Users and Groups
Every file and directory you work with on the system carries permissions, and these permissions control who may access the resource and how. In this blog we discuss the methods by which you can inspect and manipulate the access rights of files and folders.
Group
The permission management system utilizes groups to organize access rights. Each group comprises users with similar permissions. For instance, there may be separate groups for web developers and DevOps. The system owner can assign permissions based on the specific requirements of each group. Importantly, access to resources and privileges is restricted within individual groups, preventing one group from accessing the resources or privileges of another group.
User
When you run a process, its execution and permissions are determined by the user who starts it. You can find out the current user with the
whoami
command in the shell; its output is the name of the current user. Let's consider a scenario where there are two users on the system, User A and User B. User A is restricted from accessing files that are associated with or owned by User B.
The system enforces strict file permissions and access controls to maintain user privacy and security. Each user has their own designated home directory, where their personal files and data reside. By default, User A does not have permission to access or modify files within User B's home directory, and vice versa.
If you are using your own system, it is easy to assume you are the sole user. However, there are many more users on it, including the accounts used by system daemons.
Each process may have its own associated system daemon, which is responsible for ensuring the proper functioning and operation of that particular process. These system daemons work behind the scenes to perform specific tasks and provide essential services for the system as a whole.
But among all the users, there is one user who holds the most power - the superuser or root user. The superuser can access, run, or terminate any process on the system.
Fortunately, regular users can gain access to the superuser account by using the
sudo
command (short for "superuser do"). By using sudo, users can temporarily transform into the superuser (similar to Ben 10 transforming) and execute commands with elevated privileges. Regular users do not have permission to access some files; for instance, shivansh (the current user) cannot access the shadow file.
- Write
ls -l /etc/shadow
to see who has the privileges to access that file.
Only the root user has access to this file, as you can see in the image.
In this case, you can transform yourself into the superuser using
sudo su
which grants you the privileges to access the file as root.
Here you can read the shadow file because you are in superuser mode. To get out of superuser mode, use the
exit
command.
/etc/sudoers:- You can see all the users who are allowed to become the superuser/root user by writing
sudo cat /etc/sudoers
/etc/passwd
: This file contains the login data of all users, both active and inactive. It includes each user's password field and the shell that is launched when that user logs in.
Understanding the passwd file
When you print this file in your shell you see a wall of lines. Each line describes a different user, their identities and their password field. Let's understand what one line says:
shivansh:x:1000:1000:Shivansh charak,,,:/home/shivansh:/usr/bin/zsh
Let's divide it into 7 fields:
First field (shivansh) -> username
Second field (x) -> if this field contains x, the password is stored in the /etc/shadow file
Third field (1000) -> user ID (UID) of the user
Fourth field (1000) -> group ID (GID) of the group the user belongs to
Fifth field (Shivansh charak,,,) -> user info: the full name and other comments about the user
Sixth field (/home/shivansh) -> the user's home directory
Seventh field (/usr/bin/zsh) -> the login shell, the command interpreter that starts automatically when the user logs into the system. Users use this command-line interface to communicate with the system, execute commands and interact with its various functionalities.
Understanding Shadow file
As said before, the shadow file stores all the passwords:
root:!:19416:0:99999:7:::
First field (root) -> username
Second field (!) -> encrypted password. Here, ! means the account is locked and * means no password is set. If you want to grep a specific user's password entry you can use
sudo cat /etc/shadow | grep "username"
If you run this command you can see the encrypted password of the user in the second field.
Third field (19416) -> the date of the last password change, given as the number of days elapsed since January 1, 1970
Fourth field (0) -> the minimum password age: the number of days a user has to wait before they are allowed to change their password again
Fifth field (99999) -> the maximum number of days a password is valid before it must be changed
Sixth field (7) -> warning period: the number of days in advance that a user starts receiving warnings about upcoming password expiration
Seventh field (empty here) -> typically used to set the password expiry period; if it is empty, no specific password expiry period has been set for the user
Eighth field (empty here) -> the number of days until the account expires: if you are using someone else's system and its owner has set this, after that many days you can no longer access the system
Ninth field (reserved) -> extra field reserved for future use
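As an added example (not from the original post), the following POSIX shell helpers read passwd and shadow lines field by field as the two sections above describe, and flag what a defender looks for: extra UID 0 accounts, locked or passwordless accounts, and passwords past their maximum age. The sample lines are constructed and the hash is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: read passwd and shadow entries
# field by field and flag what a defender looks for. Sample data below is
# constructed; the hash is a placeholder, not a real one.

# field LINE N: the N-th colon-separated field of an entry.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# shadow_status LINE: classify field 2. '!' prefix = locked, '*' = no
# password set (password login impossible), empty = logs in with no
# password at all, anything else = a password hash.
shadow_status() {
    case "$(field "$1" 2)" in
        '!'*) echo locked ;;
        '*')  echo nopass ;;
        '')   echo empty ;;
        *)    echo hashed ;;
    esac
}

# shadow_expired LINE TODAY: "yes" when the password is older than the
# maximum age in field 5. TODAY is the day count since 1970-01-01 (the
# unit the shadow file uses): $(( $(date +%s) / 86400 )) on a live system.
shadow_expired() {
    last_change=$(field "$1" 3)
    max_days=$(field "$1" 5)
    if [ -z "$last_change" ] || [ -z "$max_days" ] || [ "$max_days" -ge 99999 ]; then
        echo no
    elif [ $(( $2 - last_change )) -gt "$max_days" ]; then
        echo yes
    else
        echo no
    fi
}

# uid0_users PASSWD_TEXT: every account whose UID (field 3) is 0. A second
# UID 0 account besides root is a classic sign of a backdoor.
uid0_users() { printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'; }

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
shivansh:x:1000:1000:Shivansh charak,,,:/home/shivansh:/usr/bin/zsh
toor:x:0:0:second root:/root:/bin/sh'
SAMPLE_SHADOW_ROOT='root:!:19416:0:99999:7:::'
SAMPLE_SHADOW_USER='shivansh:$6$placeholder$notarealhash:19416:0:90:7:::'

for u in $(uid0_users "$SAMPLE_PASSWD"); do echo "UID 0 account: $u"; done
echo "root: $(shadow_status "$SAMPLE_SHADOW_ROOT")"
echo "shivansh: $(shadow_status "$SAMPLE_SHADOW_USER"), expired=$(shadow_expired "$SAMPLE_SHADOW_USER" 19516)"
```

On a real system the same functions can be fed lines from sudo cat /etc/shadow and cat /etc/passwd.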
Understanding the group file
/etc/group -> This file maintains the data of the groups
root:x:0:
First field(root)-> Group name
Second field(x)->group password
Third field(0)-> Group id
Fourth field(empty)->In the "/etc/group" file, the fourth field (which is typically empty) represents the list of usernames associated with a specific group. For instance, let's consider a group named "group1" that has two users, "shivansh" and "shivansh2". In this case, both of them should be present in the fourth field, separated by commas.
Adding a user
sudo useradd kunal:- this automatically creates
/home/kunal
on my system, which will hold the user's scripts and the processes they run with their specific permissions
sudo passwd kunal:- to set a password for the user
Run this command to see the user who was just added to the system:
sudo tail -1 /etc/passwd
sudo userdel kunal
:- to delete a user
sudo groupadd "groupname"
:- to create a group
sudo usermod -aG groupname username
:- to add the user to the group
In the image shown above we first created a group DevOps and then added ansible to it using the usermod command. After that you can check which users have been added to the group using the command
sudo cat /etc/group
The fourth field shows the users who belong to the group; in this case it is ansible, which we just added with the usermod command.
sudo passwd username
:- sets a new password for that user
sudo hostname "hostname"
:- to change the hostname
If we want to switch to a different user we can write
su username
and the system will then ask for the target user's password.
Permissions
ls -l
to see all the files together with their permissions
drwxr-xr-x 28 shivansh shivansh 4096 Apr 30 04:56 anaconda3
Let's divide the first line of the output into parts.
First part:
1 (drwxr-xr-x) -> permission bits (10 characters). Let's divide them further.
The first character (d) shows whether the entry is a directory or a file: d means a directory, a hyphen means a regular file and l means a link.
2 (rwx) -> the owner's permissions: the owner can read the file, write to the file and execute the file.
3 (r-x) -> group permissions: all users in that group can read and execute but cannot write, indicated by the hyphen (-).
4 (r-x) -> permissions for other users, who are neither the owner nor members of the group. For example, user A is the owner of the application, user B is working on some project and user C is just browsing.
Second part:
shivansh shivansh
- The first name shows the user who owns the resource and the second name shows the group that has access to the resource.
Third part:
- Apr 30 04:56 -> the date on which the file was created
Fourth part:
- The name of the file or application
What does rwx indicate?
r -> read
w -> write
x -> execute
s -> a file with this permission lets only the file owner execute it
S -> this bit only gives the user permission as the owner; you still cannot execute the file
Let's take a look at how you can modify these permissions. Linux refers to each kind of end user with a different letter:
g for group
u for user
o for others
For example, let's create a file test.txt.
The user can read and write the file but cannot execute it. You can modify the permissions using the chmod command. For example, to add execute permission for the user, you can run
chmod u+x test.txt
By using "u" for the user and "+x" to add the execute permission, the user can now execute the file.
If you want to change the permissions for the group, you can use
chmod g+x test.txt
Here, "g" represents the group, and "+x" adds the execute permission for the group.
To remove permissions, use "-" instead of "+". For example,
chmod ugo-rwx test.txt
removes all permissions (read, write and execute) for the user, group and others.
You can modify these permissions as needed using
chmod ugo+rwx test.txt
to add permissions or
chmod ugo-rwx test.txt
to remove permissions for the user, group and others.
Numerical representation of permissions
As we know, write permission is denoted by w, read permission by r and execute permission by x. Like a UID, permissions are also represented by numbers:
Read is represented by 4
Write is represented by 2
Execute is represented by 1
If you want to grant read, write and execute permissions to the user, group and others, you can use the command
chmod +777 test.txt
The number 777 represents the permissions for the file. Each digit corresponds to a set of permissions: the first digit is for the user, the second for the group and the third for others.
In this case, since each digit is 7, all permissions (read, write and execute) are granted to the user, group and others. The number 7 is the sum of the permission values: 1 for execute, 2 for write and 4 for read. Adding these values together gives 7, indicating all permissions.
So
chmod +777 test.txt
sets the file permissions to read, write and execute for the user, group and others. This command grants full access to the file for all types of users.
sudo chown user_name file_name:- If you want to change the owner of any file you can do it with this command
sudo chgrp group_name file_name:- If you want to change the group that can access the file, use this command
Sticky bit permission
- if a file has the sticky bit set, every other user can access the file but only the owner can delete it
sudo chmod +t directory
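As an added example (not from the original post), the following POSIX shell script converts the nine permission characters printed by ls -l into the octal number chmod takes, including the s/S and t/T bits discussed above, and then applies the chmod forms from this section to a scratch file and reads each result back. It assumes standard ls, cut, chmod and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post: turn the nine permission
# characters printed by ls -l into the octal number chmod takes, then
# apply the chmod forms from this section to a scratch file and read the
# result back each time. Needs only POSIX sh, ls, cut, chmod and mktemp.

# mode_to_octal 'rwxr-xr-x' -> 755. Pass the 9 characters that follow the
# file-type character. s/S (setuid, setgid) and t/T (sticky) add a leading
# digit: 'rwsr-xr-x' -> 4755 (as on the passwd program), 'rwxrwxrwt' -> 1777.
mode_to_octal() {
    special=0; out=''
    for i in 0 1 2; do
        trip=$(printf '%s' "$1" | cut -c$((i*3+1))-$((i*3+3)))
        n=0
        case "$trip" in r??) n=$((n+4)) ;; esac      # read    = 4
        case "$trip" in ?w?) n=$((n+2)) ;; esac      # write   = 2
        case "$trip" in ??[xst]) n=$((n+1)) ;; esac  # execute = 1
        case "$i$trip" in                            # special bits
            [01]??[sS]) special=$((special + (4 >> i))) ;;
            2??[tT])    special=$((special + 1)) ;;
        esac
        out="$out$n"
    done
    if [ "$special" -eq 0 ]; then printf '%s\n' "$out"; else printf '%s%s\n' "$special" "$out"; fi
}

# current_mode PATH: the 9 permission characters ls -l shows for PATH.
current_mode() { ls -ld "$1" | cut -c2-10; }

# apply_and_read PATH MODE: run chmod MODE on PATH and print the new mode.
apply_and_read() { chmod "$2" "$1" && current_mode "$1"; }

# Walk through the commands from the post on a throwaway file and directory.
demo() {
    d=$(mktemp -d); f="$d/test.txt"; : > "$f"
    for m in 644 u+x g+x ugo-rwx 777; do
        mode=$(apply_and_read "$f" "$m")
        printf 'chmod %-8s test.txt -> %s (%s)\n' "$m" "$mode" "$(mode_to_octal "$mode")"
    done
    mode=$(apply_and_read "$d" 1777)        # sticky bit on the directory
    printf 'chmod 1777 dir      -> %s (%s)\n' "$mode" "$(mode_to_octal "$mode")"
    rm -rf "$d"
}
demo
```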
Can we change the password of any other user in the system?
No, we cannot do that, because every process running in Linux is associated with three user IDs:
Effective UID: it represents the user ID of the owner, which is typically root (ID 0).
Real UID: This is the user ID of the user who launched the process. For example, if user B has a UID of 700 and launches a process, the real UID of that process will be 700. The real UID is used to determine the actual user who initiated the process.
Saved UID: The saved UID helps in switching between the effective UID and the real UID. It allows a process to temporarily assume different privileges or permissions while executing specific tasks.
These user IDs play a crucial role in determining the permissions and access rights of processes in Linux. The effective UID is often used to enforce security measures and restrict access to certain operations for non-privileged users.
Some more basic commands
last
:- shows the users who have logged into the system
lsof -u username
:- lists all the files opened by this user
netstat -tulpn
:- shows all the services and the ports on which they are listening