Users and groups
zh-CN:Users and Groups zh-TW:Users and Groups Template:Article summary start Template:Article summary text Template:Article summary heading Template:Article summary text Template:Article summary heading Template:Article summary wiki Template:Article summary wiki Template:Article summary wiki Template:Article summary wiki Template:Article summary end
Users and groups are used on GNU/Linux for access control — that is, to control access to the system's files, directories, and peripherals. Linux offers relatively simple/coarse access control mechanisms by default. For more advanced options, see ACL and LDAP Authentication.
A user is anyone who uses a computer. In this case, we are describing the names which represent those users. It may be Mary or Bill, and they may use the names Dragonlady or Pirate in place of their real name. All that matters is that the computer has a name for each account it creates, and it is this name by which a person gains access to use the computer. Some system services also run using restricted or privileged user accounts.
Managing users is done for the purpose of security by limiting access in certain specific ways.
Any individual may have more than one account, as long as they use a different name for each account they create. Further, there are some reserved names which may not be used such as "root".
Users may be grouped together into a "group," and users may choose to join an existing group to utilize the privileged access it grants.
Permissions and ownership
- The UNIX operating system crystallizes a couple of unifying ideas and concepts that shaped its design, user interface, culture and evolution. One of the most important of these is probably the mantra: "everything is a file," widely regarded as one of the defining points of UNIX.
- This key design principle consists of providing a unified paradigm for accessing a wide range of input/output resources: documents, directories, hard-drives, CD-ROMs, modems, keyboards, printers, monitors, terminals and even some inter-process and network communications. The trick is to provide a common abstraction for all of these resources, each of which the UNIX fathers called a "file." Since every "file" is exposed through the same API, you can use the same set of basic commands to read/write to a disk, keyboard, document or network device.
- A fundamental and very powerful, consistent abstraction provided in UNIX and compatible operating systems is the file abstraction. Many OS services and device interfaces are implemented to provide a file or file system metaphor to applications. This enables new uses for, and greatly increases the power of, existing applications — simple tools designed with specific uses in mind can, with UNIX file abstractions, be used in novel ways. A simple tool, such as cat, designed to read one or more files and output the contents to standard output, can be used to read from I/O devices through special device files, typically found under the
/devdirectory. On many systems, audio recording and playback can be done simply with the commands, "
cat /dev/audio > myfile" and "
cat myfile > /dev/audio," respectively.
Every file on a GNU/Linux system is owned by a user and a group. In addition, there are three types of access permissions: read, write, and execute. Different access permissions can be applied to a file's owning user, owning group, and others (those without ownership). One can determine a file's owners and permissions by viewing the long listing format of the
$ ls -l /boot/
total 13740 drwxr-xr-x 2 root root 4096 Jan 12 00:33 grub -rw-r--r-- 1 root root 8570335 Jan 12 00:33 initramfs-linux-fallback.img -rw-r--r-- 1 root root 1821573 Jan 12 00:31 initramfs-linux.img -rw-r--r-- 1 root root 1457315 Jan 8 08:19 System.map26 -rw-r--r-- 1 root root 2209920 Jan 8 08:19 vmlinuz-linux
The first column displays the file's permissions (for example, the file
kernel26.img has permissions
-rw-r--r--). The third and fourth columns display the file's owning user and group, respectively. In this example, all files are owned by the root user and the root group.
$ ls -l /media/
total 16 drwxrwx--- 1 root vboxsf 16384 Jan 29 11:02 sf_Shared
In this example, the
sf_Shared directory is owned by the root user and the vboxsf group. It is also possible to determine a file's owners and permissions using the stat command:
$ stat -c %U /media/sf_Shared/
$ stat -c %G /media/sf_Shared/
$ stat -c %A /media/sf_Shared/
Access permissions are displayed in three groups of characters, representing the permissions of the owning user, owning group, and others, respectively. For example, the characters
-rw-r--r-- indicate that the file's owner has read and write permission, but not execute (
rw-), whilst users belonging to the owning group and other users have only read permission (
r--). Meanwhile, the characters
drwxrwx--- indicate that the file's owner and users belonging to the owning group all have read, write, and execute permissions (
rwx), whilst other users are denied access (
---). The first character represents the file's type.
List files owned by a user or group with the
# find / -group [group]
# find / -user [user]
A file's owning user and group can be changed with the
chown (change owner) command. A file's access permissions can be changed with the
chmod (change mode) command.
||Secure user account information|
||User account information|
||Contains the shadowed information for group accounts|
||Defines the groups to which users belong|
||List of who can run what by sudo|
To list users currently logged on the system, the
who command can be used.
To add a new user, use the
# useradd -m -g [initial_group] -G [additional_groups] -s [login_shell] [username]
-mcreates the user home directory as
/home/[username]; within their home directory, a non-root user can write files, delete them, install programs, and so on.
-gdefines the group name or number of the user's initial login group; the group name must exist; if a group number is provided, it must refer to an already existing group; if not specified, the behavior of useradd will depend on the
USERGROUPS_ENABvariable contained in
-Gintroduces a list of supplementary groups which the user is also a member of; each group is separated from the next by a comma, with no intervening spaces; the default is for the user to belong only to the initial group.
