Managing User Accounts, Groups, and Restricted Sudo Privileges

Securing a Hovixa VPS begins with the Principle of Least Privilege (PoLP). Running every task as the root user is a significant security risk. Instead, you should create individual user accounts, organize them into functional groups, and grant only the specific sudo (superuser do) permissions required for their roles.

1. User and Group Architecture

In Linux, users are identified by a UID (User ID) and groups by a GID (Group ID). Groups allow you to apply permissions to multiple users simultaneously, which is essential for collaborative environments like a web development team.

Primary Commands:

  • Create a User: sudo adduser username (Interactive and creates a home directory).
  • Create a Group: sudo groupadd developers.
  • Add User to Group: sudo usermod -aG developers username (The -a flag is critical to append, not replace).

2. Understanding the Sudoers File

The /etc/sudoers file defines who can run which commands as which user. You should never edit this file directly with a standard text editor. Always use visudo, which performs a syntax check before saving to prevent you from being locked out of administrative access.

3. Restricting Sudo Privileges

Instead of granting full ALL=(ALL:ALL) ALL access, you can restrict users to specific binaries. For example, you might want a junior dev to be able to restart Nginx but not modify the firewall or view the database.

# 1. Run visudo
sudo visudo

# 2. Grant specific command access to user 'dev_junior'
dev_junior ALL=(ALL) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
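The three sections above (create the account and group, keep edits to sudoers under visudo's syntax check, grant only specific binaries) can be wrapped in one POSIX shell script. The following is an added example, not a Hovixa tool or part of the original article: it assumes a Debian/Ubuntu host with adduser, visudo and systemd, and the names dev_junior and developers are illustrative. Rather than editing /etc/sudoers itself it writes a drop-in under /etc/sudoers.d, which sudo reads by default, and it refuses to install the fragment unless visudo -cf accepts it, so a typo cannot lock you out.

```shell
#!/bin/sh
# Added example (not Hovixa's own tooling): provision a restricted operator
# account on Debian/Ubuntu. User, group and command names are illustrative.
set -eu

# Build one sudoers rule line in the form shown in the article:
#   user ALL=(ALL) /path/cmd args, /path/other args
# Pure string function, so it can be checked without touching the system.
make_sudoers_rule() {
    user="$1"; shift
    rule="$user ALL=(ALL)"
    sep=" "
    for cmd in "$@"; do
        rule="$rule$sep$cmd"
        sep=", "
    done
    printf '%s\n' "$rule"
}

# Write a rule to /etc/sudoers.d/<name> only after `visudo -cf` has accepted
# it. Drop-in names must not contain '.' or '~' or sudo silently skips them.
install_sudoers_fragment() {
    name="$1"; rule="$2"
    tmp=$(mktemp)
    printf '%s\n' "$rule" > "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        # sudo requires fragments to be root-owned and not world-writable.
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
        rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "sudoers fragment '$name' rejected by visudo, not installed" >&2
        return 1
    fi
}

# Create the group and user if missing, append the user to the group
# (-aG, never plain -G), install the rule, then audit it with `sudo -l -U`.
# The account is created without a password; add an SSH key afterwards.
provision_restricted_user() {
    user="$1"; group="$2"; shift 2
    getent group "$group" >/dev/null || groupadd "$group"
    id "$user" >/dev/null 2>&1 || adduser --disabled-password --gecos '' "$user"
    usermod -aG "$group" "$user"
    rule=$(make_sudoers_rule "$user" "$@")
    install_sudoers_fragment "$user" "$rule"
    sudo -l -U "$user"
}

# Nothing is changed on the host unless run as root with --apply.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "--apply" ]; then
    provision_restricted_user dev_junior developers \
        "/usr/bin/systemctl restart nginx" \
        "/usr/bin/systemctl status nginx"
fi
```

Run it as root with --apply; the final sudo -l -U output should list exactly the two systemctl commands and nothing else. Because the commands are joined verbatim, passing "NOPASSWD: /usr/bin/rsync" as the first command produces the passwordless form from section 5; the same visudo check applies before it is installed.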

4. User Management Command Matrix

Each entry gives the requirement, the command, and its technical impact:

  • Lock Account: sudo passwd -l [user] (Prevents login without deleting data).
  • Force Password Change: sudo chage -d 0 [user] (User must change password on next login).
  • Delete User & Home: sudo deluser --remove-home [user] (Permanently removes user and their files).
  • Check User Groups: groups [user] (Lists all group memberships for a user).

5. Technical Implementation Details

  • The Sudo Group: On Ubuntu/Debian, users in the sudo group have full privileges. On AlmaLinux/CentOS, this group is named wheel.
  • Passwordless Sudo: For automation (like backup scripts), you can allow a command without a password prompt: username ALL=(ALL) NOPASSWD: /usr/bin/rsync. Use this sparingly as it bypasses a key security layer, and keep in mind that a tool which reads and writes arbitrary files as root, such as rsync, gives the account close to full root; where possible, point the rule at a wrapper script with fixed arguments instead of the bare binary.
  • The /etc/shadow File: Password hashes and aging information are stored here. Ensure permissions are set to 600 (root only) to prevent credential harvesting; Debian and Ubuntu ship it as 640 with group shadow, which is equally unreadable to ordinary users. Check with ls -l /etc/shadow that no permission bits are set for "other".

Sysadmin Advice: Use sudo -l as the target user (or sudo -l -U username from an administrator account) to verify their effective permissions. It will list exactly what commands that specific user is authorized to run, allowing you to audit your restricted sudo rules instantly.
