Users, Groups and Permissions in Linux

Users, Groups, and Permissions in Linux

In the words of Richard Feynman, “If you want to master something, teach it. The more you teach, the better you learn…”

So here I am, in my journey to mastery, documenting how I learnt to create users, groups and permissions in Linux in the form of a mini-tutorial.

We’ll be working with Ubuntu installed on a local virtual server — but most commands used will apply to any other Linux distribution. This article also assumes a basic knowledge of Linux commands.

The Linux operating system allows multi-user functionality. This means that multiple users can use the operating system concurrently and independently while sharing system resources.

In this mini-tutorial, we will create 3 groups and 15 users and assign these users across the 3 groups. We will also ensure that users in one group cannot access files in another group unless they are added to that group.

But first, let’s take a look at the different types of user accounts in Linux.

Types of user accounts

There are three basic types of Linux user accounts:

1. Root user(administrative): This user account has full access to system-wide resources, in addition to the permission to create, modify and delete users and groups.
2. Regular user accounts: These are user accounts with a login shell and home directory that perform tasks for personal use — usually common application tasks that are isolated to the user’s home directory.
3. Service accounts: These are accounts assigned to applications but with limited access in order to protect the application from potential attacks while still performing essential functions. They usually will not have a home directory.

Create users

We will need admin privileges to create users — however, using the root user context is generally avoided, for security reasons.

First, create a regular user using the useradd command following this syntax:

$ useradd -m <name-of-user>

TIP: To learn more about a Linux command, run man <command> , for example, man useradd to display a full description of the command.

And then, assign admin privileges to this user as follows:

$usermod -aG sudo <username>

Now, this admin user has superuser privileges and will not need to type in a password with the sudo command.

Let’s switch to the admin superuser using the following command:

$ sudo su <adminuser>

And then create more users with the useradd command:

$ sudo useradd -m <name of user>

Do this for the number of users you need to create — 15 users in this case.

View users

All users in the system are stored in the /etc/passwd directory. To view all users, run the following command:

$ getent passwd

This should output something similar to the following:

root:x:0:0:root:/root:/bin/bash
...
user1:x:1002:1002::/home/user1:/bin/sh
user2:x:1003:1002::/home/user2:/bin/sh
user3:x:1004:1002::/home/user3:/bin/sh
user4:x:1006:1003::/home/user4:/bin/sh
user5:x:1007:1003::/home/user5:/bin/sh
...

Each entry has the following features:

• the username: user1
• the encrypted password: x
• the unique identifier (UID) for the user: 100x
• the user group ID (GID): 100x
• the General Electric Comprehensive Operating Supervisor (GECOS) field — which is empty in this case. (This field contains general information as a string of comma-delimited attributes, for example, full name; phone number; etc)
• the user home directory: /home/user1
• the default login shell for the user: /bin/sh

Delete users

To delete a user, run the command:

$ sudo userdel -f <user>

This removes all related user data, along with all the files in the user’s home directory -f, --force.

Add users to a group

To add the 15 users to groups, let’s create three different groups — a group for team leads leads, one for developers developers and another for the site reliability engineering team sre — and then add the users to the groups.

Use the groupadd command to create a group with the following syntax:

$ sudo groupadd <groupname>

So for our case, we will create three different groups like so:

$ sudo groupadd leads
$ sudo groupadd developers
$ sudo groupadd sre

Next, add the already created users to each group assuming each user fits the group role, using the gpasswd command with the following syntax:

$ sudo gpasswd -A <user> -M <user,user,user> <groupname>

The gpasswd command allows you to manage the creation of groups and members of groups — the -A flag defines group administrators and the -M flag defines the members of the group as a comma-separated list (see the man pages for more details).

View groups

All groups in the system are stored in the /etc/groups directory. To view all groups, run the following command:

$ getent group

This should give an output similar to:

leads:x:1002:user1,user2,user15
developers:x:1003:user3,user4,user5,user6,user7,user8,user9
sre:x:1004:user10,user11,user12,user13,user14

Next, let’s define the level of access allowed for each group.

