This action might not be possible to undo. Are you sure you want to continue?
by Quentin Docter SYBEX Inc.. (c) 2003. Copying Prohibited.
Reprinted for Abhishak K. Gangapur, IBM firstname.lastname@example.org Reprinted with permission as a subscription benefit of Books24x7, http://www.books24x7.com/
All rights reserved. Reproduction and/or distribution in whole or in part in electronic,paper or other forms without written permission is prohibited.
Table of Contents
Chapter 5: Files, Directories, and Security...................................................................................1 Overview................................................................................................................................1 Understanding File and Directory Concepts..........................................................................1 Reviewing File Types.......................................................................................................1 Using the File System......................................................................................................2 Using Default Directories.................................................................................................6 Working with Links...........................................................................................................7 Controlling and Monitoring System Access...........................................................................8 File and Directory Permissions........................................................................................8 Access Control Lists and Role Based Access Control ..................................................14 . Summary ..............................................................................................................................15 Exam Essentials..................................................................................................................15 Key Terms ............................................................................................................................16 Commands Used in This Chapter........................................................................................16 Review Questions and Answers..........................................................................................17
file components. the most critical concept of this chapter.com. features. Table 5. which are analogous to file systems.ibm. of course. and hard links in the Solaris directory hierarchy. Directories.1: Solaris File Types Symbol Meaning Text or application Reprinted for ibmabhishek. Also. • Explain how to create and remove hard links in a Solaris directory.g@in. or permissions to monitor and control system access. and functions of root subdirectories. Some cabinets have more drawers than others. Copying Prohibited . and a directory is a specialized file that lists filenames. But beyond the login. you will agree that this knowledge is fundamental to understanding system security concepts. and you need to know what they are. Think of a hard disk as a filing cabinet. switch users on a system. (c) 2003. The file types supported in Solaris are shown in Table 5. some directories in Solaris are intended for specific purposes. and arguably one of the most important facilities in a real networking environment. A file system is simply a logical unit of space on the disk and is divided into two basic components: files and directories. Understanding File and Directory Concepts In Solaris. there are folders. Filing cabinets have drawers. is to store files. Good security measures are critical to the safety of your data and your company. Reviewing File Types Solaris 9 employs eight types of files. and Security Overview SOLARIS 9 EXAM OBJECTIVES COVERED IN THIS CHAPTER: • Describe the purpose." you looked at setting up user accounts and learned how passwords are used to protect login access to the network. Inside the drawers. you first need to understand how files and directories are organized in Solaris.Chapter 5: Files. data is stored within a file system located on a hard disk. This is where file and directory security comes into play. These are files themselves.1. this chapter then covers the default directories and their intended purposes. This chapter starts with file and directory concepts. • Identify the procedures and commands. Inside the folders are your documents. even if you are already comfortable with file and directory structure. However. "User and Group Administration. and the same can be true of file systems on a hard disk. you will explore security. In Chapter 4. variables. Finally. The folders play the role of directories in a file system. The most common type is a "regular" text or application file. Some of this information might seem straightforward if you have Solaris experience. The purpose of a filing cabinet. file types. To understand how to set up and manage file and directory security. SYBEX Inc. Moving from core file concepts. Files contain data. IBM Sybex. and restrict access to data in files. additional security measures are needed to ensure that users have access only to the information that they are supposed to have access to.
and printer. Here is a sample directory listing: $ ls -l total 7 -rw-rw-r-drwxr-xr-x drwxr-xr-x -rwxrwxrwx -rw-r--r-$ 1 2 1 1 1 root root root root root other other other other other 35068 512 512 188326 4105 Aug Aug Aug Aug Aug 4 3 3 2 1 13:39 10:01 10:02 19:11 12:21 bookdoc dir1 dir2 fungame textfile The long listing of a directory shows seven fields.com. which are usually hidden). Using the File System Solaris file systems are organized in a hierarchical tree. Copying Prohibited . After the links. Figure 5. The ls command has 26 arguments that you can use to customize your display. (c) 2003. terminal. are considered files. or the root directory.1 illustrates this hierarchical structure. Reprinted for ibmabhishek. last modification date and time. All other files and directories can be thought of in terms of their relationship to the root. The d in front of dir1 and dir2 indicates that they are directories. Commands are essentially programs and are therefore files. On the left. you see the file's permissions.ibm. IBM Sybex. The file size in bytes. type man ls. The number after the permissions indicates the number of links to the file. The base of this tree. such as your hard drive. For a complete listing of ls switches. Even devices on your computer. is called root and is represented with a slash (/). Directories are files that contain other files. Documents and programs are files. and filename end each entry.Solaris 9: Sun Certified System Administrator Study Guide 2 D d b c p l s Door Directory Block special file Character special file Named pipe Symbolic link Socket Solaris regards almost everything on your system as a file. SYBEX Inc. you see the owner of the file (root in this case) and the primary group of the owner.g@in. To show a listing of files in a directory. use the ls command. The most commonly used options for ls are -l (long listing) and -la (long listing and including files that start with a period.
whereas the working directory is the directory you are currently working in. However." One of the basic tenets of file systems is that each object must have a unique absolute pathname. consider the /etc directory.Solaris 9: Sun Certified System Administrator Study Guide 3 Figure 5. Your working directory is the first directory checked by the kernel when you enter a command to execute (if you have .com. Warning Using . SYBEX Inc. you could create a directory called etc. Warning Don't confuse the working directory with the home directory.1: Solaris hierarchical file structure Note The superuser account and the base of the directory structure are both named root. Copying Prohibited . The working directory is also known as the current directory. Your working directory might or might not be your home directory. To avoid potential confusion. in your path can compromise system security. This directory named etc exists right off of the root (/). This can be confusing to new administrators. let's look at creating a directory with the mkdir command. Your home directory is used to store personal files. Therefore. if you were to switch to the /export directory. The absolute pathname of this new directory would be /export/etc. For example. You can change working directories easily with the cd command. Say you execute the following command sequence: $ ls file1 file2 $ mkdir dir1 $ ls dir1 file1 file2 Reprinted for ibmabhishek. Also remember that Solaris is case sensitive. To illustrate the importance of knowing your working directory. such as a Trojan horse. File System Navigation To determine where you are in the file system.g@in. but your home directory does not typically change. (c) 2003. be sure to specify "the root directory" or "the superuser. This path designation can cause you to inadvertently execute a program you did not intend to. the directory /export/dir1 is different from /export/DIR1. use the pwd (print working directory) command. IBM Sybex. you cannot create another directory named etc from within the root directory.ibm. as your $PATH variable) or want to see a directory listing.
