04092009

I was asked to cover Linux Permissions and plan to cover both basic permissions as well as sticky bits and sharing directories / files.

If you are not familiar with the basics, please see:

FilePermissions

I also plan to cover sticky bits and ACL:

Linux permissions help

Smart ACL management with Eiciel

   1 [00:00] <bodhi_zazen> Are we ready to start ?
   2 [00:00]  * Snova is here
   3 [00:00] <bodhi_zazen> weee hooo
   4 [00:00]  * tim_sharitt is ready
   5 [00:00] <bodhi_zazen> first, sorry about the confusion re time and date
   6 [00:01] <bodhi_zazen> again, I will do these Q&A sessions every 2 weeks or so
   7 [00:01] <bodhi_zazen> I was asked to cover permissions today and to make it interesting will add in sticky bits and acl :)
   8 [00:01]  * RachedTN is ready too :)
   9 [00:02] <bodhi_zazen> This is a good time to mention the shared ssh session
  10 [00:02] <bodhi_zazen> http://paste.ubuntu.com/147955/
  11 [00:02] <bodhi_zazen> we can use that for a hands on demo
  12 [00:02] <bodhi_zazen> but if you are interested , please ssh in when you get a chance
  13 [00:02] <bodhi_zazen> so you are ready to go when we start
  14 [00:02]  * Geek`N`Proud thought he'd stick around
  15 [00:02] <Pretto> 404
  16 [00:02] <bodhi_zazen> if you need help, ask and someone will answer in a PM
  17 [00:02] <Daisuke-Ido> The requested URL /beginners/ufbt-guest was not found on this server.
  18 [00:03] <bodhi_zazen> http://paste.ubuntu.com/147955/
  19 [00:03] <WastePotato> Am I late?
  20 [00:03] <Snova> No.
  21 [00:03] <WastePotato> Ok.
  22 [00:03] <bodhi_zazen> Ah, my mistake, lol
  23 [00:03] <bodhi_zazen> http://bodhizazen.net/ufbt/ufbt-guest
  24 [00:03]  * bodhi_zazen bad
  25 [00:04] <WastePotato> Yay. SSHing into bodhi_zazen's computer. \o/
  26 [00:04] <bodhi_zazen> sweet :)
  27 [00:04] <Snova> Or as close to it as you'll ever get...
  28 [00:04] <bodhi_zazen> OK, lets start with the basics
  29 [00:04] <bodhi_zazen> permissions often frustrate new users
  30 [00:05] <bodhi_zazen> and it is a BIG change if you come from Windows
  31 [00:05] <Daisuke-Ido> i'm going to pop back over to gnome
  32 [00:05] <bodhi_zazen> Every file and directory has an owner (the one who made it), a group, and "other"
  33 [00:05] <bodhi_zazen> permission are rwx - read, write, and execute
  34 [00:05] <bodhi_zazen> and so are listed with ls -l
  35 [00:05] <bodhi_zazen> as 3 sets :
  36 [00:06] <bodhi_zazen> rwxrwxrwx
  37 [00:06] <bodhi_zazen> for owner:group:other
  38 [00:06] <bodhi_zazen> a - means you do not have the permission
  39 [00:06] <bodhi_zazen> so r--r--r-- is read only
  40 [00:07] <bodhi_zazen> You can also see permissions graphically by right clicking a file
  41 [00:07] <bodhi_zazen> and selecting the permissions tab
  42 [00:07] <bodhi_zazen> To change permissions from the command line you can use "octals"
  43 [00:07] <bodhi_zazen> which are listed here : http://www.zzee.com/solutions/linux-permissions.shtml
  44 [00:08] <bodhi_zazen> or if you can not use the octals, use +rwx
  45 [00:08] <bodhi_zazen> so, with the chmod command
  46 [00:08] <bodhi_zazen> chmod o+rwx foo
  47 [00:08] <bodhi_zazen> chmod g+r foo
  48 [00:08] <bodhi_zazen> chmod 755 foo
  49 [00:09] <bodhi_zazen> you change the group with chown or chgrp
  50 [00:09] <bodhi_zazen> chown owner:group foo
  51 [00:09] <bodhi_zazen> chown owner.group foo
  52 [00:09] <bodhi_zazen> period works as well as a : , although it is deprecated >:)
  53 [00:09] <bodhi_zazen> With the gui tools use the pull down menu
  54 [00:10] <bodhi_zazen> The thing that is odd, directories
  55 [00:10] <bodhi_zazen> you need to set the x to list the contents of a directory
  56 [00:10] <bodhi_zazen> chmod a+x bar
  57 [00:10] <bodhi_zazen> allows people to ls bar
  58 [00:10] <bodhi_zazen> again see http://www.zzee.com/solutions/linux-permissions.shtml
  59 [00:11] <bodhi_zazen> Questions about basic permissions ?
