How to Configure Users and Permissions on Linux

User and permission management is fundamental to Linux system administration and security. This comprehensive guide explains how to create, modify, and manage users, groups, and file permissions on Linux servers, ensuring proper access control and system security through effective user configuration and permission management strategies.

Table of Contents

Prerequisites

Before configuring users and permissions, ensure you have:

  • Linux server (Ubuntu, Debian, CentOS, Rocky Linux, or similar)
  • Root access or sudo privileges
  • SSH access to the server
  • Basic understanding of Linux command line
  • Familiarity with terminal text editors (nano, vi, or vim)
  • Understanding of basic security concepts

Understanding Linux User and Permission System

Linux is a multi-user operating system with a robust permission model that controls access to files, directories, and system resources.

User Types

Root user (superuser):

  • UID (User ID): 0
  • Has unrestricted access to all system resources
  • Can perform any operation on the system
  • Should not be used for routine tasks

System users:

  • UIDs: Typically 1-999 (varies by distribution)
  • Used by services and daemons
  • Usually have no login shell (/sbin/nologin)
  • Examples: www-data, mysql, nginx

Regular users:

  • UIDs: Typically 1000 and above
  • Normal user accounts for humans
  • Have home directories (usually /home/username)
  • Can be granted sudo privileges for administrative tasks

Permission Model

Linux permissions operate on three levels:

  1. User (u): The file owner
  2. Group (g): Users in the file's group
  3. Others (o): Everyone else

Each level can have three types of permissions:

  • Read (r): View file contents or list directory contents
  • Write (w): Modify file or add/remove files in directory
  • Execute (x): Run file as program or access directory

Important System Files

  • /etc/passwd: User account information
  • /etc/shadow: Encrypted passwords (readable only by root)
  • /etc/group: Group information
  • /etc/gshadow: Encrypted group passwords
  • /etc/sudoers: Sudo configuration
  • /etc/login.defs: Default settings for user creation

Step 1: Managing User Accounts

Creating New Users

# Create user with default settings (Ubuntu/Debian)
sudo adduser username

# Create user with default settings (CentOS/Rocky Linux)
sudo useradd -m username
sudo passwd username

# Create user with specific UID and shell
sudo useradd -m -u 1500 -s /bin/bash username

# Create user with specific home directory
sudo useradd -m -d /custom/home/path username

# Create user with specific group
sudo useradd -m -g groupname username

# Create user with multiple groups
sudo useradd -m -G group1,group2,group3 username

# Create system user (for services)
sudo useradd -r -s /sbin/nologin servicename

Explanation of useradd options:

  • -m: Create home directory
  • -u: Specify user ID
  • -s: Set login shell
  • -d: Set home directory path
  • -g: Set primary group
  • -G: Set supplementary groups
  • -r: Create system account
  • -c: Add comment (full name)
  • -e: Set expiration date

Example: Create user with full options:

# Create comprehensive user account
sudo useradd -m \
  -u 2000 \
  -g developers \
  -G sudo,docker,www-data \
  -s /bin/bash \
  -c "John Doe" \
  -e 2025-12-31 \
  johndoe

# Set password
sudo passwd johndoe

Viewing User Information

# Display user information
id username

# View detailed user information
getent passwd username

# List all users
cat /etc/passwd

# List only regular users (UID >= 1000)
awk -F: '$3 >= 1000 {print $1}' /etc/passwd

# Display current logged-in user
whoami

# Show who is logged in
who
w

# View user's last login
last username
lastlog -u username

Modifying User Accounts

# Change user's full name
sudo usermod -c "Jane Smith" username

# Change user's login shell
sudo usermod -s /bin/zsh username

# Change user's home directory
sudo usermod -d /new/home/path username

# Move home directory contents
sudo usermod -d /new/home/path -m username

# Lock user account (disable login)
sudo usermod -L username
# Or
sudo passwd -l username

# Unlock user account
sudo usermod -U username
# Or
sudo passwd -u username

# Set account expiration date
sudo usermod -e 2025-12-31 username

# Add user to supplementary group
sudo usermod -aG groupname username

# Replace user's supplementary groups
sudo usermod -G group1,group2 username

# Change user's UID
sudo usermod -u 2500 username

Deleting Users

# Delete user (keep home directory)
sudo userdel username

# Delete user and home directory
sudo userdel -r username

# Delete user, home directory, and mail spool
sudo userdel -r -f username

# Find and remove user's files across system
sudo find / -user username -delete

# Find files owned by user before deletion
sudo find / -user username -ls

Important: Always backup important data before deleting users.