But that is a lot of typing. Although listing them all here would be impractical. and it's easy to make a mistake when you type that much. you could have (and should have) used pwd to verify that you were in the right directory before creating a new one. But you created it. Although using relative pathnames can save you time. and . One option is to create it from the root: $ pwd / $ mkdir /export/home/user1/files $ ls /export/home/user1 files $ To create this directory. rename.ibm. To help. However. If you're going to use relative pathnames. move. and when using utilities that require filenames or pathnames.g@in. Relative Pathnames A relative pathname indicates the location of a file based on your current working directory. because they begin with a period. So although you will likely be able to find dir1 eventually. copy. and the second one uses a relative pathname. you typically don't see these entries. using them also increases the probability of creating a directory in the wrong place. The single period represents the directory itself. make sure to use pwd to verify your working directory. When you use the ls command. it might not be where you think it is. or with a tilde (~). Table 5. Absolute pathnames never change. Unfortunately.2: File Commands Reprinted for ibmabhishek. the first one uses an absolute pathname. is a relative pathname. Congratulations! You log out of Solaris and go home for the day. IBM Sybex. Say that you want to create a directory called /export/home/user1/files. Any pathname that does not begin at the root directory. a quick review of some common commands doesn't hurt. Copying Prohibited . display. and modify files. Directories Each directory automatically has two entries: a single period and a double period. you type in the absolute pathname. it's probable that your home directory is /export/home/user1.2 lists some common file-management-based commands. If you are user1. but relative pathnames do. (c) 2003. SYBEX Inc. $ pwd /export/home/user1 $ mkdir files $ ls files $ Both command sequences create the same directory. and by default ls doesn't show entries that begin with a period. There are a couple of ways you can go about it. Useful File Commands There are literally dozens of commands you can use to create. and the double period represents the directory's parent directory. based on where you are in the directory tree structure. and just as likely that it's your default working directory as well. you can't seem to find the dir1 directory.com. you don't remember what your working directory was when you created dir1.. The next day when you get to work. right? So where is it? That's a good question. Note The double period can be especially useful as a shortcut when copying or moving files. Table 5. The .Solaris 9: Sun Certified System Administrator Study Guide 4 $ You have just created a directory called dir1.
Removes empty directories.g@in. Lists files in a directory. links.ibm. If the directory has files in it (other than . To create a directory called myfiles in her home directory. Creates directories. Copies files. use more /etc/passwd. cd /export/home/user1 changes the working directory to /export/home/user1. Removes (deletes) a file. Note The ~ shortcut does not work in the Bourne shell. Here is an example: $ ls -l total 3 drwxrwxr-x 2 root other 512 Aug 10 11:23 docs This section shows how to modify file characteristics other than permissions and links. and you should use care when executing it. The command cp file1 file2 creates a copy of file1 named file2. which copies the directory as well as any files or subdirectories to the desired destination. use cp -r. Modifying File Characteristics When you use the ls -l command to display files in a directory. Changes directories. Filter that enables you to display one screen of information at a time. use the chown command: Reprinted for ibmabhishek. a user can use cd ~.. you see seven fields of information about the file.). The rm -r command can be used to remove a directory and all files within the directory. and .Solaris 9: Sun Certified System Administrator Study Guide 5 Command cat cd cp file find ls mkdir more mv pwd rm rmdir Warning Description Concatenates and displays files. One other handy navigation shortcut is the tilde (~). modification date and time. SYBEX Inc. Determines file type. The command mkdir dir1 creates a directory called dir1 in the current working directory. moves up one directory in the tree. For copying directories. use the $HOME variable. Copying Prohibited .com. The command cd . To reference the home directory in the Bourne shell. To delete file1. and filename. The fields are permissions. size. The owner of the example directory is root. For example. If no directory is specified. delete the files first and then use rmdir to remove the directory. To change to his home directory quickly. IBM Sybex. The tilde is used as a shorthand representation of the user's home directory. Finds files. For example. This is an incredibly powerful command. use rm file1.. To change owners. Just think about what would happen if you ran this command from the root directory. Links are covered two sections from now. owner. to see your /etc/passwd file one page at a time. a user could execute the mkdir ~/myfiles command. The command cat file1 simply displays the contents of file1. regardless of her working directory. considering that the base set of security permissions relates specifically to the owner of the file. The command mv file1 /etc/acct moves file1 to the /etc/acct directory. the working directory is used. Moves or renames files. (c) 2003. and security is covered in the second half of this chapter. This is very important. group. cat file1 file2 >file3 combines files file1 and file2 in a new file named file3. Displays the present working directory. and cd / changes to the root directory. For example. The command mv file1 file2 renames file1 to file2.
