Rootly Powers Chapter 3.

Slides:



Advertisements
Similar presentations
Linux Users and Groups Management
Advertisements

Basic Unix system administration
Operating Systems for Administrators Instructor: Mr. Ahmed Al Astal ITGD4104 Department Requirement for senior student University of Palestine Faculty.
1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Passwords in Unix/Linux Systems.
Chapter 3 Rootly Powers. Computer Center, CS, NCTU 2 The Root  Root Root is God, also called super-user. UID is 0  UNIX permits the superuser to perform.
User Account Management WeeSan Lee. Roadmap Add An Account Delete An Account /etc/{passwd,shadow} /etc/group How To Disable An Account? Root Account Q&A.
Unix Systems Administration 1Y. K. Chang root: the super user 4 The UNIX semigod who can perform privileged tasks: controlling processes, adding devices,
Linux+ Guide to Linux Certification, Second Edition
Getting Started with Linux Linux System Administration Permissions.
1. This presentation covers :  User Interface Administration  Files System and Services Management 2.
Workbook 3 Users and Groups
O.S security Ge Zhang Karlstad University. Outline Why O.S. security is important? Security schemes in Unix/Linux system Security schemes in windows system.
Introduction to Linux Installing Linux User accounts and management Linux’s file system.
Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.
Unix System Administration Rootly Powers Chapter 3.
CIS 191 – Lesson 2 System Administration. CIS 191 – Lesson 2 System Architecture Component Architecture –The OS provides the simple components from which.
1 Advanced Unix Administrative Tools. 2 VMWare Image Setup We all need to check out the VMWare FC6 image that you’ll be using We all need to check out.
Managing User Accounts. Module 2 – Creating and Managing Users ♦ Overview ► One should log into a Linux system with a valid user name and password granted.
CIS 450 – Network Security Chapter 16 – Covering the Tracks.
Adding New Users User as an entity - username(UID), GID. UID - typically a number for system to identify the user. GID – a number that recognizes a set.
IT2204: Systems Administration I 1 6b). Introduction to Linux.
ITI-481: Unix Administration Meeting 3 Christopher Uriarte, Instructor Rutgers University Center for Applied Computing Technologies.
Users Greg Porter V1.0, 26 Jan 09. What is a user? Users “own” files and directories Permission based on “ownership” Every user has a User ID (UID) 
Managing Users  Each system has two kinds of users:  Superuser (root)  Regular user  Each user has his own username, password, and permissions that.
Chapter 3 & 6 Root Status and users File Ownership Every file has a owner and group –These give read,write, and execute priv’s to the owner, group, and.
Linux Security. Authors:- Advanced Linux Programming by Mark Mitchell, Jeffrey Oldham, and Alex Samuel, of CodeSourcery LLC published by New Riders Publishing.
Introduction to System Admin Sirak Kaewjamnong. 2 The system administration’s job  Adding a new user  Doing backup and restoring files from backups.
PacNOG 6: Nadi, Fiji UNIX ™/ /Linux Permissions Hervey Allen Network Startup Resource Center.
Fall 2011 Nassau Community College ITE153 – Operating Systems Session 21 Administering User Accounts and Groups 1.
Privileges: who can control what Introduction to Unix June 16, 2009 Papeete, French Polynesia Hervey Allen.
UNIX Unit 1- Architecture of Unix - By Pratima.
Privileges: who can control what Introduction to Unix May 24, 2008 Rabat, Morocco Hervey Allen.
Manually Creating a New User Account Presented by Carl South.
© 2006 ITT Educational Services Inc. Linux Operating System :: Unit 3 :: Slide 1 Downloading and Installing Software yum pirut Bit Torrent rmp.
1 Day 2 Logging in, Passwords, Man, talk, write. 2 Logging in Unix is a multi user system –Many people can be using it at the same time. –Connections.
SCSC 455 Computer Security Chapter 3 User Security.
CSC414 “Introduction to UNIX/ Linux” Lecture 6. Schedule 1. Introduction to Unix/ Linux 2. Kernel Structure and Device Drivers. 3. System and Storage.
SUSE Linux Enterprise Desktop Administration Chapter 9 Manage Users, Groups, and Permissions.
Jozef Goetz, expanded by Jozef Goetz, 2008 Credits: Parts of the slides are based on slides created by UNIX textbook authors, Syed M. Sarwar, Robert.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Managing Users CSCI N321 – System and Network Administration Copyright © 2000, 2011 by Scott Orr and the Trustees of Indiana University.
Basic UNIX system administration CS 2204 Class meeting 14 *Notes by Doug Bowman and other members of the CS faculty at Virginia Tech. Copyright
Company LOGO Security in Linux PhiHDN - VuongNQ. Contents Introduction 1 Fundamental Concepts 2 Security System Calls in Linux 3 Implementation of Security.
Course : PGClass : MCA Subject: Operating SystemSub.Code : 3CT11 Staff Name : S.SomasundaramYear & Sem : II nd & III rd.
Privileges: who can control what
Permissions: who can control what Unix/IP Preparation Course July 19, 2009 Eugene, Oregon, USA
SYSTEM ADMINISTRATION PART I by İlker Korkmaz and Kaya Oğuz
...looking a bit closer under the hood
Rootly Powers and Controlling Processes
Chapter 11: Managing Users
Hands On UNIX AfNOG 2010 Kigali, Rwanda
Module 4 Remote Login.
Chapter 3 Rootly Powers.
Hands On UNIX AfNOG X Cairo, Egypt
Chapter 2 User Management
Privileges: who can control what
Linux Users and Groups Management
Adding New Users, Storage, File System
Unix Access Control Basic CE 2
Mumtaz Ali Rajput +92 – INFORMATION SECURITY – WEEK 5 Mumtaz Ali Rajput +92 – 301-
(Chapter 2) John Carelli, Instructor Kutztown University
OPS235 Lab4: Investigations 5 – 9
The Linux Command Line Chapter 9
Chapter Introduction 3.2 The UNIX Model of Ownership
The Attack and Defense of Computers
Periodic Processes Chapter 9.
Module 13 System and User Security
Adding New Users.
Preventing Privilege Escalation
Access Control and Audit
Presentation transcript:

