Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unix Systems Administration 1Y. K. Chang root: the super user 4 The UNIX semigod who can perform privileged tasks: controlling processes, adding devices,

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Unix Systems Administration 1Y. K. Chang root: the super user 4 The UNIX semigod who can perform privileged tasks: controlling processes, adding devices,"— Presentation transcript:

1 Unix Systems Administration 1Y. K. Chang root: the super user 4 The UNIX semigod who can perform privileged tasks: controlling processes, adding devices, etc. 4 Ownership Model –concept of ownership for files and processes –Can be overridden by the superuser –Groups are defined in /etc/group –User numbers (UID) and group numbers (GID), that are mapped to user and group names in file /etc/passwd, are used by UNIX.

2 Unix Systems Administration 2Y. K. Chang root: the super user –Four numbers are associated with each process: a real UID and a real GID used for accounting an effective UID and an effective GID used for determining access permission normally, real = effective owner can send processes signals and reduces the process’s scheduling priority

3 Unix Systems Administration 3Y. K. Chang root: the super user 4 situation where real  effective –A process wishing to execute a different program file calls one of the exec family of system calls. –The effective UID and GID of the process may be set to the UID and GID of the file containing the new program if the file has its “setuid” or “setgid” permission bits set. –exec + /bin/passwd and /bin/login with “setuid” or “setgid” bits set to temporarily gain superuser privileges.

4 Unix Systems Administration 4Y. K. Chang root: the super user 4 /bin/passwd /bin/login  -rws--x--x -rws--x--x root bin [OSF1 V3.0]  -rwsr-s--x -rwsr-xr-x root sys [IRIX5.3]  -r-sr-sr-x -r-sr-xr-x root sys [Solaris 2.4]  -rwsr-xr-x -rwsr-xr-x root taff[SunOS4.1.4] 4 /bin/login changes its UIDs and GIDs to the login user==> once a root changes its ownership to become a normal user, can not change them back.

5 Unix Systems Administration 5Y. K. Chang root: the super user 4 Choosing a root password –randomly generated 8 characters –change the root password at least every months or so every time someone who knows the password leaves your site whenever you think security may have been compromised not a day before party

6 Unix Systems Administration 6Y. K. Chang root: the super user 4 Becoming root –First step is to become a superuser ( administrator ) –using /bin/su is better than simply su command. Why? –On some systems, you must be a member of the group “wheel” or “system” in order to use su command and other restriction for remote login see p.121 and p.548.

7 Unix Systems Administration 7Y. K. Chang root: sudo 4 /etc/sudoers file  #define aliases for machines in CS and Physics  Host_Alias CS=tigger,anchor,piper,noet,sigi  Host_Alias Physics=eprince,pprince,icarus  #define an alias for all sump/restore commands

8 Unix Systems Administration 8Y. K. Chang root: sudo 4 C_Alias DUMP=/usr/etc/dump, /usr/etc/rdump, /usr/etc/restore, /usr/etc/rrestore  #  mark CS=ALL,Physics=DUMP  herb CS=/usr/local/bin/tcpdump  randy ALL=ALL

9 Unix Systems Administration 9Y. K. Chang root: sudo 4 Sudo logs: –command lines executed –who –directory form where they were run –time 4 Advantages: –accounting –operators do chores without unlimited power –root password known by only one/two person

10 Unix Systems Administration 10Y. K. Chang root: sudo 4 Advantages (cont.): –faster to use sudo than su or login as root –privileges my be revoked without changing the root password –A list of all users with root power is maintained –less chance of a root shell being left unattended –Since access restrictions are host-dependent, a single file controls access for an entire network 4 Disadvantages: mostly security if it has a hole

11 Unix Systems Administration 11Y. K. Chang root: sudo 4 Other important users –daemon: UID 1 files not belong to a particular user are often given to daemon, rather than root, to avoid security hazard. –bin: UID 2 or 3 directories that contain the system’s commands and most of the executables.

