Linux User Management, Managing Permissions, and Directory Structure

I want to know more about User management and managing permissions in Linux, so I am creating this note. I am also going to review the directory structure of Linux. I was dealing with the directory structure a good amount while trying to debug a problem with the database for this site, and I think it would be a good idea to know why files are where they are.


Linux User Management


  • User and group administration is an important skill for sysadmins.


Managing Users

Users must authenticate to any system they need to use. This authentication provides access to resources and a customized, user-specific environment. The user's identity is based on their user account.
  1. Understand the /etc/passwd file
    • User account information is stored in the /etc/passwd file. This information includes the account name, home directory location, and default shell, among other values.
    • Each field is separated by a : character, and not all fields must be populated, but you must delineate them.
    • Example:
username:password:UID:GID:comment:home:shell


  2. Understand the /etc/shadow file
    • Password hashes are stored in a file only readable by root: /etc/shadow
    • Administrators should recognize each field in /etc/shadow. Several of the fields pertain to password requirements.
    • Example:
username:password:last password change:min:max:warning:inactive:expired
    • The first two fields identify the user and the password hash, while the remaining six fields represent password change information that can be altered with the chage command.


  3. Create, modify, and delete user accounts
    • Sysadmins either add, modify, or delete users, and the related commands are quite intuitive. The commands to manage user accounts on RHEL and RHEL-like distributions are:
      • useradd
      • usermod
      • userdel


  4. Manage Password Requirements
    • Many organizations rely on password policies to define appropriate password requirements. Sysadmins can enforce those requirements by using various mechanisms on Linux.
    • Two common ways of managing password settings are using the /etc/login.defs file or Pluggable Authentication Module (PAM) settings.


Managing Groups

  • It is more efficient to group user accounts with similar access requirements than to manage permissions on a per user basis. Sysadmins should be comfortable with the process of creating, modifying, and deleting groups.


  1. Understand the /etc/group file
    • Similar to the /etc/passwd file above, the /etc/group file contains group account information. This information can be essential for troubleshooting, security audits, and ensuring users can access the resources they need.
    • The fields in the /etc/group file are:
groupname:password:GID:group members


  2. Create, modify, and delete groups
    • There is an easy-to-remember command for each function that you might need to carry out for a group:
      • groupadd
      • groupmod
      • groupdel


  3. Manage Group Membership
    • Adding users to a group simplifies permissions management. Adding a user to a group modifies the user, not the group; therefore, the command to add a user to a group is usermod.
    • Commands to manage and display group membership:
      • usermod: Update group membership
      • id: Display a list of groups the user is a member of
      • cat /etc/group: Show a list of existing groups, with membership displayed in the last field
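The /etc/passwd, /etc/shadow and /etc/group formats from the sections above, parsed and audited the way a sysadmin would during a security review. This is an added example, not code from the original note; all records are constructed samples and the hash values are placeholders.

```python
# Added example (not from the original note): parse and audit constructed
# /etc/passwd, /etc/shadow and /etc/group samples; hashes are placeholders.

# Constructed /etc/passwd sample: username:password:UID:GID:comment:home:shell
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:John Wise:/home/john:/bin/bash
backup:x:0:0:legacy backup job:/var/backups:/bin/sh
svc:x:1001:1001:service account:/srv/svc:/usr/sbin/nologin
"""
# Constructed /etc/shadow sample (a ninth, reserved field follows the eight listed above)
SHADOW_TEXT = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:0:99999:7:::
john:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:0:90:7:::
backup::19700:0:99999:7:::
svc:!:19700:0:99999:7:::
"""
# Constructed /etc/group sample: groupname:password:GID:group members
GROUP_TEXT = """\
root:x:0:
wheel:x:10:john,backup,olduser
john:x:1000:
employee:x:2000:john,svc
"""
PASSWD_FIELDS = ("name", "password", "uid", "gid", "comment", "home", "shell")
SHADOW_FIELDS = ("name", "password", "last_change", "min", "max",
                 "warning", "inactive", "expired", "reserved")
GROUP_FIELDS = ("name", "password", "gid", "members")
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")

def parse_colon_file(text, field_names):
    """Split each record on ':' and key it by the first field (account or group name)."""
    records = {}
    for line in filter(None, text.splitlines()):
        fields = line.split(":")
        if len(fields) != len(field_names):  # empty fields are fine, missing ones are not
            raise ValueError(f"expected {len(field_names)} fields: {line!r}")
        records[fields[0]] = dict(zip(field_names, fields))
    return records

def groups_for(user, passwd, groups):
    """What `id -Gn user` shows: primary group (from the passwd GID), then supplementary groups."""
    gid = passwd[user]["gid"]
    primary = [g["name"] for g in groups.values() if g["gid"] == gid]
    return primary + [g["name"] for g in groups.values()
                      if user in g["members"].split(",") and g["name"] not in primary]

def audit(passwd, shadow, groups):
    """Return (name, issue) pairs for the account problems an audit should catch."""
    findings = []
    for name, acct in passwd.items():
        if acct["uid"] == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        pw = shadow[name]["password"]
        can_log_in = acct["shell"] not in NOLOGIN_SHELLS
        if pw == "":  # an empty hash field means login without any password
            findings.append((name, "empty password field (no password required)"))
        elif can_log_in and not pw.startswith(("!", "*")) and int(shadow[name]["max"]) >= 99999:
            findings.append((name, "password aging not enforced (max 99999)"))
    for gname, grp in groups.items():  # members that no longer exist in /etc/passwd
        for member in filter(None, grp["members"].split(",")):
            if member not in passwd:
                findings.append((gname, f"group lists unknown member {member}"))
    return findings

PASSWD_DB = parse_colon_file(PASSWD_TEXT, PASSWD_FIELDS)
SHADOW_DB = parse_colon_file(SHADOW_TEXT, SHADOW_FIELDS)
GROUP_DB = parse_colon_file(GROUP_TEXT, GROUP_FIELDS)
FINDINGS = audit(PASSWD_DB, SHADOW_DB, GROUP_DB)
```

Against a real system the same functions can be fed the contents of the actual files (reading /etc/shadow requires root).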


User account management is one of the many challenges of Linux system administrators. Some of the responsibilities of a system administrator are enabling/disabling user accounts, preserving the home directory, setting user permissions, assigning groups/shells to users, and managing passwords.

How To Add User Accounts in Linux

  • Any user who utilizes your Linux machine must have a separate user account. A user account allows you to separate your files in a safe space with the ability to tailor your home directories, path, environment variables, etc.
  • You can list all available users with the cut command as follows:
$ cut -d: -f1 /etc/passwd
  • useradd
    • Creates a new user
    • Options:
      • -c: Adds a description/comment to a user account
$ useradd -c "John Wise" john
      • -d: Sets the home directory for the specified user. By default, the useradd command sets it to the username (/home/<username>), but you can replace it with the directory of your choice:
$ useradd -d /mnt/home/john john
      • -g: Allows you to set the primary group of a user. The user will be added to a group by default if you don't specify one during the creation process
      • -G: Adds the user to multiple groups
$ useradd -G employee,manager john
      • -o: Creates a new user account using the UID of an existing user
      • -p: Used to add an encrypted password to the account. You can also add your password later by using the passwd command.


Modify Default User Settings

  • The useradd command reads the default values from /etc/login.defs, /etc/useradd, and /etc/default/useradd. You can edit these files before using the command.


Modify User Groups on Linux

  • usermod is another simple yet straightforward Linux utility for modifying user account details. It supports parameters and flags similar to those of the useradd command, which is why its usage is quite simple.



Delete User Accounts on Linux

  • userdel deletes a user account:
$ userdel [-r] <username> # The -r flag removes the user's home directory as well
# Before deleting, it is recommended to find all files owned by the user and give them a different owner; after deleting, look for files left without an owner
$ find / -user username -ls
$ find / -uid 504 -ls
$ find / -nouser -ls


Managing Permissions in Linux


Managing access to resources is a fundamental task for sysadmins. This responsibility consists of three components: identities, resources, and permissions. This article covers several user, group, and file management commands to control access to resources.
  • The ls -l command displays directory contents in long format. The long format contains both permissions and ownership. You can see that the user account that created the resources also owns those resources. The group association is also that user's primary group.


Changing Owners and Group Associations

$ chown user01 file1 # Transfers ownership of the file to user01
$ chown :groupA file1 # Change the group associated with file
$ chown user02:groupA file1 # Changes the user and group at the same time
$ chown -R user01:groupA <path to directory> # Changes the user/group for a directory and all of its contents
  • The last command above provides a recursive configuration. Recursive commands are repeated on each specified object. The last command above changes the user/owner and group associated with a directory and all of the contents inside the directory.


Changing Permissions

  • The change mode or chmod command sets permissions. The syntax:
$ chmod permissions <resource-name>

Absolute Mode

  • Also known as octal or numeric mode, this is one way of specifying permissions. Each access level has an octal value, and each identity (user, group, others) has a position:

  • Example:
$ chmod 740 file2 # Grants the user read (4) + write (2) + execute (1), grants the group read (4) only, and grants others no access
  • In the above example, the user has rwx, the group has r only, and all others have no access to file2
  • The chmod command can also be recursive when called on a directory with the -R flag


Symbolic Mode

  • Each access level has a symbol

  • Each identity has a symbol

  • There are also operators to manipulate the permissions:

  • Examples:
$ chmod o-r file2 # Remove read permissions from others on file 2
$ chmod g+rw file2 # Adds read and write permissions for the group for file2
$ chmod -R u=rwx,g+rw,o-rwx Resources # Sets the user as having read, write, and execute permissions, gives the group associated with the file read and write permissions, and removes read, write, and execute permissions from others, recursively on the Resources directory


Special Permissions


  • Special permissions permit users to run applications with other credentials, control the inheritance of group associations, and keep files from being changed accidentally.
  • Special permissions make up a fourth access level in addition to user, group, and other. They allow for additional privileges over the standard permission sets. There is a special permission option for each access level discussed previously.

SUID

  • The special permission for the user access level has a single function: a file with SUID always executes as the user who owns the file, regardless of which user runs the command. If the file owner doesn't have execute permission, an uppercase S is shown instead.
  • Example: notice the 's' in the output where the x would usually indicate execute permission for the user.
$ ls -l /usr/bin/passwd 
-rwsr-xr-x. 1 root root 33544 Dec 13  2019 /usr/bin/passwd

SGID

  • This special permission has a couple of functions:
    • If set on a file, it allows the file to be executed as the group that owns the file
    • If set on a directory, any files created in the directory will have their group ownership set to the group that owns the directory.
$ ls -l 
total 0
drwxrws---. 2 tcarrigan tcarrigan  69 Apr  7 11:31 my_articles
  • This permission set is denoted by a lowercase s where the x would normally indicate execute privileges for the group. It is especially useful for directories that are used in collaborative efforts between members of a group. Any member of the group can access any new file. This applies to execution of the file as well.


Sticky Bit

  • This permission does not affect individual files, but at the directory level, it restricts file deletion. Only the owner of a file (and root) can remove the file within that directory. A common example is /tmp:
$ ls -ld /tmp/
drwxrwxrwt. 15 root root 4096 Sep 22 15:28 /tmp/
  • This permission is denoted by a lowercase t where the x would normally indicate the execute privilege


Setting Special Privileges

  • Using the numerical method, we need to pass a fourth, preceding digit in the chmod command. The digit used is calculated similarly to the standard permission digits:
    • Start at 0
    • SUID = 4
    • SGID = 2
    • Sticky = 1
  • Syntax:
$ chmod X### file | directory
  • where X is the special permissions digit.
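The absolute, symbolic and special-permission modes from the sections above, converted between their octal form, their chmod symbolic form and the mode column that ls -l prints (including the uppercase S/T when the execute bit is absent). This is an added example, not code from the original note; the '=' handling is simplified to replace only the rwx bits of the named identities.

```python
# Added example (not from the original note): convert between the octal, symbolic and
# `ls -l` forms of a mode, including the SUID, SGID and sticky bits, and apply chmod clauses.
import re
import stat

# (read, write, execute) masks for each identity, in the order user, group, other
WHO_BITS = {
    "u": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "g": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "o": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}
# the fourth access level: SUID (4) on the user, SGID (2) on the group, sticky (1) on other
SPECIAL_BITS = {"u": stat.S_ISUID, "g": stat.S_ISGID, "o": stat.S_ISVTX}
CLAUSE = re.compile(r"([ugoa]*)([+\-=])([rwxst]*)")

def parse_ls_mode(text):
    """Turn the mode column of `ls -l` (e.g. '-rwsr-xr-x') into a numeric mode (0o4755)."""
    if len(text) < 10:
        raise ValueError("expected the 10-character mode column, e.g. -rwxr-xr-x")
    mode = 0
    for who, (r, w, x) in zip("ugo", (text[1:4], text[4:7], text[7:10])):
        rb, wb, xb = WHO_BITS[who]
        mode |= (rb if r == "r" else 0) | (wb if w == "w" else 0)
        # x = execute; s/t = execute plus the special bit; S/T = special bit without execute
        mode |= xb if x in "xst" else 0
        mode |= SPECIAL_BITS[who] if x in "sStT" else 0
    return mode

def to_symbolic(mode, is_dir=False):
    """Render a numeric mode the way `ls -l` prints it."""
    out = "d" if is_dir else "-"
    for who in "ugo":
        rb, wb, xb = WHO_BITS[who]
        out += ("r" if mode & rb else "-") + ("w" if mode & wb else "-")
        letter = "t" if who == "o" else "s"
        if mode & SPECIAL_BITS[who]:
            out += letter if mode & xb else letter.upper()  # uppercase = no execute bit
        else:
            out += "x" if mode & xb else "-"
    return out

def apply_symbolic(mode, spec):
    """Apply a chmod symbolic spec such as 'u=rwx,g+rw,o-rwx' and return the new mode."""
    for clause in spec.split(","):
        m = CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = m.groups()
        targets = "ugo" if who == "" or "a" in who else who  # no identity (or 'a') means all
        bits = 0
        for t in targets:
            rb, wb, xb = WHO_BITS[t]
            bits |= (rb if "r" in perms else 0) | (wb if "w" in perms else 0)
            bits |= xb if "x" in perms else 0
            if ("s" in perms and t in "ug") or ("t" in perms and t == "o"):
                bits |= SPECIAL_BITS[t]
        if op == "=":  # '=' replaces the rwx bits of the targets (special bits only if named)
            for t in targets:
                mode &= ~sum(WHO_BITS[t])
        mode = mode | bits if op in "+=" else mode & ~bits
    return mode
```

format(mode, "04o") gives the four-digit X### form used with chmod, so the round trip from an ls -l line to a chmod argument is one call.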


Access Control Lists


  • Access Control Lists (ACLs) permit sysadmins to define permissions for more than just one user and one group, which adds a great deal of flexibility to standard permissions.
  • Access control lists allow us to apply a more specific set of permissions to a file or directory without (necessarily) changing the base ownership and permissions. They let us tack on access for other users or groups.
  • You can view the current ACL using the getfacl command.

Setting an ACL:

$ setfacl [option] [action/specification] file
# Example:
$ setfacl -d -m accounting:rwx /accounting # default ACL: new files created in /accounting get read, write, and execute for the accounting group
$ setfacl -m kenny:r-x /accounting # kenny can read (list) and execute (enter) the /accounting directory, but not write to it
  • The action would be -m (modify) or -x (remove), and the specification would be a user or group followed by the permissions we want to set. In the first case, we also use the option -d (defaults) so that the entry applies to files created in the directory later.


Managing File Permissions on Unix Like Systems


  • Permissions determine who can access and modify the files and directories stored in the file system.
  • Most commonly, the user who creates a file or directory is set as the owner of that file or directory.
  • Group designations can be used as a convenient way to grant access to multiple users.
# View File permissions
$ ls -lah
-rw-r--r-- 1 user1 group1 62 Jan 15 16:10 myfile.txt
drwxr-xr-x 2 user1 group1 2048 Jan 15 17:10 Example
  • The first character in the output tells you whether something is a directory: it is a directory if it starts with d. The letters rwx represent different permission levels:

Permission   File                     Directories
r            Can read the file        Can ls the directory
w            Can write the file       Can modify the directory's contents
x            Can execute the file     Can cd to the directory

  • Notice the multiple instances of r, w, and x. These are grouped into three sets that represent different levels of ownership:
    • Owner or User Permissions: The first set of three characters indicates the permission settings for the owner (also known as the user)
    • Group Permissions: The middle set of three characters indicates the group permissions.
    • Other Permissions: The last set of three characters is for other. This is anyone outside the group.
  • When changing file permissions, use the chmod command. Note that a stands for all.


Linux Directory Structure


Everything is considered a file in UNIX and UNIX derivatives such as Linux. If it is not a file, then it must be a running process.
  • There are three broad categories of files in Linux:
    • General Files - ordinary files made up of binary or ASCII data.
    • Directory Files - Directories are categorized as files since they also serve as storage space for other files and folders.
    • Device Files - These are special files that provide an interface to device drivers which enable the usability of hardware devices on the system such as a mouse, keyboard, USB devices, hard drives, etc.
  • Standard Linux Directory Structure:

Important Directories

  • / Directory
    • The root directory, denoted by a single forward slash, is the uppermost directory in the Linux directory structure. It contains all directories, sub-directories, and files on your Linux system. The Linux directory hierarchy starts from the root directory.
      • Note: Don't confuse the root directory with the root home directory /root
  • /boot Directory
    • The boot directory contains the Linux boot files such as the bootloader, the kernel, and its associated files.
  • /etc Directory
    • Contains system configuration files for all the services, scripts, and third-party applications that are installed. This directory is considered the nerve center of the Linux ecosystem.
  • /home Directory
    • This directory contains each user's personal folders and files. The /home directory also contains personal configuration files, which are prefixed by a dot (.).
  • /root Directory
    • The home directory for the root user, which is also referred to as the root user's home directory. The root user has access to all commands and system files in Linux.
  • /opt Directory
    • This directory is reserved for add-on packages and third party software applications that are not included by default in the system's official repositories.
  • /dev Directory
    • Contains device files or special files for devices that are attached to the system such as the hard drive, keyboard, and mouse.
  • /var Directory
    • Stores system generated variable files, which include log files, caches, and spool files just to mention a few.
  • /bin Directory
    • The /bin directory contains user binaries, executable programs, and common system commands that are used by all users of the system, like ls, pwd, ...
  • /sbin Directory
    • Contains executable files and system commands that are reserved for the root user or a user with root privileges, such as ifconfig
  • /usr Directory
    • Holds an enormous amount of data. The directory contains system-wide read-only files. These include libraries, user binaries, and their documentation, programs, and system utilities.
  • /proc Directory
    • It is a virtual filesystem that contains vital information about running processes. It is considered the control and information center for the Linux kernel. The filesystem is created on the fly upon system startup and is destroyed once the system is powered off.
  • /mnt Directory
    • Directory intended to be used as a temporary mount point for mounting storage devices such as Hard disk drives and USB drives
  • /sys Directory
    • This is a virtual file system that contains a set of virtual files that provide an interface to the Linux kernel.
  • /media Directory
    • Directory where the system mounts removable media such as USB drives.
  • /run Directory
    • This directory is a temporary filesystem that contains volatile runtime data describing the system since it was booted. Files under this directory must be deleted at the start of the boot process
  • /tmp Directory
    • This directory stores temporary files and many programs use this directory to create lock files and keep the temporary storage of data. Do not delete files under the /tmp directory unless you know exactly what you are doing. Many of these files are critical for running programs.
  • /lib Directory
    • Stores all standard libraries required by user binaries in the /bin directory
  • /lost+found
    • This directory is created during the installation of Linux and is useful for recovering files that may be broken due to an unexpected shutdown.
  • /srv Directory
    • srv is short for service. This directory contains server-specific and service-related files.


Important Files, their Location, and their usability

  • /dev/vmlinuz - the Linux kernel file
  • /dev/hda - device file for the first IDE HDD
  • /dev/hdc - device file for the IDE CD-ROM
  • /dev/sda - device file for the SATA drive
  • /dev/null - a pseudo device that doesn't exist. Sometimes garbage output is redirected here so that it gets lost, forever
  • /etc/bashrc - contains system-wide defaults, functions, and aliases, among other settings, that are used by all the system users
  • /etc/crontab - system-wide file that is uniquely formatted to schedule or automate system tasks on a Linux system
  • /etc/exports - a file that determines which file systems are exported to remote hosts and specifies options
  • /etc/fstab - special file that contains information about all available mount points and mount point options
  • /etc/hosts - configuration file that maps system hostnames to their corresponding IP addresses
  • /etc/hosts.allow - file that specifies which hosts are permitted to connect to the local system
  • /etc/hosts.deny - file that specifies which hosts are denied access and services on the local machine
  • /etc/issue - contains a pre-login message
  • /etc/modules - file that contains the names of kernel modules that should be loaded at boot time, one per line
  • /etc/motd - motd stands for message of the day, the message users get upon login
  • /etc/mtab - a read-only file that contains a list of currently mounted filesystems
  • /etc/passwd - contains system users' information
  • /etc/printcap - contains printer information
  • /etc/profile - contains Linux system-wide environment and other startup scripts
  • /etc/profile.d - application scripts, executed after login
  • /etc/rc.d - information about run level specific scripts
  • /etc/rc.d/init.d - run level initialization scripts
  • /etc/resolv.conf - this is the DNS resolver file. It specifies how the system uses DNS to resolve hostnames
  • /etc/security - contains configuration files for various PAM modules
  • /etc/skel - contains a set of user configuration files that are copied to the user's home directory when a user is created
  • /etc/X11 - directory that contains configuration files for the X Window System
  • /usr/bin - normal users' executable commands
  • /usr/bin/X11 - directory that contains directories and binaries for the X Window System
  • /usr/include - directory that contains header files for C compilers
  • /usr/share - shared directory that contains binaries with superuser privileges
  • /usr/lib - directory that contains object files and directories
  • /usr/sbin - directory that contains binaries with superuser privileges
  • /proc/cpuinfo - file that contains system info including CPU model, model name, number of cores, and clock speed, to mention a few
  • /proc/interrupts - information about the interrupts currently being utilized
  • /proc/ioports - file that contains all the Input/Output addresses used by devices on the server
  • /proc/meminfo - a file that reports how memory is being used by the kernel
  • /proc/modules - file that lists all the modules being used by the kernel
  • /proc/mounts - file that contains detailed mounted file-system information
  • /proc/swaps - file that contains information about the swap file
  • /proc/version - file that contains Linux version information
  • /var/log/lastlog - file that contains a log of the last successful user logins
  • /var/log/messages - file that contains a log of all messages produced by the syslog daemon at boot
  • /var/log/syslog - file that contains non-critical system logs
  • /var/log/wtmp - file listing the login time and duration of each user currently on the system
