In this article, we will explore the importance of properly managing Linux users and their access rights. We will describe access rights, starting with how to create and configure users and ending with how to grant access to specific files and folders. We will also discuss some important security tools, such as sudo and SELinux, which help protect the system from unwanted activity.
The Importance of User Management and Access Rights in Linux
In the Linux world, user management and access rights play a key role. Imagine Linux as a large apartment where each user is a tenant and each file is a room. User management is like assigning each tenant their unique key, while access rights are what they can do in their room.
When a user is created, they are assigned a name and a unique identifier (UID), like a personal key to the apartment. The user also has a group, uniting them with other tenants. The group is like a club where members share common privileges.
File access rights are divided into three categories: owner (user), group, and others. For each category, a file carries its own set of read, write, and execute rights. For example, the file owner may have read and write rights, the group only read, and others none.
Security mechanisms such as sudo and SELinux, used in Linux systems, deserve special attention. Sudo is a special command that allows regular users to temporarily use superuser (root) rights to perform specific tasks that are normally only available to administrators. This helps prevent accidental errors or misuse of superuser rights. When using sudo, the user is usually required to enter their password to confirm their identity. After this, they can execute commands with superuser (root) rights in accordance with the rules set in the sudoers file.
SELinux is an additional layer of security for the Linux operating system. It monitors which programs and files can be used in the system and limits access to them to prevent intrusions and attacks. This makes the server more secure by preventing hacking attempts or malicious actions.
Creating and Managing Users
How to Create a User in Linux
Linux users are usually created with the useradd command. For example, to create a user named "username", you would enter:
useradd username
How to Set a Linux User Password
After creating a user, their account is not protected by a password. To set a password for a new user, use the passwd command:
passwd username
Where username is the name of the user for whom the password is being set.
How to View a List of Users in Linux
To view a list of users in Linux with a single command in the terminal, you can use the cut command:
cut -d: -f1 /etc/passwd
This command reads the contents of the /etc/passwd file, which contains information about all users.
To get information about a specific user, you can use the command:
id username
This will display the user's UID, GID, and groups.
Deleting a Linux User
To delete a user, use the userdel command:
userdel username
However, this command does not delete the files in the user's home directory. To remove them, you can use the -r option:
userdel -r username
This will delete the user username along with their home directory and all files within it.
Modifying a Linux User
To modify information about a user, use the usermod command. The tool uses the syntax:
usermod argument user
A full list of possible arguments is displayed in the utility's help:
For example, to change a user's home directory, you would use the command:
usermod -d /new/path/to/directory username
Creating and Managing User Groups in Linux
User groups in Linux allow administrators to group users with similar access rights. This facilitates the management of access rights and enhances system security by enabling rights to be set at the group level, instead of doing so for each user individually. As an example, we will consider the developers group with the user admin.
How to Create a User Group in Linux
To create a new group, use the groupadd command with the name of the new group:
sudo groupadd group_name
In our example, the command would look like this:
sudo groupadd developers
How to Delete a User Group in Linux
To delete a group, use the groupdel command:
sudo groupdel group_name
Thus, the command:
sudo groupdel developers
will delete the group named developers.
Adding Users to a Group
To add a user to a specific group, use the usermod command:
sudo usermod -aG group_name user_name
For example:
sudo usermod -aG developers admin
This command will add the user named admin to the developers group.
Removing Users from a Group
To remove a user from a group, use the deluser command:
sudo deluser user_name group_name
The command to remove the user admin from the developers group:
sudo deluser admin developers
Viewing Group Lists in Linux
To view a list of all groups in the system, use the cat command with the /etc/group file:
cat /etc/group
This command will display a list of all groups in the system.
Checking User Group Membership
After performing actions, you can check which groups a user belongs to using the groups command:
groups user_name
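The groups command answers which groups a user is in; the reverse question, which accounts can act through a given group, needs both files this article reads, because a member whose primary group it is appears only in /etc/passwd, not in the member list of /etc/group. The following shell script is an added example, not part of the original article; the function names and the sample passwd/group contents are constructed here.

```shell
# Added example, not from the article: answer "who is in this group?" from the
# same two files the article reads, /etc/passwd and /etc/group. The sample data
# is constructed; omit the data arguments to read the real files instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:1000:1001:Admin:/home/admin:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/sh'
SAMPLE_GROUP='root:x:0:
sudo:x:27:admin
developers:x:1001:bob
bob:x:1002:'

# group_members GROUP [PASSWD_DATA] [GROUP_DATA]
# A user is in a group via the member list (4th field of /etc/group) or because it
# is the user's primary group (4th field of /etc/passwd holds the group's GID).
group_members() {
  grp=$1
  passwd_data=${2:-$(cat /etc/passwd)}
  group_data=${3:-$(cat /etc/group)}
  printf '%s\n' "$group_data" "---" "$passwd_data" | awk -F: -v g="$grp" '
    /^---$/ { in_passwd = 1; next }
    !in_passwd && $1 == g {
      gid = $3
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
      next
    }
    in_passwd && gid != "" && $4 == gid { seen[$1] = 1 }
    END { for (u in seen) print u }
  ' | sort
}

# user_groups USER [PASSWD_DATA] [GROUP_DATA]
# The inverse view, what "groups user_name" prints: primary group first.
user_groups() {
  usr=$1
  passwd_data=${2:-$(cat /etc/passwd)}
  group_data=${3:-$(cat /etc/group)}
  printf '%s\n' "$passwd_data" "---" "$group_data" | awk -F: -v u="$usr" '
    /^---$/ { in_group = 1; next }
    !in_group && $1 == u { gid = $4; next }
    in_group && $3 == gid { primary = $1; next }
    in_group { n = split($4, m, ",")
               for (i = 1; i <= n; i++) if (m[i] == u) rest = rest " " $1 }
    END { printf "%s%s\n", primary, rest }
  '
}

group_members developers "$SAMPLE_PASSWD" "$SAMPLE_GROUP"   # admin alice bob
user_groups admin "$SAMPLE_PASSWD" "$SAMPLE_GROUP"          # developers sudo
```

Note that `cat /etc/group` alone would list only bob under developers; admin and alice are members through their primary GID.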
Thus, we have explored the basics of managing user groups in Linux. Now, let's move on to the next stage – examining the assignment of access rights to files and directories. This process determines what actions users or groups can perform on specific files and directories, ensuring effective management of security and of access to system resources.
Assigning Access Rights to Files and Directories
Symbolic Representation of Access Rights
As we have already found out, there are three categories of users in Linux: owner (user), group, and others. Each of them may be granted certain kinds of access to files or directories:
- Read (r): Allows viewing the contents of a file or directory.
- Write (w): Provides the ability to modify a file or create a new file inside the directory. For a directory, this also allows deleting files from it.
- Execute (x): Allows executing the file (if it is an executable file) or entering the directory (if it is a directory).
In Linux-family systems, access rights are represented by a string of 10 characters. The first character indicates the file type (regular file, directory, etc.), and the remaining nine are three groups of three characters, one group for each of the user categories. To make this concrete, let's consider an example.
Access rights -rwxr-xr-- mean:
- The first character (-) indicates the file type (in this case, a regular file).
- Three characters for the owner (rwx) show that the owner has read, write, and execute rights.
- Three characters for the group (r-x) indicate that group members have read and execute rights only.
- Three characters for others (r--) mean that other users can only read the file.
Access rights are set using the chmod command, and the syntax looks as follows:
chmod [options] mode file(s)
Where:
- [options] - additional parameters, such as -R for recursively changing access rights in a directory and its subdirectories.
- mode - a special string that specifies which access rights are changed and for whom. The mode can be given symbolically, with letters for the permissions (r, w, x), for the category they apply to (u, g, o, a), and an operator (+ to add, - to remove, = to set exactly); each permission letter stands for a permission bit that is set or cleared. Numeric values of mode can also be used (we will talk about them later).
- file(s) - files or directories to which changes are applied.
This utility is quite a powerful tool, so we will only look at a few basic commands as an example.
Change access rights to a file so that the owner has read and write rights, the group has read rights only, and other users have no rights:
chmod u=rw,g=r,o= filename
Set access rights for all users to read and write to a file:
chmod a+rw filename
Recursively change access rights for all files and subdirectories in a directory:
chmod -R u+rwx directory
Numeric Representation of Access Rights
In the numeric representation, each user category (owner, group, others) gets one digit, and the three digits together set the final access rights. As in the symbolic form, each of the three rights has its own value, here a number:
- Read (r) - value 4
- Write (w) - value 2
- Execute (x) - value 1
The position of the digit determines which user category it applies to:
- File owner (user) - the first digit
- Owner's group (group) - the second digit
- Other users (others) - the third digit
Thus, the full numeric representation of file access rights consists of three digits, each representing the sum of the values of the rights for a certain user category. This is somewhat more convenient than using 10 characters in the symbolic representation. The command then looks as follows:
chmod XYZ file
where X, Y, and Z are numbers representing access rights for the owner, group, and other users respectively.
For example, to grant the owner full access rights (read, write, and execute), and the group and other users only read and execute, you could use the command:
chmod 755 file
Let's consider other examples:
chmod 700 file
Only the owner has rights to read, write, and execute, while the group and other users have no access rights.
chmod 644 file
The owner has rights to read and write, while the group and other users only have read rights.
chmod 751 file
The owner has full rights, the group has read and execute rights, and other users only have execute rights.
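Tying the 10-character string of the symbolic section to the three digits used here, the following shell functions convert a string such as -rwxr-xr-- to digits and back, and read a real file's mode back after chmod. This is an added example, not code from the original article; the function names are my own, and the special bits (setuid, setgid, sticky) are ignored because the three-digit form discussed here has no place for them.

```shell
# Added example (not from the article): convert between the 10-character mode
# string of "ls -l" and the three-digit numeric form, then verify against a
# real file. Function names are the author's own, not standard utilities.

# perm_to_octal MODESTRING: "-rwxr-xr--" -> 754. Each triplet is summed from
# r=4, w=2, x=1; the leading file-type character is skipped.
perm_to_octal() {
  s=${1#?}                       # drop the file-type character
  [ ${#s} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
  out=
  for off in 1 4 7; do
    t=$(printf '%s' "$s" | cut -c"$off"-"$((off + 2))")
    d=0
    case $t in r??) d=$((d + 4));; esac
    case $t in ?w?) d=$((d + 2));; esac
    case $t in ??[xst]) d=$((d + 1));; esac   # s/t means x plus a special bit
    out=$out$d
  done
  printf '%s\n' "$out"
}

# octal_to_perm DIGITS: 751 -> rwxr-x--x (nine characters, no type column).
octal_to_perm() {
  case $1 in [0-7][0-7][0-7]) ;; *) echo "bad mode: $1" >&2; return 1;; esac
  out=
  for d in $(printf '%s' "$1" | sed 's/./& /g'); do
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    out=$out$r$w$x
  done
  printf '%s\n' "$out"
}

# mode_of FILE: numeric mode read back from "ls -ld" (works with GNU and BSD
# ls; an 11th "." or "+" marker for SELinux context or ACLs is cut off).
mode_of() { perm_to_octal "$(ls -ld "$1" | cut -c1-10)"; }

# Round trip on a temporary file: chmod 751, then read the mode back.
demo_chmod_roundtrip() {
  f=$(mktemp) || return 1
  chmod 751 "$f" && m=$(mode_of "$f")
  rm -f "$f"
  printf '%s\n' "$m"                       # 751
}
```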
As we mentioned earlier, the tool has very extensive functionality. In some cases, the options available in the "help" section are not sufficient:
Pay attention to the last line. Using this command opens more detailed documentation on the tool. You can also consult the chmod article on Wikipedia, which gives detailed information about the utility.
Conclusion
Linux users and their management are critically important for the security and stable operation of the OS. In this article, we have highlighted the importance of effective user and access rights management in Linux, covering the creation and management of users, working with user groups, and assigning access rights to files and directories.