Why Linux Permissions Matter
If you've spent most of your career in Windows/Active Directory environments like I have, Linux permissions can feel like stepping back into the wild west. There's no Group Policy to enforce settings, no domain-wide password rules, and no central audit trail -- unless you set it up yourself. Understanding Linux user and permission management is essential for anyone running Linux in their homelab, whether it's Docker hosts, file servers, or application servers.
Users and Groups Fundamentals
Linux uses a simple but powerful model: every file belongs to a user and a group, with read/write/execute permissions for each.
Creating users and managing groups:
useradd -m -s /bin/bash jdoe-- Create a user with home directory and bash shellusermod -aG docker jdoe-- Add user to the docker group (common homelab need)usermod -aG sudo jdoe-- Grant sudo access (Debian/Ubuntu)usermod -aG wheel jdoe-- Grant sudo access (RHEL/CentOS)groupadd developers-- Create a new groupgroupdel oldgroup-- Remove a groupid jdoe-- Show user's groups and UIDgroups jdoe-- List groups for a user
For homelab users, I create a standard user account and add them to the groups they need. I never give users direct root access -- sudo is configured via /etc/sudoers with specific command restrictions.
File Permission Basics
Linux file permissions use a 10-character string shown by ls -la:
-rw-r--r-- 1 root root 4096 Jan 15 10:30 config.yml
The first character indicates file type (- = regular file, d = directory, l = symlink). The next 9 characters are 3 sets of rwx (read, write, execute) for owner, group, and others.
Changing permissions with chmod:
chmod 755 script.sh-- Owner: rwx, Group: r-x, Others: r-xchmod 644 config.yml-- Owner: rw-, Group: r--, Others: r--chmod 600 ssh_private_key-- Owner: rw-, Group: none, Others: none (required for SSH keys)chmod +x deploy.sh-- Add execute permission for the current user
Changing ownership with chown:
chown jdoe:developers /srv/app-- Change owner and groupchown -R www-data:www-data /var/www/html-- Recursive change for web rootchgrp developers /srv/shared-- Change group only
Sudo Configuration
Edit sudoers with visudo -- never edit /etc/sudoers directly. The visudo command checks syntax before saving, preventing you from locking yourself out:
# Allow jdoe to run Docker commands without password
jdoe ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/bin/docker-compose
# Allow admins full sudo access
%admins ALL=(ALL) ALL
# Deny root login via sudo for security
root ALL=(ALL) NOPASSWD: ALL
For homelab security, grant the minimum sudo privileges needed. If a user only needs to manage Docker containers, don't give them full root access.
Access Control Lists (ACLs)
When standard Unix permissions aren't enough, ACLs let you set fine-grained permissions:
# Install ACL tools
apt install acl # Debian/Ubuntu
yum install acl # RHEL/CentOS
# Set ACL for a specific user on a directory
setfacl -m u:jdoe:rwX /srv/shared
# Set ACL for a group
setfacl -m g:developers:rx /srv/project
# View ACLs
getfacl /srv/shared
# Remove ACL
setfacl -x u:jdoe /srv/shared
ACLs are particularly useful for shared directories where multiple users and groups need different levels of access. The X (capital X) permission means execute only for directories and files that already have execute permission for someone.
Password Management
passwd jdoe-- Change a user's passwordchage -M 90 jdoe-- Set password to expire after 90 dayschage -l jdoe-- Show password aging informationusermod -L jdoe-- Lock a user account (can't login, but home directory preserved)usermod -U jdoe-- Unlock a user accountpasswd -l jdoe-- Alternative lock method
Set global password policies in /etc/login.defs:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
MIN_UID 1000
SSH Key Management
For homelab automation, SSH keys are essential. No passwords, no brute force attacks, fully scriptable:
ssh-keygen -t ed25519 -C "admin@homelab"-- Generate an Ed25519 key (modern, secure)ssh-copy-id user@server-- Copy public key to remote serverssh-agent bash-- Start SSH agent for key managementssh-add ~/.ssh/id_ed25519-- Add key to agent
Lock down SSH in /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers jdoe admin
Homelab-Specific Tips
- Create a service account for each major service -- Don't run Docker containers as root. Create dedicated users (e.g.,
useradd -r -s /usr/sbin/nologin docker-app) for running services - Use group-based permissions for shared directories -- Create a group for each project/team, assign users to groups, and set group ownership on shared directories with
chmod 2775(the 2 sets the group ID bit, so new files inherit the group) - Audit permissions regularly --
find / -perm -4000 -type ffinds SUID files.find / -perm -2000 -type ffinds SGID files. Unexpected SUID/SGID bits are a security risk - Use /etc/ssh/ssh_config for per-host settings -- Configure SSH behavior per host (key type, strict host checking, proxy commands)