04 Accounts Permissions

7/31/2019 04 Accounts Permissions

1/27

Ti khon NSD v phn quyn

truy cp tp


2/27


3/27

Khi nim ngi s dng

NSD thng thng

Qun tr

Nhm NSD

To mt ngi s dng

Tn, Mt khu, home ca ngi s dng (/home/tn)

Nhm (mt ngi s dng c th thuc mt hoc nhiu

nhm, tuy nhin cn phi xc nh mt nhm chnh)Tt c cc thng tin v ngi s dng c lu trong file:/etc/passwd


4/27

/etc/passwd

Username:password:UID:GID:Info:Home:Shell

Username: It is used when user logs in. It should be between 1 and 32 characters in length.

Password: An x character indicates that encrypted password is stored in /etc/shadow file.

User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for rootand UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved

by system for administrative and system accounts/groups. Group ID (GID): The primary group ID (stored in /etc/group file)

User ID Info: The comment field. It allow you to add extra information about the users suchas user's full name, phone number etc. This field use by finger command.

Home directory: The absolute path to the directory the user will be in when they log in. If

this directory does not exists then users directory becomes /

Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is ashell. Please note that it does not have to be a shell.

9/5/2011 @ Ha Quoc Trung 2009 4


5/27

/etc/shadow

User:Pwd:Last pwd change :Minimum:Maximum:Warn:Inactive :Expire

User name : It is your login name

Password: It your encrypted password. The password should be minimum 6-8 characters longincluding special characters/digits

Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed

Minimum: The minimum number of days required between password changes i.e. thenumber of days left before the user is allowed to change his/her password

Maximum: The maximum number of days the password is valid (after that user is forced tochange his/her password)

Warn : The number of days before password is to expire that user is warned that his/herpassword must be changed

Inactive : The number of days after password expires that account is disabled Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when

the login may no longer be used

9/5/2011 @ Ha Quoc Trung 2009 5


6/27

Nhm ngi s dng

Mi ngi s dng c th thuc v mt hoc nhiunhm

Mt nhm = tn nhm + danh sch cc thnh vinKh nng chia s cc file gia nhng ngi s dng trong

cng mt nhm.

Danh sch cc nhm c lu tr trong file: /etc/group

root c kh nng to ra cc nhm b xung, ngoi cc nhmm h iu hnh ngm nh


7/27

/etc/group

group_name:Password:Group ID (GID): Group List group_name: It is the name of group. If you run ls -l

command, you will see this name printed in the group field. Password: Generally password is not used, hence it is

empty/blank. It can store encrypted password. This isuseful to implement privileged groups. X means passwd isstored in /etc/gshadow

Group ID (GID): Each user must be assigned a group ID. Youcan see this number in your /etc/passwd file.

Group List: It is a list of user names of users who aremembers of the group. The user names, must be separatedby commas.

9/5/2011 @ Ha Quoc Trung 2009 7


8/27

/etc/gshadow

Group name The name of the group. Used by various utility programsas a human-readable identifier for the group.

Encrypted password The encrypted password for the group. If set, non-members of the group can join the group by typing the password for thatgroup using the newgrp command. If the value of this field is !, then nouser is allowed to access the group using the newgrp command. A value of

!! is treated the same as a value of ! however, it also indicates that apassword has never been set before. If the value is null, only groupmembers can log into the group.

Group administrators Group members listed here (in a commadelimited list) can add or remove group members using the gpasswdcommand.

Group members Group members listed here (in a comma delimited list)are regular, non-administrative members of the group.

9/5/2011 @ Ha Quoc Trung 2009 8


9/27

Cng c

useradd/mod/del

passwd

groupadd/mod/del

gpasswd sg/newgrp

su

users/groups

id

9/5/2011 @ Ha Quoc Trung 2009 9


10/27

Cc quyn

Mi file lun thuc v mt ngi s dng vmt nhm xc nhNgi to ra file hoc th mc s l ngi s hu,

nhm cha ngi to ra file hoc th mc s lnhm s hu i vi file/th mc.

S phn quyn cho php xc nh r ccquyn m ngi s dng c i vi mt file

hoc mt th mc.


11/27

Quyn truy cp

r : c

Cho php hin th ni dung ca file hoc th mc

w : ghi

Cho php thay i ni dung ca fileCho php thm hoc xa cc file trong mt th mc

x : thc thi

Cho php thc thi file di dng mt chng trnh

Cho php chuyn n th mc cn truy cp


12/27

Cc nhm ngi s dng

C 3 nhm ngi s dng i vi 1 file/ th mc:

u (ngi s hu) : ngi s hu duy nht ca file

g (group) : nhng ngi s dng thuc nhm cha fileo (others) : nhng ngi s dng khc, khng phi l

ngi s hu file cng nh khng thuc nhm cha file.

