# LINUX USERS AND PERMISSIONS

## **Types of Linux Users Notes**

### **Admin or Non-admin**

A Linux user is either an administrator or a non-administrator. The administrator is the superuser (the root user) with full control over the entire system, including read and write access to every file on it. Because of that, only a very small number of people should hold that level of access. In contrast, a non-administrator by default has limited (or no) access to certain system and configuration files.

### **Normal User**

A majority of the accounts will be non-administrators. These users can be divided into two subtypes: normal user or system user. Normal users are real people. The individual is given a user account for login and limited access to computer applications, files, and resources.

### **System User**

A system user is typically a non-human, computer-generated account. System users are created to run a specific program, process, or daemon such as a web server or a backup program. This type of “user” is limited in control and is assigned only enough access to manage its particular process.

## **Users and Groups in Linux**

On a Linux system, all users added are assigned a name, unique user identification (UID), group, and group identification (GID). When a user is initially created, a new UID and matching GID are assigned.

UID and matching GID numbers are assigned based on the type of user:

* Administrator (root): UID and GID = 0
* System user (computer-generated): UID and GID assigned from 1 to 999
* Normal users (real people): UID and GID = 1000 or greater, incremented with every new user

The new user is by default assigned a matching group name (and typically a matching GID) so that the user will be a member of their own group. For example, a user **stephen** (UID = 1000) will also be assigned to the group **stephen** (GID = 1000).

We can create groups and add users to them. For example, in our diagram, we have a group called **Business** that includes the user **Tony**. A user can also be a member of more than one group.

We can use the `id` and `groups` commands in the terminal to check our UID, GID, and group memberships.

Admin users can also view and modify the user and group information stored in the `/etc/passwd` and `/etc/group` files (both are readable by every user but writable only by root).
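As an added example (not part of the original notes), the script below applies the UID ranges listed above to a constructed `/etc/passwd`-style sample and lists the accounts of each type. It also pulls out every account with UID 0, which is the quick check an administrator runs to confirm that root is the only superuser account. The sample entries are made up for the demonstration.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format (name:password:UID:GID:comment:home:shell);
# the entries are illustrative, not copied from a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
stephen:x:1000:1000:Stephen:/home/stephen:/bin/bash
tony:x:1001:1001:Tony:/home/tony:/bin/bash'

# classify_uid UID -> admin | system | normal, using the UID ranges from the notes above
classify_uid() {
  if [ "$1" -eq 0 ]; then
    echo admin
  elif [ "$1" -lt 1000 ]; then
    echo system
  else
    echo normal
  fi
}

# list_users_of_type TYPE [PASSWD_TEXT] -> usernames of that type, one per line
list_users_of_type() {
  wanted=$1
  printf '%s\n' "${2:-$SAMPLE_PASSWD}" | while IFS=: read -r name pw uid rest; do
    if [ "$(classify_uid "$uid")" = "$wanted" ]; then
      echo "$name"
    fi
  done
}

# uid0_accounts [PASSWD_TEXT] -> every account whose UID is 0.
# Only root should appear; any second entry here has full superuser rights
# and deserves an immediate look by the administrator.
uid0_accounts() {
  printf '%s\n' "${1:-$SAMPLE_PASSWD}" | awk -F: '$3 == 0 { print $1 }'
}

# Demo against the constructed sample (pass "$(cat /etc/passwd)" to audit a real system).
echo "system accounts: $(list_users_of_type system | tr '\n' ' ')"
echo "normal accounts: $(list_users_of_type normal | tr '\n' ' ')"
echo "UID 0 accounts:  $(uid0_accounts | tr '\n' ' ')"
```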

## **File Permissions in Linux**

How do users and groups relate to what files they can access?

Running `ls -l` in a directory lists, for each entry, its permissions, owner, group, file size, date/time, and name.

In Linux, access control is based on file permissions. Each file or directory has exactly one owner and one group; the owner and the members of that group usually have more permission to read, write, or execute it than everyone else on the system.

Let’s break down the permissions line for file-1.txt from the screenshot:

`-rw-rw-r--`

Note: the first character identifies the entry as a directory (`d`) or a regular file (`-`).

The following nine characters should be read as three triplets: `rw-` for the file's owner, `rw-` for the file's group, and `r--` for all other users. What do these symbols mean?

* read (`r`) = contents can be viewed but not edited, renamed, added, or deleted
* write (`w`) = contents can be viewed, edited, renamed, added, and deleted
* execute (`x`) = contents can run as a program or script
* (`-`) = that permission is not granted

So, the permissions shown for file-1.txt mean that the owner can read and write, the group can read and write, and all others can only read.

Read-write-execute permissions can also be written as numbers, with each being a power of two. Each set of triplets can be expressed as the sum of the permissions that apply.

read = `r = 4`, write = `w = 2`, execute = `x = 1`

For example, a file’s permission being `777` is equivalent to `rwxrwxrwx`, whereas a file’s permission being `755` is equivalent to `rwxr-xr-x`.

## **Default Permissions**

When a normal user creates a folder, its owner is set to that user and its group to the user's primary group (which, as noted above, usually carries the same name). The default permissions are typically 755 (“rwx” for the user, “rx” for the group, and “rx” for others). These defaults, which come from the user's umask (commonly 022), are designed to restrict access until it is deliberately granted!

When the user then creates a file inside the folder, the owner and group are set the same way, while the permissions for that file default to 644 (“rw” for the user, “r” for the group, and “r” for others).
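As an added example covering both the symbolic/octal notation above and these default permissions (this is not code from the original notes), the script below converts an `ls -l` permission string to its octal form and back, and derives the 755 and 644 defaults by clearing the umask bits from the 777 (directory) and 666 (file) base modes. It assumes a POSIX shell with `cut` and `printf` available.

```shell
#!/bin/sh
# symbolic_to_octal SYMBOLIC -> three octal digits.
# Input is the nine permission characters from ls -l, without the leading
# type character, e.g. rw-rw-r-- -> 664. Each triplet sums r=4, w=2, x=1.
symbolic_to_octal() {
  sym=$1
  [ "${#sym}" -eq 9 ] || { echo "expected 9 characters, got '$sym'" >&2; return 1; }
  out=""
  i=1
  while [ "$i" -le 9 ]; do
    triplet=$(printf '%s' "$sym" | cut -c "$i-$((i + 2))")
    d=0
    case $triplet in r??) d=$((d + 4)) ;; esac
    case $triplet in ?w?) d=$((d + 2)) ;; esac
    case $triplet in ??x) d=$((d + 1)) ;; esac
    out="$out$d"
    i=$((i + 3))
  done
  echo "$out"
}

# octal_to_symbolic OCTAL -> nine-character form, e.g. 755 -> rwxr-xr-x
octal_to_symbolic() {
  case $1 in
    [0-7][0-7][0-7]) ;;
    *) echo "expected three octal digits, got '$1'" >&2; return 1 ;;
  esac
  out=""
  i=1
  while [ "$i" -le 3 ]; do
    d=$(printf '%s' "$1" | cut -c "$i")
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    i=$((i + 1))
  done
  echo "$out"
}

# default_mode BASE UMASK -> the mode a newly created object receives: the base
# (777 for directories, 666 for regular files) with the umask bits cleared.
# With the common umask 022 this yields the 755 and 644 defaults from the notes.
default_mode() {
  printf '%03o\n' $(( 0$1 & ~0$2 ))
}

echo "rw-rw-r-- = $(symbolic_to_octal rw-rw-r--)"
echo "755 = $(octal_to_symbolic 755)"
echo "new directory with umask 022: $(default_mode 777 022)"
echo "new file with umask 022: $(default_mode 666 022)"
```

A stricter umask such as 077 gives 700 for directories and 600 for files, which is why hardening guides often change it for shared machines.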

## **Elevating Privileges (sudo)**

Good security practices suggest that administrator/root access be limited. Typical day-to-day activities such as word processing, web browsing, or listening to music should never be done using the administrator account.

However, there are times when an administrator account is required to perform specific tasks, like adding and modifying permissions and configuring system software.

The Linux shell provides the `sudo` command, which temporarily elevates privileges for a user who has been allowed to use it (typically a member of the administrator group, named `sudo` or `wheel` depending on the distribution).

Let’s say we need to modify the owner of a file named **sketches.ppt** from **bob** to **debbie**. We could enter the `chown` command with the right parameters in the terminal:

`$ chown debbie sketches.ppt`

However, if we have admin privileges but are not logged in as the administrator, this command returns an “operation not permitted” error because our own privileges are insufficient. Putting `sudo` in front of the same command invokes admin privileges for that one command once we confirm our identity:

`$ sudo chown debbie sketches.ppt`

and enter our password to prove we are the current authorized user.

## **Modifying Users, Groups, and Permissions**