3 ‐ System Access Management - CloudScope/DevOpsWithCloudScope GitHub Wiki
System access management is a critical aspect of Linux administration, ensuring that users have the appropriate permissions and access to resources while protecting the system from unauthorized access. Here are some important notes on Linux system access management.
1. User Accounts and Groups
User Accounts: Each user on a Linux system has a unique account identified by a username and a numeric user ID (UID). Regular user accounts typically have restricted permissions, while the root account has unrestricted access to all system resources.
$ sudo useradd username
EX:
Create a user:
$ sudo useradd -m user1
Set the user's password:
$ sudo passwd user1
Create a user and set the password with a single command. Note that `-p` expects an already hashed password, not plain text; `openssl passwd -6` prompts for the password and prints the SHA-512 crypt hash, which keeps the clear-text password out of the shell history:
$ sudo useradd -m -p "$(openssl passwd -6)" user1
$ sudo useradd -r -s /sbin/nologin user1
`-r`: creates a system account, which is typically used for system processes.
`-s /sbin/nologin`: sets the login shell to nologin, so the account cannot log in interactively.
$ sudo useradd -m user1
`-m`: creates the user's home directory if it does not exist. The home directory will be located at /home/user1.
Verify the user creation:
Check the user's details (UID, primary group and supplementary groups):
$ id user1
Check the home directory:
$ ls -ld /home/user1
Groups: Users can belong to one or more groups. Groups allow administrators to manage permissions for multiple users efficiently. Each group is identified by a group name and a numeric group ID (GID).
$ sudo groupadd group_name
EX:
$ sudo groupadd group1
Add user to a group:
$ sudo usermod -a -G group_name user_name
$ sudo usermod -a -G group1 user1
Delete a group:
$ sudo groupdel group_name
$ sudo groupdel group1
Default Group: When a user is created, a primary group is automatically assigned. Users can also be added to secondary groups for additional permissions.
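The account properties this section describes (UID 0 for root, the login shell, system accounts created with `-r`) are what an administrator checks when reviewing /etc/passwd. The following script is an added example, not part of the wiki; it runs the checks against a constructed /etc/passwd excerpt embedded in the script (the account names are assumptions), or against the live file when started with `--live`.

```shell
#!/bin/sh
# Added example (not from the wiki): audit /etc/passwd-style data for the
# account properties described above (UID 0, login shell, system accounts).

# Constructed /etc/passwd excerpt used as sample input; not from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user1:x:1001:1001::/home/user1:/bin/bash
svc_backup:x:998:998::/var/lib/backup:/sbin/nologin
svc_web:x:997:997::/var/www:/bin/sh
toor:x:0:0::/root:/bin/bash'

# Accounts with UID 0 other than root: every hit is a second superuser and
# needs an explanation.
extra_uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts that can log in interactively (shell is neither nologin nor false).
interactive_accounts() {
  printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# System accounts (UID below 1000, the Debian/Ubuntu boundary that useradd -r
# allocates from) that still have an interactive shell; they should have been
# created with -s /usr/sbin/nologin.
system_accounts_with_shell() {
  printf '%s\n' "$1" | awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Print one report for the given passwd content.
report() {
  echo "UID 0 accounts besides root:";  extra_uid0_accounts "$1"
  echo "Interactive accounts:";         interactive_accounts "$1"
  echo "System accounts with a shell:"; system_accounts_with_shell "$1"
}

# Run against the live file with --live, otherwise against the sample.
if [ "${1:-}" = "--live" ]; then
  report "$(cat /etc/passwd)"
else
  report "$SAMPLE_PASSWD"
fi
```

On the sample data the report lists toor as a second UID 0 account and svc_web as a system account that can still log in; both are the kind of finding the `-r` and `-s /sbin/nologin` flags above are meant to prevent.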
2. Permissions and Ownership
File Permissions: Linux files and directories have three types of permissions, read (r), write (w), and execute (x), for three categories of users: owner, group, and others. These permissions control who can access or modify files.
Ownership: Every file and directory in Linux is owned by a user and a group. Ownership determines who can set permissions and access the file.
Changing Permissions: Use `chmod` to change file permissions.
Changing Ownership: Use `chown` to change the ownership of files and directories.
File Permissions in Linux refer to the access rights assigned to files and directories in the Linux operating system. These file permissions in Linux can be used to control the ability of users and processes to read, write, and execute files on the system.
Three basic types of permissions can be assigned to a file or directory in Linux:
Read Permission (r ):
This type of file permission in Linux grants the user or the group the ability to view the contents of a file or directory.
Write Permission (w):
This type of file permission in Linux grants the user or group the ability to modify or delete a file or directory. Users or a group can have the ability to add, remove, and rename files stored in a directory if they have write permission. Think about a situation where the user needs to have write access to a file but not to the directory where it is stored. The contents of the file can be changed. However, the user won't be able to rename the file, move it, or delete it from the directory.
Execute Permission (x):
This type of file permission in Linux grants the user or group the ability to run a file or, for a directory, to enter it (cd into it). If the read and write permissions are set, you might still be able to view and modify the program code without the execute permission, but in Linux, you won't be able to run it.
EX-1:
$ ls -al file.txt
output: -rw-rw-r-- 1 ubuntu ubuntu 0 Aug 17 09:39 file.txt
Explanation:
`-`: Type of file. Here it is a regular file.
`rw-`: Indicates that the owner, user ubuntu, can read and write.
`rw-`: Indicates that the members of group ubuntu can read and write.
`r--`: Indicates that all other users can only read.
EX-2:
drwxr-xr-x 2 root root 4.0K Aug 1 16:30 test
`d`: Type of file. Here it is a directory.
`rwx`: Indicates that the owner, user root, can read, write and execute.
`r-x`: Indicates that the members of group root can read and execute.
`r-x`: Indicates that all other users can read and execute.
How to Manage Permissions?
Managing Permissions in Absolute Mode in Linux
Linux provides the absolute (Numeric) mode as a means of modifying file and directory permissions. Each file permission (read, write, and execute) is given a number using this method, which sets file permissions using numerical values. The level of permission for a file is determined by adding the values of its permissions.
Each access level (read, write, execute) has an octal value:
r (read) = 4
w (write) = 2
x (execute) = 1
Each entity has a particular position in the three-digit code:
first digit = owner, second digit = group, third digit = others
EX-1:
$ sudo chmod 741 file1
Let's break down the octal value 741 we have provided:
The first digit, 7, specifies the permissions for the owner of the file. In this case, the owner has read, write, and execute permissions (4+2+1=7).
The second digit, 4, specifies the permissions for the group that the file belongs to. In this case, the group has read permission only (4).
The third digit, 1, specifies the permissions for all other users. In this case, all other users have execute permission only (1).
In summary, after running the command chmod 741 file1, the file file1 will have the following permissions:
The owner of the file will have read, write, and execute permissions.
The group that the file belongs to will have read permission only.
All the other users will have execute permission only.
EX-2:
$ chmod -R 444 test
The `-R` option means that the command will be applied recursively to all files and subdirectories within the test directory.
The 444 specifies the permission for all users, including the owner, group, and other users. In this case, all users will have read-only permissions (4 = read).
Managing Permissions in Symbolic Mode in Linux
In Linux, we can also set permissions in symbolic mode by combining letters and symbols. The symbols denote the action to be made (+ to add permission, - to remove permission, and = to set the permission), while the letters denote the degree of authorization (u for the owner, g for group, o for others, and a for all).
Each access level (read, write, execute) has a symbol:
r = read, w = write, x = execute
Each entity has a symbol:
u = owner (user), g = group, o = others, a = all
There are operators that are used to manipulate the permissions:
+ adds the listed permissions, - removes them, = sets exactly the listed permissions
EX-1:
$ chmod u+rwx file
In this specific command, u stands for user, which means that the command will modify the permissions for the owner of the file. r, w, and x are shorthand for read, write, and execute, respectively. Therefore, the `u+rwx` part of the command means that the owner of the file will be granted read, write, and execute permissions.
EX-2:
$ chmod a-rwx file
In this specific command, `a` stands for all (owner, group, and others), and `-rwx` stands for removing read, write, and execute permissions. Therefore, the `a-rwx` part of the command means that the owner, the group and all other users will have their read, write, and execute permissions revoked.
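Absolute and symbolic mode describe the same nine permission bits, and `ls -l` prints them in the symbolic form. The script below is an added example, not code from the wiki; it converts between the two forms and decodes `ls -l` lines such as the two examples above, so a reviewer can turn a listing into octal modes (or spot a world-writable mode) without doing the r=4, w=2, x=1 arithmetic by hand.

```shell
#!/bin/sh
# Added example (not from the wiki): convert between the absolute (octal) and
# symbolic forms of Linux permissions, and decode ls -l mode strings.

# One octal digit -> its rwx triplet.
digit_to_rwx() {
  case "$1" in
    0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
    4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
    *) echo "bad digit: $1" >&2; return 1 ;;
  esac
}

# One rwx triplet -> its octal digit (r=4, w=2, x=1 added together).
rwx_to_digit() {
  n=0
  case "$1" in r??) n=$((n + 4)) ;; esac
  case "$1" in ?w?) n=$((n + 2)) ;; esac
  case "$1" in ??x) n=$((n + 1)) ;; esac
  echo "$n"
}

# Three-digit octal mode (e.g. 741) -> nine-character string (rwxr----x):
# first digit is the owner, second the group, third everyone else.
octal_to_symbolic() {
  mode=$1
  case "$mode" in [0-7][0-7][0-7]) ;; *) echo "bad mode: $mode" >&2; return 1 ;; esac
  printf '%s%s%s\n' \
    "$(digit_to_rwx "$(printf '%s' "$mode" | cut -c1)")" \
    "$(digit_to_rwx "$(printf '%s' "$mode" | cut -c2)")" \
    "$(digit_to_rwx "$(printf '%s' "$mode" | cut -c3)")"
}

# Nine-character string -> three-digit octal mode.
symbolic_to_octal() {
  s=$1
  case "$s" in [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;; *) echo "bad string: $s" >&2; return 1 ;; esac
  printf '%s%s%s\n' \
    "$(rwx_to_digit "$(printf '%s' "$s" | cut -c1-3)")" \
    "$(rwx_to_digit "$(printf '%s' "$s" | cut -c4-6)")" \
    "$(rwx_to_digit "$(printf '%s' "$s" | cut -c7-9)")"
}

# One line of ls -l output -> its octal mode. The first character is the file
# type (- for a regular file, d for a directory); characters 2-10 are the bits.
ls_line_to_octal() {
  symbolic_to_octal "$(printf '%s' "$1" | cut -c2-10)"
}

# True when "others" have write permission, i.e. the mode is world-writable.
is_world_writable() {
  case "$(octal_to_symbolic "$1")" in ???????w?) return 0 ;; *) return 1 ;; esac
}

# Demo on the wiki's own examples.
octal_to_symbolic 741          # rwxr----x
symbolic_to_octal rw-rw-r--    # 664
ls_line_to_octal 'drwxr-xr-x 2 root root 4.0K Aug 1 16:30 test'   # 755
```

Pipe a real listing through it with `ls -l | while read -r line; do ls_line_to_octal "$line"; done` after sourcing the script; lines that are not mode strings (the `total` header) are rejected by the pattern check rather than silently converted.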
3. Special Permissions and Access Control Lists
Linux has additional rights and access control lists (ACLs) for more sophisticated control over file and directory access in addition to the fundamental read, write, and execute permissions.
By default getfacl / setfacl are not available on Ubuntu. Install the acl package:
$ sudo apt install acl
$ getfacl file
The user::--- line indicates that the file owner (in this case, root) has no permission to read, write, or execute the file.
The group::--- line indicates that the group members (in this case, myGroup) have no permission to read, write, or execute the file.
The other::--- line indicates that all the other users who are not the file owner or members of the group have no permission to read, write, or execute the file.
$ setfacl -m u:user1:rwx file
`setfacl`: sets or modifies the ACL of a file or directory.
`-m`: modifies an existing ACL entry or adds a new one.
`u:user1`: specifies the user for which the new ACL entry will be created. In this case, the entry is created for user1.
`rwx`: specifies the permissions that user1 will have on the file: read (r), write (w), and execute (x).
`file`: the name of the file on which the ACL entry will be applied.
Hence, after the above command, user1 has read, write, and execute permissions on file, even though the owner, group and other bits of the file itself are unchanged.
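Because ACL grants do not show up in `ls -l` (only a trailing `+` marks them), it is easy to lose track of who has been given access with `setfacl`. The script below is an added example, not code from the wiki; it parses getfacl output, separates the named user and group entries from the owner/group/other ones, and applies the ACL mask the way the kernel does when computing effective permissions. The sample getfacl output is constructed and its names are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki): read getfacl output and report which named
# users or groups have been granted access beyond the owner/group/other bits,
# taking the ACL mask into account.

# Constructed getfacl output used as sample input; file and names are assumptions.
SAMPLE_ACL='# file: shared/report.txt
# owner: root
# group: myGroup
user::rw-
user:user1:rwx
group::r--
group:auditors:r--
mask::rwx
other::---'

# Named entries only: user:NAME:perms and group:NAME:perms. The owner entry
# (user::perms) and the owning-group entry (group::perms) have an empty name.
named_acl_entries() {
  printf '%s\n' "$1" | grep -E '^(user|group):[^:]+:'
}

# Effective permissions of a named entry are its bits AND the mask bits; a
# mask of r-x silently strips write from an rwx grant.
effective_perms() {
  entry=$1 mask=$2 out=''
  for bit in r w x; do
    case "$entry" in
      *"$bit"*)
        case "$mask" in *"$bit"*) out="$out$bit" ;; *) out="$out-" ;; esac ;;
      *) out="$out-" ;;
    esac
  done
  printf '%s\n' "$out"
}

# Named entries whose effective permissions include write, printed as
# kind:name:effective-perms. These are the grants that can change the file.
named_entries_with_write() {
  acl=$1
  mask=$(printf '%s\n' "$acl" | awk -F: '$1 == "mask" { print $3 }')
  [ -n "$mask" ] || mask=rwx   # no mask entry means nothing is restricted
  named_acl_entries "$acl" | while IFS=: read -r kind name perms; do
    eff=$(effective_perms "$perms" "$mask")
    case "$eff" in ?w?) printf '%s:%s:%s\n' "$kind" "$name" "$eff" ;; esac
  done
}

# Demo on the sample: user1 is the only named entry that can write.
named_entries_with_write "$SAMPLE_ACL"
```

On a real system feed it the tool's output, e.g. `named_entries_with_write "$(getfacl -p /path/to/file)"`; `-p` keeps the leading slash in the `# file:` line so the report can be matched back to the path.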
4. The sudo Command
- Privilege Escalation: The sudo command allows a permitted user to execute a command as the superuser (root) or another user, as specified by the security policy.
- The sudoers File: The /etc/sudoers file defines which users can use sudo and what commands they can execute. This file should be edited using visudo to prevent syntax errors.
- Least Privilege Principle: Grant users the minimum level of access required to perform their tasks. Avoid giving unnecessary root privileges.
Grant a user full sudo access (the account needs a login shell and a home directory, otherwise `su - user1` fails with "This account is currently not available"):
$ sudo useradd -m -s /bin/bash user1
$ sudo visudo
user1 ALL=(ALL:ALL) ALL
$ sudo su - user1
Grant sudo access without asking for a password:
$ sudo visudo
user1 ALL=(ALL) NOPASSWD: ALL
Grant passwordless sudo for specific commands only (a separate file under /etc/sudoers.d keeps the grant reviewable; `visudo -f` validates it before saving):
$ sudo visudo -f /etc/sudoers.d/user1
Add the following lines in this file:
user1 ALL=(ALL) NOPASSWD: /bin/cat /var/txt
user1 ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx
user1 ALL=(ALL) NOPASSWD: /bin/systemctl status nginx
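The three variants above differ mainly in how much of the least-privilege principle they keep: a per-command NOPASSWD list is reviewable, while `NOPASSWD: ALL` is an unrestricted root shell without a password. The script below is an added example, not code from the wiki; it generates a /etc/sudoers.d fragment from an explicit command list, validates it with `visudo -c -f` before installing it, and audits existing sudoers content for `NOPASSWD: ALL` grants and for command specs that are not absolute paths (which sudoers requires). The sample sudoers content is constructed and its user names are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki): generate a sudoers.d fragment restricted to
# explicit commands, and audit sudoers content for over-broad NOPASSWD grants.

# Constructed sudoers content used as sample input; user names are assumptions.
SAMPLE_SUDOERS='root ALL=(ALL:ALL) ALL
user1 ALL=(ALL) NOPASSWD: ALL
deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx
ops ALL=(ALL) NOPASSWD: systemctl status nginx
%admin ALL=(ALL) ALL'

# One line per command, so each grant is visible and reviewable on its own.
sudoers_fragment() {
  user=$1; shift
  for cmd in "$@"; do
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$cmd"
  done
}

# Lines that waive the password for every command: equivalent to an
# unrestricted root shell for that user, so each one needs a justification.
nopasswd_all_lines() {
  printf '%s\n' "$1" | grep -E 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)'
}

# Command specs in sudoers must be fully qualified paths; visudo rejects a
# relative name such as "systemctl", so flag those lines before they are saved.
relative_command_lines() {
  printf '%s\n' "$1" | awk '/NOPASSWD:/ {
    cmd = $0; sub(/.*NOPASSWD:[[:space:]]*/, "", cmd); split(cmd, a, " ")
    if (a[1] != "ALL" && a[1] !~ /^\//) print
  }'
}

# Write the fragment to a temp file, check it with visudo, then install it with
# the 0440 mode sudo requires. Must run as root; the target path is assumed.
install_fragment() {
  user=$1; shift
  tmp=$(mktemp)
  sudoers_fragment "$user" "$@" > "$tmp"
  chmod 0440 "$tmp"
  visudo -c -f "$tmp" && mv "$tmp" "/etc/sudoers.d/$user"
}

# Demo: the fragment for the wiki's nginx commands, then the audit of the sample.
sudoers_fragment user1 '/bin/systemctl restart nginx' '/bin/systemctl status nginx'
echo "NOPASSWD: ALL grants:";     nopasswd_all_lines "$SAMPLE_SUDOERS"
echo "Relative command specs:";   relative_command_lines "$SAMPLE_SUDOERS"
```

To audit a live host, run the two check functions over `cat /etc/sudoers /etc/sudoers.d/*` (as root, since those files are mode 0440).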