Users, groups and permissions - page 1

One of the concepts many people struggle with is that of users, groups and permissions. It's not only people migrating from Windows; many people who already use Linux or a Mac struggle with it too.

These concepts are the building blocks of the Linux OS and are the keystone for all security measures on your VPS and server.

Take each section at a time and you'll be surprised how easily it comes together at the end.

users:

Let's get right in there and see what users are on your system. So log into your VPS and see who's logged in:

who

Now we know there's at least one user around: paul. So what?

Well, 'paul' is actually a pretty unique user on this test server - he's the only user that can log in via SSH. He's the only user with sudo rights. It seems that 'paul' can pretty much do whatever he wants.

Let's test that by opening a file:

nano /etc/shadow

Hmm, it would seem that 'paul' doesn't have enough permission to open the shadow file (which, by the way, is a very good thing as it contains password information - it's all encrypted but we don't want anyone seeing it do we?).

You may think that it's pretty obvious that 'paul' can do some things and not others, but take a second to think about how autonomous programmes run. They need to complete various tasks and have access to various files. So how do they identify themselves?

By being assigned a user name.

Most processes are automatically given a user name. Some are assigned by the administrator. If you follow (or have followed) the Litespeed articles you will assign the username 'www-data' to the server.

That means that whenever the server requests information or wants to write some data to a file, it can identify itself and leave an accountable trail. It also means that if it went mad and wanted to write to our shadow file, it wouldn't be able to.

Put simply, we can assign permissions to individual users so they have access to certain files and directories and not others.

But what happens when we have a few users who want to access a particular file?

We could create a really long list of users that have access, or we could create a group of users and just say that group 'x' has access to that file.

groups:

Which brings us neatly to the 'group' section. Actually, that's pretty much it but I'll explain in more detail.

I like using real examples so, on your server, issue this command:

groups

You'll see that I belong to the group 'paul' and to the group 'www-data'. Your setup should be fairly similar with your main user being part of one or two groups.

Where some confusion arises is in the different permissions each group may have and how they relate to a single user.

We already know that the user 'paul' has some fairly loose privileges (although a password is still needed to perform some tasks). The group 'www-data' is the group of users the web server belongs to.

We put 'paul' in that group so he can share the permissions and privileges of the 'www-data' group. It is a one-way share though: the 'www-data' group does not automatically gain all of user 'paul''s privileges, and 'paul' does not gain all of user 'www-data''s privileges. They both share only the group privileges.

Using the image above, the user 'paul' has access to his email folder and the user 'www-data' has access to server ports. The 'shared' folder was told that all members of the 'www-data' group can access it.

As both user 'paul' and user 'www-data' are in the 'www-data' group, they can both play with the shared folder.
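To make the 'shared folder' idea concrete, here is an added example (not from the original article) that does in a few lines of POSIX shell what the system does for you: it builds a user's group list from passwd/group style records, then decides whether that user can read or write a file. The passwd and group lines, the file owners and the modes are constructed sample values; the example also goes one step further than the article by showing that only one permission class ever applies (owner, else group, else others).

```shell
# Added example, not part of the original article. The passwd/group lines below are
# constructed sample data, not read from a real /etc; file owners and modes are assumed.
PASSWD='root:x:0:0:root:/root:/bin/bash
paul:x:1000:1000:Paul:/home/paul:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'
GROUP='root:x:0:
shadow:x:42:
www-data:x:33:paul
paul:x:1000:
bob:x:1001:'

# groups_of USER: the primary group (gid field of the passwd record) followed by every
# group whose member list names USER, which is what the `groups` command prints.
groups_of() {
  gid=$(printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
  primary=$(printf '%s\n' "$GROUP" | awk -F: -v g="$gid" '$3 == g { print $1 }')
  extra=$(printf '%s\n' "$GROUP" | awk -F: -v u="$1" -v p="$primary" '
    $1 != p { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }')
  printf '%s' "$primary"
  for g in $extra; do printf ' %s' "$g"; done
  printf '\n'
}

# in_group USER GROUP: succeeds if GROUP is one of USER's groups.
in_group() {
  for g in $(groups_of "$1"); do [ "$g" = "$2" ] && return 0; done
  return 1
}

# has_perm USER OWNER GROUP MODE BIT: BIT is 4 (read), 2 (write) or 1 (execute) and MODE a
# three-digit octal mode such as 770. Exactly one class is consulted: the owner digit if
# USER owns the file, otherwise the group digit if USER is in GROUP, otherwise "others".
has_perm() {
  if [ "$1" = "$2" ]; then digit=$(printf '%s' "$4" | cut -c1)
  elif in_group "$1" "$3"; then digit=$(printf '%s' "$4" | cut -c2)
  else digit=$(printf '%s' "$4" | cut -c3)
  fi
  [ $((digit & $5)) -ne 0 ]
}

# Demo: the article's shared folder (root:www-data, mode 770) and /etc/shadow (root:shadow, 640).
echo "paul is in: $(groups_of paul)"
for u in paul www-data bob; do
  has_perm "$u" root www-data 770 2 && echo "$u can write to the shared folder" || echo "$u cannot"
done
has_perm paul root shadow 640 4 || echo "paul cannot read /etc/shadow"
```

Because the owner class is checked first and alone, a file owned by 'paul' with mode 070 is unreadable by 'paul' even though every other member of 'www-data' can read it.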

This will become clearer when we look at file and folder permissions and, more specifically, how we assign different permissions for users, groups and even to every user on the system.

When you move onto page 2, keep in mind the basics described here.

PickledOnion.