Rootly Powers Chapter 3

Chapter 3 - Rootly Powers Introduction Every file and process on a UNIX system is owned by a particular user account. Other users can’t access these objets without the owner’s permission. System files and processes are owned by a fictitious user called “root”, also known as the superuser. To make administrative changes, you’ll need to use one of the methods of accessing the root account described in this chapter. Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers Introduction The root account has several “magic” properties. Root can act as the owner of any file or process. Root can also perform several special operations that are off-limits to other users. The account is both very powerful and, in untrained or malicious hands, very dangerous. This chapter introduces the basics of superuser access for administration. Chapter 21 - Security - describes how to avoid unwanted and embarrassing superuser access by others Chapter 27 - Policy and Politics - covers the relevant political and administrative aspects. Chapter 3 - Rootly Powers

1. Ownership of Files and Processes Every UNIX file has both an owner and a “group owner” The owner of the file enjoys one special privilege that is not shared with everyone on the system The ability to modify the permission of the file. We will take up the subject of permissions in Chapter 5 - The Filesystem. While the owner of a file is always a single person, many people may be group owners of the file, so long as they are all part of a single UNIX group. Groups are defined in the /etc/group file Chapter 3 - Rootly Powers

1. Ownership of Files and Processes UNIX actually keeps track of owners and groups as numbers rather than as text names. UID’s are mapped to user names in the /etc/passwd file GID’s are mapped to group names in /etc/group The text names are only defined for the convenience of the system’s human users. So, when commands such as ls want to display ownership information in a human-readable format, they must look up each name in the appropriate file or database. Chapter 3 - Rootly Powers

1. Ownership of Files and Processes Processes have not two but four identities associated with them A real and effective UID A real and effective GID The real are used for accounting and the effective are used for the determination of access permissions. Normally the real and effective are the same. Chapter 3 - Rootly Powers

1. Ownership of Files and Processes While it is not normally possible for a process to alter its four ownership credentials, there is a special situation in which the effective user and group IDs may be changed. When a command is executed that has its setuid or setgid permission bit set, the effective UID or GID of the resulting process may be set to the UID or GID of the file containing the program rather than the UID or GID of the user that ran the command. The identity of the process is thus “promoted” for that specific command. Chapter 3 - Rootly Powers