Password Management

# Change password for current user
passwd

# Change password for another user (as root)
sudo passwd username

# Force password change on next login
sudo passwd -e username
sudo chage -d 0 username

# Set password expiration
sudo chage -M 90 username

# Set password minimum age
sudo chage -m 7 username

# Set password warning period
sudo chage -W 14 username

# View password expiration info
sudo chage -l username

# Generate random password
openssl rand -base64 12

# Or using pwgen
sudo apt install pwgen -y  # Ubuntu/Debian
sudo dnf install pwgen -y  # CentOS/Rocky
pwgen 16 1

Step 2: Managing Groups

Groups allow you to manage permissions for multiple users efficiently.

Creating Groups

# Create new group
sudo groupadd groupname

# Create group with specific GID
sudo groupadd -g 5000 groupname

# Create system group
sudo groupadd -r systemgroup

Viewing Group Information

# List all groups
cat /etc/group

# View groups for specific user
groups username

# Display current user's groups
groups

# View detailed group information
getent group groupname

# List group members
getent group groupname | cut -d: -f4

Modifying Groups

# Rename group
sudo groupmod -n newname oldname

# Change group GID
sudo groupmod -g 6000 groupname

# Add user to group
sudo usermod -aG groupname username

# Add multiple users to group
for user in user1 user2 user3; do
    sudo usermod -aG groupname $user
done

# Remove user from group
sudo gpasswd -d username groupname

# Set group password (rarely used)
sudo gpasswd groupname

Deleting Groups

# Delete group
sudo groupdel groupname

# Find files owned by group before deletion
sudo find / -group groupname -ls

Primary vs Supplementary Groups

# View user's primary group
id -gn username

# View all groups (primary + supplementary)
id -Gn username

# Change user's primary group
sudo usermod -g newprimarygroup username

Example: Organize users by department:

# Create department groups
sudo groupadd developers
sudo groupadd designers
sudo groupadd marketing

# Create users and assign to groups
sudo useradd -m -G developers alice
sudo useradd -m -G developers bob
sudo useradd -m -G designers charlie
sudo useradd -m -G marketing diana

# Add shared access
sudo usermod -aG www-data alice
sudo usermod -aG www-data bob

Step 3: Understanding File Permissions

Reading Permission Notation

# List files with permissions
ls -l filename

# Example output:
# -rw-r--r-- 1 user group 4096 Jan 10 10:00 file.txt
#  │││││││││
#  ││││││││└─ Others execute
#  │││││││└── Others write
#  ││││││└─── Others read
#  │││││└──── Group execute
#  ││││└───── Group write
#  │││└────── Group read
#  ││└─────── User execute
#  │└──────── User write
#  └───────── User read

First character indicates file type:

  • -: Regular file
  • d: Directory
  • l: Symbolic link
  • c: Character device
  • b: Block device
  • s: Socket
  • p: Named pipe

Permission Numeric Values

Permissions can be expressed in octal (numeric) notation:

  • Read (r): 4
  • Write (w): 2
  • Execute (x): 1

Common permission combinations:

  • 0: --- (no permissions)
  • 1: --x (execute only)
  • 2: -w- (write only)
  • 3: -wx (write and execute)
  • 4: r-- (read only)
  • 5: r-x (read and execute)
  • 6: rw- (read and write)
  • 7: rwx (read, write, and execute)

Common permission sets:

