A Look Inside Linux series
A series of short topics on how Linux works and how to make it work the way you want it to, which I present during the weekly sessions of the Linux User Net. The target audience is Hams who are new to Linux and want to know more about it, as well as experienced Linux users who can learn more about their chosen operating system. These are my notes for the presentations. (Russ, KC7MM)
Last time we looked at where your computer's resources are located in the Linux file system. Now that you know where they are, you need to know how to set them up for your use. That's our topic for today.
One of the difficulties of teaching over the radio is the complete lack of visual aids. In order to illustrate some points of this topic, I'll specify a few simple commands to be run at the command line in a terminal. If you want to follow along, open a terminal on your Linux box and be ready to type them in.
We begin with the fact that Linux is a multi-user operating system. That is, any number of users may work simultaneously on one host. In order to make that work, the system must be able to do two things:
Linux accomplishes that through a system of file permissions that are granted to users and groups of users. Let's see how that works.
File permissions are built-in as part of the Linux system. As the name implies, their function is to grant permission to use files in various ways. These are:
This is where the elegant design of the Linux system becomes apparent. We've seen before that all resources on a Linux computer are made available through the file system; that is, everything is treated as a file. The practical result of that is that access to all computer resources can be controlled through the judicious use of file permissions.
Users and groups are used to selectively grant permissions on files. They are created by the system administrator (which means you need to act as root when doing it).
Every Linux system provides utilities for doing this.
useraddto add users,
groupaddfor groups. Be aware that these pairs of commands work slightly differently – so be sure to use the one that does what you want.
Users are the sole means for controlling access to the Linux file system. The only way to do anything on a Linux computer is to be authenticated as a system user and employ the permissions granted to that user.
That applies to programs as well as to human operators. A program cannot get permissions by itself. Instead, it obtains user permissions by being executed by a user on the system – the program effectively inherits that user's permissions.
The basic process for administering users is:
As we noted last time, a user can optionally be given a home directory:
/home/username. If that is done, the user is automatically granted full permissions for that directory. In other parts of the file system, permissions are granted on a file-by-file basis.
To see all the users on your system, open a terminal and type in:
cat /etc/passwd. This is the file in which users are defined. You should see a lot of them, almost all of which were created by the system.
A group is simply an aggregation of users. Its purpose is to grant file permissions en masse to its members. The process is simple:
Here are some examples of how groups are used.
dialoutgroup that they can join to get access to USB ports.
Just as there's a file in
/etc that defines users, there's one that defines groups. In a terminal, run
cat /etc/group to display its contents. Two things to note here:
Let's look at how all users and groups are used to manage permissions. We won't get into detail here – just a high-level view of the process.
The goal is to grant only the permissions required for a job, and no more.
For each file in the system (this includes directories), three sets of permissions are granted, one each for
Every file in the system is “owned” by a user. When a file is created, the owner is set to be the user that created it. For example, unless you specify otherwise, you will be the owner of all files in you home directory. The owner can be changed, if necessary.
The owner has full permissions on the file:
rwx. Only the owner of a file can grant permissions to groups and to other users.
The second set of permissions is to one of the groups defined on the system. For files that you create, this will default to the group that has your username. This can be changed to another group if you want to make the file available to its members.
Finally, permissions can be granted to all the other users on the system. In general, you'll limit this to allow reading only. Write and execute permissions can be granted if needed for a specific situation.
At the command line, run
ls -l to view files and their permissions. Each file is displayed on a separate line.
rwxdenotes full permissions.
r--denotes read-only permissions.
In a GUI, the file browser should have a Properties dialog for a file, which will show the permissions.
Permissions can be set by using utilities provided by the system.
chmodto set for owner, group, everyone
chownto set owner and group
When installing software, the installation program can set up the users, groups, and permissions it needs to run properly.
We've seen that access to resources on a Linux computer is controlled by means of granting file permissions to users and groups of users. Permissions include read, write, and execute.
In practice, you want to run with the fewest permissions possible. This does two things, in particular:
In order to keep your permissions to a minimum:
sudo) only when absolutely necessary.