[00:00] <bodhi_zazen> Are we ready to start ?
[00:00]  * Snova is here
[00:00] <bodhi_zazen> weee hooo
[00:00]  * tim_sharitt is ready
[00:00] <bodhi_zazen> first, sorry about the confusion re time and date
[00:01] <bodhi_zazen> again, I will do these Q&A sessions every 2 weeks or so
[00:01] <bodhi_zazen> I was asked to cover permissions today and to make it interesting will add in sticky bits and acl :)
[00:01]  * RachedTN is ready too :)
[00:02] <bodhi_zazen> This is a good time to mention the shared ssh session
[00:02] <bodhi_zazen> http://paste.ubuntu.com/147955/
[00:02] <bodhi_zazen> we can use that for a hands on demo
[00:02] <bodhi_zazen> but if you are interested , please ssh in when you get a chance
[00:02] <bodhi_zazen> so you are ready to go when we start
[00:02]  * Geek`N`Proud thought he'd stick around
[00:02] <Pretto> 404
[00:02] <bodhi_zazen> if you need help, ask and someone will answer in a PM
[00:02] <Daisuke-Ido> The requested URL /beginners/ufbt-guest was not found on this server.
[00:03] <bodhi_zazen> http://paste.ubuntu.com/147955/
[00:03] <WastePotato> Am I late?
[00:03] <Snova> No.
[00:03] <WastePotato> Ok.
[00:03] <bodhi_zazen> Ah, my mistake, lol
[00:03] <bodhi_zazen> http://bodhizazen.net/ufbt/ufbt-guest
[00:03]  * bodhi_zazen bad
[00:04] <WastePotato> Yay. SSHing into bodhi_zazen's computer. \o/
[00:04] <bodhi_zazen> sweet :)
[00:04] <Snova> Or as close to it as you'll ever get...
[00:04] <bodhi_zazen> OK, lets start with the basics
[00:04] <bodhi_zazen> permissions often frustrate new users
[00:05] <bodhi_zazen> and it is a BIG change if you come from Windows
[00:05] <Daisuke-Ido> i'm going to pop back over to gnome
[00:05] <bodhi_zazen> Every file and directory has an owner (the one who made it), a group, and "other"
[00:05] <bodhi_zazen> permissions are rwx - read, write, and execute
[00:05] <bodhi_zazen> and so are listed with ls -l
[00:05] <bodhi_zazen> as 3 sets :
[00:06] <bodhi_zazen> rwxrwxrwx
[00:06] <bodhi_zazen> for owner:group:other
[00:06] <bodhi_zazen> a - means you do not have the permission
[00:06] <bodhi_zazen> so r--r--r-- is read only
[00:07] <bodhi_zazen> You can also see permissions graphically by right clicking a file
[00:07] <bodhi_zazen> and selecting the permissions tab
[00:07] <bodhi_zazen> To change permissions from the command line you can use "octals"
[00:07] <bodhi_zazen> which are listed here : http://www.zzee.com/solutions/linux-permissions.shtml
[00:08] <bodhi_zazen> or if you can not use the octals, use +rwx
[00:08] <bodhi_zazen> so, with the chmod command
[00:08] <bodhi_zazen> chmod o+rwx foo
[00:08] <bodhi_zazen> chmod g+r foo
[00:08] <bodhi_zazen> chmod 755 foo
[00:09] <bodhi_zazen> you change the group with chown or chgrp
[00:09] <bodhi_zazen> chown owner:group foo
[00:09] <bodhi_zazen> chown owner.group foo
[00:09] <bodhi_zazen> period works as well as a : , although it is deprecated >:)
[00:09] <bodhi_zazen> With the gui tools use the pull down menu
[00:10] <bodhi_zazen> The thing that is odd, directories
[00:10] <bodhi_zazen> you need to set the x to list the contents of a directory
[00:10] <bodhi_zazen> chmod a+x bar
[00:10] <bodhi_zazen> allows people to ls bar
[00:10] <bodhi_zazen> again see http://www.zzee.com/solutions/linux-permissions.shtml
[00:11] <bodhi_zazen> Questions about basic permissions ?
