{"id":7999,"date":"2024-10-12T01:01:00","date_gmt":"2024-10-12T05:01:00","guid":{"rendered":"https:\/\/www.both.org\/?p=7999"},"modified":"2024-10-11T13:59:32","modified_gmt":"2024-10-11T17:59:32","slug":"linux-user-accounts-and-security","status":"publish","type":"post","link":"https:\/\/www.both.org\/?p=7999","title":{"rendered":"Linux User Accounts and Security"},"content":{"rendered":"<p class=\"has-small-font-size\"><em><strong>Author\u2019s note: <\/strong>This article is excerpted in part from Appendix 1 of my book, <a href=\"https:\/\/www.both.org\/?page_id=2024\" data-type=\"link\" data-id=\"https:\/\/www.both.org\/?page_id=2024\" target=\"_blank\" rel=\"noreferrer noopener\">Linux for Small Business Owners<\/a>, with some changes to update it and to better fit this article format.<\/em><\/p>\n\n\n\n<p>User accounts are the first line of security on your Linux computer. They are used in the Linux world to provide access to the computer, to keep out people who should not have access, and to keep authorized users from interfering with other users\u2019 data and usage of the computer.<\/p>\n\n\n\n<p>The security of the computer and the data stored on it is dependent on the user accounts created by the Linux system administrator. A user cannot access any resources on a Linux system without logging on with an account ID and password. The administrator creates an account for each authorized user and assigns an initial password. 
For many home users and small businesses, only one user account is needed, but others may require more than one account on a given computer.<\/p>\n\n\n\n<p>Files have attributes of ownership and permissions that are used to determine which user accounts have access to read or write files, or to execute program files. Directories have permissions that determine which users can have access to them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">File Attributes<\/h2>\n\n\n\n<p>I created some files to illustrate the concepts in this article.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;dboth@mycomputer ~]$ <strong>for I in `seq -w 20` ; do echo \"Hello world file$I\" &gt; testfile$I.txt ; done<\/strong><\/code><\/pre>\n\n\n\n<p>A long listing of the contents of the home directory shows the ownership and file permissions for each file and subdirectory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;dboth@mycomputer ~]$ <strong>ls -l<\/strong>\ntotal 80\ndrwxr-xr-x. 1 dboth dboth 0 May 25 14:12 <strong>Desktop<\/strong>\ndrwxr-xr-x. 1 dboth dboth 0 May 25 14:12 <strong>Documents<\/strong>\ndrwxr-xr-x. 1 dboth dboth 0 May 25 14:12 <strong>Downloads<\/strong>\ndrwxr-xr-x. 1 dboth dboth 0 May 25 14:12 <strong>Music<\/strong>\ndrwxr-xr-x. 1 dboth dboth 0 May 25 14:12 <strong>Pictures<\/strong>\ndrwxr-xr-x. 1 dboth dboth 0 May 25 14:12 <strong>Public<\/strong>\ndrwxr-xr-x. 1 dboth dboth 0 May 25 14:12 <strong>Templates<\/strong>\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile01.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile02.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile03.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile04.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile05.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile06.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile07.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile08.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile09.txt\n-rw-r--r--. 
1 dboth dboth 22 Oct 11 15:57 testfile10.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile11.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile12.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile13.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile14.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile15.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile16.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile17.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile18.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile19.txt\n-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile20.txt\ndrwxr-xr-x. 1 dboth dboth 0 May 25 14:12 <strong>Videos<\/strong>\n&#91;dboth@mycomputer ~]$<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">File Ownership<\/h2>\n\n\n\n<p>The file permissions <strong>drwxr-xr-x<\/strong> for some of the items in the listing \u2013 those with the leading \u201cd\u201d \u2013 indicate that they are directories. The rest have a dash (-) in that first position, indicating that they are regular files. \u201cRegular file\u201d is the correct term.<\/p>\n\n\n\n<p>Each file and directory has a set of permissions as shown in Figure 1. These permissions are three triplets of (R)ead, (W)rite, and e(X)ecute. 
Each triplet represents User \u2013 the owner of the file, Group \u2013 the group that owns the file, and Other \u2013 for all other users.<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table class=\"has-fixed-layout\"><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">User<\/th><th class=\"has-text-align-center\" data-align=\"center\">Group<\/th><th class=\"has-text-align-center\" data-align=\"center\">Other<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\">rwx<\/td><td class=\"has-text-align-center\" data-align=\"center\">rwx<\/td><td class=\"has-text-align-center\" data-align=\"center\">rwx<\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\"><em>Figure 1: Linux file permissions.<\/em><\/figcaption><\/figure>\n\n\n\n<p>The file permissions are sometimes referred to as the file mode. The file permissions, the number of hard links, the User ownership, the Group ownership, the file size, the date and time it was last modified, and the file name itself are all shown in that order in the long listing.<\/p>\n\n\n\n<p>Let\u2019s look at the details of a single file. We will use the file shown in Figure 2 to explore the structure and attributes of a file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-rw-r--r--. 1 dboth dboth 22 Oct 11 15:57 testfile01.txt<\/code><\/pre>\n\n\n\n<p class=\"has-text-align-center has-small-font-size\"><em>Figure 2: Permissions of a single file.<\/em><\/p>\n\n\n\n<p>There are two owners associated with every file. In this case the first is the User dboth. The second is Group ownership, which is also dboth. This is normal for the files in your home directory structure. The reasons for this are beyond the scope of this article.<\/p>\n\n\n\n<p>The User permissions are the first triplet, rw-, which indicates that the user dboth can read and write this file. Because the last position in this triplet is a dash (-), this file cannot be executed. 
