Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter I - Foundation / 01. Operating Systems / Linux / 03. Users & Groups

Users & Groups

Modern operating systems are designed to support multiple users.

Without user separation:

  • Any user could access any file
  • Any user could modify system settings
  • Any user could impersonate another user
  • Security boundaries would not exist

Linux solves this problem through users and groups.

Together, they form the foundation of authentication, authorization, ownership, and access control.


What Is a User?

A user represents an identity recognized by the operating system.

Examples:

alice
peter
root
www-data
mysql

Users may represent:

TypeExample
Human usersalice
Administratorsroot
Servicesmysql
Web applicationswww-data
System componentsnobody (a highly restricted account traditionally used by some services when no dedicated service account exists)

Not every user corresponds to a real person.

Many exist solely to run services securely.

Modern distros rely less on nobody and typically create dedicated users.


User Accounts

Linux stores local user information within:

/etc/passwd

Example:

alice:x:1000:1000:Alice:/home/alice:/bin/bash

Each field contains information about the account.

Important information includes:

ComponentPurpose
UsernameAccount name
UIDUser Identifier
Home DirectoryUser workspace
ShellLogin shell

User Identifiers (UIDs)

Linux internally identifies users using numeric IDs known as UIDs.

Examples:

UserUID
root0
alice1000
peter1001
mysql999 (distro-dependent, but you get the idea)

The operating system ultimately trusts the UID, not the displayed username.

This distinction becomes important during investigations and privilege escalation.


The Root User

Linux contains a special administrative account:

root

Characteristics:

  • UID 0
  • Full system control
  • Can bypass most permission restrictions
  • Can access nearly all files
  • Can modify system configuration
  • Can manage other users

Root is conceptually similar to:

PlatformEquivalent
Linuxroot
WindowsSYSTEM

The Root Home Directory

Most user home directories reside under:

/home

Examples:

/home/alice
/home/peter

Root is different.

Root's home directory is:

/root

Examples:

UserHome Directory
alice/home/alice
peter/home/peter
root/root

This separation helps isolate administrative activity from standard user activity.


What Is a Group?

A group is a collection of users.

Groups simplify permission management.

Instead of assigning permissions individually:

alice
peter
bob

permissions can be granted to a group:

developers

and all members inherit access.


Group Examples

Examples:

developers
admins
docker
sudo
www-data

A user may belong to multiple groups simultaneously.

Example:

UserGroups
alicedevelopers, docker
peterdevelopers
rootroot
www-datawww-data

The sudo group is commonly configured to allow members to execute commands as other users, including root.

The exact permissions are determined by sudo configuration (defined in /etc/sudoers).


Group Information

Linux stores group information within:

/etc/group

Example:

developers:x:1001:alice,peter

This identifies:

  • Group name
  • Group ID (GID)
  • Group members

Primary and Secondary Groups

Every user has:

  • One primary group
  • Zero or more secondary groups

Example:

UserPrimary GroupSecondary Groups
alicealicesudo, docker
peterpeterdevelopers
bobbobdevelopers, analysts

This allows Linux to make access-control decisions efficiently.


Authentication

Authentication answers a simple question:

Who are you?

Examples:

  • Passwords
  • SSH keys
  • Certificates
  • MFA

Successful authentication establishes a user identity.

Examples:

alice
peter
root

Once authenticated, Linux knows who is interacting with the system.


Authorization

Authorization answers a different question:

What are you allowed to do?

Examples:

ActionAuthorization Required
Read fileYes
Modify fileYes
Install softwareYes
Start serviceYes
Reboot systemYes

Authentication identifies the user.

Authorization determines access.

Linux ultimately makes authorization decisions based on UIDs and GIDs rather than usernames and group names.

Names exist primarily for human readability.


Service Accounts

Many Linux services run as dedicated users.

Examples:

ServiceCommon User
Apachewww-data (can be apache)
Nginxwww-data (can be nginx)
MySQLmysql
PostgreSQLpostgres

This limits the damage that can occur if a service is compromised.

Instead of running as root, the service operates within a restricted context.


Operator Perspective

When approaching an unfamiliar Linux system, Operators commonly ask:

Users

  • What users exist?
  • Which users are interactive?
  • Which users appear unusual?

Groups

  • What groups exist?
  • Who belongs to privileged groups?
  • What permissions do groups provide?

Root Access

  • Who can become root?
  • Who has sudo access?
  • Has root activity occurred recently?

Services

  • Which accounts run services?
  • Are service accounts overly privileged?

Investigations

  • Which user performed an action?
  • Which account executed a process?
  • Which account created a file?

Many investigations ultimately become questions about identity.


Key Takeaways

  • Users represent identities.
  • Groups represent collections of users.
  • Linux internally identifies users using UIDs.
  • Linux internally identifies groups using GIDs.
  • Root is the highest-privileged local account.
  • Root uses the home directory /root.
  • User information is stored in /etc/passwd.
  • Password hashes are stored in /etc/shadow
  • Group information is stored in /etc/group.
  • Authentication determines identity.
  • Authorization determines access.
  • Service accounts provide isolation for applications and services.

Understanding users and groups provides the foundation required to understand permissions, privileges, ownership, and access control.