Linux and Unix operating systems were designed from the ground up to support multiple users simultaneously. This means that even though a computer typically has only one keyboard and monitor, it can be accessed by several people at once. For instance, users can connect to a computer remotely through a network or the internet using SSH (Secure Shell) to operate it as if they were sitting directly in front of it. The X Window System allows these remote users to even run graphical applications and view the output on their own screens, demonstrating the inherent flexibility of these operating systems.
Linux's multi-user capability is a fundamental aspect of its design, rooted in the historical context of computing. Before the era of personal computers, computing resources were centralized and expensive, typically housed in large mainframes. Universities, for example, relied on these systems, connecting multiple users through terminals scattered across campus. This environment necessitated operating systems that could efficiently manage and share resources among many simultaneous users, a design philosophy that has been inherited by Linux.
To ensure the system could function reliably, a robust mechanism was essential to safeguard users from one another's actions. It was imperative to prevent a single user from causing system crashes or accessing another user's files.
Owners, Group Members, and Everybody Else
Linux filesystems set permissions on files and folders. For example, if you try to access a file that you have no rights to, the system refuses:
$ file /etc/shadow
/etc/shadow: regular file, no read permission
The reason for this error message is that, as regular users, we do not have permission to read this file.
Unix employs a hierarchical security model centered around ownership and permissions. Each file and directory has an owner who controls access to it. Users can be organized into groups, and an owner can grant a group's members collective access to a file or directory. Beyond these, a broader set of permissions can be assigned to 'everyone', or the 'world'. To determine your user identity and group memberships on a Unix system, use the id command.
$ id
uid=1000(hamed) gid=1000(hamed) groups=1000(hamed),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare)
Upon account creation, each user is assigned a unique numerical identifier called a User ID (UID) and a human-readable name known as a username. Additionally, a Group ID (GID) is assigned, and users can belong to multiple groups. While the example provided was from an Ubuntu system, the specific output format may vary across different Unix-like operating systems.
Linux user and group information is stored in plain text configuration files. The /etc/passwd file outlines user accounts, containing details such as username, user ID, primary group, full name, home directory, and default shell. Groups are defined in /etc/group. To enhance security, password information is encrypted and stored separately in /etc/shadow. Importantly, these files also include system accounts, such as the superuser (UID 0) and the accounts used by essential system processes.
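The /etc/passwd layout described above is easy to audit with awk. The following is an added example, not part of the original text: it runs three checks over a constructed sample in the standard name:password:UID:GID:comment:home:shell layout, and the accounts svc_backup and legacy are made up for illustration.

```shell
#!/bin/sh
# Added example. /etc/passwd is colon-separated:
#   name:password:UID:GID:comment:home:shell
# Constructed sample data; svc_backup and legacy are invented accounts.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hamed:x:1000:1000:Hamed:/home/hamed:/bin/bash
svc_backup:x:0:0:backup job:/var/backups:/bin/sh
legacy::1001:1001:old account:/home/legacy:/bin/bash
EOF
}

# Every account whose UID is 0 has superuser privileges, whatever its name.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }'; }

# An "x" in field 2 means the password data lives in /etc/shadow.
# An empty field 2 means no password is required for that account.
empty_password_accounts() { awk -F: '$2 == "" { print $1 }'; }

# Accounts whose shell is not a nologin/false stub can start a shell.
login_accounts() { awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'; }

echo "UID 0 accounts:     $(sample_passwd | uid0_accounts | tr '\n' ' ')"
echo "Empty password:     $(sample_passwd | empty_password_accounts | tr '\n' ' ')"
echo "Can start a shell:  $(sample_passwd | login_accounts | tr '\n' ' ')"
```

To check a real system, feed the functions the actual file, for example `uid0_accounts < /etc/passwd`; anything other than root in that output deserves a closer look.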
Reading, Writing, and Executing
Access rights to files and directories are defined in terms of read access, write access, and execution access. If we look at the output of the ls command, we can get some clue as to how this is implemented.
$ touch newfile.txt
$ ls -l newfile.txt
-rw-rw-r-- 1 hamed hamed 0 august 5 08:39 newfile.txt
The first 10 characters of the listing are the file attributes. The first of these characters is the file type. Table 9-1 describes the file types you are most likely to see (there are other, less common types too).
| Attribute | File type |
|---|---|
| - | A regular file. |
| d | A directory. |
| l | A symbolic link. Notice that with symbolic links, the remaining file attributes are always rwxrwxrwx and are dummy values. The real file attributes are those of the file the symbolic link points to. |
| c | A character special file. This file type refers to a device that handles data as a stream of bytes, such as a terminal or /dev/null. |
| b | A block special file. This file type refers to a device that handles data in blocks, such as a hard drive or DVD drive. |
The remaining nine characters of the file attributes, called the file mode, represent the read, write, and execute permissions for the file’s owner, the file’s group owner, and everybody else respectively.
| Attribute | Files | Directories |
|---|---|---|
| r | Allows a file to be opened and read. | Allows a directory’s contents to be listed if the execute attribute is also set. |
| w | Allows a file to be written to or truncated; however, this attribute does not allow files to be renamed or deleted. The ability to delete or rename files is determined by directory attributes. | Allows files within a directory to be created, deleted, and renamed if the execute attribute is also set. |
| x | Allows a file to be treated as a program and executed. Program files written in scripting languages must also be set as readable to be executed. | Allows a directory to be entered, e.g., cd directory. |
chmod: Change File Mode
To modify a file or directory's permissions, use the chmod command. Only the file owner or the system administrator (superuser) can make these changes. There are two primary methods for specifying permissions: octal and symbolic notation.
The octal method employs a three-digit number to represent permissions for the file owner, group, and others, respectively. Each digit is a combination of values representing read, write, and execute permissions. This numerical approach aligns directly with the underlying file mode storage format.
$ chmod 600 newfile.txt
$ ls -l newfile.txt
-rw------- 1 hamed hamed 0 august 5 08:39 newfile.txt
By passing the argument 600, we were able to set the permissions of the owner to read and write while removing all permissions from the group owner and world.
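The link between the nine-character file mode and the three octal digits can be made explicit: within each group of three characters, r counts 4, w counts 2 and x counts 1, and the digit is their sum. The following is an added example, not part of the original text; the function name symbolic_to_octal is made up here, and it handles only plain r, w and x characters.

```shell
#!/bin/sh
# Added example: turn the 10-character attribute string from `ls -l`
# into the three-digit octal mode that chmod accepts.
# Only plain r/w/x/- characters are handled; other mode characters are
# outside the scope of this example.
symbolic_to_octal() {
    perms=${1#?}                       # drop the leading file-type character
    if [ "${#perms}" -ne 9 ]; then
        echo "expected 10 characters, got: $1" >&2
        return 1
    fi
    out=""
    while [ -n "$perms" ]; do
        rest=${perms#???}              # everything after the next three chars
        triad=${perms%"$rest"}         # owner, then group, then world
        digit=0
        case $triad in r??) digit=$((digit + 4)) ;; esac   # read    = 4
        case $triad in ?w?) digit=$((digit + 2)) ;; esac   # write   = 2
        case $triad in ??x) digit=$((digit + 1)) ;; esac   # execute = 1
        out=$out$digit
        perms=$rest
    done
    echo "$out"
}

echo "-rw-rw-r--  $(symbolic_to_octal "-rw-rw-r--")"   # newfile.txt as created
echo "-rw-------  $(symbolic_to_octal "-rw-------")"   # after chmod 600
echo "drwxr-xr-x  $(symbolic_to_octal "drwxr-xr-x")"   # a typical directory
```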
chmod also supports a symbolic notation for specifying file modes. Symbolic notation is divided into three parts.
Who the change will affect
Which operation will be performed
What permission will be set
To specify who is affected, a combination of the characters u, g, o, and a is used.
u: Short for “user” but means the file or directory owner.
g: Group owner.
o: Short for “others” but means world.
a: Short for “all.” This is a combination of u, g, and o.
If no character is specified, “all” will be assumed. The operation may be a + indicating that a permission is to be added, a - indicating that a permission is to be taken away, or a = indicating that only the specified permissions are to be applied and that all others are to be removed.
Permissions are specified with the r, w, and x characters. For example, u+x adds execute permission for the owner, while u-x removes execute permission from the owner.
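The following added example, which is not part of the original text, applies octal and symbolic specifications to a scratch file and reads the resulting mode back. It goes slightly beyond the text in one respect: when no "who" character is given, chmod acts like "a" except that bits masked by the current umask are left unchanged. It assumes Linux `stat -c %a`, and the function names are made up here.

```shell
#!/bin/sh
# Added example: apply chmod specs to a scratch file and read the mode back.
# Assumes Linux `stat -c %a` (GNU coreutils or busybox).

# mode_after START SPEC
# Prints the octal mode of a file that started at START after `chmod SPEC`.
mode_after() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" && chmod "$2" "$f" && stat -c %a "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# Same, with the umask set to MASK first (the subshell keeps the change local).
mode_after_umask() {
    ( umask "$1"; mode_after "$2" "$3" )
}

echo "664, chmod 600      -> $(mode_after 664 600)"      # octal replaces all nine bits
echo "600, chmod u+x      -> $(mode_after 600 u+x)"      # add execute for the owner
echo "700, chmod u-x      -> $(mode_after 700 u-x)"      # and take it away again
echo "664, chmod go=      -> $(mode_after 664 go=)"      # '=' with nothing clears group and world
echo "600, chmod u+x,g+r  -> $(mode_after 600 u+x,g+r)"  # several clauses, comma-separated

# No "who": like "a", but bits masked by umask are not touched.
echo "umask 027: 600, chmod +x  -> $(mode_after_umask 027 600 +x)"
echo "umask 027: 600, chmod a+x -> $(mode_after_umask 027 600 a+x)"
```

On scripts that must set an exact mode regardless of the caller's environment, spelling out the "who" (or using octal) avoids the umask dependence shown in the last two lines.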