Linux directory structure, user, group, permission, ownership etc.

Before starting any MongoDB administration job, we need to know the system on which MongoDB is going to be deployed very well. For this article I chose the very common Linux OS Ubuntu. The target readers are not only MongoDB DBAs but also newcomers to Linux; for Linux/Ubuntu SMEs this article may be very basic.

Linux Directory Structure

Linux files are ordered in a tree structure. After logging in, run cd / (change directory) to get to the root directory, which contains every other directory and file on the system. This directory is the top of the tree, hence it is called root. In this directory you can run the list-files command in its most human-readable form, i.e. ls -lh, and it will print the whole top-level directory structure like this.

This is my Linux root directory; please check the table below for details.

Directory   Purpose
/etc        Holds the system configuration files for the host; be extra cautious while editing anything in this directory.
/home       Contains the personal data of each user or owner.
/var        Files whose contents change continuously during system operation (variable files) are stored here.
/opt        Park your optional software packages here.
/usr        Directory containing user programs.
/tmp        Directory containing temporary files.
/root       The root user's home directory.
/media      Contains subdirectories where removable devices are automounted.
/usr/bin    Contains the essential user binaries (programs).
/usr/lib    Contains the libraries needed by the essential binaries.

User and Group

Before starting, we need to know what 'sudo' is. It stands for 'superuser do': when you run a command with sudo, that command actually runs with root privileges. For MongoDB deployments it is very important to start the mongod or mongos process as the mongodb user and group only; running it with sudo or as root is not recommended. Now let me show how to create the user and group and verify them afterwards.

sudo adduser mongodb   // adding the user needs only sudo permission; this command automatically adds a user and a group called mongodb

-------------- It will return --------------
Adding user `mongodb' ...
Adding new group `mongodb' (1003) ...
Adding new user `mongodb' (1003) with group `mongodb' ...
Creating home directory `/home/mongodb' ...
// It will prompt for a password for the user; complete the full process

Check the newly created user and group

cat /etc/passwd    // this will show the newly created user info

------- This will return like this. -------
mongodb:x:1003:1003:,,,:/home/mongodb:/bin/bash

> cat /etc/group    // This will show newly created group
--------this will return like this-------
mongodb:x:1003:

# In this case both the user and the group have been created, and both have id 1003

Now you can log in as the new user (mongodb); after login, enter id

> id   // it will return something like this
uid=1003(mongodb) gid=1003(mongodb) groups=1003(mongodb)

User: A user account must belong to one primary group. Typically the user's primary group is named after the user account name.
Primary Group: The primary group is created at the same time as the user account, and the user is automatically added to it. Files created by the user automatically belong to the user's primary group. The user's primary group is stored in the /etc/passwd file, and the supplementary groups, if any, are listed in the /etc/group file.
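To make the two files concrete, here is an added shell example (not from the original article) that reads the colon-separated records of /etc/passwd and /etc/group and answers the questions above: what a user's uid, gid, home and shell are, which group is the primary group, which groups list the user as a member, and whether the account mongod will run under is really a non-root account. The function names are my own, and the demo writes constructed copies of both files into a temp directory so nothing on the real system is read or changed.

```shell
#!/bin/sh
# Added example (not part of the original article): read the colon-separated
# records of /etc/passwd and /etc/group, the two files checked above, and
# answer the questions a DBA asks about a service account. The demo at the
# bottom writes constructed copies of both files into a temp dir, so nothing
# on the real system is read or changed. Function names are my own.

# passwd_lookup PASSWD_FILE NAME -> "uid gid home shell"; status 1 if NAME is absent
passwd_lookup() {
    awk -F: -v name="$2" '$1 == name { print $3, $4, $6, $7; found = 1 }
                           END { exit !found }' "$1"
}

# group_lookup GROUP_FILE NAME -> gid; status 1 if absent
group_lookup() {
    awk -F: -v name="$2" '$1 == name { print $3; found = 1 } END { exit !found }' "$1"
}

# primary_group PASSWD_FILE GROUP_FILE USER -> name of the group whose gid equals
# the gid field of USER's passwd record (the primary group, as explained above)
primary_group() {
    rec=$(passwd_lookup "$1" "$3") || return 1
    gid=$(printf '%s\n' "$rec" | cut -d' ' -f2)
    awk -F: -v gid="$gid" '$3 == gid { print $1; found = 1 } END { exit !found }' "$2"
}

# supplementary_groups GROUP_FILE USER -> every group whose member list names USER
supplementary_groups() {
    awk -F: -v u="$2" '{ n = split($4, m, ",")
                         for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$1"
}

# is_service_account PASSWD_FILE NAME: 0 when NAME exists and is not uid 0,
# i.e. the account mongod should run under is not root in disguise
is_service_account() {
    rec=$(passwd_lookup "$1" "$2") || return 1
    uid=${rec%% *}
    [ "$uid" -ne 0 ]
}

demo() {
    d=$(mktemp -d)
    # constructed sample records, matching the output shown in the article
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/passwd"
    printf 'mongodb:x:1003:1003:,,,:/home/mongodb:/bin/bash\n' >> "$d/passwd"
    printf 'root:x:0:\nmongodb:x:1003:\nsudo:x:27:ubuntu,mongodb\n' > "$d/group"

    echo "mongodb record:        $(passwd_lookup "$d/passwd" mongodb)"
    echo "mongodb primary group: $(primary_group "$d/passwd" "$d/group" mongodb)"
    echo "mongodb supplementary: $(supplementary_groups "$d/group" mongodb)"
    if is_service_account "$d/passwd" mongodb; then echo "mongodb is a non-root account"; fi
    rm -rf "$d"
}
demo
```

On a real host the same functions can be pointed at /etc/passwd and /etc/group directly; the primary group comes from the fourth field of the passwd record, and membership in any further group only from the member list in /etc/group, which is exactly the split the paragraph above describes.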

Permission

MongoDB binary files should be given read, write and execute permission for the mongodb user. Here we get a deeper understanding of permissions. Permissions are changed with the chmod command.

// log in as the mongodb user, without sudo
chmod 400 <path-to-the-file>

You noticed the three digits after chmod (400); now we can explain what they stand for.

The three digits of the chmod code set permissions for these groups in this order:

  1. Owner (you)
  2. Group (a group of other users that you set up)
  3. World (anyone else browsing around on the file system)

Each digit of this code sets permissions for one of these groups as follows. Read is 4. Write is 2. Execute is 1.

The sums of these numbers give combinations of these permissions:

  • 0 = no permissions; this user cannot read, write, or execute the file
  • 1 = execute only
  • 2 = write only
  • 3 = write and execute (1+2)
  • 4 = read only
  • 5 = read and execute (4+1)
  • 6 = read and write (4+2)
  • 7 = read and write and execute (4+2+1)

Command               Purpose
chmod 700 mongod.yml  Only you can read, write and execute mongod.yml
chmod 777 mongod.yml  Everybody can read, write to, or execute mongod.yml
chmod 744 mongod.yml  Only you can read, write to, or execute mongod.yml; everybody else can read mongod.yml
chmod 444 mongod.yml  You can only read mongod.yml, as can everyone else
Chmod commands on the file mongod.yml
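To make the digit arithmetic concrete, here is an added shell example (not from the original article) that converts between the three-digit octal chmod code and the rwx string that ls -l prints, in both directions and for any mode rather than only the rows in the table above. The function names are my own; the conversion uses only shell arithmetic and touches no file.

```shell
#!/bin/sh
# Added example (not part of the original article): convert between the
# three-digit octal chmod code and the symbolic rwx string printed by ls -l.
# Pure shell arithmetic; no file is touched. Function names are my own.

# digit_to_rwx D -> three characters for one class, e.g. 4 -> "r--", 7 -> "rwx"
digit_to_rwx() {
    d=$1
    s=""
    # read is bit 4, write is bit 2, execute is bit 1
    if [ $((d & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
    if [ $((d & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $((d & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    printf '%s' "$s"
}

# octal_to_symbolic NNN -> owner/group/world string, e.g. 744 -> rwxr--r--
octal_to_symbolic() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_symbolic: want three octal digits, got '$mode'" >&2; return 2 ;;
    esac
    u=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    printf '%s%s%s\n' "$(digit_to_rwx "$u")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$o")"
}

# symbolic_to_octal STRING -> the digits; accepts "rwxr--r--" or the
# ten-character ls -l form "-rwxr--r--" (the leading file-type character is dropped)
symbolic_to_octal() {
    perm=$1
    case ${#perm} in
        10) perm=${perm#?} ;;
        9)  ;;
        *)  echo "symbolic_to_octal: want 9 or 10 characters, got '$perm'" >&2; return 2 ;;
    esac
    result=""
    i=0
    while [ "$i" -lt 9 ]; do
        d=0
        for j in 1 2 3; do
            c=$(printf '%s' "$perm" | cut -c$((i + j)))
            case $c in
                r)     d=$((d + 4)) ;;
                w)     d=$((d + 2)) ;;
                x|s|t) d=$((d + 1)) ;;   # lowercase s and t also imply execute for that class
            esac
        done
        result="${result}${d}"
        i=$((i + 3))
    done
    printf '%s\n' "$result"
}

# stand-alone demonstration with the modes used in this article
for m in 400 600 700 744 777; do
    printf '%s -> %s -> %s\n' "$m" "$(octal_to_symbolic "$m")" "$(symbolic_to_octal "$(octal_to_symbolic "$m")")"
done
```

Running it prints each mode, its symbolic form and the round trip back to digits, so you can check any ls -l line against the number you passed to chmod.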
Now you can run
ls -l mongod.yml
-rwxr--r--   1 mongodb mongodb       84 Sep 14 10:25 mongod.yml

-rwxr--r-- => split this string into 1) - 2) rwx 3) r-- 4) r--, explained below.

-      Denotes it's a regular file.
rwx    Denotes the owner has read, write and execute permissions.
r--    Denotes group permissions are read only.
r--    Denotes world permissions are read only.
The owner and group are also 'mongodb' 'mongodb': the first one is the user and the second one the group.

The first character shows the file type. In our example, the first character is - which indicates a regular file. Values for other file types are as follows:

  • - – Regular file
  • b – Block special file
  • c – Character special file
  • d – Directory
  • l – Symbolic link
  • n – Network file
  • p – FIFO
  • s – Socket

The permission character can take the following value:

  • r – Permission to read the file
  • w – Permission to write to the file
  • x – Permission to execute the file
  • s – setuid bit (in the owner position) or setgid bit (in the group position)
  • t – sticky bit

Ownership

In Linux every file is owned by a specific user and a specific group. Ownership can be changed using the chown command, whose form is explained below.

chown [OPTIONS] USER[:GROUP] FILE(s)

  1. USER is the user name or user ID of the new owner. GROUP is the name of the new group or the group ID. FILE(s) is the name of one or more files, directories or links.
  2. USER – If only the user is specified, the specified user will become the owner of the given files, the group ownership is not changed.
  3. USER: – When the username is followed by a colon :, and the group name is not given, the user will become the owner of the files, and the files group ownership is changed to user’s login group.
  4. USER:GROUP – If both the user and the group are specified (with no space left between them), the user ownership of the files is changed to the given user and the group ownership is changed to the given group.
  5. :GROUP – If the User is omitted and the group is prefixed with a colon :, only the group ownership of the files is changed to the given group.
  6. : If only a colon : is given, without specifying the user and the group, no change is made.

By default, on success, chown doesn’t produce any output and returns zero.

// after logging in as the mongodb user you can change ownership like this
chown mongodb:mongodb mongod.yml   // may require sudo (and its password) if the file was previously owned by root or another user or group
chmod 744 mongod.yml               // then give the permissions: the user can read, write and execute, others read only

ls -lh // will bring the following output
-rwxr--r-- 1 mongodb  mongodb        382 Sep  4 17:33 mongod.yml
 |              |         |
 |              |         |
read,wr,ex -->User ----> Group

Recursively Change the File Ownership and Permission (-R)

We need the recursive flag because changing the permissions and ownership of a whole lot of files inside a directory in a single command is often necessary. We can do the following.

// Changing ownership with the recursive flag; may or may not require sudo, depending on the situation
chown -R USER:GROUP DIRECTORY

// Changing permissions with the recursive flag
chmod -R 744 mongod.yml

If the directory contains symbolic links, pass the -h option as well, which changes the ownership of the link itself instead of the file it points to:

chown -hR mongodb: /var/www/html

Conclusion

Here I am using the mongod.yml file only as an example; please do not relate it to any real deployment. It is recommended that all MongoDB-related binaries be owned by the mongodb user and group and be given 744 permission. For the key file used for authentication use 400 permission, and for the configuration file use 600 permission, to be on the safe side.
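The recommendations above are easy to state and easy to drift from, so here is an added shell example (not from the original article) that audits a directory against them: the configuration file must be 600, the key file 400, every file under bin/ at most 744, and all of them owned by the expected user and group. The check is "no bit beyond the expected mode", so a 640 config is flagged while a 400 one passes. The function names, the file names mongod.yml and keyfile, and the bin/ layout are my assumptions; the demo builds a constructed tree in a temp directory with one deliberately too-open key file, and it uses the stat from GNU coreutils as found on Ubuntu.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a set of MongoDB
# files against the permission and ownership rules in the conclusion
# (key file 400, config 600, binaries 744, all owned by mongodb:mongodb).
# Assumes GNU coreutils stat (as on Ubuntu). The file names, the bin/ layout
# and the function names are my assumptions; the tree built by demo is constructed.

# check_mode FILE WANT: 0 if FILE grants nothing beyond octal mode WANT,
# 1 if some class (owner/group/world) has extra bits, 2 if FILE is missing.
check_mode() {
    file=$1; want=$2
    have=$(stat -c '%a' "$file" 2>/dev/null) || { echo "MISSING: $file" >&2; return 2; }
    # a leading 0 makes the shell parse the digits as octal
    extra=$(( (0$have) & ~(0$want) ))
    if [ "$extra" -ne 0 ]; then
        printf 'TOO OPEN: %s is %s, want %s (extra bits %03o)\n' "$file" "$have" "$want" "$extra" >&2
        return 1
    fi
    return 0
}

# check_owner FILE USER GROUP: 0 if owned by USER:GROUP, 1 otherwise, 2 if missing.
check_owner() {
    file=$1; user=$2; group=$3
    have=$(stat -c '%U:%G' "$file" 2>/dev/null) || { echo "MISSING: $file" >&2; return 2; }
    if [ "$have" != "$user:$group" ]; then
        printf 'WRONG OWNER: %s is %s, want %s:%s\n' "$file" "$have" "$user" "$group" >&2
        return 1
    fi
    return 0
}

# audit_tree DIR USER GROUP: apply the rules to DIR/mongod.yml, DIR/keyfile and
# every regular file under DIR/bin; findings go to stderr, the count to stdout.
audit_tree() {
    dir=$1; user=$2; group=$3; findings=0
    for spec in "$dir/mongod.yml:600" "$dir/keyfile:400"; do
        f=${spec%:*}; want=${spec##*:}
        check_mode "$f" "$want"           || findings=$((findings + 1))
        check_owner "$f" "$user" "$group" || findings=$((findings + 1))
    done
    for f in "$dir"/bin/*; do
        [ -f "$f" ] || continue
        check_mode "$f" 744               || findings=$((findings + 1))
        check_owner "$f" "$user" "$group" || findings=$((findings + 1))
    done
    echo "$findings"
}

# demo: constructed sample tree with one deliberately too-open key file. chown to
# mongodb needs root, so the owner check here runs against whoever runs the script.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf 'net:\n  bindIp: 127.0.0.1\n' > "$tmp/mongod.yml"; chmod 600 "$tmp/mongod.yml"
    printf 'constructed-key-material\n' > "$tmp/keyfile";    chmod 644 "$tmp/keyfile"
    printf '#!/bin/sh\n' > "$tmp/bin/mongod";                 chmod 744 "$tmp/bin/mongod"
    echo "findings: $(audit_tree "$tmp" "$(id -un)" "$(id -gn)")"
    rm -rf "$tmp"
}
demo
```

On a real host you would call audit_tree with the deployment directory and mongodb mongodb as the user and group, and a non-zero count is the signal that a chown or chmod from the sections above is needed.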