Users and groups in a LAMP stack

What are Users and Groups?

In every system the files and directories of the system are “owned” by a user. This user is a virtual user which is registered/created by your system. It’s just like on your computer, whether you are on Windows, MacOS or Linux, you are connected as a user. This user has some rights and some restrictions. On Windows or MacOS X you may not see these restrictions if you are running your usual programs because you have the rights to execute them. It’s the same for the files and directories, the ones that you see and you can open are the only ones you have access to. But there are many other files used by your system to make all the things running, and these ones are not displayed to you.

Regarding the groups, that’s almost the same: Groups have restrictions on files and directories. A group can actually have several users and a user can be part of different groups.

Let’s see this in more detail hereafter.

Why are there users and groups? What are they for?

Having users with some specific rights allows the system to be secured. A user with little access cannot execute or modify files that are needed by the operating system to run, for example. He will just be able to run, modify or create files in his/her own space on the server.

A file or a directory is obligatorily associated to a user and a group. It can be a user and a different group (a user and a group which this user doesn’t belong to).

Let’s take the following exemple:

We have three websites on our server:

– domain1.com which belongs to the user “domain1” and the group “domain1”
– domain2.com which belongs to the user “domain2” and the group “domain2”
– domain3.com which belongs to the user “domain3” and the group “domain3”

In this example where each directory is owned by a specific user and its specific group, only the user “domain1” can use and modify the elements related to domain1.com, only the user “domain2” can use and modify the elements related to domain2.com, etc.

This allows to make sure that user “domain1” cannot change any elements on domain3.com for instance.

On the other hand, we might wish to have a super user who can modify elements on domain1.com, domain2.com and domain3.com. In this case – let’s call this user “superuser” belonging to the group “superpower” – we need to indicate that domain1.com, domain2.com and domain3.com belong to the group “superpower”.

Thus, domain1.com belongs to the user “domain1” and the group “superpower”, same for domain2.com belonging to the user “domain2” and the group “superpower” and domain3.com belonging to the user “domain3” and the group “superpower”.

All users in the group “superpower” (in our case just “superuser”, but there could be others as well), can now modify domain1.com, domain2.com and domain3.com.

This allows to give different access at different levels to different people. You, as an admin for instance, could have the right to modify these three websites without having to connect to three different user accounts on the server.

How did we get there? In the first course about understanding and using a web hosting, we have seen how to use FTP and create FTP access. When you have created a FTP access you started creating a user. Then you have logged in to your server with this user and the associated password. This user has some rights on your server, especially he/she can send or create files in a specific directory, the one where your website files are located. This is an example of a user on the Linux system of your server. Many other users are automatically created by your operating system. We will see some of them later, especially one, the “root” user, a super user referring to our example above.

How can I know the limitation of a specific user?

A user has usually the rights on a specific directory. For instance, let’s imagine you have installed a WordPress website on your Linux server. Your website may be installed in a folder named “mywebsite.com”. This folder is owned by the user who has the rights on it. In addition the user may have some other rights, especially about how to connect to the server. In the example of your FTP user, you can see that this user has the rights to create, send or execute some files on your server but he/she has also the right to connect through an FTP connection to your server. Being able to connect through FTP is another kind of right.

In Linux the file which lists the users and their permissions is named “passwd” and it is located in the “/etc/” folder at the root of your server. We will see how to open this file later. By opening it you would see a list like this:

users-groups-permissions-linux

Each line of this file corresponds to a user information:

username:password:user identifier:group identifier:comment:home of the user:kind of shell access

Obviously, the password is not displayed and replaced by “x”. The “user identifier” (uuid – user unique identifier) is a number as well as the group (guid) to which the user belongs. The comment is often the name of the user, it’s not really important besides having some extra information about the user. The home of the user is the directory of the user, for example for your FTP user, his/her home is the folder that contains the files of your website. The shell access is something we’ll see in the course related to how to use a secure shell connection.

The file permissions

Now we’ve seen what is a user and we have the basic understanding about what is a user and his/her rights, let’s see another kind of permission: The file permissions.

A file can have 3 kind of permissions: read, write, execute. A user can have the right to read only, to read and write only or to read and execute only. He/she can also have the full right to read, write and execute. You will see these permissions displayed using the letters r, w and x, for “read”, “write” and “execute”:

drwxr-xr-x  4 vps psacln  4096 Jul 14  2015 img

-rw-r--r--  1 vps psacln  8705 Jul 14  2015 index.html

drwxr-xr-x 11 vps psacln  4096 Jul 14  2015 test

In this example, the “d” is for “directory”, because “img” and “test” are directories while “index.html” is a file.

Why are there 3 batches of permissions? Because the permissions must be set for: the user and the group who own the file or the directory, and also the others (the ones who don’t own the file). In the example above here is the translation for the different items:

  • “img” directory: the user can read, write and execute, the group can read and execute, the others can read and execute
  • “index.html” file: the user can read and write, the group can read only, the others can read only
  • “test” directory: the user can read, write and execute, the group can read and execute, the others can read and execute

These permissions are often replaced by numbers:

  • “read” is worth 4 points
  • “write” is worth 2 points
  • “execute” is worth 1 point

In our example, the translation in numbers would be:

  • “img” directory: 755
  • “index.html” file: 644
  • “test” directory: 755

If you set a file to 777 that means anyone (any user) can read, write and execute this file. That can be a breach of security unless this file is not important for your system, your website or whatever.