Users, permissions and packages

Overview

One of the benefits of creating virtual machines on the Google Cloud is that you are the administrator of the VM. That means you are free to install things and configure it however you need. This week we will talk about some of the administration tasks that you should be acquainted with. We will also discuss file permissions, and how to change them.


Users

By default your VM has one user, which we have been logging in with. Your user is created with the same name as your Google account. This is a regular user account - it does not have the ability to overwrite system files, or do other administrative tasks.

This is a good thing because it prevents you from accidentally breaking the system. For instance, Unix will prevent you from deleting system files:

finlaysoni@myvm:~$ rm /usr/bin/cal
rm: cannot remove '/usr/bin/cal': Permission denied

We are not allowed to delete parts of the system automatically as our regular user, or do anything else to change the system itself. We are allowed to delete files within our home directory, so you must be careful with that.

In order to make administrative changes, we must temporarily request to act as the "root" user. This is done with the sudo command.


Sudo

The sudo command allows you to execute some other command as the root user instead of as our normal user. This is just done by prefixing sudo onto some other command.

To demonstrate this, we can try it with the whoami command. This command simply prints your username. If we try it with and without sudo, we will see this:

finlaysoni@myvm:~$ whoami
finlaysoni
finlaysoni@myvm:~$ sudo whoami
root

What sudo does is take the command you give it and run it as the root user which has the ability to change the system.

Warning: You should be very careful using the sudo command. You can accidentally break the system if you are not careful.

In addition to being able to execute one-off commands, sudo can also be used to interactively execute several commands at a time. To do this, pass sudo the -i flag:

finlaysoni@myvm:~$ sudo -i
root@myvm:~# whoami
root
root@myvm:~#

Notice that this command changed our prompt and allows us to enter several commands as root. When you are done, you exit the same way that you log out of the VM in general, by hitting Control-D, or typing exit:

root@myvm:~# exit
logout
finlaysoni@myvm:~$

Then you will be back at your normal user prompt. You should only use sudo for tasks that actually require root privileges, and use your normal user all other times.


Updating

One common task that requires sudo is keeping the system up to date. When you first log into the VM, you will see something like the following:

Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-1009-gcp x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Jun 27 15:27:09 UTC 2018

  System load:  0.0               Processes:           92
  Usage of /:   15.3% of 9.52GB   Users logged in:     0
  Memory usage: 40%               IP address for ens4: 10.142.0.2
  Swap usage:   0%

 * Meltdown, Spectre and Ubuntu: What are the attack vectors,
   how the fixes work, and everything else you need to know
   - https://ubu.one/u2Know

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

3 packages can be updated.
3 updates are security updates.


Last login: Wed Jun 27 15:17:29 2018 from 192.65.245.88

There is a lot of information here, but probably the most important is the update information. This system currently has 3 packages which can be updated, and they are all security updates.

If any packages can be updated, you can update them. If any are security updates, you really should perform the update. Otherwise, your VM may be vulnerable to attackers.

Warning: Your VM is open to the internet, meaning people will be attempting to hack into it. You should keep your system up to date to minimize the risk of them succeeding. You can see attempted logins by looking in the file /var/log/auth.log.
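
To make the attempted logins mentioned in the warning above easier to read, here is an added example (not part of the original course page): a shell function that counts rejected SSH logins per source address in an auth.log-style file. The function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Count rejected SSH logins per source address in an auth.log-style file.
# Reads the file named in $1, or standard input when no file is given.
# Output: "COUNT ADDRESS" lines, busiest source first.
failed_logins_by_source() {
    awk '
        # Only sshd lines that report a rejected attempt.
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            # Take the LAST "from ADDRESS port" group on the line: the user
            # name is chosen by the remote side and may itself contain "from".
            for (i = NF - 2; i >= 1; i--)
                if ($i == "from" && $(i + 2) == "port") {
                    count[$(i + 1)]++
                    break
                }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation addresses, not real log data).
sample_auth_log() {
    cat <<'EOF'
Jun 27 15:20:01 myvm sshd[1234]: Invalid user admin from 203.0.113.5 port 51234
Jun 27 15:20:03 myvm sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 27 15:20:09 myvm sshd[1240]: Failed password for root from 203.0.113.5 port 51301 ssh2
Jun 27 15:21:10 myvm sshd[1251]: Invalid user test from 198.51.100.7 port 40022
Jun 27 15:22:00 myvm sshd[1260]: Accepted publickey for finlaysoni from 192.0.2.10 port 50000 ssh2
Jun 27 15:22:05 myvm sudo: finlaysoni : TTY=pts/0 ; PWD=/home/finlaysoni ; USER=root ; COMMAND=/usr/bin/apt update
EOF
}

# Demo run on the constructed sample.
sample_auth_log | failed_logins_by_source
```

On the VM, pass the real log as the argument: failed_logins_by_source /var/log/auth.log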

In order to update the system, you perform the command sudo apt upgrade:

finlaysoni@myvm:~$ sudo apt upgrade

This command lists all of the packages which can be updated, and asks you if you want to update them. Type 'y', and hit enter to continue. It will then take a little while to update them (but not nearly so long as Windows updates!).

If you want to force the system to check for updates, you can do so with the sudo apt update command:

finlaysoni@myvm:~$ sudo apt update

apt update checks the internet to see if the system has any updates available for it. apt upgrade applies updates which have previously been found. I normally run them together: first apt update, then apt upgrade.

Lastly, sometimes updates will require the system to reboot. Linux never does this automatically. Instead, when you log in, it will display the message:

*** System restart required ***

If you see this, you can enter the following command to reboot:

finlaysoni@myvm:~$ sudo reboot

The VM will then kick you out as it restarts. Wait a minute or so and then log back in.


Installing Packages

In addition to updating packages, apt can be used to install new packages. This is done with sudo apt install.

Note: most of the tools discussed in this course apply to all versions of Unix. The apt command, however, only applies to certain Linux variants. Installing and updating packages is one case where different versions of Unix use different tools.

The VM system already comes with everything we will need for this course. However, it does not come with a version of Java. If you'd like to write Java programs, we can install one.

One helpful thing bash does is to tell you when a command isn't installed. So if we try to run the javac command to compile Java code it tells us:

finlaysoni@myvm:~$ javac

Command 'javac' not found, but can be installed with:

apt install default-jdk
apt install openjdk-11-jdk-headless
apt install ecj
apt install openjdk-8-jdk-headless

Ask your administrator to install one of them.

Luckily we don't have to ask an administrator to install it for us, we have sudo!

It lists a couple of options, but we can go with "openjdk-8-jdk-headless" which is the latest stable version currently. Here "headless" just means that it comes without any GUI, which is OK.

We can install this package using apt:

finlaysoni@myvm:~$ sudo apt install openjdk-8-jdk-headless

The system will then list all the other things that must be installed along with openjdk-8-jdk-headless, and ask if that's OK. Type 'y' and hit enter to continue. After some time, the command will complete, and then we have javac installed:

finlaysoni@myvm:~$ javac Hello.java
finlaysoni@myvm:~$ java Hello
Hello World!

As I said, we have most of what we need for the course already installed. However, if you'd like to practice installing another command, you can try to repeat these steps on the command sl. Run it and see what happens.


File Permissions

Another important administration topic is file permissions. These govern which users are, and are not, allowed to access files.

When we discussed the ls command, we looked at the "-l" flag which gives detailed file listings. The output might look something like this:

finlaysoni@myvm:~$ ls -l
total 16
-rw-rw-r-- 1 finlaysoni finlaysoni    2 Jun 25 12:33 a.txt
-rw------- 1 finlaysoni finlaysoni    2 Jun 25 12:25 b.txt
-rw------- 1 finlaysoni finlaysoni    2 Jun 25 12:25 c.txt
drwxrwxr-x 2 finlaysoni finlaysoni 4096 Jun 25 15:19 files

The portion on the far left is the file permission info. This consists of 10 characters:

Each of these is explained below:

Each group of three characters (called a triad) indicates whether the given people can read, write, or execute the file:


Changing File Permissions

Changing file permissions is done using the chmod command. The basic usage of this command is to pass a mode as the first argument, and then the file or files to change as the second argument.

The mode consists of:

For example, we can set a file to be unreadable by anybody but the owner with the command chmod go-r:

finlaysoni@myvm:~$ ls -l file 
-rw-r--r-- 1 finlaysoni finlaysoni 0 2018-06-26 09:52 file
finlaysoni@myvm:~$ chmod go-r file 
finlaysoni@myvm:~$ ls -l file 
-rw------- 1 finlaysoni finlaysoni 0 2018-06-26 09:52 file

Multiple mode changes can be combined when separated by commas. For example, if I wished to allow myself to execute a file, allow those in the group to write it, and re-allow all other users to read it, I could use the following command:

finlaysoni@myvm:~$ ls -l file 
-rw------- 1 finlaysoni finlaysoni 0 2018-06-26 09:52 file
finlaysoni@myvm:~$ chmod u+x,g+w,o+r file 
finlaysoni@myvm:~$ ls -l file 
-rwx-w-r-- 1 finlaysoni finlaysoni 0 2018-06-26 09:52 file

The chmod command also supports a "-R" recursive flag. As usual, "recursive" means to apply the operation to the entire contents of a directory. For instance the command:

finlaysoni@myvm:~$ chmod -R go-r projects

will remove the read permission for everybody but the owner from the projects directory, and also from all files and directories located anywhere under projects.


Octal Modes

There is another way of using chmod which is to specify the permissions of the file using octal (base-8) codes.

This method sets the entire permission for a file, while the method described above modifies the current permission.

The octal codes are three octal digits. Each digit maps to one of the three triads: one for each of the user, group and other permissions. Each of these triads contains the three permissions, r, w, and x.

If the permission is enabled, that is a binary one, and if not, it is a binary 0. There are eight possibilities for each triad:

Permission   Binary Representation   Octal Code
---          000                     0
--x          001                     1
-w-          010                     2
-wx          011                     3
r--          100                     4
r-x          101                     5
rw-          110                     6
rwx          111                     7

The full octal code consists of three of these octal digits.

For example, if we want to set a file so that we can read and write it, those in our group can only read it, and others cannot read or write it, we would use the code "640". The 6 is for the user's "rw-" permission. The 4 is for the group's "r--" permission, and the 0 is for the others' "---" permission:

finlaysoni@myvm:~$ chmod 640 file 
finlaysoni@myvm:~$ ls -l file 
-rw-r----- 1 finlaysoni finlaysoni 0 2018-06-26 09:52 file

Using octal codes is usually not as convenient as using the method described above. It is covered here because sometimes online instructions use octal permissions, and it is useful in scripting. The reason for this is that using octal codes sets the permissions exactly, in a way that does not depend on the existing permissions of a file.
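
The following added example (not from the original course page) ties the two chmod styles together: it lists files that group or others can write, shows each one's octal mode, and tightens them with the symbolic go-w mode, which leaves every other bit alone. The demo directory and function names are constructed for this example, and it assumes GNU stat (stat -c), as found on the Ubuntu VM.

```shell
#!/bin/sh
# List regular files under directory $1 that group or others may write,
# as "OCTAL PATH" lines (for example "664 ./a.txt").
loose_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) \
        -exec stat -c '%a %n' {} + | sort -k2
}

# Remove group/other write from exactly those files. The symbolic mode go-w
# modifies the current permission, so the remaining bits are unchanged.
tighten() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# Constructed demo tree: three files set to known modes with octal codes,
# which set the whole permission regardless of what it was before.
make_demo() {
    demo=$(mktemp -d)
    touch "$demo/a.txt" "$demo/b.txt" "$demo/notes.txt"
    chmod 664 "$demo/a.txt"      # rw-rw-r--  group can write
    chmod 600 "$demo/b.txt"      # rw-------  owner only
    chmod 646 "$demo/notes.txt"  # rw-r--rw-  others can write
    echo "$demo"
}

# Demo run: audit, tighten, audit again, then show the final modes.
demo=$(make_demo)
echo "writable by group or others:"; loose_files "$demo"
tighten "$demo"
echo "after chmod go-w:"; loose_files "$demo"
stat -c '%a %n' "$demo"/*
rm -rf "$demo"
```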


Changing Ownership and Group

Changing the owner or the group of a file requires using sudo. This isn't something that is needed very often, but is covered here for completeness.

The command to change ownership of a file is chown. The first argument is the new user and the second is the file or files to modify the ownership of. For instance, to change file1.txt to be owned by the root user we could do:

finlaysoni@myvm:~$ sudo chown root file1.txt
finlaysoni@myvm:~$ ls -l file1.txt 
-rw-r--r-- 1 root finlaysoni 0 Jun 26 11:45 file1.txt

The command to change the group of a file is chgrp which works the same way except the first argument is the new group.

Copyright © 2018 Ian Finlayson | Licensed under a Creative Commons Attribution 4.0 International License.