C H A P T E R 21 ■ ■ ■ 443 Understanding Linux Users and File Permissions Most modern operating systems work with user accounts to grant people access to the system, and Ubuntu is no exception. You might not have noticed this—if during installation or when you personalized your system you selected the option to allow automatic logins, you are taken directly to your desktop when you boot your PC, thus masking the fact that a user is actually logging into the system. So, whether you’re aware of it or not, you always have a user account inside Ubuntu. Your user account will have a defined set of attributes that will distinguish it from other user accounts: for example, a name and a Home folder. But it also will be a member of a group. Being a member of certain groups allows access to portions of the system that would be otherwise hidden, because groups can enable permissions to access and manipulate files on your hard disks. And, since all configuration in Ubuntu is stored in files (see Chapter 10), those permissions will allow it to change the system itself. Understanding User and Group Accounts We’ve already stated that to interact with Ubuntu you need a user account. However, there’s more to the story than that. For example, there are situations in which you might need more than one user account. Either in the office or at home there may be more than one person that uses the computer, and you surely will want to keep your personal configuration and data separate from theirs. That’s when the need for additional user accounts arises. This section will explain what a user account is, how to create it, and how to work with groups. Users and Groups Each person who wishes to log into Ubuntu must have a user account. This will define what that user can and cannot do on the system, with specific reference to files and folders. Because Ubuntu is effectively one large file system (even hardware devices are files; see Chapter 10), user permissions lie at the heart of controlling the entire system. They can limit which user has access to which hardware and software, and therefore control access to various PC functions. Each user also belongs to a group. Groups have the same style of permissions as individual users. File or folder access can be denied or granted to a user, depending on that person’s group membership. CHAPTER 21 ■ UNDERSTANDING LINUX USERS AND FILE PERMISSIONS 444 ■ Note As in real life, a group can have many members and can be based around various interests. In a business environment, this might mean that groups are created for members of the accounting department and the human resources department. By changing the permissions on files created by the group members, each group can have files that only the group members can access (although, as always, anyone with superuser powers can access all files). On a default Ubuntu system with just a handful of users, the group concept might seem somewhat redundant. However, the concept of groups is fundamental to the way Ubuntu works and cannot be avoided. Even if you don’t use groups, Ubuntu still requires your user account to be part of one. In addition to actual human users, the Ubuntu system has its own set of user and group accounts. Various programs that access hardware resources or particular sets of files are part of these groups. Setting up system users and groups in this way makes the system more secure and easier to administer. Root User On most Linux systems, the root user has power over the entire system. Root can examine any file and configure any piece of hardware. Root typically belongs to its own unique group, also called root. Ubuntu is different from most Linux distributions in that the root account isn’t used by default. Instead, certain users—including the one set up during installation—can “borrow” root-like, or superuser, powers by simply typing their login password. This is done by preceding commands with sudo or gksu at the command-line prompt, or as needed when using GUI programs that affect system settings. For some programs, including Users and Groups (System ➤ Administration ➤ Users and Groups), you need to click an Unlock button to gain superuser powers. Until you unlock the Users and Groups program, most of the buttons are grayed out and unusable. If you wish, you can activate the root user account on your system for administration purposes. To activate the root account, use the following command in a terminal window (see Appendix A for details on issuing commands in a terminal window): Sudo passwd root After typing your own login password, you’ll be invited to define a password for the root user. Because of its power, the root user can cause a lot of accidental damage, so by default Ubuntu prevents you from logging in as root. Instead, you can switch to being the root user temporarily from an ordinary user account by using the Switch From option in the Shutdown menu. This will leave your session open while letting you open an additional session as any user (e.g., root). You will be prompted for the root password