The root user is all-powerful and has access to all commands. It has the power to read, write and execute absolutely anything on your server. It is better to disable direct root access to you box and instead log in as another user with more limited privileges. When you need to undertake administrative tasks, you can temporarily elevate to superuser privileges by prefixing commands with the
sudo command. Examples:
sudo apt-get install <package>
sudo program is shipped by default with most Linux distributions, but not all. You will need to install it if it is not part of your distribution. The command for Debian/Ubuntu is:
apt-get install sudo
yum install sudo
In the following instructions, commands that require root privileges have the
sudo prefix. The instructions use low-level
user* commands and so should work on most Linux distributions. There is a higher-level program called
adduser which is recommended for administration of user accounts on Debian-based distributions, including Ubuntu. Instructions for
adduser are at the bottom of this tutorial.
To create a new Linux user account, type the following commands, replacing "<username>" with the actual username. For username, I prefer to use people's full names, e.g. "kieranpotts".
sudo useradd <username> sudo passwd <username>
Create the user's password at the prompt. My preference is to use 12-character strings consisting of a-z, A-Z, 0-9 and special characters. The random.org string generator is an excellent tool for making strong random passwords.
useradd command accepts a wide variety of parameters.
-d <home_dir> sets the user's home directory, which by default would be
useradd -d /home/<custom_dir> <username>
To create a user without a home directory (something that you might want to do for security reasons):
useradd -M <username>
-e <date> sets the date when the account will expire;
useradd -e 2017-12-31 <username>
More useful still is a feature that allows you to specify an expiry time for the user's password. User accounts effectively become inactive when their passwords expire, unless an administrator extends the expiry time. The
-f argument takes an integer for the number of days that the password will remain valid.
useradd -f <username>
In Linux, each user has its own UID (Unique Identification Number). By default, the UID is assigned automatically when you create a new user account (starting at UID 500, 501, 502...). Specify the UID with the
useradd -u 999 <username>
Users can be immediately added to one or more groups with the
-G option. Groups are covered in more detail below.
useradd -G admins,webmasters,hostmasters <username>
-c flag allows you to add comments to a user account. You may use this feature to log a user's full name or employee ID, for example.
useradd -c "Any comment here" <username>
Finally, sometimes you will create user accounts that will not be used for the purpose of logging in. You can assign different shells to users, and in the following example the user account is given the
useradd -s /sbin/nologin <username>
Once a user is created, all of the user account details can be seen in the
/etc/passwd file. The following command is also useful for retrieving security information about an account, such as when the password expires or was last changed.
Changing user accounts
To rename a user:
sudo usermod -l <newusername> <oldusername>
usermod command accepts the same parameters as
useradd. To change a user's password, run
To change the user's home directory and move all the files over from the old home directory:
sudo usermod -d /home/<newhomedir> -m <newusername>
After this command, you can delete the user's old home directory.
sudo rm -rf /home/<oldhomedir>
Use the following command to delete user accounts. The
-r flag removes the user's home directory, too.
sudo userdel -r <username>
In Linux, user groups are a way of organising users. Group membership is administered through the
/etc/group file. To create a new user group, use the
sudo groupadd <group_name>
sudo groupadd webmasters
To add a user to a group:
sudo usermod -G <group_name> <username>
To list all users in a group:
getent group <group_name>
To rename a user group:
sudo groupmod -n <newname> <oldname>
Every user has a default or primary group, which is what they join automatically when they login. When a user creates a file or launches a program, the file or the running process will be associated with the user's current group membership. To create files or run programs in a different group, the user must first call
chgrp to switch to another group (of which they must be a member).
newgrp command has the same effect and works in the same way.
If the user will need root-level privileges, add the user to the sudoers group. In Ubuntu, this group is appropriately called "sudo", while in CentOS it is known as the "wheel" group.
sudo usermod -aG sudo <username> sudo usermod -aG wheel <username>
Limited user accounts that are part of the sudo/wheel group can switch to full administrator privilges by prepending administrator commands with "
Or, to switch to the root user for the remainder of the session:
sudo su -
To logout of the root user account and return to your own, type "
The sudoers file at
/etc/sudoers provides a list of users that have root-level privileges. The file should not be edited directly with a text editor because if you make a mistake with the configuration you could lock out all users from the box entirely. Instead, use the
visudo command to edit the sudoers configuration.
For security, all
sudo commands require password entry to confirm the action. To receive an email whenever someone uses
sudo, you will need to extend the sudoers configuration. Again, rather than edit the
/etc/sudoers file directly, you should create an extension file in the
/etc/sudoers.d directory. Any files in the
/etc/sudoers.d directory will be automatically included and will extend the default configuration from
Create a new file at
sudo nano /etc/sudoers.d/sudoers
Add the following lines to the file:
Defaults mail_always Defaults mailto="<email_address>"
Close and save the file, then set permissions on the file:
sudo chmod 0440 /etc/sudoers.d/sudoers
You'll need to install a mailserver application if you have not already.
sendmail is as good as any. Use the
apt package managers to install it.
Test the configuration by running some commands with
sudo. Just listing the contents of the current directory should be enough to trigger the email alert.
sudo ls -lha
adduser program provides a high-level API that wraps the various low-level
user* commands. It is shipped with some Debian/Ubuntu distributions by default and is recommended for administration of user accounts on those distributions.
To add a user with
sudo adduser <username>
This single command:
- creates a new user account;
- creates a home directory for the user (
/home/<username>) and copies default files from
- creates a group with the same name as the user and add the user to the group;
- prompts for the user's password; and
- prompts for additional information about the user including her full name.
To add a user to a custom group:
sudo adduser <username> <group_name>
I recommend that you harden SSH access by disabling root access and requiring everyone to use private keys to login, in place of passwords.