Linux User and Permission Management

Essential Linux user and permission management for homelab operators.

5 min read

Why Linux Permissions Matter

If you've spent most of your career in Windows/Active Directory environments like I have, Linux permissions can feel like stepping back into the wild west. There's no Group Policy to enforce settings, no domain-wide password rules, and no central audit trail -- unless you set it up yourself. Understanding Linux user and permission management is essential for anyone running Linux in their homelab, whether it's Docker hosts, file servers, or application servers.

Users and Groups Fundamentals

Linux uses a simple but powerful model: every file belongs to a user and a group, with read/write/execute permissions for each.

Creating users and managing groups:

For homelab users, I create a standard user account and add them to the groups they need. I never give users direct root access -- sudo is configured via /etc/sudoers with specific command restrictions.

File Permission Basics

Linux file permissions use a 10-character string shown by ls -la:

-rw-r--r-- 1 root root 4096 Jan 15 10:30 config.yml

The first character indicates file type (- = regular file, d = directory, l = symlink). The next 9 characters are 3 sets of rwx (read, write, execute) for owner, group, and others.

Changing permissions with chmod:

Changing ownership with chown:

Sudo Configuration

Edit sudoers with visudo -- never edit /etc/sudoers directly. The visudo command checks syntax before saving, preventing you from locking yourself out:

# Allow jdoe to run Docker commands without password
jdoe ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/bin/docker-compose

# Allow admins full sudo access
%admins ALL=(ALL) ALL

# Deny root login via sudo for security
root ALL=(ALL) NOPASSWD: ALL

For homelab security, grant the minimum sudo privileges needed. If a user only needs to manage Docker containers, don't give them full root access.

Access Control Lists (ACLs)

When standard Unix permissions aren't enough, ACLs let you set fine-grained permissions:

# Install ACL tools
apt install acl # Debian/Ubuntu
yum install acl # RHEL/CentOS

# Set ACL for a specific user on a directory
setfacl -m u:jdoe:rwX /srv/shared

# Set ACL for a group
setfacl -m g:developers:rx /srv/project

# View ACLs
getfacl /srv/shared

# Remove ACL
setfacl -x u:jdoe /srv/shared

ACLs are particularly useful for shared directories where multiple users and groups need different levels of access. The X (capital X) permission means execute only for directories and files that already have execute permission for someone.

Password Management

Set global password policies in /etc/login.defs:

PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
MIN_UID 1000

SSH Key Management

For homelab automation, SSH keys are essential. No passwords, no brute force attacks, fully scriptable:

Lock down SSH in /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers jdoe admin

Homelab-Specific Tips