Unix Users and Groups

Basic info

Each user has a primary group and a list of supplementary groups. The primary group is used mainly when creating new files. The list of groups (primary and all supplementary) are used for granting access.

A file has a user-owner and group-owner. Any particular user is either the file owner, in the file's group, or other.

The user who is the user-owner is the file's owner.
Users who are not the file's owner but whose primary or supplementary groups include the file's group are in the file's group.
All other users are in the "other" category.

The user permissions (rwx------ 0700) grant access to the owner.
The group permissions (---rwx--- 0070) grant access to users who are in the file's group.
All other users get other permissions (------rwx 0007).

The setuid bit (--s------ 4000):

If set on an executable file then the program gets the permissions of the file's owner while it runs.
Turn on: chmod u+s foo
Turn off: chmod u-s foo

The setgid bit (-----g--- 2000):

If set on an executable file then the program gets the permissions of the file's group while it runs.
If set on a non-executable file then the file has mandatory file/record locking.
If set on a directory then all files created in that directory get the same group as the directory, and directories created in that directory also have the setgid bit set (without the setgid bit the group of a newly created file is the primary group of the user who created the file).
Turn on: chmod g+s foo
Turn off: chmod g-s foo

The sticky bit (--------t 1000):

If set on a directory then files in the directory may only be renamed/deleted by the owner of the file or the owner of the directory. (Without the sticky bit anyone with write access to the directory can do that.)
Turn on: chmod o+t foo
Turn off: chmod o-t foo

The umask is a per-process value that indicates which permission bits to turn off when creating a file. See and set its value with the umask shell command.

Creating files

When a file is created:

Its owner is the user creating the file.

Its group is the primary group of the user creating the file.

If the file is created in a directory with the setgid bit set, then the group is the group of the directory

Its permissions are 0666 & ~umask. The umask is a per-process value that indicates which permission bits to turn off when creating a file.

Create new user

This creates a new user and adds them to /etc/password. It also creates a group of the same name and assigns it as the primary group. The -m option causes a home directory to be created with default files.

    sudo useradd -m -s /bin/bash username

Useful options:

                -m           - create the home dir and cp files from /etc/skel
                -s /bin/bash - set shell

Create new group

    sudo groupadd name_of_new_group

Add existing user to existing group

This adds the user to the group so the group will be in the users list of supplementary groups.

    sudo usermod -a -G name_of_group username