CT320: Access
Original slides from Dr. James Walden at Northern Kentucky University.
https://en.wikipedia.org/wiki/Access_control
/etc/passwd: file that stores passwords and maps usernames to user identification numbers (UIDs).
/etc/group: file that maps group names to group identification numbers (GIDs).
Instead of keeping the encrypted passwords in the world-readable /etc/passwd, they can be kept in /etc/shadow.
pwconv, pwunconv, grpconv, grpunconv: convert password/group files to & from shadow.
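An added example (not from the CT320 slides) that checks a passwd-format file for the problems the shadow split exists to prevent: a password hash still sitting in the world-readable file, an empty password field, and a second account with UID 0. The sample entries, the account names in them and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the CT320 slides: audit a passwd-format file for
# the weaknesses the shadow split is meant to prevent. Input is constructed.

# Constructed sample in /etc/passwd format (name:password:UID:GID:GECOS:home:shell).
# Three of the six entries are deliberately wrong.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ct320:x:1000:1000:CT320 instructor:/home/ct320:/bin/bash
applin:$6$saltsalt$notarealhash:1001:1001:never converted:/home/applin:/bin/bash
guest::1002:1002:guest:/home/guest:/bin/sh
toor:x:0:0:alternate root:/root:/bin/sh'

# passwd_audit TEXT: print one finding per line. After pwconv every password
# field should be "x" (hash lives in /etc/shadow) or a locked marker (* or !).
passwd_audit() {
    printf '%s\n' "$1" | awk -F: '
        NF < 7 { next }                       # skip blank or malformed lines
        $2 == "" { print $1 ": empty password field, no password needed to log in" }
        $2 != "" && $2 != "x" && $2 !~ /^[*!]/ {
            print $1 ": password hash kept in world-readable passwd file, run pwconv" }
        $3 == 0 && $1 != "root" { print $1 ": UID 0, this account is another root" }
    '
}

# passwd_finding_count TEXT: number of findings; a periodic check should see 0.
passwd_finding_count() {
    passwd_audit "$1" | wc -l | tr -d ' '
}

passwd_audit "$SAMPLE_PASSWD"
```

Run it as `sh passwd_audit.sh` to see the three findings; point `passwd_audit` at `"$(cat /etc/passwd)"` to check a real host, where the expected result after pwconv is no output at all.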
useradd: add new user, associate with group, create home directory, set default shell, set initial password
userdel: remove existing user, delete home directory and files, edit associated groups, assuming no processes!
usermod: modify existing users, including initial group, home directory, user identification number
groupadd/groupdel/groupmod: functions for groups instead of users, assigns group identification numbers
passwd: modify or delete a password, users can modify their own password, root can modify any password
login: authenticate a username and password before allowing user access
ls -l: listing directory in long format
$ ls -l ~/bin
total 1748
lrwxrwxrwx 1 ct320 class      12 Nov 22  2016 checkin -> checkin_prog
-rwx------ 1 ct320 class    3915 Jun  1  2019 checkin-checker
-rwx------ 1 ct320 class     405 Oct 14  2017 checkin-file-checker
-rws--x--x 1 ct320 class   42040 Sep  6  2016 checkin_prog
-rwxr-xr-x 1 ct320 class    1339 Sep 23  2019 chit
-rwxr-xr-x 1 ct320 class     895 Sep 23  2019 cls
-rwx------ 1 ct320 class    2748 Dec 13  2019 code
-rwxr-xr-x 1 ct320 class     160 Jun 14  2014 cronedit
-rwxr-xr-x 1 ct320 class    3076 Oct 15  2019 curve
-rwxr-xr-x 1 ct320 class     666 Dec 27  2017 demo-script
-rwxr-xr-x 1 ct320 class    1306 Mar  7  2018 domoss
-rwxr-xr-x 1 ct320 class    1019 Dec 27  2017 e
lrwxrwxrwx 1 ct320 class      12 Nov 22  2016 grade -> checkin_prog
-rwxr-xr-x 1 ct320 class      59 May 30  2015 grade-busy
-rwx------ 1 ct320 class    3233 Sep 23  2017 grade-file-checker
-rwxr-xr-x 1 ct320 class     145 Dec 16  2015 grades
-rwxr-xr-x 1 ct320 class     834 Feb  8  2018 imv
-rwxr-xr-x 1 ct320 class      30 Sep 20  2015 l
-rwxr-xr-x 1 ct320 class      30 Sep 20  2015 ll
-rwxr-xr-x 1 ct320 class      30 Sep 20  2015 lsf
-rwx------ 1 ct320 class   10640 May 30  2015 moss
-rwxr-xr-x 1 ct320 class     112 Aug  4  2014 new
-rwxr-xr-x 1 ct320 class    1286 Jan 19  2020 note
-rwxr-xr-x 1 ct320 class     112 Aug  4  2014 old
-rwxr-xr-x 1 ct320 class      39 Apr 22  2013 p
lrwxrwxrwx 1 ct320 class      12 Nov 22  2016 peek -> checkin_prog
-rwxr-xr-x 1 ct320 class     789 Nov 17  2018 playpen
-rwxr-xr-x 1 ct320 class     276 Dec  4  2017 pwget
-rwxr-xr-x 1 ct320 class     166 Dec  4  2017 ruler
-rwxr-xr-x 1 ct320 class    1975 Jun 29  2018 run
-rwx------ 1 ct320 class      42 Jun 26  2018 runner
-rwxr-xr-x 1 ct320 class     114 Aug  4  2014 save
-rwxr--r-- 1 ct320 class    3150 Sep 29  2019 scores
-rwxr-xr-x 1 ct320 class    3404 Oct 15  2019 stats
drwx------ 2 ct320 class    4096 Aug 30  2015 tools
-rwxr-xr-x 1 ct320 class 1569660 Mar 10  2019 u
-rwxr-xr-x 1 ct320 class     294 Aug  4  2014 unold
-rwxrwxr-x 1 ct320 class    1036 Mar  7  2019 untar
-rwx------ 1 ct320 class    1078 Mar  7  2018 vman
-rwxr-xr-x 1 ct320 class    1078 Dec  9  2017 wikicat
-rwxr-xr-x 1 ct320 class     171 Dec 27  2017 wikidiff
-rwxr-xr-x 1 ct320 class     934 Jul 17  2019 wikiedit
-rwxr-xr-x 1 ct320 class    1004 Dec 30  2017 wikigrep
-rwxr-xr-x 1 ct320 class    2781 Dec  9  2017 wikiupdate
-rwxr-xr-x 1 ct320 class    1354 Dec 18  2017 wikiwhence
d or l or - | rwx | rwx | rwx |
directory or file | user | group | other |
The permissions can be different for user, group and other (everyone else). Typically, the user gets the most permissions, and others get very little.
r: gives permission to read a file or directory
w: gives you permission to write a file or directory
x: gives you permission to execute (run) a file or cd into a directory
Note that w for a directory means that you can change the directory, not the files it contains. Changing the files underneath it depends on their w bits.
Removing a file depends upon the w permission of containing directory, not any permissions of the file itself. Think of it as changing a relationship—you don’t need someone’s consent to unfriend them.
chown applin Desktop
chgrp fac Desktop
chmod 755 foo
chmod ug+rw bar
Some hackers consider it impressive to interpret the permission bits as an octal number. These are the same morons who think that memorizing the ASCII chart improves their dating prospects.
chmod u=rw foo
chmod go-w bar
chmod g+r baz
chmod g=r zip
chmod a=rwx foo.*
That said, I will occasionally chmod 400 or chmod 666 a file, but I feel guilty when I do it.
umask: set up default privileges:
umask 077 — I trust nobody!
umask u=rwx,go= — I trust nobody!
umask u=rwx,g=r,o= — I trust my group, and nobody else.
~/.bashrc
/tmp
Features of an access control list (ACL)
$ date >now
$ chmod go= now
$ ls -l now
-rw------- 1 ct320 class 29 Dec 23 08:08 now
$ setfacl -m applin:r now
$ getfacl now
# file: now
# owner: ct320
# group: class
user::rw-
user:applin:r--
group::---
mask::r--
other::---
$ ls -l now
-rw-r-----+ 1 ct320 class 29 Dec 23 08:08 now
Linux can support ACLs in addition to the traditional mode (rwxrwxrwx) model:
mount -o acl option
setfacl command to define permissions
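An added example (not from the CT320 slides) that works out what a user actually gets from an ACL like the one getfacl printed above. It follows the access-check order (owner entry, then a named user entry, then any matching group entries, then other) and applies the mask entry to everything except the owner and other entries, which is why the "+" file above grants applin only r-- even though the entry could have said more. The first ACL is the transcript's own; the second, the group name fac, the users alice and bob, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the CT320 slides: compute the effective permission a
# user gets from a POSIX ACL as printed by getfacl, following the access-check
# order (owner, named user, groups, other) with the mask applied to everything
# but the owner and other entries. Input is getfacl-style text, not a live file.

# The getfacl output from the transcript above, verbatim.
SLIDE_ACL='# file: now
# owner: ct320
# group: class
user::rw-
user:applin:r--
group::---
mask::r--
other::---'

# Constructed variant: applin was granted rw and the group fac rwx, but the
# mask is only r-x, so neither of them gets everything the entry says.
MASKED_ACL='# file: now
# owner: ct320
# group: class
user::rw-
user:applin:rw-
group::---
group:fac:rwx
mask::r-x
other::---'

# acl_effective ACL_TEXT USER "GROUP ...": print the rwx string USER ends up
# with. Matching group entries are combined bit by bit (any matching group
# entry that grants a bit is enough), then masked.
acl_effective() {
    printf '%s\n' "$1" | awk -F: -v who="$2" -v groups="$3" '
    function mask_and(p,   i, out) {       # apply the mask entry to p
        out = ""
        for (i = 1; i <= 3; i++)
            out = out ((substr(p, i, 1) != "-" && substr(mask, i, 1) != "-") ? substr(p, i, 1) : "-")
        return out
    }
    function merge(a, b,   i, out) {       # union of two rwx strings
        out = ""
        for (i = 1; i <= 3; i++)
            out = out ((substr(a, i, 1) != "-") ? substr(a, i, 1) : substr(b, i, 1))
        return out
    }
    BEGIN { mask = "rwx"; n = split(groups, g, " "); for (i = 1; i <= n; i++) member[g[i]] = 1 }
    /^# owner:/ { sub(/^ +/, "", $2); owner = $2; next }
    /^# group:/ { sub(/^ +/, "", $2); ogroup = $2; next }
    /^#/ || NF < 3 { next }
    { sub(/[ \t]+#.*/, "", $3) }           # drop a trailing "#effective:..." note
    $1 == "user"  && $2 == "" { uperm = $3 }
    $1 == "user"  && $2 != "" { named[$2] = $3 }
    $1 == "group" && $2 == "" { gperm = $3 }
    $1 == "group" && $2 != "" { ngroup[$2] = $3 }
    $1 == "mask"              { mask = $3 }
    $1 == "other"             { other = $3 }
    END {
        if (who == owner) { print uperm; exit }          # owner entry is never masked
        if (who in named) { print mask_and(named[who]); exit }
        acc = "---"; hit = 0
        if (ogroup in member) { acc = merge(acc, gperm); hit = 1 }
        for (name in ngroup) if (name in member) { acc = merge(acc, ngroup[name]); hit = 1 }
        print (hit ? mask_and(acc) : other)              # a matching group hides "other"
    }'
}

# Stand-alone demo: ct320 owns the file, applin is a named user, alice is in
# group class, bob is in group fac (constructed memberships).
for u in ct320 applin alice bob; do
    printf '%-7s slide ACL: %s   masked ACL: %s\n' "$u" \
        "$(acl_effective "$SLIDE_ACL" "$u" class)" "$(acl_effective "$MASKED_ACL" "$u" fac)"
done
```

Note that a user who matches a group entry never falls through to other, even when the group entry grants nothing, which is why alice gets --- from the slide's ACL although the mask would have allowed r.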
$ ls -l /bin/passwd
-rwsr-xr-x 1 root root 33560 Apr 18 2022 /bin/passwd
A special root account exists that represents the omnipotent administrative user, often called the superuser account, that can perform tasks that are restricted to other users:
Several ways exist in which root privileges can be accessed, and a number of concerns should be taken into account when deciding which method to use:
su (switch user/substitute user/super user) command (bad)
sudo command (best)
su command is of limited duration, but doesn't do any logging.
su ct320
sudo command is of limited duration, and does logging, thus making it easy to monitor system administration activities.
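As an added example (not from the CT320 slides) of what that logging buys you: sudo records each request through syslog, and the lines below show the format it uses for a command it ran and for a user it refused. The log lines, the host name lab, the users and commands in them, and the function names are constructed for the example; on a real system the input would come from /var/log/auth.log or /var/log/secure.

```shell
#!/bin/sh
# Added example, not from the CT320 slides: read the audit trail that sudo
# writes through syslog and list who ran what as which user, plus who was
# refused. Log lines are constructed in sudo's usual format; host "lab",
# the users and the commands are made up.
SAMPLE_LOG='Dec 23 08:08:01 lab sudo:    ct320 : TTY=pts/0 ; PWD=/home/ct320 ; USER=root ; COMMAND=/usr/bin/apt-get install gcc
Dec 23 08:09:12 lab sudo:   applin : TTY=pts/2 ; PWD=/home/applin ; USER=root ; COMMAND=/usr/sbin/useradd -m newstudent
Dec 23 08:10:45 lab sudo:    alice : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Dec 23 08:10:46 lab sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1003 euid=0 tty=/dev/pts/1 ruser=alice rhost=  user=alice'

# sudo_commands LOG: tab-separated "invoking user, target user, command" for
# each command sudo actually ran.
sudo_commands() {
    printf '%s\n' "$1" | awk '
        / sudo: / && /COMMAND=/ && !/NOT in sudoers/ {
            line = $0; sub(/^.* sudo: +/, "", line)   # "ct320 : TTY=... ; COMMAND=..."
            user = line;   sub(/ :.*/, "", user)
            target = line; sub(/.*USER=/, "", target); sub(/ ;.*/, "", target)
            cmd = line;    sub(/.*COMMAND=/, "", cmd)
            print user "\t" target "\t" cmd
        }'
}

# sudo_denied LOG: users whose request sudo refused because they are not in
# sudoers; these lines are worth an alert, since the user still typed the command.
sudo_denied() {
    printf '%s\n' "$1" | awk '
        / sudo: / && /NOT in sudoers/ {
            line = $0; sub(/^.* sudo: +/, "", line)
            sub(/ :.*/, "", line); print line
        }'
}

printf 'Commands run through sudo:\n'; sudo_commands "$SAMPLE_LOG"
printf 'Refused users:\n'; sudo_denied "$SAMPLE_LOG"
```

The same two functions answer the slide's "who broke the C compiler" question against a real log: `sudo_commands "$(cat /var/log/auth.log)" | grep apt-get` names the invoking user, which su would not have recorded.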
(OK, who broke the C compiler!?)
Modified: 2017-08-29T12:54