IBM . Optional mount point.Solaris 9: Sun Certified System Administrator Study Guide 6 # ls -l total 3 drwxrwxr-x 2 userx # chown qdocter docs # ls -l total 3 drwxrwxr-x 2 qdocter other 512 Aug 10 11:23 docs other 512 Aug 10 11:23 docs The ownership group can also be changed.1 root other 512 Aug 10 11:23 docs root root other other 512 Aug 10 11:23 docs 80 Aug 10 11:44 file1 root root other other 512 Aug 10 11:45 docs 80 Aug 10 11:44 file1 Notice how the touch command updated the time on the docs directory and created an empty file named file1. Remember that the file system is a hierarchical tree. Device files that represent configured devices in the system. the touch command can also be used to update the modification date and time without actually opening the file. and the branches expand from there. open the file. If you do want to modify the size of a file. However. Exported files. make changes. If you use touch with a filename that does not exist. These directories provide the basic organization of the Solaris file system and group similar types of files together. generally used for third-party applications. but that is done with the chgrp command: # ls -l total 3 drwxrwxr-x 2 qdocter # chgrp author docs # ls -l total 3 drwxrwxr-x 2 qdocter other 512 Aug 10 11:23 docs author 512 Aug 10 11:23 docs The file size attribute isn't something you typically set out to purposely modify. Using Default Directories During installation. Table 5. The modification date can be updated in the same way.com. The main part of the tree is the root. Contains directories and files critical to system operation. and save the file.g@in. touch will create the file specified: $ ls -l total 3 drwxrwxr-x 2 # touch file1 # ls -l total 4 drwxrwxr-x 2 -rw-r--r-. The /dev and /devices directories are discussed in more detail in Chapter 6. you can see who it is. Copying Prohibited Reprinted for ibmabhishek. It's primarily there for reference. Table 5. make some changes to it. Typically. Some of the more notable files include /etc/passwd and /etc/shadow.3: Solaris 9 Default Directories Directory / (root) /dev and /devices /etc /export /opt Purpose The top of the hierarchical file system tree. "Disk and Device Management. Sybex. (c) 2003.ibm. If someone is storing incredibly large files on your server.3 lists the major default directories and their intended purposes. user home directories are located in /export/home/username. and save it.1 # touch docs # ls -l total 4 drwxrwxr-x 2 -rw-r--r-. SYBEX Inc." Machine-local configuration files. Open the file. Solaris creates several default directories.
Log files. Another reason to create a link is to give another user access to a file that's in your home directory. the filename is linked to the data.ibm. printer spool files. the original permissions remain intact. Copying Prohibited . the root and /usr directories are required. so you might have to modify file and/or directory permissions to get the access permissions you need. if you have seven hard links to one file and change the data in the file. files are stored on hard disks in computers. five isn't a terribly large number of paths to remember. you have five files that you commonly access. All hard links to a file are of equal value to Solaris. which is how humans reference files. Bear in mind that a hard link is not a copy of a file.com. IBM Sybex. SYBEX Inc. all links will reflect the changed data as well. it's possible to create multiple links that point to the same file. then the data is inaccessible. In other words. Then create links in your chosen directory that point to all five files.Solaris 9: Sun Certified System Administrator Study Guide 7 /tmp /usr /var Temporary files and oftentimes swap space. System files and directories that can be shared among users. In other words. Here's an example of creating a link: $ ls file1 file2 $ ln file1 link1 $ ls link1 file1 file2 $ ln file1 seclink $ ls seclink link1 file1 file2 Reprinted for ibmabhishek. Your system will likely have all the directories listed in Table 5. You also know that files have names. To run a system. Links are created with the ln command. However. On the computer. but rather a pointer to the original file. no one link has priority over the others. and link is the name of the link that you wish to create. Granted. you need to remember the specific directory path to each one. the filename points to the specific location on the hard drive where the data is stored. Because of a controlling manager. (c) 2003. and both of you have convenient access to the file. and the disk space is made available for other files. In Solaris. which includes files that change dynamically as the system runs. Now. Each file is in a different directory. and /usr/share contains man pages. Hard Links A hard link is a pointer to a file. that's a topic for later in this chapter.g@in. To open each file. Working with Links As you know by now. the original links to the files are still intact and in their original directories. but it's inconvenient nonetheless. If all hard links to a file are deleted. To get around this. The /usr/bin directory contains user commands. The syntax is as follows: $ ln file link where file is the path to the existing file. pleasing the controlling manager. The other user can create a link in her home directory pointing to the file in your home directory. at a minimum. You could delete any two of the links and still access the data in the file through the third (and now only) link.3 and more. you could create a directory specifically for links or use an existing directory. /usr/sbin holds system administration commands. Even better. If a particular file has three hard links. When you create a link. all five access points (to the data you need) are located in the same directory. all files must remain in their original directories. Variable data. and backup files are often located here. So why would someone want to create hard links? Imagine that on your computer.
The basic set of UNIX permissions allows for three distinct operations on a given file: Read. and the link becomes useless. In the example. The first step to control system access is physical. you need to control access to your computer systems. the inode of the file is displayed. is obviously a different file because it has a different inode. is making sure that users have good passwords and change them frequently. hard links must be created to files and cannot be created to directories. link1. permissions. Soft links are created with the ln -s command. To delete a link. The same is not true of soft links. it's practically impossible to tell which files are links. and everyone else (other). you're not going to get the information you're looking for. you can delete the original file and still access data through another link. Soft Links To address the limitations of hard links. SYBEX Inc. they can either read sensitive data or use brute force to destroy data. like most other UNIX-based operating systems. whereas everyone else (other) can be denied access to the same file. soft links are indirect pointers to a file. Of course. If you delete the original file. it can be used to link to a directory and can span multiple file systems. Second. it's the same command you use to delete regular files. you use the rm command. categorizes users into three classes when it comes to resource access: the owner of the file (owner or user). In any case. Consequently. That is. meaning they all reference the same data. If compromised. This section covers the final step.Solaris 9: Sun Certified System Administrator Study Guide 8 By looking at a basic directory listing. and Execute permissions on a file.ibm.com. Whereas hard links are direct pointers to a file.g@in. Copying Prohibited . Critical data has a variety of forms. the owner can have Read. a member of the group the owner belongs to (group). giving competitors an unfair advantage. This is because inodes are file-system-dependent. First. last access time. The other file. If someone can get to your machine. The second step. and so on. Another way to look at it is that the inode points out the unique location of the data on the hard disk. IBM Sybex. Write. some files could leak trade secrets. The inode contains the complete listing of all information about a file: its owner. file2. The ls -i command helps shed more light on the subject: $ ls -i 5511 seclink $ 5511 link1 5511 file1 242176 file2 When you use ls -i. soft links can point to nonexistent files. group. The 5511 inode in one file system will contain different data than the 5511 inode in another file system. Write. hard links must be in the same file system as the original file. Controlling and Monitoring System Access Now that you understand file system structure. File and Directory Permissions Solaris. Each class and permission combination is considered separately. (c) 2003. If you're using hard links. and hard links cannot. There are two major limitations to using hard links. The last step is setting up proper permissions. A soft link is more flexible than a hard link. seclink. if you open a soft link that is pointing to an imaginary file. Reprinted for ibmabhishek. It's difficult to overestimate the importance of security on your Solaris computer or network. it's time to learn how to protect your files. one that we have talked about. and Execute. and file1 all have the same inode. Other files could cause legal hassles if exposed. the data is gone. so the users who do log in to your network have the appropriate level of file access. All a soft link contains is the absolute pathname to the linked file. soft links (also known as symbolic links) were created.
