access control
play

Access Control Dr. John Yoon How do you know yours? Finding about - PowerPoint PPT Presentation

Advanced Linux File Permission Access Control Dr. John Yoon How do you know yours? Finding about you and the system $ who $ hostname $ whoami $ uname $ id $ date $ ps -aux Environment Variables Environment Settings of a


  1. Advanced Linux File Permission Access Control Dr. John Yoon

  2. How do you know yours?  Finding about you and the system $ who $ hostname $ whoami $ uname $ id $ date $ ps -aux

  3. Environment Variables  Environment • Settings of a Linux Shell $ printenv  Printing $ printenv TERM  Setting $ py3=python3 $ export py3 $ echo $py3 $ unset py3

  4. Commands for Systems/Sessions  lpr : prints a file  alias : creates an alias for a command. • Aliases can be placed in your .cshrc login script. • Example: alias rm ‘rm –i’.

  5. The UNIX Pipe (|)  The pipe (|) creates a channel from one command to another. Think of the pipe as a way of connecting the output from one command to the input of another command.  The pipe can be used to link commands together to perform more complex tasks that would otherwise take multiple steps (and possibly writing information to disk).  Examples: • Count the number of users logged onto the current system. o The who command will give us line by line output of all the current users. o We could then use the wc -l to count the number of lines... o who | wc –l • Display long listings in a scrollable page. o The lpq command will give us a list of the waiting print jobs. o lpq | less

  6. Commands for Processes  ps : lists the processes running on the machine. • ps -u username lists only your processes. • ps -a : lists all processes running on the machine. • The PID column of the listing, provides the information required by the kill command.  kill : terminates a process • kill process_id : sends a terminate signal to the process specified by the process_id (PID). • In cases where the terminate signal does not work, the command " kill -9 process_id " sends a kill signal to the process.  nice : runs a process with a lower priority.

  7. Try ls() -l  See what it displays

  8. Access Permissions  Limiting unauthorized access to your directories and files is a very important concern for ALL Linux (Unix) users.  Consequences of Unauthorized Access: • Copying your assignments (cheating) • Using your account for illegal activity • Using your account to send obscene messages • Tampering with files

  9. Access Control Check  Given an access request, return an access control decision based on the policy • allow / deny Access Control A Request Allow / Deny Check The Policy

  10. File / Directory Permissions  The Linux (Unix) OS can allow the user to specify read, write and execute permissions to the user (owner of file), group (same group members) or all others (different group members)  Directory Permissions: • Read (r) – View directory contents (filenames only) • Write (w) – Create / Remove subdirectories and files • Execute (x) – Access directory contents  File Permissions • Read (r) – View contents (inside) of file • Write (w) – Make changes to file’s contents • Execute (x) – Run program or shell script

  11. chmod Command (Relative Method) Used to change the access permissions of a file or directory Format: chmod [who] [operation] [permission] file • who relates to user (u), group (g), others (o), or all (a) • operation relates to adding (+), removing (-), or setting (=) permissions • permissions are read (r), write (w), or execute (x)

  12. Type Enforcement [BoebertKain84] Permission Assignment Object User Subject Type Can Type Type Access Object Type Object User (Subject) (Object) To Perform Operations On Objects User Object

  13. chmod Command (Relative Method) Examples: • Add Permission chmod g+rw file.name Note: you can chmod o+x file.name • Remove Permission use wildcard symbols (eg *) to chmod g-w file.name chmod a-w file.name (removes match particular write for ug) files • Set Permission chmod o=rx file.name chmod go=rx filename

  14. Privileges  Three Identities • Owner, Group, Worlds  Three Privileges • Read, Write, Execute • 4 2 1 in sticky bit Possible additive bits 1  Command Can execute 2 Can write • $ chmod 1+2 = 3 Can execute and write • # chgrp 4 Can read 1+4 = 5 • $ chown Can execute and read 2+4 = 6 Can write and read • $ ch 1+2+4 = 7 Cal do all

  15. chmod - Example (Absolute Method) Applying octal values of rwx using the absolute chmod command: chmod ___ file - r w x r w x r w x chmod ___ file - r w x r - x r - x chmod ___ file - r w x - - x - - x chmod ___ file - r w - r - - r - - Q: Fill in the number

  16. Practical Applications of chmod  Directory Pass-Through Permission (x) • Pass-through permission allows users to pass- through a directory in order to access the contained files and subdirectories • To deny access to your files by other users, you can remove group and other pass-through permissions on your home directory (rwx------)

  17. Creating a User Mask  The Unix / Linux OS allows “masks” to be created to set default permissions for “newly-created” directories and files.  The umask command automatically sets the permissions when the user creates directories and files (umask stands for “user mask”).  This process is useful, since user may sometimes forget to change the permissions of newly-created files or directories.

  18. umask Command Used to automatically establish file permission upon creation umask [mask] where mask represents a 3-digit octal number for permissions to be denied for UGO. • Think of a mask as “hiding” permissions that are available from the system.

  19. Setting Directory Mask To change directory mask: • Determine octal number that would set directory permission • Subtract octal number determined above from octal number 777 to get result • issue the command : umask [octal number]

  20. Setting Directory Mask Example: • To set mask for newly-created directories to: r w x r - - r - - • Determine octal number 1 1 1 1 0 0 1 0 0 = 744 • Subtract 744 from 777 = 033 Why 777? Because the system • Issue command umask 033 wants to give full permissions for user, group and others. The mask 033 takes away the • Issue command umask to verify change specified permissions.

  21. Default Directory Permissions Example: • With umask of 033 from previous example: • Subtract 033 from 777 = 744 • Convert to permissions: r w x r - - r - -

  22. umask for Files • When creating new regular files, the system can only provide read and write permissions (i.e. no execute permissions). • Thus there is no way to have execute permission as a default for files. • Note that there is only one umask setting, which determines default permissions for newly created files and directories.

  23. Determining Default File Permissions Example: • With umask of 033 from previous example: • Subtract 033 from 777 = 744 • Convert to permissions: r w x r - - r - - • Remove any “x” permissions remaining: r w - r - - r - -

Recommend


More recommend