author | Alan Hicks <alan@lizella.net> | 2010-05-01 14:17:18 -0400 |
---|---|---|
committer | Alan Hicks <alan@lizella.net> | 2010-05-01 14:17:18 -0400 |
commit | dbca998ce52d78ce5e525e0d799adc83d580f66a (patch) | |
tree | c2a5ee10d4e488f77354f12e4c76a64615b94890 /chapter_09.xml | |
parent | 8ec49bb2c5d0fd2d3ee8dd519e783002f3c8f9ec (diff) | |
download | slackbook-dbca998ce52d78ce5e525e0d799adc83d580f66a.tar.xz |
Making room for new chapter and a few minor modifications.
Diffstat (limited to 'chapter_09.xml')
-rw-r--r-- | chapter_09.xml | 562 |
1 files changed, 186 insertions, 376 deletions
diff --git a/chapter_09.xml b/chapter_09.xml index a0ab4d2..a2bb4e9 100644 --- a/chapter_09.xml +++ b/chapter_09.xml 
@@ -3,459 +3,269 @@ "/usr/share/xml/docbook/xml-dtd-4.5/docbookx.dtd"> <chapter> -<title>Filesystem Permissions</title> +<title>Users and Groups</title> <section> -<title>Permissions Overview</title> +<title>What Are Users and Groups?</title> <para> -As we've discussed, Slackware Linux is a multi-user operating system. -Because of this, its filesystems are mutli-user as well. This means -that every file or directory has a set of permissions that can grant or -deny privileges to different users. There are three basic permissions -and three sets of permissions for each file. Let's take a look at an -example file. +Slackware Linux inherits a strong multi-user tradition from its UNIX +inspiration. This means that multiple people may use the system at +once, but it also means that each of these people may have different +permissions. This allows users to prevent others from modifying their +files, or lets system administrators explicitly define what users can +and cannot do on the system. Moreover, users need not be actual people +at all. In fact, Slackware includes several dozen pre-defined user +and group accounts that are not typically used by regular users. Rather +these accounts allow the system administrator to segment the system for +security reasons. We'll see how that's done in the next chapter on +filesystem permissions. </para> -<screen><prompt>darkstar:~$ </prompt><userinput>ls -l /bin/ls</userinput> --rwxr-xr-x 1 root root 81820 2007-06-08 21:12 /bin/ls -</screen> +</section> + +<section> +<title>Managing Users and Groups</title> <para> -Recall from chapter 4 that <application>ls</application> <arg>-l</arg> -lists the permissions for a file or -directory along with the user and group that "own" the file. In this -case, the permissions are rwxr-xr-x, the user is root and the group is -also root. The permissions section, while grouped together, is really -three seperate pieces. 
The first set of three letters are the -permissions granted to the user that owns the file. The second set of -three are those granted to the group owner, and the final three are -permissions for everyone else. +The easiest way to add new users in Slackware is through the use of our +very fine <application>adduser</application> shell script. +<application>adduser</application> will prompt you to enter the details +of the new user you wish to creature and step you through the process +quickly and easily. It will even create a password for the new user. </para> -<table pgwide="0"> -<title>Permissions of /bin/ls</title> -<tgroup cols="3"> - <thead> - <row> - <entry>Set</entry> - <entry>Listing</entry> - <entry>Meaning</entry> - </row> - </thead> - <tbody> - <row> - <entry>Owner</entry> - <entry>rwx</entry> - <entry>The owner "root" may read, write, and execute</entry> - </row> - <row> - <entry>Group</entry> - <entry>r-x</entry> - <entry>The group "root" may read and execute</entry> - </row> - <row> - <entry>Others</entry> - <entry>r-x</entry> - <entry>Everyone else may read and execute</entry> - </row> - </tbody> -</tgroup> -</table> +<screen><prompt>darkstar:~# </prompt><userinput>adduser</userinput> -<para> -The permissions are pretty self explainatory of course, at least for -files. Read, write, and execute allow you to read a file, write to it, -or execute it. But what do these permissions mean for directories? -Simply put, the read permissions grants the ability to list the -directory's contents (say with <application>ls</application>). The write -permission grants the ability to create new files in the directory as -well as delete the entire directory, even if you otherwise wouldn't be -able to delete some of the other files inside it. The execute -permission grants the ability to actually enter the directory (with the -<application>bash</application> built-in command cd for example). 
