From dbca998ce52d78ce5e525e0d799adc83d580f66a Mon Sep 17 00:00:00 2001 From: Alan Hicks Date: Sat, 1 May 2010 14:17:18 -0400 Subject: Making room for new chapter and a few minor modifications. --- chapter_09.xml | 562 +++++++++++++++++++-------------------------------------- 1 file changed, 186 insertions(+), 376 deletions(-) (limited to 'chapter_09.xml') diff --git a/chapter_09.xml b/chapter_09.xml index a0ab4d2..a2bb4e9 100644 --- a/chapter_09.xml +++ b/chapter_09.xml @@ -3,459 +3,269 @@ "/usr/share/xml/docbook/xml-dtd-4.5/docbookx.dtd"> -Filesystem Permissions +Users and Groups
-Permissions Overview +What Are Users and Groups? -As we've discussed, Slackware Linux is a multi-user operating system. -Because of this, its filesystems are mutli-user as well. This means -that every file or directory has a set of permissions that can grant or -deny privileges to different users. There are three basic permissions -and three sets of permissions for each file. Let's take a look at an -example file. +Slackware Linux inherits a strong multi-user tradition from its UNIX +inspiration. This means that multiple people may use the system at +once, but it also means that each of these people may have different +permissions. This allows users to prevent others from modifying their +files, or lets system administrators explicitly define what users can +and cannot do on the system. Moreover, users need not be actual people +at all. In fact, Slackware includes several dozen pre-defined user +and group accounts that are not typically used by regular users. Rather +these accounts allow the system administrator to segment the system for +security reasons. We'll see how that's done in the next chapter on +filesystem permissions. -darkstar:~$ ls -l /bin/ls --rwxr-xr-x 1 root root 81820 2007-06-08 21:12 /bin/ls - +
+ +
+Managing Users and Groups -Recall from chapter 4 that ls -l -lists the permissions for a file or -directory along with the user and group that "own" the file. In this -case, the permissions are rwxr-xr-x, the user is root and the group is -also root. The permissions section, while grouped together, is really -three seperate pieces. The first set of three letters are the -permissions granted to the user that owns the file. The second set of -three are those granted to the group owner, and the final three are -permissions for everyone else. +The easiest way to add new users in Slackware is through the use of our +very fine adduser shell script. +adduser will prompt you to enter the details +of the new user you wish to creature and step you through the process +quickly and easily. It will even create a password for the new user. - -Permissions of /bin/ls - - - - Set - Listing - Meaning - - - - - Owner - rwx - The owner "root" may read, write, and execute - - - Group - r-x - The group "root" may read and execute - - - Others - r-x - Everyone else may read and execute - - - -
+darkstar:~# adduser - -The permissions are pretty self explainatory of course, at least for -files. Read, write, and execute allow you to read a file, write to it, -or execute it. But what do these permissions mean for directories? -Simply put, the read permissions grants the ability to list the -directory's contents (say with ls). The write -permission grants the ability to create new files in the directory as -well as delete the entire directory, even if you otherwise wouldn't be -able to delete some of the other files inside it. The execute -permission grants the ability to actually enter the directory (with the -bash built-in command cd for example). - +Login name for new user []: david - -Let's look at the permissions on a directory now. - +User ID ('UID') [ defaults to next available ]: -darkstar:~$ ls -ld /home/alan -drwxr-x--- 60 alan users 3040 2008-06-06 17:14 /home/alan/ - +Initial group [ users ]: +Additional UNIX groups: - -Here we see the permissions on my home directory and its ownership. The -directory is owned by the user alan and the group users. The user is -granted all rights (rwx), the group is granted only read and execute -permissions (r-x), and everyone else is prohibited from doing anything. - +Users can belong to additional UNIX groups on the system. +For local users using graphical desktop login managers such +as XDM/KDM, users may need to be members of additional groups +to access the full functionality of removable media devices. -
+* Security implications * +Please be aware that by adding users to additional groups may +potentially give access to the removable media of other users. -
-<application>chmod</application>, -<application>chown</application>, and -<application>chgrp</application> +If you are creating a new user for remote shell access only, +users do not need to belong to any additional groups as standard, +so you may press ENTER at the next prompt. - -So now that we know what permissions are, how do we change them? And -for that matter, how do we assign user and group ownership? The answer -is right here in this section. - +Press ENTER to continue without adding any additional groups +Or press the UP arrow to add/select/edit additional groups +: audio cdrom floppy plugdev video - -The first tool we'll discuss is the useful -chown -(1) command. Using chown, we can (you guessed -it), change the ownership of a file or -directory. chown is historically used only -to change the user ownership, but can change the group ownership as well. - +Home directory [ /home/david ] -darkstar:~# ls -l /tmp/foo -total 0 --rw-r--r-- 1 alan users 0 2008-06-06 22:29 a --rw-r--r-- 1 alan users 0 2008-06-06 22:29 b -darkstar:~# chown root /tmp/foo/a -darkstar:~# ls -l /tmp/foo -total 0 --rw-r--r-- 1 root users 0 2008-06-06 22:29 a --rw-r--r-- 1 alan users 0 2008-06-06 22:29 b - +Shell [ /bin/bash ] - -By using a colon after the user account, you may also specify a new -group account. - +Expiry date (YYYY-MM-DD) []: -darkstar:~# chown root:root /tmp/foo/b -darkstar:~# ls -l /tmp/foo -total 0 --rw-r--r-- 1 root users 0 2008-06-06 22:29 a --rw-r--r-- 1 root root 0 2008-06-06 22:29 b - +New account will be created as follows: - -chown can also be used recursively to change -the ownership of all files and directories below a target directory. -The following command would change all the files under the directory -/tmp/foo to have their ownership set to root:root. 
