IFN507 Network Systems
P9: Introduction to Linux, File System, Users, and Permissions
Practical 9
Introduction to Linux, File System, Users, and Permissions
Introduction
This practical will introduce some basic Linux commands. It is always a good idea to learn about any commands before you execute them, especially if you are executing a command with root (administrator) privileges. It is recommended that you view the man pages (an online user manual) with the man command to find out what the command does, as well as to lookup the arguments and syntax, so as to ensure your command is successful, and it will achieve the desired outcome.
Preliminary Tasks
This practical and most of the following practical require the use of the Linux virtual lab environment that we have created for this unit. The virtual machines that are required for the practicals in this unit are preinstalled on the lab PC’s in S513, however it is highly recommended that you install these machines onto your own device, so that you can practice your skills at home. You can copy these onto a USB directly from the lab PC and then copy them onto your own device.
Note: It is recommended that you do not run the virtual machines directly from the USB as this will most likely cause performance issues.
Alternatively, you can download them directly to your device using the details on Blackboard.
You will also need to install the latest version VirtualBox and the VirtualBox Extension pack onto your device in order to open the virtual machines:
· Download Link: https://www.virtualbox.org/wiki/Downloads
Practical Lab Activities
· Lab Activity 1: Navigating Ubuntu 18.04 Desktop Environment
· Lab Activity 2: Getting Help
· Lab Activity 3: Privileges and How to become root?
· Lab Activity 4: Navigating Linux File System
· Lab Activity 5: User Management
· Lab Activity 6: Permissions
Lab Activity 1: Navigate Ubuntu 18.04 Desktop Environment
Virtual Lab Environment in S513
For the Linux practicals in this unit, there are five virtual machines that will be used. All the virtual machine images are in the C:
In the VMs folder, there are folders containing four servers and a desktop virtual machine. The server machines are command line only, whereas the desktop machine contains a GUI. To import the machine into VirtualBox, select the required machine folder and open the .vbox file. The selected virtual machine will open in VirtualBox.
All the virtual machines require a username and password to login. Some of the virtual machines have more than one Network Interface Card (NIC). This information is listed in Table 1.
Hostnames
Username
Password
# of NICs
Default Network Connection
ifn507-desktop
ifn507
1qaz2wsx
2
NAT and Internal Network
ifn507-server-1
ifn507
1qaz2wsx
2
Internal Network
ifn507-server-2
ifn507
1qaz2wsx
1
Internal Network
ifn507-server-3
ifn507
1qaz2wsx
2
Internal Network
ifn507-server-4
ifn507
1qaz2wsx
1
Internal Network
Table 1 Virtual machine default passwords and network configuration
Note: VMs with their network interface set to NAT will have internet access. Devices with Internal Network set are isolated from the outside, and as such can only communicate with each other. If you need to install packages from the internet on these machines at a later stage, you will be required to change the configuration in virtual box for that machine.
The Ubuntu 18.04 Desktop Environment
To start the ifn507-desktop virtual machine and get to the desktop:
1. Import the ifn507-desktop virtual machine into VirtualBox as detailed above
2. Start the machine as described above. This may take a moment to load
3. Login using the credentials in Table 1
4. Spend about 10 minutes to navigate around the Ubuntu environment to become familiar with it. Some suggested areas to look include:
· File browser: Files
· Web browser: Firefox
· System monitor
· Text editor
· Ubuntu Software
5. Open the terminal ready for the next exercise. Most of the tasks that we will be performing in Linux throughout the unit will be done inside the terminal.
Figure 1 The Ubuntu login screen.
2
1
Figure 2 Tour of the Ubuntu main desktop 1 = The dash menu containing shortcuts and the ‘show applications icon’ at the bottom. 2 = Menu bar indicators and controls for network, sound and power.
Figure 3 An example of the Ubuntu applications menu. You can toggle between frequent apps and all apps using the buttons at the bottom of the screen.
Lab Activity 2: Getting Help
Linux provides several ways to guide and help you working with the commands. The man pages should always be the first point of reference for explanations of their use. In addition, the man pages contain a lot of the common configuration files that explain values for configuration parameters for the applications in the system. There are also other options available for getting information, such as:
· man COMMAND man (manual) page for the available commands
· COMMAND –h or –help
· whatis COMMAND shows one-line summary of a command
· help show short list of Bash shell commands
· apropos search man pages for a specific functionality or phrase
· info
· The Tab key can be used to complete the command or directory
· Search within the man pages: type a “/”, followed by your query, and press Enter
· Use man –k COMMAND to search for a specific phrase.
