All users on a system are identified by a username and a userid. The username is what users normally refer to, but as far as the operating system is concerned a user is identified by the userid (or uid). The username is typically a user-friendly string, such as your name, whereas the userid is a number. The words username and userid are often (incorrectly) used interchangeably. Userid numbers should be unique (one number per user). If two usernames had the same userid, their permissions would effectively be the same and the files they create would appear to have been created by the same user. This should not be allowed, and the useradd command will not allow usernames to share the same userid.
Whilst there are no international naming conventions for usernames, your company may have its own naming convention (example usernames could consist of: first names; last names; last name + initial; first name + first letter of surname; personnel number etc.).
There are some default users on all systems when first installed. Other than the root user, these can normally be prevented from logging in. You should however be careful about deleting these usernames, as they are sometimes used by tasks running on the system.
The special users normally have userid numbers that are less than 100, and have names such as sys, bin, adm etc.
The root user has an id of 0, which has a special meaning. The root user has full permissions to do anything on the system and is not bound by any of the permissions on the system. There are some tasks that can only be performed by root; however it is recommended that you only run as root when necessary, as mistakes could be devastating. To use root permissions you would normally log in under a normal userid and "su" to root, or use sudo as required.
One of the features of Linux is the ability to change userid while logged into a system. The su command is sometimes referred to as the superuser command, but this is not completely correct. In the early days of UNIX it was only possible to change to the root user, which made it the superuser command; however it is now possible to change to any user using su. It is more correct to refer to it as the switch user command.
The switch user command "su" is used to change between different users on a system without having to log out. The most common use is to change to the root user, but it can be used to switch to any user, depending upon that user's settings. To switch to a user other than root, the username is given as the last argument on the command.
There are two ways of switching users. Putting a '-' after the command causes the target user's profile to be read and their environment variables to be set:

su - username

To continue with the current profile and variables, omit the '-':

su username

You can then return to the previous user by entering exit.
Each of the users on a system is also a member of one or more groups. This is a further way of setting permissions for different users. Rather than having to set up individual access permissions for every single user, users can instead be placed in a group that has been given that permission. You may for example have a group called "design", of which the designers are members, allowing them access to some of the design documents stored on the system.
Each user has a default group. When a new file is created it is automatically owned by the individual user and also by the user's default group. Most Linux systems now implement the "User Private Group Scheme", whereby a group is created with the same name as the user. This is considered the more secure option, as it does not grant access to any other users.
Like the users the groups use a number based system from the operating system point of view. This is referred to as the groupid (or gid).
A user can be added to a group using the usermod command. The following will add user1 to the lpadmin group (required to administer printers).
sudo usermod -a -G lpadmin user1
The -a option means append; without it, the user will be removed from any groups not listed in the -G (--groups) option.
The information about users and groups is normally stored in the following files:

/etc/passwd   User information
/etc/shadow   User passwords
/etc/group    Group information
/etc/gshadow  Group passwords
On some (particularly older) systems the shadow and gshadow files may not exist. This is now considered to be a security risk and is strongly discouraged. The reason for this is that without using the shadow files the password is stored in a file that is readable by everyone, whereas the shadow files are only readable by root. A full explanation for the reason is beyond the scope of this guide (it will be included in the security guide). For now please accept that it is far safer to store the passwords in the shadow files.
The default permissions of the files are as follows:

/etc/passwd   rw-r--r--   644
/etc/shadow   rw-------   400   (Red Hat systems)
              rw-r-----   640   (Debian)
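As an added example (not part of the original page), the following POSIX shell script checks the conditions described above: userids shared by more than one username, accounts other than root with userid 0, and a shadow file that is readable by everyone. It runs on constructed sample files; the function names and sample entries are my own, and on a real system you would pass /etc/passwd and /etc/shadow instead (reading the shadow file needs root).

```shell
#!/bin/sh
# Added audit example, not from the original page: checks a passwd-format file
# for duplicate uids and extra uid-0 accounts, and checks that a shadow-format
# file grants no access to "other". Constructed sample files let it run offline.

# Print each uid (field 3) that appears more than once.
duplicate_uids() {
    cut -d: -f3 "$1" | sort | uniq -d
}

# Print every username whose uid is 0, i.e. every account with root's powers.
uid_zero_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Succeed only if the "other" permission bits of the file are all unset,
# which accepts both modes quoted in the text (400 and 640) and rejects 644.
shadow_not_world_readable() {
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# Constructed sample data: root plus a second uid-0 account, and two users
# that wrongly share uid 1001.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
bin:x:1:1:bin:/bin:/usr/sbin/nologin
user1:x:1001:1001:User One:/home/user1:/bin/bash
user2:x:1001:1002:User Two:/home/user2:/bin/bash
EOF
SAMPLE_SHADOW=$(mktemp); chmod 640 "$SAMPLE_SHADOW"   # Debian-style mode
SAMPLE_LEAKY=$(mktemp);  chmod 644 "$SAMPLE_LEAKY"    # readable by everyone

echo "Duplicate uids: $(duplicate_uids "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "uid 0 accounts: $(uid_zero_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
shadow_not_world_readable "$SAMPLE_SHADOW" && echo "640 shadow file: ok"
shadow_not_world_readable "$SAMPLE_LEAKY" || echo "644 shadow file: readable by everyone"
```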
If there are passwords contained in the passwd file, they can be moved into the shadow file with the pwconv command:

pwconv

If you want to move the passwords back into the passwd file from the shadow file (not recommended), use the pwunconv command:

pwunconv

Similarly you can do the same thing for the group and gshadow files using the commands grpconv and grpunconv. Group passwords are not, however, used on most systems.
The following screen shot shows some entries out of a typical /etc/passwd file. It has been trimmed due to the length of the file.