4 breaks down the permissions and how they affect what designated users can do to files and directories.ibm. or execute files in the directory Warning Giving someone Write permissions gives them the ability to delete! Displaying and Changing Permissions Permissions are displayed when you use ls -l to show a long directory listing. or execute the file Directory Consequences Can list files in the directory Can add or remove files or links in the directory Can open and execute files in the directory. This command functions in two modes: symbolic mode and absolute mode. Table 5.g@in. The file1 file has Read and Write for the owner. and can make the directory and subdirectories under it current Cannot list. the docs directory has Read. Table 5. The following nine characters define permissions for that file. and Read-only for group and other. and Execute permissions set for the owner and group. write. Copying Prohibited . The first character indicates that the file is either a special type of file or a regular file.com. Write. Write. Here's an example to refresh your memory: $ ls -l total 4 drwxrwxr-x -rw-r--r-- 2 qdocter 1 qdocter author author 512 Aug 10 11:23 docs 80 Aug 10 11:44 file1 Because we're discussing permissions. Write. add. The chmod command is used to set permissions on files. Regardless of permissions set on a file. IBM Sybex. the second cluster is for group permissions. Symbolic Mode When using chmod in symbolic mode.4: Solaris Permissions Permission File Consequences Read (r) Can open and read the contents of the file Write (w) Can modify or delete the file Execute (x) Can execute the program None (-) Cannot read. let's clarify what is meant by Read. and Read and Execute set for other. and Execute. In our example. The syntax for chmod in symbolic mode is as follows: $ chmod options who operator permission file For example. and the last tier is for other. remove. the superuser always has Read. (c) 2003. The first file listed in our example is a directory. the command: $ chmod o+w file21 Reprinted for ibmabhishek. and Execute privileges on every file. Before we look at displaying and changing permissions. is a regular file.Solaris 9: Sun Certified System Administrator Study Guide 9 Note The owner of the file and the superuser are the only two users who can modify permissions on a file. as indicated by the lowercase d. letters designate both whom the permissions will impact and the permissions to effect. the only parts of the directory listing you need to be concerned with right now are the first 10 characters and the name of the file. as indicated by the dash preceding the permissions. The first grouping of three letters (rwx) defines permissions for the owner. named file1. SYBEX Inc. The second file.
and an = sets the permissions to exactly what is specified. then all permissions for the specified who are cleared. "For group permissions. some examples might help.2 qdocter author 874 Aug 10 11:23 textfile Sybex.5: Symbolic Mode Permissions Letter r w x l s t X u g o Description Sets Read permission Sets Write permission Sets Execute permission Enables mandatory locking SetUID/SetGID. separate the who.com.g+r file21 There are four options for the who variable. IBM . SYBEX Inc. it says. remember that o means other. They are described in Table 5. and permission grouping with commas. not owner. If the = is used and no permissions are specified. To specify multiple email@example.com permissions. remove Write on textfile. and other) are set with a. For owner permissions. depending on who is specified by the who variable Enables the sticky bit Execute permission if the file is a directory or if there is execute permission for one of the other user classes. Here's how to do that: $ chmod g-w textfile $ ls -l total 3 -rwxr-xr-x 2 qdocter author 874 Aug 10 11:23 textfile If you read the chmod command literally. other permissions with o. There are 10 options for the permission variable." This next example removes execute permissions for both group and other: $ chmod go-x textfile $ ls -l total 3 -rwxr--r-. use u. such as: $ chmod o+w. group.ibm. Note When using symbolic mode to change permissions. Sets the permissions to those already present for the owner Sets the permissions to those already present for the group Sets the permissions to those already present for others This can be a lot to absorb. The operator variable tells chmod what to do with the permissions specified. a. group permissions are set with g. Table 5. $ ls -l total 3 -rwxrwxr-x 2 qdocter author 874 Aug 10 11:23 textfile For the preceding file. you want to remove the Write permissions for the group. Copying Prohibited Reprinted for ibmabhishek. There are three options for the operator: a + tells chmod to add the permission to existing permissions.5. (c) 2003.Solaris 9: Sun Certified System Administrator Study Guide 10 will add Write permission to the owner for file21. and all permissions (owner. To set user (owner) permissions. use u. Failure to use the proper codes could result in serious security holes. operator.
Absolute Mode Instead of using letter designations to assign permissions. and t works only with u.ibm.2 qdocter author 874 Aug 10 11:23 textfile One final example: $ ls -l total 3 -rwx-----. or else enables mandatory locking Sets the sticky bit Sets owner permissions to Read Sets owner permissions to Write Sets owner permissions to Execute Sets group permissions to Read Sets group permissions to Write Sets group permissions to Execute Sets other permissions to Read Sets other permissions to Write Sets other permissions to Execute To use absolute mode. you add the numbers together to achieve your desired result. you could use the following: $ chmod a= textfile $ ls -l total 3 ---------. (Some die-hard administrators call this ORing the numbers. and Execute permissions. For example. Copying Prohibited .Solaris 9: Sun Certified System Administrator Study Guide 11 Now. IBM Sybex. Absolute mode enables you to assign permissions by using an octal representation instead of a user. (c) 2003. please) is the best way to learn what you can and cannot do. you need to think in terms of net result: what do you want the final permissions to be? Reprinted for ibmabhishek. some administrators prefer to use chmod in absolute mode. the s permission works only with a who of u or g. In absolute mode. if you want to grant the owner Read.com. you often think in terms of adding or subtracting permissions. Table 5.6: Absolute Mode Permission Codes Number 4000 20n0 1000 0400 0200 0100 0040 0020 0010 0004 0002 0001 Description Enables SetUID Enables SetGID when the value of n is odd. playing around with permissions (on a test system. operator.) For example.6. SYBEX Inc.g@in. and permission code.2 qdocter $ chmod go=u textfile $ ls -l total 3 -rwxrwxrwx 2 qdocter author 874 Aug 10 11:23 textfile author 874 Aug 10 11:23 textfile As with everything else in the computer world. Write. and the group Read-only. The numerical values for all permissions are listed in Table 5. members of the author group and everyone else have only Read permission to textfile. Perhaps the biggest philosophical difference between symbolic and absolute modes is that with symbolic mode. To quickly clear all permissions from the file. you would use chmod 740 filename (the value 740 was obtained by adding 400 + 200 + 100 + 40).
