Security and File Permissions

This document discusses UNIX file permissions and groups. It explains how to use groups to allow sharing of files among users working on a project. The key permission concepts covered include read, write, and execute permissions for users, groups, and others. It also discusses the /etc/passwd and /etc/shadow files, permission codes, and commands like chmod, chgrp, and groups.

Uploaded by

PRASANTH
Security and File Permission

Chapter 4
Getting Information - Some Further Notes
We have looked at the man command for showing documentation about a command.
Often further information is available with
    info <command>
If you have no idea what command is to be used, try the following:
    apropos <keyword>
or (equivalently)
    man -k <keyword>
This will list all commands that have the keyword in their documentation.
Note: Don't put < > around the keyword or command.
Users and Groups
Use of Groups
Suppose a group of people are working on a project and they wish to share files (i.e. allow anyone in the group to read, write, or execute the files), but they don't want anyone outside of the group doing these things.
UNIX allows a collection of user names or ids to be specified as part of a group.
Permissions for access to files or directories can be granted or denied to the user (owner), a group, or the world (other).
Every user belongs to one primary group (often a group of their own name), but can also be part of many other groups (called secondary groups).
Using Groups
The wheel group is the group of individuals that can use su to become a superuser.
A superuser can create the name for a new group with
    # groupadd mydemo
This is recorded in the /etc/group file.
(Slide screenshot: a directory listing with the group name for the directory pointed out.)
Using Groups - chgrp on a File
(Slide screenshot: after the chgrp, any mydemo group member can read and execute in the directory shown earlier.)
The groups Command
UNIX provides a command, groups, to determine a user's groups. (Note the 's' at the end.)
groups with no user id responds with your groups.
groups with a user id responds with the groups for that user id.
Security Levels
There are three levels of security: system, directory, and file.
System security is controlled by a superuser.
Directory and file security are controlled by the users who own them.
System Security
System security controls who is allowed to access the system.
When the system administrator opens an account for you, (s)he creates an entry in the system password file, /etc/passwd.
You can look at this file, but only a superuser can change it.
Passwords are encrypted and don't really appear in the file. In our file, you'll see an x in that position.
The /etc/passwd File on cs.hiram.edu
(Slide screenshot of the file.)
Fields in the /etc/passwd File
1) Username
2) x - If the shadow file is not used for passwords, this would be the encrypted password.
3) User id (UID)
4) Primary group id
5) Personal information, if you wish to use the field. I don't recommend this.
6) Home directory
7) Default shell
Locating More Info About Your Account
1) Username
2) L = locked, NP = no password, P = usable password
3) Date of last change
4) Number of days until it can be changed again
5) Maximum time until it must be changed
6) Warning period
7) Inactivity period - i.e. still on
Only a Superuser Can Access the Shadow File
The shadow file contains sensitive information such as the encrypted form of the password.
Although the encrypted password can be cracked, it is not easy.
Moreover, the hacker must access the shadow file to do this.

The Shadow File
(Slide screenshot taken at a superuser prompt; the encrypted password is shown with its center removed for security purposes.)
Fields in the Shadow File
1) Username
2) Encrypted password
3) Days since Jan 1, 1970 on which the password was changed
4) Minimum days before the password can be changed
5) Days after which the password must be changed
6) Days before a warning is sent that the password will expire
7) Days after the expiration date that the account will be disabled
8) The expiration date from (7), given as days since Jan 1, 1970.
Note: man passwd shows how the superuser can set these values.
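An added example (Python, not from the slides) that parses /etc/passwd and /etc/shadow records using the field numbering of the two slides above. The sample lines and hash strings are constructed placeholders; the checks flag what the slides warn about: a hash left in the world-readable passwd file, a second UID 0 account, and locked, passwordless or expired entries in shadow.

```python
# Added example (not from the slides): parse /etc/passwd and /etc/shadow
# records field by field and flag the entries an administrator looks for.
from datetime import date, timedelta

# Constructed sample lines; the hash values are placeholders, not real hashes.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
legacy:$1$abc$OLDHASH:1002:1002::/home/legacy:/bin/sh
bob:x:0:1003::/home/bob:/bin/bash"""
SHADOW_SAMPLE = """root:$6$saltsalt$HASHREDACTED:19000:0:99999:7:::
alice:!$6$saltsalt$HASHREDACTED:19000:0:90:7:30::
legacy::18000:0:99999:7:::"""

# passwd fields 1-7 from the slide; shadow fields 1-8 plus a reserved 9th field
PASSWD_FIELDS = ["user", "password", "uid", "gid", "gecos", "home", "shell"]
SHADOW_FIELDS = ["user", "hash", "changed", "min", "max", "warn",
                 "inactive", "expire", "reserved"]

def parse_records(text, names):
    """Split colon-separated lines into dicts keyed by the field names above."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(names):
            raise ValueError("unexpected field count: %r" % line)
        rows.append(dict(zip(names, parts)))
    return rows

def passwd_findings(rows):
    """Flag UID 0 accounts other than root, and hashes left in world-readable passwd."""
    out = []
    for r in rows:
        if r["uid"] == "0" and r["user"] != "root":
            out.append((r["user"], "uid 0"))
        if r["password"] not in ("x", "*"):
            out.append((r["user"], "hash in passwd"))
    return out

def shadow_status(r, today_days):
    """empty / locked / expired / ok from fields 2, 3 and 5; today_days counts from 1970-01-01."""
    h = r["hash"]
    if h == "":
        return "empty"                   # no password set at all
    if h.startswith(("!", "*")):
        return "locked"                  # prefixed so it can never match a login
    if r["max"] and int(r["max"]) < 99999 and today_days > int(r["changed"]) + int(r["max"]):
        return "expired"
    return "ok"

def to_date(days):
    """Render a days-since-epoch field (3 or 8 on the slide) as a calendar date."""
    return date(1970, 1, 1) + timedelta(days=days)
```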
Permission Codes
Both the directory and file security levels use a set of permission codes to determine who can access and manipulate a directory or file.
Directory Level Permissions
Read Permission (only if there is execute permission also)
- Can read the directory.
- Can display the names and their attributes with the list command.
Write Permission
- Can add or delete entries in the directory.
- Can copy and move files from another directory.
- Can delete a file from the directory.
Execute Permission (search permission)
- Can reference a directory.
- Can move to the directory using the cd command.
File Level Permissions
Read Permission
- Can read or copy the file.
Write Permission
- The file can be modified and deleted.
Execute Permission
- Can execute (run) programs, utilities, and scripts.
- If you have a program in a Web page, it needs to have its execute permission set for all levels.
- Executing a text file can cause funny things to happen.
Use ls -l To See Permissions on Files
1) Initial - is a regular file; initial d is a directory
2) Left to right: User, Group, Other permissions
3) Number of hard links
4) Username followed by group name
5) Size in bytes
6) Date last modified
7) Name of file
ls -la Lists Hidden Files Also
Remember
Independent of the settings, a superuser can read, write, and execute any file on the system.
If you have root privilege (what a superuser has), you must be very, very cautious, as there are no checks on what you can do.
If you are generating a system, you are asked to set the root password.
That should be done very carefully, and be sure to remember it!!
If you are a regular user and you forget your password, a superuser can change it to something else so you can access the system.
A superuser can change the root password, but only if they know it and can become a superuser!
The chmod Command
To change the permissions we use the chmod command.
Changing Permissions
Symbolic chmod Codes
u  user    g  group    o  others    a  all
=    to change all permissions in a set
+/-  to add/remove one or two permissions in a set
Example, for file memo.doc:
User: set to r, w, and x.
Group: add w.
Others: remove w.
Thinking of the Permission Codes as Octal Numbers
Recall that an octal number is a base 8 number:
0, 1, 2, 3, 4, 5, 6, 7, 10₈, 11₈, ..., 17₈, 100₈, ...
Recall, also, that an octal number can be converted to a binary number by converting each octal digit to a three-bit binary triplet:
753₈ = 111 101 011₂
The permission codes are really bit settings where 0 means not granted and 1 means granted.
So, using the ordering rwx for each of u, g, and o, the octal number 753 can be interpreted as
- u has rwx permission
- g has r and x permission
- o has w and x permission.
Examples
777 means
- All permissions to everyone (111 111 111)
302 means
- user has write and execute permission (011 000 010)
- group has none
- everyone else has write permission only
(Note: this is a rather strange setting)
Octal chmod Commands
All the permission codes are changed when a 3 digit octal setting is specified.
A Difference Between Symbolic and Octal Settings
With symbolic settings, you can provide just some of the settings and the others are untouched - for example, only for the user:
    chmod u+r myfile
With octal settings, you must provide settings for each of u, g, and o - for example,
    chmod 541 mine
sets u to rx, g to r, and o to x.
You can check the current settings by using the ls command.
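The octal and symbolic interpretations covered on the last few slides, worked through as an added example (Python, not from the slides): apply_chmod applies a chmod argument to a mode value and to_rwx renders the result the way ls -l does. A clause with no u/g/o letter is treated as "a" here; real chmod also consults the umask in that case, which this simplification skips.

```python
# Added example (not from the slides): apply octal and symbolic chmod arguments
# to a mode value and render the result the way ls -l shows it. Pure integer
# arithmetic; nothing on disk is touched.
import re

WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007}     # which triplet a letter selects
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}    # which bit within every triplet

def to_rwx(mode):
    """Nine permission bits as ls -l prints them, e.g. 0o753 -> 'rwxr-x-wx'."""
    out = ""
    for shift in (6, 3, 0):                # u, g, o triplets, left to right
        trip = (mode >> shift) & 0o7
        out += ("r" if trip & 4 else "-") + ("w" if trip & 2 else "-") + ("x" if trip & 1 else "-")
    return out

def apply_chmod(mode, spec):
    """Apply a chmod argument: '541' replaces all nine bits, 'u=rwx,g+w,o-w' edits sets."""
    if re.fullmatch(r"[0-7]{3}", spec):
        return int(spec, 8)                # octal: u, g and o are all replaced
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]*)([=+-])([rwx]*)", clause)
        if not m:
            raise ValueError("bad symbolic mode: %r" % clause)
        who, op, perms = m.groups()
        who_mask = 0
        for w in who or "a":               # no letter means all (simplification: umask ignored)
            who_mask |= 0o777 if w == "a" else WHO_BITS[w]
        perm_mask = 0
        for p in perms:
            perm_mask |= PERM_BITS[p]
        bits = who_mask & perm_mask
        if op == "=":
            mode = (mode & ~who_mask) | bits   # replace the whole selected set(s)
        elif op == "+":
            mode |= bits
        else:
            mode &= ~bits
    return mode & 0o777

if __name__ == "__main__":
    # memo.doc example from the slides: user set to rwx, group add w, others remove w
    m = apply_chmod(0o644, "u=rwx,g+w,o-w")
    print(f"{m:03o}", to_rwx(m))           # 764 rwxrw-r--
```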
Options for chmod
There is only one - Recursion (-R).
Be VERY careful when using this.
1) Use only with symbolic settings so you don't change all permissions for files and directories.
2) Be positive you know what your current directory is, or you may wreak havoc with your permissions!
Default Permissions
How are permissions set when a file or directory is created?
When your account is created, the system administrator defines a mask for you.
A mask is a 3 digit octal number that specifies which permissions are to be removed from the default when a file or directory is created.
Later, when we see how to create our own login file, you will be able to set your own mask.
The default permissions at the time of creation are often
777 for a directory (open to all)
and 666 for a file (i.e. everyone can read and write, but not execute).
We changed these by providing masks.
We use:
- 022 for directories - giving us 755 for permissions
- 133 for files - giving us 644 for permissions
Masks
mask                     directory permission    file permission
000 (Public)             777 (rwx rwx rwx)       666 (rw- rw- rw-)
011 (Public)             766 (rwx rw- rw-)       666 (rw- rw- rw-)
022 (Write protected)    755 (rwx r-x r-x)       644 (rw- r-- r--)
007 (Project private)    770 (rwx rwx ---)       660 (rw- rw- ---)
077 (Private)            700 (rwx --- ---)       600 (rw- --- ---)
The umask Command
To display the current user mask settings, use the umask command with no argument.
To set it, use the command with the new mask setting.
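The mask arithmetic behind the Default Permissions and Masks slides, as an added example (Python, not from the slides): mask_table regenerates the table rows from the 777/666 defaults, and group_or_world_writable is the check to run on a result. Note that the single mask 022 already yields 644 for a file, since the execute bits it leaves alone are not in the 666 default.

```python
# Added example (not from the slides): how a umask turns the creation defaults
# (777 for a directory, 666 for a file) into the permissions a new object
# actually gets. Pure integer arithmetic; nothing is created on disk.
DIR_DEFAULT, FILE_DEFAULT = 0o777, 0o666
RWX = ["---", "--x", "-w-", "-wx", "r--", "r-x", "rw-", "rwx"]   # indexed by a 3-bit value

def apply_umask(default, mask):
    """Every bit set in the mask is removed from the default: mode = default & ~mask."""
    return default & ~mask & 0o777

def rwx_triplets(mode):
    """'rwx r-x r-x' style rendering, as in the slide's mask table."""
    return " ".join(RWX[(mode >> s) & 7] for s in (6, 3, 0))

def mask_table(masks):
    """Rows of (mask, directory permission, file permission) as 3-digit octal strings."""
    return [(f"{m:03o}",
             f"{apply_umask(DIR_DEFAULT, m):03o}",
             f"{apply_umask(FILE_DEFAULT, m):03o}") for m in masks]

def group_or_world_writable(mode):
    """The check an auditor makes on the result: can group or others write?"""
    return bool(mode & 0o022)

if __name__ == "__main__":
    for mask, d, f in mask_table([0o000, 0o011, 0o022, 0o007, 0o077]):
        print(mask, d, rwx_triplets(int(d, 8)), f, rwx_triplets(int(f, 8)))
```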
The chown Command
Only the current owner or a superuser may change the ownership.
The new owner is a login name or a user id.
The group is optional. The group is a group name or a group id.
The chgrp Command
To change the group without changing the owner, you use the change group (chgrp) command.