{"id":12923,"date":"2019-03-29T03:02:21","date_gmt":"2019-03-29T03:02:21","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=12923"},"modified":"2019-03-29T03:02:21","modified_gmt":"2019-03-29T03:02:21","slug":"managing-users-groups-file-permissions-attributes-and-enabling-sudo-access-on-accounts","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/29\/managing-users-groups-file-permissions-attributes-and-enabling-sudo-access-on-accounts\/","title":{"rendered":"Managing Users &#038; Groups, File Permissions &#038; Attributes and Enabling sudo Access on Accounts"},"content":{"rendered":"<p>Last August, the Linux Foundation started the\u00a0<strong>LFCS<\/strong>\u00a0certification (<strong>Linux Foundation Certified Sysadmin<\/strong>), a brand new program whose purpose is to allow individuals everywhere and anywhere to take an exam in order to get certified in basic to intermediate operational support for Linux systems, which includes supporting running systems and services, along with overall monitoring and analysis, plus intelligent decision-making about when it\u2019s necessary to escalate issues to higher-level support teams.<\/p>\n<div id=\"attachment_9532\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/lfcs-Part-8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9532\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/lfcs-Part-8.png\" alt=\"Linux Users and Groups Management\" width=\"600\" height=\"400\" aria-describedby=\"caption-attachment-9532\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9532\" class=\"wp-caption-text\">Linux Foundation Certified Sysadmin \u2013 Part 8<\/p>\n<\/div>\n<p>Please have a quick look at the following video, which introduces the Linux Foundation Certification Program.<\/p>\n<p><iframe loading=\"lazy\" 
src=\"https:\/\/www.youtube.com\/embed\/Y29qZ71Kicg\" width=\"780\" height=\"439\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p>This article is Part 8 of a 10-tutorial series. In this section we will guide you through managing users, groups and permissions on a Linux system, skills that are required for the LFCS certification exam.<\/p>\n<p>Since Linux is a multi-user operating system (in that it allows multiple users on different computers or terminals to access a single system), you will need to know how to perform effective user management: how to add, edit, suspend, or delete user accounts, along with granting them the necessary permissions to do their assigned tasks.<\/p>\n<h3>Adding User Accounts<\/h3>\n<p>To add a new user account, you can run either of the following two commands as root.<\/p>\n<pre># adduser [new_account]\r\n# useradd [new_account]\r\n<\/pre>\n<p>When a new user account is added to the system, the following operations are performed.<\/p>\n<p><strong>1.<\/strong>\u00a0His\/her home directory is created (<b>\/home\/username<\/b>\u00a0by default).<\/p>\n<p><strong>2.<\/strong>\u00a0The following hidden files are copied into the user\u2019s home directory, and will be used to provide environment variables for his\/her user session.<\/p>\n<pre>.bash_logout\r\n.bash_profile\r\n.bashrc\r\n<\/pre>\n<p><strong>3.<\/strong>\u00a0A mail spool is created for the user at \/var\/spool\/mail\/<b>username<\/b>.<\/p>\n<p><strong>4.<\/strong>\u00a0A group is created and given the same name as the new user account.<\/p>\n<h5>Understanding \/etc\/passwd<\/h5>\n<p>The full account information is stored in the\u00a0<b>\/etc\/passwd<\/b>\u00a0file. 
