[00:00] Are we ready to start?
[00:00] * Snova is here
[00:00] weee hooo
[00:00] * tim_sharitt is ready
[00:00] first, sorry about the confusion re time and date
[00:01] again, I will do these Q&A sessions every 2 weeks or so
[00:01] I was asked to cover permissions today and to make it interesting will add in sticky bits and acl :)
[00:01] * RachedTN is ready too :)
[00:02] This is a good time to mention the shared ssh session
[00:02] http://paste.ubuntu.com/147955/
[00:02] we can use that for a hands on demo
[00:02] but if you are interested, please ssh in when you get a chance
[00:02] so you are ready to go when we start
[00:02] * Geek`N`Proud thought he'd stick around
[00:02] 404
[00:02] if you need help, ask and someone will answer in a PM
[00:02] The requested URL /beginners/ufbt-guest was not found on this server.
[00:03] http://paste.ubuntu.com/147955/
[00:03] Am I late?
[00:03] No.
[00:03] Ok.
[00:03] Ah, my mistake, lol
[00:03] http://bodhizazen.net/ufbt/ufbt-guest
[00:03] * bodhi_zazen bad
[00:04] Yay. SSHing into bodhi_zazen's computer. \o/
[00:04] sweet :)
[00:04] Or as close to it as you'll ever get...
[00:04] OK, let's start with the basics
[00:04] permissions often frustrate new users
[00:05] and it is a BIG change if you come from Windows
[00:05] i'm going to pop back over to gnome
[00:05] Every file and directory has an owner (the one who made it), a group, and "other"
[00:05] permissions are rwx - read, write, and execute
[00:05] and so are listed with ls -l
[00:05] as 3 sets:
[00:06] rwxrwxrwx
[00:06] for owner:group:other
[00:06] a - means you do not have the permission
[00:06] so r--r--r-- is read only
[00:07] You can also see permissions graphically by right clicking a file
[00:07] and selecting the permissions tab
[00:07] To change permissions from the command line you can use "octals"
[00:07] which are listed here: http://www.zzee.com/solutions/linux-permissions.shtml
[00:08] or if you can not use the octals, use +rwx
[00:08] so, with the chmod command
[00:08] chmod o+rwx foo
[00:08] chmod g+r foo
[00:08] chmod 755 foo
[00:09] you change the group with chown or chgrp
[00:09] chown owner:group foo
[00:09] chown owner.group foo
[00:09] period works as well as a :, although it is deprecated >:)
[00:09] With the gui tools use the pull down menu
[00:10] The thing that is odd, directories
[00:10] you need to set the x to list the contents of a directory
[00:10] chmod a+x bar
[00:10] allows people to ls bar
[00:10] again see http://www.zzee.com/solutions/linux-permissions.shtml
[00:11] Questions about basic permissions?
[00:11] otherwise I am going to move on to sticky bits >:)
[00:12] Sticky bits are not hard to understand, but they are odd
[00:12] They are also called SUID and SGID
[00:12] if you have an executable file or binary
[00:13] and you suid it, it runs with the permissions of the OWNER of the file, not the user who runs the script / binary
[00:13] so ...
[00:13] if the file is owned by root
[00:13] and you then chmod 755
[00:13] anyone can run the file
[00:14] if you run the script as a user, the process has permissions of the user who called it
[00:14] If, however, you chmod u+s foo
[00:14] now anyone can run the script and, as it is owned by root, it runs as if root called the script
[00:15] no password is required
[00:15] do not do this
[00:15] any script to be run by root should be owned by root and, IMO, called with sudo
[00:15] same thing applies to SGID
[00:15] if the SGID bit is set, the script runs with permissions of the group that owns the file
[00:16] with me so far?
[00:16] One last bit, +t
[00:16] +t is the "sticky bit"
[00:16] Can I talk?
[00:16] in the past it meant keep the script in memory
[00:16] Spreadsheet: yes
[00:16] anyone can break in at any time
[00:17] Ok, I have a question
[00:17] this is an open session
[00:17] please :)
[00:17] This is sorta related to the topic
[00:17] Sometimes i use chown, and it doesn't work
[00:17] Then i use it a couple more times and it does work...
[00:17] Is this a bug?
[00:17] :)
[00:17] You can not chown a file or directory you do not own
[00:17] hey pleia2 :)
[00:18] bodhi_zazen: All of the files on this comp belong to me...
