After a few sessions around Emacs I started to continue with Linux.
Every process on an operating system must belong to a user, because that is how the OS decides which privileges the process gets. This makes user management a very important task of the OS.
In Linux the first entry point is /etc/nsswitch.conf, provided by the glibc package. As everything builds on top of the Linux kernel and glibc, you can see how important that part is.
In the Name Service Switch configuration file you have multiple options to define where the OS should look for users.
If you run big networks you might use the Network Information Service (NIS) or LDAP. On most Linux systems you will rely on plain text files. It sounds old fashioned, but remember: for every process that gets started the system has to do a lookup. Any latency will affect the whole computer. If you need some kind of centralization, using a configuration management system like CFEngine or Puppet is a wise decision, as you get the best of both worlds: semi-central user management and no performance impact.
We have to distinguish between user authentication and authorization. Authorization is about what a user can do, either through direct privileges or by belonging to a group of users. Granting permissions to a group is easier for the administrator.
/etc/passwd is the next step after nsswitch if you rely on files.
Most privileges are about being able to access files and directories. The filesystem doesn't know anything about users. Instead we have a user id (uid) and a group id (gid) stored with the files.
The passwd file contains the uid and the primary gid for a user. Everybody on the system needs that information: for example, if you list a directory you don't want to see a uid but the username. Thus everybody requires permission to read the passwd file.
Wait a second: everybody is allowed to read the passwd file?
Your concern is right! That's why we nowadays have a sibling file, /etc/shadow, where the password hashes live. This file is only accessible to the root user and to programs running with root's privileges.
Of course a user might need more than one group. That's why we have /etc/group, containing a list of group members.
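To make the three files concrete, here is an added example (not part of the original post) that parses constructed passwd, shadow and group records, does the uid-to-name lookup that `ls -l` needs, collects a user's primary and supplementary groups, and runs two audit checks an administrator would want on these files: accounts other than root with uid 0, and shadow entries with an empty password field. The sample records are constructed for this example and the function names are this example's own.

```python
# Constructed sample records in the format of /etc/passwd, /etc/shadow and
# /etc/group. They do not come from any real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
toor:x:0:0:second root:/root:/bin/bash
"""

SHADOW = """\
root:$6$saltsalt$hashedhashedhashed:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$saltsalt$hashedhashedhashed:19700:0:99999:7:::
bob::19700:0:99999:7:::
toor:!:19700:0:99999:7:::
"""

GROUP = """\
root:x:0:
sudo:x:27:alice
alice:x:1000:
bob:x:1001:
developers:x:2000:alice,bob
"""


def parse_passwd(text):
    """Return {name: {uid, gid, gecos, home, shell}} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_group(text):
    """Return {name: {gid, members}}; members are the supplementary users."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def parse_shadow(text):
    """Return {name: password_field}; only the second field matters here."""
    shadow = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        shadow[fields[0]] = fields[1]
    return shadow


def uid_to_name(users, uid):
    """What ls -l does: map a numeric uid back to a username (first match wins)."""
    for name, info in users.items():
        if info["uid"] == uid:
            return name
    return str(uid)  # ls prints the bare number when no passwd entry matches


def groups_of(users, groups, name):
    """Primary group from passwd plus supplementary groups from /etc/group."""
    primary = users[name]["gid"]
    result = {g for g, info in groups.items() if info["gid"] == primary}
    result |= {g for g, info in groups.items() if name in info["members"]}
    return sorted(result)


def audit(users, shadow):
    """Findings worth a look: extra uid-0 accounts and empty password fields."""
    findings = []
    for name, info in users.items():
        if info["uid"] == 0 and name != "root":
            findings.append(f"{name}: uid 0 but not root")
    for name, pw in shadow.items():
        if pw == "":
            findings.append(f"{name}: empty password field in shadow")
    return findings


if __name__ == "__main__":
    users = parse_passwd(PASSWD)
    print(uid_to_name(users, 1000), groups_of(users, parse_group(GROUP), "alice"))
    for finding in audit(users, parse_shadow(SHADOW)):
        print("FINDING:", finding)
```

Note that the parsers key records by name, so a second entry with the same uid (like the constructed `toor`) is still a separate account; that is exactly the situation the audit flags, and it is one of the breakages a hand-edited passwd file can introduce.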
The above files are managed with either useradd, depending on your flavour of Linux. Isn't it nice that we have options? In theory you could also edit those files directly or write your own programs to do it. If you ask me, I wouldn't do that. Some people spent a lot of time writing groupdel. Other people took the passion to review those programs. If you write your own incarnation you might break the system so that nobody is able to log in to that computer.
Most permissions are about file access rights.
In the Unix world a file is primarily owned by a user and a group, and then we have all others. Depending on your file system or extensions like SELinux there might be more; for now let's keep it simple.
A few bits contain the file and directory permissions. With ls -l and chmod you can see and modify them.
Have a look in the man pages by running man chmod to learn more about
During our session we had a question about directory access. Here you have a real-world example:
Among other information, every file and directory carries a last-modified timestamp. The directory's last-modified timestamp gets updated if content in that directory gets modified or a file in that same directory gets updated.
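The following is an added example, not code from the original post, that works through the permission bits and the directory-access question above. It renders a mode the way `ls -l` does, implements the classic owner/group/other decision (including the edge case that the owner class is used even when it grants less than the group class, and that root still needs an x bit to execute a file), and goes one step beyond the text by showing that removing a file needs write and execute permission on the directory rather than on the file, with the sticky bit adding an ownership condition. All uids, gids and modes are constructed for the example; function names are this example's own.

```python
import stat

ROOT_UID = 0
R, W, X = 4, 2, 1  # permission bits as used in the octal mode


def mode_to_string(mode):
    """Render the nine rwx bits plus setuid/setgid/sticky like ls -l (without the type char)."""
    bits = [(stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
            (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
            (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x")]
    out = [char if mode & bit else "-" for bit, char in bits]
    if mode & stat.S_ISUID:
        out[2] = "s" if out[2] == "x" else "S"
    if mode & stat.S_ISGID:
        out[5] = "s" if out[5] == "x" else "S"
    if mode & stat.S_ISVTX:
        out[8] = "t" if out[8] == "x" else "T"
    return "".join(out)


def check_access(mode, owner_uid, owner_gid, uid, gids, want):
    """Discretionary access check for a process with uid/gids against a file.

    Exactly one class applies: owner if the uid matches, otherwise group if the
    file's gid is among the process's groups, otherwise other. The owner class
    is used even when it grants less than the group class would.
    Root bypasses read/write checks but still needs at least one x bit to execute.
    """
    if uid == ROOT_UID:
        return not (want & X) or bool(mode & 0o111)
    if uid == owner_uid:
        granted = (mode >> 6) & 7
    elif owner_gid in gids:
        granted = (mode >> 3) & 7
    else:
        granted = mode & 7
    return (granted & want) == want


def can_unlink(dir_mode, dir_uid, dir_gid, file_uid, uid, gids):
    """Removing a directory entry needs w+x on the directory, not on the file.

    With the sticky bit set on the directory (as on /tmp) the caller must
    additionally own the file or the directory. Root is always allowed.
    """
    if uid == ROOT_UID:
        return True
    if not check_access(dir_mode, dir_uid, dir_gid, uid, gids, W | X):
        return False
    if dir_mode & stat.S_ISVTX and uid not in (file_uid, dir_uid):
        return False
    return True


if __name__ == "__main__":
    # A root-owned file with mode 0640 and a group gid of 42 (constructed values):
    # readable by members of gid 42, invisible to everybody else.
    print(mode_to_string(0o640), check_access(0o640, 0, 42, 1000, {1000}, R))
    print(mode_to_string(0o1777), can_unlink(0o1777, 0, 0, 1001, 1000, {1000}))
```

The `can_unlink` function is the part people usually find surprising: a file with mode 0000 in a directory you can write to is deletable, while your own 0777 file in a directory without write permission for you is not.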
By now you should know how important the files in your
If you care about those files as much as I do, you might want to configure something like etckeeper to keep track of changes.