  60 [00:11] <bodhi_zazen> otherwise I am going to move on to sticky bits >:)
  61 [00:12] <bodhi_zazen> Sticky bits are not hard to understand, but they are odd
  62 [00:12] <bodhi_zazen> They are also called SUID and SGID
  63 [00:12] <bodhi_zazen> if you have an executable file or binary
  64 [00:13] <bodhi_zazen> and you suid it, it runs with the permissions of the OWNER of the file, not the user who runs the script / binary
  65 [00:13] <bodhi_zazen> so ...
  66 [00:13] <bodhi_zazen> if the file is owned by root
  67 [00:13] <bodhi_zazen> and you then chmod 755
  68 [00:13] <bodhi_zazen> anyone can run the file
  69 [00:14] <bodhi_zazen> if you run the script as a user, the process has permissions of the user who called it
  70 [00:14] <bodhi_zazen> If, however, you chmod u+s foo
  71 [00:14] <bodhi_zazen> now anyone can run the script and , as it is owned by root, it runs as if root called the script
  72 [00:15] <bodhi_zazen> no password is required
  73 [00:15] <bodhi_zazen> do not do this
  74 [00:15] <bodhi_zazen> any script to be run by root should be owned by root and, IMO, called with sudo
  75 [00:15] <bodhi_zazen> same thing applies to SGID
  76 [00:15] <bodhi_zazen> if the SGID bit is set, the script runs with permissions of the group that owns the file
  77 [00:16] <bodhi_zazen> with me so far ?
  78 [00:16] <bodhi_zazen> One last bit, +t
  79 [00:16] <bodhi_zazen> +t is the "sticky bit"
  80 [00:16] <Spreadsheet> Can I talk?
  81 [00:16] <bodhi_zazen> in the past it meant keep the script in memory
  82 [00:16] <bodhi_zazen> Spreadsheet: yes
  83 [00:16] <bodhi_zazen> anyone can break in at any time
  84 [00:17] <Spreadsheet> Ok, I have a question
  85 [00:17] <bodhi_zazen> this is an open session
  86 [00:17] <bodhi_zazen> please :)
  87 [00:17] <Spreadsheet> This is sorta related to the topic
  88 [00:17] <Spreadsheet> Sometimes i use chown, and it doesn't work
  89 [00:17] <Spreadsheet> Then i use it a couple more times and it does work...
  90 [00:17] <Spreadsheet> Is this a bug?
  91 [00:17] <pleia2> :)
  92 [00:17] <bodhi_zazen> You can not chown a file or directory you do not own
  93 [00:17] <bodhi_zazen> hey pleia2 :)
  94 [00:18] <Spreadsheet> bodhi_zazen: All of the files on this comp belong to me...
  95 [00:18] <bodhi_zazen> this makes sense in that a user can not chown a file owned by root
  96 [00:18] <Spreadsheet> Oh wait
  97 [00:18] <Pretto> never happened to me :D
  98 [00:18] <bodhi_zazen> LMAO Spreadsheet
  99 [00:18] <Spreadsheet> Ok, the file is owned by root
 100 [00:18] <Spreadsheet> So then I use sudo
 101 [00:18] <bodhi_zazen> to change a file owned by root you need sudo
 102 [00:19] <bodhi_zazen> but you should not change ownership or permissions of system files
 103 [00:19] <Spreadsheet> It's not a system file
 104 [00:19] <bodhi_zazen> sudo -e /etc/fstab for example
 105 [00:19] <Spreadsheet>  /var/www/
 106 [00:19] <bodhi_zazen> yea, that *should* be owned by www-data
 107 [00:19] <Spreadsheet> ehh... go on
 108 [00:19] <bodhi_zazen> so, add your user to www-data
 109 [00:19] <bodhi_zazen> :)
 110 [00:20] <bodhi_zazen> OK, we were talking sticky bits
 111 [00:20] <bodhi_zazen> the most common use of a sticky bit is on a directory
 112 [00:20] <bodhi_zazen> if a sticky bit is set on a shared directory (one with say permissions of 777)
 113 [00:21] <bodhi_zazen> users can not delete files they do not own
 114 [00:21] <bodhi_zazen> even though group or other permissions may allow rw access to a file
 115 [00:21] <bodhi_zazen> There is a very nice review of sticky bits here : http://lokams.blogspot.com/2008/03/about-suid-sgid-and-sticky-bit.html
 116 [00:22] <bodhi_zazen> and here : http://www.linuxdevcenter.com/pub/a/linux/lpt/22_06.html
 117 [00:22] <bodhi_zazen> questions ?
 118 [00:22] <bodhi_zazen> Otherwise I am going to talk about acl , or access control lists
 119 [00:23] <bodhi_zazen> Please, all questions are welcome and it gets boring seeing a wall of bodhi.zazen speaking >:)
