Red Hat ENTERPRISE LINUX 3 - INTRODUCTION TO SYSTEM ADMINISTRATION Administration Manual page 138

and execute the file. The next set of rwx symbols define group access (again, with full access), while
the last set of symbols define the types of access permitted for all other users. Here, all other users
may read and execute the file, but may not modify it in any way.

One important point to keep in mind regarding permissions and user accounts is that every application
run on Red Hat Enterprise Linux runs in the context of a specific user. Typically, this means that if
user juan launches an application, the application runs using user juan's context. However, in some
cases the application may need a more privileged level of access in order to accomplish a task. Such
applications include those that edit system settings or log in users. For this reason, special permissions
have been created.

There are three such special permissions within Red Hat Enterprise Linux. They are:

setuid — used only for applications, this permission indicates that the application is to run as the
owner of the file and not as the user executing the application. It is indicated by the character s in
place of the x in the owner category. If the owner of the file does not have execute permissions, the
S is capitalized to reflect this fact. Because such an application runs with privileges its caller does
not have, any flaw in it can be exploited by every user permitted to run it; the setuid applications on
a system should therefore be few, and every one of them should be known to the administrator.

setgid — used primarily for applications, this permission indicates that the application is to run as
the group owning the file and not as the group of the user executing the application.
If applied to a directory, all files created within the directory are owned by the group owning the
directory, and not by the group of the user creating the file. The setgid permission is indicated by
the character s in place of the x in the group category. If the group owner of the file or directory
does not have execute permissions, the S is capitalized to reflect this fact.

sticky bit — used primarily on directories, this bit dictates that a file in the directory can be
removed or renamed only by the file's owner, the directory's owner, or root, even when the directory
itself is writable by everyone. It is indicated by the character t in place of the x in the everyone
category. If the everyone category does not have execute permissions, the T is capitalized to reflect
this fact.

Under Red Hat Enterprise Linux, the sticky bit is set by default on the /tmp/ directory for exactly
this reason: /tmp/ is writable by every user, and without the sticky bit any user could delete or
rename any other user's temporary files.
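As an added example (not part of the Red Hat manual), the following POSIX shell script creates scratch files and directories, applies each special bit with chmod, and prints the mode string that ls shows, so that the lowercase s/t cases and the capitalised S/T cases described above can be seen side by side. It also counts the setuid/setgid files under a directory, which is the audit an administrator runs on a real system. The scratch directory, the file names and the octal modes are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the Red Hat manual. Creates files and directories in
# a scratch directory, sets the setuid, setgid and sticky bits with chmod, and
# shows how each bit appears in the symbolic mode string, including the
# capital S / T that marks a special bit whose matching execute bit is absent.
# Assumes a POSIX shell and ls on Linux; only the first ten characters of
# "ls -ld" output are used, so an SELinux "." or ACL "+" suffix does no harm.

SCRATCH=$(mktemp -d) || exit 1          # scratch directory for this example
trap 'rm -rf "$SCRATCH"' EXIT
umask 022

# mode_string KIND OCTAL
#   KIND is "f" (regular file) or "d" (directory). Creates a fresh object of
#   that kind in $SCRATCH, applies OCTAL with chmod and prints the ten-character
#   type-plus-permission field exactly as ls shows it (e.g. -rwsr-xr-x).
mode_string() {
    kind=$1
    mode=$2
    path="$SCRATCH/${kind}_$mode"
    rm -rf "$path"
    if [ "$kind" = d ]; then
        mkdir "$path"
    else
        : > "$path"
    fi
    chmod "$mode" "$path" || return 1
    ls -ld "$path" | cut -c1-10
}

# count_special DIR
#   The check an administrator actually runs: how many regular files under DIR
#   carry setuid (4000) or setgid (2000). On a real system the argument would
#   be / and the list itself, not just the count, is what gets reviewed.
count_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Worked cases: the octal mode on the left, the string ls prints on the right.
# 4644 and 2744 deliberately omit the execute bit so the capital letter shows.
for case in "f 4755" "f 4644" "f 2755" "f 2744" "d 1777" "d 1776"; do
    set -- $case
    printf '%s %s -> %s\n' "$1" "$2" "$(mode_string "$1" "$2")"
done
printf 'setuid/setgid regular files under %s: %s\n' "$SCRATCH" "$(count_special "$SCRATCH")"
```

The loop prints -rwsr-xr-x for 4755 but -rwSr--r-- for 4644, -rwxr-sr-x for 2755 but -rwxr-Sr-- for 2744, and drwxrwxrwt for 1777 but drwxrwxrwT for 1776; on a standard install, ls -ld /tmp shows the same drwxrwxrwt. A capital S on a real file usually means a mistake was made when setting the mode, since the setuid bit has no effect on a file nobody can execute.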
6.3.1.1. Usernames and UIDs, Groups and GIDs

In Red Hat Enterprise Linux, user account and group names are primarily for people's convenience.
Internally, the system uses numeric identifiers. For users, this identifier is known as a UID, while for
groups the identifier is known as a GID. Programs that make user or group information available to
users translate the UID/GID values into their more human-readable counterparts.

Important

UIDs and GIDs must be globally unique within your organization if you intend to share files and
resources over a network. Otherwise, whatever access controls you put in place may fail to work
properly, as they are based on UIDs and GIDs, not usernames and group names.

Specifically, if the /etc/passwd and /etc/group files on a file server and a user's workstation differ
in the UIDs or GIDs they contain, improper application of permissions can lead to security issues.

For example, if user juan has a UID of 500 on a desktop computer, files juan creates on a file server
will be created with owner UID 500. However, if user bob logs in locally to the file server (or even
some other computer), and bob's account also has a UID of 500, bob will have full access to juan's
files, and vice versa.

Therefore, UID and GID collisions are to be avoided at all costs. In practice the only reliable way to
guarantee this is to assign UIDs and GIDs from a single, centrally maintained source rather than
separately on each host.

Chapter 6. Managing User Accounts and Resource Access
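The juan/bob collision described above can be found before it causes trouble by comparing the account databases of the two hosts. The script below is an added example, not code from the Red Hat manual: the passwd entries it embeds are constructed for the example, and the host name in the usage note is hypothetical. It reports both directions of disagreement, one numeric ID shared by different names (the case in the text) and one name carrying different numeric IDs (which locks a user out of files that are really theirs).

```shell
#!/bin/sh
# Added example, not from the Red Hat manual. Compares the account databases of
# two hosts and reports the two ways they can disagree:
#   - one numeric ID that names different accounts on each host (the juan/bob
#     case in the text: the file server sees only UID 500, so whoever owns
#     UID 500 on any host owns those files);
#   - one account name that has different numeric IDs on each host (so the
#     user is locked out of files that are really theirs).
# Works on /etc/passwd and /etc/group text alike, since in both the name is
# field 1 and the numeric ID is field 3. Needs only POSIX sh and awk.
# The entries below are constructed for this example, not real accounts.

WORKSTATION_PASSWD='root:x:0:0:root:/root:/bin/bash
juan:x:500:500:Juan:/home/juan:/bin/bash
maria:x:501:501:Maria:/home/maria:/bin/bash
dave:x:502:502:Dave:/home/dave:/bin/bash'

FILESERVER_PASSWD='root:x:0:0:root:/root:/bin/bash
bob:x:500:500:Bob:/home/bob:/bin/bash
maria:x:501:501:Maria:/home/maria:/bin/bash
carol:x:502:502:Carol:/home/carol:/bin/bash
dave:x:503:503:Dave:/home/dave:/bin/bash'

# compare_db AWK_PROGRAM TEXT_A TEXT_B
#   Writes the two database texts to temporary files and runs AWK_PROGRAM over
#   them with ":" as the field separator (awk sees file A first, then file B).
compare_db() {
    prog=$1
    a=$(mktemp) || return 1
    b=$(mktemp) || return 1
    printf '%s\n' "$2" > "$a"
    printf '%s\n' "$3" > "$b"
    awk -F: "$prog" "$a" "$b"
    rm -f "$a" "$b"
}

# id_collisions TEXT_A TEXT_B
#   Prints "id name_on_a name_on_b" for every numeric ID that exists on both
#   hosts under different names. Prints nothing when the databases agree.
id_collisions() {
    compare_db '
        NR == FNR { name[$3] = $1; next }          # file A: remember name per ID
        ($3 in name) && name[$3] != $1 {           # file B: same ID, other name
            print $3, name[$3], $1
        }' "$1" "$2"
}

# name_mismatches TEXT_A TEXT_B
#   Prints "name id_on_a id_on_b" for every account name that exists on both
#   hosts under different numeric IDs.
name_mismatches() {
    compare_db '
        NR == FNR { id[$1] = $3; next }            # file A: remember ID per name
        ($1 in id) && id[$1] != $3 {               # file B: same name, other ID
            print $1, id[$1], $3
        }' "$1" "$2"
}

printf 'IDs that name different people on the workstation and the file server:\n'
id_collisions "$WORKSTATION_PASSWD" "$FILESERVER_PASSWD"
printf 'Names that carry different IDs on the workstation and the file server:\n'
name_mismatches "$WORKSTATION_PASSWD" "$FILESERVER_PASSWD"
```

With the constructed data the first report is "500 juan bob" and "502 dave carol", and the second is "dave 502 503". On real hosts the same functions take live data, for example id_collisions "$(getent passwd)" "$(ssh fileserver getent passwd)", where fileserver is a hypothetical host name; run them over getent group output as well, since the warning in the text covers GIDs too.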
