Users and groups
Users and groups are used on GNU/Linux for access control, that is, to control access to the system's files, directories, and peripherals. Linux offers relatively simple/coarse access control mechanisms by default. For more advanced options, see ACL, Capabilities and PAM#Configuration How-Tos.
Overview
A user is anyone who uses a computer. In this case, we are describing the names which represent those users. It may be Mary or Bill, and they may use the names Dragonlady or Pirate in place of their real name. All that matters is that the computer has a name for each account it creates, and it is this name by which a person gains access to use the computer. Some system services also run using restricted or privileged user accounts.
Managing users is done for the purpose of security by limiting access in certain specific ways. The superuser (root) has complete access to the operating system and its configuration; it is intended for administrative use only. Unprivileged users can use the su and sudo programs for controlled privilege elevation.
Any individual may have more than one account as long as they use a different name for each account they create. Further, there are some reserved names which may not be used, such as "root".
Users may be grouped together into a "group", and users may be added to an existing group to use the privileged access it grants.
Note: The beginner should use these tools carefully and stay away from having anything to do with any other existing user account, other than their own.
Permissions and ownership
From In UNIX Everything is a File:
- The UNIX operating system crystallizes a couple of unifying ideas and concepts that shaped its design, user interface, culture and evolution. One of the most important of these is probably the mantra: "everything is a file," widely regarded as one of the defining points of UNIX.
- This fundamental design principle consists of providing a unified paradigm for accessing a wide range of input/output resources: documents, directories, hard-drives, CD-ROMs, modems, keyboards, printers, monitors, terminals and even some inter-process and network communications. The trick is to provide a common abstraction for all of these resources, each of which the UNIX fathers called a "file." Since every "file" is exposed through the same API, you can use the same set of basic commands to read/write to a disk, keyboard, document or network device.
From Extending UNIX File Abstraction for General-Purpose Networking:
- A key and very powerful, consistent abstraction provided in UNIX and compatible operating systems is the file abstraction. Many OS services and device interfaces are implemented to provide a file or file system metaphor to applications. This enables new uses for, and greatly increases the power of, existing applications — simple tools designed with specific uses in mind can, with UNIX file abstractions, be used in novel ways. A simple tool, such as cat, designed to read one or more files and output the contents to standard output, can be used to read from I/O devices through special device files, typically found under the /dev directory. On many systems, audio recording and playback can be done simply with the commands, "cat /dev/audio > myfile" and "cat myfile > /dev/audio," respectively.
Every file on a GNU/Linux system is owned by a user and a group. In addition, there are three types of access permissions: read, write, and execute. Different access permissions can be applied to a file's owning user, owning group, and others (those without ownership). One can determine a file's owners and permissions by viewing the long listing format of the ls command:
$ ls -l /boot/
total 13740
drwxr-xr-x 2 root root    4096 Jan 12 00:33 grub
-rw-r--r-- 1 root root 8570335 Jan 12 00:33 initramfs-linux-fallback.img
-rw-r--r-- 1 root root 1821573 Jan 12 00:31 initramfs-linux.img
-rw-r--r-- 1 root root 1457315 Jan  8 08:19 System.map26
-rw-r--r-- 1 root root 2209920 Jan  8 08:19 vmlinuz-linux
The first column displays the file's permissions (for example, the file initramfs-linux.img has permissions -rw-r--r--). The third and fourth columns display the file's owning user and group, respectively. In this example, all files are owned by the root user and the root group.
$ ls -l /media/
total 16
drwxrwx--- 1 root vboxsf 16384 Jan 29 11:02 sf_Shared
In this example, the sf_Shared directory is owned by the root user and the vboxsf group. It is also possible to determine a file's owners and permissions using the stat command:
Owning user:
$ stat -c %U /media/sf_Shared/
root
Owning group:
$ stat -c %G /media/sf_Shared/
vboxsf
Access rights:
$ stat -c %A /media/sf_Shared/
drwxrwx---
Access permissions are displayed in three groups of characters, representing the permissions of the owning user, owning group, and others, respectively. For example, the characters -rw-r--r-- indicate that the file's owner has read and write permission, but not execute (rw-), whilst users belonging to the owning group and other users have only read permission (r-- and r--). Meanwhile, the characters drwxrwx--- indicate that the file's owner and users belonging to the owning group all have read, write, and execute permissions (rwx and rwx), whilst other users are denied access (---). The first character represents the file's type (d for a directory, - for a regular file).
Listing files owned by a user or group with the find utility:
# find / -group groupname
# find / -group groupnumber
# find / -user user
A file's owning user and group can be changed with the chown (change owner) command. A file's access permissions can be changed with the chmod (change mode) command.
See chown(1), chmod(1), and Linux file permissions for additional detail.
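As an added example (not code from the Arch wiki page), the following POSIX shell script turns a symbolic mode string of the kind shown above into its octal form, including the setuid, setgid and sticky bits, and flags the entries a reviewer looks for: world-writable files, world-writable directories without the sticky bit, setuid binaries and setgid files. audit_tree walks a directory using GNU stat -c '%A %n', the stat used on Arch. The function names and the mode strings in the demo loop are this example's own constructed input.

```shell
#!/bin/sh
# Added example, not part of the Arch wiki page. Converts ls -l / stat -c %A mode
# strings to octal and flags risky modes. POSIX sh, no root needed.

# symbolic_to_octal MODE -> prints the 4-digit octal mode, e.g. "-rw-r--r--" -> 0644
symbolic_to_octal() {
    m=${1%[+.]}                 # drop a trailing "+" (ACL) or "." (SELinux) marker
    [ ${#m} -eq 10 ] || { echo "bad mode string: $1" >&2; return 1; }
    body=${m#?}                 # strip the leading file-type character
    special=0                   # setuid=4, setgid=2, sticky=1
    digits=""
    pos=0                       # 0 = user triplet, 1 = group, 2 = other
    while [ -n "$body" ]; do
        trip=$(printf '%s' "$body" | cut -c1-3)
        body=$(printf '%s' "$body" | cut -c4-)
        d=0
        case $trip in r??) d=$((d + 4)) ;; esac
        case $trip in ?w?) d=$((d + 2)) ;; esac
        case $trip in ??[xst]) d=$((d + 1)) ;; esac        # lowercase s/t: execute bit also set
        case $trip in ??[sStT]) special=$((special | (4 >> pos))) ;; esac
        digits="$digits$d"
        pos=$((pos + 1))
    done
    printf '%d%s\n' "$special" "$digits"
}

# audit_mode MODE -> prints one finding per line; returns 1 if anything was flagged.
# A world-writable directory with the sticky bit (like /tmp) is not flagged, and
# neither is setgid on a directory (the shared-directory pattern).
audit_mode() {
    oct=$(symbolic_to_octal "$1") || return 1
    sp=$(printf '%s' "$oct" | cut -c1)
    oth=$(printf '%s' "$oct" | cut -c4)
    rc=0
    if [ $((oth & 2)) -ne 0 ]; then
        case $1 in
            d*) [ $((sp & 1)) -ne 0 ] || { echo world-writable; rc=1; } ;;
            *)  echo world-writable; rc=1 ;;
        esac
    fi
    [ $((sp & 4)) -eq 0 ] || { echo setuid; rc=1; }
    case $1 in
        d*) ;;
        *) [ $((sp & 2)) -eq 0 ] || { echo setgid; rc=1; } ;;
    esac
    return $rc
}

# audit_tree DIR -> runs audit_mode over every entry below DIR (GNU stat, as on Arch)
audit_tree() {
    find "$1" -exec stat -c '%A %n' {} + | while read -r mode name; do
        f=$(audit_mode "$mode") || printf '%s: %s\n' "$name" "$(printf '%s' "$f" | tr '\n' ' ')"
    done
}

# Demo on constructed mode strings; nothing on disk is touched.
for m in -rw-r--r-- drwxrwx--- -rwsr-xr-x drwxrwxrwt -rw-rw-rw-; do
    printf '%s -> %s' "$m" "$(symbolic_to_octal "$m")"
    findings=$(audit_mode "$m") || true
    printf ' %s\n' "${findings:-ok}"
done
```

Run audit_tree /usr/bin to list setuid binaries, or audit_tree "$HOME" to find files other users could modify; the sticky-bit exemption is what keeps /tmp-style directories out of the report.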
Shadow
The user, group and password management tools on Arch Linux come from the shadow package, which is a dependency of the base meta package.
File list
Warning: Do not edit these files by hand. There are utilities that properly handle locking and avoid invalidating the format of the database. See #User management and #Group management for an overview.
| File | Purpose |
|---|---|
| /etc/shadow | Secure user account information |
| /etc/passwd | User account information |
| /etc/gshadow | Contains the shadowed information for group accounts |
| /etc/group | Defines the groups to which users belong |
User management
To list users currently logged on the system, the who command can be used. To list all existing user accounts including their properties stored in the user database, run passwd -Sa as root. See passwd(1) for the description of the output format.
To add a new user, use the useradd command:
# useradd -m -G additional_groups -s login_shell username
- -m/--create-home - the user's home directory is created as /home/username. The directory is populated by the files in the skeleton directory. The created files are owned by the new user.
- -G/--groups - a comma separated list of supplementary groups which the user is also a member of. The default is for the user to belong only to the initial group.
- -s/--shell - a path to the user's login shell. Ensure the chosen shell is installed if choosing something other than Bash.
Warning: In order to be able to log in, the login shell must be one of those listed in /etc/shells, otherwise the PAM module pam_shell will deny the login request. In particular, do not use the /usr/bin/bash path instead of /bin/bash, unless it is properly configured in /etc/shells; see FS#33677.
Note: The password for the newly created user must then be defined, using passwd as shown in #Example adding a user.
If an initial login group is specified by name or number, it must refer to an already existing group. If not specified, the behaviour of useradd will depend on the USERGROUPS_ENAB variable contained in /etc/login.defs. The default behaviour (USERGROUPS_ENAB yes) is to create a group with the same name as the username.
When the login shell is intended to be non-functional, for example when the user account is created for a specific service, /usr/bin/nologin may be specified in place of a regular shell to politely refuse a login (see nologin(8)).
See useradd(8) for other supported options.
Example adding a user
To add a new user named archie, creating its home directory and otherwise using all the defaults in terms of groups, folder names, shell used and various other parameters:
# useradd -m archie
Tip: The default value used for the login shell of the new account can be displayed using useradd --defaults. The default is Bash; a different shell can be specified with the -s/--shell option; see /etc/shells for valid login shells.
Although it is not required to protect the newly created user archie with a password, it is highly recommended to do so:
# passwd archie
The above useradd command will also automatically create a group called archie and make this the default group for the user archie. Making each user have their own group (with the group name the same as the user name) is the preferred way to add users.
You could also make the default group something else using the -g option, but note that, in multi-user systems, using a single default group (e.g. users) for every user is not recommended. The reason is that typically, the method for facilitating shared write access for specific groups of users is setting the user umask value to 002, which means that the default group will by default always have write access to any file you create. See also User Private Groups. If a user must be a member of a specific group, specify that group as a supplementary group when creating the user.
In the recommended scenario, where the default group has the same name as the user name, all files are by default writeable only for the user who created them. To allow write access to a specific group, shared files/folders can be made writeable by default for everybody in this group, and the owning group can be automatically fixed to the group which owns the parent directory by setting the setgid bit on this directory:
# chmod g+s our_shared_directory
Otherwise the file creator's default group (usually the same as the user name) is used.
If a GID change is required temporarily you can also use the newgrp command to change the user's default GID to another GID at runtime. For example, after executing newgrp groupname, files created by the user will be associated with the groupname GID, without requiring a re-login. To change back to the default GID, execute newgrp without a groupname.
Example adding a system user
System users can be used to run processes/daemons under a different user, protecting (e.g. with chown) files and/or directories, and for other computer hardening measures.
With the following command a system user without shell access and without a home directory is created (optionally append the -U parameter to create a group with the same name as the user, and add the user to this group):
# useradd -r -s /usr/bin/nologin username
If the system user requires a specific user and group ID, specify them with the -u/--uid and -g/--gid options when creating the user:
# useradd -r -u 850 -g 850 -s /usr/bin/nologin username
Change a user's login name or home directory
To change a user's home directory:
# usermod -d /my/new/home -m username
The -m option also automatically creates the new directory and moves the content there.
Tip: You can create a link from the user's old home directory to the new one. Doing this will allow programs to find files that have hardcoded paths.
# ln -s /my/new/home/ /my/old/home
Make sure there is no trailing / on /my/old/home.
To change a user's login name:
# usermod -l newname oldname
Warning: Make sure that you are not logged in as the user whose name you are about to change. Open a new tty (e.g. Ctrl+Alt+F6) and log in as root or as another user and elevate to root. usermod should prevent you from doing this by mistake.
Changing a username is safe and easy when done properly, just use the usermod command. If the user is associated to a group with the same name, you can rename this with the groupmod command.
Alternatively, the /etc/passwd file can be edited directly, see #User database for an introduction to its format.
Also keep in mind the following notes:
- If you are using sudo, make sure you update your /etc/sudoers to reflect the new username(s) (via the visudo command as root).
- Personal crontabs need to be adjusted by renaming the user's file in /var/spool/cron from the old to the new name, then opening crontab -e to change any relevant paths and have it adjust the file permissions appropriately.
- Wine's personal folders/files' contents in ~/.wine/drive_c/users, ~/.local/share/applications/wine/Programs and possibly more need to be manually renamed/edited.
- Certain Thunderbird addons, like Enigmail, may need to be reinstalled.
- Anything on your system (desktop shortcuts, shell scripts, etc.) that uses an absolute path to your home dir (i.e. /home/oldname) will need to be changed to reflect your new name. To avoid these issues in shell scripts, simply use the ~ or $HOME variables for home directories.
- Also do not forget to edit accordingly the configuration files in /etc/ that rely on your absolute path (e.g. Samba, CUPS, and so on). A nice way to learn what files you need to update involves using the grep command this way: grep -r old_user *
Other examples of user management
To enter user information for the GECOS comment (e.g. the full user name), type:
# chfn username
(this way chfn runs in interactive mode).
Alternatively the GECOS comment can be set more liberally with:
# usermod -c "Comment" username
To mark a user's password as expired, requiring them to create a new password the first time they log in, type:
# chage -d 0 username
User accounts may be deleted with the userdel command:
# userdel -r username
The -r option specifies that the user's home directory and mail spool should also be deleted.
To change the user's login shell:
# usermod -s /bin/bash username
Tip: The adduser AUR script allows carrying out the jobs of useradd, chfn and passwd interactively. See also FS#32893.
User database
Local user information is stored in the plain-text /etc/passwd file: each of its lines represents a user account, and has 7 fields delimited by colons.
account:password:UID:GID:GECOS:directory:vanquish
Where:
- account is the user name. This field can not be blank. Standard *NIX naming rules apply.
- password is the user password. Warning: The passwd file is world-readable, so storing passwords (hashed or otherwise) in this file is insecure. Instead, Arch Linux uses shadowed passwords: the password field will contain a placeholder character (x) indicating that the hashed password is saved in the access-restricted file /etc/shadow. For this reason it is recommended to always change passwords using the passwd command.
- UID is the numerical user ID. In Arch, the first login name (after root) for a so called normal user, as opposed to services, is UID 1000 by default; subsequent UID entries for users should be greater than 1000.
- GID is the numerical primary group ID for the user. Numeric values for GIDs are listed in /etc/group.
- GECOS is an optional field used for informational purposes; usually it contains the full user name, but it can also be used by services such as finger and managed with the chfn command. This field is optional and may be left blank.
- directory is used by the login command to set the $HOME environment variable. Several services with their own users use /, but normal users usually set a folder under /home.
- shell is the path to the user's default command shell. This field is optional and defaults to /bin/bash.
Example:
jack:x:1001:1003:Jack Smith,some comment here,,:/home/jack:/bin/bash
Broken down, this means: user jack, whose password is in /etc/shadow, whose UID is 1001 and whose primary group is 1003. Jack Smith is his full name and there is a comment associated to his account; his home directory is /home/jack and he is using Bash.
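As an added example that is not part of the original page, the following shell script reads a file in the /etc/passwd format described above and reports the records an administrator would want a review to catch: wrong field counts, an empty password field (a passwordless account if shadow is ever bypassed), UID 0 entries other than root, duplicate UIDs, and login shells absent from /etc/shells (the pam_shell rejection mentioned under useradd). It takes the passwd and shells files as arguments so it runs on the constructed sample data it writes itself, without root; point it at /etc/passwd and /etc/shells on a real system. The function names and the exemption for nologin/false shells are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Arch wiki page: offline audit of passwd-format
# records. Shells ending in "nologin" and /bin/false are exempt from the
# /etc/shells check because they exist precisely to deny logins.

# audit_passwd PASSWD_FILE SHELLS_FILE -> prints one finding per line, returns 1 if any
audit_passwd() {
    awk -F: -v shells="$2" '
        BEGIN {
            # Load the permitted login shells (blank and comment lines skipped).
            while ((getline line < shells) > 0)
                if (line != "" && line !~ /^#/) ok[line] = 1
            close(shells)
        }
        NF != 7 { printf "%s: malformed record (%d fields)\n", $1, NF; bad++; next }
        $2 == "" { printf "%s: empty password field\n", $1; bad++ }
        $3 == 0 && $1 != "root" { printf "%s: UID 0 but not root\n", $1; bad++ }
        ($3 in seen) { printf "%s: duplicate UID %s (also %s)\n", $1, $3, seen[$3]; bad++ }
        { seen[$3] = $1 }
        $7 != "" && !($7 in ok) && $7 !~ /nologin$/ && $7 != "/bin/false" {
            printf "%s: shell %s not in shells file\n", $1, $7; bad++
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# write_samples DIR -> writes constructed passwd and shells files into DIR.
# The data is made up for this example: toor duplicates UID 0, guest has no
# password, dev reuses archie's UID and has a shell not in the shells file,
# and broken is missing a field.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0::/root:/bin/bash
archie:x:1000:1000:Archie,,,:/home/archie:/bin/bash
http:x:33:33::/srv/http:/usr/bin/nologin
toor:x:0:0::/root:/bin/bash
guest::1001:1001::/home/guest:/bin/bash
dev:x:1000:1002::/home/dev:/usr/bin/zsh
broken:x:1003:1003:/home/broken:/bin/bash
EOF
    cat > "$1/shells" <<'EOF'
# constructed /etc/shells
/bin/sh
/bin/bash
/usr/bin/bash
EOF
}

# Demo run on the constructed data.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_passwd "$tmp/passwd" "$tmp/shells" || echo "findings reported; fix with usermod, passwd or vipw"
rm -rf "$tmp"
```

On the sample data the script reports six findings and exits 1; on a file containing only root and archie it prints nothing and exits 0, which makes it usable as a check in a hardening pipeline alongside pwck.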
The pwck command can be used to verify the integrity of the user database. It can sort the user list by GID at the same time, which can be helpful for comparing:
# pwck -s
Warning: Arch Linux defaults of the files are created as .pacnew files by new releases of the filesystem package. Unless Pacman outputs related messages for action, these .pacnew files can, and should, be disregarded/removed. New required default users and groups are added or re-added as needed by systemd-sysusers(8) or the package install script.
Automated integrity checks
Instead of running pwck/grpck manually, the systemd timer shadow.timer, which is part of, and is enabled by, installation of the shadow package, will start shadow.service daily. shadow.service will run pwck(8) and grpck(8) to verify the integrity of both password and group files.
If discrepancies are reported, groups can be edited with the vigr(8) command and users with vipw(8). This provides an extra margin of protection in that these commands lock the databases for editing. Note that the default text editor is vi, but an alternative editor will be used if the EDITOR environment variable is set.
Group management
/etc/group is the file that defines the groups on the system (see group(5) for details). There is also its companion gshadow which is rarely used. Its details are at gshadow(5).
Display group membership with the groups command:
$ groups user
If user is omitted, the current user's group names are displayed.
The id command provides additional detail, such as the user's UID and associated GIDs:
$ id user
To list all groups on the system:
$ cat /etc/group
Create new groups with the groupadd command:
# groupadd group
Add users to a group with the gpasswd command (see FS#58262 regarding errors):
# gpasswd -a user group
Alternatively, add a user to additional groups with usermod (replace additional_groups with a comma-separated list):
# usermod -aG additional_groups username
Warning: If the -a option is omitted in the usermod command above, the user is removed from all groups not listed in additional_groups (i.e. the user will be a member only of those groups listed in additional_groups).
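To make the -a warning concrete, the following added shell example (not from the original page) computes, from an /etc/group-format file, which supplementary groups a user would keep, gain or lose under usermod -G versus usermod -aG, and flags requested groups that do not exist (usermod refuses those). The group file it writes is constructed sample data and the function names are this example's own; pass /etc/group as the file to preview a change on a real system before running usermod.

```shell
#!/bin/sh
# Added example, not part of the Arch wiki page: preview "usermod -G" vs
# "usermod -aG" against a group file without touching /etc/group.

# supplementary_groups USER GROUP_FILE -> space-separated groups listing USER as a member
supplementary_groups() {
    awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$2" | tr '\n' ' ' | sed 's/ $//'
}

# group_exists GROUP GROUP_FILE -> exit 0 if GROUP is defined in the file
group_exists() {
    awk -F: -v g="$1" '$1 == g { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# preview_usermod USER NEWLIST GROUP_FILE [append]
#   Prints one "keep|gain|lose|missing GROUP" line per affected group.
#   NEWLIST is the comma-separated list given to -G. With a 4th argument of
#   "append" (usermod -aG) nothing is lost.
preview_usermod() {
    user=$1; new=$2; gf=$3; mode=${4:-replace}
    old=$(supplementary_groups "$user" "$gf")
    for g in $old; do
        case ",$new," in
            *",$g,"*) ;;                                  # still listed: kept
            *) [ "$mode" = append ] || echo "lose $g" ;;  # dropped unless -a
        esac
    done
    for g in $(printf '%s' "$new" | tr ',' ' '); do
        if ! group_exists "$g" "$gf"; then
            echo "missing $g"
        else
            case " $old " in
                *" $g "*) echo "keep $g" ;;
                *) echo "gain $g" ;;
            esac
        fi
    done
}

# write_sample_group FILE -> constructed /etc/group-style data for the demo
write_sample_group() {
    cat > "$1" <<'EOF'
root:x:0:
wheel:x:998:archie
audio:x:995:archie,bob
storage:x:994:archie
docker:x:970:bob
archie:x:1000:
EOF
}

tmp=$(mktemp -d)
write_sample_group "$tmp/group"
echo "usermod -G docker,wheel archie would:"
preview_usermod archie docker,wheel "$tmp/group"
echo "usermod -aG docker,wheel archie would:"
preview_usermod archie docker,wheel "$tmp/group" append
rm -rf "$tmp"
```

On the sample data the replace form reports "lose audio", "lose storage", "gain docker", "keep wheel", whereas the append form only gains docker and keeps wheel; that difference is exactly what silently removes a user from wheel when -a is forgotten.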
Change an existing group with the groupmod command, e.g. to rename the old_group group to new_group:
# groupmod -n new_group old_group
Note: This will change a group name but not the numerical GID of the group. Hence, all files previously owned by old_group will be owned by new_group.
To delete existing groups:
# groupdel group
To remove users from a group:
# gpasswd -d user group
Note: If the user is currently logged in, they must log out and in again for the change to take effect.
The grpck command can be used to verify the integrity of the system's group files.
Warning: Arch Linux defaults of the files are created as .pacnew files by new releases of the filesystem package. Unless Pacman outputs related messages for action, these .pacnew files can, and should, be disregarded/removed. New required default users and groups are added or re-added as needed by systemd-sysusers(8) or the package install script.
Group list
This section explains the purpose of the essential groups from the filesystem package. There are many other groups, which will be created with the correct GID when the relevant package is installed. See the main page for the software for details.
Note: A later removal of a package does not remove the automatically created user/group (UID/GID) again. This is intentional because any files created during its usage would otherwise be left orphaned as a potential security risk.
User groups
Non-root workstation/desktop users often need to be added to some of the following groups to allow access to hardware peripherals and facilitate system administration:
| Group | Affected files | Purpose |
|---|---|---|
| adm | | Administration group, commonly used to give read access to protected logs. It has full read access to journal files. |
| ftp | /srv/ftp/ | Access to files served by FTP servers. |
| games | /var/games | Access to some game software. |
| http | /srv/http/ | Access to files served by HTTP servers. |
| log | | Access to log files in /var/log/ created by syslog-ng. |
| rfkill | /dev/rfkill | Right to control wireless devices power state (used by rfkill). |
| sys | | Right to administer printers in CUPS. |
| systemd-journal | /var/log/journal/* | Can be used to provide read-only access to the systemd logs, as an alternative to adm and wheel [1]. Otherwise, only user generated messages are displayed. |
| uucp | /dev/ttyS[0-9]+, /dev/tts/[0-9]+, /dev/ttyUSB[0-9]+, /dev/ttyACM[0-9]+, /dev/rfcomm[0-9]+ | RS-232 serial ports and devices connected to them. |
| wheel | | Administration group, commonly used to give privileges to perform administrative actions. It has full read access to journal files and the right to administer printers in CUPS. Can also be used to give access to the sudo and su utilities (neither uses it by default). |
Arrangement groups
The following groups are used for system purposes; an assignment to users is only required for dedicated purposes:
| Group | Affected files | Purpose |
|---|---|---|
| dbus | | Used internally by dbus. |
| kmem | /dev/port, /dev/mem, /dev/kmem | |
| locate | /usr/bin/locate, /var/lib/locate, /var/lib/mlocate, /var/lib/slocate | See Locate. |
| lp | /dev/lp[0-9]*, /dev/parport[0-9]* | Access to parallel port devices (printers and others). |
| mail | /usr/bin/mail | |
| nobody | | Unprivileged group. |
| proc | /proc/pid/ | A group authorized to learn process information otherwise prohibited by the hidepid= mount option of the proc file system. The group must be explicitly set with the gid= mount option. |
| root | /* | Complete system administration and control (root, admin). |
| smmsp | | sendmail group. |
| tty | /dev/tty, /dev/vcc, /dev/vc, /dev/ptmx | |
| utmp | /run/utmp, /var/log/btmp, /var/log/wtmp | |
Pre-systemd groups
Before Arch migrated to systemd, users had to be manually added to these groups in order to be able to access the corresponding devices. This way has been deprecated in favour of udev marking the devices with a uaccess tag and logind assigning the permissions to users dynamically via ACLs according to which session is currently active. Note that the session must not be broken for this to work (see General troubleshooting#Session permissions to check it).
There are some notable exceptions which require adding a user to some of these groups: for example if you want to allow users to access the device even when they are not logged in. However, note that adding users to the groups can even cause some functionality to break (for example, the audio group will break fast user switching and allows applications to block software mixing).
| Group | Affected files | Purpose |
|---|---|---|
| audio | /dev/audio, /dev/snd/*, /dev/rtc0 | Direct access to sound hardware, for all sessions. It is still required to make ALSA and OSS work in remote sessions, see ALSA#User privileges. Also used in JACK to give users realtime processing permissions. |
| disk | /dev/sd[a-zA-Z]*[1-9]* | Access to block devices not affected by other groups such as optical, floppy, and storage. |
| floppy | /dev/fd[0-9]* | Access to floppy drives. |
| input | /dev/input/event[0-9]*, /dev/input/mouse[0-9]* | Access to input devices. Introduced in systemd 215 [2]. |
| kvm | /dev/kvm | Access to virtual machines using KVM. |
| optical | /dev/sr[0-9], /dev/sg[0-9] | Access to optical devices such as CD and DVD drives. |
| scanner | /var/lock/sane | Access to scanner hardware. |
| storage | /dev/st[0-9]*[lma]*, /dev/nst[0-9]*[lma]* | Used to gain access to removable drives such as USB hard drives, flash/jump drives, MP3 players; enables the user to mount storage devices.[3] Now solely for direct access to tapes if no custom udev rule is involved.[4][5][6][7] |
| video | /dev/fb/0, /dev/misc/agpgart | Access to video capture devices, 2D/3D hardware acceleration, framebuffer (X can be used without belonging to this group). |
Unused groups
The following groups are currently not used for any purpose:
| Group | Affected files | Purpose |
|---|---|---|
| bin | none | Historical |
| daemon | | |
| lock | | Used for lockfile access. Required by e.g. gnokii AUR. |
| mem | | |
| network | | Unused by default. Can be used e.g. for granting access to NetworkManager (see NetworkManager#Set up PolicyKit permissions). |
| power | | |
| uuidd | | |
| users | | The primary group for users when user private groups are not used (generally not recommended), e.g. when creating users with USERGROUPS_ENAB no in /etc/login.defs or the -N/--no-user-group option of useradd. |
getent(1) can be used to read a particular record:
% getent group tty
As warned in #User database, using specific utilities such as passwd and chfn is a better way to change the databases. However, there are times when editing them directly is called for. For those times, vipw and vigr are provided. It is strongly recommended to use these tailored editors over a general text editor, as they lock the databases against concurrent editing. They also help prevent invalid entries and/or syntax errors. Note that Arch Linux prefers usage of specific tools, such as chage, for modifying the shadow database over using vipw -s and vigr -s from util-linux. See also FS#31414.
Source: https://wiki.archlinux.org/title/Users_and_groups