 120 [00:23] <Snova> Might want to go into setuid/setgid (though that'd be another wall :P)
 121 [00:23] <Snova> Oh wait
 122 [00:23]  * Snova wasn't here
 123 [00:23] <Snova> Well, in that case, what does the sticky bit do on a file?
 124 [00:23] <bodhi_zazen> lol Snova :)
 125 [00:24] <bodhi_zazen> you mean the -t on a file ?
 126 [00:24] <bodhi_zazen> or the SUID
 127 [00:24] <Snova> Sticky bit... no idea what "-t" means. :P
 128 [00:24] <bodhi_zazen> lol
 129 [00:25] <bodhi_zazen> Snova: take a look at this linky : http://lokams.blogspot.com/2008/03/about-suid-sgid-and-sticky-bit.html
 130 [00:25] <Spreadsheet> g2g
 131 [00:25] <bodhi_zazen> I covered the topic just previous and do not want to repeat it ;)
 132 [00:26] <bodhi_zazen> OK , acl stands for access control list
 133 [00:26] <bodhi_zazen> the idea of an acl list comes into play when you have many, perhaps hundreds of users on a system
 134 [00:26] <bodhi_zazen> and so then the "other" permissions get messy
 135 [00:27] <bodhi_zazen> you do not want to create hundreds of groups for all the various user shares
 136 [00:27] <bodhi_zazen> enter acl
 137 [00:27] <bodhi_zazen> acl allows a user to set permissions on a file or directory for each user on the system
 138 [00:28] <bodhi_zazen> acl is the backbone of SELinux, and if you understand acl you understand a lot about SELinux
 139 [00:28] <bodhi_zazen> acl is installed by default on Ubuntu, but you need to "activate" it
 140 [00:28] <bodhi_zazen> it is an option when you mount a file system
 141 [00:28] <bodhi_zazen> so you
 142 [00:29] <bodhi_zazen> mount /dev/sdxy /media/foo -o acl
 143 [00:29] <bodhi_zazen> Or add acl to /etc/fstab in the options column
 144 [00:29] <Pretto> so, acl is just for "others" right?
 145 [00:29] <bodhi_zazen> yes and no Pretto
 146 [00:29] <bodhi_zazen> I will demo it in a sec ...
 147 [00:30] <bodhi_zazen> acl is a command line tool
 148 [00:30] <bodhi_zazen> although there is a very nice gui tool, Eiciel
 149 [00:30] <bodhi_zazen> http://www.linux.com/feature/138169
 150 [00:31] <bodhi_zazen> Eiciel is in the Ubuntu repos , but I could not integrate it with Nautilus as in that link
 151 [00:31] <bodhi_zazen> after you install it it is in the menu under System
 152 [00:31] <bodhi_zazen> want to see acl in action ?
 153 [00:31]  * jgoguen nods
 154 [00:32] <Pretto> yeap
 155 [00:32] <bodhi_zazen> OK, everyone ssh into the shared session ?
 156 [00:32] <bodhi_zazen> let me show a few things ...
 157 [00:33] <bodhi_zazen> OK, permissions of new files are governed by umask
 158 [00:33] <bodhi_zazen> so as you can see , the group is governed by the primary or effective group
 159 [00:33] <bodhi_zazen> Now let's change groups for a sec
 160 [00:34] <bodhi_zazen> the command was newgrp and it spawns a new shell
 161 [00:34] <Pretto> :D
 162 [00:34] <bodhi_zazen> do you see how that changed the group of the new file ?
 163 [00:35] <bodhi_zazen> OK, so if I want a shared directory , I would now need to chmod all those files
 164 [00:35] <bodhi_zazen> chmod -R 770 MAD
 165 [00:35] <bodhi_zazen> or worse, chmod -R 777 MAD
 166 [00:36] <bodhi_zazen> or chgrp and then chown, you get the idea
 167 [00:36] <bodhi_zazen> now let us use ACL
 168 [00:36] <bodhi_zazen> See the +s in the permissions ?
 169 [00:36] <bodhi_zazen> the sgid is set
 170 [00:38] <bodhi_zazen> Do you see how the sgid bit made the file "file.admin" owned by the group guru ?
 171 [00:38] <bodhi_zazen> >:)
 172 [00:38] <bodhi_zazen> OK, now acl ...
 173 [00:38] <bodhi_zazen> You list the access list with getfacl file
 174 [00:39] <bodhi_zazen> we set the acl with setfacl
 175 [00:42] <bodhi_zazen> This changed the behavior of the directory, we set the defaults with -d and the options with -m and long handed rwx permissions
 176 [00:42] <jgoguen> bodhi_zazen: so the default ACL entries will override the existing user/group/other permissions?
 177 [00:42] <bodhi_zazen> yes jgoguen
