Linux+ TechNotes
Users and Permissions


Users and Permissions
Managing Users and Groups
Octal Permissions
Changing Permissions and Ownership
Advanced File Permissions

Users and Permissions

Like its Unix predecessors, Linux is capable of supporting multiple users simultaneously. It is also capable of providing access to different programs and files to different users. The operating system determines which files a user has access to based on two things: the permissions granted to the user and the permissions granted to the groups to which the user belongs.

Managing Users and Groups

One of the most basic functions a server administrator will perform is creating accounts for new users. The useradd command is used to create a new login account on the system. The basic syntax is:

useradd [options] username

The table below lists some of the most common options that can be passed to useradd:


Sets the user’s home directory (default is /home/username)


Sets the user’s primary group


Used to add the user to additional groups


Sets the user’s login shell (default is bash)

The useradd command will create an account but will leave the password blank. You need to use the passwd command to set a password for an account.

Usermod and userdel are two other commands that can be used to manage user accounts. Usermod is used to make changes to an existing user account, for example, to change the user’s default login shell. The userdel command is used to delete a user account. When using the –r option, userdel will also delete a user’s home directory and files. Both of these commands use the same basic syntax as useradd :

command [options] username

Linux maintains a master list of all user accounts and account settings in the /etc/passwd file. Each entry in the /etc/passwd file contains seven fields separated by colons: username, encrypted password, user ID number (UID), group ID number (GID), comments, home directory, and shell. For example:

bob:eE5/.vj7NB3dx:581:500:Bob Smith:/home/bob:/usr/bin/bash  

Because many programs require a way to verify that a user account exists, the /etc/passwd file must be readable by all users. This can present a security hole because the hashed password values contained in this file can be seen by all users. To correct this, you should enable shadowed passwords with the pwconv command. With shadowed passwords, the hashed password value in /etc/passwd is replaced by the letter ‘x’. The real hashed password is stored in the /etc/shadow file which can only be read by the root user.

The other security feature that becomes available when using shadowed passwords is the ability to enforce password aging. Entries in the /etc/shadow file are made up of the following fields:






Hashed password


Days since Jan 1, 1970 that password was last changed


Days before password can be changed


Days until password must be changed


Days before password is to expire that user is warned


Days after password expires that account is disabled


Days since Jan 1, 1970 that account is disabled



When using shadowed passwords, the previous entry in /etc/passwd would look like this:

ob:x:581:500:Bob Smith:/home/bob:/usr/bin/bash

There would be a corresponding entry in /etc/shadow that would look similar to this:


The commands for creating, deleting and modifying groups are similar to the commands for user administration. Groupadd creates a group, groupmod allows you to change the properties of an existing group, and groupdel deletes a group. These commands cannot be used to add a user to a group. That can only be done by running the useradd or usermod command. The /etc/group file stores group and group membership information.

Octal permissions

Linux understands three basic types of file permissions: read, write and execute. There are three categories for which permissions can be assigned: owner, group owner, and everyone. These permissions can be seen as a ten-bit sequence when doing a long listing of a file or directory.

[root@server /usr/bin]# ls –al
-rwxr-xr-x 1 root system 4657 Aug 18 10:43

The first bit shows the type of file: a dash for a regular file, a ‘d’ for a directory, ‘l’ for a link, ‘c’ for a special file, ‘s’ for a socket, or ‘p’ for a named pipe. The next three bits show read, write and execute permissions for the file owner. An ‘r’, ‘w’, or ‘x’ indicates that the permission has been granted. A dash means the permission has been denied. The next group of three bits lists permissions for the group owner. The final three bits list permissions for everyone.

[root@server /usr/bin]# ls –al
-rwxr-xr-x 1 root system 4657 Aug 18 10:43

In this case:

  • Bit 1 (-) states that this is a regular file.
  • Bits 2-4 (rwx) state that the owner, root, can read, write to, or execute the file.
  • Bits 5-7 (r-x) state that members of the system group can read or execute the file but not change its contents.
  • Bits 8-10 (r-x) state that all users can read or execute the file but not change its contents.

Each group of permissions is stored by the operating system as a three bit binary number. The following table shows possible permissions and their corresponding binary and octal representations.

Binary value

Octal value

Text value

























Setting permissions for a file involves specifying an octal value for the owner, group owner and everyone. For example, setting permissions to 744 means granting read, write and execute access to the owner and read-only access to members of the group owner and everyone else.

[root@server /usr/bin]# ls –al
-rwxr-xr-x 1 root system 4657 Aug 18 10:43

The octal representation of the permissions on this file would be 755.

Most systems are configured such that newly created files are given default permissions of 755. The umask command can be used to change the default permissions on new files. This command only affects the current shell environment consequently it is usually called in a login script rather then at the command line. The command takes the form:

umask umask_value

The umask value is the inverse of the normal octal permission value. If you wanted all files created with read and write permissions for everyone (666), the umask value should be 111. A umask value of 002 would result in all new files being created with 775 permissions.

Changing permissions and ownership

The chown command is used to change file ownership. A simple chown command would be:

chown root /etc/passwd

This changes the owner of the /etc/passwd file to root. Chown can also be used to set the group owner. The command:

chown root:system /etc/passwd

Sets root as the owner and the system group and the group owner of the /etc/passwd file. Chgrp is used to change the group owner of a file. It uses the same syntax as chown. The chmod command is used for setting permissions on a file. It is most commonly invoked using octal permissions such as:

chmod 755 /etc/printcap

Additionally, chmod also accepts symbolic permissions. These take the form [uga][+-=][rwx]. The first parameter is used to specify the user (owner), group (group owner) or all (everyone). The second parameter is used to add to existing permissions, take away from existing permissions or set permissions equal to. The third parameter specifies the type of permission. The command:

chmod ug+x /bin/ls

grants execute permissions to the owner and members of the group owner in addition to any existing permissions. This method of specifying permissions has many other options for setting advanced permissions, some of which are covered later.

Each of these commands, chown, chgrp and chmod, can be used to change ownership or permissions of several files at once simply by listing each of the files within the command, i.e.:

chown root /etc/passwd /etc/group /bin/rm

The –R option can also be used with each command to change settings for all files and subdirectories within a given directory.

Advanced file permissions

Linux does support some advanced permissions. Of these, the suid, sgid and sticky bit are the most common. When the suid bit (short for set user ID) is used, any user who executes the file is treated as if they were the owner of the file. The suid bit appears as an ‘s’ in the fourth position. One example of this is the mount command:

-rwsr-xr-x 1 root root 28724 Sep 11 04:27 mount

Normal users do not have the ability to mount and unmount filesystems but this can cause a problem, as users frequently need to access floppy disks, CDs and other media, which need to be mounted before they can be accessed. Rather than giving users root access, the suid bit has been set on the mount command. When a normal user runs mount, Linux treats it as if the root user had initiated the command. Note that mount has additional settings that determine which filesystems can be mounted. These settings are stored in the /etc/fstab file.

The sgid bit (short for set group ID) is very similar. A user who executes a command with the sgid bit set assumes the identity and permissions of a member of the group owner of the file. The sgid bit shows up as an ‘s’ in the seventh position:

-r-xr-sr-x 1 root tty 7484 Feb 5 2004 /usr/bin/wall

The sticky bit has a different meaning depending if it is set on a file or a directory. A file or directory has the sticky bit set if a ‘t’ appears in the last bit:

-rwsr-xr-t 1 root sales 2324 Jan 19 11:26 revenues

If a user opens or executes a file with the sticky bit set, Linux will keep that file in memory after it is closed speeding up access time the next time the file is needed. With faster hardware in use today, this feature is rarely used. The sticky bit has a completely different meaning if it is set on a directory. In this situation the sticky bit means that files in the directory can only be moved or deleted by their owner regardless of who else has write permissions. This is useful for ensuring that users can change files but not accidentally delete them.


Current related exam topics for the Linux+ exam:

DOMAIN 2.0 Management

2.6 Modify file and directory permissions and ownership (e.g., chmod, chown, sticky bit, octal permissions, chgrp) using CLI commands

2.7 Identify and modify default permissions for files and directories (for example: umask) using CLI commands

2.20 Create, modify, and delete user and group accounts (e.g., useradd, groupadd, /etc/passwd, chgrp, quota, chown, chmod, grpmod) using CLI utilities

DOMAIN 4.0 Security

4.2 Delete accounts while maintaining data stored in that user's home directory

4.6 Set process and special permissions (e.g., SUID, GUID)

4.11 Given a set of security requirements, set password policies to match (complexity / aging / shadowed passwords) (for example: identify systems not shadow passwords)


Date: July 22, 2005
Author: Drew Miller
Comptia A+ Network+ I-net+ Linux+ MCP