CT320: Network and System Administration

Fall 2018

Access

CT320 Access

Original slides from Dr. James Walden at Northern Kentucky University.

Access Control

https://en.wikipedia.org/wiki/Access_control

Control Mechanisms

System Access

Shadow passwords

Instead of being kept in the world-readable /etc/passwd, the encrypted passwords can be kept in /etc/shadow.

Access Commands

Filesystem Protection

Access bits via ls

$ ls -l ~/bin
total 1712
lrwxrwxrwx 1 ct320 class      12 Nov 22  2016 checkin -> checkin_prog
-rwx------ 1 ct320 class     405 Oct 14  2017 checkin-file-checker
-rws--x--x 1 ct320 class   42040 Sep  6  2016 checkin_prog
-rwx------ 1 ct320 class    1060 Mar 17  2018 chit
-rwxr-xr-x 1 ct320 class     900 Dec 17  2017 cls
-rwxr-xr-x 1 ct320 class     160 Jun 14  2014 cronedit
-rwxr-xr-x 1 ct320 class    3068 May 18  2016 curve
-rwxr-xr-x 1 ct320 class     666 Dec 27  2017 demo-script
-rwxr-xr-x 1 ct320 class    1306 Mar  7  2018 domoss
-rwxr-xr-x 1 ct320 class    1019 Dec 27  2017 e
lrwxrwxrwx 1 ct320 class      12 Nov 22  2016 grade -> checkin_prog
-rwxr-xr-x 1 ct320 class      59 May 30  2015 grade-busy
-rwx------ 1 ct320 class    3233 Sep 23  2017 grade-file-checker
-rwxr-xr-x 1 ct320 class     145 Dec 16  2015 grades
-rwxr-xr-x 1 ct320 class     834 Feb  8  2018 imv
-rwxr-xr-x 1 ct320 class      30 Sep 20  2015 l
-rwxr-xr-x 1 ct320 class      30 Sep 20  2015 ll
-rwxr-xr-x 1 ct320 class      30 Sep 20  2015 lsf
-rwx------ 1 ct320 class   10640 May 30  2015 moss
-rwxr-xr-x 1 ct320 class     112 Aug  4  2014 new
-rwxr-xr-x 1 ct320 class     449 Sep 20 14:22 note
-rwxr-xr-x 1 ct320 class     112 Aug  4  2014 old
-rwxr-xr-x 1 ct320 class      39 Apr 22  2013 p
lrwxrwxrwx 1 ct320 class      12 Nov 22  2016 peek -> checkin_prog
-rwxr-xr-x 1 ct320 class     979 Dec 27  2017 playpen
-rwxr-xr-x 1 ct320 class     276 Dec  4  2017 pwget
-rwxr-xr-x 1 ct320 class     166 Dec  4  2017 ruler
-rwxr-xr-x 1 ct320 class    1975 Jun 29 12:28 run
-rwx------ 1 ct320 class      42 Jun 26 16:21 runner
-rwxr-xr-x 1 ct320 class     114 Aug  4  2014 save
-rwx------ 1 ct320 class    5585 Jan 30  2018 scores
-rwxr-xr-x 1 ct320 class    3366 Sep 12 20:15 stats
drwx------ 2 ct320 class    4096 Aug 30  2015 tools
-rwxr-xr-x 1 ct320 class 1541049 Oct  2 17:31 u
-rwxr-xr-x 1 ct320 class     294 Aug  4  2014 unold
-rwx------ 1 ct320 class    1078 Mar  7  2018 vman
-rwxr-xr-x 1 ct320 class    1078 Dec  9  2017 wikicat
-rwxr-xr-x 1 ct320 class     171 Dec 27  2017 wikidiff
-rwxr-xr-x 1 ct320 class     900 Dec 11  2017 wikiedit
-rwxr-xr-x 1 ct320 class    1004 Dec 30  2017 wikigrep
-rwxr-xr-x 1 ct320 class    2781 Dec  9  2017 wikiupdate
-rwxr-xr-x 1 ct320 class    1354 Dec 18  2017 wikiwhence

Access bits

    d or l or -          rwx     rwx      rwx
    directory or file    user    group    other

The permissions can be different for user, group and other (everyone else). Typically, the user gets the most permissions, and others get very little.

Permissions: What do they mean?

Note that w for a directory means that you can change the directory, not the files it contains. Changing the files underneath it depends on their w bits.

Removing a file depends upon the w permission of the containing directory, not on any permissions of the file itself. Think of it as changing a relationship—you don’t need someone’s consent to unfriend them.
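The two rules above can be checked in a scratch directory. This is an added example, not part of the original slides; the function name dir_write_demo and the file names locked and open are made up for it.

```sh
#!/bin/sh
# Added example: dir_write_demo and the file names are made up here.
dir_write_demo() {
    if [ "$(id -u)" -eq 0 ]; then
        # root bypasses these permission checks, so the demo would show nothing
        echo "skipped: running as root"; return 0
    fi
    d=$(mktemp -d) || return 1
    : > "$d/locked" && chmod 000 "$d/locked" || return 1   # file grants nothing
    : > "$d/open" && chmod 666 "$d/open" || return 1       # file grants rw to all

    # 1. Directory is writable (mktemp -d creates it with mode 700):
    #    the mode-000 file can still be removed. -f suppresses rm's prompt.
    rm -f "$d/locked" 2>/dev/null || true
    if [ -e "$d/locked" ]; then first=kept; else first=removed; fi

    # 2. Directory loses its w bit: the mode-666 file can be rewritten,
    #    but its directory entry cannot be removed.
    chmod u-w "$d" || return 1
    if echo changed 2>/dev/null > "$d/open"; then
        second=modified
    else
        second=unmodified
    fi
    rm -f "$d/open" 2>/dev/null || true
    if [ -e "$d/open" ]; then second=$second,kept; else second=$second,removed; fi

    chmod u+w "$d" && rm -rf "$d"                          # clean up
    echo "writable-dir:$first readonly-dir:$second"
}

dir_write_demo
```

Run as an ordinary user, it prints `writable-dir:removed readonly-dir:modified,kept`.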

Protection Commands

    chown applin Desktop
    chgrp fac Desktop
    chmod 755 foo
    chmod ug+rw bar

Symbolic vs. octal

Some hackers consider it impressive to interpret the permission bits as an octal number. These are the same morons who think that memorizing the ASCII chart improves their dating prospects.

    chmod u=rw foo
    chmod go-w bar
    chmod g+r baz
    chmod g=r zip
    chmod a=rwx foo.*

That said, I will occasionally chmod 400 or chmod 666 a file, but I feel guilty when I do it.
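For reading a listing, the mapping between the two notations can be scripted, including the setuid, setgid and sticky bits that show up as s and t in the execute position. This is an added example, not part of the original slides; mode_to_octal and list_setid are names made up for it, and the sample input is copied from the ls -l listing on this page.

```sh
#!/bin/sh
# Added example: mode_to_octal and list_setid are names made up here.

# Convert the mode column of `ls -l` (e.g. -rws--x--x) to four octal digits.
mode_to_octal() {
    # Skip the file-type character; ignore a trailing ACL/SELinux marker (+ or .)
    perms=$(printf '%s' "$1" | cut -c2-10)
    [ "${#perms}" -eq 9 ] || { echo "bad mode: $1" >&2; return 1; }
    special=0 digits='' pos=1
    # weight:lower:upper for setuid (user), setgid (group), sticky (other)
    for spec in 4:s:S 2:s:S 1:t:T; do
        weight=${spec%%:*} up=${spec##*:} lo=${spec#*:}; lo=${lo%:*}
        triad=$(printf '%s' "$perms" | cut -c"$pos"-"$((pos + 2))")
        value=0
        case $triad in r??) value=4 ;; -??) ;; *) return 1 ;; esac
        case $triad in ?w?) value=$((value + 2)) ;; ?-?) ;; *) return 1 ;; esac
        case $triad in
            ??x) value=$((value + 1)) ;;
            ??"$lo") value=$((value + 1)); special=$((special + weight)) ;;  # special bit and x
            ??"$up") special=$((special + weight)) ;;                        # special bit, no x
            ??-) ;;
            *) return 1 ;;
        esac
        digits=$digits$value pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# Read `ls -l` lines on stdin; print "octal name" for setuid/setgid entries.
# Assumes file names without spaces.
list_setid() {
    while read -r mode links owner group size rest; do
        octal=$(mode_to_octal "$mode" 2>/dev/null) || continue  # e.g. "total 1712"
        case $octal in [2-7]???) printf '%s %s\n' "$octal" "${rest##* }" ;; esac
    done
}

# Constructed input: three lines copied from the listing on this page.
list_setid <<'EOF'
total 1712
-rwx------ 1 ct320 class     405 Oct 14  2017 checkin-file-checker
-rws--x--x 1 ct320 class   42040 Sep  6  2016 checkin_prog
EOF
```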

Protection Commands

umask: set up default privileges:

More on Permissions

ACLs

Features of an access control list (ACL)

Linux ACL support

$ date >now
$ chmod go= now
$ ls -l now
-rw------- 1 ct320 class 29 Oct 18 19:12 now
$ setfacl -m applin:r now
$ getfacl now
# file: now
# owner: ct320
# group: class
user::rw-
user:applin:r--
group::---
mask::r--
other::---

$ ls -l now
-rw-r-----+ 1 ct320 class 29 Oct 18 19:12 now

Linux can support ACL mode

Process Ownership

$ ls -l /bin/passwd
-rwsr-xr-x. 1 root root 27832 Jan 29  2014 /bin/passwd

Root Privileges

A special root account, often called the superuser account, represents the omnipotent administrative user. It can perform tasks that other users are not permitted to perform:

Root Privileges

Several ways exist in which root privileges can be accessed, and a number of concerns should be taken into account when deciding which method to use:

Root

Access Control Problems

Common Extensions

Modified: 2018-08-30T12:31
