Users, Groups and their permissions, Debian Wheezy 7.2.

Users, Groups and their permissions, Debian Wheezy 7.2.

In this tutorial we’ll talk about users, groups and their permissions on files and directories.
We’ll guide you how to add users and make them members of groups.
At this point we’ve only one default user installed.
Let’s see wich user is active by using whoami commando.
Type whoami + enter.
We see user “anne” is logged into our system.

anne@alfa:~$ whoami
anne
anne@alfa:~$

You can use who commando to see all users on your system.
We didn’t execute that but we used users commando instead of who.
Type users + enter.

anne@alfa:~$ users
anne anne
anne@alfa:~$

Our output displays “anne” twice.
Our Debian Wheezy system handles different kinds of users and groups.
The first “anne” is the user itself (owner) and the second “anne” correspond her primary group membership.
Users can be member of primary and supplementary groups.
This will be discussed later on.
Short description of the characters u.g.o.a. used on our Debian Wheezy systeem.
u = user (owner)
g = group (group which user belongs to)
o = other (everyone who logged local or on a remote machine)
a = All users belonging to u,g and o.

Each file or directory created by the user “anne” becomes her property and she’ll have read, write and execute permission in her /home/anne directory.
The primary group “anne” and the “others” (everyone) have read and execute rights on the folders and subdirectories owned by anne.
Take in account that all users belonging to others can read the contents of the /home/anne directory.
This is in fact a security breach and it must be taken care off.
How to do that will be discussed later on.
Luckily nobody have write permission on /home/anne except “anne” and user “root”.
Let’s take a closer look at our permissions in the home directory of “anne”.
Type ls -l + enter.

anne@alfa:~$ pwd
/home/anne
anne@alfa:~$ ls -l
total 32
drwxr-xr-x 3 anne anne 4096 Nov  4 16:09 Desktop
drwxr-xr-x 3 anne anne 4096 Dec  1 14:51 Documents
drwxr-xr-x 2 anne anne 4096 Nov 16 20:18 Downloads
drwxr-xr-x 2 anne anne 4096 Oct 17 16:25 Music
drwxr-xr-x 2 anne anne 4096 Dec  7 13:05 Pictures
drwxr-xr-x 2 anne anne 4096 Oct 17 16:25 Public
drwxr-xr-x 2 anne anne 4096 Oct 17 16:25 Templates
drwxr-xr-x 2 anne anne 4096 Oct 17 16:25 Videos
anne@alfa:~$

We’ll explain our output displayed above.
d = directory
l = link (not displayed in this output)
– = file (not displayed in this output)
rwx = read, write, execute permission user anne
r-w = read, execute permission primary group anne
r-w = read, execute permission others (everyone)
3 = number of available links to directory
anne = user (owner)
anne = primary group anne which user anne belongs to
4096 = size of the direcoty in bytes
Nov = month of last modification directory
4 = date of last modification directory
16:09 = time stamp last modification directory
Desktop = name of the directory

Let’s examine our directory root /.
De root directory is the home directory owned by the user root.
The user root has full permission over the whole system even not owned folders and files.
The users which belongs to the primary group ‘root’ and ‘others’ are permitted to read and execute.
This mean everyone can read those directories but they aren’t able to write.
It’s nice to explore those directories who has learning purposes.
Our system is a free examine “place” to explore and having fun.
In a company environment can this affect the security purposes.
We’ll discus this later on.
Typ cd / + enter and than type ls -l + enter.

anne@alfa:~$ cd /
anne@alfa:/$ ls -l
total 88
drwxr-xr-x   2 root root  4096 Oct 17 16:12 bin
drwxr-xr-x   3 root root  4096 Oct 17 16:16 boot
drwxr-xr-x  14 root root  3160 Jan  9 17:59 dev
drwxr-xr-x 133 root root 12288 Jan  9 17:59 etc
drwxr-xr-x   3 root root  4096 Oct 17 16:18 home
lrwxrwxrwx   1 root root    30 Oct 17 15:47 initrd.img -> /boot/initrd.img-3.2.0-4-amd64
drwxr-xr-x  16 root root  4096 Oct 17 16:12 lib
drwxr-xr-x   2 root root  4096 Oct 17 15:46 lib64
drwx——   2 root root 16384 Oct 17 15:45 lost+found
drwxr-xr-x   4 root root  4096 Oct 25 11:57 media
drwxr-xr-x   2 root root  4096 Sep 23 00:31 mnt
drwxr-xr-x   2 root root  4096 Oct 17 15:46 opt
dr-xr-xr-x 135 root root     0 Jan  9 17:59 proc
drwx——   9 root root  4096 Dec 12 17:35 root
drwxr-xr-x  19 root root   840 Jan  9 18:03 run
drwxr-xr-x   2 root root  4096 Oct 17 16:19 sbin
drwxr-xr-x   2 root root  4096 Jun 10  2012 selinux
drwxr-xr-x   2 root root  4096 Oct 17 15:46 srv
drwxr-xr-x  13 root root     0 Jan  9 17:59 sys
drwxrwxrwt   9 root root  4096 Jan  9 19:17 tmp
drwxr-xr-x  10 root root  4096 Oct 17 15:46 usr
drwxr-xr-x  12 root root  4096 Oct 17 16:14 var
lrwxrwxrwx   1 root root    26 Oct 17 15:47 vmlinuz -> boot/vmlinuz-3.2.0-4-amd64
anne@alfa:/$

