Summer 2015 SILICON VALLEY UNIVERSITY CONFIDENTIAL
Introduction to UNIX / Linux - 4
Dr. Jerry Shiao, Silicon Valley University
Introduction UNIX/Linux Course
Section 4: The UNIX File System
File Types and Representation.
File Attributes.
File Organization and Management.
File Storage in the UNIX File System.
File Commands and Primitives.
The UNIX File Security
File Protection From Unauthorized Access: User Login. Encrypt File. User Access Privileges.
File and Directory Access Privileges. Special Access Bits.
Copyright @2005 Pearson Addison-Wesley.
The UNIX File System: UNIX File Concept
A file is a sequence of bytes. Everything (network card, disk drive, keyboard, file, directory) can be treated as a file. Meaning is attached to the file's contents by the application that uses/processes the file.
Types of Files:
Simple/ordinary file
Directory
Symbolic (soft) link
Special (device) files: block special files and character special files
Named pipe (FIFO)
Socket
The UNIX File System: Simple / Ordinary Files
Store information and data on a secondary storage device.
File Extensions: meanings are attached to a file's content by the application that uses/processes the file. The compiler expects the ".c" extension, the Web browser expects the ".html" extension, the loader expects the ".o" extension.
The UNIX File System: Directory
A directory is an array of entries, each holding a file/directory name and an Inode number.
Inode (Index Node) Number: index into an array on disk. Each disk array entry holds the file's attributes; there is an Inode for every file in UNIX.
Inode Table: table of Inodes in memory for all open files. The file's Inode is copied from disk into the Inode Table, so file attributes are accessed from memory, not from disk.
The UNIX File System: Link File
Created when a symbolic link is created to an existing file. Allows sharing a file without duplicating it; an alias of the existing file.
Device File: a Special File is the means of accessing hardware devices. Each hardware device is associated with at least one Special File. To access a hardware device, applications access its Device File in the /dev directory with file operations (i.e. open/read/write).
Character Device File: character-oriented devices for streaming data (i.e. keyboard, mice, console connection, virtual terminals).
Block Device File: block-oriented devices for data movement in blocks (i.e. disks, CD-ROM, flash drives).
Pseudo Device File: simulates a physical device. Access UNIX via the network or a virtual terminal in the X Window System.
Device Files
Name          Type   Major  Minor  Description
/dev/fd0      Block  2      0      Floppy disk
/dev/hda      Block  3      0      First IDE disk
/dev/hda2     Block  3      2      Second primary partition of first IDE disk
/dev/hdb      Block  3      64     Second IDE disk
/dev/hdb3     Block  3      67     Third primary partition of second IDE disk
/dev/ttyp0    Char   3      0      Terminal
/dev/console  Char   5      1      Console
/dev/lp1      Char   6      1      Parallel printer
/dev/ttyS0    Char   4      64     First serial port
/dev/rtc      Char   10     135    Real-time clock
/dev/null     Char   1      3      Null device
Not all device files are real hardware devices. Pseudo devices (fictitious logical devices) are /dev/null, /dev/zero.
Virtual File System (VFS)
To give the user an abstraction (i.e. "black box" operation), VFS provides a common API to the user through the glibc library and a common callback function signature for the I/O functions.
An Inode represents an object in the file system with a unique identifier (the filename is translated to it).
The struct file_operations abstraction (i.e. read/write/open) gives all I/O operations a common interface. The indirect calls (i.e. callback functions) are the APIs specific to each file system.
The UNIX File System: InterProcess Communication Mechanisms
Pipes, Named Pipes (FIFO), and Sockets.
Pipe: two related processes communicate with each other on the same system. UNIX auto-creates stdin, stdout and stderr, tied to the terminal: stdin = keyboard, stdout/stderr = console.
A pipe allows the output (stdout) of a command (process) to be sent to the input (stdin) of another command (process).
Does not use disk; implemented in main memory.
Named Pipe (FIFO): a file of type Named Pipe. A process reading the FIFO blocks waiting for data. Lets two unrelated, independently executing processes communicate with each other on the same system.
The UNIX File System: Socket
InterProcess Communication through a Socket. A socket is established on both hosts. Client / Server Model: the client connects to the server to request information. The two processes communicate with the same socket type and in the same domain.
UNIX Domain: communicate through a common File System on the same host. Address: character string (an entry in the File System). Address Family: AF_UNIX.
Internet Domain: communicate through the Internet on different hosts. Address: Internet Protocol (IP) address of the host and a port number. Address Family: AF_INET.
The UNIX File System: Socket
Client Side Socket: System Calls
1) socket(): Create a socket.
2) connect(): Connect the socket to the address of the server.
   AF_INET: port number on the host machine.
   AF_UNIX: character string (file).
3) read(): Receive data.
4) write(): Send data.
Server Side Socket: System Calls
1) socket(): Create a socket.
2) bind(): Bind the socket to an address.
   AF_INET: port number on the host machine.
   AF_UNIX: character string (file).
3) listen(): Listen for connections.
4) accept(): Accept a connection.
5) read(): Receive data.
6) write(): Send data.
The UNIX File System: File System Structure
Issues: how are files organized from the user's view, stored on disk, manipulated, and protected with permissions?
Structured Hierarchy: an upside-down tree whose base is the root directory, "/".
A pathname is specified in three ways: Absolute Path (starting at "/"); Relative to the Present Working Directory; Relative to the User's Home Directory.
The UNIX File System: File System Structure: Pathnames, Absolute and Relative
Absolute pathname, starting from root: cd /home/sau/buildArmLinux
Relative pathname, starting at the Present Working Directory: cd buildArmLinux
Relative pathname, starting at "~" (tilde), the Home Directory: cd ~/buildArmLinux, or simply cd ~
The UNIX File System: File System Structure: Home and Present Working Directories
$HOME, ~ (tilde): the User's Home Directory. Configured when the user account is created.
. (dot), pwd: the Present Working Directory, the point from which a Relative Pathname is derived. At login the Present Working Directory is the User's Home Directory. ./<filename>: a file in the Present Working Directory.
.. (dot dot): the parent directory of the Present Working Directory. ../<filename>: a file in the parent directory.
The UNIX File System: File System Structure: Executing Commands
$ <filename>: finds <filename> in $PATH or as a Shell built-in.
$ ./<filename>: finds <filename> in the CWD.
$ /home/sau/<filename>: finds <filename> in the path preceding <filename>.
Executing Shell Scripts
$ <script>: finds <script> in $PATH, uses "#!/bin/sh" as the Shell interpreter.
$ ./<script>: finds <script> in the CWD, uses "#!/bin/sh" as the Shell interpreter.
$ source <script>: finds <script> in the CWD, ignores "#!/bin/sh" and uses the current Shell interpreter.
$ . <script>: same as "source <script>".
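The difference between "./<script>" and ". <script>" is easiest to see by running the same script both ways. This is an added example, not code from the slides; it assumes a writable ${TMPDIR:-/tmp} and that /bin/sh exists.

```shell
#!/bin/sh
# Added example (not from the slides): a script run as ./script executes in
# a child process, so the variables it sets and the directory it changes to
# vanish when it exits; the same script sourced with ". script" runs inside
# the current shell and changes its state. Assumes a writable ${TMPDIR:-/tmp}.

# Create a scratch directory holding a small script and print its path.
make_script() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/srcdemo.XXXXXX")
    cat > "$scratch/setenv.sh" <<'EOF'
#!/bin/sh
DEMO_VAR=set_by_script
cd /
EOF
    chmod 755 "$scratch/setenv.sh"
    printf '%s\n' "$scratch"
}

# Run the script as ./setenv.sh from its directory: the "#!/bin/sh" line
# picks the interpreter, a child process runs it, nothing leaks back to us.
run_child() {
    unset DEMO_VAR
    ( cd "$1" && ./setenv.sh )
    printf '%s\n' "${DEMO_VAR:-unset}"
}

# Source the same script: the "#!/bin/sh" line is ignored and the current
# shell executes it, so DEMO_VAR is now set and our directory moved to /.
run_sourced() {
    unset DEMO_VAR
    before=$(pwd)
    . "$1/setenv.sh"
    after=$(pwd)
    cd "$before"
    printf '%s %s\n' "${DEMO_VAR:-unset}" "$after"
}
```

The second behaviour is why sourcing a file you have not read is riskier than executing it: everything it does to variables, aliases and the working directory persists in your session.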
The UNIX File System: System Administration, Users and Groups
User accounts specify the user's Login Shell and Home Directory.
The UNIX File System: /etc/passwd and /etc/shadow
/etc/passwd:
. . .
sau:x:500:500:Simon Au:/home/sau:/bin/bash
student1:x:501:501:student1:/home/student1:/bin/bash
student2:x:502:502:student2:/home/student2:/bin/bash
claruspon:x:503:503:claruspon:/home/claruspon:/bin/bash
cs206student1:x:504:504:cs206student1:/user/cs206student1:/bin/bash
. . .
/etc/shadow:
. . .
sau:$1$xklKmTjR$7cOSRZv2IidNQgeUV/8UZ1:14930:0:99999:7:::
student1:$1$ElaqELFc$7/GVVYEG/YwKyVDxEyL7R.:15371:0:99999:7:::
student2:$1$BUXC1RaH$7aeZSMERxGSNLVRuH9CyX.:15598:0:99999:7:::
claruspon:$1$p9TJrbar$HO8iVTNieMTvGldXBJaZa1:15760:0:99999:7:::
cs206student1:$1$oyuB45f9$ceSvmEmF9s4vav3eqCPAA0:15979:0:99999:7:::
. . .
/etc/passwd holds the username to user ID and group ID mapping; the "x" in its password field means the password hash is kept in /etc/shadow.
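As an added example, not from the slides, the functions below read records in the /etc/passwd format shown above. The sample records are constructed for this example; since "x" in the second field means the hash lives in /etc/shadow, a record carrying anything else there, or a second account with UID 0, is what an administrator reviewing the file looks for.

```shell
#!/bin/sh
# Added example (not from the slides): parse /etc/passwd-format records
# (name:password:uid:gid:gecos:home:shell) and flag two things a reviewer
# checks for. The records below are constructed, not a real file.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sau:x:500:500:Simon Au:/home/sau:/bin/bash
student1:x:501:501:student1:/home/student1:/bin/bash
legacy:$1$abc$hashhere:502:502:legacy user:/home/legacy:/bin/sh
svc_admin:x:0:0:service account:/tmp:/bin/bash'

# Print "user uid gid shell" for every record read on stdin, or only for
# the user named in $1 when one is given.
passwd_fields() {
    awk -F: -v u="$1" '(u == "" || $1 == u) { print $1, $3, $4, $7 }'
}

# Flag records whose password field is not "x" (or a lock marker), i.e. a
# hash stored in the world-readable /etc/passwd instead of /etc/shadow,
# and any account other than root that has UID 0.
passwd_audit() {
    awk -F: '
        $2 != "x" && $2 != "*" && $2 != "!" { print "hash-in-passwd " $1 }
        $3 == 0 && $1 != "root"              { print "uid0 " $1 }
    '
}
```

Feed the real file with `passwd_audit < /etc/passwd` on a host you administer; an empty output is the expected result.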
Linux Directory Structure
(Figure: directory tree of /boot (vmlinux), /etc (inittab, fstab, passwd), /bin (mount, grep), /usr, /var (log), /dev (tty0), /mnt (cdrom), /home (student1), /proc (devices), /lib, /sbin (init).)
/boot – Linux bootup files (i.e. the Linux Kernel).
/etc – Linux system configuration files.
/etc/inittab – Processes started at bootup (i.e. Runlevel).
/etc/fstab – File systems and mount points.
/etc/passwd – Where users and user accounts are defined.
/bin – Linux system binaries (i.e. cat, cp, ls, mkdir, pwd, rm, rmdir).
/sbin/init – Process run during the boot process. System administration.
/usr/bin – Applications for the users.
/lib – The shared libraries for dynamically linked modules.
/var – Data that changes while the Linux system is running.
/var/log – Log files updated by the running Linux system.
/dev – Devices available to the Linux system. Devices are treated like files and can be read/written as files.
/mnt – Storage devices (i.e. hard disk, CD-ROMs) must be attached to some directory before they can be accessed. Those directories are the mount points.
/home – Each user has their own directory here; it is the only place normal users are allowed to write.
/proc – Special directory containing information about the kernel.
/proc/devices – List of devices configured into the current kernel.
The UNIX File System: File System Structure: Navigating the File System
Log on: the system places the user in the home directory.
Determining the Absolute Pathname of the Home Directory: echo [ string ]
string: "string" is sent to the console.
sau@buildbed-vm:~> echo $HOME
/home/sau
sau@buildbed-vm:~> echo $PWD
/home/sau
Browsing the File System
cd [ directory ]: change the Present Working Directory to the absolute or relative directory pathname.
ls [ options ] [ pathname-list ]
-F: Display "/" after directories, "*" after binaries, "@" after symbolic links.
-a: Display the names of all files, including hidden files.
-l: Display a long list, including permissions, owner, group, size, time.
pathname-list: List of files to display.
Browsing the File System
sau@buildbed-vm:~/class> cd $HOME/class
sau@buildbed-vm:~/class> pwd
/home/sau/class
sau@buildbed-vm:~/class> ls -F
file1 file2 file_dir/ power* power.c
sau@buildbed-vm:~/class> ls -a
. .. file1 file2 file_dir .hidden_file power power.c
sau@buildbed-vm:~/class> ls -l
total 28
-rw-r--r-- 1 sau users    10 2012-09-21 01:50 file1
-rw-r--r-- 1 sau users    11 2012-09-21 01:50 file2
drwxr-xr-x 2 sau users  4096 2012-10-01 18:08 file_dir
-rwxr-xr-x 1 sau users 10042 2012-09-21 01:37 power
-rw-r--r-- 1 sau users   288 2012-09-21 01:37 power.c
sau@buildbed-vm:~/class> ls -l .hidden_file
-rw-r--r-- 1 sau users 0 2012-10-01 18:10 .hidden_file
The UNIX File System: File System Structure
Summary of the "ls -l" Command (fields listed left to right).
The UNIX File System: File System Structure
Some Important Hidden Files and Their Purpose.
The UNIX File System: File System Structure: Creating and Removing Directories
mkdir [ options ] dirnames
dirnames: Create the "dirname" directories.
-m MODE: Create with the given access permissions.
-p: Create parent directories that do not exist in "dirname".
With /home/sau as the Current Working Directory:
mkdir -p usrdir1/usrdir1_1   (creates usrdir1/ and usrdir1/usrdir1_1/)
mkdir usrdir2/               (creates usrdir2/)
mkdir /tmp/tmp1              (creates /tmp/tmp1/)
The UNIX File System: File System Structure: Removing Directories
rmdir [ options ] dirnames
dirnames: Remove the "dirname" directories.
-p: Remove parent directories as well.
With /home/sau as the Current Working Directory:
rmdir -p usrdir1/usrdir1_1   (removes usrdir1/usrdir1_1/, then usrdir1/)
rmdir usrdir2/               (removes usrdir2/)
rmdir /tmp/tmp1              (removes /tmp/tmp1/)
File System Structure
File Attributes: Using the ls command
[student2@unknown001320aa6702 ~]$ ls
Desktop    Download   mbox   Pictures  Templates  Videos
Documents  link_mbox  Music  Public    testTools
[student2@unknown001320aa6702 ~]$ ls -a
.              .bashrc    Download  .gnome2_private    link_mbox  Pictures   .Trash
..             .config    .gconf    .gstreamer-0.10    mbox       Public     Videos
.bash_history  Desktop    .gconfd   .gtk-bookmarks     .metacity  .redhat    .viminfo
.bash_logout   .dmrc      .gnome    .gtkrc-1.2-gnome2  Music      Templates  .xsession-errors
.bash_profile  Documents  .gnome2   .ICEauthority      .nautilus  testTools  .zshrc
[student2@unknown001320aa6702 ~]$ ls -F
Desktop/    Download/   mbox    Pictures/  Templates/  Videos/
Documents/  link_mbox@  Music/  Public/    testTools*
[student2@unknown001320aa6702 ~]$ ls -l
total 592
drwxr-xr-x 2 student2 student2   4096 2012-09-14 18:26 Desktop
drwxr-xr-x 2 student2 student2   4096 2012-09-14 18:26 Documents
drwxr-xr-x 2 student2 student2   4096 2012-09-14 18:26 Download
lrwxrwxrwx 1 student2 student2      4 2013-10-02 01:47 link_mbox -> mbox
-rw------- 1 student2 student2    714 2012-09-23 14:26 mbox
. . .
-rwxr-xr-x 1 root     root     517659 2013-10-02 01:48 testTools
File Attributes: Using the ls command
$ ls -l
drwxr-xr-x 2 student2 student2 4096 2012-09-14 18:26 Desktop
Fields, left to right: file type and permissions, link count, owner, group, size in bytes, modification date and time, name.
The UNIX File System: File System Structure
File Content Type: file [ option ] file-list
-f FILE: Use FILE as the "file-list".
sau@buildbed-vm:~/class> file *
file1:      ASCII text
file1~:     ASCII text
file1_link: symbolic link to `file1'
file2:      ASCII text
file_dir:   directory
power:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.4, not stripped
power.c:    ASCII C program text
The UNIX File System: File Representation
Inode Table Entry: block number = disk sector.
Sector = disk no., cylinder no., track no., sector no.
File space is allocated in clusters of two, four, or eight 512-byte disk blocks.
The UNIX File System: File Representation
1) A directory contains an array of entries <inode #, filename>.
2) An entry is placed in the Inode Table in RAM when the file is opened.
3) Indexing into the Inode Table returns the Inode entry containing the block location of the file on disk.
The UNIX File System: Standard Files and File Descriptors
There is a File Descriptor for every open file in UNIX. Three Standard Files exist when a command is executed:
stdin (0): terminal keyboard. stdout (1): monitor screen. stderr (2): monitor screen.
Redirect operations: "<" input redirect; ">" output and error redirect.
Path from a File Descriptor to the data: File Descriptor -> File Descriptor Table -> Systemwide File Table -> Systemwide Inode Table -> File Contents On Disk.
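The three descriptors and the redirect operators above, exercised from a shell. This is an added example, not code from the slides; it assumes a writable ${TMPDIR:-/tmp} for the file-redirect part.

```shell
#!/bin/sh
# Added example (not from the slides): exercise the three standard file
# descriptors (0 = stdin, 1 = stdout, 2 = stderr) and the redirect operators.

# Write one line to stdout (fd 1) and one to stderr (fd 2).
emit() {
    echo "to-stdout"
    echo "to-stderr" >&2
}

# Keep only stdout: fd 2 is pointed at the null pseudo device.
only_stdout() { emit 2>/dev/null; }

# Keep only stderr. Redirections are applied left to right: "2>&1" first
# makes fd 2 a copy of fd 1 (the caller's pipe), and only then is fd 1
# itself sent to /dev/null, so the error line is what the caller receives.
only_stderr() { emit 2>&1 >/dev/null; }

# Send both streams to one file: fd 1 goes to the file first, then fd 2 is
# made a copy of it. Written the other way round ("2>&1 >file") the error
# line would miss the file. The line count is then read back with "<",
# which connects the file to wc's fd 0.
both_to_file() {
    emit >"$1" 2>&1
    wc -l <"$1" | tr -d ' '
}
```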
The UNIX File Security
A Time Sharing System allows multiple users access, so the shared hardware/software resources must be protected: storage devices, I/O devices, CPU, main memory.
File Protection From Unauthorized Access: UNIX provides three mechanisms to protect files: user login name and password; file encryption; access privileges for users.
The UNIX File Security: Password-Based Protection
A password can be discovered by: telling someone; guessing "weak" passwords; the brute force method.
Change Password:
sau@buildbed-vm:~> passwd
Changing password for sau.
Old Password:
New Password:
Bad password: it is based on a dictionary word
New Password:
Bad password: too simple
New Password:
Reenter New Password:
Password changed.
The UNIX File Security: Encryption-Based Protection
GNU Privacy Guard (gpg -c: symmetric encryption with a passphrase):
$ gpg -c minicom.log
Enter passphrase: <password>
Repeat passphrase: <password>
$ ls
… minicom.log.gpg …
$ gpg minicom.log.gpg
gpg: CAST5 encrypted data
Enter passphrase: <password>
gpg: WARNING: message was not integrity protected
The UNIX File Security: Encryption-Based Protection (GNU Privacy Guard with a key pair)
[student1@localhost ~]$ gpg --gen-key
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software …
…
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection?
…
What keysize do you want? (2048)
…
Please specify how long the key should be valid.
…
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N)
You need a user ID to identify your key; the software constructs the user ID …
Real name: Simon Au
Email address: [email protected]
Comment: Lecturer
You selected this USER-ID:
"Simon Au (Lecturer) <[email protected]>"
…
…
You need a Passphrase to protect your secret key.
…
gpg: /home/student1/.gnupg/trustdb.gpg: trustdb created
…
[student1@localhost ~]$ gpg --encrypt --recipient simon minicom.log
[student1@localhost ~]$ ls
…
envSetup.bash minicom.log.gpg test2
…
[student1@localhost ~]$ gpg --output minicom_3.log --decrypt minicom.log.gpg
You need a passphrase to unlock the secret key for
user: "Simon Au (Lecturer) <[email protected]>"
…
The UNIX File Security: Protection Based on Access Permission
Prevents users from accessing each other's files when not logged on as the file's owner.
The File Owner assigns access rights to files, dictating how other users can access them (i.e. Read, Write, Execute).
Without this protection scheme the UNIX file system is easy to access: it has a single root from which all files are derived, so users could access each other's files.
The UNIX File Security: Access Permission Protection: Types of Users
User (owner) : Group : Other. User: the owner of the file. Group: a group of users. Other: other users not in the group.
$ more /etc/group
…
root:x:0:
…
video:x:33:sau
users:x:100:
$ groups sau
sau : video users
$ groups root
root : root
$ more /etc/passwd
…
root:x:0:0:root:/root:/bin/bash
…
sau:x:1001:100:sau:/home/sau:/bin/bash
/etc/group fields: Group Name : Password : Group ID : Users
/etc/passwd fields: User Name : Password : User ID : Group ID : User Info : Home : Shell
The UNIX File Security: Access Permission Protection: Types of Users (Cont)
$ id sau
uid = 1001 (sau) gid = 100 (users) groups = 100 (users), 33 (video)
Primary Group: files created by the owner (sau) will carry the primary group.
Supplementary Group: access to additional resources (files).
Commands:
Add a new user with a primary ( -g ) or supplementary ( -G ) group:
useradd -G <group> <new user>
useradd -g <group> <new user>
Change an existing user's primary ( -g ) or supplementary ( -G ) group:
usermod -G <group> <existing user>
usermod -g <group> <existing user>
Note that usermod -G replaces the whole supplementary group list; to add a group while keeping the existing ones use usermod -aG <group> <existing user>.
The UNIX File Security: Types of Access Permissions
Read, Write, Execute. A file has nine permission bits: 3 for User, 3 for Group, 3 for Others.
3 bits for the file permission of each type. Example: User = 7 (Read / Write / Execute), Group = 4 (Read / NA / NA), Others = 4 (Read / NA / NA):
User    1 1 1
Group   1 0 0
Others  1 0 0
The UNIX File Security: Types of Access Permissions: View Access Permissions of Files / Directories
ls -l [ file-list ]: Display a long list of the files in 'file-list', or of all files in the Present Working Directory.
ls -l : List all files in the Present Working Directory. ls -l /etc/passwd : List the file /etc/passwd. ls -l /etc : List all files in /etc.
ls -ld [ directory-list ]: Display a long list of the directories in 'directory-list' themselves (not their contents), or of the Present Working Directory itself.
ls -ld : List the Present Working Directory. ls -ld /etc/passwd : List the file /etc/passwd. ls -ld /etc : List the directory /etc itself.
The UNIX File Security: Types of Access Permissions
View Access Permissions of Files / Directories: ls -l, ls -ld
The first field of the long listing, read left to right: File Type ("d" indicates a Directory, "-" indicates a File), then the File Owner access permission, the File Group access permission, and the File Other access permission.
The UNIX File Security: Types of Access Permissions
View Access Permissions of Directories. r: Read the contents of the directory (use the "ls" command). w: Create and remove entries in the directory. x: Search the directory (use the "ls -l" command on the files in it).
For a directory whose Group has r and x but not w, and whose Other has no bits: Group CANNOT write; Group CAN use the "ls" command; Group CAN use the "ls -l" command. Other CANNOT write; Other CANNOT use the "ls" command; Other CANNOT use the "ls -l" command.
The UNIX File Security: Changing File Access Privileges
chmod [ options ] octal-mode file-list
octal-mode: an octal value representing Read / Write / Execute access permission. 7 = Read/Write/Execute, 4 = Read-Only, 6 = Read/Write.
chmod [ options ] symbolic-mode file-list
symbolic-mode: <who> <operator> <privilege>; the "=" operator assigns exactly the listed privileges to <who>.
The UNIX File Security: Changing File Access Privileges
$ ls -l
total 60
drwxr-xr-x 2 sau users 4096 2012-10-03 15:58 file_dir
$ ls -l file_dir
total 0
-rw-r--r-- 1 sau users 0 2012-10-03 15:54 temp
-rw-r--r-- 1 sau users 0 2012-10-03 15:58 temp2
$ chmod -R 711 file_dir
$ chmod -R 700 file_dir/temp2
$ ls -l
total 60
...
drwx--x--x 2 sau users 4096 2012-10-03 15:58 file_dir
...
$ ls -l file_dir
total 0
-rwx--x--x 1 sau users 0 2012-10-03 15:54 temp
-rwx------ 1 sau users 0 2012-10-03 15:58 temp2
$ chmod 7 example
$ chmod 70 file_dir
$ ls -l
total 60
d------rwx 2 sau users 4096 2012-10-03 17:23 example
...
d---rwx--- 2 sau users 4096 2012-10-03 15:58 file_dir
...
Octal-mode privileges are positional: "7" is read as 007 (Others only) and "70" as 070 (Group only), as the listing shows.
The UNIX File Security: Changing Directory Access Privileges
Read: allows reading the directory's contents. Write: allows creating / removing files or directories in it. Execute: allows searching the directory.
NOTE: for the Read / Write privilege on a directory to be usable, the Execute privilege MUST also be set.
The UNIX File Security: Default File or Directory Access Privileges
Set the access privilege for new files or directories: umask [ mask ]
mask: new files and directories receive their initial access permissions EXCEPT for the "mask" bits.
umask 027 (prohibit non-group members from accessing files and directories):
New Files:
  umask: 027                                    ; --- -w- rwx
  Initial File Permission: 666                  ; rw- rw- rw-
  Complement of mask: NOT(027) = 750            ; rwx r-x ---
  Resultant File Permission: 750 AND 666 = 640  ; rw- r-- ---
New Directories:
  Initial Directory Permission: 777             ; rwx rwx rwx
  Complement of umask: NOT(027) = 750           ; rwx r-x ---
  Resultant Dir Permission: 750 AND 777 = 750   ; rwx r-x ---
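The AND NOT(mask) arithmetic above can be checked directly in a shell. This is an added example, not from the slides; it assumes a writable ${TMPDIR:-/tmp} for the part that creates real files.

```shell
#!/bin/sh
# Added example (not from the slides): apply the umask formula from the slide
# (resulting mode = initial mode AND NOT(mask)) and check it against what the
# system actually does. Assumes a writable ${TMPDIR:-/tmp}.

# Print the octal result of base AND NOT(mask); both arguments are octal
# strings as typed to umask/chmod (e.g. umask_result 027 666 prints 640).
umask_result() {
    mask=$1
    base=$2
    # A leading 0 makes the shell's arithmetic read the constants as octal.
    printf '%03o\n' "$(( 0$base & ~0$mask ))"
}

# Mode a newly created regular file gets (creat() asks for 666).
new_file_mode() { umask_result "$1" 666; }

# Mode a newly created directory gets (mkdir() asks for 777).
new_dir_mode() { umask_result "$1" 777; }

# Create a file and a directory under the given umask in a scratch directory
# and print the permission fields ls -l reports, to compare with the formula.
umask_observe() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/umaskdemo.XXXXXX")
    (
        umask "$1"               # umask is per process: set it in a subshell
        : > "$scratch/newfile"
        mkdir "$scratch/newdir"
    )
    f=$(ls -ld "$scratch/newfile" | cut -c 2-10)
    d=$(ls -ld "$scratch/newdir" | cut -c 2-10)
    rm -rf "$scratch"
    printf '%s %s\n' "$f" "$d"
}
```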
The UNIX File Security: Special Access Bits: The Set-User-ID (SUID) Bit
If the SUID bit is set for an executable file (i.e. a command or shell script), the process takes on the User privilege of the owner of the file when it executes. (Note: the Linux kernel ignores the SUID bit on interpreted scripts; it takes effect only on binary executables.)
If the SUID bit is NOT set for an executable file, the process takes on the privilege of the user executing the file.
The file /etc/passwd is owned by root. The passwd command, run by ordinary users, changes the /etc/passwd file. SUID allows /etc/passwd to be changed through the passwd command, but not by other users accessing /etc/passwd directly.
sau@buildbed-vm:/usr/bin> ls -l /etc/passwd
-rw-r--r-- 1 root root 2029 2012-10-02 15:43 /etc/passwd
sau@buildbed-vm:/usr/bin> ls -l /usr/bin/passwd
-rwsr-xr-x 1 root shadow 80268 2011-07-29 12:55 /usr/bin/passwd
"s" = Execute and SUID set. "S" = SUID set without Execute.
The UNIX File Security: Special Access Bits: The Set-Group-ID (SGID) Bit
If the SGID bit is set for an executable file, the process takes on the Group privilege of the owner of the file when it executes.
If the SGID bit is NOT set for an executable file, the process takes on the privilege of the user executing the file.
sau@buildbed-vm:~/class> ls -ld file_dir
d---rws--- 2 sau users 4096 2012-10-03 15:58 file_dir
"s" = Execute and SGID bit set. "S" = SGID bit set without Execute.
The Sticky Bit: if the Sticky bit is set on a directory, only the file or directory's owner or the SuperUser can rename or delete the file or directory. If the Sticky bit is NOT set, any user with write and execute permissions on the directory can rename or delete a file or directory in it.
sau@buildbed-vm:/> ls -ld /tmp
drwxrwxrwt 189 root root 12288 2012-10-04 03:15 /tmp
"t" = Execute and Sticky bit set. "T" = Sticky bit set without Execute.
Setting the special bits with chmod:
The Set-User-ID (SUID) bit: chmod 4xxx file-list, or chmod u+s file-list
The Set-Group-ID (SGID) bit: chmod 2xxx file-list, or chmod g+s file-list
The Sticky bit: chmod 1xxx file-list, or chmod +t file-list
[student3@unknown001320aa6702 ~]$ umask
0002
[student3@unknown001320aa6702 ~]$ ls -ld sau
drwxrwxr-x 2 student3 student3 4096 2013-10-04 16:41 sau
[student3@unknown001320aa6702 ~]$ chmod 2775 sau
[student3@unknown001320aa6702 ~]$ ls -ld sau
drwxrwsr-x 2 student3 student3 4096 2013-10-04 16:41 sau
[student3@unknown001320aa6702 ~]$ ls -l sau_file
-rw-rw-r-- 1 student3 student3 0 2013-10-04 16:42 sau_file
[student3@unknown001320aa6702 ~]$ chmod 4664 sau_file
[student3@unknown001320aa6702 ~]$ ls -ld sau_file
-rwSrw-r-- 1 student3 student3 0 2013-10-04 16:42 sau_file
[student3@unknown001320aa6702 ~]$ ls -ld sau
drwxrwsr-x 2 student3 student3 4096 2013-10-04 16:41 sau
[student3@unknown001320aa6702 ~]$ chmod 1775 sau
[student3@unknown001320aa6702 ~]$ ls -ld sau
drwxrwsr-t 2 student3 student3 4096 2013-10-04 16:41 sau
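The s/S and t/T letters in the listings above and the 4xxx/2xxx/1xxx octal prefixes are two spellings of the same bits. As an added example that is not part of the slides, the two functions below translate between the ls -l permission field and the octal mode, covering the nine rwx bits, the leading type character, and the special-bit letters.

```shell
#!/bin/sh
# Added example (not from the slides): convert between the permission field
# shown by ls -l and the octal mode chmod takes, including the special bits.
# A lower-case s/t in an execute slot means special bit AND execute are set;
# an upper-case S/T means the special bit is set without execute.

# Take a 9-character permission string, or the 10-character ls -l field with
# its leading type character, and print the four-digit octal mode.
mode_to_octal() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi       # drop leading d, -, l, ...
    if [ ${#s} -ne 9 ]; then
        echo "bad permission string: $1" >&2
        return 1
    fi
    special=0
    digits=''
    i=0
    while [ $i -lt 3 ]; do                       # owner, group, others
        triad=$(printf '%s' "$s" | cut -c "$((i*3+1))-$((i*3+3))")
        v=0
        case $triad in r??) v=$((v+4)) ;; esac
        case $triad in ?w?) v=$((v+2)) ;; esac
        case $triad in ??[xst]) v=$((v+1)) ;; esac   # lower case: execute is set
        case $i$triad in                              # upper or lower: special bit
            0??[sS]) special=$((special+4)) ;;        # SUID sits in the owner triad
            1??[sS]) special=$((special+2)) ;;        # SGID sits in the group triad
            2??[tT]) special=$((special+1)) ;;        # sticky sits in the others triad
        esac
        digits=$digits$v
        i=$((i+1))
    done
    printf '%d%s\n' "$special" "$digits"
}

# Reverse direction: take a three- or four-digit octal mode as typed to chmod
# and print the nine-character permission string ls -l would show.
octal_to_mode() {
    m=$1
    if [ ${#m} -eq 3 ]; then m=0$m; fi
    case $m in
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "bad octal mode: $1" >&2; return 1 ;;
    esac
    sp=$(printf '%s' "$m" | cut -c 1)
    out=''
    i=1
    while [ $i -le 3 ]; do
        d=$(printf '%s' "$m" | cut -c "$((i+1))")
        r=-; w=-; x=-
        if [ $((d & 4)) -ne 0 ]; then r=r; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; fi
        bit=$((4 >> (i-1)))                      # 4 owner, 2 group, 1 others
        if [ $((sp & bit)) -ne 0 ]; then
            if [ $i -eq 3 ]; then letter=t; else letter=s; fi
            if [ "$x" = x ]; then x=$letter; else x=$(printf '%s' "$letter" | tr st ST); fi
        fi
        out=$out$r$w$x
        i=$((i+1))
    done
    printf '%s\n' "$out"
}
```

Feeding the field from an actual listing, e.g. `mode_to_octal "$(ls -ld /tmp | cut -c 1-10)"`, prints 1777 on a system whose /tmp looks like the one above.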