User:Gen2ly/Users and groups
Users and groups serve on a GNU/Linux system to define access control: they specify which of the system's files, directories, and peripherals each account may use. Linux offers simple but effective access control mechanisms by default. For more advanced options see ACL and LDAP Authentication.
Overview
A user is any operator of a computer. In this context the term means the name that represents such an operator. The name may be Mary or Bill, or an assumed name like Dragonlady or Pirate used in place of the real one. The important detail is that the computer associates a name with each account that exists, and it is by this name that a person interacts with the computer.
A group is an associative unit: by joining it, a user gains extended file access permissions or privileges related to a program.
File access controls are security settings that limit user and group access in specific ways. Only the superuser (root) has complete access to the operating system and its configuration; it is intended for administrative use only. Unprivileged users can use the su and sudo programs for controlled privilege escalation. To learn about file permissions read File permissions and attributes.
User management
User management may entail adding a user, setting a user's password, editing a user's attributes, or deleting a user.
User addition
To add a new user the useradd command is available. The basic usage is:
# useradd --gid initial_group --groups supplementary,groups --shell /login/shell --create-home username
- --gid, -g — defines the user's initial login group by name or number. It must refer to an already existing group. If not specified, the USERGROUPS_ENAB variable in the file /etc/login.defs will be used, and its default value of yes will create a group with the same name as the username (GID being equal to UID).
- --groups, -G — defines a list of supplementary groups to which to add the user; the groups are separated by commas with no intervening spaces. For commonly used groups read #Group listings.
- --shell, -s — defines the default login shell by its executable path. The path will need to match a shell listed in /etc/shells (read warning below). For cases when the login shell is intended to be non-functional (e.g. when the user account is created for a specific service), /usr/bin/nologin may be specified in place of a regular shell to politely refuse a login [see nologin(8)].
- --create-home, -m — will create a home directory for the user and add any skeleton files listed in /etc/skel. If this option is omitted, the directory will need to be created manually (e.g. install --directory --owner username --group users --mode 700 /home/username).
Warning: The login shell must match a shell listed in /etc/shells. At this time defining /usr/bin/nameofshell is not possible.
User addition example
To add a new user this is the typical command:
# useradd --gid users --groups wheel --create-home username
This command will create the user username, put it in the initial group users, include it in the group wheel, give it the default shell, and create its home directory with the skeleton files copied over.
Note: A permission setting of 020 (group write) would give write access to anyone in this group. If this is a possibility, consider omitting the --gid option to have useradd create a custom initial group that matches the username. (The /home/username directories are not affected, as they are created with user-only permissions.)
User manipulation
To set or change the password of a user account (if username is omitted, the password of the invoking user is changed):
# passwd username
To expire a password (and thereby prompt for a new password on login):
# chage --lastday 0 username
To modify the account the basic options are:
# usermod [-e] [-l] [-m] [-s] username
- --expiredate, -e — set the account expiration date
- --login, -l — rename the username
- --move-home, -m — move the home directory; use with -d
- --shell, -s — define the login shell
To delete a user account (--remove also removes the home directory):
# userdel --remove username
To list users logged in to the system:
$ who
- Finger information may be attached to a user (it is not necessary, however, and has limited use). A few programs may query finger for the full name, work room, phone, or home phone; read chfn(1) for more information.
- Alternate choices for adding a user are available with the AUR packages adduserAUR, adduser-defaultsAUR, and adduser-debAUR. They provide an adduser script that carries out the jobs of useradd, chfn and passwd interactively. See also FS#32893.
Group management
To display group memberships (username defaults to the current user):
$ groups username
To display group memberships with their respective numerical IDs:
$ id username
To display all groups on the system:
$ cat /etc/group
To add a user to a group:
# gpasswd [--add,-a] username group
To add a user to a group(s) with usermod:
# usermod [--append,-a] [--groups,-G] supplementary,groups username
To modify the initial group:
# usermod [--gid,-g] group username
To remove a user from a group:
# gpasswd [--delete,-d] username group
To create a new group:
# groupadd group
To rename a group:
# groupmod [--new-name,-n] oldgroup newgroup
To delete a group:
# groupdel group
To find files owned by a particular user or group:
$ find /directory -user username
$ find /directory -group group
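The commands above read /etc/passwd and /etc/group; the useradd section earlier notes that a login shell must appear in /etc/shells. The following added example (not part of the wiki page) parses constructed copies of those three files, reproduces what groups and id print for a user, and lists accounts whose shell is not in /etc/shells, which is a quick audit for service accounts using nologin or for users who would be refused a login. All user, group and shell entries are made up for the example.

```python
# Added example (not from the wiki page): model how `groups`, `id` and the
# /etc/shells check reason about the account databases.  The three file
# bodies below are constructed sample data, not a real system's files.

PASSWD = """\
root:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:100::/home/bob:/bin/zsh
backup:x:1002:1002::/var/backup:/usr/bin/nologin
"""

GROUP = """\
root:x:0:
users:x:100:alice
wheel:x:998:alice,bob
alice:x:1000:
backup:x:1002:
"""

SHELLS = """\
# pathnames of valid login shells (constructed)
/bin/sh
/bin/bash
"""


def parse_passwd(text):
    """Map username -> (uid, gid, home, shell) from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = (int(uid), int(gid), home, shell)
    return users


def parse_group(text):
    """Map groupname -> (gid, set of supplementary members) from group(5) lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_shells(text):
    """Set of shell paths listed in shells(5); comments and blank lines skipped."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def groups_of(user, users, groups):
    """Group names for `user`: the initial (passwd) group first, then the
    supplementary groups in /etc/group order, as `groups username` prints them."""
    _uid, gid, _home, _shell = users[user]
    primary = [g for g, (ggid, _m) in groups.items() if ggid == gid]
    supplementary = [g for g, (ggid, members) in groups.items()
                     if user in members and ggid != gid]
    return primary + supplementary


def id_line(user, users, groups):
    """Render the same information as `id username`."""
    uid, gid, _home, _shell = users[user]
    names = groups_of(user, users, groups)
    gname = names[0] if names else str(gid)
    listed = ",".join(f"{groups[g][0]}({g})" for g in names)
    return f"uid={uid}({user}) gid={gid}({gname}) groups={listed}"


def shell_audit(users, shells):
    """Accounts whose login shell is not listed in /etc/shells: service
    accounts using nologin, or real users who would be refused a login."""
    return sorted(u for u, (_uid, _gid, _home, sh) in users.items() if sh not in shells)


def audit_report(passwd_text=PASSWD, group_text=GROUP, shells_text=SHELLS):
    """One call that ties the pieces together over the sample data."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    shells = parse_shells(shells_text)
    return {
        "id": {u: id_line(u, users, groups) for u in users},
        "no_login_shell": shell_audit(users, shells),
    }


if __name__ == "__main__":
    for line in audit_report()["id"].values():
        print(line)
    print("shell not in /etc/shells:", audit_report()["no_login_shell"])
```

Pointing the parsers at the real files (open("/etc/passwd").read() and so on) turns this into a read-only check that needs no privileges.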
Group listings
Basic details of the more common groups are given here, plus a list of some deprecated ones.
User groups
These are the general user groups that might be of use:
Group | Affected files | Purpose |
---|---|---|
games | /var/games | Required membership for some games to run |
rfkill | /dev/rfkill | Wireless device power state access rights |
users | | Common group used to share access permissions |
uucp | /dev/ttyS[0-9], /dev/tts[0-9], /dev/ttyACM[0-9] | Serial and USB devices such as modems, handhelds, and RS-232 access (this group may be deprecated) |
wheel | | Administration group to grant privilege escalation used by the sudo and su utilities |
System groups
These groups are for system purposes and likely unnecessary for regular Arch Linux use (some imply historic or legacy functions):
Group | Affected files | Purpose |
---|---|---|
bin | | Historical |
daemon | | Historical |
dbus | | dbus internal usage |
ftp | /srv/ftp | FTP server privileges (e.g. proftpd) |
fuse | | fuse user mount allowances |
http | | HTTP server privileges (unverified) |
kmem | /dev/port, /dev/mem, /dev/kmem | Virtual memory allowances |
mail | /usr/bin/mail | |
mem | | Memory allowances |
nobody | | An unspecified group (usually configuration definable) |
polkitd | | Policy kit permissions, see polkit |
smmsp | | Wikipedia:sendmail application usage |
systemd-journal | /var/log/journal/ | Complete access to the systemd journal (otherwise only user-related messages are displayed) |
tty | /dev/tty, /dev/vcc, /dev/vc, /dev/ptmx | (e.g. to access /dev/ACMx) |
Pre-systemd groups
These groups were needed by most users before Arch Linux migrated to systemd system management. The logind session handles these now, and as long as it remains intact, membership in the groups is not essential; conversely, while a logind session remains, membership in some of these groups may break functionality. Read General troubleshooting#Session to test for a logind session, and Sysvinit#Migration_to_systemd for more details.
Group | Affected files | Purpose |
---|---|---|
audio | /dev/audio, /dev/rtc0, /dev/snd/* | Direct access to sound hardware. The requirement is imposed by both ALSA and OSS. (Local sessions have the ability to play sound and access mixer controls.) |
camera | | Digital camera access |
disk | /dev/sda[1-9] … | Block access to storage devices that are not in the optical, floppy, and storage groups |
floppy | /dev/fd[0-9] | Floppy drive access |
lp | /etc/cups, /var/log/cups, /var/cache/cups, /var/spool/cups, /dev/parport[0-9] | Printer hardware access, print job management |
network | | Network settings management (e.g. NetworkManager) |
optical | /dev/sr[0-9], /dev/sg[0-9] | Optical device access (CD, DVD drives…) |
power | | pm-utils power management utilities (suspend, hibernate…) |
scanner | /var/lock/sane | Scanner hardware access |
storage | | Access to removable drives such as USB hard drives and MP3 players; mounting of storage devices |
sys | | Printer administration in CUPS |
video | /dev/fb/0, /dev/misc/agpgart | Video capture devices, 2D/3D hardware acceleration, framebuffer; not required for Xorg. (Local sessions have the ability to use hardware acceleration and video capture.) |
Deprecated groups
These groups no longer carry any functionality:
Group | Purpose |
---|---|
kvm | Kernel Virtual Machine support, now done by udev rules |
log | /var/log file access (created by syslog-ng) |
stb-admin | Unused, system-tools-backends support |
ssh | A non-standard group that has been unknowingly created to allow only its members to log in |
Program groups
Other groups exist that allow an aspect of a program's functionality to be transferred to the user. Refer to the program's documentation for more information.
File access controls
Learning the philosophy of how GNU/Linux regards a file is fundamental to understanding the basics of the operating system.
From In UNIX, Everything is a File (lightly paraphrased):
- "The UNIX operating system solidified several unifying ideas that shaped its design, user interface, culture, and evolution. One of the most important of these ideas is represented in the mantra "everything is a file" — it is widely regarded as one of the prominent characteristics of UNIX.
- "The principle consists of providing a unified paradigm for accessing a varied range of input/output resources: CD-ROMs, directories, documents, hard-drives, keyboards, modems, monitors, printers, terminals, and even some inter-process and network communications. The result was to provide a common abstraction for all of these resources each of which the UNIX fathers called a "file". Since every "file" is exposed through the same API, you can use the same set of basic commands to read/write to a disk, keyboard, document or network device."
Ownership and permissions
The ownership and permissions of files can be viewed with the ls command in its "long-listing" format:
$ ls -l /boot/
total 13740
drwxr-xr-x 2 root root    4096 Jan 12 00:33 grub
-rw-r--r-- 1 root root 8570335 Jan 12 00:33 initramfs-linux-fallback.img
-rw-r--r-- 1 root root 1821573 Jan 12 00:31 initramfs-linux.img
-rw-r--r-- 1 root root 1457315 Jan  8 08:19 System.map26
-rw-r--r-- 1 root root 2209920 Jan  8 08:19 vmlinuz-linux
The user and group ownership are defined in the third and fourth columns. The access permissions are defined in the first column. Above, for example, the file initramfs-linux.img is owned by the user root, owned by the group root, and has the permissions -rw-r--r--. (This permission block is technically called the "file mode bits": "mode" referring to permissions and "bits" referring to each character.)
Another command, stat, can also be used. To display the owning user, group, and permissions:
$ stat -c %U /var/log/journal/
root
$ stat -c %G /var/log/journal/
systemd-journal
$ stat -c %A /var/log/journal/
drwxr-sr-x
The permission block encapsulates the permissions of the three "whos": the user, the group, and other-groups. The first character is either - for a file or d for a directory. The remaining nine characters, divided into units of three, represent each "who's" permissions. The three characters are typically the permission types: read (r), write (w), and execute (x). In the above example, the permissions drwxr-sr-x say that the file is a directory, that the owning user has read, write and execute permissions, that the group has read and execute permissions together with set-group-ID-on-execution (a lowercase s in the group triplet stands for x plus the set-group-ID bit), and that other-groups have read and execute permissions.
Ownership control
The user and group ownership can be changed with the chown command:
# chown username file
# chown username:users file
Permission control
The permissions of the "whos" can be changed with the chmod command. chmod can be used in two modes: symbolic mode and numeric mode.
With symbolic mode, the argument applied to the file begins with the "who" symbols. The "who" symbols u, g and o specify the user, group, and other-groups; the symbol a specifies all of them. The "who" symbols require an action of add +, subtract -, or equals =, and these in turn affect the "perm" symbols. The "perm" symbols r, w, x specify the read, write, and execute permission types. Other "perm" symbols exist: X to set the execute/search permission, s to set user or group ID on execution, and t to set the restricted deletion flag (a.k.a. the sticky bit). Basic usage is chmod [ugoa][+-=][rwxXst] file. Some examples:
touch file             # -rw-r--r--
chmod g+w file         # -rw-rw-r--
chmod ug-r file        # --w--w-r--
chmod ug+r-w file      # -r--r--r--
chmod u+w,g-r,o= file  # -rw-------
chmod +x file          # -rwx--x--x
With numeric mode, the argument applied to the file is composed of up to four octal digits (0-7). Each octal digit is a sum of 4, 2, and 1, which respectively specify the read, write, and execute permissions. An example: to set file permissions with user rw, group r, and other-groups r, the summed argument would be 644 (-42-4--4--).
chmod 644 file
The octal argument is four digits in total; omitted digits are assumed to be leading zeros (this would make the above argument 0644 in full). The first digit is used for these permissions: set user ID on execution (4), set group ID on execution (2), or set the restricted deletion flag (sticky bit) (1).
Tip: chown and chmod have a --recursive, -R option for applying ownership and permissions through multiple sub-levels.
Note: The s perm does not refer to the sticky bit. It is unclear what the intention here is.
To allow write access to a specific group, shared files/folders can be made writable by default for everyone in this group, and the owning group can be automatically fixed to the group which owns the parent directory by setting the set-group-ID bit (loosely called the "group sticky bit") on this directory:
# chmod g+s our_shared_directory
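To see what that bit does without touching a real shared directory, the following added example (not part of the wiki page) creates directories inside a temporary location owned by the invoking user, gives one the set-group-ID bit that chmod g+s sets and another the sticky bit, and reports their mode strings as stat -c %A would, together with whether a file created in the set-group-ID directory takes the directory's group. The directory and file names are made up for the example.

```python
import os
import stat
import tempfile

# Added example (not from the wiki page): the effect of the set-group-ID bit on
# a directory, contrasted with the sticky bit.  Needs no extra group or root.


def setgid_dir(path):
    """Group-writable directory with set-group-ID (numeric 2xxx, symbolic g+s).
    Returns its mode string as `stat -c %A` prints it, expected 'drwxrws---'."""
    os.mkdir(path, 0o700)
    os.chmod(path, 0o2770)
    return stat.filemode(os.stat(path).st_mode)


def sticky_dir(path):
    """World-writable directory with the restricted-deletion (sticky) bit
    (numeric 1xxx, symbolic o+t), the way /tmp is usually set; expected 'drwxrwxrwt'."""
    os.mkdir(path, 0o700)
    os.chmod(path, 0o1777)
    return stat.filemode(os.stat(path).st_mode)


def file_takes_directory_group(path):
    """Files created inside a set-group-ID directory are owned by the directory's
    group rather than the creator's primary group.  In this self-contained demo the
    temporary directory already carries the creator's group, so the check passes
    trivially; it is the check that matters once the directory belongs to a shared group."""
    fname = os.path.join(path, "shared.txt")
    with open(fname, "w") as fh:
        fh.write("constructed content\n")
    return os.stat(fname).st_gid == os.stat(path).st_gid


def demo():
    """Returns (setgid mode string, sticky mode string, group-inherited flag)."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "our_shared_directory")
        scratch = os.path.join(tmp, "scratch")
        return (setgid_dir(shared), sticky_dir(scratch), file_takes_directory_group(shared))


if __name__ == "__main__":
    print(demo())
```

The two mode strings make the note above concrete: s in the group triplet is the set-group-ID bit, t in the other-groups triplet is the sticky bit, and the two are set by different octal digits (2 and 1).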
See also chmod(1) and chmod(1p) for more information, or read the Linux.com article.