bodhi_zazen | Are we ready to start ? | 00:00 |
---|---|---|
* Snova is here | 00:00 | |
bodhi_zazen | weee hooo | 00:00 |
* tim_sharitt is ready | 00:00 | |
bodhi_zazen | first, sorry about the confusion re time and date | 00:00 |
bodhi_zazen | again, I will do these Q&A sessions every 2 weeks or so | 00:01 |
bodhi_zazen | I was asked to cover permissions today and to make it interesting will add in sticky bits and acl :) | 00:01 |
* RachedTN is ready too :) | 00:01 | |
bodhi_zazen | This is a good time to mention the shared ssh session | 00:02 |
bodhi_zazen | http://paste.ubuntu.com/147955/ | 00:02 |
bodhi_zazen | we can use that for a hands on demo | 00:02 |
bodhi_zazen | but if you are interested , please ssh in when you get a chance | 00:02 |
bodhi_zazen | so you are ready to go when we start | 00:02 |
* Geek`N`Proud thought he'd stick around | 00:02 | |
Pretto | 404 | 00:02 |
bodhi_zazen | if you need help, ask and someone will answer in a PM | 00:02 |
Daisuke-Ido | The requested URL /beginners/ufbt-guest was not found on this server. | 00:02 |
bodhi_zazen | http://paste.ubuntu.com/147955/ | 00:03 |
WastePotato | Am I late? | 00:03 |
Snova | No. | 00:03 |
WastePotato | Ok. | 00:03 |
bodhi_zazen | Ah, my mistake, lol | 00:03 |
bodhi_zazen | http://bodhizazen.net/ufbt/ufbt-guest | 00:03 |
* bodhi_zazen bad | 00:03 | |
WastePotato | Yay. SSHing into bodhi_zazen's computer. \o/ | 00:04 |
bodhi_zazen | sweet :) | 00:04 |
Snova | Or as close to it as you'll ever get... | 00:04 |
bodhi_zazen | OK, lets start with the basics | 00:04 |
bodhi_zazen | permissions often frustrate new users | 00:04 |
bodhi_zazen | and it is a BIG change if you come from Windows | 00:05 |
Daisuke-Ido | i'm going to pop back over to gnome | 00:05 |
bodhi_zazen | Every file and directory has an owner (the one who made it), a group, and "other" | 00:05 |
bodhi_zazen | permissions are rwx - read, write, and execute | 00:05 |
bodhi_zazen | and so are listed with ls -l | 00:05 |
bodhi_zazen | as 3 sets : | 00:05 |
bodhi_zazen | rwxrwxrwx | 00:06 |
bodhi_zazen | for owner:group:other | 00:06 |
bodhi_zazen | a - means you do not have the permission | 00:06 |
bodhi_zazen | so r--r--r-- is read only | 00:06 |
bodhi_zazen | You can also see permissions graphically by right clicking a file | 00:07 |
bodhi_zazen | and selecting the permissions tab | 00:07 |
bodhi_zazen | To change permissions from the command line you can use "octals" | 00:07 |
bodhi_zazen | which are listed here : http://www.zzee.com/solutions/linux-permissions.shtml | 00:07 |
bodhi_zazen | or if you can not use the octals, use +rwx | 00:08 |
bodhi_zazen | so, with the chmod command | 00:08 |
bodhi_zazen | chmod o+rwx foo | 00:08 |
bodhi_zazen | chmod g+r foo | 00:08 |
bodhi_zazen | chmod 755 foo | 00:08 |
bodhi_zazen | you change the group with chown or chgrp | 00:09 |
bodhi_zazen | chown owner:group foo | 00:09 |
bodhi_zazen | chown owner.group foo | 00:09 |
bodhi_zazen | period works as well as a : , although it is deprecated >:) | 00:09 |
bodhi_zazen | With the gui tools use the pull down menu | 00:09 |
bodhi_zazen | The thing that is odd: directories | 00:10 |
bodhi_zazen | you need to set the x to list the contents of a directory | 00:10 |
bodhi_zazen | chmod a+x bar | 00:10 |
bodhi_zazen | allows people to ls bar | 00:10 |
bodhi_zazen | again see http://www.zzee.com/solutions/linux-permissions.shtml | 00:10 |
bodhi_zazen | Questions about basic permissions ? | 00:11 |
bodhi_zazen | otherwise I am going to move on to sticky bits >:) | 00:11 |