-</para> +Login name for new user []: <userinput>david</userinput> -<para> -Let's look at the permissions on a directory now. -</para> +User ID ('UID') [ defaults to next available ]: -<screen><prompt>darkstar:~$ </prompt><userinput>ls -ld /home/alan</userinput> -drwxr-x--- 60 alan users 3040 2008-06-06 17:14 /home/alan/ -</screen> +Initial group [ users ]: +Additional UNIX groups: -<para> -Here we see the permissions on my home directory and its ownership. The -directory is owned by the user alan and the group users. The user is -granted all rights (rwx), the group is granted only read and execute -permissions (r-x), and everyone else is prohibited from doing anything. -</para> +Users can belong to additional UNIX groups on the system. +For local users using graphical desktop login managers such +as XDM/KDM, users may need to be members of additional groups +to access the full functionality of removable media devices. -</section> +* Security implications * +Please be aware that by adding users to additional groups may +potentially give access to the removable media of other users. -<section> -<title><application>chmod</application>, -<application>chown</application>, and -<application>chgrp</application></title> +If you are creating a new user for remote shell access only, +users do not need to belong to any additional groups as standard, +so you may press ENTER at the next prompt. -<para> -So now that we know what permissions are, how do we change them? And -for that matter, how do we assign user and group ownership? The answer -is right here in this section. -</para> +Press ENTER to continue without adding any additional groups +Or press the UP arrow to add/select/edit additional groups +: <userinput>audio cdrom floppy plugdev video</userinput> -<para> -The first tool we'll discuss is the useful -<application>chown</application> -(1) command. Using <application>chown</application>, we can (you guessed -it), change the ownership of a file or -directory. 
<application>chown</application> is historically used only -to change the user ownership, but can change the group ownership as well. -</para> +Home directory [ /home/david ] -<screen><prompt>darkstar:~# </prompt><userinput>ls -l /tmp/foo</userinput> -total 0 --rw-r--r-- 1 alan users 0 2008-06-06 22:29 a --rw-r--r-- 1 alan users 0 2008-06-06 22:29 b -<prompt>darkstar:~# </prompt><userinput>chown root /tmp/foo/a</userinput> -<prompt>darkstar:~# </prompt><userinput>ls -l /tmp/foo</userinput> -total 0 --rw-r--r-- 1 root users 0 2008-06-06 22:29 a --rw-r--r-- 1 alan users 0 2008-06-06 22:29 b -</screen> +Shell [ /bin/bash ] -<para> -By using a colon after the user account, you may also specify a new -group account. -</para> +Expiry date (YYYY-MM-DD) []: -<screen><prompt>darkstar:~# </prompt><userinput>chown root:root /tmp/foo/b</userinput> -<prompt>darkstar:~# </prompt><userinput> ls -l /tmp/foo</userinput> -total 0 --rw-r--r-- 1 root users 0 2008-06-06 22:29 a --rw-r--r-- 1 root root 0 2008-06-06 22:29 b -</screen> +New account will be created as follows: -<para> -<application>chown</application> can also be used recursively to change -the ownership of all files and directories below a target directory. -The following command would change all the files under the directory -<filename>/tmp/foo</filename> to have their ownership set to root:root. -</para> +--------------------------------------- +Login name.......: david +UID..............: [ Next available ] +Initial group....: users +Additional groups: audio,cdrom,floppy,plugdev,video +Home directory...: /home/david +Shell............: /bin/bash +Expiry date......: [ Never ] -<screen><prompt>darkstar:~# </prompt><userinput>chown -R root:root /tmp/foo/b</userinput></screen> +This is it... if you want to bail out, hit Control-C. Otherwise, press +ENTER to go ahead and make the account. 
