The Debian Series: users and groups management
I wanted to create this quick story for explaining in a simple way, how users and OS groups are managed along with their permissions the correct way. Take fact that this is not code intended but certain snippets will be placed along with each explanation. Code is necessary, always.
You may be thinking, why Debian? There’s a LOT of Linux distributions out there. A lot of people use Ubuntu (highly popular), Linux Mint, other people like to use OS’s based on RedHat flavors like CentOS or Fedora and even other users prefer dedicated OS, for example, infosec practitioners and professionals typically use Slax, Parrot, or the most famous Kali Linux.
Debian is one of the biggest Linux distro available today, is widely used for SysAdmins (related) and coders around the world. Debian is based on Ubuntu and works with a package manager called APT and the package format is the .deb.
I will explain in more detail about the package managers such as dpkg, apt, aptitude, tasksel in other stories of this series, so, stay tuned.
In order to make things shorter, there’s a lot of history and background information related to Linux, the GNU foundation, the Kernel, and more. If you google it, in a bunch of clicks you will have better and complete information about it, so I will skip that.
All the exercises were done in an old Debian 7 OS with a GNOME 2 graphical environment. Debian 7 is actually a not-so-old OS, as a matter of fact, all following examples work very well with more recent Debian versions.
For today's episode, I’m going to talk about the most elemental thing before anything else, the users and the groups. Before going further, we need to set clear that on a fresh install we set up a su user, which stands for super-user, also known as root.
In Debian instances, we have two files that are important for user management, those files are responsible for listing and specifying users' directories, passwords, and permissions according to your interests.
The first one is the
/etc/passwd which basically has a record of all system user information, for obvious reasons, in a fresh install the root user is the first one you will see listed on that, but more information is shown there. Here’s a quick example of how it looks.
After you log in with
su on the terminal, you can do the following
You will see something like:
Each line represents a user on the system, there’s a lot of parameters that represent something for each user, I will list it next using my user
david as an example, we have the following information:
:x (shadow file, password storage)
:1000 (created ID user, starting from 1000)
:1000 (created group user, starting from 1000)
:david (description name)
:/home/david (user directory folder)
:/bin/bash (user console type)
The other key file is the
/etc/shadow which handles password encryption and rules for handling user-related security access and more. This file has a similar structure of the
/etc/passwd but have a bunch of different parameters that complete the user identity in Debian OSs
Here’s an example using the same
david user before.
:david (name of the user - login)
:password (encrypted password)
:16016 (UNIX EPOCH date of the changed password since 1970)
:0 (remaining days of current password before change)
:99999 (remaining days of password usage)
:7 (warning days to change password)
In a simple way, both previous files record data into the system in order to handling user login and terminal access, passing through the password configuration and expiry dates of each user on the system.
With all that said, let’s move to the basic commands for user creation.
Before going into each command, let me give a pro-tip: check the manual ALWAYS, there’s a direct command for it, refer to it as
Let’s move on.
As it sounds, it creates a user on the OS, but inaccessible (for the moment), you will know in a bit what I’m talking about.
This will create an OS user, but you won’t be able to log in because there’s no password associated, and either have a personal directory. by using the
-d command flag you can provide a directory pathname to it.
With that said, when you type the
useradd -d /home/david david a directory will be created for the
david user on the
/home/david directory. And the user will be added to the
During that type, is you see what’s going on in the terminal, you will notice that some files copied from a
/etc/skel directory, this last one contains files for configuring environment variables and other related stuff for the user bash session. Those files are copied to the
/home/[user] and managed for each session.
If you executed the
useradd david command, you will need to manually create the files by copying them from the
/etc/skel directory itself, and then change the permissions with the
Here’s an example:
chown esanquiz:esanquiz /home/esanquiz
chown [name]:[group] [directory]
By the moment you log in the first time with that created user, the files will be generated with the following archives.
There’s an easy alternative for this complex scenario and is the
This is a PERL script that creates everything, through a wizard. It is very similar to the
useradd but basically handles everything quicker. Also handles the password creation and the
/etc/skel files replication to the user folder
/etc/skel directory contains the
.profile files that a user can configure to specific action into the bash session.
Simply, you can change the password for a specific user.
passwd inside the user session or providing the name of the user you want to change.
passwd david you will be following a prompt and that’s it. A lot of changes also occur on the
/etc/passwd file as well.
This command helps you to specify changes in a specific user. You can see it as a way to edit specs on a user, Here’s an example:
usermod -s /bin/bash david
On this link, you will find more info about the usermod flags and available configurations
This command will prompt you the current user logged on the OS through the CLI
Let’s delete a user from the OS by using the
userdel command, this also deletes its relations on the OS. The
-r flag is key to fully delete the user documents located on its
/home directory. If you do not use the
-r flag it will only be deleted on the
/etc/shadow files only.
You can also generate and manage users for the OS from the GUI, If you have the possibility of access to Debian through a GUI and you are not familiar with the previous command explained before, don’t worry about it. You can go the System Tools -> System -> User Accounts and work from there. (A root password may be required).
To this point, users are pretty much covered from a high-level and simple overview, users are important, but groups are a high priority as well. Let’s talk about it first before going into file permissions.
We ain’t forgetting about groups
Let’s go back to the
/etc/passwd for a bit, on the third parameter on each user, you will see the group ID, when you create a user, the user ID and the Group ID are the same. It’s your responsibility to group each user correctly for any particular reason.
Let’s add a group to the system.
groupadd admins where the
admins is the name of the group.
/usr/sbin/directory you will see a bunch of other commands that represent the other functionalities that groups can do. Many actions are described by the name itself, it keeps the same analogy as the user's functionalities. Things like
We can list all groups using the
cat /etc/group other commands are applicable like
The structure of each group listed there, references the following information:
Before adding users to groups, there is a simple but useful command, the
groups command. If you type just
groups you will be prompted to the groups that the logged user belongs to.
Now, you can add users to a group like this.
usermod -g [group] [user]
If you use the
-g flag, you will be referencing only one group, if you use
-G you will be adding multiple groups to a single user.
Of course, you can handle group management through GUI using the
gnome-system-tools package, feel free to download it through the apt or aptitude package managers
And finally, let’s talk about permissions
When we list something using the
ls -l command. It will show something like this:
drwxr-xr — x 2
This string represents and determines el access type to certain files or directories, basically are 10 lineal bits, where the first bit represents the type of file and the other 9 are related to users and group permissions.
If a file does not have any permissions at all, a
- will be replacing it.
Of the 9 characters below, the first 3 bits are the permissions to the current user, the second 3 bits represent the permissions for the group where it belongs and the final 3 bits are the permissions to any other user on the system.
In a simple way, you can represent and assign permissions in both ways, numbers and letters, check the following self-explanatory relation representation.
r (read): 4 bits
w (write): 2 bits
x (execute): 1 bits
To change permissions you will be using the
chmod command where you can use both notations. You can use something like
chmod 755 [file] or do something like
chmod +rw [file]
The first byte previously mentioned represents the data type of the listing. If you see a
- (dash) is a file, but instead if you see a
d letter, it references a directory.
There’s more to talk about, a huge missing concept here is the
chown command, that basically changes file owners and groups.
Permissions are also applicable to groups as well.
Explaining more concepts will be a never-ending story, I’ll try to emphasize even more on general terminology in this series. In the next story, I’ll talk about package managers.