How users are organized
Linux configuration is text based, so all of the users on a Linux system reside in a file
called /etc/passwd. You can view the file one page at a time with the
the /etc directory
The construction of this file is fairly straightforward. Each line describes one user, with the fields separated by colons.
The first column contains the login name. The second column contains the user's password. The third column contains the user's numeric id (the UID). The fourth column contains the numeric id of the user's primary group (the GID). The fifth column contains the user's full name, or a comment. The sixth column contains the location of the user's home directory; normally this directory lives under /home and has the same name as the login name. The seventh column contains the user's default console shell.
Password file structure
Login ID:Password:User ID:Group ID:Comment:Home directory:Default shell
Notice that the example above has an "x" in the Password column. This does not mean that the user's password is "x". At one time passwords were normally stored within this file itself, which every user on the system can read. This configuration is still possible, but it is rare because of the security implications. The solution was to create something called a shadow password. An "x" is placed in the password field of /etc/passwd, and the encrypted (hashed) form of the password goes into /etc/shadow, which only root can read. This technique improved security by separating the public user information from the password data. The MD5-based password hashing scheme further improved security by allowing longer, more robust passwords. An example of a shadow password entry is below:
Shadow passwords and user rights
This approach is still not optimal, because it provides some user information to a potential cracker. A better option is to keep users in a separate repository such as LDAP.
All of the shadow password functionality is handled behind the scenes, and you will rarely need to do anything more with it than turn it on.
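As an added example (not part of the original article), the following shell function reads text in /etc/passwd format and reports the entries an administrator would want to look at: a password field that is not the "x" placeholder (an empty field, or a legacy hash kept in the passwd file itself rather than in /etc/shadow), a second UID 0 account besides root, and lines that do not have exactly seven fields. The sample entries are constructed for illustration; the login names, hash string and paths are not from any real system.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd lines (not taken from a real system).
# Field order, as described in the article:
#   login:password:UID:GID:comment:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
legacy:$1$saltsalt$hashhashhashhashhashhas:1001:1001:Hash kept in passwd:/home/legacy:/bin/sh
nopass::1002:1002:Empty password field:/home/nopass:/bin/sh
toor:x:0:0:Second UID 0 account:/root:/bin/sh
broken:x:1003:1003:Missing shell field:/home/broken'

# audit_passwd CONTENT
# Takes the text of a passwd-format file and prints one finding per line.
# An "x" in field 2 means the real hash lives in /etc/shadow; anything else
# in that field (empty, or a hash) is a finding. A line without exactly
# seven fields is malformed and reported before any other check.
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7 { printf "MALFORMED %s: %d fields, expected 7\n", $1, NF; next }
        $2 == ""                { printf "EMPTY_PASSWORD %s\n", $1 }
        $2 != "x" && $2 != ""   { printf "HASH_IN_PASSWD %s\n", $1 }
        $3 == 0 && $1 != "root" { printf "EXTRA_UID0 %s\n", $1 }
    '
}

# Demonstration on the constructed sample; the real file can be checked
# with: audit_passwd "$(cat /etc/passwd)"
audit_passwd "$SAMPLE_PASSWD"
```

On the sample above the function reports `legacy` (hash in the passwd file), `nopass` (empty password field), `toor` (a second UID 0 account) and `broken` (six fields); the three well-formed shadowed entries produce no output.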
Groups in Linux are much the same as in Windows. You create a group and add members into the group's list. Then resources can have rights assigned by group. Members of a group have access to a resource associated with that group.
Creating a group is simple, using the console command
This will create a group with no members called "newgroup." Groups live in a file called /etc/group. Each group is listed on a separate line like the following:
The first column shows the name of the group. The second column is a password. Again, the "x" indicates that the real password is stored in a shadow file called /etc/gshadow. The third column is the group's numeric id (the GID). The fourth column lists the group's members as login names separated by commas.
To add members to the group, use the gpasswd command with the -a switch and the login name you wish to add:
gpasswd -a userid mygroup
Remove users from a group with the same command, but with the -d switch:
gpasswd -d userid mygroup
It is also possible to make changes to groups by editing the /etc/group file directly.
Taking care in editing the passwd file
These are errors a human would make. The tools keep that straight. However, sometimes a quick edit to the /etc/group file is the quickest fix to a simple problem. Just bear in mind that you are dealing with some real power when you edit those files. Be careful.
Groups can be created, edited, and destroyed in Webmin with the same tool used above for working with users.
User and group associations
While this is not the place for a thorough discussion of access control, you will need some idea of how users and groups are applied to files. If you look at a long directory listing (ls -l) of a file, you'll see something like the following.
-rw-r--r-- 1 userid mygroup 703 Jun 23 22:12 myfile
Ignoring the other columns for the moment, look at the third, fourth, and last columns. The third column contains the name of the file's owner, userid. The fourth column contains the group associated with the file, mygroup. The last column is the file name. Each file can have only one owner and one group. It is also possible to assign rights to Other, meaning the users who fall into neither category. Think of Other as the equivalent of the Windows group Everyone.
A single file owner is common in operating systems, but the single group ownership feels limiting to administrators new to the technique. It is not. Since users can be members of any number of groups, it is simple to create new groups to handle resource security. In Linux, group definitions tend to be based more on the resource access required than on business units. If resources are logically organized on the system, then create more groups to finely tune access to resources.
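As an added example (not part of the original article), the shell functions below tie together the /etc/group format described earlier and the owner/group/other model described here. `groups_of` resolves a user's primary group (via the GID in passwd) plus every group whose member list names the user; `access_class` decides whether a user is treated as owner, group or other for a file; `perm_for` then picks out the matching three-character triplet from an ls -l line. The passwd and group entries and the directory listing are constructed for illustration and do not come from a real system.

```shell
#!/bin/sh
# Constructed /etc/passwd sample (login:password:UID:GID:comment:home:shell).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/bash
carol:x:1002:1002:Carol Example:/home/carol:/bin/bash'

# Constructed /etc/group sample (name:password:GID:comma-separated members).
# alice and bob are supplementary members of mygroup; carol is not.
SAMPLE_GROUP='root:x:0:
alice:x:1000:
bob:x:1001:
carol:x:1002:
mygroup:x:2000:alice,bob
auditors:x:2001:carol'

# groups_of USER
# Prints the user's groups separated by spaces: the primary group (matched
# by the GID from the passwd entry) first, then every group that lists the
# user in its member field. Unknown users produce empty output.
groups_of() {
    user="$1"
    gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$user" '$1 == u { print $4 }')
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$user" -v gid="$gid" '
        $3 == gid { primary = $1; next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) supp = supp " " $1
        }
        END { printf "%s%s\n", primary, supp }
    '
}

# access_class USER OWNER GROUP
# Prints which permission triplet applies to USER: owner, group or other.
# Note: this models the ownership rule only; root (UID 0) bypasses these
# permission checks entirely on a real system.
access_class() {
    user="$1"; owner="$2"; group="$3"
    if [ "$user" = "$owner" ]; then echo owner; return; fi
    for g in $(groups_of "$user"); do
        if [ "$g" = "$group" ]; then echo group; return; fi
    done
    echo other
}

# perm_for USER LS_LINE
# Splits an ls -l line into its columns (mode, links, owner, group, size,
# month, day, time, name) and prints the rwx triplet that applies to USER.
perm_for() {
    user="$1"
    set -- $2
    mode="$1"; owner="$3"; group="$4"
    case "$(access_class "$user" "$owner" "$group")" in
        owner) printf '%s\n' "$mode" | cut -c2-4 ;;
        group) printf '%s\n' "$mode" | cut -c5-7 ;;
        other) printf '%s\n' "$mode" | cut -c8-10 ;;
    esac
}

# Demonstration: a file owned by alice, group mygroup, mode rw-r-----.
LISTING='-rw-r----- 1 alice mygroup 703 Jun 23 22:12 myfile'
for u in alice bob carol; do
    printf '%-6s groups: %-16s perms on myfile: %s\n' \
        "$u" "$(groups_of "$u")" "$(perm_for "$u" "$LISTING")"
done
```

With the sample data, alice reads and writes the file as its owner, bob reads it only because he is a supplementary member of mygroup, and carol, who is in neither the owner nor the group position, gets the Other triplet and no access at all. That is the point the paragraph above makes: one group slot per file is enough when group membership is built around the resources being protected.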
More detailed information about associating users and groups is in the Resources section at the end of this article. For details on how to change file permissions, see