Moment For Technology

Linux user management and permissions

Posted on Aug. 8, 2023, 6:45 a.m. by 金淑芬
Category: The back-end Tag: linux

1. Introduction

Hi, everybody. I'm Little Match. Today, I would like to share with you a story about my learning Linux user management and permissions. The difficulty of the article is not very deep (Linux veterans or big guys beg to pass ?). It is mainly to record some problems I encountered in the process of using Linux and summarize them.

When I first started to get used to Linux, I learned CI/CD, and used Docker to deploy Jenkins service in Linux system to realize automatic process. I often see errors like "Permissions denied" :

Of course, the Internet search is all about adding permissions, such as this:

sudo chmod 777 -R /home/jenkins_data
Copy the code

Or this:

sudo chown -R 1000:1000 /home/jenkins_data
Copy the code

It works, but I'm just curious what the 777 stands for and why can't it be 888? Why can't it be in English?

In addition, when viewing a file using the ls command, you often see a long string like this:

For a Linux novice like me, it was really confusing, and I often used sudo to temporarily borrow root identity to solve the problem for the command or operation that could not be used. I felt that it was not particularly safe, and I did not pay enough attention to Linux permissions. So with that question in mind, I started looking for answers to those questions, starting with Linux's multi-user system. The following operations were tested in CentOS 7, similar to other systems.

2. Concept and management of users and user groups

Linux system is a multi-user multi-task time-sharing operating system (Unix), which can be understood as the same operating system can be used by different users to do different things at the same time. These users are not the same kind of people, some are super butler (root), some are ordinary citizens (test), although they live together, but some things are not ordinary citizens can use, sometimes need to temporarily borrow a sudo command to use the permission of the butler. But the greater the ability, the greater the responsibility, super butler which day hard use of RM - RF /*, then congratulations directly prison sit wear ?. Ordinary but law-abiding citizens never do anything out of line. This accountability is what makes Linux so powerful, and one of the things I love about Linux. Without further ado, let's get to the topic: How do you manage users?

2.1 Creating a User

We originally have a root user default existence, it is extremely powerful, but if you are like me is a beginner it is best to create a normal user to learn, and the best is to do in the VIRTUAL machine, delete it again

Create a normal user as root
You can use '-g' to assign user groups, leaving groupadd out for demonstration purposes
useradd foo

# change password
passwd foo

# Switch user
su foo
Copy the code

If we go to the home directory, we can see an extra file foo:

We can see that there are many columns, but we only need to focus on three columns for now. The leftmost (DRWX ------) is the read/write or execute permission for the file/folder, and the middle two foo are the directory owner and the group that the directory owner belongs to. Let's talk about users and groups first.

2.2 User/User Group and UID/GID

If we have a development department, the department with the front group, test group and the back-end group, UI team, and each group has to do something right, the front group is mainly responsible for develop page based component development, small programs, and so on, in the other groups are similar, these members are similar to in Linux users, and the front end is user group, Although the user itself may not have the permissions of other users, it must have the permissions of the user group.

In addition, each user and group will have a unique number to distinguish other users and groups, this number is very important, like ID. The Linux kernel determines permissions not by user name/user group name, but by UID/GID. Uids and Gids are managed by the Linux kernel, and kernel level system calls determine whether a request should be granted privileges. For example, when a process tries to write to a file, the kernel checks the UID and GID of the process that created it to determine whether it has sufficient permissions to modify the file. When I was learning Docker, I was often confused about the difference between the container user and the host user, but after I understood the UID and GID, I understood.

We can use the whoami, groups, and id commands to view the current user/user group and uid/ GID:

2.3 User Group Management

When we create foo, if we do not assign it to a group, then its user group is foo by default. We can use the groups command to view the current user's group:

[foo@localhost home]$ groups
Copy the code

What if I wanted to change foo's group? Foo's group used to be the front end and now wants to be the back end. There is no problem with that.

Switch to root first
su -

# Add group API
groupadd api

# assign group to foo -g
usermod -g api foo
Copy the code

Then we find that the group foo belongs to has changed from foo to API:

Usermod is short for user+modify. Usermod is an important command for modifying users. It must be run under root, as is chown.

Foo is now in the API group and always complains that he is the API writer, so he wants to add a front group to write the front end, so we can do the above steps, but we can do this:

usermod -G api,front foo
Copy the code

However, either -g or -g will kill the original group. To keep the original group, you need to add the -a parameter, and this parameter can only be used with -g.

Note that a lot of friends, as I am just learning Linux system has just started to discover a lot of orders will have no legal power this is normal, the Internet will also tell us in suders documents give us a use sudo permissions, but used for a long time with root no difference, so suggest don't do this, just start now, though a little trouble, But it's easy to understand its permission control system.

