User Management in Linux Explained

Linux, being a truly multi-user, multi-namespace OS, offers a lot of options when it comes to user management. Here is what you need to know to master it.

What are users and groups?

A multi-user OS means that Linux can be used by multiple users at the same time. It is wrong to assume that users can only be humans, though. Most Linux distributions have many more users, each one responsible for a certain aspect of the system. You cannot easily log in as them, but you can run commands as them and set permissions for them. Groups, then, are just sets of users who need access to a certain resource. For example, anyone who is in the www group can access the HTTP server. To list all users on your system, run this command:

$ less /etc/passwd

/etc/passwd is the file that holds the information about users, and less pages through it nicely. Some time ago, passwd also stored users' password hashes, but for security reasons they now live in /etc/shadow. Here is a sample output from a fresh install of Ubuntu Server:

Each line of the passwd file has these colon-separated fields:

  • username
  • password (replaced with x; the actual hash is stored in /etc/shadow)
  • UID (user id, a number)
  • GID (group id, also a number)
  • user’s full name
  • user’s home directory
  • user’s login shell (the program that runs when you log in. nologin is a program that refuses the login and exits; it is used to prevent logging in as system users)
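As an added example (not part of the original article), here is a small POSIX shell script that reads data in the passwd format described above and answers the questions an administrator usually asks of it: which accounts can actually log in, whether any account other than root has UID 0, and whether any account has an empty password field. The sample data is constructed; the account names in it are placeholders.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format (not taken from a real system).
# Fields: name:password:UID:GID:full name:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
michael:x:1000:1000:Michael:/home/michael:/bin/bash
toor:x:0:0:second superuser:/root:/bin/sh
svc:x:1001:1001:service account:/opt/svc:/bin/false
guest::1002:1002:guest:/home/guest:/bin/bash'

# Accounts whose login shell (field 7) is neither nologin nor false,
# i.e. the ones that can start an interactive session.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Any account with UID 0 (field 3) is a superuser, whatever it is called;
# a second one besides root deserves an explanation.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Field 2 should be "x" (the hash lives in /etc/shadow); an empty field
# means the account may be entered without any password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Run all three checks over passwd-format data read from stdin.
audit_passwd() {
    data=$(cat)
    printf 'Interactive accounts: %s\n' "$(printf '%s\n' "$data" | interactive_accounts | tr '\n' ' ')"
    printf 'Extra UID 0 accounts: %s\n' "$(printf '%s\n' "$data" | extra_uid0_accounts | tr '\n' ' ')"
    printf 'Empty password field: %s\n' "$(printf '%s\n' "$data" | empty_password_accounts | tr '\n' ' ')"
}

# Demo on the constructed sample; on a real host: audit_passwd < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```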

Managing users

To create a new Linux user, use the useradd command like this (it needs root privileges, like the other account-management commands below):

# useradd <name>

Additionally, useradd can take these arguments:

  • -d <home directory> – sets user’s home directory
  • -s <shell> – sets user’s login shell
  • -g <group> – sets user’s primary group (more on that later)
  • -u <uid> – sets user’s UID (will be autogenerated by default)

After you have created the user, you need to set a password for them. Unlike on Windows, if a user does not have a password there is no way of logging in as that user. To set the password, run this command:

# passwd <username>

You will be prompted for the password twice.

To modify a Linux user, use the usermod command like this:

# usermod [options] <username>

Like useradd, usermod will accept the same arguments to set the fields of the user.

To delete a Linux user, use the userdel command like this:

# userdel <username>

It accepts an argument -r to also delete the user’s home directory and mail.

Manage groups

Like users, groups can be created, modified, and deleted. To view the group membership of a user, as well as their UID, use:

$ id <username>

As with users, you can list all groups on your system:

$ cat /etc/group

To create a group, use the groupadd command like this:

# groupadd <groupname>

groupadd takes these arguments:

  • -g <GID> – sets the group id
  • -f – forces the command to return successfully even if the group already exists

After the group is created, you might want to add some users to it. The gpasswd tool can do that with its -a (add) option (without -a, gpasswd would instead set a password on the group):

# gpasswd -a <username> <groupname>

And, lastly, you can edit groups with groupmod (same arguments as groupadd) and delete groups with groupdel.

Superuser access

root, or the superuser, is a special user in the system with unlimited power. root can read, write, and execute every single file. But, of course, with great power comes great responsibility (rm -rf * is a very funny command, indeed), so some distributions disable direct root logins altogether. Instead, you can use the sudo command to run a specific program as root. sudo is used like this:

$ sudo apt-get install cowsay

Here, the apt-get install cowsay command will be run as root, after you enter your password. Access to sudo is governed by the /etc/sudoers file. In it, you will find lines like these:

Defaults env_reset

username ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL

The Defaults env_reset line resets the environment to a minimal, known set of variables before the command runs, so that a user cannot influence a privileged program through the variables it inherits. This is a security precaution. Then, the username ALL=(ALL:ALL) ALL line does this:

  • Let username
  • On ALL hosts
  • Run commands as ALL users and ALL groups
  • ALL commands are allowed

So, the syntax goes like this:

<username> <allowed hosts>=(<allowed users>:<allowed groups>) <allowed_commands>

The next line starts with a % sign, which means that the rule applies to any member of the sudo group rather than to a single user. This is convenient because you do not have to edit this file when creating new users; instead, you add them to the sudo group.
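As an added example (not from the article), the rule syntax above can be taken apart mechanically. This shell script splits sudoers-style rules into their who / hosts / runas users / runas groups / commands fields and lists the rules whose command part is ALL, since those grant everything and are the ones to review first. The sample fragment is constructed: it reuses the lines quoted above plus a made-up restricted rule for a deploy user.

```shell
#!/bin/sh
# Constructed sudoers fragment (not from a real system). The article's own
# lines are included; the deploy rule is added to show a restricted grant.
SAMPLE_SUDOERS='Defaults env_reset
# comment lines and Defaults are not rules
root    ALL=(ALL:ALL) ALL
michael ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  web01=(www-data) /usr/bin/systemctl restart nginx'

# Split one rule of the form
#   <who> <hosts>=(<runas users>:<runas groups>) <commands>
# into labelled fields. Lines that are not rules produce no output.
parse_sudoers_rule() {
    printf '%s\n' "$1" | sed -nE \
        's/^([%A-Za-z0-9_.+-]+)[[:space:]]+([^=[:space:]]+)=\(([^:)]*)(:([^)]*))?\)[[:space:]]+(.*)$/who=\1 hosts=\2 runas_users=\3 runas_groups=\5 commands=\6/p'
}

# Parse every rule in sudoers-format data read from stdin.
parse_sudoers() {
    while IFS= read -r line; do
        parse_sudoers_rule "$line"
    done
}

# Rules whose command list is ALL: whoever they match can run anything as
# any user, so these are the entries to check first.
unrestricted_rules() {
    parse_sudoers | awk '/ commands=ALL$/ { sub(/^who=/, "", $1); print $1 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_SUDOERS" | parse_sudoers
printf 'Unrestricted: %s\n' "$(printf '%s\n' "$SAMPLE_SUDOERS" | unrestricted_rules | tr '\n' ' ')"
```

The parser only understands the simple one-line form shown in the article (no aliases, tags or line continuations); on a real host, visudo -c checks the syntax of the live file.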

Now, there may be cases when you need to log in as genuine root. The su command switches the current user to root (asking for root's password); if you run it with sudo, you can switch to root using your own password instead:

$ whoami
michael
$ sudo su
# whoami
root

When logged in as root, you can simply run passwd to change root's password and be able to log in to it directly (please do not do this).

File permissions & ownership

The last topic I am going to cover is file permissions. Every file and every folder on your system has them, as well as ownership info. The permissions have these values:

  • 0 or --- – nothing allowed
  • 1 or --x – execution allowed
  • 2 or -w- – writing allowed
  • 3 or -wx – writing and execution allowed
  • 4 or r-- – reading allowed
  • 5 or r-x – reading and execution allowed
  • 6 or rw- – reading and writing allowed
  • 7 or rwx – everything allowed

In addition, every file and directory has an owner, the user who has full control over it, and an owning group. Thus, every file has three sets of permissions: for the owner, for the owning group, and for everyone else. You can easily view permissions by running ls -al:

In the first column you can see the permissions, in the order user, group, everyone else. For example, only root can edit the boot directory, but anyone can read and execute things in it.

To change permissions on a file or directory, use the chmod command:

$ chmod [options] <mode> <files>

The most common chmod option is -R. It stands for recursive and applies the change to everything inside a directory as well. Here are some examples:

$ chmod -R 777 ./bin
This changes permissions on all files in bin to allow everything (for every user on the system, so only do this where that is really intended)
$ chmod +x runme.sh
This makes the script runme.sh executable

In addition to permissions, you can use the chown command to change the ownership of a file or directory. Its syntax is similar:

$ chown [options] <user>[:<group>] <files>

It takes the same -R option, which does the same thing. Here are some examples:

$ chown -R mike /home/mike
Set ownership to mike for all files in his home directory
$ chown www-user:www-group /var/www
Set ownership of /var/www folder to user www-user and group www-group

Sticky bit

The permission system in Linux has one interesting concept, called the sticky bit. The sticky bit is a flag that can be set on any directory. It prohibits anyone other than a file's owner (apart from the directory's owner and root) from deleting or renaming files in it. Notice that other users may or may not be able to edit the file. Even if they can edit it, with the sticky bit only the owner can delete or rename the file. You can set the sticky bit on a folder with this command:

$ chmod +t someDirectory/

If the sticky bit is set, its permission string will have a t at the end, like this: drwxrwxr-t. To unset the sticky bit, use:

$ chmod -t someDirectory/
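As an added example (not from the article) tying the permission table and the sticky bit together, this shell script converts an ls-style mode string to octal and scans a listing for the classic weakness the sticky bit exists to prevent: a world-writable directory without it. It goes slightly beyond the article by also decoding the setuid and setgid bits into the leading octal digit. The listing is constructed and its names are placeholders.

```shell
#!/bin/sh
# Constructed `ls -l`-style listing (not real output): a /boot-like and a
# /tmp-like entry plus deliberately weak ones that should be flagged.
SAMPLE_LISTING='drwxr-xr-x  2 root root 4096 Jan  1 10:00 boot
drwxrwxrwt 10 root root 4096 Jan  1 10:00 tmp
drwxrwxrwx  2 root root 4096 Jan  1 10:00 shared
-rwxrwxrwx  1 mike mike  812 Jan  1 10:00 runme.sh
-rw-r--r--  1 mike mike   42 Jan  1 10:00 notes.txt
-rwsr-xr-x  1 root root 1234 Jan  1 10:00 passwd'

# Convert a 10-character mode string to four-digit octal. The last three
# digits are the user/group/other triplets from the table above; the first
# digit holds the special bits: 4 setuid (s in user x), 2 setgid (s in
# group x), 1 sticky (t in other x). Upper-case S/T mean the special bit
# is set without the matching execute bit.
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        special = 0; perm = 0
        for (i = 2; i <= 10; i++) {
            c = substr($1, i, 1)
            who = int((i - 2) / 3)                 # 0 user, 1 group, 2 other
            weight = (who == 0) ? 64 : (who == 1) ? 8 : 1
            sbit = (who == 0) ? 4 : (who == 1) ? 2 : 1
            if (c == "r") perm += 4 * weight
            else if (c == "w") perm += 2 * weight
            else if (c == "x") perm += weight
            else if (c == "s" || c == "t") { perm += weight; special += sbit }
            else if (c == "S" || c == "T") special += sbit
        }
        printf "%d%03o\n", special, perm
    }'
}

# Flag entries writable by everyone. A world-writable directory without the
# sticky bit lets any user delete or rename other users' files in it.
flag_world_writable() {
    awk '{
        mode = $1; name = $NF                      # names without spaces
        if (substr(mode, 9, 1) != "w") next
        if (substr(mode, 1, 1) == "d") {
            if (substr(mode, 10, 1) !~ /[tT]/)
                printf "%s: world-writable directory without sticky bit\n", name
        } else
            printf "%s: world-writable file\n", name
    }'
}

# Demo on the constructed listing; on a real host: ls -al /some/dir | flag_world_writable
printf '%s\n' "$SAMPLE_LISTING" | flag_world_writable
```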

Closing notes

Thank you for reading, I hope now you feel more comfortable using Linux systems. Please do let me know of any problems you have with operating Linux that I can cover in the coming articles!