This file contains a record per system user account and has the following format (fields are delimited by a colon).<\/p>\n<pre>[username]:[x]:[UID]:[GID]:[Comment]:[Home directory]:[Default shell]\r\n<\/pre>\n<ol>\n<li>Fields\u00a0<b>[username]<\/b>\u00a0and\u00a0<b>[Comment]<\/b>\u00a0are self-explanatory.<\/li>\n<li>The\u00a0<b>x<\/b>\u00a0in the second field indicates that the account is protected by a shadowed password (stored in\u00a0<b>\/etc\/shadow<\/b>), which is needed to log on as\u00a0<b>[username]<\/b>.<\/li>\n<li>The\u00a0<b>[UID]<\/b>\u00a0and\u00a0<b>[GID]<\/b>\u00a0fields are integers that represent the User IDentification and the primary Group IDentification to which\u00a0<b>[username]<\/b>\u00a0belongs, respectively.<\/li>\n<li>The\u00a0<b>[Home directory]<\/b>\u00a0indicates the absolute path to\u00a0<b>[username]<\/b>\u2019s home directory, and<\/li>\n<li>The\u00a0<b>[Default shell]<\/b>\u00a0is the shell that will be made available to this user when he or she logs in to the system.<\/li>\n<\/ol>\n<h5>Understanding \/etc\/group<\/h5>\n<p>Group information is stored in the\u00a0<b>\/etc\/group<\/b>\u00a0file. 
Each record has the following format.<\/p>\n<pre>[Group name]:[Group password]:[GID]:[Group members]\r\n<\/pre>\n<ol>\n<li><b>[Group name]<\/b>\u00a0is the name of the group.<\/li>\n<li>An\u00a0<b>x<\/b>\u00a0in\u00a0<b>[Group password]<\/b>\u00a0indicates group passwords are not being used.<\/li>\n<li><b>[GID]<\/b>: same as in \/etc\/passwd.<\/li>\n<li><b>[Group members]<\/b>: a comma separated list of users who are members of\u00a0<b>[Group name]<\/b>.<\/li>\n<\/ol>\n<div id=\"attachment_9522\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/add-user-accounts.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9522\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/add-user-accounts.png\" alt=\"Add User Accounts in Linux\" width=\"493\" height=\"96\" aria-describedby=\"caption-attachment-9522\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9522\" class=\"wp-caption-text\">Add User Accounts<\/p>\n<\/div>\n<p>After adding an account, you can edit the following information (to name a few fields) using the\u00a0<b>usermod<\/b>\u00a0command, whose basic syntax is as follows.<\/p>\n<pre># usermod [options] [username]\r\n<\/pre>\n<h6>Setting the expiry date for an account<\/h6>\n<p>Use the\u00a0<b>--expiredate<\/b>\u00a0flag followed by a date in\u00a0<b>YYYY-MM-DD<\/b>\u00a0format.<\/p>\n<pre># usermod --expiredate 2014-10-30 tecmint\r\n<\/pre>\n<h6>Adding the user to supplementary groups<\/h6>\n<p>Use the combined\u00a0<b>-aG<\/b>, or\u00a0<b>--append<\/b>\u00a0<b>--groups<\/b>\u00a0options, followed by a comma separated list of groups.<\/p>\n<pre># usermod --append --groups root,users tecmint\r\n<\/pre>\n<h6>Changing the default location of the user\u2019s home directory<\/h6>\n<p>Use the\u00a0<b>-d<\/b>, or\u00a0<b>--home<\/b>\u00a0options, followed by the absolute path to the new home directory.<\/p>\n<pre># usermod --home \/tmp 
tecmint\r\n<\/pre>\n<h6>Changing the shell the user will use by default<\/h6>\n<p>Use\u00a0<b>--shell<\/b>, followed by the path to the new shell.<\/p>\n<pre># usermod --shell \/bin\/sh tecmint\r\n<\/pre>\n<h6>Displaying the groups a user is a member of<\/h6>\n<pre># groups tecmint\r\n# id tecmint\r\n<\/pre>\n<p>Now let\u2019s execute all the above commands in one go.<\/p>\n<pre># usermod --expiredate 2014-10-30 --append --groups root,users --home \/tmp --shell \/bin\/sh tecmint\r\n<\/pre>\n<div id=\"attachment_9523\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/usermod-command-examples.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-9523\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/usermod-command-examples-620x161.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/usermod-command-examples-620x161.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/usermod-command-examples.png 896w\" alt=\"usermod Command Examples\" width=\"620\" height=\"161\" aria-describedby=\"caption-attachment-9523\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9523\" class=\"wp-caption-text\">usermod Command Examples<\/p>\n<\/div>\n<p>In the example above, we will set the expiry date of the\u00a0<strong>tecmint<\/strong>\u00a0user account to\u00a0<strong>October 30th, 2014<\/strong>. We will also add the account to the\u00a0<strong>root<\/strong>\u00a0and\u00a0<strong>users<\/strong>\u00a0groups. 