bodhi_zazen | Sticky bits are not hard to understand, but they are odd | 00:12 |
bodhi_zazen | They are also called SUID and SGID | 00:12 |
bodhi_zazen | if you have an executable file or binary | 00:12 |
bodhi_zazen | and you suid it, it runs with the permissions of the OWNER of the file, not the user who runs the script / binary | 00:13 |
bodhi_zazen | so ... | 00:13 |
bodhi_zazen | if the file is owned by root | 00:13 |
bodhi_zazen | and you then chmod 755 | 00:13 |
bodhi_zazen | anyone can run the file | 00:13 |
bodhi_zazen | if you run the script as a user, the process has permissions of the user who called it | 00:14 |
bodhi_zazen | If, however, you chmod u+s foo | 00:14 |
bodhi_zazen | now anyone can run the script and , as it is owned by root, it runs as if root called the script | 00:14 |
bodhi_zazen | no password is required | 00:15 |
bodhi_zazen | do not do this | 00:15 |
bodhi_zazen | any script to be run by root should be owned by root and, IMO, called with sudo | 00:15 |
bodhi_zazen | same thing applies to SGID | 00:15 |
bodhi_zazen | if the SGID bit is set, the script runs with permissions of the group that owns the file | 00:15 |
bodhi_zazen | with me so far ? | 00:16 |
bodhi_zazen | One last bit, +t | 00:16 |
bodhi_zazen | +t is the "sticky bit" | 00:16 |
Spreadsheet | Can I talk? | 00:16 |
bodhi_zazen | in the past it meant keep the script in memory | 00:16 |
bodhi_zazen | Spreadsheet: yes | 00:16 |
bodhi_zazen | anyone can break in at any time | 00:16 |
Spreadsheet | Ok, I have a question | 00:17 |
bodhi_zazen | this is an open session | 00:17 |
bodhi_zazen | please :) | 00:17 |
Spreadsheet | This is sorta related to the topic | 00:17 |
Spreadsheet | Sometimes i use chown, and it doesn't work | 00:17 |
Spreadsheet | Then i use it a couple more times and it does work... | 00:17 |
Spreadsheet | Is this a bug? | 00:17 |
pleia2 | :) | 00:17 |
bodhi_zazen | You can not chown a file or directory you do not own | 00:17 |
bodhi_zazen | hey pleia2 :) | 00:17 |
Spreadsheet | bodhi_zazen: All of the files on this comp belong to me... | 00:18 |
bodhi_zazen | this makes sense in that a user can not chown a file owned by root | 00:18 |
Spreadsheet | Oh wait | 00:18 |
Pretto | never happened to me :D | 00:18 |
bodhi_zazen | LMAO Spreadsheet | 00:18 |
Spreadsheet | Ok, the file is owned by root | 00:18 |
Spreadsheet | So then I use sudo | 00:18 |
bodhi_zazen | to change a file owned by root you need sudo | 00:18 |
bodhi_zazen | but you should not change ownership or permissions of system files | 00:19 |
Spreadsheet | It's not a system file | 00:19 |
bodhi_zazen | sudo -e /etc/fstab for example | 00:19 |
Spreadsheet | /var/www/ | 00:19 |
bodhi_zazen | yea, that *should* be owned by www-data | 00:19 |
Spreadsheet | ehh... go on | 00:19 |
bodhi_zazen | so, add your user to www-data | 00:19 |
bodhi_zazen | :) | 00:19 |
bodhi_zazen | OK, we were talking sticky bits | 00:20 |
bodhi_zazen | the most common use of a sticky bit is on a directory | 00:20 |
bodhi_zazen | if a sticky bit is set on a shared directory (one with say permissions of 777) | 00:20 |
bodhi_zazen | users can not delete files they do not own | 00:21 |
bodhi_zazen | even though group or other permissions may allow rw access to a file | 00:21 |
bodhi_zazen | There is a very nice review of sticky bits here : http://lokams.blogspot.com/2008/03/about-suid-sgid-and-sticky-bit.html | 00:21 |
bodhi_zazen | and here : http://www.linuxdevcenter.com/pub/a/linux/lpt/22_06.html | 00:22 |
bodhi_zazen | questions ? | 00:22 |
