Saturday, December 24, 2016

File Permissions and Access Rights 1


File and Directory Access Reviews

In UNIX, every system resource carries read, write and execute rights for defined users and groups. The attributes stored with a file determine who can read, write and execute it.

By default, a user has all rights to the resources under his or her home directory.


A special UNIX user, 'root', has all rights over all system resources.






The "ls -l" output above shows where the owner of the file, its group and the access rights appear.

The first character on the left is the file type ("-" regular file, "l" symbolic link, "d" directory, etc.).

The next 3 characters are the access rights of the owner of the file.

The following 3 characters are the access rights of the file's group.

The last 3 characters are the access rights of everyone else ("others").

 
The * mark after a file name indicates that the file is executable by the current user. It is added by the ls program (the -F, "classify", option, which is commonly enabled on Linux).


As the examples show, there are three kinds of permission, and they always appear in the order read, write, execute.

If a letter appears in a position, the corresponding permission is granted; if a "-" appears, it is not.

When three such triplets are placed side by side, they give the permissions of the owner, the group and others, respectively.


For example:
  • "---------" means nobody has any permission on the file.
  • "r--------" means only the owner may read; the group and others have no permission on the file.
  • "rw-rw-r--" means the owner and the group may read and write, and others may only read.
  • "rwxr-xr-x" means the owner may read, write and execute, and both the group and others may read and execute.


Write permission covers both changing and deleting: a user who may write to a file can also empty or overwrite it. Note that removing (unlinking) the file itself is governed by write permission on the directory that contains it, not by the file's own bits.


Access rights of files and directories are changed with the "chmod" command.

"chmod u+x hidden_file" - gives the owner execute permission on the "hidden_file" file.

"chmod ug=rw important_file" - sets exactly read and write permission for the owner and the group of "important_file"; the permissions of others are left unchanged.

Several changes can be made at once, separated by commas (with no spaces).

"chmod ug+rw,ug-x,o-rwx bigfile" - the owner and group of "bigfile" get read and write permission, execute permission is removed from the owner and group, and others lose all permissions.


The special bits (sticky, setuid and setgid) will be discussed later.


The access rights can also be given to the chmod command as an octal number.

Use 4 for "r", 2 for "w", 1 for "x" and 0 for "-". The values are added up in groups of three, one digit for the owner, one for the group and one for others; the resulting 3-digit number is the mode.


For example:

"-rw-r-x---" means (4+2+0) + (4+0+1) + (0+0+0) = 650
"-rwx-wx--x" means (4+2+1) + (0+2+1) + (0+0+1) = 731
"-rwxrwxrwx" means (4+2+1) + (4+2+1) + (4+2+1) = 777

We can change the access rights of a file in either of the following ways (they have the same effect):

chmod a+rwx any_file.ext
chmod 777 any_file.ext

The permissions become "-rwxrwxrwx". (A bare "chmod +rwx" without the "a" is not equivalent: when no class is named, chmod leaves the bits set in the umask untouched.)
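As an added example (not code from the original post), the following POSIX shell functions convert between the symbolic string that "ls -l" prints and the octal number chmod accepts, apply a mode to a scratch file and read it back, and show the umask effect on a bare "+rwx". The function names are my own; only the r, w and x bits are handled, as in the post.

```shell
#!/bin/sh
# Added example: helpers for reasoning about rwx permission strings.
# Only r, w and x are handled; setuid, setgid and sticky are left out, as in the post.

# perm_to_octal "rw-r-x---" -> 650.  A 10-character "ls -l" string such as
# "-rwxr-xr-x" is accepted too: its leading file-type character is dropped.
perm_to_octal() {
    perms=$1
    case $perms in ??????????) perms=${perms#?} ;; esac
    result=""
    i=0
    while [ "$i" -lt 3 ]; do                      # owner, group, others
        triplet=$(printf '%s' "$perms" | cut -c"$((i*3+1))-$((i*3+3))")
        n=0
        case $triplet in r??) n=$((n+4)) ;; esac  # r = 4
        case $triplet in ?w?) n=$((n+2)) ;; esac  # w = 2
        case $triplet in ??x) n=$((n+1)) ;; esac  # x = 1
        result="$result$n"
        i=$((i+1))
    done
    printf '%s\n' "$result"
}

# octal_to_perm 731 -> "rwx-wx--x"
octal_to_perm() {
    digits=$1
    out=""
    while [ -n "$digits" ]; do
        d=${digits%"${digits#?}"}                 # first remaining digit
        digits=${digits#?}
        case $d in
            0) out="${out}---" ;;  1) out="${out}--x" ;;
            2) out="${out}-w-" ;;  3) out="${out}-wx" ;;
            4) out="${out}r--" ;;  5) out="${out}r-x" ;;
            6) out="${out}rw-" ;;  7) out="${out}rwx" ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$out"
}

# apply_and_check <mode> [umask]: chmod a scratch file with <mode> (octal or
# symbolic) and report, in octal, what "ls -l" shows afterwards.  With a umask
# given, chmod runs under that umask, which matters for a "+rwx" that names
# no class: bits set in the umask are then left untouched, so it is not 777.
apply_and_check() {
    mode=$1
    mask=${2:-}
    tmp=$(mktemp) || return 1
    if [ -n "$mask" ]; then
        ( umask "$mask"; chmod "$mode" "$tmp" )
    else
        chmod "$mode" "$tmp"
    fi || { rm -f "$tmp"; return 1; }
    shown=$(ls -l "$tmp" | cut -c1-10)
    rm -f "$tmp"
    perm_to_octal "$shown"
}

# Stand-alone demo: the post's three conversions and the umask difference.
for p in rw-r-x--- rwx-wx--x rwxrwxrwx; do
    printf '%s = %s\n' "$p" "$(perm_to_octal "$p")"
done
printf 'under umask 022: chmod +rwx gives %s, chmod a+rwx gives %s\n' \
    "$(apply_and_check +rwx 022)" "$(apply_and_check a+rwx 022)"
```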

To read my previous article: File and Directory Commands

Tuesday, December 6, 2016

File and Directory Commands


UNIX Command Format

In UNIX, a command is a single word. The words that follow the command are processed as its parameters. Example: "cd /home/user".

Options are introduced with the "-" sign. Several options can be given to a command separately, or combined after a single "-".
Example: "ls -l -a" and "ls -la" produce the same result.


GNU versions of the commands also support long options.
Example: "mail -h" and "mail --help" give the same output.


An option's parameter is given right after the option, with or without a space. For the long-style options of GNU commands, the parameter follows the option after an "=" character.

For example: "ls -w 160", "ls -w160" and "ls --width=160" are equivalent; the parameter of "-w" is "160".


The command's own parameters come after the options.
Example: in "ls -w 160 directory1 directory2" the command parameters are "directory1" and "directory2".


To run several commands one after another on a single line, separate them with ";".
Example: "configure; make; make install"


"&&" means "and": the command on the right runs only if the command on the left succeeds.
Example: ls directory && cd directory


If "ls" can list "directory", "cd directory" runs next; an attempt to enter a non-existent directory is never made.

"||" means "or": the command on the right runs only if the command on the left fails.

Example: ls directory || mkdir directory

If "ls" cannot list "directory", the directory is created with "mkdir directory". If "ls" can list it, mkdir is not attempted, because the directory already exists.

mkdir (MaKe DIRectory) creates a new directory; rmdir (ReMove DIRectory) deletes an empty directory.
The command "rm -rf directory_name" deletes a non-empty directory together with all of its contents.


When a UNIX command runs without error, the user is not told that it finished successfully. Feedback is given only when an error occurs.



On older Linux systems, running "rm -rf /" as root deletes every file on the system until nothing is left. Current rm implementations refuse to operate on "/" by default (GNU rm's --preserve-root behaviour). This should be taken as a further reminder to work as root only when necessary.
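The exit-status chaining described above, and a guarded form of "rm -rf", as an added example that is not part of the original post. Function names are my own; the guard refuses an empty path, anything that resolves to "/", and anything that is not a directory.

```shell
#!/bin/sh
# Added example: "&&" and "||" chains driven by exit status, plus a guarded
# recursive delete that refuses the arguments the post warns about.

# The post's "ls directory || mkdir directory": create only when ls fails.
ensure_dir() {
    ls "$1" >/dev/null 2>&1 || mkdir "$1"
}

# run_in_dir <dir> <command...>: run the command only if "cd" succeeded.
# The subshell keeps the caller's working directory unchanged.
run_in_dir() {
    dir=$1
    shift
    ( cd "$dir" 2>/dev/null && "$@" )
}

# safe_remove_tree <dir>: "rm -rf" with three guards.  An empty argument is
# refused because rm -rf "$dir"/ with an unset variable becomes rm -rf /;
# anything that resolves to the root directory is refused; and anything that
# is not a directory (cd fails) is refused.
safe_remove_tree() {
    target=$1
    if [ -z "$target" ]; then
        echo "safe_remove_tree: empty path refused" >&2
        return 2
    fi
    resolved=$(cd "$target" 2>/dev/null && pwd -P) || {
        echo "safe_remove_tree: not a directory: $target" >&2
        return 1
    }
    if [ "$resolved" = / ]; then
        echo "safe_remove_tree: refusing to remove /" >&2
        return 2
    fi
    rm -rf -- "${target:?}"        # ":?" aborts the script if target is empty
}

# Stand-alone demo: each step runs only if the previous one succeeded.
scratch=$(mktemp -d) && ensure_dir "$scratch/project" &&
    run_in_dir "$scratch/project" touch README &&
    safe_remove_tree "$scratch" && echo "chain completed"
```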

Some useful commands combined with parameters:

touch <file_name>: creates a file named "file_name"; if it already exists, its modification time is updated.

rm <file_name>: deletes the file named "file_name".

rm -f <file_name>: deletes the file named "file_name" without asking for confirmation.

rm -i <file_name>: deletes the file named "file_name", asking for confirmation first.

rm -r <directory_name>: deletes the directory and all of its contents recursively.

rm -rf <directory_name>: deletes the directory and all of its contents recursively without asking for confirmation.

In UNIX there is no file extension in the Windows sense. A file name may contain more than one dot ("."), which is often used to make the name more descriptive, but the parts separated by dots carry no information about the format of the file.

For this reason, a file whose name ends in ".txt" may just as well be an executable or an image file.


Copy, Move and File Commands


The cp command copies files and directories. Common forms of use are:

cp <source> <target>: copies the file/directory given as "source" to the destination given as "target".

cp -r <source> <target>: copies the source directory and all files and directories under it to the target directory. If target does not exist, it is created.

cp -r -p <source> <target>: as above, and additionally preserves the access rights (together with ownership and timestamps) of the copied files and directories.

mv <source> <target>: moves the file/directory given as "source" to the location given as "target". The same command renames a file or directory (mv <old_file_name> <new_file_name>).

An existing file can be overwritten by cp and mv, which in some cases causes unwanted loss of information. Both commands accept "-i" to ask before overwriting.

The file command reports the type of a file. Example:





Pattern Matching

In UNIX, pattern matching is a very useful and powerful feature that makes many operations much easier.

* - matches any string of characters, including the empty string.


? - matches exactly one character.

[] - matches one character from the set or range given inside the brackets.

ls page* - lists all files/directories whose name starts with "page".

ls page?.txt - lists all files/directories whose name starts with "page", is followed by exactly one character, and ends with ".txt".
ls page??.txt - lists all files/directories whose name starts with "page", is followed by exactly two characters, and ends with ".txt".

ls page?[0-2].txt - lists all files/directories whose name starts with "page", is followed by any one character, then one of the digits 0, 1 or 2, and ends with ".txt".

ls page*[13579].txt - lists all files/directories whose name starts with "page", is followed by any characters, then a single odd digit, and ends with ".txt".


Example Usage of the "find" Command

find /usr/include -name "stdio.h": searches for the file named "stdio.h" in the directory "/usr/include" and all directories under it.

find /home -name "*.[Ii][Ss][Oo]": searches all directories under /home for files ending in .iso, .ISO, .iSo and every other upper/lower-case spelling of the extension.


find / -type l: searches for symbolic links, starting from the root directory.


find /home/user -user root: searches for files owned by the root user in all directories under /home/user.


find /home -uid 500: searches for files owned by the user with user id 500 in all directories under /home.


find /home -size +2048M: searches for files larger than 2 GB in /home and all directories under it.


find /home -size +10240k: searches for files larger than 10 MB in /home and all directories under it.


find / -type f -mmin -90: searches for regular files modified within the last 90 minutes.

find / -type f -mmin +90: searches for regular files modified more than 90 minutes ago.
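As an added example (not from the original post), the script below builds a small throwaway tree with made-up file names and runs the post's glob and find patterns over it, so the counts can be checked. The helper names are my own; the tree is created under mktemp -d and removed afterwards.

```shell
#!/bin/sh
# Added example: a throwaway tree with made-up names, and counters for the
# glob and find patterns in the post.

make_sample_tree() {
    d=$1
    mkdir -p "$d/sub" || return 1
    for f in page1.txt page2.txt pageA.txt page12.txt page13.txt \
             pages.html backup.iso sub/image.ISO readme.md; do
        printf 'sample\n' > "$d/$f"
    done
    ln -s page1.txt "$d/link_to_page1"                                # a symbolic link
    dd if=/dev/zero of="$d/sub/big.bin" bs=1024 count=20 2>/dev/null  # 20 KiB file
    touch -t 200001010000 "$d/readme.md"                              # old modification time
}

# count_glob <dir> <pattern>: how many names in <dir> the shell pattern
# matches.  The caller quotes the pattern; it is expanded here, inside the
# target directory, so the caller's own files never leak into the result.
count_glob() {
    dir=$1
    pattern=$2
    (
        cd "$dir" || exit 1
        set -- $pattern                 # unquoted on purpose: expand the glob
        if [ -e "$1" ]; then echo "$#"; else echo 0; fi
    )
}

# find_count <dir> <find tests...>: how many entries find reports.  A -name
# pattern must reach find quoted, so that find rather than the shell matches it.
find_count() {
    find "$@" | awk 'END { print NR }'
}

# Stand-alone demo over a scratch tree.
tree=$(mktemp -d) && make_sample_tree "$tree" && {
    for p in 'page*' 'page?.txt' 'page??.txt' 'page?[0-2].txt' 'page*[13579].txt'; do
        printf '%-18s %s match(es)\n' "$p" "$(count_glob "$tree" "$p")"
    done
    printf 'iso files (any case): %s\n' "$(find_count "$tree" -name '*.[Ii][Ss][Oo]')"
    printf 'symbolic links: %s\n' "$(find_count "$tree" -type l)"
    printf 'files larger than 10 KiB: %s\n' "$(find_count "$tree" -type f -size +10k)"
    printf 'modified more than 90 minutes ago: %s\n' "$(find_count "$tree" -type f -mmin +90)"
    rm -rf -- "$tree"
}
```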

To read my previous article: Change of Active Identity and PAM

Sunday, December 4, 2016

Change of Active Identity and PAM


Commands to Change the Active Identity

  • The su command is used to become another user during a login session. Invoked without a username, su defaults to becoming the superuser. The optional argument - may be used to provide an environment similar to what the user would expect had the user logged in directly.
  • The sudo command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
  • visudo edits the sudoers file in a safe fashion. visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors.  If the sudoers file is currently being edited you will receive a message to try again later.

PAM (Pluggable Authentication Module)

In the early days of Linux, when a program such as su, passwd or login wanted to authenticate a user, it simply read the necessary information from the /etc/passwd file. Editing /etc/passwd was enough to change a user's password. This simple but inadequate method caused problems for system administrators and application developers alike.






MD5 hashes and shadow passwords became popular, and it became clear that every program needing user authentication had to know how to obtain the right information. Changing the authentication mechanism meant recompiling all of those programs.

PAM removed this complexity, along with the security weaknesses it invited, and made programmers' lives easier: programs authenticate users transparently, independently of how the user information is stored.

Today, software that requires user authentication can authenticate users through PAM without knowing anything about the underlying authentication mechanism.

With PAM, users can be verified not only against "/etc/passwd" but also against a database, a directory server, a fingerprint reader and so on. UNIX is therefore very flexible in its user authentication mechanism and can be integrated with many different authentication systems.

Any software that uses the PAM application interface benefits from this flexibility. There are many PAM modules for Linux, including modules for RADIUS, LDAP, smart cards and X.509 certificates.

PAM Configurations

The PAM configuration files are located in the /etc/pam.d/ directory. Although the files included in this directory vary according to the services and applications running on your system, you will see a file in this directory for each program that needs user authentication in your system. Each file in this directory contains the PAM authentication configuration for the respective program.


The configuration files have the following syntax:
type control module-path module-arguments



  • type: which type of authentication to perform: account, auth, password or session
  • control: what to do if the module fails: requisite, required, sufficient or optional
  • module-path: which module to use and where to find it
  • module-arguments: parameters passed to the module
The type attribute tells PAM what kind of check this module performs. PAM defines four types:
  • account: determines whether the user is allowed to access the service, for example whether the password has expired.
  • auth: checks that the user is who he or she claims to be, usually by means of a password.
  • password: provides the mechanism for the user to change the password used for authentication.
  • session: what to do after the user has been authenticated and/or before the session ends, such as mounting or unmounting the user's home directory, recording logins and logouts, and restricting the services the user may use.

In the configuration file for login we see at least one entry for each type; all of them are present because login sits above the whole user setup. Customized services need not use all four.

Control tells PAM what to do when a module fails. PAM recognizes four values:
  • requisite: if this module fails, authentication is rejected immediately.
  • required: PAM continues to call the other modules listed for this service before rejecting, but a failure still results in denial.
  • sufficient: if this module succeeds, PAM accepts the authentication without consulting the remaining modules (in Linux-PAM this holds only when no earlier required module has already failed).
  • optional: the success or failure of this module matters only if it is the only module of its type for the service.
Module-path tells PAM which module to use and where to find it.
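As an added example (not from the original post), a small checker for the four-field line format above, run over a constructed sample in the style of an /etc/pam.d service file. It accepts only the four type and four control keywords the post names; real Linux-PAM also allows "[value=action ...]" controls and include lines, which this checker would flag. Function names and the sample lines are my own.

```shell
#!/bin/sh
# Added example: validate and summarise "type control module-path module-arguments"
# lines.  Only the four type and four control keywords from the post are accepted.

# Constructed sample, not copied from any real system.
PAM_GOOD='# constructed sample in the style of an /etc/pam.d service file
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
password   requisite    pam_pwquality.so retry=3
password   sufficient   pam_unix.so sha512 shadow use_authtok
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so'

# The same sample with a misspelled control and a line missing its module.
PAM_BAD="$PAM_GOOD
auth       requird      pam_foo.so
sesion     required"

# pam_validate < file: one message per bad line on stdout; exit 1 if any.
pam_validate() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comment or blank line
        NF < 3 {
            printf "line %d: expected \"type control module-path\"\n", NR
            bad++; next
        }
        $1 !~ /^(account|auth|password|session)$/ {
            printf "line %d: unknown type \"%s\"\n", NR, $1; bad++
        }
        $2 !~ /^(requisite|required|sufficient|optional)$/ {
            printf "line %d: unknown control \"%s\"\n", NR, $2; bad++
        }
        $3 !~ /\.so$/ {
            printf "line %d: module-path \"%s\" does not end in .so\n", NR, $3; bad++
        }
        END { exit (bad > 0) }
    '
}

# pam_stack <type> < file: the ordered module stack PAM walks for one type,
# printed as "control module", which is what a reviewer reads top to bottom.
pam_stack() {
    awk -v want="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == want && NF >= 3 { print $2, $3 }
    '
}

# Stand-alone demo.
if printf '%s\n' "$PAM_GOOD" | pam_validate; then echo "good sample: no problems"; fi
printf '%s\n' "$PAM_BAD" | pam_validate || echo "bad sample rejected"
echo "auth stack of the good sample:"
printf '%s\n' "$PAM_GOOD" | pam_stack auth
```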


To read my previous article: Monitoring of Work

 

Monitoring of Work


The groupadd command creates a new group and the groupdel command deletes an existing group.

The gpasswd command adds a user to, or removes a user from, a particular group.

  • "gpasswd -a <user> <group>" adds the user to the group
  • "gpasswd -d <user> <group>" removes the user from the group
Although a user may be a member of several groups, he or she works as a member of only one group at a time.


The user can query the active user and group IDs with the id and groups programs.


The newgrp program is used to change the active group.
  • id - prints the real and effective user and group IDs
  • groups - prints the groups a user is a member of
  • newgrp <newgroup> - changes the active group to another group the user is a member of
  • newgrp - (without an argument) switches the active group back to the user's primary group
Users operate as a member of only one group at any given time.

So the user can inspect the working user and group identity with id, and change the active group membership with newgrp.


As stated earlier, UNIX is a multi-user system. There are several commands for seeing which other users are actively using the system at a given time.





who - lists the users logged in to the system, along with their login times.

w - lists the users logged in to the system and the programs they are running.

whoami - prints the user name you are currently working as.



In all of these outputs, "pts" means pseudo terminal (virtual terminal): the user is not on a directly cable-connected terminal. pts/0 is the first pseudo terminal and pts/1 the second.

Password and shell change

The user changes his or her password with the "passwd" program. If the new password is not complex enough, "passwd" warns the user. For security reasons, the old password is asked for once and the new password twice.

The user changes his or her login shell with the "chsh" program. The list of available shells is kept in the file "/etc/shells", and "chsh" only allows shells listed there. The user is asked for the password before the shell is changed.

To read my previous article: User Concept and User Groups

Friday, December 2, 2016

User Concept and User Groups


The UNIX operating system is a multi-user operating system. Every real person who uses the system has a "user account" and a "user ID" defined on it. The user ID is used for authorization (who may perform which operation) and for accounting (who did what, and when).

Users log in to UNIX systems with their username and password. The operating system asks the user requesting login for both, checks them against the user authentication system, and confirms or rejects the login.

Each user has a user number (user ID, uid) assigned by the operating system. Every action on the system is tracked by this number. When a user is created, the number is chosen automatically unless the system administrator specifies one.

Access control for files, directories and devices is based on the user number. In UNIX every resource has an owner, and ownership information is recorded as user numbers.

"root" User





'root' is the most privileged user of the system and the owner of all system files.

The 'root' user has all rights over the files and directories of the system. You should never stay logged in as 'root', because accidental changes cannot be undone. When root privileges are needed during work, obtain them with the command su - (switch user) by entering the root password.

The user number of 'root' is 0. It is enough to change a registered user's number to 0 in the /etc/passwd file for that user to have the same rights as root; such a user then has full control of the system without using 'su'.

There are also a number of special users, other than root, under which system services run. Their login shell is set to /sbin/nologin, so it is not possible to log in as them with a username and password.

User Groups

UNIX has user groups, and UNIX users are members of these groups. Groups are identified by a group ID (gid), much as users are identified by a user ID. Resources carry group access rights as well, so access to a resource can also be granted on a group basis.

The group ID recorded for each user in the /etc/passwd file is the user's primary group.

Users can also be members of groups other than their primary group. These additional memberships are kept in the /etc/group file.

Group information is kept in the /etc/group file. Each line of /etc/group has the following format:

group_name:group_password:gid:user1,user2,user3

The last field on the line is the list of the group's members, "user1,user2,user3".
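As an added example (not from the original post), the functions below read the /etc/passwd and /etc/group formats described above from two constructed sample files (not copied from any real system), one of which contains a second uid 0 account of the kind the post warns about. Function names are my own.

```shell
#!/bin/sh
# Added example: reading the passwd and group formats from the post and
# answering the questions an administrator asks of them.

# Constructed samples, not copied from any real system.  "helper" is a
# planted non-root account with uid 0.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
helper:x:0:0:planted:/home/helper:/bin/bash
svc_web:x:110:110::/var/www:/sbin/nologin'

GROUP_SAMPLE='root:x:0:
alice:x:1000:
bob:x:1001:
wheel:x:10:alice
developers:x:500:alice,bob
www:x:110:svc_web'

# uid0_accounts <passwd-file>: every account the kernel treats as root.
# Anything other than "root" here deserves an explanation.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# login_capable <passwd-file>: accounts whose shell is not nologin/false,
# i.e. the ones that can actually start a session with a password.
login_capable() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# groups_of <user> <passwd-file> <group-file>: the primary group (from the
# gid in passwd) followed by every group whose member list names the user.
groups_of() {
    awk -F: -v user="$1" -v gid=-1 '
        FNR == NR { if ($1 == user) gid = $3; next }    # first file: passwd
        $3 == gid { print $1; next }                     # primary group
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == user) print $1
        }' "$2" "$3"
}

# members_of <group> <passwd-file> <group-file>: users named in the group
# line plus users whose primary gid is this group (passwd does not repeat
# them in the member list), without duplicates.
members_of() {
    awk -F: -v grp="$1" '
        FNR == NR { primary[$4] = primary[$4] $1 ","; next }   # passwd: gid -> users
        $1 == grp {
            n = split(primary[$3] $4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && !(m[i] in seen)) { seen[m[i]] = 1; print m[i] }
        }' "$2" "$3"
}

# Stand-alone demo on the samples written to a scratch directory.
demo=$(mktemp -d) && {
    printf '%s\n' "$PASSWD_SAMPLE" > "$demo/passwd"
    printf '%s\n' "$GROUP_SAMPLE" > "$demo/group"
    echo "accounts with uid 0:"; uid0_accounts "$demo/passwd"
    echo "accounts that can log in:"; login_capable "$demo/passwd"
    echo "groups of alice:"; groups_of alice "$demo/passwd" "$demo/group"
    echo "members of developers:"; members_of developers "$demo/passwd" "$demo/group"
    rm -rf -- "$demo"
}
```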

To read my previous article: Manual Pages and Communication Commands
 

Thursday, December 1, 2016

Manual Pages and Communication Commands


Online Manual Pages

The online manual pages are installed with every UNIX variant unless explicitly deselected. They are usually located under the /usr/share/man/ directory and are called up with "man <command_name>".

While reading a manual page you can use 'F' to go forward one page, 'B' to go back one page, 'Return' to read line by line, and 'Q' to quit the pager.

Several manual pages may exist for one keyword. For example, there is a page for "time" in both section 1 and section 2. In such cases man shows the first one it finds (or both in turn). To choose a specific page, give the section number before the keyword, as in "man 2 time".

Communication Commands

The "mesg y" command accepts messages from other users. The "mesg n" command closes the message channel: after it, no message from other users on the system is accepted.

With the "write user_name" command, a message can be sent to a user who is logged in to the system at that moment. To reach a user who is not logged in, send e-mail with the command "mail user_name".

After the "write user_name" command is issued, the message to be sent can be typed. The "Ctrl + D" key combination ends the message.

With the "wall" command, a message can be sent to all users who are logged in to the system at that moment.

After the "wall" command is issued, the message to be sent can be typed. The "Ctrl + D" key combination ends the message.

/etc/motd

When users log on, the "/etc/motd" file is displayed. By submitting announcement messages to this file, you can make sure everyone who logs in to the system can see the message (motd = Message Of The Day).

To read my previous article: Interaction with Linux - Shells
 

Interaction with Linux: Shells


The shell is the interface between the user and the operating system kernel. The user passes all commands to the operating system through the shell.

The shell program receives the user's commands and passes them to the operating system. A mouse-driven graphical interface can also serve as the shell program; the essential task is to let the user express what he or she wants.

Under UNIX there are many different shell programs for general and special purposes. Bash, ksh and csh are among the more common general-purpose shells. The main difference between them is their syntax; in that sense the shells let the user communicate with the system in different languages.

Each user may be using a different shell program. User shells are defined in the /etc/passwd file. 

The most commonly used shell program under Linux is Bash (Bourne Again Shell). This shell, which is preferred due to its advanced features and ease of use, will be examined in more detail as a separate article.

Login and Logout to the System

A computer system running a UNIX operating system can be accessed from the computer's own keyboard and screen, or, if the system provides telnet and/or ssh services, over the network (ssh is preferred, since telnet sends passwords in clear text).

Once logged in, the shell greets the user and prompts for commands; the commands the user issues are executed through the shell.

There is no difference between local and remote access to a UNIX system: everything that can be done locally and does not require physical action (such as pressing the power button of a system that is shut down) can also be done remotely.

Users must tell the system when they are finished; otherwise their sessions stay open. The exit or logout command ends the session.

New versions of many Linux distributions, if installed with graphical interface support, can meet the user with a graphical user interface rather than text mode.

System Access and Virtual Consoles

On UNIX systems, the system-connected keyboard and display are called "consoles". Each UNIX system has only one console.

Under Linux, "virtual consoles" make it easier to work at the console: they provide several independent sessions on the same keyboard and screen (and even across several screens). Red Hat Linux, for example, comes with six virtual consoles predefined.

In Linux, the Alt + Fx key combination switches between virtual consoles: Alt + F1 goes to the first virtual console, Alt + F3 to the third.

On a Linux system running the X Window System, the Ctrl + Alt + Fx key combination is used instead: Ctrl + Alt + F1 goes to the first virtual console, Ctrl + Alt + F3 to the third.

Use the Alt + F7 key combination to return to the X Window System from a virtual console.
 
 
 


To read my previous article: File Hierarchy and Home Directory