Finally, we will set\u00a0<code>sh<\/code>\u00a0as its default shell and change the location of the home directory to\u00a0<strong>\/tmp<\/strong>.<\/p>\n<p><b>Read Also<\/b>:<\/p>\n<ol>\n<li><a href=\"https:\/\/www.tecmint.com\/add-users-in-linux\/\" target=\"_blank\" rel=\"noopener\">15 useradd Command Examples in Linux<\/a><\/li>\n<li><a href=\"https:\/\/www.tecmint.com\/usermod-command-examples\/\" target=\"_blank\" rel=\"noopener\">15 usermod Command Examples in Linux<\/a><\/li>\n<\/ol>\n<p>For existing accounts, we can also do the following.<\/p>\n<h6>Disabling account by locking password<\/h6>\n<p>Use the\u00a0<b>-L<\/b>\u00a0(uppercase L) or the\u00a0<b>--lock<\/b>\u00a0option to lock a user\u2019s password.<\/p>\n<pre># usermod --lock tecmint\r\n<\/pre>\n<h6>Unlocking user password<\/h6>\n<p>Use the\u00a0<b>-U<\/b>\u00a0(uppercase U) or the\u00a0<b>--unlock<\/b>\u00a0option to unlock a user\u2019s password that was previously locked.<\/p>\n<pre># usermod --unlock tecmint\r\n<\/pre>\n<div id=\"attachment_9524\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/lock-user-in-linux.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-9524\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/lock-user-in-linux-620x224.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/lock-user-in-linux-620x224.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/lock-user-in-linux.png 745w\" alt=\"Lock User in Linux\" width=\"620\" height=\"224\" aria-describedby=\"caption-attachment-9524\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9524\" class=\"wp-caption-text\">Lock User Accounts<\/p>\n<\/div>\n<h6>Deleting user accounts<\/h6>\n<p>You can delete an account (along with its home directory, if it\u2019s owned by the user, and all the files residing therein, and also the mail spool) using the\u00a0<b>userdel<\/b>\u00a0command with the\u00a0<b>--remove<\/b>\u00a0option.<\/p>\n<pre># userdel --remove [username]\r\n<\/pre>\n<h4>Group Management<\/h4>\n<p>Every time a new user account is added to the system, a group with the same name is created with the username as its only member. Other users can be added to the group later. One of the purposes of groups is to implement simple access control on files and other system resources by setting the right permissions on those resources.<\/p>\n<p>For example, suppose you have the following users.<\/p>\n<ol>\n<li>user1 (primary group: user1)<\/li>\n<li>user2 (primary group: user2)<\/li>\n<li>user3 (primary group: user3)<\/li>\n<\/ol>\n<p>All of them need\u00a0<b>read<\/b>\u00a0and\u00a0<b>write<\/b>\u00a0access to a file called\u00a0<b>common.txt<\/b>\u00a0located somewhere on your local system, or maybe on a network share that\u00a0<b>user1<\/b>\u00a0has created. You may be tempted to do something like,<\/p>\n<pre># chmod 660 common.txt\r\nOR\r\n# chmod u=rw,g=rw,o= common.txt [notice the space between the last equal sign and the file name]\r\n<\/pre>\n<div class=\"google-auto-placed ap_container\">\n<p>However, this will only provide\u00a0<b>read<\/b>\u00a0and\u00a0<b>write<\/b>\u00a0access to the owner of the file and to those users who are members of the group owner of the file (<b>user1<\/b>\u00a0in this case). Again, you may be tempted to add\u00a0<b>user2<\/b>\u00a0and\u00a0<b>user3<\/b>\u00a0to group\u00a0<b>user1<\/b>, but that will also give them access to the rest of the files owned by user\u00a0<b>user1<\/b>\u00a0and group\u00a0<b>user1<\/b>.<\/p>\n<p>This is where groups come in handy, and here\u2019s what you should do in a case like this.<\/p>\n<h6>Creating a new group for read and write access to files that need to be accessed by several users<\/h6>\n<p>Run the following series of commands to achieve the goal.