How to Manage Permissions and Privileges in Linux?
Overview
The Linux operating system is mainly used where multiple users require concurrent access, for example, on servers. Concurrent access by multiple users raises the question of authorization and of maintaining the integrity of data stored in files, which Linux resolves through the concept of user permissions and privileges.
To simplify the maintenance, users can be clubbed together to form groups addressable as an entity. We can ensure proper authorization and data integrity using these permissions and privileges.
Introduction to Permissions, Users, and Groups
Linux operating systems are used almost everywhere: as server operating systems, database servers, file servers, and email servers, to host websites, store data, send and receive emails, perform network operations, and run scientific computing workloads, on IoT devices, and for a variety of other purposes.
Linux manages different users at once by creating groups and permissions for each user based on which the user can or cannot access or modify the content.
Linux user permissions ensure that only a user with adequate permissions can access a resource and only a user with modify permission can modify it, creating a secure environment for multi-user functionality. This enables sharing of system resources while allowing several users to use the operating system concurrently and independently.
In a Linux operating system, an entity called a user is capable of manipulating files and carrying out several other tasks. The system assigns a unique identifying number, or UID, to each user, which can be used further to assign a user to any group or change permissions for that particular user.
In the Linux operating system, these users can be grouped to enable the administrator to specify permissions at the group level rather than having to set permissions for each user. Group identification numbers, or GIDs, are used in Linux systems to identify each group uniquely. Each user can be part of multiple groups, one of which would be the primary group, and the rest are known as secondary groups.
How to Create Directories and Files in Linux?
We can use the command line or a graphical file manager in Linux to create a directory. We will be using the command line interface.
- To open the terminal, press Ctrl + Alt + T.
- To create a directory in the root directory, use the following command: mkdir directory_name
As we can observe, nothing is returned on the command line when the command is successful. Furthermore, the command ls is used to show all the directories and files in the current working folder and confirms the creation of the directory. To create a directory in some other directory, you need to navigate to the required directory first using the following command: cd directory_name. This command will navigate into the directory, after which we can use the command mkdir directory_name to create a new directory in that directory.
Additionally, you can make several directories at once using the following command: mkdir {dir1,dir2,dir3} // This command will create 3 directories named dir1, dir2, dir3.
While creating a directory, we can use the optional argument "-m" to set the read, write, and execute permissions (rwx permissions). Using the command ls -l, we can check all the directories and files in the current working directory and the permissions of each one.
Similarly, to create files in a Directory, we can use the command line :
- To open the terminal, press Ctrl + Alt + T.
- The "touch" command can be used to create a file in the manner shown below: touch file1.txt // This creates a file named file1 with txt as file format.
We can also use the "cat" and "echo" commands to create a file, or we can use text editors like vim, nano, etc. For example, to use the cat command, the following command will be used: cat > file2.txt. This command will create a file and will wait to take input. That input will be transferred into the file.
To use the echo command to create a file, we use the following command: echo "hello world" > file3.txt. This command will create the file file3.txt and output the text "hello world" into the file.
To use the Vi editor to create a file, we use the following command: vi file4.txt. On pressing Enter, the Vi text editor will open. Press i to insert, and to save and exit press ESC, then type “
How to Manage Ownership and Groups in Linux?
Whenever a file is created, the user who created it becomes the owner of the file. The file also gets attached to the group of which the owner is a part, called the primary group. Information about the groups is stored in the /etc/group file.
In this image, we can see the file's permissions that indicate the read, write, and execute permissions in the respective order of the owner, group owner, and other users.
The chown command in Linux changes the user who is the owner of the file or directory. A particular user or group owns each file. The chown command should be used as follows:
As you can see above, the command fails to run specifying operation not permitted because, in Linux, you need administrative permission to change ownership of the file. To go into the administrative mode, use the sudo su command, after which the ownership of the file can be changed.
To Change a Group Ownership in Linux
Enter administrative mode using the command sudo su. We can then use the "chgrp" command to change the group. Group ownership can also be changed using the "chown" command. However, we will move forward with "chgrp" in this example.
The syntax for the chgrp command is :
As you can observe in the above image, the file's group ownership is transferred from "kali" to "test_grp."
Create a Group
To Create a group in Linux :
- To open the terminal, press Ctrl + Alt + T.
- Enter administrative mode using the sudo su command.
- Then enter the following command: groupadd group_name // This command creates a group called group_name.
Add User to a Group
To Add a user to a group in Linux :
In the administrative mode in the terminal, use the following command: usermod -a -G group_name user_name // This command adds the user "user_name" to the specified group group_name.
Or
adduser user_name sudo // This command adds the user user_name to the sudo group, which is the group with administrative permissions.
Delete the User from a Group
To delete the user from a group in Linux :
In the administrative mode in the terminal, use the following command: gpasswd -d user_name group_name // This command removes the user with user_name from the group group_name.
Delete a Group
To delete a group in Linux :
In the administrative mode in the terminal, use the following command: groupdel group_name // This command deletes the group called group_name.
Types of User Accounts
User accounts can be further divided into three types, known as root user accounts, regular user accounts, and service accounts.
- Root user account: It is also known as an administrative or superuser account. In addition to adding, editing, and removing users and groups, this user account has complete access to all system-wide resources. It has the highest privilege in the system and is used for system administration.
- Regular user accounts: It is also known as a "standard user account". This account is used for normal functions. It can only access the services and files for which it is authorized, and it can only do the tasks for which it is authorized. It could be disabled or removed depending on the needs.
- Service accounts: These accounts are just like any other user account, but they are created to be used by an application. The package manager usually creates and configures service accounts when installing the service software.
Create, View, and Delete User Accounts
- To open the terminal, press Ctrl + Alt + T.
- Enter administrative mode using the sudo su command. Administrative privilege is required to create, view or delete user accounts.
- To create a user account, use the following command: useradd user_name // This command will just create a user with a specified username. Or: adduser user_name // This command creates a user with the specified username, but it also creates a new group with the same user name and adds the user to the given group.
- To give admin privilege to the added user, use the following command: usermod -aG sudo user_name // The usermod command modifies configuration files such as the /etc/passwd file, which maintains user account-related information, the /etc/shadow file, which maintains user account security-related information, and the /etc/group file, which maintains group-related information. These files should only be modified using the usermod command.
- To view all the user accounts in the system, use the following command: cat /etc/passwd // This gives detailed information. Or: awk -F: '{ print $1 }' /etc/passwd // This gives only the usernames of user accounts.
- To delete a user account, we need to remove the user from a group, then we can remove the user. To remove a user from the group, you can refer above in the article. If the user is not an affiliate of any group, we can directly remove the user account using the following command: userdel user_name // This command deletes the user with username user_name.
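When reviewing who holds admin privilege, the member list in /etc/group is not the whole picture: a user whose primary group is sudo appears only in /etc/passwd. The following added example (not part of the original article) resolves both kinds of membership; the helper name group_members and the sample accounts are constructed for illustration.

```sh
# Constructed sample data in /etc/passwd and /etc/group format (not real accounts).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:27:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
sudo:x:27:alice
www-data:x:33:
alice:x:1000:
carol:x:1002:
EOF

# Hypothetical helper: group_members GROUP PASSWD_FILE GROUP_FILE
# Prints a comma-separated, sorted list of every member of GROUP:
#   - users named in the 4th field of the group file (secondary membership)
#   - users whose primary GID (4th field of the passwd file) is the group's GID
group_members() {
    awk -F: -v grp="$1" '
        NR == FNR {                         # first file: the group database
            if ($1 == grp) {
                gid = $3
                n = split($4, listed, ",")
                for (i = 1; i <= n; i++) print listed[i]
            }
            next
        }
        gid != "" && $4 == gid { print $1 }  # second file: the passwd database
    ' "$3" "$2" | sort -u | paste -sd, -
}

# The group file alone lists only alice; bob is a member through his primary GID.
group_members sudo "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"   # alice,bob
```

On a live system the same function can be pointed at /etc/passwd and /etc/group; it covers local accounts only, not users supplied by a directory service.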
How to Manage Permissions in Linux?
As we have seen earlier, each file has a set of permissions that defines the access level of the owner, group, and others regarding the read, write and execute status of the file. To check the specific permission of a file, we can use the following command : ls -l file_name
These permissions can be modified depending on the requirement. For this, we can use the "chmod" command, which enables us to change the file permissions.
Only the Root user or the owner of the file/directory can change its permission.
Permissions can be set in two modes, either Absolute mode or Symbolic mode.
- Symbolic Mode: In symbolic mode, we grant or remove permissions by combining letters and symbols.
- Absolute Mode: For adding or removing permissions in absolute mode, we use a number to represent file permissions.
Manage Permissions Using Absolute Mode
The following Table depicts the permissions representations and their corresponding permissions :
Octal Value | Binary | Permission Representation | Permission Description |
---|---|---|---|
0 | 000 | - - - | No Permission |
1 | 001 | - - x | Execute Only Permission |
2 | 010 | - w - | Write Only Permission |
3 | 011 | - w x | Write and Execute Permissions |
4 | 100 | r - - | Read Only Permission |
5 | 101 | r - x | Read and Execute Permissions |
6 | 110 | r w - | Read and Write Permissions |
7 | 111 | r w x | Read, Write, and Execute Permissions |
Now we can directly use either the combination of octal values or rwx notation to set file permissions, for example.
This example depicts permissions using the octal values and setting individual permission of users, groups, and others using the rwx notations.
Manage Permissions Using Symbolic Mode
In symbolic mode, mathematical symbols are used to change the permissions :
Symbol | Description |
---|---|
+ | This Symbol denotes the addition of permission to a file or directory |
- | This Symbol denotes the removal of permission from a file or directory |
= | This Symbol is used to apply and overwrite any previous permissions set on a file or directory |
Also, "u" denotes the user, "g" denotes the group, "o" denotes others, and "a" denotes all.
The following example denotes changing permissions using symbolic mode.
In this example, we modified and assigned the permission of the file using symbolic mode.
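The two modes described above differ in scope: an absolute mode replaces all nine permission bits at once, while a symbolic clause changes only the class and bits it names. The following added example (not part of the original article) walks one throwaway file through both; the helper set_and_show is a hypothetical name, and stat -c assumes GNU coreutils.

```sh
# Throwaway file so no real data is touched (constructed for this example).
DEMO_DIR=$(mktemp -d)
DEMO_FILE="$DEMO_DIR/report.txt"
: > "$DEMO_FILE"

# Hypothetical helper: apply one chmod mode string, then print the resulting
# permissions as "<octal> <rwx string>" so both notations can be compared.
set_and_show() {
    chmod "$1" "$2" && stat -c '%a %A' "$2"
}

# Absolute mode sets owner, group and others together: 6 = rw-, 4 = r--, 0 = ---.
set_and_show 640 "$DEMO_FILE"            # 640 -rw-r-----

# Symbolic "+" and "-" change only the named class and bit.
set_and_show g+w "$DEMO_FILE"            # 660 -rw-rw----
set_and_show u+x "$DEMO_FILE"            # 760 -rwxrw----
set_and_show g-w "$DEMO_FILE"            # 740 -rwxr-----

# Symbolic "=" overwrites one class: others end up with exactly r--.
set_and_show o=r "$DEMO_FILE"            # 744 -rwxr--r--

# Clauses can be combined; "o=" with nothing after it clears the class,
# so this line is the symbolic equivalent of the absolute mode 640.
set_and_show u=rw,g=r,o= "$DEMO_FILE"    # 640 -rw-r-----
```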
Special Permissions and Access Control Lists and Modifying Permissions
Apart from read, write, and execute, there are some other permissions that are less commonly used but essential to know, known as special permissions. They allow additional privileges over the standard permission sets. These include SUID, SGID, and the sticky bit.
SUID
SUID, which is short for Set User ID, is a special permission. This special permission enables the execution of the file with the permission and privilege of the owner of the file. When the set user ID bit is enabled, it ensures that whoever executes the file will always run it with the privileges of the owner of the file. To set up SUID, we can use the following command: chmod u+s file_name
Note :
- If you observe that "S" is present in the file permissions, it indicates that the user does not have execute permission. When execute permission is available, "s" will be shown in the file permissions.
- Also, to add SUID using the absolute method, we can prepend a 4 to the numerical permissions.
SGID
SGID, which is short for Set Group ID, is also a special permission. When this permission is enabled, the GID of the user becomes the same as that of the group owner. That is, any user can access a file with the permissions provided to the group owner. To set up SGID, we can use the following command: chmod g+s file_name
Also, to add SGID using the absolute method, we can prepend a 2 to the numerical set of permissions.
Sticky Bit
Sticky bit, as the name suggests, is used to prevent files from being deleted by authorizing only the root user, owner of the file, or owner of the directory to delete the file. To set up this sticky bit, we can use the following command : chmod o+t file_name
Also, to add the sticky bit using the absolute method, we can prepend a 1 to the numerical permissions set.
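Because these bits grant privileges beyond the standard rwx set, administrators routinely inventory where they are set. The following added example (not part of the original article) builds a constructed directory tree, sets each special bit with the absolute method, and then lists SUID/SGID entries and world-writable directories that lack the sticky bit; the function names are hypothetical and stat -c assumes GNU coreutils.

```sh
# Constructed test tree; every name below is made up for this example.
AUDIT_DIR=$(mktemp -d)
: > "$AUDIT_DIR/helper";    chmod 4755 "$AUDIT_DIR/helper"   # SUID with execute: "s"
: > "$AUDIT_DIR/broken";    chmod 4644 "$AUDIT_DIR/broken"   # SUID, no execute: "S"
: > "$AUDIT_DIR/plain";     chmod 0755 "$AUDIT_DIR/plain"    # no special bits
mkdir "$AUDIT_DIR/shared";  chmod 2775 "$AUDIT_DIR/shared"   # SGID directory
mkdir "$AUDIT_DIR/dropbox"; chmod 0777 "$AUDIT_DIR/dropbox"  # world-writable, no sticky bit
mkdir "$AUDIT_DIR/tmp";     chmod 1777 "$AUDIT_DIR/tmp"      # world-writable with sticky bit

# Hypothetical helper: find_special DIR BIT
# Lists entries below DIR that carry BIT (4000 = SUID, 2000 = SGID),
# one per line as "<rwx string> <path>", sorted by path.
find_special() {
    find "$1" -mindepth 1 -perm "-$2" -exec stat -c '%A %n' {} + | sort -k2
}

# Hypothetical helper: find_unsticky_dirs DIR
# Lists world-writable directories below DIR without the sticky bit, i.e.
# directories where any user may delete files created by other users.
find_unsticky_dirs() {
    find "$1" -mindepth 1 -type d -perm -0002 ! -perm -1000 -print | sort
}

find_special "$AUDIT_DIR" 4000     # broken (-rwSr--r--) and helper (-rwsr-xr-x)
find_special "$AUDIT_DIR" 2000     # shared (drwxrwsr-x)
find_unsticky_dirs "$AUDIT_DIR"    # dropbox only; tmp is protected by the sticky bit
```

To review a real system, pass a directory such as / or /usr instead of the temporary tree and compare the result against the list of SUID/SGID programs the distribution is expected to ship.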
Conclusion
- Permissions and privileges are integral to managing concurrent access from multiple users.
- Linux user permissions are used to ensure a secure environment for multi-user functionality by employing various checks in the form of permissions and privileges.
- Directories can be created using the mkdir command.
- Files can be created with touch, cat, or echo, or by using text editors.
- The three basic types of permission include Read, Write and Execute.
- Users can be grouped and added into groups, making them more convenient to address.
- Root user accounts, regular user accounts, and service accounts are the categories into which user accounts can be further subdivided.
- There are two ways to set permissions: in absolute or symbolic modes.
- Special Permissions are available in Linux. These include sticky bit, SGID, and SUID. These permissions allow special privileges.