[00:18] this makes sense in that a user can not chown a file owned by root
[00:18] Oh wait
[00:18] never happened to me :D
[00:18] LMAO Spreadsheet
[00:18] Ok, the file is owned by root
[00:18] So then I use sudo
[00:18] to change a file owned by root you need sudo
[00:19] but you should not change ownership or permissions of system files
[00:19] It's not a system file
[00:19] sudo -e /etc/fstab for example
[00:19] /var/www/
[00:19] yea, that *should* be owned by www-data
[00:19] ehh... go on
[00:19] so, add your user to www-data
[00:19] :)
[00:20] OK, we were talking sticky bits
[00:20] the most common use of a sticky bit is on a directory
[00:20] if a sticky bit is set on a shared directory (one with say permissions of 777)
[00:21] users can not delete files they do not own
[00:21] even though group or other permissions may allow rw access to a file
[00:21] There is a very nice review of sticky bits here: http://lokams.blogspot.com/2008/03/about-suid-sgid-and-sticky-bit.html
[00:22] and here: http://www.linuxdevcenter.com/pub/a/linux/lpt/22_06.html
[00:22] questions?
[00:22] Otherwise I am going to talk about acl, or access control lists
[00:23] Please, all questions are welcome and it gets boring seeing a wall of bodhi.zazen speaking >:)
[00:23] Might want to go into setuid/setgid (though that'd be another wall :P)
[00:23] Oh wait
[00:23] * Snova wasn't here
[00:23] Well, in that case, what does the sticky bit do on a file?
[00:23] lol Snova :)
[00:24] you mean the -t on a file?
[00:24] or the SUID
[00:24] Sticky bit... no idea what "-t" means. :P
[00:24] lol
[00:25] Snova: take a look at this linky: http://lokams.blogspot.com/2008/03/about-suid-sgid-and-sticky-bit.html
[00:25] g2g
[00:25] I covered the topic just previous and do not want to repeat it ;)
[00:26] OK, acl stands for access control list
[00:26] the idea of an acl list comes into play when you have many, perhaps hundreds of users on a system
[00:26] and so then the "other" permissions get messy
[00:27] you do not want to create hundreds of groups for all the various user shares
[00:27] enter acl
[00:27] acl allows a user to set permissions on a file or directory for each user on the system
[00:28] acl is the backbone of SELinux, and if you understand acl you understand a lot about SELinux
[00:28] acl is installed by default on Ubuntu, but you need to "activate" it
[00:28] it is an option when you mount a file system
[00:28] so you
[00:29] mount /dev/sdxy /media/foo -o acl
[00:29] Or add acl to /etc/fstab in the options column
[00:29] so, acl is just for "others" right?
[00:29] yes and no Pretto
[00:29] I will demo it in a sec ...
[00:30] acl is a command line tool
[00:30] although there is a very nice gui tool, Eiciel
[00:30] http://www.linux.com/feature/138169
[00:31] Eiciel is in the Ubuntu repos, but I could not integrate it with Nautilus as in that link
[00:31] after you install it it is in the menu under System
[00:31] want to see acl in action?
[00:31] * jgoguen nods
[00:32] yeap
[00:32] OK, everyone ssh into the shared session?
[00:32] let me show a few things ...
[00:33] OK, permissions of new files are governed by umask
[00:33] so as you can see, the group is governed by the primary or effective group
[00:33] Now let's change groups for a sec
[00:34] the command was newgrp and it spawns a new shell
[00:34] :D
[00:34] do you see how that changed the group of the new file?
[00:35] OK, so if I want a shared directory, I would now need to chmod all those files
[00:35] chmod -R 770 MAD
[00:35] or worse, chmod -R 777 MAD
[00:36] or chgrp and then chown, you get the idea
[00:36] now let us use ACL
[00:36] See the +s in the permissions?
[00:36] the sgid is set
[00:38] Do you see how the sgid bit made the file "file.admin" owned by the group guru?
[00:38] >:)
[00:38] OK, now acl ...
[00:38] You list the access list with getfacl file
[00:39] we set the acl with setfacl
[00:42] This changed the behavior of the directory, we set the defaults with -d and the options with -m and long handed rwx permissions
[00:42] bodhi_zazen: so the default ACL entries will override the existing user/group/other permissions?
[00:42] yes jgoguen
[00:43] with that last command, I overrode the sgid we set
[00:43] the directory is not owned by admin
[00:43] default:group:admin:rwx
[00:43] watch
[00:44] hmm, not what I expected, lol
[00:44] hhehhehhe.. weird
[00:45] so the + means that MAD has an acl?
[00:46] yes Pretto
[00:46] see how acl changed the group of "file" made by root?
[00:46] from root.root to root.guru?
