ruk·si

Commands
Privileges

Updated at 2014-09-26 20:43

This note covers Unix commands for managing file ownership and execution privileges.

Normal users don't have access to information about other users or groups in a system; only administrators can see everything.

# Normal user can only access their own info.
whoami  # Return the current user.
groups  # Return all groups of the current user.

# But as root...
cat /etc/passwd # Return info about all the possible users
cat /etc/shadow # Return encrypted passwords of all users
cat /etc/group  # Return info about all the possible groups

/etc/passwd format
1:2:3:4:5:6:7
1 = username
2 = x to indicate that it is governed by systemd
3 = uid (user id, system accounts are 0 - 999, user accounts are 1000 - 65535)
4 = gid (group id, system groups are 0 - 999, user groups are 1000 - 65535)
5 = provides resources for systemd
6 = user's home directory
7 = user's shell or /sbin/nologin

/etc/shadow format
1:2:3:4:5:6:7:8
1 = username
2 = encrypted password
3 = last password change (days since 1970-01-01)
4 = minimum days between password changes
5 = maximum days between password changes
6 = number of days when the user will be warned about expiring password
7 = number of days after warning that the password becomes inactive
8 = absolute disable day (days since 1970-01-01)

/etc/group format
1:2:3:4
1 = group name
2 = group password, rarely used and usually just x
3 = gid (group id, system groups are 0 - 999, user groups are 1000 - 65535)
4 = comma separated list of users in this group
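
An added example (not from the original note) that uses the field numbers listed above to flag risky records in passwd- and shadow-format files. The sample records, the function names and the account `toor` are constructed for illustration; treating a leading `!` or `*` in the password field as "locked" is shadow-utils behaviour, not something stated in the note.

```shell
#!/bin/sh
# Added example. All records below are constructed sample data.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
webserver-main:x:998:998::/home/webserver-main:/bin/bash
apiserver-appname:x:997:997::/home/apiserver-appname:/sbin/nologin
john:x:1000:1000:John:/home/john:/bin/bash
EOF
}
sample_shadow() {
cat <<'EOF'
root:$6$CONSTRUCTED$notarealhash:16339:0:99999:7:::
toor::16339:0:99999:7:::
webserver-main:!$6$CONSTRUCTED$notarealhash:16339:0:99999:7:::
john:$6$CONSTRUCTED$notarealhash:16339:0:99999:7:::
EOF
}

# passwd field 3 (uid) is 0 for a name other than root: a second superuser.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# passwd field 3 is a system uid (1-999) but field 7 is a real login shell.
service_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# shadow field 2 is empty: the account can be used without any password.
empty_password() { awk -F: '$2 == "" { print $1 }' "$1"; }

# shadow field 2 starts with "!" or "*": password login is locked.
locked_accounts() { awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"; }

# Run every check; prints one "finding: account" line per hit.
audit() {  # usage: audit <passwd-file> <shadow-file>
    extra_uid0 "$1"         | sed 's/^/extra uid 0: /'
    service_with_shell "$1" | sed 's/^/service account with login shell: /'
    empty_password "$2"     | sed 's/^/empty password: /'
    locked_accounts "$2"    | sed 's/^/locked: /'
}

# Demo on the samples; on a real host, as root: audit /etc/passwd /etc/shadow
demo=$(mktemp -d)
sample_passwd > "$demo/passwd"; sample_shadow > "$demo/shadow"
audit "$demo/passwd" "$demo/shadow"
rm -rf "$demo"
```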

Administrators can create, remove and modify users all they like.

useradd -m <USERNAME>      # Create a new user and a home directory for them.
passwd <USERNAME>          # Change user password.
deluser <USERNAME>         # Delete user.

# Disable a user account without deleting it; disables login and SSH access.
usermod --expiredate 1 <USERNAME>

For services and programs, you should create separate users so you can limit what they can execute and access in the system.

useradd -m -g <PRIMARY_GROUP> <USERNAME>
passwd <USERNAME>     # Prompts for the password: <SMASH_YOUR_KEYBOARD_FOR_A_WHILE>
usermod -L <USERNAME> # Locks the user, cannot log in anymore but `su` works.

Use a logical naming scheme for your users and groups. This is how I personally name them.

# Simple names are users that can login to the server, usually people.
root # Default administrator user
john # John's user

# Name service users using two parts: <FUNCTIONALITY>-<IDENTIFIER>
# The first part is according to the main functionality they provide,
# without any underscores or dashes.
# E.g. `webserver`, `serverupdater`, `apiserver`.
# The second part is separated with a dash `-` and works as an identifier
# for that specific service, separating it from other similar services.
webserver-main      # Serves web content of the main site, port 80.
webserver-forums    # Serves web content of the forums on a different port.
apiserver-appname   # Serves API for application named appname.

# Then you can name groups with the plural form of the functionality.
webservers
apiservers

Each user can belong to one primary group and any number of secondary groups. The primary group is the one that gets assigned when the user creates files or directories.

groupadd <GROUPNAME>   # Create new group.
groupmod <GROUPNAME>   # Change group privileges.
delgroup <GROUPNAME>   # Delete group

# Before deleting a group, check that no files have that group as owner.
find / -gid 1234        # 1234 = gid of the group
groupdel <GROUPNAME>    # groupdel takes the group name, not the gid

usermod -g <GROUPNAME> <USERNAME>       # Change user primary group.
usermod -a -G <GROUPNAME> <USERNAME>    # Add user to a secondary group.
usermod -G "" <USERNAME>                # Remove all secondary groups from user.

You can disable login entirely by changing the shell program that is executed on startup.

# Disable login.
usermod -s /bin/false <USERNAME>

# Enable login.
usermod -s /bin/bash <USERNAME>

You can switch to other users if you are an administrator. This makes it easy to test what you can do as that user.

su <USERNAME>   # Switch User, temporarily become another user.

If you want to allow limited administrative privileges for a user, you can add them to a sudoers file and use the sudo command.

# All files in `/etc/sudoers.d` are read.
touch /etc/sudoers.d/<USERNAME>
nano /etc/sudoers.d/<USERNAME>

# In the file, basic syntax is this:
# <USERNAME> <HOSTNAME> = <USERS/GROUPS> <TAGS> <COMMANDS>
ruksi ALL = (ALL) ALL
# Allow "ruksi" on "all hosts" to act as "any user" to run "any command";
# sudo asks for ruksi's password first.

# You can specify tags e.g. NOPASSWD so user doesn't have to give his pw again.
ruksi ALL = (ALL) NOPASSWD: ALL

# You can create a set of users to assign rules to all of those users.
User_Alias MYUSERS = tom, dick, harry
MYUSERS ALL = (ALL) NOPASSWD: ALL

# You can limit what commands they can run with Cmnd_Alias
Cmnd_Alias ALLOWED_COMMANDS = /usr/sbin/lpc, /usr/sbin/lprm
ruksi ALL = (ALL) NOPASSWD: ALLOWED_COMMANDS

sudo <COMMAND>  # Switch User and DO, execute command as administrator.
sudo -s         # Switch User and DO Shell, open administrator shell.
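
An added example, not part of the original note: a line-based check that lists who has been granted `NOPASSWD: ALL`, the broadest rule shown above. The function names and the `john` rule are assumptions, the sample policy is constructed from the rules in this note, and the check does not handle line continuations or negated commands.

```shell
#!/bin/sh
# Added example. The sudoers text below is constructed from the rules above.
sample_sudoers() {
cat <<'EOF'
# constructed sample, not a real host's policy
ruksi ALL = (ALL) ALL
User_Alias MYUSERS = tom, dick, harry
MYUSERS ALL = (ALL) NOPASSWD: ALL
Cmnd_Alias ALLOWED_COMMANDS = /usr/sbin/lpc, /usr/sbin/lprm
john ALL = (ALL) NOPASSWD: ALLOWED_COMMANDS
EOF
}

# Print every user who may run ALL commands without a password.
# Reads sudoers text on stdin; User_Alias names are expanded to their members.
nopasswd_all() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
    $1 == "User_Alias" {                      # User_Alias NAME = a, b, c
        name = $2
        sub(/^[^=]*=[ \t]*/, ""); gsub(/[ \t]/, "")
        members[name] = $0; next
    }
    $1 ~ /_Alias$/ || $1 == "Defaults" { next }
    /NOPASSWD:/ {                             # split the command list on commas
        cmds = $0
        sub(/^.*NOPASSWD:[ \t]*/, "", cmds); gsub(/[ \t]/, "", cmds)
        n = split(cmds, c, ",")
        for (i = 1; i <= n; i++)
            if (c[i] == "ALL") { flagged[++k] = $1; break }
    }
    END {                                     # expand aliases, one user per line
        for (j = 1; j <= k; j++) {
            who = flagged[j]
            if (who in members) who = members[who]
            gsub(/,/, "\n", who); print who
        }
    }'
}

# Demo on the constructed policy; on a real host, as root:
#   cat /etc/sudoers /etc/sudoers.d/* | nopasswd_all
sample_sudoers | nopasswd_all
```

When editing the drop-in itself, `visudo -f /etc/sudoers.d/<USERNAME>` checks the syntax before the file is saved.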

Example configuration of a webserver user.

groupadd webservers
useradd -m -g webservers webserver-main
passwd webserver-main  # At the prompt: dqwljflkqwjlkdwqDADJJDWAl21u3u2112319udj21ed2091u
usermod -L webserver-main
su webserver-main
cd ~

Each file and directory has one owner and one group.

# CHange OWNer of file or directory.
chown <USERNAME> <TARGET_FILES>
chown adam /Users/Shared/meeting-notes.txt
# -R = recursive, change for all inside a directory.
# :  = indicates that the group ownership is also changed
chown -R adam:staff /Users/Shared
chown -R :staff /Users/Shared          # only changes group

# CHange GRouP of file or directory.
chgrp <GROUP_NAME> <TARGET_FILE>
chgrp staff /Users/Shared/meeting-notes.txt
# Recursive, change for all inside a directory.
chgrp -R staff /Users/Shared

File mode bits specify who can write, read and execute the file or directory.

# Absolute Mode
# 400    Allow read by owner.
# 200    Allow write by owner.
# 100    For files, allow execution by owner.
#        For directories, allow the owner to search in the directory
# 040    Allow read by group members.
# 020    Allow write by group members.
# 010    For files, allow execution by group members.
#        For directories, allow group members to search in the directory.
# 004    Allow read by others.
# 002    Allow write by others.
# 001    For files, allow execution by others.
#        For directories allow others to search in the directory.
# 600    Allow read and write by owner.
# 760    Allow read, write and execute by owner.
#        Allow read and write by group.

# Special Modes, not available in all operating systems.
# 1777   Sticky bit, same as `chmod +t directoryname`
#        Everyone can read, write and execute the contents,
#        but only file owners may rename or remove the files.
#        Without sticky bit, you could move and delete files you don't
#        have permission to write to if you have write access to the directory.
# 2711   Set group ID.
#        Owner can read, write and execute. Group and others may only execute.
#        When on file, execute using the file group, not the logged in user group.
#        When on directory, new files are assigned to the group of the directory.
# 4771   Set user ID.
#        Owner and group can read, write and execute. Others may only execute.
#        When on file, execute using the file owner, not the logged in user.
#        When on directory, new files are assigned to be owned by the dir owner.

# CHange MODe, change permissions of a file or directory.
chmod <MODE> <TARGET>

# Set permissions so that only owner user can read, write and execute.
chmod 700 one.sh

# Set permissions so that:
# owner user can read and write
# owner group can read
# all can read
# none can execute
chmod 644 two.sh

# Symbolic Mode

# File type
# - : normal file
# d : directory
# b : block device
# c : character device
# l : link to another file

# Permissions
# r : read
# w : write
# x : execute

# Using `s` aka. setuid in place of `x` means that the program
# uses owner user and group when it is run.

# Using `t` aka. sticky bit in place of `x` on directories means
# that users can edit and delete only files they own.

# drwxr-xr-x
# |\ /\ /\ /
# | |  |  |
# | |  |  other     (not owner or part of the group)
# | |  group        (individuals who are in the same group as file)
# | user            (owner of file or directory)
# file type

# CHange MODe, change permissions of a file or directory.
chmod <OPTIONS> <WHO><PLUS_OR_MINUS><PERMISSIONS> <TARGET>

# Add read, write and execute privileges to owner.
chmod u+rwx one.sh

# Add read, write and execute privileges to owner and file's group.
chmod ug+rwx two.sh

# Deny write privileges from file's group and others.
chmod go-w three.sh

# Set permissions so that:
# owner can r, w, x
# group can r, x
# other can r, x
chmod 755 four.sh
chmod u=rwx,go=rx four.sh

# -R = Recursive, used with directories.
chmod -R ugo+rX ~/documents
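
An added example (not from the original note) that searches a directory tree for the cases described in the mode tables: setuid/setgid files, world-writable files, and world-writable directories without the sticky bit. The function names and the sample tree are constructed; the tree is built under a temporary directory so no root access is needed.

```shell
#!/bin/sh
# Added example: find the special-mode and world-writable cases described above.

# Regular files with the setuid (4000) or setgid (2000) bit set.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Directories writable by others (002) that lack the sticky bit (1000):
# anyone can rename or delete files there, whoever owns them.
find_unsticky_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# Regular files writable by others (002).
find_world_writable_files() {
    find "$1" -type f -perm -0002 | sort
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared" "$d/dropbox" "$d/private"
    : > "$d/helper"; : > "$d/notes.txt"; : > "$d/one.sh"
    chmod 4755 "$d/helper"      # setuid program
    chmod 0666 "$d/notes.txt"   # world-writable file
    chmod 0700 "$d/one.sh"      # owner only
    chmod 1777 "$d/shared"      # world-writable, sticky bit set
    chmod 0777 "$d/dropbox"     # world-writable, no sticky bit
    chmod 0750 "$d/private"     # not writable by others
    echo "$d"
}

# Demo on the sample tree; pass a real directory to the functions instead.
tree=$(make_sample_tree)
echo "setuid/setgid files:";        find_setid "$tree"
echo "world-writable, no sticky:";  find_unsticky_dirs "$tree"
echo "world-writable files:";       find_world_writable_files "$tree"
rm -rf "$tree"
```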