Why User and Permission Management is Needed in Linux?¶

In Linux systems, user and permission management is the core mechanism to ensure system security and rational resource allocation. Imagine if all programs ran with the same identity—if one program were compromised, the entire system could be at risk. Permission management acts like assigning different “keys” to different users, allowing them to only access the “doors” they have permission to open. This ensures both reasonable resource usage and prevents misoperations or malicious damage.

一、Basic Concepts of Users and Groups¶

1.1 Relationship Between Users and Groups¶

• User: Each person or program using the system corresponds to a user. For example, you use root to manage the system, and www-data to run web services.
• Group: Multiple users can form a group for unified permission management. For example, team members can join the same group to share file permissions.

Metaphor: A user is an “individual,” and a group is a “family.” A user can belong to multiple groups (primary group + supplementary groups), but only has one primary group.

1.2 UID and GID¶

• UID (User ID): Each user has a unique numeric ID. root has a fixed UID of 0, and regular users start from 1000 (e.g., Ubuntu).
• GID (Group ID): Each group also has a unique numeric ID; the primary group ID matches the user ID.

二、Basic User Management¶

2.1 Creating/Deleting Users¶

• Create User: useradd [username] (requires root privileges)
• Example: useradd -m zhangsan (-m automatically creates the home directory)
• Set Password: passwd [username]
• Delete User: userdel -r [username] (-r deletes the home directory)

2.2 Switching Users¶

• Temporary Identity Switch: su - [username] (adding - switches environment variables; e.g., sudo su - directly switches to root)
• sudo Privilege Escalation: Regular users use sudo [command] to perform administrative operations (no need to switch to root)
• Example: sudo apt update (Ubuntu) or yum update (CentOS)
• Note: Add the user to the sudo group first: usermod -aG sudo [username]

三、Detailed File Permissions¶

3.1 Permission Meaning (rwx)¶

File permissions are represented by three groups of characters, each corresponding to user (u), group (g), and others (o). The format is rwxrwxrwx:
- r (Read): 4 (binary 100), allows viewing file content (e.g., cat)
- w (Write): 2 (binary 010), allows modifying/deleting files (use with caution)
- x (Execute): 1 (binary 001), allows running programs (files) or entering directories (directories)

Key Difference: The x permission for directories means “enter the directory” (not “run the directory”); for files, it means “execute the program.”

3.2 Permission Representation Methods¶

Numeric Permissions (Concise and Intuitive)¶

• Directly use numeric combinations to represent permissions, formatted as owner_permissions + group_permissions + others_permissions
• Example: 755 = owner rwx (7) + group r-x (5) + others r-x (5)
• Example: 644 = owner rw- (6) + group r-- (4) + others r-- (4)

Symbolic Permissions (Flexible and Precise)¶

Use u/g/o/a (user/group/others/all) + +/-/= (add/remove/set) + r/w/x to represent:
- Example: chmod u+x file.txt (add execute permission to the owner)
- Example: chmod go-w directory (remove write permission from group and others)

3.3 Commands for Changing Permissions¶

• Modify Permissions: chmod [permission type] [permissions] [file]
• Numeric: chmod 755 test.sh (all users can execute, owner can read/write/execute)
• Symbolic: chmod u+r,g+w test.txt (user + read, group + write)
• Modify Owner/Group:
• chown new_owner:new_group file (e.g., chown root:www-data app.log)
• chgrp new_group file (only changes group, requires root privileges)

四、Special Rules for Directory Permissions¶

• Directory Permission Priority: Entering a directory requires x permission, viewing its contents requires r permission, and creating/deleting files requires w permission.
• Example: Directory data with 700 (only owner can enter), directory public with 755 (all users can enter)

五、Special Permissions (Advanced)¶

5.1 SUID/SGID/SBIT¶

• SUID (Set UID): Makes a binary program temporarily inherit the owner’s permissions (e.g., the passwd command)
• Set: chmod u+s program (only valid for executable files)
• SGID (Set GID): Makes new files/directories inherit the group’s permissions (e.g., team-shared directories)
• Set: chmod g+s directory (new files in the directory inherit the directory’s group by default)
• SBIT (Sticky Bit): Prevents ordinary users from deleting others’ files (e.g., /tmp directory)
• Set: chmod o+t directory

六、Permission Inheritance and Default Permissions¶

6.1 umask (Default Permission Mask)¶

• Purpose: Controls the default permissions for newly created files/directories (e.g., new files are not executable by default, directories allow entry by default)
• View: umask (default 022, meaning new files have 644 and directories have 755 by default)
• Modify: Temporarily: umask 002; Permanently: Configure in /etc/profile or ~/.bashrc

七、Common Issues and Best Practices¶

1. Forgotten Password: root can reset with passwd [username]; regular users must switch to root via su -.
2. Principle of Least Privilege: Only assign necessary permissions (e.g., www-data only accesses website directories).
3. Avoid Root for Daily Operations: Use regular users + sudo to prevent accidental system file deletion.
4. Regular Permission Checks: find / -perm -600 (find high-risk files, where 600 means only owner can read/write).

With the above content, you should initially grasp the core logic of Linux user and permission management. For practical scenarios (e.g., setting up web servers, deploying programs), focus on “permissions’ different impacts on files/directories” and “conversion between numeric and symbolic permissions.”