Managing user accounts and groups is an essential part of system administration within an organization. But to manage users effectively, a good system administrator must understand what user accounts and groups are and how they work.
User accounts are used within computer environments to verify the identity of the person using a computer system. By checking the identity of a user, the system is able to determine if the user is permitted to log into the system and, if so, which resources the user is allowed to access.
Groups are logical constructs that can be used to cluster user accounts together for a specific purpose. For instance, if a company has a group of system administrators, they can all be placed in a system administrator group with permission to access key resources and machines. Also, through careful group creation and assignment of privileges, access to restricted resources can be maintained for those who need them and denied to others.
The ability for a user to access a machine is determined by whether or not that user's account exists. Access to an application or file is granted based on the permission settings for the file. The nature of the access users have to their own systems and others on the network should be determined by the organization's system administrators. This helps to ensure the integrity of sensitive information and key resources against accidental or purposeful harm by users.
After a normal user account is created, the user can log into the system and access any applications or files they are permitted to access. Red Hat Linux determines whether or not a user or group can access these resources based on the permissions assigned to them.
There are three permissions for files, directories, and applications. The following lists the symbols used to denote each, along with a brief description:
r — Indicates that a given category of user can read a file.
w — Indicates that a given category of user can write to a file.
x — Indicates that a given category of user can execute the file.
A fourth symbol (-) indicates that no access is permitted.
Each of the three permissions is assigned to three defined categories of users. The categories are:
owner — The owner of the file or application.
group — The group that owns the file or application.
everyone — All users with access to the system.
One can easily view the permissions for a file by invoking a long format listing using the command ls -l. For instance, if the user juan creates an executable file named foo, the output of the command ls -l foo would look like this:
-rwxrwxr-x 1 juan juan 0 Sep 26 12:25 foo
The permissions for this file are listed at the start of the line, starting with rwx. This first set of symbols defines owner access. The next set of rwx symbols defines group access, and the last set of symbols defines the access permitted for all other users.
This listing indicates that the file is readable, writable, and executable by the user who owns the file (user juan) as well as by the group owning the file (which is a group named juan). The file is also world-readable and world-executable, but not world-writable.
One important point to keep in mind regarding permissions and user accounts is that every application run on Red Hat Linux runs in the context of a specific user. Typically, this means that if user juan launches an application, the application runs using user juan's context. However, in some cases the application may need more access in order to accomplish a task. Such applications include those that edit system settings or log in users. For this reason, special permissions have been created.
There are three such special permissions within Red Hat Linux. They are as follows:
setuid — Used only for applications, this permission indicates that the application runs as the owner of the file and not as the user running the application. It is indicated by the character s in place of the x in the owner category.
setgid — Used only for applications, this permission indicates that the application runs as the group owning the file and not as the group running the application. It is indicated by the character s in place of the x in the group category.
sticky bit — Used primarily on directories, this bit dictates that a file created in the directory can be removed only by the user who created the file. It is indicated by the character t in place of the x in the everyone category. In Red Hat Linux the sticky bit is set by default on the /tmp/ directory for exactly this reason.
Another point worth noting is that user account and group names are primarily for people's convenience. Internally, the system uses numeric identifiers. For users, this identifier is known as a UID, while for groups the identifier is known as a GID. Programs that make user or group information available to users translate the UID/GID values into their more human-readable counterparts. This fact is particularly important when accessing shared media, as discussed in the Section called The UID/GID Conundrum.
Since some system-level programs on Red Hat Linux run under a dedicated UID, and some default system accounts have reserved UID numbers, all UIDs and GIDs below 500 are reserved for system use. For more information on these standard users and groups, see the chapter titled Users and Groups in Official Red Hat Linux Reference Guide.
When new user accounts are added using a user creation tool such as /usr/sbin/useradd, they are assigned the first available UID and GID starting at 500.
User creation tools are discussed further into this chapter. But before reviewing these tools, let us review the files Red Hat Linux uses to define system accounts.