2016 年 10 月 14 日
Linux Users and Groups
用户一般指使用计算机的人。在本文语境中，该词指用来识别用户的用户名称，既可以是 Mary 或 Bill 这样的真名，也可以是 Dragonlady, Pirate 这样的昵称。关键是，计算机给每个账户分配了特定的名称，而用户则使用这些名称访问计算机。除了人之外，一些系统服务也以有部分限制，又享有部分特权的用户账户身份运行。
- 集众多灵感及理念之大成，UNIX 操作系统打造出了它的设计、接口、文化甚至革新。重中之重，有一句道理：「一切皆文件」可谓 UNIX 的真谛之一。
- 根据这一设计原则，必须要有统一的模型，用以管理对大量 I/O 资源的访问：文档、目录、磁盘、CD-ROM、调制解调器、键盘、打印机、显示器和终端等等，甚至也包括了进程、网络之间的通信。而解决之策，就是为所有这些资源提成一个抽象层，UNIX 之父们称之为「文件」。所有文件都通过一致的 API 以提供访问，因此光只用同一套简单的命令，就可以读写磁盘、键盘、文档以及网络设备。
- UNIX 及兼容系统提供了一个即基本又强悍的抽象层——文件。很多系统服务和设备的应用程序接口，一开始都被设计为文件或文件系统之类的东西。这赋予程序全新的姿态——通过文件抽象层，我们就可以以全新的方式使用众多现成的、且用途单一的小工具。例如 cat 工具，原本只用来读取文件，再将其内容发送到标准输出，但现在它也可以直接访问特殊设备文件（通常在
/dev目录中），加以读取 I/O 设备。在很多系统上，音频记录和播放也可以通过一令执行：分别是
cat /dev/audio > myfile以及
cat myfile > /dev/audio.
GNU/Linux 系统中的每一个文件都从属一个用户（属主）和一个用户组（属组）。另外，还有三种类型的访问权限：读（read）、写（write）、运行（execute）。我们可以针对文件的属主、属组、而设置相应的访问权限。再次，我们可以通过 ls 命令的长列表格式以查询文件属主、属组和权限：
$ ls /boot/ -l
total 18492 drwxr-xr-x 3 root root 12288 Aug 21 03:27 grub -rw-r--r-- 1 root root 12487150 Aug 29 18:24 initramfs-linux-fallback.img -rw-r--r-- 1 root root 2990626 Aug 29 18:23 initramfs-linux.img -rw-r--r-- 1 root root 3440576 Aug 26 15:17 vmlinuz-linux
$ ls -l /media/
total 16 drwxrwx--- 1 root vboxsf 16384 Jan 29 11:02 sf_Shared
$ stat -c %U /media/sf_Shared/
$ stat -c %G /media/sf_Shared/
$ stat -c %A /media/sf_Shared/
# find / -group "用户组" # find / -user "用户"
who命令，可以查看目前已登陆的用户。要查看系统上的用户，以 root 执行
passwd -Sa 输出的数据格式可以参考
# useradd -m -g "初始组" -G "附加组" -s "登陆shell" "用户"
USERGROUPS_ENAB yes) 会用和用户名相同的名字创建群组，
/etc/shells中, 否则 PAM 的
# useradd -m -G wheel -s /bin/bash archie
# chmod g+s our_shared_directory
$ man useradd
# passwd [用户名]
If a GID change is required temporarily you can also use the newgrp command to change the user's default GID to another GID at runtime. For example, after executing
newgrp groupname files created by the user will be associated with the
groupnameGID, without requiring a re-login. To change back to the default GID, execute newgrp without a groupname.