bodhi_zazen | Otherwise I am going to talk about acl , or access control lists | 00:22 |
bodhi_zazen | Please, all questions are welcome and it gets boring seeing a wall of bodhi.zazen speaking >:) | 00:23 |
Snova | Might want to go into setuid/setgid (though that'd be another wall :P) | 00:23 |
Snova | Oh wait | 00:23 |
* Snova wasn't here | 00:23 | |
Snova | Well, in that case, what does the sticky bit do on a file? | 00:23 |
bodhi_zazen | lol Snova :) | 00:23 |
bodhi_zazen | you mean the -t on a file ? | 00:24 |
bodhi_zazen | or the SUID | 00:24 |
Snova | Sticky bit... no idea what "-t" means. :P | 00:24 |
bodhi_zazen | lol | 00:24 |
bodhi_zazen | Snova: take a look at this linky : http://lokams.blogspot.com/2008/03/about-suid-sgid-and-sticky-bit.html | 00:25 |
Spreadsheet | g2g | 00:25 |
bodhi_zazen | I covered the topic just previous and do not want to repeat it ;) | 00:25 |
bodhi_zazen | OK , acl stands for access control list | 00:26 |
bodhi_zazen | the idea of an acl list comes into play when you have many, perhaps hundreds of users on a system | 00:26 |
bodhi_zazen | and so then the "other" permissions get messy | 00:26 |
bodhi_zazen | you do not want to create hundreds of groups for all the various user shares | 00:27 |
bodhi_zazen | enter acl | 00:27 |
bodhi_zazen | acl allows a user to set permissions on a file or directory for each user on the system | 00:27 |
bodhi_zazen | acl is the backbone of SELinux, and if you understand acl you understand a lot about SELinux | 00:28 |
bodhi_zazen | acl is installed by default on Ubuntu, but you need to "activate" it | 00:28 |
bodhi_zazen | it is an option when you mount a file system | 00:28 |
bodhi_zazen | so you | 00:28 |
bodhi_zazen | mount /dev/sdxy /media/foo -o acl | 00:29 |
bodhi_zazen | Or add acl to /etc/fstab in the options column | 00:29 |
Pretto | so, acl is just for "others" right? | 00:29 |
bodhi_zazen | yes and no Pretto | 00:29 |
bodhi_zazen | I will demo it in a sec ... | 00:29 |
bodhi_zazen | acl is a command line tool | 00:30 |
bodhi_zazen | although there is a very nice gui tool, Eiciel | 00:30 |
bodhi_zazen | http://www.linux.com/feature/138169 | 00:30 |
bodhi_zazen | Eiciel is in the Ubuntu repos , but I could not integrate it with Nautilus as in that link | 00:31 |
bodhi_zazen | after you install it it is in the menu under System | 00:31 |
bodhi_zazen | want to see acl in action ? | 00:31 |
* jgoguen nods | 00:31 | |
Pretto | yeap | 00:32 |
bodhi_zazen | OK, everyone ssh into the shared session ? | 00:32 |
bodhi_zazen | let me show a few things ... | 00:32 |
bodhi_zazen | OK, permissions of new files are governed by umask | 00:33 |
bodhi_zazen | so as you can see , the group is governed by the primary or effective group | 00:33 |
bodhi_zazen | Now let's change groups for a sec | 00:33 |
bodhi_zazen | the command was newgrp and it spawns a new shell | 00:34 |
Pretto | :D | 00:34 |
bodhi_zazen | do you see how that changed the group of the new file ? | 00:34 |
bodhi_zazen | OK, so if I want a shared directory , I would now need to chmod all those files | 00:35 |
bodhi_zazen | chmod -R 770 MAD | 00:35 |
bodhi_zazen | or worse, chmod -R 777 MAD | 00:35 |
bodhi_zazen | or chgrp and then chown, you get the idea | 00:36 |
bodhi_zazen | now let us use ACL | 00:36 |
bodhi_zazen | See the +s in the permissions ? | 00:36 |
bodhi_zazen | the sgid is set | 00:36 |
bodhi_zazen | Do you see how the sgid bit made the file "file.admin" owned by the group guru ? | 00:38 |
bodhi_zazen | >:) | 00:38 |
