How to manage Linux Users and Groups

What is a multi-user operating system ? When the OS lets several people use the computer at the same time without interfering with each other's files and settings, it is a multi-user OS. Linux belongs to that category: there can be many users and groups, each with their own personal files and preferences. This article will help you with the actions below.

  • Managing Users ( Create/Edit/Delete accounts, Suspend accounts )
  • Manage User's Passwords ( Set Password policies, Expiration, further modifications )
  • Manage Groups ( Create/Delete user groups ) 
In this article we will go through the most useful Linux commands for these tasks, with their syntax.

How to create a user


1) useradd : Add a user

syntax : useradd <options> <username>

eg : We will create a user named "jesica". The command is useradd jesica . First I switch to the root user with the sudo su command, as I am a sudo user. We discussed how to grant sudo access to users in a previous article.

useradd command in linux

You can see that when we created the user as root, useradd added the account without asking for a password. Until one is set, the password field of the new account in /etc/shadow holds "!!" on CentOS, so nobody can log in to it with a password yet. So now we will set a password for the user jesica.

2) passwd : set a password for users

syntax : passwd <username>

passwd command in linux

Here I set a password for jesica. I also used "jesica" as the password, which is fine only for a throwaway lab machine; you should use your own. The password you type is not displayed, for security reasons. As my password has only 6 characters, we get a message saying the password is shorter than 8 characters. That is a password policy check (PAM's pwquality module on CentOS); root is allowed to override it, a normal user changing their own password is not. We will discuss password policies later in this article.

Now we have created a new user with the useradd command and set a password with the passwd command. This was done on CentOS. Debian and Ubuntu additionally ship an interactive adduser front-end that asks for the password, full name and other details and creates the home directory for you; useradd itself is the low-level command and exists on all of these distributions.

* If you are a normal user, you need root privileges to add a new user, so run the commands as sudo useradd <username> and sudo passwd <username>.

Where do all of these users reside ? 

We discussed this in the "Linux File System Hierarchy" article. The root user's home directory is /root; normal users' home directories live under /home, one directory per user. You can use ls /home for a quick look at the home directories that exist, but it is not an authoritative list of accounts: a user created with -M has no home directory, and a deleted user's directory may be left behind. The authoritative list of accounts is /etc/passwd, covered next.
The image below shows the users on my OS.


What is the /etc/passwd file ?

When you create a user with the command useradd <username> without any options, several configuration files are changed. They are:

  1. /etc/passwd
  2. /etc/shadow
  3. /etc/group
  4. /etc/gshadow

The contents of those files on my OS are shown below.

1. /etc/passwd file
/etc/passwd file in linux

2. /etc/shadow file
/etc/shadow file in linux

3. /etc/group file
/etc/group file in linux
When we create a new user with useradd without options, sensible defaults are written into every field of the new entry in /etc/passwd. /etc/passwd is a plain, world-readable text file that holds basic information about each account: username, user ID, primary group ID, home directory path, login shell and so on. Password hashes are not stored here; they live in /etc/shadow, which only root can read.

The fields of an /etc/passwd entry are separated by colons:

eg : student:x:1000:1000:student:/home/student:/bin/bash

1. student : The username. This is the name used to log in.
2. x : A placeholder meaning the password hash is stored in /etc/shadow, not here. (Historically the hash lived in this field; an empty field here means no password is required at all, which is why this field should always be checked.) You can see the corresponding record for user student in the /etc/shadow image above.
3. 1000 : The user ID (UID). Every user has one, and it is the UID, not the name, that the kernel uses for permission checks; any account with UID 0 is root whatever it is called. UID 0 is root, 1-999 are reserved for system accounts (the split between fixed and dynamically allocated system UIDs is set in /etc/login.defs), and normal users start at 1000 on CentOS. Extra - the command id <username> shows a user's UID, GID and group memberships.
4. 1000 : The primary group ID (GID); see the /etc/group image above.
5. student : The comment (GECOS) field, usually the user's full name.
6. /home/student : The user's home directory.
7. /bin/bash : The login shell used by the user.
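Because the UID, not the name, decides what an account may do, a quick audit of /etc/passwd is one of the first things to run on a box you are responsible for. The script below is an added example (mine, not part of the original article) that checks a passwd-format file for the three problems the fields above make possible: a second UID-0 account, an empty password field, and a system account with an interactive shell. The file contents are constructed for the example; run it with no argument to audit the real /etc/passwd.

```shell
#!/bin/sh
# Added example: audit an /etc/passwd-format file for risky entries.
# The sample lines below are constructed for this demonstration, not copied
# from a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/bin/bash
student:x:1000:1000:student:/home/student:/bin/bash
backdoor:x:0:0:looks harmless:/tmp:/bin/bash
svcacct::1002:1002:no password set:/srv/svc:/bin/sh
panda:x:1003:1003:panda:/home/panda:/sbin/nologin
broken:x:1004:1004:bad:entry:/home/broken:/bin/bash'

PASSWD_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE"' EXIT
printf '%s\n' "$SAMPLE_PASSWD" > "$PASSWD_FILE"

# passwd_audit [FILE]   (defaults to /etc/passwd)
# Prints one "FINDING user" line per problem, in file order:
#   MALFORMED  the line does not have exactly 7 colon-separated fields
#   UID0       a second UID-0 account: it is root whatever it is called
#   NOPASS     empty password field: no password is asked, /etc/shadow is never consulted
#   SHELL      a system account (UID 1-999) with an interactive shell instead of nologin
passwd_audit() {
    awk -F: '
        NF != 7 { printf "MALFORMED line %d\n", NR; next }
        $3 == 0 && $1 != "root"                         { printf "UID0 %s\n", $1 }
        $2 == ""                                        { printf "NOPASS %s\n", $1 }
        $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { printf "SHELL %s\n", $1 }
    ' "${1:-/etc/passwd}"
}

passwd_audit "$PASSWD_FILE"
```

On the sample file it reports daemon (system account with a shell), backdoor (a second UID 0), svcacct (empty password field) and the malformed eighth line. The SHELL check is a heuristic: a few system accounts legitimately need a shell, so treat its output as a list to review rather than to fix blindly.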


* Summary of the above

  • When a user is created, a home directory is created at /home/<username> by default.
  • The hidden files .bashrc, .bash_profile and .bash_logout are copied from /etc/skel into the new home directory. They set the user's environment variables and will be covered in future articles. 
  • A separate group with the same name as the user (the user private group) is created and becomes the user's primary group. 

Useradd command with some options

1.) To create a user without a home directory  

useradd command in linux

useradd -M panda

On CentOS useradd creates the home directory by default (CREATE_HOME yes in /etc/login.defs); on Debian and Ubuntu it does not unless you pass -m. That difference is the usual reason a home directory is "accidentally" missing after useradd.

2.) To put the home directory somewhere other than /home

useradd -d /boo boo

Use the useradd command with the -d option followed by the new home directory path (/boo here) and then the username. Add -m on distributions that do not create the home directory by default. In the image below, /etc/passwd has a different home directory entry for user boo because we changed it.



3.) Add a comment for the user when adding

useradd -c "<comment>" <username>

In /etc/passwd file the comment appears in the fifth field :

4.) Create a user with a UID of your choice, useradd -u <user id> <username>

5.) Create a user with your own UID and primary GID, useradd -u <user id> -g <group id> <username>
The group must already exist, and when -g is given no user private group is created.

6.) Create a user that is also a member of other groups, useradd -G <groups> <username>
The groups can be one or more, separated by commas (,), and must already exist. 

7.) To create a user but disable shell login, useradd -s /sbin/nologin <username>
With the above command the user cannot get an interactive shell, but the account is active: it can still own files and run services. For a service account, combine this with -r (a system account with a UID below 1000 and no password aging) and -M. 


How to remove an account


3. userdel : Remove a user

syntax : userdel <options> <username>

eg : userdel -r <username>

* When deleting a user, use the -r option. Why ? With -r, userdel removes the user's home directory and mail spool along with the account; without it they are left behind. Files the user owned elsewhere on the system remain either way, now showing only the bare numeric UID, and a future account given that UID inherits them; find / -nouser lists such files.

How to modify a user account 

4. usermod : Modify a user

syntax : usermod <options> <username>

* usermod accepts most of the options used with useradd (-d, -s, -c, -u, -g, -G and so on). Below are some options not discussed above. 

1.) How to change the user's login name

usermod -l <new user name> <old username>

This only renames the login; the home directory and the user private group keep the old name. Add -d /home/<new user name> -m to move the home directory, and use groupmod -n for the group.

2.) To lock a user's password

usermod -L <username>

3.) To unlock a user's password

usermod -U <username>

* -L puts a "!" in front of the password hash in /etc/shadow so the password no longer works. It does not disable the account: as the passwd manual page notes, the user may still log in with another authentication token such as an SSH key, and the user's running services and cron jobs continue. To disable an account, also expire it (usermod -e 1 <username> or chage -E 0 <username>) and set the shell to /sbin/nologin.

4.) To set the supplementary groups of a user

usermod -G <group names> <username>

5.) To append a group to a user

usermod -aG <group name> <username>

* Appending means adding the group without removing the groups the user is already in. Without -a, -G replaces the whole supplementary group list with the groups you name, which can silently drop a user out of wheel or sudo. -G only touches supplementary groups; the primary group is changed with -g.


What is a group ?

A group is a collection of one or more users in Linux. Like users, groups have a name and an ID (GID). Group details are kept in /etc/group. A user has two kinds of groups. The primary group is the GID in the user's /etc/passwd entry and owns the files the user creates by default. Supplementary groups are the groups whose member lists in /etc/group name the user; they grant extra access (for example, membership of wheel grants sudo on CentOS). On CentOS every new user gets a private group with the same name as the user, which becomes the primary group.
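A practical consequence of the primary/supplementary split: the member list in /etc/group only holds supplementary members, so a user whose primary GID is 10 is in wheel even though getent group wheel never shows them. The script below is an added example (mine, not from the original article) that resolves the effective membership of a group by combining both files. The sample files, user names and the assumption that wheel and docker are the privilege-granting groups are constructed for the example; called with a group name alone it reads the real /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example: list every user who effectively belongs to a group, using
# both /etc/group (supplementary members) and /etc/passwd (primary GIDs).
# The sample files are constructed for this demonstration.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
bob:x:1001:10:bob:/home/bob:/bin/bash
carol:x:1002:1002:carol:/home/carol:/bin/bash'
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice
docker:x:990:carol
alice:x:1000:
carol:x:1002:'

PASSWD_FILE=$(mktemp)
GROUP_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE" "$GROUP_FILE"' EXIT
printf '%s\n' "$SAMPLE_PASSWD" > "$PASSWD_FILE"
printf '%s\n' "$SAMPLE_GROUP" > "$GROUP_FILE"

# members_of GROUP [PASSWD_FILE] [GROUP_FILE]
# Prints the sorted, de-duplicated set of users in GROUP; returns 1 if the
# group does not exist. Unlike "getent group GROUP", it also finds users
# whose *primary* group is GROUP, who are absent from the /etc/group member list.
members_of() {
    group=$1
    passwd=${2:-/etc/passwd}
    groupf=${3:-/etc/group}
    gid=$(awk -F: -v g="$group" '$1 == g { print $3; exit }' "$groupf")
    [ -n "$gid" ] || return 1
    {
        # supplementary members: fourth field of /etc/group, comma separated
        awk -F: -v g="$group" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$groupf"
        # primary members: users whose passwd GID equals the group's GID
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd"
    } | sort -u
}

# Audit the groups that grant privileges: wheel gives sudo on CentOS, and
# docker membership is effectively root because the daemon runs as root.
for g in wheel docker; do
    printf '%s: %s\n' "$g" "$(members_of "$g" "$PASSWD_FILE" "$GROUP_FILE" | tr '\n' ' ')"
done
```

On the sample data wheel resolves to alice and bob: bob never appears in the wheel line of /etc/group, but his primary GID is 10, so he is in the group all the same. On a live system, id -nG <username> shows the same thing from the user's side.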

How to create a group

5. groupadd : create a linux group

syntax : groupadd <options> <group name>

Few examples

1.) To create a group named "student"

groupadd student

2.) Define a different group id ( GID )

groupadd -g 5000 student


How to modify an existing group

6. groupmod : modify a group

syntax : groupmod <options> <group name>

To change the name of the group, groupmod -n <new name> <old group name>
To change the group id, groupmod -g <new number> <group name>

Note that files store the numeric GID, not the name: renaming a group keeps ownership intact, but changing the GID leaves existing files owned by the old number until you chgrp them (find / -gid <old number> locates them).


How to delete an existing group

7. groupdel : delete a group

syntax : groupdel <group name>

groupdel refuses to remove a group that is the primary group of any existing user; change or delete those users first.


How to manage user passwords using password policy ?

As we discussed above, /etc/passwd stores user details while /etc/shadow stores password details: the password hash and the password aging fields. I attached an image of the /etc/shadow file above. The term used here is password aging, and the chage command edits the password aging policy for a user. Look at the image below.

Password aging in Linux

Refer to the above image; the options are as follows.

chage -d 0 <user name> : Force the user to change the password at the next login (sets the last-change day to 0).
chage -E YYYY-MM-DD <user name> : Expire the user account on that date; after it, no login of any kind is possible.
chage -M 90 <user name> : Set the maximum password age to 90 days, so the password must be renewed every 90 days.
chage -m 7 <user name> : Set the minimum password age to 7 days, so the user must wait 7 days before changing the password again (this stops a user cycling straight back to an old password).
chage -W 14 <user name> : Warn the user 14 days before the password expires.
chage -I 7 <user name> : Set the inactive period to 7 days.

* The inactive period defines how many days after password expiration the account is still usable: during that window the user can log in but is forced to change the password. If the password is not changed within the inactive period, the account is locked.

chage -l <user name> : Display the user's current password aging settings.

The defaults for all of the above (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE, together with the UID_MIN/UID_MAX and GID_MIN/GID_MAX ranges used for new accounts) are in the plain text configuration file /etc/login.defs. You can change the values there to suit your requirements, but they apply only to accounts created afterwards; existing users keep the values already written into their /etc/shadow entries, so apply chage to those.
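chage -l shows one user at a time, and reading /etc/shadow by eye is error-prone. The script below is an added example (mine, not from the original post) that interprets the shadow fields for every account at once, using the same rules chage and the login programs apply: it reports accounts that are expired, locked with the "!" prefix that usermod -L writes (which blocks the password but not SSH-key logins), forced to change at next login, past their maximum age, or whose password never expires. The lines and placeholder hashes are constructed; against the real file, run it as root with shadow_audit $(( $(date +%s) / 86400 )).

```shell
#!/bin/sh
# Added example: classify every account in an /etc/shadow-format file.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Day numbers are days since 1970-01-01, the unit /etc/shadow uses.
# The lines below are constructed for this demonstration; "$6$placeholder"
# stands in for a real SHA-512 hash.
SAMPLE_SHADOW='root:$6$placeholder:19000:0:99999:7:::
student:$6$placeholder:19750:7:90:14:7::
olduser:$6$placeholder:19700:7:90:14:7::
grace:$6$placeholder:19705:7:90:14:14::
jesica:$6$placeholder:0:0:90:7:::
panda:!$6$placeholder:19600:0:99999:7:::
boo:!$6$placeholder:19600:0:99999:7::19601:
nobody:*:18000:0:99999:7:::
svc::19500:0:99999:7:::'

SHADOW_FILE=$(mktemp)
trap 'rm -f "$SHADOW_FILE"' EXIT
printf '%s\n' "$SAMPLE_SHADOW" > "$SHADOW_FILE"

# shadow_audit TODAY [FILE]   (FILE defaults to /etc/shadow; root is needed to read it)
# Prints "STATE user" per line. States, in the order they are checked:
#   DISABLED    account expiry date (chage -E) has passed: no login of any kind
#   NOPASS      empty hash: the account logs in with no password at all
#   NOLOGIN     hash is "*": password login impossible (normal for system accounts)
#   LOCKED      hash starts with "!": usermod -L / passwd -l; password login is
#               blocked but SSH keys, cron jobs and running services still work
#   FORCECHANGE last-change day is 0 (chage -d 0): new password required at next login
#   NOEXPIRY    max days is empty or 99999: the password never has to be changed
#   EXPIRED     password older than max days AND the inactive grace period is over
#   PWEXPIRED   password older than max days, still inside the inactive grace period
#   OK          nothing to report
shadow_audit() {
    today=$1
    awk -F: -v today="$today" '
    {
        user = $1; hash = $2; last = $3; max = $5; inact = $7; expire = $8
        grace = (inact == "") ? 0 : inact + 0
        if (expire != "" && expire + 0 <= today)      state = "DISABLED"
        else if (hash == "")                          state = "NOPASS"
        else if (hash == "*")                         state = "NOLOGIN"
        else if (substr(hash, 1, 1) == "!")           state = "LOCKED"
        else if (last == "0")                         state = "FORCECHANGE"
        else if (max == "" || max + 0 >= 99999)       state = "NOEXPIRY"
        else if (last + max + grace < today)          state = "EXPIRED"
        else if (last + max < today)                  state = "PWEXPIRED"
        else                                          state = "OK"
        printf "%s %s\n", state, user
    }' "${2:-/etc/shadow}"
}

shadow_audit 19800 "$SHADOW_FILE"
```

With today set to day 19800, student is fine (19750 + 90 is still in the future), olduser is past both the 90-day maximum and the 7-day inactive window, grace is past the maximum but inside its 14-day window, panda is merely locked, and boo is disabled because its expiry date has passed. A LOCKED account that is not also DISABLED is exactly the case where usermod -L alone was used and key-based logins still work.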


/etc/login.defs file in linux


You have now covered the most commonly needed material on Linux users and groups. It is not a small topic, and there are many more commands and options; use the man pages (man useradd, man usermod, man chage, man shadow) for reference.

If you have any questions, please feel free to ask.

Cheers!