and then given root powers for as long as you need. When you’ve finished, log out and return to your ordinary user account. ■ Tip You can tell when you’re logged in as the root user because in the Me menu your name is “root.” This should be seen as a warning that you now have unrestricted control over the system, so be careful what you type, and double-check everything before pressing Enter! Download from Wow! eBook <www.wowebook.com> CHAPTER 21 ■ UNDERSTANDING LINUX USERS AND FILE PERMISSIONS 445 If you enable the root password in the name of security, it might be a sensible precaution to then disable sudo, thus preventing nonadmin users from playing with things they shouldn’t. To do this, you’ll need to edit the file /etc/sudoers. There will be a line (shown in Figure 21-1) that reads as follows: %admin ALL=(ALL) ALL Comment this out with a # sign and save the file. This, of course, will all need to be done using root privileges, so use gksudo gedit in the Run Applications dialog box (accessible by pressing Alt+F2) to launch the text editor, and then navigate to and open the file. Also make sure you’ve set up the root password, as shown earlier, before you do this. Figure 21-1. Be very cautious when editing these files. Users and File Permissions The concepts of users and permissions are as important to Ubuntu as the idea of a central and all- encompassing file system. In fact, the two are implicitly linked. When initially installing Linux, you should have created at least one user account. By now, this will have formed the day-to-day login that you use to access Linux and run programs. Although you might not realize it, as a user you also belong to a group. In fact, every user on the system belongs to a group. Under Ubuntu, ordinary users belong to a group based on their usernames (under other versions of Linux, you might find that you belong to a group called users). CHAPTER 21 ■ UNDERSTANDING LINUX USERS AND FILE PERMISSIONS 446 ■ Note Groups are yet another reminder of Ubuntu’s UNIX origins. UNIX is often used on huge computer systems with hundreds or thousands of users. Putting each user into a group makes the system administrator’s job a lot easier. When controlling system resources, the administrator can control groups of users rather than hundreds of individual users. On most home user PCs, the concept of groups is a little redundant because there’s typically a single user, or at most two or three. However, the concept of groups is central to the way that Linux handles files. A standard user account under Ubuntu is typically limited in what it can do. As a standard user, you can save files to your own private area of the disk, located in the /home directory, but usually nowhere else. You can move around the file system, but some directories are strictly out of bounds. In a similar way, some files are read-only, so you cannot save changes to them. All of this is enforced using file permissions. Every file and directory is owned by a user. In addition, files and directories have three separate settings that indicate who within the Linux system can read them, who can write to them, and, if the files in question are runnable (usually programs or scripts), who can run (execute) them. In the case of directories, it’s also possible to set who can browse them, as well as who can write files to them. If you try to access a file or directory for which you don’t have permission, you’ll be turned away with an “access denied” error message. Root vs. Sudo Most versions of Linux have two types of user accounts: standard and root. Standard users are those who can run programs on the system but are limited in what they can do. The root user has the complete run of the system, and as such, is often referred to as the superuser. The root user can access and/or delete whatever files it wants. It can configure hardware, change settings, and so on. Most versions of Linux create a user account called root and let users log in as root to perform system maintenance. However, for practical as well as security reasons, most of the time the user should be logged in as a standard user. Ubuntu is different in that it doesn’t allow login as the root user. Instead, it allows certain users, including the one created during installation, to temporarily adopt root-like powers. You will already have encountered this when configuring hardware. As you’ve seen, all you need to do is type your password when prompted in order to administer the system. This way of working is referred to as sudo, which is short for superuser do. Most applications that require root privileges will ask you for your password if you are a sudoer (i.e., a standard user with permission to act as root in specific circumstances). Other applications might not require that you have root privileges, but you might want to open them as root from time to time. Good examples of this are Nautilus and gedit—maybe you want to completely remove a deleted user’s Home folder and you can’t do that as a standard user. For this you use Gksudo, which is a