3.1. Users, Groups & Privileges
Every process runs as a user. Every file belongs to a user and a group. Understanding this hierarchy is fundamental to Unix security and administration.
3.1.1. Understanding Users
3.1.1.1. User Identity
Every user on the system has:
Username — Human-readable name (e.g., alice)
UID (User ID) — Numeric identifier (0-65535)
GID (Group ID) — Primary group membership
Home directory — Personal workspace
Login shell — Default shell when logging in
3.1.1.2. Viewing Current User
# Current user
$ whoami
alice
# Full details
$ id
uid=1000(alice) gid=1000(alice) groups=1000(alice),27(sudo),999(docker)
# View user info
$ id alice
uid=1000(alice) gid=1000(alice) groups=1000(alice),27(sudo),999(docker)
3.1.1.3. The User Database
All users are defined in /etc/passwd:
$ head -5 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
# Format: username:password:uid:gid:gecos:home:shell
The x in the password field is a placeholder: the actual password hashes are stored in /etc/shadow, which is readable only by root.
3.1.1.4. System vs Regular Users
System users (UID < 1000):
Used by services and daemons
No interactive login shell
Minimal privileges
Examples: root, daemon, www-data
Regular users (UID >= 1000):
Real people
Have a login shell
Home directory for personal files
Examples: alice, bob, ubuntu
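As an added example that is not part of the original page, here is a small shell audit of a passwd-format database applying the checks the two sections above imply: classifying accounts by UID, listing every UID 0 account (any of them is root, whatever it is called), and finding system accounts that still have an interactive shell. PASSWD_SAMPLE is constructed data; on a real host pass the output of getent passwd instead.

```sh
# Added example (not the page's code): audit a passwd-format database for the
# properties this section describes. The sample is constructed; on a real host
# pass "$(getent passwd)" instead.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh'

# Label each account "system:" (UID < 1000) or "regular:" (UID >= 1000).
classify_users() {
  printf '%s\n' "$1" | awk -F: '{ kind = ($3 < 1000) ? "system" : "regular"; print kind ":" $1 }'
}

# Every UID 0 account is root whatever it is called; only "root" should appear here.
uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# System accounts (other than root) that still have an interactive login shell.
system_users_with_shell() {
  printf '%s\n' "$1" | awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /\/(nologin|false)$/ { print $1 }'
}
```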
3.1.1.5. Creating Users (Admin Only)
# Create new user
$ sudo useradd -m -s /bin/bash newuser
# -m: Create home directory
# -s: Set login shell
# Set password
$ sudo passwd newuser
New password:
Re-enter password:
# Add to system with default settings
$ sudo useradd -m alice
# Creates home /home/alice with default shell
# Add with specific home and shell
$ sudo useradd -m -s /bin/zsh -d /home/custom/bob bob
3.1.1.6. Viewing All Users
# List all users
$ cut -d: -f1 /etc/passwd | sort
# List with details
$ getent passwd | head -10
# Check if user exists
$ id -u alice
1000
# Error if doesn't exist
$ id -u nosuchuser
id: 'nosuchuser': no such user
3.1.2. Understanding Groups
3.1.2.1. Group Basics
A group is a collection of users. Instead of assigning permissions to each user individually, you assign them to a group, and users inherit those permissions.
3.1.2.2. Viewing Groups
Groups are defined in /etc/group:
$ head -10 /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,ubuntu
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
sudo:x:27:alice,bob
docker:x:999:alice,charlie
# Format: groupname:password:gid:members
3.1.2.3. User’s Groups
Every user has a primary group (GID in /etc/passwd) and can belong to secondary groups:
# View all groups for current user
$ groups
alice sudo docker
# View groups for specific user
$ groups bob
bob sudo
# See numeric group IDs
$ id bob
uid=1001(bob) gid=1001(bob) groups=1001(bob),27(sudo)
# Primary GID is 1001, secondary group is 27 (sudo)
3.1.2.4. Creating and Managing Groups
# Create a group
$ sudo groupadd developers
# Add user to group
$ sudo usermod -aG developers alice
# -a: append (don't remove from other groups)
# -G: secondary groups
# View group membership
$ grep developers /etc/group
developers:x:1005:alice,bob
# Remove user from group
$ sudo deluser alice developers
# Delete group
$ sudo groupdel developers
3.1.2.5. Practical Group Example
# Create a development team
$ sudo groupadd -g 2000 devteam
# Add team members
$ sudo usermod -aG devteam alice
$ sudo usermod -aG devteam bob
$ sudo usermod -aG devteam charlie
# New membership takes effect at the next login (or run `newgrp devteam` in the current shell)
# Create shared project directory
$ sudo mkdir -p /home/projects/api
$ sudo chown :devteam /home/projects/api
$ sudo chmod 2770 /home/projects/api
# 2: setgid bit, so files created inside inherit the group devteam
# 770: owner and group get full access, everyone else gets none
# Now all team members can collaborate
# New files inherit group ownership
$ cd /home/projects/api
$ touch file.txt
$ ls -l file.txt
-rw-r--r-- 1 alice devteam 0 Jan 15 file.txt
# The group is devteam, but with the default umask 022 the file is not group-writable;
# use umask 002 (or chmod g+w) so teammates can edit each other's files
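The setgid directory setup above can be reproduced without root in a scratch directory, which makes the umask effect visible. This is an added example, not code from the page; it uses the caller's own primary group in place of devteam and assumes GNU or busybox stat (the -c option).

```sh
# Added example (not the page's code): rebuild the shared-directory setup in a
# scratch directory so the setgid bit and umask can be checked without root.
# The directory keeps the caller's own primary group instead of devteam.
setup_shared_dir() {
  dir=$(mktemp -d)
  chmod 2770 "$dir"      # rwxrws---: the setgid bit makes new files inherit the group
  printf '%s\n' "$dir"
}

# Permission bits of a path in octal (GNU/busybox stat), e.g. 2770 or 644.
mode_of() { stat -c '%a' "$1"; }

# Group that owns a path.
group_of() { stat -c '%G' "$1"; }

# Create an empty file under the given umask (in a subshell, so the caller's
# umask is untouched) and return the resulting mode.
create_with_umask() {
  ( umask "$2" && : > "$1" ) && mode_of "$1"
}

# Walk-through: 022 (the usual default) yields 644, so teammates can only read
# each other's files; 002 yields 664, the group-writable files a team directory needs.
demo() {
  d=$(setup_shared_dir)
  printf 'dir %s group %s\n' "$(mode_of "$d")" "$(group_of "$d")"
  printf 'umask 022 -> %s\n' "$(create_with_umask "$d/a.txt" 022)"
  printf 'umask 002 -> %s\n' "$(create_with_umask "$d/b.txt" 002)"
  rm -rf "$d"
}
```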
3.1.3. The Root User and Sudo
3.1.3.1. Root (UID 0)
The root user has unlimited access to everything. It’s the system administrator account.
# Check if you're root
$ whoami
root
# Or use numeric UID
$ id -u
0
# Most systems don't allow root login directly
# Instead, use sudo to run commands as root
3.1.3.2. Sudo — Privilege Escalation
sudo allows regular users to run commands as root (or another user) when authorized.
# Run command as root
$ sudo apt-get update
[sudo] password for alice:
# Run command as specific user
$ sudo -u bob whoami
bob
# Run as root without a password prompt (only if sudoers grants NOPASSWD, or a recent sudo's cached credentials are still valid)
$ sudo whoami # No prompt only with NOPASSWD or cached credentials; being in sudoers alone still prompts
# See what sudo commands you're allowed to run
$ sudo -l
(ALL : ALL) ALL
# Edit sudo configuration (CAREFULLY!)
$ sudo visudo
3.1.3.3. The Sudoers File
The /etc/sudoers file controls who can use sudo:
# Format
user ALL=(ALL) ALL
# user: alice
# ALL: on any host
# (ALL): as any user
# ALL: run any command
# Safer: Allow specific commands only
alice ALL=(ALL) /usr/bin/apt-get, /usr/bin/systemctl
# No password required
bob ALL=(ALL) NOPASSWD: /usr/bin/reboot
# Group-based
%developers ALL=(ALL) /home/projects/*
# All members of the 'developers' group can run any executable under /home/projects/ as root
# Risky if those users can write to /home/projects/: they could then run programs of their own as root.
# Grant sudo only on root-owned, non-writable paths, and check edits with `visudo -c`
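As an added example (not the page's code), the following shell function scans a sudoers fragment for the grants a reviewer should question: passwordless ALL, unrestricted ALL for anyone but root, commands under user-writable paths, and wildcards. SUDOERS_SAMPLE is constructed from the rules above plus one catch-all grant; it checks policy, not syntax, so on a real host still run visudo -c.

```sh
# Added example (not the page's code): flag the sudoers grants a reviewer should
# question. The fragment is constructed from the rules above plus one catch-all
# grant; on a real host run `visudo -c` for syntax and feed it /etc/sudoers and
# the files under /etc/sudoers.d.
SUDOERS_SAMPLE='# constructed fragment
root ALL=(ALL:ALL) ALL
alice ALL=(ALL) /usr/bin/apt-get, /usr/bin/systemctl
bob ALL=(ALL) NOPASSWD: /usr/bin/reboot
%developers ALL=(ALL) /home/projects/*
carol ALL=(ALL) NOPASSWD: ALL'

# Print "reason<TAB>rule" for each grant matching a risky pattern; the first
# matching reason wins. Comments and blank lines are skipped.
audit_sudoers() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*(#|$)/ { next }
    /NOPASSWD:[ \t]*ALL([ \t]|$)/          { print "passwordless-all\t" $0; next }
    $1 != "root" && $NF == "ALL"           { print "unrestricted\t" $0; next }
    /=.*[ \t]\/(home|tmp|var\/tmp)\//      { print "user-writable-path\t" $0; next }
    /\*/                                   { print "wildcard\t" $0; next }
  '
}
```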
3.1.3.4. Security Best Practices with Root
# Good: Use sudo for single commands
$ sudo systemctl restart nginx
# Bad: Don't use sudo to start an interactive shell
$ sudo -i # Gives full root shell - risky!
# The log then only records that a shell was opened, not what was done inside it
# Instead: Run specific commands as root (or as the service user that needs them)
$ sudo -u www-data mkdir /var/www/new
$ sudo -u www-data touch /var/www/new/file.txt
# Audit sudo usage (systemd journal; on systems without it, grep sudo /var/log/auth.log)
$ sudo journalctl -t sudo | grep COMMAND
# Shows who ran what commands, as which user, and when
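To turn that audit into something repeatable, here is an added example (not from the page) that parses sudo's log records into "status user target command" lines and picks out denied attempts and root shells. SUDO_LOG_SAMPLE is constructed in the format sudo writes to syslog/journald; on a real host pipe in journalctl -t sudo or /var/log/auth.log instead.

```sh
# Added example (not the page's code): extract who ran what through sudo from
# sudo's own log lines. The lines are constructed in the format sudo writes to
# syslog/journald; on a real host pipe in `journalctl -t sudo` or
# /var/log/auth.log instead of the sample.
SUDO_LOG_SAMPLE='Jan 15 14:30:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 15 14:31:12 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 15 14:32:40 web1 sudo:  mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/usr/bin/id
Jan 15 14:33:05 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=www-data ; COMMAND=/usr/bin/touch /var/www/new/file.txt
Jan 15 14:34:20 web1 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id'

# Core parser: one "status user target command" line per sudo record.
# Fields are " ; " separated; USER= and COMMAND= are looked up by name because
# denied records carry an extra leading field.
parse_sudo_log() {
  printf '%s\n' "$1" | awk -F' ; ' '
    /sudo:/ && /COMMAND=/ {
      user = $1; sub(/.*sudo: +/, "", user); sub(/ : .*/, "", user)
      status = ($1 ~ /NOT in sudoers|incorrect password/) ? "denied" : "ok"
      target = "?"; cmd = "?"
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^USER=/)    target = substr($i, 6)
        if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
      }
      print status, user, target, cmd
    }'
}

# Denied attempts: unauthorized users and repeated bad passwords.
sudo_denied() { parse_sudo_log "$1" | awk '$1 == "denied"'; }

# Successful runs that opened an interactive shell (the sudo -i pattern):
# sudo logs only that the shell started, not what was run inside it.
sudo_shells() { parse_sudo_log "$1" | awk '$1 == "ok" && $4 ~ /^\/(usr\/)?bin\/(ba|z|da)?sh$/'; }
```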
3.1.4. File Ownership
Every file has an owner (user) and a group:
# View ownership
$ ls -l /tmp/file.txt
-rw-r--r-- 1 alice developers 1024 Jan 15 14:30 /tmp/file.txt
# Third column (alice) is the owner, fourth column (developers) is the group
# Change owner (requires root)
$ sudo chown bob /tmp/file.txt
$ sudo chown bob:devteam /tmp/file.txt
# Change owner recursively
$ sudo chown -R alice:developers /home/projects/api/
# Using reference
$ sudo chown --reference=/home/alice /home/bob
# Makes /home/bob owned by the same user and group as /home/alice