
Linux Lab3 en

Uploaded by

Georgio Karam

Lebanese University, Faculty of Engineering, Branch I
Dept.: Electricity - Electronics
3rd Year – 5th Semester
Lab: Linux
Num. 3: Accounts and Permissions

I- Introduction:
Linux is a multi-user system. This means that several people can work simultaneously on the same OS,
in particular by connecting to it remotely.
Since several users can log into Linux at the same time, it must be well organized from the start.
User accounts serve several functions on Linux systems:
- They make it possible to distinguish the different users who have access to the system, for
security reasons. Each of them has a personal account, accessed with a username and a
secret password.
- These users can define access permissions to their data, in order to authorize or prohibit its
use by others.
- The accounts allow the authentication of each user accessing the system, which makes many
other management tasks possible, such as managing the users' e-mail.
Apart from personal accounts, there are users who are not necessarily natural persons. These users
perform administrative functions. This is the case with the "root" account, used by the administrator to
perform maintenance, for example. This is also the case for accounts generally intended for daemons
that must have access to certain files under a specific identity (the "news" account, for example,
allows receiving Usenet news from another site).

II- Management of user groups :


a. The structure of users under Linux
You can create as many users as you want, themselves divided into groups.
There is a "special" user, root, also called a superuser. This one has all the rights on the machine.
The following figure shows different users and their groups.

b. Commands of group management :
You can simply add a new group with the command "groupadd", and delete a group with "groupdel"
if there is no user account belonging to this group.
e.g.: groupadd sem3
Likewise, you can add a group by directly editing the /etc/group file; this file contains the
definitions of all user groups.

III- Management of user accounts :


a. How to create a user account:
Creating an account requires several operations: adding an entry in the /etc/passwd file, creating the
user's personal directory, and setting up the default configuration in the directory of this user.
All of these operations are handled by the "adduser" or "useradd" command, the syntax of which is
as follows:

adduser [-c comments] [-d personal_dir]
        [-e expiry_date] [-f inactivity_time]
        [-g initial_group] [-G group[,...]]
        [-m [-k skeleton_dir] | -M] [-p password]
        [-s shell] [-u uid [-o]] [-r] username

When used without any argument, this command interactively requests all the information needed to
identify the user being created.

When used without any option (that is, with only the username argument), this command applies a set of
default values recorded in the file /etc/default/useradd.
In addition, the command "useradd -D" displays the default configuration that would be applied to a new
user created without specifying options.

The table below describes the most commonly used options:

Option               Summary
-c comments          Full name of the user or any comments
-d personal dir.     Personal directory, created by default in the directory /home
-e expiry date       To set the expiry date of the account (format MM/DD/YY)
-f inactivity time   Number of days between the expiration and the permanent deactivation of the account
-g initial group     Primary group of the user account. It must exist before the account is created.
-G list              To assign the user a list of secondary groups (use , as separator, without spaces)
-m                   The personal directory will be created if it does not exist. The option -k isn't valid without the option -m
-k skeleton_dir.     Copy the content of the directory skeleton_dir into the personal directory; by default: /etc/skel
-p password          Encrypted password. By default the password is deactivated
-s shell             By default: bash
-u uid               To set the identifier uid of the user (number)
-r username          Chosen username (login username)

e.g. :
useradd -c UnUtilisateurDuSemestre5 -g 100 -d /home/sem3 -m -u 501 -r sem3user
b. How to modify a user account
To modify a user's account, use the "usermod" command as follows:
usermod [options] user
The options are the same as those of the "useradd" command
e.g.:
usermod -G trainee,teachers stagex
adds the stagex account to the two groups trainee and teachers (which must exist beforehand)

c. How to delete a user account


To delete a user account, use the "userdel" command as follows:
userdel [-r] user
The -r option also deletes the user's home directory and files.
The command removes all traces of the user in the configuration file: /etc/passwd.
e.g.:
userdel -r sem3user

d. The file /etc/passwd


Everything related to user management and authentication is recorded in a single file, /etc/passwd.
The encrypted passwords are often placed in /etc/shadow instead; for security, this file is readable only by the root user.
Structure of /etc/passwd:
This file contains, for each user, a line composed of 7 fields separated by the symbol ":"
- Connection name (also called username or login)
- Former location of the encrypted password
- User Id uid, its value is the real identifier of the user under Linux; the uid of root is 0, and the system
conventionally assigns a uid starting from 500 to the various created accounts
- Group Id gid, the group to which the user belongs by default; the gid of root is 0, those of user groups are
beyond 500
- Full name, which may be followed by a list of personal information (try the command chfn)
- Personal directory (also called the connection directory)
- Shell, command interpreter (by default /bin/bash)
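
Added example (not part of the original lab sheet): a shell function that reads a passwd-format file using the seven fields listed above and flags the entries an administrator should review. The function name audit_passwd and the accounts in SAMPLE_PASSWD are constructed for this illustration; it assumes the usual convention that "x" in the second field means the hash is kept in /etc/shadow.

```shell
#!/bin/sh
# Constructed sample data in /etc/passwd format (not taken from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
news:x:9:13:news:/var/spool/news:/sbin/nologin
sem3user:x:501:100:UnUtilisateurDuSemestre5:/home/sem3:/bin/bash
stagex::502:100:Trainee X:/home/stagex:/bin/bash
admin2:x:0:0:second uid 0 account:/root:/bin/bash
legacy:ab1CdEfGhIjKl:503:100:old hash kept in passwd:/home/legacy:/bin/bash
broken:x:504:100:/home/broken'

# audit_passwd [FILE]  (hypothetical helper; reads standard input when no FILE is given)
# Fields: 1 login, 2 password slot, 3 uid, 4 gid, 5 full name, 6 home, 7 shell
audit_passwd() {
    awk -F: '
        # A valid entry has exactly 7 colon-separated fields.
        NF != 7 { print "MALFORMED " $1 " (fields=" NF ")"; next }
        # Any uid 0 account has the same rights as root.
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        # An empty password slot allows login without a password.
        $2 == "" { print "EMPTY_PASSWORD " $1 }
        # Anything other than "x" or a lock marker is a hash readable by all users.
        $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print "HASH_IN_PASSWD " $1 }
        # Two logins sharing one uid are the same user as far as Linux is concerned.
        seen[$3]++ { print "DUPLICATE_UID " $1 " uid=" $3 }
    ' "$@"
}

# Demonstration on the constructed sample; on a real system: audit_passwd /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```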

e. The command "passwd"


It stores the encrypted password in the file /etc/shadow.
Syntax: passwd [option] username

Options:
--stdin, the command abandons its usual interactive behavior and reads its standard input for use as
a password.
-d, to delete the password; the user will be able to log in without one!
-l, to lock the account and disable the connection.
-u, to unlock the account.

f. The commands "su" and "sudo"


The command "su" allows the current user to switch to another account temporarily (until the "exit" command
is received by the terminal); this requires knowing the password of the second account.
e.g.: su nabil
"su" without parameters allows the user to act as the superuser ("root").

The pseudo-command "sudo", when it precedes any other command, runs that command
with superuser permissions.

Lab:
1. Execute the command "sudo su"; you will then be working as the administrator "root".
2. Create a user group with the name of your own lab group, e.g.: gr3
3. Create another user group with the name of another lab group.
4. Verify that the groups just created are registered in the file "/etc/group".
5. Create user accounts (with creation of the personal directory) for each one of you, and also a user account
for each member of the other group; each account must belong to its own group.
6. Verify the existence of the users in the file "/etc/passwd".
7. Quit the "root" session with the command "exit".

IV- Evaluation of expressions:


Although it is outside the subject of this lab, it is worth using an important feature that exists in Linux:
the evaluation of expressions, or more precisely the evaluation of commands.
The symbols used in this feature are simply an opening "`" at the beginning and another closing "`" at
the end of the command.
Consider the following example:
In the personal directory, the "ls" command lists its contents, element by element. With the
command ls `ls`, on the other hand, we find that "ls" is applied individually to each element of the contents
of the home directory. So what happens?
Another example: create a text file "test" containing the following three lines:
ls
cd
pwd

The "cat test" command displays these lines on the screen. The "which command"
command indicates which executable is represented by the command passed as an argument to
"which". Now try the command "which `cat test`". What do you get?

Lab:
1. The command "whoami" gives the name of the active user account. Starting from what this
command provides, try to write, in only one line, a complex command giving the group number
gid to which your user account belongs.
2. Use the command "sudo su « already created personal account »", then try the commands
"whoami", "who am i" and "who". What do you observe?

V- The permissions:
Linux permissions are a simple system for defining access rights to resources, represented by files
available on a computer system. They remain the most used way to define user rights on Linux-like
systems.
Thus each file is associated with a list of permissions, which determine what each user has the right to
do on this file.
The rights that can be assigned to a file are:

- r means: permission to read this file / this directory,
- w means: permission to write to this file / this directory,
- x means: permission to execute this file / to go into this directory.

We can assign these rights to:

- the user of the file/dir,
- the members of a group of the file/dir,
- all the users (i.e. the other users).

a- Visualisation of the rights :
To see which rights are assigned to a file, it is enough to type the command "ls -l filename",
e.g.: "ls -l toto"
We will get on the screen a listing with the following format:
-rwxr-xr-x 1 user group 12345 Nov 15 09:19 toto
The output means that the file toto (of size 12345 bytes) belongs to the « user » and the « group », and
that its rights are: rwxr-xr-x.

Off topic but important: the first character - is not a right; it is a character reserved to indicate the type of
file. It can take the following values:
d : directory
l : symbolic link
c : peripheral of type character (like the serial port, ps2, usb, …)
b : peripheral of type block (like the serial synchronous communication, IP networks, …)
p : fifo
s : socket
- : regular file

Here the symbol "-" marks toto as a regular file.

Returning to the permissions, the letters "rwxr-xr-x" must be read as three blocks:
i- rwx (read, write, execute) for the user owner of the file
ii- r-x (read, execute) for the group owner of the file
iii- r-x (read, execute) for the others (everyone else)

So toto can be read, modified and executed by its user owner, but can only be read and executed by the
other users.

b- Modification of the rights:


Using the command "chmod", there are two ways to change the rights of a file or directory:
i- Either by specifying the rights in octal (base 8). The correspondence is as follows:
1 : Execute ;
2 : Write ;
4 : Read.

That is to say, each privilege level must be assigned an octal number describing the desired rights, so to
specify the read, write and execute rights for the owner user, the octal number is: 1 + 2 + 4 = 7.

Then to specify read, write and execute rights for users of the owner group, the corresponding number is
still 7.

Finally, to specify read and execute rights only for other users, the corresponding number is 1 + 4 = 5.

Then the desired command becomes: "chmod 775 toto".

Another example, if we want the user to have all 3 rights (rwx), the group to have 2 rights (rx) and the
rest of the world to have no rights (---), the corresponding octal number is 750.

ii- Or by specifying the right to be added (+) or to be removed (-) for the file (or directory) for each
privilege of manipulation (u for the user, g for the group and o for the others).

e.g.:

a. chmod g+w toto


b. chmod o-r-x toto

Lab: You are asked to determine the differences between the two methods.

c- The command "umask" :


Used to modify the default permission attributes of newly created files.
The syntax is simply:
umask <Octal complement of the desired attributes>
e.g.: umask 027
Means that files will be created with 750 permissions (i.e. rwx for the owning user, r-x for users in
the owning group, and --- for others).
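
Added example (not part of the original lab sheet): the function below, whose name modes_under_umask is an assumption, creates one file and one directory under a given umask and reports the resulting octal modes. It goes slightly beyond the text by showing both kinds of object: new directories start from 777 and new regular files from 666, so umask 027 yields 750 for a directory and 640 for a regular file. It assumes GNU stat (stat -c).

```shell
#!/bin/sh
# modes_under_umask MASK  ->  prints "<file_mode> <dir_mode>" in octal
# (hypothetical helper written for this illustration)
modes_under_umask() {
    (   # subshell: the umask change does not leak into the calling shell
        umask "$1"
        d=$(mktemp -d) || exit 1      # scratch directory, removed afterwards
        : > "$d/file"                 # new regular file: requested mode 666, minus the mask
        mkdir "$d/dir"                # new directory:    requested mode 777, minus the mask
        printf '%s %s\n' "$(stat -c %a "$d/file")" "$(stat -c %a "$d/dir")"
        rm -rf "$d"
    )
}

# Demonstration with three common masks.
for mask in 022 027 077; do
    printf 'umask %s -> file/dir modes: %s\n' "$mask" "$(modes_under_umask "$mask")"
done
```

A new file never receives the execute bit from umask alone, which is why a freshly written script still needs "chmod u+x" before it can be started with "./".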
d- Modify the user owner of a file :
To do so use the command "chown" in the following way :
chown <new_user> <filename>
e.g. : chown root Videos

e- Modify the group owner of a file :


To do so use the command "chgrp" in the following way :
chgrp <new_group> <filename>
e.g. : chgrp root Videos

Lab:
1- Adjust with "umask" the default permissions to be assigned to each new file, in such a
way that the owner user can read and write only, without any permission for all other users.
2- Create with "vi" a text file named "mycommands" that contains the following lines:
cd
ls -la > batch.txt
3- Verify the permissions of the file "mycommands".
4- The file "mycommands" can be seen by Linux as a small routine whose instructions are
shell commands; we call such a file a script. To verify that it works, we use the command "sh
mycommands". Try this command and verify the correct execution of the script.
5- Since "mycommands" is a script, it should be started like any other program, that is, as
follows: "./mycommands"
(we have to put "./" here, because the home directory where our script is located is not defined in
what is called the PATH environment variable; this will be seen later in another lab).
Try the command. What is the response from the interpreter, and why?
6- Assign the execute permission to the file "mycommands".
7- Try "./mycommands" again. Everything is fine now.
8- Copy "mycommands" to the personal directory of another user of your group.
9- Do whatever is necessary to allow this user to run "mycommands" as an executable program.
10- Try the same steps for a user of another group.
