perm-pdf (en)


Upload: pedy

Post on 30-May-2018


Permissions

1. Benefits of file permissions

2. Definition of file permissions

3. Reading file permissions

4. Formulations of file permissions

5. Changing file permissions

6. Extra file permissions

7. User Mask (Umask)

Version 1.0 linuxslides.blogspot.com


1.0 Benefits of file permissions

Restricting a user so that he can only read certain files

Restricting a user so that he cannot modify certain files

Restricting a user so that he cannot execute certain files

Restricting a user so that he cannot enter and see certain directories

Restricting a user so that he cannot remove certain files


2.0 Definition of file permissions

Rights given by root to a certain user to utilize certain objects. In other words, file permissions consist of three basic concepts: who, permissions (rights), and objects.


3.0 Reading file permissions

$ ls -l
drwxr-xr-x 2 john scientists 4096 2009-09-24 11:50 projects/

d rwx r-x ---     john scientists     projects/
(permissions?)    (who?)              (what objects?)

d: directory

rwx: user john (owner) has rights rwx

r-x: group scientists has rights rx

---: other (everyone besides user john and group scientists) has no rights at all


3.1 Reading directory permission

d rwx r-x ---     john scientists     projects/

d: directory

rwx: user john (owner) has rights rwx:
  (r) read directory content
  (w) write/add/erase directory content
  (x) execute/enter directory

r-x: group scientists has rights rx:
  (r) read directory content
  (x) execute/enter directory

---: other (everyone besides user john and group scientists) has no rights at all


3.2 Reading file permission

- rwx r-x ---     john scientists     robot.c

-: file

rwx: user john (owner) has rights rwx:
  (r) read file content
  (w) write/add/erase file content
  (x) execute a file

r-x: group scientists has rights rx:
  (r) read file content
  (x) execute a file

---: other (everyone besides user john and group scientists) has no rights at all


3.3 File and directory permissions

              Directory                                       File

read (r)      see directory contents: ls, ls -l               see file contents: cat, vi, grep

write (w)     add/erase directory content: mkdir, rmdir, rm   add/erase file content: vi, gedit

execute (x)   enter a directory: cd                           execute a file


3.4 QUIZ

Explain the file permissions below:

$ ls -l /etc/shadow
-rw- r-- --- 1 root shadow 1118 2009-09-24 11:48 /etc/shadow

Answers:

User root has which rights?

Group shadow has which rights?

Everyone besides user root and group shadow has which rights?


3.5 QUIZ

Adjust the permissions (rwx):

I want a file named secret.doc (under the projects directory) that can only be read and modified by user john, while group scientists can only read the file. Others have no rights at all.

Answers:

User john has which rights?

Group scientists has which rights?

Everyone besides user and group has which rights?


3.6 QUIZ

Adjust the permissions (rwx):

I want a file named secret.doc (under the projects directory) that can only be removed by user john. What rights should be added, and where?

Answers:

Which part is responsible for deleting a file? File permissions or directory permissions?

What permissions should be added? Where? User, group or other?


4.0 Formulations of permissions

There are two types of formulations:

1. Symbolic (rwx r-x ---)

2. Octal (750, 644, etc)

Octal numerations:

read (r) = 4

write (w) = 2

execute (x) = 1

Example: -rwx r-x ---

rwx = 4+2+1 = 7

r-x = 4+0+1 = 5

--- = 0+0+0 = 0

rwx r-x --- = 750


4.1 QUIZ

Change from symbolic to octal, or vice versa:

1. rw r-- ---

2. rwx --x --x

3. 544

4. 755


5.0 Changing file permissions

There are two ways to change permissions:

1. Change perm (chmod)

2. Change ownership (chown, chgrp)

Example on projects/:

before: rwx r-x ---   john   scientists
after:  rw- r-- r--   jack (user)   officeboy (group)

REQUIREMENT: Only the owner can change the permissions


5.1 Chmod

Adding rights to the existing ones:

$ chmod u+rw,g+r,o+w secret.doc

(adding rights rw to user, r to group, w to others)

Removing rights from the existing ones:

$ chmod u-x,g-rw,o-r secret.doc

(removing rights x from user, rw from group, r from others)

Setting new rights and overwriting the existing ones:

$ chmod u=rw,g=r,o= secret.doc

(setting new rights rw to user, r to group, --- to others)

Setting new rights using octal:

$ chmod 640 secret.doc

(setting new rights rw to user, r to group, --- to others)


5.2 Lab

1. Enter your home directory ($ cd)

2. Create an empty file “lab” ($ touch lab)

3. Check the permissions of the file

4. Change the file permissions to rwx r-x r-x

5. Change again to 644

6. Change again so the file is executable for all

7. Learn and check the chmod manual ($ man chmod)


5.3 Chown

Change user ownership, from john to jack:

$ chown jack secret.doc

(file secret.doc now belongs to user boni)

Change group ownership, from scientists to officeboy:

$ chgrp officeboy secret.doc

(file secret.doc now belongs to group officeboy)

Change user and group ownership at the same time:

$ chown jack.officeboy secret.doc

or

$ chown jack:officeboy secret.doc

(file secret.doc now belongs to user jack & group officeboy)


5.4 Lab

1. Enter your home directory ($ cd)

2. Create an empty file “lab2” ($ touch lab2)

3. Check the ownership of the file

4. Change the ownership to another user

5. Change the ownership to another group

6. Change back to the previous ownership (with a single command)

7. Learn and check the chgrp manual ($ man chgrp)


6.0 Extra file permissions

SUID (Set User ID)

Executable files with SUID, when executed, change the user ID of the executor to the owner of the file/application (even though the original role of the executor is only other). After the execution is finished, the user ID changes back to the original.

SGID (Set Group ID)

Executable files with SGID, when executed, change the group ID of the executor to the group of the file/application (even though the original role of the executor is only other). After the execution is finished, the group ID changes back to the original.

Sticky Bit

Executable files with the sticky bit remain in memory after execution, so access to the file is faster if other users want to execute the same file.


6.1 Positions of extra file permissions

attribute              position       chmod symbolic    chmod octal

suid (set user id)     --s --- ---    chmod u+s file    chmod 4xxx file

sgid (set group id)    --- --s ---    chmod g+s file    chmod 2xxx file

sticky bit             --- --- --T    chmod +t file     chmod 1xxx file
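
Added example, not part of the original slides: a converter from an ls-style mode string to octal that combines the 4/2/1 sums of section 4.0 with the SUID/SGID/sticky digit of this table. The helper name sym_to_octal is hypothetical; it also covers the lowercase/uppercase distinction (s or t means the special bit plus x, S or T means the special bit without x).

```sh
#!/bin/sh
# Added example: convert an ls-style mode string to octal, including the
# SUID/SGID/sticky digit. sym_to_octal is a hypothetical helper name.
sym_to_octal() {
    m=$(printf '%s' "$1" | tr -d ' ')              # accept "rwx r-x ---" too
    if [ "${#m}" -eq 10 ]; then m=${m#?}; fi       # drop the file-type character
    [ "${#m}" -eq 9 ] || { echo "bad mode: $1" >&2; return 1; }
    special=0
    digits=
    for i in 0 1 2; do                             # 0=user, 1=group, 2=other
        trip=$(printf '%s' "$m" | cut -c"$((i * 3 + 1))-$((i * 3 + 3))")
        bit=$((4 >> $i))                           # 4=SUID, 2=SGID, 1=sticky
        if [ "$i" -eq 2 ]; then lo=t up=T; else lo=s up=S; fi
        case $trip in [r-][w-]?) ;; *) echo "bad mode: $1" >&2; return 1 ;; esac
        d=0
        case $trip in r??) d=4 ;; esac
        case $trip in ?w?) d=$((d + 2)) ;; esac
        case $trip in
            ??x) d=$((d + 1)) ;;
            ??-) ;;
            ??"$lo") d=$((d + 1)); special=$((special + bit)) ;;  # special bit and x
            ??"$up") special=$((special + bit)) ;;                # special bit, no x
            *) echo "bad mode: $1" >&2; return 1 ;;
        esac
        digits=$digits$d
    done
    if [ "$special" -eq 0 ]; then echo "$digits"; else echo "$special$digits"; fi
}

# Mode strings taken from the slides, plus "drwxrwxrwt" as a constructed case.
for mode in "rwx r-x ---" "-rwsr-xr-x" "--- --s ---" "--- --- --T" "drwxrwxrwt"; do
    printf '%-12s -> %s\n' "$mode" "$(sym_to_octal "$mode")"
done
```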


6.2 SUID/SGID Case Example

1. User john wants to change his login password.

2. So he executes the command:
$ /usr/bin/passwd joni

3. The passwd command above will change the password stored in /etc/shadow.

4. But wait! User john can't modify /etc/shadow. Take a look at the permissions:
$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1118 2009-09-24 11:48 /etc/shadow

5. john, in the position of other, has no rights at all, not even to modify the file. Only user root can do that.

6. So in order to change his password, john (and others) has to become root.

7. This is accomplished by giving the SUID right to the executable file passwd:
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 29104 2008-04-03 08:08 /usr/bin/passwd
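
Added example, not part of the original slides: because a SUID file such as passwd runs with its owner's rights, administrators keep an inventory of set-ID files and review anything new. The sketch below lists SUID/SGID files under a directory and reports those missing from a baseline list; the helper names, file names and the baseline file are hypothetical, and it runs against a constructed scratch tree rather than system directories.

```sh
#!/bin/sh
# Added example: inventory set-ID files and diff them against a baseline.
# list_setid, unexpected_setid and make_demo_tree are hypothetical names.

# Print every regular file under DIR that has SUID (4000) or SGID (2000) set.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Print set-ID files under DIR that are not listed (one path per line)
# in the BASELINE file. Always returns 0, even when nothing is reported.
unexpected_setid() {
    list_setid "$1" | grep -vxF -f "$2" || :
}

# Build a constructed tree to run against; nothing here touches system files.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    : > "$d/passwd-like"; chmod 4755 "$d/passwd-like"   # SUID, like /usr/bin/passwd
    : > "$d/report";      chmod 0755 "$d/report"        # plain executable
    : > "$d/newtool";     chmod 4755 "$d/newtool"       # SUID, not in the baseline
    printf '%s\n' "$d/passwd-like" > "$d/baseline.txt"
    echo "$d"
}

demo=$(make_demo_tree)
echo "set-ID files:"
list_setid "$demo"
echo "not in the baseline:"
unexpected_setid "$demo" "$demo/baseline.txt"
rm -rf "$demo"
```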


6.3 Lab

1. Enter your home directory ($ cd)

2. Create an empty file “lab3” ($ touch lab3)

3. Check the permissions of the file

4. Add SUID right at the file

5. Add SGID right at the file

6. Remove SUID and SGID rights from the file

7. Add Sticky Bit permission at the file


7.0 User Mask (Umask)

Create three files with touch, and check the permissions:

$ touch file1 file2 file3

$ ls -l file1 file2 file3
-rw-r--r-- 1 john scientists 0 2009-09-27 21:38 file1
-rw-r--r-- 1 john scientists 0 2009-09-27 21:38 file2
-rw-r--r-- 1 john scientists 0 2009-09-27 21:38 file3

Create three directories with mkdir, and check the permissions:

$ mkdir dir1 dir2 dir3

$ ls -ld dir1 dir2 dir3
drwxr-xr-x 2 john scientists 4096 2009-09-27 21:43 dir1
drwxr-xr-x 2 john scientists 4096 2009-09-27 21:43 dir2
drwxr-xr-x 2 john scientists 4096 2009-09-27 21:43 dir3

From above we can see that the default permission for a file is 644, and for a directory is 755.


7.1 Change Umask

The default permission is determined by the value of user mask (umask):

$ umask
0022

For file: 666 - 22 = 644

For directory: 777 - 22 = 755

Change the value of user mask (umask):

$ umask 33

For file: 666 - 33 = 633

For directory: 777 - 33 = 744

The change above is temporary; when the computer restarts it will change back to 0022. If we want to change it permanently, define the umask value inside /etc/profile.
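
Added example, not part of the original slides: the kernel applies the mask by clearing bits (base & ~umask) rather than by decimal subtraction. The two agree for umask 022, but under umask 33 a new file comes out as 644 (rw-r--r--), because the mask's x bit has nothing to remove from the base mode 666. The helper names mode_after_umask and created_mode are hypothetical.

```sh
#!/bin/sh
# Added example: how the umask shapes the mode of newly created files.
# mode_after_umask and created_mode are hypothetical helper names.

# Arithmetic model: keep the requested bits that the mask does not name,
# i.e. BASE & ~MASK (both arguments are octal digits, e.g. 666 and 33).
mode_after_umask() {
    printf '%o\n' "$(( 0$1 & ~0$2 ))"
}

# Ground truth: create a file or directory under MASK inside a scratch
# directory and print the first ten characters of its ls -l mode string.
created_mode() (
    dir=$(mktemp -d) || exit 1
    umask "$1"
    if [ "$2" = dir ]; then mkdir "$dir/probe"; else : > "$dir/probe"; fi
    ls -ld "$dir/probe" | cut -c1-10
    rm -rf "$dir"
)

# The two mask values used on the slide.
for mask in 022 033; do
    printf 'umask %s: file %s (%s), directory %s (%s)\n' "$mask" \
        "$(mode_after_umask 666 "$mask")" "$(created_mode "$mask" file)" \
        "$(mode_after_umask 777 "$mask")" "$(created_mode "$mask" dir)"
done
```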


7.2 Lab

1. Go to your home directory ($ cd)

2. Check the current umask value

3. Change the umask value to 54

4. Create some files and check the permissions

5. Create some directories and check the permissions

6. Change back the umask value to 22

7. Find the umask setting inside /etc/profile
