File permissions and user groups in Linux

File permissions and user groups in Linux
Photo by Gabriel Heinzer / Unsplash

Introduction to the concept of users and groups was a natural step towards the division of resources and operating system functions among individuals and their tasks. Each user is provided with a personalized working environment, including elements such as:

  • A command shell process with personalized settings from profiles.
  • File system paths with user-accessible directories, including the home directory.
  • Machine hardware resources defined or constrained through cgroups.

And some others. Of course, users with similar access needs are conveniently grouped together, as is typically done. Therefore, access rights to an operating system object—such as a file or device—are evaluated for three categories:

  • The user who created the object.
  • The group associated with the object.
  • All other users and groups.

The rights themselves are also defined by three actions, each with a letter and a numerical alias:

  • Read — r or 4
  • Write — w or 2
  • Execute — x or 1

Thus, the access control map in Linux takes the form of a basic 3x3 matrix, which can be seen in a line-by-line form using the ls -l command:

ls -l /usr/bin/zgrep
-rwxr-xr-x 1 root root 5942 Apr 1 22:28 /usr/bin/zgrep

Here it is shown that the file /usr/bin/zgrep is owned by root and associated with the root group. The owner has all rights to the file—read, write, and execute—while the associated group has only read and execute permissions, and all others can only read and execute this file. Letter designations for permissions can also be used in the chmod program to set access rights:

chmod g+w /usr/bin/zgrep
ls -l /usr/bin/zgrep
-rwxrwxr-x 1 root root 5942 Apr 1 22:28 /usr/bin/zgrep

The permissions have changed—now the associated group can write data to this file. However, more commonly, permission notation is used in the form of a three-digit number, where the first digit represents the owner's rights, the second digit represents the associated group's rights, and the third digit represents the rights of all others. Digital permission codes are cumulative if users and groups are given multiple permissions.

chmod 755 /usr/bin/zgrep
ls -l /usr/bin/zgrep
-rwxr-xr-x 1 root root 5942 Apr 1 22:28 /usr/bin/zgrep

Here, the associated group has been deprived of its previous write permission. A group provides all its members with access to the operating system objects with which it is associated.

ls -l /dev/sdb
brw-rw---- 1 root disk 8, 16 May 1 21:26 /dev/sdb

Here, the file of the second drive is associated with the "disk" group, which has been granted read and write permissions to this file. Therefore, for the ability to work directly with this drive (for example, to create a partition), it is sufficient for the user to be a member of the "disk" group. Typically, in the operating system, a certain number of groups are already formed, providing access to drives, graphics cards, buses, binaries, and are named "disk," "video," "usb," and by the names of programs. To find out which files are associated with a group, you can use the search:

find / -mount -group locate

Next, the creation of a new group, adding a user to this group, removing a user from the group, and deleting the group itself will be demonstrated:

groupadd new_grp
gpasswd -a root new_grp
Adding user root to group new_grp
gpasswd -d root new_grp
Removing user root from group new_grp
groupdel new_grp

Creating a new user in Linux involves setting up their personal environment. The following actions are performed:

  • Creation of a personal group, with its name matching the username.
  • Generation of user (UID) and group (GID) identifiers. These identifiers are numerical values.
  • Adding the user to other specified groups.
  • Creating a home directory (usually /home/$USER) with appropriate access rights.
  • Copying files from the /etc/skel directory to the new home directory.

The new user is associated with a path to the program that will serve as their command shell. Typically, this is /bin/bash. Adding a user is done with a single command:

useradd -m -g vboxusers -G wheel,audio,video,usb -s /bin/bash forvirt

Here, a user named "forvirt" was created, but they were immediately associated with the "vboxusers" group, so the "forvirt" group was not created. The option -G sets the list of additional groups to which the new user will belong, -m creates a home directory for them with files from /etc/skel, and -s associates the user with the path to the command shell.

ls -l /home | grep forvirt
drwxr-xr-x 1 forvirt vboxusers 72 May 17 11:30 forvirt

After this, you can set a password:

passwd forvirt
New password:
BAD PASSWORD: is too simple
Retype new password:
passwd: password updated successfull

Usually, in the terminal, the password input is not displayed for security reasons.

Unused users can be deleted using the userdel command:

userdel -r forvirt
userdel: forvirt mail spool (/var/spool/mail/forvirt) not found

The -r option is necessary to remove the user's home directory and mail spool. In this case, the userdel program noted that the user did not have a mail spool.

It should be noted that in some Linux distributions, the programs useradd and userdel, as well as groupadd and groupdel, may have different names: adduser, deluser, addgroup, and delgroup, respectively.

In Linux-based operating systems, only one superuser (usually named root) has full rights to all objects, while other users are granted limited access to hardware and the file system hierarchy. This access is expanded by adding the user to various groups. However, many operations require exclusive root privileges, such as installing an application in the root file system or adding a new user. Elevating privileges to the superuser level for such operations can be done in several ways. Typically, it involves running a command shell as root by entering the root password.

gpasswd -a fragment root
gpasswd: Permission denied.
gpasswd -a fragment root
Adding user fragment to group root

or executing a specific command with elevated privileges through the sudo program, where the user is prompted to enter their own password:

sudo gpasswd -d fragment root
Removing user fragment from group root

The advantage of sudo is that there is no need to provide the user with the superuser password; it only needs to be added to the /etc/sudoers file in the following format: fragment ALL=(ALL) ALL

The standard 3x3 permission control system in Linux is not the only method of access control. The kernel supports access control through Access Control Lists (ACLs), as well as various security systems such as SELinux or Grsecurity.

Read more