<\/p>\n<pre># groupadd common_group # Add a new group\r\n# chown :common_group common.txt # Change the group owner of common.txt to common_group\r\n# usermod -aG common_group user1 # Add user1 to common_group\r\n# usermod -aG common_group user2 # Add user2 to common_group\r\n# usermod -aG common_group user3 # Add user3 to common_group\r\n<\/pre>\n<h6>Deleting a group<\/h6>\n<p>You can delete a group with the following command.<\/p>\n<pre># groupdel [group_name]\r\n<\/pre>\n<p>If there are files owned by\u00a0<b>group_name<\/b>, they will not be deleted, but their group owner will remain set to the\u00a0<b>GID<\/b>\u00a0of the group that was deleted.<\/p>\n<h3>Linux File Permissions<\/h3>\n<p>Besides the basic read, write, and execute permissions that we discussed in\u00a0<a href=\"https:\/\/www.tecmint.com\/compress-files-and-finding-files-in-linux\/\" target=\"_blank\" rel=\"noopener\">Archiving Tools and Setting File Attributes \u2013 Part 3<\/a>\u00a0of this series, there are other less used (but not less important) permission settings, sometimes referred to as \u201c<b>special permissions<\/b>\u201d.<\/p>\n<p>Like the basic permissions discussed earlier, they are set using an octal digit or a letter (symbolic notation) that indicates the type of permission.<\/p>\n<h5>Understanding Setuid<\/h5>\n<p>When the\u00a0<b>setuid<\/b>\u00a0permission is applied to an executable file, a user running the program inherits the effective privileges of the program\u2019s owner. Since this approach can reasonably raise security concerns, the number of files with setuid permission must be kept to a minimum. You will likely find programs with this permission set when a system user needs to access a file owned by root.<\/p>\n<p>Summing up, it isn\u2019t just that the user can execute the binary file, but also that he can do so with root\u2019s privileges. 
For example, let\u2019s check the permissions of\u00a0<b>\/bin\/passwd<\/b>. This binary is used to change the password of an account, and modifies the\u00a0<b>\/etc\/shadow<\/b>\u00a0file. The superuser can change anyone\u2019s password, but all other users should only be able to change their own.<\/p>\n<div id=\"attachment_9525\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/passwd-command.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9525\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/passwd-command.png\" alt=\"passwd Command Examples\" width=\"448\" height=\"64\" aria-describedby=\"caption-attachment-9525\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9525\" class=\"wp-caption-text\">passwd Command Examples<\/p>\n<\/div>\n<p>Thus, any user should have permission to run\u00a0<b>\/bin\/passwd<\/b>, but only root will be able to specify an account. Other users can only change their corresponding passwords.<\/p>\n<div id=\"attachment_9526\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/change-user-password.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9526\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/change-user-password.png\" alt=\"Change User Password in Linux\" width=\"446\" height=\"180\" aria-describedby=\"caption-attachment-9526\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9526\" class=\"wp-caption-text\">Change User Password<\/p>\n<\/div>\n<h5>Understanding Setgid<\/h5>\n<p>When the\u00a0<b>setgid<\/b>\u00a0bit is set, the effective\u00a0<b>GID<\/b>\u00a0of the real user becomes that of the group owner. Thus, any user can access a file under the privileges granted to the group owner of such file. 
