Adding and removing users on a Linux system is one of the most important system administration tasks to familiarize yourself with. When you create a new system, you are often only given access to the root account by default.
To complete this tutorial, you will need access to a server running Ubuntu 20.04. Ensure that you have root access to the server and a firewall enabled. To set this up, follow our Initial Server Setup Guide for Ubuntu 20.04.
By default, a new user is only in their own group because adduser creates this in addition to the user profile. A user and its own group share the same name. In order to add the user to a new group, you can use the usermod command:
Using visudo is the only recommended way to make changes to /etc/sudoers because it locks the file against multiple simultaneous edits and performs a validation check on its contents before overwriting the file. This helps to prevent a situation where you misconfigure sudo and cannot fix the problem because you have lost sudo privileges.
Traditionally, visudo opened /etc/sudoers in the vi editor, which can be confusing for inexperienced users. By default on new Ubuntu installations, visudo will use the nano text editor, which provides a more convenient and accessible text editing experience. Use the arrow keys to move the cursor, and search for the line that reads like the following:
You should now have a fairly good handle on how to add and remove users from your Ubuntu 20.04 system. Effective user management will allow you to separate users and give them only the access that they need to do their job.
User management is a critical part of maintaining a secure system. Ineffective user and privilege management often leads to a system being compromised. Therefore, it is important that you understand how to protect your server through simple and effective user account management techniques.
Ubuntu developers decided to disable the administrative root account by default in all Ubuntu installations. This does not mean that the root account has been deleted, or that it may not be accessed. Instead, it has been given a password hash that matches no possible value, and so may not log in directly by itself.
By default, the initial user created by the Ubuntu installer is a member of the group sudo which is added to the file /etc/sudoers as an authorised sudo user. To give any other account full root access through sudo, add them to the sudo group.
Managing local users and groups differs very little from most other GNU/Linux operating systems. Ubuntu and other Debian-based distributions encourage the use of the adduser package for account management.
When a new user is created, the adduser utility creates a brand new home directory named /home/username. The default profile is modelled after the contents found in the directory of /etc/skel, which includes all profile basics.
If your server will be home to multiple users, you should pay close attention to the user home directory permissions to ensure confidentiality. By default, user home directories in Ubuntu are created with world read/execute permissions. This means that all users can browse and access the contents of other users' home directories, which may not be suitable for your environment.
Note:
Some people use the recursive option (-R) indiscriminately, which modifies all child folders and files. However, this is not necessary and may have undesirable/unintended consequences. Modifying only the parent directory is enough to prevent unauthorised access to anything below the parent.
A more efficient approach would be to modify the adduser global default permissions when creating user home folders. To do this, edit the /etc/adduser.conf file and modify the DIR_MODE variable to something appropriate, so that all new home directories will receive the correct permissions.
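The check described above, as an added example that is not part of the original guide: a shell audit that reads the current DIR_MODE from an adduser.conf-style file and lists regular users' home directories that still grant any permission to "other". The function names, the UID >= 1000 cut-off for regular accounts and the 0750 value in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit home-directory permissions (function names are hypothetical).
# Assumptions: GNU stat, and regular accounts have UID >= 1000 (65534 is "nobody").

# Print the DIR_MODE value set in an adduser.conf-style file (last setting wins).
adduser_dir_mode() {
    sed -n 's/^[[:space:]]*DIR_MODE=\([0-7]\{3,4\}\).*/\1/p' \
        "${1:-/etc/adduser.conf}" | tail -n 1
}

# Print "user mode path" for every regular user's home directory that still
# grants any permission to "other" (last octal digit of the mode is not 0).
list_world_accessible_homes() {
    local passwd_file="${1:-/etc/passwd}"
    local user _pw uid _gid _gecos home _shell mode
    while IFS=: read -r user _pw uid _gid _gecos home _shell; do
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        [ "$uid" -ge 1000 ] && [ "$uid" -ne 65534 ] || continue
        [ -d "$home" ] || continue
        mode=$(stat -c '%a' "$home") || continue
        case "$mode" in
            *0) ;;                                      # no access for "other"
            *)  printf '%s %s %s\n' "$user" "$mode" "$home" ;;
        esac
    done < "$passwd_file"
}

# Usage on a live system:
#   adduser_dir_mode                  # default mode for newly created homes
#   list_world_accessible_homes       # existing homes to review
# Tighten one directory without -R (0750 is an example value):
#   sudo chmod 0750 /home/username
```

Changing DIR_MODE only affects homes created afterwards, so the second function is what finds the existing directories that still need a one-off chmod on the parent.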
A strong password policy is one of the most important aspects of your security posture. Many successful security breaches involve simple brute force and dictionary attacks against weak passwords.
If you intend to offer any form of remote access involving your local password system, make sure you address minimum password complexity requirements, maximum password lifetimes, and frequent audits of your authentication systems.
By default, Ubuntu requires a minimum password length of 6 characters, as well as some basic entropy checks. These values are controlled in the file /etc/pam.d/common-password, which is outlined below.
Many applications use alternate authentication mechanisms that can be easily overlooked by even experienced system administrators. Therefore, it is important to understand and control how users authenticate and gain access to services and applications on your server.
Restrict SSH access to only user accounts that should have it. For example, you may create a group called sshlogin and add the group name as the value associated with the AllowGroups variable located in the file /etc/ssh/sshd_config:
Most enterprise networks require centralised authentication and access controls for all system resources. If you have configured your server to authenticate users against external databases, be sure to disable the user accounts both externally and locally. This way you ensure that local fallback authentication is not possible.
I would like to see if anyone had suggestions on how to retry to create this user using cloud-init or any other process. NOTE: I will be isolated from any USB/HDMI ports, so creating a system-user assertion via USB/keyboard will not be possible.
cloud-init, while it works for this too, is rather focused on automated cloud installs and adds some extra overhead. But if you have no access to the device at all it might be the best way (beyond simply dumping a user assertion into /writable/system-data/var/lib/snapd/seed/assertions during the flash process while you install the image to the system).
Hi @andreas, I believe you are correct in creating the system user assertion. What you need to do (instead of placing the assertion file into the root directory of the USB) is, after creating the Ubuntu Core image, mount the image.
Then add the user to the wheel group. Adding and removing users with administrative privileges now becomes a function of remembering to add them to wheel, instead of creating an entry in sudo. The great thing about using wheel is that you can extend this mechanism into other authentication schemes that support groups, i.e. winbind/Active Directory, and reap the benefits in the process. You would accomplish this by mapping wheel to a group in your authentication schema that has admin privileges.
I have to give a point to Bart Silverstrim for pointing out that Ubuntu uses admin as the group for this purpose. He got to this first, although I didn't notice an Ubuntu tag at the time. Again, it all depends on what distribution you are using.
See that third entry as zero? When you log into that account, you are, for all effective purposes, root. I do not recommend this. If you do not remember "who" you are, you can create all kinds of havoc as you start creating and touching files as root. You could also add your username to the root group. This has the same effect for file access but it creates other issues; programs will notice you are not user root and refuse to run, but you will gain access to files that belong to group root.
If you did this, you did use vipw instead of just editing with vi, right? (or whatever your favorite text editor is) After all, a single typo in this file can lock you out of your system - and that means a physical visit to the computer in question with a repair disc...
Well you may create user with adduser, see man adduser.
After you can add it to a privileged group like root, or wheel. But I think that the most recommended way to have some permission is using sudo.
The "ugly and messy" way is to edit /etc/passwd to have UID=0 AND GID=0 for the new user. But this poses a LOT of security risks. You do know that if he is also root he may disable your account, change your password, make you a "standard user"... right? So why not just give him your own account?
The Docker daemon binds to a Unix socket, not a TCP port. By default it's the root user that owns the Unix socket, and other users can only access it using sudo. The Docker daemon always runs as the root user.
If you don't want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group. On some Linux distributions, the system automatically creates this group when installing Docker Engine using a package manager. In that case, there is no need for you to manually create the group.
Many modern Linux distributions use systemd to manage which services start when the system boots. On Debian and Ubuntu, the Docker service starts on boot by default. To automatically start Docker and containerd on boot for other Linux distributions using systemd, run the following commands:
You can use systemd unit files to configure the Docker service on startup, for example to add an HTTP proxy, set a different directory or partition for the Docker runtime files, or other customizations. For an example, see Configure the daemon to use a proxy.
Docker provides logging drivers for collecting and viewing log data from all containers running on a host. The default logging driver, json-file, writes log data to JSON-formatted files on the host filesystem. Over time, these log files expand in size, leading to potential exhaustion of disk resources.
Can you get into single user (maintenance) mode on the rhel machine? From there you should be able to reset the root or user passwords and not have to boot another OS. Unless you need tools from the ubuntu stick this may be faster.
You can add new users on a Linux system by booting up a Linux on a USB stick (with the same 32- or 64-bit OS), mounting some directories, chrooting into the Linux distro so that you can add users and permissions, unmounting the directories, and powering down. When you boot up, the additional users are available for use.