December 3, 2016 | Author: ganesh1895 | Category: N/A
All rights reserved. Reproduction and/or distribution in whole or in part in electronic, paper or other forms without written permission is prohibited.
Working with Korn Shell SkillSoft Corporation. (c) 2003. Copying Prohibited.
Reprinted for Raman Ramachandran, IBM
[email protected] Reprinted with permission as a subscription benefit of Books24x7, http://www.books24x7.com/
i
Table of Contents Chapter 12: System Administration Using the Korn Shell...........................................................1 Customizing the UNIX Environment...............................................................................................2 Setting Permissions for a Newly Created File.........................................................................2 Setting the System Resources................................................................................................3 System Administration.....................................................................................................................6 Adding/Removing a UNIX User..............................................................................................6 Starting and Shutting Down the System...............................................................................10 Disk Management.................................................................................................................12 Disk Monitoring.....................................................................................................................14 Setting the System Security..........................................................................................................16 Securing the Shell Scripts.....................................................................................................16 Securing a Restricted Korn Shell..........................................................................................16 Setting the UNIX User ID......................................................................................................17
Chapter 12: System Administration Using the Korn Shell You can use the Korn shell for system administration to customize the environment in which a UNIX user works. The environment contains the settings that are provided when an end user logs on to the Korn shell. System administration involves ensuring security and monitoring the performance of the system. The goal of system administration is to manage and improve the performance of the system. You should log on to the Korn shell with super user privileges to work with the administration utilities, such as create the file system, and add or remove UNIX users. This chapter explains how to customize the UNIX environment, and add users to or remove users from a UNIX operating system. The chapter describes the disk management and disk monitoring utilities. The chapter also explains how to use the system security tools to secure the Korn shell.
Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Customizing the UNIX Environment You can customize the Korn shell environment using the UNIX operating system profile files. The UNIX operating system provides two profile files, .profile and profile. The .profile file is local for every UNIX user, which implies that the .profile file resides in the home directory of each UNIX user. The profile file resides in the /etc directory and is called the global customization file. Each time a UNIX user logs on to the Korn shell, the operating system reads the global customization file, and runs its commands and statements. Any change to the profile file takes effect when a UNIX user logs off and logs on again to the Korn shell.
Setting Permissions for a Newly Created File The Korn shell command, umask, defines the permissions for a file that you create. The UNIX operating system provides three levels of permissions for each category of UNIX users. A category is the domain to which a UNIX user belongs. The UNIX operating system provides three categories to a UNIX user: • owner (u): The UNIX user who creates the file. • group (g): The domain to which the UNIX user who creates a file belongs. • others (o): The UNIX users who do not belong to the first or second category.
The UNIX operating system represents file permissions in the octal format. In octal, the read permission is assigned a value of four (4), the write permission is assigned a value of two (2), and the executable permission is assigned a value of one (1). For example, an octal representation of 675 on a file means that: • For the owner category, the file contains read and write permissions. • For the group category, the file contains read, write, and executable permissions. • For the others category, the file contains read and executable permissions.
The umask command sets the default permissions for a new file using symbolic or octal number representation. The default permission that a UNIX operating system provides to a file is rw−rw−rw−, for which the octal representation is 666. The default permission that a UNIX operating system provides to a directory is rwxrwxrwx, for which the octal representation is 777. To obtain the permissions that the UNIX operating system grants to a new file, subtract the umask value from the default permissions that the UNIX operating system provides to a file. The umask value resides in the profile file in the /etc directory. To obtain the umask value, type the keyword, umask, on the command line. The default umask value for the UNIX operating system is 022. The default umask value is subtracted from the default file permission to remove the permission that the umask value specifies. Subtracting the umask value, 022, from the system default value, 666, yields 644, which represent the permission of the new file. The permission on a newly created file is rw−r−−r−−, which means that any UNIX user can read the file, only the file owner can write, and no one has the permission to execute the file. Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
3
Figure 12−1 shows the permissions that are granted to a new file:
Figure 12−1: Viewing the Permissions on a File You use the UNIX operating system to change the umask value of the UNIX operating system. The methods to change the umask value are: • Change the umask value in the profile file that resides in the /etc directory. • Use the umask command on the command line along with the parameter representing the new permissions.