In addition, when the setgid bit is set on a directory, newly created files inherit the same group as the directory, and newly created subdirectories will also inherit the setgid bit of the parent directory. You will most likely use this approach whenever members of a certain group need access to all the files in a directory, regardless of the file owner\u2019s primary group.<\/p>\n<pre># chmod g+s [filename]\r\n<\/pre>\n<p>To set the\u00a0<b>setgid<\/b>\u00a0in octal form, prepend the number\u00a0<b>2<\/b>\u00a0to the current (or desired) basic permissions.<\/p>\n<pre># chmod 2755 [directory]\r\n<\/pre>\n<h6>Setting the SETGID in a directory<\/h6>\n<div id=\"attachment_9527\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/add-setgid-to-directory.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-9527\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/add-setgid-to-directory-620x190.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/add-setgid-to-directory-620x190.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/add-setgid-to-directory.png 625w\" alt=\"Add Setgid in Linux\" width=\"620\" height=\"190\" aria-describedby=\"caption-attachment-9527\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9527\" class=\"wp-caption-text\">Add Setgid to Directory<\/p>\n<\/div>\n<h5>Understanding Sticky Bit<\/h5>\n<p>When the \u201c<b>sticky bit<\/b>\u201d is set on files, Linux just ignores it, whereas for directories it has the effect of preventing users from deleting or even renaming the files it contains unless the user owns the directory, the file, or is root.<\/p>\n<pre># chmod o+t [directory]\r\n<\/pre>\n<p>To set the\u00a0<b>sticky bit<\/b>\u00a0in octal form, prepend the number\u00a0<b>1<\/b>\u00a0to the current (or desired) basic permissions.<\/p>\n<pre># chmod 1755 
[directory]\r\n<\/pre>\n<p>Without the sticky bit, anyone able to write to the directory can delete or rename files. For that reason, the sticky bit is commonly found on directories, such as\u00a0<b>\/tmp<\/b>, that are world-writable.<\/p>\n<div id=\"attachment_9528\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/add-sticky-bit-to-directory.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9528\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/add-sticky-bit-to-directory.png\" alt=\"Add Stickybit in Linux\" width=\"576\" height=\"263\" aria-describedby=\"caption-attachment-9528\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9528\" class=\"wp-caption-text\">Add Stickybit to Directory<\/p>\n<\/div>\n<h3>Special Linux File Attributes<\/h3>\n<p>There are other attributes that enable further limits on the operations that are allowed on files. For example, they can prevent a file from being renamed, moved, deleted, or even modified. 
They are set with the\u00a0<a href=\"https:\/\/www.tecmint.com\/chattr-command-examples\/\" target=\"_blank\" rel=\"noopener\">chattr command<\/a>, as follows, and can be viewed using the\u00a0<strong>lsattr<\/strong>\u00a0tool.<\/p>\n<pre># chattr +i file1\r\n# chattr +a file2\r\n<\/pre>\n<p>After executing those two commands,\u00a0<b>file1<\/b>\u00a0will be immutable (which means it cannot be moved, renamed, modified or deleted) whereas\u00a0<b>file2<\/b>\u00a0will enter append-only mode (it can only be opened in append mode for writing).<\/p>\n<div id=\"attachment_9529\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/chattr-command.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9529\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/chattr-command.png\" alt=\"Protect File from Deletion\" width=\"608\" height=\"429\" aria-describedby=\"caption-attachment-9529\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9529\" class=\"wp-caption-text\">Chattr Command to Protect Files<\/p>\n<\/div>\n<h3>Accessing the root Account and Using sudo<\/h3>\n<p>One of the ways users can gain access to the root account is by typing<\/p>\n<pre>$ su\r\n<\/pre>\n<p>and then entering root\u2019s password.