12 Unix Systems Administration 12Y. K. Chang root: sudo –sys: UID 2 or 4 /dev/kmem: kernel address space /dev/mem: physical memory of the system /dev/swap|/dev/drum: image of swap space –nobody: UID -1 or -2 -1 means 32767 for short integers owner of software that doesnot need or shouldnot have special permissions. NSF uses it fingerd daemon

13 Unix Systems Administration 13Y. K. Chang The Login Process 4 One of init process is to spawn a getty process on each terminal port that is turned on in the /etc/ttys or /etc/initab file. getty sets the port’s initial characteristics (such as speed and parity) and prints a login prompt: –enter a login prompt by bootup or telnet –getty cxecutes the login program with the specified account name –login requests a passwprd and validates the name and password with /etc/passwd

14 Unix Systems Administration 14Y. K. Chang The Login Process –login print the message of today from /etc/motd –login runs a shell and sets up the TERM environment variable –The shell executes.profile (Bourne shell) or.login and.cshrc (C shell) –The shell prints the UNIX prompt and waits for input 4 When log out, control returns to init, which wakes up and spawns a new getty on the terminal port

15 Unix Systems Administration 15Y. K. Chang chmod command 4 change the permissions mode of a file –SYNOPSIS chmod [ -fR ] file chmod [ -fR ] file... –-f :Force. chmod will not complain if it fails to change the mode of a file. –-R :Recursively descend through directory arguments, setting the mode for each file as described above. When symbolic links are encountered, the mode of the target file is changed, but no recursion takes place.

16 Unix Systems Administration 16Y. K. Chang chmod (cont.) 4 Absolute mode –use octal numbers: chmod nnnn file... –where:n = 0 to 7, constructed from the OR of a 4000 Set user ID on execution. 20#0 Set group ID on execution if # is 7, 5, 3, or 1. Enable mandatory locking if # is 6, 4, 2, or 0. For directories, files are created with BSD semantics for propagation of the group ID. With this option, files and subdirectories created in the directory inherit the group ID of the directory, rather than of the current process. It may be using symbolic mode. 1000 Turn on sticky bit. See chmod(2).

17 Unix Systems Administration 17Y. K. Chang chmod (cont.) 0400 Allow read by owner. 0200 Allow write by owner. 0100 Allow execute (search in dir) by owner. 0700 read, write, execute (search) by owner. 0040 Allow read by group. 0020 Allow write by group. 0010 Allow execute (search in dir) by group. 0070 read, write, execute (search) by group. 0004 Allow read by others. 0002 Allow write by others. 0001 Allow execute (search in dir) by others. 0007 read, write, and execute (search) by others.

18 Unix Systems Administration 18Y. K. Chang chmod (cont.) 4 Note that for directories, the setgid bit cannot be set (or cleared) in absolute mode; it must be set (or cleared) in symbolic mode using g+s (or g-s).  Mandatory file and record locking ( l ) refers to a file's ability to have its reading or writing permissions locked while a program is accessing that file.

19 Unix Systems Administration 19Y. K. Chang chmod (cont.) 4 Symbolic mode –A symbolic mode specification has the following format: –chmod file… –where: is a comma- separated list (with no intervening whitespace) of symbolic mode expressions of the form: [who] operator [permissions]

20 Unix Systems Administration 20Y. K. Chang chmod (cont.) who: zero or more of the characters u, g, o, and a specifying whose permissions are to be changed or assigned: u-user's, g- group's, o-others’ and a-all permissions (user, group, and other) operator either +, -, or =, signifying how permissions are to be changed permission: any compatible combination of the following letters: –r read permission –w write permission –x execute permission –l mandatory locking –s user or group set-ID –t sticky bit

21 Unix Systems Administration 21Y. K. Chang EXAMPLES 4 Denying execute permission to everyone –chmod a-x file 4 Allowing only read permission to everyone –chmod 444 file 4 Making a file readable&writable by group and others –chmod go+rw filechmod 066 file –chmod go+rw file or chmod 066 file 4 Causing a file to be locked during access –chmod +l file 4 Allowing everyone to read, write, and execute the file and turn on the set group-ID –chmod a=rwx,g+s filechmod 2777 file –chmod a=rwx,g+s file or chmod 2777 file

