Part 1-Linux-Chapter 3-User Management and Access Permission

hust

Uploaded by Phuc Nguyen

User management and Access Permission

Content
• User management
• Configuration files for user account and groups
• Root users
• User management utilities
• Group management utilities
• Access Permission
• Introduction
• Directories and File Permission
• Changing Permission
• User Masks
• Special Permissions


User Management – Terminology

• A user: anyone who has a Linux account on the system.
• Linux identifies a user by a number, the user ID (UID); the login name is only a label for that number.
• A superuser
  • has the maximum set of privileges in the system, also known as the system administrator
  – can change anything on the system
  – must have a lot of experience and training
• Users can be organized into groups.
• A user can belong to more than one group at a time.

Configuration files for user account and group
• User account information is stored in the following files:
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow

• An entry in /etc/passwd, which defines the user
• login name
• user ID
• default (primary) group
• descriptive name
• login program (shell)
• An entry in /etc/shadow, which controls account access
• hashed password
• password aging information
• An entry in /etc/group, for the group assignments
• one of the existing groups in this file becomes the user's primary group
• access to groups other than the primary group is granted in this file
• And a place to store files
• a home directory
• an initial .bash_profile and application startup files

/etc/passwd
Username:password:UID:GID:Info:Home:Shell
• Username: used when the user logs in. It should be between 1 and 32 characters in length.
• Password: an x indicates that the password hash is stored in /etc/shadow. An empty field traditionally means the account needs no password at all, so a blank second field is always worth flagging in an audit.
• User ID (UID): each user must be assigned a UID. UID 0 (zero) is reserved for root; the kernel checks the number, not the name, so any other account with UID 0 is root under another name. UIDs 1-99 are reserved for other predefined accounts, and UIDs 100-999 are reserved by the system for administrative and system accounts/groups.
• Group ID (GID): the primary group ID (the group is defined in /etc/group).
• User ID Info: the comment (GECOS) field. It allows you to add extra information about the user such as the full name, phone number etc. This field is used by the finger command.
• Home directory: the absolute path to the directory the user will be in when they log in. If this directory does not exist, the user is placed in /.
• Shell: the absolute path of a command or shell (/bin/bash). Typically this is a shell, but it does not have to be one; /sbin/nologin or /bin/false is used for accounts that must never get an interactive login.
$ grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin

/etc/shadow
Username:Password:Last_pwd_change:Minimum:Maximum:Warn:Inactive:Expire
• Username: the login name
• Password: the password hash. The file is readable only by root, which is the reason the hash was moved out of the world-readable /etc/passwd. A field beginning with ! is a locked password (what passwd -l writes); * or !! means no password has ever been set. The password itself should be at least 6-8 characters long, including special characters/digits
• Last password change: number of days since Jan 1, 1970 that the password was last changed
• Minimum: the minimum number of days required between password changes, i.e. the number of days the user must wait before being allowed to change the password again
• Maximum: the maximum number of days the password is valid (after that the user is forced to change it)
• Warn: the number of days before the password expires that the user is warned that it must be changed
• Inactive: the number of days after the password has expired during which it may still be changed at login; after that the account is disabled
• Expire: days since Jan 1, 1970 after which the account is disabled, i.e. an absolute date specifying when the login may no longer be used

# grep root /etc/shadow
root:b93.GT2r.7IZ6:9718:0:60:7:::
(a legacy 13-character DES crypt hash; current systems store $6$... SHA-512 or yescrypt hashes in this field)

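Putting the two field layouts to work, as an added shell example that is not part of the original slides: it parses constructed /etc/passwd and /etc/shadow text (the account names and hash strings are made up) and reports extra UID-0 accounts, blank password fields and the password-ageing state each shadow entry implies on a given day number. To audit a real host, pass in the contents of the real files instead of the fixtures (the shadow file needs root to read).

```shell
#!/bin/sh
# Added example: audit passwd/shadow content for the conditions the
# field descriptions above make possible. Fixtures are constructed
# (names and hashes are placeholders); POSIX sh + awk only.

# Constructed /etc/passwd: a second UID-0 account and an account with
# an empty password field are the two things to catch.
PASSWD_TXT='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:spare admin:/root:/bin/bash
henry:x:1001:1001:Henry Blake:/home/henry:/bin/bash
guest::1002:1002:guest:/home/guest:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin'

# Constructed /etc/shadow. Field 3 is days since 1970-01-01; "$6$..."
# stands in for a real SHA-512 crypt hash.
SHADOW_TXT='root:$6$salt$hash:19700:0:99999:7:::
toor:$6$salt$hash:19700:0:99999:7:::
henry:$6$salt$hash:19000:0:60:7:14::
guest:!$6$salt$hash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::'

# Accounts with UID 0 that are not called root: root by another name.
extra_uid0() { printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'; }

# Accounts whose passwd password field is empty rather than "x".
empty_passwd_field() { printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'; }

# Password state of every shadow entry as of day number TODAY (arg 2),
# from the ageing fields: last change (3), max (5), inactive (7).
#   locked       hash starts with ! (passwd -l) or * (never set)
#   expired      past last+max+inactive: the account is disabled
#   must-change  past last+max but inside the inactive grace period
#   ok           otherwise, with the days remaining
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        name = $1; hash = $2; last = $3; max = $5; inactive = $7
        if (hash ~ /^[!*]/)            { print name ": locked"; next }
        if (max == "" || max >= 99999) { print name ": ok (no max age)"; next }
        expires = last + max
        if (inactive != "" && today > expires + inactive)
                                       { print name ": expired"; next }
        if (today > expires)           { print name ": must-change"; next }
        print name ": ok (" (expires - today) " days left)"
    }'
}

# Current day number in the unit /etc/shadow uses.
today_days() { echo $(( $(date +%s) / 86400 )); }

echo "== extra UID 0 accounts";  extra_uid0 "$PASSWD_TXT"            # toor
echo "== empty password fields"; empty_passwd_field "$PASSWD_TXT"    # guest
echo "== password state on day 19100"; shadow_status "$SHADOW_TXT" 19100
echo "== password state today";        shadow_status "$SHADOW_TXT" "$(today_days)"
```

henry's entry (last change 19000, max 60, inactive 14) is the interesting one: up to day 19060 the password is valid, until day 19074 the user is still let in but forced to change it, and after that the account is disabled, which is exactly what chage -l would report.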
/etc/group
Group_name:Password:Group_ID(GID):Group_list
• Group name: the name of the group. If you run ls -l, you will see this name printed in the group field.
• Password: generally a group password is not used, so the field is empty. It can hold a password hash, which lets non-members join the group with newgrp; an x means the hash is stored in /etc/gshadow.
• Group ID (GID): the numeric ID of the group. A user's primary group is the group whose GID appears in the fourth field of that user's /etc/passwd entry.
• Group list: a comma-separated list of the login names of the users who are secondary members of the group. Users whose primary GID is this group are not listed here, so this list alone does not give the full membership.

/etc/gshadow
Group_name:Encrypted_password:Group_admin:Group_members

• Group name: the name of the group, used by various utility programs as a human-readable identifier for the group.
• Encrypted password: the password hash for the group. If set, non-members of the group can join the group by typing the password with the newgrp command. If the value of this field is !, no user is allowed to join the group using newgrp. A value of !! is treated the same as !, but also indicates that a password has never been set. If the field is empty, only group members can switch to the group.
• Group administrators: group members listed here (comma-separated) can add or remove group members using the gpasswd command.
• Group members: users listed here (comma-separated) are regular, non-administrative members of the group.

Root
• The superuser is a privileged account with unrestricted access to all files and commands
• The username of the superuser is "root"
• Root has a user ID of 0; the kernel checks the UID, not the name, so any account with UID 0 is a superuser
• There are two ways to become the superuser
• Log in as root directly
• Execute the su command to switch to the privileged account (su - also loads root's login environment instead of keeping yours)
% su

Sudo command
• The sudo utility allows users defined in the /etc/sudoers configuration file to run commands they would not normally be able to run because of file permission restrictions
• Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root, with every invocation logged
• The /etc/sudoers file contains all the configuration and permission parameters needed for sudo to work; edit it only with visudo, which checks the syntax before saving, because a syntax error in the file disables sudo for everyone

/etc/sudoers Examples
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
• root and users in group wheel can run anything on any machine as any user
srk,rp ALL = NOPASSWD: ALL
• Users srk and rp can run anything on any machine without a password
peter, %operator ALL = /sbin/, /usr/sbin/, /usr/local/apps/check.pl
• User peter and all members of the group operator can run every program in the /sbin and /usr/sbin directories, plus the single command /usr/local/apps/check.pl. A directory is recognised only by its trailing slash: /usr/sbin without the slash would mean a file of that name, not the directory.
• Anything in such a list that can start a shell or edit files (an editor, a program with a shell escape, or a script such as check.pl that the user can modify) amounts to full root, so review the permissions of every listed path, not just the rule.

Using Aliases in the sudoers File

User_Alias ADMINS = millert, mikef, dowdy
ADMINS ALL = NOPASSWD: ALL

• The user alias ADMINS stands for the users millert, mikef and dowdy
• Members of ADMINS can run anything on any machine without a password

Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
srk ALL = PRINTING, /usr/bin/adduser

• User srk can manage the printer queues (lpc, lprm) and add new users

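The rules above are easier to reason about once the aliases are expanded, so here is an added example (not from the slides, and not a sudo tool) that walks a constructed sudoers fragment, expands User_Alias and Cmnd_Alias names and prints every user or %group that ends up with ALL commands, with or without a password. It understands only the constructs shown on these slides (no Host_Alias, Runas_Alias, Defaults or @include lines), so on a real system use it as a first pass and confirm with sudo -l -U user.

```shell
#!/bin/sh
# Added example: list who gets "ALL" commands from a sudoers fragment.
# The fragment is constructed for the demo (not a real file). POSIX
# sh + awk; the rule and alias lines follow the slide examples.
SUDOERS_TXT='# sample sudoers fragment (constructed)
User_Alias ADMINS = millert, mikef, dowdy
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
root    ALL = (ALL) ALL
%wheel  ALL = (ALL) ALL
ADMINS  ALL = NOPASSWD: ALL
srk,rp  ALL = NOPASSWD: ALL
peter, %operator ALL = /sbin/, /usr/sbin/, /usr/local/apps/check.pl
srk     ALL = PRINTING, /usr/bin/adduser'

# Print "<user-or-%group> ALL <passwd|nopasswd>" for every principal
# that may run ALL commands. User_Alias names are expanded to their
# members; Cmnd_Alias names are expanded before looking for ALL.
sudo_full_root() {   # sudo_full_root "$SUDOERS_TXT"
    printf '%s\n' "$1" | awk '
    function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comments, blank lines
    /^(User_Alias|Cmnd_Alias)[[:space:]]/ {           # KIND NAME = a, b, c
        kind = $1
        eq = index($0, "=")
        name = trim(substr($0, length(kind) + 1, eq - length(kind) - 1))
        body = substr($0, eq + 1); gsub(/[[:space:]]/, "", body)
        alias[kind, name] = body
        next
    }
    {   # userlist HOST = [(runas)] [NOPASSWD:] cmd, cmd, ...
        eq = index($0, "="); if (eq == 0) next
        lhs = substr($0, 1, eq - 1); rhs = substr($0, eq + 1)
        sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", lhs)  # drop host list
        gsub(/[[:space:]]/, "", lhs)                           # "peter,%operator"
        nopass = (rhs ~ /NOPASSWD:/) ? "nopasswd" : "passwd"
        gsub(/[(][^)]*[)]|NOPASSWD:|PASSWD:|[[:space:]]/, "", rhs)  # strip (runas), tags
        full = 0
        nc = split(rhs, cmds, ",")
        for (i = 1; i <= nc; i++) {
            c = cmds[i]
            if (("Cmnd_Alias", c) in alias) c = alias["Cmnd_Alias", c]
            nb = split(c, parts, ",")
            for (k = 1; k <= nb; k++) if (parts[k] == "ALL") full = 1
        }
        if (!full) next
        nu = split(lhs, who, ",")
        for (i = 1; i <= nu; i++) {
            u = who[i]
            if (("User_Alias", u) in alias) u = alias["User_Alias", u]
            ne = split(u, members, ",")
            for (j = 1; j <= ne; j++) print members[j] " ALL " nopass
        }
    }'
}

sudo_full_root "$SUDOERS_TXT"
```

For the fragment above the output names root and %wheel (password required) and millert, mikef, dowdy, srk and rp (no password). peter and %operator do not appear: their rule lists directories and one script, which is exactly the case where the preceding slide's warning about writable or shell-spawning commands applies.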
User management utilities
• useradd/usermod/userdel
• passwd
• groupadd/groupmod/groupdel
• gpasswd
• sg/newgrp
• su
• users/groups
• id

Managing Users
• utilities to manage users
• adding users: # useradd or # adduser
• modifying user details: # usermod
• managing passwords: # passwd
• deleting users: # userdel

Adding Users
• Do not edit /etc/passwd by hand; useradd, usermod and userdel lock the files and keep /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow consistent
• The useradd utility creates the required records in /etc/passwd and /etc/shadow
• Useful options to useradd to override the defaults
-u uid specify the new user ID (default: next available number)
-g group specify the primary group (default on most Linux distributions: a new group named after the user, otherwise the GROUP setting in /etc/default/useradd)
-c comment description of the user (default: blank)
-d dir home directory
-m make the home directory (recommended; otherwise /home/username is not created)
-s shell specify the login program

# useradd -m henry
# useradd -u 321 -g 152 -m -s /bin/bash bill

• Each user's personal directory is placed in the /home directory. The directory name is the same as the username
• After useradd, an initial password must be set separately with the passwd command; until then the shadow entry holds a locked password and nobody can log in with one
• The alternative utility adduser (on Debian-based systems a front end to useradd) asks for the parameters and the password interactively

Modifying users
• The usermod utility
• usermod uses the same basic set of options as useradd
• if you change the UID with -u, files in the home directory are re-owned automatically, but files elsewhere keep the old numeric owner and must be found (find -uid) and re-owned by hand; on Linux -U means "unlock the password", not "re-own files"
# usermod -g users -c "Henry Blake" henry
# usermod -u 321 -s /bin/bash bill

• To change the account inactivity period and the expiry date (shadow-utils expects the date as YYYY-MM-DD)
# usermod -f 10 henry
# usermod -e 2007-12-01 hotlips

Setting Passwords
• New user accounts have to have an initial password
• If the new user is added with the useradd command, the passwd command is needed

• Use the standard passwd program with a username
# passwd henry
new password:
retype password:

• as root you will not be prompted for the existing password
• choose an initial password, make it expire at first login (below) and give it to the user in person or by phone, never in the same message as the username
• Force the user to change the password at first login
# passwd -e henry
• Lock the user account
# passwd -l henry
• passwd -l only prefixes the hash in /etc/shadow with !, which blocks password logins; SSH public-key logins may still succeed depending on the PAM and sshd configuration, so to disable an account completely also expire it (usermod -e 1) or set its shell to /sbin/nologin. passwd -u reverses the lock.

Account Security
• Use preset expiry dates for temporary employees
• very useful for contract staff
# usermod -e 2005-12-24 hotlips
• Use inactivity counts to lock unused accounts
• perhaps the user has left the company and no one told you
# usermod -f 5 hotlips

• Change passwords known by someone who leaves
• change ALL passwords if they knew the root password

• Lock accounts if they are temporarily unused
• user is on secondment or holiday
# passwd -l trapper
• Use the password ageing mechanism! (here: at least 27 days between changes, at most 30 days of validity, warning 3 days before expiry)
# passwd -m 27 -x 30 -w 3 radar

Removing User Account
• Delete a user account only when his/her data is safe
• Use the userdel utility (Linux, SVR4) or rmuser (AIX)
• Without any options userdel removes only the account entries and leaves every file owned by that user untouched and open to misuse; a later account that reuses the UID silently inherits them
• the -r option with userdel also removes the home directory and its contents (on Linux shadow-utils the mail spool too)
# userdel -r henry

• files outside the home directory are never touched; find them by numeric owner (find / -xdev -uid <uid>) before the UID is reused
• more significantly, userdel does not remove the user's crontab or at jobs, nor stop cron from executing the tasks scheduled by that user
• on Linux, userdel refuses to remove an account that still owns running processes unless forced

Removing User: Preparation

• When a user leaves there are two main concerns:
• protect the system from unauthorised access via his/her account
• protect and manage his/her files and directories left on the system
• Proposed sequence of steps
• lock the account password and set an expiry date, until you are ready to remove it altogether
• terminate the user's running sessions and remove any SSH authorized_keys, cron and at jobs they set up
• save all files owned by the user, somewhere outside the home directory
• change the access permissions on the saved files, allowing access to root only
• set up mail forwarding to send mail to a manager

Managing Groups
• utilities to manage groups
• adding a group: groupadd
• modifying a group: groupmod
• deleting a group: groupdel
• gpasswd
• sg/newgrp
• users/groups

Preparing Groups (/etc/group)

• Use groups for working on projects and in departments
• groups provide a second level of access control
• groups allow users to share files
• Set up groups before adding new users
• One line per group in /etc/group
name::gid:user1,user2
  name          group name
  (empty)       group password, normally unused
  gid           numeric id
  user1,user2   list of users allowed 'secondary' access to this group

Adding groups
• Add Linux groups
# groupadd students
# groupadd staff
# groupadd teachers
# groupadd -g 151 swamp
# groupadd -g 152 barracks

• Add the Linux users and assign them to their respective primary groups
# useradd -g teachers rp
# useradd -g staff srk

Changing Group Membership

• Each user belongs to a primary group (the GID field in /etc/passwd)
• primary membership can be changed with usermod -g
• A user can also be given access to other groups
• secondary membership is controlled with usermod -G
• the group must already exist
• usermod -G replaces the whole list of secondary groups: usermod -G swamp trapper silently removes trapper from every other secondary group. Use usermod -aG swamp trapper to append, and check the result with id trapper
• a new membership takes effect at the next login (or in a shell started with newgrp/sg); sessions that are already running keep their old group list
trapper's primary group is 400

# grep trapper /etc/passwd
trapper:x:416:400::/home/trapper:/bin/bash
add the new group # groupadd -g 600 swamp
# usermod -aG swamp trapper
# grep trapper /etc/group
swamp::600:trapper

add trapper to group 600 (his primary membership unchanged)

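Membership is split across the two files: primary members come from the GID field of /etc/passwd and secondary members from the last field of /etc/group, so the grep on /etc/group above shows only the secondary members. The following added example (not from the slides) joins the two files. It runs on constructed copies so it needs no root; on a live system the output of getent passwd and getent group can be passed in instead, which also covers LDAP or NIS accounts.

```shell
#!/bin/sh
# Added example: resolve group membership from both /etc/passwd (primary
# GID) and /etc/group (secondary list). Fixtures are constructed.
PW_TXT='root:x:0:0:root:/root:/bin/bash
trapper:x:416:400::/home/trapper:/bin/bash
radar:x:417:400::/home/radar:/bin/bash
hotlips:x:418:600::/home/hotlips:/bin/bash'
GR_TXT='root:x:0:
mash:x:400:
swamp:x:600:trapper,radar'

# Join input lines into one comma-separated line.
join_commas() { awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'; }

# group_members GROUP PASSWD_TEXT GROUP_TEXT
# Everyone whose primary GID is the group's GID, plus everyone in the
# group's member field, deduplicated and sorted.
group_members() {
    gid=$(printf '%s\n' "$3" | awk -F: -v g="$1" '$1 == g { print $3; exit }')
    [ -n "$gid" ] || { echo "no such group: $1" >&2; return 1; }
    {
        printf '%s\n' "$2" | awk -F: -v g="$gid" '$4 == g { print $1 }'
        printf '%s\n' "$3" | awk -F: -v g="$1" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    } | sort -u | join_commas
}

# user_groups USER PASSWD_TEXT GROUP_TEXT
# The set `id -Gn USER` reports: the primary group plus every group
# whose member list names the user (listed in /etc/group order).
user_groups() {
    pgid=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4; exit }')
    [ -n "$pgid" ] || { echo "no such user: $1" >&2; return 1; }
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$pgid" '
        $3 == g { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' |
        join_commas
}

group_members swamp "$PW_TXT" "$GR_TXT"   # hotlips,radar,trapper
group_members mash  "$PW_TXT" "$GR_TXT"   # radar,trapper
user_groups trapper "$PW_TXT" "$GR_TXT"   # mash,swamp
```

hotlips is a member of swamp without appearing in the swamp line of /etc/group at all, which is why a membership review that only greps /etc/group undercounts a group's reach.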
Access Permission
• Introduction
• Directories and File Permission
• Changing Permission
• User Masks
• Special Permissions

Introduction
• The system determines whether a user or group can access a file based on the permissions assigned to them.
• There are 3 types of permission for any file, directory or application program:
• r: a category of user can read the file
• w: a category of user can write to the file
• x: a category of user can execute the file
• -: permission denied

• Linux assigns separate permissions to 3 categories of user: owner, group and other users (others)
• owner - the user who owns the file (initially its creator; changed with chown)
• group - the members of the group that owns the file (initially the creator's primary group, unless the directory has the SGID bit)
• others - all other users with access to the system
• Only one category applies to a given access: if you are the owner, the owner bits decide, even when the group or others bits would allow more; otherwise, if you are in the group, the group bits decide
• Types of files
• Directories
• Other files

Directory and File Permissions

Access Types

Access Type   Meaning on File             Meaning on Directory
r (read)      View file contents          List the names in the directory
              (open, read)                (ls; ls -l also needs x)
w (write)     Change file contents        Change the directory's contents:
                                          create, delete or rename entries
                                          (needs x as well). Deleting needs
                                          no permission on the file itself
                                          - be careful !!!
x (execute)   Run the executable file     Make it your cwd; access files
                                          (by name) in it
-             Permission denied           Permission denied

Checking permissions
• To check the permissions of an existing file or directory, use the command: ls -l
• Example:
ux% ls -l unix
total 387
drwxr--r-- 1 z036473 student 862 Feb 7 19:22 unixgrades
-rw-r--r-- 1 z036473 student 0 Jun 24 2003 uv.nawk
-rw-r--r-- 1 z036473 student 0 Jun 24 2003 wx.nawk
-rw-r--r-- 1 z036473 student 0 Jun 24 2003 yz.nawk
• Note the first entry: unixgrades is readable but not searchable (no x) by group and others, so they can list the names inside it but cannot open, stat or cd into anything there

Changing permissions

The chmod Command

Changing Permissions: Symbolic Mode

mp% chmod who operation permissions filename

who             operation       permissions
u for user      + for add       r for read
g for group     - for remove    w for write
o for others    = for assign    x for execute
a for all

Changing Permissions: Symbolic Mode

ux% ls -li sort.c
118283 -rw-r--r-- 1 krush csci 80 Feb 27 12:23 sort.c

Example 1: Change the permissions on the file "sort.c" using symbolic mode, so that:
a) Everyone may read and execute it
b) Only the owner and group may write to it.

We want this, in symbolic notation: rwx|rwx|r-x

Answer (either form works: the first assigns the bits absolutely, the second adds to the existing rw-r--r--):
chmod ug=rwx,o=rx sort.c
chmod ugo+rx,g+w sort.c

Changing Permissions: Octal Mode

ux% ls -li sort.c
118283 -rw-r--r-- 1 krush csci 80 Feb 27 12:23 sort.c

Example 2: Ignoring the original permission settings, change the permissions on the file "sort.c" using octal mode, so that:
a) Everyone may read and execute it
b) Only the owner and group may write to it.

We want this, in octal: rwx|rwx|r-x = (4+2+1)(4+2+1)(4+0+1) = 775

Answer: chmod 775 sort.c

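The two examples above, run rather than read, as an added shell example that is not part of the original slides. It applies the symbolic and octal arguments to scratch files (created with mktemp, so nothing on the system is touched) and prints the resulting mode column, and it spells out the r=4, w=2, x=1 arithmetic behind the octal form.

```shell
#!/bin/sh
# Added example: the symbolic and octal forms of chmod compared on
# scratch files, plus the digit arithmetic behind the octal form.
# Needs only chmod, ls, mktemp (GNU or BSD).

# 10-character mode column of ls -l, e.g. -rwxrwxr-x (portable, unlike
# the format flags of stat, which differ between GNU and BSD).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Mode a fresh rw-r--r-- (644) file ends up with after `chmod ARG`.
chmod_result() {   # chmod_result 'ug=rwx,o=rx'
    f=$(mktemp) || return 1
    chmod 644 "$f" && chmod "$1" "$f" && mode_of "$f"
    rm -f "$f"
}

# Octal digits to the rwx string ls prints: r=4, w=2, x=1 per digit.
octal_to_symbolic() {   # octal_to_symbolic 775 -> rwxrwxr-x
    out=""
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# The two symbolic answers and the octal answer from the slides all
# land on the same mode ("=" assigns, "+"/"-" adjust the current bits):
chmod_result 'ug=rwx,o=rx'   # -rwxrwxr-x
chmod_result 'ugo+rx,g+w'    # -rwxrwxr-x
chmod_result 775             # -rwxrwxr-x
# Relative operators depend on the starting point, absolute ones do not:
chmod_result 'g=w'           # -rw--w-r--
chmod_result 'o-r'           # -rw-r-----
octal_to_symbolic 775        # rwxrwxr-x
octal_to_symbolic 640        # rw-r-----
```

The practical difference between the forms: an octal mode or an "=" assignment gives the same result whatever the file had before, so it belongs in scripts and configuration management; "+" and "-" are convenient interactively but their outcome depends on the starting mode.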
User Masks (default permissions)

• The default permissions are initially set for a file or directory using a three-digit octal process setting called the user mask (umask).
• This user mask is given an initial value by the system administrator when your account is created.
• It is set in a start-up file such as $HOME/.cshrc (for bash: /etc/profile, ~/.bashrc or ~/.bash_profile; the system-wide default usually comes from UMASK in /etc/login.defs or from pam_umask)
• The user mask contains the octal settings for the permissions to be removed from the default when a directory or file is created (the new mode is the default AND NOT the mask).
• The default permissions are:
– 777 for a directory
– 666 for a file
• The umask belongs to each process and is inherited by its children, so a service started with a permissive umask creates world-readable files no matter what the users' start-up files say

The umask Command

User Mask
User mask   Directory (default 777)   File (default 666)
000         777 (rwx rwx rwx)         666 (rw- rw- rw-)
111         666 (rw- rw- rw-)         666 (rw- rw- rw-)
222         555 (r-x r-x r-x)         444 (r-- r-- r--)
333         444 (r-- r-- r--)         444 (r-- r-- r--)
444         333 (-wx -wx -wx)         222 (-w- -w- -w-)
555         222 (-w- -w- -w-)         222 (-w- -w- -w-)
666         111 (--x --x --x)         000 (--- --- ---)
777         000 (--- --- ---)         000 (--- --- ---)

The command: umask
% umask 000
For regular files: rw-rw-rw- 666
For directories: rwxrwxrwx 777

In $HOME/.cshrc file: umask 022

For regular files: rw-r--r-- 644
For directories: rwxr-xr-x 755


Default Access Permissions

• To stop other users reading or altering your work, do not grant read and write access permissions to group and others!
• Set the default permissions for all files and directories created in the future, so that only you (the owner) can read and write them (rw- --- ---)
• In your $HOME/.cshrc file: umask 077
• Check the current value with umask (no argument); umask -S prints it in symbolic form

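An added example (not from the slides) that measures the effect of the umask on real scratch entries, inside a subshell so the caller's own umask is unchanged, and reproduces the table above arithmetically. It assumes a POSIX shell whose $(( )) accepts leading-zero octal constants, as bash and dash do.

```shell
#!/bin/sh
# Added example: what a umask actually does to new files and directories,
# measured on scratch entries and computed arithmetically. POSIX sh.

mode_of() { ls -ld "$1" | cut -c1-10; }

# Create a file and a directory under the given umask, in a subshell so
# the caller's umask is untouched, and report the resulting modes.
umask_result() {   # umask_result 022 -> "file=-rw-r--r-- dir=drwxr-xr-x"
    (
        d=$(mktemp -d) || exit 1
        umask "$1"
        : > "$d/f"        # open(O_CREAT, 0666): 666 & ~umask
        mkdir "$d/sub"    # mkdir(0777):          777 & ~umask
        printf 'file=%s dir=%s\n' "$(mode_of "$d/f")" "$(mode_of "$d/sub")"
        rm -rf "$d"
    )
}

# The same rule as arithmetic: requested mode AND NOT umask.
umask_apply() {   # umask_apply 666 022 -> 644
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

umask_result 000      # file=-rw-rw-rw- dir=drwxrwxrwx
umask_result 022      # file=-rw-r--r-- dir=drwxr-xr-x
umask_result 077      # file=-rw------- dir=drwx------
umask_apply 666 022   # 644
umask_apply 777 077   # 700
umask_apply 666 027   # 640
```

A umask can only remove bits, never add them: no mask makes a newly created regular file executable, which is why a compiler or editor that wants an executable result has to chmod it afterwards.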
Special Permissions
• The regular file permissions (rwx) are used to assign security to files and directories.
• Three additional special permissions can optionally be used on files and directories.
– Set User ID (SUID)
– Set Group ID (SGID)
– Sticky bit

Special Permissions: SUID

• SUID lets a regular user execute a program file with the effective user ID of the file's owner for the duration of the execution.
• Example: the "passwd" command is used to change a user's password. The file "/usr/bin/passwd" (owned by "root") has this special permission set: r-sr-sr-x on the system the slide was taken from; on current Linux distributions it is usually -rwsr-xr-x (SUID only).
• Only root can write /etc/shadow. Because "/usr/bin/passwd" has the SUID bit set, when a regular user executes the "passwd" command the process runs as "root" while "passwd" is executing, and the program itself limits what that root access is used for (changing only the caller's own entry).
• Every SUID-root program is therefore a privilege boundary: a bug in it, or a modifiable copy of it, is a local root vulnerability. That is why audits inventory SUID files with find, and why the Linux kernel ignores the SUID bit on interpreted scripts.

Special Permissions
• The access permission status displayed by "ls -l" has no separate column for the special permissions
• However, since the special permissions need "execute" to be meaningful, they are displayed in place of the execute permission of the owner (SUID), the group (SGID) and others (sticky bit):

rwxrwxrwx      without special permissions
rwsrwsrwt      with SUID, SGID and sticky bit set (s, s, t replace the three x's)

Special Permissions
• All special permissions also require the "execute" permission to work properly.
• Usually, SUID and SGID apply to executable files.
• The sticky bit applies to directories, which must have execute permission for access.
• If a special permission is set on a file or a directory without the "execute" permission, it is shown as a capital letter; such a combination does nothing useful and usually indicates a mistake worth looking at:

rw-rw-rw-      without special permissions
rwSrwSrwT      SUID, SGID and sticky bit set but no execute permission

Special Permissions: SGID
• Like SUID, SGID lets a regular user execute a program file with the effective group ID of the group that owns the file.
• If a file is owned by the system group and also has the SGID permission, then any user who executes that file is a member of the system group during the execution.
• On a directory, SGID means something different and very useful for shared project directories: new files and subdirectories created inside it get the directory's group instead of the creator's primary group, and subdirectories inherit the SGID bit. A team directory owned by the project group with mode 2775 therefore stays group-owned without each user running chgrp.
• On Linux, when an unprivileged user sets SGID on a file whose group the user does not belong to, the bit is silently dropped.

Special Permissions: Sticky Bit

• The sticky bit performs a useful function on directories
• Recall: write permission on a directory lets you add and remove any file in that directory.
• If you have "write" permission on a directory but no permissions on the files within it, you can still delete all of those files, because deleting changes the directory, not the file.

Scenario: A company provides a common directory that gives all employees the ability to add and remove files in it. This directory must give users "write" permission. Unfortunately, the "write" permission also gives all employees the ability to delete all files and subdirectories within it, including the ones that others have added to the directory.

• If the "sticky" bit is applied to this common directory, in addition to "write" permission, then employees may still add files to the directory, but they may delete or rename only the files and directories that they own themselves (the directory's owner and root are exempt from this rule).
• Example:
ls -ld /tmp
drwxrwxrwt 3 root sys 1077 Jan 25 13:30 /tmp
• The t in the last position is the sticky bit. On Linux the sticky bit has no effect on regular files. A world-writable directory without it lets any user delete or replace any other user's files there, which is the basis of many symlink and race-condition attacks, so an audit should list world-writable directories that lack the bit.

Setting Special Permissions

Octal mode has a fourth, leading digit for the special bits:

  special          user      group     others
  suid sgid stb    r  w  x   r  w  x   r  w  x
   4    2    1     4  2  1   4  2  1   4  2  1
  ------7------    ---7---   ---7---   ---7---

Use the "chmod" command with octal mode:

chmod 7777 filename

Symbolic equivalents: u+s (SUID), g+s (SGID), +t (sticky bit). On regular files a three-digit numeric mode such as chmod 755 clears SUID and SGID; on directories GNU chmod preserves them with numeric modes, so use g-s to clear. Re-check with ls -l after changing the mode of a privileged binary.

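An added example (not from the slides) that sets each special bit on scratch files and directories and prints what ls -l shows, including the capital S/T case, and then runs the two audit queries a reviewer wants after reading this section: set-id regular files, and world-writable directories without the sticky bit. The placeholder files are empty, so the SUID bit on them grants nothing; on a real system run find_setid from / and compare the result with what the distribution ships.

```shell
#!/bin/sh
# Added example: how the three special bits show up in ls -l, how the
# leading octal digit sets them, and the find checks for set-id files
# and for world-writable directories without the sticky bit.
# Scratch entries only; no privileges needed.

mode_of() { ls -ld "$1" | cut -c1-10; }

# Mode string of a fresh empty file after `chmod MODE`.
file_mode_after() {   # file_mode_after 4755 -> -rwsr-xr-x
    f=$(mktemp) || return 1
    chmod "$1" "$f" && mode_of "$f"
    rm -f "$f"
}

# Mode string of a fresh directory after `chmod MODE`.
dir_mode_after() {    # dir_mode_after 1777 -> drwxrwxrwt
    d=$(mktemp -d) || return 1
    chmod "$1" "$d" && mode_of "$d"
    rmdir "$d"
}

# Regular files with SUID or SGID under DIR: the routine inventory.
# On a real system run it from / with -xdev; anything not shipped by a
# package is a local-root candidate.
find_setid() {        # find_setid DIR
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
}

# World-writable directories under DIR that lack the sticky bit: anyone
# can delete or replace anyone else's files in them.
find_ww_nosticky() {  # find_ww_nosticky DIR
    find "$1" -type d -perm -0002 ! -perm -1000
}

# Build a scratch tree (one plain, one SUID and one SGID file; one open
# directory and one /tmp-like one) and report what the two audits find.
scratch_audit() {     # -> "setid=2 ww_nosticky=1"
    d=$(mktemp -d) || return 1
    : > "$d/plain"; chmod 0755 "$d/plain"
    : > "$d/suid";  chmod 4755 "$d/suid"
    : > "$d/sgid";  chmod 2755 "$d/sgid"
    mkdir "$d/open" "$d/tmplike"
    chmod 0777 "$d/open"; chmod 1777 "$d/tmplike"
    printf 'setid=%s ww_nosticky=%s\n' \
        "$(find_setid "$d" | wc -l | tr -d ' ')" \
        "$(find_ww_nosticky "$d" | wc -l | tr -d ' ')"
    rm -rf "$d"
}

file_mode_after 4755   # -rwsr-xr-x   SUID, x present -> lower-case s
file_mode_after 2755   # -rwxr-sr-x   SGID
file_mode_after 6755   # -rwsr-sr-x   both
file_mode_after 4644   # -rwSr--r--   SUID without x -> capital S (mistake)
dir_mode_after 2775    # drwxrwsr-x   SGID directory: shared project dir
dir_mode_after 1777    # drwxrwxrwt   sticky, world-writable, like /tmp
dir_mode_after 1666    # drw-rw-rwT   sticky without x -> capital T
scratch_audit          # setid=2 ww_nosticky=1
```

The leading digit is additive like the others: 4755 + 2000 = 6755 sets both SUID and SGID, and 1777 is exactly what ls shows for /tmp on the slide above.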