A user is anyone who uses a computer. In this case, we are describing the names which represent those users.
It may be Mary or Bill, and they may use the names Dragonlady or Pirate in place of their real name. All that
matters is that the computer has a name for each account it creates, and it is this name by which a person
gains access to use the computer. Some system services also run using restricted or privileged user accounts.
Managing users is done for the purpose of security by limiting access in certain specific ways. The superuser
(root) has complete access to the operating system and its configuration; it is intended for administrative use
only. Unprivileged users can use the su and sudo programs for controlled privilege escalation.
Any individual may have more than one account, as long as they use a different name for each account they
create. Further, there are some reserved names which may not be used such as "root".
Users may be grouped together into a "group", and users may be added to an existing group to utilize the
privileged access it grants.
Note: The beginner should use these tools carefully and stay away from having anything to do with any
other existing user account, other than their own.
Every file on a GNU/Linux system is owned by a user and a group. In addition, there are three
types of access permissions: read, write, and execute. Different access permissions can be
applied to a file's owning user, owning group, and others (those without ownership). One can
determine a file's owners and permissions by viewing the long listing format of the ls command:
$ ls -l /boot/
total 13740
drwxr-xr-x 2 root root    4096 Jan 12 00:33 grub
-rw-r--r-- 1 root root 8570335 Jan 12 00:33 initramfs-linux-fallback.img
-rw-r--r-- 1 root root 1821573 Jan 12 00:31 initramfs-linux.img
-rw-r--r-- 1 root root 1457315 Jan  8 08:19 System.map26
-rw-r--r-- 1 root root 2209920 Jan  8 08:19 vmlinuz-linux
The first column displays the file's permissions (for example, the file initramfs-linux.img has
permissions -rw-r--r--). The third and fourth columns display the file's owning user and group,
respectively. In this example, all files are owned by the root user and the root group.
$ ls -l /media/
total 16
drwxrwx--- 1 root vboxsf 16384 Jan 29 11:02 sf_Shared
In this example, the sf_Shared directory is owned by the root user and the vboxsf group. It is
also possible to determine a file's owners and permissions using the stat command:
Owning user:
$ stat -c %U /media/sf_Shared/
root
Owning group:
$ stat -c %G /media/sf_Shared/
vboxsf
Access rights:
$ stat -c %A /media/sf_Shared/
drwxrwx---
Access permissions are displayed in three groups of characters, representing the permissions of
the owning user, owning group, and others, respectively. For example, the characters -rw-r--r--
indicate that the file's owner has read and write permission, but not execute (rw-), whilst
users belonging to the owning group and other users have only read permission (r-- and r--).
Meanwhile, the characters drwxrwx--- indicate that the file's owner and users belonging to the
owning group all have read, write, and execute permissions (rwx and rwx), whilst other users
are denied access (---). The first character represents the file's type.
List files owned by a user or group with the find utility:
File list
Warning: Do not edit these files by hand. There are utilities that properly handle locking and
avoid invalidating the format of the database. See #User management and #Group
management for an overview.
File           Purpose
/etc/shadow    Secure user account information: hashed passwords and password ageing, access-restricted
/etc/passwd    User account information (see #User database)
/etc/gshadow   Shadowed information for group accounts
/etc/group     Defines the groups on the system and their members
/etc/sudoers   sudo configuration: who may run what, and as whom
/home/*        Home directories
User management
To list users currently logged on the system, the who command can be used.
To add a new user, use the useradd command:
-m creates the user home directory as /home/username . Within their home directory, a
non-root user can write files, delete them, install programs, and so on.
-g defines the group name or number of the user's initial login group. If specified, the group
name must exist; if a group number is provided, it must refer to an already existing group. If
not specified, the behaviour of useradd will depend on the USERGROUPS_ENAB variable
contained in /etc/login.defs. The default behaviour ( USERGROUPS_ENAB yes) is to
create a group with the same name as the username, with GID equal to UID .
-G introduces a list of supplementary groups which the user is also a member of. Each
group is separated from the next by a comma, with no intervening spaces. The default is for
the user to belong only to the initial group.
-s defines the path and file name of the user's default login shell. After the boot process is
complete, the default login shell is the one specified here. Ensure the chosen shell package
is installed if choosing something other than Bash.
Warning: In order to be able to log in, the login shell must be one of those listed
in /etc/shells , otherwise the pam_shell module will deny the login request. In particular,
do not use the /usr/bin/bash path instead of /bin/bash , unless it is properly configured
in /etc/shells .
Note: The password for the newly created user must then be defined, using passwd as
explained below.
When the login shell is intended to be non-functional, for example when the user account is
created for a specific service, /usr/bin/nologin may be specified in place of a regular shell
to politely refuse a login (see nologin(8)).
You could also make the default group something else, e.g. users.
To change a user's account details (the full name and other GECOS information), use chfn:
# chfn username
(this way chfn runs in interactive mode).
To specify the user's password, type:
# passwd username
To mark a user's password as expired, requiring them to create a new password the first time
they log in, type:
# chage -d 0 username
User accounts may be deleted with the userdel command.
# userdel -r username
The -r option specifies that the user's home directory and mail spool should also be deleted.
Tip: The AUR packages adduser, adduser-defaults or adduser-deb provide an adduser script that
allows carrying out the jobs of useradd, chfn and passwd interactively. See also FS#32893.
User database
Local user information is stored in the /etc/passwd file. To list all user accounts on the system:
$ cat /etc/passwd
There is one line per account, and each is of the format:
account:password:UID:GID:GECOS:directory:shell
where:
GECOS is an optional field used for informational purposes; usually it contains the full user
name
Note: Arch Linux uses shadowed passwords. The passwd file is world-readable, so storing
passwords (hashed or otherwise) in this file would be insecure. Instead, the password field
contains a placeholder character (x) indicating that the hashed password is saved in the
access-restricted file /etc/shadow.
Group management
/etc/group is the file that defines the groups on the system ( man group for details).
Display group membership with the groups command:
$ groups [user]
If user is omitted, the current user's group names are displayed.
The id command provides additional detail, such as the user's UID and associated GIDs:
$ id [user]
To list all groups on the system:
$ cat /etc/group
Create new groups with the groupadd command:
# groupadd [group]
Add users to a group, and remove them from it again, with the gpasswd command (see gpasswd(1)).
Delete existing groups with the groupdel command:
# groupdel [group]
Group list
User groups
Workstation/desktop users often add their non-root user to some of following groups to allow
access to peripherals and other hardware and facilitate system administration:
Group    Affected files                                      Purpose
games    /var/games                                          Access to game software.
rfkill   /dev/rfkill                                         Right to control the power state of wireless devices.
users                                                        Standard users group.
uucp     /dev/ttyS[0-9], /dev/tts/[0-9], /dev/ttyACM[0-9]    Serial and USB devices such as modems, handhelds, RS-232/serial ports.
wheel                                                        Administration group, commonly used to give access to su and sudo.
System groups
The following groups are used for system purposes and are not likely to be used by novice Arch
users:
Group             Affected files        Purpose
bin               none                  Historical
daemon
dbus
ftp               /srv/ftp
fuse
http
kmem
mail              /usr/bin/mail
mem
nobody                                  Unprivileged group.
polkitd                                 polkit group.
proc              /proc/pid/
root              /*
smmsp                                   sendmail group.
systemd-journal   /var/log/journal/*
tty
Software groups
These groups are used by certain non-essential software. Sometimes they are used just
internally, in these cases you should not add your user into these groups. See the main page for
the software for details.
Group       Affected files                          Purpose
adbusers                                            Right to use the Android Debug Bridge (adb).
avahi
bumblebee   /run/bumblebee.socket                   Right to launch applications with Bumblebee to utilize NVIDIA Optimus GPUs.
cdemu       /dev/vhba_ctl                           Right to use cdemu.
clamav      /var/lib/clamav/*, /var/log/clamav/*    Used by Clam AntiVirus.
gdm                                                 GDM group.
locate
mpd                                                 MPD group.
ntp         /var/lib/ntp/*                          NTPd group.
thinkpad    /dev/misc/nvram                         Used by ThinkPad tools.
vboxsf                                              Used by VirtualBox.
vboxusers   /dev/vboxdrv                            Right to use VirtualBox software.
vmware                                              Right to use VMware software.
wireshark                                           Right to capture packets with Wireshark.
Group   Purpose
log     Access to log files in /var/log created by syslog-ng.
ssh     Sshd can be configured to only allow members of this group to log in. This is true for any
        arbitrary group; the ssh group is not created by default, hence non-standard.
kvm     Adding a user to the kvm group used to be required to allow non-root users to access virtual
        machines using KVM. This has been deprecated in favor of using udev rules, and this is done
        automatically.
Pre-systemd groups
These groups used to be needed before Arch migrated to systemd. That is no longer the case,
as long as the logind session is not broken (see General troubleshooting#Session
permissions to check it). The groups can even cause some functionality to break.
See SysVinit#Migration to systemd for details.
Group     Affected files                  Purpose
audio                                     Direct access to sound hardware, for all sessions (a requirement imposed by
                                          some applications).
camera                                    Access to Digital Cameras.
disk      /dev/sda[1-9], /dev/sdb[1-9]    Access to block devices not affected by other groups such as optical,
                                          floppy, and storage.
floppy    /dev/fd[0-9]                    Access to floppy drives.
lp        /dev/parport[0-9]               Access to parallel port devices (printers and others).
network                                   Right to change network settings such as when using NetworkManager.
optical   /dev/sr[0-9], /dev/sg[0-9]      Access to optical devices such as CD and DVD drives.
power                                     Power management controls (hibernate, ...).
scanner   /var/lock/sane                  Access to scanner hardware.
storage                                   Access to removable drives such as USB hard drives, flash/jump drives,
                                          MP3 players; enables the user to mount storage devices.
sys                                       Right to administer printers in CUPS.
video     /dev/fb/0, /dev/misc/agpgart    Access to video capture devices, 2D/3D hardware acceleration, framebuffer
                                          (X can be used without belonging to this group). Local sessions already
                                          have the ability to use hardware acceleration and video capture.
Procedure
Warning: Make certain that you are not logged in as the user whose name you are about to change! Open a
new tty (Ctrl+Alt +F1) and log in as root or as another user and su to root. usermod should prevent you
from doing this by mistake.
This will create a link from username's former home directory to the new one. Doing this will allow
programs to find files that have hardcoded paths.
Warning: Make sure there is no trailing / on /my/old/home
# ln -s /my/new/home/ /my/old/home
<login name> This field can not be blank. Standard *NIX naming rules apply.
<password> would be an encrypted password, however it should be marked with a lowercase "x"
(without quotes) to signify the password is located in /etc/shadow .
Each user and group name has a corresponding numerical UID and GID (User ID and Group ID). In
Arch, the first login name (after root) is UID 1000 by default. Subsequent UID/GID entries for users should
be greater than 1000. GID should match the primary group for the particular user. Numeric values for GIDs
are listed in /etc/group .
<Real name/comments> is used by services such as finger. This field is optional and may be left
blank.
<home directory> is used by the login command to set the $HOME environment variable. Several
services with their own users use "/" which is safe for services, but not recommended for normal users.
<user command interpreter> is the path to the user's default shell. This is normally Bash, but there are
several other command line interpreters available. The default setting is "/bin/bash" (without quotes) for
users. If you use another CLI, set the path to it here. This field is optional.
Example (user):
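As an added example (not from the original page), a small Python parser for the seven-field passwd format and for /etc/group records, resolving a user's primary and supplementary groups the way id and groups do and flagging records that break the conventions described above; the sample records and the assumed contents of /etc/shells are constructed.

```python
# Added example: parse passwd/group records, resolve a user's groups like id(1),
# and flag records that break the conventions described on this page.
from collections import namedtuple
# Constructed sample records in the account:password:UID:GID:GECOS:directory:shell format.
PASSWD = """\
root:x:0:0::/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
archie:x:1000:1000:Archie Example:/home/archie:/bin/bash
svc:$6$not-a-real-hash:1001:1001::/var/lib/svc:/usr/bin/nologin
"""
# Constructed group records in the group:password:GID:member,member format.
GROUP = """\
root:x:0:root
wheel:x:998:archie
users:x:985:archie,svc
archie:x:1000:
svc:x:1001:
"""
PasswdEntry = namedtuple("PasswdEntry", "name password uid gid gecos home shell")

def parse_passwd(text):
    """Return {login name: PasswdEntry}; a line without exactly seven fields is an error."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries[name] = PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)
    return entries

def parse_group(text):
    """Return {GID: (group name, [member login names])}."""
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups

def id_of(user, passwd, groups):
    """Emulate id(1): primary group from the passwd GID, supplementary groups
    from the member lists in the group file (sorted for a stable result)."""
    e = passwd[user]
    primary = groups[e.gid][0]
    extra = sorted(n for gid, (n, members) in groups.items() if user in members and gid != e.gid)
    return e.uid, primary, extra

def audit(passwd, shells=("/bin/bash", "/usr/bin/nologin")):
    """The password field should be the shadow placeholder 'x', and the login shell
    must appear in /etc/shells (its contents are assumed here) or pam_shell refuses login."""
    findings = []
    for e in passwd.values():
        if e.password != "x":
            findings.append(f"{e.name}: password field is not the shadow placeholder 'x'")
        if e.shell not in shells:
            findings.append(f"{e.name}: shell {e.shell} is not listed in /etc/shells")
    return findings
```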
Viewing permissions
In order to use chmod to change permissions of a file or directory, you will first need to know what the current
mode of access is. You can view the contents of a directory in the terminal by "cd" to that directory and then
using:
$ ls -l
The -l switch is important because using ls without it will only display the names of files or folders in the
directory.
Below is an example of using ls -l on my home directory:
$ ls -l
total 128
-rw-r--r-- 1 ben users   832 Jul  6 17:22 #chmodwiki#
drwxr-xr-x 2 ben users  4096 Jul  5 21:03 Desktop
drwxr-xr-x 6 ben users  4096 Jul  5 17:37 Documents
drwxr-xr-x 2 ben users  4096 Jul  5 13:45 Downloads
drwxr-xr-x 2 ben users  4096 Jun 24 03:36 Movies
drwxr-xr-x 2 ben users  4096 Jun 24 03:38 Music
-rw-r--r-- 1 ben users 57047 Jun 24 13:57 Namoroka_wallpaper.png
drwxr-xr-x 2 ben users  4096 Jun 26 00:09 Pictures
drwxr-xr-x 3 ben users  4096 Jun 24 05:03 R
-rw-r--r-- 1 ben users   354 Jul  6 17:15 chmodwiki
-rw-r--r-- 1 ben users  5120 Jun 27 08:28 data
-rw-r--r-- 1 ben users  3339 Jun 27 08:28 datadesign
-rw-r--r-- 1 ben users  2048 Jul  6 12:56 dustprac
-rw-r--r-- 1 ben users  1568 Jun 27 14:11 dustpracdesign
-rw-r--r-- 1 ben users  1532 Jun 27 14:07 dustpracdesign~
-rw-r--r-- 1 ben users   229 Jun 27 14:01 ireland.R
-rw-r--r-- 1 ben users   570 Jun 27 17:02 noattach.R
-rw-r--r-- 1 ben users   588 Jun  5 15:35 noattach.R~
The first character shows whether the entry is a directory (d) or a regular file (-); the letters after
that are the permissions, and this first column is what we will be most interested in. The second column
is how many links there are to a file; we can safely ignore it. The third column has two values/names: the
first one (in my example 'ben') is the name of the user that owns the file. The second value ('users' in the
example) is the group that owns the file (read more about groups).
The next column is the size of the file or directory in bytes, and the information after that is the date and
time the file or directory was last modified, and of course the name of the file or directory.
Folders
In case of folders the mode bits can be interpreted as follows:
r (read) stands for the ability to read the table of contents of the given directory,
w (write) stands for the ability to write the table of contents of the given directory (create new files,
folders; rename, delete existing files, folders) if and only if execute bit is set. Otherwise this permission is
meaningless.
x (execute) stands for the ability to enter the given directory with command cd and access files,
folders in that directory.
Let's see some examples to clarify, taking one directory from above:
Files
Let's look at another example, this time of a file, not a directory:
- rw- r-- r-- 1 ben users 5120 Jun 27 08:28 data (split the permissions
column again for easier interpretation)
Here we can see the first letter is not d but -, so we know it is a file, not a directory. Next, the owner's
permissions are rw-, so the owner has the ability to read and write but not execute. It may seem odd that the
owner does not have all three permissions, but the x permission is not needed as it is a text/data file, to be read
by a text editor such as Gedit or Emacs, or by software like R, and not an executable in its own right (if it
contained something like Python code then it very well could be). The group's permissions are set to r--, so
the group has the ability to read the file but not write/edit it in any way; it is essentially like setting something to
read-only. We can see that the same permissions apply to everyone else as well.
chmod is a command in Linux and other Unix-like operating systems. It allows you to change the permissions
(or access mode) of a file or directory.
Text method
To change the permissions (or access mode) of a file, we use the chmod command in a terminal. The
command's general structure is chmod, followed by one or more who letters, an operator (=), the
permission letters, and the file name (for example chmod go=rx File). The who letters are:
u  the user who owns the file
g  the group the file belongs to
o  other users (neither the owner nor members of the group)
a  all of the above
The permissions are the same as already discussed (r, w, and x).
Let's have a look at some examples now using this command. Suppose we became very protective of the
Documents directory and wanted to deny everybody but ourselves, permissions to read, write, and execute (or
in this case search/look) in it:
Note: It does not matter which order you put the who letters or the permission letters in a chmod command:
you could have chmod go=rx File or chmod og=xr File. It is all the same.
Now let's consider a second example: say we want to change our data file so that we have read and write
permissions, and fellow users in our group users (colleagues working with us on data) can also
read and write to it, but other users can only read it:
Copying permissions
It is possible to tell chmod to copy the permissions from one class, say the owner, and give those same
permissions to group or even all. To do this, instead of putting r, w, or x after the =, we put another who letter.
e.g.:
This command essentially translates to "change the permissions of group (g=) to be the same as the owning
user (=u)". Note that you cannot copy a set of permissions and grant new ones in the same clause, e.g.:
Numeric method
chmod can also set permissions using numbers.
Using numbers is another method which allows you to edit the permissions for all three owner, group, and
others at the same time. This basic structure of the code is this:
r=4
w=2
x=1
To come up with a three digit number you need to consider what permissions you want owner, group, and user
to have, and then total their values up. For example, say I wanted to grant the owner of a directory read write
and execution permissions, and I wanted group and everyone else to have just read and execute permissions. I
would come up with the numerical values like so:
everyone else, refer to the last note on the lack of x permissions with non-executable files; it's the same deal
here.
To see this in action with examples consider the previous example I've been using but with this numerical
method applied instead:
000=0
001=1
010=2
011=3
100=4
101=5
110=6
111=7
permissions to something out of the norm, it may be simpler and quicker to use the text method as opposed to
trying to convert it to numbers, which may lead to a mistake. It could be argued that there isn't any real
significant difference in the speed of either method for a user that only needs to use chmod on occasion.
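The reading of the ls -l permission column described earlier, together with chmod's text method (who letters, the = + - operators, and copying a class with g=u) and the numeric method (r=4, w=2, x=1), worked through in Python as an added example that is not part of the original page; the helper names are my own.

```python
# Added example: the permission column of ls -l, chmod's text method (who letters,
# = + - operators, copying a class with g=u) and the numeric method (r=4 w=2 x=1).
import re

WHO = {"u": 0, "g": 1, "o": 2}   # position of each class's rwx triple
BITS = {"r": 4, "w": 2, "x": 1}  # numeric-method value of each permission letter

def parse_mode(ls_perms):
    """'-rw-r--r--' -> ('-', [6, 4, 4]): file type char plus one value per class."""
    m = re.fullmatch(r"([-dlcbps])([rwx-]{9})", ls_perms)
    if not m:
        raise ValueError(f"not an ls -l permission column: {ls_perms!r}")
    ftype, perms = m.groups()
    triples = [sum(BITS[c] for c in perms[i:i + 3] if c != "-") for i in (0, 3, 6)]
    return ftype, triples

def to_octal(triples):
    """[7, 5, 5] -> '755', the form used by chmod's numeric method."""
    return "".join(str(t) for t in triples)

def to_symbolic(triples):
    """[6, 4, 4] -> 'rw-r--r--' (inverse of parse_mode without the type char)."""
    return "".join("".join(c if t & b else "-" for c, b in BITS.items()) for t in triples)

def apply_text(triples, clause):
    """Apply one chmod text-method clause such as 'go=rx', 'a+w', 'o-rwx' or 'g=u'.
    The right-hand side may be another who letter, which copies that class's bits."""
    m = re.fullmatch(r"([ugoa]+)([=+-])([rwx]*|[ugo])", clause)
    if not m:
        raise ValueError(f"unsupported chmod clause: {clause!r}")
    who, op, rhs = m.groups()
    # 'g=u' copies the owner's triple; otherwise add up the r/w/x values given.
    value = triples[WHO[rhs]] if rhs in WHO else sum(BITS[c] for c in rhs)
    result = list(triples)
    for w in ("ugo" if "a" in who else who):
        i = WHO[w]
        if op == "=":
            result[i] = value
        elif op == "+":
            result[i] |= value
        else:
            result[i] &= ~value
    return result
```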
Bulk chmod
Generally directories and files should not have the same permissions. If it is necessary to bulk modify a
directory tree, use find to selectively modify one or the other.
To chmod only directories to 755:
As you can see the device in /dev is owned by root, as is where it is mounted (/media/Backup). To change the
owner of where it is mounted one can do the following:
File attributes
Apart from the file mode bits that control user and group read, write and execute permissions, several file
systems support file attributes that enable further customization of allowable file operations. This section
describes some of these attributes and how to work with them.
Warning: By default, file attributes are not preserved by cp, rsync, and probably others.
a : append only
c : compressed
d : no dump
e : extent format
i : immutable
j : data journalling
s : secure deletion
t : no tail-merging
u : undeletable
A : no atime updates
C : no copy on write
S : synchronous updates
For example, if you want to set the immutable bit on some file, use the following command:
# chattr +i /path/to/file
To remove an attribute on a file just change + to -.
Extended attributes
From attr(5): "Extended attributes are name:value pairs associated permanently with files and directories".
There are four extended attribute classes: security, system, trusted and user.
Warning: By default, extended attributes are not preserved by cp, rsync, and probably others.
$ getfattr -d foo.bar
# file: foo.bar
user.checksum="3baf9ebce4c664ca8d9e5f6314fb47fb"