Whether your Linux box has hundreds of users or just one account for you and one for your dog it is important to understand how Linux user accounts work. There are GUI tools for this within GNOME and KDE but here we lift the lid on the bonnet to show what really makes a user exist, and what these commands are doing to your filesystem.

Many users can be logged on to the one Linux computer all at the same time, by remote connections over the Internet or a network, or through terminals that boot from the Linux computer.

Linux has one special user called root. This super-user can read any file and write to any file. File permission restrictions do not affect the super-user.

Every other user is subject to file permission constraints. This means a typical user cannot wander into directories where they do not have permission. They can’t read files that they are not permitted to read. They can’t edit or delete files unless they are allowed to do so.

This is why we say above that programs like Web servers might run with limited access to the system – they will run under some sort of user account like “www” or “http”. The Web server can deliver files and take requests and can write to its own logs. The Web server might even run CGI programs to perform tasks like database manipulation. However, if the Web server runs under a typical user account, then a rogue CGI program can not, for example, delete the all-important password file. The CGI program is subject to file permission restrictions. If the Web server ran as root, the rogue CGI program could do any damage it liked.

Fortunately, most Linux distros enforce good security practices from the get-go by actively encouraging users to log in as an ordinary account, and only become root when required. This minimises the potential destructive power of root. One reason Linux is generally considered to have less security concerns than Windows is not even due to any software protection but simply this practice which was never generally enforced in the Windows world.

/etc/passwd

One of the most critical of all files in Linux is /etc/passwd. All user accounts are stored here, with identifying information like so:

For example, a user “fred” who was added as user 200 and group 100 has an entry that might look like this:

Ironically, passwords are no longer stored in the password file and the “x” in the password field indicates this information is being shadowed. Originally, the encrypted password could be found here. By necessity, all users can read the password file which meant a glaring security risk existed; tools could very easily encrypted dictionary words and compare these to the contents of this file. By contrast, the shadow password file – generally /etc/shadow – is only readable by root.