Introduction to UNIX / Linux - 4
Dr. Jerry Shiao, Silicon Valley University
Summer 2015
SILICON VALLEY UNIVERSITY CONFIDENTIAL
Introduction UNIX/Linux Course

Section 4

The UNIX File System
- File Types and Representation
- File Attributes
- File Organization and Management
- File Storage in the UNIX File System
- File Commands and Primitives

The UNIX File Security
- File Protection From Unauthorized Access
  - User Login
  - Encrypt File
  - User Access Privileges
- File and Directory Access Privileges
- Special Access Bits

The UNIX File System: UNIX File Concept
- A file is a sequence of bytes.
- Everything (network card, disk drive, keyboard, file, directory) can be treated as a file.
- Meaning is attached to the file's contents by the application that uses/processes the file.

Types of Files
- Simple/ordinary file
- Directory
- Symbolic (soft) link
- Special (device) files
  - Block special files
  - Character special files
- Named pipe (FIFO)
- Socket

Copyright @2005 Pearson Addison-Wesley.

The UNIX File System: Simple / Ordinary Files
- Store information and data on a secondary storage device.
- Meanings are attached to a file's content by the application that uses/processes the file.
- File extensions: the compiler expects the ".c" extension, a web browser expects the ".html" extension, the loader expects the ".o" extension.

The UNIX File System: Directory
- Array of entries: the names of files/directories and their Inode numbers.
- Inode (Index Node) number: index into an array on disk.
  - Disk array entry: the file's attributes.
  - There is an Inode for every file in UNIX.
- Inode Table
  - Table of Inodes in memory for all open files.
  - The file's Inode is copied from disk into the Inode Table.
  - File attributes are then accessed from memory, not from disk.

The UNIX File System: Link File
- Created when a symbolic link is created to an existing file.
  - Allows sharing a file without duplicating it.
  - Alias of an existing file.

Device File
- A Special File is the means of accessing hardware devices.
  - Each hardware device is associated with at least one Special File.
- To access hardware (a device), applications access the Device File with file operations (i.e. open/read/write).
- Device files live in the /dev directory.
- Character Device File: character-oriented devices for streaming data (i.e. keyboard, mice, console connection, virtual terminals).
- Block Device File: block-oriented devices for data movement in blocks (i.e. disks, CD-ROM, flash drives).
- Pseudo Device File: simulates a physical device. Access UNIX via the network or a virtual terminal in the X Window System.

Device Files

Name          Type   Major  Minor  Description
/dev/fd0      Block  2      0      Floppy disk.
/dev/hda      Block  3      0      First IDE disk.
/dev/hda2     Block  3      2      Second primary partition of first IDE disk.
/dev/hdb      Block  3      64     Second IDE disk.
/dev/hdb3     Block  3      67     Third primary partition of second IDE disk.
/dev/ttyp0    Char   3      0      Terminal
/dev/console  Char   5      1      Console
/dev/lp1      Char   6      1      Parallel printer
/dev/ttyS0    Char   4      64     First serial port
/dev/rtc      Char   10     135    Real-time clock
/dev/null     Char   1      3      Null device

Not all device files are real hardware devices. Pseudo devices (fictitious logical devices) are /dev/null, /dev/zero.

Virtual File System (VFS)
- An Inode represents an object in the file system with a unique identifier (the filename is translated to it).
- The struct file_operations abstractions (i.e. read/write/open) give all I/O operations a common interface. The indirect calls (i.e. callback functions) are the APIs specific to each file system.
- To achieve the abstraction (i.e. "black box" operation) for the user: a common API to the user through the glibc library, and a common callback function signature for the I/O functions.

The UNIX File System: InterProcess Communication Mechanisms
- Pipes, Named Pipes (FIFO), and Sockets.

Pipe
- Two related processes communicate with each other on the same system:
  - UNIX auto-creates stdin, stdout, stderr.
  - Tied to the terminal: stdin = keyboard, stdout/stderr = console.
  - A pipe allows the output (stdout) of a command (process) to be sent to the input (stdin) of another command (process).
  - Does not use the disk; implemented in main memory.

Named Pipe (FIFO)
- A file of type Named Pipe.
  - A process reading the FIFO blocks waiting for data.
  - Lets two unrelated processes communicate with each other on the same system.
  - Independently executing processes on a system.
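The pipe and FIFO behaviour above, as an added example that is not part of the course slides: a reader process blocks on a named pipe until an independent writer process delivers data, while an anonymous pipe feeds one process's stdout into another's stdin. It assumes mkfifo, mktemp and a writable temporary directory.

```shell
#!/bin/sh
# Added example, not from the course slides: a named pipe (FIFO) lets two
# unrelated processes exchange data through a file-system entry, and the
# reader blocks until a writer delivers data. Assumes mkfifo and mktemp.

# entry_type PATH: the file-type letter ls -l would show in its first column
entry_type() {
    if   [ -p "$1" ]; then printf '%s\n' p     # named pipe (FIFO)
    elif [ -d "$1" ]; then printf '%s\n' d     # directory
    elif [ -L "$1" ]; then printf '%s\n' l     # symbolic link
    elif [ -f "$1" ]; then printf '%s\n' -     # ordinary file
    else                   printf '%s\n' '?'
    fi
}

# fifo_exchange: create a FIFO, start an independent writer process, then
# read from the FIFO. Prints "<type>|<message>": the type is "p" and the
# message is whatever the writer sent. The data never touches the disk;
# the FIFO entry itself stays 0 bytes long.
fifo_exchange() {
    dir=$(mktemp -d) || return 1
    fifo=$dir/chan
    mkfifo "$fifo" || { rm -rf "$dir"; return 1; }
    type=$(entry_type "$fifo")
    # Writer: a separate process. Its open() for writing blocks until some
    # reader opens the FIFO, so it is safe to start it before the reader.
    ( echo 'hello from writer' > "$fifo" ) &
    msg=$(cat "$fifo")      # reader: blocks here until the writer's data arrives
    wait                    # reap the writer process
    rm -rf "$dir"
    printf '%s|%s\n' "$type" "$msg"
}

# anon_pipe_count: the unnamed pipe, stdout of one process feeding the
# stdin of the next; prints how many lines crossed the pipe.
anon_pipe_count() {
    printf 'a\nb\nc\n' | wc -l | tr -d ' '
}
```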

The UNIX File System: Socket
- InterProcess Communication through a Socket.
- A socket is established on both hosts.
- Client / Server Model
  - The client connects to the server to request information.
  - The two processes communicate with the same socket type and in the same domain.
- UNIX Domain – communicate through a common file system on the same host.
  - Address: character string (an entry in the file system).
  - Address Family: AF_UNIX
- Internet Domain – communicate through the Internet on different hosts.
  - Address: Internet Protocol (IP) address of the host and a port number.
  - Address Family: AF_INET

The UNIX File System: Socket System Calls

Client Side Socket System Calls
1) socket(): Create a socket.
2) connect(): Connect the socket to the address of the server.
   AF_INET: port number on the host machine.
   AF_UNIX: character string (file).
...
3) read(): Receive data.
4) write(): Send data.

Server Side Socket System Calls
1) socket(): Create a socket.
2) bind(): Bind the socket to an address.
   AF_INET: port number on the host machine.
   AF_UNIX: character string (file).
3) listen(): Listen for connections.
...
4) accept(): Accept a connection.
5) read(): Receive data.
6) write(): Send data.

The UNIX File System: File System Structure Issues
How are files ...
- Structured: a hierarchy, an upside-down tree whose base is root (/).
- Organized from the user's view.
- Stored on disk.
- Manipulated, and with what permissions.

A file is specified in three ways:
- Absolute path, starting at /
- Relative to the Present Working Directory
- Relative to the User's Home Directory

The UNIX File System: File System Structure
Pathnames: Absolute and Relative
- Absolute pathname, starting from root:
    cd /home/sau/buildArmLinux
- Relative pathname, starting at the Present Working Directory:
    cd buildArmLinux
- Relative pathname, starting at "~" (tilde), the Home Directory:
    cd ~/buildArmLinux
    cd ~

The UNIX File System: File System Structure
Home and Present Working Directories
- $HOME, ~ (tilde)
  - The User's Home Directory.
  - Configured when the user account is created.
- . (dot), pwd
  - Present Working Directory: the point from which a Relative Pathname is derived.
  - At login the Present Working Directory is the User's Home Directory.
  - ./<filename>: file in the Present Working Directory.
- .. (dot dot)
  - Parent directory of the Present Working Directory.
  - ../<filename>: file in the parent directory.

The UNIX File System: File System Structure
Executing Commands
- $ <filename>: finds <filename> in $PATH or as a Shell built-in.
- $ ./<filename>: finds <filename> in the CWD.
- $ /home/sau/<filename>: finds <filename> in the path preceding <filename>.

Executing Shell Scripts
- $ <script>: finds <script> in $PATH, uses "#!/bin/sh" as the Shell Interpreter.
- $ ./<script>: finds <script> in the CWD, uses "#!/bin/sh" as the Shell Interpreter.
- $ source <script>: finds <script> in the CWD, ignores "#!/bin/sh" and uses the current Shell Interpreter.
- $ . <script>: same as "source <script>".
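The command lookup and the two ways of running a script above, as an added example that is not part of the course slides: path_lookup imitates the $PATH search, and a throwaway script is run once as a child process and once sourced into the current shell to show which one leaves its variable and its cd behind. It assumes mktemp -d and a writable temporary directory; the script name setenv.sh and the variable MARKER are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the course slides: how a command is found through
# $PATH, and why "./script" and ". script" (source) differ.
# Assumes a writable temp directory (mktemp -d).

# path_lookup NAME: imitate the shell's $PATH search; prints the first
# executable match or "not found" (a shell built-in would win before this).
path_lookup() {
    saved_ifs=$IFS; IFS=:
    for d in $PATH; do
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
            IFS=$saved_ifs
            printf '%s\n' "$d/$1"
            return 0
        fi
    done
    IFS=$saved_ifs
    printf '%s\n' "not found"
}

# make_script: write a throwaway script (hypothetical name setenv.sh) that
# sets a variable and changes directory; prints the directory holding it.
make_script() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/setenv.sh" <<'EOF'
#!/bin/sh
MARKER=set_by_script
cd /
EOF
    chmod 755 "$dir/setenv.sh"
    printf '%s\n' "$dir"
}

# run_as_child: "$dir/setenv.sh" is executed by a child shell chosen from
# its #! line, so its variable and its cd die with the child.
# Prints "<MARKER as seen afterwards>:<same|moved>" for our own cwd.
run_as_child() {
    dir=$(make_script) || return 1
    unset MARKER
    here=$(pwd)
    # fallback to an explicit interpreter only if the temp file system is noexec
    "$dir/setenv.sh" 2>/dev/null || sh "$dir/setenv.sh"
    if [ "$(pwd)" = "$here" ]; then moved=same; else moved=moved; fi
    printf '%s:%s\n' "${MARKER:-unset}" "$moved"
    rm -rf "$dir"
}

# run_sourced: ". script" reads the script into the current shell, ignoring
# its #! line, so MARKER and the cd take effect here.
run_sourced() {
    dir=$(make_script) || return 1
    unset MARKER
    here=$(pwd)
    . "$dir/setenv.sh"
    if [ "$(pwd)" = "$here" ]; then moved=same; else moved=moved; fi
    printf '%s:%s\n' "${MARKER:-unset}" "$moved"
    cd "$here"          # undo what the sourced script did to this shell
    rm -rf "$dir"
}
```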

The UNIX File System: System Administration, Users and Groups
- The user account specifies the user's login shell and home directory.

The UNIX File System: Username to userid and groupid mapping
- /etc/passwd
    . . .
    sau:x:500:500:Simon Au:/home/sau:/bin/bash
    student1:x:501:501:student1:/home/student1:/bin/bash
    student2:x:502:502:student2:/home/student2:/bin/bash
    claruspon:x:503:503:claruspon:/home/claruspon:/bin/bash
    cs206student1:x:504:504:cs206student1:/user/cs206student1:/bin/bash
- /etc/shadow
    . . .
    sau:$1$xklKmTjR$7cOSRZv2IidNQgeUV/8UZ1:14930:0:99999:7:::
    student1:$1$ElaqELFc$7/GVVYEG/YwKyVDxEyL7R.:15371:0:99999:7:::
    student2:$1$BUXC1RaH$7aeZSMERxGSNLVRuH9CyX.:15598:0:99999:7:::
    claruspon:$1$p9TJrbar$HO8iVTNieMTvGldXBJaZa1:15760:0:99999:7:::
    cs206student1:$1$oyuB45f9$ceSvmEmF9s4vav3eqCPAA0:15979:0:99999:7:::

Linux Directory Structure

Figure: directory tree rooted at / (boot, etc, bin, usr, sbin, var, dev, mnt, home, lib, proc), with boot/vmlinux, etc/{inittab,fstab,passwd}, bin/{mount,grep}, usr/bin, sbin/init, var/log, dev/{tty0,cdrom}, home/student1 and proc/devices.

- /boot – Linux bootup files (i.e. the Linux kernel, vmlinux).
- /etc – Linux system configuration files.
  - /etc/inittab – Processes started at bootup (i.e. runlevel).
  - /etc/passwd – Where users and user accounts are defined.
  - /etc/fstab – File systems and mount points.
- /bin – Linux system binaries (i.e. cat, cp, ls, mkdir, pwd, rm, rmdir).
- /sbin/init – Process run during the boot process. System administration.
- /usr/bin – Applications for the users.
- /lib – The shared libraries for dynamically linked modules.
- /var – Data that changes while the Linux system is running.
  - /var/log – Log files updated by the running Linux system.
- /dev – Devices available to the Linux system. Devices are treated like files and can be read/written as files.
- /mnt – Storage devices (i.e. hard disks, CD-ROMs) must be attached to some directory before they can be accessed. These directories are the mount points.
- /home – Each user has their own directory; the only place normal users are allowed to write.
- /proc – Special directory containing information about the kernel.
  - /proc/devices – List of devices configured into the current kernel.

The UNIX File System: File System Structure
Navigating the File System Structure
- Log on: the system places the user in the home directory.
- Determining the absolute pathname of the Home Directory:
  echo [ string ]
    string: "string" is sent to the console.
    sau@buildbed-vm:~> echo $HOME
    /home/sau
    sau@buildbed-vm:~> echo $PWD
    /home/sau
- Browsing the File System:
  cd [ directory ]
    directory: change the Present Working Directory to the absolute or relative directory pathname.
  ls [ options ] [ pathname-list ]
    -F: display "/" after directories, "*" after binaries, "@" after symbolic links.
    -a: display the names of all files, including hidden files.
    -l: display a long list, including permissions, owner, group, size, time.
    pathname-list: list of files to display.

The UNIX File System: File System Structure
Browsing the File System
    sau@buildbed-vm:~/class> cd $HOME/class
    sau@buildbed-vm:~/class> pwd
    /home/sau/class
    sau@buildbed-vm:~/class> ls -F
    file1 file2 file_dir/ power* power.c
    sau@buildbed-vm:~/class> ls -a
    . .. file1 file2 file_dir .hidden_file power power.c
    sau@buildbed-vm:~/class> ls -l
    total 28
    -rw-r--r-- 1 sau users 10 2012-09-21 01:50 file1
    -rw-r--r-- 1 sau users 11 2012-09-21 01:50 file2
    drwxr-xr-x 2 sau users 4096 2012-10-01 18:08 file_dir
    -rwxr-xr-x 1 sau users 10042 2012-09-21 01:37 power
    -rw-r--r-- 1 sau users 288 2012-09-21 01:37 power.c
    sau@buildbed-vm:~/class> ls -l .hidden_file
    -rw-r--r-- 1 sau users 0 2012-10-01 18:10 .hidden_file

The UNIX File System: File System Structure
Summary of the "ls -l" command (fields listed left to right).

The UNIX File System: File System Structure
Some important hidden files and their purpose.

The UNIX File System: File System Structure
Creating and Removing Directories
mkdir [ options ] dirnames
- dirnames: create the "dirname" directories.
- -m MODE: create with the given access permissions.
- -p: create parent directories that do not exist in "dirname".

    mkdir -p usrdir1/usrdir1_1
    mkdir /tmp/tmp1
    mkdir usrdir2

Figure: the resulting tree, with /home/sau as the Current Working Directory: /tmp/tmp1/, /home/sau/usrdir1/usrdir1_1/ and /home/sau/usrdir2/.

The UNIX File System: File System Structure
Removing Directories
rmdir [ options ] dirnames
- dirnames: remove the "dirname" directories.
- -p: remove parent directories as well.

    rmdir -p usrdir1/usrdir1_1
    rmdir /tmp/tmp1
    rmdir usrdir2

Figure: the directories removed, with /home/sau as the Current Working Directory: /tmp/tmp1/, /home/sau/usrdir1/usrdir1_1/ (and usrdir1/ with -p) and /home/sau/usrdir2/.

File System Structure
File Attributes: Using the ls command
    [student2@unknown001320aa6702 ~]$ ls
    Desktop Download mbox Pictures Templates Videos
    Documents link_mbox Music Public testTools
    [student2@unknown001320aa6702 ~]$ ls -a
    . .. .bash_history .bash_logout .bash_profile .bashrc .config Desktop
    .dmrc Documents Download .gconf .gconfd .gnome .gnome2 .gnome2_private
    .gstreamer-0.10 .gtk-bookmarks .gtkrc-1.2-gnome2 .ICEauthority link_mbox
    mbox .metacity Music .nautilus Pictures Public .redhat Templates testTools
    .Trash Videos .viminfo .xsession-errors .zshrc
    [student2@unknown001320aa6702 ~]$ ls -F
    Desktop/ Download/ mbox Pictures/ Templates/ Videos/
    Documents/ link_mbox@ Music/ Public/ testTools*
    [student2@unknown001320aa6702 ~]$ ls -l
    total 592
    drwxr-xr-x 2 student2 student2 4096 2012-09-14 18:26 Desktop
    drwxr-xr-x 2 student2 student2 4096 2012-09-14 18:26 Documents
    drwxr-xr-x 2 student2 student2 4096 2012-09-14 18:26 Download
    lrwxrwxrwx 1 student2 student2 4 2013-10-02 01:47 link_mbox -> mbox
    -rw------- 1 student2 student2 714 2012-09-23 14:26 mbox
    ...
    -rwxr-xr-x 1 root root 517659 2013-10-02 01:48 testTools

File System Structure
File Attributes: Using the ls command
    $ ls -l
    drwxr-xr-x 2 student2 student2 4096 2012-09-14 18:26 Desktop

The UNIX File System: File System Structure
File Content Type
file [ options ] file-list
- -f FILE: use FILE as the list of names in "file-list".

    sau@buildbed-vm:~/class> file *
    file1:      ASCII text
    file1~:     ASCII text
    file1_link: symbolic link to `file1'
    file2:      ASCII text
    file_dir:   directory
    power:      ELF 32-bit LSB executable, Intel 80386, version 1
                (SYSV), dynamically linked (uses shared libs), for
                GNU/Linux 2.6.4, not stripped
    power.c:    ASCII C program text

The UNIX File System: File Representation
- Inode Table Entry.
- Block number = disk sector.
- Sector = disk no., cylinder no., track no., sector no.
- File space is allocated in clusters of two, four, or eight 512-byte disk blocks.

The UNIX File System: File Representation
1) A directory contains an array of entries <inode #, filename>.
2) An entry is placed in the Inode Table in RAM when the file is opened.
3) Indexing into the Inode Table returns the Inode entry, which holds the block locations of the file on disk.

The UNIX File System: Standard Files and File Descriptors
- There is a File Descriptor for every open file in UNIX.
- Three Standard Files exist when a command is executed:
  - stdin (0): terminal keyboard.
  - stdout (1): monitor screen.
  - stderr (2): monitor screen.
- Redirect operations:
  - < : input redirect.
  - > : output and error redirect.

Figure: File Descriptor -> File Descriptor Table -> Systemwide File Table -> Systemwide Inode Table -> File Contents on Disk.

The UNIX File Security
- A time-sharing system allows multiple users access.
- Shared hardware/software resources must be protected:
  - Storage devices.
  - I/O devices.
  - CPU.
  - Main memory.
- File protection from unauthorized access: UNIX provides three mechanisms to protect files.
  - User login name and password.
  - File encryption.
  - Access privileges granted to users.

The UNIX File Security: Password-Based Protection
- A password is discovered by:
  - Telling someone.
  - Guessing "weak" passwords.
  - Brute force.
- Change the password:
    sau@buildbed-vm:~> passwd
    Changing password for sau.
    Old Password:
    New Password:
    Bad password: it is based on a dictionary word
    New Password:
    Bad password: too simple
    New Password:
    Reenter New Password:
    Password changed.

The UNIX File Security: Encryption-Based Protection (GNU Privacy Guard)
    $ gpg -c minicom.log
    Enter passphrase: <password>
    Repeat passphrase: <password>
    $ ls
    … minicom.log.gpg …
    $ gpg minicom.log.gpg
    gpg: CAST5 encrypted data
    Enter passphrase: <password>
    gpg: WARNING: message was not integrity protected

The UNIX File Security: Encryption-Based Protection
    [student1@localhost ~]$ gpg --gen-key
    gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software …
    …
    Please select what kind of key you want:
    (1) DSA and Elgamal (default)
    (2) DSA (sign only)
    (5) RSA (sign only)
    Your selection?
    …
    What keysize do you want? (2048)
    …
    Please specify how long the key should be valid.
    …
    Key is valid for? (0)
    Key does not expire at all
    Is this correct? (y/N)
    You need a user ID to identify your key; the software
    constructs the user ID …
    Real name: Simon Au
    Email address: sau@svuca.edu
    Comment: Lecturer
    You selected this USER-ID:
    "Simon Au (Lecturer) <sau@svuca.edu>"
    …
    You need a Passphrase to protect your secret key.
    …
    gpg: /home/student1/.gnupg/trustdb.gpg: trustdb created
    …
    [student1@localhost ~]$ gpg --encrypt --recipient simon minicom.log
    [student1@localhost ~]$ ls
    …
    envSetup.bash minicom.log.gpg
    test2
    …
    [student1@localhost ~]$ gpg --output minicom_3.log --decrypt minicom.log.gpg
    You need a passphrase to unlock the secret key for
    user: "Simon Au (Lecturer) <sau@svuca.edu>"

The UNIX File Security: Protection Based on Access Permission
- Prevents users from accessing each other's files when not logged on as the file's owner.
- File owner:
  - Assigns access rights to files.
  - Dictates how other users can access them (i.e. Read, Write, Execute).
- Without this protection scheme:
  - The UNIX file system is easy to access: it has a single root from which all files are derived.
  - Users could access each other's files.

The UNIX File Security: Access Permission Protection
Types of Users
- User (owner) : Group : Other
  - User: the owner of the file.
  - Group: a group of users.
  - Other: other users not in the group.

/etc/group fields: Group Name : Info : Group ID : Users
    $ more /etc/group
    …
    root:x:0:
    …
    video:x:33:sau
    users:x:100:
    $ groups sau
    sau : video users
    $ groups root
    root : root

/etc/passwd fields: User Name : Password : UserID : GroupID : UserInfo : Home : Shell
    $ more /etc/passwd
    …
    root:x:0:0:root:/root:/bin/bash
    …
    sau:x:1001:100:sau:/home/sau:/bin/bash

The UNIX File Security: Access Permission Protection
Types of Users (cont.)
    $ id sau
    uid = 1001 (sau) gid = 100 (users) groups = 100 (users), 33 (video)
- Primary group: files created by the owner (sau) get the primary group.
- Supplementary group: access to additional resources (files).
- Commands:
  - Create a new user with a primary ( -g ) or supplementary ( -G ) group:
      useradd -g <group> <new user>
      useradd -G <group> <new user>
  - Change an existing user's primary ( -g ) or supplementary ( -G ) group:
      usermod -g <group> <existing user>
      usermod -G <group> <existing user>

The UNIX File Security: Types of Access Permissions
Read : Write : Execute
- A file has nine permissions: 3 for User, 3 for Group, 3 for Others.
- 3 bits for the file permission of each type, e.g. mode 744:
    User   = 7 (Read / Write / Execute) = 1 1 1
    Group  = 4 (Read / NA / NA)         = 1 0 0
    Others = 4 (Read / NA / NA)         = 1 0 0

The UNIX File Security: Types of Access Permissions
View Access Permissions of Files / Directories
- ls -l [ file-list ]
  Display a long list of the files in "file-list", or of all files in the Present Working Directory.
    ls -l             : list all files in the Present Working Directory.
    ls -l /etc/passwd : list the file /etc/passwd.
    ls -l /etc        : list all files in /etc.
- ls -ld [ directory-list ]
  Display a long list of the directories in "directory-list" themselves, or of the Present Working Directory.
    ls -ld             : list the Present Working Directory.
    ls -ld /etc/passwd : list the file /etc/passwd.
    ls -ld /etc        : list the directory /etc (not its contents).

The UNIX File Security: Types of Access Permissions
View Access Permissions of Files / Directories (ls -l, ls -ld); fields of the first column, left to right:
- File type: "d" indicates a directory, "-" indicates a file.
- File owner access permissions.
- File group access permissions.
- File other access permissions.

The UNIX File Security: Types of Access Permissions
View Access Permissions of Directories
- r: read the contents of the directory (use the "ls" command).
- w: create or remove entries in the directory.
- x: search the directory (use the "ls -l" command on its files).
For the figure's example directory (group r-x, other ---):
- Group CANNOT write.
- Group CAN use the "ls" command.
- Group CAN use the "ls -l" command.
- Other CANNOT write.
- Other CANNOT use the "ls" command.
- Other CANNOT use the "ls -l" command.

The UNIX File Security: Changing File Access Privileges
- chmod [ options ] octal-mode file-list
  - octal-mode: an octal value representing the Read / Write / Execute access permissions.
    7 = Read/Write/Execute, 4 = Read-Only, 6 = Read/Write.
- chmod [ options ] symbolic-mode file-list
  - symbolic-mode: < who > < operator > < privilege >
  - "=" operator.

The UNIX File Security: Changing File Access Privileges
    $ ls -l
    total 60
    drwxr-xr-x 2 sau users 4096 2012-10-03 15:58 file_dir
    $ ls -l file_dir
    total 0
    -rw-r--r-- 1 sau users 0 2012-10-03 15:54 temp
    -rw-r--r-- 1 sau users 0 2012-10-03 15:58 temp2
    $ chmod -R 711 file_dir
    $ chmod -R 700 file_dir/temp2
    $ ls -l
    total 60
    ...
    drwx--x--x 2 sau users 4096 2012-10-03 15:58 file_dir
    ...
    $ ls -l file_dir
    total 0
    -rwx--x--x 1 sau users 0 2012-10-03 15:54 temp
    -rwx------ 1 sau users 0 2012-10-03 15:58 temp2
    $ chmod 7 example
    $ chmod 70 file_dir
    $ ls -l
    total 60
    d------rwx 2 sau users 4096 2012-10-03 17:23 example
    ...
    d---rwx--- 2 sau users 4096 2012-10-03 15:58 file_dir
    ...
Octal-mode privileges are positional: missing leading digits are read as 0, so "chmod 7" sets only the Other bits and "chmod 70" sets only the Group bits.

The UNIX File Security: Changing Directory Access Privileges
- Read: allows reading the directory's contents.
- Write: allows creating / removing files or directories.
- Execute: allows searching the directory.
- NOTE: for the Read / Write privilege to be usable, the Execute privilege MUST be set.

The UNIX File Security: Default File or Directory Access Privileges
- Sets the access privileges for a new file or directory.
- umask [ mask ]
  - mask: new files and directories get the access permissions EXCEPT for the "mask" bits.
- umask 027 (prohibit non-group members from accessing files and directories)

    umask:                          027 ; --- -w- rwx

    New files:
    Initial file permission:        666 ; rw- rw- rw-
    Complement of mask:  NOT(027) = 750 ; rwx r-x ---
    Resultant file permission:  750 AND 666 = 640 ; rw- r-- ---

    New directories:
    Initial directory permission:   777 ; rwx rwx rwx
    Complement of umask: NOT(027) = 750 ; rwx r-x ---
    Resultant directory permission: 750 AND 777 = 750 ; rwx r-x ---
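The umask derivation above, carried out in code as an added example that is not part of the course slides: apply_umask computes BASE AND NOT(MASK) one octal digit at a time, and observe_umask creates a real file or directory under the mask and reports the permission string ls shows, so the computed 640/750 can be checked against the kernel's behaviour. It assumes mktemp -d and a writable temporary directory.

```shell
#!/bin/sh
# Added example, not from the course slides: derive the permissions of a new
# file (base 666) or directory (base 777) under a umask, digit by digit, the
# way the slide derives 640 and 750 from umask 027, then confirm against a
# real file and directory. Assumes mktemp -d and a writable temp directory.

# apply_umask MASK BASE: prints BASE AND NOT(MASK) as three octal digits.
# Each octal digit is one 3-bit rwx group, so NOT(m) within a group is 7 - m.
apply_umask() {
    mask=$1; base=$2
    while [ ${#mask} -lt 3 ]; do mask=0$mask; done   # "27" -> "027"
    while [ ${#base} -lt 3 ]; do base=0$base; done
    out=; i=1
    while [ $i -le 3 ]; do
        m=$(printf '%s' "$mask" | cut -c$i)
        b=$(printf '%s' "$base" | cut -c$i)
        out=$out$(( b & (7 - m) ))
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

new_file_mode() { apply_umask "$1" 666; }   # what ": > file" or touch yields
new_dir_mode()  { apply_umask "$1" 777; }   # what mkdir yields

# observe_umask MASK file|dir: create an entry under MASK in a scratch
# directory and report the permission string ls -l shows (first 10 chars,
# so an ACL "+" or security-context "." suffix is ignored).
observe_umask() {
    dir=$(mktemp -d) || return 1
    (
        umask "$1"                      # applies only inside this subshell
        if [ "$2" = dir ]; then mkdir "$dir/probe"; else : > "$dir/probe"; fi
    )
    ls -ld "$dir/probe" | cut -c1-10
    rm -rf "$dir"
}
```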

The UNIX File Security: Special Access Bits
The Set-User-ID (SUID) Bit
- If the SUID bit is set on an executable file (i.e. a command or shell script), the process takes on the User privilege of the owner of the file when it executes.
- If the SUID bit is NOT set on an executable file, the process takes on the privilege of the user executing the file.
- File /etc/passwd is owned by root.
- The passwd command, run by users, changes the /etc/passwd file.
- This allows /etc/passwd to be changed through the passwd command, but not by other users accessing /etc/passwd directly.
    sau@buildbed-vm:/usr/bin> ls -l /etc/passwd
    -rw-r--r-- 1 root root 2029 2012-10-02 15:43 /etc/passwd
    sau@buildbed-vm:/usr/bin> ls -l /usr/bin/passwd
    -rwsr-xr-x 1 root shadow 80268 2011-07-29 12:55 /usr/bin/passwd
- "s" = Execute and SUID set.
- "S" = SUID set (no Execute).

The UNIX File Security: Special Access Bits
The Set-Group-ID (SGID) Bit
- If the SGID bit is set on an executable file, the process takes on the Group privilege of the owner of the file when it executes.
- If the SGID bit is NOT set on an executable file, the process takes on the privilege of the user executing the file.
    sau@buildbed-vm:~/class> ls -ld file_dir
    d---rws--- 2 sau users 4096 2012-10-03 15:58 file_dir
- "s" = Execute and SGID bit set.
- "S" = SGID bit set (no Execute).

The Sticky Bit
- If the Sticky bit is set, only the file or directory's owner or the SuperUser can rename or delete the file or directory.
- If the Sticky bit is NOT set, any user with write and execute permissions can rename or delete a file or directory.
    sau@buildbed-vm:/> ls -ld /tmp
    drwxrwxrwt 189 root root 12288 2012-10-04 03:15 /tmp
- "t" = Execute and Sticky bit set.
- "T" = Sticky bit set (no Execute).

The UNIX File Security: Special Access Bits
- The Set-User-ID (SUID) bit:
    chmod 4xxx file-list
    chmod u+s file-list
- The Set-Group-ID (SGID) bit:
    chmod 2xxx file-list
    chmod g+s file-list
- The Sticky bit:
    chmod 1xxx file-list
    chmod +t file-list

The UNIX File Security: Special Access Bits
    [student3@unknown001320aa6702 ~]$ umask
    0002
    [student3@unknown001320aa6702 ~]$ ls -ld sau
    drwxrwxr-x 2 student3 student3 4096 2013-10-04 16:41 sau
    [student3@unknown001320aa6702 ~]$ chmod 2775 sau
    [student3@unknown001320aa6702 ~]$ ls -ld sau
    drwxrwsr-x 2 student3 student3 4096 2013-10-04 16:41 sau
    [student3@unknown001320aa6702 ~]$ ls -l sau_file
    -rw-rw-r-- 1 student3 student3 0 2013-10-04 16:42 sau_file
    [student3@unknown001320aa6702 ~]$ chmod 4664 sau_file
    [student3@unknown001320aa6702 ~]$ ls -ld sau_file
    -rwSrw-r-- 1 student3 student3 0 2013-10-04 16:42 sau_file
    [student3@unknown001320aa6702 ~]$

The UNIX File Security: Special Access Bits
    [student3@unknown001320aa6702 ~]$
    [student3@unknown001320aa6702 ~]$ ls -ld sau
    drwxrwsr-x 2 student3 student3 4096 2013-10-04 16:41 sau
    [student3@unknown001320aa6702 ~]$ chmod 1775 sau
    [student3@unknown001320aa6702 ~]$ ls -ld sau
    drwxrwsr-t 2 student3 student3 4096 2013-10-04 16:41 sau
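The octal-to-rwx mapping from the "Types of Access Permissions" slides and the s/S and t/T display of the special bits shown in the sessions above, as an added example that is not part of the course slides: mode_to_symbolic renders any chmod octal mode as the ls -l permission string (including the positional "chmod 7" case), and suid_check classifies a single ls -l line so SUID-root entries and ineffective SUID bits (capital S) can be spotted in a listing. The ls -l sample lines in the test are taken from the slides; nothing here touches the real file system.

```shell
#!/bin/sh
# Added example, not from the course slides: render an octal chmod mode as
# the ls -l permission string, including how SUID/SGID/sticky show as s/S
# and t/T, and flag SUID-root entries in ls -l output. Sample lines are
# taken from the slides; nothing here touches the real file system.

# triplet DIGIT FLAG LOWER UPPER: one rwx group from a 3-bit octal digit.
# FLAG non-zero means this group's special bit is set: it replaces the x
# slot with LOWER when execute is also set ("s"/"t"), else UPPER ("S"/"T").
triplet() {
    r=-; w=-; x=-
    [ $(( $1 & 4 )) -ne 0 ] && r=r
    [ $(( $1 & 2 )) -ne 0 ] && w=w
    [ $(( $1 & 1 )) -ne 0 ] && x=x
    if [ "$2" -ne 0 ]; then
        if [ "$x" = x ]; then x=$3; else x=$4; fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_symbolic MODE: 4664 -> rwSrw-r--, 2775 -> rwxrwsr-x, 7 -> ------rwx
# The leading digit carries SUID (4), SGID (2) and sticky (1).
mode_to_symbolic() {
    m=$1
    while [ ${#m} -lt 4 ]; do m=0$m; done      # octal digits are positional
    sp=${m%???}; o=${m#???}
    u=${m#?};  u=${u%??}
    g=${m%?};  g=${g#??}
    printf '%s%s%s\n' "$(triplet "$u" $(( sp & 4 )) s S)" \
                      "$(triplet "$g" $(( sp & 2 )) s S)" \
                      "$(triplet "$o" $(( sp & 1 )) t T)"
}

# suid_check "LS_LINE": "suid-root" when a root-owned entry has the SUID bit
# (the /usr/bin/passwd case, worth inventorying on any host), "suid-noexec"
# when the bit is set without execute (ls shows a capital S and the bit
# does nothing), else "plain".
suid_check() {
    set -- $1                        # split the ls -l line into fields
    perm=$1; owner=$3
    c=${perm#???}; c=${c%"${c#?}"}   # 4th character: the owner execute slot
    case "$c:$owner" in
        s:root) printf 'suid-root\n' ;;
        S:*)    printf 'suid-noexec\n' ;;
        *)      printf 'plain\n' ;;
    esac
}
```

The final slide's "chmod 1775 sau" leaves the earlier SGID bit in place (GNU chmod preserves an existing set-group-ID bit on a directory when given a four-digit numeric mode), so the listing drwxrwsr-t corresponds to mode 3775.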