 178 [00:43] <bodhi_zazen> with that last command , I overrode the sgid we set
 179 [00:43] <bodhi_zazen> the directory is not owned by admin
 180 [00:43] <bodhi_zazen> default:group:admin:rwx
 181 [00:43] <bodhi_zazen> watch
 182 [00:44] <bodhi_zazen> hmm, not what I expected, lol
 183 [00:44] <Pretto> hhehhehhe. .weird
 184 [00:45] <Pretto> so the + means that MAD has an acl?
 185 [00:46] <bodhi_zazen> yes Pretto
 186 [00:46] <bodhi_zazen> see how acl changed the group of "file" made by root ?
 187 [00:46] <bodhi_zazen> from root.root to root.guru ?
 188 [00:46] <bodhi_zazen> OK, now let's add a user
 189 [00:47] <bodhi_zazen> see, now I added in the user, bodhi, who has rwx to the file MAD/file.guru
 190 [00:48] <bodhi_zazen> user:bodhi:rwx
 191 [00:48] <bodhi_zazen> and on
 192 [00:48] <bodhi_zazen> Obviously acl is a bit complex
 193 [00:48] <bodhi_zazen> and I will not claim to be an expert
 194 [00:48] <bodhi_zazen> :)
 195 [00:49] <bodhi_zazen> oops, apparmor is preventing me from showing you more with acl at the moment
 196 [00:49] <bodhi_zazen> lol
 197 [00:50] <bodhi_zazen> see : http://www.suse.de/~agruen/acl/linux-acls/online/
 198 [00:50] <bodhi_zazen> for more info on acl
 199 [00:50] <bodhi_zazen> and man acl
 200 [00:50] <bodhi_zazen> and Eiciel
 201 [00:51] <bodhi_zazen> Eiciel gives you a gui tool to manage acl
 202 [00:51] <bodhi_zazen> Sorry if I rambled on too long about permissions
 203 [00:51] <bodhi_zazen> :)
 204 [00:51] <bodhi_zazen> we have 10 min left
 205 [00:51] <bodhi_zazen> questions ?
 206 [00:52] <bodhi_zazen> you like the shared ssh session ?
 207 [00:53] <bodhi_zazen> I can demo apparmor if you want :)
 208 [00:54] <bodhi_zazen> See how the /tmp directory has +t set ?
 209 [00:54] <bodhi_zazen> you should now know what that means :)
 210 [00:55] <bodhi_zazen> you should now understand why root kits search for files with the suid bit set
 211 [00:58] <jgoguen> bodhi_zazen: back to setuid/setgid...should setgid necessarily be avoided the same as setuid?
 212 [00:59] <bodhi_zazen> probably jgoguen
 213 [00:59] <bodhi_zazen> although it is not working as I expected
 214 [01:00] <bodhi_zazen> if you need to run a script as root, use sudo
 215 [01:00] <bodhi_zazen> If you need to give a user limited root access, use sudo and configure with visudo >:)
 216 [01:00] <bodhi_zazen> Ah, apparmor is restricting me from further demos :)
 217 [01:01] <bodhi_zazen> you will have to check out suid on your own , lol
 218 [01:01] <jgoguen> I was thinking more along the lines of having a script write to a log file...but I suppose ACL would also handle that quite nicely :)
 219 [01:01] <bodhi_zazen> acl FTW :)
 220 [01:02] <bodhi_zazen> Once you learn acl , and you have a multiuser system, you will make good use of it
 221 [01:02] <bodhi_zazen> acl does not make sense, however, on a single user system
 222 [01:03] <Pretto> thank you for your explanations bodhi_zazen
 223 [01:03] <bodhi_zazen> np Pretto :)
 224 [01:03] <bodhi_zazen> thank you for coming
 225 [01:03] <bodhi_zazen> anyone have a suggestion for next time ?
 226 [01:04] <bodhi_zazen> In the long run, we will bring up a moodle site and content will be available for review pre and post sessions
 227 [01:04] <bodhi_zazen> the BT is working on it
 228 [01:04] <bodhi_zazen> If you have suggestions, add it here
 229 [01:05] <bodhi_zazen> https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
 230 [01:05] <bodhi_zazen> thank you everyone for coming
 231 [01:05] <bodhi_zazen> please spread the word
 232 [01:06] <bodhi_zazen> you should all have been disconnected from the shared session as I closed it :)
 233 [01:06] <bodhi_zazen> see you again in 2 weeks
 234 [01:06] <jgoguen> \o/ ty bodhi_zazen
 235 [01:06] <bodhi_zazen> you are most welcome jgoguen
 236 [01:06] <bodhi_zazen> I hope I learned you something



BeginnersTeam/FocusGroups/EducationOLD/Events/04092009 (last edited 2009-10-15 20:25:14 by host-84-13-223-244)