CT320

CT320: Network and System Administration

Fall 2017

Access

See this page as a slide show

Access Control and Root

CT320: Access

Original slides from Dr. James Walden at Northern Kentucky University.

Access Control

https://en.wikipedia.org/wiki/Access_control

Control Mechanisms

Control Mechanisms

System Access

Shadow passwords

Instead of keeping the encrypted passwords in the world-readable /etc/passwd, they can be kept in /etc/shadow.

Access Commands

Filesystem Protection

Access bits via ls

$ ls -l ~/bin
total 1748
lrwxrwxrwx 1 ct320 class      12 Nov 22  2016 checkin -> checkin_prog
-rwx------ 1 ct320 class    3915 Jun  1  2019 checkin-checker
-rwx------ 1 ct320 class     405 Oct 14  2017 checkin-file-checker
-rws--x--x 1 ct320 class   42040 Sep  6  2016 checkin_prog
-rwxr-xr-x 1 ct320 class    1339 Sep 23  2019 chit
-rwxr-xr-x 1 ct320 class     895 Sep 23  2019 cls
-rwx------ 1 ct320 class    2748 Dec 13  2019 code
-rwxr-xr-x 1 ct320 class     160 Jun 14  2014 cronedit
-rwxr-xr-x 1 ct320 class    3076 Oct 15  2019 curve
-rwxr-xr-x 1 ct320 class     666 Dec 27  2017 demo-script
-rwxr-xr-x 1 ct320 class    1306 Mar  7  2018 domoss
-rwxr-xr-x 1 ct320 class    1019 Dec 27  2017 e
lrwxrwxrwx 1 ct320 class      12 Nov 22  2016 grade -> checkin_prog
-rwxr-xr-x 1 ct320 class      59 May 30  2015 grade-busy
-rwx------ 1 ct320 class    3233 Sep 23  2017 grade-file-checker
-rwxr-xr-x 1 ct320 class     145 Dec 16  2015 grades
-rwxr-xr-x 1 ct320 class     834 Feb  8  2018 imv
-rwxr-xr-x 1 ct320 class      30 Sep 20  2015 l
-rwxr-xr-x 1 ct320 class      30 Sep 20  2015 ll
-rwxr-xr-x 1 ct320 class      30 Sep 20  2015 lsf
-rwx------ 1 ct320 class   10640 May 30  2015 moss
-rwxr-xr-x 1 ct320 class     112 Aug  4  2014 new
-rwxr-xr-x 1 ct320 class    1286 Jan 19  2020 note
-rwxr-xr-x 1 ct320 class     112 Aug  4  2014 old
-rwxr-xr-x 1 ct320 class      39 Apr 22  2013 p
lrwxrwxrwx 1 ct320 class      12 Nov 22  2016 peek -> checkin_prog
-rwxr-xr-x 1 ct320 class     789 Nov 17  2018 playpen
-rwxr-xr-x 1 ct320 class     276 Dec  4  2017 pwget
-rwxr-xr-x 1 ct320 class     166 Dec  4  2017 ruler
-rwxr-xr-x 1 ct320 class    1975 Jun 29  2018 run
-rwx------ 1 ct320 class      42 Jun 26  2018 runner
-rwxr-xr-x 1 ct320 class     114 Aug  4  2014 save
-rwxr--r-- 1 ct320 class    3150 Sep 29  2019 scores
-rwxr-xr-x 1 ct320 class    3404 Oct 15  2019 stats
drwx------ 2 ct320 class    4096 Aug 30  2015 tools
-rwxr-xr-x 1 ct320 class 1569660 Mar 10  2019 u
-rwxr-xr-x 1 ct320 class     294 Aug  4  2014 unold
-rwxrwxr-x 1 ct320 class    1036 Mar  7  2019 untar
-rwx------ 1 ct320 class    1078 Mar  7  2018 vman
-rwxr-xr-x 1 ct320 class    1078 Dec  9  2017 wikicat
-rwxr-xr-x 1 ct320 class     171 Dec 27  2017 wikidiff
-rwxr-xr-x 1 ct320 class     934 Jul 17  2019 wikiedit
-rwxr-xr-x 1 ct320 class    1004 Dec 30  2017 wikigrep
-rwxr-xr-x 1 ct320 class    2781 Dec  9  2017 wikiupdate
-rwxr-xr-x 1 ct320 class    1354 Dec 18  2017 wikiwhence

Access bits

d or l or -rwxrwxrwx
directory or fileusergroupother

The permissions can be different for user, group and other (everyone else). Typically, the user gets the most permissions, and others get very little.

Permissions: What do they mean?

Note that w for a directory means that you can change the directory, not the files it contains. Changing the files underneath it depends on their w bits.

Removing a file depends upon the w permission of containing directory, not any permissions of the file itself. Think of it as changing a relationship—you don’t need someone’s consent to unfriend them.

Protection Commands

    chown applin Desktop
    chgrp fac Desktop
    chmod 755 foo
    chmod ug+rw bar

Symbolic vs. octal

Some hackers consider it impressive to interpret the permission bits as an octal number. These are the same morons who think that memorizing the ASCII chart improves their dating prospects.

    chmod u=rw foo
    chmod go-w bar
    chmod g+r baz
    chmod g=r zip
    chmod a=rwx foo.*

That said, I will occasionally chmod 400 or chmod 666 a file, but I feel guilty when I do it.

Protection Commands

umask: set up default privileges:

More on Permissions

ACLS

Features of an access control list (ACL)

Linux ACL support

$ date >now
$ chmod go= now
$ ls -l now
-rw------- 1 ct320 class 29 Dec 23 08:08 now
$ setfacl -m applin:r now
$ getfacl now
# file: now
# owner: ct320
# group: class
user::rw-
user:applin:r--
group::---
mask::r--
other::---

$ ls -l now
-rw-r-----+ 1 ct320 class 29 Dec 23 08:08 now

Linux can support ACL mode

Process Ownership

$ ls -l /bin/passwd
-rwsr-xr-x 1 root root 33560 Apr 18  2022 /bin/passwd

Root Privileges

A special root account exists that represents the omnipotent administrative user, often called the superuser account, that can perform tasks that are restricted to other users:

Root Privileges

Several ways exist in which root privileges can be accessed, and a number of concerns should be taken into account when deciding which method to use:

Root

Access Control Problems

Common Extensions

Modified: 2017-08-29T12:54

User: Guest

Check: HTML CSS
Edit History Source
Apply to CSU | Contact CSU | Disclaimer | Equal Opportunity
Colorado State University, Fort Collins, CO 80523 USA
© 2015 Colorado State University
CS Building