Modern operating systems are designed to support multiple users.
Without user separation:
- Any user could access any file
- Any user could modify system settings
- Any user could impersonate another user
- Security boundaries would not exist
Linux solves this problem through users and groups.
Together, they form the foundation of authentication, authorization, ownership, and access control.
What Is a User?
A user represents an identity recognized by the operating system.
Examples:
alice
peter
root
www-data
mysql
Users may represent:
| Type | Example |
|---|---|
| Human users | alice |
| Administrators | root |
| Services | mysql |
| Web applications | www-data |
| System components | nobody (a highly restricted account traditionally used by some services when no dedicated service account exists) |
Not every user corresponds to a real person.
Many exist solely to run services securely.
Modern distros rely less on nobody and typically create dedicated users.
User Accounts
Linux stores local user information within:
/etc/passwd
Example:
alice:x:1000:1000:Alice:/home/alice:/bin/bash
Each field contains information about the account.
Important information includes:
| Component | Purpose |
|---|---|
| Username | Account name |
| UID | User Identifier |
| Home Directory | User workspace |
| Shell | Login shell |
User Identifiers (UIDs)
Linux internally identifies users using numeric IDs known as UIDs.
Examples:
| User | UID |
|---|---|
| root | 0 |
| alice | 1000 |
| peter | 1001 |
| mysql | 999 (distro-dependent, but you get the idea) |
The operating system ultimately trusts the UID, not the displayed username.
This distinction becomes important during investigations and privilege escalation.
The Root User
Linux contains a special administrative account:
root
Characteristics:
- UID 0
- Full system control
- Can bypass most permission restrictions
- Can access nearly all files
- Can modify system configuration
- Can manage other users
Root is conceptually similar to:
| Platform | Equivalent |
|---|---|
| Linux | root |
| Windows | SYSTEM |
The Root Home Directory
Most user home directories reside under:
/home
Examples:
/home/alice
/home/peter
Root is different.
Root's home directory is:
/root
Examples:
| User | Home Directory |
|---|---|
| alice | /home/alice |
| peter | /home/peter |
| root | /root |
This separation helps isolate administrative activity from standard user activity.
What Is a Group?
A group is a collection of users.
Groups simplify permission management.
Instead of assigning permissions individually:
alice
peter
bob
permissions can be granted to a group:
developers
and all members inherit access.
Group Examples
Examples:
developers
admins
docker
sudo
www-data
A user may belong to multiple groups simultaneously.
Example:
| User | Groups |
|---|---|
| alice | developers, docker |
| peter | developers |
| root | root |
| www-data | www-data |
The sudo group is commonly configured to allow members to execute commands as other users, including root.
The exact permissions are determined by sudo configuration (defined in /etc/sudoers).
Group Information
Linux stores group information within:
/etc/group
Example:
developers:x:1001:alice,peter
This identifies:
- Group name
- Group ID (GID)
- Group members
Primary and Secondary Groups
Every user has:
- One primary group
- Zero or more secondary groups
Example:
| User | Primary Group | Secondary Groups |
|---|---|---|
| alice | alice | sudo, docker |
| peter | peter | developers |
| bob | bob | developers, analysts |
This allows Linux to make access-control decisions efficiently.
Authentication
Authentication answers a simple question:
Who are you?
Examples:
- Passwords
- SSH keys
- Certificates
- MFA
Successful authentication establishes a user identity.
Examples:
alice
peter
root
Once authenticated, Linux knows who is interacting with the system.
Authorization
Authorization answers a different question:
What are you allowed to do?
Examples:
| Action | Authorization Required |
|---|---|
| Read file | Yes |
| Modify file | Yes |
| Install software | Yes |
| Start service | Yes |
| Reboot system | Yes |
Authentication identifies the user.
Authorization determines access.
Linux ultimately makes authorization decisions based on UIDs and GIDs rather than usernames and group names.
Names exist primarily for human readability.
Service Accounts
Many Linux services run as dedicated users.
Examples:
| Service | Common User |
|---|---|
| Apache | www-data (can be apache) |
| Nginx | www-data (can be nginx) |
| MySQL | mysql |
| PostgreSQL | postgres |
This limits the damage that can occur if a service is compromised.
Instead of running as root, the service operates within a restricted context.
Operator Perspective
When approaching an unfamiliar Linux system, Operators commonly ask:
Users
- What users exist?
- Which users are interactive?
- Which users appear unusual?
Groups
- What groups exist?
- Who belongs to privileged groups?
- What permissions do groups provide?
Root Access
- Who can become root?
- Who has sudo access?
- Has root activity occurred recently?
Services
- Which accounts run services?
- Are service accounts overly privileged?
Investigations
- Which user performed an action?
- Which account executed a process?
- Which account created a file?
Many investigations ultimately become questions about identity.
Key Takeaways
- Users represent identities.
- Groups represent collections of users.
- Linux internally identifies users using UIDs.
- Linux internally identifies groups using GIDs.
- Root is the highest-privileged local account.
- Root uses the home directory
/root. - User information is stored in
/etc/passwd. - Password hashes are stored in
/etc/shadow - Group information is stored in
/etc/group. - Authentication determines identity.
- Authorization determines access.
- Service accounts provide isolation for applications and services.
Understanding users and groups provides the foundation required to understand permissions, privileges, ownership, and access control.