Lessons‎ > ‎Linux Lessons‎ > ‎

Linux Lesson 05 - Users and Groups

Summary

In this lesson you're going to learn how to create, manage and delete users and groups.  You will also learn how to manage permissions on files and directories. 

Managing User Accounts

In Linux the /etc/passwd file contains information about your system's users.  The file contains all the properties of the user accounts in a colon separated text file.  

Each line in the file represents a single user, and the properties, or fields, are in a specific order outlined below. 
  • Username - The name the user uses to log into the system.
  • Password - In the past this field  stored an encrypted version of the user's password.  The passwords have been moved to /etc/shadow so now it contains an x.
  • User ID - A unique number assigned to the user.  Linux tracks the users by their User ID.
  • Group ID - The ID of the user's primary group.
  • GECOS - This field is a special one that allows you to add multiple pieces of information in one spot.  Each piece of information is separated by a comma and they are outlined below.
    • Full Name - The real name of the user.  First and last name.  
    • Location - The building, room number, or contact person.
    • Phone - The user's phone number 
    • Other Phone - Another phone number like a cell, pager, or fax.
  • Home Directory - The user's home directory, usually in /home/$USER
  • Login Shell - The user's default shell, for use it's /bin/bash
The /etc/passwd file can be viewed by regular users.  The /etc/shadow file, which contains the encrypted passwords, can only be viewed by root .

Two ways you can add users to the system are the useradd command and the adduser script.  The useradd command uses options and arguments to add a user to the system.  The adduser script steps you through the creation of a user account asking you questions as it goes.

The useradd command has many options that can be used to specify the properties of the new user.
  • -d path - Specify the path of the user's home directory.  (This will not create the directory if it doesn't exist)
  • -m - Forced the command to create the home directory.  The contents of the skeleton directory, /etc/skel, will be copied to the new directory.  Without this no home directory will be created.
  • -s shell - Specify the default shell for the users, we are using /bin/bash.
The command sudo useradd -d /home/msmith -m -s /bin/bash msmith will create the Mike Smith account with a home directory.

The adduser script will step you through the process asking you questions as you go.  If you type in sudo adduser bdover it will start the process.

After you create an account using the useradd command you'll need to assign a password.  You can use the passwd command as root to set the password of another user.  The command sudo passwd msmith will let you set a password for msmith.  You can use the passwd command without an argument to change your password.

You can switch to the newly created user accounts using the su command.  Use Ctrl + D to logout and return to your account.

There are some commands you can use to gather information about user accounts in Linux.  The id command will show you the ID's of accounts, and the groups they are members of.  You can check other accounts by using the username as an argument.

The finger command will show you other information about the user.  It will display the username, name, home directory, default shell, as well as other information.

The who command can be used to display all the users logged into the system.  You may see yourself logged in multiple times.  If you want to know what session you are using you can use the who command with the "am i" arguments.  There is also a command, whoami, that will show you your current username.  This can be handy when using the su command and you can't remember who you're logged in as.

The usermod command can be used to modify the properties of a user account.  This can help you change users home directories, or default shell, as well as other properties of the user account.  In the image below we are using the usermod command to change the default shell for msmith.  The finger command is used to show the value before and after the change.

If you need to disable a user's account you can use the usermod or passwd commands.  When you disable an account an explanation point is added to the front of the encrypted password in /etc/shadow.  This prevents the user from logging into the system.  If you need to enable the account the usermod and passwd commands can be used to remove the explanation point.  You can also use a text editor and add/remove the explanation point yourself to enable/disable accounts.

You can delete user accounts using the userdel command.  If you use the userdel command with the -r option it will attempt to remove the home and mail directories.


Managing Groups

In Linux the /etc/group file contains a list of all the groups on the system.  Each line represents a single group with a comma separated list of member's usernames at the end.


A user account can be a member of multiple groups, and a group can contain multiple members.  If you want to see what groups your account is a member of you can use the groups command.

Groups are used for assigning permissions.  For example, if you want to enable another account to use the sudo command then add them to the sudo group.  In the screenshot we can see that only the mhull group is in the sudo group.

You can add users to groups using the usermod command.  In the screenshot below we are adding msmith to the sudo group.

The groupadd command will let you add your own groups to the system.  In the screenshot below we use the groupadd command to create the Sales group.

If you want to change or modify a group you can use the groupmod command.  In the screenshot below the groupmod command is used to change the name of the Sales group to NorthernSales.

If you no longer need a group you can delete it with the groupdel command.

Managing Permissions 

Each file and directory in Linux is owned by a user account and a group.  You can control the permissions for the user and group, as well as the permissions for everyone else, or other.  Each of the three entities, User, Group, and Other, can have Read, Write, or Execute permissions.  In the screenshot we can see the the user and group that has access to the Documents directory as well as their permissions.  We also see the permissions that everyone else has in the other section.

The permissions are grouped together in a nine character string that represents the user, group, and other.  The first three characters represent the account's permissions followed by the group, then other.  The order of the three characters are r for read, w for write, and x for execute.  If the entity has the permission the letter is displayed, if not a dash is displayed.  In the screenshot below we can see the account that owns the directory has read, write and execute.  The group that owns the directory has read and execute, and everyone else has read and execute.

When you display a long list of files using the -l option you'll see more information than normal.  In the listing there is one line per file and the columns of data are clearly defined.  They are outlined below.
  • 0 - The first column indicates what type of file is listed.  If it's a directory a "d" is displayed, if it's a file a "-" is displayed.
  • 1-3 - The user's, or owner of the data's, permissions.
  • 4-6 - The groups permissions.
  • 7-9 - Other user's permissions, or the permissions for everyone else.
  • 10 - Indicates the number of links, files have a link count of 1, folders have a link count equal to the number of subfolders + 2.
  • 11 - The owner of the file.  The permissions for this user are listed in columns 1-3.
  • 12 - The group that owns the file.  All members of this group have the permissions listed in columns 4-6.
  • 13 - Lists the size, in bytes, of the file or directory.
  • 14 - Shows the date and time the file was created or last modified.
  • 15 - The file name.

If we take the string rwxr-xr-x and convert it to binary where a 1 means the permission is applied, and 0 means it's not applied we end up with 111101101.  We can split it into three sections for user, group and other and convert each section into decimal. 
  • User = rwx = 111 = 7
  • Group = r-x = 101 = 5
  • Other = r-x = 101 = 5
This leaves us with the decimal number 755.  The number 755 is used to represent the permissions of the directory. 

You can change the permissions of a directory using the chmod command.  Knowing the three digit number of the permissions you want is helpful when using the chmod command.  In the screenshot below we change the permissions on the Documents directory removing all access for other.  750  =  111 101 000  =  rwx  r-x  ---

You can also also use another syntax with the chmod command.  Using the numbers will update the permissions for users, groups and others all at once.  You may find yourself wanting to change a single permission.  You can do this with the letter method.  The letter method let's you define what entity will get what permission.  In the screenshot below we remove the read and execute permission from other on the Documents directory.  The syntax for the letter method is chmod [ugo][+-][rwx] path.  

You can change who owns data with the chown command.  chown newuser path

You can change the group that owns the data with the chgrp command.  chgrp newuser path  chmod, chown and chgrp can use the -R to recursively change the permission on everything in a directory.

1 | 2 | 3 | 4 | 5