### User and Groups
A user has a primary group and can belong to multiple secondary groups. Group membership is recorded in the `/etc/group` file. To find which groups a user belongs to, use the `groups <user>` command:

```
$ groups stevejobs
stevejobs : stevejobs adm dialout cdrom floppy sudo audio dip video plugdev netdev

$ groups root
root : root
```

Users can be added to and removed from a group by editing `/etc/group`. The file looks like:
```
root:x:0:
adm:x:4:syslog,stevejobs
stevejobs:x:1000:
```

The last field of each line (fields are separated by `:`) lists the users for whom that group is a secondary group. To add the user billgates to the adm group, we modify the file as follows:
```
root:x:0:
adm:x:4:syslog,stevejobs,billgates
stevejobs:x:1000:
```

The `/etc/group` file can only be modified by the root user, and the change takes effect for a user once they log out and log in again.

### File and Directory Permissions
Whenever we run `ls -l` we get a descriptive listing of all files. The ownership and permission related information can be summarised as:

![ls long](https://i.imgur.com/wJT1uqP.png)

**Ownership:** whoever creates a file becomes its owner. In the above example, the .bash_history file is owned by stevejobs user and is in stevejobs group. The ownership information is closely linked with file permission.

**Permission:** the symbol `r` stands for read, `w` stands for write and `x` stands for execute. By default, when you create a file as a regular user, it is given the permissions `rw-rw-r--` (use the `umask` command to change that default). These permissions have different meanings for a file and for a directory. For files:
- read permission means reading the contents of the file
- write permission means able to update or delete the file
- execute permission means being able to execute the file

For directories:
- read permission means being able to list contents of a directory
- write permission means being able to create, rename, or delete files within the directory, and modify the directory's attributes
- execute permission means being able to cd into the directory and access files and directories inside

### Changing Permission and Ownership
To change permission of a file or directory use the `chmod` command. Permission for owner, group and other is represented using simple arithmetic where:
- 4 means read
- 2 means write
- 1 means execute
Therefore,
- 7 = 4+2+1 means read write execute
- 5 = 4+1 means read and execute

To change the permission of a file to owner (read, write, execute), group (read, execute) and other (read, execute):
```
chmod 755 myfile.txt
```

To change the ownership of a file use the `chown` command:
```
# Change user ownership of file
chown billgates myfile.txt

# Change group ownership of file
chown :microsoft myfile.txt

# Change user and group ownership of file
chown billgates:microsoft myfile.txt
```

Only the file/directory owner and root can use the `chmod` and `chown` commands.

### suid and sgid
Whenever we log in as a user, every command we run acts with that user's privileges. Some operations, such as changing a password, require altering a file owned by root (`/etc/shadow` in this case).

The Linux permissions model has two special access modes called suid (set user id) and sgid (set group id). When an executable program has the suid access mode set, it runs as if it had been started by the file's owner rather than by the user who really started it. Similarly, with the sgid access mode set, the program runs as if the initiating user belonged to the file's group rather than to their own group. Either or both access modes may be set.

```
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 68208 May 28  2020 /usr/bin/passwd
```

Notice the `s` in the owner's execute position (instead of `x`): it means suid has been set.

### Sticky Bit
Anyone with write permission on a directory can delete files in it. This might be acceptable for a group project, but it is not desirable for a globally shared file space such as the `/tmp` directory. Multiple programs write files to `/tmp`, but no program wants another program deleting its files. When the sticky bit is set on a directory, only the root user or the owner can delete files in that directory.

```
$ chmod +t test
$ ls -ld test
drwxr-xr-t 2 stevejobs stevejobs 4096 Dec  4 20:50 test
```

A lowercase `t` means sticky bit plus execute permission. A capital `T` means sticky bit without execute permission. The sticky bit has no meaning for regular files and is ignored.
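Putting the octal arithmetic, the `s`/`S` and `t`/`T` letters together: the following is an added example (not part of the original tutorial) that converts the mode column of `ls -l` into a four-digit octal mode including the suid, sgid and sticky bits, and flags the two cases discussed above, a setuid/setgid executable and a world-writable directory without the sticky bit. The sample lines at the bottom are constructed, and the function names are the example's own.

```shell
# Added example for this page (not from the original tutorial): convert the
# mode column of `ls -l` to a four-digit octal mode including the suid (4000),
# sgid (2000) and sticky (1000) bits, then flag the two cases the text warns about.
# One rwx triplet -> 0..7. Lowercase s/t in the execute slot means "special bit
# AND execute"; uppercase S/T means the special bit without execute, so only
# the lowercase letters add the 1.
triplet_value() {
  v=0
  case "$1" in r??) v=$((v + 4)) ;; esac
  case "$1" in ?w?) v=$((v + 2)) ;; esac
  case "$1" in ??[xst]) v=$((v + 1)) ;; esac
  echo "$v"
}

# mode_to_octal '-rwsr-xr-x' -> 4755 ; mode_to_octal 'drwxr-xr-t' -> 1755
mode_to_octal() {
  m=${1%[.+@]}                                         # drop the ACL/SELinux marker ls may append
  case "$m" in [-dlcbps]?????????) m=${m#?} ;; esac    # drop the leading file-type character
  [ ${#m} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
  case "$m" in *[!rwxsStT-]*) echo "bad mode string: $1" >&2; return 1 ;; esac
  sp=0
  case "$m" in ??[sS]??????) sp=$((sp + 4)) ;; esac    # suid in the owner execute slot
  case "$m" in ?????[sS]???) sp=$((sp + 2)) ;; esac    # sgid in the group execute slot
  case "$m" in ????????[tT]) sp=$((sp + 1)) ;; esac    # sticky in the other execute slot
  u=$(triplet_value "$(printf '%s' "$m" | cut -c1-3)")
  g=$(triplet_value "$(printf '%s' "$m" | cut -c4-6)")
  o=$(triplet_value "$(printf '%s' "$m" | cut -c7-9)")
  printf '%d%d%d%d\n' "$sp" "$u" "$g" "$o"
}

# mode_warning FULL_LS_MODE (10 chars, type char included): prints a note and
# returns 0 for a setuid/setgid executable or a world-writable directory
# without the sticky bit; returns 1 for anything else.
mode_warning() {
  m=${1%[.+@]}
  case "$m" in [-dlcbps]?????????) ;; *) return 1 ;; esac
  oct=$(mode_to_octal "$m") || return 1
  case "$m" in
    d???????w[x-]) echo "world-writable directory without sticky bit ($oct): any user can delete others' files" ;;
    d*) return 1 ;;
    ???[sS]*|??????[sS]*) echo "setuid/setgid executable ($oct): runs with the owner's or group's privileges" ;;
    *) return 1 ;;
  esac
}

# Constructed sample lines in `ls -l` form for a quick self-check.
for line in '-rwsr-xr-x /usr/bin/passwd' 'drwxrwxrwt /tmp' 'drwxrwxrwx /shared' '-rw-rw-r-- notes.txt'; do
  set -- $line; w=$(mode_warning "$1") && w=" [$w]"
  printf '%s %s -> %s%s\n' "$1" "$2" "$(mode_to_octal "$1")" "$w"
done
```

Run over real output with something like `ls -l | awk '{print $1}'`, the same functions turn each listing into its octal mode and flag the entries worth a second look.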