Using sudo Is Bad but What Can You Do About It?
Whenever we need to install a new program or access a Linux system, each of the tutorials says you shouldn’t be using sudo to run any command.
Avoiding sudo is considered a good practice. But why is that?
Today we will learn what is bad about using sudo and how we can avoid using sudo by creating new users. The command that we are going to use most today is adduser.
What does sudo do?
When you run any command on a Linux machine with sudo as a prefix, it gives you elevated privileges over the system, so that you can run anything and everything. The system trusts you.
It’s fine as long as you know what you are doing. But most of the time that’s not the case, because we are human and humans make mistakes.
Why Using sudo Excessively is Bad
- You can mess with the sensitive parts of your system without even knowing it. For example, you can delete the whole / folder with sudo.
- By default, sudo caches the password for 15 minutes. So if you forget to log out or close the session, someone else may make dangerous changes to your system.
- If you make a typo while using a sudo command, it can potentially disrupt the sensitive settings of your machine and be pretty hard to deal with.
- Using sudo excessively means you are violating the Principle of Least Privilege, so try to avoid that.
Okay Fine... Show me What to Do
We can think of sudo as the gateway to becoming an admin user. What we can do instead is create multiple other users with specific privileges with a specific boundary so that they can only access the required resources to perform that specific task.
For example:
- Create a user to manage a Tomcat server
- Create another user to maybe manage an Nginx server
- Create another user and allow them to do only the development work
There are so many use-cases for multiple users. We will learn about them later.
First, let’s see how we can create a new user in a Linux based system.
Create a New User
The command that allows us to create a new user is
sudo useradd username
The username can be any name of your choice. For example, the following command will create a new user named faisal.
sudo useradd faisal
Set a Password For User
Now in order to set a password for this user what we can do is
sudo passwd faisal
It will prompt us to input the password that we want to set for this particular user.
Login with New User
After creating our new user we can log in to that user using the following command
su faisal
This command will prompt us to input the password that we set earlier and voila! We are now inside that user.
Let’s talk a bit more about the useradd command…
Okay, I Have Created a New User. What Now?
If we want to know what can be done to our newly created users, we have to understand this useradd command a bit more…
What Does This useradd Command Do?
When we run the useradd command, it does 3 things:
- Saves the user's information in /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow. The first two files are used for saving the user's authentication information. The second two files are used for saving the user's group information.
- Sets the home directory for the new user
- Sets the permissions of the newly created user
Let's talk a little bit about each of these things and how we can customize them to our needs.
Setting User ID
We can set a user ID for the newly created user with the following command
sudo useradd -u 1234 faisal
This will create a new user with the id of 1234.
Setting User Group
We can assign users to specific groups to track and manage them. By default, the command creates a group with the same name as the username and a group ID equal to the user ID.
We can set a user's group using the following command
sudo useradd -g group_name username
Remember one thing: the group must already exist before this command is run in order for it to work properly.
So if we want to create a new user who
- is named faisal
- belongs to the developers group
- has a specific user ID of 999
sudo useradd -u 999 -g developers faisal
By design, any user can belong to one primary group and to multiple secondary groups. We can pass the -G flag to do that.
The following command will create a user who belongs to the developers group and is also included in the juniors group
sudo useradd -u 999 -g developers -G juniors faisal
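A pre-flight check for the -u, -g and -G options above, as an added example that is not part of the original post: it confirms that the username and UID are free and that every named group already exists before printing the useradd command. The function names, the PASSWD_FILE and GROUP_FILE variables and the sample entries are assumptions made for this example.

```shell
#!/bin/sh
# Files are overridable so the checks can run against sample data.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"

# in_field FILE N VALUE: true if any line has VALUE in colon-separated field N.
in_field() {
    awk -F: -v n="$2" -v v="$3" '$n == v { f = 1 } END { exit !f }' "$1"
}

# preflight_useradd UID PRIMARY_GROUP SECONDARY_GROUPS USERNAME
# SECONDARY_GROUPS is a comma-separated list, or "" for none.
# Prints the useradd command and returns 0 only if every check passes.
preflight_useradd() {
    uid=$1 primary=$2 secondary=$3 user=$4 rc=0
    if in_field "$PASSWD_FILE" 1 "$user"; then
        echo "error: user '$user' already exists" >&2; rc=1
    fi
    if in_field "$PASSWD_FILE" 3 "$uid"; then
        echo "error: UID $uid is already in use" >&2; rc=1
    fi
    for g in $primary $(echo "$secondary" | tr ',' ' '); do
        in_field "$GROUP_FILE" 1 "$g" ||
            { echo "error: group '$g' does not exist" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    echo "sudo useradd -u $uid -g $primary${secondary:+ -G $secondary} $user"
}

# Demo on constructed sample files (not taken from a real system).
demo=$(mktemp -d)
PASSWD_FILE=$demo/passwd GROUP_FILE=$demo/group
printf 'root:x:0:0::/root:/bin/bash\nsvc:x:999:999::/:/usr/sbin/nologin\n' >"$PASSWD_FILE"
printf 'root:x:0:\ndevelopers:x:1001:\n' >"$GROUP_FILE"
preflight_useradd 999 developers juniors faisal || true   # two errors reported
preflight_useradd 1500 developers "" faisal               # passes
```

Without the demo lines, the function checks the live /etc/passwd and /etc/group, which are readable without sudo.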
Setting Default Home Directory
Most Linux distributions don’t automatically create a new home directory while creating a new user.
If we want the new user’s home directory to be created by default under /home/username, we can pass the -m flag.
sudo useradd -m faisal
This command will create a new folder inside the /home directory for the newly created user.
Setting the Home Directory of Choice
But what if we want to create a home directory for this user in another location?
Well, for that we have to pass the -d flag. If we want to create a new home directory for the user under /opt/username, what we can do is
sudo useradd -m -d /opt/faisal faisal
Creating a System User
We can create a system user with the -r flag. This type of user isn’t much different from a normal user, but mostly we create system users to install some program.
To create a new system user named tomcat
sudo useradd -r tomcat
These system users don’t have any expiry date, and their user ID is chosen automatically, which is different from normal users.
Setting the Shell
A shell is a program that accepts and interprets commands from a user. By default, some distributions have /bin/bash as the default shell and others have /bin/sh as the default shell.
However, if you want to set the default shell for your newly created user, you can use the -s flag.
To create a user with /usr/bin/zsh as a login shell, you can write the following command
sudo useradd -s /usr/bin/zsh faisal
Add a Comment
If you want to have a comment about this user, you can use the -c flag.
sudo useradd -c "Mohammad Faisal" faisal
Then a new user will be created with the comment associated with it.
Expiry Date for User
You can set an expiry date for a user. After that, the user won’t be able to log in.
sudo useradd -e 2019-01-22 faisal
This is useful for office environments where you want greater control over your machine and want to prevent unwanted access to the machine.
If you want to see the password expiry of the user you can type
sudo chage -l faisal
which will list the password and account expiry information for this user.
View Details
To see the details of any user you can type the following command
grep username /etc/passwd
It will give us the user ID, group ID and other associated information about the username that we specified.
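An added example (not from the original post) that goes a step beyond the grep above: it splits each /etc/passwd entry into its fields and flags a few things worth reviewing, such as a system account that still has a login shell. The function names, flag labels, UID_MIN default and sample entries are assumptions made for this example.

```shell
#!/bin/sh
# /etc/passwd fields: name:password:UID:GID:comment:home:shell
# UID_MIN=1000 is an assumption; the real boundary between system and
# normal accounts is configured in /etc/login.defs and varies by distro.
UID_MIN="${UID_MIN:-1000}"

# Constructed sample entries (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
opsadmin:x:0:0::/root:/bin/bash
tomcat:x:998:998::/opt/tomcat:/bin/bash
nginx:x:997:997::/var/lib/nginx:/usr/sbin/nologin
faisal:x:1234:1234:Mohammad Faisal:/home/faisal:/usr/bin/zsh
EOF
}

# audit_passwd [FILE]: one line per account, with flags appended.
# Reads standard input when FILE is omitted.
audit_passwd() {
    awk -F: -v min="$UID_MIN" '
        /^#/ || NF != 7 { next }    # skip comments and malformed lines
        {
            # An empty shell field means the system default shell, so it
            # counts as a login shell too.
            login = ($7 !~ /(nologin|false)$/)
            flags = ""
            if ($3 == 0 && $1 != "root")     flags = flags " UID0-NOT-ROOT"
            if ($3 > 0 && $3 < min && login) flags = flags " SYSTEM-WITH-LOGIN-SHELL"
            if ($2 == "")                    flags = flags " EMPTY-PASSWORD-FIELD"
            printf "%s uid=%s gid=%s home=%s shell=%s%s\n", $1, $3, $4, $6, $7, flags
        }' "${1:--}"
}

sample_passwd | audit_passwd    # live system: audit_passwd /etc/passwd
```

In the sample, tomcat is flagged because it was created as a system user but kept /bin/bash, while nginx with /usr/sbin/nologin is not.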
Changing a User after Creation
You can change all of these properties using the usermod command of Linux. For example, if you want to change the default shell of a user, what you can do is…
sudo usermod --shell /bin/bash username
This will change the default shell of the user named username to /bin/bash.
That’s it. I hope now you have a better understanding of the useradd command in Linux, which is used to create a new user and set boundaries for the user. You can also check other commands like chown to learn about how we can change ownership of a file or directory so that a specific type of user can access it.
Also, I am not a system admin and I don’t have any deep knowledge of Linux. These commands are useful for me as a day-to-day software developer. So if anything I mentioned here is wrong please feel free to correct me.
That’s it for today. Happy Coding! :D