Lecture 11 (File Permissions)
Post on 07-Apr-2018
TRANSCRIPT
8/6/2019 Lecture 11 (File Permissions)
28/10/10 Punjab University College of Information Technology (PUCIT)
Instructor: Arif Butt. TA: Dilawer Hussain.
Lecture # 10
File Permissions
Course: Intro to Computing
Instructor: Arif Butt
TA: Dilawer Hussain
Punjab University College of Information Technology (PUCIT)
University of the Punjab

Today's Agenda
Introduction to Permissions
Changing Permissions
  Symbolic Method
  Binary Method
Special Access Bits
Permissions Lab

Introduction to Permissions

Permission Types Diagram (figure not reproduced in the transcript)

Introduction
Users
Every user of a system is assigned a unique UID. User names and UIDs are stored in the /etc/passwd file. Users cannot read, write or execute each other's files without permissions.
Groups
Users are assigned to groups, each with a unique GID. GIDs are stored in /etc/group. In Red Hat, each user is given his/her own private group by default (the primary group). He/she can belong to other groups (secondary groups) to gain additional access. All users in a group can share files that belong to that group.

Levels of Permission
There are three levels of permissions to files and directories in Linux. These levels correspond to the following three categories:
User/owner (u): The owner is the user who created the file. Any file you create, you own.
Group (g): The user/owner of a file can grant access to the file to the members of a designated group.
Others (o): The user/owner of a file can also open up access to the file to all other users on the system.

Categories of Permission (Files)
Each level, or category, has associated privileges. These privileges come in the form of three permissions. For files the permissions have the following meanings:
READ (r): Enables users to open files and read their contents using less, more, head, tail, cat, grep, sort, view.
WRITE (w): Enables users to open a file and change its contents using vi, vim.
EXECUTE (x): Enables users to execute files as commands.

Displaying Permissions
Examining the following long listing of the /etc/passwd file gives:
(File access permission) (Number of links) (User) (Group) (File size) (Last modification date) (LM time)

Displaying Permissions (cont..)
When a user accesses a file, the user is compared with the permission set of the file:
If the user matches, the user permissions apply.
If the group matches, but the user does not, the group permissions apply.
If neither matches, the other permissions apply.

Categories of Permission (Directories)
READ: Users can view filenames in the directory.
WRITE: Users can create and delete files in the directory.
EXECUTE: Users can search in the directory and change to it using the cd command.

Examples
--x permissions on a directory will not let the user view the directory contents or create or delete files in that directory. However, the user can run an executable file located in that directory.
r-x permissions on a directory are OK, meaning ls can be done.
-wx permissions on a directory are OK, meaning a file can be created in this directory; however, ls cannot be done.
rw-, r-- or -w- permissions on a directory have no effect if the execute bit is not set.
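To see what those directory modes actually permit, here is an added shell example (not part of the lecture slides) that sets a scratch directory to --x, r-x and -wx in turn and records whether listing it, reading a file of known name inside it, and creating a file succeed. It assumes a Linux system with GNU coreutils and should be run as an ordinary user: root carries CAP_DAC_OVERRIDE and passes every one of these checks regardless of the mode.

```shell
#!/bin/sh
# Added example (not from the lecture): probe what the directory modes on the
# slide really allow, using a scratch directory that the script creates and
# removes itself. Assumes Linux with GNU coreutils. Run as a regular user:
# root has CAP_DAC_OVERRIDE and passes every one of these checks.
set -eu

# probe <octal-dir-mode>
# Prints "ls=<yes|no> read_known_file=<yes|no> create=<yes|no>" for a scratch
# directory set to that mode. "known" is a file whose name the user already
# knows, the situation the slide describes for --x.
probe() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/known"
    chmod 644 "$d/known"
    chmod "$1" "$d"

    if ls "$d" >/dev/null 2>&1; then l=yes; else l=no; fi        # needs r on the dir
    if cat "$d/known" >/dev/null 2>&1; then r=yes; else r=no; fi # needs x (search)
    if : > "$d/new" 2>/dev/null; then c=yes; else c=no; fi       # needs w and x

    chmod 700 "$d"   # the owner may always chmod, so cleanup succeeds
    rm -rf "$d"
    printf 'ls=%s read_known_file=%s create=%s\n' "$l" "$r" "$c"
}

main() {
    printf 'running as uid %s\n' "$(id -u)"
    # 100 = --x, 500 = r-x, 300 = -wx (the slide's three cases), 600 = rw- without x
    for m in 100 500 300 600; do
        printf 'dir mode %s: %s\n' "$m" "$(probe "$m")"
    done
}
main
```

The fourth row (rw- with no x) is there to see for yourself what r alone still allows: the names can be read from the directory entry, but nothing inside it can be opened or created, which is what the slide means by "no effect".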

chmod Command
chmod is used to change file access permissions.
SYNOPSIS
Description
chmod takes two lists as its arguments: permission changes and filenames.

Changing Permissions

Symbols for Level
The table below lists the level options that can be used with the chmod command.

Symbols for Permission
+ : Add the following permissions (does not affect other permissions)
- : Remove the following permissions (does not affect other permissions)
= : Assign the entire set of permissions

Adding Rights to a File
Adding write privileges for the group can be done by running chmod as follows:
Examining the permissions of the /etc/passwd file after the modification shows the following:
Write bit added

Removing Rights from a File
Removing the write bit from the group can be done by running chmod as follows:
Examining the permissions of the /etc/passwd file after the modification shows the following:
Write bit removed

Settings
Here are some common examples of settings that can be used with chmod:

Examples
Add the execute permission and remove the write permission on the mydata file for all categories (i.e. user, group and other). The read permission is not changed.
Set the permissions for the group to read and write.
Set the permissions for other users to read.
Set the read permission for other users, but remove the write and execute permissions.

Examples (cont..)
Another permission character exists, a, which represents all the categories. The a character is the default. In the next example, the two commands are equivalent. The read permission is explicitly set with the a character denoting all types of users: other, group, and user.
By adding the -R option, we can change permissions for entire directory trees. To allow everyone read and write access to the mylinux directory in our login directory, we just type:

Changing Permissions: Binary Method
The absolute method changes all the permissions at once, instead of specifying one or the other.
The three access levels, each with three permissions, conform to an octal (binary) format.
Three octal digits in a number translate into three sets of three binary digits, which is nine altogether, the exact number of permissions for a file.
The first octal digit applies to the owner category, the second to the group, and the third to the others category.
The actual octal digit you choose determines the read, write, and execute permissions for each category.
Owner  Group  Other
  6      4      2

Numbers to change a file's mode
The chmod utility can also use numbers to change a file's mode. The numbers range from 0-7 (octal).

Changing Permissions with Numbers
Each permission is assigned a number:
Read = 4, write = 2, execute = 1
Add these numbers for each user category:
       Owner   Group   Other
  -    r w -   r - -   r - -
       4 2     4       4
       6       4       4
Use with chmod:
Permission changed
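As an added example (not from the slides), the following shell script does the r=4, w=2, x=1 addition above in both directions and checks its answer against the rwx string the kernel reports through stat for a scratch file set to that mode. It assumes GNU coreutils; the list of common settings at the end is filled in from the arithmetic, since the slide's own table is not in the transcript.

```shell
#!/bin/sh
# Added example (not from the lecture): convert between the octal and the
# rwx forms of a mode with plain POSIX shell arithmetic, the same addition
# (r=4, w=2, x=1) the slide does by hand, and cross-check it against stat.
set -eu

# digit_to_rwx <0..7>  ->  e.g. 6 -> rw-
digit_to_rwx() {
    d=$1
    r='-'; w='-'; x='-'
    if [ $((d & 4)) -ne 0 ]; then r=r; fi
    if [ $((d & 2)) -ne 0 ]; then w=w; fi
    if [ $((d & 1)) -ne 0 ]; then x=x; fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# rwx_to_digit <rwx triplet>  ->  e.g. r-x -> 5
rwx_to_digit() {
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??x) n=$((n + 1)) ;; esac
    printf '%s' "$n"
}

# mode_to_symbolic 644 -> rw-r--r--   (digits: owner, group, other)
mode_to_symbolic() {
    u=$(printf '%s' "$1" | cut -c1)
    g=$(printf '%s' "$1" | cut -c2)
    o=$(printf '%s' "$1" | cut -c3)
    printf '%s%s%s\n' "$(digit_to_rwx "$u")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$o")"
}

# symbolic_to_mode rw-r--r-- -> 644
symbolic_to_mode() {
    printf '%s%s%s\n' \
        "$(rwx_to_digit "$(printf '%s' "$1" | cut -c1-3)")" \
        "$(rwx_to_digit "$(printf '%s' "$1" | cut -c4-6)")" \
        "$(rwx_to_digit "$(printf '%s' "$1" | cut -c7-9)")"
}

# stat_symbolic <octal> -> the rwx string the kernel reports for a scratch
# file set to <octal> (stat -c %A without its leading file-type character).
stat_symbolic() {
    f=$(mktemp)
    chmod "$1" "$f"
    s=$(stat -c '%A' "$f")
    rm -f "$f"
    printf '%s\n' "${s#?}"
}

main() {
    printf '%-6s %-10s %-10s %s\n' octal computed kernel meaning
    for m in 777 755 700 644 640 600 400; do
        printf '%-6s %-10s %-10s ' "$m" "$(mode_to_symbolic "$m")" "$(stat_symbolic "$m")"
        printf 'owner %s, group %s, other %s\n' \
            "$(digit_to_rwx "$(printf '%s' "$m" | cut -c1)")" \
            "$(digit_to_rwx "$(printf '%s' "$m" | cut -c2)")" \
            "$(digit_to_rwx "$(printf '%s' "$m" | cut -c3)")"
    done
}
main
```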

Fun with Numbers and chmod
Here's a list of some common settings, numerical values and their meanings:

Fun with Numbers (cont..)

Example
File created
Default permission
Permission changed
Permission implemented

Permission Defaults: umask
To display the current default permissions, use the umask command with no arguments. The -S option uses the symbolic format.
You can set a new default set of permissions for the files that you create. The following example specifies read, write and execute permissions for the owner and gives no permissions to group or others.

Permission Defaults: umask (cont..)
Note: For files, subtract the umask from 666; for directories, subtract it from 777.
A umask of 022 means that files will have permissions of 644 while directories will have permissions of 755.
Example: 666 - 022 = 644; 777 - 022 = 755
If you trust no one, use the following mask:
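Added example (not from the lecture): the umask arithmetic as a shell function, checked against what the kernel actually does when a file or a directory is created under that umask. It assumes GNU stat. The slide's subtraction works for 022 because no mask bit lands where the base already has a 0; the real operation is base AND NOT mask, which is what the function implements, and the final line shows a case where subtraction would give a wrong answer.

```shell
#!/bin/sh
# Added example (not from the lecture): compute the default mode a umask
# yields and confirm it against what the kernel does for a new file and a
# new directory created under that umask. Uses GNU `stat -c %a`.
set -eu

# apply_umask <base-octal> <umask-octal> -> resulting octal mode
# The real operation is base AND NOT mask (bitwise), not digit-wise
# subtraction; the two agree for 666/022 and 777/022 but not in general.
apply_umask() {
    base=$((0$1))
    mask=$((0$2))
    printf '%03o\n' $((base & ~mask))
}

# observed_file_mode <umask> -> mode of a file created under that umask
observed_file_mode() {
    d=$(mktemp -d)
    ( umask "$1"; : > "$d/f" )
    stat -c '%a' "$d/f"
    rm -rf "$d"
}

# observed_dir_mode <umask> -> mode of a directory created under that umask
observed_dir_mode() {
    d=$(mktemp -d)
    ( umask "$1"; mkdir "$d/sub" )
    stat -c '%a' "$d/sub"
    rm -rf "$d"
}

main() {
    printf 'current umask: %s (%s)\n' "$(umask)" "$(umask -S)"
    printf '%-6s %-10s %-10s %s\n' umask 'file(666)' 'dir(777)' 'observed file/dir'
    # 022: the usual default; 027: no access for others; 077: "trust no one".
    for m in 022 027 077; do
        printf '%-6s %-10s %-10s %s/%s\n' "$m" \
            "$(apply_umask 666 "$m")" "$(apply_umask 777 "$m")" \
            "$(observed_file_mode "$m")" "$(observed_dir_mode "$m")"
    done
    # Where digit-wise subtraction breaks down: 664 under umask 027 is 640.
    printf '664 AND NOT 027 = %s\n' "$(apply_umask 664 027)"
}
main
```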

Special Access Bits
When a user starts a process, it runs with the permissions of that user. If you run vi and try to edit /etc/shadow, the operation will fail. Likewise, if you try to edit your personal information in the file /etc/passwd, the operation will fail.
Although /etc/passwd is a file that cannot be changed by a regular user, a regular user can use the /usr/bin/chfn program to change his personal information contained in it. Similarly, a regular user can use the /usr/bin/passwd and /usr/bin/chage programs to change his password-related information in the /etc/shadow file. This is because these programs have their SUID permission set.
Three special types of permissions are available for executable files and public directories: setuid, setgid, and sticky bit. When the setuid or setgid permission is set, any user who runs that executable file assumes the ID of the owner (or group) of the executable file.

Special Access Bits (cont..)
setuid Permission: When setuid permission is set on an executable file, a process that runs this file is granted access on the basis of the owner of the file. The access is not based on the user who is running the executable file. This special permission allows a user to access files and directories that are normally available only to the owner.
setgid Permission: The setgid permission is similar to the setuid permission. The process's effective group ID (GID) is changed to the group that owns the file, and a user is granted access based on the permissions that are granted to that group. The /usr/bin/mail command has setgid permission.
Sticky Bit: The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted only by the file owner, the directory owner, or by a privileged user. The root user and the Primary Administrator role are examples of privileged users.
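Added example (not from the lecture): decode the special bits from a four-digit octal mode, set them on scratch files to see how stat and ls render them, and run a scoped version of the inventory an administrator keeps of setuid/setgid programs (find with -perm -4000 and -perm -2000), since every such program is code that runs with someone else's identity. It assumes GNU coreutils and findutils; the scratch files are empty, so nothing executable is created.

```shell
#!/bin/sh
# Added example (not from the lecture): decode the special bits of a
# four-digit octal mode, show how the kernel renders them on scratch files,
# and count setuid/setgid files under a directory the way an audit does.
# GNU coreutils (stat, mktemp) and findutils assumed.
set -eu

mode_of() { stat -c '%a' "$1"; }

# special_bits <octal mode> -> "setuid", "setgid", "sticky", a combination
# separated by spaces, or "none". Leading digit: 4=setuid, 2=setgid, 1=sticky.
special_bits() {
    m=$((0$1))
    out=''
    if [ $((m & 04000)) -ne 0 ]; then out="${out}setuid "; fi
    if [ $((m & 02000)) -ne 0 ]; then out="${out}setgid "; fi
    if [ $((m & 01000)) -ne 0 ]; then out="${out}sticky "; fi
    if [ -z "$out" ]; then out='none '; fi
    printf '%s\n' "${out% }"
}

# scratch_special_modes -> "<setuid file> <setgid file> <sticky dir>" as
# octal, followed by the three stat -c %A strings. ls/stat show the bit in
# the x column: s or t when x is also set, S or T when it is not.
scratch_special_modes() {
    d=$(mktemp -d)
    : > "$d/su"; chmod 644 "$d/su"; chmod u+s "$d/su"
    : > "$d/sg"; chmod 755 "$d/sg"; chmod g+s "$d/sg"
    mkdir "$d/shared"; chmod 777 "$d/shared"; chmod +t "$d/shared"
    printf '%s %s %s %s %s %s\n' \
        "$(mode_of "$d/su")" "$(mode_of "$d/sg")" "$(mode_of "$d/shared")" \
        "$(stat -c '%A' "$d/su")" "$(stat -c '%A' "$d/sg")" "$(stat -c '%A' "$d/shared")"
    rm -rf "$d"
}

# count_setxid <dir> -> number of regular files under <dir> with setuid or
# setgid set (the `find / -perm -4000 -o -perm -2000` audit, scoped to a tree).
count_setxid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | wc -l | tr -d ' '
}

# audit_scratch -> setxid count in a scratch tree holding one setuid file,
# one setgid file and one ordinary file (expected: 2).
audit_scratch() {
    d=$(mktemp -d)
    : > "$d/a"; chmod 4755 "$d/a"
    : > "$d/b"; chmod 2755 "$d/b"
    : > "$d/c"; chmod 755 "$d/c"
    count_setxid "$d"
    rm -rf "$d"
}

main() {
    for m in 4755 2755 1777 6755 755; do
        printf '%s -> %s\n' "$m" "$(special_bits "$m")"
    done
    printf 'scratch (setuid file, setgid file, sticky dir): %s\n' "$(scratch_special_modes)"
    printf 'setxid files in scratch audit tree: %s\n' "$(audit_scratch)"
}
main
```

The setuid file in the scratch run reads -rwSr--r-- rather than -rwsr--r-- because it has no execute bit: a capital S or T in a listing means the special bit is set but the underlying x is not, which is usually a mistake worth flagging. To run the real inventory, point count_setxid (or the find line inside it) at / and compare the list against the distribution's expected set, such as /usr/bin/passwd, /usr/bin/chfn and /usr/bin/chage named on the slide.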

Permissions Lab
1. Login as root and create three users tariq, khan and jamil and assign them passwords.
2. Login as khan and create a directory ~/dir1 and a file ~/dir1/file1 and check its permissions.
3. Login as tariq or jamil and try to access the home directory of khan. What happens?
4. Login as khan and create a directory /tmp/dir1 and a file /tmp/dir1/file1 and check its permissions.
5. Login as tariq or jamil and try to access the dir1 just created by khan. See what happens.

Permissions Lab (cont..)
6. Login as root and create two groups sales and mkt. Make tariq's primary group sales. Make khan's primary group sales and khan's secondary group mkt. Make jamil's primary group mkt. Confirm using the id command.
7. Login as khan and change permissions on /tmp/dir1/file1 so that the owner can read and write the file, group members can only read the file and others can do nothing. (Remember only root or the owner of a file can change a file's permissions.)
8. Login as tariq or jamil and try to access /tmp/dir1/file1. What happens? Check the ownership of /tmp/dir1/file1: it is owned by user khan and the group khan. So it can be accessed only by user khan and users who are members of group khan.

Permissions Lab (Cont..)
9. Login as root or khan and change the group ownership of /tmp/dir1/file1. Let its owner remain khan and change the group to sales using the chmod command.
10. Login as tariq and try changing the contents of /tmp/dir1/file1. Since group permissions apply to tariq, he can now read as well as write to /tmp/dir1/file1.
11. Login as jamil and try changing the contents of /tmp/dir1/file1. Since others permissions apply to jamil, he cannot read or write to /tmp/dir1/file1.
12. Login as root and make sales a secondary group of jamil. Then login as jamil and again try accessing /tmp/dir1/file1. Success.
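The lab needs root and three real accounts, so here is an added dry run (not part of the lecture) that works the access questions of steps 7 to 12 on constructed /etc/passwd and /etc/group style records, using the rule from "Displaying Permissions (cont..)": match the owner first, then the group, otherwise fall back to the other class. It also shows how the Users/Groups section's two files combine to give a user's group list (primary GID from passwd, secondary membership from group). Nothing in it touches the real system; the users, GIDs and tables are made up for the walk-through. Group ownership in step 9 is changed with chgrp (or chown) on a real system.

```shell
#!/bin/sh
# Added example (not from the lecture): a dry run of the lab's access
# questions on constructed passwd/group records. Owner is matched first,
# then group membership, else the "other" class applies. All names, GIDs
# and tables are constructed for the walk-through.
set -eu

# Constructed passwd records after step 6: tariq and khan have sales
# (GID 1002) as primary group, jamil has mkt (GID 1003). Khan's original
# private group is GID 1004; the file from step 4 still carries it.
PASSWD='root:x:0:0:root:/root:/bin/bash
tariq:x:1001:1002::/home/tariq:/bin/bash
khan:x:1002:1002::/home/khan:/bin/bash
jamil:x:1003:1003::/home/jamil:/bin/bash'

# Constructed group records after step 6 (khan is secondary in mkt) ...
GROUP_STEP6='root:x:0:
sales:x:1002:
mkt:x:1003:khan
khan:x:1004:'

# ... and after step 12 (jamil added to sales as a secondary group).
GROUP_STEP12='root:x:0:
sales:x:1002:jamil
mkt:x:1003:khan
khan:x:1004:'

GROUP=$GROUP_STEP6

# groups_of <user> -> space-separated list: primary group (via the GID in
# passwd) plus every group whose member list names the user.
groups_of() {
    gid=$(printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP" | awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { out = out sep $1; sep = " "; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) { out = out sep $1; sep = " " } }
        END { print out }'
}

# in_group <user> <group> -> exit 0 if the user belongs to the group
in_group() {
    for g in $(groups_of "$1"); do
        if [ "$g" = "$2" ]; then return 0; fi
    done
    return 1
}

# perm_class <file-owner> <file-group> <user> -> user | group | other
perm_class() {
    if [ "$3" = "$1" ]; then
        echo user
    elif in_group "$3" "$2"; then
        echo group
    else
        echo other
    fi
}

# access_check <file-owner> <file-group> <rwxrwxrwx> <user>
# -> "<class> <rwx bits that apply to the user>"
access_check() {
    class=$(perm_class "$1" "$2" "$4")
    case $class in
        user)  bits=$(printf '%s' "$3" | cut -c1-3) ;;
        group) bits=$(printf '%s' "$3" | cut -c4-6) ;;
        other) bits=$(printf '%s' "$3" | cut -c7-9) ;;
    esac
    printf '%s %s\n' "$class" "$bits"
}

main() {
    mode='rw-r-----'   # step 7: owner rw, group r, others nothing (640)
    printf 'groups: tariq=[%s] khan=[%s] jamil=[%s]\n' \
        "$(groups_of tariq)" "$(groups_of khan)" "$(groups_of jamil)"
    printf 'step 8  file khan:khan   tariq -> %s\n' "$(access_check khan khan "$mode" tariq)"
    printf 'step 8  file khan:khan   khan  -> %s\n' "$(access_check khan khan "$mode" khan)"
    printf 'step 10 file khan:sales  tariq -> %s\n' "$(access_check khan sales "$mode" tariq)"
    printf 'step 11 file khan:sales  jamil -> %s\n' "$(access_check khan sales "$mode" jamil)"
    GROUP=$GROUP_STEP12
    printf 'step 12 file khan:sales  jamil -> %s\n' "$(access_check khan sales "$mode" jamil)"
}
main
```

Two things the dry run makes visible. Khan is not listed in group khan at all after step 6, yet still gets rw-: the owner match is taken before group membership is even consulted, and only one class ever applies. And with the mode set in step 7 the group class gets r-- only, so tariq in step 10 can read the file but a write attempt is refused; for the write the slide describes, the owner would also have to grant g+w.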

Things to do!
For a complete understanding, perform the questions in the sequence given in the slides (Permissions Lab).
You are required to submit the solution of these lab questions hand written. Execute all the commands on the console before writing the solution down. Good luck.
If you have problems, visit me in counseling hours.