[00:11] <bodhi_zazen> otherwise I am going to move on to sticky bits >:)
[00:12] <bodhi_zazen> Sticky bits are not hard to understand, but they are odd
[00:12] <bodhi_zazen> They are also called SUID and SGID
[00:12] <bodhi_zazen> if you have an executable file or binary
[00:13] <bodhi_zazen> and you suid it, it runs with the permissions of the OWNER of the file, not the user who runs the script / binary
[00:13] <bodhi_zazen> so ...
[00:13] <bodhi_zazen> if the file is owned by root
[00:13] <bodhi_zazen> and you then chmod 755
[00:13] <bodhi_zazen> anyone can run the file
[00:14] <bodhi_zazen> if you run the script as a user, the process has permissions of the user who called it
[00:14] <bodhi_zazen> If, however, you chmod u+s foo
[00:14] <bodhi_zazen> now anyone can run the script and , as it is owned by root, it runs as if root called the script
[00:15] <bodhi_zazen> no password is required
[00:15] <bodhi_zazen> do not do this
[00:15] <bodhi_zazen> any script to be run by root should be owned by root and, IMO, called with sudo
[00:15] <bodhi_zazen> same thing applies to SGID
[00:15] <bodhi_zazen> if the SGID bit is set, the script runs with permissions of the group that owns the file
[00:16] <bodhi_zazen> with me so far ?
[00:16] <bodhi_zazen> One last bit, +t
[00:16] <bodhi_zazen> +t is the "sticky bit"
[00:16] <Spreadsheet> Can I talk?
[00:16] <bodhi_zazen> in the past it meant keep the script in memory
[00:16] <bodhi_zazen> Spreadsheet: yes
[00:16] <bodhi_zazen> anyone can break in at any time
[00:17] <Spreadsheet> Ok, I have a question
[00:17] <bodhi_zazen> this is an open session
[00:17] <bodhi_zazen> please :)
[00:17] <Spreadsheet> This is sorta related to the topic
[00:17] <Spreadsheet> Sometimes i use chown, and it doesn't work
[00:17] <Spreadsheet> Then i use it a couple more times and it does work...
[00:17] <Spreadsheet> Is this a bug?
[00:17] <pleia2> :)
[00:17] <bodhi_zazen> You can not chown a file or directory you do not own
[00:17] <bodhi_zazen> hey pleia2 :)
[00:18] <Spreadsheet> bodhi_zazen: All of the files on this comp belong to me...
[00:18] <bodhi_zazen> this makes sense in that a user can not chown a file owned by root
[00:18] <Spreadsheet> Oh wait
[00:18] <Pretto> never happened to me :D
[00:18] <bodhi_zazen> LMAO Spreadsheet
[00:18] <Spreadsheet> Ok, the file is owned by root
[00:18] <Spreadsheet> So then I use sudo
[00:18] <bodhi_zazen> to change a file owned by root you need sudo
[00:19] <bodhi_zazen> but you should not change ownership or permissions of system files
[00:19] <Spreadsheet> It's not a system file
[00:19] <bodhi_zazen> sudo -e /etc/fstab for example
[00:19] <Spreadsheet>  /var/www/
[00:19] <bodhi_zazen> yea, that *should* be owned by www-data
[00:19] <Spreadsheet> ehh... go on
[00:19] <bodhi_zazen> so, add your user to www-data
[00:19] <bodhi_zazen> :)
[00:20] <bodhi_zazen> OK, we were talking sticky bits
[00:20] <bodhi_zazen> the most common use of a sticky bit is on a directory
[00:20] <bodhi_zazen> if a sticky bit is set on a shared directory (one with say permissions of 777)
[00:21] <bodhi_zazen> users can not delete files they do not own
[00:21] <bodhi_zazen> even though group or other permissions may allow rw access to a file
[00:21] <bodhi_zazen> There is a very nice review of sticky bits here : http://lokams.blogspot.com/2008/03/about-suid-sgid-and-sticky-bit.html
[00:22] <bodhi_zazen> and here : http://www.linuxdevcenter.com/pub/a/linux/lpt/22_06.html
[00:22] <bodhi_zazen> questions ?
[00:22] <bodhi_zazen> Otherwise I am going to talk about acl , or access control lists
[00:23] <bodhi_zazen> Please, all questions are welcome and it gets boring seeing a wall of bodhi.zazen speaking >:)
[00:23] <Snova> Might want to go into setuid/setgid (though that'd be another wall :P)
[00:23] <Snova> Oh wait
[00:23]  * Snova wasn't here
[00:23] <Snova> Well, in that case, what does the sticky bit do on a file?
[00:23] <bodhi_zazen> lol Snova :)
[00:24] <bodhi_zazen> you mean the -t on a file ?
[00:24] <bodhi_zazen> or the SUID
[00:24] <Snova> Sticky bit... no idea what "-t" means. :P
[00:24] <bodhi_zazen> lol
[00:25] <bodhi_zazen> Snova: take a look at this linky : http://lokams.blogspot.com/2008/03/about-suid-sgid-and-sticky-bit.html
[00:25] <Spreadsheet> g2g
[00:25] <bodhi_zazen> I covered the topic just previous and do not want to repeat it ;)
[00:26] <bodhi_zazen> OK , acl stands for access control list
[00:26] <bodhi_zazen> the idea of an acl list comes into play when you have many, perhaps hundreds of users on a system
[00:26] <bodhi_zazen> and so then the "other" permissions get messy
[00:27] <bodhi_zazen> you do not want to create hundreds of groups for all the various user shares
[00:27] <bodhi_zazen> enter acl
[00:27] <bodhi_zazen> acl allows a user to set permissions on a file or directory for each user on the system
[00:28] <bodhi_zazen> acl is the backbone of SELinux, and if you understand acl you understand a lot about SELinux
[00:28] <bodhi_zazen> acl is installed by default on Ubuntu, but you need to "activate" it
[00:28] <bodhi_zazen> it is an option when you mount a file system
[00:28] <bodhi_zazen> so you
[00:29] <bodhi_zazen> mount /dev/sdxy /media/foo -o acl
[00:29] <bodhi_zazen> Or add acl to /etc/fstab in the options column
[00:29] <Pretto> so, acl is just for "others" right?
[00:29] <bodhi_zazen> yes and no Pretto
[00:29] <bodhi_zazen> I will demo it in a sec ...
[00:30] <bodhi_zazen> acl is a command line tool
[00:30] <bodhi_zazen> although there is a very nice gui tool, Eiciel
[00:30] <bodhi_zazen> http://www.linux.com/feature/138169
[00:31] <bodhi_zazen> Eiciel is in the Ubuntu repos , but I could not integrate it with Nautilus as in that link
[00:31] <bodhi_zazen> after you install it it is in the menu under System
[00:31] <bodhi_zazen> want to see acl in action ?
[00:31]  * jgoguen nods
[00:32] <Pretto> yeap
[00:32] <bodhi_zazen> OK, everyone ssh into the shared session ?
[00:32] <bodhi_zazen> let me show a few things ...
[00:33] <bodhi_zazen> OK, permissions of new files are governed by umask
[00:33] <bodhi_zazen> so as you can see , the group is governed by the primary or effective group
[00:33] <bodhi_zazen> Now let's change groups for a sec
[00:34] <bodhi_zazen> the command was newgrp and it spawns a new shell
[00:34] <Pretto> :D
[00:34] <bodhi_zazen> do you see how that changed the group of the new file ?
[00:35] <bodhi_zazen> OK, so if I want a shared directory , I would now need to chmod all those files
[00:35] <bodhi_zazen> chmod -R 770 MAD
[00:35] <bodhi_zazen> or worse, chmod -R 777 MAD
[00:36] <bodhi_zazen> or chgrp and then chown, you get the idea
[00:36] <bodhi_zazen> now let us use ACL
[00:36] <bodhi_zazen> See the +s in the permissions ?
