ENDS 12/4: Get 50% off your Pro annual membership using code [CYBER23](https://www.codecademy.com/checkout?periods=year&plan_id=proGoldAnnualV2&discountCode=CYBER23)


This lesson will explore users, groups, and permissions that are part of the Linux operating system.

Users, Groups, and Permissions in Linux

Good security practices suggest that administrator/root access be limited. Typical day-to-day activities such as word processing, web browsing, or listening to music should never be done using the administrator account.

However, there are times when an administrator account is required to perform specific tasks, like adding and modifying permissions and configuring system software. 

The Linux shell has the `sudo` command that can temporarily elevate privileges to a user that is a member of the administrator group.

Let's say we need to modify the owner of a file named **sketches.ppt** from **bob** to **debbie**. We could enter the `chown` command with the right parameters in the terminal:
```
chown debbie sketches.ppt
```

However, if we have admin privileges but are not logged in as the administrator, this command will return an "operation not permitted" error since we don’t have sufficient privileges. But, we can use the handy command `sudo` in front of the same command to temporarily invoke admin privileges by confirming our identity. We can use the following command:
```
sudo chown debbie sketches.ppt
```
and enter our password to prove we are the current authorized user.

Elevating Privileges (sudo)

Linux provides users the ability to elevate or relax access permissions on any files where they are an owner. Of course, an administrator can make changes anywhere in the system, including creating users and groups, modifying them, and elevating or reducing any permissions for files.

### Adding and Modifying Users and Groups
As an administrator, there are commands at your disposal to add, delete, or modify users and groups:
- `useradd` creates a new user
- `groupadd` creates a new group
- `usermod` and `groupmod` can be used to modify users and groups
- `userdel` and `groupdel` can be used to delete users and groups.

### Modifying Owners and Permissions
Additionally, `chown` and `chgrp` allow the superuser/admin to change who owns the resource, file, or directory while `chmod` changes the read-write-execute permission levels. As an example, the following commands would allow an administrator to change the owner of a file named **designs.doc** to a new user named **peter** and then modify this file to have read, write, and execute permissions for the user, group, and others.

```
chown peter designs.doc
```
```
chmod 777 designs.doc
or
chmod u=rwx,g=rwx,o=rwx designs.doc
```
Note: We need to be the owner of the file or admin to use `chmod`.

### Viewing and Modifying Permissions Outside of the Terminal
We can view and modify permissions in the file manager application on a Linux Ubuntu desktop as well. Just right-click on the file, select properties from the drop-down, and choose the permissions tab. All the users/groups and permissions are easily selected from the drop-down menus.

![graphical view of file permissions](https://static-assets.codecademy.com/Courses/learn-linux/user-groups-permissions-lesson/ex5/gui_permissions.png)

Modifying Users, Groups, and Permissions

How do users and groups relate to what files they can access?

If we use the command `ls -l` on a working directory, we will see directory/file permissions, user, group, filesize, creation date/time, and filename.
 
In Linux, everything is based on file permissions. Each file or directory has an owner and a group (or groups) that usually has more permissions to read, write, or execute than users not in the owner or in the permission group.

![title](https://static-assets.codecademy.com/Courses/learn-linux/user-groups-permissions-lesson/ex4/ls.png)

Let's break down the permissions line for **file-1.txt** from the screenshot:
```
-rw-rw-r--
```
Note: the first character identifies the resource as either a directory (`d`) or file (`-`).

The following nine characters should actually be read as triplets: `rw-` for the file owner, `rw-` for the group(s) that have permission to the file, and `r--` for all others. What do these symbols mean?

- read (`r`) = contents can be viewed but not edited, renamed, added, or deleted
- write (`w`) = contents can be viewed, edited, renamed, added, and deleted
- execute (`x`) = contents can run as a program or script
- (`-`) = permissions don't apply

So, the permissions shown for **file-1.txt** means that the owner can read and write, the group can read and write, and all others can only read.

Read-write-execute permissions can also be written as numbers, with each being a power of two. Each set of triplets can be expressed as the sum of the permissions that apply.

| PERMISSION | NUMBER | LETTER |
| --- | --- | --- |
| read | 4 | r |
| write | 2 | w |
| execute | 1 | x |

For example, a file's permission being `777` is equivalent to `rwxrwxrwx`, whereas a file's permission being `755` is equivalent to `rwxr-xr-x`.

### Default Permissions
When a normal user creates a folder, the default owner for the user and group is set to the username. The default permissions are typically set to 755 (or “rwx” for the user, “rx” for the group, and “rx” for others). These defaults are designed to restrict access until deliberately granted!

When a user then creates a file inside the folder, the default owner for the user and group is again set to the username while the permissions for that file are set to 644 (or “rw” for the user, “r” for the group, and “r” for others).

In the following exercise, we'll go over how these permissions can be changed!

File Permissions in Linux

Again, Linux is a highly secure operating system that depends on strict file permissions dictating which users and groups can access them. Let’s look at some classifications of users that are found on a Linux system.

### Admin or Non-admin?
A Linux user is either an administrator or non-administrator. The administrator is a superuser (or root user) with full control over the entire system. With that in mind, it is important to ensure that only a very limited number of folks have read and write permissions on all the files in the entire system. In contrast, a non-administrator by default has limited (or no) access to certain system/configuration files.

### Normal user
A majority of the accounts will be non-administrators. These users can be divided into two subtypes: normal user or system user. Normal users are real people. The individual is given a user account for login and limited access to computer applications, files, and resources.

### System user
A system user is typically a non-human or computer-generated account. System users are created to run a specific program or process/daemon such as a web server or backup program. This type of "user" is limited in control and is assigned only enough access to manage its particular process.

The illustration shows two columns. The first column lists users (one superuser and three regular users) and their associated relative groups (admin, marketing, sales, and business). The second column lists three share drive folders (marketing, sales, and business). A connecting line is drawn between the user/group and the associated share folder to represent access permissions. The superuser is shown having access to all folders.

Types of Linux Users

Now that we've covered how different Linux users can coexist, let's learn about users, groups, and their IDs!

On a Linux system, all users added are assigned a name, unique user identification (UID), group, and group identification (GID). When a user is initially created, a new UID and matching GID are assigned. 

UID and matching GID numbers are assigned based on the type of user:
- Administrator (root): UID and GID = 0
- System user (computer-generated): UID and GID assigned from 1 to 999
- Normal users (real people): UID and GID = 1000 or greater, incremented with every new user

The new user is by default assigned a matching group name (and typically a matching GID) so that the user will be a member of their own group. For example, a user **stephen** (UID = 1000) will also be assigned to the group **stephen** (GID = 1000).

We can create groups and add users to them. For example, in our diagram, we have a group called **Business** that includes the user **Tony**. Users can also exist in more than one group as well.

We can use the `id` and `groups` commands in the terminal to check our `uid` and `gid`.

![terminal output of ‘id’ command](https://static-assets.codecademy.com/Courses/learn-linux/user-groups-permissions-lesson/ex3/id.png)

![terminal output of ‘groups’ command](https://static-assets.codecademy.com/Courses/learn-linux/user-groups-permissions-lesson/ex3/groups.png)

Admin users can also view and modify the user and group information stored in the read-only **/etc/passwd** and **/etc/group** files.

![terminal output of `/etc/passwd file`](https://static-assets.codecademy.com/Courses/learn-linux/user-groups-permissions-lesson/ex3/etc-passwd.png)

![terminal output of `/etc/group file`](https://static-assets.codecademy.com/Courses/learn-linux/user-groups-permissions-lesson/ex3/etc-group.png)

Up next, we'll talk about how users and groups relate to file permissions.

Users and Groups in Linux

Linux is a highly secure operating system. How? This lesson will dig into the way that Linux handles users, groups, and permissions to keep information secure.

Linux is designed from the ground up to prevent individual users from accessing areas of the file structure they shouldn't access. Linux environment administrators have to define separate accounts and permissions to determine who can access specific files, directories, applications, and resources.

Throughout the lesson, we'll go over:
- Classification of Linux users
- Users and groups
- File permissions
- Modifying users, groups, and permissions
- Admin-related commands

The illustration shows three columns (users, groups, and share drive folders). Each regular user is mapped to one or more groups (business, design, engineering, HR, and marketing). Each group is mapped to one or more shared folders (business-data, ops-data, hr-data, and marketing-data). The folders and files show the associated user and group owners.

Introduction

We now have a fairly good idea of how Linux provides resource security by separating administrator accounts from non-administrator accounts and then further applying specific user and group permissions for every folder, file, and resource on the system. By default, permissions are limited.

User and group accounts can be created, modified, or deleted by admins and permissions can be adjusted by typing just a few simple terminal commands.

Here’s what we learned:
- The different classifications of users and range of user ID's
- What users and groups are in Linux
- How file-based permissions work in Linux:
   - owners and groups
   - read, write, and execute
- Commands used to create, delete, or modify users and groups:
   - `useradd` and `groupadd`
   - `userdel` and `groupdel`
   - `usermod` and `groupmod`
- Commands used to change owners and permissions:
   - `chown`
   - `chmod`
- Using `sudo` to access admin commands

These are just the fundamentals for navigating the users, groups, and permissions system on Linux! We encourage you to keep practicing to get used to the commands and the filesystem.