The syntax to use the umask command to change the default values is: umask new_permissions
This syntax replaces the earlier permission values with the permission values that the parameter, new_permissions, indicates. You set the permission using the octal or the symbolic representation. Only the current shell reflects the changes to the umask value that you make using the umask command. When you log off, the unmask value reverts to the original value. You can use the −S option of the umask command to change the default umask values using the symbolic representation instead of the octal representation. Figure 12−2 shows how to change the unmask permissions using the symbolic representation:
Figure 12−2: Changing the umask Permissions Using the Symbolic Representation
Setting the System Resources You use the Korn shell command, ulimit, to set a limit for the UNIX operating system resources, such as the memory that a process can use. The ulimit command acts as an interface between a UNIX user and the Korn shell to view and set the system resources for a process or command. Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
4
The ulimit command is usually defined in the .profile file that resides in the home directory of each UNIX user. The system administrator can also save this command in the profile file that resides in the /etc directory, so that every UNIX user works within the restriction that the ulimit command defines. The syntax to implement the ulimit command is: ulimit [ −a | −c | −d | −f | −s | −n | −t | −v | −H
| −S ][ int_value | unlimited ]
This syntax shows how to implement the ulimit command to set the limit for a system resource that is specified with the ulimit command. Along with the specified resource, the ulimit command can contain an integer value that the parameter, int_value, represents. The ulimit command can also use the string, unlimited, which ensures that a process makes unlimited use of the specified resource. If you do not use the integer value or the string, unlimited, the ulimit command displays the current settings for the specified resource. The resources for which you can set a limit using the ulimit command are: • −a: Displays the limit set for all the resources that you can use with the ulimit command. • −c: Displays or sets the limit for the core files. These files are created when a process terminates unconditionally, because of an interrupt signal. You can use the core files to find the reason for the termination of a process. The limit for core files is set in blocks of 512 bytes. • −d: Displays or sets the limit for the data segments of a process. A data segment is a memory area in which the process variables are stored. The limit for data segments is set in blocks of 1024 bytes. • −f: Displays or sets the limit for a file, which is set in blocks of 512 bytes. • −n: Displays or sets the limit for file descriptors, which are integers that are used for the I/O operation of a Korn shell process. • −t: Displays or sets the limit for the CPU time that a process can use, which is set in seconds. • −v: Displays or sets the limit for the virtual memory that a process can use, which is set in blocks of 1024 bytes.
You can also use the −H and −S options with the ulimit command. The −H option represents the hard limit for a particular system resource. Once set, you cannot change the hard limit for a particular resource. However, the −S option represents the soft limit for a particular system resource. Once set, you can change the soft limit for a particular resource, but the soft limit cannot exceed the value of the hard limit. Figure 12−3 shows how to use the ulimit command to set the system resources:
Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
5
Figure 12−3: Using the ulimit Command
Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
System Administration System Administration is managing the system resources. System Administrator performs various functions, such as: • Add/remove UNIX users • Install software • Add hardware devices • Maintain security • Make backups • Manage a disk
Another name of system administrator in UNIX is super user. To log on to the UNIX system, the user id of the system administrator is root and the prompt of the root is #.
Adding/Removing a UNIX User The primary function of a super user is to maintain the login accounts for the UNIX users. The information about a UNIX user, such as the login name, group name, and home directory, is stored in the /etc/passwd file. The super user can change the password of any UNIX user. Every time the super user creates a new UNIX user, an entry that pertains the UNIX user is stored in the /etc/passwd file, which the super user maintains. Figure 12−4 shows how the entries of UNIX users are stored in the /etc/passwd file:
Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
7
Figure 12−4: Contents of the /etc/passwd File The first column in the passwd file is the login name of the UNIX user. The second column is the encrypted password of the UNIX user to prevent unauthorized access. The third column is the user−id of the UNIX users. The user−id of the super user is always zero (0) and user−ids from 1 to 100 are reserved for the built−in users of the UNIX system. The ordinary UNIX users are assigned the user−id from 200 and higher. The fourth column is the group id of the UNIX user. The file, /etc/group, stores information about the users and the groups to which they belong. The fifth column of the /etc/passwd file is the comment column to store additional information about the UNIX user. The sixth column indicates the home directory of the UNIX user. The seventh column is the shell in which the UNIX user works. The super user can add a new UNIX user to the system. The first method to add the UNIX user is to enter the UNIX user in the /etc/passwd file and grant the appropriate permission to the home directory of the new UNIX user. Listing 12−1 shows how to create a new user using the user−defined shell script, adduser: Listing 12−1: Creating a New User Account
# Retrieve the last user id userid='tail −1 /etc/passwd | cut −f3 −d":"' # Increment userid by 1 to create an id for new user userid='expr $userid + 1' echo "Enter the group name" read group # Retrieve the group id of the specified group groupid='grep "^$group" /etc/group | cut −f3 −d":"' grep "^$group" /etc/group ret=$? # Check the status of the last executed command If [ $ret −eq 0 ] then echo "Enter the login name" read login echo "Enter the full name of the user" read name # Add new user's information to the /etc/passwd file Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
8
echo "$login::$userid:$group:$name:/usr/$login:/bin/ksh">>/etc/passwd # create login directory home=/usr/$login mkdir home # Add .profile file to the new user account cp /usr/lib/mkuser/ksh/profile /$home/.profile # Grant permission to the home directory and .profile file chmod 755 $home $home/* chmod 700 $home/.profile # Assign ownership to all files and directories of the new user chown $login $home $home/* $home/.profile chgrp $group $home $home/* $home/.profile else echo "Enter the existing group name" fi
