Unix and Linux

Previous page
Table of content
Next page

Under Unix and Linux, users will fall into one of the three following camps:

  • User

  • Group

  • Superuser

Every user on a Unix system must be identified by a username, just as in all Windows operating systems, as well as NetWare. The user also can belong to one or more groups, one of which is considered to be the user's primary group. User groups provide a method for assigning access permissions to directories and files based on groups of users with similar needs. Finally, there is a special user called a superuser, whose capabilities on the system are superior to those of ordinary users.

The superuser or root user account is all powerful. The root account, as it is usually called, is represented by the user ID (UID) of zero. This UID can access any file on a local file system and can access information about any process on the system. Some functions that only the superuser can perform on most Unix systems include these:

  • Mount or unmount a file system

  • Create device special files

  • Change another user's password

  • Change the date or time on the system clock

  • Modify the local network interfaces

  • Shut down the system

In Windows it was possible to choose from a large number of specific rights to assign to a user or a group so that different users could perform functions requiring different degrees of access. In the Unix environment, the root user account is the one that possesses the super-powers, so to speak, and to perform these functions you must log in as or become the root user.

File permissions are assigned to each file or directory in the following three categories:

  • Owner permissions

  • Group permissions

  • Other permissions

The first category defines permissions that apply to the owner of the file. Group permissions apply to users who are in a group to which the file belongs. The last category is the permissions that will be applied to all other users who try to access the file. The access permissions that can be granted to each of these categories are as listed here:

  • Read This permission enables the user to read the contents of the file. When applied to a directory, this permission enables the user to list the files stored in the directory along with their attributes.

  • Write This permission enables the user to change the contents of the file. This right enables a user to add or delete files in a directory.

  • Execute For a program file, this right enables the user to execute, or run, the program. For a directory, this right enables the user to access the directory.

Viewing File Permissions

The ls command can be used to show a listing of files along with information about the permissions applied to the files. There are many command-line parameters you can use with this command, but the simple usage shown here is sufficient to view the ownership and permission information about a file:

ls -l /usr/bin/two dr-xr-xr-x  1 two biz        0 Jul 12 2001 html dr-xr-xr-x  1 two biz        0 Feb 13 2001 invoices -r-xr-xr-x  1 two biz      1624 Jun 20 2001 notices.txt -r-xr-xr-x  1 two biz      1624 Jun 20 2001 appt.dat


The first entry in the directory listing shows a directory file named html. You can tell it is a directory because the first character on the line is a d. The next file is also a directory, named invoices. Both of these directories are owned by the user listed in the third column, two. The group the file belongs to is found in the next column and, in these examples, is biz for all entries. The remaining items on each line show the size and date of the file and its name. Note that Unix is case sensitive when it comes to filenames. Keep this in mind when using the ls command with wildcards when hoping to locate a file.

In this listing, the first thing you notice on each line is a string of letters separated by dashes. This string contains the access permissions for the entry. It is sometimes called the permissions array. This is followed by other information, separated into columns. Each line represents either a directory or a file in the current directory. The permissions array can be easily deciphered. The first character indicates whether the file is a directory (d) or a user file (-), and the remaining three groups of letters indicate the access permissions for the file's or directory's owner, the file's group, and then a group called "other."

Note that the dashes in the permissions array are not separators. Each position in the array is a fixed place that can either contain a permission for the file or directory or represent the absence of the permission, using the dash (hyphen) character. In the previous listing this means that the owner, group, and world permissions for each of the directories and files listed is Read and Execute (r-x).

Granting permissions to "other" gives the permission to all users on the system. It is important to remember that, in Unix, if you grant access using the world permissions fields, denying access by owner or group fields will not work. Thus, use the world access permissions on files to set values that you would like to apply to all users. For example, if all users will be allowed to read the file, set the Read permission in the world permissions. Use the owner and group fields to grant more restricted access to smaller groups of users.

SUID and SGID File Permissions

In addition to the ordinary permissions that exist to control which users can access a file or directory, two other permissions are used on Unix and Linux systems to give special privileges to executable files. These are called the Set User ID (SUID) and Set Group ID (SGID) permissions. When an executable image is run that has the SUID permission set on it, the image will take on the permissions that are equivalent to those of the owner of the executable file.

The permissions available to a user can also be acquired from group membership. When an executable image is run, it usually runs under the permissions of the user who executes the file and the permissions available to the group to which the user belongs. When the SGID permission is set on an executable, it will inherit permissions from the group of the owner of the file and not the permissions of the user who executes the file.

These two permissions can be very useful. There are times when it is necessary to run a program that must have more access rights than the user who is executing the program. For example, when a user needs to change his password, he needs to be able to make edits to the password file. Because this file is normally protected against writing by most ordinary users, the program that changes your password can get the necessary permission to modify the file. This is a simple example of a process that occurs at many levels in an operating system. Other programs use permissions elevated above the ordinary user to accomplish such tasks as managing print queues and allowing basic system management tasks.

