
Master Linux Permissions: Users, Groups, SUID/SGID, ACLs and sudo

This comprehensive guide explains Linux permission fundamentals, user and group management, file permission modes, special bits like SUID, SGID and Sticky, hidden attributes with chattr/lsattr, ACL configuration, and privilege escalation using su and sudo, complete with practical command examples.

MaGe Linux Operations

Basics

Linux is a multi‑user operating system where each user has a system account. Accounts are divided into administrator accounts (UID 0) and regular user accounts. The system identifies users by UID, not by name.

When a new account is created the system automatically assigns a unique UID and GID, stored in configuration files.

Group Types

Every user has a primary group created with the same name as the user. Users may belong to zero or more supplementary groups.

Configuration Files

All user and group information is stored as files because "everything is a file" in Linux.

/etc/passwd   – user attributes (name, UID, GID, …)
/etc/group    – group attributes
/etc/shadow   – encrypted passwords
/etc/gshadow  – group passwords

passwd file format (7 colon‑separated fields)

1. Login name
2. Password placeholder (the real hash lives in /etc/shadow)
3. UID
4. GID
5. Full name / comment
6. Home directory
7. Default shell

group file format (4 colon‑separated fields)

1. Group name
2. Group password (usually empty)
3. GID
4. Member list (comma‑separated)

shadow file format (colon‑separated fields)

1. Login name
2. Encrypted password
3. Last password change (days since 1970‑01‑01)
4. Minimum days before change
5. Maximum days before expiration
6. Warning period before expiration
7. Inactivity period before lock
8. Account expiration date

gshadow file format (4 colon‑separated fields)

1. Group name
2. Group password
3. Group administrators
4. Group members

User Account Management

Root has UID 0. Regular users have UID 1‑65535. In CentOS 6 system accounts use 1‑499, normal users start at 500. In CentOS 7 system accounts use 1‑999, normal users start at 1000.
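As an added example (not from the original article), the following Python parses constructed sample records in the passwd, group and shadow layouts described above and applies the UID convention from this section; the lock marker (`!` or `*`) and empty password field it classifies are what `passwd -l` and `passwd -d` produce in the shadow file.

```python
"""Parse /etc/passwd, /etc/group and /etc/shadow records (added example).

Field order follows the layouts described above; all of these files use ':'
as the field separator. Sample lines in the tests are constructed accounts.
"""
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "comment", "home", "shell")
GROUP_FIELDS = ("name", "passwd", "gid", "members")
SHADOW_FIELDS = ("name", "passwd", "lastchg", "min", "max", "warn", "inactive", "expire")

def _fields(line, expected, name):
    parts = line.rstrip("\n").split(":")
    if len(parts) < expected:
        raise ValueError("%s record needs %d fields, got %d" % (name, expected, len(parts)))
    return parts

def parse_passwd(line):
    rec = dict(zip(PASSWD_FIELDS, _fields(line, 7, "passwd")))
    rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
    return rec

def parse_group(line):
    rec = dict(zip(GROUP_FIELDS, _fields(line, 4, "group")))
    rec["gid"] = int(rec["gid"])
    # The member list is comma-separated and may be empty.
    rec["members"] = [m for m in rec["members"].split(",") if m]
    return rec

def parse_shadow(line):
    # Real shadow files carry a ninth, reserved field; only the first eight are kept.
    rec = dict(zip(SHADOW_FIELDS, _fields(line, 8, "shadow")))
    for key in SHADOW_FIELDS[2:]:          # day counts: an empty field means "not set"
        rec[key] = int(rec[key]) if rec[key] else None
    return rec

def account_state(shadow_rec):
    """'locked' when the hash is prefixed with '!' or '*' (passwd -l, system accounts),
    'no-password' when the field is empty (passwd -d), otherwise 'hashed'."""
    pw = shadow_rec["passwd"]
    if pw == "":
        return "no-password"
    if pw.startswith(("!", "*")):
        return "locked"
    return "hashed"

def is_system_account(passwd_rec, first_normal_uid=1000):
    """CentOS 7 convention from the article: UIDs 1-999 are system accounts, root is 0."""
    return passwd_rec["uid"] != 0 and passwd_rec["uid"] < first_normal_uid
```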

Add Account

useradd [options] login

-u UID – specify UID

-o – allow non‑unique UID (not recommended)

-g GID – primary group (name or ID)

-c comment – description

-d directory – home directory (use -m to create it)

-G supplementary – supplementary groups

-s shell – login shell

useradd -d /usr/ddz ddz

Creates user ddz with home directory /usr/ddz.

Delete Account

userdel [options] username

Common option -r removes the user’s home directory as well.

userdel -r sam

Modify Account

usermod [options] username

-c comment

-d new_home

-m – move contents to new home

-g GID – change primary group

-G groups – change supplementary groups

-s shell – change login shell

-u UID – change UID

-o – allow duplicate UID

-l newname – rename user

usermod -s /bin/ksh -d /home/z -g developer sam

Query Account Information

id [options] [user]

-u – show UID

-g – show GID

-G – show supplementary groups

-n – show name

Password Management

passwd [options] username

-l – lock password (disable account)

-u – unlock password

-d – delete password (no password required)

-f – force password change on next login

Group Management

Add Group

groupadd [options] groupname

-g GID – specify GID

-o – allow duplicate GID

-r – create system group

groupadd group1
groupadd -g 101 group2

Delete Group

groupdel groupname
groupdel group1

Modify Group

groupmod [options] groupname

-g GID – change GID

-o – allow duplicate GID

-n name – rename group

groupmod -g 102 group2
groupmod -g 10000 -n group3 group2

Temporary Primary Group Switch

newgrp groupname

Switches the current primary group to groupname if the user belongs to it.

File Permission Control

File Permissions and Ownership

Each file has an owner, a group, and permission bits for owner, group and others (read r, write w, execute x). Directories use the same bits, where read lists entries, write creates/deletes/renames, and execute allows entering the directory.

Permissions can be expressed symbolically (rwx) or numerically (4 = r, 2 = w, 1 = x). Example: rwxrw‑r‑‑ equals 764.

Special Permission Bits

SUID

SUID allows an executable to run with the file owner’s privileges. Example: /bin/passwd is setuid root so ordinary users can change their passwords.

SGID

When set on a file, SGID gives the executing user the file’s group privileges. When set on a directory, new files inherit the directory’s group.

Sticky Bit (SBIT)

On a directory, the sticky bit (t) ensures that only a file’s owner or root can delete or rename the file. Commonly set on /tmp.

Changing Permissions

chmod [options] mode file

Example: set owner rwx, group rw, others none → chmod 760 file.
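As an added example (not from the original article), this Python converts between ls‑style symbolic modes and four‑digit octal modes, including the SUID, SGID and sticky bits described above, so the worked cases on this page (rwxrw‑r‑‑ = 764, a setuid /bin/passwd, a sticky /tmp) can be checked; the `stat` constants are from the standard library.

```python
"""Symbolic <-> octal permission modes with SUID/SGID/sticky (added example).

ls(1) convention for the execute column: 's' (owner or group column) and 't'
(others column) mean the special bit plus execute; 'S'/'T' mean the special
bit without execute.
"""
import stat

# (bit shift of the rwx triplet, special-bit mask, letter ls shows for it)
SPECIAL = ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t"))

def symbolic_to_octal(sym):
    """'rwxrw-r--' -> '0764', 'rwsr-xr-x' -> '4755', 'rwxrwxrwt' -> '1777'."""
    if len(sym) != 9:
        raise ValueError("expected 9 permission characters, e.g. rwxr-xr-x")
    special, digits = 0, []
    for who, triplet in enumerate((sym[0:3], sym[3:6], sym[6:9])):
        r, w, x = triplet
        letter = SPECIAL[who][2]
        if r not in "r-" or w not in "w-" or x not in "-x" + letter + letter.upper():
            raise ValueError("bad triplet %r at position %d" % (triplet, who))
        value = (4 if r == "r" else 0) + (2 if w == "w" else 0) + (1 if x in "x" + letter else 0)
        if x.lower() == letter:
            special |= 4 >> who        # SUID=4 (owner), SGID=2 (group), sticky=1 (others)
        digits.append(value)
    return "".join(str(d) for d in [special] + digits)

def octal_to_symbolic(mode):
    """Integer mode, e.g. os.stat(path).st_mode or 0o4755 -> 'rwsr-xr-x'."""
    out = []
    for shift, bit, letter in SPECIAL:
        triplet = (mode >> shift) & 0o7
        out.append("r" if triplet & 4 else "-")
        out.append("w" if triplet & 2 else "-")
        exe = bool(triplet & 1)
        if mode & bit:
            out.append(letter if exe else letter.upper())
        else:
            out.append("x" if exe else "-")
    return "".join(out)

def special_bits(mode):
    """Names of the special bits set in an integer mode (use on os.stat(p).st_mode)."""
    names = ("SUID", "SGID", "sticky")
    return [name for (_, bit, _), name in zip(SPECIAL, names) if mode & bit]
```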

Changing Ownership

chown owner:group file

Example: chown linuxprobe:linuxprobe anaconda-ks.cfg.

Hidden File Attributes

Linux provides additional attributes that are not visible with ordinary ls. They are managed with chattr and viewed with lsattr.

chattr

Set attributes such as +a (append‑only) or +i (immutable).

chattr +a file

Attempting to delete an append‑only file fails.

lsattr

Displays current attributes.

lsattr file

Access Control Lists (ACL)

ACLs allow fine‑grained permissions for specific users or groups beyond the traditional owner/group/others model.

setfacl

setfacl -m u:dev1:rwx /root

Grants user dev1 full access to /root. Use -R for recursive changes.

getfacl

getfacl /root

Shows the ACL entries for the file or directory.

Privilege Escalation: su and sudo

su

Switches to another user. Using a leading dash (su - user) also loads the target’s environment.

sudo

Allows a user to run specific commands as another user (usually root) without sharing the root password. Configuration is stored in /etc/sudoers and edited safely with visudo.

Typical sudoers entry granting all commands:

dev2 ALL=(ALL) ALL

To restrict to specific commands and avoid password prompts:

dev2 ALL=(ALL) NOPASSWD:/usr/bin/cat,/usr/sbin/reboot
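As an added example (not from the original article), the Python below parses the one‑line user specifications shown above into user, host, Runas target, tags and command list, and flags the two things a sudoers review looks at first: entries that allow any command and entries that skip the password prompt. The sample file text in the tests is constructed.

```python
"""Parse simple sudoers user specifications: user host=(runas) [TAG:]cmd,cmd
Added example, not from the article; aliases, #include and continuations are out of scope.
"""
import re

SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

def parse_spec(line):
    m = SPEC_RE.match(line.strip())
    if not m:
        raise ValueError("not a simple user specification: %r" % line)
    cmds, tags = m.group("cmds"), []
    while True:                        # tags prefix the command list, e.g. NOPASSWD:
        t = TAG_RE.match(cmds)
        if not t:
            break
        tags.append(t.group(1))
        cmds = cmds[t.end():]
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        # sudoers(5): with no Runas_Spec the command may be run as root.
        "runas": (m.group("runas") or "root").strip(),
        "tags": tags,
        "commands": [c.strip() for c in cmds.split(",")],
    }

def parse_sudoers(text):
    """Parse every user specification; blank lines, comments and Defaults lines are skipped."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        specs.append(parse_spec(line))
    return specs

def review(spec):
    """Findings a sudoers review would raise for one entry."""
    findings = []
    if "ALL" in spec["commands"]:
        findings.append("%s may run any command" % spec["user"])
    if "NOPASSWD" in spec["tags"]:
        findings.append("%s is not prompted for a password" % spec["user"])
    return findings
```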

Additional Commands

Commonly used for permission management:

chmod         – change mode
chown         – change owner/group
chattr        – change hidden attributes
setfacl       – set ACLs
getfacl       – get ACLs
sudo / visudo – configure privileged command execution

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
