Users and Groups
Administration
- Why have users and groups?
- What is the difference between authentication and authorization?
User accounts
Consist of:
- USername
- UID
- Primary GID
- GECOS
- HOME
- Shell
- Encrypted Password (/etc/shadow)
Other items can be seen in
/etc/passwd
Group Accounts
Consist of:
- Group name
- GID
- List of members
cat /etc/group
Primary group vs other Group membership
- WHen a file/dir is created, who owns it? What are its’ permissions?
- UID comes from process that created it
- GID comes from process that created it
- Permissions come from umask of process that created it.
Review
- Changing UID/GID and permissions
- How to change defaults associated with an account
- How are permissions applied?
Review
- Files we should make sure we know:
/etc/shadow/etc/passwd/etc/group/etc/skel
Command review
| Command | Command |
| passwd | chfn |
| chsh | umask |
| id | groups |
| who | finger |
Command review
| Command | ~ |
| adduser | addgroup |
| chmod | chgrp |
| chown | ~ |
Permissions review (Files)
- read = r = 4 (view)
- write = w = 2 (modify)
execute = x = 1 (run)
Examples?
Permissions review (Directories)
- Same as for files except
- r = view list of directory contents
- w = modify list of directory
- add, delete, rename files in dir
- x = enter directory, or cd into dir
Permissions review
Mode layers:
- User (UID) - mode applied to processes with matching UID
- Group (GID) - mode applied to processes with matching GID
- Other (world)
Each mode can be set for r,w,x
Permissions
If a process wants to read, it will be allowed if the UID matches and user-read is set, or if GID matches and group-read is set, or if other read is set. Same for write and execute.
Special Permissions
In addition to other bits:
- 4 = setuid bit = s or S
- 2 = setGID bit = s or S
- 1 = sticky bit = t
SetUID
- Files
- When the program is run, the process will have the UID of the file, instead of inheriting from parent process. Same for GID
- Directories:
- No effect
ls -l /usr/bin/passwd
SetGID
- Files
- Same as SetUID described previously
- Directories
- New contents of directory will have GID of directory instead of inheriting from creating process.
Sticky Bit
- Files
- no effect
- Directories
- only root and file owners can delete and rename files in the directory
Full file mode examples
- 2750?
- 6755?
- 1777?
- 0644?
- r-sr-sr-x?
- rwsr-Sr–?
- rwxrwxrwt?
Tidbit
Why the difference between s and S when setting SetUID or SetGID bits? If the file is NOT executable, you have S, otherwise s.
Umask
Each process has a mask that defines permission bits that should be removed from newly created files and directories.
- 0002
- 0027
Umask inherited from parent process. Processes can change their umask with a system call. Shell usually gets default umask from a shell init file.
KAHOOT
Last Updated 05/08/2023