This tutorial will provide you with an explanation of how Linux users organized, what permissions are, how they work, and how to manage them. A number of examples will be provided to illustrate how to set and change permissions for both users and groups.
What are User and Group Permissions?
Linux operating systems have the ability to multitask in a manner similar to other operating systems. However, the Linux’s key difference from others is its ability to have multiple users. Linux was designed to allow more than one user to have access to the system at the same time. In order for this multiuser design to work properly, there needs to be a method to protect users from each other. This is where permissions come in to play.
Read, Write & Execute Permissions
Permissions are the “rights” to act on a file or directory. The basic rights are read, write, and execute.
- Read – a readable permission allows the contents of the file to be viewed. A read permission on a directory allows you to list the contents of a directory.
- Write – a write permission on a file allows you to modify the contents of that file. For a directory, the write permission allows you to edit the contents of a directory (e.g. add/delete files).
- Execute – for a file, the executable permission allows you to run the file and execute a program or script. For a directory, the execute permission allows you to change to a different directory and make it your current working directory. Users usually have a default group, but they may belong to several additional groups
Viewing File Permissions
To view the permissions on a file or directory, issue the command ls -l <directory/file>. Below is sample output for the ls command:
|
1 |
-rw-r--r--. 1 root root 982 Jul 24 15:53 /etc/passwd |
The first ten characters show the access permissions.
The first dash (-) indicates the type of file (d for a directory, s for a special file, and – for a regular file).
The next three characters (rw-) define the owner’s permission to the file. In this example, the file owner has read and write permissions only.
The next three characters (r–) are the permissions for the members of the same group as the file owner (which in this example is read-only).
The last three characters (r–) show the permissions for all other users and in this example, it is read-only.
Working with Users, Groups, and Directories
The following sections will go over the commands needed to create, delete, and modify user accounts. Groups will be covered, as well as commands for creating and deleting directories. You will be provided with the commands and descriptions needed for working with users, groups, and directories.
Creating and Deleting User Accounts
To create a new standard user, use the useradd command. The syntax is as follows:
|
1 |
useradd <name> |
The useradd command utilizes a variety of variables, some of which are shown in the table below:
| Option | Description | Example |
|---|---|---|
-d <home_dir> |
home_dir will be used as the value for the user’s login directory | useradd <name> -d /home/<user's home> |
-e <date> |
the date when the account will expire | useradd <name>** -e <YYYY-MM-DD> |
-f <inactive> |
the number of days before the account expires | useradd <name> -f <0 or -1> |
-s <shell> |
sets the default shell type | useradd <name> -s /bin/<shell> |
You will need to set a password for the new user by using the passwd command. Note, you will need root privileges to change a user password. The syntax is as follows:
|
1 |
passwd <username> |
The user will be able to change their password at any time using the
passwd command with the syntax. Below is an example:|
1 2 3 4 5 |
[root@test-centos7 tomcao.vn]# passwd phuong Changing password for user phuong. New password: Retype new password: passwd: all authentication tokens updated successfully. |
It is important to note that security should always be taken very seriously. Therefore, it is strongly recommended to use unique passwords for each account. Never share or give your password to other users.
To remove a user account, enter the following command:
|
1 |
userdel <name> |
Issuing the command above will only delete the user’s account. Their files and home directory will not be deleted.
To remove the user, their home folder, and their files, use this command:
|
1 |
userdel -r <name> |
Understanding Sudo
Root is the super user and has the ability to do anything on a system. Therefore, in order to have protection against potential damage sudo is used in place of root. Sudo allows users and groups access to commands they normally would not be able to use. Sudo will allow a user to have administration privileges without logging in as root. A sample of the sudo command is as follows:
|
1 |
sudo apt-get install <package> |
Before using sudo, it may need to be installed if it is not part of your distribution. The command for Debian is as follows:
|
1 |
apt-get install sudo |
For CentOS, the command is as follows:
|
1 |
yum install sudo |
In order to provide a user with sudo ability, their name will need to be added to the sudoers file. This file is very important and should not be edited directly with a text editor. If the sudoers file is edited incorrectly it could result in preventing access to the system.
Therefore the visudo command should be used to edit the sudoers file. At a command line, log into your system as root and enter the command visudo.
