In Unix, the kernel is the program that has unrestricted access to the whole machine. All other programs (subjects) run as a specific identity and their access to files and devices (objects) is mediated by the kernel.
User and group id
Access decisions are made on the basis of the userid/groupid associated with the program.
If the user is
root(userid= 0), access is always granted by the kernel.
Users have a primary group which usually have same id ad name as the user id, but they may belong to several additional groups. By joining an existing group, a user inherits the permissions it grants. Command id displays information about user and group id:
alice:~$ id uid=1000(alice) gid=1000(alice) groups=1000(alice),1003(student) alice:~$ groups alice student
Explanation:
uidis the user id, for alice it is number 1000gidis the primary group id, for alice it is the same as uid, i.e., 1000. This group is the one assigned at login and is used when files are created (see below)groupslists all the groups alice belongs to:alice(the default group) andstudent
In the docker container you have three users (alice, bob, carol), plus root. Use su command to switch from one user to the other. You start as alice. Passwords for bob, carol and root are the same as the username, i.e., bob, carol and root, respectively.
alice:~$ su bob Password: bob:/home/alice$ exit exit alice:~$
su bobstarts a shell as bob. Withexityou go back toaliceshell.
Unix permissions
Using the ls -l command we can display the Unix permissions set to a file or a directory:
alice:~$ touch myfile # creates an empty file named myfile alice:~$ ls -l myfile total 0 -rw-rw-r-- 1 alice alice 0 Oct 3 08:08 myfile
Explanation:
- The fields displayed from left to right are:
- file permissions
-rw-rw-r--, - number of links
1, - owner name
alice, - owner group
alice, (the primary group is used when creating a new file) - file size
0, - time of last modification
Oct 3 08:08, and - file/directory name
myfile
- file permissions
- Apart from the first
-(which represents the type of the file), file permissionrw-rw-r--is made of 3 triads defining the permissions granted to the owner, to the group and to all the other users, respectively. Each permission triad is commonly made up of the following characters:r: the file can be read / the directory’s contents can be shownw: the file file can be modified / the directory’s contents can be modifiedx: the file can be executed / the directory can be traverseds: the file isSUIDifsis found in the user triad (SGIDifsis in the group triad). Impliesx. Enables the file to run with the privileges of its owner (or group).
Example 1
In the following example file rootfile1 is owned by root and has group student. It gives read and write permissions to root and only read permission to student:
alice@3545200f0b11:~$ ls -l rootfile1 -rw-r----- 1 root student 39 Oct 3 08:26 rootfile1 alice@3545200f0b11:~$ id uid=1000(alice) gid=1000(alice) groups=1000(alice),1003(student) alice@3545200f0b11:~$ cat rootfile1 # read access This file is readable by student group alice@3545200f0b11:~$ cat > rootfile1 # write access bash: rootfile1: Permission denied
Explanation:
rw-r-----gives read/write permissions to owner (root) and only read permission to group studentcat rootfile1prints the file content (read access) and this is allowed since alice belong to group studentcat > rootfile1writes from stdin into the file (write access) and this is not allowed since student group permissions arer--
Example 2
File rootfile2 has the same permissions as rootfile1 but group is root, so it can only be read by root:
alice@3545200f0b11:~$ ls -l rootfile2 -rw-r----- 1 root root 35 Oct 3 08:26 rootfile2 alice@3545200f0b11:~$ cat rootfile2 # read access cat: rootfile2: Permission denied alice@3545200f0b11:~$ cat > rootfile2 # write access bash: rootfile2: Permission denied
Exercise
Look for a file in /tmp/ that is accessible by alice. It contains the password to Task 2!