I know how to change file permissions, ownership, etc. But sometimes I feel I don't know what would be the best approach security-wise. I just change permissions or ownership to make things work, but I really don't know whether my decisions are wisely chosen.
Example:
I have an external HDD that I back up to. Should root or the user who makes the backup be the owner of that partition, and why? Which group should it belong to? Why does Ubuntu have so many groups by default, and why are they necessary?
I'd like to understand the underlying concept of that, so that I can make better decisions in the future on my own.
Does someone have an explanation for me? I am also thankful for further reading recommendations.
Thank you for your time.
In general I would use the "sudo" user to create backups. Ubuntu does not use "root" as a user; only for the internal workings of the system.
I do not believe this is an issue? Regardless of who owns the partition, you need to keep the files and directories as they are.
Only advice I can give: use ext for the backup and not a Windows filesystem.
If the permissions change on the backup, restoring it becomes a nightmare: software might depend on files having a specific user, or settings.
Not an issue. If you have a multiuser system and you want more than 1 user to be able to restore you could use a group. But you should then also have 2 admin accounts, since a restore is not a user task. It is an admin task.
If you worry about an unstable system, do not set up your system to have more than 1 user able to restore. Otherwise that 2nd user might restore something the 1st user does not expect, potentially removing something unintentionally.
Security. Hardware is owned by "root". So for a user to be able to access a printer, a DVD or device plugin system, admin tools, etc., you need some method for the system to know a user is allowed to use these.
So the initial user created when the system is created is added to these groups and the verification of a 2nd admin user is done by providing the "sudo" password. And now the system knows it can trust these users. Any other user needs to provide the "sudo" password (and maybe a user to switch to) before they can use this hardware.
It also makes it easy to remove permissions: do not want a user to use a "dvd"? Remove the group, and done.
What are you using that you need to worry about permissions? Hosting a website? Otherwise I would assume you do not need to worry about permissions. The defaults the system uses (through the command "umask") are good enough. Only when you download something that needs executing do you need to set that yourself with "chmod".
This totally depends on what you want to realize, but permissions used on your own files do not make your system unstable, and only using full permissions on "others" makes your system potentially vulnerable.
Read the link posted in comments. It does explain it all ;)
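The answer's two points about "umask" defaults and write permission for "others", as an added example that is not part of the original thread: it shows the mode a new file or directory receives under a given umask and lists what "others" can write to in a constructed backup tree. The function names (`mode_under_umask`, `world_writable`, `demo`) and the sample tree are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the permission string (as shown by `ls -l`) that a newly created
# file or directory receives under the given umask.
mode_under_umask() {   # usage: mode_under_umask MASK file|dir
    (
        umask "$1"
        tmp=$(mktemp -d) || exit 1
        if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
        ls -ld "$tmp/new" | cut -c1-10
        rm -rf "$tmp"
    )
}

# List everything under a tree that "others" may write to (symlinks skipped,
# since their own mode bits are not what is checked on access).
world_writable() {     # usage: world_writable DIR
    find "$1" ! -type l -perm -0002 -print | sort
}

# Constructed sample: a small "backup" tree with one over-permissive file
# and one over-permissive directory.
demo() {
    tree=$(mktemp -d) || return 1
    mkdir "$tree/etc" "$tree/shared"
    : > "$tree/etc/app.conf";  chmod 644 "$tree/etc/app.conf"
    : > "$tree/etc/notes.txt"; chmod 666 "$tree/etc/notes.txt"
    chmod 755 "$tree/etc"; chmod 777 "$tree/shared"
    echo "umask 022 -> file $(mode_under_umask 022 file), dir $(mode_under_umask 022 dir)"
    echo "umask 077 -> file $(mode_under_umask 077 file), dir $(mode_under_umask 077 dir)"
    echo "writable by others:"
    world_writable "$tree" | sed "s|^$tree/|  |"
    rm -rf "$tree"
}

demo
```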