22 Unix Systems Administration 22Y. K. Chang Protecting Files with Sticky Bit 4 Unix dir access permissions:if writable on a dir, can rename/remove any files there –$ mkdir share; chmod 1777 share drwxrwxrwt 2 jerry ora 32 Nov 19 10:31 share –ls -l -rw-r--r-- 1 ellie ora 120 Nov 19 11:32 data.ellie -rw-r--r-- 1 jen ora 3421 Nov 19 15:34 data.jen -rw-r--r-- 1 peter ora 728 Nov 20 12:29 data.peter –rm data.ellie (from jen) –data.ellie: 644 mode ? Y –rm: data.ellie not removed.\Permission denied

23 Unix Systems Administration 23Y. K. Chang sticky(5) 4 sticky - mark files for special treatment sticky directory –A file in a sticky directory may only be removed or renamed by a user who has write permission on the directory, and either owns the file, owns the directory, or is the super-user. useful for /tmp, –If sticky bit on a regular file and no execute bits are set, the system's page cache will not be used to hold the file's data.

Download ppt "Unix Systems Administration 1Y. K. Chang root: the super user 4 The UNIX semigod who can perform privileged tasks: controlling processes, adding devices,"

Similar presentations

The UNIX File System Harry Chen Department of CSEE University of MD Baltimore County.

The UNIX File System Harry Chen Department of CSEE University of MD Baltimore County.
Linux Users and Groups Management

Linux Users and Groups Management
Basic Unix system administration

Basic Unix system administration
Unix permissions, ownership and setuid File security and ownership The chmod(1) command Process Ownership Setuid, Setgid and the Sticky bit Writing setuid.

Unix permissions, ownership and setuid File security and ownership The chmod(1) command Process Ownership Setuid, Setgid and the Sticky bit Writing setuid.
UNIX file systems Learning Objectives: 1. To understand the basics of file systems 2. To understand the hierarchical structure in Unix file system 3. To.

UNIX file systems Learning Objectives: 1. To understand the basics of file systems 2. To understand the hierarchical structure in Unix file system 3. To.
CS 497C – Introduction to UNIX Lecture 26: - The Process Chin-Chih Chang

CS 497C – Introduction to UNIX Lecture 26: - The Process Chin-Chih Chang
1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Passwords in Unix/Linux Systems.

1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Passwords in Unix/Linux Systems.
1 CSE 390a Lecture 4 Persistent shell settings; users/groups; permissions slides created by Marty Stepp, modified by Jessica Miller

1 CSE 390a Lecture 4 Persistent shell settings; users/groups; permissions slides created by Marty Stepp, modified by Jessica Miller
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
UNIX Chapter 08 File Security Mr. Mohammad Smirat.

UNIX Chapter 08 File Security Mr. Mohammad Smirat.
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
Getting Started with Linux Linux System Administration Permissions.

Getting Started with Linux Linux System Administration Permissions.
File System Security 1. General Principles Files and folders are managed by the operating system Applications, including shells, access files through.

File System Security 1. General Principles Files and folders are managed by the operating system Applications, including shells, access files through.
O.S security Ge Zhang Karlstad University. Outline Why O.S. security is important? Security schemes in Unix/Linux system Security schemes in windows system.

O.S security Ge Zhang Karlstad University. Outline Why O.S. security is important? Security schemes in Unix/Linux system Security schemes in windows system.
Filesystem Hierarchy Standard (FHS) –Standard of outlining the location of set files and directories on a Linux system –Gives Linux software developers.

Filesystem Hierarchy Standard (FHS) –Standard of outlining the location of set files and directories on a Linux system –Gives Linux software developers.
The file structure and related utilities CS240 Computer Science II.

The file structure and related utilities CS240 Computer Science II.
Lesson 7-Creating and Changing Directories. Overview Using directories to create order. Managing files in directories. Using pathnames to manage files.

Lesson 7-Creating and Changing Directories. Overview Using directories to create order. Managing files in directories. Using pathnames to manage files.
Files & Directories Objectives –to be able to describe and use the Unix file system model and concepts Contents –directory structure –file system concepts.

Files & Directories Objectives –to be able to describe and use the Unix file system model and concepts Contents –directory structure –file system concepts.
Unix System Administration Rootly Powers Chapter 3.

Unix System Administration Rootly Powers Chapter 3.
File Permissions. What are the three categories of users that apply to file permissions? Owner (or user) Group All others (public, world, others)

File Permissions. What are the three categories of users that apply to file permissions? Owner (or user) Group All others (public, world, others)

Similar presentations

Ads by Google