Unix System Administration Rootly Powers Chapter 3.

Page 1

Unix System Administration

Rootly Powers

Chapter 3

Page 2

Owners Shmoners

Every Unix file has both an owner and a group owner

Only the owner can modify permissions on a file

The owner is always a single person (actually, they can be married too)

The owner can specify which operations the group owners may perform on a file

Page 3

Where Do These “Owners” Reside?

Owners can be found in /etc/passwd

Group owners can be found either in /etc/group or by looking at the GID field of users in /etc/passwd

Page 4

Hey, Who Owns this Process? Get it off my lawn!

Kernel associates 4 numbers with each process

– real and effective UID

– real and effective GID

Normally both real and effective numbers are the same

SETUID or SETGID programs can modify them

Page 5

I Am The Superuser --Step Aside Clark Kent

UID 0

Called “root” by convention (but not required)

The superuser can modify any file, file permission or process

The superuser is all knowing, all powerful

Hail the superuser!

Page 6

Don’t Forget To Lock the Store!

Choose a good root password

– Only the first 8 characters of a password are significant

– Root password should always be eight characters

– Use a mixture of letters, numbers, symbols

Page 7

Good Password Hygiene

Change the root password every so often, especially if several people have access to it.

Try running “crack” on it for a few days

Don’t write it on a Post-It™ and stick it to your monitor

Don’t have it tattooed on your forehead

Try using “sudo” instead of giving out the root password

Page 8

How do you sudo?

Sudo is a program that allows limited root access to programs

/etc/sudoers contains users or groups of users and the programs they may run as root

Don’t give users access to programs where they can “shell out” to a Unix prompt. The shell will have root access

Page 9

Users of lesser importance with funny names

daemon - owns unprivileged software

bin - owner of system commands

sys - owner of kernel and memory images

nobody - owner of nothing, nada, zippo, zilch

These users typically have their accounts set so they can’t be logged into. This can be done by entering a * or NP in the password field
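
An added example, not part of the original slides: a small shell audit for the points made on pages 3, 5 and 9. It lists every account with UID 0 and flags the system accounts named above whose password field is not * or NP; the function names, the constructed sample lines and the handling of "x" as "look in /etc/shadow" are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit passwd-format lines (name:password:UID:GID:...) from stdin.

# Print every account whose UID is 0. Any such account is a superuser,
# whatever it is called, so a name other than "root" deserves a look.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Print the system accounts from the slide (daemon, bin, sys, nobody) whose
# password field is not one of the lock markers the slide names ("*" or "NP").
# Assumption: "x" means the real field is in /etc/shadow, so it is reported
# as "check-shadow" rather than as locked or unlocked.
unlocked_system_accounts() {
    awk -F: '
        $1 ~ /^(daemon|bin|sys|nobody)$/ {
            if ($2 == "*" || $2 == "NP") next
            if ($2 == "x") { print $1 ": check-shadow"; next }
            print $1 ": LOGIN-POSSIBLE"
        }'
}

# Constructed sample input (not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:spare admin:/root:/bin/sh
daemon:*:1:1:daemon:/:/usr/sbin/nologin
bin:NP:2:2:bin:/bin:/usr/sbin/nologin
sys::3:3:sys:/dev:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
}

echo "Accounts with UID 0:"
sample_passwd | uid0_accounts
echo "System accounts that are not locked:"
sample_passwd | unlocked_system_accounts
```

On a real host, feed /etc/passwd to uid0_accounts; on a system with shadow passwords, feed /etc/shadow to unlocked_system_accounts, since it only reads the first two fields.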

Page 10

Give Me Rootly Powers for 200 Alex

Must be configured as a SETUID program to allow non-rootly system admins to run privileged programs

The finger daemon (fingerd) is usually run as this user

It is the command used to switch to the root account by default or other accounts if a username is given as an argument