Users and permissions
Root user
The user named “root” (also called superuser or admin) is allowed to do anything on the system. For that reason it is not advisable to be logged in as root all the time.
Users
A Linux system supports having multiple users, who can also all be logged in at the same time. Each user has their own home directory under /home.
After installation you can use useradd to add a new user. Example that creates the user “alice” and sets a password for the new user:
sudo useradd alice
sudo passwd alice
Debian-based distributions (Debian, Ubuntu and Linux Mint) also have the friendlier adduser, which is interactive and asks you what you want.
Each user has a line in /etc/passwd, e.g.:
jarkko:x:500:500:Jarkko Huijts:/home/jarkko:/bin/bash
From left to right the fields are the user name, the encrypted password, the user ID, the group ID, a field with information about the user (usually their full name), the home directory and finally the login shell. All distributions use shadow passwords, so the password field only holds an x and the password is actually stored in /etc/shadow.
Groups
Users can belong to one or more groups. Groups are useful to give multiple users access to some files/devices. You can show all groups you belong to with the groups command.
File /etc/group lists all groups. Example entry:
some_group:x:505:jarkko
From left to right the fields are the name of the group, a password for the group (usually none), the group ID and at the end a list of users who belong to that group (separated by commas). An existing user can be added to a group with:
sudo usermod -a -G some_group some_user
Creating a new group can be done with:
sudo groupadd new_group
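The field layout of /etc/passwd and /etc/group described above is easy to check from a script. The functions below are an added example, not part of the original page: they parse a passwd/group snapshot with awk and answer the questions an administrator typically has, such as which accounts besides root have UID 0 (a second UID-0 account is a common sign of tampering), which accounts have an empty password field, and who is in a given group. The sample data is constructed; point the functions at `$(cat /etc/passwd)` and `$(cat /etc/group)` to run them against a real system.

```shell
# Constructed sample of /etc/passwd (not taken from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
jarkko:x:500:500:Jarkko Huijts:/home/jarkko:/bin/bash
second_root:x:0:0:looks like a service account:/var/tmp:/bin/sh
nopass::501:501:empty password field:/home/nopass:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin'

# Constructed sample of /etc/group.
SAMPLE_GROUP='root:x:0:
sudo:x:27:jarkko,second_root
some_group:x:505:jarkko'

# Print every account whose UID (3rd field) is 0 but whose name is not root.
# Any hit should be explained: only root is expected to have UID 0.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print accounts whose password field (2nd) is empty: neither an "x" pointing
# to /etc/shadow nor a hash, so the account may be usable without a password.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Print the members of group $1 (4th field of the group file, comma separated),
# one per line.  $2 is the group file contents.
group_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Print the home directory and login shell (6th and 7th fields) of user $1.
user_home_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $6 " " $7 }'
}

echo "Accounts with UID 0 other than root:"
extra_uid0_accounts "$SAMPLE_PASSWD"
echo "Accounts with an empty password field:"
empty_password_accounts "$SAMPLE_PASSWD"
echo "Members of group sudo:"
group_members sudo "$SAMPLE_GROUP"
echo "Home and shell of jarkko:"
user_home_shell jarkko "$SAMPLE_PASSWD"
```

Because awk splits on the colon, a user's full name field may contain spaces without breaking the parsing; the only thing the script relies on is the field order given in the text.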
Switching user
It's best to log in as a normal user and only sporadically become root when it's necessary. (Some distributions don't even set a password for the root user by default, making it impossible to log in as root.) The modern and convenient way to execute something as root is to prepend sudo to the command, as in the examples above. It is possible to configure sudo to allow only certain commands, but I don't think any distribution has such restrictions by default.
If you need admin rights for a while, you can also execute sudo su to become root. While you're root, you don't need to prepend sudo to commands. You can stop being root by executing exit or pressing Ctrl+D.
You can switch to any other user with the su (switch user) command. The hyphen in the command below is advisable, because it sets up the environment as if you had really logged in as that user.
su - some_user
If you're not sure which user you currently are, you can use whoami to tell you. This is also useful in scripts.
Permissions
In the output of ls -l you get lines like this:
ls -l
-rw-rw-r-- 1 jarkko jarkko 2786 Aug 8 20:19 index.html
From left to right it states the permissions, the number of links to the file/directory, the user owning the file, the group owning the file, the size in bytes, the access date/time (last time it was changed) and finally the name of the file/directory.
The first letter of the permission string shows the type:
Letter | Meaning |
---|---|
- | normal file |
b | block device, used in /dev |
c | character device, used in /dev |
d | directory |
l | symlink |
p | named pipe |
s | socket |
Behind that are three blocks of three characters each. The r stands for read, the w for write and the x for execute. The first block applies to the owner of the file, the second to the group and the third to the rest of the world (all other users). Symlinks always show lrwxrwxrwx. Read, write and execute are self-explanatory for regular files, but for directories they have a different effect. Overview of what is allowed based on the permissions:
Permission | For file | For directory |
---|---|---|
--- | nothing is allowed | nothing is allowed |
r-- | see file contents | list filenames |
rw- | see and change contents | list and add/remove files |
r-x | see contents, execute it | list files and cd into directory |
--x | execute binary | execute binary/script if you know the exact path |
rwx | everything is allowed | everything is allowed |
Note that to execute a binary you only need execute, while for a script you need both execute and read. That's because a script needs to be read by an interpreter.
There are three more permission bits that are less commonly used: SUID, SGID and the sticky bit. The sticky bit is meant for directories and is shown as a final t in the permission string printed by ls -l. If set, anyone with write permission can create files, but you're only allowed to rename or delete a file if you're its owner. This is typically used for the /tmp directory.
A binary or script with SUID (set user ID) set runs as if the owning user were executing it, whoever actually executes it. Similarly SGID (set group ID) causes it to run as if the owning group were executing it. Both are shown with an s instead of an x in the permission string printed by ls -l.
To change the permissions use command chmod. The most readable syntax is:
chmod u+x my_file # add execute for user owning the file
chmod g-r my_file # remove reading for owning group
chmod o+w my_file # add writing for others
The classic way to indicate the permissions is with octal numbers, which is much less readable. Example command that gives the owning user (first number) all rights, the owning group (middle number) only read/execute and others (last number) no permissions:
chmod 750 my_file
You determine the number by adding these up:
Number | Meaning |
---|---|
0 | No permission |
1 | Execute |
2 | Write |
4 | Read |
Changing the owning user and/or group can be done with chown:
chown new_user my_file
chown :new_group my_file
chown new_user:new_group my_file
You can also use chgrp to change the owning group.