  • 644: -rw-r--r-- (user: rw, group: r, others: r) - Standard file
  • 755: -rwxr-xr-x (user: rwx, group: rx, others: rx) - Executable/directory
  • 700: -rwx------ (user: rwx, group: none, others: none) - Private
  • 600: -rw------- (user: rw, group: none, others: none) - Private file
  • 777: -rwxrwxrwx (all: rwx) - Full access (insecure, avoid)

Directory Permissions

For directories, permissions have different meanings:

  • Read (r): List directory contents
  • Write (w): Create, delete, rename files in directory
  • Execute (x): Access directory (cd into it)
# Common directory permissions
# 755: Standard directory (accessible to all, writable by owner)
# 775: Shared directory (writable by owner and group)
# 700: Private directory (accessible only by owner)
# 1777: Public directory with sticky bit (like /tmp)

Step 4: Modifying File Permissions with chmod

The chmod (change mode) command modifies file and directory permissions.

Symbolic Mode

# Add permission
chmod u+x file.txt          # Add execute for user
chmod g+w file.txt          # Add write for group
chmod o+r file.txt          # Add read for others
chmod a+x file.txt          # Add execute for all

# Remove permission
chmod u-x file.txt          # Remove execute from user
chmod g-w file.txt          # Remove write from group
chmod o-r file.txt          # Remove read from others
chmod a-x file.txt          # Remove execute from all

# Set exact permission
chmod u=rw file.txt         # User: read+write only
chmod g=r file.txt          # Group: read only
chmod o= file.txt           # Others: no permissions

# Combine operations
chmod u+x,g+x,o+x file.txt  # Add execute to all
chmod u=rwx,g=rx,o=r file.txt  # Set different permissions

Symbolic notation:

  • u: User (owner)
  • g: Group
  • o: Others
  • a: All (user, group, others)
  • +: Add permission
  • -: Remove permission
  • =: Set exact permission

Numeric Mode

# Set specific permissions using octal
chmod 644 file.txt          # rw-r--r--
chmod 755 script.sh         # rwxr-xr-x
chmod 600 private.key       # rw-------
chmod 700 /home/user/.ssh   # rwx------
chmod 400 readonly.txt      # r--------

# Set permissions recursively
chmod -R 755 /var/www/html
chmod -R 644 /var/www/html/*.txt

Practical Examples

# Make script executable
chmod +x script.sh
chmod 755 script.sh

# Secure SSH private key
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 700 ~/.ssh

# Set web directory permissions
sudo chmod 755 /var/www/html
sudo chmod 644 /var/www/html/*.html

# Secure configuration files
sudo chmod 600 /etc/mysql/my.cnf
sudo chmod 640 /etc/nginx/nginx.conf

# Make directory writable by group
chmod 775 /shared/directory

Recursive Permission Changes

# Change permissions recursively
chmod -R 755 /path/to/directory

# Change only files (not directories)
find /path -type f -exec chmod 644 {} \;

# Change only directories (not files)
find /path -type d -exec chmod 755 {} \;

# Make all .sh files executable
find /path -type f -name "*.sh" -exec chmod +x {} \;

Step 5: Changing File Ownership with chown

The chown (change owner) command modifies file and directory ownership.

Basic chown Usage

# Change file owner
sudo chown username file.txt

# Change file owner and group
sudo chown username:groupname file.txt

# Change only group (alternative to chgrp)
sudo chown :groupname file.txt

# Change ownership recursively
sudo chown -R username:groupname /path/to/directory

Practical chown Examples

# Change ownership of home directory
sudo chown -R john:john /home/john

# Set web server ownership
sudo chown -R www-data:www-data /var/www/html

# Change ownership of uploaded files
sudo chown -R nginx:nginx /var/www/uploads

# Set ownership for application directory
sudo chown -R appuser:appgroup /opt/application

# Change owner but preserve group
sudo chown username /path/to/file

Using chgrp

# Change group ownership only
sudo chgrp groupname file.txt

# Change group recursively
sudo chgrp -R developers /home/shared

# Multiple files
sudo chgrp www-data *.php

Advanced Ownership Management

# Copy ownership from reference file
sudo chown --reference=sourcefile targetfile

# Verbose output
sudo chown -v username file.txt

# Preserve root directory (don't follow symlinks)
sudo chown --preserve-root -R user:group /

# Change ownership only if currently owned by specific user
find /path -user olduser -exec sudo chown newuser {} \;

Step 6: Configuring Sudo Access

Sudo allows users to execute commands with elevated privileges.

