alp-ch10-security

alp-ch10-security - 12 0430 CH10 5/22/01 10:42 AM Page 197...

Info iconThis preview shows pages 1–3. Sign up to view the full content.

View Full Document Right Arrow Icon
Security 10 M UCH OF THE POWER OF A GNU/L INUX SYSTEM COMES FROM its support for multiple users and for networking. Many people can use the system at once, and they can connect to the system from remote locations. Unfortunately, with this power comes risk, especially for systems connected to the Internet. Under some circum- stances, a remote “hacker” can connect to the system and read, modify, or remove files that are stored on the machine. Or, two users on the same machine can read, modify, or remove each other’s files when they should not be allowed to do so.When this happens, the system’s security is said to have been compromised . The Linux kernel provides a variety of facilities to ensure that these events do not take place. But to avoid security breaches, ordinary applications must be careful as well. For example, imagine that you are developing accounting software.Although you might want all users to be able to file expense reports with the system, you wouldn’t want all users to be able to approve those reports.You might want users to be able to view their own payroll information, but you certainly wouldn’t want them to be able to view everyone else’s payroll information.You might want managers to be able to view the salaries of employees in their departments, but you wouldn’t want them to view the salaries of employees in other departments.
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
198 Chapter 10 Security To enforce these kinds of controls, you have to be very careful. It’s amazingly easy to make a mistake that allows users to do something you didn’t intend them to be able to do.The best approach is to enlist the help of security experts. Still, every application developer ought to understand the basics. 10.1 Users and Groups Each Linux user is assigned a unique number, called a user ID , or UID . Of course, when you log in, you use a username rather than a user ID.The system converts your username to a particular user ID, and from then on it’s only the user ID that counts. You can actually have more than one username for the same user ID.As far as the system is concerned, the user IDs, not the usernames, matter.There’s no way to give one username more power than another if they both correspond to the same user ID. You can control access to a file or other resource by associating it with a particular user ID.Then only the user corresponding to that user ID can access the resource. For example, you can create a file that only you can read, or a directory in which only you can create new files.That’s good enough for many simple cases. Sometimes, however, you want to share a resource among multiple users. For exam- ple, if you’re a manager, you might want to create a file that any manager can read but that ordinary employees cannot. Linux doesn’t allow you to associate multiple user IDs with a file, so you can’t just create a list of all the people to whom you want to give access and attach them all to the file. You can, however, create a
Background image of page 2
Image of page 3
This is the end of the preview. Sign up to access the rest of the document.

This document was uploaded on 08/16/2010.

Page1 / 22

alp-ch10-security - 12 0430 CH10 5/22/01 10:42 AM Page 197...

This preview shows document pages 1 - 3. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online