Module 9 · Users & Permissions
Linux was built from day one for lots of people sharing one computer. Every single file has an owner, a group, and a list of who's allowed to do what with it. Once it clicks, it's tidy and makes sense.
By the end of this module, you will:
- Create, modify, and delete user accounts from the terminal
- Explain the Linux permission model (owner, group, others)
- Change file permissions using chmod with numeric and symbolic notation
- Use sudo correctly and explain why it exists
- Use chmod symbolic notation (u+x, g-w, a+r) alongside numeric notation
- Create, modify, lock, and delete user accounts (adduser, passwd, usermod, deluser)
- Explain the umask and why new files get the permissions they do
- Use id, groups, who, and getent to discover users and group memberships
Reading those funny letters at the start of a file
chmod with numbers — the quick way to set permissions
| Number | What it means | When you'd use it |
|---|---|---|
| 777 | rwxrwxrwx — anyone can read, write or run it | Almost never. Be careful — this means strangers too. |
| 755 | rwxr-xr-x — you can do anything, everyone else can read and run | Scripts, programs, folders |
| 644 | rw-r--r-- — you can read and write, everyone else can only read | Normal files, settings files |
| 600 | rw------- — only you can read or write, nobody else can even look | SSH keys, anything secret |
| 400 | r-------- — only you can read, nobody can change it | Backups, certificates you mustn't edit |
Watch out: usermod -aG — don't forget the -a
The right way to add somebody to a group is sudo usermod -aG groupname username. The -a means "add to the list". If you leave the -a out and just type sudo usermod -G groupname username, Linux throws away every group the person was already in and leaves them in only the new one. That can lock somebody out of sudo in one second. Always type -aG, never -G on its own when you're adding somebody to a group.
A real example — start to finish
Here's a real permissions problem and how to fix it. Marie at work can't open a log file. She asks you for help. These are the same five steps a real Linux administrator would take.
Marie says: "It tells me 'Permission denied' on /var/log/nginx/access.log"
First, see what the permissions on the file actually are. Type ls -la /var/log/nginx/access.log.
Read what it tells you
You see this: -rw-r----- 1 root adm 45231 Apr 25 nginx/access.log. Translated: the owner is root (read and write), the group is adm (read only), and everyone else gets nothing. Marie isn't in the adm group, so she gets nothing — that's why she can't open it.
Check which groups Marie is in
Type groups marie. It says: marie : marie sudo. So Marie is in the sudo group, but she's not in adm — and adm is the group that can read the file. That confirms what's wrong.
Fix it — add Marie to the adm group
Run sudo usermod -aG adm marie. Don't forget the -a — without it you'd kick Marie out of every other group, including sudo. Marie also has to log out and log back in before the change kicks in.
Check it worked
After Marie logs back in, run groups marie again. This time it shows marie : marie sudo adm — adm is on the list. Marie can read the log file now.
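The same check Linux makes when Marie opens the file, written out by hand as an added example (not part of the module). It takes the ls -l mode string, the file's owner and group, and the user with their group list as groups prints it; the file values are constructed to match the story. It models the plain rwx bits only, so it doesn't cover root (who bypasses these bits) or ACLs set with setfacl.

```shell
#!/bin/sh
# Added example: a by-hand version of the owner/group/other check.
# Linux picks exactly one class: owner if you own the file, otherwise
# group if you're in the file's group, otherwise other. The first match
# wins, so an owner with ----rw---- cannot read even when in the group.

# which_class OWNER GROUP USER "GROUP LIST" -> owner | group | other
which_class() {
  [ "$3" = "$1" ] && { echo owner; return; }
  for g in $4; do
    [ "$g" = "$2" ] && { echo group; return; }
  done
  echo other
}

# triplet MODE CLASS -> the three characters for that class, e.g. r--
triplet() {
  case $2 in
    owner) echo "$1" | cut -c2-4 ;;
    group) echo "$1" | cut -c5-7 ;;
    other) echo "$1" | cut -c8-10 ;;
  esac
}

# can_read MODE OWNER GROUP USER "GROUP LIST" -> yes | no
can_read() {
  cls=$(which_class "$2" "$3" "$4" "$5")
  case $(triplet "$1" "$cls") in r??) echo yes ;; *) echo no ;; esac
}

# Constructed values matching the story: -rw-r----- owned by root:adm.
MODE='-rw-r-----'
echo "before usermod: $(can_read "$MODE" root adm marie 'marie sudo')"      # no
echo "after usermod:  $(can_read "$MODE" root adm marie 'marie sudo adm')"  # yes
```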
chmod with letters — the surgical way to change permissions
Numbers like 755 and 644 are good for setting the whole permission in one go. Letters are better for tweaking just one bit — like "add the ability to run this, but leave everything else alone", or "stop strangers being able to write to this". Both ways do the same job — use whichever fits.
| Who you're changing | What you're doing | Which permission |
|---|---|---|
| u = you (the owner) | + add this | r = read |
| g = the group | - take this away | w = write (change the file) |
| o = everyone else | = set it to exactly this | x = run it (for scripts and programs) |
| a = all three at once | — | — |
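To see how the letters map onto the numbers, here is an added example (not from the module) that applies one symbolic change like u+x, g-w, a=r or ug+x to a three-digit mode and prints the result. It's a model of what chmod does to the bits, not a replacement for it, and it ignores setuid/setgid/sticky.

```shell
#!/bin/sh
# Added example: apply one chmod-style symbolic change to an octal mode.
# Each class (u, g, o) is one digit; r=4, w=2, x=1 are its bits, so
# "+" is a bitwise OR, "-" clears bits, "=" replaces the digit outright.

perm_value() {          # rwx letters -> number 0..7
  v=0
  case $1 in *r*) v=$((v | 4)) ;; esac
  case $1 in *w*) v=$((v | 2)) ;; esac
  case $1 in *x*) v=$((v | 1)) ;; esac
  echo $v
}

apply_symbolic() {      # apply_symbolic 664 g-w  ->  644
  u=$(echo "$1" | cut -c1); g=$(echo "$1" | cut -c2); o=$(echo "$1" | cut -c3)
  who=${2%%[+=-]*}                    # letters before the operator
  rest=${2#"$who"}
  op=$(echo "$rest" | cut -c1)
  perm=$(perm_value "${rest#?}")
  [ -z "$who" ] && who=a              # "+x" is treated like "a+x" here
                                      # (real chmod also applies the umask)
  case $who in *a*) who=ugo ;; esac
  for cls in u g o; do
    case $who in *$cls*) ;; *) continue ;; esac
    eval "cur=\$$cls"
    case $op in
      +) new=$((cur | perm)) ;;
      -) new=$((cur & ~perm)) ;;
      =) new=$perm ;;
    esac
    eval "$cls=$new"
  done
  echo "$u$g$o"
}

for change in "644 u+x" "664 g-w" "600 a+r" "777 o=r"; do
  set -- $change
  echo "chmod $2 on $1 -> $(apply_symbolic "$1" "$2")"
done
```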
Adding, changing and removing user accounts
At home you'll probably never make a second user account, but if you do, it's one line. At work, this is bread-and-butter stuff that admins do all the time.
| What you want to do | The command |
|---|---|
| Add a new user and give them a home folder | sudo adduser jane — the friendly version on Ubuntu, asks you for a password |
| Add a new user (the no-questions, scripty version) | sudo useradd -m -s /bin/bash jane |
| Set or change somebody's password | sudo passwd jane |
| Add somebody to a group | sudo usermod -aG sudo jane — don't forget the -a |
| Lock the account so the person can't log in | sudo passwd -l jane |
| Delete a user | sudo deluser jane keeps their home folder; sudo deluser --remove-home jane deletes it too |
Group changes only kick in the next time the person logs in. If you add Jane to the docker group while she's already logged in, she has to log out and back in (or run newgrp docker) before it works.
umask — what permissions new files get
When you make a new file, Linux gives it some default permissions. A setting called umask (short for "user mask") decides what they are. On most Linuxes it's 022, which means new files come out as 644 (you can read and write, everyone else can read) and new folders come out as 755. You almost never need to change it — but knowing it's there means you stop wondering "where did those permissions come from?"
Have a look
Type umask in a terminal. You'll see something like 0022. To work out what new files will be, take 666 and subtract the umask (so 666 - 022 = 644). For folders, take 777 instead. If you want your new files to be more private, add a stricter umask to ~/.bashrc — for example, umask 077 means only you can read anything you create from now on.
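An added example (not from the module) that works out new-file and new-folder permissions from a umask. One caveat worth knowing: Linux doesn't literally subtract the umask, it clears those bits, and the two agree for the usual 022 and 077 but not for a mask like 027 (bits give 640, subtraction gives 639). The script shows both side by side.

```shell
#!/bin/sh
# Added example: what a new file or folder gets under a given umask.
# The kernel clears the umask bits (a bitwise AND-NOT) from 666 for files
# and 777 for folders. Digits are handled one at a time, so no octal maths.

three_digits() { s="000$1"; p=${s%???}; echo "${s#$p}"; }   # 22, 022, 0022 -> 022

# mask_apply BASE UMASK -> three-digit mode after the mask is applied
mask_apply() {
  base=$(three_digits "$1"); mask=$(three_digits "$2"); out=""
  for i in 1 2 3; do
    b=$(echo "$base" | cut -c"$i"); m=$(echo "$mask" | cut -c"$i")
    out="$out$((b & ~m))"          # keep only the bits the mask does not clear
  done
  echo "$out"
}

new_file_mode() { mask_apply 666 "$1"; }   # files start from 666 (no x bit)
new_dir_mode()  { mask_apply 777 "$1"; }   # folders start from 777

# The "666 minus umask" shortcut from the text, kept only for comparison.
subtract_mode() {
  m=$(three_digits "$2" | sed 's/^0*//')
  echo $(( $1 - ${m:-0} ))
}

# The two common masks, plus the one where the shortcut goes wrong.
for um in 022 077 027; do
  echo "umask $um: file $(new_file_mode "$um"), folder $(new_dir_mode "$um") (subtracting gives $(subtract_mode 666 "$um"))"
done
```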
Finding out who's who: id, whoami, getent
A few small commands answer "who am I right now? who else has an account? which groups are they in?" These are useful when you're hunting down permission problems or writing little scripts.
| Command | What it tells you |
|---|---|
| whoami | Your username right now. Handy after sudo -i when you've forgotten which user you've turned into. |
| id | Your user number (UID), your main group, and every group you're in. |
| id jane | Same thing, but for somebody else. |
| groups / groups jane | Just the list of groups — nothing extra. |
| who | Everybody who's logged into this computer right now. Useful on a shared machine. |
| getent passwd | Every single user account the computer knows about (including ones from work directory servers if it's plugged into one). |
| getent group sudo | Who's in a specific group. |