bodhi_zazen | OK, now acl ... | 00:38 |
bodhi_zazen | You list the access list with getfacl file | 00:38 |
bodhi_zazen | we set the acl with setfacl | 00:39 |
bodhi_zazen | This changed the behavior of the directory, we set the defaults with -d and the options with -m and long handed rwx permissions | 00:42 |
jgoguen | bodhi_zazen: so the default ACL entries will override the existing user/group/other permissions? | 00:42 |
bodhi_zazen | yes jgoguen | 00:42 |
bodhi_zazen | with that last command , I overrode the sgid we set | 00:43 |
bodhi_zazen | the directory is not owned by admin | 00:43 |
bodhi_zazen | default:group:admin:rwx | 00:43 |
bodhi_zazen | watch | 00:43 |
bodhi_zazen | hmm, not what I expected, lol | 00:44 |
Pretto | hhehhehhe. .weird | 00:44 |
Pretto | so the + means that MAD has an acl? | 00:45 |
bodhi_zazen | yes Pretto | 00:46 |
bodhi_zazen | see how acl changed the group of "file" made by root ? | 00:46 |
bodhi_zazen | from root.root to root.guru ? | 00:46 |
bodhi_zazen | OK, now let's add a user | 00:46 |
bodhi_zazen | see, now I added in the user, bodhi, who has rwx to the file MAD/file.guru | 00:47 |
bodhi_zazen | user:bodhi:rwx | 00:48 |
bodhi_zazen | and on | 00:48 |
bodhi_zazen | Obviously acl is a bit complex | 00:48 |
bodhi_zazen | and I will not claim to be an expert | 00:48 |
bodhi_zazen | :) | 00:48 |
bodhi_zazen | oops, apparmor is preventing me from showing you more with acl at the moment | 00:49 |
bodhi_zazen | lol | 00:49 |
bodhi_zazen | see : http://www.suse.de/~agruen/acl/linux-acls/online/ | 00:50 |
bodhi_zazen | for more info on acl | 00:50 |
bodhi_zazen | and man acl | 00:50 |
bodhi_zazen | and Eiciel | 00:50 |
bodhi_zazen | Eiciel gives you a gui tool to manage acl | 00:51 |
bodhi_zazen | Sorry if I rambled on too long about permissions | 00:51 |
bodhi_zazen | :) | 00:51 |
bodhi_zazen | we have 10 min left | 00:51 |
bodhi_zazen | questions ? | 00:51 |
bodhi_zazen | you like the shared ssh session ? | 00:52 |
bodhi_zazen | I can demo apparmor if you want :) | 00:53 |
bodhi_zazen | See how the /tmp directory has +t set ? | 00:54 |
bodhi_zazen | you should now know what that means :) | 00:54 |
bodhi_zazen | you should now understand why root kits search for files with the suid bit set | 00:55 |
jgoguen | bodhi_zazen: back to setuid/setgid...should setgid necessarily be avoided the same as setuid? | 00:58 |
bodhi_zazen | probably jgoguen | 00:59 |
bodhi_zazen | although it is not working as I expected | 00:59 |
bodhi_zazen | if you need to run a script as root, use sudo | 01:00 |
bodhi_zazen | If you need to give a user limited root access, use sudo and configure with visudo >:) | 01:00 |
bodhi_zazen | Ah, apparmor is restricting me from further demos :) | 01:00 |
bodhi_zazen | you will have to check out suid on your own , lol | 01:01 |
jgoguen | I was thinking more along the lines of having a script write to a log file...but I suppose ACL would also handle that quite nicely :) | 01:01 |
bodhi_zazen | acl FTW :) | 01:01 |
bodhi_zazen | Once you learn acl , and you have a multiuser system, you will make good use of it | 01:02 |
bodhi_zazen | acl does not make sense, however, on a single user system | 01:02 |
Pretto | thank you for your explanations bodhi_zazen | 01:03 |
bodhi_zazen | np Pretto :) | 01:03 |
bodhi_zazen | thank you for coming | 01:03 |
bodhi_zazen | anyone have a suggestion for next time ? | 01:03 |
bodhi_zazen | In the long run, we will bring up a moodle site and content will be available for review pre and post sessions | 01:04 |
