Users and rights
Latest revision as of 07:24, 6 September 2025
Introduction
Files and directories on the Linux system belong to an owner and a group. You can set read, write and execute permissions on a file or directory for owner, group and others. Users can belong to one or more groups. The command chmod is used to set the permissions, the command chown to change the owner and the command chgrp to change the group.
- https://wiki.archlinux.org/title/File_permissions_and_attributes
- https://wiki.archlinux.org/index.php/Users_and_Groups
- http://www.cyberciti.biz/tips/unix-or-linux-commands-for-changing-user-rights.html
- http://www.cyberciti.biz/faq/how-to-use-chmod-and-chown-command/
Show ownership and permissions
```bash
ls -l /path/to/files/*
```
Example output:
| Type (d = directory, - = file) | Owner permissions | Group permissions | Others permissions | Number of links | Owner | Group | Size (bytes) | Modified date/time | Object name |
|---|---|---|---|---|---|---|---|---|---|
| - | rwx | rw- | r-- | 1 | wilbert | users | 464843 | Apr 6 16:09 | file1.txt |
| - | rwx | rwx | r-- | 1 | wilbert | users | 1398792 | Apr 6 16:09 | file2.sh |
| d | rwx | rw- | r-- | 2 | wilbert | users | 4096 | Apr 17 23:16 | directory |
| - | rwx | rw- | r-- | 2 | wilbert | users | 93 | Apr 17 23:16 | link_to_file1.txt |
Show, add, remove and modify users and groups
List a group and its members:
```bash
getent group groupname1
```
Format of the output:
```
groupname1:x:group_id:username1,username2,etc
```
Disable (lock) the root account:
```bash
sudo passwd -l root
```
Enable the root account by setting a password for it (run through sudo, passwd without a user name changes root's password):
```bash
sudo passwd
```
Add a user account together with a home folder:
```bash
sudo adduser username1
```
Delete a user:
```bash
sudo deluser username1
```
Lock (-l) or unlock (-u) a user account. Locking only disables the password; the user may still be able to log in with another authentication token, such as an SSH key:
```bash
sudo passwd -l username1
sudo passwd -u username1
```
Add or delete a group:
```bash
sudo addgroup groupname1
sudo delgroup groupname1
```
Add an existing user to a group:
```bash
sudo adduser username1 groupname1
```
Remove a user from a group:
```bash
sudo deluser username1 groupname1
```
Change permissions on files and directories
Flag method
Who:
- u user/owner
- g group
- o other
Permissions:
- r read
- w write
- x execute
Options and operators:
- -R recursive: apply to the directory and everything below it
- + add the permission
- - remove the permission
Examples:
```bash
sudo chmod -R u+rwx /path/to/files
sudo chmod -R go-x /path/to/files
```
Octal method
There are four octal (0..7) digits that control permissions. Mostly only the last three are used; the first digit is explained in the section "Create a shared folder and use of the sgid bit".
Permissions:
- 1 = execute (x)
- 2 = write (w)
- 4 = read (r)
Each octal digit is the sum of those three permissions, e.g.
- 1+2+4 = 7 : can execute, write and read
- 2+4 = 6 : can write and read
Permissions are set for owner, group and others, depending on the position of the digit:
| who: | owner | owner | owner | group | group | group | others | others | others |
|---|---|---|---|---|---|---|---|---|---|
| may: | x | w | r | x | w | r | x | w | r |
| add: | 1 | 2 | 4 | 1 | 2 | 4 | 1 | 2 | 4 |
Examples:
```bash
chmod 600 file   # owner r,w
chmod 700 file   # owner r,w,x
chmod 777 file   # all can r,w,x
```
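The octal table in working form, as an added example that is not from the original page: a POSIX shell function that turns the permission string shown by ls -l into the four-digit octal argument chmod accepts. It goes one step beyond the three-digit examples above by also producing the special first digit (suid, sgid, sticky) that the shared-folder section explains; it only assumes the standard cut utility.

```shell
#!/bin/sh
# Added example, not code from the original wiki page: convert the nine
# permission characters ls -l prints after the type character (the columns
# owner/group/others in the example output above, e.g. rwxrw-r--) into the
# four-digit octal value chmod accepts. The leading digit is the special
# bit from the shared-folder section: 4 = suid (s/S in the owner slot),
# 2 = sgid (s/S in the group slot), 1 = sticky (t/T in the others slot);
# lowercase s/t also implies execute, uppercase means no execute.
mode_to_octal() {
    mode=$1
    if [ "${#mode}" -ne 9 ]; then
        echo "mode_to_octal: expected 9 characters, got '$mode'" >&2
        return 1
    fi
    special=0      # first digit: suid 4 + sgid 2 + sticky 1
    digits=""      # the three rwx digits: owner, group, others
    who=0          # 0 = owner, 1 = group, 2 = others
    while [ -n "$mode" ]; do
        r=$(printf '%s' "$mode" | cut -c 1)
        w=$(printf '%s' "$mode" | cut -c 2)
        x=$(printf '%s' "$mode" | cut -c 3)
        mode=$(printf '%s' "$mode" | cut -c 4-)
        d=0
        case $r in r) d=$((d + 4)) ;; -) ;; *) echo "bad read flag '$r'" >&2; return 1 ;; esac
        case $w in w) d=$((d + 2)) ;; -) ;; *) echo "bad write flag '$w'" >&2; return 1 ;; esac
        # The execute slot may also carry this position's special bit.
        case "$who$x" in
            ?x) d=$((d + 1)) ;;
            ?-) ;;
            0s) d=$((d + 1)); special=$((special + 4)) ;;
            0S) special=$((special + 4)) ;;
            1s) d=$((d + 1)); special=$((special + 2)) ;;
            1S) special=$((special + 2)) ;;
            2t) d=$((d + 1)); special=$((special + 1)) ;;
            2T) special=$((special + 1)) ;;
            *)  echo "mode_to_octal: unexpected '$x' in '$1'" >&2; return 1 ;;
        esac
        digits="$digits$d"
        who=$((who + 1))
    done
    printf '%d%s\n' "$special" "$digits"
}

# The first row of the ls -l example and the 2770 shared directory:
mode_to_octal rwxrw-r--    # 0764
mode_to_octal rwxrws---    # 2770
```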
Change ownership of files and directories
Note: option -R (recursive) applies the change to the directory and to all files and (sub)directories below it.
Owner:
```bash
sudo chown username1 /path/to/file_or_dir
sudo chown -R username1 /path/to/dir
```
Group:
```bash
sudo chgrp groupname1 /path/to/file_or_dir
sudo chgrp -R groupname1 /path/to/dir
```
Owner+group:
```bash
sudo chown username1:groupname1 /path/to/file_or_dir
sudo chown -R username1:groupname1 /path/to/dir
```
Create a shared folder and use of the sgid bit
Share files among users using a group, protect them from others and keep new items in the group using the sgid bit.
Add users 'user1' and 'user2' to the group 'group1' (create the group first with addgroup, as shown above). The -a flag matters: without it, -G replaces the user's supplementary groups instead of extending them:
```bash
sudo usermod -a -G group1 user1
sudo usermod -a -G group1 user2
```
Create /home/group1 and set the group of all folders, subfolders and files in it to 'group1':
```bash
sudo mkdir /home/group1
sudo chgrp -R group1 /home/group1
```
Set the sgid bit on the directories. The sgid bit makes sure that new items created in the directory belong to the same group as the directory, instead of the creating user's default group.
```bash
sudo find /home/group1 -type d -exec chmod 2770 {} \;
```
Here 2770 means:
- 2 : sgid bit
- 7 : owner rwx
- 7 : group rwx
- 0 : others have no access
Finally add read and write access for user and group for all files:
```bash
sudo find /home/group1 -type f -exec chmod ug+rw {} \;
```
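The shared-folder procedure above as shell functions, added here as an example and not taken from the wiki: setup_shared_dir runs the mkdir/chgrp/find steps on any directory and group, and verify_shared_dir checks that a file created inside actually inherits the directory's group, which is the whole point of the sgid bit. The function names are my own; it assumes GNU coreutils (stat -c) on a Linux filesystem.

```shell
#!/bin/sh
# Added example, not the wiki's own script: the shared-folder steps above as
# shell functions, plus a check that the sgid bit has the effect the text
# describes. Assumes GNU coreutils (stat -c) on a Linux filesystem that
# honours the sgid bit on directories.

# Step 1 (needs root, not run by the check below): add users to the group.
# -a is essential: without it, -G replaces the user's supplementary groups.
add_group_members() {
    grp=$1; shift
    for u in "$@"; do
        sudo usermod -a -G "$grp" "$u" || return 1
    done
}

# Steps 2-4: create the directory, hand it to the group, set 2770 on every
# directory and ug+rw on every file. Works without root when the caller owns
# the directory and is a member of the group.
setup_shared_dir() {
    dir=$1; grp=$2
    mkdir -p "$dir" || return 1
    chgrp -R "$grp" "$dir" || return 1
    find "$dir" -type d -exec chmod 2770 {} \; || return 1
    find "$dir" -type f -exec chmod ug+rw {} \; || return 1
}

# Octal mode of a path including the special digit, e.g. 2770.
path_mode() { stat -c '%a' "$1"; }

# Return 0 when the directory is 2770 and a file created inside it inherits
# the directory's group id (the sgid effect) rather than the creator's.
verify_shared_dir() {
    dir=$1
    probe=$dir/.sgid_probe.$$
    : > "$probe" || return 1
    dir_gid=$(stat -c '%g' "$dir")
    file_gid=$(stat -c '%g' "$probe")
    rm -f "$probe"
    [ "$dir_gid" = "$file_gid" ] && [ "$(path_mode "$dir")" = 2770 ]
}

# Usage with the wiki's names (needs root):
#   add_group_members group1 user1 user2
#   setup_shared_dir /home/group1 group1 && verify_shared_dir /home/group1
```

Run against a scratch directory owned by you and your own primary group (for example a mktemp -d path) to see the inheritance check pass without root.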
There is also the suid bit (4), which lets a program run with the privileges of the file's owner, so it can have more privileges than the user executing it.
More info on sgid (2) and suid (4):
- https://en.wikipedia.org/wiki/Setuid
File attributes
List attributes
```bash
lsattr
```
Immutable
Set the immutable attribute to prevent any changes to the item or its attributes. It will, for example, prevent writing to a folder that is meant as a mountpoint. Note that you have to umount first, because while the filesystem is mounted the path refers to the root of the mounted filesystem and not to the underlying directory:
Make immutable:
```bash
sudo umount /media/data
sudo chattr +i /media/data
sudo mount /media/data
```
Remove immutable:
```bash
sudo umount /media/data
sudo chattr -i /media/data
sudo mount /media/data
```
See also
- [[Allow a user to sudo execute a script without password]]