Post on 11-Jan-2016
Unix System Administration
Rootly Powers
Chapter 3
Owners Shmoners
Every Unix file has both an owner and a group owner
Only the owner (or the superuser) can modify permissions on a file
The owner is always a single person (actually, they can be married too)
The owner can specify which operations the group owners may perform on a file
Where Do These “Owners” Reside?
Owners can be found in /etc/passwd
Group owners can be found either in /etc/group or by looking at the GID field of users in /etc/passwd
Hey, Who Owns this Process? Get it off my lawn!
The kernel associates 4 numbers with each process: a real and an effective UID, and a real and an effective GID (modern kernels also keep a saved set-UID/set-GID and a list of supplementary groups)
Normally the real and effective numbers are the same
Running a SETUID or SETGID program changes them: the effective UID/GID becomes the owner/group of the program file, while the real IDs still identify the user who ran it
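The rule the slide describes, worked through in code. This is an added example, not part of the original slides: it reads the four numbers for the running process, models what exec() of a set-UID or set-GID file does to them, and shows the drop-privileges sequence a set-UID program should run once it no longer needs root. The dictionary keys (ruid, euid, rgid, egid) and the sample UIDs in the test are assumptions chosen for illustration; the nosuid-mount and interpreted-script cases, which the kernel also treats specially, are not modelled.

```python
import os
import stat


def current_credentials():
    """The four numbers from the slide, read from the kernel for this process."""
    return {
        "ruid": os.getuid(), "euid": os.geteuid(),
        "rgid": os.getgid(), "egid": os.getegid(),
    }


def privileges_elevated(creds=None):
    """True when effective and real IDs differ, i.e. we are running inside a
    set-UID/set-GID program (or someone switched IDs and never dropped them)."""
    c = creds if creds is not None else current_credentials()
    return c["ruid"] != c["euid"] or c["rgid"] != c["egid"]


def credentials_from_mode(mode, owner_uid, owner_gid, caller):
    """Model of the exec() rule: real IDs are inherited from the caller; the
    effective UID/GID become the file's owner/group only when the set-UID /
    set-GID bit is set. (Assumption: the file is on a mount without nosuid.)"""
    c = dict(caller)
    if mode & stat.S_ISUID:
        c["euid"] = owner_uid
    if mode & stat.S_ISGID:
        c["egid"] = owner_gid
    return c


def credentials_after_exec(path, caller=None):
    """The same rule applied to a real file on disk, e.g. /usr/bin/passwd."""
    st = os.stat(path)
    return credentials_from_mode(st.st_mode, st.st_uid, st.st_gid,
                                 caller or current_credentials())


def drop_privileges():
    """Give elevated IDs back permanently. Groups first (once the UID is
    unprivileged we may no longer be allowed to change GIDs), all three IDs
    (real, effective, saved) where the platform supports it, then verify:
    a drop that silently fails is worse than never elevating at all."""
    if not privileges_elevated():
        return current_credentials()      # nothing to drop
    ruid, rgid = os.getuid(), os.getgid()
    if hasattr(os, "setresuid"):
        os.setresgid(rgid, rgid, rgid)
        os.setresuid(ruid, ruid, ruid)
    else:
        os.setgid(rgid)
        os.setuid(ruid)
    if privileges_elevated():
        raise RuntimeError("privilege drop failed")
    return current_credentials()


if __name__ == "__main__":
    me = current_credentials()
    print("this process:", me, "elevated:", privileges_elevated(me))
    for path in ("/usr/bin/passwd", "/bin/ls"):
        if os.path.exists(path):
            print(path, "would run with", credentials_after_exec(path, me))
```

Run as an ordinary user, the script reports that /usr/bin/passwd (set-UID root on most systems) would execute with euid 0 but your own ruid, which is exactly why passwd can write /etc/shadow yet still knows whose entry to change. The drop sequence is the one a set-UID program should call after it has done its privileged work.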
I Am The Superuser -- Step Aside Clark Kent
UID 0
Called “root” by convention (but not required: any account with UID 0 is the superuser)
The superuser can modify any file, file permission or process
The superuser is all knowing, all powerful
Hail the superuser!
Don’t Forget To Lock the Store!
Choose a good root password
With the traditional DES-based crypt(3), only the first 8 characters of a password are significant, so a root password on such a system should use all eight
Modern password hashes (MD5/SHA-512 crypt, bcrypt) have no such limit; there, longer is better
Use a mixture of letters, numbers, symbols
Good Password Hygiene
Change the root password every so often, especially if several people have access to it
Try running a password cracker such as “crack” against it for a few days; if it falls, change it
Don’t write it on a Post-It™ and stick it to your monitor
Don’t have it tattooed on your forehead
Try using “sudo” instead of giving out the root password
How do you sudo?
Sudo is a program that gives users limited root access: it runs specific programs as root on their behalf
/etc/sudoers lists users (or groups of users) and the programs they may run as root
Don’t give users access to programs that can “shell out” to a Unix prompt (editors, pagers, find, interpreters). The shell they get will have root access
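An audit of the “shell out” problem, as an added example that is not part of the original slides and not sudo’s own code. It parses the user specifications of a sudoers file, tracks the NOEXEC:/EXEC: tags the way sudoers(5) describes (a tag persists across the command list until the opposite tag cancels it), and reports every grant that hands out a root prompt. The list of escape-capable programs, the sample sudoers text and the user names are constructed for illustration; the parser handles plain user specs only, not aliases or included files.

```python
import os
import re

# Programs that let the invoker "shell out" to an interactive prompt
# (:!sh in vi, !sh in less/more/man, find -exec sh, awk's system(), ...).
# Under sudo, that prompt runs as root. Illustrative list, not exhaustive.
SHELL_ESCAPE_COMMANDS = {
    "vi", "vim", "view", "nano", "emacs", "ed",
    "less", "more", "man",
    "find", "awk", "gawk", "perl", "python", "python3", "ruby",
    "sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh",
}
EDITORS = {"vi", "vim", "view", "nano", "emacs", "ed"}

# user  host = (runas) [TAG:] command, [TAG:] command, ...
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?P<tag>[A-Z_]+):\s*")
NOT_USER_SPECS = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias",
                  "Runas_Alias", "@include")


def parse_user_specs(text):
    """Yield (user, runas, tags, command) for each command granted in a user
    specification. Tags such as NOEXEC: persist across the comma-separated
    command list until the opposite tag (EXEC:) cancels them."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(NOT_USER_SPECS):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        tags = set()
        for item in m.group("cmds").split(","):
            item = item.strip()
            while (t := TAG_RE.match(item)):
                tag = t.group("tag")
                opposite = tag[2:] if tag.startswith("NO") else "NO" + tag
                tags.discard(opposite)
                tags.add(tag)
                item = item[t.end():]
            if item:
                yield m.group("who"), m.group("runas") or "root", frozenset(tags), item


def audit(sudoers_text):
    """Return (user, command, reason) for every grant that hands out a root shell."""
    findings = []
    for user, runas, tags, cmd in parse_user_specs(sudoers_text):
        if cmd == "ALL":
            if user != "root":   # root ALL=(ALL) ALL is the stock line for the superuser itself
                findings.append((user, cmd, f"ALL lets {user} run any command, shells included"))
            continue
        prog = os.path.basename(cmd.split()[0])
        if prog in SHELL_ESCAPE_COMMANDS and "NOEXEC" not in tags:
            hint = ("grant sudoedit on the file instead" if prog in EDITORS
                    else "add the NOEXEC: tag or pick a narrower command")
            findings.append((user, cmd, f"{prog} can shell out to a {runas} prompt; {hint}"))
    return findings


# Constructed sample for illustration, not anyone's real /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
# alice may edit hosts and read the log ... and get a root shell from either
alice       ALL=(root) /usr/bin/vi /etc/hosts, /usr/bin/less /var/log/syslog
# bob: same grants, but NOEXEC: blocks the shell escape
bob         ALL=(root) NOEXEC: /usr/bin/vi /etc/hosts, /usr/bin/less /var/log/syslog
# carol: a narrow command with fixed arguments
carol       ALL=(root) NOPASSWD: /bin/systemctl restart nginx
# dave: the right way to let someone edit a root-owned file
dave        ALL=(root) sudoedit /etc/hosts
eve         ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{user}: {cmd!r}: {reason}")
```

Two caveats the audit cannot see. NOEXEC works by intercepting exec() in the child (a preloaded library on most platforms), so a statically linked program can still spawn a shell, and even without a shell `sudo vi` lets the user write any file as root, /etc/sudoers included; sudoedit avoids both problems by running the editor as the invoking user and copying the result back. And a command whose arguments are left open (`/bin/systemctl` rather than `/bin/systemctl restart nginx`) is usually a shell in disguise, because many tools run a pager or an interpreter on request.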
Users of lesser importance with funny names
daemon - owns unprivileged software
bin - owner of system commands
sys - owner of kernel and memory images
nobody - owner of nothing, nada, zippo, zilch
These users typically have their accounts set so they can’t be logged into. Traditionally this is done by entering a * or NP in the password field; on systems with shadow passwords the hash in /etc/shadow is replaced with * or !, and the login shell is set to something like /usr/sbin/nologin
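A check for the locked-account convention described above, as an added example that is not part of the original slides. It reads /etc/passwd- and /etc/shadow-style lines, treats the traditional * and NP markers and the shadow-era ! forms as locked, and reports system accounts that still have a usable password or a login shell, plus two things the slides’ hygiene advice implies: an empty password field, and a second account with UID 0. The UID range for ordinary users (1000 to 59999, the usual login.defs defaults), the nologin shell paths and the sample lines with their placeholder hashes are all assumptions constructed for illustration.

```python
# Assumption: shells that refuse interactive login, typical Linux paths.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Assumption: ordinary users get UIDs 1000..59999 (login.defs UID_MIN/UID_MAX
# defaults); everything else, including nobody at 65534, is a system account.
UID_MIN, UID_MAX = 1000, 60000


def password_locked(field):
    """True if this password field can never match a typed password: the
    traditional '*' / 'NP', or the shadow-era '!', '!!', '*LK*' and a hash
    prefixed with '!' (what `passwd -l` writes). An empty field is NOT locked."""
    return field in ("*", "NP", "*NP*", "*LK*") or field.startswith(("!", "*"))


def parse_passwd(text):
    """user -> (uid, password field, shell) from /etc/passwd-style lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = (int(uid), pw, shell)
    return users


def parse_shadow(text):
    """user -> password hash field (second field) from /etc/shadow-style lines."""
    return {f[0]: f[1] for f in (l.split(":") for l in text.splitlines()) if len(f) >= 2}


def audit_accounts(passwd_text, shadow_text=""):
    """Return (user, problem) for accounts that break the locked-account convention."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for user, (uid, pw, shell) in parse_passwd(passwd_text).items():
        # 'x' means the hash lives in /etc/shadow; with no shadow entry at all
        # nothing can match, so treat that as locked.
        field = shadow.get(user, "*") if pw == "x" else pw
        if field == "":
            findings.append((user, "empty password field: login without a password"))
        if uid == 0 and user != "root":
            findings.append((user, "second UID 0 account: a superuser by another name"))
        if user == "root" or UID_MIN <= uid < UID_MAX:
            continue  # human users are expected to log in
        if field != "" and not password_locked(field):
            findings.append((user, "system account has a usable password"))
        if shell not in NOLOGIN_SHELLS:
            findings.append((user, f"system account has a login shell ({shell})"))
    return findings


# Constructed sample lines; the hashes are placeholders, not real ones.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
toor:x:0:0:spare superuser:/root:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$placeholder$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
sys:*:19000:0:99999:7:::
backup:$6$placeholder$alsonotreal:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
toor:!:19000:0:99999:7:::
alice:$6$placeholder$stillnotreal:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, problem in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {problem}")
```

On the sample, daemon, bin, sys and nobody pass (locked hash, nologin shell), while backup has a real hash and /bin/sh, toor is a second root with a shell, and guest has no password at all. Run against a real system it needs root to read /etc/shadow, which is itself the point of the shadow file.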
Give Me Rootly Powers for 200, Alex
Must be configured as a SETUID program to allow non-rootly system admins to run privileged programs
The finger daemon (fingerd) is usually run as this user
It is the command used to switch to the root account by default, or to another account if a username is given as an argument