1. Ownership of Files and Processes The setuid facility allows programs run by ordinary users to make use of the root account in a limited and tightly controlled way. For example: the passwd command is a setuid program. It modifies the /etc/passwd file in a well defined way and then terminates. Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers 2. The Superuser The defining characteristic of the root account is its UID of 0. UNIX does not prevent you from changing the username on this account or from creating additional accounts whose UIDs are 0, but both actions are very bad ideas. Such changes have a tendency to create inadvertent breaches of system security. They also engender confusion and scorn from other people who have to deal with the strange way you’ve configured your system. Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers 2. The Superuser UNIX permits the superuser to perform any valid operation on any file or process. In addition, some system calls may be executed only by the superuser Changing the root directory of a process with chroot Creating device files Setting the system clock Raising resource usage limits and process priorities Setting the system’s hostname Configuring network interfaces Shutting down the system Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers 2. The Superuser An example of superuser powers is the ability of a process owned by root to change its UID and GID. The login program is a case in point. The process that prompts you for your password when you log in to the system is initially run as root. If the password and username that you enter are legitimate, login changes its UID and GID to your UID and GID and executes your shell. Once a root process has changed its ownerships to become a normal user process, it can’t recover its former privileged state. Chapter 3 - Rootly Powers

3. Choosing a Root Password What should be said here…. It should be secure You should change the root password At least every three months or so. Every time someone who knows the password leaves your site Whenever you think security may have been compromised Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers 4. Becoming Root Introduction Logging in directly as root leaves no record no record of what was done or who did it (if multiple people work on the system) or when they did it…. For these reasons, most systems allow root logins to be disabled on terminals and across the network (everywhere except the system console) See secure terminals - Chapter 21 - to find out how to do this. Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers 4. Becoming Root su: substitute user identity a slightly better way to access the root command is the su command without any parameters it asks for the root password. su username asks for the password for username On many systems, you must be a member of the group “wheel” in order to use su Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers 4. Becoming Root sudo: a limited su Since the privileges of the superuser account cannot be subdivided, it is hard to give someone the ability to do one task (backups for example) without giving that person free run of the system. One solution to these problems is a program called sudo sudo checks the user, and the argument (command to run) with the file /etc/sudoers If they are there sudo prompts for the user’s own password. Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers 4. Becoming Root sudo keeps a log of the command lines that were executed the people who requested them the directory they were run in the times at which they were invoked Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers 4. Becoming Root The use of sudo has the following advantages Accountability is much improved Operators can do chores without unlimited root privileges The real root password can be known to only one or two people. It’s faster to use sudo than to run su or to login as root. Privileges can be revoked without the need to change the root password. A canonical list of all users with root privileges is maintained. There is less chance of a root shell being left unattended A single file can be used to control access for an entire network. Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers 5. Other Pseudo-Users Root is the only user that has special status in the eyes of the UNIX kernel, but several other pseudo-users are defined by the system. It is common to replace the encrypted password field of these special users in /etc/passwd with a star (*) so that their accounts cannot be logged in to Let’s look at some of these pseudo-users Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers 5. Other Pseudo-Users daemon: owner of unprivileged system software Usually UID 1 Files and processes that are part of the operating system but that need not be owned by root are often given to daemon. This helps avoid some security hazards. There is also a UNIX group called “daemon” that exists for similar reasons Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers 5. Other Pseudo-Users bin: owner of system commands On some systems, the bin user owns the directories that contain the system’s commands and most of the commands themselves Dedicating a special account to this task is often regarded as superfluous (or perhaps even slightly insecure) most modern systems generally use the root account. Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers 5. Other Pseudo-Users sys: owner of the kernel and memory images On some systems the user sys owns special files such as /dev/kmem - Kernel’s address space /dev/mem - physical memory of the system /dev/drum or /dev/swap - an image of the system’s swap space On some systems, a group called “kmem” or “sys” is used instead of a “sys” user account. Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers 5. Other Pseudo-Users nobody: the generic NFS user Most versions of UNIX define a user called nobody with UID -1 or -2 See Chapter 17 for more info on Nobody Typically used to represent root on other systems Some daemons, such as fingerd, run as nobody nobody should NOT own any files…. Chapter 3 - Rootly Powers

Chapter 3 - Rootly Powers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.