Linux Users and Permissions

Deeply understand Linux user management, group management, file permissions, and access control


1. Users and Permissions Overview

Linux is a multi-user operating system that controls access to system resources through user accounts and permission systems. User accounts are the identity of users in the system, and the permission system determines which operations users can perform. Understanding Linux's user and permission system is crucial for system management and security.

1.1 Linux User Types

  • Root User: Has all system permissions, UID is 0.
  • System Users: Accounts used to run system services, UID usually between 1 and 999.
  • Regular Users: Users created by administrators, UID is usually above 1000.

1.2 Linux Group Types

  • Primary Group: The default group that users belong to when created.
  • Secondary Group: Other groups that users can join.
  • System Groups: Groups used for system services.

2. User Management

User management is an important part of Linux system management. It includes operations such as creating users, modifying user attributes, and deleting users.

2.1 User Management Commands

2.1.1 Creating Users

# Create user
useradd username

# Create user and specify home directory
useradd -d /home/username username

# Create user and specify UID
useradd -u 1001 username

# Create user and specify primary group
useradd -g groupname username

# Create user and specify secondary groups
useradd -G group1,group2 username

# Create user and set expiration date
useradd -e 2025-12-31 username

# Create user and set login shell
useradd -s /bin/bash username

# Create user and simultaneously create home directory
useradd -m username

# More user-friendly create user command
adduser username  # Interactive user creation

2.1.2 Setting User Passwords

# Set user password
passwd username

# Non-interactive password setting
echo "username:password" | chpasswd

# Lock user password
passwd -l username

# Unlock user password
passwd -u username

# Make password expire immediately (user must change password on next login)
passwd -e username

# View user password status
passwd -S username

2.1.3 Modifying User Attributes

# Modify user attributes
usermod [options] username

# Modify username
usermod -l newusername oldusername

# Modify user UID
usermod -u 1001 username

# Modify user home directory
usermod -d /new/home/dir username

# Modify user primary group
usermod -g groupname username

# Modify user secondary groups
usermod -G group1,group2 username

# Modify user login shell
usermod -s /bin/bash username

# Lock user account
usermod -L username

# Unlock user account
usermod -U username

2.1.4 Deleting Users

# Delete user
userdel username

# Delete user and simultaneously delete home directory
userdel -r username

2.1.5 Viewing User Information

# View current logged-in users
who
whoami

# View user login history
last
lastlog

# View user information
id username

# View detailed user information
finger username

# View all users
cat /etc/passwd

# Filter regular users (UID 1000 and above); matching the string "1000" would also hit GIDs and other fields
awk -F: '$3 >= 1000 {print $1}' /etc/passwd
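The account inventory above is usually done by hand with `id`, `finger` and a grep over `/etc/passwd`. The following is an added example, not part of the original tutorial, showing how to parse passwd-format records into the checks an administrator actually wants: regular accounts, any account that shares UID 0 with root, and regular accounts that still have an interactive shell. The sample records are constructed here, not taken from a real system; on a live host pipe `getent passwd` into the same functions.

```shell
# Constructed sample in /etc/passwd format (login:password:UID:GID:GECOS:home:shell).
# Not a real system file; on a live host use: getent passwd | regular_users
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc-backup:x:10000:10000::/var/backups:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Print login names of regular accounts: UID >= 1000, excluding the reserved
# nobody account (UID 65534). Reads passwd-format lines from stdin.
regular_users() {
    awk -F: '$3 >= 1000 && $3 != 65534 { print $1 }'
}

# Print every account whose UID is 0. Any login other than root in this
# output is a second root account and should be explained or removed.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Print regular accounts whose login shell is interactive, i.e. not a
# nologin or false shell. Service-style accounts with UID >= 1000 drop out.
interactive_regular_users() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Demo on the constructed sample.
echo "regular users:"
printf '%s\n' "$SAMPLE_PASSWD" | regular_users
echo "UID 0 accounts:"
printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
echo "interactive regular users:"
printf '%s\n' "$SAMPLE_PASSWD" | interactive_regular_users
```

Filtering on the numeric third field is what `grep "1000"` was trying to do; the awk form does not match a `1000` that happens to appear in a GID, a home directory or a comment.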

3. Group Management

Group management is an important part of the Linux permission system. It allows administrators to group users for more effective permission management.

3.1 Group Management Commands

3.1.1 Creating Groups

# Create group
groupadd groupname

# Create group and specify GID
groupadd -g 1001 groupname

3.1.2 Modifying Group Attributes

# Modify group attributes
groupmod [options] groupname

# Modify group name
groupmod -n newgroupname oldgroupname

# Modify group GID
groupmod -g 1001 groupname

3.1.3 Deleting Groups

# Delete group
groupdel groupname

3.1.4 Managing Group Members

# Add user to group
usermod -aG groupname username

# Remove user from group
gpasswd -d username groupname

# View group members
groups username

# View all members of a group (anchor the name so "groupname" does not also match "groupname2")
grep "^groupname:" /etc/group

# View all groups
cat /etc/group

4. File Permission Management

File permissions are the core of the Linux security model. They determine which users can perform which operations on files.

4.1 File Permission Representation

Linux file permissions have two representation methods: symbolic representation and numeric representation.

# Symbolic representation
-rw-r--r-- 1 user group 0 Apr 10 14:30 file.txt

# Numeric representation
# r=4, w=2, x=1
# 755 = rwxr-xr-x
# 644 = rw-r--r--

4.2 Permission Types

  • Read permission (r): Allows viewing file content or listing directory content.
  • Write permission (w): Allows modifying file content or creating/deleting files in directories.
  • Execute permission (x): Allows executing files or entering directories.

4.3 Modifying File Permissions

# Modify permissions using symbols
chmod u+x file.txt      # Add execute permission for owner
chmod g+w file.txt      # Add write permission for group
chmod o-r file.txt      # Remove read permission for others
chmod a+r file.txt      # Add read permission for all users
chmod ug+x file.txt     # Add execute permission for owner and group
chmod ug=rw file.txt    # Set owner and group permissions to read and write

# Modify permissions using numbers
chmod 755 file.txt      # Set to rwxr-xr-x
chmod 644 file.txt      # Set to rw-r--r--
chmod 700 file.txt      # Set to rwx------
chmod 600 file.txt      # Set to rw-------

# Recursively modify directory and its contents permissions
chmod -R 755 directory

4.4 Modifying File Owner and Group

# Modify file owner
chown user file.txt

# Modify both owner and group
chown user:group file.txt

# Modify only group
chown :group file.txt

# Recursively modify directory and its contents
chown -R user:group directory

5. Special Permissions

Linux provides three special permissions: SUID (Set User ID), SGID (Set Group ID), and Sticky Bit. These special permissions can give files or directories additional functionality.

5.1 SUID (Set User ID)

When an executable file has the SUID bit set, the process that runs it takes the effective user ID of the file's owner instead of that of the user who launched it.

# Set SUID permission
chmod u+s file

# View SUID permission
ls -l file
# Display as -rwsr-xr-x

# Remove SUID permission
chmod u-s file

5.2 SGID (Set Group ID)

When an executable file has the SGID bit set, the process that runs it takes the effective group ID of the file's group. When a directory has the SGID bit set, files created inside it inherit the directory's group instead of the creator's primary group.

# Set SGID permission
chmod g+s file

# View SGID permission
ls -l file
# Display as -rwxr-sr-x

# Remove SGID permission
chmod g-s file

# Set SGID permission on directory
chmod g+s directory

# View directory's SGID permission
ls -ld directory
# Display as drwxr-sr-x

5.3 Sticky Bit

When a directory is set with Sticky Bit permission, only the file owner, directory owner, or root user can delete files in the directory.

# Set Sticky Bit permission
chmod +t directory

# View Sticky Bit permission
ls -ld directory
# Display as drwxrwxrwt

# Remove Sticky Bit permission
chmod -t directory

5.4 Numeric Representation of Special Permissions

# Numeric representation of special permissions
# SUID = 4
# SGID = 2
# Sticky Bit = 1

# Set SUID
chmod 4755 file

# Set SGID
chmod 2755 file

# Set Sticky Bit
chmod 1777 directory

# Set multiple special permissions
chmod 6755 file  # Set SUID and SGID
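Sections 4.1 and 5.4 give the two permission notations and a few memorised pairs (755, 644, 4755, 2755, 1777). The following is an added example, not code from the original tutorial, that converts between the symbolic string `ls -l` prints and the four-digit octal form in both directions, including the special bits and the capital `S`/`T` that `ls` shows when a special bit is set without the matching execute bit. The function names and the sample mode strings are this example's own.

```shell
# Convert a symbolic permission string from ls -l (9 characters, or 10 with the
# leading file-type character) to four octal digits. The first digit carries
# the special bits: SUID=4, SGID=2, sticky=1. A capital S or T means the
# special bit is set but the corresponding execute bit is not.
mode_to_octal() {
    perm=$1
    [ ${#perm} -eq 10 ] && perm=${perm#?}        # drop the file-type character
    [ ${#perm} -eq 9 ] || { echo "bad mode: $1" >&2; return 1; }
    special=0
    digits=""
    bitval=4                                       # 4 for user, 2 for group, 1 for other
    i=1
    while [ $i -le 9 ]; do
        c1=$(printf '%s' "$perm" | cut -c "$i")
        c2=$(printf '%s' "$perm" | cut -c "$((i+1))")
        c3=$(printf '%s' "$perm" | cut -c "$((i+2))")
        v=0
        [ "$c1" = r ] && v=$((v+4))
        [ "$c2" = w ] && v=$((v+2))
        case $c3 in
            x)   v=$((v+1)) ;;
            s|t) v=$((v+1)); special=$((special+bitval)) ;;   # special bit plus execute
            S|T) special=$((special+bitval)) ;;               # special bit without execute
            -)   ;;
            *)   echo "bad mode: $1" >&2; return 1 ;;
        esac
        digits="$digits$v"
        bitval=$((bitval/2))
        i=$((i+3))
    done
    printf '%d%s\n' "$special" "$digits"
}

# Convert three or four octal digits (644, 0644, 4755, 2770, 1777) back to the
# nine-character symbolic form that ls -l prints.
octal_to_mode() {
    mode=$1
    [ ${#mode} -eq 3 ] && mode="0$mode"
    [ ${#mode} -eq 4 ] || { echo "bad octal mode: $1" >&2; return 1; }
    special=$(printf '%s' "$mode" | cut -c 1)
    out=""
    bitval=4
    i=2
    while [ $i -le 4 ]; do
        d=$(printf '%s' "$mode" | cut -c "$i")
        r=-; w=-; x=-
        [ $((d & 4)) -ne 0 ] && r=r
        [ $((d & 2)) -ne 0 ] && w=w
        [ $((d & 1)) -ne 0 ] && x=x
        if [ $((special & bitval)) -ne 0 ]; then
            # The user and group triplets show s/S, the other triplet shows t/T.
            if [ $bitval -eq 1 ]; then letter=t; else letter=s; fi
            if [ "$x" = x ]; then x=$letter
            elif [ "$letter" = s ]; then x=S
            else x=T
            fi
        fi
        out="$out$r$w$x"
        bitval=$((bitval/2))
        i=$((i+1))
    done
    printf '%s\n' "$out"
}

# Demo with constructed mode strings.
for m in '-rwxr-xr-x' 'rwsr-xr-x' 'drwxr-sr-x' 'drwxrwxrwt' 'rwSr--r--'; do
    echo "$m -> $(mode_to_octal "$m")"
done
for o in 644 4755 2770 1777; do
    echo "$o -> $(octal_to_mode "$o")"
done
```

Checking a real file against both forms at once is `stat -c '%A %a' file`; `%A` is the symbolic string and `%a` the octal digits, so a mismatch between what the converter predicts and what `stat` reports points at a typo in a `chmod` argument.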

6. ACL (Access Control List)

ACL (Access Control List) is a more flexible permission management mechanism that allows for finer-grained permissions to be set for files or directories.

6.1 ACL Management Commands

6.1.1 Viewing ACL

# View ACL of file or directory
getfacl file.txt

# Example output
# file: file.txt
# owner: user
# group: group
# user::rw-
# group::r--
# other::r--

6.1.2 Setting ACL

# Set ACL for user
setfacl -m u:username:rwx file.txt

# Set ACL for group
setfacl -m g:groupname:rwx file.txt

# Set ACL for others
setfacl -m o::r-- file.txt

# Set default ACL (for directories)
setfacl -m d:u:username:rwx directory

# Recursively set ACL
setfacl -R -m u:username:rwx directory

6.1.3 Removing ACL

# Remove ACL for specific user
setfacl -x u:username file.txt

# Remove ACL for specific group
setfacl -x g:groupname file.txt

# Remove all ACL
setfacl -b file.txt

# Recursively remove ACL
setfacl -R -b directory
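The `getfacl` output in 6.1.1 and the `setfacl -m` commands in 6.1.2 say nothing about the ACL mask, which goes a step beyond what the tutorial covers: on a file with named entries, the rights of named users, named groups and the owning group are limited to the bits also present in the `mask::` entry, and a later `chmod` on the file's group bits rewrites that mask. The following is an added example, not from the original tutorial, that takes getfacl-style output and computes the effective rights each entry really grants. The ACL text is constructed for the example, not captured from a real file.

```shell
# Constructed getfacl-style output (not from a real file). alice was granted
# rwx, but the mask is r-x, so she can only read and execute.
SAMPLE_ACL='# file: report.txt
# owner: user
# group: group
user::rw-
user:alice:rwx
group::r--
group:auditors:rw-
mask::r-x
other::r--'

# Read ACL text on stdin and print "<entry><TAB><effective rights>" for every
# entry. The mask applies to named users, named groups and the owning group;
# the owner (user::) and other entries are never masked.
effective_acl() {
    awk -F: '
        /^#/ { next }
        $1 == "mask" { mask = $3 }
        { entries[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                split(entries[i], f, ":")
                perm = f[3]
                masked = (f[1] == "user" && f[2] != "") || f[1] == "group"
                eff = perm
                if (masked && mask != "") {
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        c = substr(perm, j, 1)
                        m = substr(mask, j, 1)
                        part = (c != "-" && m != "-") ? c : "-"
                        eff = eff part
                    }
                }
                printf "%s\t%s\n", entries[i], eff
            }
        }'
}

# Print the effective rights of one entry, given its tag and qualifier,
# e.g. "user:alice", "group:auditors", "group:" (owning group), "user:" (owner).
effective_of() {
    effective_acl | awk -F'\t' -v key="$1" 'index($1, key ":") == 1 { print $2 }'
}

# Demo on the constructed ACL.
printf '%s\n' "$SAMPLE_ACL" | effective_acl
echo "alice effective: $(printf '%s\n' "$SAMPLE_ACL" | effective_of user:alice)"
```

`getfacl` itself prints an `#effective:` annotation next to any entry the mask reduces; the function above reproduces that calculation so the reduction can be checked in a script rather than read by eye.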

7. sudo Permission Management

sudo (Superuser Do) is a mechanism that allows regular users to execute commands with root privileges, providing a more secure way of permission management.

7.1 sudo Configuration

# Edit sudo configuration file
visudo

# Or directly edit /etc/sudoers file
# But visudo is recommended as it performs syntax checking

# Configuration examples
# Allow user to execute all commands
username ALL=(ALL) ALL

# Allow user to execute specific commands
username ALL=/usr/bin/apt,/usr/bin/systemctl

# Allow user to execute commands without password
username ALL=(ALL) NOPASSWD: ALL

# Allow users in group to execute all commands
%groupname ALL=(ALL) ALL

7.2 Using sudo

# Execute command with sudo
sudo command

# Switch to root user
sudo su -

# Execute command as specific user
sudo -u username command

# View sudo permissions
sudo -l

# Start an interactive login shell as root (sudo -i does not show history; sudo logs each invocation through syslog)
sudo -i

8. Practice Case: Permission Management

8.1 Case Objective

Create a project directory, set appropriate permissions, allow project members to access and modify files in the directory, while ensuring other users cannot access it.

8.2 Implementation Steps

8.2.1 Create Project Group

# Create project group
groupadd project-group

8.2.2 Create Project Directory

# Create project directory
mkdir -p /opt/project

8.2.3 Modify Directory Group

# Modify directory group
chown :project-group /opt/project

8.2.4 Set Directory Permissions

# Set directory permissions, add SGID permission
chmod 2770 /opt/project

8.2.5 Add Users to Project Group

# Add users to project group
usermod -aG project-group user1
usermod -aG project-group user2

8.2.6 Test Permissions

# Test as user1
# Switch to user1
su - user1

# Create file in project directory
touch /opt/project/test.txt

echo "Test content" > /opt/project/test.txt

# View file permissions
ls -l /opt/project/test.txt
# Should show file group as project-group

# Test as user2
# Switch to user2
su - user2

# Modify file content
echo "Modified by user2" >> /opt/project/test.txt

# View file content
cat /opt/project/test.txt

# Test as other user
# Switch to other user
su - otheruser

# Try to access project directory
ls /opt/project
# Should show permission denied
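The steps in 8.2 need root and three user accounts, so they are hard to try on a workstation. The following is an added example, not part of the original tutorial, that builds the same layout under a scratch directory as the current user, then verifies the two properties the case relies on: the directory mode is 2770 and files created inside it inherit the directory's group. It also shows the one thing the test in 8.2.6 silently assumes: whether user2 can append to user1's file depends on the umask user1 had when creating it, since a default umask of 022 produces a 644 file that the group can read but not write. The function names, the scratch base and the use of the caller's own primary group are this example's assumptions; on a real host call `setup_project_dir /opt project-group` as root.

```shell
# Build the section 8 layout under $1 and give it group $2. Prints the
# directory's octal mode (expected 2770). Needs no root when $2 is a group
# the caller belongs to; as root, pass /opt and project-group.
setup_project_dir() {
    base=$1
    group=$2
    dir="$base/project"
    mkdir -p "$dir"
    chgrp "$group" "$dir"      # same effect as: chown :group dir
    chmod 2770 "$dir"          # rwxrws---: SGID set, no access for others
    stat -c '%a' "$dir"
}

# Create an empty file under a given umask and print its octal mode.
# umask 022 -> 644 (group can read only); umask 002 -> 664 (group can write).
create_with_umask() {
    mask=$1
    path=$2
    (umask "$mask"; : > "$path")
    stat -c '%a' "$path"
}

# Print "ok" when a file created inside the directory carries the directory's
# group (the SGID effect the case depends on), otherwise "mismatch".
check_sgid_inheritance() {
    dir=$1
    file="$dir/test.txt"
    : > "$file"
    if [ "$(stat -c '%g' "$dir")" = "$(stat -c '%g' "$file")" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Demo run with constructed values: a temporary base directory and the
# caller's primary group stand in for /opt and project-group.
demo_base=$(mktemp -d)
demo_group=$(id -gn)
echo "directory mode:   $(setup_project_dir "$demo_base" "$demo_group")"
echo "file, umask 022:  $(create_with_umask 022 "$demo_base/project/a.txt")"
echo "file, umask 002:  $(create_with_umask 002 "$demo_base/project/b.txt")"
echo "sgid inheritance: $(check_sgid_inheritance "$demo_base/project")"
rm -rf "$demo_base"
```

When the scratch run is done with the caller's primary group the inheritance check passes trivially; the check becomes informative when the group passed in is a secondary group of the caller, which is the situation in the case itself. The umask figures are the reason shared project directories are usually paired with a group-writable umask (002) for their members.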

9. Interactive Exercises

Exercise 1: User Management

Perform the following operations:

  1. Create a user named developer with UID 1001.
  2. Set a password for the developer user.
  3. Create a group named dev-group.
  4. Add the developer user to the dev-group group.
  5. View detailed information about the developer user.
  6. Delete the developer user and its home directory.

Exercise 2: File Permission Management

Perform the following operations:

  1. Create a file named secret.txt with the content "This is a secret".
  2. Set the file permissions so that only the owner can read and write and other users have no permissions.
  3. Create a directory named share.
  4. Set the directory permissions so that the owner and group can read, write and execute, and others can only execute.
  5. Create a file named public.txt in the share directory.
  6. Set the sticky bit on the share directory.

Exercise 3: sudo Configuration

Perform the following operations:

  1. Create a user named admin.
  2. Edit the sudo configuration file to allow the admin user to execute all commands.
  3. Test whether the admin user can use sudo to execute root commands.
  4. Edit the sudo configuration file to allow the admin user to execute only specific commands (such as apt and systemctl).
  5. Test whether the admin user can execute those specific commands.