# useradd -r -s /usr/bin/nologin username
# usermod -l newname oldname
# usermod -d /my/new/home -m username
# usermod -aG 群组 username
# gpasswd --add username group
# chfn [用户名]
此外，可以设置 GECOS comment：
# usermod -c "Comment" username
# userdel -r [用户名]
$ cat /etc/passwd
jack:x:1001:100:Jack Smith,some comment here,,:/home/jack:/bin/bash
/etc/shadow，UID为1001，首要组的ID是100 (users组)，全名Jack Smith并加了一些注释，主目录是
The pwck command can be used to verify the integrity of the user database. It can sort the user list by GID at the same time, which can be helpful for comparison:
# pwck -s
Note that the Arch Linux defaults of the files are created as .pacnew files by new releases of thepackage. Unless Pacman outputs related messages for action, these .pacnew files can, and should, be disregarded/removed. New required default users and groups are added automatically by the packages' install script.
$ groups [用户名]
$ id [用户名]
$ cat /etc/group
# groupadd [组名]
# gpasswd -a [用户名] [组名]
# groupmod -n newname oldname
# groupdel [组名]
# gpasswd -d [用户名] [组名]
The grpck command can be used to verify the integrity of the system's group files.
Updates to the #User database, these can be disregarded/removed, because the install script adds any new required groups.package create .pacnew files. Alike the .pacnew files for the
||可以运行 sudo 的用户|
This section explains the purpose of the essential groups from the core/filesystem package. There are many other groups, which will be created with correct GID when the relevant package is installed. See the main page for the software for details.
||访问 FTP 服务器.|
|log||访问 syslog-ng 创建的
||访问 HTTP 服务器文件.|
|rfkill||不再使用! 控制无线设备的电源 (可能被使用).|
|sys||Right to administer printers in CUPS.|
||串口和 USB 设备，例如猫、手柄 RS-232/串口。|
|wheel||管理组，通常用于 sudo 和 su 命令权限。systemd 会允许非 root 的 wheel 组用户启动服务。|
下列组系统使用，一般不被 Arch 用户使用：
||Clam AntiVirus 使用.|
||See Core utilities#locate.|
||Access to parallel port devices (printers and others) and read-only access to CUPS files. If you run a non-printer parallel port device, see FS#50009for implied problems.|
||完全的系统管理和控制 (root, admin)|
Before arch migrated to systemd, users had to be manually added to these groups in order to be able to access the corresponding devices. This way has been deprecated in favour of udev marking the devices with a
uaccess tag and logind assigning the permissions to users dynamically via ACLs according to which session is currently active. Note that the session must not be broken for this to work (see General troubleshooting#Session permissions to check it).
There are some notable exceptions which require adding a user to some of these groups: for example if you want to allow users to access the device even when they are not logged in. However, note that adding users to the groups can even cause some functionality to break (for example, the
audio group will break fast user switching and allows applications to block software mixing).
如下组是 systemd 之前使用，目前已经没有任何作用，使用后还可能对功能有影响:
||直接访问声音硬件(ALSA 和 OSS).|
|camera||访问 Digital Cameras.|
||直接访问不受 optical, floppy 和 storage 组控制的块设备. 除非有特殊需要, 否则不建议将一般用户添加至该组.|
|network||改变网络设置的权限，比如使用 NetworkManager 的权限.|
|power||使用 Pm-utils (挂起、休眠...) 和电源管理控制。|
|storage||访问可移动储存器，例如 USB 硬盘、flash 存储器、MP3 播放器等；用户可以通过 D-Bus 挂载设备。|
|sys||管理 CUPS 中的打印机.|
||访问视频捕获和硬件加速设备。例如framebuffer (X 不属于这个组也能使用).|
|network||Unused by default. Can be used e.g. for granting access to NetworkManager (see NetworkManager#Set up PolicyKit permissions).|
If you are new to Linux/Unix, then the concept of permissions may be confusing. This guide will provide you with an explanation of what permissions are, how they work, and how to manage them. A number of examples will be provided to illustrate how to set and change permissions for both users and groups.
What are User and Group Permissions?
Linux/Unix operating systems have the ability to multitask in a manner similar to other operating systems. However, Linux’s major difference from other operating systems is its ability to have multiple users. Linux was designed to allow more than one user to have access to the system at the same time. In order for this multiuser design to work properly, there needs to be a method to protect users from each other. This is where permissions come in to play.
