User and Group Management
<What>
Groups simplify user management by letting users with similar access needs share a group ID instead of receiving a separate grant each. The same command-line tools cover the rest of the account lifecycle: creating users with or without a home directory, setting password expiration, and changing which groups a user belongs to. Managed this way, permissions are easier to reason about, collaboration inside a team is simpler, and the system as a whole is more secure.
<Why>
When configuring users and groups on a Linux system, security has to be part of the design from the start. Managing user access and group membership properly ensures that each user can reach only what their role requires (least privilege), which improves both security and system organization.
<How>
On Linux, several key files are involved in managing users and groups:
/etc/passwd:
Purpose: Stores basic user account information: the username, user ID (UID), primary group ID (GID), home directory, and login shell. The password field only holds an "x" placeholder; the real credential lives in /etc/shadow.
Access: Readable by all users.
/etc/shadow:
Purpose: Contains the users' password hashes (hashed, not encrypted: a hash cannot be decrypted, only guessed), the date of the last password change, and the password aging and expiration settings.
Access: Readable only by root (and, on some distributions, by members of the shadow group, so that login programs can verify passwords without running as root).
/etc/group:
Purpose: Lists each group's name, GID, and the users who are supplementary members of it. A user's primary group is recorded in /etc/passwd, not here.
Access: Readable by all users.
#Create a user with a home directory and a bash login shell, set a password,
#and switch to that user (without -s, useradd gives /bin/sh on Debian-based systems)
D3F3ND3R@hi-world:~$ sudo useradd -m -s /bin/bash bob
D3F3ND3R@hi-world:~$ sudo passwd bob
New password:
Retype new password:
passwd: password updated successfully
D3F3ND3R@hi-world:~$ sudo su - bob
#Try to read a sensitive file as bob and be denied: bob is neither root nor in
#the shadow group. (Prefixing sudo would not help either; bob is not a sudoer yet.)
bob@hi-world:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
#Leave bob's shell to return to the administrator account
bob@hi-world:~$ exit
#Add bob to the sudo group so bob can run commands as root, which also means
#bob can now read this file and everything else. Grant this only to accounts
#that genuinely need full administrative rights.
D3F3ND3R@hi-world:~$ sudo usermod -aG sudo bob
#Configure bob's password to have a minimum age of 60 days and a maximum of
#120 days (-m is the minimum, -M the maximum). Note that a long minimum age
#also stops bob from rotating a password he suspects is compromised.
D3F3ND3R@hi-world:~$ sudo chage -M 120 -m 60 bob
#Change the owner and group of a file from bob to D3F3ND3R (root is required
#to take ownership of a file you do not own)
D3F3ND3R@hi-world:~$ sudo chown D3F3ND3R:D3F3ND3R secrets.txt
#Bob resigned, so the account is no longer needed. The -r flag also removes
#the mail spool and home directory; files bob owned elsewhere on the system
#keep his now-orphaned UID, so check for those before deleting.
D3F3ND3R@hi-world:~$ sudo userdel -r bob
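After managing accounts it is worth verifying what the three files above now say. The script below is an added example, not code from the original guide: it audits passwd, shadow and group data for a second UID-0 account, accounts that log in with no password at all, login accounts that escaped the chage expiration policy, and the membership of the sudo group. All input is constructed sample data embedded as strings (the account names, hashes and dates are made up), so it runs without root; to audit a live system, pass the contents of the real files as root instead.

```shell
#!/bin/sh
# Added example, not code from the original guide: audit the three account
# databases (/etc/passwd, /etc/shadow, /etc/group) for the problems an
# administrator should look for after managing users. All input is
# constructed sample data embedded as strings, so it runs without root;
# to audit a live system, pass "$(cat /etc/passwd)" etc. as root instead.

# Constructed /etc/passwd sample: root, a service account without a login
# shell, a rogue second UID-0 account ("backdoor"), and two normal users.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backdoor:x:0:0::/root:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash'

# Constructed /etc/shadow sample. Field 2 is the password hash: an empty
# field means the account logs in with no password at all, "!" or "*"
# means it is locked. Field 5 is the maximum age set with chage -M
# (99999 is the "never expires" default); bob carries the 60/120 policy.
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:19600:0:99999:7:::
daemon:*:19600:0:99999:7:::
backdoor::19600:0:99999:7:::
bob:$6$saltsalt$hashhashhash:19600:60:120:7:::
alice:!:19600:0:99999:7:::'

# Constructed /etc/group sample. Field 4 lists the supplementary members.
SAMPLE_GROUP='root:x:0:
sudo:x:27:bob,alice
bob:x:1001:
alice:x:1002:'

# Accounts with UID 0 other than root. Any hit is a second root account.
uid0_accounts() {               # $1 = passwd data
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose shadow entry has an empty hash: no password is required.
empty_password_accounts() {     # $1 = shadow data
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts that can log in (real shell, not locked) but whose password
# never expires, i.e. accounts that escaped the chage policy.
non_expiring_logins() {         # $1 = passwd data, $2 = shadow data
    { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } | awk -F: '
        $0 == "---" { in_shadow = 1; next }
        !in_shadow  { if ($7 !~ /(nologin|false)$/) shell[$1] = 1; next }
        ($1 in shell) && $2 !~ /^[!*]/ && $5 == 99999 { print $1 }
    '
}

# Supplementary members of a group, one per line ("sudo" is the one that
# matters most: every member can become root).
members_of_group() {            # $1 = group data, $2 = group name
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { gsub(",", "\n", $4); print $4 }'
}

echo "UID 0 accounts besides root:";      uid0_accounts "$SAMPLE_PASSWD"
echo "Accounts with no password:";        empty_password_accounts "$SAMPLE_SHADOW"
echo "Login accounts that never expire:"; non_expiring_logins "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
echo "Members of sudo:";                  members_of_group "$SAMPLE_GROUP" sudo
```

On the sample data the audit reports backdoor as a second root account and as a passwordless login, root and backdoor as never-expiring logins, and bob and alice as sudo members. Root itself normally shows up as non-expiring; the point of the check is the other names on the list.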
File Management
<What>
In Linux, correctly assigning file permissions is essential to ensure that only authorized users can access, modify, or execute files. This prevents unauthorized access and potential security breaches. There are three basic permissions: read (r or 4), write (w or 2), and execute (x or 1). The letters are the symbolic notation and the numbers the numeric (octal) notation; either can be given to chmod. A numeric digit is the sum of the permissions it grants, so 6 means read and write (4 + 2) and 7 means all three. These permissions are set separately at three levels, for the file owner (u), the group (g), and others (o), which allows granular control over file access.
For example, when an employee resigns, instead of deleting their files, you can transfer ownership to a new user. This preserves important data while maintaining security. The ability to change ownership and assign permissions on the Linux terminal makes managing a system much more efficient.
<Why>
Security is the primary reason for managing file permissions. It ensures that sensitive files are protected from unauthorized access, which is crucial in preventing data breaches. As a Linux administrator, controlling user access not only simplifies system management but also reduces the attack surface for potential malicious activities.
<How>
To change the owner of a file or directory, use chown (short for change owner). To add, remove, or set permissions, use chmod (short for change mode).
chmod:
#Listing file permissions in our current working directory
D3F3ND3R@hi-world:~/folder$ ls -l
total 0
-rw-r--r-- 1 D3F3ND3R root 0 Aug 20 16:13 hello.txt
-rw-r--r-- 1 D3F3ND3R root 0 Aug 20 16:14 password.txt
#Changing the permissions of password.txt to read & write for the owner only
#(6 = 4 + 2) and removing all permissions for the group & other users (0 and 0)
D3F3ND3R@hi-world:~/folder$ chmod 600 password.txt
D3F3ND3R@hi-world:~/folder$ ls -l
total 0
-rw-r--r-- 1 D3F3ND3R root 0 Aug 20 16:13 hello.txt
-rw------- 1 D3F3ND3R root 0 Aug 20 16:14 password.txt
#Creating a .sh file & assigning read, write, & execute to the owner, group & others.
#777 is rarely what you want: any local user can now edit a script that someone
#will later execute. 755 (or 750) is the usual mode for a script.
D3F3ND3R@hi-world:~/folder$ touch bash-script.sh && chmod 777 bash-script.sh
#Listing our files with their modified permissions
D3F3ND3R@hi-world:~/folder$ ls -l
total 0
-rwxrwxrwx 1 D3F3ND3R root 0 Aug 20 16:20 bash-script.sh
-rw-r--r-- 1 D3F3ND3R root 0 Aug 20 16:13 hello.txt
-rw------- 1 D3F3ND3R root 0 Aug 20 16:14 password.txt
#Add 'bob' to the sudo group so that bob can do things that require root
#(bob was deleted in the previous section; recreate the account first if needed)
D3F3ND3R@hi-world:~/folder$ sudo usermod -aG sudo bob
D3F3ND3R@hi-world:~/folder$ sudo su bob
#Reading a file that only its owner (or root) may read, as 'bob' via sudo.
#Mode 600 did not protect it: a sudo member reads as root, so file permissions
#are no defence against anyone you put in that group.
bob@hi-world:/home/D3F3ND3R/folder$ sudo cat password.txt
SSH password > admin:Password1234
chown:
#Create user 'bob' with a home directory and a bash login shell, then switch
#to user 'bob' (without -s, useradd gives /bin/sh on Debian-based systems)
D3F3ND3R@hi-world:~/folder$ sudo useradd -m -s /bin/bash bob
D3F3ND3R@hi-world:~/folder$ sudo su bob
#List file permissions as user 'bob'; these files are owned by root
bob@hi-world:/home/D3F3ND3R/folder$ ls -l
total 0
-rwxrwxrwx 1 root root 0 Aug 20 16:37 bash-script.sh
-rw-r--r-- 1 root root 0 Aug 20 16:37 hello.txt
-rw------- 1 root root 0 Aug 20 16:37 password.txt
#Try to read password.txt as 'bob': permission is denied, because bob is
#neither the owner nor root, and mode 600 gives the group and others nothing
bob@hi-world:/home/D3F3ND3R/folder$ cat password.txt
cat: password.txt: Permission denied
#Switch back to the user with sudo privileges (su asks for that user's password)
bob@hi-world:/home/D3F3ND3R/folder$ su D3F3ND3R
Password:
#Change the owner and the group of password.txt from 'root' to 'bob'
D3F3ND3R@hi-world:~/folder$ sudo chown bob:bob password.txt
D3F3ND3R@hi-world:~/folder$ ls -l
total 0
-rwxrwxrwx 1 root root 0 Aug 20 16:37 bash-script.sh
-rw-r--r-- 1 root root 0 Aug 20 16:37 hello.txt
-rw------- 1 bob bob 0 Aug 20 16:37 password.txt
#Switch back to 'bob', who as the new owner can now read password.txt
D3F3ND3R@hi-world:~/folder$ sudo su bob
bob@hi-world:/home/D3F3ND3R/folder$ cat password.txt
SSH password > admin:Password1234
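The chmod and chown transcripts above rely on reading mode strings such as -rw------- and translating them to numbers such as 600. The script below is an added example, not code from the original guide: it converts between the two notations, then uses the numeric form with find to hunt for files whose mode is too loose, the kind of check that would have flagged the chmod 777 script. The files it inspects are a constructed fixture (the transcript's three files, recreated in a temporary directory with the same modes), so it runs anywhere without root.

```shell
#!/bin/sh
# Added example, not code from the original guide: convert between the
# symbolic (rwx) and numeric (octal) permission notations, then use the
# numeric form with find to hunt for files whose mode is too loose. The
# files it inspects are constructed in a temporary directory (the three
# files from the chmod transcript, with the same modes), so the script
# runs anywhere without root.

# Symbolic -> numeric: takes the 10-character mode string ls -l prints
# ("-rwxr-x---" -> 750). Each letter is a set bit and "-" a clear bit; a
# lowercase s or t means the execute bit is set beneath setuid/setgid/sticky,
# an uppercase S or T means it is not (the special bits themselves are
# not part of the three-digit result).
sym_to_octal() {                # $1 = mode string
    printf '%s\n' "$1" | awk '{
        s = substr($0, 2)       # drop the file-type character
        n = 0
        for (i = 1; i <= 9; i++) {
            c = substr(s, i, 1)
            bit = (c == "-" || c == "S" || c == "T") ? 0 : 1
            n = n * 2 + bit
        }
        printf "%o\n", n
    }'
}

# Numeric -> symbolic: each digit is the sum of r=4, w=2, x=1
# (750 -> "rwxr-x---").
octal_to_sym() {                # $1 = three octal digits
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= 3; i++) {
            d = substr($0, i, 1) + 0
            out = out ((d >= 4) ? "r" : "-")
            out = out ((d % 4 >= 2) ? "w" : "-")
            out = out ((d % 2 == 1) ? "x" : "-")
        }
        print out
    }'
}

# Constructed fixture: a temporary directory holding the transcript's three
# files with the modes the transcript gives them. Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    touch "$dir/hello.txt" "$dir/password.txt" "$dir/bash-script.sh"
    chmod 644 "$dir/hello.txt"
    chmod 600 "$dir/password.txt"
    chmod 777 "$dir/bash-script.sh"
    printf '%s\n' "$dir"
}

# Regular files under $1 that "others" may write (-perm -002 matches any
# file with the o+w bit set). A hit is something every local user can
# alter; for a script that gets executed, that is a code-execution path.
world_writable() {              # $1 = directory
    (cd "$1" && find . -type f -perm -002 | sed 's|^\./||' | sort)
}

# Regular files under $1 that "others" may read (-perm -004). Useful for
# spotting secrets that were never given the 600 treatment.
world_readable() {              # $1 = directory
    (cd "$1" && find . -type f -perm -004 | sed 's|^\./||' | sort)
}

fixture=$(make_fixture)
echo "world-writable:"; world_writable "$fixture"
echo "world-readable:"; world_readable "$fixture"
rm -rf "$fixture"
```

Run against a real tree (for example world_writable /usr/local/bin as root), the two find-based checks report exactly the files whose "others" bits the chmod transcript set, and sym_to_octal turns any ls -l mode string into the number to pass back to chmod when tightening them.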
<Closing>
If you have reached the end of this guide on managing users, groups, and file permissions in Linux, thank you for reading. I hope you learned something valuable that helps you understand how to manage and secure your data through permissions.
Happy managing :)