Introduction
Every Linux server is multi-user by design. Whether you run a website, a database, or an application on a cloud server, proper user and permission management is the foundation of security. It lets you give each person and service exactly the access they need — and nothing more.
This guide covers the essentials on Ubuntu 22.04/24.04 LTS: creating users, working with groups, granting sudo access, and controlling file permissions. The same commands apply to almost any modern Linux distribution. To follow along you need a server and a login with sudo privileges — exactly what you get on a managed Skyline Cloud VPS.
Creating and Removing Users
On Debian and Ubuntu, the friendly tool is adduser. It creates the user, a home directory, and prompts for a password:
sudo adduser sara
The lower-level useradd is also available and is more scriptable. The flags below create the home directory (-m), set the login shell, and add a comment:
sudo useradd -m -s /bin/bash -c "Sara Ahmed" sara
sudo passwd sara
To remove a user but keep their files:
sudo deluser sara
To remove the user and delete their home directory and mail spool, use --remove-home:
sudo deluser --remove-home sara
Understanding Groups
Groups let you grant the same access to many users at once. List a user's groups with:
groups sara
id sara
Create a group and add a user to it:
sudo groupadd developers
sudo usermod -aG developers sara
The -aG flags are critical: -a means append, and -G sets supplementary groups. Omitting -a would replace all of the user's existing supplementary groups — a common and dangerous mistake. The change takes effect on the user's next login.
To remove a user from a group:
sudo gpasswd -d sara developers
Granting Administrative Access with sudo
On Ubuntu, members of the sudo group can run commands as root. Add a user to it:
sudo usermod -aG sudo sara
For finer control, edit the sudoers configuration — always with visudo, which validates syntax before saving and prevents you from locking yourself out:
sudo visudo
Better still, create a dedicated file in /etc/sudoers.d/ so your rules survive package upgrades:
sudo visudo -f /etc/sudoers.d/sara
To let sara restart only a specific service without a password, add:
sara ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
This principle — granting the narrowest privilege that gets the job done — is the heart of least privilege.
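A check for rules like the one above, added here as an example and not part of the original guide: it flags NOPASSWD entries that grant ALL, contain wildcards, or name a command without pinned arguments (which sudo treats as allowing any arguments). The rules for omar and deploy are constructed sample data, and the line-based parsing is a simplification that does not expand aliases or includes.

```bash
#!/usr/bin/env bash
# Added example: flag passwordless sudo rules wider than one exact command.
# Simplified line-based check: aliases, escaped commas and includes are not expanded.

audit_sudoers() {   # arg: path to a sudoers file or drop-in
    awk '
        /^[ \t]*#/ { next }                              # comments
        /^[ \t]*$/ { next }                              # blank lines
        /^[ \t]*Defaults/ { next }                       # options, not grants
        /^[ \t]*(User|Runas|Host|Cmnd)_Alias/ { next }   # alias definitions
        !/NOPASSWD:/ { next }                            # only passwordless rules
        {
            cmds = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", cmds)
            n = split(cmds, list, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                c = list[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c == "ALL")          print NR ": NOPASSWD on ALL commands"
                else if (c !~ /^\//)     print NR ": not an absolute path: " c
                else if (c ~ /[*?]/)     print NR ": wildcard in command: " c
                else if (c !~ /[ \t]/)   print NR ": any arguments allowed: " c
            }
        }
    ' "$1"
}

# Constructed sample; the omar and deploy rules are hypothetical.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample
Defaults env_reset
sara ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
omar ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl, /usr/bin/rsync *
EOF
}

sample=$(mktemp)
write_sample_sudoers "$sample"
audit_sudoers "$sample"    # sara's rule passes; lines 4 and 5 are reported
rm -f "$sample"
```

Syntax validation is still visudo's job; this check only looks at how broad each passwordless grant is.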
Linux File Permissions
Every file and directory has an owner, a group, and a permission set for three classes: owner (u), group (g), and others (o). View them with ls -l:
ls -l report.txt
# -rw-r--r-- 1 sara developers 1240 Jun 8 10:12 report.txt
The three permission types are read (r/4), write (w/2), and execute (x/1). For directories, x means the ability to enter the directory.
| Symbol | Octal | File meaning | Directory meaning |
|---|---|---|---|
| r | 4 | read contents | list entries |
| w | 2 | modify contents | create/delete entries |
| x | 1 | run as program | enter / traverse |
Change permissions with chmod, using either symbolic or octal notation:
# Symbolic: add execute for the owner
chmod u+x script.sh
# Octal: owner rwx, group rx, others r (754)
chmod 754 script.sh
Change ownership with chown (user and group together):
sudo chown sara:developers report.txt
Apply changes recursively to a whole tree with -R:
sudo chown -R sara:developers /var/www/project
sudo chmod -R 750 /var/www/project
A safe default for web content is 644 for files and 755 for directories, so the web server can read but not write them.
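The recursive chmod -R 750 above gives files and directories the same mode, so every regular file ends up executable. The added example below (not from the original guide) applies 644 and 755 separately and lists what is still world-writable or executable; the sample tree and function names are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: directories and files need different modes.

# Directories 755, regular files 644, the web-content default named above.
normalize_web_tree() {   # arg: root of the tree
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Paths any local user can modify (symlinks skipped: their own mode is not used).
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Regular files carrying any execute bit, e.g. after a blanket chmod -R 750.
list_executable_files() {
    find "$1" -type f -perm /0111 -print
}

# Constructed tree for the demo; all paths are hypothetical.
build_sample_tree() {   # arg: existing empty directory
    mkdir -p "$1/uploads"
    printf '<h1>ok</h1>\n' > "$1/index.html"
    printf 'body{}\n' > "$1/uploads/site.css"
    chmod -R 750 "$1"        # blanket recursive mode: files become executable
    chmod 777 "$1/uploads"   # a common shortcut that leaves the directory open
}

demo=$(mktemp -d)
build_sample_tree "$demo"
echo "executable files before: $(list_executable_files "$demo" | wc -l)"
echo "world-writable before:   $(list_world_writable "$demo" | wc -l)"
normalize_web_tree "$demo"
echo "executable files after:  $(list_executable_files "$demo" | wc -l)"
echo "world-writable after:    $(list_world_writable "$demo" | wc -l)"
rm -rf "$demo"
```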
Fine-Grained Control with ACLs
Standard permissions only express one owner and one group. When you need a third party to have specific access, use Access Control Lists. They are installed by default on Ubuntu:
# Give user 'omar' read/write on a file
sudo setfacl -m u:omar:rw report.txt
# View the ACLs
getfacl report.txt
# Remove omar's entry
sudo setfacl -x u:omar report.txt
ACLs are ideal when several teams share a directory on a hosting environment without needing to restructure groups.
Account Security and Expiry
Use chage to enforce password aging and review account status:
# Show current aging settings
sudo chage -l sara
# Require a password change every 90 days
sudo chage -M 90 sara
To lock or unlock an account temporarily:
sudo usermod -L sara # lock
sudo usermod -U sara # unlock
For day-to-day administration, prefer SSH keys over passwords and disable root SSH login entirely in /etc/ssh/sshd_config.
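usermod -L locks only the password, and the usermod man page notes that the expiry date must also be set to disable the account, so a locked user with an authorized_keys file can still log in over SSH. The added example below (not from the original guide) lists such accounts from a shadow-format file. It assumes home directories live at <home_base>/<user>; the user lina, the hashes and the keys are constructed sample data.

```bash
#!/usr/bin/env bash
# Added example: accounts whose password is locked but that can still log in
# with an SSH key. Input is a shadow(5)-format file; home directories are
# assumed to be <home_base>/<user> (an assumption of this example).

locked_but_key_login() {   # args: shadow_file home_base
    today=$(( $(date +%s) / 86400 ))    # shadow dates are days since the epoch
    awk -F: -v today="$today" '
        $2 !~ /^!/ { next }                      # password is not locked
        $8 != "" && $8 + 0 <= today { next }     # account expired: fully disabled
        { print $1 }
    ' "$1" | while read -r user; do
        if [ -s "$2/$user/.ssh/authorized_keys" ]; then
            echo "$user"
        fi
    done
}

# Constructed sample: sara is locked with usermod -L only, omar is locked and
# expired, lina (hypothetical user) is not locked. All three have a key file.
build_sample() {   # arg: existing empty directory
    mkdir -p "$1/home/sara/.ssh" "$1/home/omar/.ssh" "$1/home/lina/.ssh"
    cat > "$1/shadow" <<'EOF'
sara:!CONSTRUCTED_HASH:19800:0:90:7:::
omar:!CONSTRUCTED_HASH:19800:0:90:7::1:
lina:CONSTRUCTED_HASH:19800:0:90:7:::
EOF
    for u in sara omar lina; do
        echo "ssh-ed25519 CONSTRUCTED_KEY $u@example" \
            > "$1/home/$u/.ssh/authorized_keys"
    done
}

work=$(mktemp -d)
build_sample "$work"
locked_but_key_login "$work/shadow" "$work/home"   # prints: sara
rm -rf "$work"
```

On a live system the same function would be pointed at /etc/shadow and /home with root privileges; setting the expiry as well, for example `sudo usermod -L -e 1 sara`, closes the key-login path.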
Putting It Together on a Managed Cloud Server
These commands are universal, but where you run them matters. On a Skyline Cloud VPS, your server lives inside the Kingdom — keeping your data subject to Saudi PDPL, NCA, and SDAIA requirements — with local Arabic support if you get stuck. Pair it with business email hosting for a complete, compliant stack.
Good user hygiene — one account per person, least-privilege sudo, tight file permissions, SSH keys — is the cheapest security you will ever deploy.
Ready to spin up a server and apply what you learned? Create your Skyline Cloud account and launch an in-Kingdom VPS in minutes.