User:Gen2ly/Users and groups

From ArchWiki

On a GNU/Linux system, users and groups define access control: they specify which of the system's files, directories, and peripherals an account may use. Linux offers shrewd yet basic access control mechanisms by default. For more advanced options see ACL and LDAP Authentication.

Overview

A user is any operator of a computer. Here the term refers to the names that represent those users. The name may be Mary or Bill, or it may be an assumed name like Dragonlady or Pirate used in place of the real name. The important detail is that the computer associates a name with each account that exists, and it is by this name that a person interacts with the computer.

A group is a named collection of users; joining a group extends file access permissions to its members or grants them privileges related to a program.

File access controls are security settings that limit what users and groups may do with files in specific ways. Only the superuser (root) has complete access to the operating system and its configuration — it is intended for administrative use only. Unprivileged users can use the su and sudo programs for controlled privilege escalation. To learn about file permissions read File permissions and attributes.

Warning: The following tools are powerful and should only be used with a clear understanding of their effect; improper settings may damage the functionality of the system.

User management

User management may entail adding a user, setting a user's password, editing a user's attributes, or deleting a user.

User addition

To add a new user the useradd command is available. The basic usage is:

# useradd --gid initial_group --groups supplementary,groups --shell /login/shell --create-home username
  • --gid, -g — defines the user's initial login group by name or number. It must refer to an already existing group. If not specified, the USERGROUPS_ENAB variable in /etc/login.defs is consulted; its default value of yes causes the creation of a group with the same name as the username (GID equal to UID).
  • --groups, -G — defines a list of supplementary groups to add the user to; groups are separated by commas with no intervening spaces. For commonly used groups read #Group listings.
  • --shell, -s — defines the default login shell by its executable path. The path must match a shell listed in /etc/shells (read the warning below). When the login shell is intended to be non-functional (e.g. when the user account is created for a specific service), /usr/bin/nologin may be specified in place of a regular shell to politely refuse a login [see nologin(8)].
  • --create-home, -m — creates a home directory for the user and copies any skeleton files listed in /etc/skel into it. If this option is omitted, the directory will need to be created manually (e.g. install --directory --owner username --group users --mode 700 /home/username).

Warning: The pam_shell module will deny the login request if the shell path is not defined in /etc/shells. At this time defining /usr/bin/nameofshell is not possible.
Note: User accounts can be created in any number as long as they are uniquely named (a few reserved names exist, however, for use with system services or for privileged user accounts such as "root").
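An added example (not part of the original page) that checks the inputs the useradd options above depend on before the command is run: the shell must be listed in /etc/shells (pam_shell rejects the login otherwise), the initial and supplementary groups must already exist, and the username must be free. The file paths are parameters so the checks can be exercised against constructed copies without root; the function names are my own.

```shell
# shell_is_listed SHELL [SHELLS_FILE]: 0 when SHELL appears as an exact line in the
# shells file (defaults to /etc/shells, which pam_shell consults at login).
shell_is_listed() {
    [ -r "${2:-/etc/shells}" ] || return 2
    grep -qxF -- "$1" "${2:-/etc/shells}"
}

# group_exists GROUP [GROUP_FILE]: 0 when GROUP has an entry in the group file.
group_exists() {
    awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }' "${2:-/etc/group}"
}

# user_is_free USER [PASSWD_FILE]: 0 when no passwd entry already uses USER.
user_is_free() {
    ! awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "${2:-/etc/passwd}"
}

# useradd_preflight USER SHELL INITIAL_GROUP SUPPLEMENTARY_GROUPS [SHELLS] [GROUPS] [PASSWD]
# Runs every check, prints one line per failure and returns the failure count;
# on success it prints the useradd command line that would create the account.
useradd_preflight() {
    _user=$1 _sh=$2 _gid=$3 _sup=$4 _fails=0
    shell_is_listed "$_sh" "${5:-/etc/shells}" ||
        { echo "shell not listed in shells file: $_sh"; _fails=$((_fails + 1)); }
    for _g in "$_gid" $(printf '%s' "$_sup" | tr ',' ' '); do   # every group must exist
        group_exists "$_g" "${6:-/etc/group}" ||
            { echo "no such group: $_g"; _fails=$((_fails + 1)); }
    done
    user_is_free "$_user" "${7:-/etc/passwd}" ||
        { echo "username already taken: $_user"; _fails=$((_fails + 1)); }
    [ "$_fails" -eq 0 ] &&
        echo "useradd --gid $_gid --groups $_sup --shell $_sh --create-home $_user"
    return "$_fails"
}
```

The printed useradd line is only a suggestion; running it still requires root.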

User addition example

To add a new user this is the typical command:

# useradd --gid users --groups wheel --create-home username

This command creates the user username, places it in the initial group users and the supplementary group wheel, assigns the default shell, and creates the home directory with the skeleton files copied over.

Warning: For a system with multiple users, sharing a common initial group such as "users" may have security implications. When working with shared directories, a common practice is to set a umask of 020, which would give write access to everyone in this group. If this is a possibility, consider omitting the --gid option so that useradd creates a custom initial group that matches the username. (The /home/username directories are not affected, as they are created with user-only permissions.)

User manipulation

To set or change the password of a user account:

# passwd username*

To expire a password (and thereby prompt for a new password on login):

# chage --lastday 0 username

To modify the account, the basic options are:

# usermod [-e] [-l] [-m] [-s] username
  • --expiredate, -e — set the account expiration date
  • --login, -l — rename the user
  • --move-home, -m — move the home directory (use together with -d)
  • --shell, -s — define the login shell

To delete a user account (--remove includes the home directory):

# userdel --remove username

To list users logged in to the system:

$ who

Note:
  • Finger information may be attached to the user account (it is not necessary, however, and has limited usage). A few programs may query finger for the full name, work room, phone, or home phone; read chfn(1) for more information.
  • Alternate choices for adding a user are available with the AUR packages adduserAUR, adduser-defaultsAUR, and adduser-debAUR. They provide an adduser script that carries out the jobs of useradd, chfn and passwd interactively. See also FS#32893.

Group management

To display group memberships:

$ groups username*

To display group memberships with their respective numerical ID:

$ id username*

To display all groups on the system:

$ cat /etc/group

To add a user to a group:

# gpasswd [--add,-a] username group

To add a user to a group(s) with usermod:

# usermod [--append,-a] [--groups,-G] supplementary,groups username

To modify the initial group:

# usermod [--gid,-g] group username

To remove a user from a group:

# gpasswd [--delete,-d] username group

To create a new group:

# groupadd group

To rename a group:

# groupmod [--new-name,-n] oldgroup newgroup

To delete a group:

# groupdel group

To find files owned by a particular user or group:

find /directory -user username
find /directory -group group

Tip: Group memberships become effective only on user login — membership alterations for currently logged in users will require another login for them to be observed.

Group listings

Basic details of the more commonly used groups are given here, plus a list of some deprecated ones.

User groups

These are the general user groups that might be of use:

Group | Affected files | Purpose
--- | --- | ---
games | /var/games | Required membership for some games to run
rfkill | /dev/rfkill | Wireless device power state access rights
users | | Common group used to share access permissions
uucp | /dev/ttyS[0-9], /dev/tts[0-9], /dev/ttyACM[0-9] | Serial and USB devices such as modems, handhelds, and RS-232 access (this group may be deprecated)
wheel | | Administration group to grant privilege escalation used by the sudo and su utilities

System groups

These groups are for system purposes and are likely unnecessary for regular Arch Linux use (some reflect historic or legacy functions):

Group | Affected files | Purpose
--- | --- | ---
bin | | Historical
daemon | | Historical
dbus | | dbus internal usage
ftp | /srv/ftp | FTP server privileges (e.g. proftpd)
fuse | | fuse user mount allowances
http | | HTTP server privileges (unverified)
kmem | /dev/port, /dev/mem, /dev/kmem | Virtual memory allowances
mail | /usr/bin/mail | 
mem | | Memory allowances
nobody | | An unspecified group (usually configuration definable)
polkitd | | Policy kit permissions, see polkit
smmsp | | Wikipedia:sendmail application usage
systemd-journal | /var/log/journal/ | Complete access to the systemd log (otherwise only user-related messages are displayed)
tty | /dev/tty, /dev/vcc, /dev/vc, /dev/ptmx | (e.g. to access /dev/ACMx)

Pre-systemd groups

These groups were needed by most users before Arch Linux migrated to systemd system management. The logind session handles these now, and as long as it remains intact, membership in these groups is not essential; on the contrary, while a logind session is present, membership in some of these groups may break functionality. Read General troubleshooting#Session to test for a logind session, and Sysvinit#Migration_to_systemd for more details.

Group | Affected files | Purpose
--- | --- | ---
audio | /dev/audio, /dev/rtc0, /dev/snd/* | Direct access to sound hardware. The requirement is imposed by both ALSA and OSS. (Local sessions have the ability to play sound and access mixer controls.)
camera | | Digital camera access
disk | /dev/sda[1-9] | Block access to storage devices that are not covered by the optical, floppy, and storage groups
floppy | /dev/fd[0-9] | Floppy drive access
lp | /etc/cups, /var/log/cups, /var/cache/cups, /var/spool/cups, /dev/parport[0-9] | Printer hardware access, print job management
network | | Network settings management (e.g. NetworkManager)
optical | /dev/sr[0-9], /dev/sg[0-9] | Optical device access (CD, DVD drives…)
power | | Pm-utils power management utilities (suspend, hibernate…)
scanner | /var/lock/sane | Scanner hardware access
storage | | Access to removable drives such as USB hard drives and MP3 players; mounting of storage devices
sys | | Printer administration in CUPS
video | /dev/fb/0, /dev/misc/agpgart | Video capture devices, 2D/3D hardware acceleration, framebuffer — not required for Xorg. (Local sessions have the ability to use hardware acceleration and video capture.)

Deprecated groups

These groups no longer carry any functionality:

Group | Purpose
--- | ---
kvm | Kernel Virtual Machine support, now done by udev rules
log | /var/log file access (created by syslog-ng)
stb-admin | Unused, system-tools-backends support
ssh | A non-standard group that has been unknowingly created to allow only its members to log in

Program groups

Other groups exist that transfer an aspect of a program's functionality to the user. Refer to the program's documentation for more information.

File access controls

Learning the philosophy of how GNU/Linux regards a file is fundamental to understanding the basics of the operating system.

From In UNIX, Everything is a File (lightly paraphrased):

"The UNIX operating system solidified several unifying ideas that shaped its design, user interface, culture, and evolution. One of the most important of these ideas is represented in the mantra "everything is a file" — it is widely regarded as one of the prominent characteristics of UNIX.
"The principle consists of providing a unified paradigm for accessing a varied range of input/output resources: CD-ROMs, directories, documents, hard-drives, keyboards, modems, monitors, printers, terminals, and even some inter-process and network communications. The result was to provide a common abstraction for all of these resources each of which the UNIX fathers called a "file". Since every "file" is exposed through the same API, you can use the same set of basic commands to read/write to a disk, keyboard, document or network device."

Ownership and permissions

The ownership and permissions of files can be viewed with the ls command in its "long-listing" format:

$ ls -l /boot/
total 13740
drwxr-xr-x 2 root root    4096 Jan 12 00:33 grub
-rw-r--r-- 1 root root 8570335 Jan 12 00:33 initramfs-linux-fallback.img
-rw-r--r-- 1 root root 1821573 Jan 12 00:31 initramfs-linux.img
-rw-r--r-- 1 root root 1457315 Jan  8 08:19 System.map26
-rw-r--r-- 1 root root 2209920 Jan  8 08:19 vmlinuz-linux

The user and group ownership are defined in the third and fourth columns. The access permissions are defined in the first column. Above, for example, the file initramfs-linux.img is owned by the user root, owned by the group root, and has the permissions -rw-r--r--. (This permission block is technically called "the file mode bits" — "mode" referring to permissions and "bits" referring to each character.)

Another command, stat, can also be used. To display the owning user, group, and permissions:

$ stat -c %U /var/log/journal/
root
$ stat -c %G /var/log/journal/
systemd-journal
$ stat -c %A /var/log/journal/
drwxr-sr-x

The permission block encapsulates the permissions of the three "whos": the user, the group, and the other-groups. The first character is either - for a file or d for a directory. The remaining nine characters, divided into units of three, represent each "who's" permissions. The three characters are typically the permission types: read, write, and execute. In the above example, the permissions drwxr-sr-x say that the file is a directory, that the owning user has read, write and execute permissions, that the group has read and set-group-ID-on-execution permissions (the lowercase s means the execute bit is set as well), and that other-groups have read and execute permissions.

Ownership control

The user and group ownership can be changed with the chown command:

chown username       file
chown username:users file

Permission control

The permissions of the "whos" can be changed with the chmod command. chmod accepts its argument in two modes: symbolic mode and numeric mode.

With symbolic mode, the argument applied to the file begins with the "who" symbols. The "who" symbols u, g and o specify the user, group, and other-groups; the symbol a specifies all of them. The "who" symbols require an action of add +, subtract -, or equals =, which in turn affects the "perm" symbols. The "perm" symbols r, w, x specify the read, write, and execute permission types. Other "perm" symbols exist: X sets the execute/search permission, s sets the user or group ID on execution, and t sets the restricted deletion flag (a.k.a. the sticky bit). Basic usage is chmod [ugoa][+-=][rwxXst] file. Some examples:

touch            file  # -rw-r--r--
chmod g+w        file  # -rw-rw-r--
chmod ug-r       file  # --w--w-r--
chmod ug+r-w     file  # -r--r--r--
chmod u+w,g-r,o= file  # -rw-------
chmod +x         file  # -rwx--x--x

With numeric mode, the argument applied to the file is composed of up to four octal digits (0-7). Each octal digit is a sum of 4, 2, and 1, which respectively specify the read, write, and execute permissions. An example: to set file permissions with user rw, group r, and other-groups r, the summed argument would be 644 (-42-4--4--, i.e. 4+2 for the user, 4 for the group, and 4 for other-groups).

chmod 644 file

The octal argument is up to four digits long; omitted digits are assumed to be leading zeros (this would make the above argument 0644 in full). The first digit is used for these permissions: set the user ID on execution (4), set the group ID on execution (2), or set the restricted deletion flag (sticky bit) (1).
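The following converter, an added example rather than code from the original page, turns a permission block from ls -l or stat -c %A into its four-digit octal form and back, including the set-user-ID, set-group-ID and sticky bits described above (upper-case S/T meaning the special bit is set without execute); the function names are my own.

```shell
# mode_to_octal MODE: convert an ls -l / stat -c %A permission block such as
# "drwxr-sr-x" (the leading type character is optional) to its four-digit octal
# form, e.g. 2755. Upper-case S/T mean the special bit is set without execute.
mode_to_octal() {
    _m=$1
    [ ${#_m} -eq 10 ] && _m=${_m#?}            # drop the d/-/l type character
    [ ${#_m} -eq 9 ] || return 1
    _special=0 _bits=0 _i=0
    while [ -n "$_m" ]; do
        _c=${_m%"${_m#?}"}; _m=${_m#?}; _i=$((_i + 1)); _on=0
        case "$_i$_c" in                       # position + character decides the bit
            [147]r|[258]w|[369]x) _on=1 ;;
            3s|6s|9t) _on=1; _special=$((_special + (4 >> ((_i - 3) / 3)))) ;;
            3S|6S|9T) _special=$((_special + (4 >> ((_i - 3) / 3)))) ;;
            [1-9]-) ;;
            *) return 1 ;;                      # wrong letter for this position
        esac
        _bits=$((_bits * 2 + _on))              # accumulate the nine rwx bits
    done
    printf '%d%03o\n' "$_special" "$_bits"
}

# octal_to_mode OCTAL: the reverse, e.g. 2755 -> rwxr-sr-x (up to four octal digits).
octal_to_mode() {
    case $1 in ''|*[!0-7]*) return 1 ;; esac
    [ ${#1} -le 4 ] || return 1
    _n=$((0$1)) _out='' _i=0                    # leading 0 forces octal parsing
    while [ "$_i" -lt 9 ]; do
        _bit=$(( (_n >> (8 - _i)) & 1 )); _sp=0
        case $((_i % 3)) in
            0) _ch=r ;;
            1) _ch=w ;;
            2) _ch=x; _sp=$(( (_n >> (11 - _i / 3)) & 1 )) ;;   # setuid/setgid/sticky
        esac
        if [ "$_sp" -eq 1 ]; then
            case "$_i$_bit" in 81) _ch=t ;; 80) _ch=T ;; ?1) _ch=s ;; ?0) _ch=S ;; esac
        elif [ "$_bit" -eq 0 ]; then
            _ch=-
        fi
        _out=$_out$_ch; _i=$((_i + 1))
    done
    printf '%s\n' "$_out"
}

mode_to_octal drwxr-sr-x   # 2755
octal_to_mode 644          # rw-r--r--
```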

Tip: Both chown and chmod have a --recursive, -R option for applying ownership and permissions through multiple sub-levels.
Warning: The following advice is erroneous: the s perm does not refer to the sticky bit. It is unclear what the intention here is.

To allow write access to a specific group, shared files/folders can be made writable by default for everyone in this group, and the owning group can be automatically set to the group which owns the parent directory by setting the set-group-ID bit (sometimes loosely called the group sticky bit) on this directory:

# chmod g+s our_shared_directory
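An added example that is not part of the original page, showing the shared-directory setup above as shell functions: create the directory with mode 2770 (rwxrws---), verify the set-group-ID bit, group write access and owning group, and create a file under a umask of 002 so the group keeps write access. It assumes a stat that supports -c (GNU or busybox) and, because chgrp to a foreign group needs root, a group the caller belongs to; the function names are my own.

```shell
# make_shared_dir DIR GROUP: create DIR owned by GROUP (name or numeric GID) with
# mode 2770 (rwxrws---). Group members may read, write and traverse it, and the
# set-group-ID bit makes files created inside inherit GROUP instead of the
# creator's primary group. chgrp to a group you are not a member of needs root.
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# shared_dir_ok DIR GROUP: return 0 when DIR carries the set-group-ID bit, group
# write access and the expected owning group; otherwise print what is wrong.
shared_dir_ok() {
    _mode=$(stat -c %A "$1") || return 1
    _rc=0
    case $_mode in
        d?????[sS]*) ;;                       # 7th character: group execute + setgid
        *) echo "set-group-ID bit not set on $1 ($_mode)"; _rc=1 ;;
    esac
    case $_mode in
        d????w*) ;;                           # 6th character: group write
        *) echo "group has no write access to $1 ($_mode)"; _rc=1 ;;
    esac
    [ "$(stat -c %G "$1")" = "$2" ] || [ "$(stat -c %g "$1")" = "$2" ] ||
        { echo "owning group of $1 is $(stat -c %G "$1"), expected $2"; _rc=1; }
    return "$_rc"
}

# create_shared_file DIR NAME: create a file in the shared directory under a umask
# of 002 (the default 022 would strip group write, so the group could not edit
# it) and print the numeric GID the new file received, which is the directory's.
create_shared_file() {
    ( umask 002 && : > "$1/$2" ) || return 1
    stat -c %g "$1/$2"
}
```

Existing files keep their mode; the umask only governs files created after it is set, so each group member's login shell needs the same umask for the directory to stay group-writable.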

See also

  • chmod(1), chmod(1p) for more information; or read the Linux.com article.