Read, Write & Execute Permissions
Permissions are the “rights” to act on a file or directory. The basic rights are read, write, and execute.
- Read - a readable permission allows the contents of the file to be viewed. A read permission on a directory allows you to list the contents of a directory.
- Write - a write permission on a file allows you to modify the contents of that file. For a directory, the write permission allows you to edit the contents of a directory (e.g. add/delete files).
- Execute - for a file, the executable permission allows you to run the file and execute a program or script. For a directory, the execute permission allows you to change to a different directory and make it your current working directory. Users usually have a default group, but they may belong to several additional groups.
Viewing File Permissions
To view the permissions on a file or directory, issue the command
ls -l <directory/file>. Remember to replace the information in the < > with the actual file or directory name. Below is sample output for the
-rw-r--r-- 1 root root 1031 Nov 18 09:22 /etc/passwd
The first ten characters show the access permissions. The first dash (-) indicates the type of file (d for directory, s for special file, and - for a regular file). The next three characters (rw-) define the owner’s permission to the file. In this example, the file owner has read and write permissions only. The next three characters (r–) are the permissions for the members of the same group as the file owner (which in this example is read only). The last three characters (r–) show the permissions for all other users and in this example it is read only.
Working with Users, Groups, and Directories
The following sections will go over the commands needed to create, delete, and modify user accounts. Groups will be covered, as well as commands for creating and deleting directories. You will be provided with the commands and descriptions needed for working with users, groups, and directories.
Creating and Deleting User Accounts
To create a new standard user, use the
useradd command. The syntax is as follows:
The useradd command utilizes a variety of variables, some of which are shown in the table below:
||home_dir will be used as the value for the user’s login directory||
||the date when the account will expire||
||the number of days before the account expires||
||sets the default shell type||
You will need to set a password for the new user by using the
passwd command. Note, you will need root privileges to change a user password. The syntax is as follows:
The user will be able to change their password at any time using the
passwd command with the syntax. Below is an example:
1 2 3 4 5 6
$ passwd Changing password for lmartin. (current) UNIX password: Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully
There is another way of creating user accounts that might be easier for first-time administrators. However, you may need to install a new package. The installation command for Debian/Ubuntu is as follows:
apt-get install adduser
The adduser command automatically creates a home directory and sets the default group, shell, etc. To create a new standard user with the
adduser command the syntax is as follows:
Once you enter the command you will receive a series of prompts; most of this information is optional. However, you should include at least the user’s name (for this example the user name is cjones) and of course a password.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
root@localhost:~# adduser cjones Adding user `cjones\' ... Adding new group `cjones\' (1001) ... Adding new user `cjones\' (1001) with group `cjones\' ... Creating home directory `/home/cjones\' ... Copying files from `/etc/skel\' ... Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully Changing the user information for cjones Enter the new value, or press ENTER for the default Full Name : Chuck Jones Room Number : 213 Work Phone : 856-555-1212 Home Phone : Other : Is the information correct? [Y/n] Y
It is important to note that security should always be taken very seriously. Therefore, it is strongly recommended to use unique passwords for each account. Never share or give your password to other users.
To remove a user account, enter the following command:
Issuing the command above will only delete the user’s account. Their files and home directory will not be deleted.
To remove the user, their home folder, and their files, use this command:
Root is the super user and has the ability to do anything on a system. Therefore, in order to have protection against potential damage sudo is used in place of root. Sudo allows users and groups access to commands they normally would not be able to use. Sudo will allow a user to have administration privileges without logging in as root. A sample of the sudo command is as follows:
sudo apt-get install
Before using sudo, it may need to be installed if it is not part of your distribution. The command for Debian is as follows:
apt-get install sudo
For CentOS, the command is as follows:
yum install sudo
In order to provide a user with sudo ability, their name will need to be added to the sudoers file. This file is very important and should not be edited directly with a text editor. If the sudoers file is edited incorrectly it could result in preventing access to the system.
visudo command should be used to edit the sudoers file. At a command line, log into your system as root and enter the command
Below is the portion of the sudoers file that shows the users with sudo access.
