Group Policy and Linux Users/Groups
- Group Policy is a tool for administrators in Windows 2000 or later Active Directory Domains for centralized management of client and server settings and software distribution.
- It allows centralized management and configuration of operating systems, applications, and user settings in an Active Directory environment.
- A set of Group Policy configurations is called a Group Policy Object (GPO).
Active Directory Domain Services (ADDS)
- ADDS is a server role in Microsoft Windows used to store and structure objects like computers, users, or groups.
- Group Policy is used to add configuration and management to object types within ADDS to control configuration and behavior settings.
- A collection of settings are called Group Policy Objects.
Windows Group Policy Types
- The three Group Policy types are Local, Non-local, and Starter.
- Local GPOs (LGPOs) apply only to the local Windows client computer.
- Non-local GPOs apply settings to one or multiple Windows clients by linking them to sites, domains or organizational units (OUs) within ADDS.
- Starter GPOs are templates used to create new GPOs within ADDS.
Benefits of Group Policy Objects
- Ease of administration as system administrators can deploy software, patches, and other updates via GPO.
- Better password policy enforcement as GPOs determine password length, reuse rules, and establish other requirements for passwords to keep a company's network safe.
Linux Users and Groups
- Linux was designed to allow more than one user to have access to the system at the same time.
- Permissions are needed to protect users from each other.
User Groups in Linux
- They provide an easy way for a selected group of users to share files with each other.
- They also allow sysadmins to more effectively manage user privileges, since they can assign privileges to groups rather than individual users.
Read, Write & Execute Permissions
- Permissions are the “rights” to act on a file or directory.
- The basic rights are read, write, and execute.
- Read - a readable permission allows the contents of the file to be viewed. A read permission on a directory allows you to list the contents of a directory.
- Write - a write permission on a file allows you to modify the contents of that file. For a directory, the write permission allows you to edit the contents of a directory (e.g. add/delete files).
- Execute - for a file, the executable permission allows you to run the file and execute a program or script. For a directory, the execute permission allows you to change to a different directory and make it your current working directory.
- Users usually have a default group, but they may belong to several additional groups.
Viewing File Permissions
- To view the permissions on a file or directory, issue the command ls -l
- The first ten characters show the access permissions.
- The first dash (-) indicates the type of file (d for directory, s for special file, and - for a regular file).
- The next three characters (rw-) define the owner’s permission to the file.
- In this example, the file owner has read and write permissions only.
- The next three characters (r--) are the permissions for the members of the same group as the file owner (which in this example is read only).
- The last three characters (r--) show the permissions for all other users and in this example, it is read only.
Creating a New Standard User
- To create a new standard user, use the useradd command.
- The syntax is as follows:
- Most user accounts on Linux systems are set up with the user and group names the same.
- The user "jdoe" will be set up with a group named "jdoe" and will be the only member of that newly created group.
- The user’s login name, user id, and group id will be added to the /etc/passwd and /etc/group files when the account is added.
- The useradd command accepts a variety of options, some of which are shown in the table below:
| Option | Description | Example |
|---|---|---|
| -d | home_dir will be used as the value for the user's login directory | useradd -d /home/ |
| -e | the date when the account will expire | useradd -e |
| -f | the number of days before the account expires | useradd -f |
| -s | sets the default shell type | useradd -s /bin/ |
Changing User Password
- The user will be able to change their password at any time using the passwd command, whose syntax is simply passwd.
- Below is an example:
$ passwd
Changing password for 1martin.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Removing a User
- To remove the user, their home folder, and their files, use this command:
Creating and Removing Directories
- To make a directory use the command:
- To make a directory and set the permissions at the same time, use the following option and syntax:
- mkdir -m a=rwx
- The -m option is short for mode, and a=rwx means that all users have read, write, and execute permissions on the directory.
- To remove a file, use the following:
- To remove a directory:
- rm -r
- It is important to note that if you remove a directory all the files inside will be deleted as well.
Changing Directory and File Permissions
- To view file permissions and ownership on files and directories, use the ls -al command.
- The a option shows hidden files (all files), and the l option selects the long listing format.
- The output will be similar to the following:
drwxr-xr-x 2 user user 4096 Jan 9 10:11 documents
-rw-r--r-- 1 user user 675 Jan 7 12:05 .profile
drwxr-xr-x 4 user user 4096 Jan 7 14:55 public
- The first column with the ten letters and dashes shows the permissions of the file or directory.
- The second column (with the single number) indicates the number of files or directories contained in the directory.
- The next column indicates the owner, followed by the group name, the size, date, and time of last access, and finally the name of the file.
Chmod Command
- The command chmod is short for change mode.
- chmod is used to change permissions on files and directories.
- The chmod command may be used with either letters (symbolic mode) or numbers (octal mode) to set the permissions.
- The following table describes each letter:
| Letter | Permission |
|---|---|
| r | Read |
| w | Write |
| x | Execute |
| X | Execute (only if file is a directory) |
| s | Set user or group ID on execution |
| t | Save program text on swap device |
| u | Current permissions the file has for owner |
| g | Current permissions the file has for users in the same group |
| o | Current permissions the file has for others not in the group |
- The first three characters are for the user, the next three are for the group, and the last three are for others. The example drwxrw-r-- is broken down as follows:
- The minus sign (-) removes permissions; conversely, the plus sign (+) grants them: chmod u+r,g+x
- u is for user
- r is for read
- g is for group
- x is for execute
- To use the octal format, you have to calculate the permissions for each portion of the file or directory.
- The ten characters mentioned above correspond to a four-digit number in octal.
- The execute permission is equal to the number one (1), the write permission is equal to the number two (2), and the read permission is equal to the number four (4).
- Therefore, when you use the octal format, you will need to calculate a number between 0 and 7 for each portion of the permission.
| Octal Value | Read | Write | Execute |
|---|---|---|---|
| 7 | r (4) | w (2) | x (1) |
| 6 | r (4) | w (2) | |
| 5 | r (4) | | x (1) |
| 4 | r (4) | | |
| 3 | | w (2) | x (1) |
| 2 | | w (2) | |
| 1 | | | x (1) |
| 0 | | | |
- Example: a directory listed by ls -al before the change (first character: d = directory, - = file; the three triplets that follow are user, group, others):
dr-------- 2 user user 4096 Dec 17 14:38 Work
- chmod 444 Work
- Output of ls -al after the chmod command:
dr--r--r-- 2 user user 4096 Dec 17 14:38 Work
Octal Table for Permissions
| Permission string | Octal code | Meaning |
|---|---|---|
| rwxrwxrwx | 777 | Read, write, and execute permissions for all users. |
| rwxr-xr-x | 755 | Read and execute permission for all users. The file's owner also has write permission. |
| rwxr-x--- | 750 | Read and execute permission for the owner and group. The file's owner also has write permission. Users who aren't the file's owner or members of the group have no access to the file. |
| rwx------ | 700 | Read, write, and execute permissions for the file's owner only; all others have no access. |
| rw-rw-rw- | 666 | Read and write permissions for all users. No execute permissions for anybody. |
| rw-rw-r-- | 664 | Read and write permissions for the owner and group. Read-only permission for all others. |
| rw-rw---- | 660 | Read and write permissions for the owner and group. No world permissions. |
| rw-r--r-- | 644 | Read and write permissions for the owner. Read-only permission for all others. |
| rw-r----- | 640 | Read and write permissions for the owner, and read-only permission for the group. No permission for others. |
| rw------- | 600 | Read and write permissions for the owner. No permission for anybody else. |
| r-------- | 400 | Read permission for the owner. No permission for anybody else. |
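An added example (not from the original notes) that implements the conversions the chmod and octal sections describe: ls-style permission strings to four-digit octal and back, including the setuid/setgid/sticky markers s, S, t and T, plus a chmod-style symbolic expression such as u+r,g+x applied to a permission string. The function names are my own.

```python
import re

# 9 permission chars of an ls -l line; s/S/t/T allowed in the execute slots.
PERM_RE = re.compile(r"[r-][w-][xsS-][r-][w-][xsS-][r-][w-][xtT-]")

def symbolic_to_octal(perm):
    # Accept a full 10-char field ('drwxr-x---') or just the 9-char part.
    perm = perm[-9:]
    if not PERM_RE.fullmatch(perm):
        raise ValueError(f"not a permission string: {perm!r}")
    special, digits = 0, []
    for i in range(3):                      # user, group, others
        r, w, x = perm[3 * i:3 * i + 3]
        value = (4 if r == "r" else 0) + (2 if w == "w" else 0)
        if x in "xst":                      # lower case: execute bit set
            value += 1
        if x in "sStT":                     # setuid 4, setgid 2, sticky 1
            special += (4, 2, 1)[i]
        digits.append(value)
    return f"{special}{digits[0]}{digits[1]}{digits[2]}"

def octal_to_symbolic(mode):
    # '750' and '0750' both give 'rwxr-x---'; a digit 8 or 9 raises ValueError.
    special, *digits = (int(d, 8) for d in mode.zfill(4))
    out = []
    for i, value in enumerate(digits):
        out.append("r" if value & 4 else "-")
        out.append("w" if value & 2 else "-")
        if special & (4, 2, 1)[i]:
            letter = "t" if i == 2 else "s"
            out.append(letter if value & 1 else letter.upper())
        else:
            out.append("x" if value & 1 else "-")
    return "".join(out)

def apply_symbolic(perm, expr):
    # Apply chmod-style clauses such as 'u+r,g+x' or 'o=' to a 9-char string.
    # Any s/t marker in a touched execute slot is replaced by plain x or -.
    bits = list(perm[-9:])
    for clause in expr.split(","):
        m = re.fullmatch(r"([ugoa]*)([+\-=])([rwx]*)", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        whos, op, rights = m.groups()
        for who in whos or "a":
            for base in (0, 3, 6) if who == "a" else ("ugo".index(who) * 3,):
                for j, right in enumerate("rwx"):
                    if op == "=" or right in rights:
                        bits[base + j] = right if (op != "-" and right in rights) else "-"
    return "".join(bits)
```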
Changing File Ownership
- By default, all files are "owned" by the user who creates them and by that user's default group.
- To change the ownership of a file, use the chown command in the format chown user:group /path/to/file.
- Example:
chown cjones:marketing list.html
- To change the ownership of a directory and all the files contained inside, use the recursive option with the -R flag.
- Example:
chown -R cjones:marketing /srv/smb/leadership/
Leveraging Users and Groups
- User permissions are used to provide your system with greater security without any direct interaction.
- Many operating systems create specific system user accounts for different packages during the installation process.
- The best practice is to give each user their own login to your system.
- This protects each user’s files from all other users.
- Groups are useful for allowing multiple independent user accounts to collaborate and share files.
- If you create groups on a machine for common tasks on a per-task basis (e.g. web editors, contributors, content submitters, support) and add relevant users to the relevant groups, these users can all edit and run the same set of files without sharing these files with the world.
- Using chown to assign the task group, together with file permissions of 770 and 740, would help accomplish this goal.
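As an added example that is not part of the original notes, a small audit that checks a per-task shared tree against the rule just described (shared with the group, nothing for the world). The policy constants, the constructed sample tree and the function names are assumptions for illustration.

```python
import os
import shutil
import stat
import tempfile
# Policy assumed from the notes above: directories 770, files 770 or 740,
# everything group-owned by the task's group, never any world (others) bits.
DIR_MODES = {0o770}
FILE_MODES = {0o770, 0o740}

def audit_shared_tree(root, expected_gid):
    # Returns {relative_path: [reasons]} for every entry breaking the policy.
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):      # a symlink's own mode is meaningless
                continue
            mode = stat.S_IMODE(st.st_mode)
            allowed = DIR_MODES if stat.S_ISDIR(st.st_mode) else FILE_MODES
            reasons = []
            if mode & 0o007:
                reasons.append(f"world access bits set ({mode:04o})")
            if mode not in allowed:
                reasons.append(f"mode {mode:04o} not in policy")
            if st.st_gid != expected_gid:
                reasons.append(f"group gid {st.st_gid} != {expected_gid}")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def run_sample_audit():
    # Constructed sample tree (not a real deployment): one compliant file, one
    # world-readable file and one world-writable upload directory.
    root = tempfile.mkdtemp(prefix="webeditors-")
    try:
        os.chmod(root, 0o770)
        for name, mode in (("index.html", 0o740), ("notes.txt", 0o744)):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("sample\n")
            os.chmod(os.path.join(root, name), mode)
        os.mkdir(os.path.join(root, "uploads"))
        os.chmod(os.path.join(root, "uploads"), 0o777)  # explicit: mkdir is umask-masked
        # The tree's own gid stands in for the task group chown -R would assign.
        return audit_shared_tree(root, os.stat(root).st_gid)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for path, reasons in run_sample_audit().items():
        print(path, "->", "; ".join(reasons))
```

Running it reports notes.txt and uploads and nothing for index.html or the root directory; point audit_shared_tree at a real directory with the task group's gid to check a deployed tree.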