Basics of Managing Users on CentOS Systems

Managing users can be a daunting task: from day-to-day maintenance, security risks, and lack of thorough online documentation. This article will help start you off by explaining the basics of properly managing users on CentOS systems.

Theory: sudo

sudo is a command used when a user is not logged in as the root user, but wants to execute a command as the root user. For example, say that only the root user has access to the /etc/test.txt file. Trying to open the file with vi /etc/test.txt as a “normal” user would not work, whereas sudo vi /etc/test.txt would work, because the command is executed with root privileges.

Adding a User

Adding users on CentOS is performed with the adduser command. Simply type:

adduser UserName

Given that you want to give this user a password, type:

passwd UserName

If you do not manually do this, the user will not have a password.

Deleting a User

If a user does not need to have access to your system anymore, you should delete it. In order to delete a user, you can use userdel:

userdel UserName

Adding the -r switch to the userdel command will cause their home directory to be deleted as well (/home/UserName). Be sure to make a backup of this folder first, if needed.

userdel -r UserName

Granting a User Sudo Privileges

A common use case for “sudo” exists when you do not want to share the password of the root user account, but you still want users on your system to be able to run root-level commands. Running sudo as the root user is useless, as the account already has root privileges.

You can give a user permission to use sudo with the following command:

gpasswd -a UserName wheel

This adds a user to the wheel group, which always has access to the sudo command. Now the user can run sudo.

When running sudo, a user is prompted for their password before the command will execute. This is normal behavior, and can be disabled by editing the sudo settings in /etc/sudoers.

Monitoring Sudo Attempts

For the security of your system, Linux logs both successful and unsuccessful attempts at using sudo. When a user tries to use sudo without having access to it, the following error will be displayed:

UserName is not in the sudoers file. This incident will be reported.

Sudoers incidents are logged to /var/log/secure.