Authorization
September 19, 2014

Administrative – submittal instructions
- answer the lab assignment's questions. This week the Word document answer file is supplied: download it (from the instructions), fill it in, and submit it.
- email to [email protected]
- the exact subject title must be "authorizationlab"
- deadline is the start of your lab session the following week
- reports are not accepted (zero for the lab) if
  – late
  – you did not attend the lab (except DEN or prior arrangement)
  – the email subject title deviates

Administrative – DETER accounts
- I will create them this week
- expect to receive an auto-generated email message with information and instructions
- check http://www-scf.usc.edu/~csci530l/instructions/lab-deter-account.htm if you have time

Review
- authentication: accepting identification of a user account
- authorization: allowing a process running "as that user" (with that account embedded) to access certain resources
- authorization is the technical means of access control

Access control
- administrative – organizational policy: who should access what
- technical – cyber mechanisms, our focus
- physical – building and room access

Government authorization
- documents have "classifications"
- employees have "clearances"
  – confidential
  – secret
  – top secret
- access decision = f( document's classification, clearance ), i.e. z = f( x, y )

Computer auth not so different
- Linux
  – files have permissions for particular user accounts
  – processes (the true file "users") carry a user account identity
- Windows
  – resources have security policies
  – processes carry user and group affiliation
- access decision = f( file's permissions, user )

Linux users
- the system keeps a list of user accounts
- system usage demands a user identification
  – supplied at login... no login, no usage
- a user id is implicit in all session activities
  – all session activities are performed by processes
  – every process has some user id as an attribute
  – that user id helps determine the process's access to resources
- users can be grouped

The files of record
- /etc/passwd – holds the list of recognized users
- /etc/shadow – holds their passwords
- /etc/group – holds the list of recognized groups, with the names of the member users of each

/etc/passwd entries hold user information

    craig:x:507:507:Craig Smith:/home/craig:/bin/bash

Fields, in order: official name, password (placeholder), UID, GID, real name, home directory, login shell.

/etc/shadow entries hold ancillary user information

    craig:$1$2YL52jhL$:11992:60:75:3:14:12417:134550548

Fields, in order: username, hashed password, various values all relating to password aging, reserved.

/etc/group entries hold group information

    children:x:522:hansel,pinochio,gretel,heidi

Fields, in order: official name, password (not used), GID, member list.

Adding and deleting users
- adding
  – "useradd" command
  – then set the password with the "passwd" command
- deleting
  – "userdel -r" command ( -r removes the home directory )

Adding users in 2 steps

    [root@EMACH1 /root]# useradd charlie
    [root@EMACH1 /root]# passwd charlie
    Changing password for user charlie
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully
    [root@EMACH1 /root]# su charlie
    [charlie@EMACH1 /root]$ cd
    [charlie@EMACH1 charlie]$ pwd
    /home/charlie
    [charlie@EMACH1 charlie]$ ls -a
    .   .Xdefaults    .bash_profile  .kde    .screenrc
    ..  .bash_logout  .bashrc        .kderc  Desktop
    [charlie@EMACH1 charlie]$ cat /etc/passwd | grep charlie
    charlie:x:531:539::/home/charlie:/bin/bash

- step 1: useradd
- step 2: passwd
- su charlie: become charlie
- cd: enter his home directory
- pwd: identify the home directory
- ls -a: the directory is populated
- grep: charlie's in the list alright

Now find out what happened!

Deleting users

    [root@EMACH1 /root]# userdel -r charlie
    [root@EMACH1 /root]# su charlie
    su: user charlie does not exist
    [root@EMACH1 /root]# ls -a /home/charlie
    ls: /home/charlie: No such file or directory
    [root@EMACH1 /root]# cat /etc/passwd | grep charlie
    [root@EMACH1 /root]#

- su: doesn't live here anymore
- ls: home directory who??
- grep: gone. really!

Groups
- Purpose
  – let a set of users share files by extending common permissions to them
- Mechanism
  – files have a group affiliation
  – users have group memberships
  – separate access to a file can be extended to members of its group

There are groups

Groups are defined in the file /etc/group:

    ..
    administrators:x:542:socrates,roy
    teachers:x:543:plato
    students:x:544:aristotle
    ..

Composing a group
- assign groups to users – use usermod

    usermod -G employees,salesmen willie

- or, assign users to groups – use gpasswd (same result as the usermod line above)

    gpasswd -a willie employees
    gpasswd -a willie salesmen

- gpasswd -M sets a group's whole member list at once

    gpasswd -M willie,billy,milly fools

Files have (1) a user affiliation, (2) a group affiliation, (3) a permissions setting

All three are shown by the ls -l command:

    [root@EMACH1 schools]# ls -l
    total 12
    -rw-r--r-- 1 root students 121 Dec 8 17:15 assignments
    -rw-rw---- 1 root teachers 119 Dec 8 17:13 grades
    -rw-r----- 1 root administ  95 Dec 8 17:10 salaries

- first column: the files' permissions settings
- third column (root): the files' affiliated users
- fourth column (students, teachers, administ): the files' affiliated groups

Where? : inode

The structure of a file is found in the inode table of an ext filesystem:

    field size  start  end  Item
    2           1      2    File type and access rights
    2           3      4    Owner identification
    4           5      8    File length in bytes
    4           9      12   Time of last file access
    4           13     16   Time that inode last changed
    4           17     20   Time that file
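As an added example (not part of the slides), the following parses /etc/passwd- and /etc/group-style records and evaluates the access decision z = f(file's permissions, user) for the "schools" listing above, applying the Unix rule that only one class of permission bits (owner, group, or other) is consulted. The passwd lines, UIDs and the full group name "administrators" (shown abbreviated as "administ" by ls) are constructed for the example.

```python
# Added example, not from the slides: parse /etc/passwd- and /etc/group-style
# records and evaluate the Unix access decision z = f(file's permissions, user)
# for the "schools" listing on the slides. The passwd lines are constructed.

# constructed /etc/passwd lines: name:pw:UID:GID:realname:home:shell
PASSWD = """root:x:0:0:root:/root:/bin/bash
socrates:x:1001:542:Socrates:/home/socrates:/bin/bash
plato:x:1002:543:Plato:/home/plato:/bin/bash
aristotle:x:1003:544:Aristotle:/home/aristotle:/bin/bash"""

# /etc/group lines from the slides: name:pw:GID:member,list
GROUP = """administrators:x:542:socrates,roy
teachers:x:543:plato
students:x:544:aristotle"""

# the ls -l listing from the slides as name -> (mode, owner, group);
# "administ" on the slide is the full group name administrators
FILES = {"assignments": ("-rw-r--r--", "root", "students"),
         "grades":      ("-rw-rw----", "root", "teachers"),
         "salaries":    ("-rw-r-----", "root", "administrators")}

def parse_passwd(text):
    """name -> (uid, primary gid) from the 7 colon-separated fields."""
    return {f[0]: (int(f[2]), int(f[3]))
            for f in (line.split(":") for line in text.splitlines())}

def parse_group(text):
    """group name -> (gid, set of supplementary members)."""
    out = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        out[name] = (int(gid), {m for m in members.split(",") if m})
    return out

def gids_of(user, users, groups):
    """Every gid a process running as `user` carries: primary gid + memberships."""
    _uid, primary = users[user]
    return {primary} | {gid for gid, members in groups.values() if user in members}

def can_access(user, fname, want, users, groups):
    """want is 'r', 'w' or 'x'. Root bypasses r/w bits (needs some x bit for x);
    otherwise exactly one class of bits is consulted: owner, else group, else other."""
    mode, owner, group = FILES[fname]
    uid = users[user][0]
    if uid == 0:
        return want != "x" or "x" in mode
    if uid == users[owner][0]:
        bits = mode[1:4]                                  # owner class
    elif groups[group][0] in gids_of(user, users, groups):
        bits = mode[4:7]                                  # group class
    else:
        bits = mode[7:10]                                 # other class
    return want in bits
```

Because only the matching class is consulted, a member of teachers can write grades through the group bits, while a non-member gets the "---" other bits and cannot even read it.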