Lab 26: User Setup and Permissions

Onboard two developer accounts using both minimal and fully-specified user creation workflows. Validate identity and group state, then build a shared workspace with correct group ownership before cleaning everything up safely.

users permissions core

Scenario

You are onboarding two new developers: devstudent and devstudent2. The team needs a shared group called devteam and a shared workspace at /opt/devwork owned by that group. You will create one account using a minimal baseline workflow, create the second using advanced useradd flags, verify identity and group state using system files and CLI tooling, then clean up all changes.

Operator context

This is the user onboarding workflow you run when you want repeatable outcomes and clear verification, not “I think the account exists.”

Objective

  • Create a team group and two user accounts (basic and advanced methods).
  • Set passwords and enforce correct primary group assignment.
  • Create a shared directory and assign correct group ownership recursively.
  • Verify user records and group membership using /etc/passwd, id, and /etc/group.
  • Remove accounts and group cleanly, including home directory cleanup.

Concepts

  • Group-first onboarding ensures consistent file ownership in shared workspaces and reduces permission drift.
  • Minimal user creation relies on system defaults. Explicit user creation is repeatable and auditable.
  • Primary group affects default group ownership on new files. Supplementary groups affect access without changing defaults.
  • Verification is evidence: confirm account records and membership via system databases and CLI outputs.
  • Cleanup should be complete and ordered: remove users (and homes) before removing the group they depended on.

Walkthrough

Step 1 : Create the team group.
Command
sudo groupadd devteam

The group is the shared access boundary. Create it first so both users can be anchored to the same team identity.

Verify
getent group devteam

Step 2 : Create the first user with the minimal baseline workflow.
Command
sudo useradd devstudent

This creates the user using system defaults. Home directory creation depends on distro defaults and configuration.

Step 3 : Set a password for the first user.
Command
sudo passwd devstudent

Password assignment completes the onboarding baseline and allows interactive login, subject to policy and account state.

Step 4 : Set the first user’s primary group to the team group.
Command
sudo usermod -g devteam devstudent

Primary group affects default group ownership for new files. This aligns the user with the team by default.

Step 5 : Create the second user with explicit attributes.
Command
sudo useradd -g devteam -s /bin/bash -c "Dev employee" -m -d /home/devstudent2 devstudent2

This form is repeatable: define primary group, shell, comment, home directory path, and ensure the home directory exists immediately.

Step 6 : Set a password for the second user.
Command
sudo passwd devstudent2

With the account created and home provisioned, setting the password is the final access step before verification.

Step 7 : Create a shared workspace and assign group ownership.
Commands
sudo mkdir -p /opt/devwork
sudo chgrp -R devteam /opt/devwork

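This creates the directory and ensures all content under it is owned by the shared group. This is the minimum needed for controlled team collaboration. Group ownership alone does not grant write access; what members can do depends on the group permission bits shown by ls -ld.

Verify
ls -ld /opt/devwork

Step 8 : Confirm both users exist in the local account database.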
Commands
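grep '^devstudent:' /etc/passwd
grep '^devstudent2:' /etc/passwd

This verifies the local account records and shows UID, primary GID, home, and shell fields. Anchoring each pattern to the start of the line and the trailing colon keeps the devstudent search from also matching the devstudent2 record.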

Step 9 : Verify primary group assignment and memberships.
Commands
id devstudent
id devstudent2
getent group devteam

Confirm the primary group is the team group, and confirm the group entry reflects expected membership.

Step 10 : Clean up by removing both users, the workspace, and the group.
Commands
sudo userdel -r devstudent
sudo userdel -r devstudent2
sudo rm -rf /opt/devwork
sudo groupdel devteam

Remove users first, then remove the shared directory, then remove the group last to ensure nothing depends on it.

Breakpoints

Home directory not created for the first user

Minimal user creation may not create a home directory depending on system defaults. Confirm the record in /etc/passwd and decide whether to re-create the user using useradd with -m.

Group membership not shown in the group entry

If a user’s primary group is the team group, that user may not appear in the member list of the group entry. Validate primary GID via id and the group record via getent group.

groupdel fails

A group cannot be removed if it is still referenced as a primary group for an existing user. Remove users first, then retry groupdel.
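
The last two breakpoints come from the same split: primary membership lives in the GID field of the passwd record, while the group entry lists only supplementary members. The script below is an added example, not part of the original lab, that resolves both views from constructed sample records; the UIDs, the GID 1500 and the extra account qauser are assumptions.

```shell
#!/bin/sh
# Added example: resolve who belongs to a group from passwd- and group-format
# records. The sample records are constructed; the UIDs, GID 1500 and the extra
# account "qauser" are assumptions used only to show a supplementary member.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
devstudent:x:1001:1500::/home/devstudent:/bin/sh
devstudent2:x:1002:1500:Dev employee:/home/devstudent2:/bin/bash
qauser:x:1003:1003::/home/qauser:/bin/bash'

SAMPLE_GROUP='root:x:0:
devteam:x:1500:qauser
qauser:x:1003:'

# Print the numeric GID of group $1 found in group-format data $2.
group_gid() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $3; exit }'
}

# Supplementary members: the comma-separated fourth field of the group entry.
listed_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '
        $1 == g { n = split($4, m, ",")
                  for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' | sort
}

# Primary members: accounts whose passwd GID field equals the group's GID.
# These are the accounts that make groupdel refuse to remove the group.
primary_members() {   # $1=group  $2=passwd data  $3=group data
    gid=$(group_gid "$1" "$3")
    [ -n "$gid" ] || return 1
    printf '%s\n' "$2" | awk -F: -v gid="$gid" '$4 == gid { print $1 }' | sort
}

# Union of both views, space-separated: everyone with the group's access.
effective_members() {
    { primary_members "$1" "$2" "$3"; listed_members "$1" "$3"; } |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

echo "listed in group entry: $(listed_members devteam "$SAMPLE_GROUP")"
echo "primary (block groupdel): $(primary_members devteam "$SAMPLE_PASSWD" "$SAMPLE_GROUP" | tr '\n' ' ')"
echo "effective members: $(effective_members devteam "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
```

On a live host, pass the output of getent passwd and getent group as the data arguments in place of the sample variables.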

Cleanup checklist

  • Confirm both users are removed from /etc/passwd and no home directories remain.
  • Confirm the shared workspace at /opt/devwork is removed.
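  • Confirm the group is removed from /etc/group.

Commands
getent passwd devstudent
getent passwd devstudent2
getent group devteam
ls -ld /opt/devwork

After a complete cleanup, the getent commands print nothing and ls reports that the path does not exist.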

Reference

  • groupadd: Creates a new group.
  • useradd: Creates a user account.
    • -g: Set primary group.
    • -s: Set login shell.
    • -c: Set comment field.
    • -m: Create home directory.
    • -d: Set home directory path.
  • passwd: Sets or changes a user password.
  • usermod: Modifies an existing user account.
    • -g: Change primary group.
  • mkdir: Creates directories.
    • -p: Create parent directories as needed.
  • chgrp: Changes group ownership.
    • -R: Apply recursively.
  • id: Displays UID, primary GID, and group memberships.
  • getent: Queries system databases.
  • grep: Searches text patterns in files.
  • userdel: Deletes a user account.
    • -r: Remove home directory and mail spool.
  • groupdel: Deletes a group.
  • /etc/passwd: Local user account database.
  • /etc/group: Local group membership database.
  • /opt/devwork: Shared workspace path used in this lab.