unix1_02
TRANSCRIPT
Exploring the UNIX/Linux File Systems and File Security
Understanding UNIX/Linux File Systems
• File: basic component for data storage
• File system: UNIX/Linux system’s way of organizing files on storage devices– Physical file system: section of the hard disk that
has been formatted to hold files
• UNIX/Linux consist of multiple file systems that form virtual storage space for multiple users
• UNIX/Linux systems support many file systems– Examples: UNIX file system (ufs), extended file
system (ext or ext fs)
Understanding UNIX/Linux File Systems (continued)
• ufs: original native UNIX file system– Expandable, supports large amounts of storage,
provides excellent security, reliable– Supports journaling– Supports hot fixes
• In Linux, the native file system is ext– Installed by default– Modeled after ufs
• First version contained some bugs
– Newer versions of Linux use ext2, ext3, or ext4• ext4 enables the use of extents
• Every file has a filename. The maximum length of a filename varies with the type of filesystem; Linux supports several types of filesystems. Although most of today's filesystems allow you to create files with names up to 255 characters long, some filesystems restrict you to shorter names.
• The root directory is always named / (slash) and referred to by this single character.
• You can use uppercase and/or lowercase letters within filenames. Linux is case sensitive, so files named JANUARY, January, and january represent three distinct files.
• you must quote the SPACE on the command line by preceding it with a backslash or by placing quotation marks on either side of the filename.
$ lpr my\ file
$ lpr "my file"
Filename with extension Meaning of extension
compute.c A C programming language source file
compute.o The object code for the program
compute The same program as an executable file
memo.0410.txt A text file
memo.pdf A PDF file; view with xpdf under a GUI
memo.ps A PostScript file; view with gs under a GUI
memo.Z A file compressed with compress; use uncompress or gunzip to decompress
memo.tgz or memo.tar.gz A tar archive of files compressed with gzip
memo.gz A file compressed with gzip; view with zcat or decompress with gunzip
memo.bz2 A file compressed with bzip2; view with bzcat or decompress with bunzip2
memo.html A file meant to be viewed using a Web browser, such as Firefox
photo.gif, photo.jpg, photo.jpeg, photo.bmp, photo.tif, or photo.tiff
A file containing graphical information, such as a picture
Understanding the Standard Tree Structure
• The treelike structure for UNIX/Linux file systems starts at the root file system level– Root is denoted by /
• Slash represents the root file system directory
• Directory: special kind of file that can contain other files and directories– May have subdirectories
• Subdirectory is considered child of parent directory
• The hierarchical filesystem frequently takes the shape of a pyramid
Using UNIX/Linux Partitions
• Partition: section of disk that holds a file system– UNIX/Linux partitions identified with names
• Examples: hda1, sda1
– First two letters tell Linux the device type
– Third letter indicates if disk is the primary or secondary disk
– Partitions on a disk are numbered starting with 1
• Peripherals connect through electronic interfaces– Examples of hard disk interfaces: IDE, SCSI, EIDE
Setting Up Hard Disk Partitions
• Partition to organize space to contain file systems
• Some UNIX/Linux vendors recommend that: – Root partition holds the root file system directory– Swap partition acts like an extension of memory
• General rule: same size as RAM
• A swap partition enables virtual memory
– /boot partition to store OS kernel files
• Other partitions:– /usr (for utilities), /home, /var
• Mount partition to become part of file system
Using Inodes
• Information nodes, or inodes– Each directory/file has an inode and is identified by
an inode number• Inode 0 contains the root of the directory structure (/)
– Jumping-off point for all other inodes
– Contains file/directory name, general information, pointer to the directory/file on a disk partition
• Superblock contains information about the layout of blocks on a specific partition
Exploring the Root Hierarchy
• The root (/) file system is mounted by the kernel when the system starts– To mount a file system is to connect it to the
directory tree structure• System administrator uses mount command
– Root file system contains all essential programs for file system repair
• Restoring from a backup
• Starting the system
• Initializing all devices and operating resources
• Information for mounting other file systems
The /bin Directory
• Contains binaries, or executables– Programs needed to start the system and perform
other essential system tasks
• Holds many programs that all users need to work with UNIX/Linux
The /boot Directory
• Normally contains:– Files needed by the bootstrap loader
• The bootstrap loader is the utility that starts the OS
– Kernel (OS) images
The /dev Directory
• Files in /dev reference system devices• Devices are managed through device special files
– Contain information about I/O devices that are used by OS kernel when a device is accessed
– Two types:• Block special files
– Example: for CD/DVD drives• Character special files
– Example: for printers
– To see the list of device files: ls -l /dev– null is a “black hole”
The /etc Directory
• Contains configuration files that the system uses when the computer starts– fstab– group– inittab– login.defs– motd– passwd– printcap and termcap– profile, bashrc and rc
The /home Directory
• Often located on the /home partition
• Used to offer disk space for users, such as on a system that has multiple user accounts– Examples:
• /home/jean
• /home/tricia
• /home/joseph
The /lib Directory
• /lib houses:– Kernel modules
– Security information
– Shared library images• Used by programmers to share code rather than
creating copies in their programs
• Many files in this directory are symbolic links to other library files– Symbolic link: name, file name, or directory name
that contains a pointer to a file/directory in the same directory or in another directory on your system
The /mnt Directory
• Mount points for temporary mounts by the system administrator reside in /mnt– A temporary mount is used to mount a removable
storage medium• Example: CD/DVD or USB/flash storage
• /mnt is often divided into subdirectories to clearly specify device types– Example: /mnt/cdrom
The /media Directory
• In newer distributions of UNIX/Linux, mount points for removable storage are in /media– Relatively new recommendation of the Filesystem
Hierarchy Standard (FHS)
• Modern Linux distributions include both /mnt and /media directories– Users and programmers are often encouraged to
use /media
The /proc Directory
• /proc occupies no space on the disk– Virtual file system allocated in memory only
• Files in /proc refer to various processes running on the system as well as details about the OS kernel
The /root Directory
• Home directory for the root user– The system administrator
The /sbin Directory
• Reserved for the system administrator
• Stores:– Programs that start the system– Programs needed for file system repair– Essential network programs
The /tmp Directory
• Many programs need a temporary place to store data during processing cycles– The traditional location for these files is /tmp
The /usr Directory
• Houses software offered to users– Software might be:
• Accounting programs
• Manufacturing programs
• Programs for research applications
• Office software
• Frequently located on the /usr partition
The /var Directory
• Located on the /var partition
• Holds subdirectories that often change in size – These subdirectories contain files such as error logs
and other system performance logs– Common subdirectories are:
• /var/spool/mail for incoming mail
• /var/spool/lpd for temporarily holding print files
Using the mount Command
• Use mount to connect the file system partitions to the directory tree when the system starts
• Example:mount -t iso9660 /dev/cdrom /media/cdrom
• Use umount before removing the storage mediaumount /media/cdrom
Using Paths, Pathnames, and Prompts
• Files are stored in directories in the file system, starting from the root file system directory
• To specify a file or directory, use its pathname– Follows the branches of the file system to the
desired file
• A forward slash (/) separates each directory name– Example: /home/jean/source/phones.502
• An absolute pathname always starts with a slash (/), the name of the root directory
• In another form of absolute pathname, the shell expands the characters ~/ (a tilde followed by a slash) at the start of a pathname into the pathname of your home directory. Using this shortcut, you can display your .bashrc startup file with the following command, no matter which directory is your working directory:
$ less ~/.bashrc
• A relative pathname traces a path from the working directory to a file. The pathname is relative to the working directory. Any pathname that does not begin with the root directory (/) or a tilde (~) is a relative pathname
Using and Configuring Your Command-Line Prompt
~ is shorthand for the home directory
The pwd Command
• pwd prints the working directory
• Useful for regular users, system administrators, and in scripts
• When you first log in on a Linux system or start a terminal emulator window, your working directory is your home directory. To display the pathname of your home directory, use pwd just after you log in.
• Startup files, which appear in your home directory, give the shell and other programs information about you and your preferences.
• The working directory is not the same as your home directory. Your home directory remains the same for the duration of your session and usually from session to session. Immediately after you log in, you are always working in the same directory: your home directory.
Navigating the File System
• cd stands for change directory
• Provide an absolute or relative path to the directory– Absolute path: begins at the root level and lists all
subdirectories to the destination file• Example: cd /home/jean/source
– Relative path: takes a shorter journey• Example: cd source or cd
Using Dot and Dot Dot Addressing Techniques
• A single dot character means the current working directory
• Dot dot means the parent directory
• These addressing mechanisms are useful when navigating the file system– Example: cd ../tricia/source
• The . is synonymous with the pathname of the working directory and can be used in its place; the .. is synonymous with the pathname of the parent of the working directory.
Listing Directory Contents
• Use the ls (list) command to display a directory’s contents, including files and other directories
Appear with a dot at the beginning
ACL: Access Control List
The –F option to ls displays a slash after the name of each directory and an asterisk after each executable file (shell script,
utility, or application).