Let’s make a direcoty “TEST” into / directory.
Be aware you’re logged in as default user $.
Type mkdir TEST + enter.
Your prompt will display “mkdir: cannot create directory `TEST’: Permission denied”.
As you already know the user root has ownership of the directory root.
At default the user root is the only one that can change every file and directory into our system.
User anne has no write permission, only read and execute.

We’ll create a second user Eddy and his /home/Eddy directory.
We’ve two commando’s available, useradd and adduser.
Adduser will create the new user at a interactive manner instead useradd.
We’ve chosen the low level utility useradd using the arguments -m and -U.
Short explanation of our arguments we’ll using to create new user Eddy.
-m:
Create the user’s home directory if it does not exist.
The files and directories contained in the skeleton directory (which can be defined with the
-k option) will be copied to the home directory.

-U:
Create a group with the same name as the user, and add the user to this group.
The default behavior (if the -g, -N, and -U options are not specified)
is defined by the USERGROUPS_ENAB variable in /etc/login.defs.

-p:
–password PASSWORD
The encrypted password, as returned by crypt (3).
The default is to disable the password.
Note: This option is not recommended because the password (or encrypted password) will be visible by users
listing the processes.
You should make sure the password respects the system’s password policy.

-p:
This argument will be not used because this will be visible in our terminal history.
The password will be provided using passwd commando instead useradd -p.

Let’s create user Eddy.
First login as root by typing su + enter.
You’ll be asked to fill in your “root” password + enter.
Your prompt shows # sign being root.

anne@alfa:~$ su
Password:
root@alfa:/home/anne#

Type useradd -m -U Eddy + enter.
The new user Eddy and his home directory is added into our system.

root@alfa:/home/anne# useradd -m -U Eddy
root@alfa:/home/anne#

Check Eddy’s /home directoy by using ls command.
Our new user’s home directory has been made successfully.
Type ls -l /home + enter.

root@alfa:/home/anne# ls /home
anne  Eddy
root@alfa:/home/anne#

Restart your computer to take affect modifications.
Our user Eddy has no login password set and would be unable to login the system.
We’ll provide one at Eddy but he must change it at first login.
We’re still logged as user root so we can carry on.
Type passwd Eddy + enter.
You’ll be asked to enter Eddy’s password + enter.
Retype the same password as your first attempt +enter.
At most companies it’s a mandatory task for new user to change their login passwords.
In most cases it’s forbidden to share login passwords even by system administrators.
Users can change their own password using the same command without being root.
If users can’t remember their passwords only sysadmins are able to provide new ones.
Our user Eddy has received his password provided by our system administrator and would be able to use his freshly created account.

root@alfa:~# passwd Eddy
Enter new UNIX password: (sdf123456)
Retype new UNIX password: (sdf123456)
passwd: password updated successfully
root@alfa:~#

Now we’ve two users Eddy and anne installed into our system.
We’ll face a security breach and privacy issues which will affect both users.
Let’s take a look which permissions our users have in their home directories.
Type cd /home + enter.
Check the permissions available on both directories anne and Eddy.
Type sl -l + enter.
We discover that everyone who’s logged into the system can access both user’s home directories and read contents of it.
At company employees it isn’t  a good practice and insecure.

anne@alfa:/$ cd /home
anne@alfa:/home$ ls -l
total 8
drwxr-xr-x 25 anne anne 4096 Jan 10 14:38 anne
drwxr-xr-x 19 Eddy Eddy 4096 Jan  9 22:39 Eddy
anne@alfa:/home$

Let’s take a closer look in /home/anne direcoty.
Type ls -Rl anne + enter.
Her folders, subfolders and files are readable by Eddy and everyone.

anne@alfa:/home$ ls -Rl anne
anne:
total 32
drwxr-xr-x 3 anne anne 4096 Nov  4 16:09 Desktop
drwxr-xr-x 3 anne anne 4096 Dec  1 14:51 Documents
drwxr-xr-x 2 anne anne 4096 Nov 16 20:18 Downloads
drwxr-xr-x 2 anne anne 4096 Oct 17 16:25 Music
drwxr-xr-x 2 anne anne 4096 Dec  7 13:05 Pictures
drwxr-xr-x 2 anne anne 4096 Oct 17 16:25 Public
drwxr-xr-x 2 anne anne 4096 Oct 17 16:25 Templates
drwxr-xr-x 2 anne anne 4096 Oct 17 16:25 Videos

anne/Desktop:
total 4
drwxr-xr-x 3 anne anne 4096 Nov  5 18:43 Gnubizz

anne/Desktop/Gnubizz:
total 8
-rw-r–r– 1 anne anne  450 Nov  5 18:43 GnubizzSite
drwxr-xr-x 4 anne anne 4096 Nov  4 16:09 OpenSourceComputing

anne/Desktop/Gnubizz/OpenSourceComputing:
total 8
drwxr-xr-x 2 anne anne 4096 Nov  5 20:54 Gnubizz1
drwxr-xr-x 2 anne anne 4096 Nov  5 20:55 Gnubizz2

anne/Desktop/Gnubizz/OpenSourceComputing/Gnubizz1:
total 4
-rw-r–r– 1 anne anne 1423 Nov  5 22:25 GnubizzSite

anne/Desktop/Gnubizz/OpenSourceComputing/Gnubizz2:
total 4
-rw-r–r– 1 anne anne 450 Nov  5 20:55 GnubizzSite

anne/Documents:
total 4
drwxr-xr-x 3 anne anne 4096 Jan  9 22:49 GnuBizz

anne/Documents/GnuBizz:
total 68
-rw-r–r– 1 anne anne 16999 Jan  9 22:21 INFO_USERADD
-rw-r–r– 1 anne anne 16999 Jan  9 20:37 INFO_USERADD~
-rw-r–r– 1 anne anne  9460 Jan  9 22:49 Permissions
-rw-r–r– 1 anne anne  9317 Jan  9 22:21 Permissions~
drwxr-xr-x 2 anne anne  4096 Jan  9 18:09 Published

anne/Documents/GnuBizz/Published:
total 188
-rw-r–r– 1 anne anne 31853 Nov  5 23:55 A.odt
-rw-r–r– 1 anne anne 30402 Nov 17 20:29 Application_Locations.odt
-rw-r–r– 1 anne anne 29148 Nov 12 23:55 GbuBizz
-rw-r–r– 1 anne anne 24809 Oct 29 19:22 Gnubizz
-rw-r–r– 1 anne anne 12728 Dec  7 13:38 OpenApplicationInGUIandTerminal.odt
-rw-r–r– 1 anne anne 31003 Nov 16 22:45 Programma_Locaties.odt
-rw-r–r– 1 anne anne 13496 Oct 25 12:40 TerminalExplorationInHomeDirectoryDebianWheezy7.odt

anne/Downloads:
total 0

anne/Music:
total 0

anne/Pictures:
total 0

anne/Public:
total 0

anne/Templates:
total 0

anne/Videos:
total 0
anne@alfa:/home$

Take in account that each user owns his/her home directory.
The user is able to change his/her permission on their own files and directories without being root.
We can grant three permissions available: read, write and execute.
While using chmod commando we’ll use numbers instead using read, write and execute.
The number shown below correspond each permission.
4 = read
2 = write
1 = execute

Let’s say we’ve a folder named Drive which has full permission set for all users.
It’ll look like: drwxrwxrwx 1 anna anne 4096 jan 10 15:56 Drive
We’ll avoid that everyone can access this Drive by changing some permissions.
The followed command would be: chmod 750 Drive + enter.
Now the permissions on Drive would look like: drwxr-x— 1 anna anne 4096 jan 10 15:56 Drive
Thus we’ve to count this numbers to get our permission set like shown below.
read, write and execute = 7
read and execute = 5
read and write = 6
The effective permissions on Drive would be:
750
7 = read, write and execute permission for the owner (user)
5 = read, execute permission for the group which the user belongs to.
0 = No permission set for everyone.

Ok let’s change both user’s permissions as user root.
Loggin as root by typing su + enter.
You’ll be asked to fill in your password + enter.
Your prompt will display # sign.

anne@alfa:~$ su
Password:
root@alfa:/home/anne#

Check existing permissions at both users /home directories.
Type ls -l /home + enter.

root@alfa:/home/anne# ls -l /home
total 8
drwxr-xr-x 25 anne anne 4096 Jan 10 15:56 anne
drwxr-xr-x 19 Eddy Eddy 4096 Jan  9 22:39 Eddy
root@alfa:/home/anne#

As you already know both users are able to access each others files and directories.
We’ll change those permissions that will affect everyone users except root.
They’re no longer allowed anymore to read contents of other users.
Type chmod -R 750 /home/Eddy + enter.
The argument -R will force the permission on the sub-folders as well.

root@alfa:/home/anne# ls -l /home
total 8
drwxr-xr-x 25 anne anne 4096 Jan 10 15:56 anne
drwxr-xr-x 19 Eddy Eddy 4096 Jan  9 22:39 Eddy
root@alfa:/home/anne# chmod 750 /home/Eddy
root@alfa:/home/anne#

Check if the change has took place.
We notice the permission by everyone has changed.
Type ls -l /home + enter.

root@alfa:/home/anne# ls -l /home
total 8
drwxr-xr-x 25 anne anne 4096 Jan 10 15:56 anne
drwxr-xr-x 19 Eddy Eddy 4096 Jan  9 22:39 Eddy
root@alfa:/home/anne# chmod 750 /home/Eddy
root@alfa:/home/anne# ls -l /home
total 8
drwxr-xr-x 25 anne anne 4096 Jan 10 15:56 anne
drwxr-x— 19 Eddy Eddy 4096 Jan  9 22:39 Eddy
root@alfa:/home/anne#

Logout as user root by typing exit + enter.
Your prompt displays $ again.
Now we’re ready to test if our permissions works.
We’re logged in as anne.
Navigate to /home by typing cd /home + enter.
Our working directory is /home that contains the sub-folders anne and Eddy.
Type ls + enter.

anne@alfa:~$ cd /home
anne@alfa:/home$ ls
anne  Eddy
anne@alfa:/home$

Ok we would like to see anne’s subdirectories.
You’ll see all the folders owned by anne.
Type ls anne + enter.

anne@alfa:~$ cd /home
anne@alfa:/home$ ls
anne  Eddy
anne@alfa:/home$ ls anne
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
anne@alfa:/home$

We’ll redo this command to see Eddy’s sub-directories.
Hm, We’ll encounter a issue displayed below.
Our output give us the reason why this task can’t be performed.
ls: cannot open directory Eddy: Permission denied
We’ve no read permission anymore because we belongs to the users “everyone”.
Type ls Eddy + enter.

anne@alfa:~$ cd /home
anne@alfa:/home$ ls
anne  Eddy
anne@alfa:/home$ ls anne
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
anne@alfa:/home$ ls Eddy
ls: cannot open directory Eddy: Permission denied
anne@alfa:/home$

Can we access his home directoy? I don’t think so.
Let’s test it and type cd Eddy + enter.
No success  to access it which protects Eddy’s privacy.
Our output displays the reason why: cd: Eddy: Permission denied

anne@alfa:~$ cd /home
anne@alfa:/home$ ls
anne  Eddy
anne@alfa:/home$ ls anne
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
anne@alfa:/home$ ls Eddy
ls: cannot open directory Eddy: Permission denied
anne@alfa:/home$ cd Eddy
bash: cd: Eddy: Permission denied
anne@alfa:/home$

We’ve shown how to set permissions at user level but this can become complicated when having much users.
In our example we’ve only two users which are easy manageable.
Our users are divided into two different primary groups anne and Eddy.
Type ls -l + enter.

root@alfa:/home# ls -l
total 8
drwxr-x— 25 anne anne 4096 Jan 11 12:03 anne
drwxr-x— 19 Eddy Eddy 4096 Jan  9 22:39 Eddy
root@alfa:/home#

The best practice is to set permissions at group level instead of users.
We’ll create two users Bert and Vivianne by executing useradd.
We will create a new supplementary group _gnubizzers using groupadd.
A directory GNUBIZZ-DRIVE will be created in our / home directory.
Create both users Bert, Vivianne and their /home directories.
Type useradd -m -U Bert + enter.

anne@alfa:~$ su
Password:
root@alfa:/home/anne# useradd -m -U Bert
root@alfa:/home/anne#

Repeat this command creating user Vivianne.
Type useradd -m -U Vivianne + enter.

anne@alfa:~$ su
Password:
root@alfa:/home/anne# useradd -m -U Bert
root@alfa:/home/anne# useradd -m -U Vivianne
root@alfa:/home/anne#

Restart your computer so the system can write down the modifications you’ve just made.
Check if both users exist by ls commando.
Now we see four users anne, Bert, Eddy and Vivianne.
Type ls /home + enter.

root@alfa:/home/anne# ls /home
anne  Bert  Eddy  Vivianne
root@alfa:/home/anne#

Asign users Bert and Vivianne a login password.
Type passwd Bert + enter.
You’ll be asked to fill in Bert’s new password + enter.
Retype this password + enter.
Do the same task by the user Vivianne.

root@alfa:/home/anne# passwd Bert
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@alfa:/home/anne# passwd Vivianne
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@alfa:/home/anne#

Check the newly user’s permissions by typing ls -l + enter.
Other users are able to read contents of both users Bert and Vivianne.
When you don’t like it to happen you’ve to change it.
Type chmod 750 Bert Vivianne + enter.

root@alfa:/home# ls -l
total 16
drwxr-x— 25 anne     anne     4096 Jan 11 21:48 anne
drwxr-xr-x 19 Bert     Bert     4096 Jan 11 21:45 Bert
drwxr-x— 19 Eddy     Eddy     4096 Jan 11 21:30 Eddy
drwxr-xr-x 19 Vivianne Vivianne 4096 Jan 11 21:47 Vivianne
root@alfa:/home# chmod 750 Bert Vivianne
root@alfa:/home# ls -l
total 16
drwxr-x— 25 anne     anne     4096 Jan 11 21:48 anne
drwxr-x— 19 Bert     Bert     4096 Jan 11 21:45 Bert
drwxr-x— 19 Eddy     Eddy     4096 Jan 11 21:30 Eddy
drwxr-x— 19 Vivianne Vivianne 4096 Jan 11 21:47 Vivianne
root@alfa:/home#

Our next task is creating our directory GNUBIZZ-DRIVE using mkdir commando in the /home directory.
Navigate to /home using cd.
Type mkdir GNUBIZZ-DRIVE + enter.
We’ll face a permission issue by “Permission denied” because we were executing our command as default user.
The directory /home is owned by root.
Login as root by typing su + enter.
Typ your password + enter and retype it again + enter.
Now we’ll be able to perform this task.
Type mkdir GNUBIZZ-DRIVE + enter.
Check by ls -l and you’ll see our newly directoy GNUBIZZ-DRIVE and it’s permissions.
As you can see everyone has read and execute permissions at GNUBIZZ-DRIVE owned by root.

anne@alfa:/home$ mkdir GNUBIZZ-DRIVE
mkdir: cannot create directory `GNUBIZZ-DRIVE’: Permission denied
anne@alfa:/home$ su
Password:
root@alfa:/home# mkdir GNUBIZZ-DRIVE
root@alfa:/home# ls -l
total 20
drwxr-x— 26 anne     anne     4096 Jan 11 22:19 anne
drwxr-x— 19 Bert     Bert     4096 Jan 11 21:45 Bert
drwxr-x— 19 Eddy     Eddy     4096 Jan 11 21:30 Eddy
drwxr-xr-x  2 root     root     4096 Jan 11 22:28 GNUBIZZ-DRIVE
drwxr-x— 19 Vivianne Vivianne 4096 Jan 11 21:47 Vivianne
root@alfa:/home#

Change permission at GNUBIZZ-DRIVE so others aren’t able to gain access to it.
Type chmod 750 GNUBIZZ-DRIVE + enter.
At this stage user root and group root has still permissions set.
Check this by ls -l + enter.

root@alfa:/home# chmod 750 GNUBIZZ-DRIVE
root@alfa:/home# ls -l
total 20
drwxr-x— 26 anne     anne     4096 Jan 11 22:19 anne
drwxr-x— 19 Bert     Bert     4096 Jan 11 21:45 Bert
drwxr-x— 19 Eddy     Eddy     4096 Jan 11 21:30 Eddy
drwxr-x—  2 root     root     4096 Jan 11 22:28 GNUBIZZ-DRIVE
drwxr-x— 19 Vivianne Vivianne 4096 Jan 11 21:47 Vivianne
root@alfa:/home#

Now we’re ready to go further using groups instead of users.
Our purpose is to make users members of specific groups.
Our system handles two kinds of groups, primary and supplementary.
Each user becomes a member of a primary group when we created them.
Let’s look which group our users belongs to using id commando.
Type id username + enter.
Here we can see our primary groups of our users:
anne’s primary group is “anne”
Eddy’s primary group is “Eddy”
Bert’s primary group is “Bert”
Viviannes’s primary group is “Vivianne”

anne@alfa:~$ id anne
uid=1000(anne) gid=1000(anne) groups=1000(anne),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),106(scanner),111(bluetooth),113(netdev)
anne@alfa:~$ id Eddy
uid=1001(Eddy) gid=1001(Eddy) groups=1001(Eddy)
anne@alfa:~$ id Bert
uid=1002(Bert) gid=1002(Bert) groups=1002(Bert)
anne@alfa:~$ id Vivianne
uid=1003(Vivianne) gid=1003(Vivianne) groups=1003(Vivianne)
anne@alfa:~$

First we’ll create a new group named _gnubizzers.
To perform this you’ll need high privileges being root.
Login as user root by typing su + enter.
Fill in password of root user + enter.
Retype password + enter.
Your prompt will displays # again.
Create the group _gnubizzers using groupadd commando.
Type groupadd _gnubizzers + enter.

anne@alfa:~$ su
Password:
root@alfa:/home/anne# groupadd _gnubizzers
root@alfa:/home/anne#

Our group _gnubizzers is abandon containing no members yet.
We’ll add users Eddy, Bert and Vivianne to _gnubizzers using usermod commando.
Take in account that our users and group already exist so we’ll use some arguments.
A short arguments -a and -G  explanation:
-a = Append existing user to the group
-G = Specify supplementary group which the user will join.
Be aware and use your root user.
We’re still logged in as root so we’ll continue to make our users members of _gnubizzers.
Type usermod -a -G _gnubizzers Eddy + enter.
Check Eddy’s groups membership using id commando.
Type id Eddy + enter.
Eddy’s primary group is “Eddy” and his supplementary group is “_gnubizzers”

root@alfa:/home# usermod -a -G _gnubizzers Eddy
root@alfa:/home# id Eddy
uid=1001(Eddy) gid=1001(Eddy) groups=1001(Eddy),1004(_gnubizzers)
root@alfa:/home#

Repeat this task by the users Bert and Vivianne.
Type usermod -a -G _gnubizzers Bert + enter.
Than type usermod -a -G _gnubizzers Vivianne + enter.
The group _gnubizzers contains three members Eddy, Bert and Vivanne.
Check their membership using id command followed by their username.
Type id Bert + enter.
Redo this command at the user Vivianne.
You we’ll see  _gnubizzers is added as a supplementary group.

root@alfa:/home# usermod -a -G _gnubizzers Bert
root@alfa:/home# usermod -a -G _gnubizzers Vivianne
root@alfa:/home# id Bert
uid=1002(Bert) gid=1002(Bert) groups=1002(Bert),1004(_gnubizzers)
root@alfa:/home# id Vivianne
uid=1003(Vivianne) gid=1003(Vivianne) groups=1003(Vivianne),1004(_gnubizzers)
root@alfa:/home#

At this moment our members of the group _gnubizzers has no permissions on GNUBIZZ-DRIVE.
Let’s check this using ls -l /home + enter.
We see GNUBIZZ-DRIVE is owned by root and group root.
Our purpose is to change the group ownership from root to _gnubizzers.
At this stage displayed below our user root has full permission and the group root has read and execute permissions.

anne@alfa:~$ ls -l /home
total 20
drwxr-x— 25 anne     anne     4096 Jan 14 11:23 anne
drwxr-x— 19 Bert     Bert     4096 Jan 11 21:45 Bert
drwxr-x— 19 Eddy     Eddy     4096 Jan 11 21:30 Eddy
drwxr-x—  2 root     root     4096 Jan 11 22:28 GNUBIZZ-DRIVE
drwxr-x— 19 Vivianne Vivianne 4096 Jan 11 21:47 Vivianne
anne@alfa:~$

Let’s change the group ownership by using chgrp commando.
We’ll insert some arguments like -v and -R.
-v Is used to see the diagnostics what happened .
-R Is used to operate on files and directories recursively.
Type chgrp -v -R _gnubizzers /home/GNUBIZZ-DRIVE + enter.
Our output displays that the group has changed from root to _gnubizzers.

anne@alfa:~$ su
Password:
root@alfa:/home/anne# chgrp -v -R _gnubizzers /home/GNUBIZZ-DRIVE
changed group of `/home/GNUBIZZ-DRIVE’ from root to _gnubizzers
root@alfa:/home/anne#

Check using ls -l verifying the changes.
The directory GNUBIZZ-DRIVE is still owned by user root but the group ownership has changed to _gnubizzers.
The group _gnubizzers are able to read and execute in the directory GNUBIZZ-DRIVE.

root@alfa:/home/anne# ls -l /home
total 20
drwxr-x— 25 anne     anne        4096 Jan 14 11:23 anne
drwxr-x— 19 Bert     Bert        4096 Jan 11 21:45 Bert
drwxr-x— 19 Eddy     Eddy        4096 Jan 11 21:30 Eddy
drwxr-x—  2 root     _gnubizzers 4096 Jan 11 22:28 GNUBIZZ-DRIVE
drwxr-x— 19 Vivianne Vivianne    4096 Jan 11 21:47 Vivianne
root@alfa:/home/anne#

We’ll change the permissions on GNUBIZZ-DRIVE so our members of the  group _gnubizzers will be able to read, write and execute.
Login as root using su.
Type chmod 770 /home/GNUBIZZ-DRIVE + enter.
Verify your changes using ls -l /home + enter.
The user root (owner) and the group _gnubizzers (group owner) has the same permissions on GNUBIZZ-DRIVE.
Be aware that this situation is far from ideal and insecure using such configurations at companies.
Each member is able to write, change, move, store and even delete other member’s directories and files by accident.
How to avoid this will be discussed later on.

root@alfa:/home/anne# ls -l /home
total 20
drwxr-x— 25 anne     anne        4096 Jan 14 11:23 anne
drwxr-x— 19 Bert     Bert        4096 Jan 11 21:45 Bert
drwxr-x— 19 Eddy     Eddy        4096 Jan 11 21:30 Eddy
drwxr-x—  2 root     _gnubizzers 4096 Jan 11 22:28 GNUBIZZ-DRIVE
drwxr-x— 19 Vivianne Vivianne    4096 Jan 11 21:47 Vivianne
root@alfa:/home/anne# chmod 770 /home/GNUBIZZ-DRIVE
root@alfa:/home/anne# ls -l /home
total 20
drwxr-x— 25 anne     anne        4096 Jan 14 11:23 anne
drwxr-x— 19 Bert     Bert        4096 Jan 11 21:45 Bert
drwxr-x— 19 Eddy     Eddy        4096 Jan 11 21:30 Eddy
drwxrwx—  2 root     _gnubizzers 4096 Jan 11 22:28 GNUBIZZ-DRIVE
drwxr-x— 19 Vivianne Vivianne    4096 Jan 11 21:47 Vivianne
root@alfa:/home/anne#

We’ll show you a security breach on GNUBIZZ-DRIVE.
Login as user Eddy in the same terminal you working on.
First become user root before using login commando.
Type login Eddy + enter.
You’ll be asked to fill in Eddy’s password + enter.
You’re now logged in as “Eddy”.
Verify who is logged by using whoami command.
Type whoami + enter.
Eddy will be displayed.
Check Eddy’s working directory by pwd commando.
Type pwd + enter.
Eddy’s working directory would be /home/Eddy.
Navigate to GNUBIZZ-DRIVE by typing cd /home/GNUBIZZ-DRIVE + enter.
Eddy will create a sub-directory “Eddy-gnu”.
Type mkdir Eddy-gnu + enter.
Verify with ls and Eddy will see his new directory Eddy-gnu stored at GNUBIZZ-DRIVE.
Logout by typing exit + enter and you’ll become root user.
Your prompt shows # sign again being root user.

root@alfa:/home/anne# login Eddy
Password:
Last login: Tue Jan 14 12:43:58 CET 2014 on pts/0
Linux alfa 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ whoami
Eddy
$ pwd
/home/Eddy
$ cd /home/GNUBIZZ-DRIVE
$ pwd
/home/GNUBIZZ-DRIVE
$ mkdir Eddy-gnu
$ ls
Eddy-gnu
$ exit
root@alfa:/home/anne#

So far nothing happened yet to proof our configuration issue.
Login as user Vivianne.
Verify Vivianne’s working directory by pwd.
Navigate to GNUBIZZ-DRIVE.
Check which directories are stored at GNUBIZZ-DRIVE by ls -l.
Vivianne will see Eddy’s directory Eddy-gnu.
Take in account the whole group _gnubizzers has full rights on GNUBIZZ-DRIVE.
Let’s test our security risk by removing Eddy’s folder.
Type rmdir Eddy-gnu + enter.
Use ls and you’ll see Eddy’s directory Eddy-gnu is gone.
This is not a good practice being able to delete each others folders and files.
Logout by typing exit + enter.
We’re root again and ready to modify it at a better way.

root@alfa:/home/anne# login Vivianne
Password:
Linux alfa 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ pwd
/home/Vivianne
$ cd /home/GNUBIZZ-DRIVE
$ ls -l
total 4
drwxr-xr-x 2 Eddy Eddy 4096 Jan 14 12:52 Eddy-gnu
$ rmdir Eddy-gnu
$ ls
$ exit
root@alfa:/home/anne#

Our goal is working more secure for everyone who’s member of the group _gnubizzers.
Let’s change our permission using a sticky bit.
The user root will not be affected by sticky bit and the permission will remain unchanged.
This will prevent the user being able by deleting files and directories accidently by other users which belongs to the same group _gnubizzers.
Set your permission on GNUBIZZ-DRIVE using chmod commando.
Type chmod -v 1770 /home/GNUBIZZ-DRIVE + enter.
Check this by ls -l /home + enter.

root@alfa:/home/anne# chmod -v 1770 /home/GNUBIZZ-DRIVE
mode of `/home/GNUBIZZ-DRIVE’ changed from 0770 (rwxrwx—) to 1770 (rwxrwx–T)
root@alfa:/home/anne# ls -l /home
total 20
drwxr-x— 25 anne     anne        4096 Jan 14 11:23 anne
drwxr-x— 19 Bert     Bert        4096 Jan 11 21:45 Bert
drwxr-x— 19 Eddy     Eddy        4096 Jan 11 21:30 Eddy
drwxrwx–T  2 root     _gnubizzers 4096 Jan 14 12:59 GNUBIZZ-DRIVE
drwxr-x— 19 Vivianne Vivianne    4096 Jan 11 21:47 Vivianne
root@alfa:/home/anne#

Our security breach must be solved so we’ll test it again.
Type the bold text displayed in our example below.
The red text represents our terminal output.
Just follow this small content and explore and discuss your thoughts.
Don’t forget to be root when logging as another user in the same terminal.
Login as user Eddy and create a directory Eddy-gnu at GNUBIZZ-DRIVE.

root@alfa:/home/anne# login Eddy
Password:
Last login: Tue Jan 14 12:44:45 CET 2014 on pts/0
Linux alfa 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ pwd
/home/Eddy
$ cd /home/GNUBIZZ-DRIVE
$ pwd
/home/GNUBIZZ-DRIVE
$ mkdir Eddy-gnu
$ ls -l
total 4
drwxr-xr-x 2 Eddy Eddy 4096 Jan 14 13:27 Eddy-gnu
$ exit
root@alfa:/home/anne#

Login as user Bert and Vivianne and create sub-directory correspond by username:
Vivianne will create directory Vivianne-gnu.
Bert will create directory Bert-gnu.
Type the bold text displayed below.
Login as user Bert and perform the task described above.

root@alfa:/home/anne# login Bert
Password:
Last login: Tue Jan 14 13:30:39 CET 2014 on pts/0
Linux alfa 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ pwd
/home/Bert
$ cd /home/GNUBIZZ-DRIVE
$ ls
Eddy-gnu
$ mkdir Bert-gnu
$ ls -l
total 8
drwxr-xr-x 2 Bert Bert 4096 Jan 14 13:31 Bert-gnu
drwxr-xr-x 2 Eddy Eddy 4096 Jan 14 13:27 Eddy-gnu
$$ exit
root@alfa:/home/anne#

Login as user Vivianne and create a sub-directory Vivianne-gnu at GNUBIZZ-DRIVE.
Type the bold text and follow our example below.

root@alfa:/home/anne# login Vivianne
Password:
Last login: Tue Jan 14 12:58:36 CET 2014 on pts/0
Linux alfa 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ pwd
/home/Vivianne
$ cd /home/GNUBIZZ-DRIVE
$ mkdir Vivianne-gnu
$ ls -l
total 12
drwxr-xr-x 2 Bert     Bert     4096 Jan 14 13:31 Bert-gnu
drwxr-xr-x 2 Eddy     Eddy     4096 Jan 14 13:27 Eddy-gnu
drwxr-xr-x 2 Vivianne Vivianne 4096 Jan 14 13:42 Vivianne-gnu
$ exit
root@alfa:/home/anne#

Let’s see if users can delete files and directories by accident of othter members.
Login as user Eddy again.
Eddy will remove other members their directories stored at GNUBIZZ-DRIVE.
The bold text must be typed. Explore what will happen and enjoy it.
Nobody of the group _gnubizzers will be able to delete each others files and direcoties.
Notice they’re still be able to read each others contents but they can’t create or remove contents at other members.

If you don’t like that group members are able to read your contents you can change it at your own folders and files stored at GNUBIZZ_DRIVE.
A example what a group member can do.
Supposing Eddy don’t like that others are able to read his contents.
At this stage permissions read and execute rights on Eddy’s-gnu owned by Eddy are granted  for everyone.
drwxr-xr-x 2 Eddy     Eddy     4096 Jan 14 13:27 Eddy-gnu
Eddy can change this by executing chmod 750 Eddy-gnu to avoid reading permissions by others.
Now his folder permission would like this:
drwxr-x— Eddy     Eddy     4096 Jan 14 13:27 Eddy-gnu
The members of the group _gnubizzers aren’t able anymore to read Eddy’s folders and files contents.
Setting permissions can become very complicated and must be well documented by system administrators.

root@alfa:/home/anne# login Eddy
Password:
Last login: Tue Jan 14 13:27:13 CET 2014 on pts/0
Linux alfa 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ pwd
/home/Eddy
$ cd /home/GNUBIZZ-DRIVE
$ ls -l
total 12
drwxr-xr-x 2 Bert     Bert     4096 Jan 14 13:31 Bert-gnu
drwxr-xr-x 2 Eddy     Eddy     4096 Jan 14 13:27 Eddy-gnu
drwxr-xr-x 2 Vivianne Vivianne 4096 Jan 14 13:42 Vivianne-gnu
$ rmdir Bert-gnu
rmdir: failed to remove `Bert-gnu’: Operation not permitted
$ rmdir Vivianne-gnu
rmdir: failed to remove `Vivianne-gnu’: Operation not permitted
$ exit
root@alfa:/home/anne# 

A permission overview configured in our example.
Our system has four users anne, Eddy, Bert and Vivianne.
Membership _gnubizzers:
Eddy, Bert and Vivianne
Non membership of _gnubizzers:
anne and root
The permissions set at users home direcories:
Read, write and execute by the owner (user itself).
Read and execute permission granted at primary group which user belongs to.
No rights granted for everyone.
Permission set at GNUBIZZ-DRIVE shared by the group _gnubizzers:
Read, write and execute rights granted user root.
Read, write and execute rights granted to _gnubizzers members.
Sticky bit set preventing by removing contents of other members.
No rights granted for everyone

So that’s it and we hope you’ve enjoyed it.
Feel free to share your thoughts so we can get things going better.
Don’t hesitate to leave a comment.
We’ll back soon to giude you through this nice system Debian Wheezy 7.2. 😉

Written by Anne-Marie.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: