
Unix accounts primer

Posted on February 2, 2006

This is a quick primer on what Unix accounts are and the different roles that they can have. While the terminology being used is for Unix (and Linux/Mac OS X), the ideas can be used for some other systems as well.

What is an account?

Unix and Linux computers were designed to have many different people (accounts) using the same computer at the same time, remotely connected by networks.

Each account is separate from every other account, so one person’s work will not interfere with another person’s work on the same system, even if they are both using the system at the same time.

Normally, a Unix system requires you to authenticate yourself (prove that you have access rights) before it will let you use system resources. This helps determine such things as what resources you are allowed (printers, applications, etc.), where to put your files, the types of permissions you have, and what preferences you have set for your work environment.

To authenticate you, most Unix systems ask for a username (account name) and password. The combination of the two helps determine what you are allowed to use and do once you log in.

How many accounts should you have?

Different accounts for different privileges

Unix is a multi-user system, and not all users need to have the same privileges. Here are a few examples of the different roles you might see on any given system.

User accounts

This is a normal account. A user account has limited access to anything outside of its own work environment. Its owner might create and edit documents, run applications and utilities, and do other normal day-to-day work.

Users usually cannot change system settings that would affect other users, only settings that affect themselves. They can only modify their own account and preferences.

If you think in terms of keys and responsibilities, a user account only has a key to its own office space. It does not have keys to other people’s offices or to the front doors of the building. If you lose that one key, only one office might be compromised and only one lock needs to be changed.

There are usually many different users on a Unix system.

Administrator accounts

Administrators have more responsibilities than regular user accounts. They might be able to create/modify/delete other users, change system-wide settings, install software or hardware, and perform maintenance or upgrades that affect all users.

Experienced administrators only log in with these privileges when they need to. They usually use a regular user account when doing day-to-day work. This least-privilege-required mentality helps the overall security of the system.

To continue on with our keys analogy, the administrator is like a custodian. They have keys to many offices, in addition to broom closets, electrical panels, and so on. If the keychain is lost, many locks need to be changed, and a serious security breach has occurred.

There may be more than one administrator for a Unix system.

Superuser (root) accounts


The superuser, or root, account is the most powerful account on a Unix system. It can do anything, delete any files, and can cause complete chaos if in the wrong hands. Many system administrators will only use the root account when they have to, and then switch to a lesser account as soon as they have completed the task required.

The root user has the ‘skeleton’ key. It opens all doors in the building. If it gets lost, people lose their jobs.
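
To see which accounts on a system hold which of the three roles above, the account files can be read directly. The following is an added example, not part of the original post: it assumes that UID 0 marks a superuser and that membership in a sudo, wheel or admin group marks an administrator (group names vary by system), and it runs on constructed sample data in /etc/passwd and /etc/group format.

```python
# Constructed sample data in /etc/passwd and /etc/group format (not a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:27:Carol:/home/carol:/bin/bash
"""
SAMPLE_GROUP = """\
sudo:x:27:alice
users:x:100:alice,bob
"""
# Assumption: these groups confer administrator rights; names vary by system.
ADMIN_GROUPS = {"sudo", "wheel", "admin"}

def admin_members(group_text):
    """Return (member names, gids) of the administrator groups."""
    names, gids = set(), set()
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] in ADMIN_GROUPS and fields[2].isdigit():
            gids.add(int(fields[2]))
            names.update(m for m in fields[3].split(",") if m)
    return names, gids

def classify_accounts(passwd_text, group_text):
    """Map each account name to 'superuser', 'administrator' or 'user'."""
    names, gids = admin_members(group_text)
    roles = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # skip blank, comment and malformed lines
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        if uid == 0:
            roles[name] = "superuser"  # UID 0 is root whatever the name says
        elif name in names or gid in gids:
            roles[name] = "administrator"  # listed member or primary group
        else:
            roles[name] = "user"  # service accounts also land here
    return roles

def extra_superusers(roles):
    """UID 0 accounts not named root: each is a second skeleton key."""
    return sorted(n for n, r in roles.items() if r == "superuser" and n != "root")

if __name__ == "__main__":
    roles = classify_accounts(SAMPLE_PASSWD, SAMPLE_GROUP)
    print(roles, "extra UID 0:", extra_superusers(roles))
```

On a live host, pass the contents of /etc/passwd and /etc/group instead of the samples; rights granted to individual users by the sudo policy itself are not visible in those two files.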