Listing Directory Contents (continued)
File or directory name (bin)
File type and access permissions: drwxr-xr-x
Number of links (2)
Owner (root)
Group (root) Size (4096 bytes)
Date and time of last modification
• type of file (first column):
hyphen (–): ordinary file
d: directory file
l: link
• access permissions for the owner, group , and other users of the file:
r: read
w: write
x: execute
-: no permission
Using Wildcards
• Wildcard: special character that can stand for any other character or a group of characters– * represents any group of characters in a file name
• Example: ls *.txt
instructions.txt minutes.txt
– ? takes the place of only a single character• Example: ls list?
list1 list2
Creating and Removing Directories
• mkdir is used to create a new directory
• Delete empty directories using rmdir
– Use rm -r to delete a directory that is not empty
• Use the –p (parents) option to mkdir to create both the parent and child directories with one command:
$ mkdir -p p/c
$ mkdir -p /home/alex/p/c
• you can use touch to create an empty file:
$ cd
$ pwd
/home/alex
$ touch letter
• The rm utility has a –r option (rm –r filename) that recursively deletes files, including directories, within a directory and also deletes the directory itself.
• Caution: Use rm –r carefully, if at all
• Although rm –r is a handy command, you must use it carefully. Do not use it with an ambiguous file reference such as *. It is frighteningly easy to wipe out your entire home directory with a single short command.
Copying and Deleting Files
• Use cp to copy files and rm to delete them
• use mv to move files from one directory to another (change the pathname of a file) as well as to change a simple filename (rename files)
mv existing-file-list directory
$ mv file1 file2 subdir • Just as it moves ordinary files from one
directory to another, so mv can move directories
mv existing-directory-list new-directory • you can rename directories using mv • you cannot copy their contents with cp unless
you use the –r option.
Configuring File Permissions for Security
• Users can set permissions for files/directories they own so as to establish security– System administrators also set permissions to
protect system and shared files
• Permissions manage who can read, write, or execute files
• Original file owner of a file is the account that created it– File ownership can be transferred to another account
Configuring File Permissions for Security (continued)
chmod: Changes Access Permissions • chmod uses three sets of permissions or three
octal numbers (one each for the owner, group, and other users)
• The owner of a file controls which users have permission to access the file and how they can access it. When you own a file, you can use the chmod (change mode) utility to change access permissions for that file. In the following example, chmod adds (+) read and write permissions (rw) for all (a) “user”, “group”, and “other” :
$ chmod a+rw filename
• You must have read permission to execute a shell script. Because a shell needs to read a shell script (a text file containing shell commands) before it can execute the commands within that script, you must have read permission for the file containing the script to execute it.
• You also need execute permission to execute a shell script directly on the command line. In contrast, binary (program) files do not need to be read; they are executed directly. You need only execute permission to run a binary (nonshell) program.
Configuring File Permissions for Security (continued)
• In addition to a (all) and o (other), you can use g (group) and u (user, although user refers to the owner of the file who may or may not be the user of the file at any given time) in the argument to chmod
• When using chmod, many people assume that the o stands for owner; it does not. The o stands for other, whereas u stands for owner (user). The acronym UGO (user-group-other) can help you remember how permissions are named
• You can also use absolute, or numeric, arguments with chmod
• Anyone who knows the root password can log in as Superuser and gain full access to all files, regardless of the file's owner or access permissions.
Configuring File Permissions for Security (continued)
• The system administrator assigns group ids when he or she adds a new user account– A group id (GID) gives a group of users equal
access to files that they all share
• Using chmod to change permissions of a file:chmod ugo+rwx myfile
chmod go-wx account_info– Or, use the octal (0~7) permission format
chmod 711 data
chmod 642 data
• Three-digit format:
read: 4
write: 2
execute: 1
Total could be 0 to 7 for each of UGO permissions
chmod 711 data
chmod u+rwx data
chmod g+x-rw data
chmod o+x-rw data
• Directory Access Permissions :
– users can read from or write to a directory; the directory cannot be executed.
– you can cd into the directory and/or examine files that you have permission to read from in the directory.
– When you have only execute permission for a directory, you can use ls to list a file in the directory if you know its name. You cannot use ls without an argument to list the entire contents of the directory.
