Advanced Linux File Permission Access Control Dr. John Yoon
How do you know yours? Finding about you and the system $ who $ hostname $ whoami $ uname $ id $ date $ ps -aux
Environment Variables Environment • Settings of a Linux Shell $ printenv Printing $ printenv TERM Setting $ py3=python3 $ export py3 $ echo $py3 $ unset py3
Commands for Systems/Sessions lpr : prints a file alias : creates an alias for a command. • Aliases can be placed in your .cshrc login script. • Example: alias rm ‘rm –i’.
The UNIX Pipe (|) The pipe (|) creates a channel from one command to another. Think of the pipe as a way of connecting the output from one command to the input of another command. The pipe can be used to link commands together to perform more complex tasks that would otherwise take multiple steps (and possibly writing information to disk). Examples: • Count the number of users logged onto the current system. o The who command will give us line by line output of all the current users. o We could then use the wc -l to count the number of lines... o who | wc –l • Display long listings in a scrollable page. o The lpq command will give us a list of the waiting print jobs. o lpq | less
Commands for Processes ps : lists the processes running on the machine. • ps -u username lists only your processes. • ps -a : lists all processes running on the machine. • The PID column of the listing, provides the information required by the kill command. kill : terminates a process • kill process_id : sends a terminate signal to the process specified by the process_id (PID). • In cases where the terminate signal does not work, the command " kill -9 process_id " sends a kill signal to the process. nice : runs a process with a lower priority.
Try ls() -l See what it displays
Access Permissions Limiting unauthorized access to your directories and files is a very important concern for ALL Linux (Unix) users. Consequences of Unauthorized Access: • Copying your assignments (cheating) • Using your account for illegal activity • Using your account to send obscene messages • Tampering with files
Access Control Check Given an access request, return an access control decision based on the policy • allow / deny Access Control A Request Allow / Deny Check The Policy
File / Directory Permissions The Linux (Unix) OS can allow the user to specify read, write and execute permissions to the user (owner of file), group (same group members) or all others (different group members) Directory Permissions: • Read (r) – View directory contents (filenames only) • Write (w) – Create / Remove subdirectories and files • Execute (x) – Access directory contents File Permissions • Read (r) – View contents (inside) of file • Write (w) – Make changes to file’s contents • Execute (x) – Run program or shell script
chmod Command (Relative Method) Used to change the access permissions of a file or directory Format: chmod [who] [operation] [permission] file • who relates to user (u), group (g), others (o), or all (a) • operation relates to adding (+), removing (-), or setting (=) permissions • permissions are read (r), write (w), or execute (x)
Type Enforcement [BoebertKain84] Permission Assignment Object User Subject Type Can Type Type Access Object Type Object User (Subject) (Object) To Perform Operations On Objects User Object
chmod Command (Relative Method) Examples: • Add Permission chmod g+rw file.name Note: you can chmod o+x file.name • Remove Permission use wildcard symbols (eg *) to chmod g-w file.name chmod a-w file.name (removes match particular write for ug) files • Set Permission chmod o=rx file.name chmod go=rx filename
Privileges Three Identities • Owner, Group, Worlds Three Privileges • Read, Write, Execute • 4 2 1 in sticky bit Possible additive bits 1 Command Can execute 2 Can write • $ chmod 1+2 = 3 Can execute and write • # chgrp 4 Can read 1+4 = 5 • $ chown Can execute and read 2+4 = 6 Can write and read • $ ch 1+2+4 = 7 Cal do all
chmod - Example (Absolute Method) Applying octal values of rwx using the absolute chmod command: chmod ___ file - r w x r w x r w x chmod ___ file - r w x r - x r - x chmod ___ file - r w x - - x - - x chmod ___ file - r w - r - - r - - Q: Fill in the number
Practical Applications of chmod Directory Pass-Through Permission (x) • Pass-through permission allows users to pass- through a directory in order to access the contained files and subdirectories • To deny access to your files by other users, you can remove group and other pass-through permissions on your home directory (rwx------)
Creating a User Mask The Unix / Linux OS allows “masks” to be created to set default permissions for “newly-created” directories and files. The umask command automatically sets the permissions when the user creates directories and files (umask stands for “user mask”). This process is useful, since user may sometimes forget to change the permissions of newly-created files or directories.
umask Command Used to automatically establish file permission upon creation umask [mask] where mask represents a 3-digit octal number for permissions to be denied for UGO. • Think of a mask as “hiding” permissions that are available from the system.
Setting Directory Mask To change directory mask: • Determine octal number that would set directory permission • Subtract octal number determined above from octal number 777 to get result • issue the command : umask [octal number]
Setting Directory Mask Example: • To set mask for newly-created directories to: r w x r - - r - - • Determine octal number 1 1 1 1 0 0 1 0 0 = 744 • Subtract 744 from 777 = 033 Why 777? Because the system • Issue command umask 033 wants to give full permissions for user, group and others. The mask 033 takes away the • Issue command umask to verify change specified permissions.
Default Directory Permissions Example: • With umask of 033 from previous example: • Subtract 033 from 777 = 744 • Convert to permissions: r w x r - - r - -
umask for Files • When creating new regular files, the system can only provide read and write permissions (i.e. no execute permissions). • Thus there is no way to have execute permission as a default for files. • Note that there is only one umask setting, which determines default permissions for newly created files and directories.
Determining Default File Permissions Example: • With umask of 033 from previous example: • Subtract 033 from 777 = 744 • Convert to permissions: r w x r - - r - - • Remove any “x” permissions remaining: r w - r - - r - -
Recommend
More recommend