Codingdomain.com

Linux Starter Tips

Introduction

Each operating system has its own hidden knowledge and its own way of looking at things. Some tips regarding Linux are collected here.

User Accounts

Introduction

Every Linux system has a user called root. The root user has the power to change everything and do everything. The root account should only be used for system administration; daily activities can be done perfectly well with a normal user account.

Using a normal account

Using a normal user account is the first step towards a secure system. Programs inherit the access permissions and restrictions of the user who started them. This includes viruses and other malicious software: those programs are automatically limited to the abilities of the current user.

Using a normal account doesn't mean you're limited. Normal work can still be done, and all settings can still be changed. Changes that require root access, like changing the system time, simply prompt for the root password before they continue.

(Image: the password dialog shown when changing the date from a normal user account.)

Creating a normal account

To create a new user, run these commands as root:

Creating a new user account:
useradd -m username
passwd username

The new account can be used to log into the system. It has very simple security settings: only files in /home/username and /tmp can be modified from this account.

User settings

User settings are not stored in a registry or a shared folder. Linux programs store all settings in the personal /home/username folder, as hidden files. KDE programs, for example, use /home/username/.kde/ to store their settings. This approach has some benefits. Settings can always be changed: personal settings simply overrule system settings. Settings never interfere with those of other users: each user can only access its own personal home folder.

Running a command as root

One issue remains: how to run commands as root? The solution is quite simple. From a console, type either su or su - to start a temporary root session. The latter starts a full login process. To end the temporary root session, type exit or press Ctrl+D.

The su command can also be used to switch to another user, for example su - diederik. Programs running as another user are not allowed to access the active X11 display. To start such programs as root, type kdesu programname, or use sux instead of su.

File Permissions

Introduction

Root users never worry about file permissions, since they can do everything. Normal users don't have this privilege, which requires some understanding of how Linux handles filesystem permissions. The Linux filesystem permissions are crude, but simple and elegant at the same time. That simplicity makes them powerful to use.

Linux distinguishes between three different access roles for a file: the owner (user), the group, and all others. For each role, a few switches can be enabled or disabled. This is shown in the following image:

(Image: the permission switches, laid out as (user)rwx (group)rwx (others)rwx.)

The R represents read, W is write, and X is execute. These permissions can be seen in the file manager, or in the result of the ls -l command.

To overwrite a file, the write switch is required; to run a program, the execute switch is required. The R, W and X switches can be changed separately for the user, the group, and others.

Changing permissions

Changing file permissions can be done with the commands:

For example:

Multiple file names are accepted for these commands, of course.

The syntax of the chmod command is not difficult to understand. The combination ug-rx means: for user (U) and group (G), remove (-) the read (R) and execute (X) permissions.

Changing all permissions at once

The chmod command supports another, more compact notation to change all permissions at once. The R, W and X switches also have a numeric representation, namely R=4, W=2 and X=1. A combination like rwxr-xr-x can therefore be written as 755.

The first rwx combination represents the owner permissions. They are equal to 4+2+1=7. The second and third parts represent the group and other permissions. The combination r-x is identical to 4+1=5. Combined, the end result is indeed 755.
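As an added example (not code from the original page), the following shell functions convert between the two chmod notations explained above and apply the ug-rx form from the text next to its numeric equivalent; they assume GNU stat and mktemp, as found on any Linux system.

```shell
#!/bin/sh
# Added example, not from the original page: the two chmod notations side by side.

# perm_to_octal "rwxr-xr-x" -> 755. Walk the nine switches; every r adds 4,
# w adds 2 and x adds 1, and each group of three becomes one digit.
perm_to_octal() {
    local s=$1 out='' v=0 n=0 c
    if [ ${#s} -ne 9 ]; then
        echo "expected nine switches such as rwxr-xr-x, got '$s'" >&2; return 1
    fi
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}                  # c = first character, s = the rest
        case $c in r) v=$((v + 4)) ;; w) v=$((v + 2)) ;; x) v=$((v + 1)) ;; esac
        n=$((n + 1))
        if [ $((n % 3)) -eq 0 ]; then out="$out$v"; v=0; fi
    done
    echo "$out"
}

# octal_to_perm 640 -> "rw-r-----". Expand each digit back into its switches.
octal_to_perm() {
    local n=$1 out='' d
    case $n in [0-7][0-7][0-7]) ;; *) echo "expected three octal digits, got '$n'" >&2; return 1 ;; esac
    while [ -n "$n" ]; do
        d=${n%"${n#?}"}; n=${n#?}
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    echo "$out"
}

# Numeric mode of a path, via GNU stat (assumed, as on Linux).
mode_of() { stat -c %a "$1"; }

# Apply "ug-rx" from the text to a 755 scratch file, then apply the numeric
# form it amounts to, and report both resulting modes (expected: "205 205").
compare_forms() {
    local f a b
    f=$(mktemp) || return 1                         # constructed scratch file
    chmod 755 "$f" && chmod ug-rx "$f" && a=$(mode_of "$f")
    chmod 755 "$f" && chmod 205 "$f" && b=$(mode_of "$f")
    rm -f "$f"
    echo "$a $b"
}
```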

Using the find command, the permissions of an entire folder can be reset to default values.

Reset all permissions of the current folder:
chown root:root . -R                 # Changes owner, including subfolders
find . -type f -exec chmod 644 {} \; # Set 'rw-r--r--' for all files.
find . -type d -exec chmod 755 {} \; # Set 'rwxr-xr-x' for all folders.

Special permissions

Linux does not only use these permissions for normal files. Special files like folders, device nodes, sockets and pipes use the same filesystem permissions.

Enabling the W (write) switch on a folder gives users the right to create, rename and delete entries (files) in it. Enabling the X switch on a folder means a user can access (browse into) the folder. Enabling the R switch on a device node means a user can read from the device, and so on.

There are three additional, somewhat hidden switches that are used on rare occasions. The set-uid (set user id) and set-gid (set group id) switches can be used to run a program as its owner. A command like su uses this to get root permissions by default.

The sticky bit is quite useful for folders. When it is enabled, users can only delete their own files, even if they have write access to the folder. The sticky bit is set with chmod +t, since chmod +s is already used for the set-uid and set-gid options.

Giving users access to devices

Devices have a special place in the Linux filesystem. Each node in the /dev folder represents a device. The access permissions for devices don't differ from those of files!

Most commercial Linux distributions already provide a reasonable configuration, but distributions like Slackware don't. This is a straightforward approach to setting the access permissions of a webcam in Slackware:

  1. Find the device node in /dev
    With commands like ls and tree, folders can be browsed to find the node in the /dev folder. Fortunately, the first webcam device is always called /dev/video0. More information about device files can be found in /usr/src/linux/Documentation/devices.txt.
  2. Find out what permissions the file currently has
    Use ls -l /dev/video0 to see the permissions, owner and group of the file.
  3. Decide how to open up the permissions
    It is possible to allow everyone. This is the easiest solution, but not the best: it gives virtually everyone on the system access to the webcam, including website visitors and so on. I often like to create a new group for each object users need to access. I have separate groups for all devices (floppy, cdrom, cdburner, sound, scanner, webcam), and for other functions like creating cronjobs, playing games, ssh access, and access to my Windows XP partition. For the webcam, I use the standard video group, but the common "users" group can also be used instead.
  4. Change the permissions
    If the video group doesn't exist already, use groupadd video to create it. Assign users to the new group by modifying the right line in the file /etc/group; add multiple users by separating them with a comma. Use chgrp video /dev/video0 to assign the video group to the device node. Use chmod g+r /dev/video0 to give the group members read permission. Use chmod o-rwx /dev/video0 to make sure all other users can't do anything with the webcam at all. These chmod steps can be combined as chmod 640 /dev/video0, which sets all permissions at once.
  5. Test the results
    You can try to access the webcam from an application. Changes to /etc/group are not active until the user logs in again.
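The "test the results" step, as an added example that is not part of the original page: a shell function that works out which of r, w and x a given user gets on a path from the owner, group and mode that stat reports (GNU stat assumed, as on Linux). The user's group list is passed in explicitly, so the check also covers an account that has been added to /etc/group but has not logged in again, and the demo uses a constructed scratch file in place of /dev/video0 because changing a real device node needs root.

```shell
#!/bin/sh
# Added example, not from the original page: work out what one user gets on a
# path from its owner, group and mode (GNU stat assumed, as on Linux).
#   access_for PATH USER "GROUP1 GROUP2 ..."   -> prints e.g. "r--"
# The group list is passed in rather than looked up with id, so the check also
# covers an account that was added to /etc/group but has not logged in again.
access_for() {
    local path=$1 user=$2 groups=$3 owner group mode digit
    owner=$(stat -c %U "$path") || return 1
    group=$(stat -c %G "$path") || return 1
    mode=$(stat -c %a "$path") || return 1
    while [ ${#mode} -lt 3 ]; do mode="0$mode"; done
    mode=${mode#"${mode%???}"}            # keep the last three digits (drop setuid/setgid/sticky)
    if [ "$user" = "$owner" ]; then
        digit=${mode%??}                  # owner bits apply, even when they are the strictest
    else
        case " $groups " in
            *" $group "*) digit=${mode#?}; digit=${digit%?} ;;   # group bits
            *)            digit=${mode#??} ;;                     # everybody else
        esac
    fi
    case $digit in
        0) printf '%s\n' '---' ;; 1) printf '%s\n' '--x' ;; 2) printf '%s\n' '-w-' ;; 3) printf '%s\n' '-wx' ;;
        4) printf '%s\n' 'r--' ;; 5) printf '%s\n' 'r-x' ;; 6) printf '%s\n' 'rw-' ;; 7) printf '%s\n' 'rwx' ;;
    esac
}

# Step 4 on a constructed scratch file standing in for /dev/video0 (changing a
# real device node needs root): after chmod 640 the owner gets rw-, a member of
# the file's group gets r--, and an account in some other group gets nothing.
# "somebody" and "othergroup" are made-up names for the check.
demo_webcam_rule() {
    local f owner grp
    f=$(mktemp) || return 1
    chmod 640 "$f"
    owner=$(stat -c %U "$f"); grp=$(stat -c %G "$f")
    printf '%s %s %s\n' \
        "$(access_for "$f" "$owner" '')" \
        "$(access_for "$f" somebody "$grp")" \
        "$(access_for "$f" somebody 'othergroup')"
    rm -f "$f"
}
```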

Giving users access to your Windows partition

A common question is, "how can I access my Windows files?". If your Linux distribution does not provide access by default, it's useful to know how it can be done.

The file /etc/fstab contains a table of all registered device media. This includes the Linux root partition, swap partition, CD/DVD devices, network shares, and the Windows partitions. Each line in the file represents a different medium.

The following example is used to identify the second disk drive:

A disk drive example: /etc/fstab
/dev/hdb1   /mnt/data-dump/   ext3   defaults   0 0

Each column has a different meaning:

/dev/hdb1
The first column describes the device node. In this case it's /dev/hdb1, the first partition of the second disk drive (hd-b-1).
/mnt/data-dump/
The second column describes the mount point; the location where the files and folders of the device will be visible.
ext3
The third column describes the file system: the way data is structured on the medium.
For disk drives, this is often something like ext3, reiser, ntfs or vfat. For CD/DVD disks, use iso9660. For network shares, use cifs, smbfs or nfs.
defaults
The fourth field contains various mount options, which differ between file systems. The options correspond to the -o argument of the mount command; see the mount and smbmount man pages for details.
0 0
The fifth field is used by the dump command, and can be ignored. The sixth field is used by the fsck (file system check) command. To disable the file system check, set the value to zero. To enable it, set it to 1 for the root file system, and 2 for all other file systems.

In the fstab manual page you'll find a technical explanation of the various columns.

Some entries in /etc/fstab use a "virtual/pseudo filesystem". Examples are /proc, /dev/pts and /sys. Their contents correspond to internal system data, represented as different files and folders. Since the data is accessed via files, it can be read by any program, as phpsysinfo does for example. Each file also has access permissions applied!

To give users access to a Windows partition, the partition needs to be added to /etc/fstab. Naturally, Linux can't enforce any NTFS permissions: it cannot map the Linux user accounts onto the accounts used in Windows. That's why the file system is protected differently.

By default, an NTFS disk can only be read by the root account. To give other users access, this needs to be defined explicitly in the mount options. It's possible to give all users access, but it's more secure to give a specific group access to the device. This can be done in the following way:

Giving users access to a NTFS partition: /etc/fstab
/dev/hda1   /mnt/winxp/   ntfs   gid=xpusers,umask=0227,ro   0 0

The gid option specifies the group that has access. The group can be created with groupadd xpusers, and members can be assigned by modifying /etc/group. Changes to /etc/group are not active until the user logs in again!

The umask option is the reverse of a file system permission. Instead of describing permissions, a umask describes the restrictions. The format is identical to the numeric format of the chmod command described above. In other words, 0 allows all permissions, 2 denies write access, and 7 denies any access.

The ro option ensures the file system is mounted read-only. Since Linux is not able to write NTFS files, we want both the umask and the ro option to reflect that.

A similar approach can be used for FAT16/FAT32 partitions.

Giving users access to a FAT16/FAT32 partition: /etc/fstab
/dev/hda8   /mnt/games/   vfat   gid=games,umask=0007   0 0
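As an added example (not code from the original page), the script below turns a umask from these fstab entries into the permissions it actually grants, and walks a set of constructed fstab lines (the NTFS and FAT entries from this page plus two weaker ones) to report who can reach each Windows partition. It assumes a 0777 base for the mask; the ntfs-3g and msdos type names are extra and not mentioned on the page.

```shell
#!/bin/sh
# Added example, not from the original page. Constructed sample fstab lines:
# the two entries from the text plus two weaker ones for comparison.
SAMPLE_FSTAB='# device    mountpoint       type   options                     dump pass
/dev/hda1   /mnt/winxp/      ntfs   gid=xpusers,umask=0227,ro   0 0
/dev/hda8   /mnt/games/      vfat   gid=games,umask=0007        0 0
/dev/hda5   /mnt/shared/     vfat   umask=0000                  0 0
/dev/hda6   /mnt/docs/       ntfs   defaults                    0 0
/dev/hdb1   /mnt/data-dump/  ext3   defaults                    0 0'

# umask_to_mode 0227 -> 0550. The mask is applied to a 0777 base, so each
# umask digit takes that much away from 7 (0 keeps all, 2 drops write, 7 drops all).
umask_to_mode() {
    local u=$1 out=0 d
    case $u in
        [0-7][0-7][0-7][0-7]) u=${u#?} ;;   # drop the leading special-bits digit
        [0-7][0-7][0-7]) ;;
        *) echo "bad umask '$u'" >&2; return 1 ;;
    esac
    while [ -n "$u" ]; do
        d=${u%"${u#?}"}; u=${u#?}           # d = first digit, u = the rest
        out="$out$((7 - d))"
    done
    echo "$out"
}

# One line per ntfs/vfat entry: mount point, effective mode, and who gets in.
audit_windows_mounts() {
    local fstab=$1 dev mnt type opts rest o gid mask mode others
    printf '%s\n' "$fstab" | while read -r dev mnt type opts rest; do
        case $dev in ''|'#'*) continue ;; esac            # blank lines and comments
        case $type in ntfs|ntfs-3g|vfat|msdos) ;; *) continue ;; esac
        gid=''; mask=''
        for o in $(printf '%s' "$opts" | tr ',' ' '); do
            case $o in gid=*) gid=${o#gid=} ;; umask=*) mask=${o#umask=} ;; esac
        done
        if [ -z "$mask" ]; then
            printf '%s ? no umask given, driver default applies\n' "$mnt"
            continue
        fi
        mode=$(umask_to_mode "$mask") || continue
        others=${mode#???}
        if [ "$others" != 0 ]; then
            printf '%s %s WORLD: every account has access\n' "$mnt" "$mode"
        elif [ -n "$gid" ]; then
            printf '%s %s group %s only\n' "$mnt" "$mode" "$gid"
        else
            printf '%s %s root only (no gid)\n' "$mnt" "$mode"
        fi
    done
}
```

Running audit_windows_mounts "$SAMPLE_FSTAB" flags /mnt/shared/ as reachable by every account and leaves /mnt/docs/ for manual review, while the two entries from the text come out as group-only.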
