Overview
Managing multiple users and groups is a key part of system administration in an organization. It lets individuals and teams reach the data, resources, and applications they need to do their jobs, and nothing more. This is the principle of least privilege: no one should be granted more access than they need.
In this project, I am going to demonstrate this by creating users, groups, and directories for a fictitious organization, called “Level Up Bank”. The goals of this project are as follows:
- Create an EC2 instance in the AWS Console and SSH into the instance. If you do not know how to do this or need further explanation, check out my article here.
- Create 3 directories: Development, Operations, and Analytics
- Create 3 groups: Developers, Operations, and Data Analysts
- Change the group owner of each directory to the respective group and set permissions so that only the file owner (root) and members of that group have full access (read, write, and execute); everyone else gets nothing.
NOTE: Other than creating the instance, all other actions will be performed on the Command Line Interface (CLI) as the root user. Root bypasses the permission checks we are setting up, so it can perform any action on the CLI; that is also why the final test in step 9 has to be run as one of the ordinary users, not as root.
Let’s get into it!
Steps
- Log into your AWS Console, create an EC2 instance and SSH into it
- Use an Ubuntu AMI that is free tier eligible
- Select or create a key pair
- Select or create a security group to allow SSH access to the instance
- Wait for the instance to be in a “Running state” and SSH into it.
Again, if you do not know how to do this, check out my article.
2. Switch to the root user and navigate to the home directory by running the following commands:
sudo su
cd /home
3. Create the 3 directories using the following command:
mkdir Development Operations Analytics
You can run the ls -l command to list all files and directories.
4. Change into each directory and create blank dummy files. The commands to do that for the Analytics directory are below:
cd Analytics
touch analysis1 analysis2 analysis3
Once this is done, you can use the ‘cd ..’ command to go back up a level and repeat the process again for the Development and Operations directories
5. Create the 3 groups needed using the following commands:
groupadd Developers
groupadd Operations
groupadd Data_Analysts
- The tail command can then be used to list the last few entries in the /etc/group file, which holds the list of all groups: tail /etc/group
6. Use the chown command to change the group owner of each directory to its respective group
chown :Data_Analysts Analytics/
chown :Developers Development/
chown :Operations Operations/
7. Use the chmod command to modify the permissions on each directory so that only the owner (root) and the owning group can read, write and execute, i.e. full permissions, and others have no access. These permissions can be set with octal notation: each digit is the sum of the bits below, and the three digits stand for owner, group, and others respectively. 7 is therefore 4+2+1, so 770 means full access for owner and group and no access for anyone else.
- Read — 4
- Write — 2
- Execute — 1
chmod 770 Analytics/
chmod 770 Development/
chmod 770 Operations/
8. You will now create the needed users using the adduser command. The users I will create will have the following information.
- Jess Waller, username= jwaller, email=jwaller@levelupbank.com, group= Developers
- Blake Dorsey, username= bdorsey, email=bdorsey@levelupbank.com, group= Operations
- Joey Ewart, username= jewart, email=jewart@levelupbank.com, group= Data_Analysts
Run the following command to create the user “jewart”. You will be asked to answer various prompts. Enter a password, full name, and email (in the “Other” field). Repeat this step for the other users.
adduser jewart
Once that is done, you can run ls /home to see the home directories adduser created for the new users, or tail /etc/passwd to see their account entries.
Now, the users need to be added to the right groups. Run the following commands to achieve that.
usermod -a -G Developers jwaller
usermod -a -G Operations bdorsey
usermod -a -G Data_Analysts jewart
9. All that is left is to test if the users can access the right directories and files.
- Run the following command to get out of the root user and sign in as one of the created users “jwaller”
exit
su jwaller
- You will then be prompted to enter the password you set earlier
- Change to the /home directory and run the ls command to see all the directories
cd /home
- User “jwaller” should only have access to the Development directory. Use the following command to verify access and check if the needed files can be seen
cd Development
ls
SUCCESS!
Now, you can try to cd into the Operations and Analytics directories, and permission will be denied, because jwaller is not in the Operations or Data_Analysts group and the “others” permission bits on those directories are 0.
You can switch to the other users and check their access to the needed folders.
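The whole procedure from steps 3 through 8, plus a check you can run afterwards, as an added example that is not part of the original article. It assumes the GNU coreutils and findutils that ship with the Ubuntu AMI used above (stat -c and find -perm /). The provision function must run as root; the audit functions run as any user. One caveat it handles that the steps above do not: the dummy files were created by root with the default umask, so they are root:root and mode 644. The chown and chmod in step 6 and 7 only touch the directory itself, which means a group member can create and delete files in the directory but cannot edit the existing ones. The provision function therefore applies the group and permissions recursively.

```shell
#!/usr/bin/env bash
# Added example, not the article's own code. Assumes GNU stat/find (Ubuntu).
set -u

# Directory -> group mapping from the article.
DIRS="Development:Developers Operations:Operations Analytics:Data_Analysts"

# provision BASE  (run as root): create each group and directory, hand the
# directory and everything already inside it to the group, and set 770 on the
# directory. g+rwX gives the group read/write on files and execute only on
# directories; o-rwx strips every "others" bit, including on the dummy files.
provision() {
  local base="$1" pair dir grp
  for pair in $DIRS; do
    dir="${pair%%:*}"; grp="${pair##*:}"
    getent group "$grp" >/dev/null || groupadd "$grp"
    mkdir -p "$base/$dir"
    chown -R ":$grp" "$base/$dir"
    chmod 770 "$base/$dir"
    chmod -R g+rwX,o-rwx "$base/$dir"
  done
}

# mode_of PATH: print the octal permission bits, e.g. 770.
mode_of() { stat -c '%a' "$1"; }

# group_of PATH: print the name of the owning group.
group_of() { stat -c '%G' "$1"; }

# audit_dir DIR GROUP: succeed only if DIR is mode 770, owned by GROUP, and
# nothing inside it is owned by another group or readable/writable/executable
# by "others" (-perm /007 matches any of the three "others" bits being set).
audit_dir() {
  local dir="$1" grp="$2" bad
  [ "$(mode_of "$dir")" = "770" ] || { echo "bad mode on $dir: $(mode_of "$dir")"; return 1; }
  [ "$(group_of "$dir")" = "$grp" ] || { echo "bad group on $dir: $(group_of "$dir")"; return 1; }
  bad=$(find "$dir" \( ! -group "$grp" -o -perm /007 \) -print)
  [ -z "$bad" ] || { printf 'findings under %s:\n%s\n' "$dir" "$bad"; return 1; }
  return 0
}

# audit_all BASE: audit every directory in the mapping; the exit status is
# the number of directories that failed, so 0 means everything checks out.
audit_all() {
  local base="$1" pair fails=0
  for pair in $DIRS; do
    audit_dir "$base/${pair%%:*}" "${pair##*:}" || fails=$((fails + 1))
  done
  return "$fails"
}

# Usage on the instance, as root:
#   provision /home && audit_all /home && echo "all directories locked down"
```

Run provision once as root, then audit_all; any file that step 6 and 7 would have missed (for example a root:root 644 dummy file) shows up as a finding instead of silently reading as “success” when a group member can list the directory.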
This is the end of the project. If you’ve made it this far, congratulations!