Chapter 6

Basic file security

ls command:

ls [options] [filenames]

if filenames are not specified, the default is '.'  (the current directory)

-l   long listing
-a   all files (normally .* files are hidden)
-s   size (in blocks)
-t   time sort
-c   ctime (time of last inode change)
-u   access time
-r   reverse sort
-C   Columns   -- forces column output (normally only on for output to terminal)
-b   bad chars (forces non-printing characters to be printed as escaped \000)
-F   Flag filetypes
suffix*  executable
suffix/  directory
suffix@  symbolic link
-i   Inode #
-R   Recursive listing
-x   across the page (sorts across the page, rather than down columns)
-1   forces one file per line

Other options .. see man pages


grep

uses 'regular expressions'

grep  [options]  pattern [filenames]
if filenames are not specified, reads from standard input (terminal/pipe)

^ at beginning of pattern, matches start of line
$   at end of pattern, matches end of line
 [abce]  matches any one character a, b, c or e
.   matches any character

eg:
^...c$

would match  any 4 character line ending in 'c'
options:
-b   block # where line found
-c   count matching lines
-h   header (suppresses file name prefix on output)
-i   ignore case
-l   list filenames only
-n   number lines
-s   silent (suppress error messages)
-v   vice versa (only print NON matching lines)
-w   word search  -- only matches if the pattern is surrounded by white spaces, or punctuation

chmod

change mode of the file.

chmod  [options]  mode  filenames
    options
-f   force change (and don't print error on failure)
-R   Recursive (follow changes into subdirectories)

    Modes
absolute or symbolic

absolute

    ddd  where each d is an octal digit.    User,Group,Others
    sum of:
4   Read
2   write
1   execute
     also:
4000  setuid  (set userid on execution)
2000  setgid  (set groupid on execution)
1000  sticky bit

Symbolic:

[ugo]{+|-|=}{[rwxst]...}[,...]

u   user (owner of the file)
g   group
o   others

+   add permissions
-   subtract permissions
=   assign permissions

r   read
w   write
x   execute
t    sticky
s   setuid (with u) / setgid (with g)

umask

unmask
what permissions are denied on file creation:

default file permissions:
directory   777   (rwxrwxrwx)
file   666   (rw-rw-rw-)

umask of 0:
    everybody has all access
umask of 077
    group/others have NO access
umask of 022
    group/others denied write access

usually set in .profile file.
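
The mask arithmetic above, as an added example (not part of the original notes): it creates a file and a directory under each umask and compares the observed modes with base AND NOT umask. It assumes a `stat` that accepts `-c %a` (GNU coreutils or busybox); the function names are illustrative, and umask 033 is an extra case added here to show the mask is bitwise, not subtraction.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Assumption: `stat -c %a` (GNU coreutils / busybox) prints the mode in octal.

# expected_mode BASE UMASK -> BASE with the UMASK bits cleared (bitwise AND NOT)
expected_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# perm_bits PATH -> rwx bits of PATH as three octal digits (special bits dropped)
perm_bits() {
    printf '%03o\n' $(( 0$(stat -c %a "$1") & 0777 ))
}

# actual_modes UMASK -> "<file-mode> <dir-mode>" observed after creating both.
# The body is a subshell ( ... ), so the umask change does not leak to the caller.
actual_modes() (
    tmp=$(mktemp -d) || exit 1      # private scratch directory
    umask "$1"
    : > "$tmp/file"                 # the shell asks for 666 when creating a file
    mkdir "$tmp/dir"                # mkdir asks for 777 when creating a directory
    printf '%s %s\n' "$(perm_bits "$tmp/file")" "$(perm_bits "$tmp/dir")"
    rm -rf "$tmp"
)

# 0, 077 and 022 are the masks from the notes; 033 is added to show that
# 666 under umask 033 gives 644, not 633.
for m in 0 077 022 033; do
    printf 'umask %-3s  expect file=%s dir=%s  got: %s\n' "$m" \
        "$(expected_mode 666 "$m")" "$(expected_mode 777 "$m")" "$(actual_modes "$m")"
done
```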

ACLs

Access Control List

allow more explicit control of permissions
can set permissions for specific users/groups
NOT STANDARD UNIX
(but it's becoming more common)
some older unix utilities might not handle ACLs properly

getfacl:

getfacl [-ad]   files
-a   acls  doesn't display default acl
-d   default  -- display all, including default acl


output:

[default:]{user|group|other|mask}:[id]:perm

id   if not specified, this applies to the owner group/uid of the file
      (not present for mask and other perms)