Tyler Chris - Fedora Linux p. 39.


editing (the EDITOR environment variable can be used to specify another editor if you'd prefer).

4.7.3.3. ...checking that the password and group files are properly written?


# pwck
user adm: directory /var/adm does not exist
user gopher: directory /var/gopher does not exist
user ident: directory /home/ident does not exist
user torrent: directory /var/spool/bittorrent does not exist
invalid password file entry
delete line `'? y
pwck: the files have been updated

grpck performs similar checks on /etc/group and /etc/gshadow:

# grpck
invalid group file entry
delete line `'? y
invalid group file entry
delete line `ascasdcasdarg asdfasdf'? y
grpck: the files have been updated
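The pwck session above reports two kinds of problems: an entry with the wrong number of fields ("invalid password file entry") and a home directory that does not exist. The following added example (not from the book) re-implements those checks, plus a duplicate-name check, over constructed /etc/passwd lines; the `dir_exists` parameter is a hypothetical hook so the check can run without touching the real filesystem.

```python
import os
from typing import Callable, List

# Each /etc/passwd entry has exactly seven colon-separated fields:
# name:password:UID:GID:GECOS:home:shell
PASSWD_FIELDS = 7


def check_passwd_lines(lines: List[str],
                       dir_exists: Callable[[str], bool] = os.path.isdir) -> List[str]:
    """Return pwck-style messages for every problem found in the given lines."""
    problems = []
    seen = set()
    for raw in lines:
        line = raw.rstrip("\n")
        fields = line.split(":")
        # A blank line splits into a single empty field, which is exactly the
        # case behind the "delete line `'?" prompt shown in the pwck session.
        if len(fields) != PASSWD_FIELDS or not fields[0]:
            problems.append(f"invalid password file entry `{line}'")
            continue
        name, _pw, uid, gid, _gecos, home, _shell = fields
        if name in seen:
            problems.append(f"duplicate password entry `{name}'")
        seen.add(name)
        if not uid.isdigit() or not gid.isdigit():
            problems.append(f"user {name}: invalid UID or GID")
        if not dir_exists(home):
            problems.append(f"user {name}: directory {home} does not exist")
    return problems


# Constructed sample data: a valid root entry, the adm entry from the book's
# output, a normal user, a blank line and a duplicate user name.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "adm:x:3:4:adm:/var/adm:/sbin/nologin",
    "jane:x:500:500:Jane Doe:/home/jane:/bin/bash",
    "",
    "jane:x:501:501:Duplicate:/home/jane:/bin/bash",
]


def demo() -> List[str]:
    # Pretend only these directories exist so the run is deterministic offline.
    existing = {"/root", "/home/jane"}
    return check_passwd_lines(SAMPLE_PASSWD, dir_exists=lambda d: d in existing)


if __name__ == "__main__":
    for msg in demo():
        print(msg)
```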

4.7.4. Where Can I Learn More?

passwd, useradd, usermod, userdel, groupadd, groupmod, groupdel, vipw, vigr, pwconv, grpconv, crypt(3), passwd(5), shadow(5), group(5), gshadow(5)

4.8. Control Access to Files


There are two other mechanisms available for file access control: see Lab 8.2, "Using SELinux" and Lab 8.3, "Using Access Control Lists."

4.8.1. How Do I Do That?

read (r)

Grants permission to access the contents of a file. There are no restrictions on what can be done with the file contents, so read permission includes permission to view or process the contents of the file, as well as permission to copy the file. On a directory, read permission enables the display of the list of files in the directory; without read permission, you can access a file contained in the directory only if you know the exact name of the file.

write (w)

Grants permission to write to a file; this includes overwriting existing information, appending to the end of the file, and truncating (shortening) the file. On a directory, write permission enables the creation and deletion of files within that directory.

execute (x)

Grants permission to execute the file. If the file is a binary, it can be executed by the kernel; if it is a text file, it is treated as a script. On a directory, execute permission grants access to the contents of the directory (some people refer to execute permission on a directory as search, or passthrough, permission).

Remember the order: r w x.

Each of these three permissions is granted or denied to users in three different communities:

user (u)

The user who owns the file. Initially, this is the user who created the file; it may be changed by the superuser (root).

group (g)

All members of the group that owns the file. Normally, this starts off as the group of the user who created the file. A file's owner may change the group ownership to any group to which she belongs; e.g., if Jane owns the file foo and is a member of the audit and toronto groups, she can make either group own the file.

other (o)

Everyone else.

The order is significant here, too; you'll want to memorize it: u g o.

This gives a total of nine permissions for each file and directory:

read, write, and execute for the user

read, write, and execute for the group

read, write, and execute for other

There are also three special file permissions, as outlined in Table 4-13.

Table 4-13. Special file permissions

Name: Set-User-ID
Abbreviation: SUID
Appearance in ls -l output: s in the x column for the user if execute permission is enabled, or S if execute permission is disabled.
Meaning when applied to a file: When executed, the program takes on the user identity of the file's owner.
Meaning when applied to a directory: (No meaning)

Name: Set-Group-ID
Abbreviation: SGID
Appearance in ls -l output: s in the x column for the group if execute permission is enabled, or S if execute permission is disabled.
Meaning when applied to a file: When executed, the program takes on the group identity of the file's group.
Meaning when applied to a directory: All files and subdirectories created in the directory will be owned by the same group that owns the directory. Subdirectories will automatically have their SGID permission enabled.

Name: Sticky bit
Abbreviation: Sticky
Appearance in ls -l output: t in the x column for other if execute permission is enabled, or T if execute permission is disabled.
Meaning when applied to a file: (No meaning)
Meaning when applied to a directory: Files in the directory can be deleted or removed only by their owner (otherwise, anyone with write permission on the directory can delete or rename files in that directory).

The SUID and SGID permissions provide critical abilities. For example, /etc/passwd and /etc/shadow are only writable by root, but normal users need to be able to change their passwords. The program /usr/bin/passwd is owned by root and has the SUID permission enabled, so it runs with root privilege, regardless of who executes it, and is therefore able to change /etc/shadow.

4.8.1.1. Viewing the current user, group, and mode from the command line


$ ls -l /etc/aliases.db
-rw-r----- 1 root smmsp 12288 Oct 6 19:31 aliases.db

The first field displayed is -rw-r-----. The first character is reserved for file type information, and the rest of that field contains the file's mode: rw-r-----.

This mode breaks down into three sets of three characters, representing the permissions granted to each of the three communities:
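As an added example (not code from the book), the function below decodes the 10-character mode field that ls -l prints into the file type, the nine u/g/o permissions, the three special bits from Table 4-13 (including the s/S and t/T distinction), and the equivalent octal mode; the function name `decode_mode` and the output layout are my own choices.

```python
COMMUNITIES = ("user", "group", "other")
SPECIAL_BITS = ("suid", "sgid", "sticky")      # one per community column, in u g o order
FILE_TYPES = {"-": "regular file", "d": "directory", "l": "symbolic link",
              "c": "character device", "b": "block device", "p": "FIFO", "s": "socket"}


def decode_mode(mode: str) -> dict:
    """Decode an ls -l mode field such as "-rwsr-xr-x" into its parts."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character ls -l mode field")
    result = {"type": FILE_TYPES.get(mode[0], "unknown"),
              "perms": {}, "suid": False, "sgid": False, "sticky": False}
    octal = 0
    for i, who in enumerate(COMMUNITIES):
        # Three characters per community, in the fixed order r w x.
        r, w, x = mode[1 + 3 * i: 4 + 3 * i]
        if r not in "-r" or w not in "-w" or x not in "-xsStT":
            raise ValueError(f"unexpected characters in mode field: {mode}")
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        # Lowercase s/t means execute is set as well as the special bit;
        # uppercase S/T means the special bit is set but execute is not.
        if x in "xst":
            bits |= 1
        if x in "sStT":
            result[SPECIAL_BITS[i]] = True
            octal |= (4 >> i) << 9          # SUID 04000, SGID 02000, sticky 01000
        result["perms"][who] = {"read": r == "r", "write": w == "w",
                                "execute": bool(bits & 1)}
        octal |= bits << (6 - 3 * i)        # user bits are the high octal digit
    result["octal"] = f"{octal:04o}"
    return result


if __name__ == "__main__":
    # The aliases.db listing from the book and the SUID passwd program.
    for m in ("-rw-r-----", "-rwsr-xr-x"):
        print(m, decode_mode(m)["octal"])
```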