- +--------------------------------------- +Login name.......: david +UID..............: [ Next available ] +Initial group....: users +Additional groups: audio,cdrom,floppy,plugdev,video +Home directory...: /home/david +Shell............: /bin/bash +Expiry date......: [ Never ] -darkstar:~# chown -R root:root /tmp/foo/b +This is it... if you want to bail out, hit Control-C. Otherwise, press +ENTER to go ahead and make the account. - -Specifying a colon and a group name without a user name will simply -change the group for a file and leave the user ownership intact. - -darkstar:~# chown :wheel /tmp/foo/a -darkstar:~# ls -l /tmp/foo -ls -l /tmp/foo -total 0 --rw-r--r-- 1 root wheel 0 2008-06-06 22:29 a --rw-r--r-- 1 root root 0 2008-06-06 22:29 b - +Creating new account... - -The younger brother of chown is the -slightly less useful chgrp(1). This -command works just like chown, except -it can only change the group -ownership of a file. Since chown can -already do this, why bother with -chgrp? The answer is simple. Many other -operating systems use a -different version of chown that cannot -change the group ownership, so -if you ever come across one of those, now you know how. - - -There's a reason we discussed changing ownership before changing -permissions. The first is a much easier concept to grasp. The tool for -changing permissions on a file or directory is -chmod(1). The syntax for it -is nearly identical to that for chown, but -rather than -specify a user or group, the administrator must specify either a set of -octal permissions or a set of alphabetic permissions. Neither one is -especially easy to grasp the first time. We'll begin with the less -complicated octal permissions. 
- +Changing the user information for david +Enter the new value, or press ENTER for the default + Full Name []: + Room Number []: + Work Phone []: + Home Phone []: + Other []: +Changing password for david +Enter the new password (minimum of 5, maximum of 127 characters) +Please use a combination of upper and lower case letters and numbers. +New password: +Re-enter new password: +Password changed. + + +Account setup complete. + -Octal permissions derive their name from being assigned by one of eight -digits, namely the numbers 0 through 7. Each permissions is assigned a -number that is a power of 2, and those numbers are added together to -get the final permissions for one of the permission sets. If this -sounds confusing, maybe this table will help. +The addition of optional groups needs a little explaining. Every user +in Slackware has a single group that it is always a member of. By +default, this is the "users" group. However, users can belong to more +than one group at a time and will inherit all the permissions of every +group they belong to. Typical desktop users will need to add several +group memberships in order to do things like play sound or access +removeable media like cdroms or USB flash drives. You can simply press +the up arrow key at this section and a list of default groups for +desktop users will magically appear. You can of course, add to or +remove groups from this listing. - -Octal Permissions - - - - Permission - Meaning - - - - - Read - 4 - - - Write - 2 - - - Execute - 1 - - - -
- -By adding these values together, we can reach any number between 0 and -7 and specify all possible permission combinations. For example, to -grant both read and write privilages while denying execute, we would -use the number 6. The number 3 would grant write and execute -permissions, but deny the ability to read the file. We must specify a -number for each of the three sets when using octal permissions. It's -not possible to specify only a set of user or group permissions this -way for example. +Now that we've demonstrated how to use the interactive +adduser program, lets look at some powerful +non-interactive tools that you may wish to use. The first is +useradd(8). +useradd is a little less friendly, but much +faster for creating users in batches. This makes it ideal for use in +shell scripts. In fact, adduser is just such +a shell script and uses useradd for most of +the heavy lifting. useradd has many options +and we can't explain them all here, so refer to its man page for the +complete details. Now, let's make a new user. -darkstar:~# ls -l /tmp/foo/a --rw-r--r-- 1 root root 0 2008-06-06 22:29 a -darkstar:~# chmod 750 /tmp/foo/a -darkstar:~# ls -l /tmp/foo/a --rwxr-x--- 1 root root 0 2008-06-06 22:29 a +darkstar:~# useradd -d /data/home/alan -s /bin/bash -g users -G audio,cdrom,floppy,plugdev,video alan -chmod can also use letter values along with -+ or - to grant or deny permissions. -While this may be easier to -remember, it's often easier to use the octal permissions. +Here I have added the user "alan". I specified the user's home +directory as /data/home/alan and used +bash as my shell. Also, I specified my +default group as "users" and added myself to a number of useful groups +for dekstop use. You'll note that useradd +does not do any prompting like adduser. +Unless you want to accept the defaults for everything, you'll need to +tell useradd what to do. 