1 2 3 4 5
# User privilege specification root ALL=(ALL:ALL) ALL cjones ALL=(ALL:ALL) ALL kbrown ALL=(ALL:ALL) ALL lmartin ALL=(ALL:ALL) ALL
After you have given your user account sudo privileges, save the sudoers file and log out as root. Now log in as your user and test the privileges as your user with sudo access. When a new user needs sudo access, you will now be able to edit the sudoers file with your own login using the following command:
Working with Groups
Linux uses groups as a way to organize users. Groups organize collections of accounts, primarily as a security measure. Control of group membership is administered through the
/etc/group file, which shows a list of groups and its members. Every user has a default or primary group. When a user logs in, the group membership is set for their primary group. This means that when a user launches a program or creates a file, both the file and the running program will be associated with the user’s current group membership. A user may access other files in other groups, as long as they are also a member of that group and the access permissions are set. To run programs or create a file in a different group, the user must run the
newgrp command to switch their current group. A sample of the newgrp command is as follows:
If the user entering the above-referenced command is a member of the marketing group in the
/etc/group file, then the current group membership will change. It is important to note that any files created will now be associated with the marketing group rather than the user’s primary group. Users may also change their group by using the
chgrp command. The syntax for the chgrp command is as follows:
Creating and Removing Directories
To make a directory use the command:
To make a directory and set the permissions at the same time, use the following option and syntax:
mkdir -m a=rwx
The -m option is short for mode, and a=rwx means that all users have read, write, and execute permissions on the directory. To see a complete list of all options for the mkdir command enter
man mkdir at a command prompt.
To remove a file, use the following:
To remove a directory:
It is important to note that if you remove a directory all the files inside will be deleted as well.
Changing Directory and File Permissions
To view file permissions and ownership on files and directories, use the
ls -al command. The
aoption is to show hidden files or all files, and the
l option is for the long listing. The output will be similar to the following:
1 2 3
drwxr-xr-x 2 user user 4096 Jan 9 10:11 documents -rw-r--r-- 1 user user 675 Jan 7 12:05 .profile drwxr-xr-x 4 user user 4096 Jan 7 14:55 public
The first column with the ten letters and dashes shows the permissions of the file or directory. The second column (with the single number) indicates the number of files or directories contained in the directory. The next column indicates the owner, followed by the group name, the size, date, and time of last access, and finally the name of the file . For example, using the first line from the output above, the details are as follows:
1 2 3 4 5 6 7
``drwxr-xr-x`` are the permissions ``2`` is the number of files or directories ``user`` is the owner ``user`` is the group ``4096`` is the size ``Jan 9 10:11`` is the date/time of last access ``documents`` is the directory
Since a directory itself is a file, any directory will always show
4096as it’s size. This does not reflect the size of the contents of the directory.
chmod is short for change mode. Chmod is used to change permissions on files and directories. The command
chmod may be used with either letters or numbers (also known as octal) to set the permissions. The letters used with chmod are in the table below:
|X||Execute (only if file is a directory)|
|s||Set user or group ID on execution|
|t||Save program text on swap device|
|u||Current permissions the file has for owner|
|g||Current permissions the file has for users in the same group|
|o||Current permissions the file has for others not in the group|
It is important to remember that the first character of the first column of a file listing denotes whether it is a directory or a file. The other nine characters are the permissions for the file/directory. The first three characters are for the user, the next three are for the group, and the last three are for others. The example drwxrw-r– is broken down as follows:
d is a directory
rwx the user has read, write, and execute permissions
rw- the group has read and write permissions
r– all others have read only permissions
Note that the dash (-) denotes permissions are removed. Therefore, with the “all others” group, r– translates to read permission only, the write and execute permissions were removed.
Conversely, the plus sign ( ) is equivalent to granting permissions:
chmod u r,g x
The example above translates as follows:
1 2 3 4
u is for user r is for read g is for group x is for execute
In other words, the user was given read permission and the group was given execute permission for the file. Note, when setting multiple permissions for a set, a comma is required between sets.
