Ubuntu Server – User Management

Netshock on User Management

Using the root user of your Ubuntu server is never suggested. This is because, if you and several other users are managing a server, you’ll have no record of who did what, also, everyone will have access to do everything.

This probably isn’t a huge issue in the early phases of your application / website deployment, but imagine you’ve grown, your website is making a significant amount of money daily and you’ve started to hire new system administrators.

They all have root access to your servers and one of them decides to make a change. That change brings the system crashing down, you’re website / application goes offline and you have no idea who was responsible.

These issues happen, in the most part, not because of malicious intent by your employee, but rather because they have access to commands and functionality that they do not know or understand.

As is mentioned above, it’s never the best idea. The safer option is to make use of a function called sudo (super user do), which enables the user to temporarily increase their privileges on the system, using their own password, rather than root. This enables you to control which user can carry out each of the server commands and it also means you can track what actions each user is taking.

You can disable the root password (sudo passwd -1 root) and even disable the root account all together (usermod –expiredate 1), all of these commands can be read about further by typing man sudo into your terminal.

User Management

User management on Ubuntu is very straightforward. In order to add a user, you can use the sudo functionality (outlined above) and type sudo adduser username, this will then prompt you to enter lots of information about that user, such as name, phone number etc…

Deleting a user is just as simple (dangerously simple). Again, using the sudo command, you can type sudo deluser username.

Deleting the user is not the same as deleting all the related data for that user. For example, deleting the user John, will not delete John’s home folder – this is useful if you have certain data retention policies that you must adhere to. It does, however, cause an issue if you have a new member of the team called John – if you add that individual with the same username as was used for the original John, they will have access to his home folder. To avoid this, you might want to rename his folder, or create the user with a new user ID.

You can also lock a user account (sudo passwd -l username) or unlock a user account (sudo passwd -u username).

You can also group users. This could be useful as you’d be able to add a user to the HR group & assign system privileges to the users based on what group they’re in. To do that, you’ll first need to create a group (sudo addgroup groupname) – you can, of course, always delete a group too (sudo delgroup groupname).

To add a user to that group simply type sudo adduser username groupname.

Profile security

When you create a new user, they will also have a home directory created for them (under /home/username). This can cause problems as those folders are created with global read and write capability. That means that any user can look in any other users home folder.

In order to check the users home directory status, just type ls -ld /home/username into the terminal. The output is likely to start with something like this: drwxr-xr-x. The three blocks of letters determine the permissions that each user will have. The first block shows the permissions of the directory owner, the second shows the permissions of the group and the final block shows the permissions of all other users.

R = Read
W = Write
X = Execute

To remove the world readable syntax, simply type sudo chmod 0750 /home/username. This will ensure that you’re protecting both the parent and all sub directories.

That’s great, you’ve controlled the access to your user file, but, this should never have been a problem. The best thing you can do is edit the adduser global default permissions which are applied when creating home folders. To do this, find the adduser.conf file located in the /etc/ directory.

Within this folder, modify the DIR_MODE variable to reflect the permissions that you want the users to have. I find that this tool: http://permissions-calculator.org/ is extremely helpful when it comes to finding out which permissions you want to give users.

You can now verify that your changes have worked. You can do this by typing in ls -ld /home/username. Your results should now have changed.

Password Policy

You can implement stringent firewall rules along with other security features, but, if your passwords are poor, all of that is pointless. If you’re going to enable SSH (which I imagine you will), then you will need to implement a strong password policy.

You can control the password policy from the common-password file, located in the /etc/pam.d/ directory.

You can update the minimum length of password by editing the password minlen=8 line to enforce a larger number of characters. It should be noted though, the administrator does not need to adhere to these requirements when creating users.

You can also set your passwords to expire by setting a maximum password age.

Image used under creative commons

This article was brought to you by Netshock. Netshock aim to provide technology guides and insight to our readers.

Tagged under: