Unix for Busy People - Users, superusers, groups, su and sudo
Users, superusers, groups, su and sudo
In order to log in to a unix system you must have an account. Accounts are used to control access to the unix system. Normally each individual has their own login id (commonly referred to as an account). When you login to the unix system you are prompted for your login id (commonly referred to as a user id) and this username (or "login") becomes your user throughout your entire session. It is possible to become another user without logging out of your current session but we will talk about that further down.
Users in the unix system are organized by groups. The intent was to allow multiple users on the system to share resources while maintaining some security and access control. Generally members of the same group can be allowed to access other group members files or in some cases control group members processes. It is possible for a user to be a member of more than one group.
UID and GID's
Each user is assigned a user and group identifier. While a user can be a member of several groups there is only ever one user identifier (UID). Each group also has it's own group identifier (GID).
User accounts and their corresponding UID are stored in the file /etc/passwd. Group identifiers (GID) are stored in the file /etc/group.
The UID and GID numbers must be stored as Octal or base-8 number system (0-7).
Who am I
With apologies to Admiral Stockdale.
whoami command shows you who you are logged in as.
For shell scripting the USER environment variable also shows your login account name (user id):
$ env | grep -i user
We will talk about shell scripting in a future class.
What groups do I belong to?
You can determine what your current group membership is using the command id.
$ id uid=101(kinscoe) gid=10(staff)
The groups command show all the groups your a member of.
staff mysql wheel class
But let's say we now want to work with a different default group because we are working on a different project with files that have access by group only. We can use the newgrp command to create a new shell with that default group we want. For instance let's say I want to become a default member of the class group:
$ id uid=101(kinscoe) gid=10(staff) $ newgrp class $ id uid=101(kinscoe) gid=1020(class)
Remember to always exit out of new shells we create when we are done with them.
$ exit exit
Who is logged in?
There are several commands to show you who is logged into the system: w, who, users and finger commands all will do this.
The "w" command is the usual command used for this. It tells us just about everything we might possibly want to know about other users currently on the system:
$ w 8:49am up 62 day(s), 19:32, 3 users, load average: 0.02, 0.01, 0.00 User tty login@ idle JCPU PCPU what kinscoe pts/2 8:39am 6 -bash kinscoe pts/3 8:45am w slindsay pts/4 8:49am -sh
The "who" command is similar but with less information:
kinscoe pts/2 Apr 12 08:39 (10.88.75.6) kinscoe pts/3 Apr 12 08:45 (10.88.75.6) slindsay pts/4 Apr 12 08:49 (10.88.75.6)
However sometimes less is more and who actually tells us less but more useful information such as the IP address that user has logged in from.
The users command is even more simple and to the point:
kinscoe kinscoe slindsay
Users is often the command used in shell scripts for this purpose because of it's very simple output.
And finally we have the finger command a very old left over from the BSD world.
$ finger Login Name TTY Idle When Where kinscoe Kevin P. Inscoe pts/2 12 Mon 08:39 10.88.75.6 kinscoe Kevin P. Inscoe pts/3 Mon 08:45 10.88.75.6 slindsay Shane_Lindsay pts/4 7 Mon 08:49 10.88.75.6
Finger, like the who command tells you essentially the same information however it has one additional feature: you can use the finger command on individual accounts to see when they last logged in and if they receive email on unix and the last time they checked their email (some see this as an invasion of privacy and this can be turned off at the finger server).
$ finger kinscoe Login name: kinscoe In real life: Kevin P. Inscoe Directory: /export/home/kinscoe Shell: /bin/bash On since Apr 12 08:39:31 on pts/2 from 10.88.75.6 14 minutes Idle Time No unread mail Plan: Hello my name is Kevin Inscoe and work in Unix Engineering. Today is Monday, April 12 and I am WFH today. My web site is at https://kevininscoe.com Have a nice day! :-) Login name: kinscoe In real life: Kevin P. Inscoe Directory: /export/home/kinscoe Shell: /bin/bash On since Apr 12 08:45:38 on pts/3 from 10.88.75.6
Finger in it's day (early-80's to mid-90's) was much like the world wide web is now. I can remember updating my finger .plan file daily with witty sayings and quotes much like web sites are now. I should note that for various reasons finger is not normally installed on Linux systems but still comes shipped on Solaris systems even today in OpenSolaris. So have fun with it.
In order to maintain any system you must have an account which is has "super powers" over all other accounts and in unix this is known as "root". Actually any account having a UID of 0 would become like root but it's a bad idea to have more than one account having the same UID (and just won't work in Solaris and Linux). In that case it is possible to have an account like root as far as file permissions go by assigning it a member of GID 1.
Becoming a superuser
The su command is the standard way of becoming root the root user although you can login directly to the account if you know the password (don't ask haha). Because of security the root account is often disabled for logins from any where but the system console. Must installations require the use of the su command for auditing purposes. It should be noted that if you are root or if you know the password of another account it is possible to su to another account not just root from your account.
$ su - Password: ----------------------------------------- Welcome to the Unix for Busy People Solaris lab server. Questions? You can reach Kevin Inscoe at 407-345-2569 or email after hours at firstname.lastname@example.org ----------------------------------------- Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008 # id uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty), 8(lp),9(nuucp),12(daemon)
It should be noted that the root prompt is typically "#" and the non-privileged user's prompt is usually "$" however that is convention and often many folks customize their prompts (particularly on Linux) so that is not always true. However for the purposes of documentation I always show the prompt as "$" for users and "#" for root commands.
$ su - slindsay Password: ----------------------------------------- Welcome to the Unix for Busy People Solaris lab server. Questions? You can reach Kevin Inscoe at 407-345-2569 or email after hours at email@example.com ----------------------------------------- Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008 $ id uid=1007(slindsay) gid=1020(class)
Sudo is a third party command that is not installed by default on most unix systems except on many Linux distributions. However it is widely used at HMH to control access to certain commands or accounts. Sudo reads a file controlled by the root account that dictates what commands or what accounts a given login can execute. The command takes the form of:
$ sudo <command>
Here are some examples:
$ sudo -u root id uid=0(root) gid=0(root) $ sudo -u slindsay id uid=1007(slindsay) gid=1020(class)
sudo command assumes you wish to run a command as root be default unless you use the -u option. It will also by default (and as configured here at HMH) ask you for your login password prior to executing the command on the off chance you left your seat and someone unscrupulous is now sitting at your computer trying to make access with your still logged in account.
Some examples of legitimate and not legitimate requests:
$ sudo ls -l / total 426 lrwxrwxrwx 1 root root 9 Dec 17 10:29 bin -> ./usr/bin drwxr-xr-x 6 root sys 7 Dec 17 10:29 boot drwxr-xr-x 2 root root 4 Dec 17 05:04 cdrom drwxr-xr-x 276 root sys 276 Feb 8 12:17 dev drwxr-xr-x 10 root sys 10 Feb 8 12:17 devices drwxr-xr-x 86 root sys 235 Apr 12 09:17 etc drwxr-xr-x 4 root root 4 Jan 11 12:55 export dr-xr-xr-x 1 root root 1 Feb 8 12:18 home drwxr-xr-x 19 root sys 20 Dec 17 10:13 kernel ... $ sudo rm file.x Sorry, user slindsay is not allowed to execute '/usr/bin/rm file.x' as root on kinscoe-solaris. $ sudo ls We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. Password: slindsay is not in the sudoers file. This incident will be reported.
Further reading: http://docstore.mik.ua/orelly/networking/puis/ch04_01.htm