[00:36] <bodhi_zazen> the sgid is set
[00:38] <bodhi_zazen> Do you see how the sgid bit made the file "file.admin" owned by the group guru ?
[00:38] <bodhi_zazen> >:)
[00:38] <bodhi_zazen> OK, now acl ...
[00:38] <bodhi_zazen> You list the access list with getfacl file
[00:39] <bodhi_zazen> we set the acl with setfacl
[00:42] <bodhi_zazen> This changed the behavior of the directory, we set the defaults with -d and the options with -m and long handed rwx permissions
[00:42] <jgoguen> bodhi_zazen: so the default ACL entries will override the existing user/group/other permissions?
[00:42] <bodhi_zazen> yes jgoguen
[00:43] <bodhi_zazen> with that last command , I overrode the sgid we set
[00:43] <bodhi_zazen> the directory is not owned by admin
[00:43] <bodhi_zazen> default:group:admin:rwx
[00:43] <bodhi_zazen> watch
[00:44] <bodhi_zazen> hmm, not what I expected, lol
[00:44] <Pretto> hhehhehhe. .weird
[00:45] <Pretto> so the + means that MAD has an acl?
[00:46] <bodhi_zazen> yes Pretto
[00:46] <bodhi_zazen> see how acl changed the group of "file" made by root ?
[00:46] <bodhi_zazen> from root.root to root.guru ?
[00:46] <bodhi_zazen> OK, now let's add a user
[00:47] <bodhi_zazen> see, now I added in the user, bodhi, who has rwx to the file MAD/file.guru
[00:48] <bodhi_zazen> user:bodhi:rwx
[00:48] <bodhi_zazen> and on
[00:48] <bodhi_zazen> Obviously acl is a bit complex
[00:48] <bodhi_zazen> and I will not claim to be an expert
[00:48] <bodhi_zazen> :)
[00:49] <bodhi_zazen> oops, apparmor is preventing me from showing you more with acl at the moment
[00:49] <bodhi_zazen> lol
[00:50] <bodhi_zazen> see : http://www.suse.de/~agruen/acl/linux-acls/online/
[00:50] <bodhi_zazen> for more info on acl
[00:50] <bodhi_zazen> and man acl
[00:50] <bodhi_zazen> and Eiciel
[00:51] <bodhi_zazen> Eiciel gives you a gui tool to manage acl
[00:51] <bodhi_zazen> Sorry if I rambled on too long about permissions
[00:51] <bodhi_zazen> :)
[00:51] <bodhi_zazen> we have 10 min left
[00:51] <bodhi_zazen> questions ?
[00:52] <bodhi_zazen> you like the shared ssh session ?
[00:53] <bodhi_zazen> I can demo apparmor if you want :)
[00:54] <bodhi_zazen> See how the /tmp directory has +t set ?
[00:54] <bodhi_zazen> you should now know what that means :)
[00:55] <bodhi_zazen> you should now understand why root kits search for files with the suid bit set
[00:58] <jgoguen> bodhi_zazen: back to setuid/setgid...should setgid necessarily be avoided the same as setuid?
[00:59] <bodhi_zazen> probably jgoguen
[00:59] <bodhi_zazen> although it is not working as I expected
[01:00] <bodhi_zazen> if you need to run a script as root, use sudo
[01:00] <bodhi_zazen> If you need to give a user limited root access, use sudo and configure with visudo >:)
[01:00] <bodhi_zazen> Ah, apparmor is restricting me from further demos :)
[01:01] <bodhi_zazen> you will have to check out suid on your own , lol
[01:01] <jgoguen> I was thinking more along the lines of having a script write to a log file...but I suppose ACL would also handle that quite nicely :)
[01:01] <bodhi_zazen> acl FTW :)
[01:02] <bodhi_zazen> Once you learn acl , and you have a multiuser system, you will make good use of it
[01:02] <bodhi_zazen> acl does not make sense, however, on a single user system
[01:03] <Pretto> thank you for your explanations bodhi_zazen
[01:03] <bodhi_zazen> np Pretto :)
[01:03] <bodhi_zazen> thank you for coming
[01:03] <bodhi_zazen> anyone have a suggestion for next time ?