Chmod Octal Format
To use the octal format, you have to calculate the permissions for each portion of the file or directory. The first ten characters mentioned above will correspond to a four digit numbers in octal. The execute permission is equal to the number one (1), the write permission is equal to the number two (2), and the read permission is equal to the number four (4). Therefore, when you use the octal format, you will need to calculate a number between 0 and 7 for each portion of the permission. A table has been provided below for clarification.
Although octal format may seem difficult to understand, it is easy to use once you get the gist of it. However, setting permissions with r, w, and x may be easier. Below are examples of how to use both letters and octal format to set permissions on a file or directory.
chmod <file/directory name>
chmod go-rwx Work(Deny rwx permission for the group and others)
The output of ls -al after the chmod command above would looks as follows:
dr-------- 2 user user 4096 Dec 17 14:38 Work
chmod 444 Work
The output of ls -al after the chmod command above would look as follows:
dr--r--r-- 2 user user 4096 Dec 17 14:38 Work
An octal table showing the numeric equivalent for permissions is provided below.
Additional File Permissions
In addition to the most common read/write/execute file permissions, there are some additional modes that you might find useful, specifically the t mode (sticky bit) and the s mode (setuid bit). These functions describe the behavior of files and executables in multi-user situations.
When set on a file or directory, the sticky bit, or t mode, means that only the owner (or root) can delete the file, regardless of which users have write access to this file/directory by way of group membership or ownership. This is useful when a file or directory is owned by a group through which a number of users share write access to a given set of files.
To set the sticky bit on a file named
/root/sticky.txt, issue the following command:
chmod t /root/sticky.txt
To remove the sticky bit from a file, use the
chmod -t command. Note, to change the sticky bit, you need to be either root or the file owner. The root user will be able to delete files regardless of the status of the sticky bit.
The setuid bit, or s, when set on files allows users with permissions to execute a given file the ability to run that file with the permissions of file owner. For instance, if the file
work was owned by the
root user and the
marketing group, members of the
marketing group could run the
workprogram as if they were the root user. This may pose potential security risks in some cases and executables should be properly evaluated before receiving the
s flag. To set the
s bit on a file named
/usr/bin/work, issue the following command:
chmod g s /usr/bin/work
In contrast to the s mode for the ownership of a file, the effect of the s mode on a directory is somewhat different. Files created in s directories receive the ownership of that directory’s user and group, rather than the ownership of the user that created the file and their default group. To set the setguid (group id) option on a directory, use the following command:
chmod g s /var/doc-store/
To set the setuid (user id) for a directory named
/var/doc-store, issue the following command:
chmod o s /var/doc-store/
Changing File Ownership
By default, all files are “owned” by the user who creates them and by that user’s default group. To change the ownership of a file, use the
chown command in the
chown user:group /path/to/fileformat. In the following example, the ownership of the “list.html” file will be changed to the “cjones” user in the “marketing” group:
chown cjones:marketing list.html
To change the ownership of a directory and all the files contained inside, use the recursive option with the
-R flag. In the following example, change the ownership of
/srv/smb/leadership/ to the “cjones” user in the “marketing” group:
chown -R cjones:marketing /srv/smb/leadership/
Leveraging Users and Groups
In many cases, user permissions are used to provide your system with greater security without any direct interaction. Many operating systems create specific system user accounts for different packages during the installation process.
The best practice is to give each user their own login to your system. This protects each user’s files from all other users. Furthermore, using specific accounts for users allows more accurate system logging, particularly when combined with tools like
sudo. We recommend avoiding situations where more than one individual knows the password for a user account for maximum security.
In contrast, groups are useful for allowing multiple independent user accounts to collaborate and share files. If you create groups on a machine for common tasks on a per-task basis (e.g. web editors, contributors, content submitters, support) and add relevant users to the relevant groups, these users can all edit and run the same set of files without sharing these files with the world. Use of the
chown command with file permissions of 770 and 740 would help accomplish this goal.