1z0-821 Oracle Solaris 11 System Administration – System and File Access Part 2

4. Control Access to Systems pt. 2

In part two of Control Access to Systems, we’re actually going to continue our demonstration of roles and authorizations and create a role that can manage a service and provide the authorizations to that role. So let’s go ahead and take a look at how to do this. Okay, we’re back in Solaris Eleven and I’ve opened up the SMF Services Manager because I want to list service here and tell you about it. We’re just going to pick the Oracle Configuration Manager service, so let’s double click on it and we can see what kind of properties it has. We’re looking at the default instance, by the way, and the OCM helps you configure Oracle for sending messages back to Oracle for troubleshooting purposes. By the way. We have some properties here that have some different names and values and some dependencies as well. So it’s a typical service. Now what I want to do is go to a terminal and we’re going to look at this particular service and get some authorization properties.

Now services have management authorizations in here that we’re going to look at. Let’s do a SVC prop. We’re looking at service, so we have to know the service name. This is for OCM. So serviceystemocm, we’re going to look at the default instance and we’re going to pipe that into grip and we’re going to search on manage and what we have is the authorization string for the service. In other words, you would have to have this particular authorization, solaris SMF manage OCM in order to manage that service. And managing means starting, stopping, and restarting. So what we’re going to do is try to give permissions to start and stop and restart this particular service to a role. So now that we’ve done this, we want to create a role. We’re going to do role add and with a capital A to add the role. And we’re going to give the authorization here.

Solaris SMF manage OCM and we’re going to do a dash scene. If you don’t understand these particular switches and options, don’t worry, just look up the command, run a Help or a man page on it, just kind of showing you how it works. We’re going to give it a name or a description rather, and then we’re going to give it a username sort of to speak Ocmmgr. Okay, so we are going to add this role and it added. So now we want to look at this role. We’re going to do auths and Ocmmgr and see it has the default authorizations that a normal user would have and it has that OCM authorization also. Now keep in mind a role is set up almost like a normal user account. It has a password so that when you authenticate to that role, you have to provide a password.

But we’re not there yet. Let’s check Etsy password and make sure that role is in there that we just created because it’ll be stored in there as well. And it’s in there and we want to set a password for it. So we’re going to go password ocmgr. And we’re going to make the password for it and repeat it. And now we have us a role built and it has an authorization. Let’s assign this role to a couple of users. Let’s go user mod.

And to add a role to a user, we do a plus capital r and we’re going to do plus OCM MGR command. And we’re going to add that to the Oscar account. Let’s see what we did wrong here. It’s using my dashr, actually. I’m sorry. Let’s make sure that worked. It looks like it did. Now let’s do a roles for Oscar and we see that he has the OCM MGR role.

Now, let’s verify that Oscar has those authorizations because of his new role. And we see that he has the typical user authorizations that you would see. And the reason is, we have not logged into this role. Oscar has not authenticated this role. Now, when Oscar authenticates to the role, then we will see that they have added this authorization to Oscar, that the role has done this. So we should be able to log out, log back in as Oscar authenticate to the role. And we would have that. You can try this on your own, if you like, using the demonstration we just showed. And that’s basically how to build roles, assign them authorizations and assign them to users. And that’s part of securing the system.

5. Control Access to Files pt. 1

Now let’s talk about controlling access to files. For our next topic, we looked earlier at controlling access to the system. So now it’s time for looking file permissions. Now we have some traditional Unix permissions that we’ll talk about, even though sometimes there’s more permissions that are specialized to different brands of Unix or different flavors of Linux. Now, if you’ve looked at Windows permissions before, they look significantly different. Now we’re only going to look at the traditional Unix permissions that you would find on most Unix or Linux boxes. And those are read, write and execute. Now, sometimes we’ll see them abbreviated using RW and X. You even might see them as things like RX or WX.

And the reason that is, is if a particular individual doesn’t have all those permissions, the dash takes the place of the one they don’t have. So if they have everything, it’s Rwx for read, write and execute. If they only have RW, then they don’t have the execute permission, obviously. So that’s kind of how that works. Another thing that’s sometimes difficult to understand for file permissions are the Octal values. The Octave values also designate the permissions. The same way you have read, which is four, write, which is two, and execute, which is one. Where most people stop, the understanding part is that they’re additive to express combined permissions.

Sometimes that’s hard to get your head wrapped around. If you have just one permission, obviously it’s either four or two or one. But what if you have read and write together? What is it? Well, I’ve given you some examples here on the screen that may help you understand a little bit better, and I’ll go over them. If you have seven, that means you have read, write and execute combined. That’s four plus two plus one, read plus write plus execute. If you have six, you have read and write combined because that’s just four plus two. There’s no execute, so there’s no one. Five is read and execute combined because you have four and one, four is read only.

Obviously, three is right. And execute combined. Two plus one and two by itself will be right. Only one by itself would be execute only and a zero would be no permissions. So you see how that works. So if I say that someone has a six, they obviously have just read and write because read and write four plus two is six. Easy to understand that once you break it out. Now here’s where it gets a little bit muddier. Permissions are typically assigned to groups of users. As a group of three. This is kind of difficult to understand, but just bear with me. Typically you have a user, and in most Unix circles that’s called the owner. You’ll see those terms interchangeably and then you have the group and that’s the group that’s been assigned permissions to that file.

And then you have all others. Anyone who’s not in the group and not the owner. Now, we typically view those as three sets of three permissions in directory listings. One set for each group that we mentioned. And I’ll give you an example of that coming up. But for now, here are some examples that you can use to understand how this works. Okay, for example, let’s say you have six four, four. That’s actually three sets. Six is for the owner, four is for the group, and four is for others. So you have six meaning the owner has read and write. Four meaning the group has right, and four, meaning all others have right. Let’s say you have something like 700. The owner has read, write and execute all permissions. The group has zero, and all others have zero. Let’s look at 755.

