When managing a Linux machine that hosts multiple users, you often need more advanced control over user rights than what basic user management tools provide. This is especially crucial when dealing with granular permission settings. For instance, if you have a directory, you might want users in one group to have read and write access, while users in another group only have read access. In Linux, this is entirely possible—provided you understand how to manage users through user groups and Access Control Lists (ACLs).
We'll start with the basics of user groups and gradually move into more complex ACL configurations. You can perform all these tasks on any Linux distribution you prefer. This article assumes you already have a basic understanding of user management.
For the purpose of demonstration, I will assume the following setup:
- Create two new users: Olivia and Nathan
- Create two user groups: Readers and Editors
- Olivia belongs to the Editors group, and Nathan belongs to the Readers group
- The Readers group has read-only access to the /DATA directory
- The Editors group has read and write access to the same directory
This is a simple task, but it provides a foundation for more complex permission setups. I’ll be demonstrating on Ubuntu 16.04 Server, though the commands are generally applicable across most Linux distributions. If your system doesn’t support the sudo command, you’ll need to switch to the root user to execute these commands.
Create Users
The first step is to create the two users for our experiment. We’ll use the useradd command, making sure to create their home directories and set passwords.
sudo useradd -m olivia
sudo useradd -m nathan
You can now check the /home directory to confirm that both users have their own home folders. Next, we’ll set their passwords using the passwd command:
sudo passwd olivia
sudo passwd nathan
Now, we have two users created and ready for further configuration.
Create User Groups and Add Users
Next, we’ll create the Readers and Editors user groups. Use the following commands:
sudo addgroup readers
sudo addgroup editors
Note: On some systems like CentOS, the addgroup command may not be available. In that case, use groupadd instead.
Once the groups are created, we’ll add the users to them:
sudo usermod -a -G readers nathan
sudo usermod -a -G editors olivia
Now, users are properly assigned to their respective groups.
Grant Permissions to User Groups for a Directory
Suppose you have a directory called /READERS, and you want members of the Readers group to have access. First, change the ownership of the directory:
sudo chown -R :readers /READERS
Then, grant read and write permissions to the group (a directory created with the usual default mode already carries the group execute bit that lets members enter it; if yours does not, add x as well):
sudo chmod -R g+rw /READERS
To prevent other users from accessing this directory, remove their permissions:
sudo chmod -R o-rwx /READERS
At this point, only the owner (root) and members of the Readers group can access files in /READERS.
Similarly, for the /EDITORS directory, assign ownership and permissions as follows:
sudo chown -R :editors /EDITORS
sudo chmod -R g+rwx /EDITORS
sudo chmod -R o-rwx /EDITORS
Members of the Editors group can now read and modify files, while others cannot access them.
Using Access Control Lists (ACLs)
While the above method works, it’s limited to a single owning group per directory. That’s where ACLs come in handy. Let’s take the example of a /DATA directory where Readers have read access and Editors have read and write access.
To set ACLs, we’ll use the setfacl command. The syntax is:
sudo setfacl -m g:GROUP:PERMISSIONS DIRECTORY
First, grant read access to the Readers group:
sudo setfacl -m g:readers:r-x /DATA
Then, give read and write access to the Editors group:
sudo setfacl -m g:editors:rwx /DATA
Now, members of the Editors group can read and write, while Readers can only read.
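The script below is an added example, not part of the original article. It applies the two setfacl entries from this section to /DATA together with matching default entries, and it adds a small check for the ACL mask, which caps every named-group entry and is rewritten by a later chmod on the group bits. The function names and the getfacl text at the bottom are constructed for this example.

```shell
#!/bin/sh
# Effective permission of one named-group ACL entry, taking the mask
# into account. Usage: effective_perms "<getfacl output>" <group>
# Prints e.g. "r-x"; a bit survives only if the mask also has it.
effective_perms() {
    acl="$1"; grp="$2"
    entry=$(printf '%s\n' "$acl" | sed -n "s/^group:${grp}:\(...\).*/\1/p")
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\).*/\1/p')
    [ -n "$entry" ] || { echo "---"; return 1; }   # group has no entry
    [ -n "$mask" ] || mask="rwx"                     # no mask: entry applies as is
    out=""; i=1
    while [ "$i" -le 3 ]; do
        e=$(printf '%s' "$entry" | cut -c"$i")
        m=$(printf '%s' "$mask" | cut -c"$i")
        if [ "$e" = "$m" ] && [ "$e" != "-" ]; then out="$out$e"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Apply the article's ACLs plus default entries (-d) so that files and
# subdirectories created later inside the directory inherit them.
# Needs root; run as: sh this_script.sh apply
apply_data_acl() {
    dir="${1:-/DATA}"
    setfacl -m g:readers:r-x "$dir"
    setfacl -m g:editors:rwx "$dir"
    setfacl -d -m g:readers:r-x "$dir"
    setfacl -d -m g:editors:rwx "$dir"
    getfacl "$dir"
}

# Constructed getfacl output (not captured from a real system): after a
# "chmod g=rx" on the directory the mask became r-x, so editors lose
# write access even though their own entry still says rwx.
SAMPLE_ACL='# file: /DATA
# owner: root
# group: root
user::rwx
group::r-x
group:readers:r-x
group:editors:rwx
mask::r-x
other::---'

if [ "${1:-}" = "apply" ]; then
    apply_data_acl /DATA
else
    printf 'editors effective: %s\n' "$(effective_perms "$SAMPLE_ACL" editors)"
    printf 'readers effective: %s\n' "$(effective_perms "$SAMPLE_ACL" readers)"
fi
```

If getfacl ever shows an "#effective:" column next to an entry, the mask is narrower than the entry; setfacl -m m::rwx DIR restores it.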
More Access Control Options
With ACLs, you can implement highly customized permission setups. You can add users to groups and control their access to specific directories as needed. If you want to explore these tools further, try the following commands:
man useradd
man addgroup
man usermod
man setfacl
man chown
man chmod