Operating systems fundamentals - B10

Transcription

1 Operating systems fundamentals - B10 David Kendall Northumbria University David Kendall (Northumbria University) Operating systems fundamentals - B10 1 / 12

2 Introduction Basics of protection and security in UNIX Users Groups Files Permissions adduser, addgroup, groups umask chmod, chown, chgrp sudo David Kendall (Northumbria University) Operating systems fundamentals - B10 2 / 12

3 UNIX users and groups Usually, in order to use a UNIX system, you need a user account on the system A user account can be created by a system administrator using the adduser command, e.g. $ sudo adduser fred will create a new user with user name fred The new user will be given a home directory containing files copied from /etc/skel a unique user id (uid), usually in the range a unique group id (gid), usually the same as the uid The details are determined by /etc/adduser.conf David Kendall (Northumbria University) Operating systems fundamentals - B10 3 / 12

4 UNIX users and groups A user can belong to more than one group You can find out which groups a user belongs to using the groups command, e.g. $ groups cgdk2 cgdk2 : cgdk2 cdrom sudo plugdev lpadmin You can add a new group like this $ addgroup nufc which will add a new group called nufc Users can be added to this group like this $ adduser cgdk2 nufc Check that the user has been added to the group $ groups cgdk2 cgdk2 : cgdk2 cdrom sudo plugdev lpadmin nufc David Kendall (Northumbria University) Operating systems fundamentals - B10 4 / 12

5 Files and permissions Any files or directories created by a user are owned by the user, i.e. associated with user s uid, and are associated with the primary group (gid) of the user, e.g. $ cat >fred.txt <<<"Hello world" $ ls -l fred.txt -rw-rw-r-- 1 cgdk2 cgdk2 12 Mar 20 07:19 fred.txt There are 9 permission bits associated with the file User (owner) Group Other rw- rw- r-- which mean that the user that owns the file can read and write it, any user in the cgdk2 group can read and write it, anyone who is not the owner and not in the cgdk2 group, i.e. an other, can only read the file David Kendall (Northumbria University) Operating systems fundamentals - B10 5 / 12

6 Files and permissions In addition to the read and write bits, there is an execute bit, e.g. -rwxrwxr-x 1 cgdk2 cgdk2 12 Mar 20 07:19 hello the x in the third bit position of each class indicates that the file is executable by members of that class, i.e. user, group and other The permissions associated with a file can be changed using the chmod command, e.g. $ chmod g-w hello -rwxr-xr-x 1 cgdk2 cgdk2 12 Mar 20 07:19 hello Notice that now only the user (owner) of the file can write it u, g and o are used to indicate the class, and + and - are used to add or take away the permission, e.g. $ chmod go-x hello -rwxr--r-- 1 cgdk2 cgdk2 12 Mar 20 07:19 hello David Kendall (Northumbria University) Operating systems fundamentals - B10 6 / 12

7 Files and permissions The permission bits have slightly different meanings for directories r - can list directory w - can create and remove files from directory x - can cd to directory By default, a command to create a file, e.g. open, requests rw-rw-rwas the permissions A command to create a directory, e.g. mkdir, requests rwxrwxrwx as the permissions The defaults can be modified with a global mask created by the umask command, e.g. $ umask 002 $ mkdir bert $ ls -ld bert drwxrwxr-x 2 cgdk2 cgdk Mar 20 08:32 bert David Kendall (Northumbria University) Operating systems fundamentals - B10 7 / 12

8 Files and permissions File permissions can also be indicated using 3 digits between 0 and 7, e.g. $ chmod 754 hello -rwxr-xr-- 1 cgdk2 cgdk2 12 Mar 20 07:19 hello The permissions are determined as follows User (owner) Group Other rwx r-x r-- Each digit corresponds with a class of user (user, group, other) and each bit in the digit corresponds with a permission (read, write, execute) A 1 bit indicates that the permission is granted, a 0 bit indicates that the permission is not granted David Kendall (Northumbria University) Operating systems fundamentals - B10 8 / 12

9 Files and permissions The owner of a file can be changed using the chown command, e.g. $ sudo chown fred hello -rw-rw-r-- 1 fred cgdk2 12 Mar 20 07:19 hello makes fred the owner of the hello file Permissions are determined in the order 1. User 2. Group and 3. Other, e.g. assume the file properties for hello are -r--rw-r-- 1 fred nufc 12 Mar 20 07:19 hello and both fred and cgdk2 are in the group nufc When logged in as fred we cannot write hello (user (owner) has no write permission and even though fred is in a group (nufc) that does have write permission, that is trumped by the lack of owner permission When logged in as cgdk2 we can write the hello (we re not the owner and we re in a group (nufc) that has write permission David Kendall (Northumbria University) Operating systems fundamentals - B10 9 / 12

10 setuid setuid set user id for execution access right bit that allows a program to run with the effective user id of the owner of the executable file (rather than with the real user id) e.g. Any user can execute /usr/bin/passwd to change their password but changing a password requires special privileges. The access rights for usr/bin/passwd are -rwsr-xr-x 1 root root May /usr/bin/passwd Notice the s in the access rights this indicates that the setuid bit is set and that the program will execute with root as its effective user id and so will have root privileges while it executes The setuid bit can be set by using four octal digits in a chmod command, e.g. $ chmod 4755 hello -rwsr-xr-x 1 cgdk2 cgdk2 12 Apr 3 06:29 hello David Kendall (Northumbria University) Operating systems fundamentals - B10 10 / 12

11 setgid setgid set group id for execution access right bit that allows a program to run with the effective group id of the group of the executable file (rather than with the real user id) e.g. we could achieve the same effect as before if the access rights for usr/bin/passwd were -rwxr-sr-x 1 root root May /usr/bin/passwd Notice the s in the group access rights this indicates that the setgid bit is set and that the program will execute with root as its effective group id and so will have root privileges while it executes The setgid bit can be set by using four octal digits in a chmod command, e.g. $ chmod 2755 hello -rwxr-sr-x 1 cgdk2 cgdk2 12 Apr 3 06:29 hello David Kendall (Northumbria University) Operating systems fundamentals - B10 11 / 12

12 setgid and directories Setting the setgid bit on a directory behaves differently from setting it on a regular file. It causes new files and directories created within the directory to inherit the directory s group id, rather than acquiring the group id of the user who created those new files and directories, e.g. $ mkdir www-data $ chmod 2755 www-data $ sudo chgrp nufc www-data $ ls -l www-data drwxr-sr-x 2 cgdk2 nufc 4096 Apr 3 07:17 www-data $ cat >www-data/hello <<<"Hello world" $ ls -l www-data/hello -rw-rw-r-- 1 cgdk2 nufc 12 Apr 3 07:17 www-data/hello David Kendall (Northumbria University) Operating systems fundamentals - B10 12 / 12