Linux Tutorial - Managing Group Access on Linux and UNIX

Every Linux user has a user name and a group name, each of which maps to a
numeric identifier: the user ID (UID) and the group ID (GID) respectively.
Groups tie users together for a common security, privilege and access
purpose, and they are the foundation of Linux access control. Access to files
and devices is granted on the basis of a user's ID or group ID. This tutorial
shows how this is used.
File, directory and device (special file) permissions are granted based on "user",
"group" or "other" (world) identification status. Permission is granted (or denied)
for read, write and execute access.
File, Directory and Device permissions:
Modification of file, directory and device access is achieved with the chmod
command.

Grant read permissions to a file which you own so that everyone may
read it:
chmod ugo+r file-name

Grant read permissions on a directory:
chmod ugo+rx directory-name

Note that a directory needs both bits: "read" lets a user list the names in it,
and "execute" is required to traverse it, i.e. to open or stat the files inside.
Read without execute yields only the names.
Deny read access to a file to everyone except yourself:
chmod go-r file-name

(chmod o-r file-name removes only the world bit; members of the file's group
can still read it.)

Allow everyone in your group to be able to modify the file:
chmod 660 file-name
An octal mode is absolute: 660 sets read/write for user and group and clears
every other bit, including any execute bit. To add group write without touching
the rest, use chmod g+w file-name.
See the chmod man page for more info.
Permissions may be viewed by issuing the command: ls -l file-name

File can be written by yourself and members of the group. Others may
only view it.
-rw-rw-r-- user group file-size date file-name

Directory is completely open for read/write:
drwxrwxrwx user group file-size date directory-name

File can only be accessed by owner (user):
-rwx------ user group file-size date file-name
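The chmod forms above, applied to throw-away files so the resulting mode bits can be read back with stat(1). This is an added example, not code from the original tutorial; it assumes GNU coreutils (stat -c '%a'), and the file names are made up for the demonstration. It also shows the two points that trip people up: chmod o-r leaves group read in place, and an octal mode such as 660 replaces every bit rather than adding one.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): run each chmod form from
# the text in a temporary directory and print the resulting permission bits.
# Assumes GNU coreutils for stat -c; report.txt and shared/ are made-up names.

# mode_of FILE -> octal permission bits of FILE, e.g. 644
mode_of() {
    stat -c '%a' "$1"
}

# chmod_walkthrough -> prints one "label=mode" line per chmod form
chmod_walkthrough() {
    box=$(mktemp -d) || return 1
    f="$box/report.txt"; d="$box/shared"
    : > "$f"; mkdir "$d"

    chmod 600 "$f"; chmod ugo+r "$f"          # everyone may read it
    echo "ugo+r=$(mode_of "$f")"              # 644

    chmod o-r "$f"                            # removes only the world bit...
    echo "o-r=$(mode_of "$f")"                # 640: the group can still read

    chmod go-r "$f"                           # ...so drop group read as well
    echo "go-r=$(mode_of "$f")"               # 600

    chmod 755 "$f"; chmod g+w "$f"            # symbolic form adds one bit
    echo "g+w=$(mode_of "$f")"                # 775: execute bits are kept

    chmod 755 "$f"; chmod 660 "$f"            # octal form is absolute
    echo "660=$(mode_of "$f")"                # 660: x and world bits cleared

    chmod 700 "$d"; chmod ugo+rx "$d"         # r lists names, x traverses
    echo "dir=$(mode_of "$d")"                # 755

    rm -rf "$box"
}

chmod_walkthrough
```

Run it as any user; the mode bits are reported by the filesystem, so the output is the same whether or not the caller is root.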
Groups and group members:
Users are members of a default group. Red Hat Linux will add new users to a
group of the same group name as the user name. The default group is
specified in the file /etc/passwd
user-name:x:user-number:group-number:comment section:/homedirectory:default-shell
user1:x:500:500:Greg:/home/user1:/bin/bash
The user id has a user system number associated with it and this is defined in
/etc/passwd. The group has a group system number associated with it and
this is defined in /etc/group
group-name:x:group-number:user1,user2
user1:x:500:
user2:x:501:
floppy:x:19:user1
accounting:x:600:user2
apache:x:48:
User "user1" is a member of default group "user1" and also a member of
group "floppy".
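Resolving membership from the two files just described, the way groups(1) and id(1) do, is also the way to audit a copy of /etc/passwd and /etc/group taken from another host. The following is an added example, not code from the original page; the passwd and group contents are constructed sample data in the format shown above, and the function names groups_of and members_of are my own.

```shell
#!/bin/sh
# Added example (not from the original page): resolve group membership from
# passwd/group files in the formats shown above. The sample files below are
# constructed for the demonstration, not copied from a real system.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:500:500:Greg:/home/user1:/bin/bash
user2:x:501:501:Sam:/home/user2:/bin/bash
EOF
cat > "$SAMPLE/group" <<'EOF'
root:x:0:
wheel:x:10:user1,user2
floppy:x:19:user1
apache:x:48:
user1:x:500:
user2:x:501:
accounting:x:600:user2
EOF

# groups_of USER PASSWD GROUP -> primary group first, then supplementary
# groups in /etc/group order; fails if USER is not in PASSWD
groups_of() {
    awk -F: -v u="$1" '
        FNR == NR { if ($1 == u) gid = $4; next }   # pass 1: passwd, primary GID
        $3 == gid { primary = $1; next }             # pass 2: group, name of that GID
        { n = split($4, m, ",")                      # member lists are comma separated
          for (i = 1; i <= n; i++) if (m[i] == u) supp = supp " " $1 }
        END { if (gid == "") exit 1; print primary supp }
    ' "$2" "$3"
}

# members_of GROUP PASSWD GROUP -> listed members plus every user whose
# primary GID is that group (a UPG lists nobody but still has its owner)
members_of() {
    awk -F: -v g="$1" '
        FNR == NR {                                  # pass 1: group file
            if ($1 == g) {
                gid = $3; n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") { seen[m[i]] = 1; out = out " " m[i] }
            }
            next
        }
        gid != "" && $4 == gid && !($1 in seen) { out = out " " $1 }   # pass 2: passwd
        END { if (gid == "") exit 1; print substr(out, 2) }
    ' "$3" "$2"
}

groups_of user1 "$SAMPLE/passwd" "$SAMPLE/group"     # user1 wheel floppy
members_of wheel "$SAMPLE/passwd" "$SAMPLE/group"    # user1 user2
```

Pointing members_of at groups such as wheel or disk is the quick way to answer "who can escalate on this box" from an offline copy of the files.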
Group Commands:

gpasswd: administer the /etc/group file
groupadd: Create a new group
groupmod: Modify a group
groupdel: Delete a group
If using NIS, view the groups using the command: ypcat group
Switching your default group:
Use the command newgrp group-name to switch the current (primary) group ID
used in file creation and directory access. This starts a new shell. Exit to
return to the previous group id. Use the ps command to see if more than one
shell is active.
For example "user2" would like to create a file in the accounting directory
which can be read by members of that group. First switch the default group
with the command: newgrp accounting
To return to your default group issue the "exit" command. If confused, issue
the "ps" command. There should only be one instance of bash, else you are in
the alternate group and not the default group.
To change the group associated with an existing file, use the command chgrp
group-name file-name (newgrp changes the group of your shell, never of a file).
You must own the file and be a member of the group to execute the command
successfully (or be root).
The newgrp command logs a user into a new group by changing a user's real
and effective group ID. The user remains logged in and the current directory is
unchanged. The execution of newgrp always replaces the current shell with a
new shell, even if the command terminates with an error (unknown group).
Any variable that is not exported is reset to null or its default value. Exported
variables retain their values. System variables (such as PS1, USER, PATH
and HOME), are reset to default values unless they have been exported by
the system or the user.
With no operands and options, newgrp changes the user's group IDs (real
and effective) back to the group specified in the user's password file entry.
This is a way to exit the effect of an earlier newgrp command.
A password is demanded if the group has a password and the user is not
listed in /etc/group as being a member of that group. Group passwords are set
with gpasswd group-name (on shadow-enabled systems the hash is stored in
/etc/gshadow rather than in the password field of /etc/group). Group
passwords are antiquated and not often used: anyone who learns the password
can join the group, so explicit membership is preferred.
The form newgrp - group-name starts the new shell with the environment
reinitialised as though you had just logged in as a member of that group,
instead of inheriting the current environment.
Changing group ownership:
When a user creates a file, its group is the user's current (primary) group ID.
To change it to another group of which he is a member, issue the
command: chgrp new-group file-name
If the user is not a member of that group the command fails with "Operation
not permitted"; there is no password prompt, and only root can assign a file
to an arbitrary group.
Default user groups:
Users are assigned upon user creation, a User Private Group (UPG) which is
a unique group ID of the same name as the user ID. This allows for a fine
atomic level of group permissions to be assigned for tighter and simpler
default security.
Pre-Configured system groups:
The typical Linux installation will come with some existing standard groups
(see /etc/group):

Group     GID
root      0
bin       1
daemon    2
sys       3
adm       4
tty       5
disk      6
lp        7
mem       8
kmem      9
wheel     10
mail      12
man       15
floppy    19
named     25
rpm       37
xfs       43
apache    48
ftp       50
lock      54
sshd      74
nobody    99
users     100

This is only a partial listing of the default groups. There will also be a default
set of member user IDs associated with most of the groups. Membership of
groups such as wheel (su/sudo access on many distributions), disk (raw access
to block devices) and kmem (access to kernel memory) is security-sensitive
and should be reviewed.
Grant use of a device to system users:
The first example grants access to a device, the CD-ROM. This is generally
not done for regular users on a server, where access to a CD-ROM is limited
to root by default. (This example may also be applied to the diskette.
Group: floppy, first floppy device: /dev/fd0.) The steps are:
1. Grant mount privileges to system users.
2. Create group cdrom.
3. Allow use of device by group cdrom.
4. Add user to group cdrom.

1. Grant privileges to system users to mount the device:
o Manual method: This requires a change to the file /etc/fstab. The
fourth column defines mounting options. The default option owner lets
only the owner of the device file (root) mount it. To grant users the ability
to mount the device, change the owner option to user. With the
user option only the user who mounted the device can unmount
the device. To allow anyone to unmount the device, use the
option users. Both user and users imply nosuid, nodev and noexec for
the mounted filesystem unless overridden, which is what keeps a
user-mounted disc from introducing setuid binaries or device nodes.
o Linuxconf GUI method: (Note: Linuxconf is no longer included
with Red Hat Linux 7.3 and later)
- RH 5.2: Start + Programs + Administration + Linuxconf.
- RH 6.0: Select Gnome Start icon + System + Linuxconf.
- Select Config + File systems + Access local drive.
- Select the device /dev/cdrom.
- Select the tab Options.
- Add the option User mountable to allow users to mount
the CD-ROM. The user who mounted the CD must also
be the one to unmount the CD. OR select the tab Misc.
and add to Other options: users if you want to allow
anyone to be able to unmount the CD regardless of who
mounted it.
For more information see the man pages for mount and fstab.
2. Create group cdrom:
o Manual method:
- Add the line cdrom:x:<unique group number>:root,<userid>
to the file /etc/group, where <userid> is the user to be granted use of
the CD-ROM and the group number is one not already in use (check the
existing entries in /etc/group first: 25, for instance, is taken by
named in the list above).
OR
- Add a group with the command: groupadd <group name>,
in this case groupadd cdrom. This picks a free GID and keeps
/etc/gshadow consistent, so it is the safer of the two.
o Linuxconf GUI method: (Admin tool linuxconf is no longer
included with Red Hat 7.3+.)
- Start linuxconf.
- Select Config + User Accounts + Normal + Group Definitions + Add.
- Group Name: cdrom
- Alternate Members (opt): root <user name> (Add space
delimited user ids here)
- Accept
For more information see the man pages for groupadd, groupmod and
groupdel.
3. Allow use of device by group cdrom.
o Manual method:
- Use the command: chown owner:group <device> to
assign the device to a user and group. For example:
chown root:cdrom /dev/hdd (use hdd if the CD-ROM is the
slave device on the 2nd IDE controller; on current kernels optical
drives appear as /dev/sr0, with /dev/cdrom as a symbolic link to it).
- Allow group access to the device: chmod 660 /dev/hdd
Note that on systems with udev the nodes under /dev are recreated at
boot, so ownership set by hand does not survive a reboot. Put the group
and mode in a udev rule (most distributions already ship one assigning
optical drives to group cdrom) and use chown/chmod only to fix the
running system.
o GUI method:
 Start the File Manager and right click the file representing
the cdrom device. Select Properties . Then select the tab
Permissions . Set the Owner to root and the Group to
cdrom. Allow Read and Write privileges for the user and
group by selecting the appropriate buttons.
4. Add user to group cdrom: At this point, adding users to the group
cdrom will grant them access to the device.
o Manual method: The user ids specified in /etc/group are a
comma separated list.
- Use the command usermod -aG <group> <user id> to append the
group. Without -a, usermod -G <comma separated group list>
<user id> replaces the user's supplementary groups with exactly
the list given, so be sure to list all of them. To list all groups to
which a user belongs use the command groups <user id>. The new
membership applies to sessions started after the change; a user who
is already logged in must log in again (or use newgrp).
o Linuxconf GUI method: Step two allowed you to assign users to
the group. If users still need to be assigned use the following
method:
- After starting Linuxconf, select options Config + User
Accounts + Normal + User Accounts.
- Next to supplementary groups add the group cdrom.
Groups should be delimited by spaces.
OR, for a completely different method than steps 1 to 4, use the one step
approach:

chmod 664 /dev/hdd : Allow read use of the CD-ROM device to all users
(hdd is just the example, your device name can vary). This
method is quick, inelegant and can be used for your own desktop
system but definitely don't do this on a server.
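The four manual steps above as shell functions. This is an added example, not code from the original tutorial. fstab_allow_user_mount rewrites the option field of one fstab entry (step 1) and is run here on a constructed sample file; grant_device_access performs the root-only steps 2 to 4 with groupadd, chown/chmod and usermod -aG and is defined but not executed; in_group is the check a practitioner runs afterwards. The function names, the sample fstab lines and the /dev/sr0 node in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): steps 1-4 as functions.
# The fstab lines below are constructed sample data; nothing here touches
# the real /etc/fstab or /dev unless grant_device_access is called as root.

# fstab_allow_user_mount FSTAB DEVICE -> prints FSTAB with DEVICE's 'owner'
# option changed to 'user' (step 1); adds 'user' if neither user nor users is set
fstab_allow_user_mount() {
    awk -v dev="$2" 'BEGIN { OFS = "\t" }
        $1 == dev {
            n = split($4, o, ","); ok = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "owner") o[i] = "user"
                if (o[i] == "user" || o[i] == "users") ok = 1
            }
            s = o[1]; for (i = 2; i <= n; i++) s = s "," o[i]
            if (!ok) s = s ",user"
            $4 = s
        }
        { print }' "$1"
}

# in_group USER GROUP -> success if USER is a member (primary or supplementary)
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# grant_device_access GROUP DEVICE USER... -> steps 2-4; must run as root
grant_device_access() {
    grp=$1; dev=$2; shift 2
    [ "$(id -u)" -eq 0 ] || { echo "grant_device_access: run as root" >&2; return 1; }
    getent group "$grp" >/dev/null || groupadd "$grp"   # step 2: create the group
    chown "root:$grp" "$dev" && chmod 660 "$dev"        # step 3: group may use the node
    for u in "$@"; do usermod -aG "$grp" "$u"; done     # step 4: -a appends, -G alone replaces
    # udev recreates /dev nodes at boot; persist step 3 with a rule such as
    #   /etc/udev/rules.d/80-cdrom.rules: KERNEL=="sr0", GROUP="cdrom", MODE="0660"
}

FSTAB_SAMPLE=$(mktemp)
cat > "$FSTAB_SAMPLE" <<'EOF'
/dev/cdrom  /mnt/cdrom   iso9660  noauto,owner,ro  0 0
/dev/fd0    /mnt/floppy  auto     noauto           0 0
/dev/sda1   /            ext4     defaults         1 1
EOF
fstab_allow_user_mount "$FSTAB_SAMPLE" /dev/cdrom
```

Usage as root would be fstab_allow_user_mount /etc/fstab /dev/cdrom > /etc/fstab.new, a review of the result, then grant_device_access cdrom /dev/sr0 user1, and in_group user1 cdrom from a fresh login to confirm.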
Using CD-ROM:
You must mount and un-mount each CD-ROM individually. Do not switch CDs
without un-mounting and re-mounting the new CD. (The GNOME desktop
interface has features to do this for you. Covered later)
Command method:

mount -t iso9660 /dev/hdd /mnt/cdrom : This mounts the CD-ROM at the mount
point /mnt/cdrom (or mount -t iso9660 /dev/cdrom /mnt/cdrom ; the
device name /dev/cdrom is a symbolic link to the actual device).
Note: Only root may mount an arbitrary device. Ordinary users can mount only
those entries of /etc/fstab that carry the user or users option, and then only
by naming the mount point or device alone (mount /mnt/cdrom), or by using
the tool usermount.
Desktop GUI method:

RH 5.2: Start + Programs + Administration + Disk Management.
RH 6.0/6.1: Select Gnome icon (located lower left corner) + System +
Disk Management.
The gui tool can also be started using the shell command
/usr/bin/usermount.
After mounting the CD-ROM one can view its contents from the directory
/mnt/cdrom.

Use the command: cd /mnt/cdrom
OR
GNOME toolbar Start icon + File manager and select the appropriate
folders.
Group Interrogation and Verification:
Check the group membership of a user: groups user-id
This will list all the groups to which user-id is a member.
Verification Commands:

pwck: verify integrity of password files
grpck: verify integrity of group files
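pwck and grpck catch format errors, but not the findings an incident responder looks for in these files: a second UID 0 account, a group member that no longer exists in /etc/passwd, two groups sharing a GID, or a user whose primary GID has no group entry. The following is an added example, not code from the original page; the passwd and group files are constructed with deliberate defects, and audit_accounts is my own name for the check.

```shell
#!/bin/sh
# Added example (not from the original page): consistency checks over copies of
# passwd and group. The sample files are constructed with deliberate defects.
AUDIT=$(mktemp -d)
cat > "$AUDIT/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:500:500:Greg:/home/user1:/bin/bash
user2:x:501:601:Sam:/home/user2:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
EOF
cat > "$AUDIT/group" <<'EOF'
root:x:0:
wheel:x:10:user1,ghost
user1:x:500:
staff:x:500:
EOF

# audit_accounts PASSWD GROUP -> one "kind:detail" line per finding
audit_accounts() {
    awk -F: '
        FNR == NR {                                  # pass 1: passwd
            user[$1] = 1; primary[$1] = $4
            if ($3 == 0 && $1 != "root") print "uid0:" $1
            next
        }
        {                                            # pass 2: group
            if ($3 in names) names[$3] = names[$3] "," $1; else names[$3] = $1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && !(m[i] in user)) print "dangling-member:" $1 ":" m[i]
        }
        END {
            for (g in names) if (index(names[g], ",")) print "dup-gid:" g ":" names[g]
            for (u in primary) if (!(primary[u] in names)) print "orphan-gid:" u ":" primary[u]
        }' "$1" "$2"
}

audit_accounts "$AUDIT/passwd" "$AUDIT/group"
```

On a live host run it as audit_accounts /etc/passwd /etc/group; on a system using NIS or LDAP feed it getent passwd and getent group output instead, since the flat files then hold only the local accounts.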
User admin and other commands:

useradd: Create a new user or update default new user information
usermod: Modify a user account
userdel: Delete a user account and related files
chage: change user password expiry information
pwconv: create /etc/shadow from /etc/passwd, moving the password hashes
out of the world-readable file
pwunconv: merge /etc/shadow back into /etc/passwd and remove /etc/shadow
grpconv: creates gshadow from group and an optionally existing gshadow
grpunconv: creates group from group and gshadow and then removes gshadow
Links and Info:

id man page - Use this command to display groups to which a user
belongs.