LAB-USER-01 - Understanding Users & Identity

Understand how Linux translates human usernames into kernel UIDs and GIDs, and explore the central registry files.

30 min BEGINNER LINUX Curriculum-reviewed
Success criteria
  • Understand how Linux translates human usernames into kernel UIDs and GIDs, and explore the central registry files.
  • Repeat the workflow without copy-paste or step-by-step prompting.
Safety notes
  • Use throwaway accounts or a lab VM when creating, deleting, or modifying users and groups.

Part A: The Field Guide


🎯 What & Why

In Linux, security is entirely identity-based. Every file, process, and socket is owned by an “Identity.”

Before you learn how to make users, you must understand what a user actually is to the Linux kernel.

Here is the secret: The computer does not know who “alice” or “bob” is. The computer only knows numbers. Names are just human-readable sticky notes attached to integer IDs. If you don’t understand the mapping between Names and Numbers, diagnosing permission errors will be impossible.


🧠 Mental Model: The Social Security Number

Imagine a massive corporation.

  1. The Human Name: “Alice Smith.” This is printed on her office door. This is the Username (alice).
  2. The Employee ID: 1005. This is what HR actually uses in the database. If Alice changes her last name, her Employee ID stays 1005. In Linux, this is the UID (User ID).
  3. The Department ID: 2000 (Accounting). Alice belongs to a primary department. In Linux, this is the GID (Group ID).

When a process tries to open a file, the Linux kernel essentially says: “I don’t care about your username. Are you UID 1005? Does UID 1005 have permission?”

Linux uses the /etc/passwd file as the unified translator to map alice to 1005.


📖 Key Concepts

UID (User ID) Ranges

Different numbers mean different things to the system:

  • UID 0: The Almighty God (Root). It bypasses all security checks automatically.
  • UID 1 - 999: System or Service Users. These are fake “users” created exclusively to run specific software (like nginx or mysql) so that if the software is hacked, the hacker doesn’t get Root access. They don’t have passwords or home directories.
  • UID 1000+: Actual physical humans. The first human created on a system is 1000. The second is 1001.

GID (Group ID)

Just like humans, Groups have names (developers) and numbers (1005). Every user must belong to exactly ONE primary group. They can optionally belong to multiple secondary groups.


📖 Command Reference

id — Who am I?

The id command is your ID badge scanner. It tells you your current Name, UID, Primary Group, and Secondary Groups.

Scanning an ID badge

$ id
uid=1000(dave) gid=1000(dave) groups=1000(dave),27(sudo),115(docker)

Notice that Dave’s primary group is also named dave. Modern Linux creates a private primary group for every new user by default, ensuring their files are private from other users.

whoami & logname

Simple commands to return just the string username.

Checking identity context

$ whoami
dave

$ # Let’s pretend Dave temporarily switches to root identity
$ sudo su -
$ whoami
root

$ # But who actually logged in originally?
$ logname
dave


🌍 Real Scenarios

Scenario 1: You pull a file from a backup drive. You copy /backups/report.txt to your machine. You run ls -l and it says the owner of the file is 1015. Why the number? Because on the old server, UID 1015 was stan. But on your new machine, UID 1015 hasn’t been created yet. The kernel has no translation for 1015, so it just shows you the raw number!

Scenario 2: Software demands a specific user. You install a heavily secured database. It refuses to run unless the process is executed by the postgres user. You must check /etc/passwd to ensure the postgres system user (UID < 1000) was successfully created during installation.


⚠️ Gotchas & Pitfalls

  1. Changing Usernames vs UIDs — You can easily rename dave to david. Since his UID stays 1000, he retains ownership of all his files. However, if you change his UID to 2000, he instantly loses access to all his old files (because the files are still stamped as owned by 1000).
  2. UID Zero is Absolute — If you maliciously edit /etc/passwd and change the UID of a random user named hacker to 0, the system will literally treat hacker as root. The name doesn’t matter; 0 is supreme.
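
Added example (not part of the original lab): a small defender-side check of both gotchas and of Scenario 1, run against a constructed passwd-format sample rather than a real system. The function names owner_label and shared_uids and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format: name:password:UID:GID:comment:home:shell
# (not from a real system; "hacker" mirrors gotcha 2, "david" is dave after the rename).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
david:x:1000:1000:Dave:/home/dave:/bin/bash
hacker:x:0:0::/home/hacker:/bin/bash
EOF
}

# owner_label UID  (passwd-format data on stdin)
# Prints the name a listing would show for a file stamped with UID:
# the first entry whose 3rd field matches, or the raw number if none does.
owner_label() {
    awk -F: -v uid="$1" '
        $3 == uid { print $1; found = 1; exit }
        END { if (!found) print uid }'
}

# shared_uids  (passwd-format data on stdin)
# Prints "UID:name1,name2" for every UID claimed by more than one name.
# Those names are one identity as far as permission checks are concerned.
shared_uids() {
    awk -F: '
        { names[$3] = names[$3] ($3 in count ? "," : "") $1; count[$3]++ }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }' | sort -n
}

# Demonstration on the constructed sample.
sample_passwd | owner_label 1000   # renamed account still owns UID 1000 files
sample_passwd | owner_label 1015   # no mapping: the raw number is shown
sample_passwd | owner_label 0      # first match wins, so the extra UID 0 name is hidden
sample_passwd | shared_uids        # every UID with more than one name attached
```

On a lab VM, pipe the output of getent passwd into either function instead of sample_passwd to check the live account database.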

Part B: The Drill Deck

Terminal Required: Open your Linux terminal for these exercises.


Guided: Step by step - type exactly this and compare the result

Exercise G1: Read your own badge

  1. Run: id
  2. Look at the uid= section. If you are the main user, it is likely 1000.
  3. Look at the groups= section. Do you see sudo or wheel? If so, you are an administrator!

Exercise G2: Investigating others

  1. The id command can check other people without switching to them.
  2. Run: id root
  3. Notice uid=0. Note the groups=0(root). Notice how small the numbers are.
  4. (Optional) Run id on a known system user, like id sshd or id www-data. Notice their UID is under 1000.

Exercise G3: The Translator File

  1. Run: grep "^root" /etc/passwd
  2. You will see: root:x:0:0:root:/root:/bin/bash
  3. Notice the two zero integers? That is the UID and GID mapping.

Solo: Task described, hints available - figure it out

Exercise S1: Finding all Human Users

System users clutter up /etc/passwd. We only want to see the real humans. We know humans have UIDs of 1000 or higher.

Use standard text viewing/filtering commands to look at /etc/passwd and identify how many actual human users exist on your current system. (Look at the 3rd field, delimited by colons).

Exercise S2: Identify a Service

Many services create their own users to constrain privileges.

  1. Run cat /etc/passwd.
  2. Find the user account associated with the system logging daemon (usually called syslog).
  3. What is the UID of the syslog user? Is it under 1000? What is its home directory?

Mission: Real scenario - no hints, combine multiple skills

Mission M1: The Impostor Analysis

Your company just fired a system administrator named “eve”. Before leaving, Eve stated she created a “backdoor” into the server so she could maintain access.

You verify that the eve user account was deleted. However, you suspect she may have created a hidden secondary account and secretly given it absolute root power.

Using only simple commands like cat, awk, or grep against /etc/passwd, formulate a one-line command that will reliably detect if any user on the system (other than the official root account) has a UID of 0.