Friday, August 5, 2011
5:39 AM

Users & Groups


The concept of users and groups is one of the most important things to keep in mind. A Linux system is organized as a collection of files and a number of users who make use of those files. Files come in many types, i.e. executables, binary files, directories, modules, scripts, sockets and so on. Users, on the other hand, may be broadly divided into two categories: human users and system users. By default, a Linux system relies on Discretionary Access Control (DAC) to define which user (human or process) can do what.
Users & Groups
Every Linux system has two kinds of users: local users (humans) and system users (daemons or processes). Local users can again be divided into two categories: privileged (also known as the super-user) and non-privileged. Most user information is stored in the file /etc/passwd; the /etc/shadow file contains the encrypted passwords of local users.
The super-user (commonly root) is the only user for whom the DAC permissions do not apply. The root user is able to read, write and execute almost any file, even without explicit permission to do so.
Both local users and daemons are treated as users by the Linux operating system, and each daemon has an entry in /etc/passwd. However, daemons are not given login shells, for security reasons: malicious software could cause massive damage to the system if it gained access to a shell.
Each user is assigned a user ID (UID), which is the most important attribute of a user. Instead of referencing a user by name, the system uses the UID to identify the user. Typically, the root user has UID 0. UIDs 1-499 are reserved for daemons or system users, and local users are given UIDs from 500 onward. However, any UID that is not already in use may be assigned to a user.
To make large numbers of users easier to manage, most administrators organize users into groups. A group is a collection of users. By default, when a user is created, the user is placed in a group whose name is the same as the username; this group is known as the primary group of the user. Separate groups can also be created and users added to them; these are known as secondary groups for the users in them. All group information is stored in the /etc/group file.
Similarly, the Linux system assigns a group ID (GID) to each group. Instead of referencing a group by its name, the system identifies a group by its GID.
File Permissions
There is a saying that everything in Linux is a file. The ls -l command displays detailed information about the attributes of a file. For example, ls -l filename displays the following:
-rw-r--r-- 1 root root 1024 Feb 12 00:10 filename
The following information can be obtained from the above example-
Read, Write & Execute
Read, write and execute permissions are displayed in a 10-character string. The first character denotes the type of the file. The remaining nine characters are divided into three blocks: one for the owner, one for the group and one for all others (often referred to as world permissions). Read, write, execute and no permission are expressed as r, w, x and - respectively. File permissions can be changed by the owner of the file and by the root user.
Because each of the three flags in an rwx block is either set or not, a block can be read as a three-digit binary number, and permissions are therefore also expressed in octal, since one octal digit can represent every combination of three binary values. The assigned values are r=4, w=2 and x=1, and these values are added together to set the desired permission. For example, a permission of 750 means rwx for the owner, r-x for the group and none for all others.
Read and write permissions are self-explanatory. Execute permission is needed to run an executable program; not even root can run a program if this permission is not set on the file. Some files, for instance directories, have execute permission by default. Execute permission is only meaningful on files that were created to be executed, such as a shell script, a Perl script or a compiled C program.
Number of Links
The second field denotes the number of hard/soft links that the file has. Linux filesystems are organized around numbers known as inode numbers, and every file in the system is accessed by its inode number rather than by its filename. Two separate filenames with the same inode number indicate that the system sees both as one file, and editing one changes the other. Such files are called link files.
Owner
The owner is the user account that owns a file. Typically, the owner is the creator of the file. A file may have only one owner, and only root is able to change the owner of a file.
Group
The group of a file allows all users within that group to have specific permissions on the file. This is useful when a file is accessed by many users; for example, a file belonging to the Accounts group should be accessible to all members of the Accounts group.
File Size
Denotes the size of the file in bytes.
Last Modified Time
This field shows the creation time of the file. If the file is more than one year old, the time is replaced by the year of creation. However, the exact creation time can still be retrieved for an old file.
Filename
The final field shows the name of the file.
Permission Manipulation
Initial permission   Permission   Octal value   Command                   Resulting permission
rwxr-xr--            Read         4             chmod 400 fileName        r--------
rwxr-xr-x            Write        2             chmod 222 directoryName   -w--w--w-
rw-r--r--            Execute      1             chmod 555 fileName        r-xr-xr-x
rw-r--r--            All (rwx)    7             chmod 777 fileName        rwxrwxrwx
Table: Permission Manipulation

Depending on needs, some additional permissions may be assigned to files. These permissions are-
SUID
If SUID is set on a file, the file is executed with the privileges of the owner of the file rather than those of the user executing it. This is useful when certain daemons need to run with root privileges to get access to certain system elements. SUID is denoted by an s in the execute position of the owner block of a file permission. For example, rwsr--r-- means that SUID is set on the file, i.e. the file runs as the owner of the file instead of the user executing it. SUID has an octal value of 4.
SGID
SGID is used so that files created in a certain directory automatically inherit the group ownership of the directory instead of the primary group of the user creating the file. This is useful when files need to be shared between users in the same secondary group. SGID is expressed by an s in the execute position of the group block of a file permission. For example, rw-r-sr-- means that SGID is set on the directory, i.e. all files created in the directory automatically get the same group as the directory. The octal value of SGID is 2.
Sticky Bit
The meaning of the sticky bit has changed a lot since the beginning of Unix. On present-day Linux systems, the sticky bit is used to deny deletion of a file by any user except the user who created it, i.e. the owner of the file. Normally, any user who has write permission on a directory is able to alter or even erase a file in it without owning that file; but if the sticky bit is set on the directory, only the owner of a file is able to delete it. The sticky bit is denoted by a t in the execute position of the others block of a file permission. For example, rw-r--r-t means that the sticky bit is set on the file or directory, i.e. files can be removed only by their owners. The octal value of the sticky bit is 1.
Special Permission Manipulation
The following table illustrates manipulation of special permissions for a file or directory.
Initial permission   Special permission        Octal value   Command                    Resulting permission
rwxr-xr--            SUID                      4             chmod 4755 fileName        rwsr-xr-x
rwxr-xr-x            SGID                      2             chmod 2755 directoryName   rwxr-sr-x
rw-r--r--            Sticky bit                1             chmod 1644 fileName        rw-r--r-t
rw-r--r--            All special permissions   7             chmod 7644 fileName        rwsr-sr-t
Table: Special Permission Manipulation
Umask Value
Whenever a file or directory is created, it has some default permissions. The default owner is the user who created the file, and the default group is the primary group of the owner. These default permissions are customizable: they are set by the user mask (umask) value. The umask command takes an octal value that is subtracted from the 777 permissions for directories and the 666 permissions for files.
The default umask value is 022. This gives directories a default permission of 755 (rwxr-xr-x) and files a default permission of 644 (rw-r--r--). The default umask value, again, can be modified. Typically, /etc/profile contains the default umask value, but changes there might not actually have an effect, because the value may be overridden at other points, such as in a user's own configuration files. Nonetheless, setting it in /etc/profile is a useful way of establishing a default system policy.
It should be mentioned here that umask is not a simple subtraction from 777 or 666; it is a bit-wise removal. Any bit that is set in the umask value is removed from the final permission of a new file, but a bit that is already clear, such as the execute bit in a file's default of 666, is not affected by the umask. A umask value of 7 corresponds to the binary value 111. For example, if a block has the value rw- (110 in binary), a umask of 7 (111 in binary) clears the 1 bits and does not affect the 0 bit; the result is 000 in binary, i.e. --- permission.
Typically, umask accepts octal values as input. However, umask can also take symbolic input. The following commands can be used for manipulating umask-
Command                   Output
# umask                   Shows the umask value in numeric form
# umask -S                Shows the umask value in symbolic form
# umask 000               Sets a new umask value of 000
# umask u=rwx,g=rx,o=rx   Sets the umask value to 022 (the default)
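The bit-wise removal described above and the symbolic form accepted by umask, as an added example (not from the original post): apply_umask computes the mode a new file or directory gets the way the kernel does (mode & ~umask), subtract_umask shows the naive subtraction the text warns against going wrong once a umask digit exceeds the mode digit, and symbolic_to_umask turns the umask -S style u=rwx,g=rx,o=rx (the bits to keep) into the octal mask. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. All mode/mask arguments are
# octal strings as typed on the chmod/umask command line, e.g. 666 and 027.

# The kernel's rule: clear every bit that is set in the umask.
apply_umask() {
    mode=$(printf '%d' "0$1"); mask=$(printf '%d' "0$2")   # leading 0 = octal
    printf '%03o\n' $(( mode & ~mask ))
}

# Digit-wise subtraction, which is only right while every umask digit is
# <= the matching mode digit. Leading zeros are stripped so the shell does
# not read the arguments as octal constants.
subtract_umask() {
    printf '%03d\n' $(( ${1#0} - ${2#0} ))
}

# Convert the symbolic "keep" form printed by umask -S (u=rwx,g=rx,o=rx)
# into the octal mask: the mask is the complement of the kept bits within
# the nine permission bits (511 = 0777).
symbolic_to_umask() {
    keep=0
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs      # split on commas
    for part in "$@"; do
        who=${part%%=*}; perms=${part#*=}; v=0
        case $perms in *r*) v=$((v | 4)) ;; esac
        case $perms in *w*) v=$((v | 2)) ;; esac
        case $perms in *x*) v=$((v | 1)) ;; esac
        case $who in
            u) keep=$((keep | (v << 6))) ;;
            g) keep=$((keep | (v << 3))) ;;
            o) keep=$((keep | v)) ;;
        esac
    done
    printf '%03o\n' $(( ~keep & 511 ))
}

# Constructed inputs: the default 022, two stricter masks and the text's umask 7.
for m in 022 027 077 7; do
    printf 'umask %-3s: dir 777 -> %s, file 666 -> %s (subtraction would give %s)\n' \
        "$m" "$(apply_umask 777 "$m")" "$(apply_umask 666 "$m")" "$(subtract_umask 666 "$m")"
done
printf 'umask -S u=rwx,g=rx,o=rx corresponds to umask %s\n' "$(symbolic_to_umask u=rwx,g=rx,o=rx)"
```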
