Working with Users, Groups, and Permissions – Part IV

Understanding the Authentication Process

•When a user authenticates to your server, the local user database as defined in the files /etc/passwd and /etc/shadow is used in a default configuration

•If you've used one of the tools described in the previous section to configure authentication against an external authentication server, the sssd service is involved as well.

•Apart from sssd, PAM and /etc/nsswitch.conf also play a role

•You will learn how these are used in the upcoming sections

Understanding sssd:

•The sssd service provides information about all available authentication sources, and it is also capable of providing offline authentication

•This means that if you're on a laptop that is temporarily disconnected from the network, you can still authenticate against the external authentication service using the "sssd" cache

•Using "sssd" doesn't require much information

  • The configuration parameters specified are written to the configuration file "/etc/sssd/sssd.conf"

LDAP authentication parameters in /etc/sssd/sssd.conf

•This example shows the part of the configuration that was written to this file when LDAP authentication was enabled

•You won't need to modify the "sssd" configuration manually very often

•But if you do, don't forget to restart the "sssd" service after this modification; otherwise, it won't work!

Understanding nsswitch

•The "/etc/nsswitch.conf" file is used to determine where different services on a computer look for configuration information

•The different sources of information are specified in thisfile

Specifying sources of information /etc/nsswitch.conf

•The example provides an overview of the most relevant parameters used in this file

•The passwd and shadow files are relevant for authentication.

  • They specify that the local files are always checked first, prior to the authentication mechanism that is offered through "sssd"

Understanding Pluggable Authentication Modules (PAM)

•On Linux, PAM is what is used to make authentication pluggable

•Every modern service that needs to handle authentication passes through PAM

There are 2 parts in PAM:

  • 1st, there are the configuration files in use
  • Every service has its own configuration file in the directory "/etc/pam.d"

The PAM file for login defines how to handle login:

•The login service uses the configuration file "/etc/pam.d/login" (shown below)

  • In this sample PAM file, you can see that 3 columns are used to define what should happen
  • 1st column: the authentication process is split into 4 different phases: auth, account, password, and session

•These are the stages that are typically passed through in the authentication process, but in the end, the writer of the PAM module decides which of these to implement

  • A PAM module is called on each line in a PAM configuration file.

The PAM module defines exactly what should happen while authenticating.

•For example: if you need the authentication procedure to use an LDAP server, you can include the "pam_ldap.so" module that tells the service how to contact LDAP

•The 2nd column specifies how this PAM module should be handled.

  • To use PAM, it is important to know which modules are available and what exactly is the purpose of each of these modules

•You can find out all this information in the Linux-PAM_SAG.txt file in the directory /usr/share/doc/pam-<version> (show file in Linux)

•This file contains an extensive description of all the default PAM modules

•As you can see, the "/etc/pam.d/login" file includes some common parameters that are found in "/etc/pam.d/system-auth". (show file in Linux)

•This file contains generic parameters that should be included by other services that are related to authentication, such as the PAM files for su and sudo

•The general system-auth file is useful for services that need to be included by many programs.

•Imagine that you want to have your server authenticate through LDAP: just put a line in "/etc/pam.d/system-auth" that calls the LDAP module, and it will be included by all login-related services, such as login, passwd, su, and many more.
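To make the three-column structure and the include mechanism concrete, here is an added shell example (not code from the original slides) that reads a PAM service file and lists, per phase, which modules would run once the shared system-auth file is pulled in. The two sample files it writes are constructed for the demo and do not reproduce any distribution's real configuration; the module names used (pam_unix.so, pam_ldap.so, pam_deny.so, and so on) do exist. GNU sed/awk are assumed.

```shell
#!/bin/sh
# Walk a PAM service file and list, per phase, the control flag and module on
# every line, following "include"/"substack" directives into sibling files in
# the same directory (the way /etc/pam.d/login pulls in system-auth).
# Added example, not from the original slides. The sample files written by
# write_sample_pamd are constructed for the demo, not a distribution's real
# configuration. Not handled: the bracketed "[success=ok ...]" control syntax,
# whose field contains spaces and would need its own parser.

# write_sample_pamd DIR -> creates DIR/login and DIR/system-auth (constructed)
write_sample_pamd() {
    mkdir -p "$1"
    cat > "$1/login" <<'EOF'
#%PAM-1.0  (constructed sample, loosely modelled on a Red Hat style login file)
auth       required     pam_securetty.so
auth       substack     system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_loginuid.so
session    include      system-auth
EOF
    cat > "$1/system-auth" <<'EOF'
# constructed sample: the shared file that login, su, sudo, passwd... include
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
account    sufficient   pam_ldap.so
password   sufficient   pam_unix.so sha512 shadow try_first_pass use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
EOF
}

# pam_lines DIR SERVICE -> "phase control module [args]" per line, with
# include/substack expanded to the included file's lines of the same phase
pam_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1/$2" |
    while read -r phase control module args; do
        phase=${phase#-}   # a leading "-" only silences logging when the module is missing
        case $control in
            include|substack)
                # the third column names the file to pull in; only its lines for
                # this phase are taken, which is what PAM itself does
                pam_lines "$1" "$module" | awk -v p="$phase" '$1 == p'
                ;;
            *)
                printf '%s %s %s%s\n' "$phase" "$control" "$module" "${args:+ $args}"
                ;;
        esac
    done
}

# pam_modules_for_phase DIR SERVICE PHASE -> module names in evaluation order,
# space separated on one line
pam_modules_for_phase() {
    pam_lines "$1" "$2" |
    awk -v p="$3" '$1 == p { out = out (out ? " " : "") $3 } END { print out }'
}

# Demo on the constructed files: which modules the login service would run
# in each of the four phases once system-auth is pulled in.
demo_dir=$(mktemp -d)
write_sample_pamd "$demo_dir"
for phase in auth account password session; do
    printf '%-9s %s\n' "$phase" "$(pam_modules_for_phase "$demo_dir" login "$phase")"
done
rm -rf "$demo_dir"
```

Pointing the functions at a real /etc/pam.d (for example `pam_modules_for_phase /etc/pam.d sshd auth`) is a quick way to review which modules a service actually consults, and in which order, before and after a change to system-auth.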

Exercise:

  • Configuring PAM

Managing Permissions:

•So far, you learned how to create users and groups.

•Now, you'll learn how to apply permissions to these users and groups

Understanding the Role of Ownership:

•File and directory ownership is vital for working with permissions.

Displaying Ownership:

•Every file and directory has an owner on Linux

•To determine whether you, as a user, have permissions to a file or a directory, the kernel checks ownership

  • 1st it will see whether you are the user owner, which is also referred to as the user of the file
  • If you are the user, you will get the permissions that are set for the user, and the shell looks no further
  • If you are not the user owner, the shell will check whether you are a member of the group owner, which is also referred to as the group of the file

•If you are a member of the group, you will get access to the file with the permissions of the group, and the shell looks no further

  • If you are neither the user owner nor the group owner, you'll get the permissions of others
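The check order just described (user owner first, then group owner, then others, and the first match decides) can be emulated in a few lines of shell. This is an added example, not code from the original slides; it assumes GNU coreutils (`stat -c`) and a local group lookup via `id -Gn`. Two caveats it deliberately does not model: root (CAP_DAC_OVERRIDE) bypasses these bits altogether, and POSIX ACLs add entries that `ls -l` only hints at with a trailing `+`.

```shell
#!/bin/sh
# Emulate the ownership check order Linux applies to a classic (non-ACL) file:
# user owner first, then group owner, then others; the first match wins, even
# when a later class would have granted more.
# Added example, not from the original slides. Assumes GNU coreutils (stat -c)
# and that group membership can be looked up locally with id -Gn.
# Not emulated: root's CAP_DAC_OVERRIDE bypass and POSIX ACL entries.

# digit_to_rwx DIGIT -> the rwx triplet for one octal digit (r=4, w=2, x=1)
digit_to_rwx() {
    case $1 in
        0) echo '---' ;;  1) echo '--x' ;;  2) echo '-w-' ;;  3) echo '-wx' ;;
        4) echo 'r--' ;;  5) echo 'r-x' ;;  6) echo 'rw-' ;;  7) echo 'rwx' ;;
        *) echo "digit_to_rwx: bad digit '$1'" >&2; return 1 ;;
    esac
}

# effective_perms FILE USER -> "<class> <rwx>": the ownership class USER falls
# into for FILE (user, group or others) and the bits that class grants
effective_perms() {
    file=$1
    user=$2
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    # stat prints e.g. 640 or 70; normalize to four digits (special bits first)
    mode=$(printf '%04d' "$(stat -c '%a' "$file")")

    if [ "$user" = "$owner" ]; then
        class=user;   digit=$(printf '%s' "$mode" | cut -c2)
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        class=group;  digit=$(printf '%s' "$mode" | cut -c3)
    else
        # an unknown user name also lands here; a real lookup would reject it
        class=others; digit=$(printf '%s' "$mode" | cut -c4)
    fi
    printf '%s %s\n' "$class" "$(digit_to_rwx "$digit")"
}

# Demo on a constructed temporary file: the owner gets the user bits even
# though the group bits are far more generous, because the check stops at
# the first matching class.
demo=$(mktemp)
chmod 070 "$demo"        # user: nothing; group: rwx; others: nothing
echo "owner $(id -un) gets: $(effective_perms "$demo" "$(id -un)")"   # user ---
rm -f "$demo"
```

The mode 070 case is the one worth remembering when auditing permissions: a file whose owner has fewer rights than its group is legal, and the owner does not inherit the group's access.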

•To see current ownership assignments, you can use the "ls -l" command

  • This command shows the user as well as the group owner

•The example below shows the ownership settings for directories in the directory "/home" on a system that uses the public group approach, where all users are members of the same group called users

•Occasionally, it may be useful to get a list of all files that have a given user or group as owner

  • To do so, use the "find" command with the argument "-user"
  • For example: the command "find / -user linda" shows all files that have user linda as their owner
  • Likewise, the command "find / -group users" searches all files that are owned by the group users.

Changing User Ownership:

•When working with permissions, it is important to know how to change them

•The chown command is used to do this

•The syntax of this command is easy to understand: "chown who what"

  • Example: chown linda account (would change ownership for the file account to user linda)

•The chown command has one important option: -R

  • -R allows you to set ownership recursively
  • In other words, it allows you to set ownership of the current directory and everything below it
  • For example: chown -R linda /home (changes ownership for the directory /home and everything beneath it to user linda)

Changing Group Ownership:

•There are 2 ways to change group ownership

  • You can do it using "chown"
  • Or the chgrp command

•If you want to use the "chown" command, use a : in front of the group name. Example: chown :account /home/account (would change the group owner of directory "/home/account" to group account)

•You can also use the chgrp command for the same purpose. For example: chgrp account /home/account can be used to set group ownership for the directory /home/account to the group account

•As is the case for "chown", you use the option -R with "chgrp" to change group ownership recursively

Default Ownership:

  • When a user creates a file, default ownership is applied
  • The user who creates the file will automatically become user owner, and the primary group automatically becomes group owner
  • This will normally be the group that is set in the /etc/passwd file as the user’s primary group
  • If, however, the user is a member of more groups, they can change the effective primary group
  • To show the current effective primary group, a user can use the “groups” command as follows:
  • # groups
  • One way to change default group ownership for new files is to change the primary group
  • For Example, if the current user “linda” wants to change the effective primary group, she can use the “newgrp” command followed by the name of the group she wants to set as the new effective primary group

  • After changing the effective primary group, all new files that the user creates will have this group as their group owner
  • To return to the original primary group setting, use “exit”
  • This will bring you back to the previous effective primary group setting
  • Show example

Understanding Read, Write, and Execute Permissions:

  • 3 basic permissions allow you to read, write and execute files
  • The effect of these permissions is different if applied to files vs. directories
  • If applied to a file, the read permission gives you the right to open the file for reading
  • That means you can read its contents, and it also means your computer can open the file to do something with it
  • If applied to a directory, read permission allows you to list the contents of that directory
  • This permission doesn’t allow you to read files in the directory
  • The Linux permission system does not know about inheritance, and the only way to read a file is by using the read permission on that file
  • To open a file for reading, however, you do need read permission for the directory, because you wouldn’t see the file otherwise
  • If applied to a file, the write permission allows you to write to that file. Stated otherwise, write permission allows you to modify the contents of existing files
  • It does not, however, allow you to create or delete new files
  • To do that, you need write permission on the directory where you want to create the file
  • In directories, this permission also allows you to create and remove new subdirectories and files, but you need “execute” as well to descend into the directory
  • “execute” permission is required to execute a file. It is never set by default, which makes Linux almost completely immune to viruses
  • Only someone with administrative rights to a directory will be capable of applying the execute permission
  • Typically this would be the user root
  • However, a user who is owner of a directory also has the right to change permissions in that directory
  • While the execute permission on files means you are allowed to run a program file, when applied to a directory, it indicates that the user can use the “cd” command to go to that directory
  • This means that “execute” is an important permission for directories, and you will see that it is normally applied as the default permission to them
  • Without it, there is no way to change to a particular directory or create files in that directory

Applying Read, Write, and Execute Permissions:

  • Use the “chmod” command to apply permissions
  • When using “chmod”, you can set permissions for user, group, and others
  • You can use this command in two modes:
  • Symbolic (a.k.a. the relative notation)
  • Octal (a.k.a. the absolute notation)
  • In this mode, 3 digits are used to set the basic permissions (see table below)
  • Additional Information for Breakdown:
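Two things the chmod list above relies on, as an added shell example that is not code from the original slides: the three-digit table itself, written as a function that turns an `ls -l` style string such as `rwxr-x---` back into `750`, and the practical difference between the relative (symbolic) and absolute (octal) notations, checked with `stat -c %a` on a constructed temporary file. GNU coreutils is assumed; setuid, setgid and sticky bits are outside the slide's three-digit table and are reported as an error rather than guessed.

```shell
#!/bin/sh
# Added example, not from the original slides. (1) rwx_to_octal is the
# three-digit permission table as code; (2) apply_modes shows that symbolic
# chmod arguments change only the bits you name (relative), while octal
# arguments restate all nine bits (absolute). Assumes GNU coreutils.

# rwx_to_octal RWXSTRING -> three octal digits, e.g. rwxr-x--- -> 750
# Each digit is r=4 + w=2 + x=1 for the user, group and others triplet.
rwx_to_octal() {
    rest=$1
    if [ ${#rest} -ne 9 ]; then
        echo "rwx_to_octal: expected 9 permission characters, got '$rest'" >&2
        return 1
    fi
    out=''
    for class in user group others; do
        triplet=${rest%"${rest#???}"}   # first three characters
        rest=${rest#???}                # drop them for the next round
        d=0
        case $triplet in r??) d=$((d + 4)) ;; esac
        case $triplet in ?w?) d=$((d + 2)) ;; esac
        case $triplet in
            ??x) d=$((d + 1)) ;;
            ??[sStT])
                # setuid/setgid/sticky need a fourth digit; not part of this table
                echo "rwx_to_octal: special bit in $class triplet ($triplet) not handled" >&2
                return 1 ;;
        esac
        out="$out$d"
    done
    printf '%s\n' "$out"
}

# mode_of FILE -> current octal mode as reported by stat
mode_of() { stat -c '%a' "$1"; }

# apply_modes ARG... -> applies each chmod argument in turn to a fresh,
# constructed temporary file (starting from 000) and prints the mode after
# every step, so the relative/absolute difference is visible step by step
apply_modes() {
    f=$(mktemp)
    chmod 000 "$f"
    for m in "$@"; do
        chmod "$m" "$f"
        printf '%-18s -> %s\n' "$m" "$(mode_of "$f")"
    done
    rm -f "$f"
}

# final_mode ARG... -> only the mode left after the whole sequence
final_mode() { apply_modes "$@" | sed -n '$s/.*-> //p'; }

# Demo: g+x keeps the 6 and the 0 and only adds x to the group; the symbolic
# u=rwx,g=rx,o= and the octal 750 land on the same bits; and because octal is
# absolute, the final "750" silently undoes the earlier "o+r".
apply_modes 640 g+x u=rwx,g=rx,o= 750 o+r 750
```

The last step is the one that bites in practice: re-running an absolute mode from a script or configuration tool resets every bit, including ones someone added by hand in the meantime, whereas a symbolic `g+w` or `o-rwx` leaves the rest alone.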

Exercise:

  • Setting Permissions for Users and Groups