Users and groups

In Unix-like systems there are users and groups.
A user is identified by a numerical user identifier (uid); uids are mapped to usernames.
A group is identified by a numerical group identifier (gid); gids are likewise mapped to group names.

A user must be in one primary group and can be in multiple supplementary groups.

The available users and groups, and the uid/gid to name mapping, are usually read from the /etc/passwd and /etc/group files. Depending on the system configuration the information can also be retrieved from other sources, for instance an LDAP server or an AD domain controller (through the winbindd program); which sources are consulted is configured in the Name Service Switch (/etc/nsswitch.conf).
Local user and group password hashes are stored in /etc/shadow and /etc/gshadow, which are not readable by ordinary users.

Filesystems store uids and gids (rather than user and group names), so e.g. reattaching a drive to another machine attributes files to different users/groups if the id↔name mappings of the two machines differ (an id with no mapping is shown by ls as a bare number).
The same applies to containers: a shared volume carries numeric ids, whatever names they map to inside the container.
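As an added example (not part of the original page), the following Python script parses constructed /etc/passwd and /etc/group records and resolves uids and group memberships: the primary group comes from passwd, supplementary groups from the group file, and the same numeric owner uid resolves to different names (or to no name at all) under another machine's mapping. All user names, ids and record contents below are made up for the example.

```python
"""Resolve uid/gid <-> name from passwd/group records (added example).

The records below are constructed for this example; they are not copied
from any real machine. Field layout follows /etc/passwd and /etc/group:
  passwd: name:password:uid:gid:gecos:home:shell  ('x' = hash is in /etc/shadow)
  group:  name:password:gid:member1,member2,...
"""
from typing import Dict, List, Tuple

PASSWD_MACHINE_A = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
"""

GROUP_MACHINE_A = """\
root:x:0:
tty:x:5:
wheel:x:10:alice
alice:x:1000:
bob:x:1001:alice
"""

# On machine B the same numeric uid 1000 belongs to a different person,
# and uid 1001 has no mapping at all.
PASSWD_MACHINE_B = """\
root:x:0:0:root:/root:/bin/bash
carol:x:1000:1000:Carol:/home/carol:/bin/bash
"""


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Map user name -> (uid, primary gid)."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def parse_group(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Map gid -> (group name, list of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups


def groups_of(user: str, passwd: Dict, groups: Dict) -> List[str]:
    """Primary group first (from passwd), then supplementary groups (from the
    group file), which is the order the `groups` command prints them in."""
    _uid, primary_gid = passwd[user]
    result = [groups[primary_gid][0]]
    for _gid, (gname, members) in sorted(groups.items()):
        if user in members and gname not in result:
            result.append(gname)
    return result


def owner_name(uid: int, passwd: Dict) -> str:
    """What `ls -l` would print for a file owned by `uid` under this mapping:
    the name if one exists, otherwise the bare number."""
    for name, (u, _g) in passwd.items():
        if u == uid:
            return name
    return str(uid)


if __name__ == "__main__":
    pa = parse_passwd(PASSWD_MACHINE_A)
    ga = parse_group(GROUP_MACHINE_A)
    pb = parse_passwd(PASSWD_MACHINE_B)
    print("alice's groups on A:", groups_of("alice", pa, ga))
    for uid in (1000, 1001):
        print(f"uid {uid} shows as {owner_name(uid, pa)!r} on A "
              f"and as {owner_name(uid, pb)!r} on B")
```

The lookup functions deliberately ignore the password field: on any modern system it holds only 'x', and the real hash lives in the shadow file that ordinary users cannot read.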

For each process, Unix-like systems keep a real, an effective and a saved uid (and likewise three gids).
The three uids are equal unless the process switched user (e.g., by running a set-user-id program). For more, see the credentials(7) manual page.
The uid and gid range in Linux is 0 to 2^32−2 (the value 2^32−1 is reserved to mean "no id").

The user whose uid equals 0 is referred to as the superuser. The traditional username of the superuser is root.

To check who you are, run the whoami command.
The groups [user] command lists all groups to which the given user belongs; when no user is specified, the groups of the current user are listed.

Exercise 1 Test the whoami command.

Exercise 2 Check which group you belong to. Check the groups of user student.

The id [user] command displays both the numerical identifiers and the names of the user and of all the groups the user belongs to.

Use getent passwd user to get more details on a user, and getent group group to get details on a group (getent queries all configured sources, not only the local files).

Exercise 3 Discover your uid and gid, using both the id and getent commands.

To change one's own password, use the passwd command.
Root can use passwd user to set the password of any user, alter the password expiry date, or lock the account.

Basic commands for administering users are:

  • useradd [-m] [-g group] name – creates a new user (-m creates the home directory, -g sets the primary group)
  • groupadd name – creates a new group
  • gpasswd -a user group – adds a user to a group
  • usermod / userdel / groupmod / groupdel – modify/delete a user/group

[extra] Logged on users, logon history, messaging others

The list of currently logged-on users can be displayed with the w -n and who commands.

Logon history can be displayed using the last [-n how_many_lines] [username] command (it reads /var/log/wtmp).

Exercise 4 Log in via ssh to polluks.cs.put.poznan.pl. Check who is currently logged onto the system.

Exercise 5 Find out which three users logged on polluks most recently.

Exercise 6 Find out the most recent date when root logged on polluks.

Exercise 7 Find out who was logged on polluks at 2023-03-03 13:30

The write user [terminal] command outputs text on the target user's terminal. To end the text, send EOF (press Ctrl+D). The recipient sees "Message from …" followed by the text.
One may choose to block or accept such messages with the mesg {n|y} command.

The wall command broadcasts a message to all terminals.

Exercise 8 Write a message to another user. Observe a message on your terminal.

Some systems also feature a talk user command that lets two users exchange messages interactively.

Switching to another user

One can run commands (including a shell) as another user, provided one has sufficient privileges and/or knows the right password (depending on the system configuration).

The su [-] [user] command (su stands for substitute user), once authorized, starts the target user's default shell as the target user (root if no user is specified); with - it is a login shell with the target user's environment.
The su -c command [-] [user] form, once authorized, runs the given command as the target user inside that user's default shell.
su is present in every Unix-like system. In most Linux systems su by default demands the target user's password (and in some distributions the invoking user must additionally belong to a specific group, usually called wheel).

Many Linux distributions come with the sudo command. Once configured (in /etc/sudoers), sudo allows specified users to run specified binaries with specified arguments as specified users. Usually sudo requires the password of either the user invoking sudo or the target user. Some distributions use sudo as a replacement for su (and leave the root account without a usable password).

Exercise 9 Log on via ssh to a server (you'll be given a target address during classes; most likely it's going to be ssh userN@fe80::1%br0). Switch user to root. Switch user to another userN.

Root can also use runuser and setpriv to run commands with a chosen uid/gid/capabilities; neither asks for a password.

File permissions

Permissions

Unix-like systems use three modes of accessing files: read, write and execute.
Permission to use a file in each of these modes can be granted separately to the user (the file owner), the group (that is, to all users that belong to the group to which the file belongs) and others.
Additionally, there are three special permissions: set-user-id (suid, s), set-group-id (sgid, s) and sticky (t).

Upon file access exactly one set of permissions is consulted. When the file is owned by the (effective) user, only the user's permissions are considered.
If the file is not owned by the user but the user belongs to the file's group, only the group's permissions are considered.
If the file is not owned by the user and the user does not belong to the file's group, only the others' permissions are considered.
Note that if a file has read permission for the group but not for the user, then the owner cannot display the file even if the owner belongs to the file's group (the owner can, of course, change the permissions first).

The execute mode for ordinary files means running them (e.g., as a program or a script); for directories it means entering (traversing) them, that is, accessing their entries by name. Read permission on a directory allows listing its entries, and write permission allows creating, renaming and removing entries.

For ordinary files, suid/sgid means that once executed, the process runs with the effective uid/gid of the file's owner/group (the real uid/gid stays that of the invoking user).
Note that scripts are interpreted by another program rather than executed directly, so the Linux kernel ignores suid/sgid on scripts.
Suid is, e.g., what lets users set a new password: passwd must write to /etc/shadow, which is inaccessible to an ordinary user.
Sgid is, e.g., what lets users write messages to the terminals of other users: terminal devices let anyone in group tty write to them, and write is sgid tty.

The sticky bit on a directory D means that an entry X in D can be removed or renamed only by the owner of X, the owner of D or root, even though D is writable by others.
The sticky bit is set e.g., on the /tmp directory, where any user may write, to limit the write permission so that only the owner (or root) can remove files.

Suid/sgid on files other than ordinary files, and the sticky bit on files other than directories, do not have a consistent meaning across Unix-like systems (a common extension is sgid on a directory, which on Linux makes new entries inherit the directory's group).

Filesystems can be mounted with the nosuid option, which makes the kernel ignore the suid/sgid bits on that filesystem (typically used for removable media and user-writable locations).

File permissions are stored as an integer whose 12 permission bits stand for (starting from the most significant) the special permissions (in order: suid, sgid, sticky) and the modes for the user, group and others (each in order: read, write, execute).
Permissions expressed as a number are always octal, for instance 4751. Subsequent digits stand for the following permissions: special (here: suid), user (here: all), group (here: read and execute) and others (here: execute).

Permissions are often displayed as text following the rwxrwxrwx pattern, where each group of three letters stands for the modes allowed for the user, group and others. The - character stands for no right to use the file in the given mode.
Usually a single character denoting the file type precedes permissions presented in this form.
Special permissions are presented in the execute position: s (for suid/sgid) or t (for sticky) stands for execute plus suid/sgid/sticky, and S or T for suid/sgid/sticky without the execute permission.
E.g.: rw-r--r-- means that the user can read and write the file, and the group and others can only read it (equivalent to 644),
and rwx--x--x means that the user can read, write and execute, while the group and others can only execute (711).
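To make the rules above concrete, here is an added Python example (not part of the original page) that renders a numeric mode the way ls and stat do, including the s/S and t/T forms, and models the access decision: exactly one class is consulted (owner, group or others), root bypasses read/write checks, and the sticky bit restricts who may remove entries from a directory. The uids and gids used are made up; the functions work on numbers only and touch no real file.

```python
"""Permission bits: rendering and the access decision (added example).

Models the rules described in the text: exactly one class (owner, group,
others) is consulted, root skips read/write checks, and the sticky bit
restricts removal of directory entries. All uids/gids here are made up.
"""
import stat
from typing import Iterable


def mode_to_string(mode: int) -> str:
    """Render the 12 permission bits as ls/stat do, e.g. 0o4751 -> 'rwsr-x--x'."""
    specials = ((stat.S_ISUID, "s"), (stat.S_ISGID, "s"), (stat.S_ISVTX, "t"))
    text = ""
    for cls, (special_bit, letter) in enumerate(specials):  # user, group, others
        rwx = (mode >> (6 - 3 * cls)) & 0o7
        text += "r" if rwx & 4 else "-"
        text += "w" if rwx & 2 else "-"
        has_x = bool(rwx & 1)
        if mode & special_bit:
            text += letter if has_x else letter.upper()  # S/T: special bit without x
        else:
            text += "x" if has_x else "-"
    return text


def can_access(mode: int, file_uid: int, file_gid: int,
               uid: int, gids: Iterable[int], want: str) -> bool:
    """Decide r/w/x for a process with effective uid `uid` and groups `gids`.

    Only one class is consulted: owner if uid matches, else group if the
    file's gid is among the process groups, else others. Root skips the
    read/write check; for execute, Linux still requires some x bit to be set.
    """
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:
        return True if want != "x" else bool(mode & 0o111)
    if uid == file_uid:
        shift = 6
    elif file_gid in set(gids):
        shift = 3
    else:
        shift = 0
    return bool(((mode >> shift) & 0o7) & bit)


def can_unlink(dir_mode: int, dir_uid: int, dir_gid: int,
               entry_uid: int, uid: int, gids: Iterable[int]) -> bool:
    """Can `uid` remove (or rename) an entry owned by `entry_uid` from a directory?

    Needs write and execute on the directory; the entry's own permission bits
    do not matter. With the sticky bit set, only the entry's owner, the
    directory's owner and root may do it (the /tmp rule).
    """
    if uid == 0:
        return True
    gids = set(gids)
    if not (can_access(dir_mode, dir_uid, dir_gid, uid, gids, "w")
            and can_access(dir_mode, dir_uid, dir_gid, uid, gids, "x")):
        return False
    if dir_mode & stat.S_ISVTX:
        return uid in (entry_uid, dir_uid)
    return True


if __name__ == "__main__":
    for m in (0o644, 0o711, 0o4751, 0o2644, 0o1777):
        print(f"{m:04o} -> {mode_to_string(m)}")
    # owner-class-only rule: the group may read, the owner may not
    print(can_access(0o040, 1000, 1000, 1000, {1000}, "r"))
    # sticky /tmp-like directory owned by root: not your file, no removal
    print(can_unlink(0o1777, 0, 0, 1000, 1001, {1001}))
```

The can_unlink function is the one to keep in mind for the directory exercises later on the page: a file with mode 000 in a 777 directory is removable by anyone, and a file with mode 777 in a sticky directory is not.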

To see detailed information about a file (including its permissions), run the stat file command.
Permissions are also shown in the output of the ls -l and tree -p commands.
All three commands precede the permissions with a character indicating the file type.

Exercise 10 Check the permissions of the following files:

  • your home directory
  • the .ssh subdirectory in your home directory
  • the .bash_history file in your home directory
  • the /etc/passwd and /etc/shadow files
  • /tmp directory
  • the /usr/bin/passwd and /usr/bin/write files

Exercise 11 Check the permissions and tell what kind of file each of the following is:

  • /var/run
  • /dev/sda or /dev/nvme0n1
  • /dev/null
  • /run/initctl
  • /run/rpcbind.sock

Changing permissions, group and owner of a file

The umask command displays the mask that determines the permissions of newly created files and directories: a new file starts from 666 and a new directory from 777, and the bits set in the mask are cleared. The mask can be altered for the current shell with the umask octal_mode command.

To change the file permissions (change mode bits) one can use the chmod permissions file command.
chmod accepts either an octal (as in chmod 644 file) or a symbolic representation of the permissions.
The symbolic representation is a list of comma-separated expressions that consist of:

  • a letter u, g, o or a (user, group, others or all)
  • an operation +, - or = (add, remove or set exactly)
  • modes r, w, x, s or t.

For instance, chmod u+x,o= file grants the user the execute permission (leaving the user's read and write bits unchanged) and revokes all permissions from others (leaving the group's permissions unchanged). chmod go-r file revokes the read permission from both the group and others.
Omitting the [ugoa] letters is also well-defined (all classes are affected, except for bits set in the umask); see the manual for details.
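As an added example covering both the umask paragraph and the symbolic chmod syntax above (this is not code from the original page), the Python block below computes the mode a new file or directory gets under a given umask, verifies it against real files created in a temporary directory, and interprets symbolic expressions such as u+x,o= or go-r on a numeric mode so their effect can be checked before touching real files. The interpreter is a simplified model labelled as such: it treats s as belonging to u/g and t to o, and = replaces only the rwx bits of the named classes; real chmod has further rules for special bits on directories.

```python
"""umask and symbolic chmod expressions (added example).

Part one applies a umask exactly as the kernel does when a file (base 666)
or directory (base 777) is created, and checks it against real files in a
temporary directory. Part two is a small, simplified interpreter for
chmod's symbolic syntax ([ugoa]*[+-=][rwxst]*,...).
"""
import os
import re
import stat
import tempfile
from typing import Tuple


def initial_mode(is_dir: bool, umask: int) -> int:
    """Permissions a new file/directory gets under `umask`."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask & 0o777


def create_under_umask(umask: int) -> Tuple[int, int]:
    """Create a file and a directory under `umask`; return their real modes."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            fpath = os.path.join(tmp, "f")
            dpath = os.path.join(tmp, "d")
            with open(fpath, "w"):
                pass
            os.mkdir(dpath)
            return (stat.S_IMODE(os.stat(fpath).st_mode),
                    stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(old)


# Bits each who-letter controls. Simplification (assumption of this example):
# s belongs to u/g and t to o; chmod(1) has extra rules for directories.
_CLASS_BITS = {
    "u": {"r": 0o400, "w": 0o200, "x": 0o100, "s": stat.S_ISUID, "t": 0},
    "g": {"r": 0o040, "w": 0o020, "x": 0o010, "s": stat.S_ISGID, "t": 0},
    "o": {"r": 0o004, "w": 0o002, "x": 0o001, "s": 0, "t": stat.S_ISVTX},
}
_CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwxst]*)$")


def apply_symbolic(mode: int, expr: str, umask: int = 0o022) -> int:
    """Apply a comma-separated symbolic expression such as 'u+x,o=' to `mode`.

    When the who part is omitted, all classes are affected but bits set in
    `umask` are left untouched, as chmod(1) documents.
    """
    for clause in expr.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = m.groups()
        classes = "ugo" if (who == "" or "a" in who) else who
        bits = 0
        rwx_mask = 0  # rwx bits of the named classes, replaced by '='
        for c in classes:
            rwx_mask |= _CLASS_BITS[c]["r"] | _CLASS_BITS[c]["w"] | _CLASS_BITS[c]["x"]
            for p in perms:
                bits |= _CLASS_BITS[c][p]
        if who == "":
            bits &= ~umask
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:
            mode = (mode & ~rwx_mask) | bits
    return mode & 0o7777


if __name__ == "__main__":
    print(f"umask 027: file {initial_mode(False, 0o027):03o}, "
          f"dir {initial_mode(True, 0o027):03o}, real {create_under_umask(0o027)}")
    for start, expr in ((0o644, "u+x,o="), (0o644, "go-r"), (0o755, "u+s")):
        print(f"chmod {expr} on {start:04o} -> {apply_symbolic(start, expr):04o}")
```

Running create_under_umask as root gives the same result as for an ordinary user: the umask is applied by the kernel at creation time regardless of privilege, which is why a sloppy umask in a root shell leaves world-readable files behind.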

A file owner who belongs to multiple groups can use the chgrp group file command to change the file's group to any group the owner belongs to.

Only the superuser can change the owner (and set any group) freely, usually using the chown [user][:[group]] file command.

The chmod, chgrp and chown commands accept switches -R (--recursive) and --reference=file (to clone the permission/group/owner from the referenced file).

Do the exercises on the SSH server indicated during classes.
To create files, you may use e.g., the fortune > file command.

Exercise 12 Create a file. Set the file permissions so that only the user can read the file. Verify correctness by switching user.

Exercise 13 Create a file. Set, using the octal representation, the file permissions so that the user can modify and read the file, the group can only read the file, and others have no permissions. Verify correctness.

Exercise 14 Create a file. Modify, using the symbolic representation, the file permissions so that they match the permissions in the previous exercise.

Exercise 15 Change group of the file created in the previous exercise.

Exercise 16 Create a file. Set the file permissions so that only the user and others can read the file. Verify whether one being in the same group as the file can read it.

Exercise 17 Create a directory with a file inside. Revoke the permission to execute the directory. Try to list the directory, enter the directory, and display the file contents (without entering the directory).

Exercise 18 Change permissions of a directory to u=rwx,go=rx. Create in the directory a file. Print its contents as another user. List the directory as another user.
Then change the permissions of the directory to u=rwx,go=x. Try, as the other user, to print the file and list the directory again.

Exercise 19 Create a directory with 777 permissions and create two files within. Set the permissions of one of the files to 000. As another user try to remove the files.

Exercise 20 In a directory with permissions 777, owned by user A, create as user B two directories: one empty, one containing a file. Try to remove the directories as user A.

Exercise 21 Can you change the name of the directory K that you were unable to remove in the previous exercise? Can you move the K directory to another directory? Can you move the directory containing K to another directory?

Exercise 22 Create a new file, a new directory and a new file within the directory. Revoke all permissions from the three. Change user to root and try to print the files.

Exercise 23 As root change owner of a file. Then, change group of another file to www-data.

Change, modify and access date

Linux filesystems usually store three times for each file: the change time (ctime), updated whenever the file's metadata (permissions, owner, link count, ...) or contents change; the modification time (mtime), updated when the file's contents change; and the last access time (atime). Some filesystems also store the birth time of a file.
Upon mounting a filesystem, updating the access time is often disabled with the noatime mount option, or limited with the relatime option, under which atime is updated only when it is older than mtime/ctime or more than a day old. The mount and findmnt commands reveal the effective mount options.

The stat file command displays all of these times.

The touch file command sets the access and modification times of a file, by default to the current time.
The -d date or --reference=file switch selects another time, while the -a and -m switches choose which of the two times should be set (both by default); -c (--no-create) prevents creating a missing file. The ctime cannot be set this way: any touch updates it to the current time, which is how backdated files can be spotted.
When touch is asked to set the time of a non-existent file, it creates the file; this is commonly used whenever an empty file is desired.
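As an added example (not part of the original page), the Python block below does in code what touch -d does from the shell: it backdates a file's atime and mtime by 30 days and then reads all three times back, showing that the ctime still records the moment of the change. It also includes the simple ctime-versus-mtime comparison an incident responder uses to flag timestomped files. The file is created in a temporary directory; the content and the 30-day offset are made up for the example.

```python
"""File times: what touch can and cannot change (added example).

Backdates a file's atime/mtime the way `touch -d` does and shows that the
ctime still records when the change happened. The file is created in a
temporary directory; no real system file is touched.
"""
import os
import tempfile
import time
from typing import Dict


def backdate(path: str, when: int) -> Dict[str, float]:
    """Set atime and mtime of `path` to `when` (seconds since the epoch),
    like `touch -d @when path`, and return the resulting three times.
    The kernel sets ctime to the current time as a side effect."""
    os.utime(path, (when, when))
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def looks_backdated(times: Dict[str, float], slack: float = 60.0) -> bool:
    """Heuristic used when hunting timestomping: a ctime later than the mtime
    by more than `slack` means metadata changed after the claimed content
    change. Ordinary writes update both, so they stay close together; a chmod
    or chown long after the last write triggers it too, so treat it as a lead."""
    return times["ctime"] - times["mtime"] > slack


def demo() -> Dict[str, float]:
    """Create a file, backdate it by 30 days (a made-up offset) and return
    its times together with the wall-clock time of the check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.txt")
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        month_ago = int(time.time()) - 30 * 86400
        times = backdate(path, month_ago)
        times["now"] = time.time()
        return times


if __name__ == "__main__":
    t = demo()
    for key in ("atime", "mtime", "ctime"):
        print(f"{key}: {time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(t[key]))}")
    print("looks backdated:", looks_backdated(t))
```

Setting atime explicitly works even on a noatime mount: the mount option only suppresses the implicit update on reads, not an explicit utime call (or touch -a).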

Exercise 24 Check times for the /var/log/wtmp file.

Exercise 25 Change times for your home directory.

Exercise 26 Change time of modifying contents of a selected file to 13:30 PDT Saturday month ago.

os_cp/users_permissions.txt · Last modified: 2024/03/19 15:54 by jkonczak