How to manage Users, Groups and Permissions

Learn how to manage Users, Groups and permissions effectively to improve security and efficiency. This blog post covers the basics of user management, including creating and managing users, adding users to groups, and assigning permissions to users and groups.

Upon completion of this article, you should be able to:

  • Explain the Linux security model
  • Explain the purpose of user and group accounts
  • Read and set file permissions

Users

  • Every user is assigned a unique User ID number (UID)
    • UID 0 identifies root
    • User accounts normally start at UID 500 (on the older Red Hat-style systems this page assumes; most current distributions start at UID 1000, as set by UID_MIN in /etc/login.defs)
  • Users’ names and UIDs are stored in /etc/passwd
  • Users are assigned a home directory and a program that is run when they log in
    (usually a shell)
  • Users cannot read, write or execute each other’s files without permission

Users

In the earliest years of computing, computers were very large and expensive. The concept of user accounts was created to allow many individuals to share these precious computing resources.

Every person who logs into the computer is considered a user. This user has a number of characteristics, the most important being a user name and a user identification number, or UID. Both are stored in /etc/passwd, along with other information such as the user’s real name and the user’s home directory. Read the passwd (5) man page for more detail (man 5 passwd).

Users have full access to their home directories. That is, they can create and remove files and directories as they please, and can organize their files in any way they desire, subject only to limitations such as disk quotas. Typically, users will have limited or no access to other directories on the system, although there are some exceptions (/tmp, for example). A user’s ability to gain access to files or directories depends on the permissions of the files, as well as the user’s identity and the user’s group affiliations.

Groups

  • Users are assigned to groups
  • Each group is assigned a unique Group ID number (GID)
  • GIDs are stored in /etc/group
  • Each user is given their own private group
    • Can be added to other groups for additional access
  • All users in a group can share files that belong to the group

Groups

Sometimes users need to collaborate. This can be accomplished by having users assigned to groups and setting appropriate group permissions for files or directories.

Every user is a member of at least one group, their primary group, and may be a member of additional supplementary groups. As with users, groups have group names and group identification numbers, GIDs. The group names and GIDs are stored in the /etc/group file. Read the group (5) man page for more details.

User Private Group Scheme

By default, a user belongs to a group that is named the same as their username. That is, user digby is a member of group digby and, by default, is the only member of that group. System administrators can choose not to use this scheme when they set up accounts, so this may not be the case at your site.

Primary Group

A user’s primary group is defined in the /etc/passwd file and supplementary groups are defined in the /etc/group file. The primary group is important because files created by the user will be owned by the user and the user’s current primary group. The primary group can temporarily be changed by running newgrp groupname, where groupname is one of the user’s supplementary groups; newgrp starts a new shell with that group as the primary group. The user can revert to their original primary group by typing exit, which ends that shell. One exception to the “current primary group” rule: files created in a directory that has the setgid bit set take the group of the directory, not the creator’s primary group.
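The passwd(5) and group(5) formats described above, and the rule that the primary group comes from /etc/passwd while supplementary groups come from /etc/group, can be made concrete with a small parser. The following is an added example, not code from the original page; the /etc/passwd and /etc/group contents are constructed here (UID 500 for digby follows the numbering used in this article) and do not come from any real system, and the group named project is an assumption for illustration.

```python
from dataclasses import dataclass

# Constructed sample data in passwd(5) and group(5) format (not copied from any
# real system).  passwd fields: name:password:UID:GID:GECOS:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
digby:x:500:500:Digby Jones:/home/digby:/bin/bash
alice:x:501:501:Alice Smith:/home/alice:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
"""
# group fields: name:password:GID:comma-separated supplementary members.
# A user's primary group is NOT listed here; it comes from the passwd GID field.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice
nobody:x:99:
digby:x:500:
alice:x:501:
project:x:600:digby,alice
"""


@dataclass
class User:
    name: str
    uid: int
    gid: int        # primary group
    gecos: str      # "real name" / comment field
    home: str
    shell: str      # program run at login


def parse_passwd(text: str) -> dict[str, User]:
    """Parse passwd(5) lines into a name -> User map."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        users[name] = User(name, int(uid), int(gid), gecos, home, shell)
    return users


def parse_group(text: str) -> dict[int, tuple[str, set[str]]]:
    """Parse group(5) lines into gid -> (group name, supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group entry: {line!r}")
        name, _pw, gid, members = fields
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups


def groups_for(username, users, groups):
    """Return (primary gid, sorted list of every gid the user belongs to).

    The primary group is the GID field of the passwd entry; supplementary
    groups are every group(5) entry whose member list names the user."""
    user = users[username]
    supplementary = {gid for gid, (_name, members) in groups.items() if username in members}
    return user.gid, sorted({user.gid} | supplementary)


def private_group_scheme_holds(username, users, groups):
    """True if the user's primary group is named after the user and nobody else
    belongs to it, i.e. the User Private Group convention holds for this user."""
    user = users[username]
    name, members = groups[user.gid]
    others_by_primary = [u.name for u in users.values() if u.gid == user.gid and u.name != username]
    return name == username and not others_by_primary and not (members - {username})


def id_output(username, users, groups):
    """Render the membership the way id(1) prints it, e.g.
    uid=500(digby) gid=500(digby) groups=500(digby),600(project)"""
    user = users[username]
    primary, all_gids = groups_for(username, users, groups)
    listed = ",".join(f"{g}({groups[g][0]})" for g in all_gids)
    return f"uid={user.uid}({user.name}) gid={primary}({groups[primary][0]}) groups={listed}"


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    groups = parse_group(SAMPLE_GROUP)
    for name in users:
        upg = "UPG" if private_group_scheme_holds(name, users, groups) else ""
        print(id_output(name, users, groups), upg)
```

Running it on a real system would mean reading /etc/passwd and /etc/group instead of the constructed strings; the parser deliberately rejects lines with the wrong field count rather than guessing, because a malformed entry in either file is exactly the kind of thing an auditor wants surfaced, not silently skipped.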

Linux file Security

  • Every file is owned by a UID and a GID
  • Every process runs as a UID and one or more GIDs
    • Usually determined by who runs the process (setuid and setgid executables are the exception)
  • Three access categories:
    • Processes running with the same UID as the file (user)
    • Processes running with the same GID as the file (group)
    • All other processes (other)

Security Contexts and Access Categories

Every process runs under the authority of a particular user and with the authority of one or more groups; this is called the process’s security context. When a process tries to access a file, the security context of the process is matched against the owner and group affiliation of the file.

By this means the process will fall into one of three access categories: user, group or other. Each of these categories can be assigned a different combination of permissions.

Permission Precedence

  • If UID matches, user permissions apply
  • Otherwise, if GID matches, group permissions apply
  • If neither match, other permissions apply

User Group and Other: Which gets priority?

When determining whether a process should be granted user, group or other permissions, a UID match takes precedence over a GID match. So if a file is owned by UID 500 and GID 600 and a process with the same UID and GID attempts to access it, the user permissions will be used, despite the fact that the GIDs also match.

If a process has the file’s group among its GIDs but runs as a different UID, the group permissions apply, regardless of the other permissions.

If the process is affiliated with neither the owner of the file nor the group of the file, then the other permissions apply.

Note that it is possible to make the owner’s permissions more restrictive than the group and other permissions (or to make the group permissions more restrictive than the other permissions), but this is odd and rarely done. Because only the matching category is consulted, such a file really does lock out its owner until the owner changes its mode. Note also that these checks govern ordinary users: root (UID 0) bypasses the read and write permission checks on files, although executing a file still requires at least one execute bit to be set.
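The precedence rules above are easy to state and easy to misremember, so here is an added example (not code from the original page) that implements them directly: pick the one category that applies, then consult only that triplet. It models an unprivileged process, so root’s bypass is deliberately left out; the file and process identities in the demo (UID 500, GID 600, and so on) are constructed to match the scenario in the text.

```python
READ, WRITE, EXEC = 4, 2, 1   # the r, w, x bits of one rwx triplet


def select_category(file_uid, file_gid, proc_uid, proc_gids):
    """Pick which permission triplet applies, using the precedence above:
    a UID match wins outright, otherwise any matching GID selects 'group',
    otherwise 'other'."""
    if proc_uid == file_uid:
        return "user"
    if file_gid in proc_gids:
        return "group"
    return "other"


def triplet(mode, category):
    """Extract the 3-bit rwx triplet for a category from a 9-bit mode (e.g. 0o640)."""
    shift = {"user": 6, "group": 3, "other": 0}[category]
    return (mode >> shift) & 0o7


def is_allowed(mode, file_uid, file_gid, proc_uid, proc_gids, wanted):
    """True if a process running as (proc_uid, proc_gids) gets every bit in
    `wanted` on a file with the given mode/owner/group.

    Only the one category selected by precedence is consulted; there is no
    fallback to a more permissive category.  Assumption: an unprivileged
    process.  Root's CAP_DAC_OVERRIDE bypass is deliberately not modelled."""
    category = select_category(file_uid, file_gid, proc_uid, proc_gids)
    return (triplet(mode, category) & wanted) == wanted


def rwx_string(mode):
    """Render the nine mode bits the way ls -l shows them: 0o640 -> 'rw-r-----'."""
    out = []
    for category in ("user", "group", "other"):
        bits = triplet(mode, category)
        out.append(("r" if bits & READ else "-") +
                   ("w" if bits & WRITE else "-") +
                   ("x" if bits & EXEC else "-"))
    return "".join(out)


def explain(mode, file_uid, file_gid, proc_uid, proc_gids, wanted):
    """One-line trace of the decision, handy when a 'should work' access fails."""
    category = select_category(file_uid, file_gid, proc_uid, proc_gids)
    verdict = "allowed" if is_allowed(mode, file_uid, file_gid, proc_uid, proc_gids, wanted) else "denied"
    return (f"mode {rwx_string(mode)} uid={file_uid} gid={file_gid}: "
            f"process uid={proc_uid} gids={sorted(proc_gids)} -> {category} triplet -> {verdict}")


if __name__ == "__main__":
    # Constructed scenario from the text: a file owned by UID 500 / GID 600.
    cases = [
        (0o640, 500, 600, 500, {500, 600}, WRITE),   # owner wins even though the GID also matches
        (0o640, 500, 600, 501, {501, 600}, WRITE),   # group member gets r-- only, so write is denied
        (0o640, 500, 600, 502, {502}, READ),         # other: nothing
        (0o467, 500, 600, 500, {500}, WRITE),        # odd mode: the owner is locked out while others can write
    ]
    for case in cases:
        print(explain(*case))
```

The last case is the “odd and rarely done” situation from the text: with mode r--rw-rwx the owner is denied write access even though every other process on the system gets it, because the owner’s triplet is the only one ever consulted for the owner.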

  1. Viewing Permissions from the Command-Line
  2. Changing File Ownership
  3. Changing Permissions – Symbolic Method
  4. Changing Permissions – Numeric Method

