Day 4: Master Linux User Management for Secure DevOps & Cloud

| Command | Description | Usage Example |
|---|---|---|
| adduser | Creates a new user with a home directory and default settings. | sudo adduser devuser (Creates a user devuser and prompts for a password) |
| deluser | Deletes a user from the system. | sudo deluser devuser (Removes devuser but keeps the home directory) |
| deluser --remove-home | Deletes a user and removes their home directory. | sudo deluser --remove-home devuser (Removes devuser and its home directory) |
| passwd | Changes a user’s password. | passwd (Changes password for the current user) |
| sudo passwd username | Sets a new password for a specific user. | sudo passwd devuser (Changes password for devuser) |
| passwd --expire username | Forces a user to change their password on the next login. | sudo passwd --expire devuser (Forces devuser to reset password) |
| sudo | Runs a command as a superuser (root). | sudo apt update (Runs the apt update command with admin privileges) |
| sudo su | Switches to the root user. | sudo su (Gives root access until the session ends) |
| usermod -aG sudo username | Adds a user to the sudo group, granting admin rights. | sudo usermod -aG sudo devuser (Gives devuser sudo privileges) |
| sudo -l -U username | Checks what sudo commands a user can execute. | sudo -l -U devuser (Lists allowed sudo commands for devuser) |
| groupadd | Create a new group. | sudo groupadd devops_team |
| gpasswd -a | Add user to a group. | sudo gpasswd -a devuser devops_team |
| gpasswd -M | Add multiple users to a group. | sudo gpasswd -M user1,user2 developers |
| groupdel | Delete a group. | sudo groupdel devops_team |

User management is critical in DevOps & Cloud environments to ensure secure access control, privilege management, and compliance. In this guide, we’ll cover essential user management commands, explain how they work, and walk through real-world examples.

🔹 Why Is User Management Important in DevOps & Cloud?

User management in DevOps & Cloud computing is crucial for:
✅ Access Control – Restrict unauthorized access to cloud instances.
✅ Security – Prevent unauthorized privilege escalation.
✅ Audit & Compliance – Maintain logs for security policies.
✅ Automation – Manage users efficiently in large-scale infrastructure.
✅ Multi-user Collaboration – Assign permissions in a controlled manner.

1. adduser – Add a New User

The adduser command is used to create a new user account.

Why Use It?

  1. To create user accounts for team members in a cloud or DevOps environment.
  2. Assign roles and permissions to users.
  3. Manage user groups and access control.

Usage:

sudo adduser devuser

This command:

  • Creates a new user devuser.
  • Sets up a home directory (/home/devuser).
  • Prompts for a password.
  • Sets the default login shell (/bin/bash).

Example:

sudo adduser cloudadmin

Output:

Adding user `cloudadmin' ...
Adding new group `cloudadmin' (1001) ...
Adding new user `cloudadmin' (1001) with group `cloudadmin' ...
Creating home directory `/home/cloudadmin' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:

2. deluser – Remove a User

The deluser command deletes a user account.

Why Use It?

  • To remove users who no longer need system access.
  • Keep the system secure by removing unused accounts.
  • Manage user lifecycle in cloud deployments.

Usage:

sudo deluser devuser

Note: Removes devuser but keeps home directory and files.

To remove the user and their home directory:

sudo deluser --remove-home devuser

Example:

sudo deluser cloudadmin --remove-home

Output:

Removing user `cloudadmin' ...
Warning: group `cloudadmin' has no more members.

3. passwd – Manage User Passwords

The passwd command sets or changes a user’s password.

Why Use It?

  • Enforce strong authentication in cloud servers.
  • Reset forgotten passwords for users.
  • Secure privileged user accounts.

Usage:

passwd               # Change password for the current user
sudo passwd devuser  # Change password for another user

Example:

sudo passwd cloudadmin

Output:

Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

To expire a password (force user to change password on next login):

sudo passwd --expire cloudadmin

4. sudo – Grant Admin Privileges

The sudo command allows a user to run commands as a superuser.

Why Use It?

  • Provide controlled root access to specific users.
  • Prevent accidental system changes by restricting root access.
  • Implement the Principle of Least Privilege (PoLP).

Usage:

sudo command         # Run command as root
sudo su             # Switch to root user

To add a user to the sudo group:

sudo usermod -aG sudo devuser
# usermod -aG sudo devuser adds devuser to the sudo group.

Example:

sudo usermod -aG sudo cloudadmin

Output:

Adding user `cloudadmin' to group `sudo' ...

To verify sudo access:

sudo -l -U cloudadmin

What are the best practices for managing users and privileges in DevOps?

Answer:

  • Follow the Principle of Least Privilege (PoLP), giving users only the access they need.
  • Use groups to manage permissions instead of assigning permissions to individual users.
  • Regularly audit and remove inactive users.
  • Implement role-based access control (RBAC) using tools like IAM (AWS), sudo groups, or LDAP.

sudo usermod -aG developers devuser
# This adds devuser to the developers group, which has predefined permissions.

Principle of Least Privilege (PoLP)

  • Developer (developer user) should have access only to the Rails application files and database.
  • DevOps (devops user) should have system-wide privileges to manage the server.

User Role Segmentation

| User | Access | Permissions |
|---|---|---|
| developer | App codebase, logs | No sudo access, restricted shell |
| devops | Server configurations, deployment scripts | Sudo access for system administration |

Grant Developer Access Without Admin Rights

Developers should not have root or sudo access but need access to the application directory.

5. useradd – Create a New User

Usage: Adds a new user account to the system.
How It Works:

  • Updates /etc/passwd and /etc/shadow, and creates /home/<username>/ when -m is given.

Example:

sudo useradd -m -s /bin/bash devuser

📌 Best Practice: Use -m to create a home directory automatically.

6. su – Switch User

Usage: Switches to another user account.
How It Works:

  • Requires password authentication.

Example:

su devuser

📌 Best Practice: Use sudo su - username for a full login environment.

7. groupadd – Create a New User Group

Usage: Creates a new user group.
How It Works:

  • Updates /etc/group.

Example:

sudo groupadd devops_team

📌 Best Practice: Use group-based permissions for better security.

8. gpasswd -a – Add User to a Group

Usage: Assigns a user to a group.
How It Works:

  • Updates /etc/group.

Example:

sudo gpasswd -a devuser devops_team

📌 Best Practice: Use groups devuser to verify group membership.

9. gpasswd -M – Add Multiple Users to a Group

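Usage: Adds multiple users to a group. Note that -M sets the group's complete member list, so any existing member not named in the command is removed.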

Example:

sudo gpasswd -M user1,user2 devops_team

📌 Best Practice: Use groups instead of assigning permissions individually.

10. groupdel – Delete a Group

Usage: Removes a group from the system.
How It Works:

  • Deletes the group entry from /etc/group.

Example:

sudo groupdel devops_team

📌 Best Practice: Ensure no users belong to the group before deleting.

Create and Assign Users

Step 1: Create Users

sudo adduser developer
sudo adduser devops

Set strong passwords:

sudo passwd developer
sudo passwd devops

Step 2: Create a Group

sudo groupadd railsapp

Step 3: Assign the Developer to This Group

sudo usermod -aG railsapp developer

Step 4: Set Permissions for the Rails App

sudo chown -R devops:railsapp /var/www/rails_app
sudo chmod -R 770 /var/www/rails_app

  • devops can manage the application.
  • developer can work within /var/www/rails_app but cannot modify system files.

Secure SSH Access

Step 5: Enable Key-Based Authentication

Developers and DevOps should use SSH key authentication instead of passwords.

  • Generate SSH Key:
ssh-keygen -t rsa -b 4096 -C "developer@example.com"
  • Add the public key to the server:
ssh-copy-id developer@server-ip
ssh-copy-id devops@server-ip
  • Disable Password Authentication:
sudo nano /etc/ssh/sshd_config

Set:

PasswordAuthentication no

Restart SSH:

sudo systemctl restart ssh

Monitor User Activities

Step 6: Enable Logging & Auditing

  • Install auditd for user activity tracking:
sudo apt install auditd
  • Log user actions:
sudo auditctl -a always,exit -F arch=b64 -S execve -F key=commands
  • View logs:
sudo ausearch -k commands

Why should we avoid using the default root user for DevOps tasks?

Answer:

  • The root user has unrestricted access, increasing the risk of accidental system changes or security breaches.
  • Attackers commonly target the root account for brute-force attacks.
  • Best practice: Disable direct root login and use sudo for privilege escalation.

Example: Disable root SSH login in /etc/ssh/sshd_config

PermitRootLogin no

Restart SSH service:

sudo systemctl restart ssh

How do you securely manage SSH access for users?

Answer:

  • Disable password authentication and enforce SSH key-based login.
  • Use Jump Hosts or Bastion Servers for controlled SSH access.
  • Rotate SSH keys regularly.
  • Use tools like AWS Systems Manager Session Manager instead of SSH for cloud instances.

Example: Disable password authentication in /etc/ssh/sshd_config:

PasswordAuthentication no

Restart SSH service:

sudo systemctl restart ssh
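
The sshd_config edits shown above (PasswordAuthentication no, PermitRootLogin no) only take effect if no earlier line already sets the same keyword, because sshd uses the first value it reads. The following is an added example, not part of the original guide, that reports that first global value; the function name sshd_global_value and the sample file names are assumptions, and the sample contents are constructed.

```sh
#!/bin/sh
# Added example: which global value does sshd see for a keyword?

# sshd_global_value KEYWORD FILE...
# Prints the first value of KEYWORD found outside any Match block, reading
# FILEs in the order given; prints nothing when the keyword is never set.
sshd_global_value() {
    keyword=$1; shift
    awk -v kw="$keyword" '
        FNR == 1 { in_match = 0 }                 # each file starts in global scope
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || $0 == "" { next }                 # comments and blank lines
        {
            match($0, /^[^ \t=]+/)                # keyword ends at space or "="
            key = tolower(substr($0, 1, RLENGTH)) # keywords are case-insensitive
            val = substr($0, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)       # "Key Value" or "Key=Value"
        }
        key == "match" { in_match = 1; next }     # conditional from here on
        !in_match && key == tolower(kw) { print val; exit }
    ' "$@"
}

# Constructed sample files (assumed names, not from a real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/50-example.conf" <<'EOF'
PasswordAuthentication yes
EOF
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
#PasswordAuthentication yes
PermitRootLogin = no
passwordauthentication no
Match User backup
    AllowTcpForwarding yes
EOF

# Drop-ins are listed first because the stock sshd_config on recent
# Debian/Ubuntu has its Include line at the top, so they are read first.
for k in PasswordAuthentication PermitRootLogin; do
    printf '%s %s\n' "$k" \
        "$(sshd_global_value "$k" "$SAMPLE_DIR/50-example.conf" "$SAMPLE_DIR/sshd_config")"
done
```

In the sample the drop-in still yields PasswordAuthentication yes even though the main file says no. On a live host, sudo sshd -T prints the fully resolved configuration and is the authoritative check.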

How can you monitor and get alerts if any unauthorized access happens?

Answer:

  • Use Fail2Ban or OSSEC to block repeated failed login attempts.
  • Enable auditd to log authentication failures.
  • Use CloudWatch, Prometheus, or ELK (Elasticsearch, Logstash, Kibana) to set up real-time alerts.

Example: Configure Fail2Ban to block repeated SSH failures:

sudo apt install fail2ban
sudo systemctl enable fail2ban
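
What a tool like Fail2Ban looks for can be seen by counting failed password events per source address. This is an added example, not the guide's or Fail2Ban's own code; the function name failed_ssh_sources is hypothetical, the log lines are constructed, and a syslog-style sshd message format is assumed.

```sh
#!/bin/sh
# Added example: count failed SSH password logins per source address.

# failed_ssh_sources LOGFILE [THRESHOLD]
# Prints "count ip" for every source with at least THRESHOLD (default 5)
# "Failed password" events, highest count first.
failed_ssh_sources() {
    log=$1; threshold=${2:-5}
    awk -v min="$threshold" '
        # Read the address from the fixed tail "from IP port N ssh2" so a
        # username that itself contains " from " cannot shift the result.
        / sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" { fails[$(NF-3)]++ }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$log" | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:15:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:03 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 10:15:06 web1 sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Mar  3 10:15:09 web1 sshd[2215]: Failed password for invalid user x from 192.0.2.1 from 203.0.113.7 port 51131 ssh2
Mar  3 10:16:00 web1 sshd[2300]: Accepted publickey for devops from 198.51.100.4 port 40022 ssh2
Mar  3 10:17:12 web1 sshd[2320]: Failed password for developer from 198.51.100.9 port 40100 ssh2
EOF

# Sources with three or more failures in the sample.
failed_ssh_sources "$SAMPLE_LOG" 3
```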

How do you check which users have sudo privileges?

Answer:

  • Use sudo -l -U username to list sudo permissions for a specific user.
  • Check /etc/sudoers or grep the sudo group.

Example:

grep '^sudo:.*$' /etc/group

Lists all users in the sudo group.
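
The grep on /etc/group shows only supplementary members; an account whose primary group is sudo, or a second account with UID 0, does not appear there. The following added example (not from the original guide) reports all three cases from passwd- and group-format files; the function name privileged_accounts is hypothetical and the sample entries are constructed.

```sh
#!/bin/sh
# Added example: accounts that reach root via an admin group or UID 0.

# privileged_accounts PASSWD_FILE GROUP_FILE [GROUP ...]
# Prints sorted "user<TAB>reason" lines; GROUP defaults to sudo.
privileged_accounts() {
    passwd_file=$1; group_file=$2; shift 2
    [ $# -gt 0 ] || set -- sudo
    awk -F: -v want="$(printf '%s,' "$@")" '
        BEGIN {
            n = split(want, g, ",")
            for (i = 1; i <= n; i++) if (g[i] != "") admin[g[i]] = 1
        }
        FNR == NR {                       # first file: group database
            if ($1 in admin) {
                gid[$3] = $1              # remember the admin GID
                m = split($4, u, ",")     # supplementary members
                for (i = 1; i <= m; i++)
                    if (u[i] != "") print u[i] "\tmember of " $1
            }
            next
        }
        # second file: passwd database
        $3 == 0 && $1 != "root" { print $1 "\tUID 0 (root-equivalent)" }
        ($4 in gid)             { print $1 "\tprimary group " gid[$4] }
    ' "$group_file" "$passwd_file" | sort
}

# Constructed sample databases (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
sudo:x:27:devops,cloudadmin
railsapp:x:1003:developer
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
devops:x:1001:1001::/home/devops:/bin/bash
developer:x:1002:1002::/home/developer:/bin/bash
cloudadmin:x:1004:1004::/home/cloudadmin:/bin/bash
deploy:x:1005:27::/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF

privileged_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
```

On a real host the arguments would be /etc/passwd and /etc/group; rules granted directly in /etc/sudoers are outside what this check covers, so sudo -l -U username remains the per-user check.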

What is the best way to grant temporary access to a user?

Answer:

  • Use sudo with a time-based policy (timestamp_timeout).
  • Remove access automatically after a period using at or cron.

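Example: Allow access for 30 minutes, then lock the account's password (the at job is queued with sudo so that usermod runs as root):

echo "usermod -L devuser" | sudo at now + 30 minutes

How do you enforce two-factor authentication (2FA) for SSH users?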

Answer:

  • Install and configure google-authenticator or Duo Security for SSH.

Example: Install Google Authenticator for 2FA:

sudo apt install libpam-google-authenticator
google-authenticator

Update /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes

Restart SSH:

sudo systemctl restart ssh
