Users, Groups & Permissions
Understand user management, groups, and the Linux permission system.
Understanding Users and Groups
Linux is a multi-user system. Each user has a unique UID, and users can belong to multiple groups for access control.
pranav
$ id
uid=1000(pranav) gid=1000(pranav) groups=1000(pranav),27(sudo),docker
$ groups
pranav sudo docker
File Permissions
Every file has three permission types for three user classes:
| Permission | Symbol | Numeric | Description |
|---|---|---|---|
| Read | r | 4 | View file contents / list directory |
| Write | w | 2 | Modify file / create files in directory |
| Execute | x | 1 | Run file as program / enter directory |
-rwxr-xr-- 1 pranav developers 1024 Dec 18 10:00 script.sh
βββ¬βββ¬βββ¬β
β β β βββ Others: read only (r--)
β β ββββββ Group: read + execute (r-x)
β βββββββββ Owner: read + write + execute (rwx)
βββββββββββ File type (- = regular file)
Changing Permissions
$ chmod u+x script.sh # Add execute for owner
$ chmod g-w file.txt # Remove write for group
$ chmod o=r file.txt # Set others to read only
# Numeric mode
$ chmod 755 script.sh # rwxr-xr-x
$ chmod 644 file.txt # rw-r--r--
Ownership: user + group
Permissions only make sense together with ownership. Every file has an owner (user) and a group. Ownership decides which permission triplet applies.
-rw-r----- 1 root adm ... /var/log/syslog
# Change owner and group
$ sudo chown pranav:developers project.txt
$ sudo chgrp developers project.txt
Creating and Managing Users
On servers, youβll often create service accounts, lock interactive login, and grant limited sudo.
Key files include /etc/passwd (public user info) and /etc/shadow (password hashes; root-only).
$ sudo useradd -m -s /bin/bash deploy
$ sudo passwd deploy
# Add to a group (e.g., sudo)
$ sudo usermod -aG sudo deploy
# Create a group
$ sudo groupadd developers
$ sudo usermod -aG developers deploy
Sudo: controlled privilege escalation
Instead of sharing root passwords, Linux uses sudo to allow specific users (or groups) to run privileged commands.
The main config is /etc/sudoers and drop-in files in /etc/sudoers.d/.
$ sudo visudo
# Check what you can run
$ sudo -l
Security note
Prefer granting sudo via a group and limit commands where possible. Avoid NOPASSWD: ALL on shared systems.
Special Permission Bits (setuid, setgid, sticky)
These bits change how permissions behave and are common on multi-user systems.
- β’setuid: run a binary with the file ownerβs privileges (often root). Example:
passwd. - β’setgid: run with the file group, or on directories, force new files to inherit the directory group.
- β’sticky bit: on shared directories (like
/tmp), users can only delete their own files.
drwxrwxrwt 10 root root ... /tmp
# Notice the trailing 't' (sticky bit)
umask and Defaults
umask controls default permissions for new files/directories. Itβs a safety net to avoid accidentally creating world-writable content.
0022
# 0022 typically means new files: 644 and directories: 755
ACLs (Fine-Grained Permissions)
Standard permissions are coarse. ACLs let you grant access to specific users/groups without changing ownership. Useful for shared directories in teams.
$ setfacl -m u:deploy:rw shared.txt
$ getfacl shared.txt | sed -n '1,12p'
β Practice (15 minutes)
- Create a directory and set
setgidon it so new files inherit the group. - Use
sudo -lto understand your sudo permissions. - Create a file and use
setfaclto grant read access to another user (or test with your own user + a group).