Linux User Accounts and Security
Author’s note: This article is excerpted in part from Appendix 1 of my book, Linux for Small Business Owners, with some changes to update it and to better fit this article format.
User accounts are the first line of security on your Linux computer. They are used in the Linux world to provide access to the computer, to keep out people who should not have access, and to keep authorized users from interfering with other user’s data and usage of the computer.
The security of the computer and the data stored on it is dependent on the user accounts created by the Linux system administrator. A user cannot access any resources on a Linux system without logging on with an account ID and password. The administrator creates an account for each authorized user and assigns an initial password. For many home users and small businesses only one user account is needed but others may require more than one account on a given computer.
Files have attributes of ownership and permissions that are used to determine which user accounts have access to read or write files, or to execute program files. Directories have permissions that determine which users can have access to them.
File Attributes
I created some files to illustrate the concepts in this article.
[dboth@mycomputer ~]$ for I in $(seq -w 20) ; do echo "Hello world file$I" > testfile$I.txt ; done
A long listing of the contents of the home directory shows the ownership and file permissions for each file and subdirectory.
[dboth@mycomputer ~]$ ls -l
total 80
drwxr-xr-x. 1 dboth dboth 0 May 25 14:12 Desktop
drwxr-xr-x. 1 dboth dboth 0 May 25 14:12 Documents
drwxr-xr-x. 1 dboth dboth 0 May 25 14:12 Downloads
drwxr-xr-x. 1 dboth dboth 0 May 25 14:12 Music
drwxr-xr-x. 1 dboth dboth 0 May 25 14:12 Pictures
drwxr-xr-x. 1 dboth dboth 0 May 25 14:12 Public
drwxr-xr-x. 1 dboth dboth 0 May 25 14:12 Templates
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile01.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile02.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile03.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile04.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile05.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile06.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile07.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile08.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile09.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile10.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile11.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile12.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile13.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile14.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile15.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile16.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile17.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile18.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile19.txt
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile20.txt
drwxr-xr-x. 1 dboth dboth 0 May 25 14:12 Videos
[dboth@mycomputer ~]$
File Ownership
The file permissions drwxr-xr-x for some of the items in the listing – those with the leading “d” – indicate that they are directories. The rest have a dash (-) in that first position, indicating that they are regular files; “regular file” is the correct term.
Each file and directory has a set of permissions as shown in Figure 1. These permissions are three triplets of (R)ead, (W)rite, and e(X)ecute. Each triplet represents User – the owner of the file, Group – the group that owns the file, and Other – for all other users.
User | Group | Other
---|---|---
rwx | rwx | rwx
These file attributes are sometimes referred to as the file mode. The file permissions, the number of hard links, the User ownership, Group ownership, the file size, the date and time it was last modified, and the file name itself, are all shown in that order in the long listing.
Let’s look at the details of a single file. We will use the file shown in Figure 2 to explore the structure and attributes of a file.
-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile01.txt
Figure 2: Permissions of a single file.
There are two owners associated with every file. In this case the first is the User dboth. The second is Group ownership, which is also dboth. This is normal for the files in your home directory structure. The reasons for this are beyond the scope of this article.
The User permissions are the first triplet, rw- which indicates that the user dboth can read and write this file. Because the last position in this triplet is a dash (-) this file cannot be executed. That is OK because it is not an executable file.
The Group permissions are the second triplet. This triplet, r-- indicates that members of the group dboth, if there are any others, can only read the file. They cannot write to it – that is they cannot change it – and it cannot be executed.
The final triplet is for all other user accounts on the system. In this case the permissions of r-- means the file can only be read by those other accounts.
The user who created the file is always the owner of a file – at least until ownership is changed.
The root user can always change user and group ownership – or anything else. The User (owner) of a file can only change the Group ownership under certain circumstances.
More about file permissions
The file permissions, also called the file mode, along with file ownership, provide a means of defining which users and groups have specific types of access to files and directories. For now we just look at files and will examine directory permissions later. Figure 3 shows the three types of permissions and their representation in symbolic (rwx) and Octal (421) formats. Octal is only a bit different from Hex – literally. Hex characters are composed of 4 binary bits and Octal is composed of 3 binary bits.
User, Group, and Other define the classes of users that the permissions affect. The User is the primary owner of the file. So the User student owns all files with user ownership of student. Those files may or may not have group ownership of student, but in most circumstances they will. So the User permissions define the access rights of the User who “owns” the file. The Group permissions define the access rights of the Group that owns the file, if it is different from the User ownership. And Other is everyone else. All other users fall into the Other category so access by all other users on the system is defined by the Other permissions.
| | User | Group | Other |
|---|---|---|---|
| Permissions | r w x | r w x | r w x |
| Binary Bits | 1 1 1 | 1 1 1 | 1 1 1 |
| Octal value | 4 2 1 | 4 2 1 | 4 2 1 |
There are three permissions bits for each class, User, Group, and Other. Each bit has a meaning, (r)ead, (w)rite, and e(x)ecute, and a corresponding octal positional value. We can simplify the class notation by using “UGO” either together or separately in commands. These classes are expressed in lowercase in the commands that affect them.
- Read means that the file can be read by members of that class.
- Write means that the file can be written by members of the class.
- Execute means that the file is executable by members of that class.
A file with permissions set to 644 in octal can be interpreted as in Figure 4.
| | User | Group | Other |
|---|---|---|---|
| Permissions | rw- | r-- | r-- |
| Binary Bits | 110 | 100 | 100 |
| Octal Value | 6 | 4 | 4 |
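The symbolic-to-octal mapping in Figures 3 and 4 is mechanical enough to script. The following is an added example, not code from the article: it converts the mode column printed by ls -l into the octal digits chmod accepts, converts octal back to symbolic form, and round-trips a real mode on a throw-away file. The function names sym_to_octal and octal_to_sym are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): symbolic <-> octal file modes.

# sym_to_octal "-rw-r--r--."  ->  644
# Takes the full 10-character column from ls -l. The leading type character
# (d, -, l) and any trailing "." or "+" (SELinux context / ACL marker, as in
# the article's listing) are ignored. Only the three rwx digits are produced;
# setuid/setgid/sticky bits are not encoded.
sym_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    result=""
    for triplet in "$(printf '%s' "$perms" | cut -c1-3)" \
                   "$(printf '%s' "$perms" | cut -c4-6)" \
                   "$(printf '%s' "$perms" | cut -c7-9)"; do
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac      # read  = 4
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac      # write = 2
        case $triplet in ??[xst]) digit=$((digit + 1)) ;; esac  # exec  = 1
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# octal_to_sym 644  ->  rw-r--r--
octal_to_sym() {
    out=""
    for i in 1 2 3; do
        d=$(printf '%s' "$1" | cut -c"$i")
        case $d in [4-7])   out="${out}r" ;; *) out="${out}-" ;; esac
        case $d in 2|3|6|7) out="${out}w" ;; *) out="${out}-" ;; esac
        case $d in 1|3|5|7) out="${out}x" ;; *) out="${out}-" ;; esac
    done
    printf '%s\n' "$out"
}

# Round trip on a real file: set a mode with chmod, read it back from ls -l
# and convert it. Everything happens in a temporary directory that is removed.
demo() {
    dir=$(mktemp -d)
    : > "$dir/testfile01.txt"
    chmod "$(sym_to_octal '-rw-r--r--')" "$dir/testfile01.txt"
    mode=$(ls -ld "$dir/testfile01.txt" | cut -c1-10)
    printf 'ls shows %s, which is octal %s\n' "$mode" "$(sym_to_octal "$mode")"
    rm -rf "$dir"
}
demo
```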
Directory permissions
Directory permissions are not all that different from file permissions. They are also part of the Linux security structure.
- The read permission on a directory allows access to list the content of the directory.
- Write allows the users with access to create, change, and delete files in the directory.
- Execute allows the users with access to make the directory the present working directory (PWD).
A group is an entity defined in the /etc/group file with a meaningful name, such as “development” or “dev”, that lists the user IDs, like “dboth,” of the members of that group. So by setting the group ownership of a file to “development”, all members of the development group can access the file based on its Group permissions.
The bottom line is that there are many directories on a Linux system that regular users do not have access to. If a regular user cannot access a directory it is because they do not have the proper permissions.
But regular users do have access to their entire home directory tree. All users also have access to create files and directories in the /tmp directory which is a place to store files temporarily. Thus its name – which is short because … lazy Sysadmin.
It is unlikely that most users who aren’t SysAdmins in their day jobs will need to add users or users to groups.