Skip to main content

Users and Groups in Operating Systems

What are Users?

Users are entities allowed to perform actions on processes and files in an operating system. Modern desktop operating systems are multiuser, meaning multiple users can execute programs simultaneously.

User Capabilities

When a user logs in, the system provides an environment with access to:

File Operations

  • Read files
  • Modify content
  • Change ownership
  • Delete files

Process Execution

  • Launch applications
  • Access configurations
  • Use hardware resources
  • All within permission bounds

Multi-user Environment

Modern systems support multiple concurrent login sessions:
  • Console logins (tty1-6 in Linux)
  • Graphical sessions (tty7 in Linux)
  • Remote connections (SSH, RDP)

What are Groups?

Groups are collections of users that can be assigned permissions collectively. Why use groups?
1

Create a Group

Define a group for a specific purpose (e.g., “developers”)
2

Assign Permissions

Grant permissions to the group (e.g., access to /var/www)
3

Add Users

Add all relevant users to the group
4

Automatic Inheritance

Users automatically receive group permissions
This is much more efficient than assigning permissions to individual users.

Windows Users and Groups

Built-in Users

UserDescription
AdministratorFull system access, created during installation
GuestLimited access for temporary users
DefaultUser0Template for new user profiles

Built-in Groups

GroupDescription
AdministratorsComplete and unrestricted access to computer/domain
UsersCan run most applications but cannot make system changes
Power UsersCompatibility group with limited admin rights
Remote Desktop UsersCan log in remotely
Backup OperatorsCan override security for backup/restore operations
GuestsSame access as Users, but more restricted
Network Configuration OperatorsCan manage network features
IIS_IUSRSUsed by Internet Information Services
Hyper-V AdministratorsFull access to Hyper-V features
Event Log ReadersCan read event logs
Performance Monitor UsersCan access performance counter data

Access Control in Windows

How Access Control Works

1

User Authentication

User logs in and receives an authentication token from the security subsystem
2

Resource Access Attempt

User tries to access an object (file, printer, etc.)
3

Token Presentation

User’s token is presented to the system
4

ACL Comparison

System compares token with object’s Access Control List (ACL)
5

Decision

Access granted or denied based on Access Control Entries (ACE)

ACE Types

For Files:
  • Read (r): View file contents
  • Write (w): Modify files
  • Execute (x): Run programs
For Printers:
  • Print documents
  • Manage printers
  • Manage documents

ACL Evaluation Order

The system checks ACEs in descending order:
  1. Check each ACE sequentially
  2. First allow or deny match returns immediately
  3. If no match found at end, deny access
Explicit deny permissions always override allow permissions.

NTFS Permissions

NTFS (NT File System) supports detailed permissions: Standard Permissions:
  • Full Control
  • Modify
  • Read & Execute
  • Read
  • Write
Permission Targets:
  • Groups
  • Users
  • Computer accounts (in domains)
  • Domain users and groups
  • Local users and groups

Permission Inheritance

Objects inherit permissions from parent containers:
  • Owner: Creator of object (can always change permissions)
  • Child objects: Automatically inherit parent permissions (if enabled)
  • Benefit: Easier administration and consistent security
Example: When you create files in a folder, they inherit the folder’s permissions.

User Rights

User rights differ from permissions:
AspectPermissionsUser Rights
Apply toObjects (files, printers)User accounts
ExamplesRead, Write, ExecuteLog on locally, Backup files
LocationObject propertiesSecurity Policy → User Rights Assignment
Best Practice: Assign user rights to groups rather than individual users.

Linux Users and Groups

User Management

Linux is a multiuser system that uses different users for secure management of applications and services.

User Login Requirements

  • Login name (username)
  • Password
Don’t confuse login name with full name. Login is typically lowercase, no spaces.

The root User

The root user (UID 0) is the superuser:
  • Full system access
  • Can create/delete users
  • Unrestricted file system access
  • Can modify any system setting
Ubuntu Approach:
  • root account is disabled by default
  • Use sudo for administrative tasks
  • Adds security layer (must know specific user account)
Other Distributions:
  • root account enabled
  • Direct root login disabled via SSH
  • Must log in as regular user first

User Information Storage

FileContents
/etc/passwdUser account information
/etc/shadowEncrypted passwords and password policies
/etc/groupGroup information and memberships

User Directories

  • Regular users: /home/username
  • root user: /root

Group Management

Groups allow assigning privileges to multiple users:
  • Primary group: Created automatically with same name as user
  • Secondary groups: Users can belong to multiple groups
  • Group ID (gid): Numeric identifier
  • User ID (uid): Numeric identifier (root is always 0)

Check User ID and Groups

id
Output: 
uid=1000(violin) gid=1000(violin) groups=1000(violin),27(sudo),100(users)

User Administration Commands

Creating Users

# Basic user creation
sudo useradd violonchelo

# Show defaults
useradd -D
adduser is preferred as it creates home directory, sets up shell, and provides interactive prompts.

Setting Passwords

# Set password for user
sudo passwd violin
# Prompts twice for password
Using chpasswd in scripts is risky - passwords are known to multiple people. Force password change on first login for security.