Permissions and Ownership

The reason Linux so elegantly supports a multi-user system is as a result of permissions. Permissions grant users the right to access files and directories within the system. In Linux, the basic permissions are:

• Read : the right to open and view the contents of files and directories. Represented by r
• Write: the right to modify the content of a file and to add, remove and rename files within a directory. Represented by w
• Execute: the right to run a script or application. Represented by x

Let’s demonstrate the significance of file permissions; create 3 separate files using the following command:

$ touch leads.txt developers.txt sre.txt

Run the following command to view the files and the current permissions on each file:

$ ls -l

The output of this command should be similar to this:

-rw-r--r-- 1 adminuser adminuser    0 Aug 15 19:41 leads.txt
-rw-r--r-- 1 adminuser adminuser    0 Aug 15 19:41 developers.txt
-rw-r--r-- 1 adminuser adminuser    0 Aug 15 19:41 sre.txt

The parts of the above output relevant to the level of access are the following:

• The first ten characters -rw-r--r-- symbolize the file access permissions:
• the first character refers to the file type, where - means a regular file. Other notations are d for a directory, l for a symbolic link, and so on.
• the other nine characters define access permissions to the file type — the first three characters rw-are user permissions, the next three r-- are group permissions while the last three r-- are permissions for all other users.
• root: the user that owns (created) the file
• root: the group that owns the file

With the above information in mind, we will assign a specific group to its related file.

Assign Group Ownership

We want each file to belong to its own group. To do this, let’s assign group ownership using the chgrp (short for change group) command. The syntax for this command is:

$ sudo chgrp <group> <file>

So, for our example, we’ll run the following commands:

$ sudo chgrp leads leads.txt
$ sudo chgrp developers developers.txt
$ sudo chgrp sre sre.txt

Now, when we run the ls -l command, we should get the following output:

-rw-r--r-- 1 adminuser leads    0 Aug 15 19:41 leads.txt
-rw-r--r-- 1 adminuser developers    0 Aug 15 19:41 developers.txt
-rw-r--r-- 1 adminuser sre    0 Aug 15 19:41 sre.txt

Each file now belongs to its respective group. This means that only members of the group that owns the file can have whatever permissions specified; that is, read permission (as demonstrated by the middle three characters r--). However, all other users outside of the group also have read permissions (as demonstrated by the last three characters r--).

So, considering we want to restrict file access to only members belonging to the file group, let’s change that.

Modifying permissions

To set or change permissions, use the chmod (short for change mode) command (see the manpages for more details).

When using this command, we specify the following:

• Whom to change permissions for: u for the user(owner), g for the group and o for all other users.
• How to change permission: + (plus sign) to add permissions, — (minus sign) to remove permissions or =(equal sign) to leave as is.
• What permission to change: r for read, w for write, x for execute.

Using the information above, let’s take away the read permission for users outside the group and add write and execute permissions to the group as follows:

$ sudo chmod g+wx,o-r leads.txt
$ sudo chmod g+wx,o-r developers.txt
$ sudo chmod g+wx,o-r sre.txt

Run the ls -l command to view the modified permissions. The output should be:

-rw-rwx--- 1 adminuser leads    0 Aug 15 19:42 leads.txt
-rw-rwx--- 1 adminuser developers    0 Aug 15 19:42 developers.txt
-rw-rwx--- 1 adminuser sre    0 Aug 15 19:42 sre.txt

To demonstrate that files belonging to one group cannot be accessed by another group, login as a different user; for example, user5(who belongs to the developers group), using the following command:

$ sudo su user5

Now, let’s attempt to read a file that does not belong to the developers group. Run the following command to view the leads.txt file:

$ cat leads.txt

You should get a warning that says:

cat: leads.txt: Permission denied

This is expected because user5 does not have the permission to read the contents of the leads.txt file since the file belongs to the leads group, and not the developers group.

Conclusion

The information shared in this mini-tutorial is by no means exhaustive of the topic of managing users, groups and permissions in Linux. But this should get any beginner, such as myself, up and running with working in Linux.

PS: I decided to have some fun while learning bash scripting, and wrote scripts create_users.sh and delete_users.sh to automate creating and deleting the users described above. See them here.

— — — — — — — — — Thank you for reading! — — — — — — — — -