The owner has read, write and execute. So it’s a seven. The group has read and execute, making it a five, and all others have read and execute, making it a five. And you could have other combinations of this as well. You could have a six, four one, or a six four two or whatever. So you can play with this and make this a little bit any way you want to and assign permissions in various ways depending upon what your security needs are. Now, let’s look at default file permissions. In the umask, there’s a thing called a you mask. And what it does is it masks permissions for the entire system when you create a brand new file. And this gives you the default file permission. So when a brand new file is created, it gets a default permission. Unfortunately, the UMass value doesn’t work the same way file permissions work there. It’s not additive, it’s subtractive.

Let me give you an example. If you have a UMass of zero two, you would subtract that from seven seven seven, and you’d get seven five. So you’re actually almost inversing the number. If you had a umask of 00:27, that would be a little bit more restrictive, seven 50. So the 00:27 gives you seven 50, which means the zero is for others who have nothing. So it’s a little bit more restrictive. So that’s kind of how this works. It is a little bit confusing and typically you don’t mess with the default UMass very much. You can if you work in a very secure environment. But you have to be careful because some of the permissions, if you change them from their defaults, people won’t be able to read, write, or execute files that they should be able to. So you have to be careful. All in all, you may want to assign a more restrictive permission after you’ve changed permissions on the files that exist the way you want them. And also keep in mind that once you change the umask, it only applies to new files, files, not the ones that already exist. So in the next session, we’re going to look at the file permissions and how they look the directory listing, we’ll look at the umask and we’ll look at a few other commands to help you manage permissions as well.

6. Control Access to Files pt. 2

In the second part of our discussion on controlling access to files, we’re going to have a demonstration of changing file access permissions. Now, we’re going to look at a few commands, and we’re going to look at things in the GUI. We’ll look at the UMass command, which we talked about earlier, and two commands which we haven’t talked about at all yet. And that’s the chimod, which is used to change permissions on a file, and the Chone, which is used to change owners. And we’ll discuss those while we’re showing them to you. Okay, we’re in our terminal. A couple of things I want to show you quickly is the umask, and we get 22. Now, we can change the UMAS simply by going umask, 27 if we want, and then we can type umask again, 27. Let’s go ahead and change it back to defaults so we don’t mess up any brand new files. Okay, now let’s see where we’re at. We’re inhome bobbydirectory, let me clear the screen for a bit. I want to go ahead and do a directory.

Now, if you just do an LS, that’s all you get. If you want to see all the files, including the hidden ones, and see their permissions and their owners, you may do an LS dash, let’s say an Al. There are other options available with the LS command, of course. Let’s talk about what we’re seeing here. The first column. If it’s a D in the first character, that means it’s a directory. If there’s a dash in the first character, that means it’s a file. And there are other characters that can be there as well. Now, after that first character, we see our first sets of permissions. We see the Rwx, Rwx, Rwx on the bottom file called test data. So that particular set of file permissions means that the owner has read, write, and execute.

The group has read, write, and execute, and all others have read, write, and execute. If you look up through the rest of the files, you’ll see that you see dashes in the places of the R’s, WS and X’s occasionally. For example, if you look up a little bit to the Xsession errors, you see that the owner has read and write, and there are no other permissions for anyone else. If you look at the permissions on a directory, say, documents, for example, you see the D there in the first character that indicates it’s a directory. And then you see Rwx for the owner. So it has read, write, and execute. And then RX, it is the middle three, meaning it has read and execute. The group does. And if you see the second, the third column, RX, the third three, that means all others have read and execute. So people could read out of that directory and execute any executable files in there, but they can’t write to the directory. Only the owner can. Now, who’s the owner? Well, if you look in the third column, you’ll see the name Bobby.

That’s me, and I’m the owner. That’s the user who’s the owner. If you look in the next column, you’ll see the group that has permissions to that. So it’s that group, that primary group that Bobby belongs to that actually has permission to Bobby’s files. So by default, when a user creates a file, the group they belong to as the primary is the default group profile they create. Let’s go ahead and play around a little bit. Let’s create a file touch. Let’s just say test file and Touch just creates a file. Now let’s do an LS dash al again. And we see that by default, Test File came up with the permissions of read and write for the owner, read for the group, and read for all others. And that’s permissions of six, four, four. Okay? And that’s what the default, umask, gives us. Now, if we want to, we can change the test file. We can change the file permissions. We may want to make them less restrictive, so we may say chamad, and we may make those very, let’s say we won’t make them restrictive at all. We’ll say seven, seven, which is everybody has read, write, and execute. And we say test file. And now let’s do an LS dash L. And now look, test File has read, write, and execute for everyone. Now, right now, since Root created the file, root is the owner. Now, Root can do a chimot on anybody’s files. But as far as being a normal owner, you can only change your own files.

You can’t change other people’s files unless you’re Root. Let’s change the owner of the file to Bobby. Let’s go, Joan. Or change owner Bobby and then test file. Now let’s do Lschl again and we see that the owner has changed. Now, the group didn’t. Why is that? Because the original owner had the group that was Root. And the group can be changed as well. We can change that if we want to, but you kind of get the picture of how this works. So those are changing file permissions in Solaris Eleven using the traditional Unix permissions set. And again, some other implementations have different, more additional permissions and implement them differently. But we’re only talking about the traditional Unix ones here. Read, write, and execute. Four, two and one. Remember that for the exam and remember Umask and how it works. And definitely do some practice with this, just like I did. Practice using the different commands, own Chamod and creating files and so forth, and looking at their permissions. And also practice looking at the examples, determine what permission values will be. So that’s really all there is to controlling access to files.

• Category: Uncategorized