INTRO
Today you’re going to set-up another user on your system. You’re going to imagine that this is a help-desk person that you trust to do just a few simple tasks:
- check that the system is running
- check disk space with:
df -h
…but you also want them to be able to reboot the system, because you believe that “turning it off and on again” resolves most problems :-)
You’ll be covering a several new areas, so have fun!
ADDING A USER
Choose a name for your new user - we’ll use “helen” in the examples, so to add this new user:
sudo adduser helen
(Names are case-sensitive in Linux, so “Helen” would be a completely different user)
The “adduser” command works very slightly differently in each distro - if it didn’t ask you for a password for your new user, then set it manually now by:
sudo passwd helen
You will now have a new entry in the simple text database of users: /etc/passwd (check it out with: less), and a group of the same name in the file: /etc/group. A hash of the password for the user is in: /etc/shadow (you can read this too if you use “sudo” - check the permissions to see how they’re set. For obvious reasons it’s not readable to just everyone).
If you’re used to other operating systems it may be hard to believe, but these simple text files are the whole Linux user database and you could even create your users and groups by directly editing these files - although this isn’t normally recommended.
Additionally, adduser will have created a home directory, /home/helen for example, with the correct permissions.
Login as your new user to confirm that everything works. Now while logged in as this user try to run reboot - then sudo reboot.
CLEVER SUDO TRICKS
Your new user is just an ordinary user and so can’t use sudo to run commands with elevated privileges - until we set them up. We could simply add them to a group that’s pre-defined to be able to use sudo to do anything as root - but we don’t want to give “helen” quite that amount of power.
Use ls -l to look at the permissions for the file: /etc/sudoers This is where the magic is defined, and you’ll see that it’s tightly controlled, but you should be able to view it with: sudo less /etc/sudoers You want to add a new entry in there for your new user, and for this you need to run a special utility: visudo
To run this, you can temporarily “become root” by running:
sudo -i
Notice that your prompt has changed to a “#”
Now simply run visudo to begin editing /etc/sudoers - typically this will use nano.
All lines in /etc/sudoers beginning with “#” are optional comments. You’ll want to add some lines like this:
# Allow user "helen" to run "sudo reboot"
# ...and don't prompt for a password
#
helen ALL = NOPASSWD:/sbin/reboot
You can add these line in wherever seems reasonable. The visudo command will automatically check your syntax, and won’t allow you to save if there are mistakes - because a corrupt sudoers file could lock you out of your server!
Type exit to remove your magic hat and become your normal user again - and notice that your prompt reverts to: $
TESTING
Test by logging in as your test user and typing: sudo reboot
Note that you can “become” helen by:
sudo su helen
If your ssh config allows login only with public keys, you’ll need to setup /home/helen/.ssh/authorized_keys - including getting the owner and permissions correct. A little challenge of your understanding of this area!
EXTENSION
If you find this all pretty familiar, then you might like to check and update your knowledge on a couple of related areas:
- Restricting shell access
- Linux Password & Shadow File Formats)
- What’s the difference between ‘useradd’ and ‘adduser’?
- How to create users and groups in Linux from the command line
- Learn how to use the $EDITOR environmental variable to set your default editor to
vim. With this done, ‘‘visudo’’ will use ‘‘vim’’ rather than ‘‘nano’’ for editing.
RESOURCES
- Sudo – An Advanced Howto
- A cartoon that should now make sense!
- Basic Linux Permissions: sudo and sudoers (video)
Some rights reserved. Check the license terms here