Objective: Understand how rights (permissions) work in GNU/Linux
GNU/Linux and other Unix-like OS are multiuser: they are designed so that several users can be logged in to the same computer at the same time.
There is always at least one user: the root user.
There can also be other users who
Each file is associated with a set of rights:
- - : nothing
- r : reading right
- w : writing right
- x : execution right
Check your set of rights on your .bashrc file:
ls -l ~/.bashrc
The first column of the ls -l output shows the rights on the file:
rwxr-xr--
\_/\_/\_/
 |  |  |
 |  |  others (o)
 |  group (g)
 user (u)
To change the file rights you can use the command chmod.
Use the command ls -l to check the effect of the following options for chmod:
chmod u+x .bashrc
chmod g=rw .bashrc
chmod o+r .bashrc
chmod u-x,g-w,o= .bashrc
What can you conclude on the symbols +, =, - and , with the chmod command?
Numeric notation
Another method for representing Unix permissions is an octal (base-8) notation, as shown by
stat -c %a
Each digit is the sum of r=4, w=2 and x=1, one digit each for the user, the group and the others. The leading digit carries the setuid, setgid and sticky bits; stat omits it when it is zero.
Symbolic notation   Numeric notation   English
----------          0000               no permissions
-rwx------          0700               read, write, & execute only for owner
-rwxrwx---          0770               read, write, & execute for owner and group
-rwxrwxrwx          0777               read, write, & execute for owner, group and others
---x--x--x          0111               execute
--w--w--w-          0222               write
--wx-wx-wx          0333               write & execute
-r--r--r--          0444               read
-r-xr-xr-x          0555               read & execute
-rw-rw-rw-          0666               read & write
-rwxr-----          0740               owner can read, write, & execute; group can only read; others have no permissions
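The two notations are the same information written twice, and the chmod symbols +, = and - only set or clear bits in it. The script below is an added example written for this page (it is not part of the original lab): it converts between the symbolic form printed by ls -l and the octal form printed by stat -c %a, then replays the four chmod commands above on a throw-away file and shows the octal mode after each step. It assumes Linux with GNU or busybox coreutils (stat -c, mktemp, cut).

```sh
#!/bin/sh
# Added example (not part of the original lab). Converts between the symbolic
# notation printed by ls -l and the octal notation printed by stat -c %a, then
# replays the four chmod commands of this section on a throw-away file.
# Assumes Linux with GNU or busybox coreutils (stat -c, mktemp, cut).

# sym_to_octal rwxr-xr--  -> 754  (a leading file-type column, as in ls -l, is accepted)
sym_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=${s#?}          # drop the file type column of ls -l
    [ ${#s} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    out=""
    for t in "$(printf %s "$s" | cut -c1-3)" \
             "$(printf %s "$s" | cut -c4-6)" \
             "$(printf %s "$s" | cut -c7-9)"; do
        v=0
        case $t in r??) v=$((v + 4)) ;; esac
        case $t in ?w?) v=$((v + 2)) ;; esac
        case $t in ??x|??s|??t) v=$((v + 1)) ;; esac   # s/t also mean x is set
        out="$out$v"
    done
    echo "$out"
}

# octal_to_sym 640 -> rw-r-----  (a leading setuid/setgid/sticky digit is ignored)
octal_to_sym() {
    m=$1
    [ ${#m} -eq 4 ] && m=${m#?}
    out=""
    for i in 1 2 3; do
        d=$(printf %s "$m" | cut -c$i)
        case $d in 4|5|6|7) out="${out}r" ;; *) out="${out}-" ;; esac
        case $d in 2|3|6|7) out="${out}w" ;; *) out="${out}-" ;; esac
        case $d in 1|3|5|7) out="${out}x" ;; *) out="${out}-" ;; esac
    done
    echo "$out"
}

# mode_of FILE -> octal mode, exactly what stat -c %a prints
mode_of() { stat -c %a "$1"; }

# chmod_walk -> the mode after creation and after each chmod of the lab,
#               e.g. "644 744 764 764 640" (umask 022 so the file starts at 644)
chmod_walk() {
    tmp=$(mktemp -d) || return 1
    f=$tmp/bashrc_copy
    ( umask 022 && : > "$f" )
    modes=$(mode_of "$f")
    for spec in u+x g=rw o+r u-x,g-w,o=; do
        chmod "$spec" "$f"
        modes="$modes $(mode_of "$f")"
    done
    rm -rf "$tmp"
    echo "$modes"
}

sym_to_octal rwxr-xr--     # 754
sym_to_octal -rwxr-----    # 740
octal_to_sym 640           # rw-r-----
chmod_walk                 # 644 744 764 764 640
```

Reading chmod_walk's output against the table: u+x only adds the x bit of the user digit (644 becomes 744), g=rw replaces the whole group digit (744 becomes 764), o+r changes nothing because the others already have r, and the comma-separated u-x,g-w,o= applies three changes in one call, o= clearing the others digit entirely.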
The default (primary) group of your user is the first in the list of the groups you belong to. You can use the command groups to display this list. What is your default group?
The command id shows the same information, but with some differences. What are they?
Can you cross-check this information with the content of the files /etc/passwd and /etc/group?
What is the user id of root?
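Both groups and id are built from the same two text files: /etc/passwd gives a user's uid and primary gid (3rd and 4th fields), and /etc/group lists the supplementary members of each group (4th field). The script below is an added example written for this page (not part of the original lab) that rebuilds the output of groups and id -u from those fields with awk. The two sample files are constructed for the demo, not copied from a real system; called without file arguments the functions read the real /etc/passwd and /etc/group. It assumes a POSIX shell and awk.

```sh
#!/bin/sh
# Added example (not part of the original lab): how `groups` and `id` derive
# their answer from /etc/passwd and /etc/group. SAMPLE_PASSWD and SAMPLE_GROUP
# are constructed test data, not copied from any real system.
# Assumes a POSIX shell and awk.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
etudiant:x:1000:100:Etudiant:/home/etudiant:/bin/bash
student:x:1001:100::/home/student:/bin/bash'

SAMPLE_GROUP='root:x:0:
adm:x:4:etudiant,student
users:x:100:
audio:x:29:etudiant
docker:x:999:etudiant,student
sudo:x:27:
dummy:x:1002:student'

# uid_of USER [PASSWD_FILE] -> numeric uid (3rd field of the passwd entry); `id -u`
uid_of() {
    awk -F: -v u="$1" '$1 == u { print $3 }' "${2:-/etc/passwd}"
}

# primary_group USER [PASSWD_FILE] [GROUP_FILE] -> name of the group whose gid is
# the 4th field of the passwd entry; this is what `id -gn` prints
primary_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "${2:-/etc/passwd}")
    awk -F: -v g="$gid" '$3 == g { print $1 }' "${3:-/etc/group}"
}

# supplementary_groups USER [GROUP_FILE] -> every group whose member list
# (4th field, comma separated) names the user, one per line, in file order
supplementary_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "${2:-/etc/group}"
}

# all_groups USER [PASSWD_FILE] [GROUP_FILE] -> what `groups USER` prints:
# primary group first, then the supplementary ones (the real command also
# removes a duplicate if the primary group lists the user as a member)
all_groups() {
    printf '%s' "$(primary_group "$1" "$2" "$3")"
    for g in $(supplementary_groups "$1" "$3"); do printf ' %s' "$g"; done
    echo
}

# Demo on the constructed files
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    printf '%s\n' "$SAMPLE_GROUP" > "$tmp/group"
    echo "uid of root:     $(uid_of root "$tmp/passwd")"                           # 0
    echo "groups etudiant: $(all_groups etudiant "$tmp/passwd" "$tmp/group")"      # users adm audio docker
    echo "groups student:  $(all_groups student "$tmp/passwd" "$tmp/group")"       # users adm docker dummy
    rm -rf "$tmp"
}
demo
```

Note that the primary group never appears in the member field of /etc/group; it is found only through the gid stored in /etc/passwd, which is why groups and id have to read both files.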
When you create an empty file, the system default rights (determined by your umask) and your default group are used. You can use the command touch to create a file:
touch my_first_file.txt
What are the default rights when you create a file?
You can create folders with the command mkdir (make directories):
mkdir my_first_dir
What are the default rights when you create a directory? Try to remove the execution right: what happens then?
You can see the /root home directory. Can you see its content? Why?
Create a symbolic link (ln -s) to your .bashrc file. What are the default rights of symbolic links?
Can you remove the writing right of this link? What happened?
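The questions above all have the same answer mechanism: a new file asks for 666 and a new directory for 777, the umask clears bits from that request, the x bit of a directory is what allows entering it or opening anything inside it, and a symbolic link has no usable rights of its own, so chmod on a link modifies the target. The script below is an added example written for this page (not part of the original lab) that demonstrates each point on throw-away files; the directory check prints a different answer for root, which bypasses these checks. It assumes Linux with GNU or busybox coreutils (stat -c, mktemp, ln -s).

```sh
#!/bin/sh
# Added example (not part of the original lab): default rights (666/777 minus
# the umask), why a directory needs x to be entered, and what chmod does on a
# symbolic link. Assumes Linux with GNU or busybox coreutils.

# default_modes UMASK -> "<file mode> <directory mode>" created under that umask
default_modes() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && : > "$tmp/f" && mkdir "$tmp/d" )
    r="$(stat -c %a "$tmp/f") $(stat -c %a "$tmp/d")"
    rm -rf "$tmp"
    echo "$r"
}

# dir_without_x -> "list=yes open=no" for an ordinary user: r on the directory
# still lets you read the names inside, but without x you cannot open them.
# Root is not subject to these checks and gets "list=yes open=yes".
dir_without_x() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/d" && echo secret > "$tmp/d/f"
    chmod u-x "$tmp/d"                   # owner keeps r and w, loses x (search)
    if ls "$tmp/d" 2>/dev/null | grep -qx f; then l=yes; else l=no; fi
    if cat "$tmp/d/f" >/dev/null 2>&1;   then o=yes; else o=no; fi
    chmod u+x "$tmp/d"                   # restore x so that rm -rf can clean up
    rm -rf "$tmp"
    echo "list=$l open=$o"
}

# symlink_modes -> "<link> <target before> <target after chmod 600 link> <link after>"
symlink_modes() {
    tmp=$(mktemp -d) || return 1
    ( umask 022 && : > "$tmp/target" )
    ln -s target "$tmp/link"
    before=$(stat -c %a "$tmp/target")
    link=$(stat -c %a "$tmp/link")       # the link's own bits are always 777 on Linux
    chmod 600 "$tmp/link"                # chmod follows the link: the target changes, not the link
    r="$link $before $(stat -c %a "$tmp/target") $(stat -c %a "$tmp/link")"
    rm -rf "$tmp"
    echo "$r"
}

default_modes 022   # 644 755
default_modes 077   # 600 700
dir_without_x       # list=yes open=no   (list=yes open=yes when run as root)
symlink_modes       # 777 644 600 777
```

The umask works as a mask of bits to remove: 022 clears w for group and others, 077 clears everything for group and others, so a file created under umask 077 is private without any chmod. For the symbolic link, "removing the writing right of the link" therefore silently removes it from .bashrc itself.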
We have seen how to change the rights associated with the group, but what about changing the group itself? The command chgrp allows you to do just that:
chgrp audio .bashrc
The next step is to change the owner of a file; you can use the command chown for that:
chown ubuntu my_first_file.txt
You can change the user and the group at once with this command:
chown ubuntu:audio my_first_file.txt
What are the rights on the program mkdir (the command which mkdir tells you where the program file is)?
Can you remove the execution right for the others?
The command cp allows you to copy a file from one location to another:
man cp
Copy the mkdir tool to your home directory. Can you remove the execution right for the others on your copy of mkdir? Can you read the content of the mkdir file?
As an ordinary user you cannot change the owner of a file (on Linux only root can do that), but you can always allow another user to copy it: the copy belongs to them, and they can change the rights on their copy.
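The script below is an added example written for this page (not part of the original lab) that checks the three claims above on a throw-away directory: the copy of mkdir is owned by whoever ran cp and its rights can be changed freely, chown to another user is refused for an ordinary user (the chown_away function reports "allowed" only when run as root), and the executable is an ordinary file whose first bytes can be read like any other. It assumes Linux with GNU or busybox coreutils and an ELF mkdir on the PATH.

```sh
#!/bin/sh
# Added example (not part of the original lab). Shows that a copy belongs to
# whoever makes it, that an ordinary user cannot give a file away with chown,
# and that an executable such as mkdir is an ordinary readable file.
# Assumes Linux with GNU or busybox coreutils and an ELF mkdir on the PATH.

# copy_and_strip_x -> "<uid owning the copy> <mode of the copy after chmod o-x>"
copy_and_strip_x() {
    src=$(command -v mkdir)
    tmp=$(mktemp -d) || return 1
    ( umask 022 && cp "$src" "$tmp/mkdir" )  # new inode owned by us, mode = source mode & ~umask
    chmod o-x "$tmp/mkdir"                    # allowed on our copy; refused on the original
    r="$(stat -c %u "$tmp/mkdir") $(stat -c %a "$tmp/mkdir")"
    rm -rf "$tmp"
    echo "$r"
}

# chown_away -> "refused" for an ordinary user (Linux lets only root change the
#               owner of a file), "allowed" when run as root
chown_away() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/mine"
    if chown 0 "$tmp/mine" 2>/dev/null; then r=allowed; else r=refused; fi
    rm -rf "$tmp"            # still works if root now owns the file: we own the directory
    echo "$r"
}

# magic_of FILE -> first four bytes in hex; 7f454c46 is "\x7fELF", the header
#                  that starts every Linux executable
magic_of() { od -An -tx1 -N4 "$1" | tr -d ' \n'; }

copy_and_strip_x                  # e.g. "1000 754": owned by you, others lost x
chown_away                        # refused (allowed when run as root)
magic_of "$(command -v mkdir)"    # 7f454c46
```

The x right on the original therefore protects nothing: anyone who can read a program can copy it and run the copy. Rights on a file only control what can be done through that file's name; the bytes, once copied, belong to the copier.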
Currently you don't have administrative access to your VM: you don't have the password of the root account. Another way to get administrative access in Linux is to use the sudo command.
You can read the documentation (manual page) of the sudo command with the command man:
man sudo
As with the command less, you can close man by pressing q.
On Ubuntu, only members of the group sudo can use the sudo command. Are you in this group?
The root user can do everything in your VM; for example it can delete everything under the / directory, but that is not a good idea (see the Peter Parker principle: with great power comes great responsibility).
One advantage of using a command line interface is that you can easily reuse commands written by others. Copy and paste the following command into your terminal to add yourself to the sudo group:
docker run -it --volume /:/root/chroot alpine sh -c "chroot /root/chroot /bin/bash -c 'usermod -a -G sudo etudiant'"
This works because your account is allowed to run docker: the Docker daemon runs as root, so a container that mounts / and chroots into it can run usermod on the host as root. Membership of the docker group is therefore equivalent to root access. We will come back to this command later in this course when we talk about virtualisation.
You have to log out and log in again to update your list of groups. To log out from a terminal, you can type exit or press Ctrl + D.
Check your user information with the sudo command:
sudo id
You can try the chown command again with sudo.
Check the content of the file /etc/shadow (look at its rights: it is not readable by ordinary users). What is the purpose of this file? You can get help from the man command (man 5 shadow).
You can add a new user to your system with the command useradd:
sudo useradd -m -s /bin/bash -g users -G adm,docker student
- -m create a home directory
- -s specify the shell to use
- -g the default (primary) group
- -G the additional (supplementary) groups
To log into another account you can use the command su.
What is the difference between the two following commands?
su student
sudo su student
What happens when you don't specify a login with the su command?
You can add new groups to your system with the command groupadd:
sudo groupadd dummy
Then you can add users to this group with the command usermod:
sudo usermod -a -G dummy student
And check the result:
groups student
To remove a user from a group you can rewrite its list of supplementary groups with the command usermod. Without -a, the -G option replaces the whole list with the groups given, so the user also loses every supplementary group that is not listed (here adm, docker and dummy):
sudo usermod -G student student
Check the results (usermod refuses if a group you name does not exist).
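The difference between usermod -a -G and usermod -G is the classic way to lock an account out of a group by accident (or to silently strip it of docker or sudo). The script below is an added example written for this page (not part of the original lab): it runs the useradd / groupadd / usermod sequence of this section on a demo account and two demo groups, and prints the group list after each step so the append-versus-replace behaviour is visible. The names labdemo, labgrp1 and labgrp2 are made up for the demo; it assumes Linux with the shadow-utils commands (useradd, groupadd, usermod, userdel, groupdel), an existing group named users, and root privileges (it only prints a message otherwise).

```sh
#!/bin/sh
# Added example (not part of the original lab): the useradd / groupadd / usermod
# sequence of this section as a script, run only as root, showing the difference
# between `usermod -a -G` (append) and `usermod -G` (replace).
# labdemo, labgrp1 and labgrp2 are made-up names. Assumes Linux shadow-utils
# and an existing group "users".

LAB_USER=labdemo
LAB_GROUPS="labgrp1 labgrp2"

# groups_of USER -> the user's groups as `id -Gn` prints them (primary first)
groups_of() { id -Gn "$1"; }

# lab_setup -> create the demo groups and the user (primary: users, extra: labgrp1)
lab_setup() {
    for g in $LAB_GROUPS; do groupadd "$g" || return 1; done
    useradd -m -s /bin/bash -g users -G labgrp1 "$LAB_USER"
}

# lab_append -> add labgrp2 while keeping labgrp1: -a is what makes it an append
lab_append() { usermod -a -G labgrp2 "$LAB_USER"; }

# lab_replace -> without -a, -G sets the supplementary list to exactly labgrp2:
#                the user silently loses labgrp1
lab_replace() { usermod -G labgrp2 "$LAB_USER"; }

# lab_teardown -> remove the demo user (and its home) and groups; errors ignored
lab_teardown() {
    userdel -r "$LAB_USER" 2>/dev/null || true
    for g in $LAB_GROUPS; do groupdel "$g" 2>/dev/null || true; done
}

# lab_run -> "<after setup>|<after append>|<after replace>", i.e.
#            "users labgrp1|users labgrp1 labgrp2|users labgrp2"
lab_run() {
    lab_teardown                 # start clean in case an earlier run was interrupted
    lab_setup || { lab_teardown; return 1; }
    a=$(groups_of "$LAB_USER")
    lab_append  && b=$(groups_of "$LAB_USER")
    lab_replace && c=$(groups_of "$LAB_USER")
    lab_teardown
    echo "$a|$b|$c"
}

if [ "$(id -u)" -eq 0 ] && command -v useradd >/dev/null 2>&1; then
    lab_run                      # users labgrp1|users labgrp1 labgrp2|users labgrp2
else
    echo "run this script as root (or with sudo) to create the demo user" >&2
fi
```

The primary group (users) survives the replace because -G only touches the supplementary list; the primary group lives in /etc/passwd and is changed with -g.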
While what you have seen in this section holds true for every Unix system, additional rules can be layered on top of it in Linux. One such mechanism is SELinux (Security-Enhanced Linux).
When SELinux is enabled on a system, every process runs with a security context, and a system-wide policy decides what each context may access. In that case it is not only the rights of the user that prevail, but the context of the process launched by the user: a program is confined by the policy even when it runs under your account. Android uses SELinux in this way to confine apps and system services.
We have seen the commands:
- chmod: to change rights
- touch: to create an empty file
- mkdir: to create a directory
- chgrp: to change the associated group
- chown: to change the owner
- man: to display the manual
- cp: to copy files
- sudo: to borrow root rights
- useradd: to create users
- su: to log into another account
- groupadd: to create groups
- groups: to list groups
- usermod: to manipulate a user's groups
To understand more about processes you can head to the next section.