Next: File Archiving and Compression Up: Introduction to the Linux Previous: Searching for People

Security

The username and real name of a user are stored in Linux's password file /etc/passwd, which any user can read. Originally the passwd file included everyone's encrypted passwords, but nowadays this is recognised as A Bad Idea so these are usually stored elsewhere in a secure file, and replaced with a single x in the passwd file.

If you would like to change your password you can use the passwd command

[phasnip@mijpnb1 Linux]$ passwd
Changing password for phasnip
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
and to prevent someone from seeing your password by looking over your shoulder, Linux will not print the characters you type.

Linux takes security and privacy very seriously, and you can restrict access to your files easily. To see how to do this, we'll first look at the ls -l command.

[phasnip@mijpnb1 Linux]$ cd ..
[phasnip@mijpnb1 Teaching]$ ls -l
total 88
drwxrwxr-x    2 phasnip  phasnip      4096 Oct 18 11:50 Linux
-rw-rw-r--    1 phasnip  phasnip     81920 Oct 17 22:31 linux.tar

This lists all the files in the directory but with a lot more information. The first column contains the permissions of each file, which controls what they do and who can look at them. The third and fourth columns show who owns the files and which group the files belong to. Next we have the size of the file, followed by the date and time the file was last modified.

Let's look again at the permissions in the first column. Notice that each entry consists of ten characters. The first tells Linux what kind of file it is - ordinary files have this unset so we just see -, whereas directories have a d here.

The next nine characters are grouped into three threes. The first triplet says what the owner of the file can do. The first character is either r, which means the owner can read the file, or - which means they cannot. Similarly the next character is either w, which means they can write to the file (i.e. edit it), or -.

The last character in this triplet is usually either x or - (some system commands have s here, but I'm going to ignore that). x tells Linux that this file can be executed by the owner, i.e. that it contains commands for the computer. All programs should have this set. For a directory it doesn't make sense to be able to execute it, so the x is interpreted as meaning you can change directory to it.

The next triplet is like the previous one, but refers to users in the same group as the file. Use the groups command to see which groups you belong to.

The final triplet is like the previous two, but describes the permissions for all other users on the computer, i.e. people who aren't you and aren't in your group.
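To make the ten-character field concrete, here is a small shell function (an added example, not part of the original tutorial) that takes the first column of ls -l output and spells out the file type and the three triplets in words. The function names decode_perms and triplet_words are my own; the inputs in the comments are constructed strings, not files from the tutorial's system.

```sh
#!/bin/sh
# Added example: decode the permission field printed by "ls -l".
# Usage: decode_perms "-rw-r-----"   or   decode_perms "$(ls -ld somefile)"

triplet_words() {
    # $1 is a three-character triplet such as "rw-"; print what it grants.
    # $xword is "execute" for ordinary files and "enter" for directories,
    # because x on a directory means you may cd into it.
    t=$1
    words=""
    case $t in r??) words="read" ;; esac
    case $t in ?w?) words="${words:+$words,}write" ;; esac
    # "s" in the third position (set-uid/set-gid) still implies execute
    case $t in ??[xs]) words="${words:+$words,}$xword" ;; esac
    printf '%s\n' "${words:-none}"
}

decode_perms() {
    # Keep only the first ten characters, so a whole "ls -ld" line can be passed in
    # (some systems append "+" or "@" after the tenth character).
    p=$(printf '%s\n' "$1" | cut -c1-10)
    if [ ${#p} -ne 10 ]; then
        printf 'bad permission string: %s\n' "$1" >&2
        return 1
    fi
    case $p in
        d*) kind=directory; xword=enter ;;
        -*) kind=file;      xword=execute ;;
        *)  kind=special;   xword=execute ;;
    esac
    u=$(printf '%s\n' "$p" | cut -c2-4)    # owner triplet
    g=$(printf '%s\n' "$p" | cut -c5-7)    # group triplet
    o=$(printf '%s\n' "$p" | cut -c8-10)   # others triplet
    printf '%s owner=%s group=%s others=%s\n' \
        "$kind" "$(triplet_words "$u")" "$(triplet_words "$g")" "$(triplet_words "$o")"
}

# Constructed inputs taken from the shapes shown in the tutorial's listings:
decode_perms "drwxrwxr-x"   # directory owner=read,write,enter group=read,write,enter others=read,enter
decode_perms "-rw-rw-r--"   # file owner=read,write group=read,write others=read
```

Passing an ls -ld line straight in, e.g. decode_perms "$(ls -ld Linux)", works because everything after the tenth character is discarded.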

To change the permissions of a file you use the change mode command, chmod.

[phasnip@mijpnb1 Teaching]$ cd ~
[phasnip@mijpnb1 ~]$ ls -l minimiser.tex
-rw-rw-r--    1 phasnip  phasnip      1707 Sep 15 21:58 minimiser.tex
[phasnip@mijpnb1 ~]$ chmod u-r minimiser.tex
[phasnip@mijpnb1 ~]$ ls -l minimiser.tex
--w-rw-r--    1 phasnip  phasnip      1707 Sep 15 21:58 minimiser.tex
[phasnip@mijpnb1 ~]$ more minimiser.tex
minimiser.tex: Permission denied

Here we used u-r to remove read permission for the user who owns the file. Notice that this takes precedence over the group permission, which still allows read. To change the permissions for the group, or for others, use g or o instead of u. You can change the permissions for more than one of them at once by putting both characters together:

[phasnip@mijpnb1 ~]$ chmod go-w minimiser.tex
[phasnip@mijpnb1 ~]$ ls -l minimiser.tex
--w-r--r--    1 phasnip  phasnip      1707 Sep 15 21:58 minimiser.tex

Notice that we used w this time, so we were removing the write permissions rather than read. Similarly we could use x to remove executable permission. If we want to change permissions for users, groups and others we could either use chmod ugo or the shortcut chmod a for 'all'.

Adding permissions is just as easy as removing them: we simply use + instead of -. What we probably want for this file is to restrict reading to everyone in the group, and only allow the user to modify it.

[phasnip@mijpnb1 ~]$ chmod o-r minimiser.tex
[phasnip@mijpnb1 ~]$ chmod u+r minimiser.tex
[phasnip@mijpnb1 ~]$ !ls
ls -l minimiser.tex
-rw-r-----    1 phasnip  phasnip      1707 Sep 15 21:58 minimiser.tex
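The sequence above can be wrapped in a script so the result is checked rather than eyeballed. The following is an added example, not part of the original tutorial: it creates a scratch file, puts it into the -rw-rw-r-- state the tutorial starts from (using chmod's comma-separated u=,g=,o= form, which the tutorial does not cover), applies the same go-w and o-r steps, and reads the mode back with ls -l. The function names mode_of, lock_down and others_can_read are my own.

```sh
#!/bin/sh
# Added example: apply the tutorial's chmod steps and verify the outcome.

mode_of() {
    # Print the ten-character permission field for a single file or directory.
    ls -ld "$1" | cut -c1-10
}

lock_down() {
    # Take $1 to owner read+write, group read, nothing for others,
    # following the same steps as the tutorial. Prints the final mode.
    f=$1
    chmod u=rw,g=rw,o=r "$f"    # start from the tutorial's -rw-rw-r-- regardless of umask
    chmod go-w "$f"             # group and others lose write
    chmod o-r "$f"              # others lose read
    mode_of "$f"
}

others_can_read() {
    # Succeed (exit 0) if the "others" triplet of $1 grants read.
    # A check like this is what you would run over files that must stay private.
    case $(mode_of "$1") in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed demonstration on a temporary file:
scratch=$(mktemp)
printf 'example contents\n' > "$scratch"
echo "before: $(mode_of "$scratch")"
echo "after:  $(lock_down "$scratch")"      # after:  -rw-r-----
if others_can_read "$scratch"; then
    echo "others can still read $scratch"
else
    echo "others cannot read $scratch"
fi
# Note: the mode string is the reliable test. Trying "cat" as a check is
# misleading for the superuser, who is not stopped by these permissions.
rm -f "$scratch"
```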

It is also sometimes useful to change the user or group that the files belong to. To do this use the commands chown or chgrp.

[phasnip@mijpnb1 ~]$ chgrp cmt minimiser.tex

This changes the group the file belongs to to 'cmt' (provided this group is defined on the computer you're using).

You will usually find you cannot create or modify files in most directories on the system. There is one user that has special privileges and is able to view or modify any file on the computer. This user is called the superuser or root user, and many of the system processes are run as this user.


Phil Hasnip 2007-08-23