Permissions in Linux

To reach a deeper understanding of how the operating system works with permissions, we have to look at how the numbers map onto the permissions they grant: read / write / execute.

These numbers range from 0 to 7.

The following table shows what each number represents.

Permission bits   Output text                              Numeric value

---               All types of access are denied           0
--x               Execute access is allowed only           1
-w-               Write access is allowed only             2
-wx               Write and execute access are allowed     3
r--               Read access is allowed only              4
r-x               Read and execute access are allowed      5
rw-               Read and write access are allowed        6
rwx               Everything is allowed                    7

 


Linux Permissions Guide

Permissions on Plex Media Server

This is a write-up of how permissions on Linux systems affect Plex Media Server and its ability to find your media.

What are permissions

When accessing the filesystem of any Linux system, every file and directory carries a set of permission bits. These bits allow or deny different types of access to files and directories. They are written as numbers from 0 to 7 (we will get back to those) and translate into read/write/execute permissions. Permissions are also divided into three classes: owner (the user that owns the file), group (a group of users) and other (everyone else). The combination of these bits and the three classes is the backbone of access control throughout the entire Linux system. As we continue we will dig into how these permissions can be combined and how they affect the way Plex can access files.
The table below shows an example of the command ls -al in a directory.

As seen in the permission-bits column of the table, a directory has the file-type character set to d, while a regular file shows -. Moving on to the other bits, it is important to understand that each of the three classes is represented by three characters: r (read), w (write), x (execute) or - (none). The combination and placement of these define the owner/group/other access to our files and directories. Figure 1 shows how these are grouped.



On Linux, as mentioned just before, a directory is marked by the file-type character d. To enter a directory you need the execute bit, and to list its contents you need the read bit, so to access and open a directory both are required. Here are a couple of examples of directory permissions:

drwx------  the owner can enter, list and modify the directory (the write bit allows creating and deleting entries in it).
drwxrwx---  the owner and the group can enter, list and modify it.
drwxrwxrwx  anyone with access to the system can enter, list and modify it, which includes deleting other people's files in it.
drwxr-xr-x  only the owner can modify the directory, while group and others can enter and list it. This is the sane way to grant external access to a directory.

The approach to files is very similar. We start with the file-type character: if it is - (a regular file) then reading the file only requires the read bit. This is because on files the execute bit indicates whether the file is runnable (you can see this on the Plex Media Server binary, which has permissions -rwxr-xr-x). A few file examples:

-rw-------  grants the owner read and write access and nobody else anything.
-rw-rw----  grants owner and group read and write access.
-rw-rw-rw-  grants owner, group and other the right to read and modify the file.

So please be very aware of how you grant access rights to your files. The sane way is always to give the owner full access and read-only access to group and other, unless you require a group to be able to modify your files.


Permission bits

To get a deeper understanding of how the operating system interprets the permissions, we have to dig into how the numbers represent the read/write/execute bits. As mentioned before, each class is represented by a number from 0 to 7; the table at the start of this page shows what each number represents.


In most cases the values 0, 4, 5, 6 and 7 are used, so we will focus on those. Starting with directory access: from the information above we know that to work in a directory we need read and execute permission. So for a given folder, say /plexmedialibrary, the owner needs the bits set to 700, which is drwx------. If we want a group of users to access that directory, say all users on the system that are in a group named users, we set the permission bits to 750, which is drwxr-x---. Note that we are not granting the group the right to modify the directory, only to enter and read it. To permit all users, no matter what group they are in, to access the directory we set 755, which is drwxr-xr-x.

When it comes to files the approach is again similar, but with bits that suit files. For a given user to access a file, say /plexmedialibrary/witwicky.mkv, we need read permission for the owner; 600 does this and is -rw-------. To give both owner and group access we set 640, which is -rw-r-----. Note that again the group is not allowed to modify the file. For all users and services on the system to be able to read the file, the bits have to be 644, which is -rw-r--r--.
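As an added example (not code from the original guide), here is a small POSIX shell helper that converts between the symbolic mode shown by ls -l and the octal number passed to chmod, in both directions. It goes one step beyond the table at the start of this page by also handling the setuid, setgid and sticky bits (shown by ls as s/S and t/T), since those appear in real listings and a setuid or world-writable entry is exactly what a script should flag. The modes in the demo loop are illustrative only.

```shell
#!/bin/sh
# Added example (not from the original page): convert between the symbolic
# mode string printed by `ls -l` and the octal digits passed to chmod.
# Assumption: input is a 9-character permission string, optionally preceded
# by the file-type character (d, -, l, ...). Beyond the page's table it also
# understands the setuid/setgid/sticky bits (s/S/t/T) because `ls` shows them.

# Octal value of one rwx triplet: r=4, w=2, x=1 (s and t also imply x).
triplet_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# mode_to_octal 'drwxr-xr-x' -> 0755 ; mode_to_octal '-rwsr-xr-x' -> 4755
mode_to_octal() {
    m=$1
    if [ ${#m} -eq 10 ]; then
        m=${m#?}                        # drop the file-type character
    fi
    if [ ${#m} -ne 9 ]; then
        echo "mode_to_octal: expected 9 or 10 characters, got '$1'" >&2
        return 1
    fi
    u=${m%??????}                       # first three characters: owner
    g=${m#???}; g=${g%???}              # middle three: group
    o=${m#??????}                       # last three: other
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac   # setuid
    case $g in ??[sS]) special=$((special + 2)) ;; esac   # setgid
    case $o in ??[tT]) special=$((special + 1)) ;; esac   # sticky
    printf '%d%d%d%d\n' "$special" "$(triplet_value "$u")" \
        "$(triplet_value "$g")" "$(triplet_value "$o")"
}

# Symbolic triplet for one octal digit (the page's table, as code).
digit_to_triplet() {
    case $1 in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) echo "digit_to_triplet: bad octal digit '$1'" >&2; return 1 ;;
    esac
}

# octal_to_symbolic 644 -> rw-r--r-- ; octal_to_symbolic 4755 -> rwsr-xr-x
octal_to_symbolic() {
    d=$1
    case $d in
        [0-7][0-7][0-7]) d="0$d" ;;          # no special digit given
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "octal_to_symbolic: expected 3 or 4 octal digits, got '$1'" >&2
           return 1 ;;
    esac
    s=${d%???}
    u=${d#?}; u=${u%??}
    g=${d#??}; g=${g%?}
    o=${d#???}
    us=$(digit_to_triplet "$u")
    gs=$(digit_to_triplet "$g")
    os=$(digit_to_triplet "$o")
    # Special bits replace the x position: lower case when x is set, upper case when not.
    if [ $((s & 4)) -ne 0 ]; then case $us in ??x) us="${us%?}s" ;; *) us="${us%?}S" ;; esac; fi
    if [ $((s & 2)) -ne 0 ]; then case $gs in ??x) gs="${gs%?}s" ;; *) gs="${gs%?}S" ;; esac; fi
    if [ $((s & 1)) -ne 0 ]; then case $os in ??x) os="${os%?}t" ;; *) os="${os%?}T" ;; esac; fi
    printf '%s%s%s\n' "$us" "$gs" "$os"
}

# Demo on a few of the modes discussed in the text.
for m in drwx------ drwxr-xr-x -rw-r--r-- -rwsr-xr-x drwxrwxrwt; do
    printf '%-12s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
for d in 700 755 644 640 4755 1777; do
    printf '%-12s -> %s\n' "$d" "$(octal_to_symbolic "$d")"
done
```

Both functions print to stdout and return 1 on malformed input, so they can be used inline: `mode_to_octal "$(ls -ld /plexmedialibrary | cut -c1-10)"` gives the number to pass back to chmod.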
Now that we have gone over the basic structure of the read, write and execute bits for directories and files, we can move on to the tools. Linux uses three commands to control basic access rights: chown to change the owner of directories and files, chgrp to change which group owns them, and chmod to modify the permission bits.

How to use the chmod command

To modify the permission bits on Linux we use the command chmod. It works on both files and directories. The command can be run as any user, but an ordinary user can only change permissions on files and directories they own. So for instance it is not possible to log on as user Optimus and change a file owned by user Megatron, nor is it possible for non-root users to change root-owned files; only root can change the mode of any file.
The command sets the read/write/execute permissions using the bit numbers mentioned above. The easiest way of running it is as root, but be cautious about what you run on what when you are root: doing this incorrectly can disrupt your system (a recursive chmod on the wrong path is a classic way to break it). To show how the command is used, we will take a file and a directory we want permissions set on.
First the file. Say we have a file in /plexmedialibrary named witwicky.mkv and we want a given user, Megatron, to be able to read it, but the file is owned by Optimus. The file has permissions 640 and therefore only allows Optimus and his group to access it. See below:


We want Megatron to have access, so we need to change the permission bits to 644. The command for this is:


chmod 644 witwicky.mkv


After running the command we ls -al the dir to see what has changed.


As we can see the permission bits now read -rw-r--r--, which is the equivalent of 644. Now Megatron can read the video file.


The next example is the directory. We will use /plexmedialibrary as the example. Again we want Megatron to be able to view files and directories under /plexmedialibrary. As shown below, the file has the readable bit set for other, but the folder itself does not have the readable and executable bits set for other, which prevents Megatron from seeing the content of that folder:


To get the permissions set correctly we again run chmod on the directory. The command would be:


chmod 755 /plexmedialibrary


This results in /plexmedialibrary granting read and execute rights on the folder to everyone, thereby permitting Megatron to enter the folder and reach the files in it. The result is shown below:


Note that we are not granting other users the right to modify (write) files and directories, only the rights to read and execute. This is the secure way to grant access without letting everyone on the system delete the files and directories.
To read more about chmod and its options goto here: http://en.wikipedia.org/wiki/Chmod

How to use the chown command

First of all: on Linux an ordinary user cannot give away a file they own, and obviously cannot take over a file owned by someone else. Changing ownership therefore requires root (the CAP_CHOWN capability), so run chown as root.


The simplest example of using chown is running it on a single file. Say we have a file /plexmedialibrary/witwicky.mkv owned by Optimus, but we want Megatron to own it. An ls -al of /plexmedialibrary before we change the ownership to Megatron would show:



To change the ownership from Optimus to Megatron, as root run the command:


chown megatron witwicky.mkv



The same applies to directories. When changing the owning user you can also change the owning group at the same time. So if you wanted to change the ownership of witwicky.mkv from optimus:autobots to megatron:deceptacons the command would be:


chown megatron:deceptacons witwicky.mkv



If you want to change ownership on a directory, all its subdirectories and files included, the command would be:


chown -R megatron /plexmedialibrary


And if you want to add a group into the mix again its:


chown -R megatron:deceptacons /plexmedialibrary



To read more about chown and its options goto here: http://en.wikipedia.org/wiki/Chown


How to use the chgrp command


In addition to the chown command there is its sibling chgrp (change group), which changes only the group ownership of files and directories. Though used less often than chown, it is handy when you want to grant a group of users access to files instead of changing who owns them. Every user on a Linux system belongs to at least one group. Most users are created as members of the group users, or on creation get a private group with the same name as their username. In the examples above we have used two groups, autobots and deceptacons, to illustrate how groups might look on a system. To give a quick example of how chgrp works we will use a file and directory example.


Starting where we left off with the /plexmedialibrary directory and the autobots and deceptacons groups: everything, including the directory, is group-owned by autobots, and we will make a video file accessible to user megatron through his group, deceptacons. So we change the group ownership from autobots to deceptacons. The command to run for the directory /plexmedialibrary is:


chgrp -R deceptacons /plexmedialibrary


This results in the following change:
Note that the other (global) permissions in this example are set to ---, which ensures that only the user optimus and the group deceptacons can access the directory and file.


We used the -R option to recursively change the group ownership of /plexmedialibrary and all the files in it. The -R option is not required, but without it only the group ownership of /plexmedialibrary itself would have changed, and Megatron would have had access to the directory but not to the video file witwicky.mkv.


How permissions affect Plex Media Server


Plex Media Server on Ubuntu/Fedora/CentOS systems runs in the context of the user plex. On some NAS releases this varies; on unRAID, for instance, the username is unraid-plex, so simply replace the username in these descriptions with the one that applies to your PMS version. Since Plex Media Server runs as a restricted user and not as root (ReadyNAS is normally the exception), it is very important that the directories it uses for storing its metadata, bundles and logs are writable by that user. The default on the main Linux distributions is /var/lib/plexmediaserver, but it can be customized via the variable $PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR. The media you want to add to Plex also has to be readable by this user.


Say you have an Ubuntu installation and you installed it with the user Optimus Prime (optimus). Your home directory and everything configuration-related for that user will be placed under /home/optimus. The default permissions on it are normally 755, and everything you place under it, say /home/optimus/movies, will be readable by the user plex. But if you selected the extra security features during install (a small checkbox in the installer), the permissions will be 700 instead, and nothing will be able to access /home/optimus/movies except the user optimus, even if you set 777 on your movies folder. This is because on Linux permissions are checked for every directory on the way down to a file: if a parent folder does not let you traverse it, you have no access to anything under that folder, no matter what permissions you set further down. So you would first need to change the permissions on /home/optimus so that others can traverse it. Be aware that opening your home directory to others also exposes everything else in it.


The default permissions on home directories on CentOS/Fedora are 700, so anything you create as your user under your home directory will likewise be inaccessible to the user plex. It is therefore a good idea to put your media somewhere other than your home folder and set the permissions accordingly. A good practice for media is 755 on directories and 644 on media files. Go to the quickguide to see how this can be achieved.


The main things to understand here: if plex cannot write to its config directory it will not start, and if it cannot read your media files it cannot process them.
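The rule that every directory on the way to a file is checked is the one that bites most often, so here is an added example (not code from the original guide) that predicts, from the mode bits alone, whether a given user can reach a path: it walks the path component by component, picks the owner, group or other class the way the kernel does, requires execute on each intermediate directory and read on the final entry, and names the first component that blocks. The user's group list is passed in explicitly, so it gives the same answer whoever runs it (real root bypasses these bits); it relies on ls -ld printing mode, owner and group as fields 1, 3 and 4, and it does not resolve symlinks. The plexmedialibrary/witwicky.mkv layout in the demo is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original page): walk a path component by
# component and report the first directory or file whose mode bits deny a
# given user, using the same owner/group/other selection the kernel applies.
# Assumptions: `ls -ld` prints the mode in field 1 and owner/group in fields
# 3 and 4 (GNU and BSD ls both do); the user's groups are passed in, so this
# is a prediction from the bits, not a real access attempt; symlinks are not
# resolved. Root bypasses these bits entirely.

# check_path_for_user PATH USER [GROUP...]
#   returns 0: every component grants what is needed
#   returns 1: denied; prints the component and the bits that block the user
#   returns 2: a component does not exist or cannot be inspected
check_path_for_user() {
    target=$1
    user=$2
    shift 2
    user_groups=" $* "
    case $target in
        /*) cur=/ ; rest=${target#/} ;;
        *)  cur=. ; rest=$target ;;          # relative path: start from the cwd
    esac
    while :; do
        set -f                              # no globbing of ls output
        set -- $(ls -ld "$cur" 2>/dev/null)
        set +f
        [ $# -ge 4 ] || return 2
        mode=$(printf '%.10s' "$1")        # strip ACL '+' / SELinux '.' markers
        owner=$3
        group=$4
        perms=${mode#?}
        # Exactly one class applies: owner, else group, else other. If you are
        # the owner, permissive group/other bits do not help you.
        if [ "$owner" = "$user" ]; then
            class=owner; bits=${perms%??????}
        else
            case $user_groups in
                *" $group "*) class=group; bits=${perms#???}; bits=${bits%???} ;;
                *)            class=other; bits=${perms#??????} ;;
            esac
        fi
        if [ -z "$rest" ]; then
            need=r                                # final component: read it
            case $mode in d*) need=rx ;; esac     # ...and enter it if it is a directory
        else
            need=x                                # intermediate directory: traverse only
        fi
        case $need in
            *r*)
                case $bits in
                    r??) ;;
                    *) echo "DENIED at $cur: $user is '$class' with '$bits', needs read"
                       return 1 ;;
                esac ;;
        esac
        case $need in
            *x*)
                case $bits in
                    ??[xst]) ;;
                    *) echo "DENIED at $cur: $user is '$class' with '$bits', needs execute (traverse)"
                       return 1 ;;
                esac ;;
        esac
        if [ -z "$rest" ]; then
            break
        fi
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        cur=${cur%/}/$comp
    done
    echo "OK: $user can read $target (matched as '$class' on the last component)"
    return 0
}

# Demo: the situation from the text, built in a temporary directory.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/plexmedialibrary"
: > "$demo_dir/plexmedialibrary/witwicky.mkv"
chmod 755 "$demo_dir" && chmod 700 "$demo_dir/plexmedialibrary"
chmod 644 "$demo_dir/plexmedialibrary/witwicky.mkv"
check_path_for_user "$demo_dir/plexmedialibrary/witwicky.mkv" plex plex || true
chmod 755 "$demo_dir/plexmedialibrary"
check_path_for_user "$demo_dir/plexmedialibrary/witwicky.mkv" plex plex || true
rm -rf "$demo_dir"
```

On a real system you would pass the output of `id -Gn plex` as the group list; the point of taking it as an argument is that the check can be run by anyone and still describes what the plex user would experience.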


Quickguide


To get fast access to changing permissions, here are some quick examples of how to control them.


chmod
The command used to change the permission bits on files and directories.


Change a file to be modifiable for user and readable for group and other.
chmod 644 filename


Change a directory to be modifiable for user and accessible for group and other.
chmod 755 directoryname


Change recursively everything under a directory to be readable/executable by group and other and modifiable by the owner. Note that this also sets the execute bit on every regular file, which you normally do not want for media; the find command under Advanced chmod below gives directories 755 and files 644 instead.
chmod -R 755 directoryname


Advanced chmod


To change permissions on directories to 755 and on files to 644 (replace /plexmedialibrary to fit your requirements):


find /plexmedialibrary -type d -exec chmod 755 {} \;
find /plexmedialibrary -type f -exec chmod 644 {} \;

The backslash before the ; is required so that the shell passes it to find instead of treating it as the end of the command.


chown


The command used for changing the ownership of files or directories.


Change a file/directory to be owned by user plex (replace filename/directory with the name of your file or directory):
chown plex filename/directory


Change ownership recursively of directory and all files under the directory:
chown -R plex directory


Change user ownership and group ownership on a file or directory (replace file/directory with the name of your file or directory):
chown plex:plex file/directory


Change user ownership and group ownership recursively on a file or directory (replace file/directory with the name of your file or directory):
chown -R plex:plex file/directory


chgrp


The command used for changing the group ownership of files or directories


Change a file/directory to be group-owned by the group plex (replace filename/directory with the name of your file or directory):
chgrp plex filename/directory


Change group ownership recursively of a directory and all files under it:

chgrp -R plex directory


3.3. User and Group Management Tools

Managing users and groups can be tiresome; this is why Fedora provides tools and conventions to make this task easier to manage.

The easiest way to manage users and groups is through the graphical application, User Manager(system-config-users). For more information on User Manager, refer to Section 3.2, “User Manager Tool”.

The following command line tools can also be used to manage users and groups:

  • useradd, usermod, and userdel — Industry-standard methods of adding, deleting and modifying user accounts
  • groupadd, groupmod, and groupdel — Industry-standard methods of adding, deleting, and modifying user groups
  • gpasswd — Industry-standard method of administering the /etc/group file
  • pwck, grpck — Tools used for the verification of the password, group, and associated shadow files
  • pwconv, pwunconv — Tools used for the conversion of passwords to shadow passwords and back to standard passwords

3.3.1. Command Line Configuration

 

If you prefer command line tools or do not have the X Window System installed, use the following to configure users and groups.

Adding a User

To add a user to the system:

 

  1. Issue the useradd command to create a locked user account:

    useradd username

  2. Unlock the account by issuing the passwd command to assign a password and set password aging guidelines:

    passwd username

Command line options for useradd are detailed in Table 3.1, “useradd Command Line Options”.


Table 3.1. useradd Command Line Options

  -c 'comment'       comment can be replaced with any string. This option is generally used to specify the full name of a user.
  -d home_directory  Home directory to be used instead of the default /home/username/.
  -e date            Date on which the account is disabled, in the format YYYY-MM-DD.
  -f days            Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not disabled after the password expires.
  -g group_name      Group name or group number for the user's default group. The group must exist prior to being specified here.
  -G group_list      List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here.
  -m                 Create the home directory if it does not exist.
  -M                 Do not create the home directory.
  -N                 Do not create a user private group for the user.
  -p password        The password encrypted with crypt.
  -r                 Create a system account with a UID less than 500 and without a home directory.
  -s                 User's login shell, which defaults to /bin/bash.
  -u uid             User ID for the user, which must be unique and greater than 499.

The 500 boundary is the UID_MIN/GID_MIN value in /etc/login.defs of the Fedora release this section was written for; current Fedora and most other distributions use 1000, so check that file rather than assuming a number.

 

Adding a Group

 

To add a group to the system, use the command groupadd:

groupadd group_name

Command line options for groupadd are detailed in Table 3.2, “groupadd Command Line Options”.

Table 3.2. groupadd Command Line Options

  -f, --force              When used with -g gid and gid already exists, groupadd chooses another unique gid for the group.
  -g gid                   Group ID for the group, which must be unique and greater than 499.
  -K, --key key=value      Override /etc/login.defs defaults.
  -o, --non-unique         Allow creating a group with a duplicate (non-unique) GID.
  -p, --password password  Use this encrypted password for the new group.
  -r                       Create a system group with a GID less than 500.

 

Password Aging

 

For security reasons, it is advisable to require users to change their passwords periodically. This can be done when adding or editing a user on the Password Info tab of the User Manager.

To configure password expiration for a user from a shell prompt, use the chage command with an option from Table 3.3, "chage Command Line Options", followed by the username.

Shadow passwords must be enabled to use chage

Shadow passwords must be enabled to use the chage command. For more information, see Section 3.7, “Shadow Passwords”.

Table 3.3. chage Command Line Options

  -d days   Sets the date the password was last changed, as the number of days since January 1, 1970.
  -E date   Sets the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used.
  -I days   Sets the number of inactive days after the password expires before the account is locked. A value of -1 disables this check; 0 locks the account as soon as the password expires.
  -l        Lists the current account aging settings.
  -m days   Sets the minimum number of days between password changes. If the value is 0, the user may change the password at any time.
  -M days   Sets the maximum number of days for which the password is valid. When this value plus the last-change date (the -d value) is earlier than the current day, the user must change the password before using the account.
  -W days   Sets the number of days before the password expiration date on which the user starts being warned.


 

chage interactivity

If the chage command is followed directly by a username (with no options), it displays the current password aging values and allows them to be changed interactively.

You can configure a password to expire the first time a user logs in. This forces users to change passwords immediately.

  1. Set up an initial password — There are two common approaches to this step: the administrator can assign a default password, or use a null password.

    To assign a default password, type the following at a shell prompt:

    passwd username

    To assign a null password instead, use the following command:

    passwd -d username

    Avoid using null passwords whenever possible

    Using a null password, while convenient, is a highly insecure practice, as any third party can log in first and access the system using the insecure username. Always make sure that the user is ready to log in before unlocking an account with a null password.

  2. Force immediate password expiration — Type the following command:

    chage -d 0 username

    This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.

Upon the initial log in, the user is now prompted for a new password.
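To see what the chage options actually change, here is an added example (not from the original Fedora text) that parses the aging fields of an /etc/shadow line and reports what login would do with it on a given day: a last-change date of 0 (chage -d 0) forces a change, -M sets the expiry, -W the warning window, -I the inactivity period after which the expired password is no longer accepted, and -E the absolute account expiry. The shadow lines are constructed samples with placeholder hashes, and "today" is passed in as days since the epoch so the result is reproducible.

```shell
#!/bin/sh
# Added example (not from the original page): evaluate the aging fields of an
# /etc/shadow entry the way login does, so the effect of chage -d 0, -M, -W,
# -I and -E can be seen without touching a real account. The sample lines
# below are constructed; the "$6$salt$hash" hashes are placeholders.
#
# /etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg and expire are days since 1970-01-01, like `chage -d` / `chage -E`).

# shadow_status SHADOW_LINE TODAY_AS_DAYS_SINCE_EPOCH
#   0 = login allowed, 1 = must change password at login,
#   2 = login refused, 3 = password locked, 4 = null password
shadow_status() {
    line=$1
    today=$2
    old_ifs=$IFS
    set -f                          # hashes contain '$' and '*': no globbing
    IFS=:
    set -- $line
    set +f
    IFS=$old_ifs
    name=$1 hash=$2 lastchg=$3 max=$5 warn=$6 inactive=$7 expire=$8

    # chage -E: absolute account expiry, checked before anything else.
    if [ -n "$expire" ] && [ "$expire" -ge 0 ] && [ "$today" -ge "$expire" ]; then
        echo "$name: account expired on day $expire, login refused"
        return 2
    fi
    case $hash in
        '') echo "$name: NULL password, anyone can log in as this user"; return 4 ;;
        '!'*|'*'*) echo "$name: password locked"; return 3 ;;
    esac
    if [ -z "$lastchg" ]; then
        echo "$name: password aging disabled"
        return 0
    fi
    # chage -d 0: a last change "in 1970" forces a change at next login.
    if [ "$lastchg" -eq 0 ]; then
        echo "$name: must change password at next login"
        return 1
    fi
    if [ -z "$max" ] || [ "$max" -lt 0 ] || [ "$max" -ge 99999 ]; then
        echo "$name: password never expires"
        return 0
    fi
    expires_on=$((lastchg + max))
    if [ "$today" -ge "$expires_on" ]; then
        # chage -I: once the inactivity window has passed the expired password
        # is no longer accepted at all (0 means immediately, -1/empty means never).
        if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] \
           && [ "$today" -ge $((expires_on + inactive)) ]; then
            echo "$name: password expired on day $expires_on and the inactivity period has passed, login refused"
            return 2
        fi
        echo "$name: password expired, must change at next login"
        return 1
    fi
    left=$((expires_on - today))
    if [ -n "$warn" ] && [ "$left" -le "$warn" ]; then
        echo "$name: password expires in $left days (warning period)"
        return 0
    fi
    echo "$name: password ok, $left days left"
    return 0
}

# Demo with constructed entries; "today" is fixed to day 20000 for reproducibility.
today=20000
for entry in \
    'optimus:$6$salt$hash:19950:0:90:7:::' \
    'megatron:$6$salt$hash:0:0:99999:7:::' \
    'bumblebee:$6$salt$hash:19900:0:90:7:5::' \
    'ratchet:!$6$salt$hash:19990:0:99999:7:::' \
    'jazz::19990:0:99999:7:::'
do
    shadow_status "$entry" "$today" || true
done
```

Run against a live system with something like `shadow_status "$(grep '^john:' /etc/shadow)" $(( $(date +%s) / 86400 ))` as root; the jazz entry above is what `passwd -d` leaves behind, which is why the text warns against null passwords.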


Delete user, remove user on Linux Fedora, using userdel command


The userdel command is used to remove (delete) a user account on a Linux Fedora machine. The article below shows step by step how to remove a user on Fedora.
Commands used:
# finger [username] <– Verify that the user account exists on the Linux system
# userdel [username] <– Remove the user account from the Linux system
# userdel -r [username] <– Delete the user account and also remove the home directory, including its files, and the mail spool
Verify the existence of the user with username john on the system:
Verify Linux user account exist on the system
[root@fedora ~]# finger john
Login: john Name: (null)
Directory: /home/john Shell: /bin/bash
Never logged in.
No mail.
No Plan.
[root@fedora ~]#
Remove user account or delete user account.
Remove user account from Linux system
[root@fedora ~]# userdel john
[root@fedora ~]#
Remove user or delete user account along with their user home directory and user mail spool.
Delete user account from Linux system
[root@fedora ~]# userdel -r john
[root@fedora ~]#
Verify the user deleted from the system.
View information of user account
[root@fedora ~]# finger john
finger: john: no such user.
[root@fedora ~]#
Sorry mate:   No deluser command available right now… maybe soon…
[root@fedora ~]# deluser
-bash: deluser: command not found
[root@fedora ~]#