[01:04] <bodhi_zazen> In the long run, we will bring up a moodle site and content will be available for review pre and post sessions
[01:04] <bodhi_zazen> the BT is working on it
[01:04] <bodhi_zazen> If you have suggestions, add it here
[01:05] <bodhi_zazen> https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
[01:05] <bodhi_zazen> thank you everyone for coming
[01:05] <bodhi_zazen> please spread the word
[01:06] <bodhi_zazen> you should all have been disconnected from the shared session as I closed it :)
[01:06] <bodhi_zazen> see you again in 2 weeks
[01:06] <jgoguen> \o/ ty bodhi_zazen
[01:06] <bodhi_zazen> you are most welcome jgoguen
[01:06] <bodhi_zazen> I hope I learned you something
[01:08] <WastePotato> I always miss it. ):
[01:08] <DasEi> ermm, you're just done now ?
[01:08] <WastePotato> ?
[01:09] <WastePotato> I had a shower.
[01:09] <DasEi> root@jaunty64:~# date -u
[01:09] <DasEi> Fr 10. Apr 00:05:07 UTC 2009
[01:09] <DasEi> root@jaunty64:~#
[01:09] <WastePotato> Wut/
[01:09] <DasEi> gnarf...
[01:10] <WastePotato> Hey bodhi_zazen, what was that thing on your shell with the quote and and the calendar? I want it. o:
[01:13] <WastePotato> DasEi: Oh I get it.
[01:13] <DasEi> I recently got an email saying friday, 00.00 utc.. two thirds of every meeting slip through the time-gap
[01:13] <WastePotato> Daylight savings time, maybe?
[01:14] <DasEi> WastePotato: on a linux-trml? , lol; WastePotato
[01:14] <WastePotato> Hmm.
[01:15] <DasEi> sad enough, and I even was on and checked time before-- lets all go home and cry then ;-)
[01:16] <WastePotato> Wait a sec.
[01:16] <DasEi> sure
[01:17] <DasEi> any of the others, did someone log that session ?
[01:18] <WastePotato> http://pastebin.com/f153ef8b5 ('pastebin - collaborative debugging tool')
[01:18] <WastePotato> It's the best I can do. ):
[01:18] <WastePotato> Damn. I really need to sort out my log folder.
[01:19] <DasEi> WastePotato: very nice thank you, now I can rest in peace again
[01:20] <WastePotato> DasEi And all of the stuff that happened in his ssh session is here: http://pastebin.com/m1aa9b669 ('pastebin - collaborative debugging tool')
[01:23] <DasEi> so permissions, nothing completely new to me, though always nice to re-exercise; funny, the date I got was european - one day
[01:24] <DasEi> WastePotato: did you want me to wait for the log or still something else ?
[01:30] <WastePotato> Eh?
[01:32] <WastePotato> The channel log and the ssh log are all that I have/
[01:34] <WastePotato> Does anyone want me to paste the log on the site?
[01:34] <WastePotato> !log
[01:34] <ubot2> Channel logs can be found at http://irclogs.ubuntu.com/ - See also !OpenWeek
[01:34] <WastePotato> ):
[01:34] <DasEi> WastePotato: that was very nice, I just refelcted your upper Wait a sec, gripping acl rightnow:)
[01:34] <DasEi> reflected*
[01:35] <WastePotato> Oh. :)
[01:40] <DasEi> is there anyone around practising some ssh with me tomorrow/saturday..  whenever ?
[01:44] <DasEi> enough to read and try myself for now, see you around and thanks again
[04:38] <schwinn434> looking for #ubuntuforums-beginners something like this, any help would be appreciated
[04:38] <schwinn434> can't get the exact chat room name correctly
[04:42] <nhandler> schwinn434: It is #ubuntuforums-beginners, I don't know why it isn't working for you