Linux permissions of users and groups - cheatsheet
Cheatsheet about main commands for managing users and groups for read/write access and specific sudo commands in Linux.
Usually you will have a Linux server lying around, and at some point you'll want to give another person access so they can read/update/upload files in a specific directory. You wouldn't want that user to touch anything outside of
/home/my-web-server/
or execute system commands on the server itself; that's where users, groups and permissions come in.
Users
You will need sudo (root privileges) for most of these commands, if not all.
Every user has exactly one primary group. If you don't pass one with -g, useradd on most distributions (USERGROUPS_ENAB yes in /etc/login.defs) creates a private group with the same name as the user; otherwise the default group from /etc/default/useradd (typically users, GID 100) is used.
# Create user john, note that it will be assigned a unique id
useradd john
# Get the id of john
id john
# Output
# uid=1005(john) gid=1005(john) groups=1005(john)
# Create user john with a specific user id (-u; -g would set the primary group instead)
useradd -u 1009 john
# Create user john with primary group 'users' and secondary groups 'wheel' and 'docker'
useradd -g users -G wheel,docker john
The command adds an entry to the /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow files. Note that on Debian/Ubuntu useradd does not create a home directory unless you pass -m (the interactive adduser wrapper does).
Option | Description | Example |
---|---|---|
-g | Specifies the primary group (name or GID; must already exist) | useradd -g users john |
-G | Adds the user to additional (supplementary) groups | useradd -G sudo,admin john |
-u | Specifies the user ID | useradd -u 1001 john |
-e | Sets the account expiration date (YYYY-MM-DD) | useradd -e 2022-12-31 john |
-m | Creates the user home directory /home/john/ | useradd -m john |
-d | Specifies the home directory of the user | useradd -m -d /opt/john john |
-c | Adds a comment (GECOS field) to the created user | useradd -c "Test User" john |
-r | Creates a system account (UID from the system range, no home directory, no password aging) | useradd -r john |
To be able to log in as the newly created user, you need to set the user password. You can do that by running the passwd command followed by the username:
sudo passwd john
The command will prompt you to enter and confirm the password
Changing password for user john.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
For a different type of authentication check the other article: Linux SSH authentication
To see all users in the system (/etc/passwd is world-readable, so sudo is not needed; the password hashes live in /etc/shadow, which only root can read)
cat /etc/passwd
Groups
Sometimes it's easier to manage multiple users with the same permissions through a group, as every user in the group shares whatever access the group has been granted.
# Create a group standard
groupadd standard
# If you want to manually specify an ID
groupadd -g 1009 standard1
# Renaming a group (the GID and the members stay the same)
groupmod -n test standard
# Add user to a group (--append is important: without it the user is removed from every other supplementary group)
usermod --append --groups standard1 user1
# Or like this
usermod -aG standard1 user2
# Use id to see which groups a user belongs to (gid= is the primary group, groups= lists all of them)
id user1
# Output
# uid=1005(user1) gid=100(users) groups=100(users),1009(standard1)
# To remove a specific user from a group
gpasswd --delete user1 standard1
# Delete a group
groupdel standard1
Changes to supplementary groups take effect at the next login; an already open shell keeps the group list it started with.
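Because /etc/group only lists supplementary members and the primary group is recorded in /etc/passwd, a quick grep of /etc/group under-counts who is actually in a group. The following script, added here as an example (not part of the original cheatsheet), resolves full group membership from both files and also lists the two things you check first on an unfamiliar box: accounts with UID 0 and accounts with a login shell. It runs against constructed sample passwd/group files by default; set PASSWD_FILE and GROUP_FILE (names chosen for this example) to /etc/passwd and /etc/group to run it on a real host.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): resolve who is in a group and
# which accounts can log in, reading passwd/group files directly.
# /etc/group only lists *supplementary* members; a user whose *primary* GID
# (the gid= shown by `id`) is the group does not appear there, so an audit that
# greps /etc/group alone misses people. Point PASSWD_FILE and GROUP_FILE at
# /etc/passwd and /etc/group to run it against a real host; by default it uses
# the constructed sample files below.

if [ -z "${PASSWD_FILE:-}" ]; then
  WORKDIR=$(mktemp -d)
  trap 'rm -rf "$WORKDIR"' EXIT
  PASSWD_FILE="$WORKDIR/passwd"
  GROUP_FILE="$WORKDIR/group"
  # Constructed sample: john has primary group users (100), user2 has primary
  # group standard1 (1009), and "toor" is a second UID 0 account planted for the demo.
  cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
john:x:1005:100:John:/home/john:/bin/bash
user1:x:1006:1006:user1:/home/user1:/bin/bash
user2:x:1007:1009:user2:/home/user2:/bin/bash
deploy:x:1008:1008:deploy:/srv/deploy:/usr/sbin/nologin
toor:x:0:0:duplicate uid 0:/root:/bin/bash
EOF
  cat > "$GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:john
users:x:100:
docker:x:999:john,user1
standard1:x:1009:user1
EOF
fi

# GID of a group name; prints nothing if the group does not exist.
group_gid() {
  awk -F: -v g="$1" '$1 == g { print $3; exit }' "$GROUP_FILE"
}

# All members of a group: supplementary members from the group file plus every
# account whose primary GID is the group. Prints a sorted, space-separated list;
# returns 1 for an unknown group.
group_members() {
  local gid
  gid=$(group_gid "$1")
  [ -n "$gid" ] || return 1
  {
    awk -F: -v g="$1" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$GROUP_FILE"
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$PASSWD_FILE"
  } | sort -u | xargs
}

# Accounts with UID 0: anything besides root deserves a question.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$PASSWD_FILE" | sort | xargs
}

# Accounts whose shell allows an interactive login (not nologin/false).
login_accounts() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$PASSWD_FILE" | sort | xargs
}

for g in docker wheel users standard1; do
  printf '%-10s gid=%-5s members: %s\n' "$g" "$(group_gid "$g")" "$(group_members "$g")"
done
printf 'uid 0 accounts : %s\n' "$(uid0_accounts)"
printf 'login shells   : %s\n' "$(login_accounts)"
```

With the sample data, standard1 resolves to user1 (listed in /etc/group) plus user2 (primary group only), and users resolves to john even though the users line in /etc/group has an empty member field. The docker group is worth the same attention as wheel or sudo: membership is effectively root on the host.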
Permissions and ownership
Now that we have gone through how to create users and groups, let's see how to apply permissions to them on files and directories.
Ownership
The chown command allows you to change the user and/or group ownership of a given file or directory.
# User ownership of a file
chown user2 file1
# Group ownership of a file
chown :group1 file1
# User and group at the same time
chown user2:group1 file2
# Recursive (-R applies to the directory and everything under it)
chown -R user1:group1 Resources
# Typical web-server case: hand the file to the www-data group while keeping the owner
chown :www-data file1
Permissions
The chmod (change mode) command sets the permissions. The syntax is the following:
chmod permissions resource-name
Here is an example of it in use (note that the first two commands do the same thing):
# Absolute mode
chmod 740 file2
# Symbolic mode
chmod u=rwx,g=r,o-rwx file2
# You can also use the recursive flag
chmod -R 744 Resources
Most of the time you will be using absolute mode. Be careful with -R and a single numeric mode, though: chmod -R 744 makes every file executable for its owner and removes the execute (traverse) bit from directories for group and others, so they can list a directory but not enter it. Directories and files usually need different modes.
You can list the permissions of a directory with ls -la. I suggest creating a shortcut/alias for this command so it is easier to use as ll. Update your .bashrc or .zshrc (zsh is the default shell on macOS) and add the alias to the file:
alias ll='ls -la'
Don't forget to run source ~/.zshrc or source ~/.bashrc to load the changes into the current terminal.
Absolute
Sometimes referred to as octal or numeric, each access level (read, write, execute) has an octal value:
Access level | Octal value |
---|---|
Read | 4 |
Write | 2 |
Execute | 1 |
Each identity (user, group, others) has a position:
Identity | Position |
---|---|
User | First |
Group | Middle |
Others | Last |
The absolute mode syntax describes the desired permissions from left to right. So for the following example:
chmod 740 file2
the user (owner) gets 7 (4 + 2 + 1): read, write and execute; the group gets 4: read only; and all others get 0: no access.
In symbolic terms: user gets rwx, group gets r, and all others get no access.
Symbolic
Symbolic mode is similar but uses symbols to make it a bit easier to understand for each level of access:
Access
Access level | Symbol |
---|---|
Read | r |
Write | w |
Execute | x |
Identity
Identity | Symbol |
---|---|
User | u |
Group | g |
Others | o |
Task operators
Task | Operator |
---|---|
Grant a level of access | + |
Remove a level of access | - |
Set a level of access | = |
Example
# Remove read permission of others on a file
chmod o-r file1
# Grant read and write permission to the group
chmod g+rw file1
# Everything together, recursively (note: u=rwx makes every file executable for the owner; X instead of x adds execute only to directories and files that are already executable)
chmod -R u=rwx,g+rw,o-rwx mydirectory
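To tie the two notations together and show why a single recursive mode is the wrong tool for a shared directory, here is an added example (not code from the original cheatsheet): a function that converts the mode column of ls -l into the octal number chmod takes, and a harden_tree function (name chosen for this example) that gives directories 750 and files 640 instead of chmod -R 744. It goes slightly beyond the page in that the mode string may also carry the setuid, setgid and sticky bits (s/S, t/T), which come out as a leading fourth digit. The tree it operates on is constructed in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): turn the mode column of
# `ls -l` into the octal form chmod takes, and fix a tree the way the
# recursive one-mode chmod above cannot. `chmod -R 744` makes every file
# executable for its owner and removes the execute (traverse) bit from
# directories for group and others, so members of the shared group cannot
# even enter the subdirectories. Directories and files need different modes.
# Beyond the page: s/S and t/T in the mode string are reported as the
# setuid (4), setgid (2) and sticky (1) bits in a leading fourth digit.

# mode_to_octal '-rwxr-----' -> 740 ; mode_to_octal 'drwxr-sr-x' -> 2755
mode_to_octal() {
  out=""; special=0; pos=2            # character 1 is the file type (d, -, l ...)
  for who in u g o; do                # user, group, others triads
    triad=$(printf '%s' "$1" | cut -c"$pos"-"$((pos + 2))")
    pos=$((pos + 3))
    digit=0
    case "$triad" in r??) digit=$((digit + 4)) ;; esac
    case "$triad" in ?w?) digit=$((digit + 2)) ;; esac
    case "$triad" in ??[xst]) digit=$((digit + 1)) ;; esac   # lower-case: execute is set
    case "$who$triad" in
      u??[sS]) special=$((special + 4)) ;;                   # setuid
      g??[sS]) special=$((special + 2)) ;;                   # setgid
      o??[tT]) special=$((special + 1)) ;;                   # sticky
    esac
    out="$out$digit"
  done
  if [ "$special" -eq 0 ]; then printf '%s\n' "$out"; else printf '%s%s\n' "$special" "$out"; fi
}

# Octal mode of a path, parsed from ls -ld (portable: no GNU stat needed).
perms_of() {
  mode_to_octal "$(ls -ld "$1" | awk '{ print $1 }')"
}

# Directories 750 (group can list and enter), files 640 (group can read):
# the sane replacement for chmod -R 744 on a shared upload tree.
harden_tree() {
  find "$1" -type d -exec chmod 750 {} +
  find "$1" -type f -exec chmod 640 {} +
}

# Demo on a constructed tree in a temporary directory.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/uploads/sub"
printf 'hello\n' > "$DEMO/uploads/sub/page.html"
chmod -R 744 "$DEMO/uploads"          # the one-mode recursive chmod from the page
echo "after chmod -R 744: dir $(perms_of "$DEMO/uploads/sub"), file $(perms_of "$DEMO/uploads/sub/page.html")"
harden_tree "$DEMO/uploads"
echo "after harden_tree:  dir $(perms_of "$DEMO/uploads/sub"), file $(perms_of "$DEMO/uploads/sub/page.html")"
```

After the page's chmod -R 744 the subdirectory is 744 (group and others cannot traverse it, and the HTML file is marked executable); after harden_tree directories are 750 and files 640. Combine it with chown -R user:group from the Ownership section so the shared group actually matches the one you granted access to.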
For 99% of use cases that you will need, the above will have you covered.