Chapter 5. Multiuser Environment
- Table of Contents
- 5.1. User accounts
- 5.1.1. Superuser Account
- 5.1.2. Adding new users
- 5.1.3. Removing users
- 5.1.4. Modifying user information
- 5.2. The concept of ``groups'' in Linux
- 5.2.1. Managing groups
- 5.2.2. Predefined groups
- 5.3. Access Privileges
- 5.3.1. File owner and file group
- 5.3.2. File Permissions
- 5.3.3. Managing file permissions
Linux is a true multiuser environment. This means that the system can support different users with different privileges. Each user has access to a predefined set of system services and his/her own private data. The private data in turn can be shared with other users by granting access privileges to them. All the privilege checking is done with the help of user accounts maintained by the system. Linux provides a number of commands that can be used to create and manage user accounts. These are supported by a number of files and directories under /etc that are used to hold information about the users. The facilities provided can be broadly classified into two categories - user management and group management.
5.1. User accounts
Traditionally, the information regarding the users is placed in a file called /etc/passwd. This contains the login name, full name, home directory and other info in a standard format. It may also contain the encrypted password used by the user, hence the name of the file. But nowadays, better ways for user authentication are used, which store the password elsewhere.
5.1.1. Superuser Account
By default, every Linux installation has a specially privileged account called the root or superuser. This user has complete access to all the services and resources present on the system. The account is normally owned by the system administrator, and used to carry out special task that require special privileges not available to normal accounts. A person who logs in as root can modify any file on the entire system irrespective of the actual owner of the file and run any program anywhere on the system. As such, it is the most powerful account and has to be used with caution. Mistakes made while logged in as root can prove very dangerous to the system; hence its extremely important that the user should avoid using the root account unless absolutely necessary.
All other accounts are said to be non-privileged, since they have only access to a limited amount of services. Their privileges can be further controlled by use of groups which are used for collective management of user accounts.
5.1.2. Adding new users
The standard command useradd can be used to create a new user on the system. It is one of a family of commands for user management, that can only be invoked by a user with special privileges, ie, the root. The most common arguments provided to the command are as follows:
adduser -g <group> -m -p <password> <login> |
The result of this command is the creation of a new user with this login. Also a directory with the same name is created under /home/ and some default files are copied to this directory. Also, the necessary files containing user information are updated, according to the information provided by the superuser. The new user is assigned a unique number called the UID, ie, his/her User ID. This ID can have a value greater than a particular number which is represented by a constant called UID_MIN. This constant is system specific, defined in the file /etc/login.defs. This feature allows the system operator to reserve a minimum number of ID's for system accounts.
 | Further exploration |
|---|---|
The manpages list a lot of other options like the life of the user account, the default shell, etc. Objects of interest are the directory /etc/skel/ that specifies the initial contents of the home directory and /etc/default/useradd that lists the default values used by the command. |
 | Distribution specific options |
|---|---|
Some distributions can specify their own default behaviour for the useradd command. An example is Redhat, where the command will create a new group having the same name as the user by default. This can be overriden using the -n option. |
5.1.3. Removing users
The command userdel is used to remove an existing user from a system. This can be invoked as follows:
userdel -r <username> |
This command modifies all the system files, deleting all information about the specified username. The -r option will cause the user's home directory to be deleted along with any files or sub-directories it may contain.
5.1.4. Modifying user information
The command usermod is used to modify information about an existing user. The arguments accepted by this are almost the same as those accepted by useradd command. The only difference is that it modifies existing entries rather than creating new one's.
5.2. The concept of ``groups'' in Linux
In Linux, users are divided into logical collections called groups. These are used to confer various kinds of privileges to system objects to a group of users together. One user may belong to a number of groups, but he/she will always have a default group, along with other groups which are said to be supplementary. When a user is added to a particular group, all the privileges that are conferred on the group are also conferred on the user.
5.2.1. Managing groups
The superuser can use a set of commands analogous to the once used for user management. They are:
| groupadd |
| groupdel |
| groupmod |
In addition, the superuser uses the commands usermod and useradd with the -D option to specify group memberships for various users.
5.2.2. Predefined groups
User groups can be effectively used to segregate users according to the privileges that may be granted to them. A number of such groups are created during system installation, which have a particular set of privileges for the system services that they correspond to. When a user is made a member of such a group, he/acquires access to the services that are available to that group. A few such groups are listed below, a complete list can be obtained from the file /etc/group.
Predefined groups in Linux
- wheel
This is the set of privileged users who are granted special powers in the system. By default, root is the only member of this group.
- users
This is the catch-all group that all new users are added to. All the members of this group are provided basic privileges in the system as defined by the system administrator.
- pppusers
Users that can create and pull down PPP (point-to-point) connections with remote computers. Usualy this involves the right to invode the PPP Daemon (pppd).
5.3. Access Privileges
So far we have been talking about controlling user actions through the use of privileges. Let us take a quick overview of the way in which Linux implements security on a very basic level, between multiple users on the same system. The same principles form the basis for further implementing security measures against outside users.
A file is not just made up of its content and a pointer in the filesystem informing where to find it. It also has an owner (a user id), a group (a group id), permissions, various time-stamps and other information. These are together called its attributes, which are stored in the filesystem.
5.3.1. File owner and file group
In order to implement access priviges, the first thing to do is define an owner and a group for the file. This information establishes who can claim control of the file. A file is given an owner and a group as soon as it is created. Usually owner is the current user and the group is the group of the directory within which the file is created; but this is system dependent.
$ ls -l NGL.sgml -rw-r--r-- 1 sameer users 10565 Jun 1 08:59 NGL.sgml |
Besides other stuff, we can see some information about the owner of the file in the above output. This file belongs to the user ``sameer'' on the system and is also accessible to the group ``users''.
5.3.2. File Permissions
Every file in Linux has a list of permissions attached to it, that specifies the kind of access that different users have to that file. The file permissions are also called its access modes. Here is the same example we had used earlier:
$ ls -l NGL.sgml -rw-r--r-- 1 sameer users 10565 Jun 1 08:59 NGL.sgml |
The very first column in the above output defines the access modes for the file. Their meaning will become apparent when we look at the way access modes are represented. These can be expressed as either octal numbers or mnemonics.
Access modes or permissions
- Read access (mnemonic: r, binary weight: 4)
Permission to read the file; for directories this means the permission to list the contents of the file.
- Write access (mnemonic: w, binary weight: 2)
Permission to modify the file; for directories, this means the permission to create or delete files.
- Execute access (mnemonic: x, binary weight: 1)
Permission to execute the file; for directories, this means the permission to access files in the directory.
| The file owner ``sameer'' has read and write permissions. |
| The file group ``users'' has only read permissions. |
| The other groups have only read permissions. |
Now let us take a look at the concept of octal value. In manipulating the permissions associated with a file, a common practice is to specify them using octal numbers. For this, each triad is interpreted as an octal, with the three modes ``r-w-x'' having their respective binary values. For example, in the above output, consider the permissions for the owner: `rw-'. This will have the octal value of (4+2+0=)6. And all the permissions can be expressed as the octal number 644.
5.3.3. Managing file permissions
A set of commands is available to manipulate the various permissions or access modes associated with a file. Any detailed treatment of these commands would prove to be superfluous. So we will proceed to only list some of the more important ones. These are all distributed in a single package called ``fileutils'' which is part of the GNU System. More information can be obtained from the relevant documentation such as manpages and info-pages.