Provision two developer accounts and a shared team group, then secure a project directory with correct ownership and setgid inheritance. Verify state directly via system identity files and filesystem metadata.
A new secure development environment is coming online. You need to provision two developer accounts, place them under a shared group (devteam), and enforce least-privilege access to a shared project directory while keeping collaboration friction-free.
Treat the identity files and filesystem metadata as the source of truth. Do not assume a change “took” until you validate it with direct inspection.
Create the users dev1 and dev2 with home directories.
Create the group devteam and add both users.
Verify identity state in /etc/passwd, /etc/shadow, and /etc/group.
Secure /srv/devdata using group ownership and setgid inheritance.
Account creation with useradd -m and password assignment with passwd.
Group creation with groupadd and membership with usermod -aG.
Verification against /etc/passwd, /etc/shadow, and /etc/group.
Directory hardening with chgrp and directory permissions.
Setgid (chmod 2770) to enforce group inheritance on create.
sudo useradd -m dev1 && sudo useradd -m dev2
-m creates the home directory. This is the baseline onboarding state before assigning group access or placing files under a shared project path.
sudo passwd dev1 && sudo passwd dev2
Password changes update /etc/shadow. This is
required for interactive login unless you are using
centralized auth or key-based access.
sudo groupadd devteam && sudo usermod -aG devteam dev1 && sudo usermod -aG devteam dev2
-aG appends supplementary membership. Omitting -a overwrites a user’s existing supplementary groups.
grep -E '^(dev1|dev2):' /etc/passwd
dev1:x:1002:1002::/home/dev1:/bin/bash
dev2:x:1003:1003::/home/dev2:/bin/bash
sudo grep -E '^(dev1|dev2):' /etc/shadow
dev1:$6$oDc1f9nF$somehashedstring:19384:0:99999:7:::
dev2:$6$Qp31ab2X$somehashedstring:19384:0:99999:7:::
grep '^devteam:' /etc/group
devteam:x:1005:dev1,dev2
These files confirm local identity state. For effective membership in a running session, validate with id dev1 and id dev2 after re-login (or after starting a new shell).
sudo mkdir -p /srv/devdata && sudo chgrp devteam /srv/devdata && sudo chmod 2770 /srv/devdata
This sets devteam as the owning group and applies 2770 permissions (owner rwx, group rwx, no access for others). The leading 2 sets the setgid bit, so files created inside inherit the devteam group and new subdirectories also inherit the setgid bit.
ls -ld /srv/devdata
drwxrws--- 2 root devteam 4096 Aug 2 02:42 /srv/devdata
Confirm the account does not already exist with grep '^dev1:' /etc/passwd (and the same for dev2). If it exists, decide whether you are updating an existing identity or starting clean.
Existing login sessions may not pick up new supplementary
groups immediately. Start a new shell or re-login, then
verify with id dev1 and id dev2.
Confirm group ownership and permissions with ls -ld /srv/devdata. The directory should show group devteam and setgid (drwxrws---). If setgid is missing, group inheritance will not apply.
setgid must be set on the directory to enforce group inheritance. Re-apply chmod 2770 /srv/devdata and confirm that a lowercase s appears in the group execute position (an uppercase S would mean setgid is set but group execute is missing).
If this was a lab-only change set, remove the created users, group, and directory to return the host to a clean state.
sudo userdel -r dev1
sudo userdel -r dev2
sudo groupdel devteam
sudo rm -rf /srv/devdata
The accounts no longer appear in /etc/passwd and the project directory is removed: ls -ld /srv/devdata returns “No such file or directory.”
useradd -m <user>: Creates a user and home directory.
  -m: Creates the user’s home directory if it does not exist.
passwd <user>: Sets or changes a user password. Updates /etc/shadow.
groupadd <group>: Creates a new local group.
usermod -aG <group> <user>: Appends supplementary group membership.
  -a: Append; required to avoid overwriting existing supplementary groups.
  -G <group>: Sets the supplementary group list (combined with -a to append).
grep -E '^(dev1|dev2):' /etc/passwd: Confirms local account entries for the target users.
  /etc/passwd: User account database (UID, GID, home, shell).
sudo grep -E '^(dev1|dev2):' /etc/shadow: Confirms password entry lines exist for the target users.
  /etc/shadow: Password hashes and aging policy (root-readable).
grep '^devteam:' /etc/group: Confirms group membership listing for devteam.
  /etc/group: Group membership database.
mkdir -p <dir>: Creates a directory path if it does not exist.
  -p: Creates parent directories as needed.
chgrp <group> <path>: Changes group ownership of a file or directory.
chmod 2770 <dir>: Sets directory permissions and setgid inheritance.
  2: setgid bit (new files inherit the directory’s group).
  7: owner rwx.
  7: group rwx.
  0: other ---.
ls -ld <dir>: Shows directory permissions, ownership, and setgid state.
  -l: Long listing format (permissions/owner/group).
  -d: Lists the directory entry itself (not its contents).
userdel -r <user>: Removes a user and (optionally) their home directory.
  -r: Removes the user’s home directory and mail spool.
groupdel <group>: Deletes a local group.
rm -rf <path>: Removes a path recursively and without prompting.
  -r: Recursively removes directories and contents.
  -f: Forces removal without prompting on missing entries.