- -Alphabetic Permissions - - - - Permission - Letter Value - - - - - Read - r - - - Write - w - - - Execute - x - - - -
- - -Alphabetic Users and Groups - - - - Accounts Affected - Letter Value - - - - - User/Owner - u - - - Group - g - - - Others/World - o - - - -
- -To use the letter values with chmod, you -must specify which set to use them with, either "u" for user, "g" for -group, and "o" for all others. You must also specify whether you are -adding or removing permissions with the "+" and "-" signs. Multiple -sets can be changed at once by seperating each with a comma. +Now that we know how to add users, we should learn how to add groups. +As you might have guessed, the command for doing this is +groupadd(8). +groupadd works in the same way as +useradd, but with far fewer options. The +following command adds the group "slackers" to the system. -darkstar:/tmp/foo# ls -l -total 0 --rw-r--r-- 1 alan users 0 2008-06-06 23:37 a --rw-r--r-- 1 alan users 0 2008-06-06 23:37 b --rw-r--r-- 1 alan users 0 2008-06-06 23:37 c --rw-r--r-- 1 alan users 0 2008-06-06 23:37 d -darkstar:/tmp/foo# chmod u+x a -darkstar:/tmp/foo# chmod g+w b -darkstar:/tmp/foo# chmod u+x,g+x,o-r c -darkstar:/tmp/foo# chmod u+rx-w,g+r,o-r d -darkstar:/tmp/foo# ls -l --rwxr--r-- 1 alan users 0 2008-06-06 23:37 a* --rw-rw-r-- 1 alan users 0 2008-06-06 23:37 b --rwxr-x--- 1 alan users 0 2008-06-06 23:37 c* --r-xr----- 1 alan users 0 2008-06-06 23:37 d* +darkstar:~# groupadd slackers -Which you prefer to use is entirely up to you. There are places where -one is better than the other, so a real Slacker will know both inside -out. +Deleting users and groups is easy as well. Simply run the +userdel(8) and +groupdel(8) commands. By default, +userdel will leave the user's home directory +on the system. You can remove this with the -r argument.
-SUID, SGID, and the "Sticky" Bit +Other User and Group Tools -We're not quite done with permissions just yet. There are three other -"special" permissions in addition to those mentioned above. They are -SUID, SGID, and the sticky bit. When a file has one or more of these -permissions set, it behaves in special ways. The SUID and SGID -permissions change the way an application is run, while the sticky bit -restricts deletion of files. These permissions are applied with -chmod -like read, write, and execute, but with a twist. +Several other tools exist for managing users and groups. Perhaps the +most important one is passwd(1). This +command changes a user account's password. Normal users may change +their own passwords only, but root can change anyone's password. Also, +root can lock a user account with the -l argument. This +doesn't actually shutout the account, but instead changes the user's +encrypted password to a value that can't be matched. -SUID and SGID stand for "Set User ID" and "Set Group ID" respectively. -When an application with one of these bits is set, the application runs -with the user or group ownership permissions of that application -regardless of what user actually -executed it. Let's take a look at a common SUID application, the humble -passwd and the files it modifies. +Another useful tool is chsh(1) which changes a +user's default shell. Like passwd, normal +users can only change their own shell, but the root user can change +anyone's. -darkstar:~# ls -l /usr/bin/passwd \ - /etc/passwd \ - /etc/shadow --rw-r--r-- 1 root root 1106 2008-06-03 22:23 /etc/passwd --rw-r----- 1 root shadow 627 2008-06-03 22:22 /etc/shadow --rws--x--x 1 root root 34844 2008-03-24 16:11 /usr/bin/passwd* - - -Notice the permissions on passwd. Instead of -an x in the user's execute slot, we have an -s. This tells us that -passwd is a SUID program, and when we run -it, the process will run as the user "root" rather than as the user -that actually executed it. 
