Linux Unit 4

Linux allows multiple users to use the system simultaneously. The administrator manages users and groups, assigning unique IDs and setting permissions. Users are identified by UID and stored in /etc/passwd, while passwords are hashed in /etc/shadow. Groups organize users and are identified by GID, stored in /etc/group. The administrator can create, modify, lock, and delete users and groups from the command line or using graphical tools like Users and Groups or the GNOME Control Center. Administrators belong to the sudo group on Ubuntu 12.04 and later or the admin group on earlier versions.

Uploaded by Adeefa Ansari

Unit 4

Working with Users, Groups and Permissions


Managing Users and Groups:
Linux is a multi-user operating system, which means that more than one user
can use the system at the same time. Linux provides a clean mechanism for
managing the users of a system, and one of the most important roles of a
system administrator is to manage its users and groups.

Linux user
A user (or account) of a system is uniquely identified by a number called the
UID (user ID, the unique identification number of the account). There are two
types of users: the root or super user and normal users. The root or super
user can access all files, while a normal user has limited access. A super
user can add, delete and modify user accounts. The full account information
is stored in the /etc/passwd file and the password hashes are stored in the
file /etc/shadow. Some operations on a user account are discussed below.

Creating a user with default settings: A user can be added by running the
useradd command at the command prompt. After creating the user, set a password
using the passwd utility, as follows:

[root@localhost bhargab]# useradd anirban
[root@localhost bhargab]# passwd anirban
Changing password for user anirban.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

The system automatically assigns a UID, creates the home directory
(/home/<username>) and sets the default shell to /bin/bash.

Creating a user with a specific UID: You can create a user with a custom UID with the
-u option, as follows:

[root@localhost bhargab]# useradd -u 1036 anirban


Creating a user with a non-default home directory: A non-default home directory can
be set with the -d option, as follows:

[root@localhost bhargab]# useradd -d /home/test anirban


Adding a user to a primary group and a supplementary group: A system
administrator can specify a primary group and a supplementary group with the
-g and -G options, respectively (both groups must already exist):

[root@localhost bhargab]# useradd -g "head" -G "faculty" anirban


Locking and unlocking a user: A super user can lock and unlock a user account. To
lock an account, invoke passwd with the -l option (this prefixes the password hash
in /etc/shadow with "!", so password logins fail while the account itself remains):

[root@localhost bhargab]# passwd -l anirban
Locking password for user anirban.
passwd: Success

The -u option of passwd unlocks the account, as shown below:

[root@localhost bhargab]# passwd -u anirban
Unlocking password for user anirban.
passwd: Success
Changing a user name: The -l option of the usermod command changes the login
(user) name, as shown below:

[root@localhost bhargab]# usermod -l "nishant" anirban

Removing a user: Combining userdel with the -r option drops a user together with
the home directory associated with that user, as shown below:

[root@localhost bhargab]# userdel -r nishant
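The fields the text describes (the UID in /etc/passwd, the hash in /etc/shadow, the home directory) are also what an administrator audits after creating and locking accounts. The shell script below is an added example, not part of the handout: it builds a constructed passwd/shadow pair and reports UID 0 accounts, locked accounts, accounts with an empty password field and accounts with a non-default home. It assumes the Linux conventions that regular users start at UID 1000 and that passwd -l marks a hash with a leading "!".

```shell
#!/bin/sh
# Added example (not from the handout). Audits a passwd/shadow pair using the
# fields the text describes. Assumptions: regular users have UID >= 1000 and
# passwd -l / usermod -L lock an account by prefixing its hash with "!".

# Write constructed sample files (not real system data) to the two given paths.
make_sample_accounts() {  # $1 = passwd path, $2 = shadow path
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
anirban:x:1036:1036::/home/test:/bin/bash
nishant:x:1037:1037::/home/nishant:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
EOF
  cat > "$2" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
anirban:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
nishant:$6$constructedsalt$constructedhash:19000:0:99999:7:::
backup::19000:0:99999:7:::
EOF
}

# Accounts whose UID (field 3) is 0: every one of them is a full super user.
uid0_accounts() {
  awk -F: '$3 == 0 { s = s (s ? " " : "") $1 } END { print s }' "$1"
}

# Accounts whose hash (field 2 of shadow) starts with "!", i.e. locked with passwd -l.
locked_accounts() {
  awk -F: 'substr($2, 1, 1) == "!" { s = s (s ? " " : "") $1 } END { print s }' "$1"
}

# Accounts with an empty hash field: no password is required at all.
empty_password_accounts() {
  awk -F: '$2 == "" { s = s (s ? " " : "") $1 } END { print s }' "$1"
}

# Regular users whose home (field 6) is not the default /home/<username>.
nondefault_home_accounts() {
  awk -F: '$3 >= 1000 && $6 != ("/home/" $1) { s = s (s ? " " : "") $1 } END { print s }' "$1"
}

# Stand-alone run on the constructed files.
tmpdir=$(mktemp -d)
make_sample_accounts "$tmpdir/passwd" "$tmpdir/shadow"
echo "UID 0 accounts:               $(uid0_accounts "$tmpdir/passwd")"
echo "Locked accounts:              $(locked_accounts "$tmpdir/shadow")"
echo "Empty password field:         $(empty_password_accounts "$tmpdir/shadow")"
echo "Non-default home (UID>=1000): $(nondefault_home_accounts "$tmpdir/passwd")"
rm -rf "$tmpdir"
```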

Linux group

A Linux group is a mechanism for organising a collection of users. Like the user ID,
each group is associated with a unique ID called the GID (group ID). There are two
types of groups: a primary group and supplementary groups. Each user is a member of
exactly one primary group and of zero or more supplementary groups. The group
information is stored in /etc/group and the corresponding group passwords are stored
in the /etc/gshadow file. Some operations on groups, such as creating, deleting and
modifying them, are discussed below.
Creating a group with default settings: To add a new group with default settings, run
the groupadd command as the root user, as shown below:

[root@localhost bhargab]# groupadd employee

If you wish to set a group password, run gpasswd with the group name, as follows:

[root@localhost bhargab]# gpasswd employee
Changing the password for group employee
New Password:
Re-enter new password:
Creating a group with a specified GID: To explicitly specify the GID of a group,
execute the groupadd command with the -g option, as follows:

[root@localhost bhargab]# groupadd -g 1200 manager

Removing a group password: To remove a group password, run gpasswd -r with the
relevant group name, as follows:

[root@localhost bhargab]# gpasswd -r employee

Changing the group's name: To change the group's name, run the groupmod command
with the -n option as a super user, as shown below:

[root@localhost bhargab]# groupmod -n hrmanager employee

Changing the group's GID: To change the GID of a group, run the groupmod command
with the -g option, as follows:

[root@localhost bhargab]# groupmod -g 1050 manager

Deleting a group: Before deleting a group that is the primary group of some users,
delete those users (groupdel refuses to remove a user's primary group). To delete a
group, run the groupdel command with the group name, as shown below:

[root@localhost bhargab]# groupdel employee


Using Graphical Tools for User and Group Management

Gnome System Tools for Ubuntu 11.10 and later
The old Users and Groups GUI is available by installing the gnome-system-tools
package from the Software Center or from a terminal:

sudo apt-get install gnome-system-tools

Search for "Users and Groups" in the Dash and click the result to run the Users and
Groups applet.

Being an Administrator Consists of (Specific) Group Membership

Before actually managing users and groups, if you want to make one or more users
administrators, you should know what it means to be an administrator in Ubuntu.
An administrator can run commands as root in two ways:

• With sudo.
• With PolicyKit. (By default, PolicyKit is not present on Ubuntu Server systems.)

This power is conferred on users by membership in the appropriate group:

• In Ubuntu 11.10 and earlier, administrators are members of the admin group.
• In Ubuntu 12.04 LTS and later, administrators are members of the sudo group.

There are a couple of complexities:

• The sudo group exists in 11.10 and earlier; it's just not used (by default).
• The admin group doesn't exist on a freshly installed 12.04 system, but it continues to exist
(and its members continue to have administrative abilities) on Ubuntu 12.04 systems
upgraded from previous releases.

Therefore, here are some reasonable guidelines for how to make a user an administrator in
Ubuntu:

• If you're running Ubuntu 11.10 or earlier, just put the user in the admin group.
• If you're running Ubuntu 12.04 LTS (or later), put the user in the sudo group, and if
the admin group exists, put the user there too.

You have a few options for managing users and groups.

Install and Run the Classic "Users and Groups" Utility

You'll perhaps be happy to hear that (as John S Gruber has pointed out) the old GUI utility for
managing users and groups still exists, though you may have to install the package that provides
it. I'm talking about the utility that was invoked in menu-driven interfaces
via System > Administration > Users and Groups.

This classic utility is provided by the gnome-system-tools package, which you can
install in the Software Center by clicking that link, or in the Terminal by running these
commands:

sudo apt-get update
sudo apt-get install gnome-system-tools

The name of the Users and Groups utility is users-admin, so you can find it normally in your
graphical interface, or you can run it manually with that name. That is, here are some ways to
run the utility once it's installed:

• Press Alt+F2. Type users-admin. Press Enter.
• Press Ctrl+Alt+T. Type users-admin. Press Enter.
• In Unity, start to type users and groups. So long as gnome-system-tools is installed, the Users
and Groups utility will come up.
• If you use a desktop environment that has menus, find Users and Groups in
the Administration, System Tools, or Preferences menu.

But don't run sudo users-admin, or even gksu/gksudo/kdesudo users-admin. users-admin will
actually not work when run as root. (It is designed to use PolicyKit rather than sudo to gain the
necessary privileges to create and modify users and groups on the system.)
On some Ubuntu variants, such as Lubuntu, users-admin is already installed and is the standard
way to manage users and groups.

Use GNOME Control Center to Manage Users and Groups

The new, standard way to manage users and groups is with the GNOME Control Center,
accessible from the session menu. Click the gear icon in the top panel (at the upper-right
corner of the screen), and click System Settings....
In System Settings (also called the GNOME Control Center), click User Accounts (it's near
the bottom, in the "System" category).
You can then manage users, including what groups they're members of, with this part of the
GNOME Control Center.

Use Command-Line Utilities

If you...

• are running Ubuntu Server, or some other Ubuntu system with no GUI, or
• just prefer to use command-line utilities, or
• are running some weird desktop environment that doesn't come with a graphical utility to
manage users and groups

...then you can manage users and groups from the command line.

The recommended utility for adding a user from the command line (in Ubuntu, and also in
Debian and other Debian-based OSes) is adduser. The simplest way to use it is just to run:

sudo adduser --add_extra_groups username

• You may be prompted for your password first (that's how sudo works).
• Then you're asked a series of questions. Besides their real name and password, if you don't
have an answer to any of the questions, just press Enter.
• The user is made a member of the default groups for user accounts that represent real
human beings but do not have administrative powers.
To make a user an administrator from the command-line, just add them to the appropriate
group. usermod is an excellent utility for this purpose. The -G flag means you're specifying one
or more new groups, and the -a flag means you're adding these to whatever groups the user is
already a member of, rather than replacing the old list of groups with a new one.
Depending on what version of Ubuntu you're running (as detailed above), use one or both of
these commands:

sudo usermod -a -G sudo username
sudo usermod -a -G admin username

You can edit users by going under System Settings (either search for it in the Dash, or select it
as the first entry under the power cog) and selecting User Accounts.
Alternatively, you may search the Ubuntu Software Center or use apt-get to install the
gnome-system-tools package, then run users-admin afterwards to get to working with groups (source).

Introduction to SSSD
7.1.1. How SSSD Works
The System Security Services Daemon (SSSD) is a system service to access remote
directories and authentication mechanisms. It connects a local system (an
SSSD client) to an external back-end system (a provider). This provides the SSSD
client with access to identity and authentication remote services using an SSSD
provider. For example, these remote services include: an LDAP directory, an
Identity Management (IdM) or Active Directory (AD) domain, or a Kerberos realm.

For this purpose, SSSD:

1. Connects the client to an identity store to retrieve authentication
information.
2. Uses the obtained authentication information to create a local cache of
users and credentials on the client.

Users on the local system are then able to authenticate using the user accounts
stored in the external back-end system.

SSSD does not create user accounts on the local system. Instead, it uses the
identities from the external data store and lets the users access the local system.

Figure 7.1. How SSSD works

SSSD can also provide caches for several system services, such as Name Service
Switch (NSS) or Pluggable Authentication Modules (PAM).

7.1.2. Benefits of Using SSSD


Reduced load on identity and authentication servers
When requesting information, SSSD clients contact SSSD, which checks its
cache. SSSD contacts the servers only if the information is not available in
the cache.

Offline authentication
SSSD optionally keeps a cache of user identities and credentials retrieved
from remote services. In this setup, users can successfully authenticate to
resources even if the remote server or the SSSD client are offline.

A single user account: improved consistency of the authentication process
With SSSD, it is not necessary to maintain both a central account and a
local user account for offline authentication.

Remote users often have multiple user accounts. For example, to connect to
a virtual private network (VPN), remote users have one account for the local
system and another account for the VPN system.

Thanks to caching and offline authentication, remote users can connect to
network resources simply by authenticating to their local machine. SSSD
then maintains their network credentials.

CONFIGURING SERVICES: NSS


SSSD provides an NSS module, sssd_nss, which instructs the system to use SSSD to
retrieve user information. The NSS configuration must include a reference to the SSSD
module, and then the SSSD configuration sets how SSSD interacts with NSS.

About NSS Service Maps and SSSD


The Name Service Switch (NSS) provides a central configuration for services to look up a
number of configuration and name resolution services. NSS provides one method of
mapping system identities and services with configuration sources.

SSSD works with NSS as a provider for several types of NSS maps:

• Passwords (passwd)
• User groups (shadow)
• Groups (groups)
• Netgroups (netgroups)
• Services (services)

Procedure 13.1. Configuring NSS Services to Use SSSD

NSS can use multiple identity and configuration providers for any and all of its service
maps. The default is to use system files for services; for SSSD to be included,
the nss_sss module has to be included for the desired service type.

1. Use the Authentication Configuration tool to enable SSSD. This automatically
   configures the nsswitch.conf file to use SSSD as a provider.

   ~]# authconfig --enablesssd --update

   This automatically configures the password, shadow, group, and netgroup
   service maps to use the SSSD module:

   passwd: files sss
   shadow: files sss
   group: files sss
   netgroup: files sss

2. The services map is not enabled by default when SSSD is enabled with authconfig.
   To include that map, open the nsswitch.conf file and add the sss module to
   the services map:

   ~]# vim /etc/nsswitch.conf
   ...
   services: files sss
   ...

Procedure 13.2. Configuring SSSD to Work with NSS

The options and configuration that SSSD uses to service NSS requests are configured in
the SSSD configuration file, in the [nss] services section.

1. Open the sssd.conf file.

   ~]# vim /etc/sssd/sssd.conf

2. Make sure that NSS is listed as one of the services that works with SSSD.

   [sssd]
   config_file_version = 2
   reconnection_retries = 3
   sbus_timeout = 30
   services = nss, pam

3. In the [nss] section, change any of the NSS parameters. These are listed
   in Table 13.2, "SSSD [nss] Configuration Parameters".

   [nss]
   filter_groups = root
   filter_users = root
   reconnection_retries = 3
   entry_cache_timeout = 300
   entry_cache_nowait_percentage = 75

4. Restart SSSD.

   ~]# service sssd restart
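The two procedures above edit nsswitch.conf and sssd.conf by hand. The script below is an added example (not part of the Red Hat documentation quoted here) that checks the outcome on constructed copies of both files: which of the five NSS maps still lack the sss module, and whether nss is among the services in the [sssd] section.

```shell
#!/bin/sh
# Added example (not part of the Red Hat procedure above). Checks the two things
# Procedures 13.1 and 13.2 edit, on constructed copies of the files: which NSS
# maps still lack the sss module, and whether nss is among the services in the
# [sssd] section of sssd.conf.

# Constructed files (not taken from a real host): a nsswitch.conf as authconfig
# leaves it (services map not yet edited), the same file after step 2, and an
# sssd.conf with the settings from Procedure 13.2.
make_sample_sssd_files() {  # $1 = directory
  cat > "$1/nsswitch.conf" <<'EOF'
# constructed sample
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
netgroup:   files sss
services:   files
EOF
  sed 's/^\(services:.*files\)$/\1 sss/' "$1/nsswitch.conf" > "$1/nsswitch.fixed"
  cat > "$1/sssd.conf" <<'EOF'
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam

[nss]
filter_groups = root
filter_users = root
entry_cache_timeout = 300
EOF
}

# Print the maps (of the five the text lists) that do not reference the sss module.
maps_missing_sss() {  # $1 = path to an nsswitch.conf
  awk '
    /^[ \t]*#/ { next }
    $1 ~ /^(passwd|shadow|group|netgroup|services):$/ {
      m = $1; sub(/:$/, "", m)
      for (i = 2; i <= NF; i++) if ($i == "sss") has[m] = 1
    }
    END {
      n = split("passwd shadow group netgroup services", want, " ")
      for (i = 1; i <= n; i++) if (!(want[i] in has)) out = out (out ? " " : "") want[i]
      print out
    }' "$1"
}

# Print the services listed in the [sssd] section of sssd.conf, space separated.
sssd_services() {  # $1 = path to an sssd.conf
  awk -F= '
    /^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section); next }
    section == "[sssd]" && $1 ~ /^[ \t]*services[ \t]*$/ {
      n = split($2, v, ",")
      for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", v[i]); out = out (out ? " " : "") v[i] }
    }
    END { print out }' "$1"
}

# Exit 0 when nss is among the configured services.
nss_enabled() {  # $1 = path to an sssd.conf
  case " $(sssd_services "$1") " in *" nss "*) return 0 ;; esac
  return 1
}

tmpdir=$(mktemp -d)
make_sample_sssd_files "$tmpdir"
echo "maps without sss (before step 2): $(maps_missing_sss "$tmpdir/nsswitch.conf")"
echo "maps without sss (after step 2):  $(maps_missing_sss "$tmpdir/nsswitch.fixed")"
echo "sssd services: $(sssd_services "$tmpdir/sssd.conf")"
if nss_enabled "$tmpdir/sssd.conf"; then echo "nss responder enabled"; else echo "nss responder NOT enabled"; fi
rm -rf "$tmpdir"
```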


Pluggable Authentication Module (PAM):
A pluggable authentication module (PAM) is an application programming interface
(API) for authentication-related services, which permits system administrators to
add new authentication methods by installing PAMs and to modify authentication
policies by editing the configuration files.

A pluggable authentication module (PAM) is a mechanism that integrates multiple
low-level authentication schemes into a high-level API, permitting programs that
rely on authentication to be written independently of the underlying
authentication schemes. PAM was initially proposed in 1995 by Vipin Samar and
Charlie Lai of Sun Microsystems. It was later adopted as an authentication
framework for the Common Desktop Environment.
PAM uses a pluggable, modular architecture, which affords the system administrator a
great deal of flexibility in setting authentication policies for the system.

Advantages of PAM

PAM offers the following advantages:

o a common authentication scheme that can be used with a wide variety of
applications.

o significant flexibility and control over authentication for both system
administrators and application developers.

o a single, fully-documented library which allows developers to write programs
without having to create their own authentication schemes.

PAM Configuration Files

The /etc/pam.d/ directory contains the PAM configuration files for each PAM-aware
application.

PAM Configuration File Format

Each PAM configuration file contains a group of directives formatted as follows:

<module interface> <control flag> <module name> <module arguments>

Module Interface
Four types of PAM module interface are currently available. Each of these corresponds
to a different aspect of the authorization process:

o auth — This module interface authenticates users. For example, it requests and
verifies the validity of a password.

o account — This module interface verifies that access is allowed. For example, it
may check if a user account has expired or if a user is allowed to log in at a
particular time of day.

o password — This module interface is used for changing user passwords.

o session — This module interface configures and manages user sessions.
Modules with this interface can also perform additional tasks that are needed to
allow access, like mounting a user's home directory and making the user's
mailbox available.

Control Flag
All PAM modules generate a success or failure result when called. Control flags tell PAM
what to do with the result. Modules can be stacked in a particular order, and the control
flags determine how important the success or failure of a particular module is to the
overall goal of authenticating the user to the service.

There are four predefined control flags:

o required — The module result must be successful for authentication to
continue. If the test fails at this point, the user is not notified until the results of
all module tests that reference that interface are complete.

o requisite — The module result must be successful for authentication to
continue. However, if a test fails at this point, the user is notified immediately
with a message reflecting the first failed required or requisite module test.

o sufficient — The module result is ignored if it fails. However, if the result of a
module flagged sufficient is successful and no previous modules
flagged required have failed, then no other results are required and the user is
authenticated to the service.

o optional — The module result is ignored. A module flagged as optional only
becomes necessary for successful authentication when no other modules
reference the interface.
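The control-flag rules above can be checked by simulating a stack. The script below is an added example (not from the handout and not PAM code): a POSIX shell function that walks a stack of constructed /etc/pam.d-style lines, each extended with a constructed success/fail result for its module, and returns the verdict PAM would reach under the required, requisite, sufficient and optional rules.

```shell
#!/bin/sh
# Added example (not from the handout). Simulates how PAM combines the results of
# a stack of modules under the four control flags described above. Each input
# line on stdin mimics an /etc/pam.d entry plus one constructed column, the
# module's simulated result:
#     <interface> <control flag> <module name> <success|fail>
# Assumption of this simulator: only required/requisite/sufficient/optional are
# handled (no include, substack or [value=action] syntax, no module arguments).
pam_stack_result() {
  failed=0          # set once a "required" module has failed
  decided=0         # set once any non-optional module has been seen
  optional_last=""  # result of the last "optional" module, if any
  while read -r iface flag module result; do
    case "$iface" in ""|\#*) continue ;; esac      # skip blank and comment lines
    case "$result" in success|fail) ;; *) echo "bad line: $iface $flag $module $result" >&2; return 2 ;; esac
    case "$flag" in
      required)
        decided=1
        # failure is remembered, but the stack keeps running so that the user
        # cannot tell which module rejected them
        [ "$result" = success ] || failed=1 ;;
      requisite)
        decided=1
        # failure stops the stack immediately
        if [ "$result" != success ]; then echo PAM_AUTH_ERR; return 1; fi ;;
      sufficient)
        decided=1
        # success ends the stack early unless an earlier required module failed;
        # failure is simply ignored
        if [ "$result" = success ] && [ "$failed" -eq 0 ]; then echo PAM_SUCCESS; return 0; fi ;;
      optional)
        optional_last=$result ;;
      *)
        echo "unknown control flag: $flag" >&2; return 2 ;;
    esac
  done
  # an optional module only decides when nothing else referenced the interface
  if [ "$decided" -eq 0 ] && [ -n "$optional_last" ]; then
    if [ "$optional_last" = success ]; then echo PAM_SUCCESS; return 0; fi
    echo PAM_AUTH_ERR; return 1
  fi
  if [ "$failed" -eq 0 ]; then echo PAM_SUCCESS; return 0; fi
  echo PAM_AUTH_ERR; return 1
}

# Constructed auth stack in the /etc/pam.d style: pam_unix.so is sufficient and
# succeeds, so pam_deny.so at the end is never consulted.
demo_stack='auth    required    pam_env.so      success
auth    sufficient  pam_unix.so     success
auth    required    pam_deny.so     fail'
echo "stack 1: $(printf '%s\n' "$demo_stack" | pam_stack_result)"   # PAM_SUCCESS

# Same idea, but an earlier required module failed: sufficient no longer
# short-circuits and the final verdict is a failure.
demo_stack2='auth    required    pam_env.so      fail
auth    sufficient  pam_unix.so     success'
echo "stack 2: $(printf '%s\n' "$demo_stack2" | pam_stack_result)"  # PAM_AUTH_ERR
```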

Module Name
The module name provides PAM with the name of the pluggable module containing the
specified module interface. In older versions of Red Hat Enterprise Linux, the full path to
the module was provided in the PAM configuration file. However, since the advent
of multilib systems, which store 64-bit PAM modules in
the /lib64/security/ directory,

Module Arguments
PAM uses arguments to pass information to a pluggable module during authentication
for some modules.

For example, the pam_userdb.so module uses information stored in a Berkeley DB
file to authenticate the user. Berkeley DB is an open source database system embedded
in many applications. The module takes a db argument so that Berkeley DB knows which
database to use for the requested service.

Linux is a clone of UNIX, the multi-user operating system which can be accessed
by many users simultaneously. Linux can also be used on mainframes and servers
without any modifications. But this raises security concerns, as an unauthorised
or malicious user can corrupt, change or remove crucial data. For effective
security, Linux divides authorization into 2 levels:

1. Ownership
2. Permission

Ownership of Linux files

Every file and directory on your Unix/Linux system is assigned 3 types of owner,
given below.

User

A user is the owner of the file. By default, the person who created a file becomes
its owner. Hence, a user is also sometimes called an owner.

Group

A user group can contain multiple users. All users belonging to a group will have
the same access permissions to the file. Suppose you have a project where a number
of people require access to a file. Instead of manually assigning permissions to
each user, you could add all users to a group and assign group permission to the
file, such that only the members of this group and no one else can read or modify
the files.

Other

Any other user who has access to a file. This person has neither created the file,
nor does he belong to a user group that could own the file. Practically, it means
everybody else. Hence, when you set the permission for others, it is also referred
to as setting permissions for the world.

Permissions

Every file and directory in your UNIX/Linux system has the following 3 permissions
defined for all 3 of the owners discussed above.

• Read: This permission gives you the authority to open and read a file. Read
permission on a directory gives you the ability to list its contents.
• Write: The write permission gives you the authority to modify the contents of a
file. The write permission on a directory gives you the authority to add, remove
and rename files stored in the directory. Consider a scenario where you have write
permission on a file but do not have write permission on the directory where the
file is stored. You will be able to modify the file contents, but you will not be
able to rename, move or remove the file from the directory.
• Execute: In Windows, an executable program usually has the extension ".exe",
which you can easily run. In Unix/Linux, you cannot run a program unless the
execute permission is set. If the execute permission is not set, you might still be
able to see or modify the program code (provided read and write permissions are
set), but not run it.
Running ls -l in a terminal lists the files with their permission strings. Take the
highlighted entry '-rw-rw-r--': this odd-looking code tells us the permissions given
to the owner, the user group and the world.

• The first '-' implies that the entry is a regular file. If it were a directory, a 'd'
would have been shown instead.

The first part of the code is 'rw-'. This says that the owner 'Home' can:

• Read the file
• Write or edit the file

He cannot execute the file, since the execute bit is set to '-'.

By design, many Linux distributions like Fedora, CentOS, Ubuntu, etc. will add a user
to a group with the same name as the user name. Thus, a user 'tom' is added to a
group named 'tom'.

The second part is 'rw-'. It is for the user group 'Home', and group members can:

• Read the file
• Write or edit the file

The third part is for the world, which means any user. It says 'r--'. This means any
other user can only:

• Read the file

Changing file/directory permissions with the 'chmod' command

We can use the 'chmod' command, which stands for 'change mode'. Using the command,
we can set permissions (read, write, execute) on a file/directory for the owner,
group and the world. Syntax:

chmod permissions filename

There are 2 ways to use the command:

1. Absolute mode
2. Symbolic mode

Absolute (Numeric) Mode

In this mode, file permissions are not represented as characters but as a
three-digit octal number.

The table below gives the numbers for all permission types.

Number  Permission Type          Symbol
0       No Permission            ---
1       Execute                  --x
2       Write                    -w-
3       Execute + Write          -wx
4       Read                     r--
5       Read + Execute           r-x
6       Read + Write             rw-
7       Read + Write + Execute   rwx

Let's see the chmod command in action. In the terminal session shown in the
original handout, the permissions of the file 'sample' were changed to '764':

chmod 764 sample

The absolute code '764' says the following:

• Owner can read, write and execute
• User group can read and write
• World can only read

This is shown by ls -l as '-rwxrw-r--'.

This is how you can change the permissions on a file by assigning an absolute number.

Symbolic Mode

In the absolute mode, you change permissions for all 3 owners. In the symbolic mode,
you can modify the permissions of a specific owner. It makes use of mathematical
symbols to modify the file permissions.

Operator  Description
+         Adds a permission to a file or directory
-         Removes the permission
=         Sets the permission and overrides the permissions set earlier.

The various owners are represented as:

User  Denotation
u     user/owner
g     group
o     other
a     all

We will not be using permissions in numbers like 755 but characters like rwx.
Let's look into an example.
Access Control Lists (ACL) in Linux
https://www.geeksforgeeks.org/access-control-listsacl-linux/

What is ACL?
An access control list (ACL) provides an additional, more flexible permission
mechanism for file systems. It is designed to assist with UNIX file
permissions. ACL allows you to give permissions for any user or group to
any disc resource.
Use of ACL:
Think of a scenario in which a particular user is not a member of a group
created by you, but you still want to give that user some read or write access.
How can you do it without making the user a member of the group? This is where
Access Control Lists come into the picture; ACLs help us do this trick.
Basically, ACLs are used to make a flexible permission mechanism in Linux.
From the Linux man pages, ACLs are used to define more fine-grained
discretionary access rights for files and directories.
setfacl and getfacl are used for setting up an ACL and showing an ACL
respectively.
For example:
getfacl test/declarations.h
Output:
# file: test/declarations.h
# owner: mandeep
# group: mandeep
user::rw-
group::rw-
other::r--
List of commands for setting up ACL:
1) To add permissions for a user
setfacl -m "u:user:permissions" /path/to/file

2) To add permissions for a group
setfacl -m "g:group:permissions" /path/to/file

3) To allow all files or directories to inherit ACL entries from the directory
they are within
setfacl -dm "entry" /path/to/dir

4) To remove a specific entry
setfacl -x "entry" /path/to/file

5) To remove all entries
setfacl -b /path/to/file
For example:
setfacl -m u:mandeep:rwx test/declarations.h
Modifying ACL using setfacl:
To add permissions for a user (user is either the user name or ID):
# setfacl -m "u:user:permissions"
To add permissions for a group (group is either the group name or ID):
# setfacl -m "g:group:permissions"
To allow all files or directories to inherit ACL entries from the directory they are
within:
# setfacl -dm "entry"

Example:
setfacl -m u:mandeep:r-x test/declarations.h
(Screenshot in the original handout: output of setfacl and getfacl)

View ACL:
To show permissions:
# getfacl filename
Observe the difference between the output of the getfacl command before and
after setting up ACL permissions using the setfacl command.
There is one extra line added for user mandeep, which is highlighted in the
screenshot above.
(Screenshot in the original handout: getfacl output after changing permissions)

The above command changes the permissions for user mandeep from rwx to r-x.

Remove ACL:
If you want to remove the set ACL permissions, use the setfacl command with
the -b option.
For example:
(Screenshot in the original handout: setfacl -b removing the set permissions)

If you compare the output of the getfacl command before and after using the setfacl
command with the -b option, you can observe that there is no longer an entry
for user mandeep in the later output.
You can also check if there are any extra permissions set through ACL
using the ls command.
(Screenshot in the original handout: ls -l showing the "+" ACL marker)

Observe the first command output in the screenshot: there is an extra "+" sign after
the permissions, like -rw-rwxr--+, which indicates there are extra ACL
permissions set, which you can check with the getfacl command.
Using Default ACL:
The default ACL is a specific type of permission assigned to a directory
that doesn't change the permissions of the directory itself, but makes it so
that the specified ACLs are set by default on all the files created inside of it.
Let's demonstrate it: first we are going to create a directory and assign a
default ACL to it by using the -d option:
$ mkdir test && setfacl -d -m u:dummy:rw test
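The getfacl listings above are easy to eyeball for one file, but the entries that matter in a review are the ones beyond the owner/group/other triple. The script below is an added example (not from the handout and not part of the acl package): it parses constructed getfacl output and lists the named user and group entries together with the permission that is actually effective once the ACL mask is applied, plus the named default entries a directory will pass on to new files. The mask rule (a bit in a named entry only takes effect if it is also set in the mask entry) is standard POSIX ACL behaviour that the handout does not mention.

```shell
#!/bin/sh
# Added example (not from the handout). Reads getfacl output and lists the entries
# that go beyond the classic owner/group/other triple: named user and group entries
# (with the effective permission after the mask is applied) and named default
# entries inherited by new files in a directory. Input is a constructed copy of
# getfacl output, so nothing here needs a real file system with ACL support.

# Constructed getfacl output for the handout's test/declarations.h after
# "setfacl -m u:mandeep:rwx" followed by a chmod that narrowed the mask to r-x.
make_sample_getfacl_file() {  # $1 = path
  cat > "$1" <<'EOF'
# file: test/declarations.h
# owner: mandeep
# group: mandeep
user::rw-
user:mandeep:rwx
group::rw-
mask::r-x
other::r--
EOF
}

# Constructed getfacl output for the directory after "setfacl -d -m u:dummy:rw test".
make_sample_getfacl_dir() {  # $1 = path
  cat > "$1" <<'EOF'
# file: test
# owner: mandeep
# group: mandeep
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:dummy:rw-
default:group::r-x
default:mask::rwx
default:other::r-x
EOF
}

# Named user/group entries, each followed by the permission that is actually
# effective: a bit is only effective if it is set in both the entry and the mask.
acl_named_entries() {  # $1 = file holding getfacl output
  awk -F: '
    /^#/ || NF == 0 { next }
    $1 == "mask" { mask = $3; next }
    ($1 == "user" || $1 == "group") && $2 != "" { n++; tag[n] = $1; who[n] = $2; perm[n] = $3 }
    END {
      for (i = 1; i <= n; i++) {
        line = tag[i] ":" who[i] ":" perm[i]
        if (mask != "") {
          eff = ""
          for (j = 1; j <= 3; j++)
            eff = eff (substr(perm[i], j, 1) == substr(mask, j, 1) ? substr(mask, j, 1) : "-")
          line = line " effective:" eff
        }
        print line
      }
    }' "$1"
}

# Named default entries: the ACLs new files inside the directory will start with.
acl_default_named_entries() {  # $1 = file holding getfacl output
  awk -F: '$1 == "default" && $3 != "" { print }' "$1"
}

tmpdir=$(mktemp -d)
make_sample_getfacl_file "$tmpdir/file.acl"
make_sample_getfacl_dir "$tmpdir/dir.acl"
echo "named entries on the file:"; acl_named_entries "$tmpdir/file.acl"
echo "named default entries on the directory:"; acl_default_named_entries "$tmpdir/dir.acl"
rm -rf "$tmpdir"
```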
