Understanding sssd: · Web viewThis example shows the part of the configuration that was written to...


MOBILE ITnTSolutions, LLC.

Linux Systems Administrator Program

Class Notes:

“Working with Users, Groups, and Permissions” Part IV


Working with Users, Groups, and Permissions – Part IV

Understanding the Authentication Process
• When a user authenticates to your server, the local user database as defined in the files /etc/passwd and /etc/shadow is used in a default configuration

• If you've used one of the tools described in the previous section to configure authentication against an external authentication server, the sssd service is involved as well.

• Apart from sssd, PAM and /etc/nsswitch.conf also play a role
• You will learn how these are used in the upcoming sections

Understanding sssd:
• The sssd service provides information about all available authentication sources, and it is also capable of providing offline authentication

• This means that if you're on a laptop that is temporarily disconnected from the network, you can still authenticate against the external authentication service using the "sssd" cache

• Using "sssd" doesn't require much information
o The configuration parameters specified are written to the configuration file "/etc/sssd/sssd.conf"


LDAP authentication parameters in /etc/sssd/sssd.conf

• This example shows the part of the configuration that was written to this file when LDAP authentication was enabled

• You won't need to modify the "sssd" configuration manually very often

• But if you do, don't forget to restart the "sssd" service after this modification; otherwise, it won't work!
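The LDAP part of /etc/sssd/sssd.conf that this section refers to is not reproduced in the notes; the shell example below is an added one (not the class notes' own configuration) that writes such a fragment with the file permissions sssd insists on and with credential caching switched on for the offline logins described above. The server name ldap.example.com and the search base dc=example,dc=com are placeholders.

```shell
#!/bin/sh
# Constructed example (not from the class notes): write the LDAP domain part
# of sssd.conf, lock the file down, and restart the service afterwards.
# sssd refuses to start unless sssd.conf is owned by root with mode 0600.

# write_sssd_ldap_conf FILE LDAP_URI SEARCH_BASE
write_sssd_ldap_conf() {
    f=$1; uri=$2; base=$3
    (
        umask 077                  # never create the file world-readable
        cat > "$f" <<EOF
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = $uri
ldap_search_base = $base
ldap_tls_reqcert = demand
cache_credentials = True
EOF
    )
    chmod 0600 "$f"
}

# sssd_conf_mode FILE -> octal mode such as 600 (assumes GNU/Linux stat)
sssd_conf_mode() {
    stat -c '%a' "$1"
}

# sssd_caches_credentials FILE -> exit 0 when offline logins are possible
sssd_caches_credentials() {
    grep -qi '^cache_credentials *= *true' "$1"
}

# restart_sssd: required after any edit, otherwise the change is not used
restart_sssd() {
    systemctl restart sssd
}

# Demonstration on a temporary file; the real path is /etc/sssd/sssd.conf
tmp=$(mktemp)
write_sssd_ldap_conf "$tmp" "ldaps://ldap.example.com" "dc=example,dc=com"
cat "$tmp"
echo "mode: $(sssd_conf_mode "$tmp")"    # -> mode: 600
rm -f "$tmp"
```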

Understanding nsswitch
• The "/etc/nsswitch.conf" file is used to determine where different services on a computer are looking for configuration information

• The different sources of information are specified in this file


Specifying sources of information in /etc/nsswitch.conf

• The example provides an overview of the most relevant parameters used in this file

• The passwd and shadow lines are relevant for authentication.
o They specify that the local files are always checked first, prior to the authentication mechanism that is offered through "sssd"
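The nsswitch.conf example the notes refer to is not reproduced here; the shell example below is an added one (not from the class notes) that reads the lookup order of a database from a constructed nsswitch.conf-style file and checks that local files come before sss, which is the ordering the notes describe for passwd and shadow.

```shell
#!/bin/sh
# Constructed example (not from the class notes): extract the lookup order
# for one database from an nsswitch.conf-style file and confirm that local
# files are consulted before the sss source.

# Constructed sample of the relevant /etc/nsswitch.conf lines
NSSWITCH_SAMPLE='# comment lines and blanks are ignored
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
'

# lookup_order FILE DB -> the sources listed for DB, in order, e.g. "files sss"
lookup_order() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*//' | head -n 1
}

# files_before_sss FILE DB -> exit 0 if "files" is listed before "sss"
files_before_sss() {
    order=$(lookup_order "$1" "$2")
    pos=0; files_pos=0; sss_pos=0
    for src in $order; do
        pos=$((pos + 1))
        [ "$src" = files ] && [ $files_pos -eq 0 ] && files_pos=$pos
        [ "$src" = sss ] && [ $sss_pos -eq 0 ] && sss_pos=$pos
    done
    [ $files_pos -gt 0 ] && [ $sss_pos -gt 0 ] && [ $files_pos -lt $sss_pos ]
}

# Demonstration on a temporary copy of the constructed sample
tmp=$(mktemp)
printf '%s' "$NSSWITCH_SAMPLE" > "$tmp"
for db in passwd shadow; do
    echo "$db: $(lookup_order "$tmp" "$db")"      # -> files sss
    files_before_sss "$tmp" "$db" && echo "$db: local files are checked first"
done
rm -f "$tmp"
```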

Understanding Pluggable Authentication Modules (PAM)
• On Linux, PAM is what is used to make authentication pluggable
• Every modern service that needs to handle authentication passes through PAM
• There are 2 parts in PAM:
o 1st, there are the configuration files in use
o Every service has its own configuration file in the directory "/etc/pam.d"


The PAM file for login defines how to handle login:

• The login service uses the configuration file "/etc/pam.d/login" (shown below)

o In this sample PAM file, you can see that 3 columns are used to define what should happen

o 1st column: the authentication process is split into 4 different phases: auth, account, password, and session

• These are the stages that are typically passed through in the authentication process, but in the end, the writer of the PAM module decides which of these to implement

o A PAM module is called on each line in a PAM configuration file. The PAM module defines exactly what should happen while authenticating.

• For example: if you need the authentication procedure to use an LDAP server, you can include the "pam_ldap.so" module that tells the service how to contact LDAP

• The 2nd column specifies how this PAM module should be handled.

o To use PAM, it is important to know which modules are available and what exactly is the purpose of each of these modules

• You can find out all this information in the Linux-PAM_SAG.txt file in the directory /usr/share/doc/pam<version> (show file in Linux)

• This file contains an extensive description of all the default PAM modules

• As you can see, the "/etc/pam.d/login" file includes some common parameters that are found in "/etc/pam.d/system-auth" (show file in Linux)

• This file contains generic parameters that should be included by other services that are related to authentication, such as the PAM files for su and sudo

• The general system-auth file is useful for configuration that needs to be included by many programs.

• Imagine that you want to have your server authenticate through LDAP: just put a line in "/etc/pam.d/system-auth" that calls the LDAP module, and it will be included by all login-related services, such as login, passwd, su, and many more.
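The login and system-auth files the notes show in class are not reproduced here; the shell example below is an added one (not the class notes' actual files) with two constructed PAM files in the three-column layout described above, plus a function that expands the "include" lines so you can see which modules the login service actually runs for one phase, and why a module added to system-auth reaches every service that includes it.

```shell
#!/bin/sh
# Constructed example (not from the class notes): a minimal /etc/pam.d/login
# and /etc/pam.d/system-auth (type, control, module [arguments]) and a
# function that expands "include" lines into the effective module stack.
# Both files are made up for the demonstration.

PAM_LOGIN='auth       required     pam_securetty.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
'
PAM_SYSTEM_AUTH='auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       sufficient   pam_sss.so use_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
account    sufficient   pam_sss.so
password   sufficient   pam_unix.so sha512 shadow
session    required     pam_unix.so
'

# pam_stack DIR SERVICE TYPE -> one "control module [args]" line per module
# run for TYPE (auth, account, password or session) in SERVICE, with every
# "include" line replaced by the matching lines of the included file
pam_stack() {
    while read -r t control module rest; do
        case $t in ''|'#'*) continue ;; esac     # skip blanks and comments
        [ "$t" = "$3" ] || continue              # keep only the wanted phase
        if [ "$control" = include ]; then
            pam_stack "$1" "$module" "$3"
        else
            echo "$control $module $rest" | sed 's/ *$//'
        fi
    done < "$1/$2"
}

# Build both files in a temporary directory standing in for /etc/pam.d
pamdir=$(mktemp -d)
printf '%s' "$PAM_LOGIN" > "$pamdir/login"
printf '%s' "$PAM_SYSTEM_AUTH" > "$pamdir/system-auth"
echo "effective auth stack for login:"
pam_stack "$pamdir" login auth
rm -rf "$pamdir"
```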

Exercise: Configuring PAM

Managing Permissions:
• So far, you learned how to create users and groups.
• Now, you'll learn how to apply permissions to these users and groups

Understanding the Role of Ownership:
• File and directory ownership is vital for working with permissions.

Displaying Ownership:
• Every file and directory has an owner on Linux
• To determine whether you, as a user, have permissions to a file or a directory, the kernel checks ownership
o 1st it will see whether you are the user owner, which is also referred to as the user of the file
o If you are the user, you will get the permissions that are set for the user, and the shell looks no further
o If you are not the user owner, the shell will check whether you are a member of the group owner, which is also referred to as the group of the file

• If you are a member of the group, you will get access to the file with the permissions of the group, and the shell looks no further

o If you are neither the user owner nor the group owner, you'll get the permissions of others

• To see current ownership assignments, you can use the "ls -l" command
o This command shows the user as well as the group owner

• The example below shows the ownership settings for directories in the directory "/home" on a system that uses the public group approach, where all users are members of the same group called users

• Occasionally , it may be useful to get a list of all files that have a given user or group as owner

o To do so, use the "find" command with the argument "-user"

o For example: the command "find / -user linda" shows all files that have user linda as their owner

o Likewise, the command "find / -group users" searches all files that are owned by the group users.

Changing User Ownership:
• When working with permissions, it is important to know how to change them
• The chown command is used to do this
• The syntax of this command is easy to understand: "chown who what"
o Example: chown linda account (would change ownership for the file account to user linda)
• The chown command has one important option: -R
o -R allows you to set ownership recursively
o In other words, it allows you to set ownership of the current directory and everything below it
o For example: chown -R linda /home (changes ownership for the directory /home and everything beneath it to user linda)

Changing Group Ownership:
• There are 2 ways to change group ownership
o You can do it using "chown"
o Or the chgrp command

• If you want to use the "chown" command, use a : in front of the group name. Example: chown :account /home/account (would change the group owner of directory "/home/account" to group account)

• You can also use the chgrp command for the same purpose. For example: chgrp account /home/account can be used to set group ownership for the directory /home/account to the group account

• As is the case for "chown", you use the option -R with "chgrp" to change group ownership recursively

Default Ownership:
• When a user creates a file, default ownership is applied
• The user who creates the file will automatically become user owner, and the primary group automatically becomes group owner

o This will normally be the group that is set in the /etc/passwd file as the user’s primary group

o If, however, the user is a member of more groups, they can change the effective primary group

o To show the current effective primary group, a user can use the “groups” command as follows:

# groups

o One way to change default group ownership for new files is to change the primary group

o For example, if the current user “linda” wants to change the effective primary group, she can use the “newgrp” command followed by the name of the group she wants to set as the new effective primary group


After changing the effective primary group, all new files that the user creates will have this group as their group owner

o To return to the original primary group setting, use “exit”

o This will bring you back to the previous effective primary group setting

o Show example

Understanding Read, Write, and Execute Permissions:

3 basic permissions allow you to read, write and execute files

The effect of these permissions is different if applied to files vs. directories

If applied to a file, the read permission gives you the right to open the file for reading

o That means you can read its contents, and it also means your computer can open the file to do something with it

If applied to a directory, read permission allows you to list the contents of that directory

o This permission doesn’t allow you to read files in the directory

o The Linux permission system does not know about inheritance and the only way to read a file is by using the read permission on that file

To open a file for reading, however, you do need read permission for the directory, because you wouldn’t see the file otherwise


If applied to a file, the write permission allows you to write to that file; stated otherwise, write permission allows you to modify the contents of existing files

o It does not, however, allow you to create or delete new files

o To do that, you need write permission on the directory where you want to create the file

In directories, this permission also allows you to create and remove new subdirectories and files, but you need “execute” as well to descend into the directory

o “execute” permission is required to execute a file. It is never set by default, which makes Linux almost completely immune to viruses

o Only someone with administrative rights to a directory will be capable of applying the execute permission

o Typically this would be the user root
o However, a user who is owner of a directory also has the right to change permissions in that directory
o While the execute permission on files means you are allowed to run a program file, when applied to a directory, it indicates that the user can use the “cd” command to go to that directory

o This means that “execute” is an important permission for directories, and you will see that it is normally applied as the default permission to them

Without it, there is no way to change to a particular directory or create files in that directory
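The shell example below is an added one (not from the class notes) that puts the two rules above into working code: the "Displaying Ownership" order (user owner first, then group owner, then others, and the shell looks no further) and the different meaning of r, w and x on files versus directories from this section. The users, groups and modes in it are made up.

```shell
#!/bin/sh
# Constructed example (not from the class notes): decide whether an action on
# a file or directory is permitted. The permission class is chosen first
# (user owner, then group owner, then others; the first match wins), then
# that class's rwx bits are read with file and directory meanings kept
# apart. All names and modes are made up for the demonstration.

# perm_class USER "GROUP ..." OWNER GROUP -> user | group | other
perm_class() {
    [ "$1" = "$3" ] && { echo user; return; }
    for g in $2; do [ "$g" = "$4" ] && { echo group; return; }; done
    echo other
}

# class_digit MODE CLASS -> the octal digit of MODE (e.g. 750) for CLASS
class_digit() {
    case $2 in
        user)  printf '%s' "$1" | cut -c1 ;;
        group) printf '%s' "$1" | cut -c2 ;;
        other) printf '%s' "$1" | cut -c3 ;;
    esac
}

# allowed USER "GROUP ..." OWNER GROUP MODE KIND ACTION -> exit 0 if allowed
#   KIND is file or dir; ACTION is read, write or exec for a file and
#   list, enter or create for a directory
allowed() {
    d=$(class_digit "$5" "$(perm_class "$1" "$2" "$3" "$4")")
    r=$((d & 4)); w=$((d & 2)); x=$((d & 1))
    case "$6:$7" in
        file:read)  [ $r -ne 0 ] ;;
        file:write) [ $w -ne 0 ] ;;
        file:exec)  [ $x -ne 0 ] ;;
        dir:list)   [ $r -ne 0 ] ;;                 # r: see the names only
        dir:enter)  [ $x -ne 0 ] ;;                 # x: cd into it
        dir:create) [ $w -ne 0 ] && [ $x -ne 0 ] ;; # w, plus x to descend
        *) echo "unknown $6:$7" >&2; return 2 ;;
    esac
}

# Note the last two checks: linda owns the directory and is in group users,
# but only the user digit (4) counts, so she can list but not create.
allowed lisa  users linda users 640 file read   && echo "lisa can read"
allowed lisa  users linda users 640 file write  || echo "lisa cannot write"
allowed linda users linda users 476 dir  list   && echo "linda can list"
allowed linda users linda users 476 dir  create || echo "linda cannot create"
```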


Applying Read, Write, and Execute Permissions:
Use the “chmod” command to apply permissions
When using “chmod”, you can set permissions for user, group, and others
You can use this command in two modes:

o Symbolic (a.k.a. the relative notation)
o Octal (a.k.a. the absolute notation)

In the octal mode, 3 digits are used to set the basic permissions (see table below)
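The shell example below is an added one (not from the class notes) that works through the difference between the two chmod modes on a 3-digit octal mode without touching a real file: the absolute notation replaces the whole mode, while a relative clause such as g+w or o-rx changes only the bits it names (r=4, w=2, x=1).

```shell
#!/bin/sh
# Constructed example (not from the class notes): apply one chmod change to a
# 3-digit octal mode in either notation, without touching a real file.
# Absolute (octal) notation replaces every bit; relative (symbolic) notation
# only adjusts the bits it names, e.g. g+w, o-rx, u=rw.

# bits_of "rwx" -> 7, "rw" -> 6, "" -> 0   (r=4, w=2, x=1)
bits_of() {
    v=0
    case $1 in *r*) v=$((v | 4)) ;; esac
    case $1 in *w*) v=$((v | 2)) ;; esac
    case $1 in *x*) v=$((v | 1)) ;; esac
    echo $v
}

# apply_one DIGIT OP PERMS -> the new digit for one class (u, g or o)
apply_one() {
    p=$(bits_of "$3")
    case $2 in
        +) echo $(($1 | p)) ;;
        -) echo $(($1 & (7 - p))) ;;     # clear the named bits only
        =) echo "$p" ;;
    esac
}

# chmod_sim MODE SPEC -> resulting mode. SPEC is a 3-digit octal mode
# (absolute) or one symbolic clause [ugoa]...[+-=][rwx]... (relative)
chmod_sim() {
    mode=$1; spec=$2
    case $spec in [0-7][0-7][0-7]) echo "$spec"; return ;; esac
    who=${spec%%[+=-]*}                  # the classes named, e.g. ug
    rest=${spec#"$who"}
    op=${rest%"${rest#?}"}               # first character: +, - or =
    perms=${rest#?}
    u=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    case $who in *u*|*a*) u=$(apply_one "$u" "$op" "$perms") ;; esac
    case $who in *g*|*a*) g=$(apply_one "$g" "$op" "$perms") ;; esac
    case $who in *o*|*a*) o=$(apply_one "$o" "$op" "$perms") ;; esac
    echo "$u$g$o"
}

chmod_sim 644 g+w     # -> 664  (relative: only the group bits change)
chmod_sim 755 o-x     # -> 754
chmod_sim 600 a=r     # -> 444  (= replaces the bits of every class)
chmod_sim 640 755     # -> 755  (absolute: the whole mode is replaced)
```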

Additional Information for Breakdown:

Exercise: Setting Permissions for Users and Groups