<\/p>\n<p>If authentication succeeds, you will be logged on as\u00a0<b>root<\/b>\u00a0with the same current working directory as before. If you want to be placed in root\u2019s home directory instead, run<\/p>\n<pre>$ su -\r\n<\/pre>\n<p>and then enter root\u2019s password.<\/p>\n<div id=\"attachment_9530\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/Enable-Sudo-Access.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9530\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/Enable-Sudo-Access.png\" alt=\"Enable sudo Access on Linux\" width=\"413\" height=\"248\" aria-describedby=\"caption-attachment-9530\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9530\" class=\"wp-caption-text\">Enable Sudo Access on Users<\/p>\n<\/div>\n<p>The above procedure requires that a normal user knows root\u2019s password, which poses a serious security risk. For that reason, the sysadmin can configure the\u00a0<b>sudo<\/b>\u00a0command to allow an ordinary user to execute commands as a different user (usually the superuser) in a very controlled and limited way. Thus, restrictions can be set on a user so as to enable him to run one or more specific privileged commands and no others.<\/p>\n<p><b>Read Also<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/su-vs-sudo-and-how-to-configure-sudo-in-linux\/\" target=\"_blank\" rel=\"noopener\">Difference Between su and sudo User<\/a><\/p>\n<p>To authenticate using\u00a0<b>sudo<\/b>, the user uses his\/her own password. After entering the command, we will be prompted for our password (not the superuser\u2019s) and if the authentication succeeds (and if the user has been granted privileges to run the command), the specified command is carried out.<\/p>\n<p>To grant access to sudo, the system administrator must edit the\u00a0<b>\/etc\/sudoers<\/b>\u00a0file. 
It is recommended that this file be edited using the\u00a0<b>visudo<\/b>\u00a0command instead of opening it directly with a text editor, since visudo locks the file and checks its syntax before saving it.<\/p>\n<pre># visudo\r\n<\/pre>\n<p>This opens the\u00a0<b>\/etc\/sudoers<\/b>\u00a0file using\u00a0<b>vim<\/b>\u00a0(you can follow the instructions given in\u00a0<a href=\"https:\/\/www.tecmint.com\/vi-editor-usage\/\" target=\"_blank\" rel=\"noopener\">Install and Use vim as Editor \u2013 Part 2<\/a>\u00a0of this series to edit the file).<\/p>\n<p>These are the most relevant lines.<\/p>\n<pre>Defaults    secure_path=\"\/usr\/sbin:\/usr\/bin:\/sbin\"\r\nroot        ALL=(ALL) ALL\r\ntecmint     ALL=\/bin\/yum update\r\ngacanepa    ALL=NOPASSWD:\/bin\/updatedb\r\n%admin      ALL=(ALL) ALL\r\n<\/pre>\n<p>Let\u2019s take a closer look at them.<\/p>\n<pre>Defaults    secure_path=\"\/usr\/sbin:\/usr\/bin:\/sbin\"\r\n<\/pre>\n<p>This line specifies the directories that will be searched for commands run through\u00a0<b>sudo<\/b>, and is used to prevent the use of user-controlled directories, which could be abused to harm the system.<\/p>\n<p>The next lines are used to specify permissions.<\/p>\n<pre>root        ALL=(ALL) ALL\r\n<\/pre>\n<ol>\n<li>The first\u00a0<b>ALL<\/b>\u00a0keyword indicates that this rule applies to all hosts.<\/li>\n<li>The second\u00a0<b>ALL<\/b>\u00a0indicates that the user in the first column can run commands with the privileges of any user.<\/li>\n<li>The third\u00a0<b>ALL<\/b>\u00a0means any command can be run.<\/li>\n<\/ol>\n<pre>tecmint     ALL=\/bin\/yum update\r\n<\/pre>\n<p>If no user is specified after the\u00a0<b>=<\/b>\u00a0sign, sudo assumes the root user. 