Generally, you will use the first three options if you know the command and need to get help on the usage or specific options. Alternatively, you can start with the last three options, if you need to search for the functionality of a command.
Q1. Start getting help for your first command man. What is the correct command and syntax for the first three methods as above?
· man man
· man –-help man –h
· whatis man
Q2. Run the help command to get a short list of the Bash shell commands. What does pwd do?
man pwd
print name of current working directory
Q3. What does the history command do? Provide the command to clear history list.
It display the history list with line numbers with options to manipulate the list
history –c
Lab Activity 3: Privileges and How to become root?
There are two types of user accounts in a Linux system. Accounts are either privileged or unprivileged. All user accounts should be unprivileged, as day to day tasks such as using the system should never be done with root (administrator) privileges. This is to minimise the effect of poorly written programs, malicious code, or user errors that could have negative consequences to the system. Great care and caution should be taken when executing commands with elevated privileges.
Traditionally, in the Unix world, and a number of variants of Linux, the root account was the only privileged account. If system administration tasks needed to be performed, you needed to logout of your normal account, and log back into the system as root. Later, the ability to su (superuser) to root using the su command was made possible. The disadvantage of these two approaches was that it gave the user a full root shell, which was bad from a security perspective. Accountability was also difficult to achieve, as every administrator shared a common root password.
Debian based Linux systems (including Ubuntu) no longer have one powerful root account by default. The root account still exists, but it is disabled by default. This means that users are no longer able to login as root, nor are they able to use su to become root. If a command needs to be executed with root privileges, a user must use the sudo command. If that user has been granted sudo rights then they are able to execute the command as root. For example, to get a list of files in root’s home directory you would need to type:
ifn507@ifn507-desktop:~$ sudo ls /root
sudo would ask you to enter the password of the currently logged in user, and then execute ls as root.
If a lot of tasks need to be run as root, one after the other, you can get the equivalent of a root shell by executing sudo with the -i option. Note that you should only do this when you specifically need to and remember to exit from the root shell as soon as possible (by using exit command). When you execute sudo with the -i option, you may notice the command prompt now looks slightly different. The username is now shown as root and the prompt is now ‘#’ rather than ‘$’. This can be seen in Figure 6.
Figure 4 sudo -i command in the Ubuntu terminal
Q1. Execute the whoami command as a normal user and then as the root user. Compare the results. Are the results different? Why? whoami -> ifn507
sudo whoami -> root
The user privilege is changed. The privilege of the user is escalated from a normal user to a root user.
Lab Activity 4: Navigating Linux File System
Take a look at the man pages and helps for the following commands:
· pwd – ls
· cd – mkdir
· rmdir – cp
· mv – rm
· touch
Q1. Write the command and its output for displaying the current directory in the terminal.
pwd -> /home/vmuser
The change directory command cd does not have a man page as it is built into the command shell (bash). Information on cd is available in the bash man page or using cd –help.
Q2. What is the command to change to /etc directory?
cd /etc
The ls command is useful for getting a list of files in the current directory, or any specified directory. Look at the man pages for the ls command.
Q3. Use the ls command to list files in the /etc/ folder, including hidden files and in a long listing format.ls –al or ls –al /etc/
Q4. Use the ls command to list files in the /etc/ folder, to list file sizes in “human readable” format and sorted by file size from largest to smallest.ls –lhS
Q5. From your home directory, list all files in /etc/ folder, sorted by modification time from newest to oldest.
ls –lat /etc
Working with directories (making, changing, and deleting) are common tasks that must be performed. Examine the man pages for mkdir and rmdir.
Q6. Create a sub directory in your home directory called week4.
cd ~
mkdir ~/week4
· Change into the week4 directory: cd ~/week4
· Displaying the current working directory: pwd
· List the contents of the directory: ls
· Using the .. short cut to change to the parent directory: cd ..
There is no specific command to rename a directory or file, however this behaviour can be achieved by moving the directory from one name to another. The mv utility allows for files and directories to be moved. To copy or move files in Linux, use the cp and mv commands. Browse the man pages for these commands and then create a file, copy it and then move it.
Q7. Rename week4 to practical4.
mv ~/week4 ~/practical4
Q8. Remove practical4 directory.
rm -d ~/practical4 or rm –rf ~/practical4
Q9. Create two directories (dir1 and dir2) under home directory. Create a file named “test” in dir1 using the touch command.