3. File permission management

Now that we know the concept of users and groups, we come to a very important step: file permissions.

We have a picture at the beginning of the article:

What the hell is this big string in the first column?

Let's take a look at what those lowercase letters stand for:

  • D (directory) : indicates that the current directory is a folder
  • L (link) : indicates a link
  • R (read) : indicates that the file is readable
  • W (write) : indicates that a file can be written or deleted
  • X (execute) : the file can be run

We can see that there are a lot of repetitions, and it's hard to read them all together, but it's easy to understand once we have the setup above

First - represents one pit, 10 pit if there are no English letters, and the last. The first pit can be L, D, and -, indicating that the current is a link, directory, and file respectively. The last three pit groups represent the permissions of the file owner, group user, and other users. Here's an ugly picture (yes, I did) :

Let's take a look at how to assign permissions.

3.1 Using numbers to indicate Permissions

W, r, and x correspond to 4, 2, and 1 respectively. To allocate permissions, add the corresponding digits together.

echo 'hello'  test.txt
Copy the code

The file permission is 644:

So we will now assign 760 permissions to this file (for demonstration purposes), that is, groups can read and write, and any permissions to other users, we will use the chmod command to assign:

chmod 760 test.txt
Copy the code

Let's use the ll command to check:

The permission has been assigned successfully.

We often see 777 in fact, all users have read and write executable permission, the rest of you can figure out. We often see sudo execute this chmod command, but it's not necessary. There are only two possibilities to assign permissions to files, one to the file owner and the other to the root, so it's understandable that we can play in Foo's own home and do what we want. In addition to using numbers to indicate permissions, there is another way to use letters.

3.2 Assigning Permissions using letters

We usually use the following three symbols to assign permissions:

  • +: Adds a permission
  • -: Deletes a permission
  • =: Assigns a permission

Use u, g, and O to represent the current user, user group, and other users

Add read and run permissions to the owner of the test.txt file.
chmod u+rx test.txt

Add read permission to group test. TXT file for other users.
chmod g+r test.txt 

Remove read permission from other users of the test. TXT file.
chmod o-r test.txt 

Add the read permission to other users and remove the read permission from other users.
chmod g+r o-r test.txt 

Remove read permission from other users and other users in the group of file test. TXT.
chmod go-r test.txt 

Add permission to all users of test.txt file.
chmod +x test.txt 

The owner of the test.txt file assigns read, write, and execute permissions;
Other users in the group have been assigned read permission and cannot write or execute data.
No other user has any privileges.
chmod u=rwx,g=r,o=- test.txt 
Copy the code

Using letters is actually more convenient, although it looks a little complicated, but at least you don't have to do it yourself. If we want to recursively allocate all files in a directory, either way we add the -r parameter.

3.3 Changing the File Owner and Group

For users who want to use files from other users, or even root, or "transfer" their files to other users, they must inform root that they will use chown to help us, assuming there is also a bar user (from the UI group), Let's give him the test.txt file we just created:

chown bar:ui test.txt
Copy the code

At this point, Bar is overjoyed that Foo can't operate it, so Foo deletes it using rm as if she didn't find anything. Huh? Are we missing something? At this point, we return to home. Although the permissions of the subdirectory have changed, the permissions of the parent directory are still foo. How can we make Foo lose control completely? We directly use the -r recursive file directory:

chown -R bar:ui /home/foo
Copy the code

It's like selling a house to bar, and you can't even get into CD, let alone cat:

The next time the house is sold, the door will not be allowed in. At least let poor Foo enter the door. Use usermod to change groups, and then use chmod to add file permissions.

4. To summarize

Finally finished writing the article, a little sense of relief, a little curiosity to have this article. This article mainly focuses on the following points:

  • User/user groupAs well asuidandgidIncluding the concept ofgroupadd,useradd,usermodThe use of
  • File permissions, how to use numbers and letters to express permissions
  • How to manage permissions through usechown,chmodTo allocate permissions properly

I was a front-end developer, and most of the time at ordinary times also not spend on Linux, but after contact with CI/CD I feel my new world is opened, the Linux learning is boring, but I still hope that through this people will understand, the interpretation of writing articles myself through harvest a lot, hope you continue to work hard!

Reference 5.

[1] Understand uids and Gids in docker containers

About (Moment For Technology) is a global community with thousands techies from across the global hang out!Passionate technologists, be it gadget freaks, tech enthusiasts, coders, technopreneurs, or CIOs, you would find them all here.