©Brooks/Cole, 2001
Chapter 4
Security and File Permission
In this chapter, we will discuss security in UNIX. The security system in UNIX, like any other operating system, is designed to control the access to resources. First we introduce the users and how they are grouped together. Then we present different levels of security. Finally, we discuss commands used to change the permissions of files and directories.
Figure 4-1 Users
4.1 Users (user hierarchy: users and groups)
In UNIX, not every user is created equal. Some users have more capabilities than others. These users are known as superusers. Also known as system administrators, superusers have the maximum set of capabilities in the system.
Figure 4-2 The groups Command
$ groups
Staff
$ groups forouzan
instructor
Figure 4-3 Security Levels
4.2 Security Levels
There are three levels of security in UNIX: system, directory and file. System security is controlled by the system administrator, a superuser. Directory and file security is controlled by the users who own them.
Figure 4-4 A Typical Password File Entry
System security: /etc/passwd
System security controls who is allowed to access the system. It begins with your login id and password.
You can't change the /etc/passwd file unless you are a superuser.
File Permissions (Security)
• File permissions are the basis for file security. They are given in three clusters. In the example, the permission settings are "rw-r--r--":
-rw-r--r-- 1 glass cs 213 Jan 31 00:12 heart.final
User (owner): rw-   Group: r--   Others: r--
• Each cluster of three letters has the same format: read permission (r), write permission (w), execute permission (x).
Figure 4-5 Directory and File Permission
• The meaning of the read, write, and execute permissions depends on the type of file (Table 4.1, permission rules):
Read (r)
  Regular file: read or copy the contents of the file (cat, cp).
  Directory: read the directory, i.e. list the names of the files it contains.
  Special file: read from the file using the read() system call.
Write (w)
  Regular file: change or delete the file's contents.
  Directory: add files to or remove files from the directory.
  Special file: write to the file using the write() system call.
Execute (x)
  Regular file: execute the file, if the file is a program.
  Directory: access files in the directory; reference the directory or move into it.
  Special file: no meaning.
Directory-level permissions
• Read permission / directory: When users have read permission for a directory, they can read the directory, which contains the names of files and subdirectories and all of their attributes. They can then display the names and attributes with the list command. As a general rule, everyone is given read permission for directories. However, if for some reason you don't want other users to see what files you have in a directory, you can set its permission to remove the read permission.
$ ls Dir
drwxr-xr-x   (read permission for everyone)
drwx--x--x   (read permission removed from group and others)
• Write permission / directory: When users have write permission for a directory, they can add or delete entries in the directory. This means that they can copy a file from another directory, move a file to or from the directory, or remove (delete) a file.
Obviously, this is a much more dangerous level of permission. If you grant others permission to write to your directory, they can change its contents. Since its contents are your files, this means that they can delete any or all of your files. For security reasons, therefore, you generally don't grant others write permission to your directories.
On the other hand, if you are maintaining a group directory within your account, it is reasonable to give group members write permission. Others are very seldom given write permission.
• Execute permission / directory: At the directory level, execute permission is called search permission. It allows the directory to be referenced within a pathname, when a file is read, or when moving to the directory with the cd command.
In every case, to access a subdirectory or file beneath a directory, every directory in that subdirectory's or file's absolute pathname must have execute permission.
Permissions on a directory generally include both read and execute. Read permission without execute permission is contradictory, because without execute permission the directory cannot be accessed for any reason.
Session 4.2 Demonstrate Directory Execute Permission
$ ls -R permissionTest
file1 ptSubDir

permissionTest/ptSubDir:
file2

# Permission changed to rw- (no x) for user
$ ls -R permissionTest
Cannot access permissionTest/file1: Permission denied
Cannot access permissionTest/ptSubDir: Permission denied
$ more permissionTest/file1
Cannot open permissionTest/file1: Permission denied

# Permission changed to rwx for user
$ ls -Rl permissionTest
total 2
-rw-r--r-- 1 gilberg staff 120 Aug 30 08:28 file1
drwxr-xr-x 2 gilberg staff 512 Aug 30 08:50 ptSubDir

permissionTest/ptSubDir:
total 1
-rw-r--r-- 1 gilberg staff 120 Aug 30 08:40 file2
File-level permissions
• Read permission: Users who have file read permission can read or copy a file. Files that contain public information generally have read permission. Private files, however, should be readable only by the user (owner). Of course, group files should be readable by anyone in the group.
• Write permission: Files with write permission can be changed. They can also be deleted. As with directories, you generally restrict write permission to yourself (user) and other users in your group.
• Execute permission: programs, commands, scripts.
Session 4.3 Typical Permissions
$ ls -l
total 487
drwxr-xr-x 11 gilberg staff 1024 Aug 3 1999 C-Programs
-rw------- 1 gilberg staff 5782 May 16 14:55 TheRaven
-rw-r--r-- 1 gilberg staff 10857 Apr 5 1999 adt3.c++
drwxr-xr-x 2 gilberg staff 512 May 29 13:08 backUpDir
drwxr-xr-x 2 gilberg staff 512 Apr 25 16:10 dump.scr
Checking permissions
4.3 Changing Permissions
When a directory or a file is created, the system automatically assigns default permissions. The owner of the directory or file can change them. To change the permissions, we use the chmod command.
Figure 4-6 The chmod Command: Change mode
Figure 4-7 Changing Permissions
Figure 4-8 Symbolic chmod Codes
chmod mode filename
The mode is written as who, op, permission(s) with no spaces between them; several modes may be separated by commas, with no blank space around the comma.
who: u user's (owner) permissions; g group's permissions; o others' permissions; a all (user, group, other)
op: + add permissions; - remove permissions; = assign permissions absolutely
permission(s): r read; w write; x execute
Common symbolic chmod commands (Table 4.2)
• chmod u=rwx file   Set the owner's permission to read, write and execute; leave group and others as they are.
• chmod g=rx file
• chmod g+x file
• chmod a+r file
• chmod o-w file   Remove write permission from others; leave read and execute as they are.
Changing file permissions: examples (requirement and the corresponding change)
Add group write permission: g+w
Remove user read and write permission: u-rw
Add execute permission for user, group, and others: a+x
Give the group read permission only: g=r
Add write permission for user, and remove group read permission: u+w,g-r
Changing file permissions: example
• Here's an example of how to set these permissions:
$ cd             --> change to home directory.
$ ls -ld .       --> list attributes of home directory.
drwxr-xr-x 45 glass 4096 Apr 29 14:35
$ chmod o-rx .   --> update permissions (remove read and execute from others).
$ ls -ld .       --> confirm.
drwxr-x--- 45 glass 4096 Apr 29 14:35
$ _
Octal chmod Commands
For the home directory above (drwxr-x--- 45 glass 4096 Apr 29 14:35), the octal permission setting would be 750, calculated as follows:
          User   Group   Others
setting   rwx    r-x     ---
binary    111    101     000
octal     7      5       0
Figure 4-9 Octal chmod Commands
Common octal chmod commands
• chmod 777 file
• chmod 754 directory
• chmod 664 file
• chmod 644 file
• chmod 711 program
Octal digits for permission sets
Octal value   Permission set   Octal value   Permission set
7             r w x            3             - w x
6             r w -            2             - w -
5             r - x            1             - - x
4             r - -            0             - - -
Octal mode   Permissions
777          rwxrwxrwx
644          rw-r--r--
775          rwxrwxr-x
751          rwxr-x--x
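As an added illustration of the rwx-to-octal calculation and the digit tables above (example code, not from the book), this POSIX shell script converts a permission string as ls prints it into the three octal digits chmod takes, and back; the function names perm_to_octal and octal_to_perm are my own.

```shell
# rwx string -> octal. Accepts the nine permission characters ("rwxr-x---")
# or the full ten-character ls field ("drwxr-x---"); the type char is dropped.
perm_to_octal() {
    s=$1
    case ${#s} in
        10) s=${s#?} ;;
        9) ;;
        *) echo "perm_to_octal: bad mode string '$1'" >&2; return 1 ;;
    esac
    result= digit=0 i=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}                 # first remaining character
        s=${s#?}
        case $c in                      # r = 4, w = 2, x = 1, - = 0
            r) digit=$((digit + 4)) ;;
            w) digit=$((digit + 2)) ;;
            x) digit=$((digit + 1)) ;;
            -) ;;
            *) echo "perm_to_octal: bad character '$c' in '$1'" >&2; return 1 ;;
        esac
        i=$((i + 1))
        if [ $((i % 3)) -eq 0 ]; then   # one cluster done: emit its digit
            result=$result$digit
            digit=0
        fi
    done
    printf '%s\n' "$result"
}

# octal -> rwx string. Each digit is a 3-bit field, tested with 4, 2 and 1.
octal_to_perm() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_perm: expected three octal digits, got '$1'" >&2; return 1 ;;
    esac
    n=$1 out=
    while [ -n "$n" ]; do
        d=${n%"${n#?}"}
        n=${n#?}
        [ $((d & 4)) -ne 0 ] && out=${out}r || out=${out}-
        [ $((d & 2)) -ne 0 ] && out=${out}w || out=${out}-
        [ $((d & 1)) -ne 0 ] && out=${out}x || out=${out}-
    done
    printf '%s\n' "$out"
}

# The home directory from the slides: drwxr-x--- is 750, and 750 is rwxr-x---.
perm_to_octal 'drwxr-x---'
octal_to_perm 750
```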
Session 4.4 Demonstrate Recursive Use of chmod
$ ls -lR unix4sec
total 4
-rw-r--r-- 1 gilberg staff 120 Aug 30 10:36 file1
-rw-r--r-- 1 gilberg staff 120 Aug 30 10:38 file2
drwxr-xr-- 2 gilberg staff 512 Aug 30 10:39 subDirA
drwxr-xr-- 2 gilberg staff 512 Aug 30 10:39 subDirB

unix4sec/subDirA:
total 1
-rw-r--r-- 1 gilberg staff 120 Aug 30 10:39 file1A

unix4sec/subDirB:
total 1
-rw-r--r-- 1 gilberg staff 120 Aug 30 10:39 file1B
Option -R: use it only with symbolic changes, because the same change is applied to every file and directory in the tree.
$ chmod -R o-r unix4sec
$ ls -Rl unix4sec
total 4
-rw-r----- 1 gilberg staff 120 Aug 30 10:36 file1
-rw-r----- 1 gilberg staff 120 Aug 30 10:38 file2
drwxr-x--- 2 gilberg staff 512 Aug 30 10:39 subDirA
drwxr-x--- 2 gilberg staff 512 Aug 30 10:39 subDirB

unix4sec/subDirA:
total 1
-rw-r----- 1 gilberg staff 120 Aug 30 10:39 file1A

unix4sec/subDirB:
total 1
-rw-r----- 1 gilberg staff 120 Aug 30 10:39 file1B
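To see why the -R option belongs with symbolic changes, here is an added shell example (not from the book) that rebuilds the Session 4.4 tree in a temporary directory with the same starting modes, applies chmod -R o-r as the session does, and then applies an absolute octal mode recursively for contrast; the helper names mode_of, make_tree, symbolic_recursive and octal_recursive are my own.

```shell
# Print the ten-character mode field of a path, as ls -l shows it.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Two files and two subdirectories, each holding one file, with the same
# starting modes as the session (644 for files, 754 for the subdirectories).
make_tree() {
    mkdir -p "$1/subDirA" "$1/subDirB"
    : > "$1/file1"; : > "$1/file2"; : > "$1/subDirA/file1A"; : > "$1/subDirB/file1B"
    chmod 644 "$1/file1" "$1/file2" "$1/subDirA/file1A" "$1/subDirB/file1B"
    chmod 754 "$1/subDirA" "$1/subDirB"
}

# chmod -R o-r: a relative change, so only the others' read bit moves and the
# directories keep their x bit. Prints the modes of file1, subDirA, file1A.
symbolic_recursive() {
    make_tree "$1"
    chmod -R o-r "$1"
    mode_of "$1/file1"; mode_of "$1/subDirA"; mode_of "$1/subDirA/file1A"
}

# chmod -R 750: an absolute change, written to files and directories alike, so
# the plain data file comes out executable. Prints the modes of file1, subDirA.
octal_recursive() {
    make_tree "$1"
    chmod -R 750 "$1"
    mode_of "$1/file1"; mode_of "$1/subDirA"
}

scratch=$(mktemp -d)
echo "symbolic (chmod -R o-r):"; symbolic_recursive "$scratch/sym"
echo "octal (chmod -R 750):";    octal_recursive "$scratch/oct"
rm -rf "$scratch"
```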
4.4 User mask
• The permissions are initially set for a directory or file using a 3-digit octal system variable, the user mask (umask).
• It is defined initially by the system administrator when the account is created. The mask holds the octal value of the permissions that are removed by default when a directory or file is created.
• Chapter 5 explains how to set the mask value at login.
• When a directory or file is created, the digits of the mask determine the default permission values.
Defaults before the mask is applied: directories 777, files 666.
Figure 4-10 The umask Command: User mask
Results of using umask (Table 4.4)
Mask digit   Directory permission   File permission
0            7 (r/w/x)              6 (r/w)
1            6 (r/w)                6 (r/w)
2            5 (r/x)                4 (r)
3            4 (r)                  4 (r)
4            3 (w/x)                2 (w)
5            2 (w)                  2 (w)
6            1 (x)                  0 (none)
7            0 (none)               0 (none)
Default permission examples
Mask           Directory permission (from 777)   File permission (from 666)
000 (public)   777 rwxrwxrwx                     666 rw-rw-rw-
011 (public)   766 rwxrw-rw-                     666 rw-rw-rw-
022            755 rwxr-xr-x                     644 rw-r--r-- (write-protected)
007            770 rwxrwx---                     660 rw-rw----
077            700 rwx------                     600 rw-------
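An added shell example (not from the book) for the umask arithmetic behind Table 4.4 and the default-permission table: it computes the defaults for a whole three-digit mask, which goes beyond the single-digit table, and checks them against what the system actually assigns when a directory and a file are created under that mask; the function names default_modes and observed_modes are my own.

```shell
# Default modes under a mask: directories start at 777, regular files at 666,
# and every bit set in the mask is cleared. Prints "<dir> <file>" in octal.
default_modes() {
    mask=$((0$1))                      # leading 0: parse the argument as octal
    printf '%03o %03o\n' $((0777 & ~mask)) $((0666 & ~mask))
}

# Create one directory and one file under the mask and report the permission
# triplets ls shows for them, so the arithmetic can be compared with reality.
observed_modes() {
    scratch=$(mktemp -d)
    ( umask "$1" && mkdir "$scratch/d" && : > "$scratch/f" )
    printf '%s %s\n' "$(ls -ld "$scratch/d" | cut -c2-10)" \
                     "$(ls -l "$scratch/f" | cut -c2-10)"
    rm -rf "$scratch"
}

# The masks from the slides' table plus the 111 mask from Exercise 76.
for m in 000 011 022 007 077 111; do
    printf 'umask %s -> computed %s, observed %s\n' "$m" \
        "$(default_modes "$m")" "$(observed_modes "$m")"
done
```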
Figure 4-11 The chown Command
Figure 4-12 The chgrp Command
Exercise
56. Translate the following permissions to octal code:
    a. --x--x--x   111
    b. rwx--x--x
    c. --xrwx--x
    d. r-xr-xrwx
57. Repeat Exercise 56 using symbolic code:
    a. --x--x--x   a=x
    b. rwx--x--x
    c. --xrwx--x
    d. r-xr-xrwx
58. Translate the following permissions into rwx triplets.
59. Repeat Exercise 58 using symbolic code.
60. Repeat Exercise 58 using octal code.
    a. Only read for the owner   r-- --- ---   u=r,g-rwx,o-rwx   400
    b. Read/write for the owner; nothing for others
    c. Read for owner; execute only for others
    d. All for the owner; read for the group; execute for others
66. A file has a 000 (in octal) access permission. How can an owner read this file? How can an owner write to this file? How can an owner execute this file? Give the chmod command for each.   (read: u+r)
67. George needs to copy a file named report with an absolute pathname of /usr/john/report to his directory. What permission type is required for each of the following?
    a) report   o+r
    b) root
    c) /usr
    d) /usr/john
    e) ~george
73. The file sample has permission rwxr-xr-x. What are the permissions after the following command?
    $ chmod u-x,g+w,o-x sample
74. The file sample has permission rwx--x--x. What are the permissions after the following command?
    $ chmod u-x,g=w,o=x sample
75. A user issues the following command: $ umask 022
    a) What are the default permissions for all files created after this command?
    b) What are the default permissions for all directories created after this command?
76. A user issues the following command: $ umask 111
    a) What are the default permissions for all files created after this command?
    b) What are the default permissions for all directories created after this command?