004 - Linux Basics for DevOps: Users, Groups, and Permissions

In the last article we learned about Linux. Now let's move on to users, groups, and permissions, one of the essential topics in DevOps.
Users
In an operating system, the concept of users or accounts is fundamental. Users are primarily used to create boundaries, ensuring that each user has distinct permissions and operates within a unique environment. This separation is crucial for maintaining traceability within an organization. Generally, there are three main types of user accounts:
Root or Super User:
The root or super user has unrestricted access to execute any operation within the system. These users are essentially administrators and are primarily responsible for creating other user accounts and managing permissions. They have the highest level of control over the system.
Standard User:
Standard users are regular accounts that are granted specific permissions by the super user to perform certain operations. These accounts are similar to those used by everyday users like you and me. They have limited access compared to the root user, ensuring that they can only perform tasks within their designated permissions.
Service User:
Service users are created for specific service-related operations. For example, a service user might be set up with particular permissions to manage a MySQL service. It is advisable to have separate users for services rather than using the root user, as this minimizes potential security risks and operational issues.
Examples:
Root User Example:
The root user can install software, modify system files, and manage other user accounts. For instance, using the command
sudo useradd newuser
allows the root user to create a new standard user account.
Standard User Example:
A standard user might have permissions to read and write files in their home directory but cannot install software or access system files. They might use commands like ls to list files or nano to edit text files within their permitted directories.
Service User Example:
A service user for MySQL might have permissions to start and stop the MySQL service using commands like systemctl start mysql or systemctl stop mysql, but cannot perform other administrative tasks unrelated to the MySQL service.
By understanding these user types and their roles, organizations can effectively manage access and maintain security within their systems.
User-related information is stored in the /etc/passwd file. You can view it by using the command cat /etc/passwd. Here is the information it can display about a user:
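The following is an added example, not part of the original article: it reads the seven colon-separated fields of each /etc/passwd record, sorts accounts into the three types described above, and flags two conditions worth reviewing. The sample records are constructed, and the cut-off of UID 1000 between service and standard accounts is an assumption (a common UID_MIN default in /etc/login.defs).

```shell
#!/bin/sh
# Added example: classify /etc/passwd records as root, service or standard
# accounts and flag entries that deserve a closer look.
# Assumption: UIDs below 1000 are service accounts; override with UID_MIN.

# Constructed sample records, not taken from a real host.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
mysql:x:112:118:MySQL Server:/nonexistent:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup2:x:0:0:constructed second uid 0 entry:/root:/bin/bash
deploy:x:998:998:constructed service account:/opt/deploy:/bin/bash
john:x:1001:1001:John:/home/john:/bin/bash
EOF
}

# Fields: name:password:UID:GID:comment:home:shell
# Output: one line per account, "name type note".
classify_accounts() {
  awk -F: -v uid_min="${UID_MIN:-1000}" '
    NF != 7 { printf "%s malformed -\n", $1; next }
    {
      uid = $3 + 0
      if (uid == 0)                 type = "root"
      else if (uid < uid_min + 0)   type = "service"
      else                          type = "standard"

      note = "-"
      # More than one account with UID 0 means more than one superuser.
      if (uid == 0 && $1 != "root")
        note = "REVIEW:extra-uid-0"
      # Service accounts normally have no interactive login shell.
      else if (type == "service" && $7 !~ /(nologin|false)$/)
        note = "REVIEW:login-shell"

      printf "%s %s %s\n", $1, type, note
    }'
}

sample_passwd | classify_accounts
# On a real host: classify_accounts < /etc/passwd
```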
Groups
Imagine managing a system with thousands of users, where setting permissions individually for each user would be an overwhelming task. Instead, we can streamline this process by categorizing users into groups, such as developer groups, DevOps groups, etc. By assigning permissions to these groups, all users within a group automatically inherit the group's permissions, simplifying management and ensuring consistency.
Groups in Linux
In Linux, groups are used to manage permissions for multiple users efficiently. By assigning users to a group, you can control access to files, directories, and system resources collectively, rather than individually.
Creating and Managing Groups
Creating a Group:
To create a new group, use the groupadd command followed by the group name. For example, to create a group named "developers", you would use:
sudo groupadd developers
Adding Users to a Group:
To add a user to a group, use the usermod command with the -aG option. For example, to add a user named "john" to the "developers" group, you would use:
sudo usermod -aG developers john
Viewing Group Information:
To view the groups a user belongs to, use the groups command followed by the username. For example:
groups john
Listing All Groups:
To list all groups on the system, you can view the /etc/group file:
cat /etc/group
Example Scenario
Suppose you have a project directory that should only be accessible to the DevOps team. You can set the directory's group ownership to "devops" and adjust the permissions so that only members of this group can access it:
Change Group Ownership:
sudo chown :devops /path/to/project-directory
Set Group Permissions:
To allow the owner and the group to read, write, and execute while removing all access for others, use:
sudo chmod 770 /path/to/project-directory
In this setup, only the directory's owner and users in the "devops" group can access the project directory, ensuring that sensitive files are protected from unauthorized access.
By effectively using groups, system administrators can manage user permissions more efficiently, reducing the complexity and potential for errors in permission settings.
Ownership and Permissions
Every file in the operating system has two main attributes:
Ownership
Ownership in a Linux operating system indicates who owns a file and which group is associated with it, typically the file owner's group. To view file ownership, you can use the ls -l command, which displays the file owner's name followed by the group name. If you need to change the ownership, you can use the sudo chown user:group filename command to change both the user and group. To change only the owner, use sudo chown user filename, and to change only the group, use sudo chgrp group filename.
Examples:
Viewing Ownership:
Run ls -l filename to see the current owner and group of a file. The output will show something like:
-rw-r--r-- 1 owner group size date time filename
Changing Ownership:
To change both the owner and group of a file named "example.txt" to "alice" and "developers" respectively, use:
sudo chown alice:developers example.txt
Changing Only the Owner:
To change only the owner of "example.txt" to "bob", use:
sudo chown bob example.txt
Changing Only the Group:
To change only the group of "example.txt" to "admins", use:
sudo chgrp admins example.txt
Understanding and managing file ownership is crucial for maintaining security and proper access control in a multi-user environment.
Permissions
Image Credit TechWorld with Nana
To view file permissions in Linux, you can use the ls -l command. This command displays permissions in three main groups. The initial character represents the file type, such as "d" for a directory or "-" for a regular file. Following this, the permissions are divided into three sets:
Owner Permissions: Indicated by "r" for read, "w" for write, and "x" for execute.
Group Permissions: These are the permissions granted to the group associated with the file.
Other Users Permissions: These are the permissions available to all other users.
To change file permissions, there are three primary methods:
Symbolic Mode: This method allows you to modify permissions using symbols. For example,
sudo chmod u+r filename
adds read permission for the user. Here, "u" stands for user, "+" means adding, and "r" stands for read.
Set Permission: This involves setting complete permissions for a specific category. For example,
sudo chmod g=rwx filename
sets read, write, and execute permissions for the group. Here, "g" stands for group, and "rwx" specifies the permissions.
Numeric Mode: Permissions can also be set using numeric values. For example,
sudo chmod 777 filename
grants read, write, and execute permissions to the owner, group, and others. Each digit is the sum of the permissions for one category: 4 for read, 2 for write, and 1 for execute. Because 777 lets every account on the system modify the file, it is rarely appropriate outside of demonstrations; modes such as 640 for files or 750 for directories are more typical.
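As an added example (not from the original article), the script below converts an ls -l permission string into numeric mode using the 4/2/1 sums, then searches a directory tree for entries that others can write to. The temporary directory and its file names are constructed for the demonstration, and nothing in it needs root.

```shell
#!/bin/sh
# Added example: symbolic permissions -> numeric mode, plus a check for
# entries writable by "others". All paths below are constructed.

# rwxrwx--- -> 770. Each triplet is summed as r=4, w=2, x=1.
# Accepts 9 characters, or 10 with the leading file-type character.
# Only plain r/w/x/- are handled (no setuid, setgid or sticky bit).
symbolic_to_octal() {
  perms=$1
  [ "${#perms}" -eq 10 ] && perms=${perms#?}   # drop the file-type character
  [ "${#perms}" -eq 9 ] || return 1
  out=""
  while [ -n "$perms" ]; do
    rest=${perms#???}; triplet=${perms%"$rest"}; perms=$rest
    digit=0
    case $triplet in r??) digit=$((digit + 4)) ;; esac
    case $triplet in ?w?) digit=$((digit + 2)) ;; esac
    case $triplet in ??x) digit=$((digit + 1)) ;; esac
    out=$out$digit
  done
  printf '%s\n' "$out"
}

# List files and directories under $1 that others may write to
# (the o+w bit, octal 0002), which is what chmod 777 produces.
find_world_writable() {
  find "$1" \( -type f -o -type d \) -perm -0002 | sort
}

# Build a small tree with three different modes and audit it.
demo() {
  d=$(mktemp -d) || return 1
  mkdir "$d/project-directory"; chmod 770 "$d/project-directory"
  : > "$d/notes.txt"; chmod 640 "$d/notes.txt"
  : > "$d/open.txt";  chmod 777 "$d/open.txt"
  find_world_writable "$d" | sed "s|^$d/||"
  rm -rf "$d"
}

symbolic_to_octal rwxrwx---    # 770, the project directory mode
symbolic_to_octal -rw-r--r--   # 644, the ls -l sample line
demo                           # open.txt
```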
Understanding and managing file permissions is essential for maintaining security and ensuring proper access control in a multi-user environment.
I hope this article helps you understand the basics of Linux Users, Groups and File Permissions. Feel free to reach out to me if you have any questions.
Summary
This article provides an overview of Linux users, groups, and file permissions, fundamental concepts in managing a system. It explores the types of user accounts—root, standard, and service users—and their roles in maintaining system security and organization. Additionally, it explains the use of groups for efficient permission management and details how to view and modify ownership and permissions of files. Understanding these concepts is essential for effective system administration and security in a multi-user environment.
Written by

Hamza Iqbal
Hi, Hamza Iqbal here. I'm a MERN Stack developer with 3+ years of experience. I'm a tech enthusiast who loves to learn new skills and read tech-related news. Currently, I'm learning DevOps.