exists using the commands we learned at the beginning of this article. Double-click on the group you would like to modify from the provided list (Figure 8). Now you can simply designate members for the group by clicking on the checkbox next to their respective names (Figure 9). Conversely, to remove a user from the group, simply uncheck the checkbox next to their name.

Figure 6. Search for and open the Users and Groups tool in GNOME.
Figure 7. Where to select "Manage Groups" inside the Users and Groups GUI.
Figure 8. The available groups for you to scroll through.
Figure 9. Check or uncheck the checkbox next to a user's name to add them to a group or remove them from a group.

Adding Users to Groups in the Terminal
In the Linux terminal, there are various commands available for tasks like adding users to groups and managing users and groups. You can always first verify the existence of the group you want to add the user to, using the commands introduced earlier in this article. If that group does not exist, you can create it using the groupadd command.

Adding users to groups using the usermod command
While the primary purpose of the usermod command is to modify account settings, we can also use it to add a user to a group.

To add a user to a group, the command would look like this:

sudo usermod -aG <group> <username>

The -a flag stands for "append." It ensures the user is added to the group without being removed from the groups they already belong to. Without -a, usermod -G replaces the user's entire list of supplementary groups with the one you name, silently dropping every other membership (the primary group is unaffected either way). In this context, the -a flag is used in conjunction with the -G flag. The usermod command can function with other flags, as well. To access these options, run usermod

--help to get help and see the range of flags available.

In Figure 10, you will notice that I have used the above command to add the user "grant" to the "adm" group. Furthermore, in the same figure, I have run the id command followed by the grant username to verify the list of groups the user belongs to. (On Debian-based systems, adm is the group that may read most files under /var/log, so this is a real grant of access, not just a label.)

Figure 10. Using the usermod command to add a user to a group.

Adding users to groups using the useradd command
If you want to create a new user and at the same time add them to a group, use the useradd command. As always, to get help and look for extra flags or switches, invoke the --help option.

In our case, we will use useradd with the -G flag, resulting in the following command:

sudo useradd -G <group> <username>

Add -m as well if you want a home directory created, and -s /bin/bash if the distribution's default shell is not the one you want; useradd does not necessarily create a home directory on its own.

Refer to Figure 11 to see where I have used the above command to create a new user and assign them to a group. You can verify the user's group memberships by using the id command.

Figure 11. The useradd command is used to simultaneously create a new user and add the user to a group.

Adding users to groups using the gpasswd command
The gpasswd command is typically used to manage group passwords. However, the command can also be used to add a user to a group.

Start by checking the existing groups. If the group does not exist, use the groupadd command to create it. As with most Linux commands, you can append --help to access help specific to that command. This help output often includes details about the available flags or switches for the command, along with their explanations and sometimes examples.

For this example, we will be using the -a flag. When using the gpasswd command to add a user to a group, the command will look something like this:

sudo gpasswd -a <username> <group>

Note the argument order, which is the reverse of usermod's: the user comes first, then the group. This process is shown in Figure 12, where the user is added to the root group; do that sparingly, since membership in group root carries the group permissions of every root-owned file. You can always verify the changes you are making by using the id command, which provides user information. For example, executing id Katye will display information for the Katye user in the terminal, including the groups the user belongs to.

Figure 12. The gpasswd command is used to add a user to the root group.

How to remove a user from a group
Users can be removed from groups by using the commands we have just learned. Alternatively, you can easily achieve this through the Users and Groups tool in the GUI by unchecking the user's association with the group.

The gpasswd command can be used for removing a user from a group in Linux. Here is the command structure for removing a

user from a group using gpasswd:

sudo gpasswd -d <username> <group>

We use the -d flag for deletion. As always, you can invoke --help to access guidance and use the id command to verify changes afterward. Keep in mind that id reports the stored membership; a session the user already has open keeps its old group set until the user logs in again, so removing someone from a group does not cut off access they are using at that moment.

See Figure 13 for an illustration of how the gpasswd command removes a user from a group.

Figure 13. The gpasswd command is used to add and remove a user from a group.

Main takeaways
Having fine-grained control over access to files, folders, applications, and commands holds substantial advantages for system administrators. For example, this level of control over privileges, permissions, and access to resources enables an enhanced security posture.

In addition, using groups can contribute to the management of user accounts. It simplifies the overall administration of accounts and improves efficiency. Furthermore, groups can assist in user classification based on factors like department affiliation, skillsets, and positions within the organization.
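The id checks used throughout this article resolve a user's memberships from two places: the primary group comes from the GID field in /etc/passwd, and the supplementary groups from the member lists in /etc/group. The following is an added example, not code from the guide, that performs the same resolution from copies of those two files, which is useful when you want to verify an account without a live session or the id binary. The sample accounts and the developers group are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): resolve a user's group memberships from the
# two files this article reads with cat, the way id -Gn does. Runs against
# constructed copies of /etc/passwd and /etc/group; pass the real paths to check a host.

SAMPLE_PASSWD=$(mktemp); SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
grant:x:1000:1000:Grant:/home/grant:/bin/bash
katye:x:1001:1001:Katye:/home/katye:/bin/bash
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
adm:x:4:grant
sudo:x:27:grant
grant:x:1000:
katye:x:1001:
developers:x:1002:katye,grant
EOF

# primary_group PASSWD GROUP USER -> name of the user's primary group: the GID from
# the passwd entry, looked up in the group file. Returns 1 if the user does not exist.
primary_group() {
    local gid
    gid=$(awk -F: -v u="$3" '$1 == u { print $4; exit }' "$1")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$2"
}

# supplementary_groups GROUP USER -> every group whose member list names the user, one per line
supplementary_groups() {
    awk -F: -v u="$2" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$1"
}

# user_groups PASSWD GROUP USER -> comma-separated list, primary group first
user_groups() {
    local p s
    p=$(primary_group "$1" "$2" "$3") || return 1
    # drop the primary group if the user is also listed as a member of it
    s=$(supplementary_groups "$2" "$3" | grep -vxF "$p" | paste -sd, -)
    if [ -n "$s" ]; then printf '%s,%s\n' "$p" "$s"; else printf '%s\n' "$p"; fi
}

# in_group PASSWD GROUP USER GRP -> exit 0 if the user belongs to GRP (primary or supplementary)
in_group() {
    user_groups "$1" "$2" "$3" | tr ',' '\n' | grep -qxF "$4"
}

# Stand-alone run against the sample files.
echo "grant: $(user_groups "$SAMPLE_PASSWD" "$SAMPLE_GROUP" grant)"
echo "katye: $(user_groups "$SAMPLE_PASSWD" "$SAMPLE_GROUP" katye)"
```

Run it against the real files with user_groups /etc/passwd /etc/group <user>. On a host that takes accounts from LDAP, feed it files produced by getent passwd and getent group instead, since the flat files do not contain directory users. A membership added with usermod or gpasswd shows up here immediately, but the user's existing sessions only pick it up after a new login.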

How To Manage File Permissions

Here's everything you need to know about setting file permissions in Linux.

In computer security, key concepts include confidentiality, integrity, and availability. When it comes to the computer's file system, file permissions play a crucial role in securing sensitive information (confidentiality), preventing unauthorized modifications to files (integrity), and allowing appropriate access to files for authorized users (availability). In Linux, file permissions can be set using both the GUI and the command line in the terminal.

This article will explain how to set file permissions using the GUI and the terminal, enabling you to protect your system against unauthorized access and modifications. We will also examine how to use permissions symbolically and numerically.

What Are File Permissions in Linux?
In Linux, permissions control the access to files and directories for different types of users. There are three main permissions in Linux: read, write, and execute.

Read: Read permissions allow users to view the contents of a file, but they cannot edit or modify it. Read permissions do not grant users the ability to execute the file.

Write: Write permissions enable users to make changes to a file, such as adding new entries to a .CSV file. However, write permissions alone do not permit file execution.

Execute: Execute permissions authorize the user to run a file, which can be a program or script. This permission is required to

The same three bits mean something slightly different on a directory: read lists the entries, write creates, renames and deletes entries (regardless of who owns the files inside), and execute allows entering the directory and reaching the files in it.

execute the file's code.

How Do We Use File Permissions?
We use file permissions to maintain the confidentiality, integrity, and availability of files and folders. File permissions allow us to manage access to these resources. File permissions can be set either through the GUI or from the terminal.

Using the ls Command To Visualize File Permissions
To visualize file permissions in Linux, we use the ls command, which stands for "list." The ls command provides a detailed list of the folder's contents. When using the -l flag with the ls command, it displays additional information, including permissions. Figure 14 shows an example of how the permission details are displayed in the terminal.

In Figure 14, we can see 10 highlighted characters in the first column. The first character indicates what kind of entry we are dealing with. A dash (-) represents a regular file, while the letter d indicates a directory (other values you will meet are l for a symbolic link and c or b for a device). In the figure, the d in the first line of the first column indicates a directory (named volatility3), while the dash (-) in the second line represents a file.

Now, let's take a closer look at the ls -l command output. In the first column, we see the sequence drwxr-xr-x. Notice that there are 10 characters in total. After the type character, each of the remaining nine positions stands for one permission bit: read (r), write (w), or execute (x). A bit is set if its letter is shown, and a dash (-) in that position means the bit is clear. Therefore, by examining these nine characters, we can determine the file permissions for the different roles. (An s or t in an execute position means the setuid, setgid, or sticky bit is also set; those special bits are beyond this article.)

These permissions are divided into sets of three. Starting from the left, the first trio represents the permissions for the file owner, the second trio represents the permissions for the group the file belongs to, and the third trio represents the permissions for all other users.

Figure 14. The output of ls -l to the terminal.
Figure 15. The first trio of characters represents owner permissions for the file. Here, grant is the owner.

Set Permissions Based on Role in Linux
Linux offers us the ability to set permissions based on specific roles. There are three main roles: owner, group, and all other users and groups.

Owner role
The owner role refers to the person who owns the file. When we look at the nine permission characters displayed by the ls -l command in a directory, the first set of three is reserved for the owner. These bits determine the permissions and can be set to any combination of read (r), write (w), and execute (x).

In Figure 15, we can see that the file volatility3_install.sh has read, write, and execute permissions set for the owner. In the terminal, the owner role is represented by the character "u".

Group role
The next trio of characters represents the group to which the file belongs. In Figure 16, the file belongs to the grant group. In the command line, the group role is represented by the character "g".

Figure 16. The second trio of characters represents group permissions.

All other users and groups role
The last trio defines the permissions for

the "all other users and groups" role. Figure 17 illustrates these permissions. In the terminal, "all other users" is denoted by the character "o".

Figure 17. The trio of characters that sets the permissions for the "all other users and groups" role.

Modifying Permissions in Linux
Permissions can be modified for files and folders both through the GUI and the terminal. Let's examine how to set permissions in the GUI first, then how to set permissions in the terminal.

Modifying File Permissions in the GUI
Modifying file permissions in the GUI is straightforward. Right-click on a given file, select Properties, and then navigate to the Permissions table, as can be seen in Figures 18 and 19. In the GUI, we can change permissions according to the role (owner, group, and others).

Figure 18. The Properties option when a file is right-clicked on.
Figure 19. Where to modify permissions in Properties in the GUI.

Modifying File Permissions in the Terminal
Inside the Linux terminal, we can change the permissions using the chmod (change mode) command. This powerful command allows us to change permissions for the three role types: owner, group, and all other users. To indicate the role, we use the following symbols: "u" for the owner, "g" for the group, and "o" for all other users ("a" stands for all three at once). To add permissions, we use the plus symbol (+). To remove permissions, we use the minus symbol (-); an equals sign (=) sets the role to exactly the listed permissions, clearing any others. After specifying the role in the command, we need to include the actual permission as a parameter. In the Linux terminal, those are "r" for read permissions, "w" for write permissions, and "x" for execute (run) permissions.

So, to add write permissions for the group role, the command would look like this:

sudo chmod g+w <file>

Only the file's owner and root may change a file's mode, so sudo is needed only when you do not own the file; for your own files, plain chmod is enough and keeps you from running more as root than necessary.

The command's output can be seen in Figure 20, where it displays that the write permission has been successfully added to the group role. Additionally, the group role also has read and execute permissions set.

To remove write permissions from the group role, you can use the following command:

sudo chmod g-w <file>

The output can be seen in Figure 21, where the group role has had the write permission removed.

In a single command, you can modify multiple permissions for a specific role. For example, the following command grants read, write, and execute permissions for the owner role:

sudo chmod u+rwx <file>

Figure 20. The result of the sudo chmod g+w volatility_install.sh command.

Figure 21. The result of the sudo chmod g-w volatility_install.sh command.

The result is shown in Figure 22. The owner has been successfully granted read, write, and execute permissions for the specified file (volatility3_install.sh).

Figure 22. The result of the sudo chmod u+rwx command.

Alternatively, you can add a single permission to multiple roles simultaneously. The command would look like this:

sudo chmod ugo+r

The command adds the read permission to the owner, group, and all other users and groups roles. The results of this command can be seen in Figure 23.

You can also reverse the process and remove a permission from multiple roles at once. For example:

sudo chmod ugo-r

This command removes the read permission from the owner, group, and other users and groups roles.

Figure 23. The result of adding and then removing the read permission for and from multiple roles simultaneously.

This format of using rwx and ugo to denote permissions and users in the chmod command is known as Symbolic Format. However, there is another format, Numeric Format, which offers a faster and simpler way to change permissions. In the Numeric Format, we assign numeric values to each permission (read, write, and execute).

Here are the numerical equivalents for permissions: 4 for read (r), 2 for write (w), and 1 for execute (x). To set permissions, we add these values for each group we want to affect.

For example, if we want to add read (4) and execute (1) permissions, we add those numbers together, resulting in 5. This means that the role we are modifying will have read and execute permissions. We can illustrate this by setting the permissions for the owner role using the number 5. The command will look like this:

sudo chmod 5


When setting permissions numerically, the positions from left to right represent the owner, group, and “all other users and groups” roles. For example, if you want to set read and write permissions for the owner role; read permissions for the group role; and read, write, and execute permissions for the “all other users and groups” role, you can use the following command:

sudo chmod 637

In this case, you add the numerical values for the desired permissions: 4 for read, 2 for write, and 1 for execute. Adding these values for each role results in the numerical representation 637.

Additionally, if you want to set all permissions for all roles, you can use the number 7, which represents the sum of 4 (read), 2 (write), and 1 (execute). The command would look like this:

sudo chmod 777

Figure 24 shows the outcome of executing the command, where all permissions have been granted to all roles.

Figure 24. The result of the sudo chmod 777 volatility3_install.sh command.

In contrast, we can revoke permissions numerically using the “0” character from our numbers set. To remove all permissions from all roles, the command would look like this:

sudo chmod 000

The outcome can be seen in Figure 25, where all permissions have been revoked for all roles.

Figure 25. The results of the sudo chmod 000 volitility_install.sh command.
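The arithmetic behind the Symbolic and Numeric formats, as an added example that is not the guide’s own code: it converts rwx triplets into a three-digit mode and back, then applies each mode to a scratch file with chmod and reads the stored mode back with stat (the GNU stat -c form, with the BSD stat -f form as a fallback). Two checks worth making against the commands above: adding 4+2 for the owner, 4 for the group and 4+2+1 for the others role gives 647, while 637 decodes to rw- for the owner, -wx for the group and rwx for others; and chmod right-aligns a short numeric argument, so a bare 5 is stored as 005, which grants r-x to the others role rather than the owner (owner-only r-x needs all three digits, 500). The function names, loop values and scratch-file handling are my own.

```shell
#!/bin/sh
# Added example, not code from the guide: convert between the symbolic rwx
# form and the numeric (octal) form of chmod modes, then confirm the result
# on a scratch file. Roles are owner, group, others from left to right.

# rwx_to_digit "rw-" -> 6   (r=4, w=2, x=1, added together)
rwx_to_digit() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??x) d=$((d + 1)) ;; esac
    printf '%s' "$d"
}

# perms_to_mode OWNER GROUP OTHERS, e.g. perms_to_mode rw- r-- rwx -> 647
perms_to_mode() {
    printf '%s%s%s' "$(rwx_to_digit "$1")" "$(rwx_to_digit "$2")" "$(rwx_to_digit "$3")"
}

# digit_to_rwx 5 -> r-x   (bitwise test of the 4, 2 and 1 bits)
digit_to_rwx() {
    r='-'; w='-'; x='-'
    [ $(($1 & 4)) -ne 0 ] && r='r'
    [ $(($1 & 2)) -ne 0 ] && w='w'
    [ $(($1 & 1)) -ne 0 ] && x='x'
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_perms 637 -> "rw- -wx rwx". chmod right-aligns a short numeric
# argument, so a bare 5 is 005 ("--- --- r-x"): only the others role changes.
mode_to_perms() {
    m=$1
    while [ ${#m} -lt 3 ]; do m="0$m"; done
    o=${m%??}
    g=${m#?}; g=${g%?}
    t=${m#??}
    printf '%s %s %s' "$(digit_to_rwx "$o")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$t")"
}

# observed_mode MODE: apply MODE to a fresh temporary file with chmod and read
# back what the kernel stored, zero-padded to three digits. stat -c is the GNU
# coreutils form; stat -f is the BSD/macOS fallback.
observed_mode() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" || { rm -f "$f"; return 1; }
    m=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    rm -f "$f"
    while [ ${#m} -lt 3 ]; do m="0$m"; done
    printf '%s' "$m"
}

# Demonstration: the rw-/r--/rwx combination from the guide, the 637 the guide
# gives for it, 777 and 000, and what a bare 5 really sets.
for spec in "rw- r-- rwx" "rwx rwx rwx" "--- --- ---"; do
    set -- $spec
    printf 'perms %s %s %s -> mode %s\n' "$1" "$2" "$3" "$(perms_to_mode "$1" "$2" "$3")"
done
for mode in 637 777 000 5; do
    printf 'mode %s -> perms %s (chmod stores %s)\n' \
        "$mode" "$(mode_to_perms "$mode")" "$(observed_mode "$mode")"
done
```

Run it as an unprivileged user; chmod on a file you own needs no sudo, which is also the case for the guide’s commands when the script file belongs to you.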


Secure Management of Remote Users and Groups


Learn how to manage Linux users and groups remotely without compromising security.

If you need to remotely manage Linux users and groups, this article will detail how to securely do so.

To get started, here are the key ideas and practices to know.

Secure Shell (SSH)

Secure Shell (SSH) is an excellent protocol for connecting to remote systems and running commands on them simply and securely.

While there are GUI applications like TeamViewer available, SSH remains a reliable choice for secure remote access.

To illustrate this, I will explain how I use SSH to connect to Linux machines hosted on AWS in my purple team cloud lab from my Windows workstation.

In Figure 26, you can see how I use SSH to remotely log in to a Linux virtual machine. I frequently use SSH to access my Linux VMs directly from my Windows host machine or other Linux system, as I work on red team and purple team labs that involve both Windows and Linux virtual machines hosted on AWS.

Once connected through SSH, you can run Linux commands directly on that machine. As shown in Figure 26, I have run the ls command on the Linux VM.

Figure 26. This shows how I SSH into a Linux virtual machine that is part of a cloud lab for purple teaming.

The /etc/passwd file

As previously noted, the /etc/passwd file stores essential login information. The file contains a list of the system’s accounts, with each entry providing user-related data such as username, user ID, group ID, home directory, shell, and more. It’s important to restrict write access to the /etc/passwd file to root users. In the password field of each account entry, there should be an “x” character, indicating that an encrypted password exists in the /etc/shadow file.


List all users

To list all users on the system, simply run the following command:

sudo cat /etc/passwd

The command displays a list of all users on the terminal. If you want to save this list to a text file, you can use the standard output redirection operator (>).

Figure 27. When we cat the /etc/passwd file, we can see all users. The root user entry is highlighted.

Figure 28. The rest of the output of the cat /etc/passwd command. We can see our three users: grant, kelly, and Katye.

Manage group membership

For managing group memberships, you have the option of using a GUI application or a command-line tool. To create a new group, you can use the groupadd command. Additionally, there are several other commands available for tasks like creating new groups, deleting existing groups, and modifying group properties.

To add a new user to a group, there are various commands, including:

usermod
useradd
gpasswd

To remove a user from a group, you can use the same commands with the relevant option or switch. You can find the options and switches specific to each command by running the --help option with the command.

Create, modify, and delete user accounts

To remotely manage users and groups from the terminal, you can use the useradd, usermod, and userdel utilities. When you create a user, the default settings are defined in the /etc/login.defs file. In Figure 29, you can see where I use the cat command to output the contents of the /etc/login.defs file.

Figure 29. The output of the sudo cat /etc/login.defs command.

If you need to modify configuration files in Linux, you can use built-in text editors such as Nano (see Figure 30).

Figure 30. The /etc/login.defs file is open in Nano for modification.

Use command-line tools to manage users

Managing users remotely via the command line is a straightforward process. In the previous article on using groups, I highlighted several Linux commands for managing users, like useradd, userdel, usermod, groupadd, groupdel, and groupmod. They can all be used in the command line for remote management of users and groups.

Manage user password requirements

Password management is critical in the overall security of remote systems and users. It is important to establish password policies that force users to create complex and difficult-to-crack passwords. Additionally, the use of a password manager can help users manage their passwords securely.

Linux offers Pluggable Authentication Modules that can be downloaded and integrated into the system. Pluggable Authentication Modules provide Linux system administrators with tools and techniques for authenticating users.

Furthermore, in scenarios where centralized user authentication and login management are needed, you might be using Active Directory or Open-LDAP. In such cases, you would usually configure group policies to enforce password-related rules and policies across the network.

Remotely Managing Groups

Managing groups remotely can present challenges, but luckily, we have many tools at our disposal. To gain a complete understanding of Linux group management, let’s start by exploring the /etc/group file.

The /etc/group file

In Figure 31, you can see where I have used the cat /etc/group command to output the contents of the /etc/group file. To modify the file, you can use a text or code editor like Nano, as can be seen in Figure 32.

Figure 31. The cat command is run on the /etc/group file to show its contents.

Figure 32. The /etc/group file is opened in Nano for configuration.

There are four fields in each entry, from left to right:

group_name (group name)
Password (password, usually held by a placeholder “x” character in the /etc/group file)
GID (Group ID)
Group List (list of all usernames who are members of the group)

Associate a new user with an existing group

As discussed in the previous article on managing users, there are various commands for remotely adding a user to a group, including the usermod, useradd, and gpasswd commands.

Remove a user from a group

When you need to remove a user from a group, you can use the same commands as before but with different switches or options selected. Remember to run the --help command for any command to see the options and switches that are available. The commands typically used for this task include usermod, useradd, and gpasswd.

Create a new group

You can use the groupadd command to create a group.

Change primary group

In Linux, the primary group is a special group assigned by the operating system to files created by the user, and each user must belong to a primary group. Secondary groups are all the other groups to which a user can belong. A user can be a member of up to 15 groups.

To find out a user’s groups, use cat or another command to output or save the contents of the /etc/passwd file, as we discussed earlier. To remotely change a user’s primary group, you can use the commands that we have already mentioned, such as useradd, groupadd, and gpasswd.

Command-Line Tools for Remote Management

You can use a variety of command-line tools for remote management of Linux users and groups. These include the commands that we have already discussed extensively, plus a few others.

For users:

useradd (to add a new user)
usermod (to modify user attributes)
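How the four /etc/group fields and the primary/secondary distinction above fit together, as an added example that is not the guide’s code: it resolves a user’s primary group through the GID field of /etc/passwd and the secondary groups through the member list of /etc/group, which is the same information the groups command reports, and it lists a group’s members from both files. The sample entries, temporary files and function names are mine, not the guide’s. The check it makes explicit: the member list in /etc/group holds only secondary memberships, so a user whose primary group is kelly does not appear on the kelly line, and reading /etc/passwd alone shows only the primary GID, never the secondary groups.

```shell
#!/bin/sh
# Added example, not code from the guide: resolve a user's primary and
# secondary groups from the /etc/passwd and /etc/group layouts, and list a
# group's members. The data below is a constructed sample; pass the real file
# paths (/etc/passwd and /etc/group) to query a host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
grant:x:1000:1000:Grant:/home/grant:/bin/bash
kelly:x:1001:1001:Kelly:/home/kelly:/bin/bash
katye:x:1002:1002:Katye:/home/katye:/bin/bash'

SAMPLE_GROUP='root:x:0:
sudo:x:27:grant
docker:x:999:grant,kelly
grant:x:1000:
kelly:x:1001:
katye:x:1002:'

# sample_files: write both samples to temporary files; prints "PASSWD GROUP".
sample_files() {
    p=$(mktemp) || return 1
    g=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$p"
    printf '%s\n' "$SAMPLE_GROUP" > "$g"
    printf '%s %s' "$p" "$g"
}

# primary_group USER PASSWD GROUP: field 4 of the passwd entry is the primary
# GID; map it to a name through field 3 (GID) of /etc/group.
primary_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
    awk -F: -v g="$gid" '$3 == g { print $1 }' "$3"
}

# secondary_groups USER GROUP: groups whose comma-separated member list
# (field 4 of /etc/group) names the user.
secondary_groups() {
    awk -F: -v u="$1" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$2"
}

# user_groups USER PASSWD GROUP: primary group first, then secondaries,
# space-separated and de-duplicated, the order the groups command prints.
user_groups() {
    { primary_group "$1" "$2" "$3"; secondary_groups "$1" "$3"; } | awk '!seen[$0]++' | paste -s -d ' ' -
}

# group_members GROUP PASSWD GROUPFILE: accounts whose primary GID is the
# group's GID (from passwd) plus the names in the group's member list.
group_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$3")
    {
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$2"
        awk -F: -v g="$1" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$3"
    } | awk '!seen[$0]++' | paste -s -d ' ' -
}

# Demonstration on the constructed sample.
set -- $(sample_files)
passwd_file=$1; group_file=$2
for u in grant kelly katye; do
    echo "$u: $(user_groups "$u" "$passwd_file" "$group_file")"
done
for grp in docker sudo kelly; do
    echo "members of $grp: $(group_members "$grp" "$passwd_file" "$group_file")"
done
rm -f "$passwd_file" "$group_file"
```

The switches behind the --help output the guide points to, for the operations named above, are usermod -g GROUP USER to change the primary group, usermod -aG GROUP USER to append a secondary membership, and gpasswd -a USER GROUP or gpasswd -d USER GROUP to add or remove a member.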


userdel (to delete a user)

For groups:

groupadd (to add a new group)
gpasswd (to manage group passwords)
groupdel (to delete a group)
groupmod (to modify a group)

Infrastructure as Code for Managing Multiple Servers at Scale

For managing multiple servers at scale, IaC tools are invaluable. IaC tools let you use declarative programming languages in scripts, which can be replicated across multiple servers or systems, allowing large-scale management.

One popular IaC tool is Puppet, although there are other IaC offerings available, as well.

When working with IaC tools like Puppet, you will typically configure files that can be replicated across systems. To do this successfully, you must have a basic understanding of how to use text and code editors from the command line in Linux. We have already introduced Nano as a tool, but there are other options available like Vim and Vi.

Tips and Best Practices

Here are several tips and best practices for remotely managing Linux users and groups.

Use Secure Shell (SSH). SSH is a secure protocol for remote management of Linux systems and is highly recommended for secure access.

Verify user and group information. Ensure that user and group information is correct and not duplicated anywhere.

Review password policies. Regularly assess and update password policies and procedures.

Check group membership. Use the groups command to verify a user’s group membership. Simply follow the command with the username to display all the groups the user belongs to, as can be seen in Figure 33.

Figure 33. The output of the groups command when run with my username as an argument. All the groups that I belong to are listed here.

Test in a non-production environment. Test commands in a safe test environment before applying them in a production system.

Review group permissions and home directories. Regularly review group permissions to ensure they have access to the necessary resources. Likewise, manage user home directories and set correct permissions.

Enable shadow passwords. The file that stores encrypted user passwords is the /etc/shadow file and is only accessible by the root user. Storing passwords in the /etc/passwd file is an unsafe practice.
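The /etc/passwd layout described earlier and the checks the tips above call for (shadow passwords in use, no duplicated user information), as an added example that is not the guide’s code. It parses a constructed sample of the file with awk, lists the account names the way cat /etc/passwd shows them, and flags entries whose password field is not the “x” placeholder, any UID 0 account other than root, and UIDs shared by more than one name. The sample entries, the constructed non-hash in the legacy line, the temporary file and the function names are my own; point the functions at /etc/passwd to run the same checks on a real host.

```shell
#!/bin/sh
# Added example, not code from the guide: read /etc/passwd field by field
# (name, password, UID, GID, GECOS, home, shell) and flag the entries an
# auditor wants to see. The data below is constructed sample input; pass the
# real file path to audit a host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
grant:x:1000:1000:Grant:/home/grant:/bin/bash
kelly:x:1001:1001:Kelly:/home/kelly:/bin/bash
katye:x:1002:1002:Katye:/home/katye:/bin/bash
legacy:$6$constructed$NotARealHash:1003:1003:Legacy app:/home/legacy:/bin/sh
svc_admin:x:0:0:Second UID 0 account:/root:/bin/bash
guest::1004:1004:Guest:/home/guest:/bin/bash'

# sample_passwd_file: write the sample to a temporary file and print its path.
sample_passwd_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$f"
    printf '%s' "$f"
}

# list_users FILE: every account name, one per line (field 1), the same list
# "cat /etc/passwd" shows without the other fields.
list_users() {
    cut -d: -f1 "$1"
}

# login_users FILE: accounts that can start an interactive shell, i.e. whose
# shell is not nologin or false.
login_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# unshadowed FILE: field 2 should be "x" when shadow passwords are in use.
# Anything else means the hash, or no password at all, sits in this
# world-readable file instead of root-only /etc/shadow.
unshadowed() {
    awk -F: '$2 != "x" { print $1 ":" ($2 == "" ? "empty-password" : "hash-in-passwd") }' "$1"
}

# extra_uid0 FILE: any account besides root with UID 0 is a second superuser.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# duplicate_uids FILE: UIDs shared by more than one account, as UID:names.
duplicate_uids() {
    awk -F: '{ n[$3]++; who[$3] = (who[$3] == "" ? $1 : who[$3] "," $1) }
             END { for (id in n) if (n[id] > 1) print id ":" who[id] }' "$1" | sort
}

# Demonstration on the constructed sample.
f=$(sample_passwd_file)
echo "users:          $(list_users "$f" | paste -s -d ' ' -)"
echo "login shells:   $(login_users "$f" | paste -s -d ' ' -)"
echo "not shadowed:   $(unshadowed "$f" | paste -s -d ' ' -)"
echo "extra UID 0:    $(extra_uid0 "$f")"
echo "duplicate UIDs: $(duplicate_uids "$f")"
rm -f "$f"
```

On a real host every line of output from unshadowed, extra_uid0 and duplicate_uids is a finding to explain or fix; a clean system prints nothing from those three.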


Use tools like sudo and Pluggable Authentication Modules. Sudo provides fine-grained access control, while Pluggable Authentication Modules offer flexible user authentication.

Use GUI tools where possible. TeamViewer is one example of software available for remote system administration, especially for day-to-day remote management.

Maintain documentation. Keep a detailed user database and documentation for users and groups. Documentation can be valuable for reference and troubleshooting.

Main Takeaways

Whether you are performing actions at scale across multiple systems or managing a single system, Linux provides a range of tools to suit your needs. These tools can be terminal-based, such as SSH, or GUI-based like TeamViewer. Thanks to Linux’s flexibility as an operating system, as well as its support for protocols like SSH, remote administration of users and groups can be straightforward and efficient.

CONTRIBUTORS
Wendy Schuchart
Editor-in-Chief
Brian Holak
Senior Managing Editor
Spencer Smith
Senior Editor
Grant Knoetze
Lead Writer
Tara DeFilippo
Creative Lead
