Important files:
/etc/passwd
Contains the list of users available on the computer. Each user is listed in a line with several fields separated with a colon (“:”).
These fields are in the /etc/passwd file:
• login name: the name used for login
• password: the special value “x” indicates that the encrypted password is stored in /etc/shadow
• uid: unique number identifying each user
• gid: unique number for the user’s main group (each user is part of a group by default)
• GECOS: this field usually contains the user’s full name
• home directory: a directory where the user is logged in, and keeps his personal files (the environment variable $HOME points here)
• shell: the shell program to execute upon login, like /bin/bash. (with /bin/false the user cannot login)
/etc/shadow
The /etc/shadow file contains the encrypted passwords. It has these fields:
• login name: the name used for login
• encrypted password
• several fields managing password expiration
/etc/group
Groups are listed in the /etc/group file, in a format similar to the /etc/passwd file. It has these fields:
• group name
• password (optional): This is only used to join a group when one is not a usual member
• gid: unique group identification number
• list of members: list of names of users who are members of the group, separated by commas.
==============================
Managing Rights
Linux is a multi-user system, so it is necessary to control who can access which files and directories. On Linux any device is represented by a file or directory. so controlling file access is important from system resource perspective as well.
Each file or directory has specific permissions for three categories of users:
• its owner (symbolized by u as in “user”)
• its owner group (symbolized by g as in “group”), representing all the members of the group
• the others (symbolized by o as in “other”)
Three types of rights can be combined:
• reading (symbolized by r as in “read”);
• writing (or modifying, symbolized by w as in “write”);
• executing (symbolized by x as in “eXecute”).
For files:
read access allows reading the content (including copying), write access allows changing it, and execute access allows running it.
For directories:
Read access allows to list files and directories in the given dirctory, write access allows creating or deleting files, and execute access allows go into the directory with the cd command).
Two particular rights are relevant to executable files: setuid and setgid (symbolized with the letter “s”). (These are frequently referred to as “bit”, since each of these boolean values can be represented by a 0 or a 1.) These two rights allow any user to execute the program with the rights of the owner or the group, respectively. A setuid root program would run under the super-user identity, so it is very important to ensure it is secured.
The setgid bit also applies to directories. Any newly-created item in such directories is automatically assigned the owner group of the parent directory, instead of inheriting the creator’s main group as usual.
The “sticky” bit (symbolized by the letter “t”) is a permission that is only useful in directories. It is especially used for temporary directories where everybody has write access (such as /tmp/): it restricts deletion of files so that only their owner (or the owner of the parent directory) can do it. Lacking this, everyone could delete other users’ files in /tmp/.
==============================
chown, chgrp, chmod
Three commands control the permissions associated with a file:
• chown <user> <file>: changes the owner of the file
• chgrp <group> <file>: alters the owner group
• chmod <rights> <file>: changes the permissions for the file
There are 2 ways of changing rights: with symbolic representation (u,g, o) or with numeric representation (644):
Symbolic representation:
Involves the letter symbols mentioned above. You can define rights for each category of users (u/g/o), by setting them explicitly (with =), by adding (+), or subtracting (-). Thus the u=rwx,g+rw,o-r means:
- gives the owner read, write, execute rights
- to the owner group adds read and write rights
- removes read rights for other users.
Rights not altered by the addition or subtraction in such a command remain unmodified.
Numneric (octal) represenation:
The numeric representation associates each right with a value: 4 for read, 2 for write, and 1 for execute. The sum of these values will give the final permisson for the owner, group and others (in thise order). For instance: chmod 754 <file> means:
- it will set read, write and execute for the owner (since 7 = 4 + 2 + 1)
- it will set read and execute for the group (since 5 = 4 + 1)
- it will set read-only for others.
The 0 means no rights, so chmod 600 <file> :
- allows for read/write rights for the owner,
- no rights for anyone else.
The most frequent right combinations are 755 for executable files and directories, and 644 for data files.
To represent special rights, you can prefix a fourth digit to this number according to the same principle, where the setuid, setgid and sticky bits are 4, 2 and 1, respectively. chmod 4754 will
associate the setuid bit with the previously described rights. Note that the use of octal notation only allows to set all the rights at once on a file; you cannot use it to simply add a new right, such as read access for the group owner, since you must take into account the existing rights and compute the new corresponding numerical value.
Sometimes we have to change rights for an entire file tree. The commands chown/chgroup/chmod have a -R option to operate recursively in sub-directories.
==============================
umask
When an application creates a file, some permissions will be automatically removed by umask. This can be checked by the command: umask (Issuing this command will show a mask such as 0022). This is an octal representation of the rights to be systematically removed (in this case, the write right for the group and other users). If you give it a new octal value, the umask command modifies the mask, so files will be created with the new permissions.
==============================
id
The id command displays the identity of the user running the session, along with the list of groups they belong to. Since access to some files or devices may be limited to group members, checking available group membership may be useful.
pi@raspberrypi:~ $ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio)
==============================
sudo
sudo program allows certain users to execute commands with special rights. In the most common use case, sudo allows a trusted user to execute any command as root. To do so, the user puts the word "sudo" in front of the command, like:
sudo apt-get install....
When installed, the sudo package gives full root rights to members of the sudo Unix group. To delegate other rights, the administrator must use the visudo command, which allows them to modify the /etc/sudoers configuration file. Adding a line with username ALL=(ALL) ALL allows the user in question to execute any command as root.
some example from /etc/sudoers:
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
More sophisticated configurations allow authorization of only specific commands to specific users.
==============================
/etc/passwd contains list of users with user parameters (id, description, shell, home dir)
/etc/shadow stores encrypted passwords
/etc/adduser.conf configuration file for the adduser command (default parameters for a new user are stored here)
addgroup/delgroup add or delete a group
groupmod modifies a group’s information (its gid or identifier)
chfn (CHange Full Name), modifies the GECOS field (possible only as root)
chsh (CHange SHell) allows to change their login shell (choose from /etc/shells; root can set it to anything)
chage (CHange AGE) allows the administrator to change the password expiration settings
chage -l <user> list the current password expiartion setting
chown <user>:<group> <file> changes the owner and group for the given file
passwd change the password of a user (it updates the /etc/shadow file)
passwd -g <group> changes the password for the group
passwd -r -g <group> deletes the password for the group
passwd -e <user> the user needs to change their password the next time he logs in
passwd -l user locks the user account (user cannot login)
passwd -u <user> re-enabling the user account (unlock)
adduser <user> create a user account
==============================
Creating a user:
1. create user:
sudo useradd -m -G adm,dialout,cdrom,audio,plugdev,users,lpadmin,sambashare,vchiq,powerdev <username>
2. set password:
sudo passwd <username>
==============================
Login as root without password
(single user mode)
If password is lost and login is needed add below line to cmdline.txt.
init=/bin/sh
This tells the kernel that once its loaded instead of running /sbin/init as usual you should run /bin/sh. You will get a shell with no services configured, just straight from kernel to shell. This can be done on any computer with a SD card reader as you are only modifying a file in the /boot partition (Fat32).
Your userid will be 0 so you will have root permissions, just none of the initd scripts have run. This means you can change passwords, undo modifications that broke your system, etc.
==============================
No comments:
Post a Comment