Why Multi-User Management Matters
Prerequisites
| Requirement | Details |
|---|---|
| Access Level: | Root or a user with sudo privileges. |
| Software: | Any terminal emulator (SSH via PuTTY, Terminal, or VS Code Remote SSH). |
| Knowledge: | Basic CLI navigation (cd, ls), understanding of file permissions. |
Why and When
- Why it matters: Avoiding shared root access prevents security risks and isolates WordPress site roles (admin, developer, backup).
- Why this approach: Managing users and groups lets you control access, isolate responsibilities, and enhance server security.
- When to use it: During initial server setup, team onboarding, automation script setup, or audit.
Why Multi-User Management Is Critical
| Concern | Without User Management | With Proper Setup |
|---|---|---|
| Security | Everyone uses root — total exposure | Isolated access, scoped permissions |
| File Ownership | Wrong user owns files — breaks uploads | Correct www-data or group ownership |
| Team Collaboration | Shared credentials — no accountability | Separate users and controlled access |
| Automation | Cron jobs run as root | Safer automated user like backupbot |
| Auditability | No logs by user | Logs tied to usernames |
| Deployment Workflow | All roles use one login | Clean separation of staging, dev, prod |
Conceptual Overview: Linux Users & Groups
User
- Individual login account with a UID.
- Has a home directory `/home/username`.
- Owns files and can execute commands/processes.
Group
- A logical collection of users (e.g., `developers`).
- Has a GID.
- Files can be owned by a group.
- Allows shared access control.
Syntax Overview: Core Commands
| Command | Syntax | Purpose | Notes / Example |
|---|---|---|---|
| adduser | adduser username | Create a new user | Prompts for password and user info |
| userdel | userdel -r username | Delete user and home directory | Use -r to remove home and mail spool |
| passwd | passwd username | Set or reset a user's password | Can be used as root or by the user |
| groupadd | groupadd groupname | Create a new group | Used for team-based access control |
| usermod | usermod -aG group user | Add user to a group | Append (-a) to Group (-G) |
| id | id username | Show UID, GID, and groups | Helpful for audit/log/debug |
| groups | groups username | List groups the user belongs to | Also shows current user's groups |
| whoami | whoami | Show currently logged-in user | For quick check |
| w / who | w, who | Show who is logged in | Real-time login monitoring |
| last | last | Show login history | Pulls from /var/log/wtmp |
| cat /etc/passwd | N/A | List all system users | Format: user:x:UID:GID:comment:home:shell |
| cat /etc/group | N/A | List all system groups | Format: group:x:GID:members |
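The two file formats in the last rows can be audited directly. The script below is an added example, not part of the original tutorial: it parses passwd- and group-format files to list UID 0 accounts, regular accounts that still have a login shell, and one user's group memberships. The function names and the sample data (including the extra UID 0 account `toor`) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: read-only audit of passwd/group-format files.

# Accounts with UID 0; anything besides root deserves investigation.
uid0_accounts() {   # $1 = passwd-format file
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Regular accounts (UID >= 1000) that still have an interactive shell.
login_users() {     # $1 = passwd-format file
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Primary group (matched by GID) plus supplementary groups of one user.
groups_of() {       # $1 = user, $2 = passwd file, $3 = group file
    local gid
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
    awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$3" | LC_ALL=C sort | paste -sd' ' -
}

# Constructed sample data (not from a real server).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
donny:x:1000:1000:,,,:/home/donny:/bin/bash
dev1:x:1001:1001:,,,:/home/dev1:/bin/bash
backupbot:x:1002:1002:,,,:/home/backupbot:/usr/sbin/nologin
toor:x:0:0:constructed duplicate UID 0:/root:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
sudo:x:27:donny
www-data:x:33:donny
developers:x:1003:dev1,dev2
donny:x:1000:
dev1:x:1001:
EOF

echo "UID 0 accounts: $(uid0_accounts "$SAMPLE_DIR/passwd" | paste -sd' ' -)"
echo "Login users:    $(login_users "$SAMPLE_DIR/passwd" | paste -sd' ' -)"
echo "dev1 groups:    $(groups_of dev1 "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group")"
```

On a live server, pass `/etc/passwd` and `/etc/group` as the file arguments instead of the sample files.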
Real Example Commands with Output
Create Developer User
sudo adduser dev1
Expected Output:
Adding user `dev1` ...
Creating home directory `/home/dev1` ...
New password:
Retype new password:
Create Group for Developers
sudo groupadd developers
No visible output if successful.
Add Users to Group
sudo usermod -aG developers dev1
sudo usermod -aG developers dev2
No visible output. Check with:
groups dev1
Expected Output:
dev1 : dev1 developers
Practical Example: WordPress Collaboration Setup
# Create users
sudo adduser dev1
sudo adduser dev2
# Create a shared group
sudo groupadd developers
# Add both users to the group
sudo usermod -aG developers dev1
sudo usermod -aG developers dev2
# Assign group ownership to theme folder
sudo chown -R www-data:developers /var/www/html/wp-content/themes/
# Set permissions
sudo chmod -R 775 /var/www/html/wp-content/themes/
Result: Developers can safely edit files in /themes/ without root access or breaking NGINX/OLS file ownership.
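A recursive `chmod -R 775` applies the same mode to files and directories, so every theme file ends up executable, and files a developer creates later keep that developer's primary group rather than `developers`. The script below is an added example, not part of the original tutorial: it sets directories to 2775 (setgid, so new files inherit the directory's group) and files to 664, and counts executable files before and after. It runs on a constructed temporary tree instead of the real themes folder, and assumes GNU `find` and `stat` as shipped on Debian/Ubuntu; the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: directory/file-specific modes for a shared group tree.

# Count regular files that carry any execute bit.
count_exec_files() {    # $1 = directory
    find "$1" -type f -perm /111 | wc -l | tr -d ' '
}

# Directories: rwxrwsr-x (2775). Files: rw-rw-r-- (664).
apply_shared_perms() {  # $1 = directory
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Octal mode of a path (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Constructed stand-in for /var/www/html/wp-content/themes/.
THEMES=$(mktemp -d)
mkdir -p "$THEMES/mytheme/inc"
touch "$THEMES/mytheme/style.css" "$THEMES/mytheme/inc/setup.php"

chmod -R 775 "$THEMES"                # the tutorial's command
BEFORE=$(count_exec_files "$THEMES")  # every file is now executable
apply_shared_perms "$THEMES"
AFTER=$(count_exec_files "$THEMES")   # no file keeps an execute bit

echo "executable files: before=$BEFORE after=$AFTER"
echo "dir mode:  $(mode_of "$THEMES/mytheme")"
echo "file mode: $(mode_of "$THEMES/mytheme/style.css")"
```

On the real tree, run `apply_shared_perms` with sudo after the `chown` step so the setgid bit refers to the `developers` group.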
User Roles Reference for WordPress VPS
| Role | User | Groups | Access Level | Use Case |
|---|---|---|---|---|
| Web server | www-data | www-data | System | Runs PHP, writes uploads |
| Admin | donny | sudo, www-data | Root with sudo | Server owner |
| Developer | dev1 | developers | Limited | Edit themes/plugins |
| Backup bot | backupbot | backup | Cron only | Nightly backups |
| FTP User | ftp_editor | ftpusers | SFTP only | Limited access |
Security Risks Without Proper User Setup
| Issue | Example | Consequence |
|---|---|---|
| Shared Root | Everyone logs in as root | No traceability, total risk |
| File Ownership Conflict | dev1 uploads, server runs as www-data | Plugin update fails |
| Unnecessary Sudo | dev2 given full sudo | Can rm -rf / accidentally |
| No User Logging | Logs don’t show who did what | No accountability |
Cheat Sheet
| Task | Command |
|---|---|
| Create a user | sudo adduser john |
| Set password | sudo passwd john |
| Create group | sudo groupadd editors |
| Add user to group | sudo usermod -aG editors john |
| View user ID info | id john |
| View current user | whoami |
| List all users | cat /etc/passwd |
| Delete user | sudo userdel -r john |
Quick Lab
# Create dev user
sudo adduser dev1
# Create a group
sudo groupadd developers
# Assign group membership
sudo usermod -aG developers dev1
# Check group
id dev1
# Secure WP themes folder
sudo chown -R www-data:developers /var/www/html/wp-content/themes/
sudo chmod -R 775 /var/www/html/wp-content/themes/
Use Case Scenarios
| Scenario | Action | Command |
|---|---|---|
| Add staging-only SFTP user | Create user without sudo or shell | adduser sftp_user + restrict in sshd_config |
| Limit dev access | Remove from sudo group | deluser dev1 sudo |
| Temporary access | Set expiry on user | chage -E YYYY-MM-DD dev1 |
| Track login activity | View last logins | last |
Mini Quiz
- What command adds a user and prompts for password?
- What happens if you forget the `a` flag in `usermod -aG`?
- How do you check what groups a user belongs to?
- Why is `www-data` the owner of WordPress files?
- What command removes a user and their home directory?