Using sudo Is Bad but What Can You Do About It?

Whenever we need to install some new program or access the Linux system each of the tutorials says you shouldn’t be using sudo to run any command.

Avoiding sudo is considered a good practice. But why is that?

Today we will learn what is bad about using sudo and how we can avoid using sudo by creating new users. The command that we are going to use most today is adduser.

What does sudo do?

When you run any command on a Linux machine with sudo as a prefix, it gives you elevated privileges over the system. So that you can run anything and everything. The system trusts you.

It’s fine as long as you know what you are doing. But most of the time it’s not the case because we are human and humans do mistakes.

Why Using sudo Excessively is Bad

  • You can mess with the sensitive part of your system without even knowing it. For example, you can delete the whole / folder with sudo,

  • By default, sudo caches the password for 15 minutes. So If you forget to logout or close the session someone else may make dangerous changes to your system.

  • If you make a typo while using a sudo command that can potentially disrupt the sensitive settings of your machine and pretty hard to deal with.

  • Using sudo Excessively means you are violating the Principle of Least Privilege so try to avoid that.

Okay Fine... Show me What to Do

We can think of sudo as the gateway to becoming an admin user. What we can do instead is create multiple other users with specific privileges with a specific boundary so that they can only access the required resources to perform that specific task.

For Example

  • Create a user to manage a Tomcat server

  • Create another user to maybe manage an Nginx server

  • Create another user and allow to only do the development work.

There are so many use-cases for multiple users. We will learn about them later.

First, let’s see how we can create a new user in a Linux based system.

Create a New User

The command that allows us to create a new user is

sudo useradd username

the username can be any name of your choice. For example, the following command will create a new user named faisal.

sudo useradd faisal

Set a Password For User

Now in order to set a password for this user what we can do is

sudo passwd faisal

It will prompt us to input the password that we want to set for this particular user.

Login with New User

After creating our new user we can log in to that user using the following command

su faisal

This command will prompt us to input the password that we set earlier and voila! We are now inside that user.

Let’s talk a bit more about the useradd command…..

Okay, I Have Created a New User. What Now?

If we want to know what can be done to our newly created users we have to understand this useradd command a bit more….

What does this useradd Command do?

When we run the useradd command it does 3 things

  1. Saves Users Information

etc/passwd , etc/shadow , etc/group , etc/gshadow

  • The first two files are used for saving users authentication information

  • The Second two files are used for saving users group information

  • Sets the Home Directory for new user

  • Sets the permission of the newly created user

Let's talk a little bit about each of these things and what can we customize these to our needs.

Setting User ID

We can set a user id for the newly created user with the following command

sudo useradd -u 1234 faisal

This will create a new user with the id of 1234.

Setting User Group

We can assign users to specific groups to track them and manage them. By default, the command creates a group with the same username and groupid with the same userid.

We can set users groupid using the following command

sudo useradd -g group_name

Remember one thing. The group must be existing prior to this command in order to work properly

So if we want to create a new user

  • named faisal

  • Belongs to the developer's group

  • Have a specific userid = 999

sudo useradd -u 999 -g developers faisal

By design, any user can belong to one primary group and to multiple secondary groups. We can pass the -G flag to do that.

The following command will create a user who belongs to the developers group and also included in juniors group

sudo useradd -u 999 -g developers -G juniors faisal

Setting Default Home Directory

Most Linux distributions don’t automatically create a new home directory while creating a new user.

If we want to create a new user’s home directory by default under the /home/username , we can pass the -m flag.

sudo useradd -m faisal

This command will create a new folder inside the home directory for the newly created user.

Setting the Home Directory of Choice

But what if we want to create a home directory for this user in another location?

Well for that we have to pass the -d flag. If we want to create a new home directory for the user under /opt/username what we can do is

sudo useradd -m -d /opt/faisal faisal

Creating a System User

We can create a system user with the -r flag. This type of users don’t have much difference from the normal users but mostly we create system users to install some program.

To create a new system user named tomcat

sudo useradd -r tomcat

These system users don’t have any expiry date and their user id is chosen automatically which is different from normal users.

Setting the Shell

Shell is a program that accepts and interprets commands from a user. By default, some distributions have /bin/bash as the default shell and others have/bin/sh as the default shell.

However, if you want to set the default shell for your newly created user you can use the -s flag.

To create a user with /usr/bin/zsh as a login shell, you can write the following command

sudo useradd -s /usr/bin/zsh faisal

Add a Comment

If you want to have a comment about this user you can use the -c command.

sudo useradd -c "Mohammad Faisal" faisal

Then a new user will be created with the comment associated with it.

Expiry Date for User

You can set an expiry date for a user. After that, the user won’t be able to log in.

sudo useradd -e 2019-01-22 faisal

This is useful for office environments where you want greater control over your machine and want to prevent unwanted access to the machine.

If you want to see the password expiry of the user you can type

sudo chage -l faisal

Which will give you a history of this user.

View Details

To see the details of any user you can type the following command

grep username /etc/passwd

It will give us the userid or groupid and other associated information about the username that we specified.

Changing a User after Creation

You can change all of these properties using the commandusermod of Linux. For example, if you want to change the default shell of a user what you can do is…

usermod --shell /bin/bash username

This will change de default shell of the user named username to /bin/bash

That’s it. I hope now you have a better understanding of the useradd command in Linux which is used to create a new user and set boundaries for the user. You can also check other commands like chown to learn about how we can change ownership of a file or directory so that a specific type of user can access it.

Also, I am not a system admin and I don’t have any deep knowledge of Linux. These commands are useful for me as a day-to-day software developer. So if anything I mentioned here is wrong please feel free to correct me.

That’s it for today. Happy Coding! :D

Get in touch with me via LinkedIn


Share this post


Read more articles...

team

3D Graphics in ReactJS and ThreeJS

team

11 Unwanted Ridiculous NPM Packages

team

How I Reduced Docker Image Size from 1.43 GB to 22.4 MB

team

Using NGINX to serve React Application Static vs Reverse Proxy

Profile Image

Who I am

Hi, I amMohammad Faisal, A full-stack software engineer @Cruise , working remotely from a small but beautiful country named Bangladesh.

I am most experienced inReactJS,NodeJS andAWS

Buy Me a Coffee Widget