Let's talk about Linux and how system admins handle user management and permissions in it.
Jargon to Remember :
Files and folders created by one user cannot be accessed by another user by default.
There can be multiple users in a Linux system besides the root and the current user which are created by humans.
There are multiple system users that are not created by the owner/humans, such as system daemons.
Users and Groups
When you open your home directory on a Linux machine and run the command pwd
,
you will see your username attached to the path.
as you can see above my username is yagya.
same way there can be multiple user and they are going to have different directory like ours.
The Linux system doesn't use names it uses UIDs to differentiate between users.
Similarly, the Linux system also maintains a group ID to differentiate between various groups. A user can be part of multiple groups.
Creating groups is really helpful. Let's say this Linux system has multiple users: some are web developers, some are database administrators, and some are DevOps engineers. Each group requires different permissions. Instead of repeatedly granting the same permissions to each user, we can use groups. By adding a user to a group, we can grant the necessary permissions all at once and revoke them when they are no longer needed.
There are multiple users besides those created by humans, such as users responsible for displaying the GUI and system daemons that ensure other processes run smoothly. Among these, there is one user who is the most powerful, known as the root or superuser.
Root / Superuser
There are multiple files and folders that are not accessible by the current user. This is because these files and folders contain important and sensitive information that a normal user could alter. To prevent this, there exists a root user who can access those files. The root user is the owner of these files.
To access these files, you can use a simple command known as sudo
, which stands for "superuser do." sudo
is a very powerful instruction that allows you to execute commands as the superuser. Here is an example below:
sudo <command>
There is also a command known as sudo su
, which allows the user to remain as the superuser until they type exit
. This is a very dangerous command and should be executed cautiously.
/etc/sudoers file
Now you might be thinking, can all users execute the sudo command? By default, the answer is yes, but we can change this in the sudoers file located in the /etc directory.
Here is the file below:
Here, as you can see, sudo is allowed for all users. Now we know how to change it.
/etc/passwd file
So now you might be wondering, "Okay, there are multiple users apart from me. What are they doing on my system? Who are they?" To see all the users that exist in a Linux system, you can check a file called /etc/passwd
. Here, you'll find a list of the various users.These users are responsible for various function like showing you GUI allow you to access media,making sure the process run fine etc.
Here you can see a variety of users such as daemon, bin, sys, and games, each with different roles and features.
You might notice there is additional information separated by colons (:) alongside the usernames. Let's use the root user as an example to understand this:
root:x:0:0:root:/root:/bin/bash
The first field is the username.
The second field, represented by an 'x', indicates the password, which is stored in the
/etc/shadow
file.The third field is the user ID (UID), with root having a UID of 0.
The fourth field is the group ID (GID), which is also 0 for root.
The fifth field contains user information, in this case, "root."
The sixth field is the home directory of the user.
The seventh and final field specifies the shell the user is using.
/etc/shadow file
Now lets talk about the /etc/shadow
As I mentioned before, the /etc/shadow file stores information about user passwords. Let's break it down:
root:!:19539:0:99999:7:::
The first field is the username.
The second field is the password, stored as a hash. The '!' means it matches the main user's password.
The third field shows the number of days since the password was last changed, usually based on epoch time.
The fourth field is the minimum password age, indicating the minimum number of days it must stay the same.
The fifth field is the maximum password age, showing how long the password is valid.
The sixth field is the warning period, which starts giving warnings 7 days before the password expires.
The seventh field is the password expiry period, indicating how many days the password has been expired. It's empty here because the password hasn't expired.
The eighth field is the account expiry period. As a sysadmin, you can set this to prevent the user from accessing the system after a certain number of days.
The last field is extra and can be used for future purposes.
In modern Linux, we can also use PAM (Pluggable Authentication Module).
/etc/group file
We have a file called /etc/group, which lists all the groups that exist in the system.
So again, here are the four fields: the first one is the group name, the second is the group password, the third is the group ID, and the fourth is the list of users in the group, separated by commas.
As a sysadmin, you can use the useradd
command to add a user and the userdel
command to delete a user.
sudo useradd <newusername>
There also exist a passwd command that can be used to create a new password or changing the password.
sudo passwd <username>
Now lets talk about permissions
So each file has a owner and the group of owner attached to it
also it has permission along with it which help the file to make more secure and only accesseble to the party intended
we have three types of permissions
first is user the the group then we have others
here is an example below
As you can see, we have:
drwxrwxr-x 7 yagya yagya
The d
stands for directory. It would be a dash (-
) if it was a file and l
for a link.
First, we have permissions for the user:
r
stands for readw
stands for writex
stands for execute
So, the user can read, write, and execute the file. Next, we have permissions for the group, which are similar.
Finally, we have permissions for others. "Others" means users who are not in the same group as the owner of the file. Here, r-x
means other users can read and execute the file, but they cannot write to it (-
stands for no write permission).
chmod
To set permissions, we can use the chmod
command. Here’s how it works:
Let's say you want to give write permission to others. You can use chmod o+w
. Here, o
stands for others, u
stands for user, and g
stands for group. The +
means we are adding this permission, while -
would mean we are revoking it. Then, we specify the initial for the permission we are changing, like w
for write, x
for execute, and r
for read.
For example:
chmod o+x testing.txt
We can also use another method with chmod, which is using numbers. Here's how it works:
Remember,
4
stands for read,
2
stands for write,
1
stands for execute.
So, if we want to give the user read and write permissions, the group read permissions, and others all three permissions, we can write:
chmod 547 testing.txt
Here, 5 stands for the user (read + write), 4 stands for the group (read), and 7 stands for others (read + write + execute).
chown and chgrp
We also have the chown
and chgrp
commands.
The chown
command is used to change the owner of a directory or file.
The chgrp
command is used to change the group of a directory or file.
Here's how you use them:
sudo chown user_name testing.txt
sudo chgrp user_group testing.txt
You can also do both at once with the chown
command:
sudo chown username:usergroup testing.txt
setuid and setgid
So, let's say there's a file that only the sys admin or root user can execute, but the web dev needs to use it often. Each time they need access, they have to contact the sys admin, which isn't always convenient. To solve this, the owner can set the UID or GID.
In Unix-like operating systems, setuid
(set user ID) and setgid
(set group ID) are handy tools that let users run a program with the permissions of the program's owner or group. This is super useful for giving users temporary access to do a specific job.
setuid
(Set User ID)
When the setuid
bit is set on a program, it lets a user run the program with the permissions of the program's owner. For example, if a program is owned by the root user and has the setuid
bit set, any user running the program will have root privileges while running it.
Setting the setuid
bit:
bashCopy codechmod u+s filename
Example:
bashCopy code-rwsr-xr-x 1 root root 12345 Jul 21 10:00 /usr/bin/passwd
In this example, the passwd
command lets users change their passwords and has the setuid
bit set, giving it root privileges when it runs.
setgid
(Set Group ID)
The setgid
bit, when set on an executable file, lets users run the file with the permissions of the file's group. For directories, it makes sure that new files and subdirectories inherit the directory's group ID instead of the user’s group ID.
Setting the setgid
bit:
bashCopy codechmod g+s filename
Example:
bashCopy code-rwxr-sr-x 1 root staff 12345 Jul 21 10:00 /usr/bin/somecommand
In this example, the somecommand
file will execute with the group permissions of the staff
group.
When setgid
is set on a directory, new files created within the directory inherit the directory's group ID:
bashCopy codechmod g+s dirname
That wraps up our blog! Make sure to follow me here and on my social media. Until then, see you!
Yagya Goel