CT320: Network and System Administration

Fall 2018

Access

Access Control and Root

CT320: Access

Original slides from Dr. James Walden at Northern Kentucky University.

Access Control

https://en.wikipedia.org/wiki/Access_control

Control Mechanisms

System Access

Shadow passwords

Instead of keeping the encrypted passwords in the world-readable /etc/passwd, they can be kept in /etc/shadow.

Access Commands

Filesystem Protection

Access bits via ls

    $ ls -l ~/bin
    total 1632
    lrwxrwxrwx 1 ct320 class      12 Nov 22  2016 checkin -> checkin_prog
    -rwx------ 1 ct320 class     405 Oct 14 19:58 checkin-file-checker
    -rws--x--x 1 ct320 class   42040 Sep  6  2016 checkin_prog
    -rwxr-xr-x 1 ct320 class     900 Dec 17 16:47 cls
    -rwxr-xr-x 1 ct320 class     666 Dec 27 14:28 demo-script
    -rwxr-xr-x 1 ct320 class    1019 Dec 27 14:30 e
    lrwxrwxrwx 1 ct320 class      12 Nov 22  2016 grade -> checkin_prog
    -rwxr-xr-x 1 ct320 class      59 May 30  2015 grade-busy
    -rwx------ 1 ct320 class    3233 Sep 23 10:50 grade-file-checker
    -rwxr-xr-x 1 ct320 class     145 Dec 16  2015 grades
    -rwxr-xr-x 1 ct320 class      30 Sep 20  2015 l
    -rwxr-xr-x 1 ct320 class      30 Sep 20  2015 ll
    -rwxr-xr-x 1 ct320 class      30 Sep 20  2015 lsf
    -rwx------ 1 ct320 class   10640 May 30  2015 moss
    -rwxr-xr-x 1 ct320 class     112 Aug  4  2014 new
    -rwxr-xr-x 1 ct320 class     585 Dec 26 13:41 note
    -rwxr-xr-x 1 ct320 class     112 Aug  4  2014 old
    -rwxr-xr-x 1 ct320 class      39 Apr 22  2013 p
    lrwxrwxrwx 1 ct320 class      12 Nov 22  2016 peek -> checkin_prog
    -rwxr-xr-x 1 ct320 class     979 Dec 27 14:41 playpen
    -rwxr-xr-x 1 ct320 class     166 Dec  4 12:48 ruler
    -rwxr-xr-x 1 ct320 class    1923 Dec 28 21:08 run
    lrwxrwxrwx 1 ct320 class      34 Nov 22  2016 runner -> /s/parsons/d/fac/applin/bin/runner
    -rwxr-xr-x 1 ct320 class     114 Aug  4  2014 save
    drwx------ 2 ct320 class    4096 Aug 30  2015 tools
    -rwxr-xr-x 1 ct320 class 1507228 Mar  4  2017 u
    -rwxr-xr-x 1 ct320 class     294 Aug  4  2014 unold
    -rwxr-xr-x 1 ct320 class    1078 Dec  9 17:40 wikicat
    -rwxr-xr-x 1 ct320 class     171 Dec 27 14:30 wikidiff
    -rwxr-xr-x 1 ct320 class     900 Dec 11 20:01 wikiedit
    -rwxr-xr-x 1 ct320 class    1004 Dec 30 11:29 wikigrep
    -rwxr-xr-x 1 ct320 class    2781 Dec  9 17:18 wikiupdate
    -rwxr-xr-x 1 ct320 class    1354 Dec 18 12:52 wikiwhence

Access bits

    d or l or -          rwx     rwx     rwx
    directory or file    user    group   other

The permissions can be different for user, group and other (everyone else). Typically, the user gets the most permissions, and others get very little.

Permissions: What do they mean?

Note that w for a directory means that you can change the directory, not the files it contains. Changing the files underneath it depends on their w bits.

Removing a file depends upon the w permission of the containing directory, not any permissions of the file itself. Think of it as changing a relationship—you don’t need someone’s consent to unfriend them.

Protection Commands

    chown applin Desktop
    chgrp fac Desktop
    chmod 755 foo
    chmod ug+rw bar

Symbolic vs. octal

Some hackers consider it impressive to interpret the permission bits as an octal number. These are the same morons who think that memorizing the ASCII chart improves their dating prospects.

    chmod u=rw foo
    chmod go-w bar
    chmod g+r baz
    chmod g=r zip
    chmod a=rwx foo.*

That said, I will occasionally chmod 400 or chmod 666 a file, but I feel guilty when I do it.

Protection Commands

umask: set up default privileges:

More on Permissions

ACLs

Features of an access control list (ACL)

Linux ACL support

    $ date >now
    $ chmod go= now
    $ ls -l now
    -rw------- 1 ct320 class 29 Jan 19 22:12 now
    $ setfacl -m applin:r now
    $ getfacl now
    # file: now
    # owner: ct320
    # group: class
    user::rw-
    user:applin:r--
    group::---
    mask::r--
    other::---

    $ ls -l now
    -rw-r-----+ 1 ct320 class 29 Jan 19 22:12 now

Linux can support ACL mode

Process Ownership

    $ ls -l /bin/passwd
    -rwsr-xr-x. 1 root root 27832 Jan 29  2014 /bin/passwd
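
Added example, not part of the original slides: the mode strings that ls -l prints on this page (including the setuid s in -rws--x--x and the trailing . and + markers) map directly onto the octal form that chmod accepts, which makes it easy to flag setuid, setgid and world-writable entries in a listing. The function names mode_to_octal, audit_listing and sample_listing are assumptions made for this example, and the scratch line in the sample input is constructed.

```shell
# mode_to_octal "-rws--x--x" prints 4711; returns 1 on a malformed string.
mode_to_octal() {
    mode=$1
    # A trailing "." (SELinux context) or "+" (ACL present) is not a mode bit.
    case $mode in ??????????[.+]) mode=${mode%?} ;; esac
    [ "${#mode}" -eq 10 ] || return 1
    perms=${mode#?}              # drop the file-type character (d, l, -)
    special=0 octal=
    for weight in 4 2 1; do      # setuid, setgid, sticky
        rest=${perms#???}; triad=${perms%"$rest"}; perms=$rest
        if [ "$weight" -eq 1 ]; then lo=t up=T; else lo=s up=S; fi
        case $triad in r??) digit=4 ;; -??) digit=0 ;; *) return 1 ;; esac
        case $triad in ?w?) digit=$((digit + 2)) ;; ?-?) ;; *) return 1 ;; esac
        case $triad in
            ??x) digit=$((digit + 1)) ;;
            ??-) ;;
            ??$lo) digit=$((digit + 1)); special=$((special + weight)) ;;
            ??$up) special=$((special + weight)) ;;   # special bit set, x absent
            *) return 1 ;;
        esac
        octal=$octal$digit
    done
    printf '%s%s\n' "$special" "$octal"
}

# audit_listing reads `ls -l` output on stdin and prints one line per finding.
audit_listing() {
    while read -r mode _links _owner _group _size _mon _day _when name _rest; do
        case $mode in l*) continue ;; esac        # a symlink's own bits are unused
        oct=$(mode_to_octal "$mode") || continue  # skips "total N" and junk
        case $oct in [4567]???) echo "setuid $oct $name" ;; esac
        case $oct in [2367]???) echo "setgid $oct $name" ;; esac
        case $oct in ???[2367]) echo "world-writable $oct $name" ;; esac
    done
}

# Sample input: the first five lines appear on this page; "scratch" is constructed.
sample_listing() {
    cat <<'EOF'
total 1632
lrwxrwxrwx 1 ct320 class      12 Nov 22  2016 checkin -> checkin_prog
-rws--x--x 1 ct320 class   42040 Sep  6  2016 checkin_prog
-rwxr-xr-x 1 ct320 class     900 Dec 17 16:47 cls
-rwsr-xr-x. 1 root root 27832 Jan 29  2014 /bin/passwd
-rw-rw-rw- 1 ct320 class      29 Jan 19 22:12 scratch
EOF
}

sample_listing | audit_listing
```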

Root Privileges

A special root account, often called the superuser account, represents the omnipotent administrative user. It can perform tasks that other users are restricted from performing:

Root Privileges

Several ways exist in which root privileges can be accessed, and a number of concerns should be taken into account when deciding which method to use:

Root

Access Control Problems

Common Extensions

Modified: 2017-12-13T11:55

Colorado State University, Fort Collins, CO 80523 USA
© 2015 Colorado State University