graphical front end to the sudo command (which will let you adopt root powers at the shell prompt—simply preface any command with sudo and type your password when prompted in order to run it with root privileges). If you open the Run Application dialog box (press Alt+F2) and type gksudo Nautilus, you will be able to browse the file system as root. Or, if you want to edit a file to which only root has write privileges, run gksudo gedit. Ubuntu remembers when you last used sudo, too, so it won’t annoy you by asking you again for your password within 15 minutes of its first use. In some ways, the sudo system is arguably slightly less secure than using a standard root account. But it’s also a lot simpler. It reduces the chance of serious errors too. Any command or tweak that can cause damage will invariably require administrative powers, and therefore requires you to type your password or preface the command with gksudo or sudo. This serves as a warning and prevents mistakes. CHAPTER 21 ■ UNDERSTANDING LINUX USERS AND FILE PERMISSIONS 447 UIDs and GIDs Although we talk of user and group names, these are provided only for the benefit of humans. Internally, Ubuntu uses a numerical system to identify users and groups. These are referred to as user IDs (UIDs) and group IDs (GIDs), respectively. Under Ubuntu, all the GID and UID numbers below 1,000 are reserved for the system. This means that the first nonroot user account created during installation will probably be given a UID of 1000. In addition, any new groups created after installation are numbered from 1,000. The first user you add has a UID of 1000 and a GID of 1000, the second user a UID of 1001, and so on. ■ Note UID and GID information isn’t important during everyday use, and most commands used to administer users, groups, and file permissions understand the human-readable names. However, knowing about UIDs and GIDs can prove useful when you’re undertaking more complicated system administration, such as setting up a restricted system for children or scripting. Adding and Deleting Users and Groups The easiest and quickest way to add a new user or group is to use the Users and Groups tool under the System ➤ Administration menu. Of course, you can also perform these tasks through the command line. Adding and Deleting Users To add a new user, choose System ➤ Administration ➤ Users and Groups. Next, click Add. In the authentication window, supply your password and click Authenticate. You’ll see the Create New User dialog box, as shown in Figure 21-2. CHAPTER 21 ■ UNDERSTANDING LINUX USERS AND FILE PERMISSIONS 448 Figure 21-2. Adding new users and groups is easy with the Users and Groups program. Fill out the fields on the Account tab, and optionally the Contact, User Privileges, and Advanced tabs, as follows: Create a new user: As during initial installation (see Chapter 5), you’re invited to enter a username as well as a real name. The username is how the user is identified to the system, while the real name is how the user will be identified to other users. By default they are set to the same. Press OK when done. Changing user password for: You can set the user’s password by hand or let the system generate a random password for you. In either case, make sure to remember the password to give it to the person that will use the user account. You can also select the option to let the user to log into his session without entering the password. Press OK when finished. Once the user has been created, you can set additional settings by selecting the user from the list and clicking the various options at the left of the User Settings window. Account type: You can select the profile you want the user to have: Administrator, Desktop User, or Custom. Users with the Administrator profile can use sudo or gksu to administer the system. Although desktop users can’t use these commands, they do have access to most other system resources. For most users, the Desktop User profile is a good choice. You cannot select the Custom profile for a user account, but if you manually change its privileges (more about this shortly), this profile is selected automatically. Password: An initial password for the user is required, but you can change it any time you want with the Users and Groups tool (as long as you have the required privileges). You can enter it in the text box (and confirm it below) or let the system generate a random password from letters and numbers, but this may be harder for the user to remember. CHAPTER 21 ■ UNDERSTANDING LINUX USERS AND FILE PERMISSIONS 449 If you click the Advanced Settings button, more options will be available, as follows: Contact Information: Here you can enter contact information for the user. This is not obligatory. User Privileges: The settings on this tab offer much more control over what a user can and cannot do on the system. Here you can prevent users from using certain hardware, such as the 3D capabilities of graphics cards, or modems. You can also control whether the user is able to administer the system. Simply put a check alongside any relevant boxes. Advanced: Here you can alter additional settings, if you wish, relating to the technical setup of the account on the system. If you’re not sure about these parameters, it’s best to leave the default settings alone. You can disable the account from here, and it will no longer be available for login. You might like to change the main group for the user as well. By default, the user will belong to a newly created group based on the user’s own username. For example, if you add the user john, he will be added to the group john. This private group approach enforces a more stringent policy regarding personal file access. Alternatively, you could create a single group and assign several users to that group for file-sharing purposes. We’ll discuss adding and removing groups in the next section. ■ Caution Many groups are listed in the Main Group drop-down list. Nearly all of these relate to the way the Linux operating system works and can be ignored (you can see the list of groups in Table 21-1). You should never delete any of these groups or add new users to them. This may make the system unstable and/or insecure. Deleting a user is simply a matter of highlighting the username in the list within the main Users and Groups window and clicking the Delete button. Note that you can choose to either delete the user’s Home folder or to keep the files. You might want to access the files yourself and make a backup of them before completely removing the Home folder. Creating and Deleting Groups Adding a group is simply a matter of clicking the Manage Groups button in the Users and Groups program window (System ➤ Administration ➤ Users and Groups). After clicking the Add button, you’ll be prompted to give the group a name. The GID will be filled in for you automatically, but you could choose a different number if you have good reason to do so. (Remember to use a number above 1,000 to keep in line with the way Ubuntu operates.) It isn’t essential that you add users to the group then and there, but a list of users is provided at the bottom of the dialog box. Put a check alongside any user to grant that user access to your group. ■ Note Bear in mind that users can be members of more than one group, although all users have a main group that they belong to, from which the GID is assigned to files they create. As with user accounts, deleting a group is simply a matter of highlighting it in the list and clicking the Delete button. You should ensure that the group no longer has any members before doing this, CHAPTER 21 ■ UNDERSTANDING LINUX USERS AND FILE PERMISSIONS 450 because Ubuntu won’t prevent you from removing a group that has members (although it will warn you that this is a bad thing to do). ■ Note Ubuntu appears to offer protection against the havoc caused by deleting a group that is the main group of users on your system. When we deleted an entry that was the main group of a different user and then logged in as that user, the group was automatically re-created! You shouldn’t rely on this kind of protection, however, and should always check before deleting a group. Table 21-1. System Groups Within Ubuntu Group Definition adm Used for system logging dialout Required for use of serial port devices, such as older modems cdrom Allows the user to access the CD/DVD-ROM plugdev Allows the user access to removable storage, such as card readers, digital cameras, and so on lpadmin Allows the user to administer the printer admin Gives the user system administration abilities (superuser powers) sambashare Facilitates sharing files with others across the network As you might have guessed, to manually add a user under Ubuntu, not only must you create a group and then add the user to it, but you must also add that user to the required selection of supplementary groups. Some are considered mandatory for effective use of the computer, such as plugdev, while others are optional, depending on how much freedom you want to afford the new user. Adding and Changing Passwords On a default Ubuntu installation, ordinary users are able to change their own passwords by using the Users and Groups tool. Select your user account from the list and click the Change button next to the Password field. You will be prompted with the Change User Password window, shown in Figure 21-3, in which you must enter your current password and select the new one, with the same options as when you originally created the account. CHAPTER 21 ■ UNDERSTANDING LINUX USERS AND FILE PERMISSIONS 451 Figure 21-3. The Change User Password window You need root privileges to change other users’ passwords, but the procedure is the same. For obvious security reasons, Ubuntu won’t allow blank passwords. (It might allow you to set a blank password, but then it won’t let that user log in—this is an interesting way of disabling a user account). You can enter just about anything as a password, but you should bear in mind some common-sense rules. Ideally, passwords should be at least eight characters long and contain letters, numbers, and even punctuation symbols. You might also want to include both uppercase and lowercase letters, because that makes passwords harder to guess. ■ Tip You can temporarily switch into any user account by using the Switch From option on the Shutdown menu. In this way your session will be kept open. If you log out, on the other hand, the session will be closed and you’ll need to save your open documents to keep them for future use. [...]