===== Users and groups =====

In Unix-like systems there are users and groups. \\ A user is identified by a numerical __u__ser __id__entifier – **uid**. Uids are mapped to usernames. \\ A group is identified by a numerical __g__roup __id__entifier – **gid**; gids are likewise mapped to group names. A user must be in exactly one primary group and can be in any number of supplementary groups.

The available users/groups, and the uid/gid to name mapping, are usually read from the ''/etc/passwd'' and ''/etc/group'' files. Depending on the system configuration the information can also be retrieved from other sources, for instance an LDAP server or an AD domain controller (through the ''winbindd'' program). Refer to [[https://en.wikipedia.org/wiki/Name_Service_Switch|this]] for further information. \\ Local user and group password hashes are stored in ''/etc/shadow'' and ''/etc/gshadow''.

Filesystems store uids and gids (rather than user and group names). Therefore, e.g., reattaching a drive to another machine will attribute files to different users/groups whenever the id↔name mappings do not match across the machines. \\ Same goes for containers (sic!).

For a process, Unix-like systems remember the effective, saved and real uid (same goes for gid). \\ The three uids are equal unless the process has switched user. For more, have a look [[https://en.wikipedia.org/wiki/User_identifier|here]]. \\ The uid and gid range in Linux is 0÷(2<sup>32</sup>-2); the value 2<sup>32</sup>-1 is reserved as the "no id" sentinel.

The user whose uid equals **0** is referred to as the **superuser**. The traditional username of the superuser is **[[https://en.wikipedia.org/wiki/Superuser|root]]**. Note that it is the uid, not the name, that carries the privileges: any account with uid 0 is a superuser.

To check who you are, run the ''**whoami**'' command. \\ The ''**groups** [//user//]'' command lists all groups to which the given user belongs. When no user is specified, the result for the current user is returned.

~~Exercise.#~~ Test the ''whoami'' command.

~~Exercise.#~~ Check which groups you belong to. Check the groups of user ''student''.
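The following is an added example, not part of the original lab page: a bash model of the uid→name and group-membership lookups that ''id'', ''groups'' and ''ls -l'' perform through NSS, done over ''/etc/passwd''- and ''/etc/group''-style text passed in as strings. The two databases (''HOST_A_*'', ''HOST_B_*'') are constructed for the example and describe no real host; they are there to show that the same on-disk uid resolves to different names on different machines.

```bash
#!/usr/bin/env bash
# Added example (not part of the original page): name resolution done the way
# the NSS "files" backend does it, but over passwd/group text passed in as
# strings, so one uid can be resolved against two machines' databases side by
# side. Both databases are constructed for this example and describe no real host.
# Assumes bash 4+.

HOST_A_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash'
HOST_A_GROUP='root:x:0:
alice:x:1001:
bob:x:1002:
sudo:x:27:alice
tty:x:5:alice,bob'

# Host B reuses uid 1001 for a different person and knows nothing about 1002.
HOST_B_PASSWD='root:x:0:0:root:/root:/bin/bash
carol:x:1001:1001:Carol:/home/carol:/bin/bash'

# uid_to_name PASSWD_TEXT UID -> username; prints the bare number (and
# returns 1) when the id is unmapped, which is exactly what `ls -l` shows.
uid_to_name() {
  local name uid
  while IFS=: read -r name _ uid _; do
    [ "$uid" = "$2" ] && { printf '%s\n' "$name"; return 0; }
  done <<< "$1"
  printf '%s\n' "$2"
  return 1
}

# groups_of PASSWD_TEXT GROUP_TEXT USER -> group names, primary group first,
# then every group whose member list names the user (what `groups` prints).
groups_of() {
  local pgid gname ggid members out=""
  pgid=$(while IFS=: read -r name _ _ gid _; do
           [ "$name" = "$3" ] && { printf '%s\n' "$gid"; break; }
         done <<< "$1")
  [ -n "$pgid" ] || return 1          # unknown user
  while IFS=: read -r gname _ ggid members; do
    if [ "$ggid" = "$pgid" ]; then
      out="$gname${out:+ $out}"       # primary group goes first
    elif [[ ",$members," == *",$3,"* ]]; then
      out="${out:+$out }$gname"       # supplementary membership
    fi
  done <<< "$2"
  printf '%s\n' "$out"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  # A file created by alice on host A carries uid 1001 on disk. Mount that
  # disk on host B and the very same inode is reported as carol's.
  printf 'uid 1001 on host A: %s\n' "$(uid_to_name "$HOST_A_PASSWD" 1001)"
  printf 'uid 1001 on host B: %s\n' "$(uid_to_name "$HOST_B_PASSWD" 1001)"
  printf 'uid 1002 on host B: %s\n' "$(uid_to_name "$HOST_B_PASSWD" 1002)"
  printf 'groups alice (host A): %s\n' "$(groups_of "$HOST_A_PASSWD" "$HOST_A_GROUP" alice)"
fi
```

The unmapped case (uid 1002 on host B) is the one to remember when reading ''ls -l'' on a mounted foreign disk or inside a container: a bare number in the owner column means the id exists on disk but no name for it exists in this system's databases.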
The ''**id** [//user//]'' command displays both the numerical identifiers and the names of the user and all of their groups. One can use ''getent passwd //user//'' to get more details on the user, and ''getent group //group//'' to get details on the group (''getent'' queries all configured NSS sources, not only the local files).

~~Exercise.#~~ Discover your uid and gid, using both the ''id'' and ''getent'' commands.

To change one's own password, one uses the **''passwd''** command. \\ Root can use ''passwd //user//'' to set the password of any user, alter the password expiry date, or even lock the account.

Base commands for administrating users are:
  * ''useradd [-m] [-g //group//] //name//'' – creates a new user (''-m'' also creates the home directory)
  * ''groupadd //name//'' – creates a new group
  * ''gpasswd -a //user// //group//'' – adds a user to a group
  * ''usermod'' / ''userdel'' / ''groupmod'' / ''groupdel'' – changes/deletes a user/group

==== [extra] Logged on users, logon history, messaging others ====

The list of currently logged on users can be displayed with the **''w -n''** and ''who'' commands. Logon history can be displayed using the ''**last** [-n //how_many_lines//] [//username//]'' command.

~~Exercise.#~~ Log in via ssh to ''polluks.cs.put.poznan.pl''. Check who is currently logged onto the system.

~~Exercise.#~~ Find out which three users logged on polluks most recently.

~~Exercise.#~~ Find out the most recent date when root logged on polluks.

~~Exercise.#~~ Find out who was logged on polluks at ''2023-03-03 13:30''.

The ''**write** //user// [//terminal//]'' command outputs text on the target user's terminal. To end entering text, generate EOF (by pressing //Ctrl+d//). The recipient sees "message from…" followed by the text. \\ One may choose to block or accept such messages with the ''**mesg {n|y}**'' command. The ''wall'' command broadcasts a message to all terminals.

~~Exercise.#~~ Write a message to another user. Observe a message on your terminal.
Some systems also feature a ''[[https://en.wikipedia.org/wiki/Talk_(software)|talk]] //user//'' command that lets two users exchange messages interactively.

==== Switching to another user ====

One can run commands (including a shell) as another user, provided one has sufficient privileges and/or knows the right password (depending on the system configuration).

The ''**su** [-] [//user//]'' command (su stands for substitute user), once authorized, starts the default shell of the target user (or of root, if no user is specified). With ''-'' a login shell is started, i.e. the environment is reset as for a fresh login. \\ The ''su -c //command// [-] [//user//]'' form, once authorized, runs the given command as the target user inside the target user's default shell. \\ ''su'' is present in every Unix-like system. In most Linux systems ''su'' by default demands the target user's password (and in some distributions the user invoking ''su'' must belong to a specific group, usually called ''wheel'').

Many Linux distributions come with the ''sudo'' command. Once configured, ''sudo'' allows specified users to run specified binaries with specified arguments as specified users. Usually ''sudo'' requires the password of either the user invoking ''sudo'' or the target user. Some distributions abuse ''sudo'' to replace ''su''.

~~Exercise.#~~ Log on via ssh to a server (you'll be given a target address during classes; most likely it's going to be ''ssh user//N//@fe80::1%br0''). Switch user to ''root''. Switch user to another ''user//N//''.

Root can also use ''runuser'' and ''setpriv'' to run commands with a chosen uid/gid/[[https://linux.die.net/man/7/capabilities|capabilities]].

===== File permissions =====

==== Permissions ====

Unix-like systems use three modes of accessing files: __**r**__ead, __**w**__rite and e__**x**__ecute. \\ Permission to use a file in each of these modes can be granted to the __**u**__ser (the file owner), the __**g**__roup (that is, to all users that belong to the group to which the file belongs) and __**o**__thers.
\\ Additionally, there are three special permissions: set-user-id (suid, __**s**__), set-group-id (sgid, __**s**__) and sticky (__**t**__).

Upon file access exactly one of the three permission sets is consulted. When the file belongs to the current user, only the user's permissions are considered.\\ If the file does not belong to the user but the user belongs to the file's group, only the group's permissions are considered.\\ If the file does not belong to the user and the user does not belong to the file's group, only the others' permissions are considered.\\ Note that if a file has read permission for the group but no read permission for the user, then the owner cannot display the file even if the owner belongs to the file's group. The superuser bypasses the read and write checks entirely; to execute a file even root needs at least one execute bit to be set.

The execute mode for files stands for running them (e.g., as a program or a script), for directories – entering them (and reaching the files inside by name).

In case of ordinary files suid/sgid means that once run, the process will run with the effective uid of the file's owner (suid) or the effective gid of the file's group (sgid), rather than those of the user who started it. \\ Notice that scripts are interpreted by another program, not run directly. Hence suid/sgid on a script does not affect its execution (Linux ignores these bits on interpreted files). \\ Suid e.g., lets users set a new password, which requires writing to the ''/etc/shadow'' file (that is inaccessible for an ordinary user). \\ Sgid e.g., lets users write messages to terminals of other users (terminal devices let anyone in the group ''tty'' write to them). This is also why suid/sgid binaries are a classic privilege-escalation target: each of them is code that any user may run with someone else's effective id, so a system should carry as few of them as possible.

The [[https://en.wikipedia.org/wiki/Sticky_bit|sticky bit]] set on a directory D means that a file X in D can be removed (or renamed) only by the owner of X, the owner of D, or root, even though write permission on D would otherwise suffice. \\ The sticky bit is set e.g., on the ''/tmp'' directory where any user may write, to limit the write permission so that only the owner (or root) can remove files.

Sgid set on a directory also has a well-established meaning: new files created inside inherit the directory's group instead of the creator's primary group. Suid on directories and the sticky bit on files other than directories do not have a consistent meaning across Unix-like systems.

Upon mounting filesystems the ''nosuid'' option can be enabled to ignore the suid/sgid permissions.
File permissions are stored as an integer, in which subsequent bits stand for (starting from the MSB): the special permissions (in order: suid, sgid, sticky) and the modes for the user, group and others (in order: read, write, execute). \\ Permissions expressed as a number are always octal, for instance ''4751''. Subsequent digits stand for the following permissions: special (here: suid), user (here: all), group (here: read and execute) and others (here: execute only).

Permissions are often displayed as text following the ''rwxrwxrwx'' pattern, where each group of three letters stands for the allowed modes for the user, group and others. The **''-''** character stands for no right to use the file in the given mode. \\ Usually a single character denoting the file type precedes permissions presented in this form. \\ Special permissions are presented on the execute mode position: ''s'' (for suid/sgid) or ''t'' (for sticky) stands for execute and suid/sgid/sticky, while ''S'' or ''T'' stands for suid/sgid/sticky without the execute permission. \\ E.g.: ''rw-r--r--'' means that the user can read and write the file, and group and others can only read it (equivalent to ''644''), \\ and ''rwx--x--x'' means that the user can read, write and execute, and the group and others can only execute (''711''). The ''4751'' above is displayed as ''rwsr-x--x''.

To see detailed information about a file (including permissions), one can run the ''**stat** //file//'' command. \\ Permissions are also presented in the output of the ''ls -l'' and ''tree -p'' commands. \\ All these commands precede the file permissions with a character indicating the file type (e.g., ''-'' for an ordinary file, ''d'' for a directory, ''l'' for a symbolic link).
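The following is an added example, not code from the original lab page: a pure-bash model of the two things described above, the octal-to-''rwxrwxrwx'' encoding (with ''s''/''S'' and ''t''/''T'' on the execute position) and the access decision that consults exactly one of the user/group/others triplets. The function names ''mode_to_string'' and ''check_access'' and the uids/gids used in the demo are constructed for the example; it assumes bash 4 or newer and models the Linux rule that root bypasses read/write checks but still needs some execute bit to run a file.

```bash
#!/usr/bin/env bash
# Added example (not part of the original lab page): a pure-bash model of
# (1) turning an octal mode into the rwxrwxrwx string with s/S and t/T on the
# execute position, and (2) the access decision, which consults exactly ONE of
# the owner/group/others triplets. Assumes bash 4 or newer; modes are given in
# octal, as on the page.

# mode_to_string MODE  ->  e.g. 4751 -> rwsr-x--x, 644 -> rw-r--r--
mode_to_string() {
  local mode=$((8#$1)) out="" who perm special xchar
  for who in 2 1 0; do                      # 2 = user, 1 = group, 0 = others
    perm=$(( (mode >> (who * 3)) & 7 ))     # the rwx triplet for this class
    special=$(( (mode >> (9 + who)) & 1 ))  # suid (bit 11), sgid (10), sticky (9)
    [ $((perm & 4)) -ne 0 ] && out+="r" || out+="-"
    [ $((perm & 2)) -ne 0 ] && out+="w" || out+="-"
    if [ "$special" -eq 1 ]; then
      # special bit present: letter depends on the class, case on the x bit
      [ "$who" -eq 0 ] && xchar=t || xchar=s
      [ $((perm & 1)) -eq 0 ] && xchar=${xchar^^}   # S/T = special without x
    else
      [ $((perm & 1)) -ne 0 ] && xchar=x || xchar=-
    fi
    out+=$xchar
  done
  printf '%s\n' "$out"
}

# check_access MODE FILE_UID FILE_GID PROC_UID "GID GID ..." r|w|x
# Returns 0 if access is allowed, 1 otherwise. Only ONE triplet is consulted,
# which is why an owner who is also in the file's group gains nothing from
# the group bits.
check_access() {
  local mode=$((8#$1)) fuid=$2 fgid=$3 uid=$4 gids=$5 op=$6
  local bit who g perm
  case $op in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
  if [ "$uid" -eq 0 ]; then
    # the superuser bypasses read/write checks; exec still needs some x bit
    [ "$op" != x ] && return 0
    [ $((mode & 8#111)) -ne 0 ]; return
  fi
  if [ "$uid" -eq "$fuid" ]; then
    who=2                                   # owner: the user triplet, nothing else
  else
    who=0                                   # default: others
    for g in $gids; do
      [ "$g" -eq "$fgid" ] && { who=1; break; }   # member of the file's group
    done
  fi
  perm=$(( (mode >> (who * 3)) & 7 ))
  [ $((perm & bit)) -ne 0 ]
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  printf '%s  %s\n' 4751 "$(mode_to_string 4751)"
  # Constructed scenario: a file owned by uid 1000 / gid 100 with mode 040
  # (group may read, owner may not). The owner is in group 100 yet is denied,
  # while another member of group 100 is allowed.
  check_access 040 1000 100 1000 "100" r && echo "owner: allowed" || echo "owner: denied"
  check_access 040 1000 100 1001 "100" r && echo "group member: allowed" || echo "group member: denied"
fi
```

Run the block and compare ''mode_to_string'' against ''stat -c %a'' / ''ls -l'' on the files from the exercises below; ''check_access'' is the rule to reason with when an exercise asks "can this user read that file?".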
~~Exercise.#~~ Check the permissions of the following files:
  * your home directory
  * the ''.ssh'' subdirectory in your home directory
  * the ''.bash_history'' file in your home directory
  * the ''/etc/passwd'' and ''/etc/shadow'' files
  * the ''/tmp'' directory
  * the ''/usr/bin/passwd'' and ''/usr/bin/write'' files

~~Exercise.#~~ Check the permissions and tell what kind of file each of the following is:
  * ''/var/run''
  * ''/dev/sda'' or ''/dev/nvme0n1''
  * ''/dev/null''
  * ''/run/initctl''
  * ''/run/rpcbind.sock''

==== Changing permissions, group and owner of a file ====

The ''**umask**'' command displays the mask of permission bits that are removed from newly created files and directories (files are typically created with ''666'' and directories with ''777'' minus the mask, so with umask ''022'' a new file gets ''644''). The mask can be altered for the current shell with the ''umask //octal_mode//'' command.

To change the file permissions (__ch__ange __mod__e bits) one uses the ''**chmod** //permissions// //file//'' command. \\ ''chmod'' accepts either an octal (as in ''chmod 644 file'') or a symbolic representation of the permissions. \\ The symbolic representation is a list of comma-separated expressions that consist of:
  * a letter ''u'', ''g'', ''o'' or ''a'' (user, group, others or __**a**__ll)
  * an operation ''+'', ''-'' or ''='' (add, remove or set exactly)
  * modes ''r'', ''w'', ''x'', ''s'' or ''t''
For instance, ''chmod u+x,o= //file//'' grants the user the execute permission (leaving the read and write bits unchanged) and revokes all permissions from others (leaving the permissions for the group unchanged). ''chmod go-r //file//'' revokes the read permission from both the group and others. \\ Skipping the ''[ugoa]'' letter is also well-defined (it acts like ''a'', except that bits set in the umask are not affected); see the manual for more information.

The file owner can use the ''**chgrp** //group// //file//'' command to change the group of the file to any group the owner belongs to. Only the superuser can change the owner (and the group) freely, usually using the ''**chown** [//user//][:[//group//]] //file//'' command.
The ''chmod'', ''chgrp'' and ''chown'' commands accept the switches ''-R'' (''--recursive'') and ''--reference=//file//'' (to clone the permissions/group/owner from the referenced file).

//Do the exercises on the SSH server indicated during classes. \\ To create files, you may use e.g., the// ''fortune > //file//'' //command.//

~~Exercise.#~~ Create a file. Set the file permissions so that only the user can read the file. Verify correctness by switching user.

~~Exercise.#~~ Create a file. Set, using the octal representation, the file permissions so that the user can modify and read the file, the group can only read the file, and others have no permissions. Verify correctness.

~~Exercise.#~~ Create a file. Modify, using the symbolic representation, the file permissions so that they match the permissions in the previous exercise.

~~Exercise.#~~ Change the group of the file created in the previous exercise.

~~Exercise.#~~ Create a file. Set the file permissions so that only the user and others can read the file. Verify whether someone in the same group as the file can read it.

~~Exercise.#~~ Create a directory with a file inside. Revoke the permission to execute the directory. Try to list the directory, enter the directory, and display the file contents (without entering the directory).

~~Exercise.#~~ Change the permissions of a directory to ''u=rwx,go=rx''. Create a file in the directory. Print its contents as another user. List the directory as another user. \\ Then change the permissions of the directory to ''u=rwx,go=x''. Try, as the other user, to print the file and list the directory again.

~~Exercise.#~~ Create a directory with ''777'' permissions and create two files within. Set the permissions of one of the files to ''000''. As another user, try to remove the files.

~~Exercise.#~~ In a directory with permissions ''777'', owned by user A, create as user B two directories: one empty, one containing a file. Try to remove the directories as user A.
~~Exercise.#~~ Can you change the name of the directory K that you were unable to remove in the previous exercise? Can you move the K directory to another directory? Can you move the directory containing K to another directory?

~~Exercise.#~~ Create a new file, a new directory and a new file within the directory. Revoke all permissions from the three. Change user to root and try to print the files.

~~Exercise.#~~ As root, change the owner of a file. Then, change the group of another file to ''www-data''.

===== Change, modify and access date =====

Linux filesystems usually store three timestamps for each file: the change time (ctime), updated whenever the file's metadata (inode) changes; the modify time (mtime), updated whenever the file's contents change; and the last access time (atime). Some filesystems also store the birth time of a file. \\ Upon mounting a filesystem, updating the access time is often disabled with the ''noatime'' mount option, or limited with the ''relatime'' option, under which atime is updated only in specific conditions (when it is older than mtime/ctime, or older than a day). The ''mount'' and ''findmnt'' commands reveal the effective mount options.

The ''**stat** //file//'' command displays all the times.

The ''**touch** //file//'' command sets the access and modification times of a file, by default to the current time. \\ The ''-d //date//'' or ''--reference=//file//'' switch selects another date, the ''-a'' and ''-m'' switches choose which time should be set, and ''-c'' prevents creating the file if it does not exist. \\ When ''touch'' is asked to set the date of a non-existent file, it creates the file. This is commonly used whenever creating an empty file is desired. Note that ctime cannot be set this way: changing the other timestamps is itself a metadata change, so ctime moves to the current time.

~~Exercise.#~~ Check the times of the ''/var/log/wtmp'' file.

~~Exercise.#~~ Change the times of your home directory.

~~Exercise.#~~ Change the content modification time (mtime) of a selected file to ''13:30 PDT Saturday month ago''.

~~META: language = en ~~
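The following is an added example, not the lab's own code: a script that backdates a file's mtime with ''touch -m -d'' and then reads all three timestamps back with ''stat'', showing what ''touch'' can and cannot change. The function names ''timestomp_check'' and ''touch_creates_missing'', the temporary file and the target date ''@1000000000'' are constructed for the example; it assumes GNU coreutils (''stat -c'', ''touch -d'') on a Linux filesystem.

```bash
#!/usr/bin/env bash
# Added example (not the lab's own code): what touch can and cannot backdate.
# touch -d rewrites atime/mtime through utimensat(2), but the kernel stamps
# ctime with the current clock on every inode change, so a backdated mtime
# next to a fresh ctime is the classic trace of "timestomping". Assumes GNU
# coreutils (stat -c, touch -d) on a Linux filesystem; the file and the
# target date are constructed for the example.

# timestomp_check -> prints "mtime=<epoch> ctime_moved=yes|no" and returns 0
# when mtime was backdated while atime and ctime still show the present.
timestomp_check() {
  local dir f target=1000000000            # 2001-09-09 01:46:40 UTC
  local atime mtime ctime moved=no
  dir=$(mktemp -d) || return 2
  f=$dir/evidence.txt
  printf 'constructed sample content\n' > "$f"
  touch -m -d "@$target" "$f"              # backdate mtime only (-m)
  atime=$(stat -c %X "$f")                 # last access, seconds since epoch
  mtime=$(stat -c %Y "$f")                 # content modification
  ctime=$(stat -c %Z "$f")                 # inode change
  rm -rf "$dir"
  [ "$ctime" -gt "$target" ] && moved=yes  # ctime did not follow the backdate
  printf 'mtime=%s ctime_moved=%s\n' "$mtime" "$moved"
  [ "$mtime" -eq "$target" ] && [ "$moved" = yes ] && [ "$atime" -gt "$target" ]
}

# touch_creates_missing -> returns 0 when plain touch created a file that did
# not exist while `touch -c` correctly refused to create one.
touch_creates_missing() {
  local dir ok=1
  dir=$(mktemp -d) || return 2
  touch "$dir/new"                         # creates an empty file
  touch -c "$dir/never"                    # -c: do not create
  [ -f "$dir/new" ] && [ ! -e "$dir/never" ] && ok=0
  rm -rf "$dir"
  return $ok
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  timestomp_check
fi
```

When reviewing a suspicious file, compare ''stat'' output the same way: an mtime far in the past with a ctime at the time of the incident means the timestamps were rewritten, not that the file is old.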