Managing user accounts and groups is an essential part of system
administration within an organization. But to manage users effectively, a
good system administrator must understand what user accounts and groups
are and how they work.
User accounts are used within computer environments to verify the
identity of the person using a computer system. By checking the identity
of a user, the system is able to determine if the user is permitted to log
into the system and, if so, which resources the user is allowed to
access.
Groups are logical constructs that can be used to cluster user
accounts together for a specific purpose. For instance, if a company has a
group of system administrators, they can all be placed in a system
administrator group with permission to access key resources and
machines. Also, through careful group creation and assignment of
privileges, access to restricted resources can be maintained for those who
need them and denied to others.
The ability for a user to access a machine is determined by whether or
not that user's account exists. Access to an application or file is
granted based on the permission settings for the file. The nature of the
access users have to their own systems and others on the network should be
determined by the organization's system administrators. This helps to
ensure the integrity of sensitive information and key resources against
accidental or purposeful harm by users.
User Accounts, Groups, and Permissions
After a normal user account is created, the user can log into the
system and access any applications or files they are permitted to
access. Red Hat Linux determines whether or not a user or group can access these
resources based on the permissions assigned to them.
There are three permissions for files, directories, and
applications. The following lists the symbols used to denote each, along
with a brief description:
r — Indicates that a given category of user can read a file.
w — Indicates that a given category of user can write to a file.
x — Indicates that a given category of user can execute the file.
A fourth symbol (-) indicates that no access is permitted.
Each of the three permissions is assigned to three defined
categories of users. The categories are:
owner — The owner of the file or application.
group — The group that owns the file or application.
everyone — All users with access to the system.
One can easily view the permissions for a file by invoking a long
format listing using the command ls -l. For instance,
if the user juan creates an executable
file named foo, the output of the command
ls -l foo would look like this:
-rwxrwxr-x 1 juan juan 0 Sep 26 12:25 foo
The permissions for this file are listed at the start of
the line, starting with rwx. This first set of symbols defines
owner access. The next set of rwx symbols defines group access,
with the last set of symbols defining access permitted for all other
users.
This listing indicates that the file is readable, writable, and
executable by the user who owns the file (user
juan) as well as the group owning the
file (which is a group named juan). The
file is also world-readable and world-executable, but not
world-writable.
One important point to keep in mind regarding permissions and user
accounts is that every application run on Red Hat Linux runs in the context of a
specific user. Typically, this means that if user
juan launches an application, the
application runs using user juan's
context. However, in some cases the application may need more access in
order to accomplish a task. Such applications include those that edit
system settings or log in users. For this reason, special permissions
have been created.
There are three such special permissions within Red Hat Linux. They are as
follows:
setuid — Used only for applications, this permission indicates that the
application runs as the owner of the file and not as the user running the
application. It is indicated by the character s in place of the x in the
owner category.
setgid — Used only for applications, this permission indicates that the
application runs as the group owning the file and not as the group running
the application. It is indicated by the character s in place of the x in
the group category.
sticky bit — Used primarily on directories, this bit dictates that a file
created in the directory can be removed only by the user who created the
file. It is indicated by the character t in place of the x in the everyone
category. In Red Hat Linux the sticky bit is set by default on the
/tmp/ directory for exactly this reason.
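As an added example (not part of the original text), the following Python code parses the mode column of an ls -l listing into the per-category permissions and the three special bits described above, and reports the user and group context a setuid or setgid program would run in. It goes slightly beyond the text by also handling uppercase S and T, which ls prints when a special bit is set without execute permission. The listing lines used in the comments and tests are constructed samples.

```python
# Parse the 10-character mode string printed by `ls -l` (e.g. "-rwxrwxr-x").
# Assumption: the first character is the file type, followed by three
# groups of three symbols for owner, group and everyone, in that order.

CATEGORIES = ("owner", "group", "everyone")


def parse_mode(mode: str) -> dict:
    """Return the file type, per-category read/write/execute flags,
    the setuid/setgid/sticky bits and the equivalent 4-digit octal mode."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    result = {"type": mode[0], "setuid": False, "setgid": False, "sticky": False}
    numeric = 0
    for i, cat in enumerate(CATEGORIES):
        r, w, x = mode[1 + 3 * i : 4 + 3 * i]
        # 's' (owner/group) or 't' (everyone) replaces 'x' when the special
        # bit is set; uppercase 'S'/'T' means the bit is set without execute.
        perms = {"read": r == "r", "write": w == "w", "execute": x in "xst"}
        if cat == "owner" and x in "sS":
            result["setuid"] = True
        elif cat == "group" and x in "sS":
            result["setgid"] = True
        elif cat == "everyone" and x in "tT":
            result["sticky"] = True
        result[cat] = perms
        numeric = numeric * 8 + (4 * perms["read"] + 2 * perms["write"] + perms["execute"])
    # Octal layout used by chmod: special bits (4=setuid, 2=setgid, 1=sticky)
    # followed by owner/group/everyone digits, e.g. "4755" or "1777".
    special = 4 * result["setuid"] + 2 * result["setgid"] + result["sticky"]
    result["octal"] = f"{special}{numeric:03o}"
    return result


def run_context(listing_line: str, user: str, group: str) -> tuple:
    """Given one full `ls -l` line (constructed sample:
    "-rwsr-xr-x 1 root root 0 Sep 26 12:25 foo") and the user and group
    launching the file, return the (user, group) the program runs as."""
    mode, _links, owner, file_group = listing_line.split()[:4]
    info = parse_mode(mode)
    effective_user = owner if info["setuid"] else user
    effective_group = file_group if info["setgid"] else group
    return effective_user, effective_group
```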
Usernames and UIDs, Groups and GIDs
Another point worth noting is that user account and group names
are primarily for people's convenience. Internally, the system uses
numeric identifiers. For users, this identifier is known as a
UID, while for groups the identifier is known
as a GID. Programs that make user or group
information available to users translate the UID/GID values into their
more human-readable counterparts. This fact is particularly important
when accessing shared media as discussed in the Section called The UID/GID Conundrum.
Since some system-level programs on Red Hat Linux run under a dedicated
UID, and some default system accounts have reserved UID numbers, all
UIDs and GIDs below 500 are reserved for system use. For more
information on these standard users and groups, see the chapter titled
Users and Groups in
Official Red Hat Linux Reference Guide.
When new user accounts are added using a user creation tool such
as /usr/sbin/useradd, they are assigned the first
available UID and GID starting at 500.
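As an added example (not from the original text), the Python code below applies the rules just described: it reads account lines in the passwd/group layout, tells reserved system IDs apart from normal ones, picks the first unused ID at or above 500, and translates a numeric ID back to a name the way display tools do. The account lines are constructed samples, not taken from a real system, and the gap-filling choice of ID follows the page's "first available" wording rather than any particular useradd implementation.

```python
# Constructed sample in the /etc/passwd layout (name:x:UID:GID:comment:home:shell).
# The group file uses the same first three fields (name:x:GID), so the parser
# below serves both.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
juan:x:500:500:Juan:/home/juan:/bin/bash
anna:x:501:501:Anna:/home/anna:/bin/bash
dave:x:503:503:Dave:/home/dave:/bin/bash
"""

FIRST_USER_ID = 500  # IDs below 500 are reserved for system use on Red Hat Linux


def parse_ids(text: str) -> dict:
    """Map each account name to its numeric ID (field 3 of a passwd/group line)."""
    ids = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        ids[fields[0]] = int(fields[2])
    return ids


def is_system_id(numeric_id: int) -> bool:
    """True for the reserved range used by system accounts and daemons."""
    return numeric_id < FIRST_USER_ID


def next_free_id(ids: dict) -> int:
    """First unused ID at or above 500 (this example fills gaps left by
    deleted accounts; assumption based on the page's wording)."""
    used = set(ids.values())
    candidate = FIRST_USER_ID
    while candidate in used:
        candidate += 1
    return candidate


def name_for_id(ids: dict, numeric_id: int) -> str:
    """Translate a numeric ID to its name for display; tools such as ls -l
    fall back to printing the bare number when no name is known."""
    for name, value in ids.items():
        if value == numeric_id:
            return name
    return str(numeric_id)
```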
User creation tools are discussed later in this chapter. But
before reviewing these tools, let us review the files Red Hat Linux uses to
define system accounts.