In this case, user\u00a0<b>tecmint<\/b>\u00a0will be able to run\u00a0<b>yum update<\/b>\u00a0as root.<\/p>\n<pre>gacanepa    ALL=NOPASSWD:\/bin\/updatedb\r\n<\/pre>\n<p>The\u00a0<b>NOPASSWD<\/b>\u00a0directive allows user gacanepa to run\u00a0<b>\/bin\/updatedb<\/b>\u00a0without needing to enter his password.<\/p>\n<pre>%admin      ALL=(ALL) ALL\r\n<\/pre>\n<p>The\u00a0<b>%<\/b>\u00a0sign indicates that this line applies to a group called \u201c<b>admin<\/b>\u201d. The meaning of the rest of the line is identical to that of a regular user. This means that members of the group \u201c<b>admin<\/b>\u201d can run all commands as any user on all hosts.<\/p>\n<p>To see what privileges are granted to you by sudo, use the \u201c<b>-l<\/b>\u201d option to list them.<\/p>\n<div id=\"attachment_9531\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/sudo-access-rules.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-9531\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/sudo-access-rules-620x305.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/sudo-access-rules-620x305.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/sudo-access-rules.png 628w\" alt=\"Sudo Access Rules\" width=\"620\" height=\"305\" aria-describedby=\"caption-attachment-9531\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9531\" class=\"wp-caption-text\">Sudo Access Rules<\/p>\n<\/div>\n<h3>PAM (Pluggable Authentication Modules)<\/h3>\n<p><strong>Pluggable Authentication Modules<\/strong>\u00a0(PAM) offer the flexibility of setting a specific authentication scheme on a per-application and \/ or per-service basis using modules. 
This framework, present on all modern Linux distributions, overcame the problem often faced by developers in the early days of Linux, when each program that required authentication had to be compiled specially to know how to get the necessary information.<\/p>\n<p>For example, with PAM, it doesn\u2019t matter whether your password is stored in\u00a0<strong>\/etc\/shadow<\/strong>\u00a0or on a separate server inside your network.<\/p>\n<p>When the login program needs to authenticate a user, PAM dynamically provides the library that contains the functions for the right authentication scheme. Thus, changing the authentication scheme for the login application (or any other program using PAM) is easy since it only involves editing a configuration file (most likely, a file named after the application, located inside\u00a0<code>\/etc\/pam.d<\/code>, and less likely in\u00a0<code>\/etc\/pam.conf<\/code>).<\/p>\n<p>Files inside\u00a0<code>\/etc\/pam.d<\/code>\u00a0indicate which applications are using PAM natively. 
In addition, we can tell whether a certain application uses PAM by checking whether the PAM library (<strong>libpam<\/strong>) is linked to it:<\/p>\n<pre># ldd $(which login) | grep libpam # login uses PAM\r\n# ldd $(which top) | grep libpam # top does not use PAM\r\n<\/pre>\n<div id=\"attachment_21275\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/Check-Linux-PAM-Library.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-21275\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/Check-Linux-PAM-Library.png\" alt=\"Check Linux PAM Library\" width=\"654\" height=\"106\" aria-describedby=\"caption-attachment-21275\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-21275\" class=\"wp-caption-text\">Check Linux PAM Library<\/p>\n<\/div>\n<p>In the above image we can see that\u00a0<strong>libpam<\/strong>\u00a0has been linked with the login application. This makes sense since this application is involved in the operation of system user authentication, whereas top is not.<\/p>\n<p>Let\u2019s examine the PAM configuration file for\u00a0<strong>passwd<\/strong>\u00a0\u2013 yes, the well-known utility to change users\u2019 passwords. 