-<para> -Specifying a colon and a group name without a user name will simply -change the group for a file and leave the user ownership intact. -</para> -<screen><prompt>darkstar:~# </prompt><userinput>chown :wheel /tmp/foo/a</userinput> -<prompt>darkstar:~# </prompt><userinput>ls -l /tmp/foo</userinput> -ls -l /tmp/foo -total 0 --rw-r--r-- 1 root wheel 0 2008-06-06 22:29 a --rw-r--r-- 1 root root 0 2008-06-06 22:29 b -</screen> +Creating new account... -<para> -The younger brother of <application>chown</application> is the -slightly less useful <application>chgrp</application>(1). This -command works just like <application>chown</application>, except -it can only change the group -ownership of a file. Since <application>chown</application> can -already do this, why bother with -<application>chgrp</application>? The answer is simple. Many other -operating systems use a -different version of <application>chown</application> that cannot -change the group ownership, so -if you ever come across one of those, now you know how. -</para> -<para> -There's a reason we discussed changing ownership before changing -permissions. The first is a much easier concept to grasp. The tool for -changing permissions on a file or directory is -<application>chmod</application>(1). The syntax for it -is nearly identical to that for <application>chown</application>, but -rather than -specify a user or group, the administrator must specify either a set of -octal permissions or a set of alphabetic permissions. Neither one is -especially easy to grasp the first time. We'll begin with the less -complicated octal permissions. -</para> +Changing the user information for david +Enter the new value, or press ENTER for the default + Full Name []: + Room Number []: + Work Phone []: + Home Phone []: + Other []: +Changing password for david +Enter the new password (minimum of 5, maximum of 127 characters) +Please use a combination of upper and lower case letters and numbers. 
+New password: +Re-enter new password: +Password changed. + + +Account setup complete. +</screen> <para> -Octal permissions derive their name from being assigned by one of eight -digits, namely the numbers 0 through 7. Each permissions is assigned a -number that is a power of 2, and those numbers are added together to -get the final permissions for one of the permission sets. If this -sounds confusing, maybe this table will help. +The addition of optional groups needs a little explaining. Every user +in Slackware has a single group that it is always a member of. By +default, this is the "users" group. However, users can belong to more +than one group at a time and will inherit all the permissions of every +group they belong to. Typical desktop users will need to add several +group memberships in order to do things like play sound or access +removeable media like cdroms or USB flash drives. You can simply press +the up arrow key at this section and a list of default groups for +desktop users will magically appear. You can of course, add to or +remove groups from this listing. </para> -<table pgwide="0"> -<title>Octal Permissions</title> -<tgroup cols="2"> - <thead> - <row> - <entry>Permission</entry> - <entry>Meaning</entry> - </row> - </thead> - <tbody> - <row> - <entry>Read</entry> - <entry>4</entry> - </row> - <row> - <entry>Write</entry> - <entry>2</entry> - </row> - <row> - <entry>Execute</entry> - <entry>1</entry> - </row> - </tbody> -</tgroup> -</table> - <para> -By adding these values together, we can reach any number between 0 and -7 and specify all possible permission combinations. For example, to -grant both read and write privilages while denying execute, we would -use the number 6. The number 3 would grant write and execute -permissions, but deny the ability to read the file. We must specify a -number for each of the three sets when using octal permissions. It's -not possible to specify only a set of user or group permissions this -way for example. 