Mkdir ~/dir1
Mkdir ~/dir2
touch ./dir1/test
Q10. Rename/Move the file test from dir1 to dir2 and name it test2.
mv ./dir1/test ./dir2/
mv ./dir2/test ./dir2/test2
or
mv ./dir1/test ./dir2/test2
Q11. Copy and rename ~/dir2/test2 to ~/dir1/test1.
cp ~/dir2/test2 ~/dir1/test1
Lab Activity 5: User Management
Managing user accounts is another necessary system administration task. Typically, in a standalone system all user account information is stored in 3 files /etc/passwd, /etc/shadow and /etc/group. Browse the man page for these three files now. Note that there will be multiple manpages called passwd. You will need to use the appropriate options to view the man page for the passwd file. While it is possible to manipulate these files by hand, several utilities exist to make the process easier. Look at the man pages for the following commands:
· id – getent
· useradd – groupadd
· passwd – usermod
· groupmod – userdel
· groupdel
You should familiarise yourself with concepts such as UID and GID, and the general format of the core account database files. Modifying and manipulating the system account databases will need to be done with root privileges. Ensure you take the necessary precautions before executing commands with root privileges or launching a root shell.
In this exercise we will be creating a new user on the system for Bob Mason. The username we will use is masonb.
Q1. Check if the user exists by using the id or getent commands. Double check this by looking in the /etc/passwd file directly.
getent passwd
Q2. Creating a new group for all new users, named labgroup using groupadd command. Check in /etc/group or use the getent group command to see what the GID of the newly created group was.
sudo groupadd labgroup
getent group
Q3. Add a user with the following command. Break down the individual components of the command and explain their purpose and function.
$ sudo useradd -G labgroup -s /bin/bash -m -c “Bob Mason” masonb
-G a list of supplementary groups which the user is also a member of
-s the name of the user’s login shell
-m create the user’s home directory if does not exist
-c “Bob Mason” a short description of the login
Q4. Use the useradd command to add a new user to the system for yourself, using your family name, first initial as the username like in the above example. Make sure you check that the account was successfully created by whatever means necessary.
sudo useradd -m [username]
Q5. Set a password for the user using the passwd command.
sudo passwd [username]
At times it is often necessary to suspend access to a user’s account. There are numerous ways of accomplishing this. Some examples are:
· Place a * at the start of the password field in the users entry in /etc/passwd.
· Change the user’s default shell to something like /bin/false or /bin/nologin. You cannot edit the /etc/passwd directly as you run the risk of leaving the system password file in an inconsistent state with the shadow password file (/etc/shadow).
· The passwd command with the -l option will lock the account. The -u option will unlock the account
Whenever you want to edit /etc/passwd use the vipw tool.
Deleting user accounts is a common activity and depending on the circumstances may need to be done with rather specific timing. Consider the situation of the termination of an employee and the implications of leaving an account active on the system. In this exercise, we will be deleting the account that you created in the previous exercise.
Q6. Using the userdel tool, delete the users account. Ensure however, that the contents of the user’s home directory will NOT be deleted.
sudo userdel [username]
Q7. Why do you think it would be necessary to preserve contents of a user’s home directory?
It may contain the file related to the business of the company.
The content of a user’s home directory is protected by file system permissions, and by default is accessible to all authenticated users and administrators. Any other user that has been granted administrator privileges has authority to access any protected location on the Filesystem including other users home directories.
Lab Activity 6: Permissions
While the superuser account has complete access to the system, a more granular approach to access control is possible for unprivileged accounts. Every file, directory or device has several Permission Bits associated with it. These bits are represented by a four-digit number.
Perhaps the biggest stumbling block for new people is to understand how the Unix permission bits work. Each file and folder has associated with it a number of permissions. Permissions can apply to:
User The owner of the file.
Group Users in the same group as the file.
Other Other users on the system.
Each class of account (User, Group, Other) can be assigned, Read, Write, and/or Execute privileges. System executables like ls typically have the following permissions bits:
-rwxr-xr-x 1 root root 89824 2012-05-23 08:06 /bin/ls
The permission bits are the first part of the line: -rwxr-xr-x. This means, that the owner (root) has read, write and execute privileges. All the other users on the system only have read and execute rights. The ‘-‘ character means no permission is set for that bit.
In addition to read, write and execute, several other special permissions exist:
SetUID If a file has SetUID, then the file is executed with the inherited rights of the owner of the file. SetUID behaves like an automatic sudo. As such, any file with SetUID rights, especially, SetUID root, should be treated very carefully. SetUID rights should only be given out when necessary. Additionally, regular security scanning for newly created SetUID files should be done.
SetGID Behaves like SetUID but executes with the rights of the group the file belongs to.