It is located at\u00a0<strong>\/etc\/pam.d\/passwd<\/strong>:<\/p>\n<pre># cat \/etc\/pam.d\/passwd\r\n<\/pre>\n<div id=\"attachment_21276\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/PAM-Configuration-File-for-Linux-Password.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-21276\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/PAM-Configuration-File-for-Linux-Password.png\" alt=\"PAM Configuration File for Linux Password\" width=\"516\" height=\"159\" aria-describedby=\"caption-attachment-21276\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-21276\" class=\"wp-caption-text\">PAM Configuration File for Linux Password<\/p>\n<\/div>\n<p>The first column indicates the\u00a0<code>type<\/code>\u00a0of authentication to be used with the\u00a0<code>module-path<\/code>\u00a0(third column). When a hyphen appears before the type, PAM will not write to the system log if the module cannot be loaded because it is missing from the system.<\/p>\n<p>The following authentication types are available:<\/p>\n<ol>\n<li><code>account<\/code>: this module type checks if the user or service has supplied valid credentials to authenticate.<\/li>\n<li><code>auth<\/code>: this module type verifies that the user is who he \/ she claims to be and grants any needed privileges.<\/li>\n<li><code>password<\/code>: this module type allows the user or service to update their password.<\/li>\n<li><code>session<\/code>: this module type indicates what should be done before and\/or after the authentication succeeds.<\/li>\n<\/ol>\n<p>The second column (called\u00a0<code>control<\/code>) indicates what should happen if the authentication with this module fails:<\/p>\n<ol>\n<li><code>requisite<\/code>: if the authentication via this module fails, overall authentication will be denied immediately.<\/li>\n<li><code>required<\/code>\u00a0is similar to requisite, although all other 
listed modules for this service will be called before denying authentication.<\/li>\n<li><code>sufficient<\/code>: if the authentication via this module fails, PAM will still grant authentication even if a previous module marked as required failed.<\/li>\n<li><code>optional<\/code>: if the authentication via this module fails or succeeds, nothing happens unless this is the only module of its type defined for this service.<\/li>\n<li><code>include<\/code>\u00a0means that the lines of the given type should be read from another file.<\/li>\n<li><code>substack<\/code>\u00a0is similar to include, but authentication failures or successes do not cause the exit of the complete module stack, only of the substack.<\/li>\n<\/ol>\n<p>The fourth column, if it exists, shows the arguments to be passed to the module.<\/p>\n<p>The first three lines in\u00a0<strong>\/etc\/pam.d\/passwd<\/strong>\u00a0(shown above) load the\u00a0<strong>system-auth<\/strong>\u00a0module to check that the user has supplied valid credentials (account). 
If so, it allows him \/ her to change the authentication token (password) by giving permission to use passwd (<strong>auth<\/strong>).<\/p>\n<p>For example, if you append<\/p>\n<pre>remember=2\r\n<\/pre>\n<p>to the following line<\/p>\n<pre>password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok\r\n<\/pre>\n<p>in\u00a0<strong>\/etc\/pam.d\/system-auth<\/strong>:<\/p>\n<pre>password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2\r\n<\/pre>\n<p>the last two hashed passwords of each user are saved in\u00a0<strong>\/etc\/security\/opasswd<\/strong>\u00a0so that they cannot be reused:<\/p>\n<div id=\"attachment_21277\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/Linux-Password-Fields.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-21277\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/10\/Linux-Password-Fields.png\" alt=\"Linux Password Fields\" width=\"600\" height=\"228\" aria-describedby=\"caption-attachment-21277\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-21277\" class=\"wp-caption-text\">Linux Password Fields<\/p>\n<\/div>\n<h3>Summary<\/h3>\n<p>Effective user and file management skills are essential tools for any system administrator. In this article we have covered the basics and hope you can use it as a good starting point to build upon. 
Feel free to leave your comments or questions below, and we\u2019ll respond quickly.<\/p>\n<p><a style=\"font-size: 1rem;\" href=\"https:\/\/www.tecmint.com\/manage-users-and-groups-in-linux\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Last August, the Linux Foundation started the\u00a0LFCS\u00a0certification (Linux Foundation Certified Sysadmin), a brand new program whose purpose is to allow individuals everywhere and anywhere to take an exam in order to get certified in basic to intermediate operational support for Linux systems, which includes supporting running systems and services, along with overall monitoring and analysis, plus &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/29\/managing-users-groups-file-permissions-attributes-and-enabling-sudo-access-on-accounts\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Managing Users &#038; Groups, File Permissions &#038; Attributes and Enabling sudo Access on 
Accounts&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-12923","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12923","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=12923"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12923\/revisions"}],"predecessor-version":[{"id":12925,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12923\/revisions\/12925"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=12923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=12923"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=12923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}