10 October 2012

Configuration of users, groups and file/directory permissions

Since this is my first foray into Linux I had no idea what to write about in relation to Unix administration. After looking at the topics I chose configuration of users, groups, and file/directory permissions for several reasons. The first is that I did spend some time many years ago setting up an Active Directory infrastructure, so I am hoping to relate how to set up users in Linux to mirror that structure, if that is at all possible. The second reason is that one of the first things a server administrator would have to do after booting and loading a file system would be to define permissions to allow people to get access to either the application or data on the server. I suspect that a lot of thought would have to be put into doing this; if it is not done correctly it will be ad hoc or have to be redone multiple times to get it right. Having to redo it might require all of the users to lose access while it is being redone. I think explaining how to set up the file/directory permissions relating to the access capabilities of the users/groups will also be interesting to learn. Finally, the other reason that I chose this topic is that it has the most words, so in my thinking, if it took that long to describe the topic, hopefully there will be enough material to fill up a research paper.

My goal in doing the research is to gain an understanding of these topics and pass that information on to anyone who is as clueless as I currently am on Linux. I will accomplish this by separating the two topics into individual sections and then finally tying them all together to show how they interrelate. By focusing on how to implement them from an enterprise perspective I will be looking at scalability and the ability to change without impacting a large number of people. First I will focus on how to set up users and some considerations about how the users should be defined in groups. For the file directories and permissions I will try to research and write about considerations and alternatives for setting up directories and permissions in a server environment that supports people's Home directories.

In my paper I am assuming that I am building a server from scratch without any knowledge of how to do so. The server's purpose will be to be a repository for the company's Home directories, where the employees will save most of their information that is either work related or personal. From my research it appears that the first thing I should do is to set up the users. The users in turn will set up directories based on the permissions I have given them. Generally speaking I am thinking that the user groups should somewhat replicate the organizational structure. I would be careful with some of the names of the organizations and not be as concerned about them, as I have known, through time, that organizations change their names and therefore the structure of the directories will get dirty fairly quickly given this. I would be hesitant to use the specific names, but if I didn't do that in the beginning everyone will wonder how to navigate to get to their specific data. Also, one of the critical pieces that I need to focus on is the types of users, to create useful group names, and then I have to be sure to only give those users and groups access to the directories that will be necessary for them to perform their jobs and nothing more. There are several groups predefined in Linux but none other than the user group named user really fit the business needs for any particular business. The group naming structure really needs to be thought out so that it makes sense and is consistent throughout the server environment. I am going to use my team as an example of the types of groups I would create. I manage a team that is subdivided by technology. My first thought is to create an overall group called IntOps for my management team and me to be located in. Next I would create groups called Network, Distributed, and Voice for each of the technology areas. I would also create a group called Private that would house information that each team member might need but shouldn't be opened to the general populace.

The first thing that needs to be kept in mind is that when a user is added to Linux, the default group that the user is added to uses the same name as the user name, unless otherwise specified (Ippolito). The first command below sets up a group called Network and the second command creates a userid called Dave and places that userid in the Network group as well as a supplemental group Private. (The -m creates a home directory for Dave):

groupadd Network
useradd -m -g Network -G Private Dave

According to the article below from Dartmouth.edu, "Every user on a Unix system has a unique username, and is a member of at least one group (the primary group for that user). Every directory and file on the system has an owner, and also an associated group. It also has a set of permission flags which specify separate read, write and execute permissions for the 'user' (owner), 'group', and 'other' (everyone else with an account on the computer)" (Dartmouth).

Given the information above, once a user is added then that user can create a directory structure that inherits that user's attributes by using the mkdir command. The directory structure will be created under whatever directory group the user is currently in. Assume for the example below that there is already a group called IntOps and that the user Dave has write permissions for that group. If I logged on as Dave and changed the directory to /IntOps, I could create a directory called / by performing the $ mkdir Network command. This directory then inherits the group that I belong to, in this case Network. Anyone else in the Network group should be able to access the directory with the same permissions as I have. Another useful command I saw was using the -p option on the mkdir command; that option will create a directory tree under the parent directory that I am in. As an example, suppose I was in my /IntOps/Network directory and wanted to create a nested directory called class/cis206/notes/commands. Instead of creating each directory individually, I could use the command $ mkdir -p class/cis206/notes/commands and, assuming that none of the directories already exist, this command will create them.
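Added example (not part of the original paper): what the group and "other" classes can do in a directory made with mkdir -p is set by the umask of the account that creates it, so the script below builds the same tree under three umask values and reports the permission flags of every level. The scratch directory from mktemp stands in for /IntOps/Network, and the three umask values are chosen for illustration.

```sh
#!/bin/sh
# Added example: the umask in effect when mkdir runs decides which
# permission flags each newly created directory receives.

# tree_flags UMASK -> prints "<flags> <dir>" for every directory created by
# "mkdir -p class/cis206/notes/commands" under that umask.
tree_flags() {
    (
        umask "$1"
        base=$(mktemp -d) || exit 1     # scratch dir, stands in for /IntOps/Network
        cd "$base" || exit 1
        mkdir -p class/cis206/notes/commands
        for d in class class/cis206 class/cis206/notes class/cis206/notes/commands; do
            # the first ten characters of "ls -ld" are the permission flags
            printf '%s %s\n' "$(ls -ld "$d" | cut -c1-10)" "$d"
        done
        cd / && rm -rf "$base"
    )
}

# leaf_flags UMASK -> flags of the deepest directory only
leaf_flags() { tree_flags "$1" | tail -n 1 | cut -d' ' -f1; }

# 022: group and others may list and enter; 027: group only; 077: owner only
for mask in 022 027 077; do
    echo "umask $mask:"
    tree_flags "$mask"
done
```

Under umask 027 every level comes out as drwxr-x---, the same flags as the listing discussed in the next section, so group members can read and enter the tree but cannot create files in it.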

In the next part of my research paper I am going to talk through basic file and directory permissions and what each field means when looking at them. After executing an ls -l command the following output is shown:

drwxr-x--- 2 Dave Network 12050 Oct 10 2012 /home/info

The information below provides the definitions for the fields in the line above.

Field 1: a set of ten permission flags.

Position   Meaning
1          directory flag, 'd' if a directory, '-' if a normal file
2,3,4      read, write, execute permission for User (Owner) of file = Dave can read, write and execute out of this directory
5,6,7      read, write, execute permission for Group = group Network can read and execute
8,9,10     read, write, execute permission for Other = others can neither read, nor write, nor execute

Field 2: link count
Field 3: owner of the file = Dave
Field 4: associated group for the file = Network
Field 5: size in bytes = 12050
Field 6-8: date of last modification = Oct 10 2012
Field 9: name of file = /home/info
("Dartmouth.edu")

Building a server from scratch with matching user groups and directories will take a lot of time and study to understand the organizational structure or other logical grouping of those users. The structure that I have attempted above tries to align the user group names to the directory structure names so that it is easy for an administrator to debug an issue that might be occurring. If I had a new user in Network that couldn't access a file in Voice and I thought I had given them permission to do so, I could go to the /IntOps/Voice directory and look to confirm that the user permissions were set correctly.
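Added example (not part of the original paper): a small helper for the check described above, which takes one line of ls -l output, a user name and that user's groups, and reports which of the three permission triplets applies. The users Ann and Bob and the notes.txt line are constructed for illustration; the first sample line is the one from the text.

```sh
#!/bin/sh
# Added example: which permission triplet of an "ls -l" line applies to an account.
# The kernel tests owner, then group, then other, and uses only the first match.
# root bypasses these checks, and ACLs (a trailing "+") are not modelled here.

# access_for "LS_LINE" USER "GROUP1 GROUP2 ..."  ->  prints "<class> <rwx>"
access_for() {
    line=$1 user=$2 groups=$3
    set -f; set -- $line; set +f      # split into fields without globbing
    flags=$1 owner=$3 group=$4        # fields 1, 3 and 4 of the listing
    case "$flags" in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]*) ;;
        *) echo "invalid"; return 1 ;;
    esac
    if [ "$user" = "$owner" ]; then
        class=owner start=2
    else
        case " $groups " in
            *" $group "*) class=group start=5 ;;
            *)            class=other start=8 ;;
        esac
    fi
    bits=$(printf '%s' "$flags" | cut -c"$start"-"$((start + 2))")
    # s/t = execute plus a special bit, S/T = special bit without execute
    bits=$(printf '%s' "$bits" | sed -e 's/[st]/x/' -e 's/[ST]/-/')
    printf '%s %s\n' "$class" "$bits"
}

page_line='drwxr-x--- 2 Dave Network 12050 Oct 10 2012 /home/info'   # from the text
access_for "$page_line" Dave "Network Private"   # owner rwx
access_for "$page_line" Ann  "Network"           # hypothetical user: group r-x
access_for "$page_line" Bob  "Voice"             # hypothetical user: other ---
# Constructed line: Dave owns the file, so the wider group bits never apply to him.
access_for '-r--rw---- 1 Dave Network 10 Oct 10 2012 notes.txt' Dave "Network"   # owner r--
```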

Where I work the security team won't allow people to use a workstation version of Linux, so starting this class everything was new to me. Having had no previous experience in Linux, this research project has done a lot for me in providing a basic understanding of how to set up users/groups and how setting these up ties back to file and directory permissions. In the beginning when I started the research I had lofty goals of understanding LDAP and setting up a pseudo Active Directory structure in Linux, but the more I learned I figured out that Linux natively has some advantages and disadvantages of trying to fit into a Windows permissions structure. The specific scenario of setting up a new server with new users has to be one of the easiest for a new person to research and implement. As I continue to gain experience in Linux and get more knowledgeable I am sure I will look back at this paper and realize how silly I was in setting up the structure with people/groups/files/permissions, but right now I think what I have proposed has some merit. In conclusion this research exercise has been quite fruitful and worth the extra effort to gain deeper knowledge in Linux administration.

References:

Långstedt, Nana. "Linux's Directory Structure." tuxfiles.org. N.p., 22 2005. Web. 26 Oct 2012. <http://www.tuxfiles.org/linuxhelp/linuxdir.html>.

"Understanding File Permissions on Unix: A Brief Tutorial." Dartmouth.edu. Dartmouth College. Web. 26 Oct 2012. <http://www.dartmouth.edu/~rc/help/faq/permissions.html>.

Ippolito, Greg. "Managing Group Access." Yolinux.com Tutorial. N.p. Web. 26 Oct 2012. <http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html>.

Supplemental information:

The default directory structure for Linux is below:

/ = the root directory, this is the starting point in the directory structure
/boot = the directory that Linux uses to store what it needs to boot up
/etc = where the configuration files for Linux are stored
/bin = where Linux stores its binary files that the system needs to operate such as shell, ls and grep
/usr = directory where user applications are stored, typically this is the largest directory
/home = directory for personal files
/root = super user root directory
(Långstedt)

After doing some research on the subject it appears that it is necessary to run a product called Samba on the file server. According to the Fedora Project, link below, Samba allows me to share files to the Windows environment. I realize that it is necessary to do this, but in reality most environments won't be exclusively Linux, so it is wise to consider the broader user base when setting up a file and/or print server. Samba comes with three daemons that allow it to communicate correctly with the Windows environment; they are smbd, nmbd and winbindd. The last service allows Windows users to appear as Unix users. The Samba distribution allows the Linux server to communicate using Microsoft proprietary protocols including MS-RPC and NetBIOS. Once it is set up correctly, simply do a net use command on the client to attach (mount) the Linux system's files to the Windows client.
