Users & Group Management

The document provides an overview of user, group, and permission management in Linux, detailing key files such as /etc/passwd, /etc/group, and /etc/sudoers that store user and group information. It explains commands for adding, modifying, and deleting users and groups, as well as managing file permissions using commands like chmod and chgrp. Additionally, it outlines the types of user accounts and the significance of permissions in maintaining system security and access control.
Users, Groups and Permissions in Linux

Liban Bashir
Network Security Administrator/
Former SYSTEM ADMIN
RHCSA / RHCE & RED HAT
VIRTUALIZATION
Liben.bashir@gmail.com
Introduction to Linux - agenda
 Users
 Groups
 Permissions in Linux
Linux User Management
 Linux stores user and group data in specific files and directories that contain user account info, passwords, and group configurations. System administrators can interact with these files to control and modify user and group settings in Linux.
 The main files and directories for storing user data in Linux include:
 /etc/passwd. The passwd file contains a list of user accounts and the corresponding user ID, group ID, home directory, and the default shell. It is readable by most users, but only root and sudo accounts can add new users or remove and modify existing user data.
 /etc/group. The group file contains a list of user groups. Each line in the file represents a group and displays the group name, GID, and group members. Administrators can interact with this file to manage settings for an entire collection of users.
 /etc/sudoers. The sudoers file specifies which users have elevated permissions, on which machines, and for which directories. Admins can use this file to configure permissions for users and groups to use the sudo command.
 /etc/shadow. The shadow file stores encrypted user password information and other password-related data such as the password expiration date, last change date, and account expiration date. It is only accessible by the root user or users with appropriate privileges. The restricted access and encryption add another security layer compared to the /etc/passwd file.
 /etc/gshadow. The gshadow file stores encrypted user group password information and other password-related data such as the password expiration date, last change date, and account expiration date. Like the shadow file, it is only accessible by the root user or users with appropriate privileges.
 /etc/skel. The skel directory contains default configuration scripts and templates such as .bashrc and .bash_profile. The templates are copied to the user's home directory when a new user is created, streamlining the provisioning of new user accounts.
 /etc/login.defs. The login.defs file contains system-wide user account policy settings, like the password aging policy. System administrators can refer to and modify this file to enforce specific security and user management rules.
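The slide says administrators can refer to /etc/login.defs to enforce password aging rules. The following shell functions are an added example, not part of the original slides: they read KEY VALUE settings from a login.defs-style file (comments and blank lines skipped, as in the real file) and report which password-aging settings fall short of a baseline. The sample contents and the baseline values (365-day maximum, 1-day minimum, 7-day warning) are this example's own assumptions, not a policy the slides state.

```sh
#!/bin/sh
# Added example, not from the original slides.
# Constructed sample in /etc/login.defs format (keys and values are made up
# for this example; the real file on a host is read by passing its path).
SAMPLE_LOGIN_DEFS='# constructed sample: comments and blank lines appear as in /etc/login.defs
MAIL_DIR        /var/mail

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN         1000
UID_MAX         60000
UMASK           022'

# defs_source [FILE]: emit FILE if given, otherwise the constructed sample.
defs_source() {
    if [ -n "${1:-}" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOGIN_DEFS"; fi
}

# defs_get KEY [FILE]: print the value of KEY. Comment lines start with '#',
# so their first field never equals a key; the first match wins.
defs_get() {
    defs_source "${2:-}" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# check_aging [FILE]: print one line per aging setting that violates the
# baseline (assumed values below); prints nothing when everything passes.
check_aging() {
    file=${1:-}
    max=$(defs_get PASS_MAX_DAYS "$file")
    min=$(defs_get PASS_MIN_DAYS "$file")
    warn=$(defs_get PASS_WARN_AGE "$file")
    # An unset key keeps the shadow-utils defaults (99999 / 0 / 7), so treat
    # missing values that way before comparing.
    [ "${max:-99999}" -le 365 ] || echo "PASS_MAX_DAYS=${max:-unset} exceeds 365"
    [ "${min:-0}" -ge 1 ]       || echo "PASS_MIN_DAYS=${min:-unset} below 1"
    [ "${warn:-7}" -ge 7 ]      || echo "PASS_WARN_AGE=${warn:-unset} below 7"
}

# Usage on a real host: check_aging /etc/login.defs
check_aging
```

Running `check_aging` with no argument audits the constructed sample, which reports the 99999-day maximum and the 0-day minimum; `check_aging /etc/login.defs` runs the same checks against the live policy file.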
Check Currently Logged Users
 The most efficient way to determine which users are currently logged in to a Linux system is to use the who command. Enter the following command to list currently logged-in users:
 who
 The terminal displays the user session information in several columns. Add the -H option to display the header of each column.
awk command
 The /etc/passwd file contains data about all users on the Linux system. Several Linux commands, like cat, awk, and getent, can be used to display user data in the terminal.
 Enter the following command to list Linux users:
awk -F':' '{ print $1}' /etc/passwd
 1. To list out all the users in Linux, use the awk command with the -F option. Here, we are accessing a file and printing only the first column with the help of print $1 and awk.
cat command
 cat /etc/passwd
id command
 2. Using the id command, you can get the ID of any username. Every user has an id assigned to it and the user is identified with the help of this id. By default, this id is also the group id of the user.
id username
useradd command
 3. The command to add a user. The useradd command adds a new user to the directory. The user is given the ID automatically depending on which category it falls in. The username of the user will be as provided by us in the command.
 Example: sudo useradd geeks
passwd command
 4. Use the passwd command to assign a password to a user. After using this command we have to enter the new password for the user and then the password gets updated to the new password.
 Example: passwd geeks
Accessing a user configuration file
 cat /etc/passwd
 This command prints the data of the configuration file. This file contains information about the user in the format:
 username : x : user id : user group id : : /home/username : /bin/bash
The command to change the user ID for a user
usermod -u new_id username
 This command can change the user ID of a user. The user with the given username will be assigned the new ID given in the command and the old ID will be removed.
 Example: sudo usermod -u 1982 test
Command to modify the group ID of a user
usermod -g new_group_id username
 This command can change the group ID of a user and hence it can even be used to move a user to an already existing group. It will change the group ID of the user whose username is given and set the group ID to the given new_group_id.
 Example: sudo usermod -g 1005 test
Change the user login name
You can change the user login name using the usermod command. The below command is used to change the login name of the user. The old login name of the user is changed to the new login name provided.
sudo usermod -l new_login_name old_login_name
Example: sudo usermod -l John_Wick John_Doe
Modify Default User Settings (usermod)
The usermod command in Linux is used to modify various attributes of an existing user account. Administrators can utilize several options with this command to change specific data points:
•-d - Changes the user's home directory.
•-s - Changes the user's default shell.
•-e - Sets an account expiry date.
•-c - Adds a comment to the user's entry.
•-u - Changes the user's UID (User ID).
•-aG - Adds the user to supplementary groups without removing existing group memberships.
In the following command, the -d option is used to change the location of the user's home directory:
sudo usermod -d /var/test_account test_account
Command to change the home directory
The below command changes the home directory of the user whose username is given and sets the new home directory to the directory whose path is provided.
usermod -d new_home_directory_path username
Example: usermod -d new_home_directory test
Delete a user name
You can also delete a user name. The below command deletes the user whose username is provided. Make sure that the user is not part of a group. If the user is part of a group then it will not be deleted directly, hence we will have to first remove him from the group and then we can delete him.
sudo userdel -r username
Example: sudo userdel -r new_geeks
Types of user accounts
 There are three basic types of Linux user accounts:
 Root user (administrative): This user account has full access to system-wide resources, in addition to the permission to create, modify and delete users and groups.
 Regular user accounts: These are user accounts with a login shell and home directory that perform tasks for personal use, usually common application tasks that are isolated to the user's home directory.
 Service accounts: These are accounts assigned to applications but with limited access in order to protect the application from potential attacks while still performing essential functions. They usually will not have a home directory.
View users
All users in the system are stored in the /etc/passwd directory. To view all users, run the following command:
cat /etc/passwd
Or
getent passwd
This should output something similar to the following:

root:x:0:0:root:/root:/bin/bash
user1:x:1002:1002::/home/user1:/bin/sh
user2:x:1003:1002::/home/user2:/bin/sh
user3:x:1004:1002::/home/user3:/bin/sh
user4:x:1006:1003::/home/user4:/bin/sh
user5:x:1007:1003::/home/user5:/bin/sh
Each entry has the following features:
the username: user1
the encrypted password: x
the unique identifier (UID) for the user: 100x
the user group ID (GID): 100x
the General Electric Comprehensive Operating Supervisor (GECOS) field, which is empty in this case. (This field contains general information as a string of comma-delimited attributes, for example, full name; phone number; etc.)
the user home directory: /home/user1
the default login shell for the user: /bin/sh
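The awk one-liner earlier in the slides prints only the first field of /etc/passwd, and the entry breakdown above names all seven fields. The shell functions below are an added example, not part of the original slides: they apply the same `awk -F:` approach to the full record, listing human login accounts and flagging a check a defender runs routinely, any account other than root that carries UID 0. The passwd records are constructed for this example (the names toor and svc_web are made up), and the 1000 cut-off is the common UID_MIN convention, which the slides do not state.

```sh
#!/bin/sh
# Added example, not from the original slides.
# Constructed passwd-format records; pass a file path to audit a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user1:x:1002:1002::/home/user1:/bin/sh
user2:x:1003:1002::/home/user2:/bin/sh
toor:x:0:0::/tmp:/bin/sh
svc_web:x:998:998:web service:/var/www:/usr/sbin/nologin'

# passwd_source [FILE]: emit FILE if given, otherwise the constructed sample.
passwd_source() {
    if [ -n "${1:-}" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_PASSWD"; fi
}

# list_logins [FILE]: field 1 of every record, what the slides' awk one-liner does.
list_logins() {
    passwd_source "${1:-}" | awk -F: '{ print $1 }'
}

# human_accounts [FILE]: logins with UID >= 1000 (assumed UID_MIN) whose shell
# is not nologin/false, i.e. accounts a person can actually log in with.
human_accounts() {
    passwd_source "${1:-}" | awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# uid0_non_root [FILE]: any login other than root with UID 0. A second UID 0
# account is equivalent to root and should never appear unexpectedly.
uid0_non_root() {
    passwd_source "${1:-}" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# describe_entry LOGIN [FILE]: label the seven fields of one record, in the
# order the slides describe them (login, password, UID, GID, GECOS, home, shell).
describe_entry() {
    passwd_source "${2:-}" | awk -F: -v u="$1" '$1 == u {
        printf "login=%s pass=%s uid=%s gid=%s gecos=%s home=%s shell=%s\n",
               $1, $2, $3, $4, $5, $6, $7
    }'
}

# Usage on a real host: uid0_non_root /etc/passwd; human_accounts /etc/passwd
echo "human accounts:"; human_accounts
echo "extra UID 0 accounts:"; uid0_non_root
```

On the sample, `human_accounts` lists user1 and user2 only: daemon and svc_web are below the cut-off and have nologin shells, and toor is reported by `uid0_non_root` because it duplicates root's UID and GID. The same functions accept `/etc/passwd` (or `getent passwd` output saved to a file) to run the checks on a live system.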
Add users to a group
To add the 15 users to groups, let's create three different groups: a group for team leads (leads), one for developers (developers) and another for the site reliability engineering team (sre), and then add the users to the groups.
Use the groupadd command to create a group with the following syntax:
$ sudo groupadd <groupname>
So for our case, we will create three different groups like so:
$ sudo groupadd leads
$ sudo groupadd developers
$ sudo groupadd Marketing
Next, add the already created users to each group assuming each user fits the group role, using the gpasswd command with the following syntax:
gpasswd -a john developers
$ sudo gpasswd -A <user> -M <user,user,user> <groupname>
The gpasswd command allows you to manage the creation of groups and members of groups: the -A flag defines group administrators and the -M flag defines the members of the group as a comma-separated list (see the man pages for more details).
View groups
All groups in the system are stored in the /etc/groups directory. To view all groups, run the following command:
$ getent group
This should give an output similar to:
leads:x:1002:user1,user2,user15
developers:x:1003:user3,user4,user5,user6,user7,user8,user9
Marketing:x:1004:user10,user11,user12,user13,user14
Next, let's define the level of access allowed for each group.
Permissions and Ownership
The reason Linux so elegantly supports a multi-user system is as a result of permissions. Permissions grant users the right to access files and directories within the system. In Linux, the basic permissions are:
Read: the right to open and view the contents of files and directories. Represented by r
Write: the right to modify the content of a file and to add, remove and rename files within a directory. Represented by w
Execute: the right to run a script or application. Represented by x
Let's demonstrate the significance of file permissions; create 3 separate files using the following command:
$ touch leads.txt developers.txt marketing.txt
Run the following command to view the files and the current permissions on each file:
$ ls -l
The output of this command should be similar to this:
-rw-r--r-- 1 adminuser adminuser 0 Aug 15 19:41 leads.txt
-rw-r--r-- 1 adminuser adminuser 0 Aug 15 19:41 developers.txt
-rw-r--r-- 1 adminuser adminuser 0 Aug 15 19:41 sre.txt
The parts of the above output relevant to the level of access are the following:
The first ten characters -rw-r--r-- symbolize the file access permissions:
the first character refers to the file type, where - means a regular file. Other notations are d for a directory, l for a symbolic link, and so on.
the other nine characters define access permissions to the file type: the first three characters rw- are user permissions, the next three r-- are group permissions while the last three r-- are permissions for all other users.
root: the user that owns (created) the file
root: the group that owns the file
With the above information in mind, we will assign a specific group to its related file.
Assign Group Ownership
We want each file to belong to its own group. To do this, let's assign group ownership using the chgrp (short for change group) command. The syntax for this command is:
$ sudo chgrp <group> <file>
So, for our example, we'll run the following commands:
$ sudo chgrp leads leads.txt
$ sudo chgrp developers developers.txt
$ sudo chgrp sre sre.txt
Now, when we run the ls -l command, we should get the following output:
-rw-r--r-- 1 adminuser leads 0 Aug 15 19:41 leads.txt
-rw-r--r-- 1 adminuser developers 0 Aug 15 19:41 developers.txt
-rw-r--r-- 1 adminuser sre 0 Aug 15 19:41 sre.txt
Each file now belongs to its respective group. This means that only members of the group that owns the file can have whatever permissions are specified; that is, read permission (as demonstrated by the middle three characters r--). However, all other users outside of the group also have read permissions (as demonstrated by the last three characters r--).
So, considering we want to restrict file access to only members belonging to the file group, let's change that.
Modifying permissions
To set or change permissions, use the chmod (short for change mode) command (see the man pages for more details).
When using this command, we specify the following:
Whom to change permissions for: u for the user (owner), g for the group and o for all other users.
How to change permission: + (plus sign) to add permissions, - (minus sign) to remove permissions or = (equal sign) to leave as is.
What permission to change: r for read, w for write, x for execute.
Using the information above, let's take away the read permission for users outside the group and add write and execute permissions to the group as follows:
$ sudo chmod g+wx,o-r leads.txt
$ sudo chmod g+wx,o-r developers.txt
$ sudo chmod g+wx,o-r sre.txt
Run the ls -l command to view the modified permissions. The output should be:
-rw-rwx--- 1 adminuser leads 0 Aug 15 19:42 leads.txt
-rw-rwx--- 1 adminuser developers 0 Aug 15 19:42 developers.txt
-rw-rwx--- 1 adminuser sre 0 Aug 15 19:42 sre.txt
To demonstrate that files belonging to one group cannot be accessed by another group, log in as a different user; for example, user5 (who belongs to the developers group), using the following command:
$ sudo su user5
Now, let's attempt to read a file that does not belong to the developers group. Run the following command to view the leads.txt file:
$ cat leads.txt
You should get a warning that says:
cat: leads.txt: Permission denied
This is expected because user5 does not have the permission to read the contents of the leads.txt file since the file belongs to the leads group, and not the developers group.
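The slides explain the ten-character mode string from ls -l and then walk through chmod g+wx,o-r to take read access away from other users. The shell script below is an added example, not part of the original slides: it decodes a mode string into the octal form chmod also accepts, applies the slides' exact chmod to files created in a temporary directory, reads the result back from ls -l, and runs the check an administrator would use afterwards, a find for files that are still readable by everyone (permission bit 004). The temporary directory, the file names and the helper names are this example's own assumptions; it does not need root and does not switch users, so it cannot reproduce the Permission denied step itself.

```sh
#!/bin/sh
# Added example, not from the original slides.

# triplet_value RWX: value of one three-character permission group, e.g. "rwx" -> 7.
# s/t in the execute slot mean setuid/setgid/sticky plus execute, so count them as x.
triplet_value() {
    v=0
    case $1 in r??) v=$((v + 4));; esac
    case $1 in ?w?) v=$((v + 2));; esac
    case $1 in ??[xst]) v=$((v + 1));; esac
    echo "$v"
}

# mode_to_octal MODESTRING: "-rw-rwx---" -> "670". Character 1 is the file
# type, 2-4 owner, 5-7 group, 8-10 others, as the slides describe.
mode_to_octal() {
    printf '%s%s%s\n' \
        "$(triplet_value "$(printf '%s' "$1" | cut -c2-4)")" \
        "$(triplet_value "$(printf '%s' "$1" | cut -c5-7)")" \
        "$(triplet_value "$(printf '%s' "$1" | cut -c8-10)")"
}

# file_mode PATH: the first ten characters of ls -l for PATH.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# restrict_to_group PATH: the slides' change (group gains wx, others lose r),
# returning the resulting mode string so callers can verify it.
restrict_to_group() {
    chmod g+wx,o-r "$1" && file_mode "$1"
}

# world_readable DIR: regular files under DIR that any user can read (bit 004).
# The same search with -perm -002 finds world-writable files.
world_readable() {
    find "$1" -type f -perm -004
}

# demo: create two files as -rw-r--r-- (explicit chmod so umask does not
# matter), restrict one, and report "<new mode> <readable before> <readable after>".
demo() {
    d=$(mktemp -d)
    touch "$d/leads.txt" "$d/developers.txt"
    chmod 644 "$d/leads.txt" "$d/developers.txt"
    before=$(world_readable "$d" | wc -l | tr -d ' ')
    mode=$(restrict_to_group "$d/leads.txt")
    after=$(world_readable "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$mode $before $after"
}

demo
```

`demo` prints `-rw-rwx--- 2 1`: both files start out readable by everyone, and after the slides' chmod only developers.txt still is. `mode_to_octal -rw-rwx---` gives 670, the octal spelling of the same result, and `world_readable /some/dir` is the follow-up check that nothing meant for a single group was left readable by all.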
Questions?
