---
title: Users and rights
author: "Laurent Modolo"
---

```{r include = FALSE}
if (!require("fontawesome")) {
  install.packages("fontawesome")
}
library(fontawesome)
knitr::opts_chunk$set(echo = TRUE)
knitr::opts_chunk$set(comment = NA)
```

<a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/">
<img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-sa/4.0/88x31.png" />
</a>

Objective: Understand how rights work in GNU/Linux

GNU/Linux and other Unix-like operating systems are multiuser: they are designed to work with multiple users connected simultaneously to the same computer.

There is always at least one user: the **root** user

- it is the super user
- it has every right (we can say that it ignores the rights system)
- this account should only be used to administer the system.

There can also be other users who

- have rights
- belong to groups, and the groups themselves also have rights

## File rights

Each file is associated with a set of rights:

- `-` nothing
- `r` **r**eading right
- `w` **w**riting right
- `x` e**x**ecution right

Check your set of rights on your `.bashrc` file

```sh
ls -l ~/.bashrc
```

The first column of the `ls -l` output shows the rights set on the file:

![user_rights](./img/user_right.png)

```
 rwxr-xr--
 \ /\ /\ /
  v  v  v
  |  |  others (o)
  |  |
  |  group (g)
  |
 user (u)
```

- the 1st character is the type of the file (we already know this one)
- the 3 following characters (2 to 4) are the **user** rights on the file
- the characters 5 to 7 are the **group** rights on the file
- the characters 8 to 10 are the **others'** rights on the file (anyone who is neither the **user** nor in the **group**)

To change the file rights you can use the command `chmod` 

Use the command  `ls -l` to check the effect of the following options for `chmod`

```sh
chmod u+x .bashrc
```

```sh
chmod g=rw .bashrc
```

```sh
chmod o+r .bashrc
```

```sh
chmod u-x,g-w,o= .bashrc
```

What can you conclude about the symbols `+`, `=`, `-` and `,` with the `chmod` command?

> ### Numeric notation
>
> Another method for representing Unix permissions is an [octal](https://en.wikipedia.org/wiki/Octal) (base-8) notation as shown by `stat -c %a`. 
>
> | Symbolic  notation | Numeric  notation | English                                                      |
> | ------------------ | ----------------- | ------------------------------------------------------------ |
> | `----------`       | 0000              | no permissions                                               |
> | `-rwx------`       | 0700              | **read, write, & execute only for owner**                    |
> | `-rwxrwx---`       | 0770              | read, write, & execute for owner and group                   |
> | `-rwxrwxrwx`       | 0777              | read, write, & execute for owner, group and others           |
> | `---x--x--x`       | 0111              | execute                                                      |
> | `--w--w--w-`       | 0222              | write                                                        |
> | `--wx-wx-wx`       | 0333              | write & execute                                              |
> | `-r--r--r--`       | 0444              | read                                                         |
> | `-r-xr-xr-x`       | 0555              | read & execute                                               |
> | `-rw-rw-rw-`       | 0666              | read & write                                                 |
> | `-rwxr-----`       | 0740              | owner can read, write, & execute; group can only read; others have no permission |
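
The following POSIX shell script is an added example (not part of the course material): it converts the nine permission characters of `ls -l` into the octal notation of the table above and back, then replays the `chmod` steps of the exercise on a scratch file so the effect of `+`, `=`, `-` and `,` can be read directly. It assumes the symbolic input is exactly 9 characters from the set `rwx-` (no `s` or `t` bits).

```shell
#!/bin/sh
# Added example: symbolic <-> octal permission conversion, plus a chmod replay.
# Assumption: symbolic modes are 9 characters from "rwx-" (user, group, others).

sym_to_octal() {
  sym=$1
  out=""
  i=0
  while [ "$i" -lt 9 ]; do
    # take the next triplet: characters i+1 to i+3
    triplet=$(printf '%s' "$sym" | cut -c "$((i + 1))-$((i + 3))")
    digit=0
    case $triplet in r??) digit=$((digit + 4)) ;; esac   # read    = 4
    case $triplet in ?w?) digit=$((digit + 2)) ;; esac   # write   = 2
    case $triplet in ??x) digit=$((digit + 1)) ;; esac   # execute = 1
    out="$out$digit"
    i=$((i + 3))
  done
  printf '%s\n' "$out"
}

octal_to_sym() {
  out=""
  i=1
  while [ "$i" -le 3 ]; do
    d=$(printf '%s' "$1" | cut -c "$i")
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Apply the chmod steps of the exercise to a scratch file starting at 600 and
# print "spec  symbolic  octal" after each step (ls -l is used, so it is portable).
demo_chmod() {
  tmp=$(mktemp)
  chmod 600 "$tmp"
  for spec in 'u+x' 'g=rw' 'o+r' 'u-x,g-w,o='; do
    chmod "$spec" "$tmp"
    mode=$(ls -l "$tmp" | cut -c 2-10)
    printf '%-12s %s %s\n' "$spec" "$mode" "$(sym_to_octal "$mode")"
  done
  rm -f "$tmp"
}

demo_chmod
```

The last line printed by `demo_chmod` is `rw-r----- 640`: `u-x` and `g-w` each remove one bit while `o=` with nothing after it clears all the rights of others.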
The default group of your user is the first in the list of the groups you belong to. You can use the command `groups` to display this list. What is your default group?

The command `id` shows the same information, but with some differences. What are they?

Can you cross-reference this additional information with the content of the files `/etc/passwd` and `/etc/group`?

What is the user *id* of **root**?

When you create an empty file, the system default rights and your default group are used. You can use the command `touch` to create a file.

```sh
touch my_first_file.txt
```

What are the default rights when you create a file?

You can create folders with the command `mkdir` (**m**a**k**e **dir**ectories).

```sh
mkdir my_first_dir
```

What are the default rights when you create a directory? Try to remove the execution rights, what happens then?

You can see the **/root** home directory. Can you see its content? Why?

Create a symbolic link (`ln -s`) to your **.bashrc** file. What are the default rights of symbolic links?

Can you remove the writing right of this link? What happened?
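
The default rights of a new file or directory are not fixed: they are the creation mode (666 for a file, 777 for a directory) with the bits of the `umask` removed. The following POSIX shell script is an added example (not part of the course material) that computes this value and checks it against what `touch` and `mkdir` really do under a given umask; it assumes umask values are written as three octal digits and that the file system does not apply default ACLs.

```shell
#!/bin/sh
# Added example: predict default rights from the umask and verify them.
# Assumption: umask is given as three octal digits, no default ACLs in play.

# default_mode KIND MASK -> octal mode a new file ("file") or directory ("dir") gets
default_mode() {
  kind=$1
  mask=$2
  if [ "$kind" = dir ]; then base=0777; else base=0666; fi
  # a leading 0 makes the shell read the value as octal; ~ clears the masked bits
  printf '%03o\n' $(( base & ~0$mask ))
}

# verify_umask MASK -> "yes" if touch and mkdir produce the predicted modes
# (find -perm with a plain octal mode is an exact match, so this is portable)
verify_umask() {
  mask=$1
  dir=$(mktemp -d)
  ( umask "$mask" && touch "$dir/f" && mkdir "$dir/d" )
  ok=yes
  for item in "f file" "d dir"; do
    set -- $item
    expected=$(default_mode "$2" "$mask")
    if [ -z "$(find "$dir/$1" -prune -perm "$expected")" ]; then ok=no; fi
  done
  rm -rf "$dir"
  printf '%s\n' "$ok"
}

default_mode file 022   # prints 644
default_mode dir 022    # prints 755
verify_umask 022        # prints yes
verify_umask 077        # prints yes: files become 600, directories 700
```

Run `umask` in your terminal to see which value your shell uses; the value is stored per process, so changing it only affects files created afterwards by that shell and its children.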

## Users and Groups

We have seen how to change the rights associated with the group, but what about changing the group itself? The command `chgrp` allows you to do just that:

```sh
chgrp audio .bashrc
```

The next step is to change the owner of a file. You can use the command `chown` for that.

```sh
chown ubuntu my_first_file.txt
```

You can change the user and the group with this command:

```sh
chown ubuntu:audio my_first_file.txt
```

What are the rights on the program `mkdir` (the command `which` can help you find where program files are)?

Can you remove the execution rights for the others?

The command `cp` allows you to **c**o**p**y files from one location to another.

```sh
man cp
```

Copy the `mkdir` tool to your home directory. Can you remove the execution rights for the others on your copy of `mkdir`? Can you read the content of the `mkdir` file?

As a normal user you cannot change the owner of a file, but you can always allow another user to copy it and change the rights on their copy.

## Getting admin access

Currently you don’t have administrative access to your VM, this means that you don’t have the password to the *root* account. Another way to get administrative access in Linux is to use the `sudo` command.

You can read the documentation (manual) of the `sudo` command with the command `man`

```sh
man sudo
```

Like for the command `less`, you can close `man` by pressing **Q**.

![sandwich](https://imgs.xkcd.com/comics/sandwich.png)

On Ubuntu, only members of the group **sudo** can use the `sudo` command. Are you in this group?

**The root user can do everything in your VM, for example it can delete everything from the `/` directory but it’s not a good idea (see the [Peter Parker principle](https://en.wikipedia.org/wiki/With_great_power_comes_great_responsibility))**

One advantage of using a command line interface is that you can easily reuse commands written by others. Copy and paste the following command in your terminal to add yourself to the **sudo** group.

```sh
docker run -it --volume /:/root/chroot alpine sh -c "chroot /root/chroot /bin/bash -c 'usermod -a -G sudo etudiant'"
```

We will come back to this command later in this course when we talk about virtualisation.

You have to logout and login to update your list of groups. To logout from a terminal, you can type `exit` or press **ctrl** + **d**.

Check your user information with the `sudo` command

```sh
sudo id
```

You can try again the `chown` command with the `sudo` command.

Check the content of the file `/etc/shadow`. What is the purpose of this file (you can get help from the `man` command)?

## Creating Users

You can add a new user to your system with the command `useradd` (it modifies `/etc/passwd`, so it needs **root** rights, hence the `sudo`):

```sh
sudo useradd -m -s /bin/bash -g users -G adm,docker student
```

- `-m` create a home directory
- `-s` specify the shell to use
- `-g` the default group
- `-G` the additional groups

To log into another account you can use the command `su`.

What is the difference between the two following commands?

```sh
su student
```

```sh
sudo su student
```

What happens when you don't specify a login with the `su` command?

## Creating groups

You can add new groups to your system with the command `groupadd`

```sh
sudo groupadd dummy
```

Then you can add users to this group with the command `usermod`

```sh
sudo usermod -a -G dummy student
```

And check the result:

```sh
groups student
```

To remove a user from a group you can rewrite its list of groups with the command `usermod`

```sh
sudo usermod -G student student
```

Check the results.
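
Because `usermod -G` without `-a` replaces the whole list of additional groups, a command such as `usermod -G student student` also silently drops every other membership (`adm`, `docker`, ...), which is how users lose `sudo` by accident. The following POSIX shell script is an added example (not part of the course material) that rebuilds the `-G` list from the current `groups` output minus the one group to drop; it only prints the command it would run, since executing it needs **root** rights, and it assumes `groups user` prints `user : group1 group2 ...`.

```shell
#!/bin/sh
# Added example: build a safe "usermod -G" list that removes exactly one group.
# Assumption: input is a `groups user` line ("user : g1 g2 ...") or a bare list.

# groups_without GROUPS_LINE GROUP -> comma-separated list for usermod -G
groups_without() {
  line=$1
  drop=$2
  # keep only the part after ":" (a bare list without ":" is left unchanged)
  list=${line#*:}
  out=""
  for g in $list; do
    [ "$g" = "$drop" ] && continue   # skip the group being removed
    out="${out:+$out,}$g"            # join the rest with commas
  done
  printf '%s\n' "$out"
}

# remove_group_cmd USER GROUPS_LINE GROUP -> the usermod command to review
remove_group_cmd() {
  printf 'sudo usermod -G %s %s\n' "$(groups_without "$2" "$3")" "$1"
}

# Constructed sample: what `groups student` could print after the useradd
# and usermod commands of this course.
sample='student : users adm docker dummy'
remove_group_cmd student "$sample" dummy
# prints: sudo usermod -G users,adm,docker student
```

Compare this with the course's `sudo usermod -G student student`, which leaves `student` in no additional group at all; on a real system, pipe the real `groups` output into `groups_without` and read the command before running it.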

## Security-Enhanced Linux

While what you have seen in this section holds true for every Unix system, additional rules can be applied to control rights in Linux. This is what is called [SE Linux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) (**s**ecurity-**e**nhanced **Linux**).

When SE Linux is enabled on a system, every **process** can be assigned a set of rights. This is how, on Android for example, some programs can access your GPS while others cannot. In this case it is not the user's rights that prevail, but those of the **process** launched by the user.

> We have seen the commands:
>
> - `chmod` to change rights
> - `touch` to create an empty file
> - `mkdir` to create a directory
> - `chgrp` to change associated group
> - `chown` to change owner
> - `man` to display the manual
> - `cp` to copy files
> - `sudo` to borrow **root** rights
> - `groupadd` to create groups
> - `groups` to list groups
> - `usermod` to manipulate users' groups

[To understand more about processes you can head to the next section.](./6_unix_processes.html)