+Now that we've demonstrated how to use the interactive +<application>adduser</application> program, lets look at some powerful +non-interactive tools that you may wish to use. The first is +<application>useradd</application>(8). +<application>useradd</application> is a little less friendly, but much +faster for creating users in batches. This makes it ideal for use in +shell scripts. In fact, <application>adduser</application> is just such +a shell script and uses <application>useradd</application> for most of +the heavy lifting. <application>useradd</application> has many options +and we can't explain them all here, so refer to its man page for the +complete details. Now, let's make a new user. </para> -<screen><prompt>darkstar:~# </prompt><userinput>ls -l /tmp/foo/a</userinput> --rw-r--r-- 1 root root 0 2008-06-06 22:29 a -<prompt>darkstar:~# </prompt><userinput>chmod 750 /tmp/foo/a</userinput> -<prompt>darkstar:~# </prompt><userinput>ls -l /tmp/foo/a</userinput> --rwxr-x--- 1 root root 0 2008-06-06 22:29 a +<screen><prompt>darkstar:~# </prompt><userinput>useradd -d /data/home/alan -s /bin/bash -g users -G audio,cdrom,floppy,plugdev,video alan</userinput> </screen> <para> -<application>chmod</application> can also use letter values along with -<keycap>+</keycap> or <keycap>-</keycap> to grant or deny permissions. -While this may be easier to -remember, it's often easier to use the octal permissions. +Here I have added the user "alan". I specified the user's home +directory as <filename>/data/home/alan</filename> and used +<application>bash</application> as my shell. Also, I specified my +default group as "users" and added myself to a number of useful groups +for dekstop use. You'll note that <application>useradd</application> +does not do any prompting like <application>adduser</application>. +Unless you want to accept the defaults for everything, you'll need to +tell <application>useradd</application> what to do. 
</para> -<table pgwide="0"> -<title>Alphabetic Permissions</title> -<tgroup cols="2"> - <thead> - <row> - <entry>Permission</entry> - <entry>Letter Value</entry> - </row> - </thead> - <tbody> - <row> - <entry>Read</entry> - <entry>r</entry> - </row> - <row> - <entry>Write</entry> - <entry>w</entry> - </row> - <row> - <entry>Execute</entry> - <entry>x</entry> - </row> - </tbody> -</tgroup> -</table> - -<table pgwide="0"> -<title>Alphabetic Users and Groups</title> -<tgroup cols="2"> - <thead> - <row> - <entry>Accounts Affected</entry> - <entry>Letter Value</entry> - </row> - </thead> - <tbody> - <row> - <entry>User/Owner</entry> - <entry>u</entry> - </row> - <row> - <entry>Group</entry> - <entry>g</entry> - </row> - <row> - <entry>Others/World</entry> - <entry>o</entry> - </row> - </tbody> -</tgroup> -</table> - <para> -To use the letter values with <application>chmod</application>, you -must specify which set to use them with, either "u" for user, "g" for -group, and "o" for all others. You must also specify whether you are -adding or removing permissions with the "+" and "-" signs. Multiple -sets can be changed at once by seperating each with a comma. +Now that we know how to add users, we should learn how to add groups. +As you might have guessed, the command for doing this is +<application>groupadd</application>(8). +<application>groupadd</application> works in the same way as +<application>useradd</application>, but with far fewer options. The +following command adds the group "slackers" to the system. 
</para> -<screen><prompt>darkstar:/tmp/foo# </prompt><userinput>ls -l</userinput> -total 0 --rw-r--r-- 1 alan users 0 2008-06-06 23:37 a --rw-r--r-- 1 alan users 0 2008-06-06 23:37 b --rw-r--r-- 1 alan users 0 2008-06-06 23:37 c --rw-r--r-- 1 alan users 0 2008-06-06 23:37 d -<prompt>darkstar:/tmp/foo# </prompt><userinput>chmod u+x a</userinput> -<prompt>darkstar:/tmp/foo# </prompt><userinput>chmod g+w b</userinput> -<prompt>darkstar:/tmp/foo# </prompt><userinput>chmod u+x,g+x,o-r c</userinput> -<prompt>darkstar:/tmp/foo# </prompt><userinput>chmod u+rx-w,g+r,o-r d</userinput> -<prompt>darkstar:/tmp/foo# </prompt><userinput>ls -l</userinput> --rwxr--r-- 1 alan users 0 2008-06-06 23:37 a* --rw-rw-r-- 1 alan users 0 2008-06-06 23:37 b --rwxr-x--- 1 alan users 0 2008-06-06 23:37 c* --r-xr----- 1 alan users 0 2008-06-06 23:37 d* +<screen><prompt>darkstar:~# </prompt><userinput>groupadd slackers</userinput> </screen> <para> -Which you prefer to use is entirely up to you. There are places where -one is better than the other, so a real Slacker will know both inside -out. +Deleting users and groups is easy as well. Simply run the +<application>userdel</application>(8) and +<application>groupdel</application>(8) commands. By default, +<application>userdel</application> will leave the user's home directory +on the system. You can remove this with the <arg>-r</arg> argument. </para> </section> <section> -<title>SUID, SGID, and the "Sticky" Bit</title> +<title>Other User and Group Tools</title> <para> -We're not quite done with permissions just yet. There are three other -"special" permissions in addition to those mentioned above. They are -SUID, SGID, and the sticky bit. When a file has one or more of these -permissions set, it behaves in special ways. The SUID and SGID -permissions change the way an application is run, while the sticky bit -restricts deletion of files. 