The reason for this is readily apparent as -soon as you look at the two files it modifies. Neither -/etc/passwd nor /etc/shadow -are writeable by anyone other than root. Since users need to change -their personal information, passwd must be -run as root in order to modify those files. +The last tool we're going to discuss is +chfn(1). This is used to enter identifying +information on the user such as his phone number and real name. This +information is stored in the passwd(5) file and +retrieved using finger(1). - -So what about the sticky bit? The sticky bit restricts the ability to -move or delete files and is only ever set on directories. Non-root -users cannot move or delete any files under a directory with the sticky -bit set unless they are the owner of that file. Normally anyone with -write permission to the file can do this, but the sticky bit prevents -it for anyone but the owner (and of course, root). Let's take a look at -a common "sticky" directory. - +
-darkstar:~# ls -ld /tmp -drwxrwxrwt 1 root root 34844 2008-03-24 16:11 /tmp - +
+Managing Users and Groups Manually -Naturally, being a directory for the storage of temporary files sytem -wide, /tmp needs to be readable, writeable, and -executable by anyone and everyone. Since any user is likely to have a -file or two stored here at any time, it only makes good sense to -prevent other users from deleting those files, so the sticky bit has -been set. You can see it by the presence of the t in -place of the x in the world permissions section. +Like most things in Slackware Linux, users and groups are stored in +plain-text files. This means that you can edit all the details of a +user, or even create a new user or group simply by editing these files +and doing a few other tasks like creating the user's home directory. Of +course, after you see how this is done you'll appreciate just how +simple the included tools make this task. - -SUID, SGID, and "Sticky" Permissions - - - - Permission Type - Octal Value - Letter Value - - - - - SUID - 4 - s - - - SGID - 2 - s - - - Sticky - 1 - t - - - -
- -When using octal permissions, you must specify an additional leading -octal value. For example, to recreate the permission on -/tmp, we would use 1777. To recreate those -permissions on /usr/bin/passwd, we would use 4711. -Essentially, any time this leading fourth octet isn't specified, -chmod assumes its value to be 0. +Our first stop is the /etc/passwd file. Here, all +the information about a user is stored, except for (oddly enough) the +user's password. The reason for this is rather simple. +/etc/passwd must be readable by all users on the +system, so you wouldn't want passwords stored there, even if they are +encrypted. Let's take a quick look at my entry in this file. -darkstar:~# chmod 1777 /tmp -darkstar:~# chmod 4711 /usr/bin/passwd + +alan:x:1000:100:,,,:/home/alan:/bin/bash -Using the alphabetic permission values is slightly different. Assuming -the two files above have permissions of 0000 (no permissions at all), -here is how we would set them. +Each line in this file contains a number of fields seperated by a +colon. They are, from left to right: username, password, UID, GUID, a +comment field, home directory, and shell. You'll notice that the +password field for every entry is an x. That is +because Slackware uses shadow passwords, so the actual encrypted +password is stored in /etc/shadow. Let's take a +look there. -darkstar:~# chmod ug+rwx,o+rwt /tmp -darkstar:~# chmod u+rws,go+x /usr/bin/passwd + +alan:$1$HlR?M3fkL@oeJmsdLfhsLFM*4dflPh8:14197:0:99999:7::: + +The shadow file contains more than just the +encrypted password as you'll notice. The fields here, again from left +to right, are: username, encrypted password, last day the password was +changed, days before the password may be changed again, how many days +before the password expires, days that the account will be disabled +after expiring, when the account was disabled, and a reserved field. +You may notice on some accounts that the various "days" fields often +include very large numbers. 
The reason for this is that Slackware +counts time from the "Epoch" which is January 1, 1970 for historical +reasons. + + +To create a new user account, you'll just need to open these files +using vipw(8). This will open +/etc/passwd in the editor +defined by your VISUAL variable or your EDITOR variable if VISUAL isn't +defined. If neither is present, it will fall back to +vi by default. If you pass the -s +argument, it will open /etc/shadow instead. It's +important to use vipw instead of using any +other editor, because vipw will lock the +file and prevent other programs from editing it right underneath your feet. + - - - + +That isn't all you'll need to do however; you must also create the +user's home directory and change the user's password using +passwd. +