Adding Users to Sudo Group

Ubuntu/Debian:

# Add user to sudo group
sudo usermod -aG sudo username

# Verify group membership
groups username

CentOS/Rocky Linux:

# Add user to wheel group
sudo usermod -aG wheel username

# Verify group membership
groups username

Editing Sudoers File

Always use visudo to edit /etc/sudoers to prevent syntax errors:

# Edit sudoers file safely
sudo visudo

Sudoers Configuration Examples

# Allow user to run all commands with sudo
username ALL=(ALL:ALL) ALL

# Allow user to run commands without password (use cautiously)
username ALL=(ALL) NOPASSWD: ALL

# Allow user to run specific commands
username ALL=(ALL) NOPASSWD: /usr/bin/systemctl, /usr/bin/apt

# Allow group to run all commands
%groupname ALL=(ALL:ALL) ALL

# Allow user to run commands as specific user
username ALL=(otheruser) ALL

# Restrict user to specific commands
username ALL=(ALL) /bin/systemctl restart nginx, /bin/systemctl reload nginx

# Require password for all commands except specific ones
username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /usr/bin/apt update

Creating Sudoers Drop-in Files

# Create sudoers file for specific user
sudo visudo -f /etc/sudoers.d/username

# Add configuration:
username ALL=(ALL) NOPASSWD: /usr/bin/systemctl

# Set proper permissions
sudo chmod 440 /etc/sudoers.d/username

Testing Sudo Configuration

# Test sudo access
sudo -v

# List sudo privileges
sudo -l

# Run command as specific user
sudo -u username command

# Run command with specific group
sudo -g groupname command

# Sudo with environment preservation
sudo -E command

Step 7: Implementing Special Permissions

Beyond standard read, write, and execute, Linux has three special permissions.

Setuid (SUID) - Set User ID

Allows users to execute file with file owner's permissions.

# Set SUID bit
chmod u+s file
chmod 4755 file

# Example: passwd command has SUID
ls -l /usr/bin/passwd
# Output: -rwsr-xr-x (note the 's' in user execute position)

# Remove SUID
chmod u-s file

Security warning: SUID on shell scripts is dangerous and ignored by most systems.

Setgid (SGID) - Set Group ID

On files: Execute with file's group permissions On directories: New files inherit directory's group

# Set SGID on file
chmod g+s file
chmod 2755 file

# Set SGID on directory (useful for shared directories)
chmod g+s /shared/directory
chmod 2775 /shared/directory

# Example: Shared project directory
sudo mkdir /shared/projects
sudo chown :developers /shared/projects
sudo chmod 2775 /shared/projects

# Now all files created in /shared/projects inherit 'developers' group

Sticky Bit

On directories: Only owner can delete their files (like /tmp)

# Set sticky bit
chmod +t directory
chmod 1777 directory

# Example: /tmp has sticky bit
ls -ld /tmp
# Output: drwxrwxrwt (note the 't' at the end)

# Create public upload directory
sudo mkdir /var/www/uploads
sudo chmod 1777 /var/www/uploads

# Users can create files but only delete their own

Viewing Special Permissions

# List files with special permissions
ls -l

# Find files with SUID
sudo find / -type f -perm -4000 -ls 2>/dev/null

# Find files with SGID
sudo find / -type f -perm -2000 -ls 2>/dev/null

# Find directories with sticky bit
sudo find / -type d -perm -1000 -ls 2>/dev/null

Special Permission Numeric Values

  • 4000: SUID
  • 2000: SGID
  • 1000: Sticky bit

Combined with regular permissions:

  • 4755: SUID + rwxr-xr-x
  • 2755: SGID + rwxr-xr-x
  • 1777: Sticky + rwxrwxrwx

Step 8: Managing Default Permissions with umask

Umask defines default permissions for newly created files and directories.