Modifying Users

# Change home directory
sudo usermod -d /home/primer_violin violin

# Change shell
sudo usermod -s /bin/zsh violin

# Add to secondary groups
sudo usermod -G users,disk violin

# Set account expiry
sudo usermod -e 2025-12-31 violin

# Lock account
sudo passwd -l violin

# Unlock account
sudo passwd -u violin

Deleting Users

# Delete user (keep home directory)
sudo userdel viola

# Delete user and home directory
sudo userdel -r viola

Group Management

# Create new group
sudo groupadd metal
sudo addgroup viento

User Information Commands

# Show user IDs and groups
id violin

# List logged-in users
who
who am i

# Detailed user activity
w
w violin

# Last logins
last

# Active user database (includes LDAP)
getent passwd
getent group

Switching Users

# Switch to root (login shell)
su -

# Switch to specific user
su violin

# Run single command as root
su -c "cat /etc/shadow"

File Permissions

Linux Permission System

Owner and Group

Every file has:
  • User owner: Creator of the file
  • Group owner: Primary group of creator
ls -l
Output: 
-rw-r--r-- 1 violin cuerda 359 2024-03-06 18:02 apuntes.doc
  • Owner: violin
  • Group: cuerda

Permission Types

Read Permission (r)

For files:
  • View file contents
  • Open with applications
For directories:
  • List directory contents
  • See files and subdirectories

Write Permission (w)

For files:
  • Modify file contents
  • Delete file
  • Change permissions (chmod)
  • Change ownership (chown)
For directories:
  • Create files and subdirectories
  • Delete files and subdirectories

Execute Permission (x)

For files:
  • Run as program/script
For directories:
  • Enter directory (cd)
  • Access files within (if you know names)

Permission Targets

Permissions can be granted to:
  1. User owner (u)
  2. Group owner (g)
  3. Others (o) - all other users
You cannot assign permissions to specific users or groups beyond owner/group owner. To grant access to specific users, add them to the group owner.

Viewing Permissions

ls -l
Output format: 
-rw-r--r-- 1 violin cuerda 11 2024-03-06 19:26 examen.txt
│││││││││
│└┬┘└┬┘└┬┘
│ │  │  └─ Others: read
│ │  └──── Group: read
│ └─────── User: read, write
└────────── File type (- = regular file)
File type indicators:
  • - : Regular file
  • d : Directory
  • l : Symbolic link
  • s : Socket
  • p : Pipe
  • b : Block device

Changing Permissions (chmod)

Symbolic Method

# Add permission
chmod u+w examen.txt      # User: add write
chmod g+x script.sh       # Group: add execute
chmod o+r doc.txt         # Others: add read

# Remove permission
chmod o-w examen.txt      # Others: remove write
chmod g-r doc.txt         # Group: remove read

# Multiple changes
chmod u+w,g-r,o-r examen.txt

# Multiple targets
chmod ug+w examen.txt     # User and group: add write

# Set exact permissions
chmod u=rwx,g=rx,o=r file.txt

Numeric Method

Permissions as octal numbers:
NumberBinaryPermissions
0000---
1001—x
2010-w-
3011-wx
4100r—
5101r-x
6110rw-
7111rwx
# rwx r-x r-- (755)
chmod 755 script.sh

# rw- r-- r-- (644)
chmod 644 document.txt

# rwx ------ (700)
chmod 700 private.sh

# Recursive
chmod -R 755 /var/www

Changing Ownership (chown)

# Change owner
sudo chown viola examen.txt

# Change owner and group
sudo chown viola:viola examen.txt
sudo chown violonchelo:instrumentos examen.txt

# Recursive
sudo chown -R www-data:www-data /var/www

Special Permissions

SUID (Set User ID)

File executes with owner’s permissions: 
# Set SUID
chmod u+s program
chmod 4755 program
SUID on root-owned files is a security risk. Use carefully.

SGID (Set Group ID)

On files: Execute with group’s permissions On directories: New files inherit directory’s group 
# Set SGID
chmod g+s directory
chmod 2755 directory
Use case: Shared project directory where all files should belong to project group.

Sticky Bit

On directories: Only file owner can delete files 
# Set sticky bit
chmod +t directory
chmod 1777 /tmp
Example: /tmp directory - users can create files but only delete their own.

umask

Default permissions for new files/directories:
  • Default file: 666 (rw-rw-rw-)
  • Default directory: 777 (rwxrwxrwx)
  • umask: Subtracts from defaults
# View current umask
umask

# Set umask (022 = u=rwx,g=rx,o=rx)
umask 022
# New files: 644 (rw-r--r--)
# New dirs: 755 (rwxr-xr-x)

# Set umask (002 = u=rwx,g=rwx,o=rx)
umask 002
# New files: 664 (rw-rw-r--)
# New dirs: 775 (rwxrwxr-x)

Windows NTFS Permissions

NTFS supports detailed permissions, but basic concepts are similar:
  • Read: View files and folders
  • Write: Create and modify files
  • Execute: Run programs, access folders
FAT32 file system does NOT support permissions - all users have full access to all files.
Key differences from Linux:
  • More granular permission control
  • Explicit deny permissions
  • Permission inheritance settings
  • Can assign to specific users (not just owner/group/others)

Best Practices

1

Principle of Least Privilege

Grant minimum permissions necessary for tasks
2

Use Groups

Assign permissions to groups, not individual users
3

Regular Audits

Review user accounts and permissions periodically
4

Document Everything

Keep records of permission structures and reasons
5

Test Changes

Verify permissions work as intended before deploying

Build docs developers (and LLMs) love

Get started for freeTalk to us