15. The Linux file system 3: Access

Last time we looked at where your computer's resources are located in the Linux file system. Now that you know where they are, you need to know how to set them up for your use. That's our topic for today.

One of the difficulties of teaching over the radio is the complete lack of visual aids. In order to illustrate some points of this topic, I'll specify a few simple commands to be run at the command line in a terminal. If you want to follow along, open a terminal on your Linux box and be ready to type them in.

We begin with the fact that Linux is a multi-user operating system. That is, any number of users may work simultaneously on one host. In order to make that work, the system must be able to do two things:

1. Grant users access to resources they need.
2. Prohibit access to resources they don't need.

Linux accomplishes that through a system of file permissions that are granted to users and groups of users. Let's see how that works.

File permissions are built-in as part of the Linux system. As the name implies, their function is to grant permission to use files in various ways. These are:

1. Read: permits a program to acquire data from a file.
2. Write: permits a program to send data to a file.
3. Execute: allows a user to run a program contained in a file.

This is where the elegant design of the Linux system becomes apparent. We've seen before that all resources on a Linux computer are made available through the file system; that is, everything is treated as a file. The practical result of that is that access to all computer resources can be controlled through the judicious use of file permissions.

Users and groups are used to selectively grant permissions on files. They are created by the system administrator (which means you need to act as root when doing it).

Every Linux system provides utilities for doing this.

• At the command line: adduser or useradd to add users, addgroup or groupadd for groups. Be aware that these pairs of commands work slightly differently – so be sure to use the one that does what you want.
• GUI: Users and groups utility.

Users are the sole means for controlling access to the Linux file system. The only way to do anything on a Linux computer is to be authenticated as a system user and employ the permissions granted to that user.

That applies to programs as well as to human operators. A program cannot get permissions by itself. Instead, it obtains user permissions by being executed by a user on the system – the program effectively inherits that user's permissions.

The basic process for administering users is:

1. The system administrator (AKA root, sysadm), creates a user, giving it a usernname, plus other information.
2. For each file in the system, permissions for read, write, and execute can be granted specifically to that user. (These are abbreviated as “r”, “w”, and “x” and are displayed in file listings as rwx.)

As we noted last time, a user can optionally be given a home directory: /home/username. If that is done, the user is automatically granted full permissions for that directory. In other parts of the file system, permissions are granted on a file-by-file basis.

To see all the users on your system, open a terminal and type in: cat /etc/passwd. This is the file in which users are defined. You should see a lot of them, almost all of which were created by the system.

• Note that all but a few show “nologin”, which means they cannot log into an interactive shell.
• Your username likely is last on the list, and it should list both your home directory and your shell, /bin/bash.

A group is simply an aggregation of users. Its purpose is to grant file permissions en masse to its members. The process is simple:

1. The sysadm creates a group, giving it a name.
2. File permissions are granted to the group. (We'll see later how that's done.)
3. Existing users are added to the group, thereby granting them file access via the group's permissions.

Here are some examples of how groups are used.

• For users who are allowed to log in and work live in a terminal (or shell): grant access to Bash command-line utilities, along with programs installed in the /usr directory.
• Hams who run digital modes will be familiar with the dialout group that they can join to get access to USB ports.
• Programs that run as services without a UI often have both a dedicated user and group, to give them exclusive access to heir data files.

Just as there's a file in /etc that defines users, there's one that defines groups. In a terminal, run cat /etc/group to display its contents. Two things to note here:

1. There's a group that is named with your username. This is used in granting group permissions on files.
2. Your username appears in several groups – that means you are a group member. Whenever file permissions are granted to one of those groups, you will have them, as well.

Let's look at how all users and groups are used to manage permissions. We won't get into detail here – just a high-level view of the process.

The goal is to grant only the permissions required for a job, and no more.

For each file in the system (this includes directories), three sets of permissions are granted, one each for

• The file's owner
• A single group
• Other users

Every file in the system is “owned” by a user. When a file is created, the owner is set to be the user that created it. For example, unless you specify otherwise, you will be the owner of all files in you home directory. The owner can be changed, if necessary.

The owner has full permissions on the file: rwx. Only the owner of a file can grant permissions to groups and to other users.

The second set of permissions is to one of the groups defined on the system. For files that you create, this will default to the group that has your username. This can be changed to another group if you want to make the file available to its members.

Finally, permissions can be granted to all the other users on the system. In general, you'll limit this to allow reading only. Write and execute permissions can be granted if needed for a specific situation.

At the command line, run ls -l to view files and their permissions. Each file is displayed on a separate line.

1. The first character on the line specifies whether it's a file or a directory:
   • A dash character denotes a data file.
   • A “d” character denotes a directory.
2. The next nine characters show the permissions for the owner, group, and other users, respectively. Each has three characters: “r” for read, “w” for write, “x” for execute.
   • rwx denotes full permissions.
   • A dash denotes permission not granted. For example r-- denotes read-only permissions.
3. Skipping over the digit, we see two names:
   • The first is the username of the owner.
   • The second is the group for which permissions are granted.

In a GUI, the file browser should have a Properties dialog for a file, which will show the permissions.

Permissions can be set by using utilities provided by the system.

• At the command line:
  • chmod to set for owner, group, everyone
  • chown to set owner and group
• In a GUI: A properties dialog box in file browser.

When installing software, the installation program can set up the users, groups, and permissions it needs to run properly.

We've seen that access to resources on a Linux computer is controlled by means of granting file permissions to users and groups of users. Permissions include read, write, and execute.

In practice, you want to run with the fewest permissions possible. This does two things, in particular:

1. It allows you to operate safely, by minimizing the possibility of accidentally changing something you shouldn't – such a deleting files.
2. It enhances system stability and security, by making it more difficult for any user to interfere with what any other user is doing.

In order to keep your permissions to a minimum:

• Run as a specific user, whose permissions are tightly controlled.
• Run as root (including using sudo) only when absolutely necessary.

Return to series index