Lesson 5: Users, Groups, Permissions

Warning

This lesson is under construction. Learn from it at your own risk. If you have any feedback, please fill out our General Feedback Survey.

Overview

What are users?

You, right now.

$ whoami    # your username
$ who       # who is logged in?
$ w         # who is here and what are they doing?
$ id        # user ID, group ID, and groups you're in

Not just people: Apache, Mailman, and ntp each run as their own "system user".

Users have an entry in /etc/passwd:

root:x:0:0:root:/root:/bin/bash
username:password:uid:gid:user info (GECOS):home directory:shell

Managing Groups and Users

As someone interacting with servers, even as a developer, it's necessary to understand how to manage users and groups on a Linux machine.

To view all user information on a system check the file /etc/passwd:

$ cat /etc/passwd
# username:x:UID:GID:GECOS:homedir:shell

To add, delete, and change the password of a user respectively run the following commands:

$ useradd <user_name>  # vs adduser, the friendly Ubuntu version
$ userdel <user_name>
$ passwd <user_name>   # or plain `passwd` to change your own password

What are groups?

To add a group, or to change the settings of a user or group, run groupadd, usermod, and groupmod respectively. Similarly to /etc/passwd, /etc/group carries group information.

$ groupadd
$ usermod
$ groupmod
$ cat /etc/group
    root:x:0:
    daemon:x:1:
    bin:x:2:
    sys:x:3:
    adm:x:4:
    tty:x:5:
# group name:password or placeholder:GID:member,member,member

A user's new group membership won't take effect until they "log back in": existing sessions keep the group list they started with.
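To tie the /etc/passwd and /etc/group formats together, here is an added example (not part of the lesson) that audits passwd- and group-format files: it flags accounts with an empty password field or a second UID 0, and resolves a group's full membership, which is the explicit member list in /etc/group plus every user whose primary GID in /etc/passwd matches. The sample files it reads are constructed, not a real system's.

```shell
#!/bin/sh
# Added example: audit constructed passwd/group files (not real system files).
SAMPLE_DIR=$(mktemp -d)   # sample files are left here for inspection

# Constructed /etc/passwd: username:x:UID:GID:GECOS:homedir:shell
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
secondroot:x:0:0::/root:/bin/bash
guest::1001:1001::/home/guest:/bin/bash
lance:x:1000:1000:Lance:/home/lance:/bin/bash
jane:x:1002:2000:Jane:/home/jane:/bin/bash
EOF

# Constructed /etc/group: group name:x:GID:member,member
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
devops:x:2000:lance
EOF

# An empty password field means "no password at all" (unlike "x", which
# points to /etc/shadow), and any account with UID 0 is a superuser
# whatever it is called, so report both.
passwd_findings() {
  awk -F: '
    $2 == ""                { print "empty-password:" $1 }
    $3 == 0 && $1 != "root" { print "uid0:" $1 }
  ' "$1"
}

# Usage: group_members GROUP PASSWD_FILE GROUP_FILE
# Prints one member per line, sorted: explicit members from the group file
# plus users whose primary GID in the passwd file is that group's GID.
group_members() {
  awk -F: -v g="$1" '
    NR == FNR {                      # first file read: the group file
      if ($1 == g) {
        gid = $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
      }
      next
    }
    gid != "" && $4 == gid { seen[$1] = 1 }   # passwd file: primary GID
    END { for (u in seen) print u }
  ' "$3" "$2" | sort
}

passwd_findings "$SAMPLE_DIR/passwd"
group_members devops "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
```

Note that `root` has no explicit members in the sample group file, yet `group_members root` reports both `root` and `secondroot` through their primary GID, which is exactly the kind of membership a quick `cat /etc/group` would miss.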

Passwords

Password hashes live in /etc/shadow, not /etc/passwd, and only root and the shadow group can read it:

user@localhost ~ $ ls -l /etc/ | grep shadow
-rw-r-----  1 root shadow   1503 Nov 12 17:37 shadow

$ sudo su -
$ cat /etc/shadow
daemon:*:15630:0:99999:7:::
bin:*:15630:0:99999:7:::
sys:*:15630:0:99999:7:::
mail:*:15630:0:99999:7:::

# name:hash:days since epoch of last change:min days between changes:
#    max days between changes:days of warning before expiry:days of
#    inactivity after expiry before the account is disabled:day of
#    account expiry:reserved

$ chage # change when a user's password expires

Root/Superuser

Sudo get me a sandwich.

Warning

Acting as root is dangerous! You can accidentally delete your filesystem, forcing you to completely re-install your OS! Type carefully.

Sudo

Consult man 5 sudoers for more information:

# User alias specification
User_Alias  DOBC_ADMIN = lance, teacher
User_Alias  DOBC_STUDENT = john, jane

# Runas alias specification
Runas_Alias ADMIN = root, sysadmin
Runas_Alias STUDENT = httpd

# Host alias specification
Host_Alias OSU_NET = 128.193.0.0/16
Host_Alias SERVERS = www, db

# Cmnd alias specification
Cmnd_Alias KILL = /bin/kill
Cmnd_Alias SU = /bin/su

#  User privilege specification
root          ALL = (ALL) ALL
DOBC_ADMIN    ALL = NOPASSWD: ALL
DOBC_STUDENT OSU_NET = (STUDENT) KILL, SU

Acting as another user

$ su joe            # become user joe, with THEIR password
$ su                # become root, with root's password
$ sudo su -         # become root, with your password
$ sudo su joe       # become user joe with your password

A dash after su starts a login shell, so you get the environment that user would normally have (their home directory, PATH, and shell startup files) rather than a mix of yours and theirs. It's good practice to always use su -.

Super users

Running a command that requires root permissions as a regular user simply fails. sudo lets you run such commands as root (or another user) based on what the sudoers policy allows you. For example:

[dobc@dobc ~]$ yum install httpd      # Runs command as `dobc` user
Loaded plugins: fastestmirror, ovl
ovl: Error while doing RPMdb copy-up:
[Errno 13] Permission denied: '/var/lib/rpm/__db.002'
You need to be root to perform this command.

[dobc@dobc ~]$ sudo yum install httpd # Runs command as `root` user.
password:
Loaded plugins: fastestmirror, ovl
[... installs correctly ...]

Exercises

  1. Create a user on your system for yourself, with your preferred username.
  2. Give your user sudo powers.
  3. Change your password.
  4. Use su to get into your user account.
  5. Create a directory called bootcamp in your home directory.
  6. Create a group called devops.

Exercise Answer Key

$ sudo su -
$ useradd lance
# better to use visudo instead
$ echo "lance ALL = (ALL) ALL" >> /etc/sudoers
$ passwd lance
Changing password for user lance.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
$ su - lance
$ mkdir bootcamp
$ sudo groupadd devops

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for lance:

Further Reading

Next: Lesson 6: Files