Linux 13 - Users, Environment and Permissions in Linux

By Sheldon L

Published at 2020-04-29

Updated at 2020-04-29

Accounts, Users, and Groups

Identifying Users

# Identifying the Current User
whoami
who
who -a
id
id username

User Startup Files

The three user-owned startup files, startup in order when user logs onto system:

~/.bash_profile
~/.bash_login
~/.profile

Every time you create a new shell, or terminal window, etc., you do not perform a full system login; only a file named ~/.bashrc file is read and evaluated.
Most commonly, users only fiddle with ~/.bashrc, as it is invoked every time a new command line shell initiates, or another program is launched from a terminal window, while the other files are read and executed only when the user first logs onto the system.
Recent distributions sometimes do not even have .bash_profile and/or .bash_login , and some just do little more than include .bashrc
You can create customized commands or modify the behavior of already existing ones by creating aliases. Most often, these aliases are placed in your .bashrc file so they are available to any command shell. Or .bashrc is include ~/.bash_aliases, you can edit .bash_aliases.
Customizing the Bash Environment: Shell 1 - My Startup Files

Basics of Users and Groups

All Linux users are assigned a unique user ID (uid), which is just an integer; normal users start with a uid of 1000 or greater.
Users also have one or more group IDs (gid), including a default one which is the same as the user ID. These numbers are associated with names through the files /etc/passwd and /etc/group. Groups are used to establish a set of users who have common interests for the purposes of access rights, privileges, and security considerations.
Users and Groups:
- /etc/passwd - list of users
- /etc/shadow - encrypted passwords for users
- /etc/group - list of groups
- /etc/gshadow - encrypted passwords for groups

Adding and Removing Users

# Add user in Debian, see /etc/default/useradd
sudo useradd -m -c "[Full Name]" -s /bin/bash [username]
# m: make home directory
# c: Full Name
# s: shell
sudo passwd [username]
grep [username] /etc/passwd /etc/group
ssh [username]@localhost
ls -al    # everything here come from /etc/skel
ls -al /etc/skel

# Add user in SUSE
sudo /usr/sbin/useradd [username]

# This, by default, sets the home directory to:
# /home/[username]
# populates it with some basic files, copied from:
# /etc/skel
# and adds a line to:
# /etc/passwd
# such as:
# [username]:x:1002:1002::/home/[username]:/bin/bashc
# and sets the default shell to:
# /bin/bash

# Delete user
sudo userdel [username]     # will leave /home/[username]
sudo userdel -r [username]  # will remove recursively

Adding and Removing Groups

# Add group
sudo /usr/sbin/groupadd [groupname]
# OR
addgroup [group]

# Delete group
sudo /usr/sbin/groupdel [groupname]
# OR
delgroup [group]

# Check the groups a user belongs to
groups [username]

# Add a user to a group
sudo /usr/sbin/usermod -a -G [groupname] [username]  
# a: append, don't remove anything already exist
# G: giv a complete list of groups
# OR
adduser [user] [group] # conf file in /etc/adduser.conf
# WARNING:
sudo /usr/sbin/usermod -G anewgroup [username] # user will only belong to 'anewgroup'

# Add a user to sudo
sudo /usr/sbin/usermod -a -G sudo [username]
# OR
touch /etc/sudoers.d/[username]
echo "newuser      ALL=(ALL)     ALL" >> /etc/sudoers.d/[username]

The root Account

sudo configuration files:
- /etc/sudoers
- /etc/sudoers.d/

su                # login root, Dangerous!
sudo [command]    # every time command is complete will return to normal unprivileged user

su {username}
su - {username}
su -l {username}
su --login {username}

exit

Modify group and user config

getent passwd [user]   # return the information from the user database

chfn [user]            # CHange Full Name
chsh [user]            # CHange SHell among /etc/shells
chage [user]           # CHange passwd AGE
chage -l [user]        # list passwd age
passwd -e [user]       # forces the user to change their password
passwd -<l|u> [user]   # lock/unlock

groupmod -g [newgid]   # change group config
gpasswd [group]        # change
gpasswd -r [group]     # remove

Environment Variables

Environment variables are quantities that have specific values which may be utilized by the command shell, such as bash
Environment variables can be defined system-wide in /etc/profile or user’s ~/.profile, but variables that are not specific to command line interpreters are better put in /etc/environment, since those variables will be injected into all user sessions thanks to a ‘Pluggable Authentication Module (PAM)’ even when no shell is executed.

# View the values of currently set environment variables
set
env
export

# Create a variable only available in current shell
var="My Var"
echo "$$"
echo $var   # "My Var"
# new a bash and check:
bash
echo "$$"
echo $var   # Nonthing
exit

# Export a new variable available in current shell and its sub shell
export VARIABLE=value
# OR
VARIABLE=value
export VARIABLE

export all_proxy=socks5:127.0.0.1:1080

export address=10.11.1.120
ping -c 2 $address

# Add a variable permanently
vim ~/.bashrc
export VARIABLE=value
. ~/.bashrc   # = `sourc ~/.bashrc`

# Set environment variables to be fed as a one shot to a command
SDIRS=s_0* KROOT=/lib/modules/$(uname -r)/build make modules_install
# feeds the values of the SDIRS and KROOT environment variables to `make modules_install`

SECURITY: Adding PATH in a safe way!

echo "echo HELLO, this is the phony ls program." > /tmp/ls
cat /tmp/ls
chmod +x /tmp/ls
chmod u+x /temp/ls

bash
export PATH=$PATH:/tmp
echo $PATH
ls  # which ls run?

bash
export PATH=/tmp:$PATH  # DANGEROUSE!
echo $PATH
ls  # which ls run?

# NOTE: the second form is a very dangerous thing to do!
# is a trivial way to insert a Trojan Horse program;
# if someone can put a malicious program in /tmp, they can trick you into running it accidentally.

Common Variables Preset

echo $SHELL # The SHELL Variable, user's default command shell

echo $PATH  # The PATH Variable, an ordered list of directories (the path) which is scanned when a command is given
export PATH=$HOME/bin:$PATH  
# Each directory in the path is separated by `:`
# A null (`::` or empty befor the first `:`) directory
# or `./` indicates the current directory at any given time.

echo $HOME  # The HOME Variable, = `~`
echo $PWD   # The PWD Variable, = `pwd`
echo $USER  # The USER Variable
echo "$$"   # process ID

The PS1 Variable and the Command Line Prompt

Prompt Statement (PS) is used to customize your prompt string in your terminal windows to display the information you want
PS1 is the primary prompt variable which controls what your command line prompt looks like. The following special characters can be included in PS1:
- \u - User name
- \h - Host name
- \w - Current working directory
- \! - History number of this command
- \d - Date

# always reminded of who you are and what machine you are on.
echo $PS1
OLD_PS1=$PS1

PS1="\u@\h:\w$ "
echo $PS1

PS1="$ "
echo $PS1

PS1=$OLD_PS1
echo $PS1

Customizing the Bash Environment Shell 1 - My Startup Files

Recalling Previous Commands

History is stored in ~/.bash_history

[command1]
[command2]
[command3]
history
history | tail -20
![n]      # case [n] in history
!!        # repeat last command line
!$        # repeat last command word
![string] # the most recent command starting with [string]
CTRL+R  # search previously used commands

echo $HISTFILE      # location of the history file
echo $HISTSIZE      # maximum number of lines in the history file (default 500)
echo $HISTFILESIZE  # maximum number of commands in the history file
echo $HISTCONTROL   # how commands are stored
echo $HISTIGNORE    # command lines can be unsaved
# see help in:
man bash

# # Search in history
# J: scroll backwards
# L: scroll forwards

Permissions

Linux is a multi-user system so it is necessary to provide a permissions system to control the set of authorized operations on files and directories, which includes all the system resources and devices.
- Types of users (ordered): owner, group, others = u, g, o;
- Types of rights (ordered): read, write, execute = r, w, x = 100, 010, 001 = 4, 2, 1;
- R, W, X apply only to directories.
- Modes: add, remove, set = +, -, =
- Linux set permission 666(file) and 777(dir) as default after downloading.
Special Permissions
- Granting Temporary Root Permissions with SUID (setuid, SET User ID): enter a 4 before the regular permissions: 644 -> 4644
- Granting Temporary Root User’s Permissions with SGID (setgid, SET Group ID): enter a 2 before the regular permissions: 644 -> 2644, or symbolized with the letter s;
- The Outmoded Sticky Bit (Unix)
There are two ways of representing rights:

# Opt1. Symbolic representation
chmod <-R> <a|u|g|o><-|+|=><w|r|x|X> [file] # -R = Recursive, a = ugo, X = applies only to directories
chmod -R a+X [directory]
ch

# Opt2. The (octal) numeric representation
chmod 467 [file]
# The most frequent right combinations are 755 for executable files and directories, and 644 for data files.
chmod 4467 [file]  # add bit 4, Granting Temporary Root User’s Permissions with `setuid`
chmod 2467 [file]  # add bit 2, Granting Temporary Root User’s Permissions with `setgid`
chmod 1467 [file]  # add bit 1, Granting Temporary Root User’s Permissions with `sticky`
# The use of octal notation only allows you to set all the rights at once on a file
umask # will see a mask such as 0022, used to restrict permissions on newly created files

Changing the user and group of a file

chown [user]:[group] [file]
chgrp [group] [file]
chmod [rights] [file]

TIP: A directory is handled differently from a file.
- Read access gives the right to consult the list of its contents (files and directories);
- Write access allows creating or deleting files;
- Execute access allows crossing through the directory to access its contents (for example, with the cd command). Being able to cross through a directory without being able to read it gives the user permission to access the entries therein that are known by name, but not to find them without knowing their exact name.
SECURITY: setuid and setgid executable files:
- The setuid and setgidare relevant to executable files.
- These two rights allow any user to execute the program with the rights of the owner or the group, respectively.
- This mechanism grants access to features requiring higher level permissions than those you would usually have.
- Since a setuid root program is systematically run under the super-user identity, it is very important to ensure it is secure and reliable.
- Any user who manages to subvert a setuid root program to call a command of their choice could then impersonate the root user and have all rights on the system.
- Penetration testers regularly search for these types of files when they gain access to a system as a way of escalating their privileges.
SECURITY: setgid directory and sticky bit:
- The setgid bit also applies to directories.
- Any newly-created item in such directories is automatically assigned the owner group of the parent directory, instead of inheriting the creator’s main group as usual. Because of this, you don’t have to change your main group (with the newgrp command) when working in a file tree shared between several users of the same dedicated group.
- The sticky bit (symbolized by the letter “t”) is a permission that is only useful in directories.
- It is especially used for temporary directories where everybody has write access (such as /tmp/): it restricts deletion of files so that only their owner or the owner of the parent directory can delete them.