Unix: quick user overview (lecture slides, PowerPoint presentation)

Calcolatori Elettronici e Sistemi Operativi

Name Resolution


Users and Groups

User information is in /etc/passwd; group information is in /etc/group.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
user:x:5084:4214:regular user:/home/user:/bin/bash

Fields (separated by ':'): username : encrypted password ('x' indicates that it is in /etc/shadow) : userID : groupID : description : user home directory : user shell

root:x:0:
daemon:x:1:
usergroup1:x:4214:
usergroup2:x:4215:user,user2

Fields (separated by ':'): group name : encrypted group password ('x' indicates that it is in /etc/gshadow) : groupID : list of users of the group

The user with id 0 (root) is a special user for system administration: it has privileged rights on the system.

Each user has an associated current group.

change the current user group:

newgrp <group name>

if the group is not one of the user's groups, the group password is required

Show information on user:

id [username]

example:

$ id
uid=5084(user) gid=4214(usergroup1) groups=4214(usergroup1),4215(usergroup2)
$ id root
uid=0(root) gid=0(root) groups=0(root)


Users and Groups

Passwords can be in /etc/shadow (not readable by regular users)

root:$1$abcdefgh$sftjbP9Enm3qjnYVfbhrW.:15432:0:99999:7:::
daemon:*:15223:0:99999:7:::
bin:*:15223:0:99999:7:::
user:abfdATwZM2ZO6:15551:0:79:7:::

Fields (separated by ':'): username : encrypted password : days since Jan 1, 1970 that the password was last changed : days before the password may be changed : days after which the password must be changed : days before the password is to expire that the user is warned : days after the password expires that the account is disabled : days since Jan 1, 1970 that the account is disabled : reserved field


Two encrypted-password formats appear above. In the user line, abfdATwZM2ZO6 is a traditional DES-based hash: the first two characters are the salt, the rest is data = crypt(salt, password). In the root line, $1$abcdefgh$sftjbP9Enm3qjnYVfbhrW. is an MD5-based hash: $1$ selects the algorithm, abcdefgh is the salt, and the rest is data = crypt(salt, password).

The salt is used to mitigate dictionary attacks: the same password gives different hashes with different salts, so a precomputed table cannot be reused across accounts.
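As an added example (not part of the original slides), a small POSIX shell audit over constructed /etc/shadow lines: it classifies the encrypted-password field by its prefix (empty, locked, traditional DES, MD5 $1$, SHA-crypt) and evaluates the ageing fields described above. The two hashes from the slide are reused; the other entries and the "today" day count are constructed.

```shell
# Added example (not from the original slides): audit constructed /etc/shadow lines.
# Field order, as described above:
#   name:hash:lastchg:min:max:warn:inact:expire:reserved
# The root and user hashes come from the slide; guest and old are constructed,
# as is the "today" value (days since 1970-01-01) passed to the functions.

SAMPLE_SHADOW='root:$1$abcdefgh$sftjbP9Enm3qjnYVfbhrW.:15432:0:99999:7:::
daemon:*:15223:0:99999:7:::
bin:*:15223:0:99999:7:::
user:abfdATwZM2ZO6:15551:0:79:7:::
guest::15551:0:99999:7:::
old:!$6$constructedsalt$constructedhash:15000:0:30:7:::'

# hash_kind FIELD -> classification of the encrypted-password field
hash_kind() {
    case "$1" in
        '')           echo "EMPTY (login without password)" ;;
        '*'|'!'|'!!') echo "locked (no valid password)" ;;
        '!'*)         echo "locked (prefix !)" ;;
        '$1$'*)       echo "MD5-crypt (weak by today's standards)" ;;
        '$5$'*)       echo "SHA-256-crypt" ;;
        '$6$'*)       echo "SHA-512-crypt" ;;
        '$'*)         echo "other crypt scheme" ;;
        *)  if [ "${#1}" -eq 13 ]; then
                # 13 characters with no '$': 2-char salt + 11 chars of DES output
                echo "traditional DES-crypt (2-char salt, weak)"
            else
                echo "unrecognised"
            fi ;;
    esac
}

# ageing LASTCHG MAX TODAY -> ok | expired | never-expires | must-change | unknown
ageing() {
    if [ -z "$1" ]; then echo "unknown"; return; fi
    if [ "$1" -eq 0 ]; then echo "must-change"; return; fi   # lastchg 0: change at next login
    if [ -z "$2" ] || [ "$2" -ge 99999 ]; then echo "never-expires"; return; fi
    if [ $(($1 + $2)) -lt "$3" ]; then echo "expired"; else echo "ok"; fi
}

# shadow_audit CONTENTS TODAY -> one report line per account
shadow_audit() {
    printf '%s\n' "$1" | while IFS=: read -r name hash lastchg min max warn inact expire rest; do
        printf '%s: %s; ageing: %s\n' "$name" "$(hash_kind "$hash")" \
            "$(ageing "$lastchg" "$max" "$2")"
    done
}

shadow_audit "$SAMPLE_SHADOW" 15600
```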

Hostnames

/etc/hosts

format (plain text):

<ip address> <hostname> [aliases]

example:
127.0.0.1      localhost
10.0.2.21      host1.localnet.org  host1
10.0.2.22      host2.localnet.org  h2
159.65.34.8    www.opensource.org
147.75.44.153  www.kernel.org

Networks

/etc/networks

format (plain text):

<network name> <ip number> [aliases]

example:
default     0.0.0.0
loopback    127.0.0.0
link-local  169.254.0.0
localnet    10.0.2.0


Internet network services list

/etc/services

format (plain text):

<service name> <port/protocol> [aliases]

example:
ftp     21/tcp
ssh     22/tcp
ssh     22/udp
telnet  23/tcp

From C, entr = getservbyname("ftp", "tcp"); returns a pointer to a struct servent filled from this file: s_name = "ftp", s_aliases (other names for the service, none here), s_port = 21 (stored in network byte order), s_proto = "tcp".

Name Service Switch

configuration file: /etc/nsswitch.conf

format (plain text):

<database> <sources list>

database:

passwd | group | shadow | hosts | networks | services | rpc | initgroups | netgroup | protocols | publickey

examples:

passwd:  user passwords
shadow:  shadow user passwords
group:   groups of users
hosts:   host names and numbers

more info: man nsswitch.conf

sources list: <source> <source> <source> ...

source:

files | nis | db | dns | ...

examples:

files:   read from file (/etc/passwd, /etc/shadow, /etc/group, /etc/hosts, ...)
nis:     query a NIS (Network Information Service) server
db:      read from file (/var/db/passwd.db, ...) in "Berkeley Databases" format
dns:     query a DNS (Domain Name System) server (for hosts)
compat:  similar to files, but some information is read from a NIS server (for passwd, group, shadow)

/etc/nsswitch.conf example:

passwd:     compat
group:      compat
shadow:     compat
hosts:      files dns
networks:   files
ethers:     db files
protocols:  files
rpc:        files
services:   files
netgroup:   nis

With hosts: files dns, a call gethostbyname("www.host.dom"); is resolved by:
1. searching in /etc/hosts;
2. if the name is not found there, querying a DNS server.

Files


File information

Show file info:

$ ls -l
drwxr-xr-x 4 root root   4096 2010-06-08 20:20 apt
-rw-r--r-- 1 root root    351 2008-03-25 09:38 arpwatch.conf
-rw-r--r-- 1 root root   2286 2011-12-11 12:57 asound.names
-rw-r----- 1 root daemon  144 2008-10-20 07:34 at.deny

Columns: type (first character) followed by permissions for owner, permissions for group, permissions for others; number of hard links; owner; group; size; mtime; name

Type:
-  regular file
d  directory
l  symbolic link
b  block special file
c  character special file
p  FIFO (named pipe)
s  socket
?  some other file type

Unix file ownership

Each file has:

owner: a user of the system
group: a group of users (each user is part of one or more groups)

Changing file ownership (changing the owner requires root):

chown <new_owner>:<new_group> <file>    change both owner and group
chown <new_owner> <file>                change only owner
chown :<new_group> <file>               change only group

new_owner and new_group can be names or numeric ids

only root can change a file's owner

a regular user can assign the file's group only to one of its own groups

Unix file permissions

rwx r-x r-x  file
 |   |   |
 |   |   +-- permissions for others
 |   +------ permissions for group
 +---------- permissions for owner

Permissions are three flags:

r: can read
w: can write
x: can execute (for directories: can search)

Permissions can be expressed as three octal digits (each octal digit encodes the 3 bits r, w, x of one class)

Examples:
rwx r-x r-x   0755
rw- r-- r--   0644
r-x --- ---   0500
r-- r-- r--   0444


Unix file permissions

Other flags (not tied to one class of users):

set user id:  if the file is executed, the effective user id of the process becomes the id of the file owner
set group id: if the file is executed, the effective group id of the process becomes the id of the file group
sticky:       for a directory, the files it contains can be deleted only by the directory's owner or by the file's owner (or by root)

Changing file permissions (only the owner or root):

chmod <new_permissions> <file>

<new_permissions>:
  octal representation, or
  <users>[+-]<permission>

Examples:
u+r   : add read permission for owner (user)
u-w   : remove write permission for owner (user)
og+x  : add execute permission for group and others
u+s   : add set user id flag
g-s   : remove set group id flag

Access Control List

ACL

each file can have, in addition to the standard owner/group/others permissions, a list of users with their related permissions

getfacl: get file access control lists
setfacl: set file access control lists

Example: a file owned by user1, group group1, with standard permissions rw-r----- and ACL entries
  user: user2   perms: r--
  user: user3   perms: rw-
  user: user4   perms: r-x

$ ls -l /dev/kvm
crw-rw----+ 1 root kvm 10, 232 Oct 19 16:59 /dev/kvm
$ getfacl /dev/kvm
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
user:user123:rw-
group::rw-
mask::rw-
other::---

The '+' after the permission bits in the ls -l output indicates that there is some other info (an ACL) besides the standard permissions. In the getfacl output, the user::, group:: and other:: entries come from the standard permissions; user:user123:rw- and mask::rw- come from the ACL records.

Sparse files

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

int main(void)
{
    int fd;
    char c = 'A';

    fd = open("sparsefile", O_RDWR | O_CREAT | O_EXCL,
              S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
    if (fd < 0) {
        printf("Error: cannot open file. Error code is %d (%s)\n",
               errno, strerror(errno));
        return 1;
    }
    /* Only move the file pointer: nothing is written yet */
    if (lseek(fd, 1000000, SEEK_SET) < 0) {
        printf("Error: cannot perform lseek. Error code is %d (%s)\n",
               errno, strerror(errno));
        return 2;
    }
    /* Write only one byte, at offset 1000000 */
    if (write(fd, &c, 1) != 1) {
        printf("Error: cannot write. Error code is %d (%s)\n",
               errno, strerror(errno));
        return 3;
    }
    close(fd);
    return 0;
}

On some filesystems, the unused space before the written byte is not allocated:

$ ls -ls sparsefile
8 -rw-r--r-- 1 user usergrp 1000001 May 11 21:52 sparsefile

(first column: used blocks; 1000001 is the file size)


Process I/O and redirections

On creation, each process has 3 open file descriptors: 0 (stdin), 1 (stdout), 2 (stderr)

read(0, buf, n);                       read n bytes from standard input into buf
write(2, buf, n);                      write n bytes from buf to standard error
fprintf(stderr, "Error message\n");    write to standard error through the stdio stream stderr (file descriptor 2)

I/O redirection

standard input

command1 < inputfile.txt
    for command1, the input data for file descriptor 0 comes from the file inputfile.txt

standard output

command1 > outfile.txt
    data written by command1 on file descriptor 1 is stored in the file outfile.txt
command1 >> outfile.txt
    data written by command1 on file descriptor 1 is stored (appended) in the file outfile.txt

standard error

command1 2> outerrfile.txt
    data written by command1 on file descriptor 2 is stored in the file outerrfile.txt
command1 &> outerrfile.txt      (bash)
command1 >& outerrfile.txt      (csh and bash)
    data written by command1 on file descriptors 1 and 2 is stored in the file outerrfile.txt

command1 2>> outerrfile.txt
    data written by command1 on file descriptor 2 is stored (appended) in the file outerrfile.txt
command1 &>> outerrfile.txt     (bash)
command1 >>& outerrfile.txt     (csh)
    data written by command1 on file descriptors 1 and 2 is stored (appended) in the file outerrfile.txt

pipeline

command1 | command2
    data written by command1 on file descriptor 1 is sent as input to command2
command1 |& command2            (bash and csh)
    data written by command1 on file descriptors 1 and 2 is sent as input to command2

System initialization

Traditional system initialization: System V init

Emerging new initialization schemes: upstart, systemd

System initialization: System V init

First program executed: /sbin/init

configuration: /etc/inittab
    configuration of ctrl-alt-del and kbrequest
    configuration of powerwait, powerokwait, powerfailnow
    configuration of processes to be executed
        actions needed to set up the login interface
        actions related to runlevels

the runlevel is a small integer associated with the current system state

/etc/inittab line format:

# comment (ignored)
id:runlevels:action:process

id         1-4 characters
runlevels  list of the runlevels to which this action applies
action     one of: respawn, wait, once, boot, bootwait, off, ondemand, initdefault, sysinit, powerwait, powerfail, powerokwait, powerfailnow, ctrlaltdel, kbrequest
process    the command to execute

System initialization: System V init

Example of /etc/inittab:

id:2:initdefault:
si::sysinit:/etc/init.d/rcS
ca:12345:ctrlaltdel:/bin/echo ctrl-alt-del is disabled
kb::kbrequest:/bin/echo "Keyboard Request--edit /etc/inittab to let this work."
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6

id          default runlevel is 2
si          during initialization execute rcS
ca          how to handle ctrl-alt-del
kb          what to do when ALT and UpArrow are pressed
pf, pn, po  what to do when power related events occur
l0          when entering runlevel 0 execute rc with arg 0 [wait: execute once and wait for its termination]
l1          when entering runlevel 1 execute rc with arg 1 [wait: execute once and wait for its termination]
l2 ... l6   likewise for runlevels 2 to 6
1           on runlevels 2, 3, 4, or 5 execute getty [respawn: execute again when it terminates]
2 ... 6     on runlevels 2 or 3 execute getty [respawn: execute again when it terminates]

Typical use of runlevels:
0      halt
S, 1   single-user
2-5    multi-user
6      reboot

Changing runlevel:

telinit <new_runlevel>

System initialization: upstart

First program executed: /sbin/init

configuration: /etc/init.conf, /etc/init/*.conf

based on events:
    the kernel sends signals to init
    init sends signals to processes
    init sends events to processes using dbus

System initialization: systemd

First program executed: systemd (link to /sbin/init)

Configuration files:

/etc/systemd/system.conf
/usr/lib/systemd/system/<name>.service
/etc/systemd/system/<name>.service

Tool: systemctl

systemctl start unit
systemctl stop unit
systemctl restart unit
...


Main files and directories


Main files and dirs

Executables

needed early at system startup:
/sbin      administrative tools, e.g.: fsck, fdisk, mkfs, ifconfig, route
/bin       general purpose tools, e.g.: bash, tcsh, tar, gzip, bzip2, chmod, cp, cat, grep, kill, ls, df

needed after the system is up:
/usr/sbin  administrative tools, e.g.: inetd, sshd, cron, useradd, usermod
/usr/bin   general purpose tools, e.g.: find, gcc, ld, ar, cal, du, emacs, less, ssh, w

Configuration

System-wide configuration: /etc, e.g.:

/etc/inittab
/etc/init.d/
/etc/passwd
/etc/group
/etc/crontab      : scheduled commands (executed by crond)
/etc/fstab        : static information about filesystems and mountpoints
/etc/hosts        : known hosts
/etc/resolv.conf  : DNS configuration
/etc/bash.bashrc  : bash configuration
/etc/default/     : default settings of applications
/etc/ssh/         : ssh and sshd configuration
/etc/X11/         : X server configuration

Libraries

/lib       main dynamic libraries
/usr/lib   other dynamic libraries and development libraries

User directories

/home
/root

Temporary

/tmp

Devices                   /dev
Spool                     /var/spool
System logs               /var/log
System applications data  /var/lib
System applications cache /var/cache

Devices


Device files

in /dev: a file-like interface to the device driver (open, close, read, write, seek, ioctl, ...)

examples:
sda                  first SCSI disk
sda1                 first partition on the first SCSI disk
tty1                 first virtual console
null, zero, random   virtual devices

A device is identified by:

type          block or character
major number  identifies the device class and the driver which manages the device
minor number  identifies the particular device within a class

Names are only conventions

mknod: create a device file

mknod <name> <type> <major> <minor>

examples:
mknod sda  b 8 0
mknod sda1 b 8 1
mknod tty1 c 4 1

Main commands

User identity management
su      : change user ID or become superuser
passwd  : change password

Directory management
ls      : list directory contents
ln      : make links between files
cd      : change working directory
mkdir   : make directories

File management
cp      : copy files and directories
mv      : move or rename files
rm      : remove files or directories
find    : search for files in a directory hierarchy
chmod   : change file mode bits
chown   : change file owner and group
chgrp   : change group ownership

Examples

su user2                     become user user2
passwd                       change password for user (interactive)
ls /etc                      list the content of the directory /etc
ln -s destination symlink    create a symbolic link to destination; the link is called symlink
ln destination hlink         create a hard link to destination; the link is called hlink
cd /bin                      change the working directory to /bin
mkdir /home/user/newdir      create the directory newdir in /home/user/

Examples

cp fileold filenew                   make a copy of fileold called filenew
mv test /home/user/directory/        move the file test into the directory /home/user/directory
mv test newname                      rename the file test to newname
rm filename                          remove the file filename
rm -r /home/user/directory           remove (recursively) the directory /home/user/directory
find /home/user/dir -name "test*"    search in the directory /home/user/dir all the objects with a name that begins with test
find -perm -u=x,g=x -type f          search in the current directory all the files that are executable for user and for group
find -perm /g=w,o=w                  search in the current directory all the objects that are writable for group members or for others

chmod 0644 filename                  change permissions on filename
chown user file                      change the owner of file
chgrp newgrp file                    change the group of file

File content management
cat   : concatenate files and print on the standard output
more  : file filter for viewing on terminal one page at a time
less  : similar to more, but allows moving the viewing point back
grep  : print lines of a file matching a pattern
sed   : stream editor for filtering and transforming text
awk   : pattern scanning and processing language
dd    : convert and copy a file

Packing and compression
tar     : tar archiving utility
gzip    : compress or expand files
gunzip  : expand files in gzip format
bzip2   : compress or expand files using a block-sorting compressor
bunzip2 : expand files in bz2 format
xz      : compress or decompress .xz and .lzma files
zip     : package and compress (archive) files
unzip   : list, test and extract compressed files in a ZIP archive

Examples

cat file.txt                               dump the content of file.txt on the standard output
more file.txt                              show the content of file.txt one terminal screen at a time
less file.txt                              show the content of file.txt one terminal screen at a time; allows going back in the visualization
grep word file.txt                         print all the lines of the file file.txt that contain the string word
sed -e "s/oldword/newtext/g" file.txt      dump the content of file.txt, changing all the occurrences of the string oldword into the string newtext
awk -v FS=":" '{print $1}' /etc/passwd     print all the usernames
dd if=<(echo -n "abc") bs=1 seek=5 of=file conv=notrunc
                                           change the 6th, 7th, and 8th byte of file to a, b and c respectively

Disk management
du     : estimate file space usage
df     : report file system disk space usage
fdisk  : partition table manipulator
mkfs   : build a file system (generic frontend)
mke2fs : build an ext2/ext3 filesystem
mount  : mount a file system
umount : unmount file systems

Process management
uname  : print system information
ps     : report a snapshot of the current processes
kill   : send a signal to a process
nice   : run a program with modified scheduling priority
time   : run programs and summarize system resource usage

Examples

du -m mydir/                 show the disk portion used by mydir (-m: unit is megabyte)
df                           show disks usage and free space
fdisk /dev/sda               interactively show and manipulate partitions on disk sda
mke2fs /dev/sda2             create a filesystem of type ext2 on partition 2 of disk sda (any existing data will be destroyed)
mount /dev/sda2 /mnt/        mount partition 2 of disk sda on directory /mnt/
mount -o port=15000,mountport=15001,nolock 10.0.2.2:/server_exported_dir /mnt
                             mount the directory /server_exported_dir exported over NFS by host 10.0.2.2 on /mnt (with explicit port options)
umount /mnt/                 unmount the filesystem mounted on directory /mnt/

Examples

uname -a                     show information on the system (-a: all [OS name, kernel name, version and release, machine name])
ps -ef                       show information on running processes (-e: all processes, -f: full format)
kill 2345                    send signal 15 (SIGTERM) to the process with PID 2345
kill -9 2345                 send signal 9 (SIGKILL) to the process with PID 2345
nice -n 10 ./myprogram       run myprogram with a lower priority than the default
time ./myprogram             run myprogram and measure its execution time

Network file system

System1 (client)                          System2 (server)
/                                         /
|-- bin                                   |-- bin
|-- lib                                   |-- exported_dir
|-- home                                  |   |-- dir1
|   |-- user1                             |   `-- dir2
|   `-- user2                             `-- var
|-- mnt          <-- mount point
|   |-- dir1
|   `-- dir2
|-- sbin
|-- tmp
`-- var

With the NFS server running on System2, on System1:

mount server:/exported_dir /mnt

after which the content of the server's exported_dir (dir1, dir2) appears under /mnt on the client.