you can use a three-digit number to specify permissions. you have convinced management to upgrade all servers to Solaris 9. and examining environment initialization files. it's likely that you'll prefer one to the other and you'll use that method almost exclusively. Although it's an excellent idea to be familiar with both methods (especially for the test). Real World Scenario: Easing the Security Administration Burden You have been the systems administrator at your company for just over a year. when you use absolute mode.com. SYBEX Inc. you can use the following: $ chmod 000 textfile $ ls -l total 3 ---------. However. and execute—1). you want to remove the Write permissions for the group.Solaris 9: Sun Certified System Administrator Study Guide 12 Tip Unless you are specifying SetUID or SetGID.2 qdocter author 874 Aug 10 11:23 textfile You might have noticed that I used the same examples in absolute mode as I did in symbolic mode. If you want to clear all permissions for the file. You need something or someone to help you out. The company is growing quickly. and you are the only network administrator! One of your biggest problems has been keeping track of security. something slips by you. (c) 2003. Since you started working at the company. but the IT budget does not provide for another network administrator. or enabling the sticky bit. it isn't because cutting and pasting is less work than thinking of new examples. You might want to consider using the Automated Security Enhancement Tool (aset). checking the integrity of the /etc/passwd and /etc/group files. As with symbolic mode. This tool is a set of security utilities shipped standard with Solaris 9. verifying system file contents. you need to think in terms of end result. members of the author group and everyone else have only Read permission to textfile. In the following example. but aset can be set to run periodically and to e-mail a report to any user specified.2 qdocter author 874 Aug 10 11:23 textfile Now. you find that every once in a while. and most of your workstations have been upgraded as well. you remove Execute permissions for both group and other: $ chmod 744 textfile $ ls -l total 3 -rwxr--r-. It can automate security settings. Here's how to do that in absolute mode: $ chmod 755 textfile $ ls -l total 3 -rwxr-xr-x 2 qdocter author 874 Aug 10 11:23 textfile Again.g@in. No. Removing Write permissions for the group means that your second number (group) is going to be 5 (read—4. and you worry that your network security might someday be compromised. Copying Prohibited . Not only that. In that time. You have set up good security measures and have educated users on secure operational procedures. IBM Sybex. The Reprinted for ibmabhishek. the number of client machines has grown from about 50 to well over 300. let's use some examples to clarify: $ ls -l total 3 -rwxrwxr-x 2 qdocter author 874 Aug 10 11:23 textfile For the preceding file.ibm. It is to show that you can perform the exact same permissions modifications with either method. including checking permissions and ownership on system files.
By enabling SetUID.g@in. or the superuser. medium. the only people who can delete or rename files in the directory are the owner of the file.ibm. SetUID and SetGID When an application with SetUID (Set User ID) is opened. it will be a lowercase t. a capital T will appear. If the execution bit for others is on. you should be very. you run the risk of a security breach. In fact. This program deletes all temporary files from the system and cleans up any outdated log files and print spool files. IBM Sybex. Start using aset and you will find your security burden eased significantly. Here's an example: $ chmod 1745 bookdir $ ls -l Reprinted for ibmabhishek. Similarly. And this can be done without giving them the root password or adding them to the sysadmin group. If the execution bit for others is off. very careful about the use of SetUID and SetGID. and high. When the sticky bit is set. Unfortunately. you will no longer have any superuser rights. and you should closely monitor those that do.Solaris 9: Sun Certified System Administrator Study Guide 13 aset tool is capable of detecting possible security holes and fixing security problems as well. you will assume the identity of the superuser (we're assuming that root is the owner of the application) in order to carry out the program. SetUID and SetGID are enabled through the chmod command. the administrator. When the program is completed. the owner of the directory. if the SetGID bit is enabled. Say there is a program that you need to run to perform your weekly job duties. can give users the ability to run applications that might require more access to resources than they would normally have. the executing process will assume the identity of the group owner for execution of the process. You can set and clear the SetGID bit for files in absolute mode. This functionality can be extremely handy. Sticky Bit A sticky bit is used to prevent the deletion of files in public directories. Essentially. You can use the level that most closely matches your network's security needs. where users might have the opportunity to maliciously (or accidentally) delete common files. (c) 2003. Most applications don't require their use. a T or t will appear in the directory's other Execute permission slot. many companies won't run software that requires enabling SetUID or SetGID. any time you give regular users superuser privileges. After the sticky bit is set on a directory. The following example shows two files. type man aset. This can be both a good and a bad thing. For more information. Another useful feature of aset is that it has three security levels: low. Sticky bits are particularly useful in public directories. you. the executing process assumes the privileges of the owner of that application. The first one (app1) has SetUID enabled. deleting these files requires that you have superuser privileges. which you don't have. Copying Prohibited . Consequently. and the second one (app2) has SetGID enabled (look for the s): $ ls -l -rwsr-xr-x -rwxr-sr-x 2 qdocter 1 qdocter author author 38604 Aug 10 11:23 app1 19124 Aug 10 11:44 app2 SetUID and SetGID can be very useful but also pose an incredibly dangerous inherent security risk. when you (or anyone else for that matter) execute this cleanup program. It must be set or cleared in symbolic mode by using g+s or g-s. Of course.com. Note You cannot set or clear the SetGID bit for directories in absolute mode. SYBEX Inc.
Note The Korn shell supports symbolic mode arguments with the umask -S command. but how would you set permissions for another user who might or might not be part of the owner's group? Security issues such as this became difficult to deal with. which is like a user account. For example. the default permissions are 777 (Read. To permanently change your umask. they don't need to be Reprinted for ibmabhishek.com. The default umask is 022. with a default umask. Suppose that you want one of your users to be able to reset user passwords or to back up files they might otherwise not be able to access. ACLs and RBAC are vital big-picture security concepts in Solaris. One option is to give the user the root password. Access Control Lists (ACLs) were developed to enhance security flexibility. These default permissions are modified by the umask specified in either the user's initialization file or a global initialization file. Therefore. a logged-in user can assume a role for temporary administrative purposes and still not have more access than they need. it will default back to the mask specified in your initialization file after you log out and back in.Solaris 9: Sun Certified System Administrator Study Guide 14 total 3 drwxr--r-t 2 qdocter $ chmod 1744 bookdir $ ls -l total 3 drwxr--r-T 2 qdocter author 874 Aug 11 14:20 bookdir author 874 Aug 11 14:20 bookdir Note The sticky bit can be set through absolute mode or symbolic mode. However. with increased networking capabilities and more extensive computer use. use the umask command: $ umask 022 $ umask 077 $ umask 077 Note If you change your umask with the umask command.g@in. and assign the role certain administrative tasks. the umask value is subtracted from the default (full access) values. "Security hole!" Role Based Access Control (RBAC) enables you to create a role. and Execute. To increase security on your network. and Execute for all). new directories will have effective permissions of 755 (777 . (c) 2003. SYBEX Inc. umask When a new file is created in Solaris. IBM Sybex. but this solution screams. giving the owner Read. you can make the umask more restrictive. and when a directory is created. you must modify your initialization file. Then. Access Control Lists and Role Based Access Control During the initial development stages of UNIX. Write.ibm. the existing permission structure became a bit limited. but the Bourne and C shells do not. Many companies prefer a umask setting of 077 or 027. you could set permissions for the owner of the file.022). But because ACLs and RBAC are not tested until the second Solaris Certified System Administrator exam. thereby restricting (masking) permissions. Copying Prohibited . and giving the group and other Read and Execute. the default permissions are 666 (Read and Write for all). When new files are created. Newly created files will have permissions of 644. To display your current umask or to change your current umask value. the basic permission structure was sufficient for most users' needs. Another security issue is the assignment of administrative duties. Write.
respectively. A sticky bit prevents the file from being deleted by anyone other than the owner of the file. Permissions are Read. you examined the base security system of Solaris 9: file permissions. You also examined SetUID and SetGID permissions. They are covered extensively in Chapter 13. The umask restricts the default permissions on new files and directories. Solaris considers nearly everything on your computer a file. the application assumes the identity of the owner or group owner. or files within them. Understand the basic Solaris security structure. and Execute for the owner. as well as how to manage links within the Solaris file system. Understand what SetUID and SetGID do. Understand what a sticky bit does. Understand the limitations of hard links. Hard links cannot point to a directory. and Execute. you would use chmod g+x file1. Know how to set file permissions by using absolute mode. increasing security. as well as setting them in both absolute and symbolic modes.com. and the umask. must point to an existing file. A file's absolute pathname describes its place in the hierarchical file system. a member of the group owner of the file. Read and Execute for group. sticky bits. Know the difference between an absolute pathname and a relative pathname. The base of the file system is the root directory (/). you would use chmod 750 dir1. To enable Read. IBM Sybex. being a member of the owner's group.ibm. Then. Permissions can be set by using the chmod command with symbolic arguments. Know what the umask does. Permissions can be set by using the chmod command with an octal argument. Write. Every directory other than root has a parent directory. to add group Execute permission on file1. and no access for other on dir1. SYBEX Inc. A relative pathname describes the path to the file in relation to the current working directory. For example. and must be located in the same file system as the linked file. Users are classified as being the owner. Exam Essentials Understand the hierarchical file system structure. called subdirectories. Copying Prohibited . or belonging to the other group." Summary You started this chapter by looking at the hierarchical file system structure of Solaris.Solaris 9: Sun Certified System Administrator Study Guide 15 covered in depth at this time. You should be comfortable with reading permissions. of the file in order to run the application properly. or the superuser. Each parent can have one or more child directories. When either SetUID or SetGID are enabled.g@in. (c) 2003. you looked at navigating the file system and file modification commands. Reprinted for ibmabhishek. It's also important to know the default directories and their intended purposes. Know how to set file permissions by using symbolic mode. and all files must have an owner and a group. Finally. Write. "Advanced Security Concepts.
ibm. be certain you are familiar with the following terms: • absolute mode • absolute pathname • hard link • inode • relative pathname • soft link • sticky bit • symbolic mode • umask • working directory Commands Used in This Chapter The following list contains a summary of all the commands introduced in this chapter: Command cat cd chgrp chmod chown cp file find ln ls mkdir more mv pwd rm rmdir Description Concatenates and displays files Changes directories Changes the ownership group for a file Modifies access permissions for a file Changes the owner of a file Copies files Determines file type Finds files Creates a link to a file Lists files in a directory Creates directories Enables you to display one screen of information at a time Moves or renames files Displays the present working directory Removes (deletes) a file Removes empty directories Sybex.firstname.lastname@example.org.Solaris 9: Sun Certified System Administrator Study Guide 16 Key Terms Before you take the exam. IBM . SYBEX Inc. Copying Prohibited Reprinted for ibmabhishek. (c) 2003.