[00:46] OK, now let's add a user
[00:47] see, now I added in the user, bodhi, who has rwx to the file MAD/file.guru
[00:48] user:bodhi:rwx
[00:48] and on
[00:48] Obviously acl is a bit complex
[00:48] and I will not claim to be an expert
[00:48] :)
[00:49] oops, apparmor is preventing me from showing you more with acl at the moment
[00:49] lol
[00:50] see: http://www.suse.de/~agruen/acl/linux-acls/online/
[00:50] for more info on acl
[00:50] and man acl
[00:50] and Eiciel
[00:51] Eiciel gives you a gui tool to manage acl
[00:51] Sorry if I rambled on too long about permissions
[00:51] :)
[00:51] we have 10 min left
[00:51] questions?
[00:52] you like the shared ssh session?
[00:53] I can demo apparmor if you want :)
[00:54] See how the /tmp directory has +t set?
[00:54] you should now know what that means :)
[00:55] you should now understand why root kits search for files with the suid bit set
[00:58] bodhi_zazen: back to setuid/setgid...should setgid necessarily be avoided the same as setuid?
[00:59] probably jgoguen
[00:59] although it is not working as I expected
[01:00] if you need to run a script as root, use sudo
[01:00] If you need to give a user limited root access, use sudo and configure with visudo >:)
[01:00] Ah, apparmor is restricting me from further demos :)
[01:01] you will have to check out suid on your own, lol
[01:01] I was thinking more along the lines of having a script write to a log file...but I suppose ACL would also handle that quite nicely :)
[01:01] acl FTW :)
[01:02] Once you learn acl, and you have a multiuser system, you will make good use of it
[01:02] acl does not make sense, however, on a single user system
[01:03] thank you for your explanations bodhi_zazen
[01:03] np Pretto :)
[01:03] thank you for coming
[01:03] anyone have a suggestion for next time?
[01:04] In the long run, we will bring up a moodle site and content will be available for review pre and post sessions
[01:04] the BT is working on it
[01:04] If you have suggestions, add it here
[01:05] https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
[01:05] thank you everyone for coming
[01:05] please spread the word
[01:06] you should all have been disconnected from the shared session as I closed it :)
[01:06] see you again in 2 weeks
[01:06] \o/ ty bodhi_zazen
[01:06] you are most welcome jgoguen
[01:06] I hope I learned you something
[01:08] I always miss it. ):
[01:08] ermm, you're just done now?
[01:08] ?
[01:09] I had a shower.
[01:09] root@jaunty64:~# date -u
[01:09] Fr 10. Apr 00:05:07 UTC 2009
[01:09] root@jaunty64:~#
[01:09] Wut/
[01:09] gnarf...
[01:10] Hey bodhi_zazen, what was that thing on your shell with the quote and the calendar? I want it. o:
[01:13] DasEi: Oh I get it.
[01:13] I recently got an email saying friday, 00.00 utc.. two thirds of every meeting slip through the time-gap
[01:13] Daylight savings time, maybe?
[01:14] WastePotato: on a linux-trml?, lol; WastePotato
[01:14] Hmm.
[01:15] sad enough, and I even was on and checked time before-- let's all go home and cry then ;-)
[01:16] Wait a sec.
[01:16] sure
[01:17] any of the others, did someone log that session?
[01:18] http://pastebin.com/f153ef8b5
[01:18] It's the best I can do. ):
[01:18] Damn. I really need to sort out my log folder.
[01:19] WastePotato: very nice thank you, now I can rest in peace again
[01:20] DasEi And all of the stuff that happened in his ssh session is here: http://pastebin.com/m1aa9b669
[01:23] so permissions, nothing completely new to me, though always nice to re-exercise; funny, the date I got was european - one day
[01:24] WastePotato: did you want me to wait for the log or still something else?
[01:30] Eh?
[01:32] The channel log and the ssh log are all that I have/
[01:34] Does anyone want me to paste the log on the site?
[01:34] !log
[01:34] Channel logs can be found at http://irclogs.ubuntu.com/ - See also !OpenWeek
[01:34] ):
[01:34] WastePotato: that was very nice, I just reflected your upper Wait a sec, gripping acl right now:)
[01:34] reflected*
[01:35] Oh. :)
[01:40] is there anyone around practising some ssh with me tomorrow/saturday.. whenever?
[01:44] enough to read and try myself for now, see you around and thanks again
=== F4ilure is now known as Default_User
=== Andre123 is now known as AndreSTC
[04:38] looking for #ubuntuforums-beginners something like this, any help would be appreciated
[04:38] can't get the exact chat room name correctly
[04:42] schwinn434: It is #ubuntuforums-beginners, I don't know why it isn't working for you
=== yamen_ is now known as Myamen
=== _Purple_ is now known as _Purple_away
=== cavalierski is now known as cav
=== _Purple_away is now known as _Purple_