Lesson 5: Users, Groups, Permissions
| Homepage | Content | Slides | Video |
Warning
This lesson is under construction. Learn from it at your own risk. If you have any feedback, please fill out our General Feedback Survey.
Overview
- What a user is.
- Who can be a user.
- What a group is.
- Acting as another user.
- The root user.
What are users?
You, right now.
$ whoami # your username
$ who # who is logged in?
$ w # who is here and what are they doing?
$ id # user ID, group ID, and groups you're in
Not just people: Apache, Mailman, ntp. "system users"
Users have
- Username
- UID
- Group
- Shell
- Usually (but not always) password
- Usually (but not always) home directory
/etc/passwd:
root:x:0:0:root:/root:/bin/bash
username:password:uid:gid:uid info:home directory:shell
Managing Groups and Users
As someone interacting with servers, even as a developer, it's necessary to understand how to manage users and groups on a Linux machine.
To view all user information on a system check the file /etc/passwd:
$ cat /etc/passwd
# username:x:UID:GID:GECOS:homedir:shell
Managing Groups and Users
To add, delete, and change the password of a user respectively run the following commands:
$ useradd <user_name> # vs adduser, the friendly Ubuntu version
$ userdel <user_name>
$ passwd
What are groups?
To add a group, or the permissions of a user/group run groupmod, usermod, and groupmod respectively. Similarly to /etc/passwd, /etc/group carries group information.
$ groupadd
$ usermod
$ groupmod
$ cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
# group name:password or placeholder:GID:member,member,member
Users won't be active in new group until they "log back in"
Passwords
/etc/shadow, not /etc/passwd
user@localhost ~ $ ls -l /etc/ | grep shadow
-rw-r----- 1 root shadow 1503 Nov 12 17:37 shadow
$ sudo su -
$ cat /etc/shadow
daemon:*:15630:0:99999:7:::
bin:*:15630:0:99999:7:::
sys:*:15630:0:99999:7:::
mail:*:15630:0:99999:7:::
# name:hash:time last changed: min days between changes: max days
# between changes:days to wait before expiry or disabling:day of
# account expiry
$ chage # change when a user's password expires
Root/Superuser
- UID 0
- sudo
Warning
Acting as root is dangerous! You can accidentally delete your filesystem, forcing you to completely re-install your OS! Type carefully.
Sudo
Consult man 5 sudoers for more information:
# User alias specification
User_Alias DOBC_ADMIN = lance, teacher
User_Alias DOBC_STUDENT = john, jane
# Runas alias specification
Runas_Alias ADMIN = root, sysadmin
Runas_Alias STUDENT = httpd
# Host alias specification
Host_Alias OSU_NET = 128.193.0.0/16
Host_Alias SERVERS = www, db
# Cmnd alias specification
Cmnd_Alias KILL = /bin/kill
Cmnd_Alias SU = /bin/su
# User privilege specification
root ALL = (ALL) ALL
DOBC_ADMIN ALL = NOPASSWD: ALL
DOBC_STUDENT OSU_NET = (STUDENT) KILL, SU
Acting as another user
$ su joe # become user joe, with THEIR password
$ su # become root, with root's password
$ sudo su - # become root, with your password
$ sudo su joe # become user joe with your password
A dash after su provides an environment similar to what the user would expect. Typically a good practice to always use su -
Super users
Trying to run commands which require root permissions as a regular user can be a problem. However, sudo authorizes you to do commands based on your permissions. For example:
[dobc@dobc ~]$ yum install httpd # Runs command as `dobc` user.
Loaded plugins: fastestmirror, ovl
ovl: Error while doing RPMdb copy-up:
[Errno 13] Permission denied: '/var/lib/rpm/__db.002'
You need to be root to perform this command.
[dobc@dobc ~]$ sudo yum install httpd # Runs command as `root` user.
password:
Loaded plugins: fastestmirror, ovl
[... installs correctly ...]
Exercises
- Create a user on your system for yourself, with your preferred username.
- Give your user sudo powers.
- Change your password.
- Use su to get into your user account.
- Create a directory called bootcamp in your home directory.
- Create a group called devops.
Exercise Answer Key
$ sudo su -
$ useradd lance
# better to use visudo instead
$ echo "lance ALL = (ALL) ALL" >> /etc/sudoers
$ passwd lance
Changing password for user lance.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
$ su - lance
$ mkdir bootcamp
$ sudo groupadd devops
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for lance:
Further Reading
Next: Lesson 6: Files