(c) 2003. SYBEX Inc.com. You want to ensure that employees can post files to the directory but cannot delete files unless they are the owner.ibm. What is the easiest way to accomplish this? A. chmod u+t forsale D. IBM Sybex. You want to combine the two reports into a file named finalreport. One of your junior administrators was instructed by a support agent to look for a named pipe file in one of his directories. Solaris does support named pipes. B. cat report1 report2 =finalreport C. cat report1 report2 >finalreport B.Solaris 9: Sun Certified System Administrator Study Guide 17 touch umask Creates a file or updates the file's last modification time Displays or changes the umask value Review Questions and Answers 1. Type ls -l in the directory and look for a p as the first character. One of your servers has a public directory named forsale. You are the Solaris administrator for your network. containing classified ads posted by employees.g@in. is the group owner. The junior administrator is confused and wants to know how to identify a named pipe. chmod 1666 forsale B. which contains all employees. E. Solaris does not support named pipes. Type ls -l in the directory and look for a file named pipe. What do you tell him? A. Copying Prohibited . report1 and report2. You are the Solaris administrator for your company. C. Type ls -l in the directory and look for an n as the first character. 3. chmod u+s forsale 2.) A. Two of your administrative reports. Which commands can you execute to accomplish your goal? (Choose all that apply. cat finalreport Reprinted for ibmabhishek. chmod 4666 forsale C. A user named jsmith is the owner of the directory. contain similar information. cat finalreport >report1 report2 D. but they are not considered files. You are the senior Solaris administrator for your company. and the employee group. D.
ren finreport reportaug02 6.ibm. mv finreport reportaug02 E.Solaris 9: Sun Certified System Administrator Study Guide 18 E. On your Solaris workstation. touch finalreport 4. cp finreport reportaug02 C. Copying Prohibited . You are the Solaris administrator for your company. What command do you use to accomplish this? A. chmod g= o= personal B.g@in. mv reportaug02 finreport D. ownfiles Reprinted for ibmabhishek. and a replacement has been hired. Consider the following directory listing: $ ls -l drwxrwxr-x -rw-r--r-2 userx 1 userx finance finance 512 Aug 10 11:23 personal 80 Aug 10 11:44 file1 You want to ensure that you are the only one who has access to the personal directory.com. SYBEX Inc. One of your project managers recently left the company. chmod g-rwx o-rx personal 5. How do you accomplish this? A. ren reportaug02 finreport F. giveown B. chgrp D. cp reportaug02 finreport B. IBM Sybex. (c) 2003. Which commands could you use to accomplish this? (Choose all that apply. chown C. chmod g-rwx.) A. You need to give ownership of the old project manager's files to the new manager. chmod go= personal C.o-rx personal D. you need to rename a file from finreport to reportaug02.
ibm.com. The group owner of dir1 has read permissions. IBM Sybex. Mandatory locking is enabled. SYBEX Inc.) A. The SetUID bit for dir1 is enabled. B. You are the Solaris administrator for your company. root (/) B. chmod 770 personal C. The SetGID bit for dir1 is enabled. C. (c) 2003.Solaris 9: Sun Certified System Administrator Study Guide 19 7. /local D. chmod 777 personal B. You have just installed a new Solaris workstation with default settings. chmod 000 personal 8. chmod 700 personal D. You are the Solaris administrator for your network.g@in. D. Which command should you execute to accomplish this? A. Consider the following directory listing: $ ls -l drwxrwxr-x -rw-r--r-2 userx 1 userx finance finance 512 Aug 10 11:23 personal 80 Aug 10 11:44 file1 You want to ensure that you are the only one who has access to the personal folder. /etc C. /usr 9. /opt E. Which directory on the computer will contain machine-local configuration files? A. You execute the following command: # chmod 2744 dir1 Which of the following effects are enacted by your command? (Choose all that apply. Reprinted for ibmabhishek. Copying Prohibited .
g@in. displayed with a symbol other than -? (Choose all that apply. and execute permissions. 12. Directory C. Hard link E. Copying Prohibited .) A. (c) 2003. 10. Door D. A user with write permissions to the file C. B. In Solaris 9. Consider the following directory listing: $ ls -l drwxrwxrwt -rw-r--r-2 userx 1 userx employee employee 512 Aug 10 11:23 stuff 80 Aug 10 11:44 file1 Which of the following statements are true regarding the files listed? (Choose all that apply. which of the following are valid special file types. D. C.ibm.) A. The owner of the file B.com. who has the ability to change the ownership of a file? (Choose all that apply. The superuser Reprinted for ibmabhishek. Employees can delete their own files from the stuff directory. In Solaris 9. write. The other execute bit is on for the stuff directory.) A. Symbolic link G. SYBEX Inc. Socket 11. Named pipe F. The other execute bit is off for the stuff directory. Boot B. The owner of dir1 has read. IBM Sybex. Employees can delete any files from the stuff directory.Solaris 9: Sun Certified System Administrator Study Guide 20 E.
(c) 2003.) A. /usr/home 14. Which of the following are requirements for hard links? (Choose all that apply. C.ibm. /export/usr D. Copying Prohibited . IBM Sybex. Consider the following directory listing: $ ls -l drwxrwxr-x -rw-r--r--rwxr--r-2 userx 1 userx 1 userx finance finance finance 512 Aug 10 11:23 personal 80 Aug 10 11:44 file1 818 Aug 13 12:01 program1 You want members of the finance group to have the same permissions as the owner has to program1. You are the Solaris administrator for your company. /export/home C. A member of the group that owns the file 13. chmod g=wx program1 Reprinted for ibmabhishek. D. B.Solaris 9: Sun Certified System Administrator Study Guide 21 D. chmod g=u program1 C. You are training new users on the use of hard links. chmod g=userx program1 B. Hard links must be on the same file system as the linked-to file.g@in. One of the server's responsibilities will be to host user home directories. /usr/export B.) A. You are the Solaris administrator for your company. SYBEX Inc. You are installing a new server. When creating hard links. Which command could be executed to accomplish this? (Choose all that apply. chmod g=o program1 D. In which directory does Sun recommend placing user home directories? A. There cannot be more than five hard links to any file. Hard links must be linked to a directory. chmod g+wx program1 E. 15. the inode of the linked-to file must be specified.com.
chmod 600 phonelist Reprinted for ibmabhishek. ln -h access file1 18. You are the security administrator for your company.com. ln -s access file1 E. ln -s file1 access D. You are the Solaris administrator for your network.g@in. (c) 2003. Which command should you execute to create this link? A. Copying Prohibited . 000 B. What absolute mode command would you would need to execute in order to affect these security settings? A. SYBEX Inc.ibm. You want to create a hard link to file1 named access. 022 C.Solaris 9: Sun Certified System Administrator Study Guide 22 16. You create a new directory and you have this directory listing: # ls -l drwxr-xr-x 2 root other 512 Aug 15 15:51 newdir What is the umask currently in use on your computer? A. 555 E. No one else is to access the file. IBM Sybex. The only person who should be able to delete the file is the owner. ln file1 access B. ln -h file1 access F. 755 17. chmod 660 phonelist C. ln access file1 C. You are the Solaris administrator for your network. as do members of the owner's group. chmod 666 phonelist B. You have a file named file1. 044 D. The owner of this file needs read and write permissions. There is a public file named phonelist.
