# Users, permissions and packages

### Overview

One of the benefits of creating virtual machines on the Google Cloud is that you are the administrator of the VM. That means you are free to install things and configure it however you need. This week we will talk about some of the administration tasks that you should be acquainted with. We will also discuss file permissions, and how to change them.

### Users

By default your VM has one user, which we have been logging in with. Your user is created with the same name as your Google account. This is a regular user account - it does not have the ability to overwrite system files, or do other administrative tasks.

This is a good thing because it prevents you from accidentally breaking the system. For instance, Unix will prevent you from deleting system files:

```
finlaysoni@myvm:~$ rm /usr/bin/cal
rm: cannot remove '/usr/bin/cal': Permission denied
```

We are not allowed to delete parts of the system automatically as our regular user, or do anything else to change the system itself. We are allowed to delete files within our home directory, so you must be careful with that.

In order to make administrative changes, we must temporarily request to act as the "root" user. This is done with the sudo command.

### Sudo

The sudo command allows you to execute some other command as the root user instead of as our normal user. This is just done by prefixing sudo onto some other command.

To demonstrate this, we can try it with the whoami command. This command simply prints your username. If we try it with and without sudo, we will see this:

```
finlaysoni@myvm:~$ whoami
finlaysoni
finlaysoni@myvm:~$ sudo whoami
root
```

What sudo does is take the command you give it and run it as the root user which has the ability to change the system.

Warning: You should be very careful using the sudo command. You can accidentally break the system if you are not careful.

In addition to being able to execute one-off commands, sudo can also be used to interactively execute several commands at a time. To do this, pass sudo the -i flag:

```
finlaysoni@myvm:~$ sudo -i
root@myvm:~# whoami
root
root@myvm:~#
```

Notice that this command changed our prompt and allows us to enter several commands as root. When you are done, you exit the same way that you log out of the VM in general, by hitting Control-D, or typing exit:

```
root@myvm:~# exit
logout
finlaysoni@myvm:~$
```

Then you will be back at your normal user prompt. You should only use sudo for tasks that actually require root privileges, and use your normal user all other times.

### Updating

One common task that requires sudo is keeping the system up to date. When you first log into the VM, you will see something like the following:

```
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-1009-gcp x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Jun 27 15:27:09 UTC 2018

  System load:  0.0               Processes:           92
  Usage of /:   15.3% of 9.52GB   Users logged in:     0
  Memory usage: 40%               IP address for ens4: 10.142.0.2
  Swap usage:   0%

 * Meltdown, Spectre and Ubuntu: What are the attack vectors,
   how the fixes work, and everything else you need to know
   - https://ubu.one/u2Know

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

3 packages can be updated.
3 updates are security updates.

Last login: Wed Jun 27 15:17:29 2018 from 192.65.245.88
```

There is a lot of information here, but probably the most important is the update information. This system currently has 3 packages which can be updated, and they are all security updates. If any packages can be updated, you can update them. If any are security updates, you really should perform the update. Otherwise, your VM may be vulnerable to attackers.

Warning: Your VM is open to the internet, meaning people will be attempting to hack into it. You should keep your system up to date to minimize the risk of them succeeding. You can see attempted logins by looking in the file /var/log/auth.log

In order to update the system, you perform the command sudo apt upgrade:

```
finlaysoni@myvm:~$ sudo apt upgrade
```

This command lists all of the packages which can be updated, and asks you if you want to update them. Type 'y', and hit enter to continue. It will then take a little while to update them (but not nearly so long as Windows updates!).

If you want to force the system to check for updates, you can do so with the sudo apt update command:

```
finlaysoni@myvm:~$ sudo apt update
```

apt update checks the internet to see if the system has any updates available for it. apt upgrade applies updates which have previously been found. I normally run them together: first apt update, then apt upgrade.

Lastly, sometimes updates will require the system to reboot. Linux never does this automatically. Instead, when you log in, it will display the message:

```
*** System restart required ***
```

If you see this, you can enter the following command to reboot:

```
finlaysoni@myvm:~$ sudo reboot
```

The VM will then kick you out as it restarts. Wait a minute or so and then log back in.
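The warning above points at /var/log/auth.log for attempted logins. As an added example (not part of the original page), this shell function counts rejected SSH login events per source address; the log lines are constructed samples in the usual Ubuntu sshd format, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: count rejected SSH login events per source IP in auth.log.

# Constructed sample lines (not real log data); IPs are documentation ranges.
sample_auth_log() {
    cat <<'EOF'
Jun 27 15:10:01 myvm sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 27 15:10:04 myvm sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 27 15:10:09 myvm sshd[1207]: Invalid user admin from 198.51.100.7 port 40022
Jun 27 15:10:15 myvm sshd[1211]: Invalid user from from 203.0.113.5 port 51300
Jun 27 15:17:29 myvm sshd[1300]: Accepted publickey for finlaysoni from 192.0.2.10 port 50000 ssh2
Jun 27 15:18:00 myvm sudo: finlaysoni : TTY=pts/0 ; PWD=/home/finlaysoni ; USER=root ; COMMAND=/usr/bin/apt upgrade
EOF
}

# failed_logins_by_ip [FILE...]: reads auth.log-format text (stdin if no FILE)
# and prints "COUNT IP" lines, busiest source first. A password attempt for an
# unknown account can log both message types, so these are events, not attempts.
failed_logins_by_ip() {
    awk '
        / sshd\[[0-9]+\]: (Failed password|Invalid user) / {
            # The user name is chosen by the remote side and may itself be
            # the word "from", so look for the keyword starting at the right.
            for (i = NF - 1; i >= 1; i--)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Run on the constructed sample.
sample_auth_log | failed_logins_by_ip
```

On the VM, pass /var/log/auth.log as the argument instead of the sample; if your user cannot read that file, run the function from a root shell.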

### Installing Packages

In addition to updating packages, apt can be used to install new packages. This is done with sudo apt install.

Note: most of the tools discussed in this course apply to all versions of Unix. The apt command, however, only applies to certain Linux variants. Installing and updating packages is one case where different versions of Unix use different tools.

The VM system already comes with everything we will need for this course. However, it does not come with a version of Java. If you'd like to write Java programs, we can install one.

One helpful thing bash does is to tell you when a command isn't installed. So if we try to run the javac command to compile Java code it tells us:

```
finlaysoni@myvm:~$ javac

Command 'javac' not found, but can be installed with:

apt install default-jdk
apt install openjdk-11-jdk-headless
apt install ecj
apt install openjdk-8-jdk-headless

Ask your administrator to install one of them.
```

Luckily we don't have to ask an administrator to install it for us, we have sudo! It lists a couple of options, but we can go with "openjdk-8-jdk-headless" which is the latest stable version currently. Here "headless" just means that it comes without any GUI, which is OK. We can install this package using apt:

```
finlaysoni@myvm:~$ sudo apt install openjdk-8-jdk-headless
```

The system will then list all the other things that must be installed along with openjdk-8-jdk-headless, and ask if that's OK. Type 'y' and hit enter to continue. After some time, the command will complete, and then we have javac installed:

```
finlaysoni@myvm:~$ javac Hello.java
finlaysoni@myvm:~$ java Hello
Hello World!
```

As I said, we have most of what we need for the course already installed. However, if you'd like to practice installing another command, you can try to repeat these steps on the command sl. Run it and see what happens.

### File Permissions

Another important administration topic is file permissions. These govern which users are, and are not, allowed to access files.

When we discussed the ls command, we looked at the "-l" flag which gives detailed file listings. The output might look something like this:

```
finlaysoni@myvm:~$ ls -l
total 16
-rw-rw-r-- 1 finlaysoni finlaysoni    2 Jun 25 12:33 a.txt
-rw------- 1 finlaysoni finlaysoni    2 Jun 25 12:25 b.txt
-rw------- 1 finlaysoni finlaysoni    2 Jun 25 12:25 c.txt
drwxrwxr-x 2 finlaysoni finlaysoni 4096 Jun 25 15:19 files
```

The portion on the far left is the file permission info. This consists of 10 characters:

• The first character identifies what type of file it is. This is a "-" for regular files, and a "d" for directories.
• The next three characters indicate the user permissions on the file.
• The next three characters indicate the group permissions for the file.
• The final three characters indicate the other permissions for the file.

Each of these is explained below:

• User - This lists the permissions of the owner of the file. ls -l lists the owners of files as well as the permissions. The "finlaysoni" in the output above indicates that I own those files.
• Group - This lists the permissions of the group of the file. The "finlaysoni" in the output from ls -l indicates that the group of those files is the "finlaysoni" group. Some servers have special groups set up which allow giving access to several users at once. On the VM, the default is to just have one group for each user by themselves.
• Other - Other is all other users who are not the owner or in the group of the file.

Each group of three characters (called a triad) indicates whether the given people can read, write, or execute the file:

• Read - This permission is 'r' if read access is allowed, and '-' otherwise. Permission to read a file indicates that the contents can be read. Permission to read a directory indicates that the listing of the directory is available.
• Write - This permission is 'w' if write access is allowed, and '-' otherwise. Permission to write a file indicates that the file may be edited or deleted. Permission to write a directory indicates that files can be created inside of the directory.
• Execute - This permission is 'x' if executable access is allowed and '-' otherwise. Permission to execute a file indicates that the file may be executed as a binary program or as a script. Permission to execute a directory indicates that files in the directory can be accessed. This is different from the read permission. For instance if there is a directory called "foo" with a file called "bar" in it, and you are allowed to "execute" foo, but not read it, then you can still access the file "foo/bar", even if you cannot read the full listing of foo.

### Changing File Permissions

Changing file permissions is done using the chmod command. The basic usage of this command is to pass a mode as the first argument, and then the file or files to change as the second argument.

The mode consists of:

• a set of letters indicating which user or users the change should affect. These can be chosen from:
  • u - the user.
  • g - the group.
  • o - the other users.
  • a - change for all three.
• an operator which is either +, or -.
• a set of letters indicating which permission(s) are being modified. These can be chosen from:
  • r - read permission.
  • w - write permission.
  • x - execute permission.

For example, we can set a file to be unreadable by anybody but the owner with the command chmod go-r:

```
finlaysoni@myvm:~$ ls -l file
-rw-r--r-- 1 finlaysoni finlaysoni 0 2018-06-26 09:52 file
finlaysoni@myvm:~$ chmod go-r file
finlaysoni@myvm:~$ ls -l file
-rw------- 1 finlaysoni finlaysoni 0 2018-06-26 09:52 file
```

Multiple mode changes can be combined when separated by commas. For example, if I wished to allow myself to execute a file, allow those in the group to write it, and re-allow all other users to read it, I could use the following command:

```
finlaysoni@myvm:~$ ls -l file
-rw------- 1 finlaysoni finlaysoni 0 2018-06-26 09:52 file
finlaysoni@myvm:~$ chmod u+x,g+w,o+r file
finlaysoni@myvm:~$ ls -l file
-rwx-w-r-- 1 finlaysoni finlaysoni 0 2018-06-26 09:52 file
```

The chmod command also supports a "-R" recursive flag. As usual, "recursive" means to apply the operation to the entire contents of a directory. For instance the command:

```
finlaysoni@myvm:~$ chmod -R go-r projects
```

will remove the read permission for everybody but the owner from the projects directory, but also from all files and directories located anywhere under projects.

### Octal Modes

There is another way of using chmod which is to specify the permissions of the file using octal (base-8) codes.

This method sets the entire permission for a file, while the method described above modifies the current permission.

The octal codes are three octal digits. Each digit maps to one of the three triads: one for each of the user, group and other permissions. Each of these triads contains the three permissions, r, w, and x.

If the permission is enabled, that is a binary one, and if not, it is a binary 0. There are eight possibilities for each triad:

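| Permission | Binary Representation | Octal Code |
|------------|-----------------------|------------|
| ---        | 000                   | 0          |
| --x        | 001                   | 1          |
| -w-        | 010                   | 2          |
| -wx        | 011                   | 3          |
| r--        | 100                   | 4          |
| r-x        | 101                   | 5          |
| rw-        | 110                   | 6          |
| rwx        | 111                   | 7          |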

The full octal code consists of three of these octal digits.

For example, if we want to set a file so that we can read and write it, those in our group can only read it, and others cannot read or write it, we would use the code "640". The 6 is for the user's "rw-" permission. The 4 is for the group's "r--" permission and the 0 is for the others' "---" permission:

```
finlaysoni@myvm:~$ chmod 640 file
finlaysoni@myvm:~$ ls -l file
-rw-r----- 1 finlaysoni finlaysoni 0 2018-06-26 09:52 file
```

Using octal codes is usually not as convenient as using the method described above. It is covered here because sometimes online instructions use octal permissions, and it is useful in scripting. The reason for this is that using octal codes sets the permissions exactly, in a way that does not depend on the existing permissions of a file.
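The difference between modifying and setting permissions matters most in scripts. This added example (not from the original page) applies the symbolic change go-r and the octal mode 640 to scratch files with different starting modes, then lists files that group or other can still write; mode_after and loose_files are names made up for this example, and it assumes GNU stat and find as on Ubuntu.

```shell
#!/bin/sh
# Added example: symbolic chmod depends on the starting mode, octal does not.

# mode_after START CHANGE: create a scratch file with octal mode START,
# apply "chmod CHANGE" to it, and print the resulting octal mode.
mode_after() {
    f=$(mktemp)
    chmod "$1" "$f"
    chmod "$2" "$f"
    stat -c '%a' "$f"      # GNU stat: print the mode as octal digits
    rm -f "$f"
}

# loose_files DIR: list regular files under DIR whose group or other
# write bit is set (octal mask 022), sorted by path.
loose_files() {
    find "$1" -type f -perm /022 | sort
}

# Same two commands, three different starting modes.
for start in 644 666 777; do
    echo "start=$start  go-r -> $(mode_after "$start" go-r)  640 -> $(mode_after "$start" 640)"
done

# After a symbolic change, check what is still writable by group or other.
d=$(mktemp -d)
touch "$d/notes.txt" "$d/shared.txt"
chmod 600 "$d/notes.txt"
chmod 666 "$d/shared.txt"
chmod -R go-r "$d"
loose_files "$d"           # shared.txt is now 622 and still listed
rm -rf "$d"
```

A file that starts at 666 ends up as 622 after go-r, so other users can still write to it, while 640 gives the same result whatever the starting mode.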

### Changing Ownership and Group

Changing the owner or the group of a file requires using sudo. This isn't something that is needed very often, but is covered here for completeness.

The command to change ownership of a file is chown. The first argument is the new user and the second is the file or files to modify the ownership of. For instance, to change file1.txt to be owned by the root user we could do:

```
finlaysoni@myvm:~$ sudo chown root file1.txt
finlaysoni@myvm:~$ ls -l file1.txt
-rw-r--r-- 1 root finlaysoni 0 Jun 26 11:45 file1.txt
```

The command to change the group of a file is chgrp which works the same way except the first argument is the new group.