Overview of Permissions
Unix/Linux is a multiuser operating system, so every file is associated with a set of permissions. The permissions determine whether a particular user or group may read, write or execute the file.
mywbut.com 1

Permission Types
Four symbols are used when displaying permissions:
    r : permission to read a file, or to list a directory's contents
    w : permission to write to a file, or to create and remove files in a directory
    x : permission to execute a program, or to enter (traverse) a directory and access the files in it by name
    - : no permission (in place of r, w or x)
On a directory, r alone lets you list the names but not stat or open the entries; x alone lets you reach a file whose name you already know. A long listing (ls -l) of a directory needs both r and x.
Examining Permissions
File permissions may be viewed with ls -l:
    $ ls -l /bin/login
    -rwxr-xr-x 1 root root 19080 Apr 1 18:26 /bin/login
The file type and permissions are represented by a 10-character string: the first character is the type (- regular file, d directory, l symbolic link), followed by three rwx triplets for owner, group and others.
Interpreting Permissions
    -rwxr-x--- 1 andersen trusted 2948 Oct 11 14:07 myscript
Read, write and execute for the owner, andersen
Read and execute for members of the trusted group
No access for all others
Changing File Ownership
Only root can change a file's owner.
Root or the file's owner can change a file's group; an unprivileged owner can only assign a group of which they are a member.
Ownership is changed with chown:
    chown [-R] user_name file|directory
    chown [-R] user_name:group_name file|directory    (owner and group at once)
Group ownership is changed with chgrp:
    chgrp [-R] group_name file|directory
Changing Permissions – Symbolic Method
To change access modes:
    chmod [-R] mode file
where mode is built from:
    u, g, o or a for user (owner), group, others, or all three
    +, - or = to grant, deny, or set exactly
    r, w or x for read, write and execute
Examples:
    ugo+r : grant read access to all
    o-wx  : deny write and execute to others
Changing Permissions – Numeric Method
Uses a three-digit octal mode number:
    first digit  : owner's permissions
    second digit : group permissions
    third digit  : others' permissions
Each digit is calculated by adding:
    4 (for read)
    2 (for write)
    1 (for execute)
Example:
    chmod 640 myfile      owner rw-, group r--, others ---
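The following is an added example (not from the original slides) that ties the two notations together: it converts the nine-character rwx string shown by ls -l into the octal digits chmod's numeric form takes, then confirms on a scratch file that the symbolic and numeric chmod forms produce the same mode, reading it back with stat(1). It assumes GNU coreutils on Linux; the setuid, setgid and sticky bits are not folded into the octal result, but a lower-case s or t is still counted as the x bit being set.

```shell
#!/bin/sh
# Added example (not from the original slides): convert the rwx string that
# ls -l prints into the three-digit octal mode that chmod's numeric form
# takes, then confirm on a scratch file that the symbolic and numeric chmod
# forms yield the same mode, reading it back with stat(1).
# Assumes GNU coreutils (stat -c, mktemp -d) on Linux. The setuid, setgid and
# sticky bits (s/S/t/T) are not folded into the result; a lower-case s or t
# still counts as the x bit being set.

# triplet_to_digit "r-x" -> 5
triplet_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??x | ??s | ??t) d=$((d + 1)) ;; esac
    echo "$d"
}

# sym_to_octal "rwxr-x---" -> 750  (owner, group, others triplets)
sym_to_octal() {
    if [ "${#1}" -ne 9 ]; then
        echo "expected a 9-character mode string, got '$1'" >&2
        return 1
    fi
    o=$(printf '%s' "$1" | cut -c1-3)
    g=$(printf '%s' "$1" | cut -c4-6)
    w=$(printf '%s' "$1" | cut -c7-9)
    echo "$(triplet_to_digit "$o")$(triplet_to_digit "$g")$(triplet_to_digit "$w")"
}

# Apply the same mode numerically and symbolically; print the three readings.
chmod_roundtrip() {
    work=$(mktemp -d) || return 1
    : > "$work/myfile"

    chmod 640 "$work/myfile"                    # numeric: rw- r-- ---
    numeric=$(stat -c %a "$work/myfile")

    chmod 000 "$work/myfile"
    chmod u+rw,g+r "$work/myfile"               # symbolic, starting from nothing
    symbolic=$(stat -c %a "$work/myfile")

    shown=$(stat -c %A "$work/myfile" | cut -c2-10)   # drop the type character
    rm -rf "$work"
    echo "$numeric $symbolic $(sym_to_octal "$shown")"   # 640 640 640
}

chmod_roundtrip
```

Run it as a plain script; the three numbers printed are the mode set numerically, the mode set symbolically, and the octal value recomputed from the rwx string, which all agree.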
What is a Process?
A process is a program loaded into memory and executing.
Each process is identified by a numeric process ID (PID).
Its UID, GID and SELinux context determine filesystem access; these are normally inherited from the user who started it (setuid programs are the exception).
A new process is created in three phases, using three system calls:
    fork()  : the parent duplicates itself into a child
    exec()  : the child replaces its image with the new program
    wait()  : the parent waits for the child to finish and collects its exit status
Listing Processes
View process information with ps. By default it shows processes from the current terminal.
    -a   includes processes on all terminals
    -x   includes processes not attached to a terminal
    -u   prints process owner information
    -f   prints process parentage (full format)
    -o PROPERTY,...   prints custom columns, e.g. pid, comm, %cpu, %mem, state, tty, euser, ruser
    $ ps f      visual (ASCII-art) representation of the process tree
init process and the login shell
init is the system process with PID 1 and is the ancestor of almost all processes on a Unix or Linux system (on systemd-based distributions PID 1 is systemd, which plays the same role).
In the classical model, when the system starts up and moves to multiuser mode, init forks and execs a getty process on every port connected to a terminal. When a user attempts to log in, getty execs the login program to verify the login name and password. On successful login, login starts the user's shell (classically by exec; some implementations fork first so that a parent can tidy up when the session ends). getty and login do not survive as separate processes: each overlays itself with the next program via exec.

Sequence of processes leading to the shell
    init -> getty -> login -> shell

The PID of the current shell is stored in the special variable $$. At an interactive prompt this is the login shell:
    $ echo $$
The PID of your login shell does not change as long as you are logged in. When you log out and log in again, the new login shell is assigned a different PID. Inside a script, $$ is the PID of the shell running that script, not of your login shell.
Running jobs in background
The & is the shell operator used to run a process in the background:
    $ sort -o emp.lst emp.lst &
The nohup (no hangup) command, when prefixed to a command, lets the process keep running after the user has logged out: the process ignores SIGHUP, and if its output was going to the terminal it is redirected to nohup.out.
    $ nohup sort emp.lst &
Job Control
Run a process in the background: append an ampersand to the command line:
    firefox &
Temporarily halt a running foreground program: press Ctrl-Z, which sends SIGTSTP, or send SIGSTOP from another terminal with kill -STOP pid. SIGSTOP cannot be caught or ignored. Signal numbers differ between Unix flavours and architectures, so refer to signals by name.

Job Control
To push the current foreground job into the background, first suspend it with Ctrl-Z, then use the bg command.
To view the list of jobs started from this shell:
    $ jobs
To bring a background or stopped job to the foreground, use fg; with no argument it acts on the most recent job.
    fg %1      brings the first job to the foreground
    fg %sort   brings the job whose command begins with sort to the foreground
    bg %2      resumes the second job in the background
Finding Processes
Most flexible: combine ps options with other commands:
    ps axo comm,tty | grep ttyS0
By predefined patterns: pgrep
    $ pgrep -U root
    $ pgrep -G student
By exact program name: pidof
    $ pidof bash
Signals
A signal is an asynchronous notification delivered to a process by the kernel, by the shell or by another process. It may report an error condition (floating-point exception, illegal instruction, memory access violation) or an event such as the user pressing the interrupt key. Each signal is identified by a small integer and a symbolic name.
The list of signals on your machine can be shown with kill -l; the definitions live in the C headers under /usr/include (signal.h and, on Linux, the bits/signum*.h files it includes).
Signals are sent directly to processes; no user interface is required.
Programs may associate a handler action with each signal, except SIGKILL and SIGSTOP, which cannot be caught, blocked or ignored.
Signals are specified by name or number when sent; names are portable, numbers are not.
List of commonly used signals
    Number  Name      Function
    1       SIGHUP    Hangup: the controlling terminal or connection was closed
    2       SIGINT    Terminal interrupt: the user pressed the interrupt key (Ctrl-C)
    3       SIGQUIT   Quit from terminal (Ctrl-\), with a core dump
    9       SIGKILL   Surest kill: cannot be trapped
    15      SIGTERM   Default termination signal used by kill; can be trapped for a clean shutdown
    20      SIGTSTP   Suspend process: the user pressed Ctrl-Z
The numbers shown are for Linux on x86; they vary between Unix flavours and architectures (17, for example, is SIGCHLD on Linux, not SIGTSTP), so send signals by name.
Sending Signals to Processes
By PID:
    kill [-signal] pid ...
By name:
    killall [-signal] comm ...
With no signal given, both send SIGTERM. Examples: kill -TERM 1234, kill -9 1234, killall -HUP comm.
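The following is an added example (not from the original slides) showing the difference between a trappable signal and SIGKILL. A background child installs handlers for SIGTERM and SIGHUP with trap, each exiting with a distinctive status; the parent sends a signal with kill, collects the child with wait, and prints the status. A process that dies from an uncaught signal N is reported by the shell as 128+N. It assumes a POSIX sh on Linux, where SIGKILL is 9 (hence 137). SIGINT is deliberately not used: background commands in a non-interactive shell start with SIGINT ignored, and an ignored signal cannot be trapped.

```shell
#!/bin/sh
# Added example, not from the original slides: a background child installs
# handlers (trap) for SIGTERM and SIGHUP and exits with a distinctive status
# from each, while SIGKILL cannot be caught. The parent sends a signal with
# kill, collects the child with wait, and reports the status; a process that
# dies from an uncaught signal N is reported by the shell as 128+N.
# Assumes a POSIX sh on Linux (SIGKILL = 9, so 137 below).

# signal_outcome NAME -> exit status the child ended with after kill -s NAME
signal_outcome() {
    sh -c 'trap "exit 42" TERM
           trap "exit 43" HUP
           while :; do sleep 1; done' &
    child=$!
    sleep 1                     # let the child install its traps first
    kill -s "$1" "$child"
    status=0
    wait "$child" || status=$?  # wait hands back the child's exit status
    echo "$status"
}

# status_to_signal STATUS -> name of the signal behind a 128+N exit status
status_to_signal() {
    kill -l $(( $1 - 128 ))
}

for s in TERM HUP KILL; do
    echo "SIG$s: child exit status $(signal_outcome "$s")"
done
# Expected on Linux: TERM -> 42 (trapped), HUP -> 43 (trapped), KILL -> 137
echo "137 means the child died from SIG$(status_to_signal 137)"
```

The TERM and HUP cases show why daemons trap SIGTERM: the handler gets to run cleanup before exiting. The KILL case shows the kernel terminating the child without giving it any chance to run code, which is also why kill -9 should be the last resort rather than the default.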
Scheduling Priority
Scheduling priority determines a process's share of the CPU.
Priority is affected by the process's nice value: values range from -20 to 19 and default to 0; a lower nice value means a higher CPU priority.
Viewed with:
    ps -o comm,nice
Altering Scheduling Priority
Nice values may be altered...
When starting a process:
    $ nice -n 5 command
After starting:
    $ renice -n 5 -p PID
Only root (or a process with the CAP_SYS_NICE capability) may lower a nice value; unprivileged users can only raise it, and only on their own processes.
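The following is an added example (not from the original slides). It starts a command under nice, raises a running process's nice value with renice, and reads the value back from /proc/PID/stat (field 19) so that the check does not depend on ps being installed. It assumes Linux with GNU coreutils nice and a renice (procps or util-linux) that accepts "renice -n VALUE -p PID".

```shell
#!/bin/sh
# Added example, not from the original slides: start a process with nice,
# change a running process's nice value with renice, and read the value back
# from /proc/<pid>/stat (field 19) so that the check does not depend on ps.
# Assumes Linux with GNU coreutils nice and a renice that accepts
# "renice -n VALUE -p PID" (procps or util-linux).

# nice_of PID -> current nice value of PID
nice_of() {
    # field 2 is "(sleep)" for our child, so plain whitespace splitting is safe
    awk '{ print $19 }' "/proc/$1/stat"
}

# Niceness a command started with "nice -n 5" gets: nice with no command
# simply prints the niceness it was given.
started_with_nice() {
    nice -n 5 nice
}

# Raise a running child's nice value and print "before after".
renice_demo() {
    sleep 30 &
    pid=$!
    before=$(nice_of "$pid")
    renice -n 5 -p "$pid" > /dev/null
    after=$(nice_of "$pid")
    kill "$pid"
    wait "$pid" 2>/dev/null || true
    echo "$before $after"
}

echo "nice -n 5 gives niceness: $(started_with_nice)"        # 5
echo "renice on a running process (before after): $(renice_demo)"   # 0 5
# Lowering the value again (renice -n 0 -p PID) fails for an unprivileged
# user: only root or a process with CAP_SYS_NICE may decrease a nice value.
```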
Interactive Process Management Tools
CLI: top
GUI: gnome-system-monitor
Capabilities: display real-time process information; allow sorting, killing and re-nicing.
Scheduling a Process to Execute Later
One-time jobs use at; recurring jobs use crontab.

at and batch Commands
The at and batch commands provide a mechanism to schedule less urgent jobs for a time when system load is low. at takes as its argument the time at which the job is to run and reads the commands from standard input until end-of-file (Ctrl-D):
    $ at 14:02
    abc.sh
    [Ctrl-D]
The batch command also schedules jobs for later execution, but unlike at the job runs as soon as the system load average permits:
    $ batch < abc.sh
Scheduling System Tasks using at
The at facility is designed to run jobs at specific times. Submitted jobs are spooled in /var/spool/at (on some distributions /var/spool/cron/atjobs), awaiting execution by the at daemon, atd. The file /etc/at.allow lists the users who may submit at jobs; if it does not exist, /etc/at.deny lists those who may not. If neither file exists, on most implementations only root may use at.
Viewing scheduled jobs
Use atq (equivalent to at -l) to view your pending jobs in the at queue. It shows each job's number, the date and time it is scheduled to run, the queue letter and the submitting user.

Deleting scheduled jobs
To cancel a job, use atrm (equivalent to at -d) with one or more job numbers as reported by atq.
Cron: Running jobs periodically
Another way to run commands unattended is via the cron facility. The file /etc/cron.allow lists the users who are granted access, and /etc/cron.deny lists those who may not submit cron jobs; cron.allow takes precedence if both exist. If neither file exists, most cron implementations allow all users (some allow only root), so check your distribution's crontab(1) man page.

Cron: Running jobs periodically
There are four places from which the cron daemon crond picks up jobs:
    /var/spool/cron/username (on Debian-derived systems /var/spool/cron/crontabs/username): each user's own crontab, managed with the crontab command. This per-user model comes from UNIX System V.
    /etc/crontab: the system crontab file, the original crontab from BSD UNIX and its derivatives. Only root may modify it, and each entry carries an extra field naming the user the command runs as.
    /etc/cron.d: files placed here have the same format as /etc/crontab. Only root may create or modify them.
    /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly: each file in these directories is a script run at the times given in /etc/crontab (classically one minute after every hour, 04:02 daily, 04:22 on Sunday and 04:42 on the first of the month, respectively; modern systems usually hand the daily, weekly and monthly runs to anacron).
Since everything in /etc/crontab, /etc/cron.d and the cron.* directories runs as root, those files and directories must be writable only by root.
Crontab File Format
Each entry consists of five space-delimited time fields followed by the command line: minute, hour, day of month, month, and day of week (0 or 7 = Sunday). In /etc/crontab and /etc/cron.d a sixth field, the user name, precedes the command.
One entry per line; there is no limit to line length.
Comment lines begin with #.
A field may be * (any value), a list (1,15), a range (1-5) or a step (*/10).
Modifying scheduled tasks with crontab
The files in /var/spool/cron should not be edited directly; they should only be accessed via the crontab command, which checks the syntax and tells crond about the change.
To list the current contents of your own personal crontab file, type:
    $ crontab -l
To edit it in $EDITOR, or to remove it:
    $ crontab -e
    $ crontab -r
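The following is an added example of a per-user crontab (not from the original slides); the command names and paths are hypothetical. It shows each of the field forms above and the two settings a cron job most often needs because cron starts commands with a minimal environment: an explicit PATH, and absolute paths for anything not on it.

```crontab
# Added example crontab (not from the original slides); commands are hypothetical.
# Field order:  minute  hour  day-of-month  month  day-of-week   command
# cron starts jobs with a minimal environment: set PATH and use absolute paths.
PATH=/usr/local/bin:/usr/bin:/bin
MAILTO=ops

# 02:30 every day: rotate the application log
30 2 * * *        /usr/local/bin/rotate-app-log

# every 15 minutes, Monday to Friday: health check (step and range forms)
*/15 * * * 1-5    /usr/local/bin/health-check

# 04:00 on the 1st and 15th of each month (list form)
0 4 1,15 * *      /usr/local/bin/twice-monthly-report

# every Sunday at 03:00 (0 and 7 both mean Sunday)
0 3 * * 0         /usr/local/bin/weekly-cleanup
```

Install it with crontab - (reading the file from standard input) or by pasting it into crontab -e. An entry destined for /etc/crontab or /etc/cron.d would insert the user name between the day-of-week field and the command.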
Exit Status
Processes report success or failure with an exit status: 0 for success, 1-255 for failure.
$? stores the exit status of the most recent command.
exit [num] terminates the shell and sets its status to num (taken modulo 256).
A process killed by a signal is reported by the shell as 128 plus the signal number (e.g. 143 for SIGTERM, 137 for SIGKILL).
Example:
    $ ping -c1 -W1 station999 &> /dev/null
    $ echo $?
    2
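The following is an added example (not from the original slides) that shows the fork/exec/wait sequence and exit-status reporting as the shell exposes them: & forks a child that execs the command, $! records the child's PID, wait collects the child's exit status, and $? then holds it. It also shows that exit num is taken modulo 256 and that $$ (this shell) and $! (the last background child) are different processes. It assumes a POSIX sh; the unreachable host station999 from the slide is replaced by commands whose results are known offline.

```shell
#!/bin/sh
# Added example, not from the original slides: the fork/exec/wait sequence as
# the shell exposes it. "&" forks a child that execs the command, $! records
# the child's PID, wait collects the child's exit status, and $? then holds it.
# Also shows that "exit num" is taken modulo 256 and that $$ (this shell) and
# $! (the last background child) are different processes.
# Assumes a POSIX sh; the unreachable host station999 from the slide is
# replaced by commands whose results are known offline.

# background_status CMD -> exit status of CMD run in the background
background_status() {
    sh -c "$1" 2>/dev/null &         # fork + exec
    child=$!
    status=0
    wait "$child" || status=$?       # wait; its $? is the child's status
    echo "$status"
}

# exit_code_of NUM -> what the parent sees after a child does "exit NUM"
exit_code_of() {
    status=0
    sh -c "exit $1" || status=$?
    echo "$status"
}

# "yes" if the PID of this shell and of a background child differ
pids_differ() {
    sleep 1 &
    if [ "$$" -ne "$!" ]; then echo yes; else echo no; fi
    wait
}

echo "true in background      -> $(background_status true)"             # 0
echo "exit 3 in background    -> $(background_status 'exit 3')"         # 3
echo "missing command         -> $(background_status no_such_cmd_xyz)"  # 127
echo "exit 256 wraps to       -> $(exit_code_of 256)"                   # 0
echo "exit 300 wraps to       -> $(exit_code_of 300)"                   # 44
echo "\$\$ and \$! differ       -> $(pids_differ)"                        # yes
```

The 127 case is worth remembering when reading logs: it is the shell's own status for "command not found", distinct from anything the program could have returned.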
Restricted shell
To restrict the activities of a user, set up the account with a restricted shell such as rbash (bash -r) or rksh, specified as the login shell in the last field of /etc/passwd.
A user in a restricted shell cannot:
    use the cd command
    set or unset PATH (nor SHELL, ENV or BASH_ENV)
    redefine the shell as a non-restricted shell
    run a command whose name contains a /, so programs cannot be started by relative or absolute pathname
    use the > or >> operators to create or append to a file
The restrictions only hold if PATH points to a directory of vetted commands that the user cannot write to: any permitted command that can start another program or shell (an editor, an interpreter, an unrestricted bash found on PATH) runs unrestricted, and bash turns the restrictions off in the shells it spawns to run scripts.
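The following is an added example (not from the original slides) that runs single commands under bash in restricted mode (bash -r, the same mode that invoking it as rbash enables) and reports which ones the restricted shell refuses. It assumes bash is installed and found on PATH. The last case shows the caveat above: a plain bash started by name from inside the restricted shell is not restricted.

```shell
#!/bin/sh
# Added example, not from the original slides: run single commands under bash
# in restricted mode (bash -r, which is what invoking it as rbash enables) and
# report which ones the restricted shell refuses. Assumes bash is installed
# and found on PATH.

# restricted_try CMD -> "blocked" if restricted bash refuses CMD, else "allowed"
restricted_try() {
    if bash -r -c "$1" > /dev/null 2>&1; then
        echo allowed
    else
        echo blocked
    fi
}

scratch=$(mktemp -d)
for cmd in 'cd /' 'PATH=/tmp' '/bin/echo hi' "echo hi > $scratch/out" \
           'echo hi' 'bash -c "cd / && echo escaped"'; do
    printf '%-40s %s\n' "$cmd" "$(restricted_try "$cmd")"
done
rm -rf "$scratch"
# cd, PATH=, /bin/echo and the > redirection are blocked; plain echo is
# allowed; so is "bash -c ...", because the child bash found on PATH is not
# restricted: rbash only holds if PATH contains nothing that can spawn a shell.
```

In practice that means a restricted account gets its own PATH directory holding only the few vetted programs it needs (symlinks to them, owned by root), with the user's startup files also owned by root so PATH cannot be reset before the restrictions take effect.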
locate command
Queries a pre-built database of paths to files on the system. The database must be updated (updatedb) by the administrator, usually from a daily cron job, so very new files are not found.
The full path is searched, not just the file name.
With mlocate, results are limited to directories where the user has read and execute permission; the older locate database is world-readable and can reveal paths the user could not otherwise see.
locate Examples
    locate foo          search for files with "foo" in the name or path
    locate -r '\.foo$'  regular-expression search for files ending in ".foo" (-r means regex, not recursive)
Useful options:
    -i    performs a case-insensitive search
    -n X  lists only the first X matches
find command
    find [directory...] [criteria...]
Searches directory trees in real time: slower than locate but always current.
The current directory is used if no starting directory is given.
All files are matched if no criteria are given.
Can execute commands on the files found (-exec).
May only search directories where the user has read and execute permission.
Basic find Examples
    find -name snow.png          search for files named snow.png
    find -iname snow.png         case-insensitive: snow.png, Snow.png, SNOW.PNG, etc.
    find -user joe -group joe    files owned by user joe and group joe
find and Logical Operators
Criteria are ANDed together by default. They can be ORed with -o and negated with -not (or !).
Parentheses determine the order of evaluation but must be escaped in bash.
    find -user joe -not -group joe
    find -user joe -o -user jane
    find -not \( -user joe -o -user jane \)
find and Permissions
Can match ownership by name or numeric id:
    find / -user joe -o -uid 500
Can match octal or symbolic permissions:
    find -perm 755    matches if the mode is exactly 755
    find -perm /222   matches if any of the write bits is set (anyone can write)
    find -perm -222   matches if all of the write bits are set (everyone can write)
    find -perm -002   matches if others can write
The older spelling -perm +222 for "any of these bits" is deprecated in GNU find (it clashes with symbolic modes) and current versions reject it; use -perm /222.
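The following is an added example (not from the original slides) that builds a scratch tree with known modes and runs the -perm forms from the last two slides against it, including the -o and \( \) operators, the way a permissions audit for world-writable and setuid files would. It uses -perm /222 rather than the deprecated +222, and assumes GNU findutils and coreutils.

```shell
#!/bin/sh
# Added example, not from the original slides: build a scratch tree with known
# modes and run the -perm forms from the slides against it, combined with the
# -o / \( \) operators, the way a permissions audit would. GNU find has
# replaced "-perm +mode" with "-perm /mode" (current versions reject the +
# form), so the / spelling is used here. Assumes GNU findutils and coreutils.

# count CMD... -> number of lines CMD prints
count() { "$@" | wc -l | tr -d ' '; }

find_perm_demo() {
    work=$(mktemp -d) || return 1
    # constructed sample files: f755, f644, f600, f666, f777, f002, f4755
    for m in 755 644 600 666 777 002 4755; do
        : > "$work/f$m"
        chmod "$m" "$work/f$m"
    done
    exact=$(count find "$work" -type f -perm 755)     # mode is exactly 755
    anyw=$(count find "$work" -type f -perm /222)     # any write bit set
    allw=$(count find "$work" -type f -perm -222)     # all write bits set
    otherw=$(count find "$work" -type f -perm -002)   # others can write
    suid=$(count find "$work" -type f -perm -4000)    # setuid bit set
    # an audit query: world-writable OR setuid
    risky=$(count find "$work" -type f \( -perm -002 -o -perm -4000 \))
    rm -rf "$work"
    echo "$exact $anyw $allw $otherw $suid $risky"
}

find_perm_demo    # 1 7 2 3 1 4
```

Against a real system the same predicates become find / -xdev -type f \( -perm -002 -o -perm -4000 \) -ls; -xdev keeps the search on one filesystem and -ls prints the mode and owner beside each hit.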
find and Numeric Criteria
Many find criteria take numeric values: a bare number means exactly, +n means more than n, -n means less than n.
    find -size 1024k    files of exactly 1 MiB (sizes are rounded up to the unit)
    find -size +1024k   files larger than 1 MiB
    find -size -1024k   files smaller than 1 MiB
find and Access Times
find can match on the three inode timestamps:
    -atime  when the file was last read (accessed)
    -mtime  when the file's data was last changed (modified)
    -ctime  when the file's data or metadata (owner, mode, link count) was last changed
The value is given in days (-amin, -mmin and -cmin take minutes):
    find -ctime -10
files whose status changed less than 10 days ago