You are the Solaris administrator for your company. C. (c) 2003. Named pipes are one of the special types of files supported in Solaris. and with chmod u+t in symbolic mode. You have a public directory and are worried about people deleting files that aren't theirs. The cat command can be used to display files or. The sticky bit is enabled with chmod 1000 in absolute mode. 4. chgrp admin docs D. Copying Prohibited Reprinted for ibmabhishek. The docs directory on your server is currently owned by the staff group. You want to give the admin group ownership of the directory. Based on the information provided. B.) A. and they can be used to access the data that filex previously accessed. file2 and file4 will not be deleted.g@in. 3. alternately. Consider the following directory listing: $ ls -i 5150 filex 5150 file2 9906 5150 file3 file4 122800 filea 53102 filel You execute the command rm filex. How do you accomplish this? A. B. C. The correct usage of cat to combine files is cat file1 file2 >newfile. file2 and file4 will not be deleted.com. A. SYBEX Inc. Named pipe files are indicated by a p in the first character space before the file's permissions. D. chmod 1660 phonelist F. chmod 1600 phonelist 19. 20. chown admin docs B. chmod 1666 phonelist E. A. chown docs admin C. IBM .ibm. but they will be inaccessible.Solaris 9: Sun Certified System Administrator Study Guide 23 D. file2 and file4 will be deleted. combine two or more files into a new file. which of the following statements are true? (Choose all that apply. filex will be deleted. chgrp docs admin Answers 1. 2. The question describes a situation in which the sticky bit comes in handy. Sybex.
6. The giveown and ownfiles commands do not exist. One is to set permissions for the group equal to those of the owner. and socket. B. 19. B. and man pages. D. Sybex. The /etc directory contains machine-local configuration files. use chmod g=u (group = owner). including user-based commands. To ensure that you are the only one with access. in theory. the ln command creates a hard link. The 7 in the second position gives the owner of dir1 read. All together. nor does it matter. write. (c) 2003. then the SetGID bit would. E. Remember. meaning the umask is 022. E. you set up permissions for the directory as drwx------. of course). E. The chown command is used to change ownership of files and directories.Solaris 9: Sun Certified System Administrator Study Guide 24 5. Copying Prohibited 20. B. use the mv command. The filename is specified first. The special file types. It must be set through symbolic mode. B. If the third number were odd. To change the ownership of a file. file2. If used with no arguments. and the 4 in the third position gives the group owner read permissions to dir1. 17. The first and last answers do not work because they both call for multiple groups. indicating that the other execute bit for the stuff directory is on. Therefore. o means other. The chmod command is used to set security permissions. Because the sticky bit is set. SYBEX Inc. and file3 are all hard links to the same file. A.com. The root is the base of the directory structure. The /opt directory holds optional files. you want your permission structure for the directory to look something like drwx------. they would modify the group permissions but not the other permissions. 8. and execute permissions. 10. as in the third answer. administrative commands. not a space. typically third-party applications. and read and write for the group has a value of 60. but inodes are not required to create hard links. A. A. 9. B. character. In this case. The -s option creates symbolic (or soft) links. 13. as in the second answer. which has a value of 1000. It's impossible to tell which one existed first. If you delete filex. If you were to execute these answers as listed. The sticky bit is set for the stuff directory. symbolic link. To do that. Hard links must be on the same file system as the file they are linking to. 18. it does not affect the other links to the data. However. as in the fourth answer. which corresponds to 777 in octal code. that would mean adding Write and Execute to the group's existing permissions. Essentially. Because the third number is even. file2 and file4 still exist and can be used to access the data that filex was used to access. The umask is subtracted from the default permissions. B. which the rm filex command does. 12. not individual ownership. The default permissions for a new directory are drwxrwxrwx. Hard links are created with the ln command. 7. C. 14. 15. Also. and multiple groups need to be separated with a comma. named pipe.ibm. that adds up to 1660. C. not owner. There is no limit to the number of hard links. which are displayed with an alternate character. you must remove permissions for all other users. The effective permissions are 755 for the directory listed. when it comes to setting permissions in symbolic mode! The second way is to modify the permissions to match those of the user. then the link name. User home directories should be placed in the /export/home directory. B. hard links must be linked to files and cannot be linked to directories. B. You can use the = with no permissions listed to clear permissions for group and other. Read and write for the owner has a value of 600. A. G. you need to set the sticky bit. C. D. C. A. 16. filex. the 2000 value enables mandatory locking on the directory. The t is lowercase. The other directories do not exist by default. Reprinted for ibmabhishek. The /usr directory contains many things. The correct syntax for renaming files is mv oldfile newfile. The chgrp command is used to change group ownership. F. Based on their inode numbers. Looking at inode numbers can help determine whether a file is a hard link. The owner of the file will be the only one able to access it (other than the superuser. as evidenced by the t at the end of the permissions list. be set. The /usr directory holds information such as commands and man pages. the SetGID bit cannot be set on a directory when using absolute mode. block. By executing chmod 700 personal. You could also remove the assigned permissions. To move or rename files. C. There are two ways you can accomplish your goal. Because you don't want anyone except the owner deleting the file. employees can delete only files that they own. are door. 11. IBM . D. directory. Boot files and hard links are considered regular files.g@in. A. you must be either the owner of the file or the superuser.
SYBEX Inc.g@in. use the chgrp command. To change group ownership of a file or directory. Copying Prohibited . (c) 2003. Reprinted for ibmabhishek. The proper syntax for this command is chgrp newgroup file. IBM Sybex.Solaris 9: Sun Certified System Administrator Study Guide 25 C.ibm.com.
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue reading from where you left off, or restart the preview.