That is OK because it is not an executable file.<\/p>\n\n\n\n<p>The Group permissions are the second triplet. This triplet, r--, indicates that members of the group dboth, if there are any others, can only read the file. They cannot write to it \u2013 that is, they cannot change it \u2013 and it cannot be executed.<\/p>\n\n\n\n<p>The final triplet is for all other user accounts on the system. In this case the permissions of r-- mean the file can only be read by those other accounts.<\/p>\n\n\n\n<p>The user who created the file is always the owner of a file \u2013 at least until ownership is changed.<\/p>\n\n\n\n<p>The root user can always change user and group ownership \u2013 or anything else. The User (owner) of a file can only change the Group ownership under certain circumstances.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">More about file permissions<\/h2>\n\n\n\n<p>The file permissions, also called the file mode, along with file ownership, provide a means of defining which users and groups have specific types of access to files and directories. For now we just look at files and will examine directory permissions later. Figure 3 shows the three types of permissions and their representation in symbolic (rwx) and Octal (421) formats. Octal is only a bit different from Hex \u2013 literally. Hex characters are composed of 4 binary bits and Octal is composed of 3 binary bits.<\/p>\n\n\n\n<p>User, Group, and Other define the classes of users that the permissions affect. The User is the primary owner of the file. So the User student owns all files with user ownership of student. Those files may or may not have group ownership of student, but in most circumstances they will. So the User permissions define the access rights of the User who \u201cowns\u201d the file. The Group permissions define the access rights of the Group that owns the file, if it is different from the User ownership. And Other is everyone else. 
All other users fall into the Other category, so access by all other users on the system is defined by the Other permissions.<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table class=\"has-fixed-layout\"><thead><tr><th><br><\/th><th>User<\/th><th>Group<\/th><th>Other<\/th><\/tr><\/thead><tbody><tr><th>Permissions<\/th><td><strong>r w x<\/strong><\/td><td><strong>r w x<\/strong><\/td><td><strong>r w x<\/strong><\/td><\/tr><tr><th>Binary Bits<\/th><td><strong>1 1 1<\/strong><\/td><td><strong>1 1 1<\/strong><\/td><td><strong>1 1 1<\/strong><\/td><\/tr><tr><th>Octal value<\/th><td><strong>4 2 1<\/strong><\/td><td><strong>4 2 1<\/strong><\/td><td><strong>4 2 1<\/strong><\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\"><em>Figure 3: File permission representations and their binary and Octal values.<\/em><\/figcaption><\/figure>\n\n\n\n<p>There are three permission bits for each class, User, Group, and Other. Each bit has a meaning, (r)ead, (w)rite, and e(x)ecute, and a corresponding octal positional value. We can simplify the class notation by using \u201cUGO\u201d either together or separately in commands. These classes are expressed in lowercase in the commands that affect them.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Read means that the file can be read by members of that class.<\/li>\n\n\n\n<li>Write means that the file can be written by members of that class.<\/li>\n\n\n\n<li>Execute means that the file is executable by members of that class.<\/li>\n<\/ul>\n\n\n\n<p>A file with permissions set to 644 in octal can be interpreted as in Figure 4. 
<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table class=\"has-fixed-layout\"><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\"><\/td><td><strong>User<\/strong><\/td><td><strong>Group<\/strong><\/td><td><strong>Other<\/strong><\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>Permissions<\/strong><\/td><td><strong>rw-<\/strong><\/td><td><strong>r--<\/strong><\/td><td><strong>r--<\/strong><\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>Binary<\/strong> <strong>Bits<\/strong><\/td><td><strong>110<\/strong><\/td><td><strong>100<\/strong><\/td><td><strong>100<\/strong><\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>Octal Value<\/strong><\/td><td><strong>6<\/strong><\/td><td><strong>4<\/strong><\/td><td><strong>4<\/strong><\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\">Figure 4: Symbolic permissions for a file with 644 octal value.<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Directory permissions<\/h2>\n\n\n\n<p>Directory permissions are not all that different from file permissions. They are also part of the Linux security structure.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The read permission on a directory allows access to list the content of the directory.<\/li>\n\n\n\n<li>Write allows the users with access to create, change, and delete files in the directory.<\/li>\n\n\n\n<li>Execute allows the users with access to make the directory the present working directory (PWD).<\/li>\n<\/ul>\n\n\n\n<p>A group is an entity defined in the \/etc\/group file with a meaningful name, such as \u201cdevelopment\u201d or \u201cdev\u201d, that lists the user IDs, like \u201cdboth,\u201d of the members of that group. 
So by setting the group ownership of a file to \u201cdevelopment\u201d, all members of the development group can access the file based on its Group permissions.<\/p>\n\n\n\n<p>The bottom line is that there are many directories on a Linux system that regular users do not have access to. If a regular user cannot access a directory, it is because they do not have the proper permissions.<\/p>\n\n\n\n<p>But regular users do have access to their entire home directory tree. All users also have access to create files and directories in the \/tmp directory, which is a place to store files temporarily. Thus its name \u2013 which is short because \u2026 lazy Sysadmin.<\/p>\n\n\n\n<p>It is unlikely that most users who aren&#8217;t SysAdmins in their day jobs will need to add users or add users to groups.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Author&rsquo;s note: This article is excerpted in part from Appendix 1 of my book, Linux for Small Business<\/p>\n","protected":false},"author":2,"featured_media":2818,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[5],"tags":[],"class_list":["post-7999","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux"],"modified_by":"David 
Both","_links":{"self":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/7999","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7999"}],"version-history":[{"count":7,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/7999\/revisions"}],"predecessor-version":[{"id":8028,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/7999\/revisions\/8028"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/media\/2818"}],"wp:attachment":[{"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7999"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7999"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7999"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}