Understanding umask

Umask subtracts from maximum permissions:

  • Files: 666 (rw-rw-rw-)
  • Directories: 777 (rwxrwxrwx)

Common umask values:

  • 022: Files: 644, Directories: 755 (default for most systems)
  • 002: Files: 664, Directories: 775 (group-writable)
  • 077: Files: 600, Directories: 700 (private)

Viewing and Setting umask

# View current umask
umask

# View in symbolic notation
umask -S

# Set umask for current session
umask 022
umask 002
umask 077

# Set umask in user's profile (persistent)
echo "umask 002" >> ~/.bashrc
echo "umask 002" >> ~/.profile

# Set system-wide umask
sudo vi /etc/profile
# or
sudo vi /etc/bash.bashrc

umask Calculation Examples

# umask 022
# Files: 666 - 022 = 644 (rw-r--r--)
# Dirs:  777 - 022 = 755 (rwxr-xr-x)

# umask 002
# Files: 666 - 002 = 664 (rw-rw-r--)
# Dirs:  777 - 002 = 775 (rwxrwxr-x)

# umask 077
# Files: 666 - 077 = 600 (rw-------)
# Dirs:  777 - 077 = 700 (rwx------)

Testing umask

# Set umask
umask 022

# Create test file and directory
touch testfile
mkdir testdir

# Check permissions
ls -l testfile testdir
# testfile: -rw-r--r--
# testdir: drwxr-xr-x

Step 9: Access Control Lists (ACLs)

ACLs provide more fine-grained permission control beyond standard user/group/other model.

Installing ACL Tools

# Ubuntu/Debian
sudo apt install acl -y

# CentOS/Rocky Linux
sudo dnf install acl -y

Viewing ACLs

# View file ACLs
getfacl filename

# View directory ACLs
getfacl dirname

# Check if ACLs are set (+ sign in ls output)
ls -l
# -rw-r--r--+ indicates ACLs are present

Setting ACLs

# Give specific user read/write access
setfacl -m u:username:rw filename

# Give specific group read/execute access
setfacl -m g:groupname:rx directory

# Remove ACL for specific user
setfacl -x u:username filename

# Remove all ACLs
setfacl -b filename

# Set default ACLs for directory (inherited by new files)
setfacl -d -m u:username:rw directory

# Recursive ACL setting
setfacl -R -m u:username:rw directory

Practical ACL Examples

# Allow specific user to access your home directory
setfacl -m u:collaborator:rx /home/yourusername
setfacl -m u:collaborator:rw /home/yourusername/shared.txt

# Set up shared project directory
sudo mkdir /projects/shared
sudo setfacl -m u:alice:rwx /projects/shared
sudo setfacl -m u:bob:rwx /projects/shared
sudo setfacl -d -m u:alice:rwx /projects/shared
sudo setfacl -d -m u:bob:rwx /projects/shared

# Give read-only access to specific user
setfacl -m u:auditor:r-- /var/log/application.log

Copying and Backing Up ACLs

# Backup ACLs
getfacl -R /path/to/directory > acl_backup.txt

# Restore ACLs
setfacl --restore=acl_backup.txt

# Copy ACLs from one file to another
getfacl source_file | setfacl --set-file=- target_file

Step 10: User Password Policies

Implement password policies to enforce strong authentication.

Configuring Password Quality

Ubuntu/Debian:

# Install password quality library
sudo apt install libpam-pwquality -y

# Edit configuration
sudo nano /etc/security/pwquality.conf

CentOS/Rocky Linux:

# Install password quality library
sudo dnf install libpwquality -y

# Edit configuration
sudo nano /etc/security/pwquality.conf

Configure password requirements:

# Minimum password length
minlen = 14

# Require at least one digit
dcredit = -1

# Require at least one uppercase
ucredit = -1

# Require at least one lowercase
lcredit = -1

# Require at least one special character
ocredit = -1

# Maximum number of consecutive characters
maxrepeat = 3

# Minimum number of character classes
minclass = 4

# Check against dictionary words
dictcheck = 1

Password Aging Policies

# Edit login.defs
sudo nano /etc/login.defs

# Set password aging policies:
PASS_MAX_DAYS 90     # Maximum password age
PASS_MIN_DAYS 7      # Minimum days between changes
PASS_WARN_AGE 14     # Warning days before expiration
PASS_MIN_LEN 14      # Minimum password length

