Side question:
Know a good place I can learn linux user/group/permission management?
I don’t understand it well enough so I do a stupid amount of things as root…
A good start is using something like sudo rather than logging in as root.
sudo gives your command root permission when it runs. That way you can delete the password from the root account and it can’t be logged in with. sudo will ask for YOUR password and then check if you have permissions to elevate your command to root level.
In a simple setup, you can just use for anything you would normally do as root.
This can protect you from mistakes too, when running commands that you’ve mistyped. For example, if you want to do “rm -rf ./*” to delete all files in the current directory, but you forget the dot (period); if you’re at a root prompt, you just deleted your entire filesystem. If you’re not, then you get a permission error.
How do I manage what users can use sudo?
One issue is trying to create a user to run services under, but not knowing how to give it permission to access what it needs (while also not entirely sure what it should/shouldn’t have permissions for).
Or just generally managing file permissions. I understand using chmod in a very basic capacity with a few letter arguments like +r, but then you toss in numbers (chmod 777, wut?) and I get lost.
The /etc/sudoers
file is what you’d need to edit, and you’d use the visudo
command to edit it.
chmod
is indeed used for file permissions, but you can also use SELinux or AppArmor for more access/role/action based permissions (aka Mandatory Access Controls) instead of just limiting yourself to file permissions (aka Discretionary Access Control). There’s also udev rules (for device/sysfs access) and PAM (Pluggable Authentication Modules). Then there’s cgroups and namespaces for process limits and sandboxing. Really depends on what you’re trying to achieve.
But is there any reason why you’re looking into micromanaging service permissions? Most users, or even power users wouldn’t need to touch that stuff at all.
If it’s in a corporate environment, you’d already be running something like SELinux or similar and you’d apply a baseline security profile that meets various compliance specs. Very rarely would you have to mess with permissions of a service.
If this is for personal stuff, you’d just make use of multiple user accounts (if it’s a multi-user system), or just sandboxing (containers, flatpak etc) to run untrustworthy stuff like web browsers. None of this stuff would require you to touch chmod.