In the /etc/group file, after kernel is boot. If we cat /etc/group file, we see that there are some default group names like haldaemon, shadow, sshd ....
Does everyone know who creates these groups in /etc/group file?
Many processes on your system use their own usernames and groups, to intentionally restrict their permissions to only files they should be modifying. This is a security and data integrity feature. The vendor of your OS added these to your system during it's installation, or another software package added them to facilitate it's operation.
Related
I am new to ansible and work on my setup. I see that the list of hosts is per default in /etc/anisble/hosts and changed with root privileges. In tutorials I have seen solutions with the host file in user space.
I would prefer to have all ansible setup under my home directory. What is the advantage of putting the hosts file in /etc respective the reason that the default location is there?
Thank you for clarification!
From a security perspective, putting it in the /etc directory is the safest initial option for a few reasons.
If Ansible defaulted to using an inventory file in the 'current directory' the playbook is executed in, then it would be easy for a bad actor to place an inventory file in other commonly used directories that are accessed by multiple people (such as /tmp, /var/tmp, etc). If they succeeded in getting someone to execute a playbook in that directory, it could perform additional actions the user didn't expect.
If Ansible default to using an inventory file in your home directory, this could open up that user to exploits by someone sending them a malicious email attachment or other method to write a file in their home directory that they weren't expecting.
I installed Cygwin on USB stick. I'm going to use Cygwin on two computers. (My laptop and a desktop computer.)
Unfortunately, those two computer have a different user name. (user and ryang). So every time I switch those two computers, the location of user's home directory chages.
If I use Cygwin with ryang, the home directory is /home/ryang. If I use Cygwin with user, the home directory is in /home/user. But I want to use only one user, "sohnryang".
I don't want to change those two computer's settings. Any good solution for this?
The problem is not just that the two users are different for Cygwin, they are also different from Windows point of view.
To rename a cygwin user you can use the file /etc/passwd
mkpasswd -c > /etc/passwd
sed -e "s/ryang:/sohnryang:/g" -i /etc/passwd
and you can repeat it in the second computer
mkpasswd -c >> /etc/passwd
sed -e "s/user:/sohnryang:/g" -i /etc/passwd
so now both will share the same cygwin name.
The : is needed to change only the first and sixth fields; leaving untouched the fifth.
However the two users are different also for Windows as you can verify with
C:\Users\myself>whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
my_computer\myself S-1-5-21-531030479-1339336681-3415091201-1009
The two SID's are different in the two computer also if the user names were the same in Windows.
The Windows User Name and SID are merged in the 5th field of /etc/passwd
The SID difference could cause authorization issue between files created on the two computer, depending on the type of system. Windows Home versions are usually more puzzling than Professional ones.
Another quick solution -- if you are the only Cygwin user on each machine -- is to edit the file /etc/nsswitch.conf and set db_home to the desired home directory location:
db_home: /home/MyName
This does not actually change the user name itself. If the directory is hardcoded in this manner, ALL users who log in to Cygwin will be set to use this same directory. But for single-user systems, it's quick, easy, and works like a charm.
I have made a script for installing a control panel.
I've uploaded the script to a server so people can wget it to their machines.
The only issue is that you have to chmod it after download. Is there a way to remove this step? How would I go about keeping 755 perms on the downloaded script?
When a user downloads the file, the file will automatically get some default permission. In UNIX, each user will have a default set of permissions which apply to all files created by that user, unless you explicitly set it to something else.
This default is called the umask, after the command used to change it. It is either inherited from the login process, or set in the .shrc or .login file which configures an individual account, or it can be run manually.
Typically the default configuration is equivalent to typing 'umask 22' which produces permissions of:
-rw-r--r-- for regular files, or
drwxr-xr-x for directories.
In other words, user has full access, everyone else (group and other) has read access to files, lookup access to directories. As you see above, the execution access is not default for files.
Hence you need to explicitly change it.
I have a shared directory. The directory's groupid is dev and many users are members of the group dev.
Now I need to give all the files created under the folder to have the same permission say, rwxrwxr--.
How would I do that? One solution that came to my mind is:
I would need a 2 shell scripts executable by all members of the group. One script should change the umask after checking that the current directory's groupID is dev. The other should change the umask to the previous default value.
Please let me know how to do this in shell script.
You can avoid the use of shell scripts by applying a default POSIX ACL (Access Control List) to the shared directory. e.g. On linux:
setfacl -m d:u::rwx,d:g::rwx,d:o::r,d:g:dev:rwx /shared/dir
The default ACL applied to /shared/dir above overrides the user's umask setting when new files are subsequently created in /shared/dir. The following is cut from the acl(5) man page on linux:
OBJECT CREATION AND DEFAULT ACLs
The access ACL of a file object is initialized when the object is
created
with any of the creat(), mkdir(), mknod(), mkfifo(), or open()
functions.
If a default ACL is associated with a directory, the mode parameter
to
the functions creating file objects and the default ACL of the
directory
are used to determine the ACL of the new object:
The new object inherits the default ACL of the containing directory
as its access ACL.
The access ACL entries corresponding to the file permission
bits are modified so that they contain no permissions that are not
contained
in the permissions specified by the mode parameter.
Create a single shell script to copy files into the shared directory. In that shell script, set the permissions on the file after copying. Make sure the directory has the SGID bit set; all files created in the directory will automatically belong to the group that owns the directory - dev in your scenario. Note that MacOS X effectively always has the SGID bit set on directories; that is, when a file is created, its group is the group that owns the directory.
Chastise anyone who self-evidently does not use the shell script, leaving files with the incorrect permissions.
Worry about whether all files should be executable; documents should not.
Worry about whether all files should be writable; where is the version control system in all this?
(I'd be happier with 444 permissions on the files - except for the few programs where 554 might be sensible.)
The question of the title doesn't seem related to the question in the body, but to answer the question in the title:
id=$( stat -f %g directory )
We have two users:
user1
user2
They both belong to the group 'admin'.
We have a directory that has been set to 775. The directory's group has been changed to 'admin'. Each user has full access to write into that directory, though when a user writes a new file to the directory, the group permissions of the folder are not persisted to the file that was written.
How should we make it so that files inherit the directory's group permissions?
Clarification: when a new file or directory is written, it uses the users' group as the group of the new file, rather than that of the directory, which makes sense - but how do I not make that happen?
You can propagate group permissions by setting the directory's setgid bit (chmod g+s). This may not be portable across all *nixes and all file systems.
http://en.wikipedia.org/wiki/Setuid#setgid_on_directories
http://www.gnu.org/software/coreutils/manual/html_node/Directory-Setuid-and-Setgid.html
If you are using ext3 or ReiserFS, this page about creating a Linux file server may help. Specifically step 7 suggests the following command.
setfacl -d -m g:sales:rw /groups/sales
I think you should look here.
As the site says, "Unix doesn't support the idea of inherited permissions."
However, there is a section on ACLs (Access Control Lists), which I think is what you are looking for. By setting up an ACL, you can have your files inherit the same ACL from the directory, which I think is what you are asking for. setfacl is the shell command that will be what you need to look into.
Hope that helps!