
Linux: Permissions and Ownership

Basics

How to properly apply and troubleshoot access control.

File and directory permissions.

It is important to make sure the right users have the right access to the right resources in a Linux environment.

Files and Directories Permissions

Permissions are access rights assigned to users that control whether they can read, modify, or execute files and directories. Best practice is to apply the principle of least privilege: give users only the permissions they need to perform their tasks, and add nothing beyond that.

ls displays the permissions set on files and directories. ls -l prints a long listing of a directory's contents, including the mode, owner, and group of each entry. A few useful ls flags:

  • -l to show a long listing with permissions, owner, group, size, and modification time
  • -a to show all files, including hidden (dot) files
  • -h to show sizes in human-readable units (K, M, G); used together with -l

Permission attributes define what a user is allowed to do with a selected file or directory.

The permission attributes for files are:

  • r to indicate read permission. It allows the user to read the content of a file.
  • w to indicate write permission. It allows the user to modify and save changes to a file.
  • x to indicate execute permission. It allows the user to run the file as a program or script.

For directories:

  • r to indicate read permission. It allows the user to list the names in the directory (ls).
  • w to indicate write permission. It allows the user to create, rename, and delete entries in the directory; it only takes effect together with x. Note that deleting a file depends on write permission on the directory, not on the file itself.
  • x to indicate execute (search) permission. It allows the user to enter the directory (cd) and reach the files inside it by name. Without x, the contents cannot be accessed even when r is set.

Permission attributes on files and directories are applied separately to three classes of users, called the permission context:

  • u owner (user): the owner of the file or directory
  • g group: the group assigned to the file or directory
  • o other: everyone else, that is, users who are neither the owner nor members of the group

chmod

chmod is used to change the permissions of a file or directory. chmod [options] <mode> <file or directory> is the syntax for modifying the permissions of a file or directory. A mode can be written in symbolic form or in absolute (octal) form.

Symbolic mode combines three parts:

  Permission context    Permission operators    Permission attributes
  u / g / o / a         + / - / =               r / w / x

a stands for all three classes at once. The + operator grants a permission, - removes a permission, and = sets exactly the permissions listed, removing any others for that context.

In symbolic mode, use chmod <context><operator><attributes> <file or directory>. For example, chmod g+w my_file.txt grants the group write permission on my_file.txt, and chmod o= my_file.txt removes all permissions for others. Several expressions can be combined with commas: chmod u=rwx,g=rx,o= script.sh.

chmod in absolute mode

We can also use chmod in absolute mode. The absolute mode uses octal numbers to specify permissions:

  • 4 => read permission
  • 2 => write permission
  • 1 => execute permission

Adding them up gives the permission number for one context:

7 equals rwx because 4+2+1=7; 6 equals rw because 4+2=6; 5 equals rx because 4+1=5.

chmod <number> <file or directory> is the syntax to assign permissions in absolute mode. The number has three digits, one per context, in the order owner, group, other.

The permission 724 means:

  • 7 for the owner permission (rwx)
  • 2 for the group permission (w only, an unusual combination)
  • 4 for the other permission (r)

A more typical mode is 750: owner rwx, group rx, others nothing. Absolute mode always sets the whole mode; unlike symbolic + and -, it cannot add or remove a single bit while leaving the rest untouched.
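As an added example (not from the original notes), the following script applies symbolic and absolute chmod modes to scratch files and reads the result back with stat, and then shows what each directory bit actually buys you. It assumes GNU coreutils (stat -c, mktemp) and should be run as a regular user, since root bypasses the directory checks.

```bash
#!/usr/bin/env bash
# Added example: chmod in symbolic and absolute mode, verified with stat.
# Assumes GNU coreutils. Run as a non-root user for dir_access to be meaningful.
set -euo pipefail

# Print the permission bits of a path in octal, e.g. 644.
mode_of() { stat -c '%a' "$1"; }

# Start a scratch file at mode $1, apply the remaining chmod modes in order,
# and print the final octal mode. Symbolic and absolute modes can be mixed.
#   file_mode_after 644 g+w            -> 664
#   file_mode_after 600 u=rwx,g=rx,o=  -> 750
#   file_mode_after 777 724            -> 724 (absolute mode replaces everything)
file_mode_after() {
    local start="$1"; shift
    local f; f=$(mktemp)
    chmod "$start" "$f"
    local m
    for m in "$@"; do chmod "$m" "$f"; done
    mode_of "$f"
    rm -f "$f"
}

# Create a directory at mode $1 with one file inside and report whether the
# names can be listed (needs r) and whether the file can be read through the
# directory (needs x). Root always gets "yes" for both.
#   dir_access 700 -> "list=yes read=yes"
#   dir_access 400 -> "list=yes read=no"   (r without x: names only)
#   dir_access 100 -> "list=no read=yes"   (x without r: reachable if you know the name)
dir_access() {
    local d; d=$(mktemp -d)
    echo data >"$d/file"
    chmod "$1" "$d"
    local list=no read=no
    ls "$d" >/dev/null 2>&1 && list=yes
    cat "$d/file" >/dev/null 2>&1 && read=yes
    chmod 700 "$d"; rm -rf "$d"
    echo "list=$list read=$read"
}

# Usage when run directly:
file_mode_after 644 g+w
dir_access 400
```

The second function is the one to remember when a user reports "permission denied" on a file whose own mode looks fine: the missing bit is usually x on a directory somewhere along the path.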

umask

The umask (user file-creation mask) is a per-process setting that determines the default permissions of newly created files and directories. It is set with the umask shell builtin, and the default can be made permanent for a user by adding a line such as umask 0022 to ~/.bashrc (or for all users in /etc/profile or /etc/login.defs, depending on the distribution).

umask 0022 clears the write bit for group and others. New files start from a base mode of 666 and new directories from 777; the mask bits are removed from that base, giving 644 for files and 755 for directories. The subtraction shorthand 666 - 022 = 644 happens to work for 022, but the real operation is a bitwise AND with the complement of the mask, not decimal subtraction: umask 0027 gives 640 for files (not 639) and 750 for directories.

You cannot add permissions with umask; it can only remove bits from the base mode. In particular, newly created files are never executable, whatever the umask.
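To make the bitwise rule concrete, here is an added example (not part of the original notes) that computes the resulting mode for any base and mask, and then creates a real file and directory under a given umask to confirm the arithmetic. It assumes GNU coreutils (stat -c) and bash arithmetic.

```bash
#!/usr/bin/env bash
# Added example: umask clears bits (base AND NOT mask); it does not subtract.
set -euo pipefail

# Resulting mode for a new object: base & ~mask, printed as three octal digits.
# $1 = base ("666" for files, "777" for directories), $2 = mask, both octal.
#   umask_result 666 022 -> 644
#   umask_result 666 027 -> 640   (decimal subtraction would wrongly give 639)
#   umask_result 777 077 -> 700
umask_result() {
    printf '%03o\n' $(( 8#$1 & ~8#$2 & 0777 ))
}

# Create a file and a directory under umask $1 in a scratch directory and
# print "<file mode> <dir mode>" as stat reports them. The umask is changed
# in a subshell so the caller's shell is not affected.
modes_under_umask() {
    local mask="$1"
    local d; d=$(mktemp -d)
    ( umask "$mask"; touch "$d/f"; mkdir "$d/sub" )
    echo "$(stat -c %a "$d/f") $(stat -c %a "$d/sub")"
    rm -rf "$d"
}

# Usage when run directly:
umask_result 666 027
modes_under_umask 027    # 640 750
```

A umask of 027 (or 077 on shared hosts) is the usual hardening choice: files a user creates are not readable by everyone by default, and nothing is lost because permissions can always be widened explicitly with chmod afterwards.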

Files and Directories Ownership

Ownership determines who controls a file or directory: the owner (and root) can change its permissions with chmod, and the group ownership selects which group the g permissions apply to. Only the root user can change the owner of a file. A regular user can change the group of a file they own, but only to a group they are a member of.

Use chown to change the owner or group of a file or directory. The syntax is chown <username> <file or directory>. For example, chown demo dir1 changes the owner of dir1/ to demo. This changes only the owner, not the group.

To change both the owner and the group, use chown <username>:<group-name> <file or directory>. To change the group but not the owner, use chown :<group-name> <file or directory>.

To change ownership recursively within a directory, use the -R flag: chown -R <username> <file or directory>.

To change only the group ownership of a file or directory, the chgrp command can also be used: chgrp <group-name> <file or directory>.

Special Permissions and Attributes

Special permissions allow a less privileged user to run a program with the rights of the file's owner or group, or change how new files in a directory get their group. Because they grant privilege, every file carrying them is worth auditing.

There are two set-ID special permissions:

  • Set User ID (SUID): when an executable with SUID is run, the process runs with the effective user ID of the file's owner rather than of the user who launched it. A SUID-root binary (such as passwd) therefore runs as root, which is why a writable or poorly written SUID binary is a classic privilege escalation path.
  • Set Group ID (SGID): on an executable, the process runs with the effective group ID of the file's group. On a directory, new files and subdirectories created inside inherit the directory's group instead of the creator's primary group, which is what makes shared project directories work.

chmod u+s <file> sets SUID on a file in symbolic mode.

chmod 4### <file> sets SUID in absolute mode, where ### are the normal permission digits (for example chmod 4755).

chmod g+s <directory> sets SGID on a directory in symbolic mode.

chmod 2### <directory> sets SGID in absolute mode (for example chmod 2770).

In ls -l output the bits appear as s in the owner or group execute position (rwsr-xr-x). An uppercase S means the set-ID bit is set but the corresponding execute bit is not, which is usually a mistake.

The Sticky Bit is another special permission, used on shared writable directories such as /tmp. In a directory with the sticky bit set, a file can be deleted or renamed only by the file's owner, the directory's owner, or root, even though the directory itself is writable by everyone.

chmod +t <directory> sets the sticky bit on a directory in symbolic mode.

chmod 1### <directory> sets the sticky bit in absolute mode (for example chmod 1777). It shows as t in the others execute position (drwxrwxrwt).
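The following added example (not part of the original notes) sets the special bits on scratch files and directories, reads them back in the symbolic form ls -l shows, and then runs the audit a practitioner actually wants after an install or an incident: find every set-ID file on a filesystem. It assumes GNU coreutils and findutils; for non-root users, SGID on a file is silently dropped unless they belong to the file's group, which is the case for files mktemp creates.

```bash
#!/usr/bin/env bash
# Added example: special bits in symbolic form, plus a set-ID audit.
# Assumes GNU coreutils (stat -c, mktemp) and GNU find.
set -euo pipefail

# Apply an absolute mode to a fresh scratch file or directory ($1 = "file" or
# "dir") and print the symbolic mode as stat reports it, e.g. -rwsr-xr-x.
symbolic_mode() {
    local kind="$1" mode="$2" p
    if [ "$kind" = dir ]; then p=$(mktemp -d); else p=$(mktemp); fi
    chmod "$mode" "$p"
    stat -c '%A' "$p"
    chmod 700 "$p"; rm -rf "$p"
}

# List regular files under $1 with SUID or SGID set, one path per line.
# -xdev keeps the search on one filesystem; /proc and network mounts are
# noise when auditing a live host. Run it against / and keep the output as a
# baseline: every line is a privilege boundary, and a new line is a finding.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Build a small tree with one SUID, one SGID and one plain file and return
# the basenames the audit reports, space separated ("sgid_bin suid_bin").
audit_demo() {
    local d; d=$(mktemp -d)
    touch "$d/suid_bin" "$d/sgid_bin" "$d/plain"
    chmod 4755 "$d/suid_bin"
    chmod 2755 "$d/sgid_bin"
    chmod 0755 "$d/plain"
    local out; out=$(find_setid_files "$d" | xargs -r -n1 basename | tr '\n' ' ')
    rm -rf "$d"
    echo "${out% }"
}

# Usage when run directly:
symbolic_mode file 4755     # -rwsr-xr-x : SUID with execute
symbolic_mode file 4644     # -rwSr--r-- : capital S, set-ID without execute
symbolic_mode dir 1777      # drwxrwxrwt : sticky bit on a world-writable dir
audit_demo                  # sgid_bin suid_bin
```

On a production host the interesting call is find_setid_files /, diffed against the list recorded at build time.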

The immutable attribute protects files and directories from being modified, renamed, or deleted, even by root, until the attribute is removed (which requires the CAP_LINUX_IMMUTABLE capability, normally only root). It is very useful for sensitive files and directories that must not change.

lsattr

lsattr is used to list the extended attributes of files or directories. To use it, type lsattr [options] <file or directory>. lsattr supports the following options, among others:

  • -R recursively list the attributes of directories and their contents
  • -a list all files in directories, including hidden ones
  • -d list directories themselves like other files, rather than listing their contents
  • -v list the file's version (generation) number

chattr

chattr is used to change the extended attributes of a file or directory: chattr [-R] [-v <version>] [+-=<attributes>] <file or directory>. The option +i marks the file or directory as immutable, and -i removes the immutable attribute. Only root (or a process with CAP_LINUX_IMMUTABLE) can set or clear i, and the attribute is supported only on some filesystems (ext2/3/4, XFS, and Btrfs among others). The related +a attribute allows append-only writes, which is useful for log files that must not be truncated.

Access Control Lists (ACLs)

Access control lists (ACLs) extend the basic owner/group/other model: they let us grant different permissions to several named users or groups on the same resource. One group may need rwx and another only rw. ACLs require filesystem support (enabled by default on ext4 and XFS) and the acl package for the getfacl and setfacl tools.

getfacl displays the access control list of a file or directory.

setfacl changes the ACL of a file or directory. The general form is setfacl [options] <acl-spec> <file or directory>. Commonly used options:

  • -R recursively applies the change to a directory and everything below it
  • --set replaces the existing ACL of a file or directory entirely
  • -m modifies (adds or changes) entries in the existing ACL
  • -x removes the specified entries from the ACL
  • -b removes all extended ACL entries, leaving only the standard owner/group/other permissions
  • -d operates on the default ACL of a directory, which is inherited by new files created inside it

Example: setfacl -R -m g:students:r /assignments modifies the current ACL to give the students group read permission on the assignments directory and its contents.

ACL entries are written as

u:<username>:<permissions> for a named user, or

g:<group-name>:<permissions> for a named group.

By default only one group can be associated with a directory. ACLs allow a directory to grant permissions to additional groups and users. Files with an extended ACL show a + after the mode in ls -l output. Be aware of the ACL mask entry: it caps the effective permissions of every named user and group, and running chmod on the group bits of a file rewrites the mask, which can silently reduce what the ACL grants.
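The mask interaction is easy to get wrong, so here is an added example (not part of the original notes) that grants a named user read/write on a file with setfacl, then runs a plain chmod on the group bits and shows the mask shrinking while the named entry stays unchanged. It assumes the acl package and a filesystem with ACL support; it uses the current user as the named user so it needs no extra accounts, and acl_field and effective_rights are small helpers written for this example.

```bash
#!/usr/bin/env bash
# Added example: how chmod on the group bits rewrites the ACL mask.
# Assumes getfacl/setfacl (acl package) and ACL support on the temp filesystem.
set -euo pipefail

# Print the permission string of one ACL entry of file $1, selected by its
# "tag:qualifier:" prefix, e.g. acl_field FILE "mask::" or "user:alice:".
acl_field() {
    getfacl -p --omit-header "$1" 2>/dev/null | grep "^$2" | head -n1 | cut -d: -f3
}

# Effective rights of a named entry are (entry AND mask), e.g. rw- & r-- = r--.
effective_rights() {
    local entry="$1" mask="$2" out="" i
    for i in 0 1 2; do
        if [ "${entry:$i:1}" != "-" ] && [ "${mask:$i:1}" != "-" ]; then
            out+="${entry:$i:1}"
        else
            out+="-"
        fi
    done
    echo "$out"
}

# Scenario: file at 640, grant rw to a named user, then chmod g=r.
# Prints "<mask before> <mask after> <named entry> <effective rights after>".
# Returns 1 (after cleanup) if ACLs are unavailable here.
acl_mask_demo() {
    local who; who=$(id -un)
    local f; f=$(mktemp)
    chmod 640 "$f"
    setfacl -m "u:$who:rw" "$f" || { rm -f "$f"; return 1; }   # mask recalculated to rw-
    local before; before=$(acl_field "$f" "mask::")
    chmod g=r "$f"                      # with an ACL, the group bits ARE the mask: now r--
    local after; after=$(acl_field "$f" "mask::")
    local entry; entry=$(acl_field "$f" "user:$who:")
    rm -f "$f"
    echo "$before $after $entry $(effective_rights "$entry" "$after")"
}

# Usage when run directly:
acl_mask_demo || echo "ACL demo skipped: setfacl unavailable or no ACL support"   # rw- r-- rw- r--
```

getfacl -e prints the same effective value in a trailing #effective: column; the helper recomputes it only to make the AND explicit. Use setfacl -n to keep the mask from being recalculated, or set it deliberately with m::rw-.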

Troubleshooting Permission Issues

Follow the 7-step troubleshooting technique from CompTIA A+.

  1. Identify the issue
  2. Establish a theory of probable cause
  3. Test the theory to determine the cause
  4. Establish a plan of actions
  5. Apply the solution
  6. Verify full system functionality
  7. Document findings, actions, and outcomes

Linux: Users and Groups

Basics

This post contains the notes I am taking while learning Linux users and groups.

The root user is the most powerful user on a Linux system. It can perform any task on the system. It is good practice to use a separate user to perform day-to-day operations.

Each person should have a separate standard user account with limited privileges that allows them to perform only the tasks they are assigned.

There are also service accounts that are specific to a particular service such as docker, incus, nginx, and so on. They are not set up for interactive login; their shell is typically /usr/sbin/nologin or /bin/false.

It is a security best practice to log in to a Linux system with a non-privileged account instead of the root account. A user should not be given more privilege than they need to perform their job. That is the principle of least privilege.

If root privilege is required to perform a task, one can elevate privilege as needed using su - root (or simply su -), which asks for the root password and starts a login shell as root.

root privileges can be delegated to other users using sudo. To delegate commands to a user, list the user in /etc/sudoers using the visudo editor. This file should only be edited with visudo, which checks the syntax before any change is saved; a syntax error in /etc/sudoers can lock every administrator out of sudo. A sudoer's rights are limited to what the sudoers rules grant: a user allowed to run only a few commands cannot do everything root can, while a rule of ALL=(ALL) ALL is equivalent to full root access.

The wheel group is the conventional administrative group on Red Hat-style systems (Debian and Ubuntu use the sudo group for the same purpose). Its members are allowed to use sudo through a rule such as %wheel ALL=(ALL) ALL in sudoers, and some distributions also restrict su to wheel members via pam_wheel.

Polkit (PolicyKit)

Polkit (PolicyKit) is a framework on Linux systems that controls how unprivileged processes may request actions from privileged ones, for example a desktop user asking systemd to restart a service. It is used mainly by desktop environments and D-Bus services.

pkexec mkdir /lab-1 creates the folder lab-1 in the root directory of the system with root privileges, after polkit has authenticated the user. sudo seems easier; right?

You can use the id command to verify a user's identity and privileges. The root user always has UID 0; any account with UID 0 is effectively root, whatever its name.

Create, modify, and delete a new user

useradd demo creates a new user. The account is saved in the /etc/passwd file and configured according to the options set in /etc/login.defs. The user's home directory is created at /home/<account name> and populated with files from /etc/skel (the skeleton directory). Note that the home directory is only created when -m is given or CREATE_HOME is set in /etc/login.defs (Red Hat-style systems set it; Debian and Ubuntu do not, so use useradd -m there). useradd does not set the password of the new account; the password must be set separately. At this stage the account exists but is not usable for login yet.

useradd [options] <username> is the general syntax for creating a user account. The following options are useful:

-e: set the expiration date of the account. After that date the account becomes unusable. The date is written as YYYY-MM-DD. Example: useradd -e 2026-10-25 demo

-s: set the default login shell for the user. Example: useradd -s /bin/bash demo

-D: view (or change) the default configuration applied to new users.

-c: add a comment (the GECOS field, usually the full name) to the user account. Comments make administering accounts easier.

passwd demo is used by the root user to set a password for the newly created user, demo in this case. Root can use the same command to reset the password of any user; a regular user runs passwd with no argument to change their own.

visudo opens the sudoers file so that users can be granted sudo rights if needed.

demo ALL=(ALL) NOPASSWD:ALL gives demo the right to run any command as any user via sudo without being asked for a password. NOPASSWD removes the re-authentication step, so a compromised demo session (or an unattended terminal) is immediately root; prefer demo ALL=(ALL) ALL, which still requires the user's password, and limit the allowed commands where possible. Drop-in files in /etc/sudoers.d/ are a cleaner place for per-user rules than editing the main file.
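As an added example (not from the original notes), this script generates a narrowly scoped sudoers drop-in for a user and syntax-checks it with visudo before installing it. The service name (nginx) and the systemctl paths are assumptions for the illustration; only the install step needs root.

```bash
#!/usr/bin/env bash
# Added example: a scoped sudoers rule, validated before it goes live.
# The WEBCTL commands and the nginx service are placeholders for this example.
set -euo pipefail

# Print a sudoers fragment that lets USER ($1) run a fixed set of commands
# as root, with their own password still required. Contrast with
# "USER ALL=(ALL) NOPASSWD:ALL", which is unconditional, unauthenticated root.
sudoers_fragment() {
    local user="$1"
    cat <<EOF
# Generated for $user: manage the web service only; password still required.
Cmnd_Alias WEBCTL = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
$user ALL=(root) WEBCTL
EOF
}

# Write the fragment to a temp file, validate it with visudo -c -f, and only
# then install it into /etc/sudoers.d with the mode sudo insists on (0440).
# Prints "installed" or "rejected". A broken file in /etc/sudoers.d disables
# sudo for everyone, which is why the check comes first.
install_sudoers_fragment() {
    local user="$1" dest="${2:-/etc/sudoers.d/$1}"
    local tmp; tmp=$(mktemp)
    sudoers_fragment "$user" >"$tmp"
    chmod 0440 "$tmp"
    if visudo -c -q -f "$tmp"; then
        install -o root -g root -m 0440 "$tmp" "$dest"
        echo installed
    else
        echo rejected
    fi
    rm -f "$tmp"
}

# Usage when run directly (the install step needs root):
sudoers_fragment demo
# install_sudoers_fragment demo
```

Note that sudo itself resolves the command path, so the rule must name absolute paths, and the user cannot substitute their own systemctl by manipulating PATH.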

User account information is stored in /etc/passwd. The proper way to change it is through useradd, usermod, or userdel, not by editing the file by hand. Modern systems store password hashes and password-aging information in /etc/shadow, which is readable only by root (and the shadow group), while /etc/passwd remains world-readable.

Use the pwck command to check the consistency of /etc/passwd and /etc/shadow (grpck does the same for /etc/group and /etc/gshadow).

Each line in the shadow file has nine colon-separated fields:

  • username
  • hashed password (an empty field means no password is required at all; a leading ! or * means the account is locked or has no usable password)
  • date of the last password change, in days since 1970-01-01
  • minimum number of days between password changes (0 means the password may be changed at any time)
  • maximum number of days the password is valid; 99999 means the password never expires
  • number of days before expiry on which the user starts being warned to change the password
  • number of days after the password expires before the account is disabled (the inactivity period)
  • account expiration date, in days since 1970-01-01 (empty means never)
  • unused field reserved for future use

chage -E <date> <username> changes the expiration date of an existing account. Example: chage -E 2025-11-30 demo sets the expiration date of the demo account. The date is written as YYYY-MM-DD; chage -E -1 removes the expiration.

chage -l <username> shows the password-aging and account-expiration information.

chage -M <days> <username> sets the maximum number of days a password stays valid before the user must change it. 90 days is a typical value for regular users and 60 for admin users.

chage -W <days> <username> sets the number of days before expiry during which the user is warned to change their password. 5 is a typical value.
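The fields above are what chage -l reads and chage -E, -M and -W write. The following added example (not part of the original notes) parses shadow records field by field, summarizes them the way chage -l does, and picks out the accounts a reviewer would flag: active accounts whose password never expires. The sample records are constructed for the example and the hashes are placeholders, not real password hashes; the script assumes GNU date.

```bash
#!/usr/bin/env bash
# Added example: parse /etc/shadow records and summarize the aging policy.
# Sample records below are constructed; hashes are placeholders. Assumes GNU date.
set -euo pipefail

# Convert a "days since 1970-01-01" field to YYYY-MM-DD.
days_to_date() { date -u -d "@$(( $1 * 86400 ))" +%F; }

# Classify the password field: "empty" (no authentication at all), "locked"
# (leading ! or *, as written by passwd -l or for system accounts), "hashed".
password_state() {
    case "$1" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo hashed ;;
    esac
}

# Summarize one shadow record ($1) on a single line, in the order of the fields.
describe_shadow() {
    local user hash last min max warn inact expire reserved
    IFS=: read -r user hash last min max warn inact expire reserved <<<"$1"
    local exp=never maxs="$max"
    [ -n "$expire" ] && exp=$(days_to_date "$expire")
    [ "$max" = 99999 ] && maxs=never
    printf '%s password=%s last_changed=%s min=%s max=%s warn=%s inactive=%s expires=%s\n' \
        "$user" "$(password_state "$hash")" "$(days_to_date "$last")" \
        "${min:-0}" "${maxs:-never}" "${warn:-0}" "${inact:--}" "$exp"
}

# Read records on stdin and print the users whose password is usable but
# never expires: the candidates for chage -M.
never_expiring_active() {
    local line user hash last min max rest
    while IFS= read -r line; do
        IFS=: read -r user hash last min max rest <<<"$line"
        [ "$(password_state "$hash")" = hashed ] && [ "${max:-99999}" = 99999 ] && echo "$user"
    done
    return 0
}

# Constructed sample records (placeholder hashes):
SAMPLE_SHADOW='demo:$6$saltsalt$placeholderhash:19358:0:90:7:14:19723:
svc:!:19358:0:99999:7:::
legacy:$6$saltsalt$placeholderhash:18000:0:99999:7:::'

# Usage when run directly (on a real host: sudo cat /etc/shadow | never_expiring_active):
describe_shadow 'svc:!:19358:0:99999:7:::'
printf '%s\n' "$SAMPLE_SHADOW" | never_expiring_active   # legacy
```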

usermod -l <new-username> <current-username> changes the username of an existing user. The usermod command is used to modify user account information. Renaming does not move the home directory; add -d /home/<new-username> -m to move it as well.

A quick way to lock a user account is passwd -l <username>, and passwd -u <username> unlocks it again. Locking prefixes the hash in /etc/shadow with !, which disables password authentication; it does not terminate sessions that are already open. To be sure the account cannot be used at all, also expire it with chage -E.

userdel <username> deletes a user. The user's home directory stays on the system after the account is deleted. To delete the home directory along with the account, use the -r flag with userdel.

usermod -L <username> locks a user account as well, and usermod -U <username> unlocks it.

chsh -s /bin/zsh <username> changes the user's default login shell.

Create, modify, and delete a user group

User groups are used to apply the same permissions to a set of users. Groups are stored in /etc/group. Each line contains 4 fields:

  • name: the group name
  • password: the group password, usually x, meaning the hash (if any) is kept in /etc/gshadow; group passwords are rarely used
  • id: the group ID (GID)
  • list: the members of the group (users whose primary group this is are not listed here; they are linked through the GID in /etc/passwd)

groupadd, groupmod, and groupdel are the proper way to modify the group file. By default a newly created group has no members and no password.

groupadd [options] <group name> creates a new group. Example: groupadd -g 100 instructors creates a group called instructors with GID 100. Without -g the next free GID is used; note that on many systems GID 100 is already taken by the users group, so pick a free one.

groupmod -n <new-group-name> <current-group-name> renames an existing group.

To add a user to a group, use the usermod command, for example usermod -aG instructors demo to add the account demo to the instructors group. The -a (append) flag is essential: usermod -G instructors demo without -a replaces the user's supplementary groups with instructors alone, silently removing them from every other group. The change takes effect at the user's next login.

groupdel [options] <group name> deletes a group without deleting the users in it; it only removes the group itself. For example groupdel students deletes the students group. groupdel refuses to remove a group that is the primary group of an existing user.

Search users and groups

whoami prints the username of the currently logged-in (effective) user.

A # prompt indicates a root shell and a $ prompt indicates a standard user.

who shows the users currently logged in: the username, the terminal, the login date and time, and the remote host. The -u flag adds the idle time: a . means the user was active within the last minute, and old means the user has been idle for more than 24 hours.

who am i shows only the entry for the terminal the command was run from.

w shows the users currently logged in together with what each of them is running. w [options] [username] limits the output to one user.

last shows the history of logins and logouts with their dates and times. It reads the information from /var/log/wtmp. lastb reads failed login attempts from /var/log/btmp, which is useful when investigating brute-force attempts.

lastlog displays the most recent login time for every user.

id displays the user ID (UID), group ID (GID), and supplementary groups. id [options] [username] is the syntax.

groups <username> lists all the groups a user belongs to.

To view all the members of a group, there are two commands that are usually installed on some distros: lid (List Id) and libuser-lid; lid -g <group> lists the members of a group.

getent (Get Entries) queries the system's name-service databases (passwd, group, shadow, hosts, and others) through NSS, so it also returns users and groups that come from non-local sources such as LDAP or SSSD. getent group <group> lists a group and its members; getent passwd <user> shows an account.

Account profiles

~/.bashrc enables customization of the user's own shell environment. It is unique to each user. It is commonly used for aliases, environment variables, default directories, the umask (default file permissions), and the command prompt. It is executed for each new interactive non-login shell.

~/.bash_profile provides the shell configuration for the initial login environment. It is executed once for login shells and usually sources ~/.bashrc itself.

To run something for any user who logs in, use /etc/profile. /etc/profile.d/ holds configuration scripts that /etc/profile runs for all users. It is recommended to use /etc/profile.d/ for setting system-wide variables rather than editing /etc/profile directly, which may be overwritten by package updates.

/etc/bashrc (or /etc/bash.bashrc on Debian and Ubuntu) provides system-wide configuration specific to Bash. It is different from ~/.bashrc, which is specific to each user.

Linux: Basics

The Linux kernel was created by Linus Torvalds in 1991 and is developed as open source. Linux has multiple distributions. A distribution is a system built from the Linux kernel, a set of software packages, and a package management system. Linux distributions usually fall into two categories: RPM-based and dpkg-based. The difference between the two is the package management system they use.

Linux is built on the principle of FOSS (Free and Open Source Software), which allows users to change, share, and distribute it freely.

RPM-based Distributions

RPM (originally Red Hat Package Manager, now RPM Package Manager) based distributions include RHEL, CentOS, AlmaLinux, Fedora, and openSUSE. Most of them use the dnf command (previously yum) to manage packages; openSUSE uses zypper. RHEL (Red Hat Enterprise Linux) is a commercial distribution that typically requires a subscription.

dpkg-based Distributions

They derive from Debian and include Ubuntu, Linux Mint, and Kali Linux. They use the dpkg and apt (Advanced Package Tool) package managers. The .deb package format is installed by the dpkg tool; apt sits on top of dpkg and automatically retrieves packages and their dependencies from online repositories.

Linux Boot Process

The Linux boot process is how a computer running Linux starts up. It has five main components:

  1. Preboot Execution Environment (PXE): optional, used for booting over the network instead of local storage
  2. Bootloader: selects and loads the kernel and prepares the system
  3. Initial RAM Disk (initrd): provides essential drivers and tools before switching to the real root filesystem
  4. Kernel: the core of the OS, managing system resources
  5. init: the first user-space process, which starts all the others

Preboot Execution Environment (PXE)

It allows a computer to start up over a network connection rather than booting from its internal storage. It is useful where many systems have to be set up simultaneously or remotely. Here are the steps for PXE booting a computer:

  • The network card activates to start the boot process
  • The network card requests an IP address from the DHCP server
  • The DHCP response also provides the location of the TFTP server and the name of the boot file
  • The necessary files are transferred from the TFTP server
  • The bootloader is executed to load the operating system

Note that DHCP and TFTP are unauthenticated, so a rogue DHCP server on the same network segment can hand PXE clients its own boot image; PXE should be confined to trusted provisioning networks.

Bootloader

There are several bootloaders, but GRUB2 (Grand Unified Bootloader version 2) is the most commonly used. It is responsible for selecting and launching the Linux kernel. When the computer starts:

  • The firmware hands control to GRUB2
  • GRUB2 reads its configuration from /boot/grub/grub.cfg (or /boot/grub2/grub.cfg on Red Hat-style systems), which lists the available kernels and their options
  • GRUB2 displays the boot menu: the user selects the OS or kernel if several are available
  • GRUB2 loads the kernel and the initrd into memory and hands control to the kernel

Do not edit grub.cfg by hand: set options in /etc/default/grub, then regenerate grub.cfg with update-grub (Debian and Ubuntu) or grub2-mkconfig -o /boot/grub2/grub.cfg (Red Hat-style systems). Anyone with console access can edit kernel parameters from the GRUB menu (for example to boot with init=/bin/bash and reset the root password), so set a GRUB password on machines where that matters.

Initial RAM Disk (initrd)

initrd.img is a temporary root filesystem that is loaded into memory before the real root filesystem is mounted. it contains the tools needed for booting. It is typically located at /boot/initrd.img. It can be managed using tools like mkinitramfs and dracut depending on the Linux distro.

Kernel

The kernel is the main component of the operating system. It manages the hardware, processes, memory, and system resources. Kernel behavior can be adjusted at runtime with sysctl, which reads and writes parameters exposed under /proc/sys. Changes made with sysctl -w are lost at reboot; to make them permanent, put them in /etc/sysctl.conf or a file in /etc/sysctl.d/ and apply them with sysctl -p (or sysctl --system to load all files). The kernel also starts the first process: init.
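As an added example (not from the original notes), this script reads kernel parameters through /proc/sys, the same interface sysctl uses, and compares them against an expected baseline to report drift. The baseline values are a typical network-hardening set chosen for the example, not a list from the notes; adjust them to your own policy.

```bash
#!/usr/bin/env bash
# Added example: audit kernel parameters against a baseline via /proc/sys.
# The BASELINE values are illustrative hardening defaults, not a standard.
set -euo pipefail

# Read one parameter by dotted name (kernel.pid_max -> /proc/sys/kernel/pid_max).
# Prints the value, or returns 1 if the parameter does not exist on this
# kernel (module not loaded, feature compiled out).
sysctl_value() {
    local path="/proc/sys/${1//.//}"
    [ -r "$path" ] || return 1
    cat "$path"
}

# Compare one parameter with an expected value: prints "ok", "drift:<actual>"
# or "missing".
check_sysctl() {
    local actual
    if ! actual=$(sysctl_value "$1"); then echo missing; return 0; fi
    if [ "$actual" = "$2" ]; then echo ok; else echo "drift:$actual"; fi
}

# Audit a baseline given as "name=value" lines on stdin: print one
# "<status> <name>" per line and return 1 if anything is not ok.
audit_sysctl_baseline() {
    local line name value status rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        name="${line%%=*}"; value="${line#*=}"
        status=$(check_sysctl "$name" "$value")
        [ "$status" = ok ] || rc=1
        echo "$status $name"
    done
    return $rc
}

# Constructed baseline for the example (IPv4 network hardening plus one kernel knob):
BASELINE='net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter=1
kernel.kptr_restrict=1'

# Usage when run directly. To fix drift, put the same lines in
# /etc/sysctl.d/99-hardening.conf and run: sysctl --system
printf '%s\n' "$BASELINE" | audit_sysctl_baseline || echo "baseline not met"
```

Reading /proc/sys directly rather than parsing sysctl output keeps the check free of locale and formatting surprises, and "missing" is a distinct state on purpose: a parameter that does not exist (for example on a container without IPv4 forwarding support) should not be reported as compliant.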

init

The init system is the first process that start all other processes. It has a PID of 1. It is the parent of all other processes.

System Directories

The Filesystem Hierarchy Standard (FHS) specifies a set of guidelines for the names of files and directories and their locations on Linux systems.

Here are some important directories in a Linux system:

/ the root directory. It is the top level directory from which all other directories branch out.

/bin stores essential command line utilities and binaries

/boot contains the files necessary to boot the Linux OS: /boot/initrd.img, /boot/vmlinuz, /boot/grub/grub.cfg

/dev holds device files (nodes) through which programs talk to the kernel's drivers: /dev/sda is the first disk and /dev/sdb the second, /dev/tty is the controlling terminal, /dev/null discards everything written to it, and /dev/random and /dev/urandom provide random bytes

/etc stores system-wide configuration files. Important files include /etc/passwd for user account details, /etc/shadow for password information, /etc/fstab for file system mount points, /etc/hosts for hostname to ip mappings, and /etc/ssh/sshd_config for SSH configuration.

/home stores users' home directories, including personal files. By default, every user is assigned a sub directory in the /home directory.

/lib stores shared program libraries required by the kernel, command-line utilities, and binaries

/media stores mount points for removable media such as USB drives and optical discs

/mnt refers to the mount point for temporary mounting file systems

/opt stores optional files for large software packages

/proc is a virtual filesystem that presents continually updated kernel and process information as files. For example: /proc/cpuinfo for CPU details, /proc/meminfo for memory usage, /proc/uptime for system uptime, /proc/[PID]/ for information about each running process, and /proc/sys/ for tunable kernel parameters. The /proc directory is important for monitoring and troubleshooting system performance.

/root represents the home directory of the root user

/sbin stores binaries used for completing the booting process which are also used by the root user (/sbin/fsck, /sbin/reboot, /sbin/iptables, /sbin/mount)

/sys stores information about devices

/tmp stores temporary files that may be lost on system shutdown

/usr stores shareable, read-only data: installed programs, libraries, and documentation. /usr/bin contains programs that can be executed by all users, and /usr/local is where locally built or custom applications are installed by default, so that they do not conflict with the distribution's own packages.

/var stores variable files, or files that are expected to constantly change as the system runs. It includes /var/log for logs, /var/mail for mail storage, /var/www for websites.

Environment Variables

The $ is used to expand a variable. For example echo $USER prints the username stored in the variable USER. A few more useful user variables besides USER: HOME holds the path of the user's home directory, SHELL holds the command-line interpreter for the current environment, and PS1 defines the style and content of the command prompt.

PATH and DISPLAY are common system variables on Linux systems. PATH is the colon-separated list of directories searched, in order, to find an executable when a command is entered in the terminal; a writable or relative entry (such as . or an empty element) lets another user plant a binary that runs instead of the intended one. DISPLAY tells graphical applications which X display to send their output to.
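Because PATH decides which binary runs, it is worth checking. The following added example (not part of the original notes) walks a PATH value entry by entry and flags the ones that let someone else choose the binary: empty or relative entries (which mean the current directory), directories that do not exist, and world-writable directories. The PATH strings in the usage lines are constructed for the example; pass "$PATH" to check the live one.

```bash
#!/usr/bin/env bash
# Added example: flag risky PATH entries. Assumes GNU coreutils (stat -c).
set -euo pipefail

# Print one "<reason>:<entry>" line per risky entry of the PATH string in $1,
# in order. Reasons: empty, relative, missing, world-writable, writable-by-me
# (the last only when not root: it matters when reviewing root's PATH from an
# unprivileged account). Entries that pass print nothing.
path_risks() {
    local rest="$1" entry mode
    while :; do
        entry="${rest%%:*}"
        if [ -z "$entry" ]; then
            echo "empty:"                      # "" means the current directory
        elif [ "${entry#/}" = "$entry" ]; then
            echo "relative:$entry"             # ".", "bin", ... resolve from cwd
        elif [ ! -d "$entry" ]; then
            echo "missing:$entry"              # harmless now, hijackable if created
        else
            mode=$(stat -c '%a' "$entry")
            # World-writable is enough to plant a new "ls" or "sudo"; the sticky
            # bit does not help here because no existing file has to be replaced.
            if [ $(( 8#$mode & 2 )) -ne 0 ]; then
                echo "world-writable:$entry"
            elif [ "$(id -u)" -ne 0 ] && [ -w "$entry" ]; then
                echo "writable-by-me:$entry"
            fi
        fi
        [ "$rest" = "$entry" ] && break        # no ':' left, last entry handled
        rest="${rest#*:}"
    done
}

# Which binary a bare command name would resolve to under the given PATH.
resolve_in_path() {
    PATH="$1" command -v "$2" || true
}

# Usage when run directly (constructed PATH values):
path_risks '.:/usr/bin::/tmp'
path_risks "$PATH"
resolve_in_path '/usr/bin:/bin' ls
```

The same walk is what a cron job or a service file should be checked against: those run with their own PATH, often not the one you tested from an interactive shell.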

Input and Output Redirection

< redirects the content of a file to a command's standard input

<< (here-document) allows embedding multi-line input in a command

<<< (here-string) passes a single string as input to a command

> redirects output to a file and overwrites the existing content

>> appends output to the end of a file

2> and 2>> redirect standard error (file descriptor 2) to a separate file

&> captures both standard output and standard error into a file (Bash syntax); the portable form is > file 2>&1, and the order matters: 2>&1 > file sends errors to the original stdout, not the file

Command history

history displays the commands entered in the current session together with those saved from previous sessions in ~/.bash_history. Anything typed on a command line, including passwords or tokens passed as arguments, ends up there, so avoid putting secrets in arguments.

!! repeats the last command

!<string> executes the most recent command that starts with the given string

alias allows personalizing shortcuts for long commands

More

uname provides essential details about the system such as the operating system, kernel version, and hardware architecture; uname -a shows everything at once.

source executes a script in the current shell session instead of a subshell, so the variables it sets persist. For example, environment variables can be updated with source without logging the user out. Ex: source ~/.bashrc to reload the shell configuration.