Mi nhm ngi s dng s c mt tp cc quyn (r,

w, x) xc nh.


13/27

V d

$ ls -l

----rw-rw- 1 tuananh user1 16 Feb 10 19:12 test1.txt

-rw-rw-rw- 1 tuananh user1 16 Feb 10 19:12 test2.txt

drw-r--r-- 2 tuananh user1 512 Feb 10 19:14 vanban

$ whoami

tuananh

$ cat test1.txt

cat: test1.txt: Permission denied

$ cat test2.txt

Un fichier de test

$ cp test2.txt vanbancp: vanban: Permission denied


14/27

Cc lu c th thm cc file, cn phi c quyn w i vi th

mc

c th xa, thay i ni dung hoc di chuyn 1 file, ngis dng cng cn phi c quyn w i vi th mc

Vic xa mt file cn ph thuc vo quyn i vi th mccha file

bo mt cc d liu, ngi s hu file thm ch c th bc quyn c r i vi tt c mi ngi s dng khc.

hn ch qu trnh truy cp vo h thng file, ngi s dngc th b quyn thc thi (x) i vi th mc gc ca h thngfile.


15/27

Mt s quyn c bit i vi cc file thcthi

set-uid: -rws --- ---

Chng trnh c chy di quyn ca ngi s hu

set-gid: - --- rws ---

Chng trnh c chy bi cc ngi s dng thuc cngnhm vi ngi s hu

bit sticky

Chng trnh ch c cp pht b nh trong 1 ln


16/27

V d

$ ls -l /etc/passwd

-rw-rw---- 1 root root 568 Feb 10 19:12 passwd

$ ls -l /bin/passwd

-rwsrws--x 1 root root 3634 Feb 10 19:12 passwd

Khi mt ngi s dng thng thng gi lnh/bin/passwd, xem nh ngi c mn quyn root thay i mt khu

trong file /etc/passwd


17/27

Thay i quyn truy cp (1)

$chmod

set_uid set-gid sticky user group other

rwx --x --x

1 1 0 111 001 001

6 7 1 1

$ chmod 6711 test

$ ls -l test

-rws--s--x 1 tuananh user1 Mar 10 10:20 test

$ chmod 711 test

$ ls -l test

-rwx--x--x 1 tuananh user1 Mar 10 10:20 test


18/27

Thay i quyn truy nhp (2)

$chmod

u | g | o | a (all) Operation

+ (thm 1 hoc 1 s quyn vo tp cc quyn file c)

- (b 1 hoc 1 s quyn khi tp cc quyn file c)

= (gn mi 1 hoc 1 s quyn cho file) Quyn = r | w | x | s


19/27

V d

$ ls -l test.txt

-rw-rw-r-- 1 tuananh user1 150 Mar 19 19:12 test.txt

$ chmod o+w test.txt

$ ls -l test.txt-rw-rw-rw- 1 tuananh user1 150 Mar 19 19:12 test.txt

$ chmod a-rw test.txt

$ ls -l test.txt

---------- 1 tuananh user1 150 Mar 19 19:12 test.txt

$ cat test.txtcat: test.txt: Permission denied


20/27

nh ngha cc quyn ngm nh khi to ra1 file

Cc quyn ngm nh ca 1 file khi to ra c thc xc nh bng lnh umask

$umask

022S 0 c ngha l quyn ca ngi s dng khng b hn ch

(rwx)

S 2 c ngha l quyn ghi (w) b hn ch (r-w).

$umask 022


21/27

Thay i ngi s hu v nhm

$chown [-R] Thay i ngi s hu ca file

$chgrp

Thay i nhm ca fileC th s dng ty chnR lp li vic thc hin cclnh (v d thc hin vic thay i quyn s hu hocnhm ca mi file trong cng mt th mc)

Cc lnh trn ch dnh cho nhng ngi s dng cquyn root


22/27

Cc quyn c bit vi tp


Tp chng trnh c chy di quyn ca ngi s hu


Chng trnh c chy di quyn ca nhm s hu

bit sticky

Chng trnh ch c cp pht b nh trong 1 ln

9/5/2011 @ Ha Quoc Trung 2009 22


23/27

Cc quyn c bit vi th mc



Cc tp mi c to ra c nhm ch s hu l nhm cath mc

bit sticky

Ch c root v ch s hu c xa, k c khi c quyn rwx

9/5/2011 @ Ha Quoc Trung 2009 23


24/27

Sticky bit example

9/5/2011 @ Ha Quoc Trung 2009 24


25/27

Sticky bit example

9/5/2011 @ Ha Quoc Trung 2009 25


26/27

Suid bit-example

9/5/2011 @ Ha Quoc Trung 2009 26


27/27

Suid bit-example

9/5/2011 @ Ha Quoc Trung 2009 27

04 Accounts Permissions

Documents

Transcript of 04 Accounts Permissions