These permissions are applied with -<application>chmod</application> -like read, write, and execute, but with a twist. +Several other tools exist for managing users and groups. Perhaps the +most important one is <application>passwd</application>(1). This +command changes a user account's password. Normal users may change +their own passwords only, but root can change anyone's password. Also, +root can lock a user account with the <arg>-l</arg> argument. This +doesn't actually shutout the account, but instead changes the user's +encrypted password to a value that can't be matched. </para> <para> -SUID and SGID stand for "Set User ID" and "Set Group ID" respectively. -When an application with one of these bits is set, the application runs -with the user or group ownership permissions of that application -regardless of what user actually -executed it. Let's take a look at a common SUID application, the humble -<application>passwd</application> and the files it modifies. +Another useful tool is <application>chsh</application>(1) which changes a +user's default shell. Like <application>passwd</application>, normal +users can only change their own shell, but the root user can change +anyone's. </para> -<screen><prompt>darkstar:~# </prompt><userinput>ls -l /usr/bin/passwd \ - /etc/passwd \ - /etc/shadow</userinput> --rw-r--r-- 1 root root 1106 2008-06-03 22:23 /etc/passwd --rw-r----- 1 root shadow 627 2008-06-03 22:22 /etc/shadow --rws--x--x 1 root root 34844 2008-03-24 16:11 /usr/bin/passwd* -</screen> - <para> -Notice the permissions on <application>passwd</application>. Instead of -an <keycap>x</keycap> in the user's execute slot, we have an -<keycap>s</keycap>. This tells us that -<application>passwd</application> is a SUID program, and when we run -it, the process will run as the user "root" rather than as the user -that actually executed it. The reason for this is readily apparent as -soon as you look at the two files it modifies. 
Neither -<filename>/etc/passwd</filename> nor <filename>/etc/shadow</filename> -are writeable by anyone other than root. Since users need to change -their personal information, <application>passwd</application> must be -run as root in order to modify those files. +The last tool we're going to discuss is +<application>chfn</application>(1). This is used to enter identifying +information on the user such as his phone number and real name. This +information is stored in the <filename>passwd</filename>(5) file and +retrieved using <application>finger</application>(1). </para> -<para> -So what about the sticky bit? The sticky bit restricts the ability to -move or delete files and is only ever set on directories. Non-root -users cannot move or delete any files under a directory with the sticky -bit set unless they are the owner of that file. Normally anyone with -write permission to the file can do this, but the sticky bit prevents -it for anyone but the owner (and of course, root). Let's take a look at -a common "sticky" directory. -</para> +</section> -<screen><prompt>darkstar:~# </prompt><userinput>ls -ld /tmp</userinput> -drwxrwxrwt 1 root root 34844 2008-03-24 16:11 /tmp -</screen> +<section> +<title>Managing Users and Groups Manually</title> <para> -Naturally, being a directory for the storage of temporary files sytem -wide, <filename>/tmp</filename> needs to be readable, writeable, and -executable by anyone and everyone. Since any user is likely to have a -file or two stored here at any time, it only makes good sense to -prevent other users from deleting those files, so the sticky bit has -been set. You can see it by the presence of the <keycap>t</keycap> in -place of the <keycap>x</keycap> in the world permissions section. +Like most things in Slackware Linux, users and groups are stored in +plain-text files. 
