Linux is designed as a multi-user operating system. Multi-user support allows each user of the computer to have their own desktop configuration and separate identities on the computer and, most importantly, it allows users to protect their files from viewing and modification by others. If you’re sharing a home computer with several family members, you can benefit from the protection of your files offered by multi-user support. In this column we show you how users and groups operate under Linux and how you can take advantage of this system to provide file security.
First, we’ll see how users and groups are stored in your system.
The /etc/passwd file is where all user information is kept. This is a text file with each line corresponding to an individual user. Below is an example entry:
Each value in /etc/passwd is separated by a “:”. From left to right, the format of each entry is:
Note that Linux encrypts all passwords stored in this file. If you see an “x” in place of your password, your system may have the shadow password system installed. The shadow password system stores passwords in a separate file, /etc/shadow, for additional security.
A database of groups is kept in the /etc/group file. This is another text file with each line corresponding to a group. The format of this file is:
If you look at the /etc/passwd file on your computer you will notice that all users have a unique userid, but some may share the same groupid. By modifying the /etc/passwd file, users can be grouped together by assigning each an identical groupid. Users can be members of multiple groups if they are added in the /etc/group file.
Every Linux system has a special user account, known as the superuser, or root, which is able to read, write and change permissions and ownership of any file. The superuser is most commonly used for installing and removing software and performing system maintenance.
If you are logged in as a normal user, you can become the superuser at any time by typing su in a shell and entering the superuser password. If successful, the prompt in the shell will change from a ‘$’ to a ‘#’, indicating you are now the superuser. To return to the normal user state, type exit.
Controlling file access
Linux uses a very simple, yet powerful, system for specifying the access each user has to a file. To demonstrate, we will create a file and use the chmod and chown commands to change its access permissions and ownership. To create a file and view its permissions, type the following in a shell:
$ echo "test" >> perms_example.txt
$ ls -l perms_example.txt
The second command will produce an output similar to the following:
-rw-r--r-- 1 dad parents 5 Feb 1 08:38 perms_example.txt
This output shows the permissions on the file (rw-r--r--), the owner (dad) and the group the file belongs to (parents).
The representation of permissions may seem strange to you at first. Permissions of read (r), write (w) and execute (x) can be set for three categories of user in the system: owner, group and others. The permissions displayed by the ‘ls -l’ command show the settings for each of the three categories in that order. In our example, the owner of the file may read and write to the file whereas members of the group ‘parents’ and everybody else may only read the file.
The chmod command is used to modify the permissions on a file. In the following example we assign read and write permissions for all members of the group parents:
$ chmod g+rw perms_example.txt
Each set of permissions can be specified with the chmod command. In this case, ‘g’ has been used to indicate the ‘group’ permissions. The other sets can be specified with ‘u’ for owner and ‘o’ for others; ‘a’ can be used to modify all three sets at once. The ‘+’ adds the permissions following it to the specified set. Using ‘-’ would remove them.
You can change the owner and/or group to which a file belongs with the chown command. For example:
$ chown fred:kids perms_example.txt
This command changes the file owner to the user ‘fred’ and the group to ‘kids’. By setting the permissions on individual files it is possible to control the access other users have to them. In our example, the kids in the family may want to block their siblings from reading and writing to their files, while allowing the parents to view the contents (this would mean permissions of -rw----r--). Setting file permissions is a very simple method to protect privacy.
Remember, if you ever need access to a file, the superuser is able to access any file on the system regardless of the permissions set.
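The following is an added example, not part of the original column: it parses constructed /etc/passwd and /etc/group data and works out which permission set (owner, group or others) applies to a user for a file such as the -rw----r-- case above. The family accounts, the ‘games’ group and the function names are assumptions made for illustration.

```python
# Constructed sample data in /etc/passwd and /etc/group format (not from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dad:x:1000:100:Dad:/home/dad:/bin/bash
mum:x:1001:100:Mum:/home/mum:/bin/bash
fred:x:1002:200:Fred:/home/fred:/bin/bash
sue:x:1003:200:Sue:/home/sue:/bin/bash
"""
GROUP = """\
parents:x:100:
kids:x:200:
games:x:300:fred,dad
"""

def parse_passwd(text):
    """name:password:uid:gid:comment:home:shell -> {name: (uid, primary gid)}"""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid, *_rest = line.split(":")
            users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """name:password:gid:member,member,... -> {name: (gid, listed members)}"""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def groups_of(user, users, groups):
    """Primary group (the gid in passwd) plus every group that lists the user."""
    primary = users[user][1]
    return {g for g, (gid, members) in groups.items()
            if gid == primary or user in members}

def access(user, owner, group, mode, users, groups):
    """Letters from 'rwx' that `user` gets on a regular file whose ls -l mode is `mode`."""
    if users[user][0] == 0:
        # The superuser bypasses read/write checks; execute needs at least one x bit.
        return "rw" + ("x" if "x" in mode[1:10] else "")
    if user == owner:
        bits = mode[1:4]      # owner set
    elif group in groups_of(user, users, groups):
        bits = mode[4:7]      # group set
    else:
        bits = mode[7:10]     # others set
    return bits.replace("-", "")  # only the first matching set applies

USERS, GROUPS = parse_passwd(PASSWD), parse_group(GROUP)
```

Only the first matching set is consulted, which is why a sibling in the group ‘kids’ is denied even though ‘others’ may read the file.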