... logged into Linux as the user ubuntu Typical Data File Permissions Here’s the first example: Name Owner Group Permissions myfile2 ubuntu - Ubuntu Ubuntu -rw-rw 453 CHAPTER 21 ■ UNDERSTANDING LINUX USERS AND FILE PERMISSIONS Download from Wow! eBook You know that this file is owned by user ubuntu because that username appears in the Owner column Also notice that the group Ubuntu has... Permissions Myfile ubuntu - Ubuntu ubuntu -rw-r r In the Permissions column are the permissions for the file or folder The permission list usually consists of the characters r (for read), w (for write), x (for execute), and/or — (meaning none are applicable) The Owner column lists the owner of the file (ubuntu in this example) and the group that has permission to access the file (in this case, Ubuntu) The... error Permissions on a User’s Directory Here’s another example: Name Owner Group Permissions mydirectory ubuntu - Ubuntu ubuntu drwxr-xr-x The list of permissions starts with d, which tells you that this isn’t a file but a directory After this is the list of permissions for the owner of the directory (ubuntu) , who can read files in the directory and also create new ones there The x indicates that you can... discusses; by default Ubuntu already works great without applying any optimizations to it, so you can skip it if you’re satisfied with how your system runs More often than not, the chapter discusses hacks—clever methods of making things work in a nonstandard fashion But as your experience of Ubuntu might have already taught you, such hacks are the lifeblood of Linux One of the strengths of Linux is the ability... your own readahead list: Reboot Ubuntu, and at the boot menu, highlight the Ubuntu entry and press E If Ubuntu is the only operating system on your computer (that is, your computer doesn’t dual-boot with Windows), you might need to press Shift to see the boot menu when prompted 2 Highlight the line, beginning with the word linux and press E again 3 Download from Wow! eBook 1 Using... way of learning how Linux works, and if it all goes well, the sense of achievement is enormous Some people choose to download the kernel source code from the official Linux kernel site, www.kernel.org However, it makes more sense to download the official Ubuntu release, because this will be tailored for the way your system works Using the Synaptic Package Manager, simply search for linux- source You can... Owned by Root Here’s the last example: Name Group Permissions root 454 Owner root - root root drwx CHAPTER 21 ■ UNDERSTANDING LINUX USERS AND FILE PERMISSIONS You can see that the file is owned by root Remember that in this example, you’re logged in as ubuntu and your group is Ubuntu The list of permissions starts with a d, so you can tell that this is actually a directory After this, you see that the... chapter carefully and consider applying its tips Speeding Up Booting Since Ubuntu 6.10 (Edgy Eft), Ubuntu has been using a boot routine called Upstart that effectively optimizes itself Upstart is responsible for starting services and has been greatly enhanced with the release of 10.04 You can learn more about Upstart at http://upstart ubuntu. com However, you can still tweak performance by enabling startup... This is a background component necessary for the application that generates and stores encryption keys If you do not encrypt files and/or e-mails, this service can be disabled Ubuntu One: This item gives access to Ubuntu One, the Ubuntu cloud solution offered by Canonical Switch it on if you intend to use this service Update Notifier: This is the Update Manager tool You shouldn’t disable this applet,... PROFILE Ubuntu includes a feature called readahead, which is able to order the list of files to be loaded during bootup by their locations on the hard disk A default readahead list is installed on a standard Ubuntu installation This is created on a generic PC, but you can build your own version of the list, customized for your own computer Here are the steps to create your own readahead list: Reboot Ubuntu, . into Linux as the user ubuntu. Typical Data File Permissions Here’s the first example: Name Owner Group Permissions myfile2 ubuntu - Ubuntu Ubuntu -rw-rw CHAPTER 21 ■ UNDERSTANDING LINUX. UNDERSTANDING LINUX USERS AND FILE PERMISSIONS 450 because Ubuntu won’t prevent you from removing a group that has members (although it will warn you that this is a bad thing to do). ■ Note Ubuntu. of one line of a file listing from our test PC: Name Owner Group Permissions Myfile ubuntu - Ubuntu ubuntu -rw-r r In the Permissions column are the permissions for the file or folder.