Managing Password Expiration

# Set password expiration for user
sudo chage -M 90 username      # Max 90 days
sudo chage -m 7 username       # Min 7 days between changes
sudo chage -W 14 username      # Warn 14 days before expiration
sudo chage -I 30 username      # Inactive 30 days after expiration

# Set expiration date
sudo chage -E 2025-12-31 username

# View password aging information
sudo chage -l username

# Force password change on next login
sudo chage -d 0 username

Account Lockout Policies

# Configure account lockout (faillock)
sudo nano /etc/security/faillock.conf

# Add:
deny = 5              # Lock after 5 failed attempts
unlock_time = 900     # Unlock after 15 minutes
fail_interval = 900   # Reset count after 15 minutes

View locked accounts:

# Check faillock status
sudo faillock --user username

# Unlock user
sudo faillock --user username --reset

Verification

Verify User Configuration

# Check user exists and has correct settings
id username
getent passwd username

# Verify group membership
groups username

# Check home directory permissions
ls -ld /home/username

# Verify SSH access
ssh username@localhost

Verify Permissions

# Check file permissions
ls -l filename

# Check directory permissions recursively
ls -lR /path/to/directory

# Verify ownership
stat filename

# Check ACLs
getfacl filename

Verify Sudo Access

# Test sudo access
su - username
sudo -v

# List sudo privileges
sudo -l

Comprehensive Permission Audit

# Find world-writable files (potential security issue)
sudo find / -type f -perm -002 ! -path "/proc/*" ! -path "/sys/*" 2>/dev/null

# Find files with SUID bit
sudo find / -type f -perm -4000 2>/dev/null

# Find files with SGID bit
sudo find / -type f -perm -2000 2>/dev/null

# Find files without owner
sudo find / -nouser -o -nogroup 2>/dev/null

Troubleshooting

Permission Denied Errors

Problem: User cannot access file or directory.

Solution:

# Check file permissions
ls -l filename

# Check directory permissions in path
namei -l /full/path/to/file

# Check user and group membership
id username

# Fix permissions if needed
sudo chmod 755 /path/to/directory
sudo chmod 644 /path/to/file

# Fix ownership
sudo chown username:groupname file

Cannot Execute Script

Problem: Script won't run despite having execute permission.

Solution:

# Check if executable bit is set
ls -l script.sh

# Add execute permission
chmod +x script.sh

# Check shebang line
head -n 1 script.sh
# Should have: #!/bin/bash or #!/usr/bin/env bash

# Check if interpreter exists
which bash

# Run explicitly if needed
bash script.sh

Sudo Access Not Working

Problem: User added to sudo/wheel group but cannot use sudo.

Solution:

# Verify group membership
groups username

# User must log out and back in for group changes to take effect
# Or force group refresh:
newgrp sudo  # Ubuntu/Debian
newgrp wheel # CentOS/Rocky

# Check sudoers configuration
sudo visudo -c

# Verify group is configured in sudoers
grep -E "^%(sudo|wheel)" /etc/sudoers

# Check for user-specific restrictions
sudo grep username /etc/sudoers.d/*

File Ownership Issues

Problem: Files created in shared directory have wrong owner/group.

Solution:

# Set SGID bit on directory
chmod g+s /shared/directory

# Set proper group ownership
chown :sharedgroup /shared/directory

# Verify settings
ls -ld /shared/directory
# Should show: drwxrwsr-x with 's' in group execute position

# Fix existing files
chown -R :sharedgroup /shared/directory

ACL Not Working

Problem: ACL settings not taking effect.

