<HTML>

<HEAD>

<TITLE>Using Linux:Managing Users and Groups</TITLE>

<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
        var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>





<!--ISBN=0789716232//-->

<!--TITLE=Using Linux//-->

<!--AUTHOR=William Ball//-->

<!--PUBLISHER=Macmillan Computer Publishing//-->

<!--IMPRINT=Que//-->

<!--CHAPTER=25//-->

<!--PAGES=420-422//-->

<!--UNASSIGNED1//-->

<!--UNASSIGNED2//-->



<CENTER>

<TABLE BORDER>

<TR>

<TD><A HREF="417-420.html">Previous</A></TD>

<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>

<TD><A HREF="422-424.html">Next</A></TD>

</TR>

</TABLE>

</CENTER>

<P><BR></P>

<P>When you combine these values, you get three numbers that make up the file's permission. Common permission combinations are:

</P>

<TABLE WIDTH="100%"><TR>

<TH WIDTH="25%" ALIGN="LEFT">Permission

<TH WIDTH="15%" ALIGN="LEFT">Value

<TH WIDTH="60%" ALIGN="LEFT">Meaning

<TR>

<TD VALIGN="TOP">-rw-------

<TD VALIGN="TOP">600

<TD>The owner has read and write permissions. This is what you want set on most of your files.

<TR>

<TD VALIGN="TOP">-rw-r--r--

<TD VALIGN="TOP">644

<TD>The owner has read and write permissions. The group and world have read-only permissions. Be sure you want to let other people read this file.

<TR>

<TD VALIGN="TOP">-rw-rw-rw-

<TD VALIGN="TOP">666

<TD>Everybody has read and write permissions on a file. This is bad. You don't want other people to be able to change your files.

<TR>

<TD VALIGN="TOP">-rwx------

<TD VALIGN="TOP">700

<TD>The owner has read, write, and execute permissions. This is what you want for programs that you wish to run.

<TR>

<TD VALIGN="TOP">-rwxr-xr-x

<TD VALIGN="TOP">755

<TD>The owner has read, write, and execute permissions. The rest of the world has read and execute permissions.

<TR>

<TD VALIGN="TOP">-rwxrwxrwx

<TD VALIGN="TOP">777

<TD>Everyone has read, write, and execute privileges. Like the 666 setting, this is bad. Allowing others to edit your files is a cookbook formula for disaster.

<TR>

<TD VALIGN="TOP">-rwx--x--x

<TD VALIGN="TOP">711

<TD>The owner has read, write, and execute privileges. The rest of the world has execute-only permissions. This is useful for programs that you want to let others run, but not copy.

<TR>

<TD VALIGN="TOP">drwx------

<TD VALIGN="TOP">700

<TD>This is a directory created with the <TT><B>mkdir</B></TT> command. Only the owner can read and write into this directory. Note that all the directories must have the executable bit set.

<TR>

<TD VALIGN="TOP">drwxr-xr-x

<TD VALIGN="TOP">755

<TD>This directory can be changed only by the owner, but everyone else can view its contents.

<TR>

<TD VALIGN="TOP">drwx--x--x

<TD VALIGN="TOP">711

<TD>A handy trick to use when you need to keep the files in a directory world readable, but you don't want people to be able to see a directory listing via the <TT>ls</TT> command. A person can read a file only if they already know its filename.

</TABLE>

<P>Now that you're fluent with permissions, learning <TT>chmod</TT> is easy. To change the permissions on a file, log in as the root user and enter the following command:</P>

<!-- CODE SNIP //-->

<PRE>

[root&#64;insoc /root]# chmod <I>permissions file</I>

</PRE>

<!-- END CODE SNIP //-->

<P>where <TT><I>permissions</I></TT> is the three-digit numeric value discussed above, and <TT>file</TT> is the name of the file whose permissions you want to change.</P>

<P>For example, to set the <TT>index.html</TT> file to be changeable by the owner, but only readable by the file's group and the world, the command would be:</P>

<!-- CODE SNIP //-->

<PRE>

[root&#64;insoc /root]# <B>chmod 644 index.html</B>

</PRE>

<!-- END CODE SNIP //-->

<P>To recursively change the permissions on all the files in a specific directory, use the <TT>-R</TT> option in <TT>chmod</TT>. For example, to set the permissions of all the files in <TT>/usr/bin</TT> to 755, you would use:</P>

<!-- CODE SNIP //-->

<PRE>

[root&#64;insoc /root]# chmod -R 755 /usr/bin

</PRE>

<!-- END CODE SNIP //-->

<H3><A NAME="Heading27"></A><FONT COLOR="#000077">Advanced Concepts: Password Authentication Module</FONT></H3>

<P>The Password Authentication Module (PAM) is for those who want to modify the security model that comes with Red Hat. By default, the model is reasonably strict about who may enter the system and, in most instances, does not need to be adjusted. As with the password and group configuration files, though, understanding this subsystem will better prepare you for troubleshooting problems.

</P>



<TABLE BORDER="2" BORDERCOLOR="#0000" ALIGN="CENTER">

<TR><TD><FONT SIZE="+1"><B>What are SetUID programs</B></FONT>

<BR>SetUID is a special permission applied to programs. Remember how everything in Linux has an owner? This concept of ownership applies to programs in execution (processes) as well. Each process is owned by the person who invoked it. For example, if you log in as yourself, start the program <TT><B>xtetris</B></TT>, and then list the running processes using the <TT><B>ps</B></TT> command, you'll see that you are the owner of the <TT><B>xtetris</B></TT> process. But if you do a directory listing on the <TT><B>xtetris</B></TT> program using <TT><B>ls -l</B></TT>, you'll see that the file itself is owned by the root user.

<P>Under normal circumstances, this is good. You want to make programs available to your users to run without giving away the privilege to change them. However, you occasionally run across a need for the program to run not as the user who invokes it, but as the user the file is owned by. The <TT><B>ping</B></TT> command is a common instance of this. For <TT><B>ping</B></TT> to work, it must be run as the root user. To allow normal users of the system to use <TT><B>ping</B></TT>, you can make it SetUID.</P>

<P>To make a file SetUID, prefix the permissions with the number 4. For example:</P>

<!-- CODE SNIP //-->

<PRE>

[root&#64;insoc /root]# chmod 4755 /bin/ping

</PRE>

<!-- END CODE SNIP //-->

</TABLE>
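
<P>An added example, not from the book: a short audit to run over a directory tree before a recursive <TT>chmod</TT>, listing the world-writable files the table above calls bad, the SetUID files, and every file whose mode <TT>chmod -R 755</TT> would alter (a SetUID file in that list would come out as plain 755, losing the bit). The function names and the sample tree are constructed for illustration, and GNU <TT>find</TT> and <TT>stat</TT> are assumed.</P>

```shell
#!/bin/sh
# Added example (not from the book): audit a tree before a recursive chmod.
# Assumes GNU find and GNU stat, as shipped on Linux.

# Regular files the world can write to: the 666 and 777 rows of the table.
world_writable() {
    find "$1" -type f -perm -0002 -print | sort
}

# Regular files carrying the SetUID bit (the leading 4 in 4755).
setuid_files() {
    find "$1" -type f -perm -4000 -print | sort
}

# "current-mode path" for each regular file whose mode is not exactly MODE,
# that is, every file that `chmod -R MODE DIR` would alter.
would_change() {
    find "$2" -type f ! -perm "$1" -exec stat -c '%a %n' {} + | sort -k2
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    printf 'notes\n'     > "$t/notes.txt";  chmod 644  "$t/notes.txt"
    printf 'open\n'      > "$t/shared.txt"; chmod 666  "$t/shared.txt"
    printf '#!/bin/sh\n' > "$t/tool";       chmod 755  "$t/tool"
    printf '#!/bin/sh\n' > "$t/helper";     chmod 4755 "$t/helper"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
echo "World-writable files:";    world_writable "$tree"
echo "SetUID files:";            setuid_files "$tree"
echo "Changed by chmod -R 755:"; would_change 755 "$tree"
rm -rf "$tree"
```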



<P><BR></P>






</td>
</tr>
</table>

<!-- begin footer information -->





</body></html>
