May 19th, 9:00AM-4:30PM, Sunday, Room 304, YangBang Shanghai
1 Understanding fields in /etc/passwd
The /etc/passwd file contains one entry per line for each user (or user account) of the system. All fields are separated by a colon (:) symbol. There are seven fields in total, as follows.
1. Username: It is used when the user logs in. It should be between 1 and 32 characters in length.
2. Password: An x character indicates that the encrypted password is stored in the /etc/shadow file.
3. User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further, UIDs 100-999 are reserved by the system for administrative and system accounts/groups.
4. Group ID (GID): The primary group ID (stored in the /etc/group file).
5. User ID Info: The comment field. It allows you to add extra information about the user, such as the user's full name, phone number, etc. This field is used by the finger command.
6. Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exist, the user's directory becomes /.
7. Command/shell: The absolute path of a command or shell (e.g. /bin/bash). Typically this is a shell, but note that it does not have to be one.
2 Understanding fields in /etc/shadow
The /etc/shadow file stores the actual (hashed) password in encrypted format for each user account, together with additional properties related to the user's password, i.e. it stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in /etc/passwd. Generally, a shadow file entry looks as follows:
1. Username: It is your login name.
2. Password: Your encrypted password. The password should be a minimum of 6-8 characters long, including special characters/digits.
3. Last password change (lastchanged): Days since Jan 1, 1970 that the password was last changed.
4. Minimum: The minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password.
5. Maximum: The maximum number of days the password is valid (after that the user is forced to change his/her password).
6. Warn: The number of days before the password is to expire that the user is warned that his/her password must be changed.
7. Inactive: The number of days after the password expires that the account is disabled.
8. Expire: Days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used.
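To put sections 1 and 2 together, here is an added example (not part of the original notes) that parses both files field by field and flags the entries a reviewer of a host would want to look at: a second UID 0 account, an empty password field, a hash that was never moved to /etc/shadow, or a user with no shadow entry at all. The sample lines and the hash values are constructed placeholders, not data from any real system.

```python
# Constructed sample data, not from any real system; hash values are placeholders.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
allen:x:1001:1001:Allen,Room 304:/home/allen:/bin/bash
backup2:x:0:0:second uid-0 account:/root:/bin/bash
guest::1002:1002::/home/guest:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15843:0:99999:7:::
allen:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15843:0:90:7:30::
backup2:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15843:0:99999:7:::
guest::15843:0:99999:7:::
"""
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
# shadow(5) lines end with a ninth, reserved field after the eight described above.
SHADOW_FIELDS = ("name", "password", "lastchanged", "min", "max",
                 "warn", "inactive", "expire", "reserved")


def parse_colon_file(text, names):
    """Split each non-empty line on ':' and map the pieces to the given field names."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(names):
            raise ValueError(f"line {lineno}: expected {len(names)} fields, got {len(parts)}")
        rows.append(dict(zip(names, parts)))
    return rows


def audit_accounts(passwd_text, shadow_text):
    """Return (username, finding) pairs that a reviewer of these two files should look at."""
    findings = []
    shadow = {row["name"]: row for row in parse_colon_file(shadow_text, SHADOW_FIELDS)}
    for row in parse_colon_file(passwd_text, PASSWD_FIELDS):
        name, uid = row["name"], int(row["uid"])
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 but not root"))
        if row["password"] == "":
            findings.append((name, "empty password field in /etc/passwd"))
        elif row["password"] != "x":
            findings.append((name, "password hash kept in /etc/passwd, not shadowed"))
        entry = shadow.get(name)
        if entry is None:
            findings.append((name, "no /etc/shadow entry"))
        elif entry["password"] == "" and row["shell"] not in ("/usr/sbin/nologin", "/bin/false"):
            findings.append((name, "empty shadow password with a login shell"))
    return findings
```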
3 chown/chgrp
chown allen testfile / chgrp swteam testfile
chown allen:swteam testfile
4 stat
allen@cisco-Lenovo-Product:/share2/allen$ stat back_20130516
File: `back_20130516'
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 803h/2051d Inode: 11562422 Links: 4
Access: (0755/drwxr-xr-x) Uid: ( 1001/ allen) Gid: ( 1001/ allen)
Access: 2013-05-23 11:06:20.000000000 +0800
Modify: 2013-05-16 14:49:26.000000000 +0800
Change: 2013-05-16 14:49:26.000000000 +0800
Modify stamp: when the content of the file changes.
Change stamp: when the content or the attributes (metadata such as mode, owner or link count) of the file change.
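An added example (not from the original notes) that shows the Modify/Change distinction in practice: a chmod is an attribute-only operation, so it advances the Change stamp while leaving the Modify stamp untouched, which is why forensic timelines compare both. The file name is borrowed from the stat output above, and the pinned timestamp is 2013-05-16 14:49:26 +0800 expressed in seconds since the epoch.

```python
import os
import stat
import tempfile
import time


def mtime_vs_ctime_demo():
    """Return which timestamps an attribute-only chmod moved on a fresh file."""
    with tempfile.TemporaryDirectory() as tmp:
        # File name borrowed from the stat output in the notes; contents are constructed.
        path = os.path.join(tmp, "back_20130516")
        with open(path, "w") as fh:
            fh.write("backup contents\n")
        # Pin atime/mtime to 2013-05-16 14:49:26 +0800 (06:49:26 UTC) so a later
        # change would be unmistakable. utime itself updates ctime to "now".
        pinned = 1368686966
        os.utime(path, (pinned, pinned))
        before = os.stat(path)
        time.sleep(0.05)  # exceed the kernel's coarse inode-timestamp granularity
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # attribute-only: content untouched
        after = os.stat(path)
        return {
            "mtime_pinned": int(before.st_mtime) == pinned,
            "mtime_unchanged_by_chmod": before.st_mtime_ns == after.st_mtime_ns,
            "ctime_advanced_by_chmod": after.st_ctime_ns > before.st_ctime_ns,
            "mode_after": stat.filemode(after.st_mode),
        }
```

Because utime can rewrite the Modify stamp but not the Change stamp, a file whose Modify time is older than its Change time is exactly the pattern this function produces.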
5 -- option
How to access a file whose name looks like "-test" (the -- marks the end of options, so the name is not parsed as a flag).
cat -- -test
ls -- -l -test
6 umask
When a user creates a file or directory under Linux, she creates it with a default set of permissions. In most cases the system defaults may be open or relaxed for file-sharing purposes. For example, if a text file has 666 permissions, it grants read and write permission to everyone. Similarly, a directory with 777 permissions grants read, write and execute permission to everyone.
The user file-creation mode mask (umask) is used to determine the file permissions for newly created files. It can be used to control the default file permissions for new files. It is a four-digit octal number. A umask can be set or expressed using:
1. Symbolic values
2. Octal values
We can set up the umask in the /etc/bashrc or /etc/profile file for all users.
By default most Linux distros set it to 0022 (022) or 0002 (002). Open the /etc/profile or ~/.bashrc file, enter: # vi /etc/profile
OR $ vi ~/.bashrc
Append/modify the following line to set up a new umask: umask 022
Save and close the file. Changes will take effect after the next login.
All Linux users can override the system umask defaults in their /etc/profile file, ~/.profile (Korn / Bourne shell), ~/.cshrc file (C shells), ~/.bash_profile (Bash shell) or ~/.login file (defines the user's environment at login).
7 usermod
How to add the first affiliated group. --> usermod -G sw_team1 allen
How to modify the first affiliated group. --> usermod -g sw_team2 allen
How to add the second affiliated group. --> usermod -a -G dirver_team allen (without -a, -G replaces the existing list of supplementary groups instead of appending to it)
8 Advanced file permissions- SUID, SGID and Sticky Bit
SUID - 4, file, flag: 's' or 'S'
SGID - 2, file, flag: 's' or 'S'
Sticky - 1, directory, flag: 't' or 'T'
$ ls -ld /tmp
drwxrwxrwt 29 root root 36864 Mar 21 19:49 /tmp
$ which passwd
/usr/bin/passwd
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 22984 Jan 6 2007 /usr/bin/passwd
What are these "s" and "t" bits? The vector of permission bits is really 4 * 3 bits long. Yes, there are 12 permission bits, not just 9. The first three bits are special and are frequently zero. We almost always learn about the trailing 9 bits first, and some people stop there and never learn those first three bits.
SUID
By default, when a user executes a file, the process which results from this execution has the same permissions as those of the user. In fact, the process inherits the user's default group and user identification.
If you set the SUID attribute on an executable file, the process resulting from its execution doesn't use the user's identification but the user identification of the file owner.
The SUID mechanism, invented by Dennis Ritchie, is a potential security hazard. It lets a user acquire hidden powers by running such a file owned by root.
SGID
The set-group-id (SGID) bit is similar to SUID except that a program with SGID set allows the user to have the same power as the group which owns the program.
It is really useful in case you have a real multi-user setup where users access each other's files. As a single home user I haven't really found a lot of use for SGID. But the basic concept is the same as for SUID: SGID also grants privileges and access rights to the process running the command, but instead of receiving those of the file's owner it receives those of the file's group. In other words, the process's group owner will be set to the file's group.
Sticky Bit
The sticky bit (also called the saved-text bit) is the last permission bit remaining to be discussed. It applies to both regular files and directories. When applied to a regular file, it ensured that the text image of a program with the bit set was permanently kept in the swap area so that it could be reloaded quickly when the program's turn to use the CPU arrived. Previously, it made sense to have this bit set for programs like vi and emacs. Today, machines with ultra-fast disk drives and lots of cheap memory don't need this bit for ordinary files, and it is useless there.
However, the sticky bit becomes a useful security feature when used with a directory. The UNIX/Linux system allows users to create files in /tmp, but none can delete files not owned by them. That's possible because the sticky bit is set on the /tmp directory.
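An added example (not from the original notes) that ties section 6 and section 8 together: it renders the full 12-bit permission vector the way ls does (including the 's'/'S' and 't'/'T' flags), computes what a umask leaves of the default 666/777 modes, and scans a constructed inventory of paths for set-uid/set-gid files and world-writable directories that lack the sticky bit. Apart from /usr/bin/passwd, /tmp and back_20130516, which appear in the notes, the inventory paths are hypothetical.

```python
import stat


def mode_to_string(mode):
    """Render the low 12 permission bits the way ls does, e.g. 0o4755 -> 'rwsr-xr-x'."""
    chars = []
    for shift in (6, 3, 0):  # user, group, other triples
        triple = (mode >> shift) & 0o7
        chars += ["r" if triple & 4 else "-",
                  "w" if triple & 2 else "-",
                  "x" if triple & 1 else "-"]
    # The three special bits overwrite the execute slot of their triple:
    # lower case when that execute bit is also set, upper case when it is not.
    for bit, letter, slot in ((stat.S_ISUID, "s", 2), (stat.S_ISGID, "s", 5), (stat.S_ISVTX, "t", 8)):
        if mode & bit:
            chars[slot] = letter if chars[slot] == "x" else letter.upper()
    return "".join(chars)


def apply_umask(umask, directory=False):
    """Mode a new file (requested 666) or directory (requested 777) gets under this umask."""
    requested = 0o777 if directory else 0o666
    return requested & ~umask & 0o777


# Constructed inventory of (path, st_mode, owner); paths not in the notes are hypothetical.
INVENTORY = [
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, "root"),
    ("/tmp", stat.S_IFDIR | 0o1777, "root"),
    ("/share2/allen/back_20130516", stat.S_IFDIR | 0o755, "allen"),
    ("/opt/tool/helper", stat.S_IFREG | 0o4711, "root"),  # hypothetical set-uid binary
    ("/srv/upload", stat.S_IFDIR | 0o777, "root"),        # hypothetical, no sticky bit
    ("/srv/notes.txt", stat.S_IFREG | 0o666, "allen"),    # hypothetical world-writable file
]


def audit_modes(inventory):
    """Return (path, finding) pairs for the permission patterns section 8 warns about."""
    findings = []
    for path, mode, owner in inventory:
        perms = stat.S_IMODE(mode)
        if stat.S_ISREG(mode) and perms & (stat.S_ISUID | stat.S_ISGID):
            kind = "set-uid" if perms & stat.S_ISUID else "set-gid"
            findings.append((path, f"{kind} file owned by {owner}: {mode_to_string(perms)}"))
        if stat.S_ISDIR(mode) and perms & stat.S_IWOTH and not perms & stat.S_ISVTX:
            findings.append((path, "world-writable directory without sticky bit"))
        if stat.S_ISREG(mode) and perms & stat.S_IWOTH:
            findings.append((path, "world-writable file"))
    return findings
```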