Below is the portion of the sudoers file that shows the users with sudo access.
|
1 2 3 4 5 6 7 8 9 10 11 |
## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL |
Changing Directory and File Permissions
To view file permissions and ownership on files and directories, use the ls -al command. The aoption is to show hidden files or all files, and the l option is for the long listing. The output will be similar to the following:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
[phuong@test-centos7 tmp]$ ll -al total 4 drwxrwxrwt. 12 root root 259 Jul 26 15:14 . dr-xr-xr-x. 17 root root 224 Jul 24 15:52 .. drwxrwxr-x. 2 phuong phuong 6 Jul 26 15:14 01234 -rw-rw-r--. 1 tomcao.vn tomcao.vn 0 Jul 26 15:11 abc drwxr-xr-x. 3 root root 20 Jul 16 22:27 .config drwxrwxrwt. 2 root root 6 Jul 16 22:24 .font-unix drwxrwxrwt. 2 root root 6 Jul 16 22:24 .ICE-unix -rwx------. 1 root root 836 Jul 16 22:29 ks-script-hlT4Bv drwxr-----. 3 root root 19 Jul 16 22:26 .pki drwx------. 3 root root 17 Jul 24 15:52 systemd-private-60c3d7621bb1443493afe79b804f62b6-chronyd.service-0HTCOd drwxrwxr-x. 2 tomcao.vn tomcao.vn 6 Jul 26 15:11 temp drwxrwxrwt. 2 root root 6 Jul 16 22:24 .Test-unix drwxrwxrwt. 2 root root 6 Jul 16 22:24 .X11-unix drwxrwxrwt. 2 root root 6 Jul 16 22:24 .XIM-unix |
The first column with the ten letters and dashes shows the permissions of the file or directory. The second column (with the single number) indicates the number of files or directories contained in the directory. The next column indicates the owner, followed by the group name, the size, date, and time of last access, and finally the name of the file . For example, using the first line from the output above, the details are as follows:
|
1 2 3 4 5 6 7 8 |
drwxrwxr-x. 2 phuong phuong 6 Jul 26 15:14 01234 `2` is the number of files or `phuong` is the owner `phuong` is the group `6` is the size `Jul 26 15:14` is the date/time of last access `01234` is the directory |
Chmod Command
The command chmod is short for change mode. Chmod is used to change permissions on files and directories. The command chmod may be used with either letters or numbers (also known as octal) to set the permissions. The letters used with chmod are in the table below:
| Letter | Permission |
|---|---|
| r | Read |
| w | Write |
| x | Execute |
| X | Execute (only if file is a directory) |
| s | Set user or group ID on execution |
| t | Save program text on swap device |
| u | Current permissions the file has for owner |
| g | Current permissions the file has for users in the same group |
| o | Current permissions the file has for others not in the group |
It is important to remember that the first character of the first column of a file listing denotes whether it is a directory or a file. The other nine characters are the permissions for the file/directory. The first three characters are for the user, the next three are for the group, and the last three are for others. The example drwxrw-r– is broken down as follows:
d is a directory
rwx the user has read, write, and execute permissions
rw- the group has read and write permissions
r– all others have read only permissions
Note that the dash (-) denotes permissions are removed. Therefore, with the “all others” group, r– translates to read permission only, the write and execute permissions were removed.
Conversely, the plus sign (+) is equivalent to granting permissions: chmod u+r,g+x <filename>
The example above translates as follows:
|
1 2 3 4 5 |
u is for user r is for read g is for group x is for execute |
In other words, the user was given read permission and the group was given execute permission for the file. Note, when setting multiple permissions for a set, a comma is required between sets.
Changing File OwnershipPermalink
By default, all files are “owned” by the user who creates them and by that user’s default group. To change the ownership of a file, use the chown command in the chown user:group /path/to/fileformat. In the following example, the ownership of the “list.html” file will be changed to the “phuong” user:
|
1 |
chown phuong:phuong file.txt |
To change the ownership of a directory and all the files contained inside, use the recursive option with the -R flag. In the following example, change the ownership of /tmp/abc to the “phuong” user:
|
1 |
chown -R phuong:phuong /tmp/abc/ |
Ref: https://www.linode.com/docs/tools-reference/linux-users-and-groups/
