User configuration and management in Linux VPS

Basic account model (1 minute of theory)

• Users: /etc/passwd (UID, GID, shell, $HOME).
• Password hashes: /etc/shadow (root only).
• Groups: /etc/group (GID and members).
• Home directories — usually /home/<user>, initial content template — /etc/skel.

Creating a user

1. Convenient adduser wizard (Debian/Ubuntu)

2. “Low-level” via useradd (universal)

Custom home + rights:

Verification:

Groups and roles

Adding to additional groups

Removing from a group

Role group for the project/service

Secure sudo (via visudo and /etc/sudoers.d)

Edit rules only via visudo — validates syntax and saves you from the admin panel “brick.”

Full sudo (as in the sudo group):

Minimum privileges (example for nginx):

Tips

• Issue permissions through a group whenever possible:
• %webadmins ALL=(root) NOPASSWD: NGINX_CMDS → add users to webadmins.
• NOPASSWD — only where automation is needed.

Password policy (password aging) and complexity

Individual terms via chage

Defaults for new users (login.defs)

Password complexity (PAM, Ubuntu/Debian)

Install libpam-pwquality and configure /etc/pam.d/common-password, for example:

SSH keys and SSH restrictions

Add a public key to a user

Restrict access in sshd_config

“Technical” user without shell

Collaborative work in a directory (group + ACL)

setgid on the project directory (group inheritance)

Point ACLs (if rights beyond the standard are required)

Audit and debugging of inputs

Blocking and deleting accounts

Production readiness checklist

• User created, $HOME and shell are correct, SSH key added.
• Role-based groups assigned (sudo/adm/www-data/docker/…).
• sudo issued via /etc/sudoers.d with minimal privileges.
• Password policy: chage/login.defs/PAM configured.
• Passwords and root login are disabled in SSH; AllowGroups sshusers restriction is enabled.
• Setgid and, if necessary, setfacl are configured for projects.
• Logins are audited; there is an offboarding procedure (lock → kill → backup → remove).

Table of Contents