In this blog we will be exploring the following fields in Linux:
- User Account Management
- Group Management
- File Permissions And Ownership
Why have different user accounts at all? The following points answer that:
- Each user gets an individual, private space of their own.
- Privileges can be distinguished between users.
Note : root user is a special user who is able to do anything on the system.
- UID : a unique number assigned to the user account. It is used to determine the user's privileges and to track their activity.
- GID : Indicates default group of the user.
- Comment : a free-text field, usually used for contact information.
- Home Directory : owned by the user and found under the /home directory on the system, except for root.
- Login Shell : Various shells are there e.g. /bin/bash or /bin/csh.
What actually happens behind the scenes when a user account is created? Let's debug it 😎
- The next free UID greater than UID_MIN (defined in /etc/login.defs) is assigned to the new user by default.
- By default the GID is set to the same value as the UID.
- Then the home directory for the user is created.
- A login shell is assigned to the user.
- The contents of /etc/skel are copied to the user's home directory. Note : /etc/skel contains the startup files for bash and for the X Window System.
- Command to create a user named student:
```
useradd -s /bin/bash -m student
```
- userdel : the root user can remove user accounts with this command. By default it does not delete the home directory; use the -r option to delete it as well. The user's entries are removed from /etc/passwd, /etc/shadow, and /etc/group.
- usermod : changes the characteristics of a user account, such as group memberships, home directory, login name, password, default shell, user ID, etc.
You might be wondering what locked accounts are. In Linux some accounts are locked, meaning they can run programs but can never log in to the system and have no valid password associated with them, for example bin and daemon.
If you look up these entries in the /etc/passwd file
To lock a user account:
```
usermod -L student
```
Unlocking is done with the -U option.
If we look at some entries in /etc/passwd we will see records like the following. Each record consists of a number of fields separated by colons (:):
```
student:x:1006:1008::/home/student:/bin/bash
user1:x:1002:1002:user 1:/home/user1:/bin/bash
```
- username : user's unique name
- password : either a hashed password or a placeholder ("x", meaning the hash lives in /etc/shadow)
- UID : User Identification Number
- GID : primary group identification number for the user
- comment : comment area, usually the user's real name
- home : user's home directory
- shell : name of the shell to be invoked at login
The default permissions on /etc/passwd are 644 (-rw-r--r--), so anyone on the system can read it. That is why storing password hashes in this file is dangerous: a world-readable hash can be fed straight to offline cracking tools like Crack or John the Ripper.
**/etc/shadow** : provides greater security for the hashed passwords and also makes it possible to enable password aging on a per-user basis. The permissions on this file are **400 (-r--------)**, meaning only root can read it. Let's see one record from this file.
This file contains one record for each user.
Colon separated fields are:
- username : the login name, matching the entry in /etc/passwd
- password : the hashed password (SHA-512 by default)
- last change : days since Jan 1, 1970 that the password was last changed.
- mindays : minimum number of days that must pass before the password may be changed again.
- maxdays : maximum number of days after which the password must be changed.
- warn : days before the password expires that the user is warned.
- grace : days after the password expires before the account is disabled.
- expire : date (in days since Jan 1, 1970) on which the account will be disabled.
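The two record formats above are easy to audit together. The following is an added example (not from the original post) that parses constructed /etc/passwd and /etc/shadow records, joins them by username and reports the conditions the post discusses: locked accounts, hashes kept in the world-readable /etc/passwd, and password-aging state; the salts and hashes are placeholders, and `today` is a day count since 1970-01-01 as in /etc/shadow.

```python
# Added example: auditing constructed /etc/passwd and /etc/shadow records.
# Salts and hashes below are constructed placeholders, not real credentials.

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
student:x:1006:1008::/home/student:/bin/bash
user1:x:1002:1002:user 1:/home/user1:/bin/bash
"""
SHADOW = """\
root:$6$constructedsalt$CONSTRUCTEDHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
student:!$6$constructedsalt$CONSTRUCTEDHASH:19000:0:90:7:14::
user1:$6$constructedsalt$CONSTRUCTEDHASH:18900:0:30:7:::
"""
PASSWD_FIELDS = ("name", "password", "uid", "gid", "comment", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchange", "mindays", "maxdays",
                 "warn", "grace", "expire", "reserved")

def parse_records(text, fields):
    """Split colon-separated records into dicts keyed by the first field (username)."""
    records = {}
    for line in text.splitlines():
        values = line.split(":")
        records[values[0]] = dict(zip(fields, values))
    return records

def audit(passwd_text, shadow_text, today):
    """Return {username: [findings]}; 'today' is days since 1970-01-01 as in /etc/shadow."""
    passwd = parse_records(passwd_text, PASSWD_FIELDS)
    shadow = parse_records(shadow_text, SHADOW_FIELDS)
    findings = {}
    for name, p in passwd.items():
        notes = []
        s = shadow.get(name)
        if s is None:
            notes.append("no shadow entry")
        else:
            h = s["hash"]
            if h == "":
                notes.append("empty password")        # login without any password
            elif h.startswith("!") or h == "*":
                notes.append("locked")                # password authentication impossible
            last, maxdays = int(s["lastchange"]), int(s["maxdays"] or 99999)
            warn = int(s["warn"] or 0)
            if maxdays >= 99999:
                notes.append("no password aging")
            elif today > last + maxdays:
                notes.append("password expired")
            elif today > last + maxdays - warn:
                notes.append("password expiring")
        if int(p["uid"]) == 0 and name != "root":
            notes.append("uid 0 but not root")        # a second superuser account
        if p["password"] != "x":
            notes.append("hash stored in /etc/passwd")  # exposed in a world-readable file
        findings[name] = notes
    return findings
```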
passwd is the command to change a password. Remember, normal users can change only their own password, while root can change any user's password. Normal users are not allowed to set bad passwords, such as short words; root, however, is allowed to do so.
```
root@ayush:~# passwd student
New password:
Retype new password:
passwd: password updated successfully
```
Linux systems gather users into collections called groups, whose members share some common purpose. They share certain files and directories and maintain some common privileges; this separates them from everyone else on the system, called the world. Groups are defined in /etc/group.
```
cat /etc/group
student:x:1008:
```
- groupname is name of the group
- password is password placeholder
- GID is the group identifier. Values between 0 and 99 are for system groups. Values between 100 and GID_MIN are considered special. Values above GID_MIN are for User Private Groups: each user gets his or her own group, which is called a UPG (User Private Group) although it is not guaranteed to be private.
- user1,user2 is the comma-separated list of users who are members of the group.
- groupadd: Add a new group.
- groupmod: Modify a group and add new users.
- groupdel: Remove a group.
- usermod: Manage a user's group memberships.
Let's see the demo of it.
1. Create the group:
```
groupadd -r -g 245 student_grp
```
2. Add users to the group:
```
usermod -G student_grp student
usermod -G student_grp user1
```
3. Check whether the group was created:
```
root@ayush:~# cat /etc/group | grep student_grp
student_grp:x:245:student,user1
```
Note : Be careful when using usermod -G: the group list that follows is the complete list of supplementary groups, not just the changes, so any supplementary groups left out will be gone!
- The -a option of usermod preserves pre-existing group memberships when adding new ones.
A Linux user has one primary group, listed in /etc/passwd and /etc/group. The primary group's GID is used whenever the user creates files or directories.
Group membership can be identified by running the following command:
```
root@ayush:~# groups root
```
- The first character indicates the type of the file object. The nine characters that follow indicate the access rights granted to users of the file.
```
root@ayush:~# ls -l file.txt
-rw-r--r--. 1 root root 16 Oct 8 12:31 file.txt
```
- These are arranged in three groups of three:
- owner: the user who owns the file
- group: the group of users who have access
- other: the rest of the world (also called world)
- File access rights:
  - r : read access is allowed
  - w : write access is allowed
  - x : execute access is allowed
If a permission is not granted, a - (dash) appears in its place.
- Changing file permissions is done with chmod
Let's see a demo now.
- Create a file, give the owner and world execute permission, and remove the group write permission:
- You can only change permissions on files you own, unless you are the superuser.
- The student user tried to change the file permissions but failed, as the file is owned by another user.
- The scheme is simple, and a single octal digit suffices to specify all three permission bits for each entity.
Octal Number representation
- The octal digit for each entity is the sum of:
- 4 - if read permission is desired
- 2 - if write permission is desired
- 1 - if execute permission is desired
Chown and Chgrp
- Changing file ownership is done with chown and changing the group is done with chgrp.
Note : Only the superuser can change the ownership of files.
- In this demo we changed the owner of the file from ayush to user1.
- In this demo we changed the group ownership of the file.
The default permissions requested when creating a file are read/write for owner, group and world (0666), and for a directory read/write/execute for all three (0777).
But we notice that the actual permissions on the file are 664 (u=rw, g=rw, o=r) and on the directory 775 (u=rwx, g=rwx, o=rx).
- So who did that? umask is the answer. The umask specifies which permission bits should be denied when a file is created. Let's see the umask value set by default.
- This shows that write permission is removed for other users.
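To tie the octal representation (4/2/1 per entity) to the umask behaviour described above, here is an added example (not from the original post): it computes the created mode as the requested default with the umask bits cleared, reproducing the 0666 → 664 and 0777 → 775 observations, and converts between octal modes and the symbolic form shown by ls -l.

```python
# Added example: umask arithmetic and octal <-> symbolic permission conversion.
# apply_umask() models how the kernel derives a new file's mode: requested & ~umask.

BITS = (("r", 4), ("w", 2), ("x", 1))   # the 4/2/1 weights of each permission bit

def apply_umask(requested, umask):
    """umask names the bits to deny, so the created mode is requested & ~umask."""
    return requested & ~umask & 0o777

def to_symbolic(mode, is_dir=False):
    """Render an octal mode the way ls -l does, e.g. 0o664 -> '-rw-rw-r--'."""
    out = "d" if is_dir else "-"
    for shift in (6, 3, 0):              # owner, group, other
        digit = (mode >> shift) & 7
        out += "".join(ch if digit & bit else "-" for ch, bit in BITS)
    return out

def from_symbolic(text):
    """Inverse of to_symbolic: '-rw-r--r--' -> 0o644, summing 4/2/1 per entity.
    Extra trailing characters such as the SELinux '.' from ls -l are ignored."""
    perms = text[1:10]
    mode = 0
    for i in range(0, 9, 3):
        digit = sum(bit for (ch, bit), c in zip(BITS, perms[i:i + 3]) if c == ch)
        mode = (mode << 3) | digit
    return mode

def explain(umask):
    """What a given umask yields for newly created files (0666) and directories (0777)."""
    return {
        "file": to_symbolic(apply_umask(0o666, umask)),
        "dir": to_symbolic(apply_umask(0o777, umask), is_dir=True),
    }

if __name__ == "__main__":
    for mask in (0o002, 0o022, 0o077):
        print(f"umask {mask:04o}: {explain(mask)}")
```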
That's all for now. Thank you for reading. Do share your feedback and if you have liked the article share it with your friends.