101 4.5 manage file permissions and ownership v3

Date post: 18-Jul-2015
Upload: acacio-oliveira
Core Linux for Red Hat and Fedora learning under GNU Free Documentation License - Copyleft (c) Acácio Oliveira 2012 Everyone is permitted to copy and distribute verbatim copies of this license document, changing is allowed Linux Essenciais and System Administration


Key Knowledge Areas

Manage access permissions on regular and special files as well as directories. Use access modes such as suid, sgid and the sticky bit to maintain security. Know how to change the file creation mask. Use the group field to grant file access to group members.

Devices, Linux Filesystems, Filesystem Hierarchy Standard

Manage file permissions and ownership

Terms and Utilities

chmod, umask, chown, chgrp

2


Manage file permissions and ownership

Permissions

3

Permissions are for Superuser, User and group


Manage file permissions and ownership

Security levels

4


Manage file permissions and ownership

configuring files

5

• User information is stored in two files: /etc/passwd and /etc/shadow
• Group information is stored in one file: /etc/group

/etc/passwd: list of user records, one per line, with columns separated by colons.
Format: login:x:userid:groupid:gecos:homedir:shell
Ex: root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash


Manage file permissions and ownership

configuring files

6

/etc/shadow: similar to passwd, a colon-separated-column list of records.
Format: login:password:password aging fields
The aging fields track dates for password resets, locks, etc.
Ex: root:pB8msP1fCbCqc:13904:0:99999:7:::
nisburgh:vRoPw6a/jQsp.:14466:0:99999:7:::

/etc/group: the same colon-separated-column list-of-records format.
Format: groupname:grouppassword:groupid:secondarymembers
Group passwords allow temporary access to a group; they are rarely used and not set up by default.
Ex: daemon:x:2:root,bin,daemon
apache:x:48:jack,nisburgh
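The passwd and group formats above, exercised by an added example in POSIX shell that is not part of the original slides: the records are constructed samples in the same layout, and the functions resolve, from the groupid field of passwd and the secondarymembers field of group, which logins a group actually covers and which groups a login belongs to.

```shell
#!/bin/sh
# Constructed sample records in the /etc/passwd and /etc/group formats
# described on the slides; not taken from any real system.
PASSWD='root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
nisburgh:x:500:500:Nisburgh:/home/nisburgh:/bin/bash
jack:x:501:48:Jack:/home/jack:/bin/bash'
GROUP='root:x:0:
daemon:x:2:root,bin,daemon
apache:x:48:jack,nisburgh
users:x:500:'

# Print the groupid (4th passwd field) of LOGIN, or nothing if unknown.
primary_gid() {
    printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }'
}

# Print the group name whose groupid (3rd group field) equals GID.
group_name() {
    printf '%s\n' "$GROUP" | awk -F: -v g="$1" '$3 == g { print $1 }'
}

# group_members GROUPNAME: every login that belongs to the group, either
# because it is the login's primary group in passwd or because it is listed
# in the secondarymembers field of the group record. One per line, sorted,
# duplicates removed (jack below is in apache both ways). Fails if the
# group does not exist.
group_members() {
    gid=$(printf '%s\n' "$GROUP" | awk -F: -v g="$1" '$1 == g { print $3 }')
    [ -n "$gid" ] || return 1
    {
        printf '%s\n' "$PASSWD" | awk -F: -v g="$gid" '$4 == g { print $1 }'
        printf '%s\n' "$GROUP" | awk -F: -v g="$1" \
            '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
    } | sort -u
}

# user_groups LOGIN: primary group first, then each secondary group, space
# separated. The primary group is not repeated as a secondary group.
user_groups() {
    primary=$(group_name "$(primary_gid "$1")")
    secondary=$(printf '%s\n' "$GROUP" | awk -F: -v u="$1" -v p="$primary" \
        '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u && $1 != p) print $1 }')
    printf '%s' "$primary"
    for g in $secondary; do printf ' %s' "$g"; done
    printf '\n'
}
```

Run `group_members apache` to see who a file owned by group apache is actually shared with, and `user_groups nisburgh` to see every group a login can act under.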


Manage file permissions and ownership

manage files with management commands

7

While it is possible to edit /etc/passwd, /etc/shadow and /etc/group directly, it is easier and safer to use the management commands to create, modify and delete users and groups: useradd, usermod, userdel, groupadd, groupmod, groupdel.

useradd: add a new user to the system. Accepts various arguments to control the settings on the user account. The most common are -g to specify the primary group of the user, and -G to list secondary group memberships.
Ex: useradd lisa
useradd -g clowns -G trouble,simpson bart

usermod: modify a user's settings. Ex: usermod -G detention bart

userdel: remove a user from the system. The main option is -r, which tells userdel to remove the user's home and spool directories. Ex: userdel moe


Manage file permissions and ownership

Passwords

8

passwd: change login password.
• Root can change the password for any user on the system
• Root can set up password aging, allowing for timed password resets and account disabling
• passwd is the preferred way to lock a user account. Ex: passwd -l mary

Password aging
• To set the maximum lifetime for a user's password: passwd -x days login
• When a user's password has expired, the number of days it can remain expired before the account is disabled completely can be set with: passwd -i days login


Manage file permissions and ownership

Permissions

9

Linux supports 3 main types of access on a file:
1. read: view the contents
2. write: modify the contents and metadata
3. execute: run the contents

Actually, the meaning differs for files and directories:

            Files                          Directories
Read        View the contents              List contents
Write       Change the contents/metadata   Create/delete entries, change metadata
Execute     Run the contents               Operate with the directory as CWD

Combining these permissions gives the most common access levels: read only; read/write; execute; etc.


Manage file permissions and ownership

Ownership and Permissions

10

All files are associated with one user and one group (ownership). This is the foundation of the main security infrastructure in Linux (Unix).

When a process attempts an operation on a file, the user and group of the process (every process is associated with one user and one group) are compared with the user and group of the file, and that comparison determines what level of permission is granted or denied on the file.

Every file has 3 levels of permissions:
• User
• Group
• Other

When a process seeks access, the process user is compared to the file user: if they match, the process gets the User permissions. Otherwise the group is compared next, and if that does not match either, the Other level applies.

All permission information is summarized with 9 characters: rwxrwxrwx

The presence of the letter indicates the permission is granted; a hyphen in its place indicates the permission is denied. Read only: r--r--r--
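The user, group, other comparison described above, as an added example in POSIX shell that is not from the original slides: given a 9-character mode string and the owner and group of the file and of the process, it returns the triplet that applies and answers read, write and execute questions from it. The user and group names are constructed sample values, and the superuser's override of these checks is outside what the function models.

```shell
#!/bin/sh
# effective_perms MODE OWNER GROUP USER USERGROUP
#   MODE  is the 9-character rwxrwxrwx string (as shown by ls -l, without
#         the leading file-type character); OWNER and GROUP are the file's
#         owner and group; USER and USERGROUP are the user and group of the
#         process seeking access.
# Prints the triplet that applies, in the order the slide gives: the first
# matching class wins, so an owner never falls through to the group or
# other triplet even when those are more permissive.
effective_perms() {
    mode=$1 owner=$2 group=$3 user=$4 ugroup=$5
    if [ "${#mode}" -ne 9 ]; then
        echo "effective_perms: mode must be 9 characters, got '$mode'" >&2
        return 2
    fi
    if [ "$user" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c1-3     # User triplet
    elif [ "$ugroup" = "$group" ]; then
        printf '%s\n' "$mode" | cut -c4-6     # Group triplet
    else
        printf '%s\n' "$mode" | cut -c7-9     # Other triplet
    fi
}

# can ACTION MODE OWNER GROUP USER USERGROUP
#   ACTION is read, write or execute. Exit status 0 when the action is
#   granted by the applicable triplet, 1 when denied, 2 on bad input.
can() {
    action=$1; shift
    triplet=$(effective_perms "$@") || return 2
    case $action in
        read)    [ "${triplet%??}" = r ] ;;            # first character
        write)   t=${triplet#?}; [ "${t%?}" = w ] ;;   # middle character
        execute) [ "${triplet#??}" = x ] ;;            # last character
        *)       echo "can: unknown action '$action'" >&2; return 2 ;;
    esac
}

# Sample: a file owned by root:wheel with mode rwxr-x--- seen by jack,
# whose process group is wheel. Read and execute come from the group
# triplet; write is denied; a user outside wheel gets the other triplet.
# can read rwxr-x--- root wheel jack wheel     -> exit 0
# can write rwxr-x--- root wheel jack wheel    -> exit 1
```

The mode `---rwxrwx` with the owner as the requesting user is the case worth remembering: the owner matches first and gets `---`, even though the group and other triplets would have allowed everything.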


Manage file permissions and ownership

Directory and File permissions

11


Manage file permissions and ownership

groups

12


Manage file permissions and ownership

chown

13


Manage file permissions and ownership

chgrp

14


Manage file permissions and ownership

chmod

15


Manage file permissions and ownership

chmod

16


Manage file permissions and ownership

chmod symbolic codes

17


Manage file permissions and ownership

chmod octal commands

18


Manage file permissions and ownership

umask

19


Manage file permissions and ownership

Permissions – /etc/passwd

20


End of session

21