When used on a directory instead of a file, the SUID permission, placed in the group field, indicates that all files created in the directory will take on the ownership of the group that owns the directory.

You can tell from a directory listing (using the ls command) whether the SUID or SGID permission has been set for a file. In the permissions array, the letter S will appear in the position normally used to indicate the owner's execute access. If the S character is lowercase, the Execute permission for the owner is not set. If it is an uppercase S, the Execute permission is also set for the owner.

In a directory file the s character will appear in the character position that normally indicates a group's execute access.

Using the chmod and chown Commands

When moving files around on the network, it frequently is necessary to change their ownership or the access permissions so that a new set of users can gain the appropriate access. For example, when a user leaves a company, it is usually customary for someone else to take over managing files and important directories for which the user had been responsible. The two commands you can use to modify ownership and access for files are the chmod (change permission mode) and chown (change owner) commands.

The chown command is a simple one. If you are the owner of a file or if you are the superuser, you can use this command to assign a new owner and/or group to a file. The basic syntax is

chown [ -fhR ] owner [ : group ] file ...


Here, owner is the new user or group ID that will be assigned to the file or files represented by file.... The -f parameter suppresses error reporting. The -h parameter is used to cause an ownership change to be effective on a symbolic link to a file instead of the actual file the link references. Without this parameter, the ownership is changed on the actual file that is referenced by the symbolic link. The -R parameter causes the command to operate recursively, changing the owner ID for files and subdirectories under the current specification.

You can use chown to easily change the ownership of one or more directories when a new user takes responsibility for them. The chmod command can be used by users and administrators to change the access permissions on files or directories.

The chmod command can be used to change access permissions for the owner, group, or others by specifying the rights by either a numeric or a character format. The numeric format for the chmod command specifies rights as a numeric value, totaling each right as described in the following list:

  • 0 No access

  • 1 Execute file (or search a directory)

  • 2 Write

  • 4 Read

Using this format, you would change the access permissions on a file in a manner similar to this:

chmod 666 myfile1 chmod 664 myfile2 chmod 640 myfile3


Here the filename myfile1 has its access permissions set to Read + Write (4 + 2 = 6) for the owner, group, and world fields. The file myfile2 is set to Read + Write for the owner and group fields, but to only Read (4) for the other or world field. Finally, myfile3 is set to give the owner Read and Write permissions. The group permission is set to Read only and the other field is set to No Access (0).

Using the other syntax format for the chmod command enables you to change the permission fields without having to memorize numerical values. Instead, you use the letters r (read), w (write), and x (execute) to specify the permissions, and the letters u (user), g (group), o (other), or a (all, indicates user, group, and other) to specify the user field for which a permission will be modified. For example:

chmod u+rw myfile1 chmod g+rwx myfile1 chmod o+rw myfile1


Here it is easy to see that the user field (user owner, group, or other) is appended to the letter identifying a right (rw, rwx) by the plus sign. This indicates that the right is to be added to the user field indicated for the file myfile1. To remove a right using chmod, use the minus sign:

chmod g-x personalfile chmod o-w specialfile


Here the command is used to remove the Execute right from the group for the file named personalfile. For the file named specialfile, the owner has used chmod to remove his own right to write to the file. This is not done for security purposes, but because the owner wants to be sure he doesn't alter the contents of the file by mistake. Because he is the owner, he can always set the mode back to write if it becomes necessary.

Using the su Command

To perform some important system management tasks on a Unix or Linux system, only the privileges granted to the root account can be used. Although it would be easy to let multiple system administrators log in to the root account to perform administrative functions, this is not a very good thing to do from the viewpoint of security. If only one account is used, it is difficult to construct an audit trail to determine which administrator performed a specific function.

To get over this limitation, the su command enables you to log in using your normal user account and then become the root user or another user. The log file /var/adm/sulog tracks attempts to become another user using the su command, and so an audit trail is kept to help when troubleshooting. You can use the su command by itself to become the root superuser, or you can use it in the form of su username to become another user. In all cases you will be prompted for the password for the user account you want to become, unless you are already logged in to the root account.

The power held by the password to a root account can be seen by how it can be used with this command. As a standard security matter, you should regularly review the /var/adm/sulog log file to keep track of how the command is being used.



Previous page
Table of content
Next page
Upgrading and Repairing Networks
Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
EAN: 2147483647
Year: 2006
Pages: 411
Authors: Scott Mueller, Terry William Ogletree, Mark Edward Soper
BUY ON AMAZON
Cisco IP Communications Express: CallManager Express with Cisco Unity Express
Professional Struts Applications: Building Web Sites with Struts ObjectRelational Bridge, Lucene, and Velocity (Experts Voice)
AutoCAD 2005 and AutoCAD LT 2005. No Experience Required
Java Concurrency in Practice
Extending and Embedding PHP
Python Standard Library (Nutshell Handbooks) with
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy