Chapter 5 – Users and Permissions
So far, you’ve been using the same user account you created during the installation of Linux. That’s fine as long as you’re the only one using your machine.
But what if you want to grant access to other people? Each person would need to have their own user account, and permissions would need to be properly managed.
In this chapter, you will learn how to do all that. So without wasting any time, let’s get started.
By having a user account on a Linux system, you can run processes, access directories, and read and edit files, all within the limits provided by the permissions associated with your user account.
Normally, many users will have access to a Linux machine. A user will own certain files and will belong to certain groups, but they won’t be able to interfere with other users’ processes or perform actions for which they do not have the proper permissions.
However, root is a special user that does not abide by these rules. If you’re acting as root, you can literally do everything you want on your machine. Really, the sky is your limit here. You have full permissions on all files, and you can interrupt and run any process you want. This is why sometimes people refer to root as a superuser.
Having these full privileges can be a double-edged sword. Although it looks tempting at first to be a superuser at all times, it isn’t wise to do so.
When I mentioned that root can do anything, just think for a second about what this implies. Imagine all the ways that you can damage your system: from overwriting or removing critical files to accidentally wiping your entire drive.
For this reason, and as a safety precaution, when you connect to the command-line, you are by default in a normal user mode.
You can switch to root only when you need to do certain actions that require root permissions, but you should do this only when it’s necessary.
Become a Superuser
For example, let’s say you want to access the file ‘/etc/shadow’. This file contains information about the passwords of all users who have access to the machine. Normally, only root can read this file, and so, if you try to read it, you will get a permission denied error.
Now, to execute this command as root, you have to type sudo before the command. After that, you will be asked to type in your password, and only then will you see the content of the file.
I’m obviously not going to share with you the content of the file because it contains sensitive information about my passwords.
But now, let’s say you want to perform multiple actions as root. You don’t want to type sudo before every command. That would be a waste of your time. Luckily, Linux has a way to solve this.
You can run the command sudo su. This will place you in a root mode, and every command that you run after it will be executed as root.
Of course, similarly to sudo, you also have to type in your password.
Notice the change that occurred in the command prompt. Instead of a dollar sign ($), we have a hash sign (#), which indicates that we are using the command-line as root.
When you don’t need full privileges anymore, make sure to switch back to your normal user mode. For this, simply type exit or press Ctrl-D.
Now that you know how to become a superuser, let’s explore some user management commands that only root can execute.
Add a User
To create a user account, use the adduser command followed by the username.
Notice that I had an error message when I tried to execute the command as my normal user account.
When you run the command, you are asked to fill in some fields. You can either provide the requested information or simply press Enter to skip them.
This process will create a user named neo.
Change a Password
The passwd command allows you to change the password of an existing account.
You have to type in the user account you wish to update after passwd. This is very important, because if you forget to do so, and only run passwd by itself, then you’ll be changing your own password.
Delete a User
Nothing is simpler than deleting a user. The command is deluser, followed by the username.
Every user in a Unix system belongs to one or more groups. These groups help in assigning permissions. Users in one group can have common privileges. You will understand this a lot better when we discuss permissions in the next section.
For now, let’s see how we can create and remove groups.
The command to add a group is addgroup. After it, type the name that you want to assign to the new group.
To assign a user to a group, you can use the command usermod. For this, use the option -G followed by the names of the groups you want to assign the user to. Note that using the -G option on its own will remove the user from any existing groups they belonged to. To prevent this, add the option -a alongside -G, which will keep the existing groups.
To verify if the user was indeed assigned to the group, you can use the command groups, which tells you what groups the user belongs to.
Notice that, in addition to the friends group, neo is also a member of the group neo. This is because every time a user is created, Linux automatically creates a group with the same name as the username and assigns the user to it.
The command usermod has many features. You can use it to change the login or the username of an account by using the -l option, or you can change the home directory for a user by using the -d option. I’ll let you explore the manual page to see what else you can do with this command.
Now if you want to delete a group, the command is, you guessed it, delgroup.
Here is how it works.
As we’ve talked about in a previous chapter, when we use ls with the option -l, we get a detailed list of the files that are present in our current directory. When we first learned about this option, I promised you that I would explain in a later chapter what the output of this command means. Well, now it’s time for me to keep my promise. So, I’ll try to explain here what the highlighted elements in the image below represent.
Elements 2 and 3 represent the owner and the group of the file respectively. The owner is normally the user who has created the file, but it is also possible to change it and that’s what we’re going to see in the next section.
But for now, let’s focus on the first element that is highlighted in the image above.
This is how file permissions are written in Linux. As you can see, each file is assigned a set of 10 characters. Each one has a special meaning.
The first character is the only one that has nothing to do with permissions. In general, it tells you whether the file is a directory or not. This is indicated by the letter ‘d’, which stands for directory.
The remaining characters can be divided into three similar sets of three characters each. The first set represents the owner’s permissions, the second set the group’s permissions, and the third set everyone else’s permissions.
For each set, the file is readable if the first character is set to ‘r’, is writable if the second character is set to ‘w’, and is executable if the third character is set to ‘x’.
If we take for example the .dmrc file from the list shown in the previous image, its permissions can be expressed as follows:
- The owner, who is amine, can read and write to the file.
- Any user who belongs to the group amine can only read the file.
- Other users can only read the file.
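The script below is an added example, not part of the original chapter. It decodes a 10-character permission string the way the text just did by hand, and adds a check for the case worth spotting on a shared machine: a file that everyone else can write to. The function names are hypothetical, the sample strings are constructed, and only the letters r, w and x described above are handled.

```shell
#!/bin/sh
# Added example: decode the 10-character string printed by `ls -l`.

# describe_set LABEL TRIPLET -> e.g. "owner: read write"
describe_set() {
    label=$1
    trip=$2
    out=""
    case $trip in r??) out="$out read" ;; esac
    case $trip in ?w?) out="$out write" ;; esac
    case $trip in ??x) out="$out execute" ;; esac
    [ -n "$out" ] || out=" none"
    printf '%s:%s\n' "$label" "$out"
}

# describe_mode MODE -> four lines: type, owner, group, others
describe_mode() {
    mode=$1
    [ "${#mode}" -eq 10 ] || { echo "expected 10 characters" >&2; return 1; }
    case $mode in
        d*) echo "type: directory" ;;
        -*) echo "type: regular file" ;;
        *)  echo "type: other" ;;
    esac
    describe_set owner  "$(printf '%s' "$mode" | cut -c2-4)"
    describe_set group  "$(printf '%s' "$mode" | cut -c5-7)"
    describe_set others "$(printf '%s' "$mode" | cut -c8-10)"
}

# world_writable MODE -> succeeds when "everyone else" holds the w permission
# (character 9 of the string: type, 3 owner, 3 group, then r-w-x for others)
world_writable() {
    case $1 in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample: the .dmrc permissions described in the text.
describe_mode "-rw-r--r--"
```

To decode a real file, pass in the first ten characters of its listing, for example `describe_mode "$(ls -ld somefile | cut -c1-10)"`.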
Now that we know how to read file permissions, let’s see how we can change them.
For this, we use the chmod command, followed by a letter to specify which one of the three sets we want to change (u : user, g : group, o : other). Then, we can type + or - to add or remove a permission, and finally, we pick the permission to change (r, w, or x).
Of course, we need to also add the name of the file at the end.
Here is an example of how this works:
Another way to change permissions is by using chmod with a three-digit number that corresponds to the entire set of permissions. The first digit represents the permissions of the owner, the second one of the group, and the third one of everyone else.
To use this second method, you need to understand how permissions translate to numbers. For this, you need to always remember the following:
- r = 4
- w = 2
- x = 1
If we add these three together, we have the following:
- ‘rwx’ : 7 (4+2+1).
- ‘rw-’ : 6 (4+2).
- ‘r--’ : 4.
By combining these three, we get 764, which is equivalent to ‘rwxrw-r--’.
Now, by typing chmod 764 <filename>, we assign the above permission set to <filename>.
Notice below how the permissions have changed. I think this is enough proof that I’m not leading you astray.
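The following script is an added example, not part of the original chapter. It applies both chmod notations to a scratch file and shows that the letter form and the number 764 arrive at the same permissions. The function names are hypothetical, and the file is a temporary one created with mktemp, so no root access is needed.

```shell
#!/bin/sh
# Added example: letter and number forms of chmod on a scratch file.

# digit_for TRIPLET -> one digit, using r=4, w=2, x=1
digit_for() {
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??x) n=$((n + 1)) ;; esac
    echo "$n"
}

# to_octal 'rwxrw-r--' -> the three-digit number chmod accepts
to_octal() {
    [ "${#1}" -eq 9 ] || { echo "expected 9 characters" >&2; return 1; }
    o=$(digit_for "$(printf '%s' "$1" | cut -c1-3)")   # owner
    g=$(digit_for "$(printf '%s' "$1" | cut -c4-6)")   # group
    e=$(digit_for "$(printf '%s' "$1" | cut -c7-9)")   # everyone else
    echo "$o$g$e"
}

# perms_of FILE -> the nine permission characters from `ls -l`
perms_of() {
    ls -ld "$1" | cut -c2-10
}

# demo -> prints the permissions of the scratch file after each chmod call
demo() {
    f=$(mktemp) || return 1
    chmod 644 "$f"; perms_of "$f"   # start from the .dmrc permissions
    chmod u+x "$f"; perms_of "$f"   # owner gains execute
    chmod g+w "$f"; perms_of "$f"   # group gains write
    chmod o-r "$f"; perms_of "$f"   # everyone else loses read
    # The number form sets all three sets at once, whatever came before.
    chmod "$(to_octal 'rwxrw-r--')" "$f"; perms_of "$f"
    rm -f "$f"
}

demo
```

The letter form changes one permission and leaves the rest alone, while the number form replaces the whole set, which is why the last call restores the read permission that `o-r` removed.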
Change owner and group
For changing the owner of a file, you can use the command chown.
In a similar way, if you want to change the group of a file, you can use the command chgrp.
I believe that these last two commands are self-explanatory. I don’t need to go into more details about them. But if you insist on learning more, you know the drill, just read the manual.
I’m feeling a bit sleepy now, so I think I’m going to call it a day. Besides, we’ve covered almost everything that you would need to properly manage users and permissions on a Linux machine.
So, I’ll see you in the next chapter.