Determine identity and group membership

Author: Cezary Morga cm@therek.net FreeBSD


Concept

In the context of the Unix permission system, determining one's identity and group membership is essential to knowing what authorizations are available. Be able to determine and, as required, change identity or group membership.

Introduction

A user's privileges determine what kind of access (if any) that user has to given files and directories. Groups are a means to simplify user management.

Examples

We can determine our identity -- that is, our username and the groups to which we belong -- using the id, groups and whoami commands.

Our username can be determined by simply executing the whoami command without any parameters.

    $ whoami
    user

In the above example we're logged into the system under the username user. The whoami command is equivalent to id -un.

The groups command lets us check which groups we're currently assigned to. It can also be used to check another existing user's group membership. Executing groups without a username displays information about us.

    $ groups
    users audio mail cvs
    $ groups john
    users mail
    $ groups mike
    groups: mike: no such user

The groups command is equivalent to id -Gn.

The id command takes a few arguments and can output a lot of information about a given user. In its most basic usage it displays our user ID (uid), our primary group ID (gid) and the groups to which we belong.

    $ id
    uid=1001(user) gid=100(users) groups=100(users), 92(audio), 1003(mail), 1004(cvs)

It can also be used to display the very same information about another user.

    $ id john
    uid=1002(john) gid=100(users) groups=100(users), 1003(mail)

Note that the above-mentioned commands will not display our new group membership until we log out and log in again.
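The note above in script form, as an added example that is not part of the original guide: id -Gn without a username reports the groups held by the running process, while id -Gn with a username looks that user up in the group database, so comparing the two reveals a membership change this login has not picked up yet. The function names group_diff and check_stale_groups are hypothetical, and group names are assumed to contain no spaces.

```sh
#!/bin/sh
# Added example, not from the original guide.
# Assumption: group names contain no spaces or glob characters.

# group_diff SESSION DATABASE
# Each argument is a space-separated list of group names (id -Gn format).
# Prints "+name" for groups found only in DATABASE (granted, not yet active)
# and "-name" for groups found only in SESSION (removed, still held).
group_diff() {
    session=" $1 "
    database=" $2 "
    out=""
    for g in $2; do
        case "$session" in
            *" $g "*) ;;
            *) out="$out +$g" ;;
        esac
    done
    for g in $1; do
        case "$database" in
            *" $g "*) ;;
            *) out="$out -$g" ;;
        esac
    done
    echo "${out# }"
}

# Compare what this process holds with what the group database records.
check_stale_groups() {
    user=$(id -un) || return 2
    current=$(id -Gn) || return 2            # groups of the running process
    recorded=$(id -Gn "$user") || return 2   # groups listed in the database
    delta=$(group_diff "$current" "$recorded")
    if [ -z "$delta" ]; then
        echo "$user: session groups match the group database"
        return 0
    fi
    echo "$user: session differs from the group database: $delta"
    return 1
}

# Status 1 means a mismatch, 2 means id itself failed.
check_stale_groups || :
```

A +cvs in the output means the database already lists us in cvs but this login does not hold that group yet; a -cvs means we were removed from cvs but the running session still has it.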

As explained above, some commands let us look at another user's identity information, which can be useful to system administrators for checking on other logged-in users. To see who is currently logged in, execute the who command:

    $ who
    root ttyv1 Jan 4 23:16
    user ttyp0 Jan 5 22:19 (192.168.86.11)

This command outputs some more information about all logged-in users: username, tty name, date and time of login, and the remote host's IP address if the login is not local. It can also display the very same information only about us:

    $ who am I
    user ttyp0 Jan 5 22:19 (192.168.86.11)

Finally, having determined who we are -- our username and group membership -- we may sometimes need to switch to a more privileged account (most commonly root) without completely logging out the current user. To do so, we'll use the su command.

The su command may be given with or without a username. Given without a username, su switches to the superuser root. The password is not echoed in any form (not even as * marks).

    $ whoami
    user
    $ su
    Password:
    # whoami
    root

Most commonly, when switching to a normal user account, we'd like to simulate a full login. This is done with the - parameter:

    $ whoami
    user
    $ echo $HOME
    /home/user
    $ su - john
    Password:
    $ whoami
    john
    $ echo $HOME
    /home/john

Practice Exercises

  1. Compare the output of whoami and id -un commands.
  2. Compare the output of groups and id -Gn commands.
  3. Try executing id with a variation of all parameters described in the id(1) system manual.
  4. Try checking information on both existing and nonexistent users.
  5. Try executing who with arguments: -H, -q, -m, and -u.
  6. Check the result of su command with parameters: -, -l, and -m.

More information

id(1), groups(1), who(1), whoami(1), su(1)