Mastering User and Group Management on Linux

As a long-time SysAdmin, one of the core tasks I’ve always had to tackle is managing users and groups on Linux systems. Whether you’re running a personal server or managing an entire fleet of Linux boxes, understanding how to efficiently handle user and group permissions is essential for maintaining a secure and organized system. In this post, we’ll dive into the nuts and bolts of user and group management on Linux, walking through practical examples and providing some handy commands to keep in your toolbox!

Why User and Group Management Matters

Before we jump into the command line, let’s talk about why user and group management is so crucial. Linux is a multi-user operating system, meaning that it allows multiple users to work on the same machine simultaneously. Each user has their own unique environment, including their files, processes, and settings. Proper management of users and groups ensures that everyone has the right access to the resources they need while keeping sensitive data protected.

Adding Users: The Basics

Let’s start with the basics—adding a new user. In Fedora Linux, which I am using as my distribution, the command to add a user is useradd. Here’s a simple example:

sudo useradd eric

This command adds a new user named “eric” to the system. However, this is just the beginning. By default, useradd creates a user with a locked password and no home directory. To make the user account functional, you’ll want to add a few more options.

Creating a Home Directory and Setting a Password

To create a home directory for the user and set a password, you can use the -m option to create the home directory and passwd to set the password:

sudo useradd -m eric
sudo passwd eric

The -m option ensures that a home directory (/home/eric) is created automatically. The passwd command then prompts you to set a password for the new user, which is crucial for allowing them to log in.

Assigning a User to a Group

In Linux, groups are used to manage permissions for multiple users at once. Each user can belong to one or more groups. By default, when you create a user, they are assigned a private group with the same name as their username. However, you can also add them to additional groups as needed.

To add the user “eric” to a specific group, say “developers,” you can use the usermod command:

sudo usermod -aG developers eric

The -aG options append the user to the group without removing them from any other groups they might already belong to. This is important—forgetting the -a option will remove the user from all other groups, which could cause unintended access issues.

Creating and Managing Groups

Creating a new group is straightforward with the groupadd command. Let’s say you want to create a group called “admins”:

sudo groupadd admins

Once the group is created, you can add users to it using the usermod command, as we discussed earlier. You can also assign group ownership of files and directories, which is useful for collaborative environments. For example, to change the group ownership of a directory:

sudo chgrp admins /opt/project

The chgrp command changes the group ownership to “admins” for the /opt/project directory.

User and Group Management Best Practices

Managing users and groups efficiently isn’t just about knowing the right commands—it’s about understanding best practices to keep your system secure and organized. Here are a few tips to keep in mind:

  1. Use Groups for Permissions: Instead of assigning permissions directly to individual users, assign them to groups. This makes it easier to manage access as your user base grows.
  2. Limit Root Access: Only grant administrative privileges to users who absolutely need it. For others, use the sudo command to allow them temporary access to elevated privileges when necessary.
  3. Regularly Review Group Membership: Periodically check which users belong to which groups. Over time, users might change roles, and their access needs will change too. Keeping group memberships up-to-date helps prevent unnecessary access.
  4. Use Strong Password Policies: Ensure that all users have strong, unique passwords. You can enforce password complexity and expiration policies using tools like chage and pam_pwquality.
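As an added example (not code from the post), here is a small POSIX shell script that ties the commands above together: provision_user runs the groupadd / useradd -m / usermod -aG sequence idempotently, and the audit helpers implement tip 3 by comparing a group's members against an allowlist. The account names used in the comments are constructed; the audit helpers read any group(5)-format file, defaulting to /etc/group, so they can also be pointed at a copy pulled from another host.

```shell
#!/bin/sh
# Added example (not from the post): provision an account the way the post does
# and audit a group's membership against an allowlist. The user/group names
# (eric, developers, admins, alice, mallory) are constructed for illustration.
#
# The audit helpers read a group(5)-format file so they can be run against a
# copy of /etc/group pulled from a host, or against /etc/group itself.

# Print the members of group $2 listed in group file $1, one per line.
# Prints nothing if the group has no members or does not exist.
group_members() {
    awk -F: -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
    ' "$1"
}

# Print the supplementary groups of user $2 according to group file $1.
# This is what `id -nG` reports, minus the primary group from passwd(5).
user_groups() {
    awk -F: -v u="$2" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$1"
}

# Print the members of group $2 (from file $1) that are NOT in the
# comma-separated allowlist $3. Empty output means the group is as expected.
unexpected_members() {
    group_members "$1" "$2" | awk -v allow=",$3," 'index(allow, "," $0 ",") == 0'
}

# Review group $1 against its expected member list $2 (tip 3 above).
# Optional $3 is the group file; defaults to /etc/group.
# Returns 0 when the membership matches, 1 when there are surprises.
review_group() {
    extra=$(unexpected_members "${3:-/etc/group}" "$1" "$2")
    if [ -n "$extra" ]; then
        printf 'group %s has unexpected members:\n%s\n' "$1" "$extra"
        return 1
    fi
    printf 'group %s membership OK\n' "$1"
}

# Create the group and user if they do not exist, then APPEND the user to the
# group with -aG so existing memberships survive. Needs root; safe to re-run.
provision_user() {
    user=$1; group=$2
    [ "$(id -u)" -eq 0 ] || { echo "provision_user: run as root" >&2; return 1; }
    getent group "$group" >/dev/null  || groupadd "$group"
    getent passwd "$user" >/dev/null || useradd -m "$user"   # -m: create /home/$user
    usermod -aG "$group" "$user"                             # -a keeps other groups
    id -nG "$user"                                           # show resulting memberships
}

# Typical use (as root):
#   provision_user eric developers && passwd eric
#   review_group developers alice,eric
```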

Wrapping Up

Managing users and groups on Fedora Linux—or any Linux distribution—is a foundational skill for any SysAdmin. By understanding and applying the commands and best practices we’ve covered in this post, you’ll be well on your way to maintaining a secure and efficient Linux environment.

If you found this guide helpful, be sure to check out more content on The IT Guy Blog and tune in to my podcast, where I dive deeper into topics just like this one. Whether you’re just getting started with Linux or you’re looking to refine your skills, there’s always something new to learn.

Happy SysAdmin-ing!

Apple Vision Pro | IT Guy’s first impressions

The Apple Vision Pro stands to be one of the next innovations that changes how we use technology. Is it there yet? Not quite, but read on to see what I discovered. 

I’ve been in IT since before it was my chosen career path. When I first started out in my career, I was just an enthusiast. I enjoyed getting the latest gadgets, learning about them, and playing with them. I remember being a senior in high school and buying a Palm Pilot. I may have even played Hearts during our science class.

A lot of days, it’s a slog. If you are a SysAdmin, like I was, it takes many days to work to keep the lights on. You try to learn and grow your toolbox, but most days, it’s resetting that same user’s password for the third time this month.

Now and then, you have those days where you sit back and go, “This could be something!” I did that today. I’m in the grind of getting video and presentation content ready for the following Red Hat Enterprise Linux release ready to go out the door, as well as our upcoming Red Hat Summit conference. I needed a break.

I’ve heard people talking about Apple’s first steps into the VR world, and I wanted to see them for myself. While I bleed Linux, I am an undying Apple Fanboy. I have most of their tech somewhere in my house. So, why not!?

You can reserve a slot online for an in-person, 30-minute guided demonstration of how to fit, calibrate, and use the device. Wear prescription glasses? No problem; they can scan your lenses and fit your unit with inserts to match.

I have only played with Meta Quest 2 for a couple of days, so I had little more experience to go on for my demo. I initially thought it was a sleek-looking headset, but how heavy would this be?

Once you put on the device, you adjust a knob on the side of the headband. You can tighten it to wear it; it’s solid yet comfortable. My initial fear was that it would be too heavy, not so! Yes, it has some weight, but it took a little time to get used to it.

For my demo, I wanted the full experience. I wanted to be guided through the basics – you can customize your tour, but I wanted to avoid going in with any preconceptions. We started with hand gestures and the home screen.

Apple Watch users will be familiar with the crown that twists and clicks. However, the main interaction isn’t with hand gestures or the crown; it’s with your eyes! Tiny cameras line the inside of the visor and track your eye’s movements. You look at an icon, and it will highlight. Then, all you have to do is pinch two fingers together to select.

We looked at pictures from standard images to iPhone-based panoramas to something new called immersive mode (available now on iPhone 15 Pros and Max Pros). I won’t spoil anything, but it looked like I was in the room!

We moved to playing a pinball game, watching movie trailers, and searching the internet. Moving windows around, resizing, and scrolling was a breeze! I got tripped up a little when it came to typing.

Ultimately, it was an exciting experience. I really enjoyed the digital tour. I can see many use cases for travel and taking my books, studies, and multimedia.

Is it a daily driver? I do online research, work on Linux servers, and interact with an office suite all day. I recommend not. Is it worth the price tag to not be a daily driver? No.

However, that is today. The hardware and interactivity were far beyond my expectations. I count this as a public beta, version 1.0. The Vision Pro has come a very long way since its release. Third-party and iOS mobile apps are getting better support all the time.

So, when it’s released, the Apple Vision Pro 2 will be hard to say no to!

Getting Started with Linux and I.T. Careers

I get asked on a regular basis how I got my start in Linux; over the last couple of days, I put together my most comprehensive list yet and I wanted to share it with all of you!

Where do I start!?

One of the best ways to get comfortable with Linux is to utilize it everywhere you are. The first place I think about is your daily computer driver. I learned so much by working in Linux on a daily basis. Linux-powered laptops are far more prevalent than they were a decade ago. I can recommend a few companies that I know are dedicated to Linux: System76, Lenovo, and Slimbook. Of course, you can buy a lot of these second-hand on eBay or similar.

What distribution do I pick?

(Disclaimer: I work for Red Hat, so I may be a bit biased.) I talk to Sysadmins regularly who are split between different distribution families. For instance, Ubuntu and Red Hat-based distributions are very different in terms of operation, commands, and…we’ll call them “idiosyncrasies”. If your work uses Red Hat, I would recommend focusing on learning Red Hat-based distros. I, myself, came up in much the same way: I learned Red Hat as a Linux Systems Administrator, so that’s what I primarily use even at home.

These include:
Red Hat Enterprise Linux (Free Developer Subscription!)
CentOS Stream
Fedora

What advice can you give for someone interested in learning more about Linux distributions? Where should I start?

Linux is one of the most studied topics online. There are countless YouTube videos, blogs, and podcasts. I started learning about Linux and Open Source through a podcasting community called Jupiter Broadcasting. They have Matrix channels, live podcasts, and an amazing community of people to help new members learn and grow. I actually got my start podcasting on Linux Unplugged, one of their shows.

If you want to get your hands dirty, I would also recommend a Linux laptop and get comfortable with virtual machines and cloud providers. You can get a free credit when you sign up for Digital Ocean (FYI, that’s a referral link tied to my account.) You can spin up all sorts of servers, distros, and play with different applications. Their documentation and walkthroughs are next level! I also help support a series of labs for learning on RHEL (Red Hat Enterprise Linux). There are some Admin 101 and Developer 101 labs that are great at teaching the basics of Linux and moving into more complex topics: https://lab.redhat.com. (They are free to use!)

Number one thing I can recommend here is to find a community of people to learn and grow with.

How did you discover that you wanted to focus on System Administration, and do you have any insights for someone interested in this specialization?

Great question. I have had an interest in computers since I was 5. I learned how to change my Dad’s desktop wallpaper on an old Mac PC and never stopped learning from there. Once I graduated high school and started college at DeVry University, I did the obvious thing: I signed up for a computer science degree. A couple of semesters in, I was taking a C# class and knew I would never survive as a developer. I got so lost with arrays, ha ha! So, I distinctly remember walking by this lab with racks of hardware, cables, and flashing lights. I knew that was where I needed to be. I went to my school advisor and switched my major to Network Communications Management. I started learning Cisco, firewalls, switching, and my favorite – operating systems.

Around the same time, I got a job as an IT Support Intern for a local municipality. I got to do desktop support, help desk, and even some Active Directory management. I loved what I was doing. After college, I got a job doing IT support – desktop and servers. After a couple of years, I was managing all sorts of servers and working on desktop refresh programs – new hardware every few years, desktop imaging and the like. I helped manage a handful of Linux servers that no one else really wanted to touch; I had tinkered with Linux in my college days, and decided I wanted to specialize.

I pursued a new job that would allow me to focus on Linux Systems Administration and started studying for my RHCSA (Red Hat Certified Systems Administrator). Over almost a decade, I was a Linux Systems Administrator, a Linux Systems Engineer, then a Solutions Architect (pre-sales Sysadmin basically), then finally about 2 1/2 years ago moved into Technical Marketing for RHEL where I really hit my stride!


What experiences and skills would be helpful for someone entering this field?

In today’s computer-driven resume world, it’s important to check as many boxes as you can. Have a “home lab” (like Digital Ocean or a PC at home you use as a “server”). Showing that you are constantly learning is huge. A bachelor’s degree is a huge plus, as is a technical certification in a field related to what you are interested in. You don’t have to have all this up front, but every step you take makes it easier to get the next job, then the next, and so on.

In your opinion, where’s the best place for me to find out about openings within this field?

Now, it’s been 6+ years since I had to job hunt… However, from what I’ve kept my eye on, LinkedIn is a HUGE place to get started. In fact, LinkedIn Premium is a good way to go. You can use their “AI” to help you write your title and about sections. LinkedIn has job postings, but you can also mark yourself as “open to work” and job recruiters will find you and match you to jobs they have available. (The link above will give you 2 months of Premium for free; after that it gets really expensive, but you can cancel at any time.)

There are still other sites like Monster and Dice, but I haven’t had good luck there. Though if you are really eager to start your IT career you can never send out enough resumes!


Do you know of any programs or webinars that you think could be helpful to someone looking to enter the IT Support field?

Oh do I! You can check out the Sudo Show where I am a founder and former host. The Sudo Show is part of the Tux Digital Network, home of Destination Linux among others. There’s Jupiter Broadcasting and the Ask Noah Show. There’s the Fedora Podcast, the CentOS video podcast (new), and the RHEL YouTube channel. Our show Into the Terminal is a great place to start learning.


Do you know of other individuals in the field whom I could contact?

I’d start with posting questions on LinkedIn or Mastodon and using hashtags, like #linux. Get involved with podcasting communities like the Ask Noah Show or Jupiter Broadcasting. They are on Discord, Mastodon, Telegram, and others!


I hope these questions and answers help you in your journey. I’d love to know what other topics you’d like me to cover or what other questions you may have. My virtual door is always open!

I know a lot of these resources have my name attached to them in some way, but one of the reasons I moved from Systems Administration to Technical Marketing was to build tools and resources I could have used when I was in your place – to learn and grow into a field I was very interested in.

Image courtesy of Max Duzij, Unsplash

Ansible Beginner’s Guide: Automate the Pain Away

Way back in the day, humanity created computers to help make our lives easier. In a lot of ways, they have; in others, it’s made life much more tedious, especially for the SysAdmin. What used to be a mainframe has turned into hundreds of servers, containers, and virtual machines spread across data centers, clouds, and even laptops!

Never fear, Infrastructure as Code (IaC) is here. Tools like Ansible have been around for over a decade, but in the past few years they have really picked up speed. Ansible is a simple, efficient approach to automating and standardizing our environments while cutting down on time, increasing reliability, and removing the human error factor from operations and deployments!

My Story

Probably around 2012 or so, I was a rookie Linux Systems Administrator just making the move away from managing Windows servers and desktops. I remember how much fun patch days were…at first. We got to take the morning off, spend an evening at our off-site data center, order in some Jimmy John’s, and once the corporate office closed, start patching systems. We ran CentOS, RHEL, Oracle Enterprise, and maybe even an Ubuntu system or two.

Looking back, it was actually an unnecessary time suck! Why!? Patch a couple of hundred servers, by hand, rebooting systems manually, and hoping that nothing broke because the application and database administrators were already at home enjoying the end of their workday. The one saving grace at that point was Tmux (an amazing tool to manage multiple terminal sessions at once). At least then I didn’t have to type yum update 200 times!

I guess Charles Dickens might have said of my career: “It was the best of times, it was the worst of times…” I finally got to focus on Linux Servers, bye-bye Windows, but who wants to spend their Thursday nights patching a couple of hundred servers by hand?

That’s not why you’re here, though. You all know I have my SysAdmin scars and I wear them with pride because now, I get to share amazing lessons I learned (or in today’s case should have learned back then). Today, I want to introduce a tool that could have taken our patching times from 6-7 hours down to what could have been less than an hour. Even more, that process could have been completely automated!

What is Ansible?

Ansible is a project bred from the idea that all infrastructure (even security, networking, and cloud) should be code. In other words, if you think of your lab, network, enterprise, whatever as a restaurant, Ansible would be the recipes the cooks used to make every dish. Ansible is written predominantly in Python and utilizes YAML or “YAML Ain’t Markup Language” (who doesn’t love a good recursive acronym?) for its playbooks.

Ansible, not to be confused with the Red Hat product Ansible Automation Platform, is an open-source project that runs across most Linux and Unix systems as well as Mac and Windows and even networking gear, clouds, and security appliances! The list of modules and supported platforms grows with every release.

[ansible@fedora-server-34 ~]$ ansible --version
ansible 2.9.21
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.9.5 (default, May 14 2021, 00:00:00) [GCC 11.1.1 20210428 (Red Hat 11.1.1-1)]
[ansible@fedora-server-34 ~]$ 

The name was inspired by Rocannon’s World, a novel by Ursula K. Le Guin. In the 1966 novel, the ansible was a fictional, instantaneous communication system, and the word would later become the name of the open-source tool. Michael DeHaan, the original developer, decided to build a company around his new tool and, with the help of Said Ziouani and Timothy Gerla, founded AnsibleWorks Inc. Later, the company was renamed Ansible Inc and was eventually acquired by Red Hat in 2015.

Why Ansible?

Ansible burst onto the field in an age where Infrastructure As Code (IaC) tools seemed to be everywhere. However, Ansible had a few attributes that set it apart from its competition.

For one, Ansible is agent-less. In other words, there is no software to deploy across your enterprise. You could install the Ansible package on your laptop and manage thousands of servers across bare metal, virtual machines, and even the cloud!

Being agentless also opened the door for another advantage: Ansible utilizes OpenSSH to execute remote commands instead of proprietary or platform-specific tools.

Thirdly, Ansible set itself apart by choosing simple, YAML-based text files to define its environments and code. Want to have a pre-defined list of servers to manage? Add it to an inventory file! Want to use Ansible to create a user, set its password, and add an SSH key? Write a playbook. Want to have support for different environments (dev, prod, etc.)? Easy, just create a variable file!

Getting Started

Did I sell you on how easy and awesome Ansible is? Good, because here is the entrée for today’s meal: Let’s install Ansible and use Ansible to add a package on our local system. For the sake of this demonstration, I’ll be using one of my favorite server distros, Fedora Server, specifically Fedora 34. Ansible is available for most major distros, so, consult your package manager to find the correct package.

The first step is to install the required Ansible package and its dependencies:

[ansible@fedora-server-34 ~]$ sudo dnf install -y ansible
Last metadata expiration check: 0:05:30 ago on Tue 22 Jun 2021 04:13:57 PM CDT.
Dependencies resolved.
===============================================================================================================================================================================================================
 Package                                                    Architecture                                Version                                             Repository                                    Size
===============================================================================================================================================================================================================
Installing:
 ansible                                                    noarch                                      2.9.21-1.fc34                                       updates                                       15 M
Installing dependencies:
 libsodium                                                  x86_64                                      1.0.18-7.fc34                                       fedora                                       165 k
 python3-babel                                              noarch                                      2.9.1-1.fc34                                        updates                                      5.8 M
 python3-bcrypt                                             x86_64                                      3.1.7-7.fc34                                        fedora                                        44 k
 python3-cffi                                               x86_64                                      1.14.5-1.fc34                                       fedora                                       244 k
 python3-chardet                                            noarch                                      4.0.0-1.fc34                                        fedora                                       214 k
 python3-cryptography                                       x86_64                                      3.4.6-1.fc34                                        fedora                                       1.4 M
 python3-idna                                               noarch                                      2.10-3.fc34                                         fedora                                        99 k
 python3-jinja2                                             noarch                                      2.11.3-1.fc34                                       fedora                                       493 k
 python3-jmespath                                           noarch                                      0.10.0-1.fc34                                       updates                                       46 k
 python3-markupsafe                                         x86_64                                      1.1.1-10.fc34                                       fedora                                        32 k
 python3-ntlm-auth                                          noarch                                      1.5.0-2.fc34                                        fedora                                        53 k
 python3-ply                                                noarch                                      3.11-11.fc34                                        fedora                                       103 k
 python3-pycparser                                          noarch                                      2.20-3.fc34                                         fedora                                       126 k
 python3-pynacl                                             x86_64                                      1.4.0-2.fc34                                        fedora                                       110 k
 python3-pysocks                                            noarch                                      1.7.1-8.fc34                                        fedora                                        35 k
 python3-pytz                                               noarch                                      2021.1-2.fc34                                       fedora                                        49 k
 python3-pyyaml                                             x86_64                                      5.4.1-2.fc34                                        fedora                                       194 k
 python3-requests                                           noarch                                      2.25.1-1.fc34                                       fedora                                       114 k
 python3-requests_ntlm                                      noarch                                      1.1.0-14.fc34                                       fedora                                        18 k
 python3-urllib3                                            noarch                                      1.25.10-4.fc34                                      fedora                                       175 k
 python3-xmltodict                                          noarch                                      0.12.0-11.fc34                                      fedora                                        23 k
 sshpass                                                    x86_64                                      1.09-1.fc34                                         fedora                                        27 k
Installing weak dependencies:
 python3-paramiko                                           noarch                                      2.7.2-4.fc34                                        fedora                                       287 k
 python3-pyasn1                                             noarch                                      0.4.8-4.fc34                                        fedora                                       133 k
 python3-winrm                                              noarch                                      0.4.1-2.fc34                                        fedora                                        79 k

Transaction Summary
===============================================================================================================================================================================================================
Install  26 Packages

Total download size: 25 M
Installed size: 143 M
Downloading Packages:

<<< Output Truncated >>>            

Complete!
[ansible@fedora-server-34 ~]$

Excellent, feel the power yet? Let’s get a little crazy. Let’s write a playbook. Let’s install a package!

I really like htop. It is a “graphical” tool that, in this author’s opinion, makes it much easier to read and understand the output of the top command.

Luckily, it’s available from the default Fedora repos. So, using your favorite text editor, create htop.yml:

---
- name: installing packages
  hosts: localhost
  become: yes
  tasks:
    - name: install htop
      package:
        name: htop
        state: latest

What’s all this mean? Let’s break it down line by line. Make sure to start your playbook with three hyphens (---). The name tags are just that: they tell you which play or task is being run, which makes the output easier to understand (and especially easier to troubleshoot when something goes wrong). Next, we have the hosts. For this super-simple example, we are only calling localhost. This could also call any number of hostnames or groups listed in an inventory file. Become is basically your sudo command. If you set become to yes, Ansible will run the tasks with administrative privileges. Otherwise, the playbook will run as whatever user calls the playbook.

Under tasks, we have another name tag. We are calling the package module. This is what is so cool about Ansible; you can actually build playbooks that will run over differing distributions! The package module is intuitive enough to know what your system’s package manager is: apt for Ubuntu, yum for CentOS, dnf for Fedora, and so on. Next, we call the package, in our case, htop. The final line is the state of the package. We can set this to a specific version, to absent (if we don’t want the called package installed), or latest, which (you guessed it!) means the package will be on the latest version.

Now, save your config file, and let’s run our playbook:

[ansible@fedora-server-34 ~]$ rpm -qa|grep htop
[ansible@fedora-server-34 ~]$ ansible-playbook htop.yml 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [installing packages] ************************************************************************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************************************************************************
ok: [localhost]

TASK [install htop] *******************************************************************************************************************************************************************************************
changed: [localhost]

PLAY RECAP ****************************************************************************************************************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[ansible@fedora-server-34 ~]$ rpm -qa|grep htop
htop-3.0.5-4.fc34.x86_64
[ansible@fedora-server-34 ~]$

You can see htop is not installed before we run our playbook, then after we run it, htop is indeed present!
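To show where this goes next, here is an added playbook of my own (not code from the original post) that does the “create a user, set its password, and add an SSH key” job mentioned earlier, alongside the htop install. It assumes a public key file named eric.pub sits next to the playbook, and it prompts for the password at run time rather than storing it in the file; the user and group names are constructed.

```yaml
---
# Added example, not from the original post. Assumes ./eric.pub exists.
- name: provision a developer account and the tools it needs
  hosts: localhost
  become: yes
  vars_prompt:
    - name: eric_password
      prompt: "Initial password for eric"
      private: yes            # input is not echoed to the terminal

  tasks:
    - name: ensure the developers group exists
      group:
        name: developers
        state: present

    - name: create eric with a home directory and append him to developers
      user:
        name: eric
        create_home: yes      # same job as useradd -m
        groups: developers
        append: yes           # same job as usermod -aG: keep existing memberships
        # store a salted SHA-512 hash, never the clear-text password
        password: "{{ eric_password | password_hash('sha512') }}"
        update_password: on_create   # re-running the play will not reset it

    - name: install eric's public key for SSH login
      authorized_key:
        user: eric
        key: "{{ lookup('file', 'eric.pub') }}"   # assumed path, next to the playbook
        state: present

    - name: install htop
      package:
        name: htop
        state: present        # installs if missing; unlike latest, does not upgrade on every run
```

Because every task is declarative, running the playbook a second time reports ok=... changed=0 in the PLAY RECAP, which is the quickest check that your playbook is idempotent.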

Wrap Up

So, there you have it. You now have the power to go out and install a package on any SSH-enabled host system. Go forth and blow people’s minds! When you take this simple example and zoom out, you start to see the sheer power that Ansible can bring to a Systems Administrator. Step aside, Luke Skywalker, we don’t need the Force anymore to move your X-Wing. We’ll do it with Ansible!

Okay…That may be over the top. However, I can’t overstate the truth: Build out your playbooks. Grow your Ansible skills. The rule is, if you have to do a task more than once: AUTOMATE IT! Stop installing packages by hand. Quit wasting your time bootstrapping servers by copy-pasting commands out of a shared document. Take those commands, add in some Jinja-variable goodness, and let computers do what they were meant to do: make the lives of humans easier.

Need some more ideas to get you going? No problem! Ansible has AH-MAZE-ZING documentation and an awesome Getting Started landing page.

Like a terrible TV infomercial, just wait, there’s more! Have a favorite open source project you like or a system service that you tend to modify? You may not even have to start from scratch! Ansible has galaxies (pun intended) of pre-built roles and playbooks available. Ansible Galaxy is a community-driven effort to provide pre-built code to get your systems up and running fast. They have playbooks for Nextcloud Server, LAMP, and even desktop applications!

I use Ansible every time I build out a new VM. I use Ansible to ensure my user account is configured exactly the same way across all my systems: laptop, desktop, server, VMs, and cloud! Admittedly, my list of Ansible To-Dos is still fairly large, however, I try to spend a little time each month adding to it. Slowly but surely, I am automating and standardizing my home lab and home production systems. You can too!

Let me know below how you are or are planning to use Ansible.

Did you like this post? Let me know in the comments if there is more you’d like to read on this topic. There is SO much more we could talk about from products like Red Hat’s Ansible Tower (or the upstream AWX project) to large-scale use cases, bootstrapping, and more. So, by all means, let me know what you are interested in.

Thank you so much for spending your valuable time to hear my “war stories” and letting me share a tool with you I am quite passionate about.

(This post originally appeared here and is used with permission.)
