
Exploring the UNIX/Linux File Systems and File Security

Understanding UNIX/Linux File Systems
File: basic component for data storage
File system: UNIX/Linux system's way of organizing
files on storage devices
Physical file system: section of the hard disk that
has been formatted to hold files
UNIX/Linux consists of multiple file systems that form
virtual storage space for multiple users
UNIX/Linux systems support many file systems
Examples: UNIX file system (ufs), extended file
system (ext or ext fs)

Understanding UNIX/Linux File Systems (continued)
ufs: original native UNIX file system
Expandable, supports large amounts of storage,
provides excellent security, reliable
Supports journaling
Supports hot fixes
In Linux, the native file system is ext
Installed by default
Modeled after ufs
First version contained some bugs
Newer versions of Linux use ext2, ext3, or ext4
ext4 enables the use of extents

Every file has a filename. The maximum length of a filename
varies with the type of filesystem; Linux supports several
types of filesystems. Although most of today's filesystems
allow you to create files with names up to 255 characters
long, some filesystems restrict you to shorter names.
The root directory is always named / (slash) and referred to
by this single character.
You can use uppercase and/or lowercase letters within
filenames. Linux is case sensitive, so files named JANUARY,
January, and january represent three distinct files.
To use a filename that contains a SPACE, you must quote the
SPACE on the command line by preceding it with a backslash or
by placing quotation marks on either side of the filename.
$ lpr my\ file
$ lpr "my file"

Filename with extension: Meaning of extension
compute.c: A C programming language source file
compute.o: The object code for the program
compute: The same program as an executable file
memo.0410.txt: A text file
memo.pdf: A PDF file; view with xpdf under a GUI
memo.ps: A PostScript file; view with gs under a GUI
memo.Z: A file compressed with compress; use uncompress or gunzip to decompress
memo.tgz or memo.tar.gz: A tar archive of files compressed with gzip
memo.gz: A file compressed with gzip; view with zcat or decompress with gunzip
memo.bz2: A file compressed with bzip2; view with bzcat or decompress with bunzip2
memo.html: A file meant to be viewed using a Web browser, such as Firefox
photo.gif, photo.jpg, photo.jpeg, photo.bmp, photo.tif, or photo.tiff: A file containing graphical information, such as a picture

Understanding the Standard Tree Structure
The treelike structure for UNIX/Linux file systems
starts at the root file system level
Root is denoted by /
Slash represents the root file system directory
Directory: special kind of file that can contain other
files and directories
May have subdirectories
Subdirectory is considered child of parent directory
The hierarchical filesystem frequently takes the
shape of a pyramid

Using UNIX/Linux Partitions


Partition: section of disk that holds a file system
UNIX/Linux partitions identified with names
Examples: hda1, sda1
First two letters tell Linux the device type
Third letter indicates if disk is the primary or
secondary disk
Partitions on a disk are numbered starting with 1

Peripherals connect through electronic interfaces


Examples of hard disk interfaces: IDE, SCSI, EIDE

Setting Up Hard Disk Partitions


Partition to organize space to contain file systems
Some UNIX/Linux vendors recommend that:
Root partition holds the root file system directory
Swap partition acts like an extension of memory
General rule: same size as RAM
A swap partition enables virtual memory

/boot partition to store OS kernel files

Other partitions:
/usr (for utilities), /home, /var

Mount partition to become part of file system

Using Inodes
Information nodes, or inodes
Each directory/file has an inode and is identified by
an inode number
Inode 0 contains the root of the directory structure (/)
Jumping-off point for all other inodes

Contains file/directory name, general information,
pointer to the directory/file on a disk partition
Superblock contains information about the layout
of blocks on a specific partition

Exploring the Root Hierarchy


The root (/) file system is mounted by the kernel
when the system starts
To mount a file system is to connect it to the
directory tree structure
System administrator uses mount command

Root file system contains all essential programs for:
File system repair
Restoring from a backup
Starting the system
Initializing all devices and operating resources
Information for mounting other file systems

The /bin Directory


Contains binaries, or executables
Programs needed to start the system and perform
other essential system tasks

Holds many programs that all users need to work
with UNIX/Linux

The /boot Directory


Normally contains:
Files needed by the bootstrap loader
The bootstrap loader is the utility that starts the OS

Kernel (OS) images

The /dev Directory


Files in /dev reference system devices
Devices are managed through device special files
Contain information about I/O devices that are used
by OS kernel when a device is accessed
Two types:
Block special files
Example: for CD/DVD drives
Character special files
Example: for printers

To see the list of device files: ls -l /dev


null is a black hole

The /etc Directory


Contains configuration files that the system uses
when the computer starts

fstab
group
inittab
login.defs
motd
passwd
printcap and termcap
profile, bashrc and rc

The /home Directory


Often located on the /home partition
Used to offer disk space for users, such as on a
system that has multiple user accounts
Examples:
/home/jean
/home/tricia
/home/joseph

The /lib Directory


/lib houses:
Kernel modules
Security information
Shared library images
Used by programmers to share code rather than
creating copies in their programs

Many files in this directory are symbolic links to
other library files
Symbolic link: name, file name, or directory name
that contains a pointer to a file/directory in the same
directory or in another directory on your system

The /mnt Directory


Mount points for temporary mounts by the system
administrator reside in /mnt
A temporary mount is used to mount a removable
storage medium
Example: CD/DVD or USB/flash storage

/mnt is often divided into subdirectories to clearly
specify device types
Example: /mnt/cdrom

The /media Directory


In newer distributions of UNIX/Linux, mount points
for removable storage are in /media
Relatively new recommendation of the Filesystem
Hierarchy Standard (FHS)

Modern Linux distributions include both /mnt
and /media directories
Users and programmers are often encouraged to
use /media

The /proc Directory


/proc occupies no space on the disk
Virtual file system allocated in memory only

Files in /proc refer to various processes running on
the system as well as details about the OS kernel

The /root Directory


Home directory for the root user
The system administrator

The /sbin Directory


Reserved for the system administrator
Stores:
Programs that start the system
Programs needed for file system repair
Essential network programs

The /tmp Directory


Many programs need a temporary place to store
data during processing cycles
The traditional location for these files is /tmp

The /usr Directory


Houses software offered to users
Software might be:

Accounting programs
Manufacturing programs
Programs for research applications
Office software

Frequently located on the /usr partition

The /var Directory


Located on the /var partition
Holds subdirectories that often change in size
These subdirectories contain files such as error logs
and other system performance logs
Common subdirectories are:
/var/spool/mail for incoming mail
/var/spool/lpd for temporarily holding print files

Using the mount Command


Use mount to connect the file system partitions to
the directory tree when the system starts

Example:
mount -t iso9660 /dev/cdrom /media/cdrom

Use umount before removing the storage media


umount /media/cdrom

Using Paths, Pathnames, and Prompts


Files are stored in directories in the file system,
starting from the root file system directory
To specify a file or directory, use its pathname
Follows the branches of the file system to the
desired file

A forward slash (/) separates each directory name


Example: /home/jean/source/phones.502

An absolute pathname always starts with a slash (/), the
name of the root directory.
In another form of absolute pathname, the shell expands
the characters ~/ (a tilde followed by a slash) at the start
of a pathname into the pathname of your home directory.
Using this shortcut, you can display your .bashrc startup
file with the following command, no matter which
directory is your working directory:
$ less ~/.bashrc
A relative pathname traces a path from the working
directory to a file. The pathname is relative to the
working directory. Any pathname that does not begin
with the root directory (/) or a tilde (~) is a relative
pathname.

Using and Configuring Your Command-Line Prompt
~ is shorthand for the home directory

The pwd Command


pwd prints the working directory

Useful for regular users, system administrators,
and in scripts

When you first log in on a Linux system or start a
terminal emulator window, your working directory is
your home directory. To display the pathname of
your home directory, use pwd just after you log in.
Startup files, which appear in your home directory,
give the shell and other programs information about
you and your preferences.
The working directory is not the same as your home
directory. Your home directory remains the same for
the duration of your session and usually from
session to session. Immediately after you log in, you
are always working in the same directory: your
home directory.

Navigating the File System


cd stands for change directory

Provide an absolute or relative path to the directory


Absolute path: begins at the root level and lists all
subdirectories to the destination file
Example: cd /home/jean/source

Relative path: takes a shorter journey


Example: cd source or cd

Using Dot and Dot Dot Addressing Techniques
A single dot character means the current working
directory
Dot dot means the parent directory
These addressing mechanisms are useful when
navigating the file system
Example: cd ../tricia/source

The . is synonymous with the pathname of the
working directory and can be used in its place;
the .. is synonymous with the pathname of the
parent of the working directory.

Listing Directory Contents


Use the ls (list) command to display a directory's
contents, including files and other directories

Appear with a dot at the beginning

The -F option to ls displays a slash after the name of each
directory and an asterisk after each executable file (shell script,
utility, or application).

ACL: Access Control List

Listing Directory Contents (continued)
File type and access permissions: drwxr-xr-x
Number of links (2)
Owner (root)
Group (root)
Size (4096 bytes)
Date and time of last modification
File or directory name (bin)

Type of file (first column):
hyphen (-): ordinary file
d: directory file
l: link
Access permissions for the owner, group, and
other users of the file:
r: read
w: write
x: execute
-: no permission

Using Wildcards
Wildcard: special character that can stand for any
other character or a group of characters
* represents any group of characters in a file name
Example: ls *.txt
instructions.txt minutes.txt

? takes the place of only a single character


Example: ls list?
list1 list2

Creating and Removing Directories


mkdir is used to create a new directory

Delete empty directories using rmdir

Use rm -r to delete a directory that is not empty

Use the -p (parents) option to mkdir to create
both the parent and child directories with one
command:
$ mkdir -p p/c
$ mkdir -p /home/alex/p/c
You can use touch to create an empty file:
$ cd
$ pwd
/home/alex
$ touch letter

The rm utility has a -r option (rm -r
filename) that recursively deletes files,
including directories, within a directory and
also deletes the directory itself.
Caution: Use rm -r carefully, if at all
Although rm -r is a handy command, you
must use it carefully. Do not use it with an
ambiguous file reference such as *. It is
frighteningly easy to wipe out your entire
home directory with a single short command.

Copying and Deleting Files


Use cp to copy files and rm to delete them

Use mv to move files from one directory to
another (change the pathname of a file) as well
as to change a simple filename (rename files)
mv existing-file-list directory
$ mv file1 file2 subdir
Just as it moves ordinary files from one
directory to another, so mv can move
directories
mv existing-directory-list new-directory
You can rename directories using mv
You cannot copy their contents with cp unless
you use the -r option.

Configuring File Permissions for Security
Users can set permissions for files/directories
they own so as to establish security
System administrators also set permissions to
protect system and shared files
Permissions manage who can read, write, or
execute files
Original owner of a file is the account that
created it
File ownership can be transferred to another account

Configuring File Permissions for Security (continued)

chmod: Changes Access Permissions


chmod uses three sets of permissions or three
octal numbers (one each for the owner, group,
and other users)
The owner of a file controls which users have
permission to access the file and how they can
access it. When you own a file, you can use the
chmod (change mode) utility to change access
permissions for that file. In the following
example, chmod adds (+) read and write
permissions (rw) for all (a): user, group, and
other:
$ chmod a+rw filename

You must have read permission to execute a shell
script. Because a shell needs to read a shell script
(a text file containing shell commands) before it can
execute the commands within that script, you must
have read permission for the file containing the
script to execute it.
You also need execute permission to execute a
shell script directly on the command line. In
contrast, binary (program) files do not need to be
read; they are executed directly. You need only
execute permission to run a binary (nonshell)
program.

Configuring File Permissions for Security (continued)

In addition to a (all) and o (other), you can use g
(group) and u (user, although user refers to the owner
of the file who may or may not be the user of the file
at any given time) in the argument to chmod.
When using chmod, many people assume that the o
stands for owner; it does not. The o stands for other,
whereas u stands for owner (user). The acronym UGO
(user-group-other) can help you remember how
permissions are named.
You can also use absolute, or numeric, arguments with
chmod.
Anyone who knows the root password can log in as
Superuser and gain full access to all files, regardless
of the file's owner or access permissions.

Configuring File Permissions for Security (continued)
The system administrator assigns group ids when
he or she adds a new user account
A group id (GID) gives a group of users equal
access to files that they all share

Using chmod to change permissions of a file:
chmod ugo+rwx myfile
chmod go-wx account_info
Or, use the octal (0~7) permission format
chmod 711 data
chmod 642 data

Three-digit format:
read: 4
write: 2
execute: 1
Total could be 0 to 7 for each of UGO permissions
chmod 711 data
chmod u+rwx data
chmod g+x-rw data
chmod o+x-rw data

Directory Access Permissions:
Users can read from or write to a directory;
the directory cannot be executed.
You can cd into the directory and/or
examine files that you have permission to
read from in the directory.
When you have only execute permission
for a directory, you can use ls to list a file
in the directory if you know its name. You
cannot use ls without an argument to list
the entire contents of the directory.

$ who am I
jenny pts/7 Aug 21 10:02
$ ls -ld /home/alex/info
drwx-----x 2 alex pubs 512 Aug 21 09:31 /home/alex/info
$ ls -l /home/alex/info
ls: /home/alex/info: Permission denied
$ ls -l /home/alex/info/financial /home/alex/info/notes
-rw------- 1 alex pubs 34 Aug 21 09:31 /home/alex/info/financial
-rw-r--r-- 1 alex pubs 30 Aug 21 09:32 /home/alex/info/notes
$ cat /home/alex/info/notes
This is the file named notes.
$ cat /home/alex/info/financial
cat: /home/alex/info/financial: Permission denied
Alex can give others read access to his info directory:
$ chmod o+r /home/alex/info

Configuring File Permissions for Security (continued)
Sticky bit: t (used in place of x)
Before: caused executable program to stay resident
in memory after it was exited
Now: enables file to be executed, but only the file's
owner or root have permission to delete or rename it

Set user id (SUID) bit: s (used in place of x)
Gives current user temporary permissions to execute
program-related files as though they are the owner

Set group ID (SGID) bit: s (used in place of x)
Similar to SUID, but applies to groups
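
Added example (not part of the original slides): a shell function that decodes an octal chmod mode into the permission string ls -l prints, covering both the three-digit format above and the s/t characters that replace x. The function names are made up for this illustration; a fourth leading digit (4 = setuid, 2 = setgid, 1 = sticky) is how chmod accepts the special bits in octal.

```shell
#!/bin/sh
# Added example, not from the original slides: decode an octal chmod mode
# into the permission string that ls -l prints.

# triad DIGIT SPECIAL CHAR: one rwx group. SPECIAL is nonzero when the
# setuid/setgid/sticky bit for this group is set; CHAR is s or t.
triad() {
    t_r=-; t_w=-; t_x=-
    if [ $(( $1 & 4 )) -ne 0 ]; then t_r=r; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then t_w=w; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then t_x=x; fi
    if [ "$2" -ne 0 ]; then
        # Lowercase s/t replaces x; uppercase S/T means the special bit
        # is set but execute is not.
        if [ "$t_x" = x ]; then
            t_x=$3
        else
            t_x=$(printf '%s' "$3" | tr 'st' 'ST')
        fi
    fi
    printf '%s%s%s' "$t_r" "$t_w" "$t_x"
}

# mode_to_symbolic MODE: MODE is three octal digits (user, group, other)
# or four (special bits first: 4 = setuid, 2 = setgid, 1 = sticky).
mode_to_symbolic() {
    case $1 in
        [0-7][0-7][0-7])      m=0$1 ;;
        [0-7][0-7][0-7][0-7]) m=$1 ;;
        *) echo "invalid mode: $1" >&2; return 1 ;;
    esac
    m_sp=${m%???}                      # special-bits digit
    m_rest=${m#?}                      # user, group, other digits
    m_u=${m_rest%??}
    m_g=${m_rest#?}; m_g=${m_g%?}
    m_o=${m_rest#??}
    printf '%s%s%s\n' \
        "$(triad "$m_u" $(( $m_sp & 4 )) s)" \
        "$(triad "$m_g" $(( $m_sp & 2 )) s)" \
        "$(triad "$m_o" $(( $m_sp & 1 )) t)"
}

# ls_symbolic FILE: the same nine characters as reported by ls -l.
ls_symbolic() {
    ls -ld "$1" | cut -c2-10
}

# When run with arguments, decode each mode given on the command line.
for arg in "$@"; do
    printf '%s %s\n' "$arg" "$(mode_to_symbolic "$arg")"
done
```

An uppercase S or T in a listing is worth a second look: the special bit is set on a file or directory that has no execute permission in that position.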

Setuid and Setgid Permissions


When you execute a file that has setuid (set user ID)
permission, the process executing the file takes on
the privileges of the file's owner. For example, if you
run a setuid program that removes all files in a
directory, you can remove files in any of the file
owner's directories, even if you do not normally
have permission to do so.
Executable files that are setuid and owned by root
have Superuser privileges when they are run, even if
they are not run by root. This type of program is
very powerful because it can do anything that
Superuser can do (and that the program is designed
to do). Similarly, executable files that are setgid and
belong to the group root have extensive privileges.

setgid (set group ID) permission means that the
process executing the file takes on the privileges of the
group the file is associated with.
Because of the power they hold and their potential for
destruction, it is wise to avoid indiscriminately
creating and using setuid and setgid programs owned
by or belonging to the group root. Because of their
inherent dangers, many sites minimize the use of these
programs on their systems. One necessary setuid
program is passwd. Security: Minimize use of setuid
and setgid programs owned by root.
Never give shell scripts setuid permission. Several
techniques for subverting them are well known.
Security: Do not write setuid shell scripts.

$ ls -l program1
-rwxr-xr-x 1 alex pubs 15828 Nov 5 06:28 program1
$ chmod u+s program1
$ ls -l program1
-rwsr-xr-x 1 alex pubs 15828 Nov 5 06:28 program1
$ chmod g+s program1
$ ls -l program1
-rwsr-sr-x 1 alex pubs 15828 Nov 5 06:28 program1
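
Added example (not part of the original slides): an audit script for the advice above to minimize setuid and setgid programs. It lists every setuid/setgid file under a directory, flags those owned by root and those that are shell scripts, and separately lists world-writable directories that lack the sticky bit. The function names and the tab-separated output format are choices made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original slides: audit a directory tree for
# the special permission bits described above.

# Print one line per setuid/setgid regular file:
#   <bits> TAB <flags> TAB <path>
# flags: root-owned (numeric owner 0), script (file starts with "#!"),
# or "-" when neither applies. Paths containing newlines are not handled.
audit_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        bits=""
        if [ -u "$f" ]; then bits="setuid"; fi
        if [ -g "$f" ]; then bits="${bits:+$bits,}setgid"; fi

        flags=""
        # Field 3 of ls -ln output is the numeric owner; 0 is root.
        owner=$(ls -ldn "$f" | awk '{print $3}')
        if [ "$owner" = 0 ]; then flags="root-owned"; fi
        # A "#!" first line marks an interpreter script, the case the
        # slides say should never carry setuid permission.
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            flags="${flags:+$flags,}script"
        fi
        printf '%s\t%s\t%s\n' "$bits" "${flags:--}" "$f"
    done
}

# Print world-writable directories without the sticky bit. In such a
# directory any user can delete or rename files owned by someone else.
audit_unsticky_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Run both checks against the directory given as the first argument.
if [ $# -gt 0 ]; then
    audit_special_bits "$1"
    audit_unsticky_dirs "$1"
fi
```

Saving the output of a run and comparing it with later runs shows when a new setuid or setgid file has appeared.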

ACLs: Access Control Lists


Caution: Most utilities do not preserve ACLs
When used with the -p (preserve) or -a (archive) option, cp
preserves ACLs when it copies files. Another utility that is
supplied with Red Hat Linux that preserves ACLs is mv.
When you use cp with the -p or -a option and it is not able
to copy ACLs, and in the case where mv is unable to
preserve ACLs, the utility performs the operation and issues
an error message:
$ mv report /tmp
mv: preserving permissions for '/tmp/report': Operation not supported

You can never copy ACLs to a filesystem that does not
support ACLs or to a filesystem that does not have ACL
support turned on.

setfacl
setfacl uses a single set of permissions or a single
octal number to represent the permissions being
granted to the user or group represented by ugo and
name
The setfacl --modify (or -m) option adds or modifies
one or more rules in a file's ACL using the following
format:
setfacl --modify ugo:name:permissions file-list
- name: name of the user or group that permissions are
being set for; omitted when specifying permissions for
other users (o)
- permissions: permissions in either symbolic (rwx) or
absolute format (octal number)

$ setfacl -m u:sam:rw- report
$ setfacl --modify u:sam:6 report
When a file has an ACL, a + appears to the right of
the permissions
$ ls -la
total 137716
drwxr-xr-x   2 oracle oinstall 4096 2008-01-30 15:06 .
drwxr-xr-x  27 oracle oinstall 4096 2008-01-29 15:29 ..
-rw-rwxr--+  1 oracle oinstall 1570 2008-01-30 13:22 file1
-rwxrwxrwx+  1 oracle oinstall 8072 2008-01-30 15:06 file2

getfacl
The getfacl utility displays a file's ACL
$ getfacl report
# file: report
# owner: max
# group: max
user::rw-
user:sam:rw-
group::r--
mask::r--
other::r--
The --omit-header (or just --omit) option causes getfacl
not to display the header
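
Added example (not part of the original slides): a filter that reads getfacl output and prints the rights each entry actually grants. In a POSIX ACL the mask entry caps the rights of named users, named groups and the owning group, so an entry can list more than it delivers. The function names and the sample listing are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original slides: read getfacl output on
# stdin and print the rights each entry grants after the mask is applied.

effective_acl() {
    awk -F: '
        BEGIN { n = 0; have_mask = 0 }
        # Skip the header, blank lines and default (inherited) entries.
        /^#/ || /^default:/ || NF < 3 { next }
        $1 == "mask" { mask = substr($3, 1, 3); have_mask = 1; next }
        { tag[n] = $1; who[n] = $2; perm[n] = substr($3, 1, 3); n++ }
        END {
            for (i = 0; i < n; i++) {
                p = perm[i]
                # The mask caps named users, named groups and the owning
                # group. The owner (user::) and other:: are not masked.
                capped = (tag[i] == "group") || (tag[i] == "user" && who[i] != "")
                if (have_mask && capped) {
                    e = ""
                    for (k = 1; k <= 3; k++) {
                        c = substr(p, k, 1)
                        e = e (substr(mask, k, 1) == "-" ? "-" : c)
                    }
                    p = e
                }
                printf "%s:%s:%s\n", tag[i], who[i], p
            }
        }'
}

# Constructed sample in the format getfacl prints (not captured output).
sample_acl() {
    cat <<'EOF'
# file: report
# owner: max
# group: max
user::rw-
user:sam:rw-
group::r--
mask::r--
other::r--
EOF
}

# Run the sample through the filter when invoked with the argument "demo".
if [ "${1:-}" = demo ]; then
    sample_acl | effective_acl
fi
```

On a real file, pipe the listing in directly: getfacl report | effective_acl.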

Summary
In UNIX/Linux, a file is the basic component for data
storage
A file system is the UNIX/Linux system's way of
organizing files on storage devices
The standard tree structure starts with the root (/) file
system directory
The section of the disk that holds a file system is
called a partition
A path, as defined in UNIX/Linux, serves as a map to
access any file on the system

Summary (continued)
You can customize your command prompt to display
useful information
The ls command displays the names of files and
directories contained in a directory
Wildcard characters can be used in a command and
take the place of other characters in a file name
Use mkdir to create a new directory
Use cp to copy a source file to a destination file
Use chmod to set permissions for files that you own

Command Summary

Command Summary (continued)
