- HowTo: Grant Root Access to User – Root Privileges – Linux
- Grant Root Privileges To New User
- Grant Root Privileges To Existent User
- Add User To Root Group
- Delete User With Root Privileges
- 39 Replies to “HowTo: Grant Root Access to User – Root Privileges – Linux”
- Linux Add User To Group Using Command-Line
- How to add user to group in Linux
- Linux command to add user to group
- How to become a root user
- Add a new user to secondary group using useradd
- How to add a new user to primary group using useradd
- How to add a existing user to existing group using usermod
- usermod command options summary
- A note about security
- A note about GUI tool
- Summing up
- Adding a User to a Group. Lists of Users and Groups in Linux
- List of groups a user belongs to
- Adding a user to a group
- Removing a user from a group
- List of all groups
- List of all users
- Users and groups
- Contents
- Overview
- Permissions and ownership
- Shadow
- File list
- User management
- Example adding a user
- Example adding a system user
- Change a user’s login name or home directory
- Other examples of user management
- User database
- Automatic integrity checks
- Group management
- Group list
- User groups
- System groups
- Pre-systemd groups
- Unused groups
- Other tools related to these databases
HowTo: Grant Root Access to User – Root Privileges – Linux
From this article you’ll learn how to create a user in Linux and grant him root access, or how to grant root privileges to an already existing user.
This can be easily done by changing UID (user id) and GID (group id) in /etc/passwd file.
You will also learn how to just add a user to the root group, and I will explain how to delete a user with root privileges.
Actually it is not a good idea to give all the privileges of root to a non-root user, and outside a test environment I would not recommend having multiple superusers.
Warning: Giving a non-root user all the permissions of root is very dangerous, because the non-root user will be able to do literally anything, which could cause big trouble if the account is hijacked.
Check SSH Server Settings: If you have disabled root access in SSH server settings, by setting PermitRootLogin no in /etc/ssh/sshd_config – you won’t be able to log in if your user has UID 0 .
Warning: Before moving forward, read the comments below and DON’T FOLLOW THE STEPS FROM THIS ARTICLE if you don’t understand what you are doing and what impact this may have!
Grant Root Privileges To New User
To create a user with exactly the same privileges as the root user, we have to assign him the same user ID as the root user has ( UID 0 ) and the same group ID ( GID 0 ).
Use the following commands to create a user john , grant him the same privileges as root and set him a password:
Grant Root Privileges To Existent User
Perhaps you already have a user john and you want to grant him root privileges (make him a second root user):
For this, it is required to edit the file /etc/passwd and just change UID and GID to 0 :
Add User To Root Group
If you just want to add john to root group, without granting him all root privileges, run the following command:
Delete User With Root Privileges
You won’t be able to delete a user with UID 0 using userdel command:
To delete him, firstly open the /etc/passwd file and change his UID .
For example, change the line:
to something like:
After this, you’ll be able to delete user john with userdel command:
39 Replies to “HowTo: Grant Root Access to User – Root Privileges – Linux”
“For this, it is required to edit the file /etc/passwd and just change UID and GID to 0”
WRONG.
Baaaad idea. Much regret. Undo, undo.
$ ssh 192.168.88.16 -l pi
pi@192.168.88.16's password:
Permission denied, please try again.
pi@192.168.88.16's password:
Permission denied, please try again.
– – –
Nice explanation?)
Since no one elaborated how to undo this broken way of adding users, I will. The only way is to successfully log in to the Linux machine, if you log in via ssh or tty.
If you add a user with uid 0 to group uid 0, and you set in sshd_config AllowRootLogin NO, your access will be denied. So you will have to log in to the Linux machine via tty (this is the only way if you don't have a correctly added backup user on the Linux machine). Via tty you can log in with any of the users, even root.
The correct way to add a user with root privileges is adding the user the normal way, useradd -m user, and then add privileges with visudo to the user.
So if you have a backup user that has root privileges in visudo, you will be able to log in to the Linux machine via ssh, and you will be able to change the uid and group of the “broken” user.
I think this article explains more likely how to add a user with root privileges “the hacker way (which is a broken way)”, and repair the broken way after.
Also if you don't have access to a tty console, and you want to test the commands of this article and be sure you did not break something, STAY LOGGED in the current session and open another one and test if all things are OK. If you can't log in in the new session, you still have the previous session open and you can repair what you have broken.
Hope it helps to repair further mistakes.
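An added example, not part of the article or its comments: a read-only audit that finds accounts made root-equivalent in the ways described above (a second name with UID 0, a primary GID of 0, or membership in a privileged group). The function names, the sample files and the default group list root,wheel,sudo are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit passwd(5)/group(5) files for root-equivalent accounts.
# Function names, sample data and the default group list are assumptions.

# audit_root_equivalents PASSWD_FILE GROUP_FILE [PRIV_GROUPS]
# Prints one finding per line: "<kind> <account> <detail>".
audit_root_equivalents() {
    passwd_file=$1
    group_file=$2
    priv_groups=${3:-root,wheel,sudo}   # assumed default; adjust per distro

    # passwd(5): name:password:UID:GID:GECOS:home:shell
    awk -F: '
        $0 == "" || /^#/ { next }
        NF != 7 { print "malformed", $1, "fields=" NF; next }
        # Any name other than root that maps to UID 0 is a second superuser.
        $3 ~ /^0+$/ && $1 != "root" { print "uid0", $1, "shell=" $7 }
        # Primary GID 0 on a non-root UID gives access to root-group files.
        $4 ~ /^0+$/ && $3 !~ /^0+$/ { print "gid0", $1, "uid=" $3 }
    ' "$passwd_file"

    # group(5): name:password:GID:member1,member2,...
    awk -F: -v priv="$priv_groups" '
        BEGIN { n = split(priv, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $0 == "" || /^#/ { next }
        ($1 in want) && $4 != "" {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++)
                if (members[i] != "root")
                    print "member", members[i], "group=" $1
        }
    ' "$group_file"
}

# write_sample DIR: constructed sample files (not taken from a real system).
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1::/:/usr/bin/nologin
john:x:0:0::/home/john:/bin/bash
alice:x:1001:0:Alice:/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:root,bob
wheel:x:10:alice
developers:x:1003:bob
EOF
}

# Demo on the constructed files; on a live host pass /etc/passwd /etc/group.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit_root_equivalents "$demo_dir/passwd" "$demo_dir/group"
rm -rf "$demo_dir"
```

The check covers only the local files; accounts granted privileges through sudoers or a directory service need a separate review.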
Linux Add User To Group Using Command-Line
- Primary user group – It is the group that is applied to you when you log in. Typically it is the same as your login name. All of your processes and files (including directories/folders) have your primary group as the group membership. The primary group allows private group membership and security features. Your files or processes cannot be accessed by other group members or users on the Linux system.
- Secondary or supplementary user group – Users can be a member of other groups on the Linux system. It is useful for file sharing and other purposes. A sysadmin can fine-tune security too. For example, if you are a member of a secondary group called cdrom, you can mount and unmount the cd-rom drive.
Tutorial details | |
---|---|
Difficulty level | Intermediate |
Root privileges | Yes |
Requirements | usermod/useradd |
Est. reading time | 5 minutes |
How to add user to group in Linux
Please note that all user account related information is stored in the following files:
- /etc/passwd – Contains one line for each user account.
- /etc/shadow – Contains the password information in encrypted format for the system’s accounts and optional account aging information.
- /etc/group – Defines the groups on the system.
- /etc/default/useradd – This file contains a value for the default group, if none is specified by the useradd command.
- /etc/login.defs – This file defines the site-specific configuration for the shadow password suite stored in /etc/shadow file.
We do not modify these files by hand. Instead, we add a user to a group in Linux using various commands.
Linux command to add user to group
Open the terminal and then type:
- Add a new user called jerry to secondary group named cartoons on Linux:
sudo useradd -G cartoons jerry
- Want to add a new user called tom to primary group called cartoons? Run:
useradd -g cartoons tom
- We can add an existing user named spike to an existing group named cartoons in Linux:
usermod -a -G cartoons spike
How to become a root user
You must run all commands as the root user. To become the root user run:
su -
Alternatively use sudo command:
sudo -i
Add a new user to secondary group using useradd
You need the useradd command to add new users to an existing group (or create a new group and then add the user). If the group does not exist, create it. The syntax is as follows:
useradd -G <group-name> username
In this example, create a new user called vivek and add it to the group called developers. First, make sure the group developers exists using the grep command:
# grep "^developers" /etc/group
Sample outputs:
If you do not see any output then you need to add group developers using the groupadd command:
# sudo groupadd developers
Verify that user vivek does not exist:
# grep "^vivek" /etc/passwd
You should not see any outputs from above command. Finally, add a new user called vivek to group developers:
# useradd -G developers vivek
Setup password for user vivek:
# passwd vivek
Ensure that the user was added properly to group developers:
# id vivek
Sample outputs:
Please note that the capital G ( -G ) option adds the user to a list of supplementary groups. Each group is separated from the next by a comma, with no intervening whitespace. For example, to add user jerry to groups admins, ftp, www, and developers, enter:
# useradd -G admins,ftp,www,developers jerry
How to add a new user to primary group using useradd
How to add a existing user to existing group using usermod
Add existing user tony to the ftp supplementary/secondary group with the usermod command using the -a option, i.e. add the user to the supplemental group(s). Use only with the -G option:
# usermod -a -G ftp tony
In this example, change tony user’s primary group to www, enter:
# usermod -g www tony
usermod command options summary
Option | Purpose |
---|---|
-a --append | Add the user to the supplementary group(s). Use only with the -G option. |
-g GROUP --gid GROUP | Use this GROUP as the default group. |
-G GRP1,GRP2 --groups GRP1,GRP2 | Add the user to GRP1,GRP2 secondary group. |
A note about security
If you add a user to or delete a user from an existing group, you must change the owner of any crontab files or at jobs manually. You must make any changes involving NIS on the NIS server too.
A note about GUI tool
You will probably find the use of the GUI tool easy. KDE user can use KUser tool and the GNOME user can use users-admin:
users-admin is part of the GNOME system tools, a set of tools to easily access and manage system configuration
One can easily add users as follows from the gnome 3 settings on a Debian/Ubuntu Linux:
Fedora/RHEL/CentOS user can use system-config-users command as follows
# system-config-users
$ ssh -X -t vivek@server1.cyberciti.biz sudo system-config-users
Sample outputs:
Click on the Groups tab to add or view groups:
Summing up
You learned how to add a new or existing user to group on Linux operating systems. For more information type the following command at the shell prompt to read man pages:
$ man usermod
$ man useradd
Adding a User to a Group. Lists of Users and Groups in Linux
This note covers how to add a user to a group and how to remove a user from a group, how to list the groups a user belongs to, and how to list all users and all groups on a Linux system.
List of groups a user belongs to
To list the groups that a particular user belongs to, use the groups command.
When the groups command is run without arguments, it prints the list of groups of the current user.
You can specify the name of the user whose groups should be listed. For example, let us print the groups that the user root belongs to.
Adding a user to a group
To add an existing user to a group in Linux, use the usermod command with the options -a and -G group . For example, let us add the user pingvinus to the group editorsgroup.
After running this command, the user pingvinus has to log out and log in again. You can use the su command to log in as the user pingvinus in the current session.
Removing a user from a group
Let us remove the user pingvinus from the group editorsgroup.
For the changes to take effect, you need to log out and log in again.
List of all groups
Let us print the list of all groups on the current Linux system.
List of all users
Let us print the list of all users on the current Linux system.
The list is usually rather long, because it contains all users, including the users that are used to run certain programs and services.
You can limit the output to only those users whose home directory is located under /home.
Users and groups
Users and groups are used on GNU/Linux for access control—that is, to control access to the system’s files, directories, and peripherals. Linux offers relatively simple/coarse access control mechanisms by default. For more advanced options, see ACL, Capabilities and PAM#Configuration How-Tos.
Contents
Overview
A user is anyone who uses a computer. In this case, we are describing the names which represent those users. It may be Mary or Bill, and they may use the names Dragonlady or Pirate in place of their real name. All that matters is that the computer has a name for each account it creates, and it is this name by which a person gains access to use the computer. Some system services also run using restricted or privileged user accounts.
Managing users is done for the purpose of security by limiting access in certain specific ways. The superuser (root) has complete access to the operating system and its configuration; it is intended for administrative use only. Unprivileged users can use the su and sudo programs for controlled privilege elevation.
Any individual may have more than one account as long as they use a different name for each account they create. Further, there are some reserved names which may not be used such as "root".
Users may be grouped together into a "group", and users may be added to an existing group to utilize the privileged access it grants.
Permissions and ownership
The UNIX operating system crystallizes a couple of unifying ideas and concepts that shaped its design, user interface, culture and evolution. One of the most important of these is probably the mantra: "everything is a file," widely regarded as one of the defining points of UNIX. This key design principle consists of providing a unified paradigm for accessing a wide range of input/output resources: documents, directories, hard-drives, CD-ROMs, modems, keyboards, printers, monitors, terminals and even some inter-process and network communications. The trick is to provide a common abstraction for all of these resources, each of which the UNIX fathers called a "file." Since every "file" is exposed through the same API, you can use the same set of basic commands to read/write to a disk, keyboard, document or network device.
A fundamental and very powerful, consistent abstraction provided in UNIX and compatible operating systems is the file abstraction. Many OS services and device interfaces are implemented to provide a file or file system metaphor to applications. This enables new uses for, and greatly increases the power of, existing applications; simple tools designed with specific uses in mind can, with UNIX file abstractions, be used in novel ways. A simple tool, such as cat, designed to read one or more files and output the contents to standard output, can be used to read from I/O devices through special device files, typically found under the /dev directory. On many systems, audio recording and playback can be done simply with the commands, " cat /dev/audio > myfile " and " cat myfile > /dev/audio ," respectively.
Every file on a GNU/Linux system is owned by a user and a group. In addition, there are three types of access permissions: read, write, and execute. Different access permissions can be applied to a file’s owning user, owning group, and others (those without ownership). One can determine a file’s owners and permissions by viewing the long listing format of the ls command:
The first column displays the file’s permissions (for example, the file initramfs-linux.img has permissions -rw-r--r-- ). The third and fourth columns display the file’s owning user and group, respectively. In this example, all files are owned by the root user and the root group.
In this example, the sf_Shared directory is owned by the root user and the vboxsf group. It is also possible to determine a file’s owners and permissions using the stat command:
Access permissions are displayed in three groups of characters, representing the permissions of the owning user, owning group, and others, respectively. For example, the characters -rw-r--r-- indicate that the file’s owner has read and write permission, but not execute ( rw- ), whilst users belonging to the owning group and other users have only read permission ( r-- and r-- ). Meanwhile, the characters drwxrwx--- indicate that the file’s owner and users belonging to the owning group all have read, write, and execute permissions ( rwx and rwx ), whilst other users are denied access ( --- ). The first character represents the file’s type.
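The permission column described above can be decoded mechanically. The following is an added example, not part of the original article: it converts a mode string to octal and reports the bits a reviewer usually looks for. It goes beyond the text by also handling the setuid, setgid and sticky markers ( s , S , t , T ); the function names mode_to_octal and mode_flags are hypothetical.

```shell
#!/bin/sh
# Added example: decode the permission column of `ls -l`.
# Function names are hypothetical; sample mode strings are constructed.

# mode_to_octal MODE
# Prints four octal digits (special, owner, group, others), or "invalid".
mode_to_octal() {
    printf '%s\n' "$1" | awk '
    {
        # type char, then three rwx triads; s/S and t/T mark special bits
        if ($0 !~ /^[-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]/) {
            print "invalid"; exit 1
        }
        special = 0; out = ""
        for (i = 0; i < 3; i++) {
            r = substr($0, 2 + 3 * i, 1)
            w = substr($0, 3 + 3 * i, 1)
            x = substr($0, 4 + 3 * i, 1)
            d = (r == "r") * 4 + (w == "w") * 2
            # lower-case s/t: special bit set AND execute set
            if (x == "x" || x == "s" || x == "t") d += 1
            # any of s/S/t/T: special bit set (4 setuid, 2 setgid, 1 sticky)
            if (x == "s" || x == "S" || x == "t" || x == "T")
                special += (i == 0 ? 4 : (i == 1 ? 2 : 1))
            out = out d
        }
        print special out
    }'
}

# mode_flags MODE
# Prints space-separated notes: setuid, setgid, sticky, world-writable.
mode_flags() {
    oct=$(mode_to_octal "$1") || { echo "invalid"; return 1; }
    flags=""
    case $oct in [4567]???) flags="$flags setuid" ;; esac
    case $oct in [2367]???) flags="$flags setgid" ;; esac
    case $oct in [1357]???) flags="$flags sticky" ;; esac
    case $oct in ???[2367]) flags="$flags world-writable" ;; esac
    echo "${flags# }"
}

# Demo on constructed mode strings.
for m in -rw-r--r-- drwxrwx--- drwxrwsr-x drwxrwxrwt; do
    printf '%s %s [%s]\n' "$m" "$(mode_to_octal "$m")" "$(mode_flags "$m")"
done
```

A trailing + or . that ls appends for ACLs or security contexts is ignored, because only the first ten characters are matched.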
List files owned by a user or group with the find utility:
A file’s owning user and group can be changed with the chown (change owner) command. A file’s access permissions can be changed with the chmod (change mode) command.
Shadow
The user, group and password management tools on Arch Linux come from the shadow package, which is a dependency of the base meta package.
File list
File | Purpose |
---|---|
/etc/shadow | Secure user account information |
/etc/passwd | User account information |
/etc/gshadow | Contains the shadowed information for group accounts |
/etc/group | Defines the groups to which users belong |
User management
To list users currently logged on the system, the who command can be used. To list all existing user accounts including their properties stored in the user database, run passwd -Sa as root. See passwd(1) for the description of the output format.
To add a new user, use the useradd command:
- -m / --create-home : the user’s home directory is created as /home/username . The directory is populated by the files in the skeleton directory. The created files are owned by the new user.
- -G / --groups : a comma separated list of supplementary groups which the user is also a member of. The default is for the user to belong only to the initial group.
- -s / --shell : a path to the user’s login shell. Ensure the chosen shell is installed if choosing something other than Bash.
If an initial login group is specified by name or number, it must refer to an already existing group. If not specified, the behaviour of useradd will depend on the USERGROUPS_ENAB variable contained in /etc/login.defs . The default behaviour ( USERGROUPS_ENAB yes ) is to create a group with the same name as the username.
When the login shell is intended to be non-functional, for example when the user account is created for a specific service, /usr/bin/nologin may be specified in place of a regular shell to politely refuse a login (see nologin(8) ).
See useradd(8) for other supported options.
Example adding a user
To add a new user named archie , creating its home directory and otherwise using all the defaults in terms of groups, folder names, shell used and various other parameters:
Although it is not required to protect the newly created user archie with a password, it is highly recommended to do so:
The above useradd command will also automatically create a group called archie and makes this the default group for the user archie . Making each user have their own group (with the group name same as the user name) is the preferred way to add users.
You could also make the default group something else using the -g option, but note that, in multi-user systems, using a single default group (e.g. users ) for every user is not recommended. The reason is that typically, the method for facilitating shared write access for specific groups of users is setting user umask value to 002 , which means that the default group will by default always have write access to any file you create. See also User Private Groups. If a user must be a member of a specific group specify that group as a supplementary group when creating the user.
In the recommended scenario, where the default group has the same name as the user name, all files are by default writeable only for the user who created them. To allow write access to a specific group, shared files/folders can be made writeable by default for everyone in this group and the owning group can be automatically fixed to the group which owns the parent directory by setting the setgid bit on this directory:
Otherwise the file creator’s default group (usually the same as the user name) is used.
If a GID change is required temporarily you can also use the newgrp command to change the user’s default GID to another GID at runtime. For example, after executing newgrp groupname files created by the user will be associated with the groupname GID, without requiring a re-login. To change back to the default GID, execute newgrp without a groupname.
Example adding a system user
System users can be used to run processes/daemons under a different user, protecting (e.g. with chown) files and/or directories and more examples of computer hardening.
With the following command a system user without shell access and without a home directory is created (optionally append the -U parameter to create a group with the same name as the user, and add the user to this group):
If the system user requires a specific user and group ID, specify them with the -u / --uid and -g / --gid options when creating the user:
Change a user’s login name or home directory
To change a user’s home directory:
The -m option also automatically creates the new directory and moves the content there.
Make sure there is no trailing / on /my/old/home .
To change a user’s login name:
Changing a username is safe and easy when done properly, just use the usermod command. If the user is associated to a group with the same name, you can rename this with the groupmod command.
Alternatively, the /etc/passwd file can be edited directly, see #User database for an introduction to its format.
Also keep in mind the following notes:
- If you are using sudo make sure you update your /etc/sudoers to reflect the new username(s) (via the visudo command as root).
- Personal crontabs need to be adjusted by renaming the user’s file in /var/spool/cron from the old to the new name, and then opening crontab -e to change any relevant paths and have it adjust the file permissions accordingly.
- Wine’s personal folders/files’ contents in
/.local/share/applications/wine/Programs and possibly more need to be manually renamed/edited.
or $HOME variables for home directories.
Other examples of user management
To enter user information for the GECOS comment (e.g. the full user name), type:
(this way chfn runs in interactive mode).
Alternatively the GECOS comment can be set more liberally with:
To mark a user’s password as expired, requiring them to create a new password the first time they log in, type:
User accounts may be deleted with the userdel command:
The -r option specifies that the user’s home directory and mail spool should also be deleted.
To change the user’s login shell:
User database
Local user information is stored in the plain-text /etc/passwd file: each of its lines represents a user account, and has seven fields delimited by colons.
- account is the user name. This field can not be blank. Standard *NIX naming rules apply.
- password is the user password.
Broken down, this means: user jack , whose password is in /etc/shadow , whose UID is 1001 and whose primary group is 1003. Jack Smith is his full name and there is a comment associated to his account; his home directory is /home/jack and he is using Bash.
The pwck command can be used to verify the integrity of the user database. It can sort the user list by GID at the same time, which can be helpful for comparison:
Automatic integrity checks
Instead of running pwck / grpck manually, the systemd timer shadow.timer , which is part of, and is enabled by, installation of the shadow package, will start shadow.service daily. shadow.service will run pwck(8) and grpck(8) to verify the integrity of both password and group files.
If discrepancies are reported, groups can be edited with the vigr(8) command and users with vipw(8) . This provides an extra margin of protection in that these commands lock the databases for editing. Note that the default text editor is vi, but if the EDITOR environment variable is set, that editor will be used instead.
Group management
/etc/group is the file that defines the groups on the system (see group(5) for details). There is also its companion gshadow which is rarely used. Its details are at gshadow(5) .
Display group membership with the groups command:
If user is omitted, the current user’s group names are displayed.
The id command provides additional detail, such as the user’s UID and associated GIDs:
To list all groups on the system:
Create new groups with the groupadd command:
Add users to a group with the gpasswd command (see FS#58262 regarding errors):
Alternatively, add a user to additional groups with usermod (replace additional_groups with a comma-separated list):
Modify an existing group with the groupmod command, e.g. to rename the old_group group to new_group :
To delete existing groups:
To remove users from a group:
The grpck command can be used to verify the integrity of the system’s group files.
Group list
This section explains the purpose of the essential groups from the filesystem package. There are many other groups, which will be created with correct GID when the relevant package is installed. See the main page for the software for details.
User groups
Non-root workstation/desktop users often need to be added to some of following groups to allow access to hardware peripherals and facilitate system administration:
Group | Affected files | Purpose |
---|---|---|
adm | | Administration group, commonly used to give read access to protected logs. It has full read access to journal files. |
ftp | /srv/ftp/ | Access to files served by FTP servers. |
games | /var/games | Access to some game software. |
http | /srv/http/ | Access to files served by HTTP servers. |
log | | Access to log files in /var/log/ created by syslog-ng. |
rfkill | /dev/rfkill | Right to control wireless devices power state (used by rfkill). |
sys | | Right to administer printers in CUPS. |
systemd-journal | /var/log/journal/* | Can be used to provide read-only access to the systemd logs, as an alternative to adm and wheel [1]. Otherwise, only user generated messages are displayed. |
uucp | /dev/ttyS4+ , /dev/tts/8+ , /dev/ttyUSB1+ , /dev/ttyACM9+ , /dev/rfcomm5+ | RS-232 serial ports and devices connected to them. |
wheel | | Administration group, commonly used to give privileges to perform administrative actions. It has full read access to journal files and the right to administer printers in CUPS. Can also be used to give access to the sudo and su utilities (neither uses it by default). |
System groups
The following groups are used for system purposes, an assignment to users is only required for dedicated purposes:
Group | Affected files | Purpose |
---|---|---|
dbus | | used internally by dbus |
kmem | /dev/port , /dev/mem , /dev/kmem | |
locate | /usr/bin/locate , /var/lib/locate , /var/lib/mlocate , /var/lib/slocate | See Locate. |
lp | /dev/lp1* , /dev/parport9* | Access to parallel port devices (printers and others). |
mail | /usr/bin/mail | |
nobody | | Unprivileged group. |
proc | /proc/pid/ | A group authorized to learn processes information otherwise prohibited by hidepid= mount option of the proc file system. The group must be explicitly set with the gid= mount option. |
root | /* | Complete system administration and control (root, admin). |
smmsp | | sendmail group. |
tty | /dev/tty , /dev/vcc , /dev/vc , /dev/ptmx | |
utmp | /run/utmp , /var/log/btmp , /var/log/wtmp | |
Pre-systemd groups
Before Arch migrated to systemd, users had to be manually added to these groups in order to be able to access the corresponding devices. This way has been deprecated in favour of udev marking the devices with a uaccess tag and logind assigning the permissions to users dynamically via ACLs according to which session is currently active. Note that the session must not be broken for this to work (see General troubleshooting#Session permissions to check it).
There are some notable exceptions which require adding a user to some of these groups: for example if you want to allow users to access the device even when they are not logged in. However, note that adding users to the groups can even cause some functionality to break (for example, the audio group will break fast user switching and allows applications to block software mixing).
Group | Affected files | Purpose |
---|---|---|
audio | /dev/audio , /dev/snd/* , /dev/rtc0 | Direct access to sound hardware, for all sessions. It is still required to make ALSA and OSS work in remote sessions, see ALSA#User privileges. Also used in JACK to give users realtime processing permissions. |
disk | /dev/sd[a-zA-Z]*1* | Access to block devices not affected by other groups such as optical , floppy , and storage . |
floppy | /dev/fd9* | Access to floppy drives. |
input | /dev/input/event4* , /dev/input/mouse6* | Access to input devices. Introduced in systemd 215 [2]. |
kvm | /dev/kvm | Access to virtual machines using KVM. |
optical | /dev/sr1 , /dev/sg3 | Access to optical devices such as CD and DVD drives. |
scanner | /var/lock/sane | Access to scanner hardware. |
storage | /dev/st7*[lma]* , /dev/nst2*[lma]* | Used to gain access to removable drives such as USB hard drives, flash/jump drives, MP3 players; enables the user to mount storage devices.[3] Now solely for direct access to tapes if no custom udev rules is involved.[4][5][6][7] |
video | /dev/fb/0 , /dev/misc/agpgart | Access to video capture devices, 2D/3D hardware acceleration, framebuffer (X can be used without belonging to this group). |
Unused groups
The following groups are currently not used for any purpose:
Group | Affected files | Purpose |
---|---|---|
bin | none | Historical |
daemon | | |
lock | | Used for lockfile access. Required by e.g. gnokii AUR . |
mem | | |
network | | Unused by default. Can be used e.g. for granting access to NetworkManager (see NetworkManager#Set up PolicyKit permissions). |
power | | |
uuidd | | |
users | | The primary group for users when user private groups are not used (generally not recommended), e.g. when creating users with USERGROUPS_ENAB no in /etc/login.defs or the -N / --no-user-group option of useradd. |
Other tools related to these databases
getent(1) can be used to read a particular record.
As warned in #User database, using specific utilities such as passwd and chfn is a better way to change the databases. Nevertheless, there are times when editing them directly is called for. For those times, vipw and vigr are provided. It is strongly recommended to use these tailored editors over using a general text editor as they lock the databases against concurrent editing. They also help prevent invalid entries and/or syntax errors. Note that Arch Linux prefers usage of specific tools, such as chage, for modifying the shadow database over using vipw -s and vigr -s from util-linux . See also FS#31414.