Today's Agenda
Permissions Lab
28/10/10
Introduction to Permissions
Introduction
Users
Every user of a system is assigned a unique UID. User names and UIDs are stored in the /etc/passwd file. Users cannot read, write or execute each other's files without permission.
Groups
Users are assigned to groups with unique GID. GIDs are stored in /etc/group. Each user is given his own private group by default (primary group) in Red Hat. He/she can belong to other groups (secondary groups) to gain additional access. All users in a group can share files that belong to that group.
Levels of Permission
There are three levels of permission on files and directories in Linux. These levels correspond to the following three categories: the owner (user), the group, and all other users.
The owner is the user who created the file. Any file you create, you own. The user / owner of a file can grant access to the file to the members of a designated group. The user / owner of a file can also open up access to the file to all other users on the system.
Displaying Permissions
Examining the following long listing of the /etc/passwd file gives, from left to right:
File access permissions, number of links, user (owner), group, file size, last modification date, last modification time
Permissions are checked in this order:
- If the user matches, the user permissions apply.
- If the group matches, but the user does not, the group permissions apply.
- If neither matches, the other permissions apply.
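The matching rule above, as a small shell function added here (not part of the original slides). It takes a mode string as shown by ls -l, the file's owner and group, the requesting user and a space-separated list of that user's groups (all constructed sample values), and prints the single triplet that applies. Note that only the first matching category counts: an owner whose own triplet is --- gets nothing even if the group and other triplets would allow access.

```shell
# effective_perms MODE FILE_OWNER FILE_GROUP USER "USER_GROUPS"
# Prints the rwx triplet that applies to USER, following the rule:
# owner match -> owner triplet; else group match -> group triplet; else other.
effective_perms() {
    mode=$1 fowner=$2 fgroup=$3 user=$4 ugroups=$5
    case $mode in ??????????) mode=${mode#?} ;; esac   # accept a full ls -l field (-rw-r--r--)
    in_group=1
    case " $ugroups " in *" $fgroup "*) in_group=0 ;; esac
    if [ "$user" = "$fowner" ]; then
        printf '%.3s\n' "$mode"                         # first triplet: owner
    elif [ "$in_group" -eq 0 ]; then
        rest=${mode#???}
        printf '%.3s\n' "$rest"                         # second triplet: group
    else
        printf '%s\n' "${mode#??????}"                  # third triplet: other
    fi
}

# has_perm TRIPLET LETTER -> exit status 0 if r, w or x is present in the triplet
has_perm() {
    case $1$2 in
        r??r | ?w?w | ??xx) return 0 ;;
    esac
    return 1
}

# Constructed demo: a shadow-like file (-rw-r----- root:shadow) seen by user alice.
for groups in 'alice users' 'alice shadow'; do
    t=$(effective_perms -rw-r----- root shadow alice "$groups")
    printf 'alice in [%s] -> %s, readable: %s\n' "$groups" "$t" \
        "$(has_perm "$t" r && echo yes || echo no)"
done
```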
Examples
- --x permissions on a directory do not let the user view the directory contents or create or delete files in that directory. However, the user can run an executable file located in that directory.
- r-x permissions on a directory are OK, meaning ls can be done.
- -wx permissions on a directory are OK, meaning a file can be created in this directory; however, ls cannot be done.
- rw-, r-- or -w- permissions on a directory have no effect if the execute bit is not set.
chmod Command
chmod is used to change file access permissions. chmod takes two lists as its arguments: permission changes and filenames.
Changing Permissions
You can specify the list of permissions in two different ways: the symbolic method (category, operator and permission characters) and the absolute method (octal digits), both described below.
Examining the permissions of the /etc/passwd file after the modifications shows the following:
Settings
Here are some common examples of settings that can be used with chmod:
Examples
- Add the execute permission and remove the write permission for the mydata file for all categories (i.e. user, group and other). The read permission is not changed.
- Set the permissions for the group to read and write.
- Set the permissions for other users to read.
- Set the read permission for other users, but remove the write and execute permissions.
Examples (cont..)
Another permission character exists, a, which represents all the categories. The a character is the default. In the next example, the two commands are equivalent. The read permission is explicitly set with the a character denoting all types of users: other, group, and user.
By adding the -R option, we can change permissions for entire directory trees. To allow everyone read and write access to the mylinux directory in our login directory, we just type:
The absolute method changes all the permissions at once, instead of specifying one or the other. The three access levels, each with three permissions, conform to an octal binary format. Three octal digits in a number translate into three sets of three binary digits, which is nine altogether and the exact number of permissions for a file. The first octal digit applies to the owner category, the second to the group, and the third to the others category:
Owner: 6, Group: 4, Other: 2
The actual octal digit you choose determines the read, write, and execute permissions for each category.
Punjab University College of Information Technology (PUCIT)
Add these numbers for each user category:
Owner: rw- = 4 + 2 = 6
Group: r-- = 4
Other: r-- = 4
Use the resulting number, 644, with chmod to change the permissions.
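The r=4, w=2, x=1 arithmetic of the absolute method, worked out as shell functions added here (not from the original slides): one converts an ls-style mode into the octal number chmod accepts, one converts back, and apply_mode applies the result to a scratch file and reads it back. A mode string that is not nine (or ten, with the type character) characters long is rejected rather than looped on.

```shell
# sym_to_octal rw-r--r-- -> 644   (also accepts the full ls -l field -rw-r--r--)
sym_to_octal() {
    s=$1
    case $s in ??????????) s=${s#?} ;; esac      # drop the file-type character
    case $s in ?????????) ;; *) return 1 ;; esac  # must be exactly three triplets
    out=
    while [ -n "$s" ]; do
        t=${s%"${s#???}"}                         # current triplet (first three chars)
        s=${s#???}
        n=0
        case $t in r??) n=$((n + 4)) ;; esac      # read    = 4
        case $t in ?w?) n=$((n + 2)) ;; esac      # write   = 2
        case $t in ??x) n=$((n + 1)) ;; esac      # execute = 1
        out=$out$n
    done
    printf '%s\n' "$out"
}

# octal_to_sym 754 -> rwxr-xr--
octal_to_sym() {
    d=$1 out=
    case $d in ???) ;; *) return 1 ;; esac
    while [ -n "$d" ]; do
        n=${d%"${d#?}"}; d=${d#?}
        [ $((n & 4)) -ne 0 ] && out=${out}r || out=${out}-
        [ $((n & 2)) -ne 0 ] && out=${out}w || out=${out}-
        [ $((n & 1)) -ne 0 ] && out=${out}x || out=${out}-
    done
    printf '%s\n' "$out"
}

# apply_mode rw-r----- : chmod a scratch file via the octal form, print what ls shows
apply_mode() {
    f=$(mktemp) || return 1
    chmod "$(sym_to_octal "$1")" "$f" && ls -ld "$f" | cut -c1-10
    rm -f "$f"
}

# Constructed demo: the owner rw-, group r--, other r-- case from the slide.
printf '%s -> %s -> %s\n' rw-r--r-- "$(sym_to_octal rw-r--r--)" "$(apply_mode rw-r--r--)"
```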
You can set a new default set of permissions for the files that you create. The following example specifies read, write and execute permissions to owner and gives no permissions to group or others.
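An added example (not from the original slides) that makes the umask effect observable: created_mode applies a given umask in a subshell, creates a scratch file or directory under a temporary directory, and prints the mode ls reports. With umask 077 a new file comes out as -rw------- (666 minus 077) and a new directory as drwx------ (777 minus 077); the loop at the end contrasts this with the common defaults 022 and 027.

```shell
# created_mode UMASK KIND  (KIND is "file" or "dir")
# Prints the ls -l mode field of a freshly created file/dir under the given umask.
created_mode() {
    tmp=$(mktemp -d) || return 1
    mode=$(
        umask "$1"                  # subshell, so the caller's umask is untouched
        {
            if [ "$2" = dir ]; then
                mkdir "$tmp/d" && ls -ld "$tmp/d"     # mkdir asks for 777
            else
                : > "$tmp/f" && ls -ld "$tmp/f"       # file creation asks for 666
            fi
        } | cut -c1-10
    )
    rm -rf "$tmp"
    printf '%s\n' "$mode"
}

# Constructed demo: the slide's owner-only setting (077) beside two common defaults.
for m in 022 027 077; do
    printf 'umask %s: file=%s dir=%s\n' "$m" "$(created_mode "$m" file)" "$(created_mode "$m" dir)"
done
```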
When a user starts a process, it runs with the permissions of that user. If you run vi and try to edit /etc/shadow, the operation will fail. If you try to edit your personal information in the file /etc/passwd, the operation will again fail.
Although /etc/passwd is a file that cannot be changed by a regular user, a regular user can use the /usr/bin/chfn program to change his personal information contained in it. Similarly, a regular user can use the /usr/bin/passwd and /usr/bin/chage programs to change his password-related information in the /etc/shadow file. This is because these programs have their SUID permission set.
Three special types of permissions are available for executable files and public directories: setuid, setgid, and the sticky bit. When these permissions are set, any user who runs that executable file assumes the ID of the owner (or group) of the executable file.
setuid Permission: When setuid permission is set on an executable file, a process that runs this file is granted access on the basis of the owner of the file. The access is not based on the user who is running the executable file. This special permission allows a user to access files and directories that are normally available only to the owner.
setgid Permission: The setgid permission is similar to the setuid permission. The process's effective group ID (GID) is changed to the group that owns the file, and a user is granted access based on the permissions that are granted to that group. The /usr/bin/mail command has setgid permissions.
Sticky Bit: The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted only by the file owner, the directory owner, or by a privileged user. The root user and the Primary Administrator role are examples of privileged users.
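An added example (not from the original slides) showing how the three special bits look in ls output and how an administrator audits for them with find -perm. It builds a constructed scratch tree with one setuid file (modelled on /usr/bin/passwd), one setgid file (modelled on /usr/bin/mail), one sticky directory (modelled on /tmp) and one plain file; the same find expressions run against a real filesystem root list the setuid/setgid programs that deserve review.

```shell
# make_sample_tree: create a constructed scratch tree, print its path
make_sample_tree() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/plain";     chmod 0644 "$tmp/plain"      # ordinary file
    : > "$tmp/suid_prog"; chmod 4755 "$tmp/suid_prog"  # setuid, like /usr/bin/passwd
    : > "$tmp/sgid_prog"; chmod 2755 "$tmp/sgid_prog"  # setgid, like /usr/bin/mail
    mkdir "$tmp/shared";  chmod 1777 "$tmp/shared"     # sticky, like /tmp
    printf '%s\n' "$tmp"
}

# mode_of PATH -> the ls -l mode field (s/S and t/T mark the special bits)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# audit_special DIR BIT -> names of entries under DIR that carry BIT
# BIT is 4000 (setuid), 2000 (setgid) or 1000 (sticky); "-perm -BIT" means "has at least these bits"
audit_special() {
    find "$1" -perm -"$2" | sed 's|.*/||' | sort
}

# Constructed demo
t=$(make_sample_tree)
for p in plain suid_prog sgid_prog shared; do
    printf '%s  %s\n' "$(mode_of "$t/$p")" "$p"
done
printf 'setuid: %s\nsetgid: %s\nsticky: %s\n' \
    "$(audit_special "$t" 4000)" "$(audit_special "$t" 2000)" "$(audit_special "$t" 1000)"
rm -rf "$t"
```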
Permissions Lab
1. Login as root and create three users tariq, khan and jamil and assign them passwords.
2. Login as khan and create a directory ~/dir1 and a file ~/dir1/file1 and check its permissions.
3. Login as tariq or jamil and try to access the home directory of khan. What happens?
4. Login as khan and create a directory /tmp/dir1 and a file /tmp/dir1/file1 and check its permissions.
5. Login as tariq or jamil and try to access the dir1 just created by khan. What happens?
Things to do!
For a complete understanding, perform the questions in the sequence given in the slides (Permissions Lab). You are required to submit a handwritten solution to these lab questions. Execute all the commands on the console before writing the solution down. Good luck.