Why User Management Matters

Treating root as the only account on a VPS is the fastest way to end up with compromised services, overwritten configs, and audit logs that can't tell you who did what. Ubuntu 22.04 and 24.04 LTS ship with a mature user and group model that lets you give each administrator, developer, and service its own identity. This guide covers the core commands and patterns for clean user management.

Users, Groups, and the Core Files

Three files on Ubuntu define all local identity: /etc/passwd (accounts), /etc/shadow (password hashes), and /etc/group (group membership). You rarely edit these directly — instead, use the adduser, usermod, and groupadd tools. Each user has a numeric UID and a primary group with a matching GID. Supplementary groups grant additional access, typically to shared directories or privileged operations.

Create and Remove Users

The friendly Ubuntu wrapper adduser creates a home directory, copies skeleton dotfiles, and prompts for a password:

sudo adduser alice

For service accounts that should never log in interactively, use the --system flag and disable the shell:

sudo adduser --system --group --no-create-home --shell /usr/sbin/nologin appsvc

Remove a user and their home directory when they leave:

sudo deluser --remove-home bob

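Lock an account without deleting it, which is useful during investigations or temporary suspensions. Either command below locks the password by prefixing the hash in /etc/shadow with "!". Neither blocks SSH key logins, so also expire the account or remove its authorized keys when access must stop completely: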

sudo passwd -l bob
sudo usermod -L bob

Groups for Shared Access

Groups let multiple users share files without making everything world-readable. Create a group, add members, and set group ownership on the shared directory:

sudo groupadd webteam
sudo usermod -aG webteam alice
sudo usermod -aG webteam carol
sudo chown -R root:webteam /srv/www
sudo chmod -R 2775 /srv/www

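The leading 2 on the mode sets the setgid bit so new files in the directory inherit the webteam group automatically. The trailing 775 gives the group read/write/execute while others can only read and traverse. Because of -R, the same mode is also applied to regular files already in the tree, which marks them executable and setgid; on a directory that already holds content, set the mode on directories and files separately.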

Always use usermod -aG (append) when adding groups — plain -G replaces the user's entire supplementary group list and will silently lock them out of things like sudo.

Sudo: Controlled Privilege Escalation

Sudo lets ordinary users run specific commands as root without sharing the root password. The default Ubuntu policy grants full root access to members of the sudo group:

sudo usermod -aG sudo alice

For more granular control, drop a file into /etc/sudoers.d/. Always edit it with visudo to catch syntax errors before committing them.

sudo visudo -f /etc/sudoers.d/deploys

Example policy that lets the deploy user restart only the app service without a password:

deploy ALL=(root) NOPASSWD: /bin/systemctl restart myapp.service, /bin/systemctl status myapp.service

The file name must not contain dots and its permissions must be 0440. Reserve NOPASSWD for narrow, automation-only commands — interactive admins should always re-enter their password.

SSH Key Management

Passwords can be guessed or brute-forced; an Ed25519 key cannot, in any practical sense. Generate a key on your workstation with ssh-keygen -t ed25519 and copy the public key to the server:

ssh-copy-id alice@vps.example.com

Then disable password logins in /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

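Confirm that key login works from a second terminal while your current session stays open, then restart SSH with sudo systemctl restart ssh. Ubuntu's default sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, and sshd uses the first value it reads for each keyword, so check that no drop-in file there re-enables password logins. For a full server lockdown workflow, follow our Ubuntu VPS security hardening guide.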

Password and Account Policies

Set sensible aging defaults for human accounts. Edit /etc/login.defs or use chage per-user:

sudo chage -M 90 -W 14 alice    # max 90 days, warn 14 days before
sudo chage -l alice              # review policy

Install libpam-pwquality to enforce complexity:

sudo apt install libpam-pwquality -y

Then tune /etc/security/pwquality.conf with minlen=12, minclass=3, and retry=3.

Auditing Who Did What

Ubuntu logs authentication events to /var/log/auth.log. Useful commands include:

For long-term retention, ship these logs to a central SIEM or at least rotate and archive them with logrotate.
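
The kind of auth.log review this section describes, as an added example that is not from the original guide: a POSIX shell script that reports sudo activity, failed SSH password attempts per source IP, and additions to the sudo group. The log lines are constructed samples, the function names are hypothetical, and the message formats assume stock sudo, OpenSSH, and usermod logging.

```shell
#!/bin/sh
# Added example: summarise auth.log-style input read from stdin.
# Rules match on message text, not column position, so classic and
# ISO 8601 syslog timestamps both work.

# Constructed sample lines (documentation IPs, invented PIDs), not real logs.
sample_log() {
cat <<'EOF'
Mar  4 10:15:01 vps sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart myapp.service
Mar  4 10:16:22 vps sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  4 10:16:25 vps sshd[1234]: Failed password for root from 203.0.113.7 port 50124 ssh2
2025-03-04T10:16:40.120000+00:00 vps sshd[1250]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Mar  4 10:17:00 vps sshd[1300]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Mar  4 10:18:30 vps sudo:    carol : command not allowed ; TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  4 10:20:00 vps usermod[1400]: add 'carol' to group 'sudo'
Mar  4 10:21:10 vps sudo:   deploy : TTY=unknown ; PWD=/srv/www ; USER=root ; COMMAND=/bin/systemctl status myapp.service
EOF
}

# Every sudo invocation as "user<TAB>result<TAB>command"; result is
# "allowed" or sudo's own refusal text (e.g. "command not allowed").
sudo_activity() {
    awk '/ sudo: / && /COMMAND=/ {
        rest = substr($0, index($0, " sudo: ") + 7); sub(/^ +/, "", rest)
        user = rest; sub(/ :.*/, "", user)
        result = rest; sub(/^[^:]*: /, "", result)
        if (result ~ /^(TTY|PWD)=/) result = "allowed"
        else sub(/ ;.*/, "", result)
        print user "\t" result "\t" substr($0, index($0, "COMMAND=") + 8)
    }'
}

# Failed SSH password attempts per source IP, busiest first. The username
# is chosen by the client, so the IP is read by counting from the line end.
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" { n[$(NF-3)]++ }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Users added to the sudo group (full root under the default policy).
sudo_group_adds() {
    sed -n "s/^.*usermod\[[0-9]*\]: add '\([^']*\)' to group 'sudo'\$/\1/p"
}

# Demo on the constructed sample; on a server, feed /var/log/auth.log
# to each function on stdin instead (reading it needs root or group adm).
sample_log | sudo_activity
sample_log | failed_ssh_by_ip
sample_log | sudo_group_adds
```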

Quick Reference

Task                  Command
Add user              sudo adduser name
Delete user + home    sudo deluser --remove-home name
Add to group          sudo usermod -aG group name
List groups           groups name
Edit sudoers          sudo visudo
Lock account          sudo passwd -l name

Published by MassiveGRID, your trusted Linux VPS hosting partner.