Solution:

# Check if filesystem supports ACLs
mount | grep acl

# If not, remount with ACL support
sudo mount -o remount,acl /

# Make permanent in /etc/fstab
sudo nano /etc/fstab
# Add 'acl' to options: defaults,acl

# Verify ACLs are set
getfacl filename
ls -l filename
# Should show '+' sign if ACLs present

Best Practices

User Management Best Practices

  1. Never use root for routine tasks - Always use sudo
  2. Implement principle of least privilege - Grant minimum necessary permissions
  3. Use groups for permission management - Easier than managing individual users
  4. Regular audits - Review user accounts and permissions quarterly
  5. Remove unused accounts - Delete or lock accounts no longer needed
  6. Strong password policies - Enforce complexity and expiration
  7. Document user purposes - Use comment field to note why user exists
  8. Separate system and regular users - Keep UID ranges distinct

Permission Best Practices

  1. Never use 777 permissions - Almost always unnecessary and insecure
  2. Protect sensitive files - Use 600 for private files, 400 for read-only secrets
  3. Secure directories - Use 755 for public, 700 for private, 750 for group-shared
  4. Review SUID files - Audit regularly, minimize usage
  5. Use ACLs for complex scenarios - When standard permissions insufficient
  6. Set appropriate umask - Match your security requirements
  7. Monitor permission changes - Log and audit modifications
  8. Backup permissions - Include in backup strategy

Security Recommendations

# Secure home directories
sudo chmod 750 /home/*

# Secure SSH directory
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/config

# Secure web directories
sudo chown -R www-data:www-data /var/www
sudo find /var/www -type d -exec chmod 755 {} \;
sudo find /var/www -type f -exec chmod 644 {} \;

# Secure configuration files
sudo chmod 640 /etc/mysql/my.cnf
sudo chmod 640 /etc/nginx/nginx.conf
sudo chmod 600 /etc/ssh/sshd_config

# Regular permission audits
sudo find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
sudo find / -type f -perm -002 -ls 2>/dev/null

Documentation Template

# Create user documentation script
cat << 'EOF' | sudo tee /usr/local/bin/user-audit.sh
#!/bin/bash

echo "=== User Audit Report ==="
echo "Generated: $(date)"
echo ""

echo "=== Regular Users (UID >= 1000) ==="
awk -F: '$3 >= 1000 {printf "%-15s UID: %5s Groups: ", $1, $3; system("groups " $1)}' /etc/passwd

echo ""
echo "=== Users with Sudo Access ==="
grep -Po '^sudo|wheel.+:\K.*$' /etc/group

echo ""
echo "=== Recent Logins ==="
last -n 10

echo ""
echo "=== Failed Login Attempts ==="
sudo grep "Failed password" /var/log/auth.log 2>/dev/null | tail -10

echo ""
echo "=== Files with SUID/SGID ==="
sudo find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null | head -20

EOF

sudo chmod +x /usr/local/bin/user-audit.sh

Conclusion

Proper user and permission management is fundamental to Linux security and system administration. By implementing the configurations and best practices outlined in this guide, you've established robust access control mechanisms that protect your server while enabling legitimate users to perform their tasks efficiently.

Key achievements:

  • Understanding of Linux user and permission model
  • Ability to create, modify, and manage user accounts
  • Proficiency in group management for organizing users
  • Mastery of file permissions using chmod and chown
  • Configuration of sudo access for administrative tasks
  • Implementation of special permissions (SUID, SGID, sticky bit)
  • Understanding of umask for default permissions
  • Knowledge of ACLs for fine-grained access control
  • Password policy enforcement for security

Next steps:

  • Implement automated user provisioning for larger environments
  • Set up centralized authentication (LDAP, Active Directory)
  • Configure audit logging for permission changes
  • Regular security audits and permission reviews
  • Document user roles and responsibilities

Remember that permission management is an ongoing responsibility. Regular audits, prompt removal of unnecessary access, and adherence to the principle of least privilege are essential for maintaining a secure Linux environment.

Additional Resources

Related Guides

  • Initial Security Configuration on Ubuntu/Debian
  • Initial Security Configuration on CentOS/Rocky Linux
  • Linux Server Hardening: Complete Guide
  • SSH Key Management: Generation and Best Practices
  • How to Connect to Your Server via SSH