<HTML>

<HEAD>

<TITLE>Developer.com - Online Reference Library - 0672311739:RED HAT LINUX 2ND EDITION:System Security</TITLE>

<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
        var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>





<!-- ISBN=0672311739 //-->

<!-- TITLE=RED HAT LINUX 2ND EDITION //-->

<!-- AUTHOR=DAVID PITTS ET AL //-->

<!-- PUBLISHER=MACMILLAN //-->

<!-- IMPRINT=SAMS PUBLISHING //-->

<!-- PUBLICATION DATE=1998 //-->

<!-- CHAPTER=20 //-->

<!-- PAGES=0395-0410 //-->

<!-- UNASSIGNED1 //-->

<!-- UNASSIGNED2 //-->









<P><CENTER>

<a href="0401-0402.html">Previous</A> | <a href="../ewtoc.html">Table of Contents</A> | <a href="0407-0410.html">Next</A>

</CENTER></P>



<A NAME="PAGENUM-403"><P>Page 403</P></A>











<P>the file. First, it tells you the permissions. Next, it tells you how many links the file has. It
then tells you who owns the file (dpitts) and what group is associated with the file
(users), followed by the size of the file in bytes (22). After that, the date and time the file was last modified
is given. Finally, the name of the file is listed
(test). The permissions field is actually made up of four sections. The first section is a single character that identifies the type of object
listed. Check Table 20.1 to determine what the different options are for this field.
</P>









<P>Table 20.1. Object type identifier.</P>

<TABLE WIDTH="360">

<TR><TD>

<B>Character</B>

</TD><TD>

<B>Description</B>

</TD></TR>

<TR><TD>

-

</TD><TD>

Plain file

</TD></TR>

<TR><TD>

b

</TD><TD>

Block special file

</TD></TR>

<TR><TD>

c

</TD><TD>

Character special file

</TD></TR>

<TR><TD>

d

</TD><TD>

Directory

</TD></TR>

<TR><TD>

l

</TD><TD>

Symbolic link

</TD></TR>

<TR><TD>

p

</TD><TD>

Named pipe

</TD></TR>

<TR><TD>

s

</TD><TD>

Socket

</TD></TR>

</TABLE>









<P>Following the file type identifier are the three sets of permissions:

rwx (owner), r-- (group), and r-- (other).

</P>



<CENTER>

<TABLE BGCOLOR="#FFFF99">

<TR><TD><B>

NOTE

</B></TD></TR>

<TR><TD>

<BLOCKQUOTE>

<BR>A small explanation needs to be made as to what read, write, and execute actually
mean. For files, a user who has read capability can see the contents of the file, a user who
has write capability can change it, and a user who has execute permission can run it. If the
file to be executed is a script, the user must have both read and execute permission: the
kernel starts the interpreter named on the #! line, and that interpreter then has to open and
read the script as an ordinary file with the user's own permissions. If the file is a binary, just
the execute permission is required, because the kernel loads the program itself. Note that root
bypasses the read and write checks entirely and can execute any file that has at least one execute bit set.

</BLOCKQUOTE></TD></TR>

</TABLE></CENTER>

<BR>



<H4>

Directories

</H4>









<P>The permissions on a directory are the same as those used by files: read, write, and
execute. The actual permissions, though, mean different things. For a directory, read access provides
the ability to list the names of the files in the directory. It does not allow the other
attributes to be seen (owner, group, size, and so on); that requires execute access as well. Write access provides the ability to alter
the directory contents, that is, to create, delete, and rename entries. Two caveats matter for security: creating or deleting an entry also
requires execute access on the directory, and write access lets the user remove or rename any entry in it, including files owned by
someone else (unless the directory's sticky bit is set, as it is on /tmp).
Finally, execute access lets the user make the directory the current directory and reach the files inside it by name.
</P>



<A NAME="PAGENUM-404"><P>Page 404</P></A>













<P>Table 20.2 summarizes the differences between the permissions for a file and those for a

directory.

</P>









<P>Table 20.2. File permissions versus directory permissions.

</P>



<TABLE WIDTH="360">

<TR><TD>

<B>Permission</B>

</TD><TD>

<B>File</B>

</TD><TD>

<B>Directory</B>

</TD></TR>

<TR><TD>

r

</TD><TD>

View the contents

</TD><TD>

List the names in it

</TD></TR>

<TR><TD>

w

</TD><TD>

Alter file contents

</TD><TD>

Alter directory contents

</TD></TR>

<TR><TD>

x

</TD><TD>

Run executable file

</TD><TD>

Enter it (cd) and reach its entries by name

</TD></TR>

</TABLE>









<P>Combinations of these permissions also allow certain tasks. For example, I already
mentioned that it takes both read and execute permission to execute a script. This is because the
script has to be read as data: the kernel looks at the first line (remember that
#! /local/bin/perl tells it to run the
/local/bin/perl executable, passing the path of the script as an argument), and the interpreter
then opens the file and reads the rest of it with the user's own permissions. There
are other combinations that allow certain functionality. Table 20.3 describes the different
combinations of permissions and what they mean, both for a file and for a directory.
</P>









<P>Table 20.3. Comparison of file and directory permission combinations.

</P>



<TABLE WIDTH="360">

<TR><TD>

<B>Permission</B>

</TD><TD>

<B>File</B>

</TD><TD>

<B>Directory</B>

</TD></TR>

<TR><TD>

---

</TD><TD>

Cannot do anything with it.

</TD><TD>

Cannot access it or any of its

subdirectories.

</TD></TR>

<TR><TD>

r--

</TD><TD>

Can see the contents.

</TD><TD>

Can list the names in it, but cannot enter it or open its entries.

</TD></TR>

<TR><TD>

rw-

</TD><TD>

Can see and alter the contents.

</TD><TD>

Can list the names in it, but without execute still cannot enter it or create or delete entries.

</TD></TR>

<TR><TD>

rwx

</TD><TD>

Can see and change the contents,

as well as execute the file.

</TD><TD>

Can list the contents, add or

remove files, and make the direc-

tory the current directory (cd to it).

</TD></TR>

<TR><TD>

r-x

</TD><TD>

Can see the contents and execute
the file; this is the minimum a
script needs.

</TD><TD>

Provides ability to change to

directory and list contents, but

cannot delete or add files to

directory.

</TD></TR>

<TR><TD>

--x

</TD><TD>

Can execute if a binary.

</TD><TD>

Cannot list it, but can enter it and open
or execute an entry whose name is already known.

</TD></TR>

</TABLE>
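<P>The combinations in Table 20.3 are easy to get wrong from memory, so here is an added example (not from the book) that builds a small constructed tree in a temporary directory and probes each case: a script with r-x versus --x, and a directory with rwx, r-x, rw-, and --x. The file names, the temp directory, and the helper functions are all assumptions of this example. Run it as an ordinary user; root bypasses these checks, so every probe would answer "yes".</P>

```sh
#!/bin/sh
# Added example (not from the book): probe what each permission combination
# from Table 20.3 actually allows, using a constructed tree in a temp directory.
# Root bypasses these checks (CAP_DAC_OVERRIDE), so run it as an ordinary user.

# mode_of PATH -> the ten-character type+permission field that ls prints
mode_of() { ls -ld "$1" | cut -c1-10; }

# probe CMD ARGS... -> "yes" if the command succeeds, "no" otherwise
probe() { if "$@" >/dev/null 2>&1; then echo yes; else echo no; fi; }

# setup_tree -> creates $LAB with a shell script and a directory holding one file
setup_tree() {
    LAB=$(mktemp -d "${TMPDIR:-/tmp}/permlab.XXXXXX")
    printf '#!/bin/sh\necho hello\n' > "$LAB/script.sh"   # constructed sample script
    mkdir "$LAB/dir"
    echo secret > "$LAB/dir/known.txt"                    # constructed sample file, mode 644
}

# cleanup_tree -> restore access to the directory so rm can remove the tree
cleanup_tree() { chmod 700 "$LAB/dir"; rm -rf "$LAB"; }

# script_runs_with MODE -> can script.sh be executed when it has MODE?
script_runs_with() { chmod "$1" "$LAB/script.sh"; probe "$LAB/script.sh"; }

# dir_lists_with MODE -> can the names inside dir be listed? (needs r)
dir_lists_with() {
    chmod "$1" "$LAB/dir"
    if ls "$LAB/dir" 2>/dev/null | grep -q known; then echo yes; else echo no; fi
}

# dir_creates_with MODE -> can a new file be created inside dir? (needs w AND x)
dir_creates_with() { chmod "$1" "$LAB/dir"; probe touch "$LAB/dir/new.$1"; }

# dir_opens_known_with MODE -> can a file whose name we already know be read? (needs x)
dir_opens_known_with() { chmod "$1" "$LAB/dir"; probe cat "$LAB/dir/known.txt"; }

# Walk the combinations and print one line per probe.
demo() {
    setup_tree
    for m in 500 100; do
        r=$(script_runs_with "$m")
        printf 'script.sh %s %s: runs=%s\n' "$m" "$(mode_of "$LAB/script.sh")" "$r"
    done
    for m in 700 500 600 100; do
        l=$(dir_lists_with "$m"); c=$(dir_creates_with "$m"); o=$(dir_opens_known_with "$m")
        printf 'dir %s %s: list=%s create=%s open-known=%s\n' \
            "$m" "$(mode_of "$LAB/dir")" "$l" "$c" "$o"
    done
    cleanup_tree
}
demo
```

<P>As a non-root user the script runs with 500 but not with 100 (the interpreter cannot open it), the directory with 600 lists names but refuses both cd and file creation, and the directory with 100 refuses a listing yet still hands over known.txt by name.</P>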









<P>As stated, the permissions can also be manipulated with a numeric coding system. The
basic concept is the same as the letter coding system. As a matter of fact, the permissions
are exactly the same bits; the difference is only in how they are written. The numeric system uses
binary
</P>



<A NAME="PAGENUM-405"><P>Page 405</P></A>











<P>counting to give each permission a value, adds the values within each set, and writes the three sums as one number. Also, the
find command can accept permissions as an argument
using the -perm option. In that case, the
permissions are given in their numeric form (GNU find also accepts the symbolic form). For example,
find / -perm -4000 lists every file that has the set-user-ID bit (4000) set, a standard check when
auditing a system.
</P>









<P>Each set of three permissions is read as a three-digit binary number, counting from right to left:
execute is the 1s place, write the 2s place, and read the 4s place. Therefore, if you look at a file, you can
easily come up with its numeric coding system value. The following file has full permissions for
the owner and read permissions for the group and the world:
</P>





<!-- CODE SNIP //-->

<PRE>

shell:/home/dpitts$ ls -la test

-rwxr--r--   1 dpitts   users          22 Sep 15 00:49 test

</PRE>

<!-- END CODE SNIP //-->











<P>This would be coded as 744. Table 20.4 explains how this number was achieved.

</P>









<P>Table 20.4. Numeric permissions.</P>

<TABLE WIDTH="360">

<TR><TD>

<B>Permission</B>

</TD><TD>

<B>Value</B>

</TD></TR>

<TR><TD>

Read

</TD><TD>

4

</TD></TR>

<TR><TD>

Write

</TD><TD>

2

</TD></TR>

<TR><TD>

Execute

</TD><TD>

1

</TD></TR>

</TABLE>







<P>Permissions use an additive process. Therefore, a person with read, write, and execute

permissions to a file would have a 7 (4+2+1). Read and execute would have a value of

5. Remember, there are three sets of values, so each section would have its own value.

</P>









<P>Table 20.5 shows both the numeric system and the character system for the permissions.

</P>









<P>Table 20.5. Comparison of numeric and character permissions.

</P>



<TABLE WIDTH="360">

<TR><TD>

<B>Permission</B>

</TD><TD>

<B>Numeric</B>

</TD><TD>

<B>Character</B>

</TD></TR>

<TR><TD>

Read-only

</TD><TD>

4

</TD><TD>

r--

</TD></TR>

<TR><TD>

Write-only

</TD><TD>

2

</TD><TD>

-w-

</TD></TR>

<TR><TD>

Execute-only

</TD><TD>

1

</TD><TD>

--x

</TD></TR>

<TR><TD>

Read and write

</TD><TD>

6

</TD><TD>

rw-

</TD></TR>

<TR><TD>

Read and execute

</TD><TD>

5

</TD><TD>

r-x

</TD></TR>

<TR><TD>

Read, write, and execute

</TD><TD>

7

</TD><TD>

rwx

</TD></TR>

</TABLE>
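<P>Tables 20.4 and 20.5 give the per-set arithmetic by hand. The following added example (not from the book) carries out the same additive process in the shell, in both directions, for a whole mode string such as the one ls prints. It goes beyond the table in one way: it also handles the s, S, t, and T characters of the special-purpose modes introduced in the next section, which form a fourth, leading digit (4 for suid, 2 for sgid, 1 for the sticky bit). The function names are this example's own.</P>

```sh
#!/bin/sh
# Added example (not from the book): convert between the character form that
# ls prints and the numeric (octal) form that chmod and find -perm accept.
# Special bits (s/S in owner or group, t/T in other) become a leading digit.

# char_at STRING N -> the Nth character of STRING (1-based)
char_at() { printf '%s' "$1" | cut -c"$2"; }

# sym_to_octal MODE -> octal mode; accepts "rwxr--r--" or the full "-rwxr--r--"
sym_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=${s#?}        # drop the file-type character
    special=0; digits=""
    i=0
    while [ "$i" -lt 3 ]; do            # owner, group, other
        r=$(char_at "$s" $((i*3+1))); w=$(char_at "$s" $((i*3+2))); x=$(char_at "$s" $((i*3+3)))
        v=0
        [ "$r" = r ] && v=$((v+4))
        [ "$w" = w ] && v=$((v+2))
        case $x in x|s|t) v=$((v+1)) ;; esac          # lowercase s/t include execute
        case $x in                                       # special bit for this triplet
            s|S) if [ "$i" -eq 0 ]; then special=$((special+4)); else special=$((special+2)); fi ;;
            t|T) special=$((special+1)) ;;
        esac
        digits="$digits$v"
        i=$((i+1))
    done
    if [ "$special" -eq 0 ]; then echo "$digits"; else echo "$special$digits"; fi
}

# octal_to_sym MODE -> nine-character form, e.g. 4755 -> rwsr-xr-x
octal_to_sym() {
    m=$1
    [ ${#m} -eq 3 ] && m="0$m"          # no special digit given
    special=$(char_at "$m" 1)
    out=""
    i=0
    while [ "$i" -lt 3 ]; do
        d=$(char_at "$m" $((i+2)))
        r=-; w=-; x=-
        [ $((d & 4)) -ne 0 ] && r=r
        [ $((d & 2)) -ne 0 ] && w=w
        [ $((d & 1)) -ne 0 ] && x=x
        # the special digit maps 4 -> owner triplet, 2 -> group, 1 -> other
        if [ $((special & (4 >> i))) -ne 0 ]; then
            if [ "$i" -eq 2 ]; then letter=t; else letter=s; fi
            # execute set: lowercase; execute clear: uppercase (bit set but unusable)
            if [ "$x" = x ]; then x=$letter; else x=$(printf '%s' "$letter" | tr a-z A-Z); fi
        fi
        out="$out$r$w$x"
        i=$((i+1))
    done
    echo "$out"
}

# Round-trip the book's example file and the suid/sgid variants shown later.
for mode in -rwxr--r-- -rwsr--r-- -rwxr-sr-- -rwxrwxrwt; do
    oct=$(sym_to_octal "$mode")
    printf '%s -> %s -> %s\n' "$mode" "$oct" "$(octal_to_sym "$oct")"
done
```

<P>chmod accepts either form, so the conversion is mostly useful when reading ls output into a script or when building the argument for find -perm, which wants the numeric one.</P>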





<P>Permissions can be changed using the chmod command. With the numeric system, the
chmod command must be given the value for all three fields. Therefore, to change a file to read,
write, and execute by everyone, the following command would be issued (mode 777 makes the file
world-writable, so any user on the system can replace its contents; it is shown here for illustration and is rarely what you want):
</P>





<!-- CODE SNIP //-->

<PRE>

$ chmod 777 &lt;filename&gt;

</PRE>

<!-- END CODE SNIP //-->





<A NAME="PAGENUM-406"><P>Page 406</P></A>













<P>To perform the same task with the character system, the following command would be issued:

</P>





<!-- CODE SNIP //-->

<PRE>

$ chmod a+rwx &lt;filename&gt;

</PRE>

<!-- END CODE SNIP //-->











<P>Of course, more than one type of permission can be specified at one time. The following

command adds write access for the owner of the file, and adds read and execute access to the

group and everyone else:

</P>





<!-- CODE SNIP //-->

<PRE>

$ chmod u+w,og+rx &lt;filename&gt;

</PRE>

<!-- END CODE SNIP //-->











<P>The advantage that the character system provides is that you do not have to know what
the previous permissions are. You can selectively add or remove permissions without worrying
about the rest. With the numeric system, each section of users must always be specified, and the
number replaces the whole mode rather than adjusting it. The
downside of the character system is when complex changes are being made. Looking at the
preceding example (chmod u+w,og+rx
&lt;filename&gt;), it might have been easier to use the numeric
system and replace all those letters with three numbers:
755. Be aware that the two are equivalent only because the owner of the example file already has read and
execute permission. On a file whose owner lacks execute, u+w,og+rx leaves the owner without it (655), whereas 755 grants it.
</P>
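<P>To make the difference between the two systems concrete, here is an added example (not from the book) that applies a symbolic change and its supposed numeric equivalent to fresh temporary files with different starting modes and reports what ls shows afterwards. The temporary files and the helper function names are this example's own.</P>

```sh
#!/bin/sh
# Added example (not from the book): a symbolic chmod adjusts the existing
# mode, a numeric chmod replaces it. Each call works on a fresh temp file.

# perms_of PATH -> the nine permission characters that ls prints
perms_of() { ls -ld "$1" | cut -c2-10; }

# mode_after START CHANGE -> permissions of a new file after
#   chmod START then chmod CHANGE (START is numeric, CHANGE is either form)
mode_after() {
    f=$(mktemp "${TMPDIR:-/tmp}/chmodlab.XXXXXX")   # constructed scratch file
    chmod "$1" "$f"
    chmod "$2" "$f"
    perms_of "$f"
    rm -f "$f"
}

# Same starting point as the book's example file (rwxr--r--): both agree.
mode_after 744 u+w,og+rx     # rwxr-xr-x
mode_after 744 755           # rwxr-xr-x

# Owner lacks execute: the symbolic form adds only what it names.
mode_after 600 u+w,og+rx     # rw-r-xr-x
mode_after 600 755           # rwxr-xr-x

# The book's a+rwx on a typical file, and undoing a world-writable mode.
mode_after 644 a+rwx         # rwxrwxrwx
mode_after 777 go-w          # rwxr-xr-x
```

<P>When a script has to put a file into a known state regardless of what it was before, the numeric form is the safer choice; when the intent is "take write away from group and others and touch nothing else", the symbolic form says exactly that.</P>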









<H4><A NAME="ch20_ 14">





How suid and sgid Fit into This Picture

</A></H4>









<P>The special-purpose access modes suid and sgid add an extra character to the picture.

Before looking at what a file looks like with the different special access modes, check Table 20.6

for the identifying characters for each of the modes and a reminder as to what they mean.

</P>









<P>Table 20.6. Special-purpose access modes.</P>



<TABLE WIDTH="360">

<TR><TD>

<B>Code</B>

</TD><TD>

<B>Name</B>

</TD><TD>

<B>Meaning</B>

</TD></TR>

<TR><TD>

s

</TD><TD>

suid

</TD><TD>

Sets process user ID on execution

</TD></TR>

<TR><TD>

s

</TD><TD>

sgid

</TD><TD>

Sets process group ID on execution

</TD></TR>

</TABLE>





<P>suid and sgid are used on executables. Therefore, the code is placed where the code for
the executable would normally go: an s in the owner's execute position means suid, and an s in the group's
execute position means sgid. If the bit is set but the corresponding execute permission is not,
ls shows a capital S instead. In the numeric system the special bits form a fourth, leading digit
(4 for suid, 2 for sgid), so a file shown as rwsr-xr-x is 4755. Because a suid program runs with the
privileges of the file's owner, a suid root file hands root privileges to any user who finds a bug in it;
keep the set of such files small and know what is in it. The following file has
suid set:
</P>







<!-- CODE SNIP //-->

<PRE>

$ ls -la test

-rwsr--r--   1 dpitts   users          22 Sep 15 00:49 test

</PRE>

<!-- END CODE SNIP //-->













<P>The difference between the suid being set and the

sgid being set is the placement of the code. The same file with

sgid active would look like this:

</P>





<!-- CODE SNIP //-->

<PRE>

$ ls -la test

-rwxr-sr--   1 dpitts   users          22 Sep 15 00:49 test

</PRE>

<!-- END CODE SNIP //-->











<P>To set the suid with the character system, the following command would be executed (with the numeric system, put a 4 in front of the mode instead, for example chmod 4755):
</P>





<!-- CODE SNIP //-->

<PRE>

$ chmod u+s &lt;filename&gt;

</PRE>

<!-- END CODE SNIP //-->











<P>To set the sgid with the character system, the following command would be executed (the numeric equivalent puts a 2 in front of the mode, for example chmod 2755):
</P>





<!-- CODE SNIP //-->

<PRE>

$ chmod g+s &lt;filename&gt;

</PRE>

<!-- END CODE SNIP //-->
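<P>The find -perm option mentioned on page 405 and the suid and sgid modes set above come together in the one check every administrator should run: an inventory of the set-user-ID and set-group-ID files on the system. The following added example (not from the book) builds a constructed tree containing a setuid file, a setgid file, a plain file, and a file with suid set but no execute bit, then shows what ls prints for each and locates the special ones with find. The file names, the temp directory, and the function names are this example's own.</P>

```sh
#!/bin/sh
# Added example (not from the book): build a constructed tree with setuid and
# setgid files, then locate them the way an audit would, with find -perm.
# Run as an ordinary user; the files are the user's own, so chmod works.

# mode_of PATH -> the ten-character type+permission field that ls prints
mode_of() { ls -ld "$1" | cut -c1-10; }

# setup_suid_lab -> $LAB holds one setuid, one setgid, one plain file, and
# one file with suid set but no execute bit (ls shows S instead of s)
setup_suid_lab() {
    LAB=$(mktemp -d "${TMPDIR:-/tmp}/suidlab.XXXXXX")
    for f in suid_bin sgid_bin plain odd; do
        printf '#!/bin/sh\nid\n' > "$LAB/$f"      # constructed stand-in programs
    done
    chmod 755 "$LAB/suid_bin"; chmod u+s "$LAB/suid_bin"   # same result as chmod 4755
    chmod 2755 "$LAB/sgid_bin"                             # same result as chmod g+s on 755
    chmod 0755 "$LAB/plain"
    chmod 4644 "$LAB/odd"                                  # suid without execute -> rwS
}

# find_special DIR -> sorted, space-separated names of regular files with the
# setuid or setgid bit set. "-perm -4000" matches when every bit in 4000 is
# set, whatever the other bits are, so it finds 4755, 4644, 4111 and so on.
find_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sed 's|.*/||' | sort | paste -s -d ' ' -
}

setup_suid_lab
echo "setuid: $(mode_of "$LAB/suid_bin")"        # -rwsr-xr-x
echo "setgid: $(mode_of "$LAB/sgid_bin")"        # -rwxr-sr-x
echo "odd:    $(mode_of "$LAB/odd")"             # -rwSr--r--
echo "special files: $(find_special "$LAB")"     # odd sgid_bin suid_bin
rm -rf "$LAB"
```

<P>On a live system the same search is run as root over the whole machine, for example find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print, and the result compared against the list of programs that are expected to be privileged; anything unexpected, in particular a suid root file in a writable location such as /tmp, is worth investigating.</P>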





<P><CENTER>

<a href="0401-0402.html">Previous</A> | <a href="../ewtoc.html">Table of Contents</A> | <a href="0407-0410.html">Next</A>

</CENTER></P>











</td>
</tr>
</table>

<!-- begin footer information -->





</body></html>