$ who am Ijenny pts/7 Aug 21 10:02$ ls -ld /home/alex/infodrwx-----x 2 alex pubs 512 Aug 21 09:31 /home/alex/info$ ls -l /home/alex/infols: /home/alex/info: Permission denied $ ls -l /home/alex/info/financial /home/alex/info/notes-rw------- 1 alex pubs 34 Aug 21 09:31 /home/alex/info/financial-rw-r--r-- 1 alex pubs 30 Aug 21 09:32 /home/alex/info/notes$ cat /home/alex/info/notesThis is the file named notes.$ cat /home/alex/info/financialcat: /home/alex/info/financial: Permission denied Alex can give others read access to his info directory: $ chmod o+r /home/alex/info
Configuring File Permissions for Security (continued)
• Sticky bit: t (used in place of x)– Before: caused executable program to stay resident in
memory after it was exited– Now: enables file to be executed, but only the file’s
owner or root have permission to delete or rename it
• Set user id (SUID) bit: s (used in place of x)– Gives current user temporary permissions to execute
program-related files as though they are the owner
• Set group ID (SGID) bit: s (used in place of x)– Similar to SUID, but applies to groups
Setuid and Setgid Permissions • When you execute a file that has setuid (set user ID)
permission, the process executing the file takes on the privileges of the file's owner. For example, if you run a setuid program that removes all files in a directory, you can remove files in any of the file owner's directories, even if you do not normally have permission to do so.
• Executable files that are setuid and owned by root have Superuser privileges when they are run, even if they are not run by root. This type of program is very powerful because it can do anything that Superuser can do (and that the program is designed to do). Similarly executable files that are setgid and belong to the group root have extensive privileges.
• setgid (set group ID) permission means that the process executing the file takes on the privileges of the group the file is associated with.
• Because of the power they hold and their potential for destruction, it is wise to avoid indiscriminately creating and using setuid and setgid programs owned by or belonging to the group root. Because of their inherent dangers, many sites minimize the use of these programs on their systems. One necessary setuid program is passwd. Security: Minimize use of setuid and setgid programs owned by root.
• Never give shell scripts setuid permission. Several techniques for subverting them are well known. Security: Do not write setuid shell scripts.
$ ls -l program1
-rwxr-xr-x 1 alex pubs 15828 Nov 5 06:28 program1
$ chmod u+s program1
$ ls -l program1
-rwsr-xr-x 1 alex pubs 15828 Nov 5 06:28 program1
$ chmod g+s program1
$ ls -l program1
-rwsr-sr-x 1 alex pubs 15828 Nov 5 06:28 program1
ACLs: Access Control Lists
• Caution: Most utilities do not preserve ACLs
• When used with the –p (preserve) or –a (archive) option, cp preserves ACLs when it copies files. Another utility that is supplied with Red Hat Linux that preserves ACLs is mv. When you use cp with the –p or –a option and it is not able to copy ACLs, and in the case where mv is unable to preserve ACLs, the utility performs the operation and issues an error message:
$ mv report /tmp
mv: preserving permissions for '/tmp/report': Operation not supported
• You can never copy ACLs to a filesystem that does not support ACLs or to a filesystem that does not have ACL support turned on.
setfacl • setfacl uses a single set of permissions or a single
octal number to represent the permissions being granted to the user or group represented by ugo and name
• The setfacl –-modify (or –m) option adds or modifies one or more rules in a file's ACL using the following format:
setfacl --modify ugo:name:permissions file-list
-name: name of the user or group that permissions are being set for; omitted when specify permissions for other users (o)
-permissions: permissions in either symbolic (rwx ) or absolute format (octal number)
$ setfacl -m u:sam:rw- report
$ setfacl --modify u:sam:6 report
• After having an ACL, the + indicated to the right of the permissions
$ls -latotal 137716
drwxr-xr-x 2 oracle oinstall 4096 2008-01-30 15:06 .
drwxr-xr-x 27 oracle oinstall 4096 2008-01-29 15:29 ..
-rw-rwxr--+ 1 oracle oinstall 1570 2008-01-30 13:22 file1
-rwxrwxrwx+ 1 oracle oinstall 8072 2008-01-30 15:06 file2
getfacl • the getfacl utility displays a file's ACL
$ getfacl report
# file: report
# owner: max
# group: max
user::rw-
user:sam:rw-
group::r--
mask::r--
other::r--• The –-omit-header (or just –-omit) option causes
getfacl not to display the header
Summary
• In UNIX/Linux, a file is the basic component for data storage
• A file system is the UNIX/Linux systems’ way of organizing files on storage devices
• The standard tree structure starts with the root (/) file system directory
• The section of the disk that holds a file system is called a partition
• A path, as defined in UNIX/Linux, serves as a map to access any file on the system
Summary (continued)
• You can customize your command prompt to display useful information
• The ls command displays the names of files and directories contained in a directory
• Wildcard characters can be used in a command and take the place of other characters in a file name
• Use mkdir to create a new directory
• Use cp to copy a source file to a destination file
• Use chmod to set permissions for files that you own
Command Summary
Command Summary (continued)