Users and Groups
From Linux 101, The beginner's guide to all things Linux.
Before we stray too far into the next few topics, we need to linger here and discuss something critical to your system.
The Super User
The one user on the system that can do anything is 'root'. He has the power to create, delete, or modify any file. He can add kernel support for hardware or remove it with modules. He can create or remove user accounts. You must be very careful with this account and use it seldom.
As you will read about soon enough in the next articles, working as users that are limited to writing to certain directories helps ensure system stability and security.
When it comes to modifying system settings or installing new programs, you will need to use root. You should not use the root account for anything else.
I should point out that many people also consider it a security issue to log in as root and then go into a graphical environment. So, if it is a security issue to log in as root, how can you use him?
Introducing su
The su command allows you to "switch user" -- to become another user during a login session. This is a very powerful tool, because it can allow you to switch to the root user as well.
One thing about this command sometimes gets by people: in order to "su to root," your original user may have to be a member of the wheel group. This is a security measure often put in place so a random user on your system cannot su to root without authorization.
To use su to become another user, use the following command:
su - [userid]
The - following su is important, as it instructs su to source that user's login scripts to pick up their environment variables. If [userid] is omitted, root is assumed.
When it prompts you for the password, type in the password for that user.
See also: su
sudo -- An alternative to using su
The su command allows a non-privileged user to "switch user" to root to perform administrative activities by providing that user with a root login shell. The problem that then arises is "What if I forget to log out of my root shell and someone gains access to my terminal?" Also, on a production system, only one user should have the root password, even if several individuals are responsible for different aspects of system administration.
The sudo command resolves these issues. sudo allows a permitted user to execute commands as root as specified in the /etc/sudoers file. Commonly, sudo is configured to allow anyone in the wheel group to execute any command as root by having the following in /etc/sudoers:
%wheel ALL = (ALL) ALL
Using the above configuration, anyone in the wheel group can execute commands as root by doing the following:
sudo <command>
At this point, the user is typically prompted for his or her password, NOT the root password. The <command> specified is then executed as the root user, and when that command terminates, the user is left with his or her login session, NOT root's.
Configuration of sudo is performed by root using the visudo command; /etc/sudoers should not be edited directly.
sudo can be configured at the granularity of individual commands, that is, allowing individual users to execute only selected commands as root. See the sudo man page for more detailed information.
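Because the %wheel rule shown earlier gives every member of wheel full root, it is worth checking exactly which accounts that covers. The script below is an added example, not part of the original guide: it reads a sudoers file and a group file and lists the accounts that have an unrestricted rule, directly or through a group. The sample files and the names alice, bob, carol and dave are constructed; aliases, include files and users whose primary group is the privileged group are not handled.

```shell
#!/bin/sh
# Added example: list accounts that a sudoers file grants unrestricted root,
# directly or through a group rule such as "%wheel ALL = (ALL) ALL".
# Assumptions: no aliases, no include files, supplementary groups only.

# full_root_users SUDOERS_FILE GROUP_FILE -> one account name per line, sorted
full_root_users() {
    awk '
        # First file: group database lines, name:password:gid:member,member
        NR == FNR { split($0, g, ":"); members[g[1]] = g[4]; next }
        # Second file (sudoers): skip comment lines
        /^[ \t]*#/ { next }
        {
            who = $1
            spec = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", spec)  # drop the user/group field
            gsub(/[ \t]/, "", spec)                 # "ALL = (ALL) ALL" -> "ALL=(ALL)ALL"
            # Keep only rules allowing every command on every host
            if (spec !~ /^ALL=(\((ALL|root)(:[^)]*)?\))?(NOPASSWD:)?ALL$/) next
            if (substr(who, 1, 1) == "%") {
                # Group rule: expand to the members listed in the group file
                n = split(members[substr(who, 2)], m, ",")
                for (i = 1; i <= n; i++) print m[i]
            } else {
                print who
            }
        }
    ' "$2" "$1" | sort -u
}

# Constructed sample files, written into directory $1
make_sample() {
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:alice,bob
backup:x:34:carol
EOF
    cat > "$1/sudoers" <<'EOF'
# constructed sample
Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL = (ALL) ALL
%backup ALL = (root) /usr/bin/rsync
dave ALL=(ALL) NOPASSWD: ALL
#%audio ALL=(ALL) ALL
EOF
}

d=$(mktemp -d) && make_sample "$d"
full_root_users "$d/sudoers" "$d/group"   # alice, bob, dave, root
rm -rf "$d"
```

carol is not listed because her group's rule is limited to a single command, which is the per-command granularity described above.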
A few useful commands
The whoami command will tell you what user you are. This is useful for reminding yourself if you have su'ed to root or not.
The groups command will tell you what groups you are a member of. This is useful to see if you are in the wheel group.
The usermod command can be used by root to modify a user and add them into new groups. You should always add the wheel group as a secondary group (-G) and not the primary (-g). If the user is currently a member of a group which is not listed by the -G option, the user will be removed from the group. Therefore, run groups first and list all of them when using -G so you do not wipe out all of your groups.
The gpasswd command can be used to add and remove users from groups. To add a user to a group, do gpasswd -a <user> <group>. To remove a user, change the -a option to -d.
Before using any command which modifies your users or groups, you should always read the man page, at least the first time and as often as you find yourself feeling uncomfortable about the material. Many of the commands also accept the --help parameter.
See also: Adding users and groups

