20 min. 30 XP.
Linux Users, Groups, Sudoers
Everything on Linux is either a file or a process, and everything has an owner. This lesson covers how users and groups work, how to add, modify and remove them, and how sudo rules are configured, because half of backdoor hunting is answering "who has root, and why?".
Objectives
- Read /etc/passwd and /etc/shadow
- Add, modify, lock, and delete user accounts
- Understand primary vs supplementary groups
- Read /etc/sudoers and /etc/sudoers.d/* safely
- Detect rogue UID-0 accounts and NOPASSWD sudoers
Quick reference
| Command | Purpose |
|---|---|
| cat /etc/passwd | All user accounts (format: name:x:UID:GID:gecos:home:shell) |
| awk -F: '$3==0' /etc/passwd | Only UID-0 (root-equivalent) users |
| awk -F: '$7 !~ /(nologin\|false)$/' /etc/passwd | Accounts whose shell is not nologin/false (interactive login possible; also catches /usr/bin/zsh) |
| getent passwd <user> | NSS-aware lookup (includes LDAP etc) |
| useradd -m -s /bin/bash <user> | Create user with home dir + bash |
| passwd <user> | Set or change password |
| usermod -aG sudo <user> | Add user to sudo group |
| userdel -r <user> | Delete user + home |
| passwd -l <user> | Lock the password only (SSH keys still work; add `chage -E 0 <user>` to expire the account outright) |
| groups <user> | List groups a user belongs to |
| visudo | Edit /etc/sudoers safely (validates syntax) |
| visudo -f /etc/sudoers.d/10-mygroup | Edit a drop-in sudoers file |
| sudo -l -U <user> | What can this user sudo? |
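The detection objective above (rogue UID-0 accounts, login shells, NOPASSWD rules, admin-group members) as a small audit script. This is an added example, not part of the original lesson: the checks take file paths so they run here against constructed sample files (no root needed) and can be pointed at the real /etc/passwd, /etc/group, /etc/sudoers and /etc/sudoers.d/* on a live host. The accounts alice, bob and toor, the group layout and the myapp service rule are all hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original lesson: the audit checks from the
# objectives as functions that take file paths, so they can be run against the
# constructed sample files below or against the real files on a live host.

# UID-0 accounts other than "root": any output is a rogue root-equivalent account.
find_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shell is not nologin/false, i.e. interactive login is possible.
# Matching on the shell name, not a fixed /bin/ prefix, also catches /usr/bin/zsh.
find_login_shells() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# sudoers rules that skip authentication: NOPASSWD tags and "Defaults !authenticate".
# Accepts several files (e.g. /etc/sudoers /etc/sudoers.d/*); comment lines are dropped.
find_nopasswd() {
    grep -hE 'NOPASSWD|!authenticate' "$@" 2>/dev/null | grep -v '^[[:space:]]*#' || true
}

# Members of the admin group: "sudo" on Debian/Ubuntu, "wheel" on RHEL/Fedora/Arch.
admin_group_members() {
    awk -F: '$1 == "sudo" || $1 == "wheel" { print $4 }' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Constructed sample files (hypothetical accounts and rules, not from a real host).
# "toor" is the classic rogue UID-0 account; bob has an unscoped NOPASSWD rule.
make_samples() {
    mkdir -p "$1/sudoers.d"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/usr/bin/zsh
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:backdoor:/root:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:
sudo:x:27:alice,bob
EOF
    cat > "$1/sudoers" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
EOF
    cat > "$1/sudoers.d/10-deploy" <<'EOF'
# Unscoped: bob is root without a password (this is what to hunt for).
bob ALL=(ALL) NOPASSWD: ALL
# Scoped to one command: still NOPASSWD, but reviewable.
alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp
EOF
}

# Run every check over one directory of passwd/group/sudoers files and print the findings.
audit_dir() {
    printf 'UID-0 accounts besides root:\n';     find_uid0 "$1/passwd"
    printf '\nAccounts with a login shell:\n';    find_login_shells "$1/passwd"
    printf '\nRules that skip authentication:\n'; find_nopasswd "$1/sudoers" "$1"/sudoers.d/*
    printf '\nMembers of sudo/wheel:\n';          admin_group_members "$1/group"
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_dir "$tmp"
rm -rf "$tmp"
```

On a real host, reading /etc/sudoers and /etc/sudoers.d/* needs root, and a grep over the files shows only what is written there; `sudo -l -U <user>` shows the effective rule set, including rules inherited through `%sudo` or `%wheel`. After editing any drop-in, `visudo -cf /etc/sudoers.d/<file>` checks its syntax without installing it.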
Common pitfalls
- Editing /etc/sudoers directly with vi: one syntax error and sudo refuses to run at all, which locks you out of sudo. Use visudo, or `visudo -cf <file>` to check a file written some other way.
- Mixing up the admin group: Debian and Ubuntu use `sudo`, while RHEL, Fedora and Arch use `wheel`. Adding a user to the group the distribution does not honour grants nothing.
- Assuming a `/usr/sbin/nologin` shell makes a sudo rule harmless. nologin only blocks interactive login; sudo does not check the caller's shell, so anything already running as that account (a web app, a cron job, `su -s /bin/sh <user>`) can still use the rule.
- UID 0 is root-equivalent regardless of name: `toor:x:0:0:...` is root. Check the UID, not the name.
- Adding a user to a group with `usermod -G` (replaces the whole supplementary group list) instead of `usermod -aG` (appends).
Skill drills
1. Which UID has unrestricted privileges on Linux? 0
2. File where password hashes are stored? /etc/shadow
3. Command to safely edit /etc/sudoers? visudo
4. Flag for usermod that APPENDS to groups instead of replacing? -a (always use with -G)
5. Command to see what a user can sudo? sudo -l -U <user>