Linux permissions of users and groups - cheatsheet

Cheatsheet about main commands for managing users and groups for read/write access and specific sudo commands in Linux.

Usually you will have a Linux server lying around, and at some point you will want to give another person access to it so they can read, update or upload files in a specific directory. You would not want that user to touch anything outside of the /home/my-web-server/ directory or to run arbitrary system commands on the server itself; that is where users, groups, permissions and sudo rules come in.

Programmatic access
When you need programmatic access to your server, for example for a CI/CD runner, the same rule applies: give that account the minimum access it needs and nothing more, so that if its credentials leak, the permissions limit what an attacker can do with them.

Users

You will need root (sudo) for most, if not all, of these commands.

Every user has a primary group. If you do not specify one with -g, useradd creates a group with the same name as the user and makes it the primary group (this is the USERGROUPS_ENAB behaviour from /etc/login.defs, the default on most distributions).

# Create user john; a free UID is picked automatically. Note that on Debian/Ubuntu
# the home directory is only created when -m is given
useradd john

# Get the id of john
id john
# Output
# uid=1005(john) gid=1005(john) groups=1005(john)

# Create user john with a specific UID (-u sets the user id; -g would set the primary group)
useradd -u 1009 john

# Create user john with primary group 'users' and secondary groups 'wheel' and 'docker'
# (be aware that membership in docker, like wheel, is effectively root access on the host)
useradd -g users -G wheel,docker john

The command adds an entry to the /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow files and, with -m, creates the home directory from the /etc/skel template.

Option  Description                                   Example
-g      Specifies the primary group                   useradd -g users john
-G      Adds the user to additional groups            useradd -G sudo,admin john
-u      Specifies the user ID                         useradd -u 1001 john
-e      Sets the account expiration date              useradd -e 2022-12-31 john
-m      Creates the user home directory /home/john/   useradd -m john
-d      Specifies the home directory of the user      useradd -m -d /opt/john john
-c      Adds a comment to the created user            useradd -c "Test User" john
-r      Creates a system user                         useradd -r john

To be able to log in as the newly created user, you need to set the user password. You can do that by running the passwd command followed by the username:

sudo passwd john

The command will prompt you to enter and confirm the password:

Changing password for user john.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

For a different type of authentication check the other article: Linux SSH authentication

To see all local users on the system (/etc/passwd is world-readable, so sudo is not actually needed here):

cat /etc/passwd

Groups

Sometimes it’s easier to manage multiple users with the same permissions through a group, since every member shares the permissions granted to the group. Group membership is read at login, so a user you add to a group has to log out and back in (or start a new session with newgrp) before the new group takes effect.

# Create a group standard
groupadd standard

# If you want to manually specify a GID
groupadd -g 1009 standard1

# Renaming a group (the GID stays 1009, so ownership of existing files is unaffected)
groupmod -n test standard1

# Add user to a group. --append (-a) is essential: without it, -G replaces the
# user's whole list of supplementary groups with the ones given
usermod --append --groups standard user1
# Or like this
usermod -aG standard user2

# Use id to see which groups the user is in
id user1
# Output
# uid=1005(user1) gid=1005(user1) groups=1005(user1),1010(standard)

# To remove a specific user from a group
gpasswd --delete user1 standard

# Delete a group (this fails while the group is still some user's primary group)
groupdel test

Permissions and ownership

Now that we have gone through how to create users and groups, let’s see how to apply permissions to them on files and directories.

Ownership

The chown command allows you to change the user and/or group ownership of a given file or directory. Changing the owner requires root; a regular user can only change the group of files they own, and only to a group they are a member of.

# Change the user owner of a file
chown user2 file1

# Change only the group owner of a file
chown :group1 file1

# User and group at the same time
chown user2:group1 file2

# Recursive (-R applies the change to everything below the directory)
chown -R user1:group1 Resources

# Typical use: hand the group ownership of web files to the web server's group
chown :www-data file1

Permissions

The chmod (change mode) command sets the permission bits of a file or directory; only the owner or root can change them. The syntax is the following:

chmod permissions resource-name

Here is an example of it in use (note that these two commands do the same thing):

# Absolute mode
chmod 740 file2
# Symbolic mode
chmod u=rwx,g=r,o-rwx file2

# You can also use the recursive flag. Be aware that a numeric mode applied
# recursively sets the same bits on files and directories, so 744 makes every
# file executable; to give execute only to directories (and to files that
# already have it) use the capital X of symbolic mode instead
chmod -R 744 Resources
chmod -R u=rwX,go=rX Resources

Most of the time you will be using absolute mode.
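Putting the users, groups, chown and chmod commands above together for the scenario from the introduction (one account that may only read and write under /home/my-web-server/ and run a single privileged command), here is an added example that is not code from the original article. The group name web, the user name deploy, the directory /home/my-web-server and the unit my-web-server.service are assumptions. The user-creation and sudoers functions need root; the directory functions work unprivileged on any directory you own, so you can try them on a temporary directory first.

```shell
#!/bin/sh
# Added example: restrict one user to a single shared directory plus one sudo command.
# Assumed names: group "web", user "deploy", directory /home/my-web-server,
# unit my-web-server.service. Not part of the original article.
set -eu

# Create the group and a user whose only extra membership is that group.
# Needs root: useradd/groupadd write /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow.
create_deploy_user() {
  user=$1; group=$2
  getent group "$group" >/dev/null || groupadd "$group"
  if ! id "$user" >/dev/null 2>&1; then
    # -m creates the home directory, -G adds the supplementary group; the primary
    # group stays the per-user group. No password is set, so only SSH keys can log in.
    useradd -m -s /bin/bash -G "$group" "$user"
  fi
}

# Make $dir writable by members of $group and nobody else. Directories get 2770:
# the setgid bit (2) makes new files inherit the directory's group, rwx for owner
# and group, nothing for others. Files get 660, no execute bit. A plain
# "chmod -R 770" would mark every file executable, hence the two find calls.
setup_shared_dir() {
  dir=$1; group=$2
  mkdir -p "$dir"
  chgrp -R "$group" "$dir"
  find "$dir" -type d -exec chmod 2770 '{}' +
  find "$dir" -type f -exec chmod 660 '{}' +
}

# Audit: return 0 if the tree is as intended, 1 (with a message on stderr) otherwise.
check_shared_dir() {
  dir=$1
  mode=$(stat -c '%a' "$dir")
  if [ "$mode" != 2770 ]; then
    echo "$dir has mode $mode, expected 2770" >&2; return 1
  fi
  # Any entry with a read, write or execute bit for "others" is a finding.
  if find "$dir" -perm /007 -print -quit | grep -q .; then
    echo "world-accessible entries under $dir" >&2; return 1
  fi
  return 0
}

# Files created in the shared directory must stay group-writable and closed to
# others, so the deploy user's umask must be 007 (the usual default of 022
# yields 644 files that other group members cannot edit). Prints the octal mode.
new_shared_file() {
  path=$1
  ( umask 007; : > "$path" )
  stat -c '%a' "$path"
}

# Allow the deploy user exactly one privileged command. The drop-in is checked
# with visudo before being installed; a syntax error in sudoers can lock everyone
# out of sudo. Needs root.
allow_restart_only() {
  user=$1; unit=$2
  tmp=$(mktemp)
  printf '%s ALL=(root) NOPASSWD: /usr/bin/systemctl restart %s\n' "$user" "$unit" > "$tmp"
  visudo -cf "$tmp"
  install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$user"
  rm -f "$tmp"
}

# Full setup, run as root: sh restrict-deploy.sh --install
if [ "${1:-}" = "--install" ]; then
  create_deploy_user deploy web
  setup_shared_dir /home/my-web-server web
  check_shared_dir /home/my-web-server
  allow_restart_only deploy my-web-server.service
fi
```

The two details that are easy to miss are the setgid bit on the directory, without which files uploaded by deploy end up in its private group and the rest of the web group cannot write to them, and the umask: the permissions you set once with chmod do not carry over to files created later, so the creating user's umask decides whether new files are 664, 660 or 644.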

[Image: file permission and ownership listing via the ll alias]

You can list the permissions of a directory with ls -la. Each line shows the permission bits, the number of links, the owner, the group, the size, the modification time and the name, for example:

-rwxr----- 1 user2 group1 1024 Jan 10 12:00 file2

I suggest creating an alias so the command can be typed as ll. Add it to your .bashrc or .zshrc (the default shell on macOS):

alias ll='ls -la'

Don’t forget to run source ~/.bashrc (or ~/.zshrc) to load the change into the current terminal.

Absolute

Also called octal or numeric mode. Each access level (read, write, execute) has an octal value:

Access level  Octal value
Read          4
Write         2
Execute       1

Each identity (user, group, others) has a position:

Identity  Position
User      First
Group     Middle
Others    Last

The absolute mode syntax describes the desired permissions from left to right. So for the following example:

chmod 740 file2

the user (owner) gets 7 (4 + 2 + 1), that is read, write and execute; the group gets 4, read only; and all others get 0, no access.

In symbolic terms: user rwx, group r, others nothing.

Symbolic

Symbolic mode is similar but uses symbols to make it a bit easier to understand for each level of access:

Access

Access level  Symbol
Read          r
Write         w
Execute       x

Identity

Identity             Symbol
User                 u
Group                g
Others               o
All (u, g and o)     a

Task operators

Task                       Operator
Grant a level of access    +
Remove a level of access   -
Set a level of access      =

Example

# Remove read permission of others on a file
chmod o-r file1
# Grant read and write permission to the group
chmod g+rw file1
# Everything together, recursively: owner gets full access, the group gains
# read/write, others lose everything
chmod -R u=rwx,g+rw,o-rwx mydirectory
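The two notations are just two spellings of the same nine bits (plus three special bits), which the following added example makes explicit. It is not code from the original article: it converts an octal mode to the rwx string that ls -l prints and back (including the setuid, setgid and sticky bits shown as s and t), and applies a symbolic clause list such as u=rwx,g=r,o-rwx to a mode the way chmod would. It is plain POSIX sh and assumes nothing beyond cut and tr.

```shell
#!/bin/sh
# Added example: translate between absolute (octal) and symbolic permission notation
# and apply chmod-style symbolic clauses to a mode. Pure POSIX sh; not from the article.
set -eu

# rwx triplet for a single octal digit, e.g. 5 -> "r-x"
triplet() {
  d=$1; s=""
  if [ $((d & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
  if [ $((d & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
  if [ $((d & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
  printf '%s' "$s"
}

# Three octal digits -> the nine-character string ls -l shows, e.g. 740 -> rwxr-----
octal_to_symbolic() {
  m=$1
  case "$m" in [0-7][0-7][0-7]) ;; *) echo "usage: octal_to_symbolic NNN" >&2; return 1;; esac
  printf '%s%s%s\n' \
    "$(triplet "$(printf %s "$m" | cut -c1)")" \
    "$(triplet "$(printf %s "$m" | cut -c2)")" \
    "$(triplet "$(printf %s "$m" | cut -c3)")"
}

# Octal digit for one triplet; s/t count as execute, S/T (special bit without x) do not
digit() {
  t=$1; n=0
  case "$t" in r??) n=$((n + 4));; esac
  case "$t" in ?w?) n=$((n + 2));; esac
  case "$t" in ??[xst]) n=$((n + 1));; esac
  printf '%s' "$n"
}

# ls -l string (without the leading file-type character) -> octal as stat -c %a prints
# it, with a leading digit for setuid (4), setgid (2) and sticky (1) when any is set:
# rwxr----- -> 740, rwxrws--- -> 2770
symbolic_to_octal() {
  s=$1
  case "$s" in [r-][w-][xsS-][r-][w-][xsS-][r-][w-][xtT-]) ;; *) echo "bad mode string: $s" >&2; return 1;; esac
  sp=0
  case "$s" in ??[sS]*) sp=$((sp + 4));; esac
  case "$s" in ?????[sS]*) sp=$((sp + 2));; esac
  case "$s" in ????????[tT]) sp=$((sp + 1));; esac
  [ "$sp" -eq 0 ] || printf '%s' "$sp"
  printf '%s%s%s\n' \
    "$(digit "$(printf %s "$s" | cut -c1-3)")" \
    "$(digit "$(printf %s "$s" | cut -c4-6)")" \
    "$(digit "$(printf %s "$s" | cut -c7-9)")"
}

# Apply a comma-separated list of symbolic clauses ([ugoa]*[+-=][rwx]*) to a
# three-digit mode, the way chmod does, and print the new mode:
# apply_symbolic 000 'u=rwx,g=r,o-rwx' -> 740
# (real chmod also honours the umask when no identity is given; ignored here)
apply_symbolic() {
  mode=$1; spec=$2
  u=$(printf %s "$mode" | cut -c1); g=$(printf %s "$mode" | cut -c2); o=$(printf %s "$mode" | cut -c3)
  for clause in $(printf %s "$spec" | tr ',' ' '); do
    who=${clause%%[+=-]*}          # identities before the operator, may be empty
    rest=${clause#"$who"}          # operator followed by permission letters
    op=$(printf %s "$rest" | cut -c1)
    perms=${rest#?}
    bits=0
    case "$perms" in *r*) bits=$((bits | 4));; esac
    case "$perms" in *w*) bits=$((bits | 2));; esac
    case "$perms" in *x*) bits=$((bits | 1));; esac
    [ -n "$who" ] || who=a
    case "$who" in *a*) who=ugo;; esac
    for w in u g o; do
      case "$who" in *"$w"*) ;; *) continue;; esac
      eval "cur=\$$w"
      case "$op" in
        +) cur=$((cur | bits));;
        -) cur=$((cur & (7 - bits)));;   # clear the requested bits
        =) cur=$bits;;
        *) echo "bad clause: $clause" >&2; return 1;;
      esac
      eval "$w=\$cur"
    done
  done
  printf '%s%s%s\n' "$u" "$g" "$o"
}

# Quick demonstration when run directly
octal_to_symbolic 740
symbolic_to_octal rwxrws---
apply_symbolic 740 'g+rw,o-rwx'
```

Feeding the string from an ls -l line into symbolic_to_octal is a quick way to read off the 2 in 2770 (setgid) or the 4 in 4755 (setuid), which ls only shows as a single s in the execute column and which decides whether a writable file is a privilege-escalation problem.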

For 99% of use cases that you will need, the above will have you covered.