一键在 Manus 中运行任何 Skill

linux-access-control

Manage users, groups, SSH keys, sudo access, and file permissions on Ubuntu/Debian servers. Create/delete users, manage sudo group, add/revoke SSH authorized_keys, audit who has access, fix file permissions in web roots and credential files.

在 Manus 中运行

概览

安装命令

npx skills add https://github.com/peterbamuhigire/linux-skills --skill linux-access-control

复制此命令并粘贴到 Claude Code 中以安装该技能

来源

peterbamuhigire/linux-skills

星标2

分支0

更新时间2026年4月13日 09:45

文件资源管理器

3 个文件

SKILL.md

readonly

name	linux-access-control
description	Manage users, groups, SSH keys, sudo access, and file permissions on Ubuntu/Debian servers. Create/delete users, manage sudo group, add/revoke SSH authorized_keys, audit who has access, fix file permissions in web roots and credential files.
license	MIT
metadata	{"author":"Peter Bamuhigire","author_url":"techguypeter.com","author_contact":"+256784464178"}

Access Control

Use when

Managing Linux users, groups, sudo access, SSH keys, or file permissions.
Auditing who can log in or who has elevated access on a server.
Fixing ownership or permission problems in web roots, home directories, or credential files.

Do not use when

The task is firewalling or TLS; use linux-firewall-ssl.
The task is broader security analysis or hardening; use linux-security-analysis or linux-server-hardening.

Required inputs

The target usernames, groups, paths, or key files.
Whether the action is audit-only or will change access.
Any expected ownership and permission state to enforce.

Workflow

Identify the account or path being changed and inspect current state first.
Apply the least-privilege change with the manual commands below.
Re-check login access, sudo membership, and file ownership after the change.
Use optional scripts only when they are installed and clearly match the task.

Quality standards

Prefer reversible, explicit changes over blanket permission fixes.
Preserve SSH access and validate the impact before removing keys or users.
Credential files must remain tightly permissioned.

Anti-patterns

Running recursive chmod or chown without scoping the target.
Granting sudo or shell access without an explicit need.
Deleting an account before confirming whether its data or keys are still required.

Outputs

The access change or audit result.
The exact commands or files touched.
A verification result showing the final access state.

References

This skill is self-contained. Every command below is a standard Ubuntu/Debian tool. The sk-* scripts in the Optional fast path section are convenience wrappers — never required.

User Management

sudo adduser <username>                         # create (interactive)
sudo usermod -aG sudo <username>                # grant sudo
sudo deluser <username>                         # remove user (keeps home)
sudo deluser --remove-home <username>           # remove user + home
sudo passwd -l <username>                       # lock account
sudo passwd -u <username>                       # unlock account

# Audit
grep -v "nologin\|false" /etc/passwd | cut -d: -f1,3
grep ^sudo /etc/group                           # who has sudo
awk -F: '$3 == 0 {print $1}' /etc/passwd       # UID-0 accounts

SSH Key Management

# Add a key for a user
mkdir -p /home/<username>/.ssh
chmod 700 /home/<username>/.ssh
echo "<public-key>" >> /home/<username>/.ssh/authorized_keys
chmod 600 /home/<username>/.ssh/authorized_keys
chown -R <username>:<username> /home/<username>/.ssh

# Audit all keys on the server
find /home /root -name authorized_keys 2>/dev/null | \
    while read f; do echo "=== $f ==="; cat "$f"; done

# Revoke: edit the file, delete the key line
sudo nano /home/<username>/.ssh/authorized_keys

# Test before restarting SSH (keep existing session open!)
sudo sshd -t && sudo systemctl restart sshd

File Permissions — Quick Reference

# Web root standard
sudo find /var/www -type d -exec chmod 755 {} \;
sudo find /var/www -type f -exec chmod 644 {} \;
sudo chown -R www-data:www-data /var/www/html/
sudo find /var/www -type f -perm -0002 -exec chmod o-w {} \;   # remove world-write

# Critical system files
sudo chmod 640 /etc/shadow /etc/gshadow
sudo chmod 644 /etc/passwd /etc/group

# Backup credentials (must be 600)
chmod 600 ~/.mysql-backup.cnf ~/.backup-encryption-key
chmod 600 ~/.config/rclone/rclone.conf
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

Full permission patterns and audit commands: references/permissions-reference.md

Optional fast path (when sk-* scripts are installed)

Running sudo install-skills-bin linux-access-control installs:

Task	Fast-path script
All users, UID, lock state, sudo, password age	`sudo sk-user-audit`
All authorized_keys across users	`sudo sk-ssh-key-audit`
Create user + SSH key + sudo in one step	`sudo sk-new-sudoer --user <u> --key <file>`
Lock or unlock a user account	`sudo sk-user-suspend --user <u> --lock\|--unlock`

These are optional wrappers. The manual commands above are the source of truth.

Scripts

This skill installs the following scripts to /usr/local/bin/. To install:

sudo install-skills-bin linux-access-control

Script	Source	Core?	Purpose
sk-user-audit	scripts/sk-user-audit.sh	yes	All users, UID/GID, lock state, password age, last login, sudoers.
sk-ssh-key-audit	scripts/sk-ssh-key-audit.sh	yes	All `authorized_keys` across users, key type/age/comment, orphaned keys.
sk-new-sudoer	scripts/sk-new-sudoer.sh	no	Create user, deploy SSH key, add to sudo group, verify with `sudo -l`.
sk-user-suspend	scripts/sk-user-suspend.sh	no	Lock or unlock a user account (`passwd -l`, `usermod -s /usr/sbin/nologin`), with audit log.

同仓库更多 Skills

同仓库

linux-repo-sync

peterbamuhigire/linux-skills

Safely update git repositories on a server without ever destroying uncommitted local work. Defines the binding doctrine for any automated or menu-driven repo-update script — pull --rebase --autostash, porcelain dirty-checks, conflict recovery, never git reset --hard or git clean -fd. Load before writing, reviewing, or running any script that pulls repos on a managed server.

2026-05-312

linux-site-deployment

peterbamuhigire/linux-skills

Deploy a new website to an Ubuntu/Debian server running Nginx + Apache dual-stack. Interactive — asks domain name and site type (Astro static / PHP app / Astro+PHP hybrid), generates the correct Nginx config, walks the full 8-step deployment, issues SSL, and registers the repo in update-all-repos.

2026-05-312

linux-sysadmin

peterbamuhigire/linux-skills

Linux server management hub for Ubuntu/Debian production servers. Use for any server management task — security analysis, hardening, services, deployment, monitoring, troubleshooting, disaster recovery, networking, mail, virtualization, secrets, observability. Routes to the right specialist skill.

2026-05-312

linux-bash-scripting

peterbamuhigire/linux-skills

Write interactive, secure, powerful Bash scripts for the linux-skills engine. Defines the canonical script template, the common.sh library contract, standard flags, interactive UX rules, and safety patterns every `sk-*` script must follow. Use before writing or reviewing any script in this repo.

2026-04-132

linux-cloud-init

peterbamuhigire/linux-skills

Design, validate, and debug cloud-init user-data and Ubuntu autoinstall configurations. Use when bootstrapping fresh servers from YAML — first-boot package installs, user creation, SSH keys, network config, and custom runcmd blocks.

2026-04-132

linux-config-management

peterbamuhigire/linux-skills

Keep Ubuntu/Debian servers in lockstep with declared state using Ansible and git-tracked config. Use for drift detection, dry-running playbooks, snapshotting /etc, and shifting from pet-server management to reproducible automation.

2026-04-132

来源

peterbamuhigire

peterbamuhigire/linux-skills

打开 GitHub 仓库查看创作者相关仓库

安装命令

下载

在 Manus 中运行

适用职业SOC

网络与计算机系统管理员计算机与数学类职业15-1244L4

name	linux-access-control
description	Manage users, groups, SSH keys, sudo access, and file permissions on Ubuntu/Debian servers. Create/delete users, manage sudo group, add/revoke SSH authorized_keys, audit who has access, fix file permissions in web roots and credential files.
license	MIT
metadata	{"author":"Peter Bamuhigire","author_url":"techguypeter.com","author_contact":"+256784464178"}

Access Control

Use when

Managing Linux users, groups, sudo access, SSH keys, or file permissions.
Auditing who can log in or who has elevated access on a server.
Fixing ownership or permission problems in web roots, home directories, or credential files.

Do not use when

The task is firewalling or TLS; use linux-firewall-ssl.
The task is broader security analysis or hardening; use linux-security-analysis or linux-server-hardening.

Required inputs

The target usernames, groups, paths, or key files.
Whether the action is audit-only or will change access.
Any expected ownership and permission state to enforce.

Workflow

Identify the account or path being changed and inspect current state first.
Apply the least-privilege change with the manual commands below.
Re-check login access, sudo membership, and file ownership after the change.
Use optional scripts only when they are installed and clearly match the task.

Quality standards

Prefer reversible, explicit changes over blanket permission fixes.
Preserve SSH access and validate the impact before removing keys or users.
Credential files must remain tightly permissioned.

Anti-patterns

Running recursive chmod or chown without scoping the target.
Granting sudo or shell access without an explicit need.
Deleting an account before confirming whether its data or keys are still required.

Outputs

The access change or audit result.
The exact commands or files touched.
A verification result showing the final access state.

References

This skill is self-contained. Every command below is a standard Ubuntu/Debian tool. The sk-* scripts in the Optional fast path section are convenience wrappers — never required.

User Management

sudo adduser <username>                         # create (interactive)
sudo usermod -aG sudo <username>                # grant sudo
sudo deluser <username>                         # remove user (keeps home)
sudo deluser --remove-home <username>           # remove user + home
sudo passwd -l <username>                       # lock account
sudo passwd -u <username>                       # unlock account

# Audit
grep -v "nologin\|false" /etc/passwd | cut -d: -f1,3
grep ^sudo /etc/group                           # who has sudo
awk -F: '$3 == 0 {print $1}' /etc/passwd       # UID-0 accounts

SSH Key Management

# Add a key for a user
mkdir -p /home/<username>/.ssh
chmod 700 /home/<username>/.ssh
echo "<public-key>" >> /home/<username>/.ssh/authorized_keys
chmod 600 /home/<username>/.ssh/authorized_keys
chown -R <username>:<username> /home/<username>/.ssh

# Audit all keys on the server
find /home /root -name authorized_keys 2>/dev/null | \
    while read f; do echo "=== $f ==="; cat "$f"; done

# Revoke: edit the file, delete the key line
sudo nano /home/<username>/.ssh/authorized_keys

# Test before restarting SSH (keep existing session open!)
sudo sshd -t && sudo systemctl restart sshd

File Permissions — Quick Reference

# Web root standard
sudo find /var/www -type d -exec chmod 755 {} \;
sudo find /var/www -type f -exec chmod 644 {} \;
sudo chown -R www-data:www-data /var/www/html/
sudo find /var/www -type f -perm -0002 -exec chmod o-w {} \;   # remove world-write

# Critical system files
sudo chmod 640 /etc/shadow /etc/gshadow
sudo chmod 644 /etc/passwd /etc/group

# Backup credentials (must be 600)
chmod 600 ~/.mysql-backup.cnf ~/.backup-encryption-key
chmod 600 ~/.config/rclone/rclone.conf
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

Full permission patterns and audit commands: references/permissions-reference.md

Optional fast path (when sk-* scripts are installed)

Running sudo install-skills-bin linux-access-control installs:

Task	Fast-path script
All users, UID, lock state, sudo, password age	`sudo sk-user-audit`
All authorized_keys across users	`sudo sk-ssh-key-audit`
Create user + SSH key + sudo in one step	`sudo sk-new-sudoer --user <u> --key <file>`
Lock or unlock a user account	`sudo sk-user-suspend --user <u> --lock\|--unlock`

These are optional wrappers. The manual commands above are the source of truth.

Scripts

This skill installs the following scripts to /usr/local/bin/. To install:

sudo install-skills-bin linux-access-control

Script	Source	Core?	Purpose
sk-user-audit	scripts/sk-user-audit.sh	yes	All users, UID/GID, lock state, password age, last login, sudoers.
sk-ssh-key-audit	scripts/sk-ssh-key-audit.sh	yes	All `authorized_keys` across users, key type/age/comment, orphaned keys.
sk-new-sudoer	scripts/sk-new-sudoer.sh	no	Create user, deploy SSH key, add to sudo group, verify with `sudo -l`.
sk-user-suspend	scripts/sk-user-suspend.sh	no	Lock or unlock a user account (`passwd -l`, `usermod -s /usr/sbin/nologin`), with audit log.