bodhi_zazen | the BT is working on it | 01:04 |
bodhi_zazen | If you have suggestions, add it here | 01:04 |
bodhi_zazen | https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals | 01:05 |
bodhi_zazen | thank you everyone for coming | 01:05 |
bodhi_zazen | please spread the word | 01:05 |
bodhi_zazen | you should all have been disconnected from the shared session as I closed it :) | 01:06 |
bodhi_zazen | see you again in 2 weeks | 01:06 |
jgoguen | \o/ ty bodhi_zazen | 01:06 |
bodhi_zazen | you are most welcome jgoguen | 01:06 |
bodhi_zazen | I hope I learned you something | 01:06 |
WastePotato | I always miss it. ): | 01:08 |
DasEi | ermm, you're just done now ? | 01:08 |
WastePotato | ? | 01:08 |
WastePotato | I had a shower. | 01:09 |
DasEi | root@jaunty64:~# date -u | 01:09 |
DasEi | Fr 10. Apr 00:05:07 UTC 2009 | 01:09 |
DasEi | root@jaunty64:~# | 01:09 |
WastePotato | Wut/ | 01:09 |
DasEi | gnarf... | 01:09 |
WastePotato | Hey bodhi_zazen, what was that thing on your shell with the quote and and the calendar? I want it. o: | 01:10 |
WastePotato | DasEi: Oh I get it. | 01:13 |
DasEi | I recently got an email saying friday, 00.00 utc.. two thirds of every meeting slip through the time-gap | 01:13 |
WastePotato | Daylight savings time, maybe? | 01:13 |
DasEi | WastePotato: on a linux-trml? , lol; WastePotato | 01:14 |
WastePotato | Hmm. | 01:14 |
DasEi | sad enough, and I even was on and checked time before-- lets all go home and cry then ;-) | 01:15 |
WastePotato | Wait a sec. | 01:16 |
DasEi | sure | 01:16 |
DasEi | any of the others, did someone log that session ? | 01:17 |
WastePotato | http://pastebin.com/f153ef8b5 ('pastebin - collaborative debugging tool') | 01:18 |
WastePotato | It's the best I can do. ): | 01:18 |
WastePotato | Damn. I really need to sort out my log folder. | 01:18 |
DasEi | WastePotato: very nice thank you, now I can rest in peace again | 01:19 |
WastePotato | DasEi And all of the stuff that happened in his ssh session is here: http://pastebin.com/m1aa9b669 ('pastebin - collaborative debugging tool') | 01:20 |
DasEi | so permissions, nothing completely new to me, though always nice to re-exercise; funny, the date I got was european - one day | 01:23 |
DasEi | WastePotato: did you want me to wait for the log or still something else ? | 01:24 |
WastePotato | Eh? | 01:30 |
WastePotato | The channel log and the ssh log are all that I have/ | 01:32 |
WastePotato | Does anyone want me to paste the log on the site? | 01:34 |
WastePotato | !log | 01:34 |
ubot2 | Channel logs can be found at http://irclogs.ubuntu.com/ - See also !OpenWeek | 01:34 |
WastePotato | ): | 01:34 |
DasEi | WastePotato: that was very nice, I just refelcted your upper Wait a sec, gripping acl rightnow:) | 01:34 |
DasEi | reflected* | 01:34 |
WastePotato | Oh. :) | 01:35 |
DasEi | is there anyone around practising some ssh with me tomorrow/saturday.. whenever ? | 01:40 |
DasEi | enough to read and try myself for now, see you around and thanks again | 01:44 |
=== F4ilure is now known as Default_User | ||
=== Andre123 is now known as AndreSTC | ||
schwinn434 | looking for #ubuntuforums-beginners something like this, any help would be appreciated | 04:38 |
schwinn434 | can't get the exact chat room name correctly | 04:38 |
nhandler | schwinn434: It is #ubuntuforums-beginners, I don't know why it isn't working for you | 04:42 |
=== yamen_ is now known as Myamen | ||
=== _Purple_ is now known as _Purple_away | ||
=== cavalierski is now known as cav | ||
=== _Purple_away is now known as _Purple_ |