This week's book giveaways are in the Java EE and JavaScript forums.
We're giving away four copies each of The Java EE 7 Tutorial Volume 1 or Volume 2(winners choice) and jQuery UI in Action and have the authors on-line!
See this thread and this one for details.
The moose likes Linux / UNIX and the fly likes Linux administration question Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of The Java EE 7 Tutorial Volume 1 or Volume 2 this week in the Java EE forum
or jQuery UI in Action in the JavaScript forum!
JavaRanch » Java Forums » Engineering » Linux / UNIX
Bookmark "Linux administration question" Watch "Linux administration question" New topic
Author

Linux administration question

Joe Harry
Ranch Hand

Joined: Sep 26, 2006
Posts: 9351
    
    2

Guys,

I have some basic question on simple Linux administration related tasks. How can I make sure that the new user that got created does not have permissions to view certain files like /etc/shadow and more over which are the files that I need to protect? Do we have a predefined mechanism or a shell script that by default secures the system for all other users other than root for certain sensitive files.


SCJP 1.4, SCWCD 1.4 - Hints for you, Certified Scrum Master
Did a rm -R / to find out that I lost my entire Linux installation!
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16019
    
  20

Linux comes from Unix and Unix grew up in college computer labs, which means that it very quickly learned to protect itself from student pranks, hackers, and less admirable things.

Every file and directory in the Linux filesystem has a filesystem mask that indicates the permission to read, write, or execute (in the case of directories, to access). These 3 bits are themselves grouped into 3 categories: owner, group, and other.

/etc/shadow has by default the following mask: 400, which means that only the owner (root) can read it, and no else can do anything with it. So it's set up properly right out of the box.

/etc/shadow was, in fact created because people were reading /etc/passwd to get stuff like the list of valid userids, and they didn't want the really critical info to be in that file. So if a password is "x", the actual password is in /etc/shadow.

Ironically, this simple system is a lot less powerful than the ACL system that Windows NT and later versions support, but since security isn't something that can be slapped on top of an insecure system, Windows is infamous for security problems and Unix and Linux are not.

However, the 3-bits system is pretty crude, so more recently the selinux system was developed to allow more precise control of access. That, however, is a topic worthy of an entire book.


Customer surveys are for companies who didn't pay proper attention to begin with.
 
Don't get me started about those stupid light bulbs.
 
subject: Linux administration question