Day 2: User Management & Permissions
In a multi-user Linux environment, security is built on the foundation of Ownership and Permissions.
1. Classical File Permissions
Linux uses a 10-character string to represent file types and access rights.
Anatomy of drwxrwxrwx
| Position | Character | Meaning |
|---|---|---|
| 1 | d / - / l | Directory / Regular file / Symbolic link (c, b, p and s also appear here, for character devices, block devices, FIFOs and sockets) |
| 2-4 | rwx | User (owner) permissions |
| 5-7 | rwx | Group permissions |
| 8-10 | rwx | Others (everyone else) permissions |
Permission Effects
| Bit | For Files | For Directories |
|---|---|---|
| r (Read) | View file content | List the names of entries (ls) |
| w (Write) | Modify file content | Create, delete or rename entries (touch, rm, mv); also needs x on the same directory |
| x (Execute) | Run as a program | Enter the directory and reach entries by name (cd, stat, open) |
Note that deleting or renaming a file is decided by write permission on the directory that contains it, not by the file's own bits: a file you cannot even read can be removed if the directory is writable to you. That is the gap the sticky bit closes.
The Sticky Bit (t)
Used primarily on shared, world-writable directories like /tmp to stop users from deleting or renaming files owned by others.
- Behavior: only the file's owner, the directory's owner, or root can delete or rename entries in the directory.
- Visual: appears as t (with execute) or T (without execute) in the Others block, e.g. drwxrwxrwt for /tmp.
2. Modifying Access: chmod & chown
chmod (Change Mode)
Modify permissions using Numeric (Octal) or Symbolic modes.
Numeric Mode (4=r, 2=w, 1=x per block; an optional leading fourth digit sets 4=setuid, 2=setgid, 1=sticky)
- 755: rwxr-xr-x (standard for binaries and directories)
- 644: rw-r--r-- (standard for text files)
- 1777: rwxrwxrwt, sticky bit + full access (used for /tmp)
Symbolic Examples
- chmod u+x script.sh: add execute for the owner.
- chmod -R g+w project/: recursively add write for the group. -R applies the same bits to files and directories alike; when adding execute recursively, use X (capital) so that only directories and files that are already executable receive it.
chown (Change Owner)
Changes the owner and/or group of a file. Changing the owner requires root (via sudo); a file's owner may change its group to any group they are a member of, with chown :group or chgrp.
- chown alice:developers file.txt: sets user and group.
- chown :staff file.txt: changes only the group.
- chown -R www-data: project/: recursively sets the owner to www-data and the group to www-data's primary (login) group.
3. Privilege Escalation: su vs sudo
Understanding the difference is vital for auditability and security.
| Feature | su (Substitute User) | sudo (Superuser Do) |
|---|---|---|
| Password Used | Target's (root's) password, shared by everyone who needs it | Your own password |
| Audit Trail | Poor: only the switch itself is logged, nothing done afterwards | Good: every invocation is logged with user, TTY, working directory, target user and command (journalctl _COMM=sudo, or /var/log/auth.log) |
| Scope | Switches the entire session | Executes a single command (sudo -i or sudo -s opens a root shell, and commands typed inside it are no longer individually logged) |
| Best Practice | Discouraged for admins | Standard for SREs |
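The audit-trail row is the security argument for sudo, but it only pays off if someone reads the log. As an added example (not from the original page), here is a shell function that parses the lines sudo writes through syslog/journald and separates successful invocations from refused ones (user not in sudoers, command not allowed, password failures). The sample lines below are constructed for the example in the format sudo really uses; on a host, feed it with journalctl _COMM=sudo --no-pager | sudo_audit. The function name is my own.

```bash
#!/bin/sh
# Added example: summarise sudo's log lines into who ran what as whom,
# and which attempts were refused.

# Constructed sample in the format sudo writes to the auth facility
# (journalctl shows the same lines as "sudo[pid]: ...").
SAMPLE_SUDO_LOG='Mar 10 09:14:02 web1 sudo[2210]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar 10 09:14:02 web1 sudo[2210]: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
Mar 10 09:20:45 web1 sudo[2291]:     bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 10 09:31:10 web1 sudo[2340]:   alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 10 09:33:51 web1 sudo[2402]:   alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar 10 09:40:00 web1 sudo[2455]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx'

# sudo_audit < logfile
# Prints one line per sudo invocation (OK or DENIED) followed by a summary.
sudo_audit() {
    awk '
    # Only the lines sudo itself emits with a COMMAND= field; the pam_unix
    # session open/close lines carry no command and are skipped.
    /sudo(\[[0-9]+\])?: / && / ; COMMAND=/ {
        line = $0
        sub(/^.*sudo(\[[0-9]+\])?: +/, "", line)   # strip timestamp, host, pid
        user = line; sub(/ : .*$/, "", user)
        rest = line; sub(/^[^:]* : /, "", rest)
        # A successful invocation starts with TTY=; anything else before the
        # first " ; " is the reason sudo gives for refusing.
        reason = "ok"
        if (rest !~ /^TTY=/) { reason = rest; sub(/ ; .*$/, "", reason) }
        runas = "?"
        if (match(line, /USER=[^ ;]+/)) runas = substr(line, RSTART + 5, RLENGTH - 5)
        cmd = line; sub(/^.*COMMAND=/, "", cmd)
        if (reason == "ok") {
            ok++
            printf "OK      %-8s as %-6s %s\n", user, runas, cmd
        } else {
            denied++
            printf "DENIED  %-8s as %-6s %s  [%s]\n", user, runas, cmd, reason
        }
    }
    END { printf "summary: %d allowed, %d denied\n", ok + 0, denied + 0 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_SUDO_LOG" | sudo_audit
```

The DENIED lines are the ones worth alerting on: a "user NOT in sudoers" entry means someone tried to escalate without any grant at all, and repeated "incorrect password attempts" against a valid grant look like a stolen or shared account.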
The /etc/sudoers Logic
Edit safely using sudo visudo. The syntax follows:
User Host=(User:Group) Commands
Distributions ship one group that is already granted administrative rights by a %group line of this kind: sudo on Debian/Ubuntu, wheel on Red Hat/Arch, and occasionally admin on legacy systems. Adding a user to that group is equivalent to giving them full root, so its membership deserves the same review as the sudoers file itself.
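As an added example (not part of the original page), here are two constructed sudoers fragments for the same three people, one granting far more than intended and one restricted to what they need, together with a small linter for the one-line grant form shown above. The linter flags three patterns: a command list of ALL (with or without NOPASSWD), a bare program path (which matches that program with any arguments), and interactive programs such as vim or less that can spawn a shell (sudoedit is the fix for editing a root-owned file). The fragment contents, user names and function names are my own; visudo -cf FILE is the real syntax check and is run when the tool is present.

```bash
#!/bin/sh
# Added example: an over-broad sudoers fragment beside a least-privilege
# rewrite, with a linter for the common mistakes. Syntax check: visudo -cf FILE

WEAK_FRAGMENT='# constructed: grants that are wider than they look
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) /bin/systemctl
carol   ALL=(root) /usr/bin/vim /etc/nginx/nginx.conf'

HARDENED_FRAGMENT='# constructed: same people, only what they need
Defaults    use_pty
alice   ALL=(root) /bin/systemctl restart nginx, /bin/systemctl status nginx
bob     ALL=(root) /bin/systemctl restart nginx
carol   ALL=(root) sudoedit /etc/nginx/nginx.conf'

# sudoers_lint FILE : one warning per risky command spec, exit 1 if any.
# Understands the one-line "who HOST=(runas) [TAG:] cmd, cmd" grant form.
sudoers_lint() {
    awk '
    function base(p,  n, a) { n = split(p, a, "/"); return a[n] }
    /^[ \t]*(#|$)/    { next }          # comments and blank lines
    /^[ \t]*Defaults/ { next }          # option lines, not grants
    {
        who = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)          # drop "who HOST="
        sub(/^\([^)]*\)[ \t]*/, "", spec)       # drop "(runas)"
        nopasswd = (spec ~ /NOPASSWD:/)
        gsub(/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):[ \t]*/, "", spec)
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]; gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c == "ALL") {
                printf "%s: may run ANY command%s\n", who, (nopasswd ? " without a password" : "")
                warnings++
            } else if (c !~ / /) {
                # A bare path matches that program with ANY arguments.
                printf "%s: %s with no argument restriction\n", who, c
                warnings++
            } else {
                split(c, w, " ")
                if (base(w[1]) ~ /^(sh|bash|dash|zsh|vi|vim|less|more)$/) {
                    printf "%s: %s can spawn a shell; use sudoedit for file edits\n", who, w[1]
                    warnings++
                }
            }
        }
    }
    END { printf "%d warning(s)\n", warnings + 0; exit (warnings > 0) }' "$1"
}

# check_sudoers_syntax FILE : run the real parser when visudo is installed.
check_sudoers_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not installed; skipping syntax check of $1"
    fi
}

# Stand-alone demo.
tmp=$(mktemp -d)
printf '%s\n' "$WEAK_FRAGMENT"     > "$tmp/weak"
printf '%s\n' "$HARDENED_FRAGMENT" > "$tmp/hardened"
echo "== weak";     sudoers_lint "$tmp/weak"
echo "== hardened"; sudoers_lint "$tmp/hardened" && check_sudoers_syntax "$tmp/hardened"
rm -rf "$tmp"
```

The %sudo ALL=(ALL:ALL) ALL line is the distro default and is expected on an administrator's workstation; the linter still reports it so that it stands out on a server where only scoped grants should exist. Defaults use_pty makes sudo run the command in its own pseudo-terminal, so a malicious program cannot inject keystrokes into, or keep a background process attached to, the calling terminal.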
Example Entry:
# Allow members of %sudo to run everything
%sudo ALL=(ALL:ALL) ALL
# Restricted access for 'alice'
alice ALL=(root) /bin/systemctl restart nginx
sudoers matches a command together with its arguments, so this entry allows alice exactly that one invocation; listing /bin/systemctl on its own would let her run any systemctl subcommand.
Practical Lab (1.5 Hours)
Step 1: User & Group Setup
sudo groupadd developers
sudo useradd -m -G developers dev-user
Step 2: Shared Directory Config
Create /opt/project so only developers can write, but everyone can read.
sudo mkdir -p /opt/project
sudo chown :developers /opt/project
sudo chmod 775 /opt/project
# Add sticky bit to prevent devs from deleting each other's work
sudo chmod +t /opt/project
Step 3: Verification
- Check permissions with ls -ld /opt/project (expect drwxrwxr-t with group developers).
- Review sudo logs: sudo journalctl _COMM=sudo.
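The lab steps as one script, added here as an example rather than taken from the page: it builds the Step 2 layout in a temporary sandbox owned by the current user (so it runs without sudo and without a developers group; the real group is passed as an argument) and adds the check a practitioner wants for Step 3, a function that verifies the bits instead of eyeballing ls -ld. It goes one step beyond the lab by also setting the setgid bit, so that files created inside inherit the directory's group instead of each author's primary group. Function names are my own.

```bash
#!/bin/sh
# Added example: Step 2 layout in a sandbox, plus a Step 3 verifier.
# Beyond the lab's 775 + sticky bit it sets setgid (2xxx) so new files
# inherit the directory's group, which is what keeps a shared tree shared.

# setup_shared_dir DIR GROUP   (on the host: setup_shared_dir /opt/project developers, as root)
setup_shared_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"      # the lab's equivalent: sudo chown :developers /opt/project
    chmod 3775 "$1"      # 2 = setgid, 1 = sticky, 775 = rwxrwxr-x  -> drwxrwsr-t
}

# verify_shared_dir DIR : check each bit that matters, return 1 on any failure.
verify_shared_dir() {
    dir=$1
    mode=$(stat -c %a "$dir") || return 1
    m=$((0$mode))        # leading 0 makes the shell read the digits as octal
    rc=0
    if [ $((m & 020))   -ne 0 ]; then echo "ok   group can write";     else echo "FAIL group cannot write"; rc=1; fi
    if [ $((m & 02))    -eq 0 ]; then echo "ok   others cannot write"; else echo "FAIL world-writable";     rc=1; fi
    if [ $((m & 01000)) -ne 0 ]; then echo "ok   sticky bit set";      else echo "FAIL sticky bit missing"; rc=1; fi
    if [ $((m & 02000)) -ne 0 ]; then echo "ok   setgid set";          else echo "FAIL setgid missing";     rc=1; fi
    return $rc
}

# check_group_inheritance DIR : a file created inside must carry DIR's group.
check_group_inheritance() {
    f="$1/newfile.$$"
    : > "$f"
    dgroup=$(stat -c %G "$1"); fgroup=$(stat -c %G "$f")
    rm -f "$f"
    [ "$dgroup" = "$fgroup" ]
}

# Stand-alone demo in a sandbox; the caller's primary group stands in for 'developers'.
sandbox=$(mktemp -d)
setup_shared_dir "$sandbox/project" "$(id -gn)"
ls -ld "$sandbox/project"
verify_shared_dir "$sandbox/project"
check_group_inheritance "$sandbox/project" && echo "ok   new files inherit the group"
rm -rf "$sandbox"
```

One caveat the lab leaves out: with the usual umask of 022 a developer's new files are 644, readable but not writable by teammates, so a tree meant for joint editing also needs umask 002 for the developers or a default ACL (see the self-study list). The sticky bit keeps its meaning either way: members can edit each other's files if the bits allow it, but cannot delete or rename them.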
Resources
- Permissions Explained (video, 51:18)
- Linux Crash Course - sudo (video)
- DigitalOcean: Edit Sudoers File
Self-study Task: Advanced Security
The following topics provide finer-grained and mandatory security controls that extend beyond classical POSIX permissions. They are not covered in this session; research them independently as you progress toward SRE mastery:
- ACLs (Access Control Lists): Provides more granular permissions than the standard User/Group/Other model (e.g., giving a specific fourth user access to a file).
- SELinux (Security-Enhanced Linux): A kernel security module (common in RHEL/Fedora) that uses a “Labeling” system to enforce Mandatory Access Control.
- AppArmor: A simpler alternative to SELinux (standard on Debian/Ubuntu) that restricts programs’ capabilities based on profiles.
- Look up the difference between Discretionary Access Control (DAC)—what we covered today—and Mandatory Access Control (MAC).