Advanced Topics in Users Groups and Permissions
Overview
Users & Group ID Numbers
- When a file is stored on disk, the ownership metadata about the file is stored numerically.
- That is, the username and group name are not stored with the file; only the user ID (UID) and group ID (GID) numbers are. Tools such as ls -l translate those numbers back to names by looking them up in /etc/passwd and /etc/group, which is why a file whose owner account has been deleted shows a bare number instead of a name.
Examples:
User & Group Information Files
/etc/passwd
- The /etc/passwd file contains the list of the system's accounts.
Format: username:password:UID:GID:GECOS (comment):home directory:login shell
NOTE!: The password field normally holds an x, meaning the password hash lives in /etc/shadow. GID is the user's primary group ID number.
/etc/shadow
- The /etc/shadow file contains the users' hashed passwords and the password ageing and account expiration information.
- The /etc/shadow file is readable only by root (and, on distributions that use a shadow group, by members of that group); ordinary users cannot read it, so the password hashes are not exposed to offline cracking.
/etc/group
- The /etc/group file defines the groups on the system.
Format: groupname:password:GID:UserList
NOTE!: UserList is the list of usernames that are supplementary members of this group, separated by commas. A user's primary group (the GID field in /etc/passwd) does not appear in this list.
/etc/gshadow
- The /etc/gshadow file contains the groups' hashed passwords and the list of group administrators (the users allowed to add and remove members of the group).
- Like /etc/shadow, the /etc/gshadow file is readable only by root.
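The following is an added example, not code from the original page: it parses /etc/passwd and /etc/group records in the formats described above and resolves the numeric UID/GID that the filesystem stores into names, the same way ls -l does, including the bare-number fallback for a deleted account and the primary-plus-supplementary group membership of a user. The passwd and group data are constructed sample records, not a real system's files, and the 1 to 499 system account range is the older Red Hat convention assumed here.

```python
# Added example (not from the original page): parse passwd/group records and
# resolve the numeric ownership the filesystem stores into names.
from dataclasses import dataclass

# Constructed sample data in /etc/passwd and /etc/group format.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mitesh:x:500:500:Mitesh:/home/mitesh:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash
"""

GROUP_SAMPLE = """\
root:x:0:
daemon:x:2:
mitesh:x:500:
alice:x:501:
wheel:x:10:mitesh
devel:x:600:mitesh,alice
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int      # primary group
    gecos: str
    home: str
    shell: str


@dataclass
class GroupEntry:
    name: str
    gid: int
    members: list  # supplementary members only (the UserList field)


def parse_passwd(text):
    """Return {uid: PasswdEntry} for every non-comment line."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        users[int(uid)] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return users


def parse_group(text):
    """Return {gid: GroupEntry}; an empty UserList yields an empty member list."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = GroupEntry(name, int(gid), [m for m in members.split(",") if m])
    return groups


def owner_names(uid, gid, users, groups):
    """Translate a file's stored (uid, gid) to names, falling back to the bare
    number when no account or group exists, exactly as ls -l does."""
    user = users[uid].name if uid in users else str(uid)
    group = groups[gid].name if gid in groups else str(gid)
    return user, group


def groups_of(username, users, groups):
    """All groups a user belongs to: the primary group named by the GID field in
    passwd plus every group whose UserList names the user."""
    entry = next((u for u in users.values() if u.name == username), None)
    if entry is None:
        return []
    result = [groups[entry.gid].name] if entry.gid in groups else []
    for g in groups.values():
        if username in g.members and g.name not in result:
            result.append(g.name)
    return result


def system_accounts(users, sys_max=499):
    """Accounts in the system range (assumed 1..499 here, the older Red Hat
    convention); these are the identities services run under, never root."""
    return sorted(u.name for u in users.values() if 1 <= u.uid <= sys_max)


if __name__ == "__main__":
    users = parse_passwd(PASSWD_SAMPLE)
    groups = parse_group(GROUP_SAMPLE)
    print(owner_names(500, 600, users, groups))   # ('mitesh', 'devel')
    print(owner_names(502, 502, users, groups))   # ('502', '502'): deleted owner
    print(groups_of("mitesh", users, groups))     # ['mitesh', 'wheel', 'devel']
    print(system_accounts(users))                 # ['daemon']
```

The owner_names fallback is the case to remember during forensics: a file owned by a UID with no passwd entry usually means the account was removed after the file was created, and the number is the only trace left.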
User Management Tools
CLI
- useradd: Create a new user or update the default new-user information.
- usermod: Modify a user account.
- userdel [-r]: Delete a user account; -r also removes the user's home directory and mail spool.
Graphical Tool
- system-config-users
- System -> Administration -> Users and Groups
- Adds, modifies and deletes users and groups
System Users and Groups
- In addition to the ordinary user accounts and the superuser account root, a number of system users and groups exist.
- The main reason for creating system users and groups is to run programs as non-privileged users or as a particular group. Examples: daemon, mail, lp, nobody, and the accounts used by web or print servers.
- Running programs in this way limits the amount of damage any single program can do to the system: a compromised service can only touch what its own UID and GID are allowed to touch.
- System users and groups have UID and GID numbers between 1 and 499 on older Red Hat based systems (RHEL 6 and earlier); newer distributions reserve 1 to 999 for them (SYS_UID_MIN/SYS_UID_MAX in /etc/login.defs), with ordinary users starting at UID_MIN (500 or 1000).
Example:
Monitoring Logins
- w: Show who is logged on and what they are doing.
- last: Show a listing of the last logged-in users and the reboot history (read from /var/log/wtmp).
Examples: last; last root; last mitesh; last reboot
- lastb: Show bad (failed) login attempts (read from /var/log/btmp).
- lastlog: Report the most recent login of all users or of a given user.
Examples: lastlog; lastlog -u root
Default Permissions
Files: 0666 - umask Directory: 0777 - umask
umask
Non-privileged user's umask is 0002
Files: 0666 - 0002 = 0664 Directory: 0777 - 0002 = 0775
Root user's umask is 0022
Files: 0666 - 0022 = 0644 Directory: 0777 - 0022 = 0755
NOTE!: The subtraction is a shorthand that happens to work for these common values. What the kernel actually does is clear every bit that is set in the umask (mode AND NOT umask), so the shorthand is wrong whenever a umask bit is not present in the base mode: with umask 0033 a new file gets 0644, not 0633, because 0666 has no execute bits to remove.
Changing umask value
NOTE!: The umask is typically set by the scripts run at login time (/etc/profile, /etc/bashrc and the user's own ~/.bashrc or ~/.bash_profile), so a value changed on the command line lasts only for that shell and its children.
That means your umask value goes back to the default every time you log in to the system, unless you change it in one of those scripts.
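The following is an added example, not code from the original page: it computes the mode a new file or directory receives for a given umask with the bitwise operation the kernel performs, compares it with the subtraction shorthand used above to show where the shorthand breaks, and then confirms the result against the kernel by creating a real file and directory under a temporary umask. It assumes a POSIX filesystem without default ACLs on the temporary directory, since a default ACL would override the umask.

```python
# Added example (not from the original page): umask as the kernel applies it,
# versus the "0666 - umask" shorthand.
import os
import stat
import tempfile

FILE_BASE = 0o666   # open()/creat() request rw for everyone
DIR_BASE = 0o777    # mkdir requests rwx for everyone


def effective_mode(base, umask):
    """What the kernel does: clear every permission bit that is set in the umask."""
    return base & ~umask & 0o777


def subtraction_mode(base, umask):
    """The tutorial shorthand; only correct when every umask bit is also set in base."""
    return base - umask


def shorthand_is_exact(base, umask):
    """True when the subtraction shorthand happens to give the kernel's answer."""
    return effective_mode(base, umask) == subtraction_mode(base, umask)


def kernel_modes(umask):
    """Create a file and a directory under the given umask and return the
    permission bits the kernel assigned to each. The process umask is restored
    afterwards. Assumes no default ACL on the temporary directory."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            fpath = os.path.join(tmp, "f")
            dpath = os.path.join(tmp, "d")
            fd = os.open(fpath, os.O_CREAT | os.O_WRONLY, 0o666)  # requests 0666
            os.close(fd)
            os.mkdir(dpath, 0o777)                                # requests 0777
            fmode = stat.S_IMODE(os.stat(fpath).st_mode)
            dmode = stat.S_IMODE(os.stat(dpath).st_mode)
    finally:
        os.umask(old)
    return fmode, dmode


if __name__ == "__main__":
    for umask in (0o002, 0o022, 0o027, 0o033):
        f = effective_mode(FILE_BASE, umask)
        d = effective_mode(DIR_BASE, umask)
        note = "ok" if shorthand_is_exact(FILE_BASE, umask) else "WRONG for files"
        print(f"umask {umask:04o}: file {f:04o} dir {d:04o} (subtraction {note})")
    print("kernel agrees for umask 0027:", kernel_modes(0o027) == (0o640, 0o750))
```

A umask of 027 is a common hardening choice for service accounts: new files come out 0640 and directories 0750, so nothing a daemon writes is world-readable by default. The subtraction shorthand would tell you 0637 for files, which is why the bitwise form is the one to reason with.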
Special Permissions For Executables
- In addition to the user, group and other permissions, an additional set of permission bits exists, called the special permissions.
- 4 (s): the suid bit (set user ID)
- 2 (s): the sgid bit (set group ID)
- 1 (t): the sticky bit
- The special permission is displayed in the place of the x: suid in the user triplet, sgid in the group triplet and the sticky bit in the other triplet.
- Lower-case letter (s or t) = execute permission + special permission
- Capital letter (S or T) = special permission set but no execute permission. On a file a capital S is almost always a mistake: the bit is set but the file cannot be executed by that class, so the special bit is doing nothing useful.
For Files
The SUID Permissions
- The command runs with the authority of the owner of the file (the process's effective UID becomes the file owner's UID), rather than with the authority of the user running the command.
Example:
NOTE!: The passwd command changes a user's password, which is stored in the /etc/shadow file, and that file is not writable by non-privileged users. However, since the passwd command is owned by root and has the suid bit set, the process runs with root's effective UID while the user changes their password. Hence it has the permission to edit the /etc/shadow file. The same mechanism makes suid-root binaries the classic target for local privilege escalation: any flaw in such a program is exploited with root's authority, so an administrator should know every suid-root file on the system and be able to justify each one.
The SGID Permissions
- The command runs with the authority of the group of the file (the process's effective GID becomes the file's group), rather than with the primary group of the user running the command.
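The following is an added example, not code from the original page, serving both the display rule above (lower-case s/t versus capital S/T in the x position) and the suid audit the passwd discussion calls for: it renders a mode the way ls -l does, flags the capital-letter case where a special bit is set without its execute bit, and walks a directory tree for regular files with suid or sgid set. The mode values in the usage section are constructed, and the demo file it creates is an ordinary file owned by the current user with the suid bit set on it, not a real suid-root binary.

```python
# Added example (not from the original page): decode special permission bits as
# ls -l shows them, and enumerate suid/sgid files for an audit.
import os
import stat
import tempfile

# (shift of the triplet, special bit that lives in its x slot, letter ls prints)
TRIPLETS = (
    (6, stat.S_ISUID, "s"),   # user triplet shows suid
    (3, stat.S_ISGID, "s"),   # group triplet shows sgid
    (0, stat.S_ISVTX, "t"),   # other triplet shows the sticky bit
)


def mode_string(mode):
    """Build the 9-character rwx string for a mode. Lower case s/t means the x
    bit is set too; capital S/T means the special bit is set without x."""
    out = []
    for shift, special, letter in TRIPLETS:
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        x = bool(bits & 1)
        if mode & special:
            out.append(letter if x else letter.upper())
        else:
            out.append("x" if x else "-")
    return "".join(out)


def special_bits(mode):
    """Which special bits are set, as a dict of name -> bool."""
    return {
        "suid": bool(mode & stat.S_ISUID),
        "sgid": bool(mode & stat.S_ISGID),
        "sticky": bool(mode & stat.S_ISVTX),
    }


def special_without_exec(mode):
    """True for the capital-letter case: a special bit whose matching execute
    bit is missing, which on a file is usually a misconfiguration worth flagging."""
    return bool((mode & stat.S_ISUID and not mode & stat.S_IXUSR)
                or (mode & stat.S_ISGID and not mode & stat.S_IXGRP)
                or (mode & stat.S_ISVTX and not mode & stat.S_IXOTH))


def find_setid_files(root):
    """Walk root and return (path, mode string) for every regular file with the
    suid or sgid bit set: the starting list for an audit of privileged binaries.
    Symlinks are not followed and unreadable entries are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, mode_string(st.st_mode)))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed modes: passwd-style suid binary, suid without x, sgid group
    # directory, /tmp-style sticky directory, sticky without x.
    for m in (0o4755, 0o4655, 0o2775, 0o1777, 0o1776):
        print(f"{m:04o} -> {mode_string(m)}  capital-letter case: {special_without_exec(m)}")
    with tempfile.TemporaryDirectory() as tmp:
        demo = os.path.join(tmp, "demo-suid")
        open(demo, "w").close()
        os.chmod(demo, 0o4755)   # suid set on a file owned by the current user
        print(find_setid_files(tmp))
```

Run find_setid_files over / as root to get the real list; on a default install it should contain only a handful of well-known programs such as passwd, and anything unexpected (a suid copy of a shell, a suid file in /tmp or a home directory) deserves immediate attention.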
For Directories
The SGID Permissions
- Files created in this directory inherit their group affiliation from the directory, rather than from the primary group of the user who created them; subdirectories created inside it inherit the sgid bit as well.
- The SGID bit is commonly set on shared group directories, so that everything the members create belongs to the group and, with a matching umask, can be read and written by the rest of the group.
Examples:
The Sticky Bit
- The sticky bit on a directory sets a special restriction on the deletion of files.
- If the sticky bit is set on a directory, then only the owner of a file (or the owner of the directory, or root) can delete or rename that file, regardless of the write permission on the directory.
- The classic example of a directory with the sticky bit set is /tmp (mode 1777): everyone can create files there, but nobody can remove or rename another user's files.
Examples: