Linux, being a truly multi-user, multi-namespace OS, offers a lot of options when it comes to user management. Here is what you need to know to master it.
What are users and groups?
A multi-user OS means that Linux can be used by multiple users at the same time. It is wrong to assume that users can only be humans, though. Most Linux distributions have many more users, each one responsible for a certain aspect of the system. You cannot easily log in as them, but you can run commands as them and set permissions for them. Groups, then, are just sets of users who need access to a certain resource. For example, anyone who is in the www group can access the HTTP server. To list all users on your system, run this command:
$ less /etc/passwd
/etc/passwd is the file that holds the information about users, and less outputs it nicely. Some time ago, passwd also stored users’ passwords, but not anymore, for security reasons. Here is a sample output from a fresh install of Ubuntu Server:
The format of the passwd file is the following:
- username
- password (replaced with x and stored in /etc/shadow)
- UID (user id, a number)
- GID (group id, also a number)
- user’s full name
- user’s home directory
- user’s login shell (the program that runs when you log in; nologin is a program that refuses the login and exits, used to prevent logging in as system users)
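The seven fields above are enough to audit an account database. The following is an added example, not part of the original article: it reads a passwd-format file and flags extra UID 0 accounts, empty or inline password fields, and system accounts that still have a login shell. The sample file is constructed, and the UID boundary of 1000 for "system" accounts is an assumption that matches Debian/Ubuntu defaults.

```sh
#!/bin/sh
# Added example: audit a passwd-format file.
# Field order: name:password:UID:GID:full name:home:shell

# Constructed sample data (not taken from a real host).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
legacy:$1$constructed$notarealhash:1002:1002:Legacy:/home/legacy:/bin/sh
michael:x:1000:1000:Michael:/home/michael:/bin/bash
EOF
}

audit_passwd() {
    # $1 = path to a passwd-format file (defaults to /etc/passwd)
    awk -F: '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        NF != 7 { print "MALFORMED line " NR; next }
        $3 == 0 && $1 != "root" { print "UID0 " $1 }   # second superuser
        $2 == "" { print "EMPTY_PASSWORD " $1 }        # no password required
        # anything other than x, * or ! means a hash lives in the world-readable file
        $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print "HASH_IN_PASSWD " $1 }
        # assumption: UIDs 1-999 are system accounts (Debian/Ubuntu default)
        $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print "SYSTEM_WITH_SHELL " $1 }
    ' "${1:-/etc/passwd}"
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp) && write_sample_passwd "$tmp" && audit_passwd "$tmp"
rm -f "$tmp"
```

Run against a real /etc/passwd, a stock system typically still reports an entry such as sync, whose shell is /bin/sync by design.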
Managing users
To create a new Linux user: use the useradd command like this:
# useradd <name>
Additionally, useradd can take these arguments:
- -d <home directory> – sets user’s home directory
- -s <shell> – sets user’s login shell
- -g <group> – sets user’s primary group (more on that later)
- -u <uid> – sets user’s UID (will be autogenerated by default)
After you have created the user, you need to set a password for them. Unlike Windows, if a user does not have a password, there is no way of logging in as that user. To set the password, run this command:
# passwd <username>
You will be prompted for the password twice.
To modify a Linux user: use the usermod command like this:
# usermod <username>
Like useradd, usermod will accept the same arguments to set the fields of the user.
To delete a Linux user: use the userdel command like this:
# userdel <username>
It accepts an argument -r to also delete the user’s home directory and mail.
Manage groups
Like users, you can create, modify, and delete groups. To view the group membership for a user, as well as its UID, use:
$ id <username>
Like users, you can list all groups on your setup:
$ cat /etc/group
To create a group: use the groupadd command like this:
# groupadd <groupname>
groupadd takes these arguments:
- -g <GID> – set the group id
- -f – force the command to return successfully even if group already exists
After the group is created, you might want to add some users to it. The gpasswd tool can do that with its -a option:
# gpasswd -a <username> <groupname>
And, lastly, you can edit groups with groupmod (same arguments as groupadd) and delete groups with groupdel.
Superuser access
root, or superuser, is a special user in the system, with unlimited power. root can read, write, and execute every single file. But, of course, with great power comes great responsibility (rm -rf * is a very funny command, indeed), so some distributions disable root altogether. Instead, you can use the sudo command to run a specific program as root. sudo is used like this:
$ sudo apt-get install cowsay
Here, the apt-get install cowsay command will be run as root, after you enter your password. Access to sudo is governed by the /etc/sudoers file. In it, you will find lines like these:
Defaults env_reset
username ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
The Defaults env_reset line clears all environment variables. This is a safety precaution. Then, the username ALL=(ALL:ALL) ALL line does this:
- Let username
- On ALL hosts
- Run commands as ALL users and ALL groups
- ALL commands are allowed
So, the syntax goes like this:
<username> <allowed hosts>=(<allowed users>:<allowed groups>) <allowed_commands>
The next line starts with a % sign. That means that the rule applies to any user in the sudo group. This is convenient because you do not have to edit this file when creating new users; instead, you can add them to the sudo group.
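To review who actually holds an unrestricted grant, the rule syntax above can be split into its parts. This is an added example, not part of the original article: it prints every user or group whose command list is exactly ALL. The deploy and backup rules in the sample are constructed, and only the one-rule-per-line form shown above is handled.

```sh
#!/bin/sh
# Added example: list principals with an unrestricted sudoers rule.

# Constructed sample: the three lines shown above plus two assumed rules.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
Defaults env_reset
username ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(root) NOPASSWD: ALL
backup ALL=(root) /usr/bin/rsync
EOF
}

# Defaults, aliases, comments and include lines are skipped, not interpreted;
# line continuations are not joined.
sudo_unrestricted() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
        {
            who = $1; rest = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)     # drop the principal
            eq = index(rest, "=")
            if (eq == 0) next                         # not a user rule
            hosts = substr(rest, 1, eq - 1); gsub(/[ \t]/, "", hosts)
            cmds = substr(rest, eq + 1)
            runas = "root"                            # default without a (...) part
            if (match(cmds, /^[ \t]*\([^)]*\)/)) {
                runas = substr(cmds, RSTART, RLENGTH); gsub(/[ \t()]/, "", runas)
                cmds = substr(cmds, RSTART + RLENGTH)
            }
            nopass = (cmds ~ /NOPASSWD:/) ? " NOPASSWD" : ""
            gsub(/[A-Z_]+:/, "", cmds)                # strip tags such as NOPASSWD:
            gsub(/^[ \t]+|[ \t]+$/, "", cmds)
            if (cmds != "ALL") next                   # restricted command list
            kind = (who ~ /^%/) ? "group" : "user"; sub(/^%/, "", who)
            print kind " " who " hosts=" hosts " runas=" runas nopass
        }
    ' "$1"
}

# Stand-alone demo on the constructed sample.
sudoers_tmp=$(mktemp) && write_sample_sudoers "$sudoers_tmp" && sudo_unrestricted "$sudoers_tmp"
rm -f "$sudoers_tmp"
```

For a group result, follow up with the group's member list in /etc/group, since every member inherits the rule.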
Now, there may be cases when you need to log in as genuine root. The su command switches the current user to root, and if you run it with sudo, you will be able to switch to root using your own password:
$ whoami
michael
$ sudo su
# whoami
root
When logged in as root, you can simply run passwd to change root’s password and be able to log in to it directly (please do not do this).
File permissions & ownership
The last topic I am going to cover is file permissions. Every file and every folder on your system has them, as well as ownership info. The permissions have these values:
- 0 or --- – nothing allowed
- 1 or --x – execution allowed
- 2 or -w- – writing allowed
- 3 or -wx – writing and execution allowed
- 4 or r-- – reading allowed
- 5 or r-x – reading and execution allowed
- 6 or rw- – reading and writing allowed
- 7 or rwx – everything allowed
In addition, every file and directory has an owner. The owner is the user that has absolute control over the file. The owner can also be specified as a group. Thus, every file has 3 different permissions: for owner, for owning group, and for everyone else. You can easily view permissions by running ls -al:
In the first column you can see the permissions, specified in the order user, group, everyone. For example, only root can edit the boot directory, but anyone can read and execute stuff from it.
To change permissions on a file or directory, use the chmod command:
$ chmod [options] [mode] [files]
The most common chmod option is -R. It stands for recursive and means that the rule will be applied to all children in a folder. Here are some examples:
$ chmod 777 -R ./bin
This changes permissions on all files in bin to allow everything for every user.
$ chmod +x runme.sh
This makes the script runme.sh executable.
In addition to permissions, you can use the chown command to change ownership of a file/directory. Its syntax is similar:
$ chown [options] [user:group] [files]
It takes the same option -R, which does the same thing. Here are some examples:
$ chown -R mike /home/mike
Set ownership to mike for all files in his home directory.
$ chown www-user:www-group /var/www
Set ownership of the /var/www folder to user www-user and group www-group.
Sticky bit
The permission system in Linux has one interesting concept, called the sticky bit. A sticky bit is a parameter that can be set on any directory. It prohibits anyone other than the owner from deleting or renaming files in it. Notice that other users may or may not be able to edit the file. Even if they can edit it, with the sticky bit only the owner can delete or rename the file. You can set the sticky bit on a folder with this command:
$ chmod +t someDirectory/
If the sticky bit is set, its permission string will have a t at the end, like this: drwxrwxr-t. To unset the sticky bit, use:
$ chmod -t someDirectory/
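The sticky bit matters most on directories that everyone can write to, because without it any user can delete or rename another user's files there. The following is an added example, not part of the original article: it builds a constructed directory tree in a temporary location, shows the resulting permission strings, and lists world-writable directories that lack the sticky bit. The directory names are made up for the demo.

```sh
#!/bin/sh
# Added example: permission strings with the sticky bit, and a check for
# world-writable directories that are missing it.

# First ten characters of ls -ld output, e.g. drwxrwxr-t
perm_string() { ls -ld "$1" | cut -c1-10; }

unsticky_world_writable() {
    # -perm -0002: "everyone else" may write; ! -perm -1000: sticky bit not set
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

demo_sticky() {
    base=$(mktemp -d) || return 1
    mkdir "$base/shared_sticky" "$base/shared_open" "$base/team"
    chmod 1777 "$base/shared_sticky"   # world-writable with sticky bit, like /tmp
    chmod 0777 "$base/shared_open"     # world-writable, no sticky bit
    chmod 0775 "$base/team" && chmod +t "$base/team"
    echo "team: $(perm_string "$base/team")"
    echo "shared_sticky: $(perm_string "$base/shared_sticky")"
    ( cd "$base" && unsticky_world_writable . )
    rm -rf "$base"
}

demo_sticky
```

The last line of output names shared_open, the only directory where one user could remove another user's files.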
Closing notes
Thank you for reading, I hope now you feel more comfortable using Linux systems. Please do let me know of any problems you have with operating Linux that I can cover in the coming articles!
Resources
man passwd
man useradd
man <insert command name here>