granting permission to read or write a file, to view a directory or to execute a program to only those users allowed to do so; for instance, access to a payroll database is restricted by only allowing users in the Payroll Department to access the database files, and the ability to ping on the network is controlled by allowing only Networking Department personnel to execute the ping program
a policy is established for each action, defining who can perform it; ie., it should not be possible via telnet to login as root (since telnet does not know how to encrypt passwords)
Both before and after the next 3 steps, do the following: cat /etc/passwd ; cat /etc/group ; cat /etc/shadow. Note which files change after each command, and what the changes entail.
useradd -m john ; passwd john
groupadd networkingNote that some predefined groups are there to control access to hardware capabilities. For instance, you must be a member of the group audio to access the sound card.
usermod -G networking,john johnNote that at this point, the stage has been set, but no enforcement will take place because no permissions have been specified.
In case you make any mistakes, it might be useful to know the following: to delete a user, use the userdel command; likewise, to delete a group, use the groupdel command.
Both before and after the next 2 steps, do the following: ls -l /bin/ping. Note the changes after each command.
mount -wo remount /Use chgrp on the ping program to specify that it belongs to the networking group:
chgrp networking /bin/ping
chmod 4550 /bin/pingNow make the root filesystem read-only once again by
mount -ro remount /
The implementation and maintenance of a user and group structure is a design problem whose scope can only be appreciated by someone who has inherited a server which has a tangled mess of users and groups and does not adequately control security of system resources. It cannot be stressed strongly enough that the design of a useful and flexible group structure requires careful forethought and more than a little luck, and
when ad hoc changes are made for the sake of convenience, security will be compromised quickly and effectively.Most systems administrators will keep all of the commands needed to set up their user and group structure in one or more scripts, to facilitate rebuilding the server, and to make it easier to keep track of what is already in place when making changes.
|s g t||r w x||r w x||r w x|
|setuid setgid sticky||owner||group||anyone else|
|read write execute||read write execute||read write execute|
The octal permission is a four "octit" (base 8 digit) number; missing high order numbers are assumed to be zero (as in base 10). Hence a 750 would really mean 0750; written in binary, 750 is
|s g t||r w x||r w x||r w x|
|0 0 0||1 1 1||1 0 1||0 0 0|
and so we see that the owner (which is root) can read, write to and execute the file, the group members can read and execute the file, and anyone else can do nothing with the file.
Never add s or g permissions to a file which does not already have them, as they can open potentially enormous security holes.
The permissions which are set when ping is installed are 4555. After the changes in the above example, an ls -l /bin/ping produces the following output:
This means that ping is:-r-sr-x--- 1 root networking 23436 Aug 27 12:10 /bin/ping
Note that root does not need r or w permission to read from or write to a file or directory. Also, root can execute any file which has execute permission, even it the file is not owned by root.
The only time that it makes sense to use the symbolic permissions is if you need to add or remove a permission on multiple files, not all of which have the same permissions. For instance, if you needed to add write permission for the file's owner to all of the files in a directory, some of which were executable and some of which were not, the command chmod u+w * is very useful. You must be very careful, however, since it is easy to mistakenly use "o" for owner instead of "u" for user, and "o" does NOT mean owner, it means all of the other users who are not the owner or in the file group!
For instance, suppose root creates a directory containing multiple files and sub-directories, and wishes to copy the directory and its contents to a user's home directory, who should then own them. A simple way to accomplish this would be:
cp -a directory /home/user/The "-a" on the cp command causes it to copy the directory and everything it contains (without the "-a", cp will refuse to copy directories). The "user:user" causes chown to change both the user (before the colon) and group (after the colon) associated with the directory, and the "-R" will cause chown to do that recursively, to the contents of the entire directory sub-tree starting with /home/user/directory.
chown user:user /home/user/directory -R
This can be accomplished by setting umask to 077 in /etc/profile.d/umask.sh (it is currently set to 007, which means that the owner and group members have full access, but others do not). umask is an internal bash command which affects all files created by the shell or any of its children. The effect is to AND the mode specified at file creation with NOT the umask value; the resulting value is stored in the file inode. So umask specifies which bits MUST be zero in the permissions.
Note that the profile scripts are run only for a login shell (the one started by login). Therefore, changes made to any of them will only affect subsequent logins. Specifically, the changes will not affect current or new xterm shells unless you first logout.
suwith no parameters means that you want to become root, while
su usermeans you want to become that user.
su spawns (or forks) a new shell process which is stacked on top of the previous one, and which runs under the new user. When the new shell is exited, the old one resumes under the old identification. The id command can be used to find which user and group the current shell process is running under.
If you want to add files and directories to /etc/skel so that all of your users will have a predetermined environment in which to work, be sure to refer to home directories using the environment variable $HOME (or ~/); any references to /root will obviously be a problem!Be aware that when you use useradd -m, the permissions on the new directory are 755 (this is because root's umask value is 022; root often installs software that ordinary users will use, so that is the most useful value for root). When all users are a member of the same initial group (and umask is set to 077), you will probably want to chmod 700 the new home directory. If every user has their own group (as in our distribution), 770 would be acceptable.
If any of the files are used by programs which do not interpret environment variables, the user can execute the following command to manually change "$HOME" to the name of the user's home directory:sed -i~ -e "s%\$HOME%$HOME%g" filenameThe "-i~" means we are doing an "inline" edit, and a backup copy of the file will be saved as filename~. The double quotes on the expression are necessary so that the shell will change the second "$HOME" to the user's home directory, and the backward slash prevents the shell from do that to the first "$HOME". The g option tells sed to make the change on every occurrence of $HOME on every line it occurs in.
To see how the shell interprets that command, if it were executed by the user ken, it would be interpreted assed -i~ -e s%$HOME%/home/ken%g filenameWe used "%" as the delimiter for the sed s command because the second $HOME will have "/"s in it when the variable is expanded by bash.
Accounting allows the system administrator to keep track of how much each user is using various system resources, such as cpu time, memory and i/o. It can also keep track of which programs are used by each user, and resource usage by program. While in the past this information was typically used to charge users for computer resources, its primary use now is to allow the administrator to track usage (and misusage) of the system.
The system also allows the administrator to set and enforce maximums for disk space utilization by filesystem and user, via quota control.
©2014, Kenneth R. Koehler. All Rights Reserved. This document may be freely reproduced provided that this copyright notice is included.
Please send comments or suggestions to the author.