Advanced Linux File Permission Access Control - Dr. John Yoon - PowerPoint PPT Presentation



SLIDE 1

Advanced Linux

File Permission

Access Control

  • Dr. John Yoon
SLIDE 2

How do you know yours?

  • Finding out about you and the system

$ who
$ hostname
$ whoami
$ uname
$ id
$ date
$ ps -aux

SLIDE 3

Environment Variables

  • Environment
  • Settings of a Linux Shell
  • Printing
  • Setting

$ printenv
$ printenv TERM
$ py3=python3
$ export py3
$ echo $py3
$ unset py3

SLIDE 4

Commands for Systems/Sessions

  • lpr : prints a file
  • alias : creates an alias for a command.
  • Aliases can be placed in your .cshrc login script.
  • Example: alias rm 'rm -i'
SLIDE 5

The UNIX Pipe (|)

  • The pipe (|) creates a channel from one command to another. Think of the pipe as a way of connecting the output from one command to the input of another command.
  • The pipe can be used to link commands together to perform more complex tasks that would otherwise take multiple steps (and possibly writing information to disk).
  • Examples:
  • Count the number of users logged onto the current system.
  • The who command will give us line by line output of all the current users.
  • We could then use wc -l to count the number of lines...
  • who | wc -l
  • Display long listings in a scrollable page.
  • The lpq command will give us a list of the waiting print jobs.
  • lpq | less
SLIDE 6

Commands for Processes

  • ps : lists the processes running on the machine.
  • ps -u username : lists only your processes.
  • ps -a : lists all processes running on the machine.
  • The PID column of the listing provides the information required by the kill command.
  • kill : terminates a process
  • kill process_id : sends a terminate signal to the process specified by the process_id (PID).
  • In cases where the terminate signal does not work, the command "kill -9 process_id" sends a kill signal to the process.
  • nice : runs a process with a lower priority.
SLIDE 7

Try ls -l

  • See what it displays
SLIDE 8

Access Permissions

  • Limiting unauthorized access to your directories and files is a very important concern for ALL Linux (Unix) users.

  • Consequences of Unauthorized Access:
  • Copying your assignments (cheating)
  • Using your account for illegal activity
  • Using your account to send obscene messages
  • Tampering with files
SLIDE 9

Access Control Check

  • Given an access request, return an access control decision based on the policy
  • allow / deny

[Diagram: a request and the policy are the inputs to the access control check; its output is allow / deny]

SLIDE 10

File / Directory Permissions

  • The Linux (Unix) OS can allow the user to specify read, write and execute permissions to the user (owner of file), group (same group members) or all others (different group members)

  • Directory Permissions:
  • Read (r) – View directory contents (filenames only)
  • Write (w) – Create / Remove subdirectories and files
  • Execute (x) – Access directory contents
  • File Permissions
  • Read (r) – View contents (inside) of file
  • Write (w) – Make changes to file’s contents
  • Execute (x) – Run program or shell script
SLIDE 11

chmod Command (Relative Method)

Used to change the access permissions of a file or directory

Format:

chmod [who] [operation] [permission] file

  • who relates to user (u), group (g), others (o), or all (a)
  • operation relates to adding (+), removing (-), or setting (=) permissions
  • permissions are read (r), write (w), or execute (x)
SLIDE 12

Type Enforcement [BoebertKain84]

[Diagram: users are assigned a subject type and objects an object type; a permission assignment states that a subject type can access an object type to perform operations on objects]

SLIDE 13

chmod Command (Relative Method)

Examples:

  • Add Permission

chmod g+rw file.name
chmod o+x file.name

  • Remove Permission

chmod g-w file.name
chmod a-w file.name (removes write for u, g and o)

  • Set Permission

chmod o=rx file.name
chmod go=rx filename

Note: you can use wildcard symbols (eg *) to match particular files

SLIDE 14

Privileges

  • Three Identities
  • Owner, Group, World
  • Three Privileges
  • Read, Write, Execute
  • Octal weights: 4 (read), 2 (write), 1 (execute)
  • Command
  • $ chmod
  • # chgrp
  • $ chown
  • $ ch

Possible additive bits:

  1           Can execute
  2           Can write
  1+2 = 3     Can execute and write
  4           Can read
  1+4 = 5     Can execute and read
  2+4 = 6     Can write and read
  1+2+4 = 7   Can do all

SLIDE 15

chmod - Example (Absolute Method)

Applying octal values of rwx using the absolute chmod command:

  chmod ___ file    - r w x r w x r w x
  chmod ___ file    - r w x r - x r - x
  chmod ___ file    - r w x - - x - - x
  chmod ___ file    - r w - r - - r - -

Q: Fill in the number
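The following script is an added example for the relative method (slides 11 and 13) and the absolute method (slide 15); it is not part of the deck. It assumes a POSIX sh with the deck's own tools (chmod, ls, cut, mktemp). It converts a nine-character rwx string to the octal number chmod's absolute form takes, applies the slide 13 examples in sequence to a scratch file, and reads back what ls -l reports after each step, so the arithmetic on slide 14 can be checked against the real file system rather than worked out by hand.

```shell
#!/bin/sh
# Added example (not from the deck): chmod in both notations, verified
# against what ls -l reports. Assumes POSIX sh, chmod, ls, cut, mktemp.

# Permission string of a path as ls -l prints it: characters 2-10, e.g. rwxr-xr-x.
mode_of() { ls -ld "$1" | cut -c2-10; }

# One rwx triple (such as "r-x") to its octal digit: r=4, w=2, x=1, summed.
triple_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??x) d=$((d + 1)) ;; esac
    printf '%s' "$d"
}

# Whole nine-character mode string to the three-digit number for chmod's absolute method.
sym_to_octal() {
    u=$(printf '%s' "$1" | cut -c1-3)
    g=$(printf '%s' "$1" | cut -c4-6)
    o=$(printf '%s' "$1" | cut -c7-9)
    printf '%s%s%s' "$(triple_to_digit "$u")" "$(triple_to_digit "$g")" "$(triple_to_digit "$o")"
}

# Relative method: apply the slide 13 examples in order to a scratch file
# and return the resulting mode string. Each comment gives the expected state.
relative_demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/file.name"
    : > "$f"
    chmod 644 "$f"      # rw-r--r--  fixed starting point, independent of umask
    chmod g+rw "$f"     # rw-rw-r--  add read and write for group
    chmod o+x "$f"      # rw-rw-r-x  add execute for others
    chmod a-w "$f"      # r--r--r-x  remove write for user, group and others
    chmod go=rx "$f"    # r--r-xr-x  set group and others to exactly rx
    mode_of "$f"
    rm -rf "$dir"
}

# Absolute method: the number derived from a mode string, given to chmod,
# must yield that same string back from ls -l.
absolute_demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/file.name"
    : > "$f"
    chmod "$(sym_to_octal "$1")" "$f"
    mode_of "$f"
    rm -rf "$dir"
}

result=$(relative_demo)
printf 'relative method: %s (octal %s)\n' "$result" "$(sym_to_octal "$result")"
printf 'absolute method: rwxr-xr-x is chmod %s, ls shows %s\n' \
    "$(sym_to_octal rwxr-xr-x)" "$(absolute_demo rwxr-xr-x)"
```

Because chmod 644 is applied first, relative_demo gives the same answer whatever umask the shell started with; that is the usual way to make a permission script reproducible, and a good habit when such commands are put into deployment scripts.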

SLIDE 16

Practical Applications of chmod

  • Directory Pass-Through Permission (x)
  • Pass-through permission allows users to pass through a directory in order to access the contained files and subdirectories
  • To deny access to your files by other users, you can remove group and other pass-through permissions on your home directory (rwx------)

SLIDE 17

Creating a User Mask

  • The Unix / Linux OS allows “masks” to be created to set default permissions for “newly-created” directories and files.
  • The umask command automatically sets the permissions when the user creates directories and files (umask stands for “user mask”).
  • This process is useful, since users may sometimes forget to change the permissions of newly-created files or directories.

SLIDE 18

umask Command

Used to automatically establish file permission upon creation

umask [mask] where mask represents a 3-digit octal number for permissions to be denied for UGO.

  • Think of a mask as “hiding” permissions that are available from the system.

SLIDE 19

Setting Directory Mask

To change directory mask:

  • Determine octal number that would set directory permission
  • Subtract octal number determined above from octal number 777 to get result
  • Issue the command:

umask [octal number]

SLIDE 20

Setting Directory Mask

Example:

  • To set mask for newly-created directories to:

r w x r - - r - -

  • Determine octal number

1 1 1 1 0 0 1 0 0 = 744

  • Subtract 744 from 777 = 033
  • Issue command umask 033
  • Issue command umask to verify change

Why 777? Because the system wants to give full permissions for user, group and others. The mask 033 takes away the specified permissions.

SLIDE 21

Default Directory Permissions

Example:

  • With umask of 033 from previous example:
  • Subtract 033 from 777 = 744
  • Convert to permissions:

r w x r - - r - -

SLIDE 22

umask for Files

  • When creating new regular files, the system can only provide read and write permissions (i.e. no execute permissions).
  • Thus there is no way to have execute permission as a default for files.
  • Note that there is only one umask setting, which determines default permissions for newly created files and directories.

SLIDE 23

Determining Default File Permissions

Example:

  • With umask of 033 from previous example:
  • Subtract 033 from 777 = 744
  • Convert to permissions:

r w x r - - r - -

  • Remove any “x” permissions remaining:

r w - r - - r - -
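The script below is an added example for slides 18 to 23 (umask, the 777 subtraction for directories, and the "remove any x" step for files); it is not code from the deck. It assumes a POSIX sh whose arithmetic accepts leading-zero octal constants and the bitwise operators & and ~ (dash and bash both do), plus mkdir, mktemp and ls. It computes the defaults the way the kernel does, base & ~mask, shows that the deck's "777 minus mask, then drop x" recipe gives the same result, shows the one shortcut that does not (666 minus mask), and then creates a real directory and file under the mask to confirm.

```shell
#!/bin/sh
# Added example (not from the deck): umask arithmetic checked against the
# file system. Assumes POSIX sh with octal constants and bitwise ops in
# $(( )), plus mkdir, mktemp, ls, cut.

mode_of() { ls -ld "$1" | cut -c2-10; }

# What the kernel does: start from 777 (directories) or 666 (regular files)
# and clear every bit named in the mask. "777 minus mask" on the slides is
# the same thing, because 777 has every bit set so no borrow can occur.
default_dir_mode()  { printf '%03o' $(( 0777 & ~0$1 )); }
default_file_mode() { printf '%03o' $(( 0666 & ~0$1 )); }

# The deck's file recipe: 777 minus mask, then remove any x that remains.
# Clearing the three x bits is "& 0666", so this equals default_file_mode.
deck_file_mode()    { printf '%03o' $(( (0777 - 0$1) & 0666 )); }

# Tempting shortcut that is wrong: 666 minus mask. Whenever the mask names an
# x bit (as 033 does), subtraction borrows across bit boundaries.
naive_file_mode()   { printf '%03o' $(( 0666 - 0$1 )); }

# Live check: under the given umask, in a subshell so the caller's umask is
# untouched, create a directory and a file and report what ls -l shows.
umask_demo() {
    (
        umask "$1"
        dir=$(mktemp -d) || exit 1
        mkdir "$dir/newdir"
        : > "$dir/newfile"
        printf '%s %s' "$(mode_of "$dir/newdir")" "$(mode_of "$dir/newfile")"
        rm -rf "$dir"
    )
}

printf 'umask 033: directory %s, file %s (deck recipe %s, naive 666-033 %s)\n' \
    "$(default_dir_mode 033)" "$(default_file_mode 033)" \
    "$(deck_file_mode 033)" "$(naive_file_mode 033)"
printf 'umask 033 live: directory and file modes are %s\n' "$(umask_demo 033)"
```

For umask 033 the live check prints rwxr--r-- for the directory and rw-r--r-- for the file, matching slides 21 and 23; the naive 666 minus 033 gives 633, which no Unix system ever produces, which is why the deck always subtracts from 777 and strips x afterwards.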