This means that you can edit all the details of a +user, or even create a new user or group simply by editing these files +and doing a few other tasks like creating the user's home directory. Of +course, after you see how this is done you'll appreciate just how +simple the included tools make this task. </para> -<table pgwide="0"> -<title>SUID, SGID, and "Sticky" Permissions</title> -<tgroup cols="3"> - <thead> - <row> - <entry>Permission Type</entry> - <entry>Octal Value</entry> - <entry>Letter Value</entry> - </row> - </thead> - <tbody> - <row> - <entry>SUID</entry> - <entry>4</entry> - <entry>s</entry> - </row> - <row> - <entry>SGID</entry> - <entry>2</entry> - <entry>s</entry> - </row> - <row> - <entry>Sticky</entry> - <entry>1</entry> - <entry>t</entry> - </row> - </tbody> -</tgroup> -</table> - <para> -When using octal permissions, you must specify an additional leading -octal value. For example, to recreate the permission on -<filename>/tmp</filename>, we would use 1777. To recreate those -permissions on <filename>/usr/bin/passwd</filename>, we would use 4711. -Essentially, any time this leading fourth octet isn't specified, -<application>chmod</application> assumes its value to be 0. +Our first stop is the <filename>/etc/passwd</filename> file. Here, all +the information about a user is stored, except for (oddly enough) the +user's password. The reason for this is rather simple. +<filename>/etc/passwd</filename> must be readable by all users on the +system, so you wouldn't want passwords stored there, even if they are +encrypted. Let's take a quick look at my entry in this file. </para> -<screen><prompt>darkstar:~# </prompt><userinput>chmod 1777 /tmp</userinput> -<prompt>darkstar:~# </prompt><userinput>chmod 4711 /usr/bin/passwd</userinput> +<screen> +alan:x:1000:100:,,,:/home/alan:/bin/bash </screen> <para> -Using the alphabetic permission values is slightly different. 
Assuming -the two files above have permissions of 0000 (no permissions at all), -here is how we would set them. +Each line in this file contains a number of fields seperated by a +colon. They are, from left to right: username, password, UID, GUID, a +comment field, home directory, and shell. You'll notice that the +password field for every entry is an <keycap>x</keycap>. That is +because Slackware uses shadow passwords, so the actual encrypted +password is stored in <filename>/etc/shadow</filename>. Let's take a +look there. </para> -<screen><prompt>darkstar:~# </prompt><userinput>chmod ug+rwx,o+rwt /tmp</userinput> -<prompt>darkstar:~# </prompt><userinput>chmod u+rws,go+x /usr/bin/passwd</userinput> +<screen> +alan:$1$HlR?M3fkL@oeJmsdLfhsLFM*4dflPh8:14197:0:99999:7::: </screen> +<para> +The <filename>shadow</filename> file contains more than just the +encrypted password as you'll notice. The fields here, again from left +to right, are: username, encrypted password, last day the password was +changed, days before the password may be changed again, how many days +before the password expires, days that the account will be disabled +after expiring, when the account was disabled, and a reserved field. +You may notice on some accounts that the various "days" fields often +include very large numbers. The reason for this is that Slackware +counts time from the "Epoch" which is January 1, 1970 for historical +reasons. +</para> +<para> +To create a new user account, you'll just need to open these files +using <application>vipw</application>(8). This will open +<filename>/etc/passwd</filename> in the editor +defined by your VISUAL variable or your EDITOR variable if VISUAL isn't +defined. If neither is present, it will fall back to +<application>vi</application> by default. If you pass the <arg>-s</arg> +argument, it will open <filename>/etc/shadow</filename> instead. 
It's +important to use <application>vipw</application> instead of using any +other editor, because <application>vipw</application> will lock the +file and prevent other programs from editing it right underneath your feet. +</para> - - - +<para> +That isn't all you'll need to do however; you must also create the +user's home directory and change the user's password using +<application>passwd</application>. +</para> </section> |