Time to re-learn how the kernel handles users.
I know, I know – this is one of the most basic concepts we all have to know when it comes to the Linux system. But it’s also important to take a look again at how the kernel handles users and groups.
Multi-user system
Login is the process where you type your user name and password. After logging in, you are placed in your home directory, where your shell (such as Bash) runs, and you can read and write the files you are allowed to access.
So what’s the point of a multi-user system that requires us to log in every time? Wouldn’t it be simpler to design for a single user and get rid of the login process altogether? There are several single-user OSes, such as older versions of iOS and Android.
The main reason Linux is a multi-user system is that UNIX was. Since computers were quite expensive back then, it was almost impossible for an individual to own one, so a machine had to be shared among family members or within an organization.
So, what’s the point of a multi-user system in the modern age? The answer is security. Think about libc.so.6, which the system depends on to boot and run, and a text file you randomly created to take a note. The system can’t treat the two equally: an essential file like libc.so.6 shouldn’t be modifiable by ordinary users.
This is why a multi-user system is needed. An important file like libc.so.6 should be owned by the admin user and reserved for him/her, so that it is never accidentally deleted by someone else.
Windows used to be a single-user OS, but since Windows XP it has been a multi-user system for security reasons. So the multi-user system is a must in the modern computing world.
Multiple roles
Just because you have multiple users on your system doesn’t mean it is secure. It’s all about permissions. In Linux, the combination of the multi-user model and file system permissions is what secures the system.
The one exception is the superuser, known as root, who has every permission needed to create, delete, and edit any file on the system.
Groups
You can control the system’s security with users and permissions, but groups make this even more flexible. When you grant a permission to a group, every member (user) of that group is granted it automatically. For example, if you want a file to be readable by a specific group, the file is available only to the members of that group.
A user must be a member of at least one group, and adding a user to a group is simple. The useradd command creates a new user, and its -g option lets you specify the group the user belongs to.
Depending on your system’s needs, you as an admin may need to add a user to further groups; those additional groups are called “supplementary groups”.
Permissions
Permissions define who may access a file, based on the file’s owner (user) and group. Each file has an owner (user) and a group, and you control its accessibility for the following three classes:
- The user that owns the file
- User(s) within the group that owns the file
- Other user(s)
And there are three different types of permissions:
- read (r)
- write (w)
- execute (x)
You can see permissions by running the ls -l command:
In image 01, permissions are displayed as “-rwxrwxr-x”: the first character is the file type, and the next nine characters show the permissions (three each for the owner, the group, and others). A line that starts with d is a directory.
Here are some common examples:
- rw-r--r--
Readable and writable by its owner, not executable; other users can only read it. Most ordinary text and document files are in this category.
- rwxr-xr-x
Readable, writable, and executable by its owner; other users can only read and execute it. Most program files and directories are in this category.
- rw-------
Readable and writable only by its owner. Secured files such as SSH private keys are in this category.
Permission in the octal numeral system
Along with the rw-r--r-- notation above, you can also write permissions in the octal numeral system by representing each permission as one bit.
The values are: r = 4, w = 2, x = 1, and - = 0.
For example, rwx is 4+2+1=7, and r-x is 4+0+1=5. So, numerically, rwxr-xr-x is 755, while rw-r--r-- is 644. In binary, r=4 is 100, w=2 is 010, and x=1 is 001, so the same values can be used as bit flags in C.
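As an added example (not code from the article), the following C program converts between the nine-character notation and the octal mode bits defined in <sys/stat.h>, using the r=4, w=2, x=1 weights just described; the function names are this example’s own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* One bit per position, owner first: S_IRUSR is 0400 (1<<8), S_IXOTH is 01. */
static const mode_t perm_bits[9] = {
    S_IRUSR, S_IWUSR, S_IXUSR,
    S_IRGRP, S_IWGRP, S_IXGRP,
    S_IROTH, S_IWOTH, S_IXOTH,
};
static const char perm_letters[] = "rwxrwxrwx";

/* Parse "rw-r--r--" into mode bits. Returns (mode_t)-1 on malformed input. */
mode_t perm_parse(const char *s)
{
    mode_t mode = 0;

    if (strlen(s) != 9)
        return (mode_t)-1;
    for (int i = 0; i < 9; i++) {
        if (s[i] == perm_letters[i])
            mode |= perm_bits[i];
        else if (s[i] != '-')
            return (mode_t)-1;      /* wrong letter for this position */
    }
    return mode;
}

/* Inverse of perm_parse: out needs room for 10 bytes ("rwxr-xr-x" + NUL). */
char *perm_format(mode_t mode, char out[10])
{
    for (int i = 0; i < 9; i++)
        out[i] = (mode & perm_bits[i]) ? perm_letters[i] : '-';
    out[9] = '\0';
    return out;
}

/* The octal digit for one class: who = 0 owner, 1 group, 2 other. */
unsigned perm_digit(mode_t mode, int who)
{
    return (mode >> (6 - 3 * who)) & 7;
}

/* Does mode render exactly as the expected nine-character string? */
int perm_equals(mode_t mode, const char *expected)
{
    char buf[10];
    return strcmp(perm_format(mode, buf), expected) == 0;
}

int main(void)
{
    const char *samples[] = { "rwxr-xr-x", "rw-r--r--", "rw-------" };
    for (size_t i = 0; i < 3; i++) {
        mode_t m = perm_parse(samples[i]);
        printf("%s -> %04o (owner %u, group %u, other %u)\n", samples[i],
               (unsigned)m, perm_digit(m, 0), perm_digit(m, 1), perm_digit(m, 2));
    }
    return 0;
}
```

Because perm_parse returns the same S_I* bits that stat() reports in st_mode, you can compare a real file’s mode against a policy string with perm_equals, or combine the flags directly in a chmod() call.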
Directory’s permissions
A directory’s permissions mean something a little different from a regular file’s.
- If it’s readable, you can list the files in the directory with the ls command.
- If it’s writable, you can add and delete files in it.
- If it’s executable, you can access the files inside it.
For the read bit, think of a directory as a file that records the list of files inside it (this model may help you understand what a directory actually is). The execute bit is the most confusing one: if the directory is not executable, you cannot access any file inside it, regardless of that file’s own permissions; if it is executable, each file’s own permissions decide whether you can access it.
Credentials
Consider a situation where user A accesses a file whose permission is rw-r--r--, so the file is readable and writable by that user. But what does it specifically mean for the file to be readable/writable by user A?
It actually means that a process running as user A is accessing the file. In Linux, all activity is carried out by processes, not by users, so what you control is not “user A” but user A’s processes. This is where credentials come in.
Credentials are what identify your processes within the system. The kernel allows a process to read or write a file based on the process’s credentials. In other words, anyone who holds your credentials can control processes as you.
So when do you hand your credentials to the system? At login. By logging in, you present your credentials to the system, and it creates processes that carry them.
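To make the two preceding sections concrete, here is an added example (not the kernel’s code, and not from the article) that models the permission check the kernel applies when a process touches a file: exactly one class (owner, group, or other) is consulted, the check sees only the numeric IDs in the process’s credentials, and every directory on the path must grant the execute bit. All user and group IDs are constructed, the struct and function names are this example’s own, and treating uid 0 as a bypass is a simplification of how root is really handled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

enum { PERM_R = 4, PERM_W = 2, PERM_X = 1 };   /* same weights as the octal digits */

/* Credentials belong to the process, never to a user name: the check only
 * ever sees numeric IDs, which login assigned when it created the shell. */
struct creds {
    uid_t uid;              /* effective user id */
    gid_t gid;              /* effective (primary) group id */
    const gid_t *groups;    /* supplementary group ids */
    size_t ngroups;
};

/* The parts of a file's metadata that the permission check looks at. */
struct inode {
    uid_t uid;     /* owner */
    gid_t gid;     /* group */
    mode_t mode;   /* permission bits, e.g. 0644 */
};

static bool in_group(const struct creds *c, gid_t gid)
{
    if (c->gid == gid)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* want is a mask of PERM_R|PERM_W|PERM_X. Exactly one class is consulted:
 * owner if the uids match, else group if any credential gid matches, else
 * other. That is why an owner with mode 0044 is locked out of a file that
 * everyone else can read. uid 0 bypasses the check here (simplification:
 * the real kernel expresses root's power as capabilities). */
bool may_access(const struct creds *c, const struct inode *f, unsigned want)
{
    unsigned granted;

    if (c->uid == 0)
        return true;
    if (c->uid == f->uid)
        granted = (f->mode >> 6) & 7;
    else if (in_group(c, f->gid))
        granted = (f->mode >> 3) & 7;
    else
        granted = f->mode & 7;
    return (granted & want) == want;
}

/* Reaching a file means passing through every directory on the way, and each
 * one must grant this process the execute (search) bit, regardless of the
 * file's own mode. */
bool may_reach(const struct creds *c, const struct inode *dirs, size_t ndirs,
               const struct inode *file, unsigned want)
{
    for (size_t i = 0; i < ndirs; i++)
        if (!may_access(c, &dirs[i], PERM_X))
            return false;
    return may_access(c, file, want);
}

int main(void)
{
    const gid_t bob_extra[] = { 1000 };           /* bob has alice's group as supplementary */
    struct creds alice = { 1000, 1000, NULL, 0 };
    struct creds bob   = { 1001, 1001, bob_extra, 1 };
    struct inode home  = { 1000, 1000, 0700 };    /* alice's home directory */
    struct inode notes = { 1000, 1000, 0664 };    /* a file inside it */

    printf("alice writes notes via home: %d\n", may_reach(&alice, &home, 1, &notes, PERM_W));
    printf("bob writes notes via home:   %d (file grants group w, home has no x for group)\n",
           may_reach(&bob, &home, 1, &notes, PERM_W));
    printf("bob's permission on the file alone: %d\n", may_access(&bob, &notes, PERM_W));
    return 0;
}
```

The main() scenario shows the point the directory section makes: the file itself would let bob write, but the 0700 directory above it stops him before the file’s bits are ever consulted.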
User name and user ID
When you log in to your system, you type your user name. But the kernel doesn’t recognize it; instead, it only handles the user ID (a number) that corresponds to it.
Not only are file owners recorded by ID; process credentials are handled by ID as well. When you run ls -l, it lists file owners by user name, but those names are translated from the IDs every time, because the kernel only knows the IDs.
User database
User names and their corresponding IDs are listed in the /etc/passwd file. Running less /etc/passwd lists every user name and ID on the system. Each line is one user’s record, and the fields are separated by colons (:).
The first field is the user name, the second is the password, and the third is the user ID. In image 02, daemon’s ID is 1, while bin’s ID is 2.
The fourth field is the ID of the group the user belongs to. For example, daemon belongs to group 1.
*The password field contains an x, and there is a security reason for that. You can look it up yourself later.
So how do we find the group name that corresponds to group ID 1? For that, run less /etc/group.
In image 03, the first field is the group name and the third is its ID, so in the example below the daemon group’s ID is 1. The fourth field lists the users who belong to the group as supplementary members; here, syslog and johnito belong to the adm group as supplementary members.
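As an added example (not from the article), the C program below parses the colon-separated record layout just described, run on constructed sample lines rather than on a real system’s /etc/passwd or /etc/group. It exists only to make the field positions concrete (the adm group’s ID of 4 is a sample value, not taken from the article); programs that need to resolve names and IDs should use the lookup API rather than reading these files themselves.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Split a line in place on ':' into at most max fields; returns the count. */
static int split_fields(char *line, char **fields, int max)
{
    int n = 0;
    char *p = line;

    line[strcspn(line, "\n")] = '\0';     /* drop a trailing newline, if any */
    while (n < max) {
        fields[n++] = p;
        char *colon = strchr(p, ':');
        if (!colon)
            break;
        *colon = '\0';
        p = colon + 1;
    }
    return n;
}

/* Copy line into buf (256 bytes) and split it into exactly n fields. */
static int copy_split(const char *line, char buf[256], char **f, int n)
{
    if (strlen(line) >= 256)
        return 0;
    strcpy(buf, line);
    return split_fields(buf, f, n) == n;
}

/* Parse a field as a non-negative decimal number; -1 if it is not one. */
static long field_number(const char *s)
{
    char *end;
    long v = strtol(s, &end, 10);
    return (*s && *end == '\0' && v >= 0) ? v : -1;
}

/* /etc/passwd: name:password:uid:gid:gecos:home:shell */
static long passwd_number(const char *line, int idx)
{
    char buf[256];
    char *f[7];

    return copy_split(line, buf, f, 7) ? field_number(f[idx]) : -1;
}

long passwd_uid(const char *line) { return passwd_number(line, 2); }
long passwd_gid(const char *line) { return passwd_number(line, 3); }   /* primary group */

/* /etc/group: name:password:gid:member1,member2,...
 * The fourth field lists supplementary members only; users whose primary
 * group this is do not appear here. */
long group_gid(const char *line)
{
    char buf[256];
    char *f[4];

    return copy_split(line, buf, f, 4) ? field_number(f[2]) : -1;
}

/* 1 if user is listed as a supplementary member in a group line, else 0. */
int group_has_member(const char *line, const char *user)
{
    char buf[256];
    char *f[4];

    if (!copy_split(line, buf, f, 4))
        return 0;
    for (char *m = strtok(f[3], ","); m; m = strtok(NULL, ","))
        if (strcmp(m, user) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample records in the format of /etc/passwd and /etc/group. */
    const char *pw = "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin";
    const char *grp = "adm:x:4:syslog,johnito";

    printf("daemon: uid %ld, primary gid %ld\n", passwd_uid(pw), passwd_gid(pw));
    printf("adm: gid %ld, johnito member? %d, daemon member? %d\n",
           group_gid(grp), group_has_member(grp, "johnito"),
           group_has_member(grp, "daemon"));
    return 0;
}
```

Note that a user’s primary group (the fourth field of the passwd record) does not show up in the member list of that group’s record, which is a common source of confusion when reading these files by hand.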
How to access the user database?
You shouldn’t translate a user ID to its user name (or back) by reading /etc/passwd or /etc/group yourself, because there is a dedicated API for that, which we’ll look at closely later. The reason you must use the API is that user info isn’t necessarily in /etc/passwd at all. Directory services such as Network Information Service (NIS), commonly used in mid-sized organizations, or Lightweight Directory Access Protocol (LDAP) let admins share a set of users among many machines connected to the same network.
With the API, you can obtain every user’s info regardless of whether it is served from NIS or LDAP.
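As an added example (not from the article), here is how that API looks in C: getpwnam, getpwuid and getgrgid ask the C library’s name service for the record, so the same code works whether the account lives in /etc/passwd, NIS or LDAP. The wrapper names are this example’s own, and the assumption that a user named root with uid 0 and primary gid 0 exists holds on practically every Linux installation.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns the uid for a user name, or -1 if the name is unknown. */
long uid_for_name(const char *name)
{
    struct passwd *pw = getpwnam(name);   /* consults /etc/passwd, NIS, LDAP, ... */
    return pw ? (long)pw->pw_uid : -1;
}

/* Returns the primary gid for a user name, or -1 if unknown. */
long primary_gid_for_name(const char *name)
{
    struct passwd *pw = getpwnam(name);
    return pw ? (long)pw->pw_gid : -1;
}

/* Writes the user name for uid into out; returns 0, or -1 if no such user. */
int name_for_uid(uid_t uid, char *out, size_t n)
{
    struct passwd *pw = getpwuid(uid);
    if (!pw)
        return -1;
    snprintf(out, n, "%s", pw->pw_name);
    return 0;
}

/* Writes the group name for gid into out; returns 0, or -1 if no such group. */
int name_for_gid(gid_t gid, char *out, size_t n)
{
    struct group *gr = getgrgid(gid);
    if (!gr)
        return -1;
    snprintf(out, n, "%s", gr->gr_name);
    return 0;
}

/* 1 if uid resolves to exactly this name. */
int uid_has_name(uid_t uid, const char *name)
{
    char buf[64];
    return name_for_uid(uid, buf, sizeof buf) == 0 && strcmp(buf, name) == 0;
}

/* Prints the credentials of the calling process, with names resolved from
 * the numeric IDs the kernel actually holds: uid, primary gid, then the
 * supplementary groups that login attached to the session. Returns the
 * number of supplementary groups, or -1 if more than 64 (enlarge the array). */
int print_my_credentials(void)
{
    char name[64];
    gid_t groups[64];
    int n = getgroups((int)(sizeof groups / sizeof groups[0]), groups);

    if (name_for_uid(getuid(), name, sizeof name) != 0)
        snprintf(name, sizeof name, "?");
    printf("uid %u (%s), gid %u", (unsigned)getuid(), name, (unsigned)getgid());
    if (n < 0)
        return -1;
    printf(", supplementary:");
    for (int i = 0; i < n; i++) {
        if (name_for_gid(groups[i], name, sizeof name) != 0)
            snprintf(name, sizeof name, "?");
        printf(" %s(%u)", name, (unsigned)groups[i]);
    }
    printf("\n");
    return n;
}

int main(void)
{
    printf("root -> uid %ld\n", uid_for_name("root"));
    printf("uid 0 -> %s\n", uid_has_name(0, "root") ? "root" : "not root");
    print_my_credentials();
    return 0;
}
```

print_my_credentials() ties the two halves of the article together: getuid(), getgid() and getgroups() return the numeric credentials the kernel attached to this process at login, and the names only appear because the program asks the name service to translate them.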