
Instructor: Arif Butt. TA: Dilawer Hussain.

Lecture # 10 File Permissions


Course: Intro to Computing

Punjab University College of Information Technology (PUCIT) University of the Punjab


28/10/10


Today's Agenda

- Introduction to Permissions
- Changing Permissions
  - Symbolic Method
  - Binary Method
  - Special Access Bit
- Permissions Lab


Introduction to Permissions


Permission Types Diagram


Introduction
Users
Every user of a system is assigned a unique UID. User names and UIDs are stored in the /etc/passwd file. Users cannot read, write or execute each other's files without permission.

Groups
Users are assigned to groups, each with a unique GID. GIDs are stored in /etc/group. In Red Hat each user is given his/her own private group by default (the primary group) and can belong to other groups (secondary groups) to gain additional access. All users in a group can share files that belong to that group.


Levels of Permission
There are three levels of permissions on files and directories in Linux. These levels correspond to the following three categories:

- User/owner (u)
- Group (g)
- Others (o)

The owner is the user who created the file: any file you create, you own. The owner of a file can grant access to the file to the members of a designated group, and can also open up access to the file to all other users on the system.


Categories of Permission (Files)


Each level, or category, has associated privileges. These privileges come in the form of three permissions. For files they have the following meanings:

- READ (r): enables users to open a file and read its contents using less, more, head, tail, cat, grep, sort or view.
- WRITE (w): enables users to open a file and change its contents using vi or vim.
- EXECUTE (x): enables users to execute the file as a command.


Displaying Permissions
Examining a long listing (ls -l) of the /etc/passwd file gives the following fields:

(File access permissions) (Number of links) (User) (Group) (File size) (Last modification date) (Last modification time)



Displaying Permissions (cont..)


When a user accesses a file, the user is compared with the permission set of the file:

- If the user matches the owner, the user permissions apply.
- If the group matches but the user does not, the group permissions apply.
- If neither matches, the other permissions apply.


Categories of Permission (Directories)


- READ: users can view the filenames in the directory.
- WRITE: users can create and delete files in the directory.
- EXECUTE: users can search in the directory and change to it using the cd command.


Examples

- --x permissions on a directory will not let the user view the directory contents or create or delete files in it. However, the user can run an executable file located in that directory (if its name is known).
- r-x permissions on a directory are fine: ls can be done.
- -wx permissions on a directory are fine: a file can be created in the directory, but ls cannot be done.
- rw-, r-- or -w- permissions on a directory have no effect if the execute bit is not set.


chmod Command
chmod is used to change file access permissions. chmod takes two lists as its arguments: permission changes and filenames.

SYNOPSIS: chmod [OPTION]... MODE[,MODE]... FILE...


Changing Permissions


Changing Permissions
You can specify the list of permissions in two different ways:

- Symbolic method: uses permission symbols (also called the relative method).
- Binary mask: uses an octal number (also called the absolute method).


Symbols for Level


The table below lists the level options that can be used with the chmod command:

- u: user/owner
- g: group
- o: others
- a: all (user, group and others)


Symbols for Permission


- +  Add the following permissions (does not affect other permissions)
- -  Remove the following permissions (does not affect other permissions)
- =  Assigns the entire set of permissions


Adding Rights to a File


Adding write privileges for the group can be done by running chmod as follows:

chmod g+w /etc/passwd

Examining the permissions of the /etc/passwd file after the modification shows the group write bit added.


Removing Rights from a File


Removing the write bit from the group can be done by running chmod as follows:

chmod g-w /etc/passwd

Examining the permissions of the /etc/passwd file after the modification shows the group write bit removed.


Settings
Here are some common examples of settings that can be used with chmod:


Examples

- Add the execute permission and remove the write permission for the mydata file for all categories (user, group and other); the read permission is not changed.
- Set the permissions for the group to read and write.
- Set the permissions for other users to read.
- Set the read permission for other users; the write and execute permissions are removed.


Examples (cont..)
Another permission character exists, a, which represents all the categories. The a character is the default. In the next example, the two commands are equivalent; the read permission is explicitly set with the a character denoting all types of users: other, group and user.

chmod a+r mydata
chmod +r mydata

By adding the -R option, we can change permissions for entire directory trees. To allow everyone read and write access to the mylinux directory in our login directory, we just type:

chmod -R a+rw mylinux


Changing Permissions: Binary Method

The absolute method changes all the permissions at once, instead of specifying one or the other. The three access levels, each with three permissions, conform to an octal (binary) format. Three octal digits in a number translate into three sets of three binary digits, nine altogether, which is exactly the number of permissions for a file. The first octal digit applies to the owner category, the second to the group, and the third to the others category:

Owner  Group  Other
  6      4      2

The actual octal digit you choose determines the read, write and execute permissions for each category.

Numbers to change a file's mode


The chmod utility can also use numbers to change a file's mode. The numbers range from 0 to 7 (octal).


Changing Permissions with Numbers

Each permission is assigned a number: read = 4, write = 2, execute = 1.

Add these numbers for each user category:

Owner  r w -  4 + 2 = 6
Group  r - -  4     = 4
Other  r - -  4     = 4

Use with chmod (mode 644); the listing afterwards shows the permissions changed.

Fun with Numbers and chmod


Here's a list of some common settings, their numerical values and their meanings:



Example

(The slide shows a file being created with the default permissions, then its permissions being changed with chmod.)


Permission Defaults: umask


To display the current default permissions, use the umask command with no arguments. The -S option uses the symbolic format.

You can set a new default set of permissions for the files that you create. The following example specifies read, write and execute permissions for the owner and gives no permissions to group or others:

umask 077


Permission Defaults: umask (cont..)


Note: for files, subtract the umask from 666; for directories, subtract it from 777. A umask of 022 means that files will have permissions of 644 while directories will have permissions of 755. Example: 666 - 022 = 644, 777 - 022 = 755.

If you trust no one, use the following mask:

umask 077


Special Access Bits

When a user starts a process, it runs with the permissions of that user. If you run vi and try to edit /etc/shadow, the operation will fail; likewise, if you try to edit your personal information in the file /etc/passwd, the operation will fail.

Although /etc/passwd is a file that cannot be changed by a regular user, a regular user can use the /usr/bin/chfn program to change his personal information contained in it. Similarly, a regular user can use the /usr/bin/passwd and /usr/bin/chage programs to change his password related information in the /etc/shadow file. This is because these programs have their SUID permission set.

Three special types of permissions are available for executable files and public directories: setuid, setgid, and the sticky bit. When these permissions are set, any user who runs that executable file assumes the ID of the owner (or group) of the executable file.

Special Access Bits (cont..)

setuid permission: When setuid permission is set on an executable file, a process that runs this file is granted access on the basis of the owner of the file, not of the user who is running it. This special permission allows a user to access files and directories that are normally available only to the owner.

setgid permission: The setgid permission is similar to the setuid permission. The process's effective group ID (GID) is changed to the group that owns the file, and a user is granted access based on the permissions that are granted to that group. The /usr/bin/mail command has setgid permission.

Sticky bit: The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted only by the file owner, the directory owner, or by a privileged user. The root user and the Primary Administrator role are examples of privileged users.
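An added example (not from the slides) covering both the umask slides and the special bits above: it decodes a mode, setuid/setgid/sticky included, into the string ls -l prints, and applies a umask the way the kernel does, as a bit clear rather than arithmetic subtraction, which matters for masks such as 033; mode_to_string, apply_umask and umask_symbolic are names chosen here.

```shell
#!/bin/sh
# Decodes a 3- or 4-digit octal mode into the string ls -l prints, including
# the setuid/setgid/sticky letters, and applies a umask as a bit clear.
# Example added for this page; it is not from the deck.

# mode_to_string 4755 -> rwsr-xr-x    mode_to_string 1777 -> rwxrwxrwt
mode_to_string() {
    m=$(( 0$1 ))
    out=""
    shift_n=6                              # user bits sit 6 places up, group 3
    for cls in u g o; do
        bits=$(( (m >> shift_n) & 7 ))
        [ $(( bits & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( bits & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        # third column: x, or s (setuid/setgid) / t (sticky) when the special
        # bit for this class is set; uppercase means the x bit is not set
        case $cls in
            u) special=$(( m & 04000 )); lo=s; up=S;;
            g) special=$(( m & 02000 )); lo=s; up=S;;
            o) special=$(( m & 01000 )); lo=t; up=T;;
        esac
        if [ "$special" -ne 0 ]; then
            [ $(( bits & 1 )) -ne 0 ] && out="${out}${lo}" || out="${out}${up}"
        else
            [ $(( bits & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
        fi
        shift_n=$(( shift_n - 3 ))
    done
    printf '%s\n' "$out"
}

# apply_umask BASE MASK -> mode a new file (base 666) or directory (777) gets.
# Bits set in the mask are cleared: 666 with umask 033 gives 644, not 633.
apply_umask() {
    printf '%03o\n' "$(( 0$1 & ~0$2 ))"
}

# umask_symbolic MASK -> what `umask -S` prints for that mask
umask_symbolic() {
    s=$(mode_to_string "$(apply_umask 777 "$1")")
    printf 'u=%s,g=%s,o=%s\n' \
        "$(printf '%s' "$s" | cut -c1-3 | sed 's/-//g')" \
        "$(printf '%s' "$s" | cut -c4-6 | sed 's/-//g')" \
        "$(printf '%s' "$s" | cut -c7-9 | sed 's/-//g')"
}

mode_to_string 4755        # rwsr-xr-x: a setuid program such as /usr/bin/passwd
mode_to_string 1777        # rwxrwxrwt: the sticky bit on /tmp
apply_umask 666 033        # 644
```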

Permissions Lab


Permissions Lab
1. Login as root and create three users, tariq, khan and jamil, and assign them passwords.
2. Login as khan and create a directory ~/dir1 and a file ~/dir1/file1, and check its permissions.
3. Login as tariq or jamil and try to access the home directory of khan. What happens?
4. Login as khan and create a directory /tmp/dir1 and a file /tmp/dir1/file1, and check its permissions.
5. Login as tariq or jamil and try to access the dir1 just created by khan. What happens?


Permissions Lab (cont..)


6. Login as root and create two groups, sales and mkt. Make tariq's primary group sales. Make khan's primary group sales and khan's secondary group mkt. Make jamil's primary group mkt. Confirm using the id command.
7. Login as khan and change the permissions on /tmp/dir1/file1 so that the owner can read and write the file, group members can only read the file and others can do nothing. (Remember: only root or the owner of a file can change a file's permissions.)
8. Login as tariq or jamil and try to access /tmp/dir1/file1. What happens? Check the ownership of /tmp/dir1/file1: it is owned by user khan and group khan, so it can be accessed only by user khan and users who are members of group khan.


Permissions Lab (Cont..)


9. Login as root or khan and change the group ownership of /tmp/dir1/file1. Let its owner remain khan and change the group to sales using the chmod command.
10. Login as tariq and try changing the contents of /tmp/dir1/file1. Since the group permissions apply to tariq, he can now read as well as write to /tmp/dir1/file1.
11. Login as jamil and try changing the contents of /tmp/dir1/file1. Since the others permissions apply to jamil, he cannot read or write to /tmp/dir1/file1.
12. Login as root and make sales a secondary group of jamil. Then login as jamil and again try accessing /tmp/dir1/file1. Success.
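An added example (not part of the lab itself) that models the owner/group/other decision rule from the "Displaying Permissions" slide on the lab's users and the 640 mode of step 7, so each step's outcome can be predicted before logging in; can_access is a name chosen here, and the step 9 group change is modelled as the result of chgrp or chown, since chmod only sets mode bits.

```shell
#!/bin/sh
# Decides which permission class applies when a user touches a file and whether
# the requested access is granted, using the rule from the deck: owner first,
# then group membership, else others. Users, groups and modes are the lab's
# (step 7 sets 640; step 9 changes the group to sales, done with chgrp/chown).
# Added example, not from the deck.

# can_access OWNER GROUP MODE USER "GROUPS" r|w|x  ->  "<class> yes|no"
can_access() {
    f_owner=$1; f_group=$2; mode=$(( 0$3 )); user=$4; ugroups=$5; want=$6
    if [ "$user" = root ]; then           # uid 0 bypasses these checks
        echo "root yes"; return 0
    fi
    # the owner's bits are used even if the group or other bits are wider
    if [ "$user" = "$f_owner" ]; then
        class=user; shift_n=6
    elif printf ' %s ' "$ugroups" | grep -qF " $f_group "; then
        class=group; shift_n=3            # primary or secondary membership
    else
        class=other; shift_n=0
    fi
    bits=$(( (mode >> shift_n) & 7 ))
    case $want in r) need=4;; w) need=2;; x) need=1;; *) return 1;; esac
    if [ $(( bits & need )) -ne 0 ]; then echo "$class yes"; else echo "$class no"; fi
}

# after step 7: file1 is khan:khan 640, so tariq (group sales) is "other"
can_access khan khan  640 tariq "sales"     r     # other no
# after step 9: group changed to sales, so tariq's group bits apply
can_access khan sales 640 tariq "sales"     r     # group yes
can_access khan sales 640 tariq "sales"     w     # group no
# jamil is only in mkt until step 12 adds sales as a secondary group
can_access khan sales 640 jamil "mkt"       r     # other no
can_access khan sales 640 jamil "mkt sales" r     # group yes
```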


Things to do!

For a complete understanding, perform the questions in the sequence given in the slides (Permissions Lab). You are required to submit the solution of these lab questions hand written. Execute all the commands on the console before writing the solution down. Good luck!

If you have problems, visit me in counseling hours.