Sticky Bit When applied to a directory, the Sticky Bit only allows the owner of the file, the owner of the directory, or root to delete it. Sticky Bit has no effect when applied to an individual file. This must be applied at folder level.
Numerical Representation of Permission Bits
Unix permission bits are usually represented in octal. While commands like chmod can accept input like u+x (Apply execute privileges for User), it is much easier to read if the numeric representation is used. Unix uses a group of 4 numbers to represent permissions.
Each number represents the combined permissions for the special bits, the User (100’s), the Group (10’s) and the Other (1’s). Each permission has following set of values:
User
Group
Other
Execute
–
100
10
1
Write
–
200
20
2
Read
–
400
40
4
Sticky
1000
–
–
–
SetGID
2000
–
–
–
SetUID
4000
–
–
–
Our earlier example of the ls command had the permissions -rwxr-xr-x, in numeric form this would be 0755. Because the User (Owner) has Read, Write, Execute (100+200+400 = 700) with Group having Read and Execute (10 + 40 = 50), and Other having Read and Execute (1 + 4 = 5). As no special bits apply, the first number is 0.
If ls needed to be SetUID enabled, the permission bits would be 4755.
When viewing the output of ls the special bits are represented as follows:
SetUID The x in the User column becomes s
SetGID The x in the Group column becomes s
Sticky The x in the Other column becomes t
Shell Scripts and SetUID/SetGID root
Because a shell script spawns a new command shell, it would be dangerous and insecure for shell scripts to be SetUID or SetGID to root. The Linux kernel will not apply the SetUID to shell scripts that are owned by root.
Permission Manipulation
Look at the man pages for:
1. chmod
2. chown
3. chgrp
Pay attention to chmod as understanding the way Unix permission bits control how the file system and access control work together is vitally important. The following exercises are designed to show how manipulating the permissions can enforce a particular policy. You will need to do the following exercises with root privileges, it is probably a good idea to use the sudo -i interactive sudo environment.
Q1. Create a new group called accounting as our users belong to the accounting team. Create and add two new users in the accounting group. The new users will be Jane Smith (username smithj) and Andy Lim (username lima). Set a different password for each user.
sudo groupadd accounting
sudo useradd –G accounting -s /bin/bash –m smithj
sudo useradd –G accounting -s /bin/bash -m lima
sudo passwd smithj
sudo passwd lima
Q2. Change directory to /home and do a long listing to examine the user and group permissions.
cd /home
ls -l
Q3. Create a subdirectory in smithj’s home directory called subdir. Do a long listing on smithj’s home directory and examine the permissions for subdir.
sudo mkdir /home/smithj/subdir
ls -l
Q4. Create a new group called payroll and verify that the group was created successfully.
sudo groupadd payroll
getent group
Q5. Change the ownership of subdir to smithj and the group ownership to payroll. Do a long listing on smithj’s home directory to verify that the change has occurred.
sudo chown smithj:payroll /home/smithj/subdir
ls -l /home/smithj/
Q6. Create a new directory called /home/project2. Use a long listing to examine the ownership and permissions of /home/project2.
sudo mkdir /home/project2
ls -l /home
Q7. Change the group ownership of /home/project2 to a group which both employees belong to (accounting). Grant this group read, write and execute access to the directory. Use a long file listing to verify that these changes have occurred.
chgrp accounting /home/project2
chmod g+rwx /home/project2
Q8. Open two new terminal windows. In the first terminal, change to the user smithj and in the second terminal change to the user lima. Hint: use su command to switch user.
su [username]
Q9. As smithj, create a file in /home/project2 called file-js and as lima create a file in /home/project2 called file-al. Use a long file listing to see that the two files have been created. Examine the differences in the permissions assigned to each file.
touch [filename]
Q10. As smithj, try and read lima’s file, and vice versa.
Q11. Using the root terminal, change the permissions on /home/project2 so that a file created by one employee, is not able to be deleted by another employee. Use a long listing to verify the new permissions.cat /home/project2/file-al
Test this by trying to delete file-al using smithj’s account.
chmod +1000 /home/project2
su smithj
rm /home/project2/file-al (should deny)
Q12. smithj is being investigated for fraud. Suspend his account without deleting the account or any files.
sudo usermod –expiredate 1 smithj
OR
sudo usermod –L smithj
Q13. smithj has left the company, and you have received authorisation to remove his access and delete all his files. In one command remove smithj’s access and delete his home directory. What command did you use for this? Confirm that the account has been deleted and the home directory removed.
sudo userdel –f -r smithj
End of the Practical
2