-sdefines the path and file name of the user's default login shell; after the boot process is complete, the default login shell is the one specified here; ensure the chosen shell package is installed if choosing something other than Bash.
/etc/shells. For programs that use PAM, this is checked by the
A typical desktop system example, adding a user named archie specifying bash as the login shell:
# useradd -m -g users -G wheel -s /bin/bash archie
To later add the user to other groups use
# usermod -aG [additional_groups] [username]
Alternatively, gpasswd may be used. Though the username can only be added (or removed) from one group at a time.
# gpasswd --add [username] [group]
-aoption is omitted in the
usermodcommand above, the user is removed from all groups not listed in
[additional_groups](i.e. the user will be member only of those groups listed in
To enter user information for the GECOS field (e.g. the full user name), type:
# chfn [username]
chfn runs in interactive mode).
To specify the user's password, type:
# passwd [username]
To mark a user's password as expired, requiring them to create a new password the first time they log in, type:
# chage -d 0 [username]
User accounts may be deleted with the
# userdel -r [username]
-r option specifies that the user's home directory and mail spool should also be deleted.
Local user information is stored in the
/etc/passwd file. To list all user accounts on the system:
$ cat /etc/passwd
There is one line per account, and each is of the format:
accountis the user name
passwordis the user password
UIDis the numerical user ID
GIDis the numerical primary group ID for the user
GECOSis an optional field used for informational purposes; usually it contains the full user name
directoryis the user's
shellis the user command interpreter (defaults to
passwdfile is world-readable, so storing passwords (hashed or otherwise) in this file would be insecure. Instead, the
passwordfield will contain a placeholder character (
x) indicating that the hashed password is saved in the access-restricted file
/etc/group is the file that defines the groups on the system (
man group for details).
Display group membership with the
$ groups [user]
user is omitted, the current user's group names are displayed.
id command provides additional detail, such as the user's UID and associated GIDs:
$ id [user]
To list all groups on the system:
$ cat /etc/group
Create new groups with the
# groupadd [group]
Add users to a group with the
# gpasswd -a [user] [group]
To delete existing groups:
# groupdel [group]
To remove users from a group:
# gpasswd -d [user] [group]
If the user is currently logged in, he/she must log out and in again for the change to have effect.
- Some of these may not be needed when running a system with systemd. See the supplementary information section for systemd.
- None of these groups is needed for standard desktop permissions like sound, 3D graphics, printing, mounting, etc. as long as the logind session is not broken (see General Troubleshooting#Session permissions to check it).
Workstation/desktop users often add their non-root user to some of following groups to allow access to peripherals and other hardware and facilitate system administration:
||Direct access to sound hardware, for all sessions (requirement is imposed by both ALSA and OSS). Local sessions already have the ability to play sound and access mixer controls.|
|camera||Access to Digital Cameras.|
||Access to block devices not affected by other groups such as |
||Access to floppy drives.|
||Access to some game software.|
||Right to use updatedb command.|
||Access to printer hardware; enables the user to manage print jobs.|
|network||Right to change network settings such as when using NetworkManager.|
|networkmanager||Requirement for your user to connect wirelessly with NetworkManager. This group is not included with Arch by default so it must be added manually.|
||Access to optical devices such as CD and DVD drives.|
|power||Right to use Pm-utils (suspend, hibernate...) and power management controls.|
||Right to control wireless devices power state (used by).|
||Access to scanner hardware.|
|storage||Access to removable drives such as USB hard drives, flash/jump drives, MP3 players; enables the user to mount storage devices.|
|sys||Right to administer printers in CUPS.|
|users||Standard users group.|
||Serial and USB devices such as modems, handhelds, RS-232/serial ports.|
||Access to video capture devices, 2D/3D hardware acceleration, framebuffer (X can be used without belonging to this group). Local sessions already have the ability to use hardware acceleration and video capture.|
|wheel||Administration group, commonly used to give access to the |
The following groups are used for system purposes and are not likely to be used by novice Arch users:
||Used by Clam AntiVirus.|
||used by FTP servers like Proftpd|
|gdm||X server authorization directory (ServAuthDir)||GDM group.|
||Access to log files in |
||Complete system administration and control (root, admin).|
||Provides access to the complete systemd logs. Otherwise, only user generated messages are displayed.|
||Eg. to acces |
|vboxsf||virtual machines' shared folders||Used by VirtualBox.|
|fuse||Used by fuse to allow user mounts.|
These groups allow its members to use specific software:
|adbusers||devices nodes under
||Right to access Android Debugging Bridge.|
||Right to use cdemu drive emulation.|
||Used by ThinkPad users for access to tools such as tpb.|
||Right to use VirtualBox software.|
|vmware||Right to use VMware software.|
|ssh||Sshd can be configured to only allow members of this group to login.|
|wireshark||Right to capture packets with Wireshark.|
Deprecated or unused groups
Following groups are currently of no use for anyone:
|stb-admin||Unused! Right to access system-tools-backends|