The above listing shows that the script accepts the account name and group name of the newly created UNIX user. The listing finds the user−id and group−id of the new UNIX user, appends the information to the /etc/passwd file, creates the directory with the name of the new user and assigns ownership to the home directory. The newly created account is not given a password. Figure 12−5 shows the output of the script file, adduser:
Figure 12−5: Output of the Script File, adduser An example of implementing the passwd command is: $ passwd
This command changes the password of the currently logged−on UNIX user. Figure 12−6 shows the output of the passwd command:
Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
9
Figure 12−6: Output of the passwd Command The other function of the super user is to delete the accounts of the UNIX users who no longer exist on the network. Listing 12−2 shows how to remove an existing user from a network using the user−defined shell script, removeuser: Listing 12−2: Removing an Existing User
echo "Enter the user name to be deleted" read user # Search the specified user in the file, /etc/passwd list='grep $user /etc/passwd' ret=$? # Check the status of the last executed command If [ $ret −eq 0 ] then # Remove the home directory and subdirectories of the specified user rm −r /usr/$user grep −v "$user" /etc/passwd | tee /etc/passwd echo "User has been deleted" else echo "Invalid UNIX user" fi
The above listing shows that the script accepts the login account of the UNIX user to delete. This listing determines whether the specified UNIX user exists. If the specified user does not exist in the /etc/passwd file, the listing displays the appropriate error message. Otherwise, the listing removes the home directory and subdirectories of the specified UNIX user. Figure 12−7 shows the output of the script file, removeuser:
Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
10
Figure 12−7: Output of the Script File, removeuser
Starting and Shutting Down the System The process of starting the UNIX system is called booting. The UNIX system performs various functions to initialize the boot process. The various functions that the boot process performs are: • Checks the basic hardware parts of the system. • Searches for a boot device. • Loads the kernel and file system. • Initializes the other devices of the system, such as the keyboard and printer. • Starts all the services of the system, such as init, inetd, cron, named, telnetd, ftpd, and httpd. • Starts the other applications of the system, such as mounting the disk and file systems, and the network and mail applications.
When a system boots, the system startup messages appear on the screen, which indicate that the booting process is in progress. If any of the booting functions is not accomplished, the system stops and displays the appropriate message. In a booting process, the run level indicates the running mode of a system. You can change the mode of a system using the run level in the init process. The init process contains seven run levels that range from 0 to 6, and s or S, for a single user mode. The default run level is two (2), which is Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
11
the multi−user mode. The run levels and their functions are: • 0: Shuts down the system and powers−off automatically. • 1: Starts the system in the single user mode. • 2: Starts the system in the multi−user mode. • 3: Starts the system in the multi−user mode and allows remote file sharing. • 4: Starts the system in the multi−user mode and activates the graphical interface. • 5: Shuts down the system but does not power−off automatically. • 6: Shuts down the system and restarts it with a run level 2 or 3. • S/s: Starts the system in the single user mode.
The file, /etc/inittab, contains the number of UNIX users and the devices that are available for a specific run level. In the process of booting, the UNIX system uses the /etc/inittab file to start all the services, such as mount a disk, start the terminal devices, /dev/tty. Use the who −r command to check the current run level of the system. In the multi−user mode, the script file, /etc/rc, runs to check all the file systems and start the various background processes, such as cron and at. After the script file, /etc/rc, runs all the terminals that are connected to the system obtain the login prompt. The process of closing the running programs and applications in a safe mode so that the system files are not corrupted is called shutting down the system. Problems arise if you do not shut down the system systematically. The various functions that a system performs while shutting down are: • Complete the running commands. • Unmount the file system. • Unmount the device files.
You use the shutdown command to shut down the system. The /etc/shutdown shell script automatically executes when you run the shutdown command. The shutdown script uses the wall command to inform the UNIX users to save their work and log off, because the system is going to shut down shortly. As you enter the shutdown command, the system initiates the shutdown process within 60 seconds. You can change the waiting time for the shutdown process using the −g option in the shutdown command. To shut down a system, use the command: Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
12
# shutdown −g180
This command shows that the waiting time for the shutdown process is 180 seconds. After 180 seconds, the shutdown command initiates the shutdown process. A shutdown process is an interactive process in which the system prompts you for responses. You can change the interactive process of shutdown using the −y option with the shutdown command.
Disk Management You can secure important and confidential information by making backups in floppy diskettes, CD−ROMs, or on magnetic tapes. Before making backups on a floppy disk, you must format the floppy disk on a UNIX system. All the devices in UNIX are treated as special files. The two methods to use a formatted floppy disk are: • Make a file system on the floppy disk, use the floppy as a directory on the hard disk, and mount the file system at a specific location on the hard disk. • Use the raw disk method, which does not require that you create a file system on the floppy.
Formatting a Disk In UNIX, the /dev directory stores the device−related files and their capacity. For example, rfd0135ds15 is the name of a floppy disk file in which rfd stands for a raw floppy disk, 0 for the floppy is in drive A, and 1 for the floppy is in drive B. The number, 135, indicates the tracks per inch, ds stands for double−sided, and 15 indicates the number of sectors per track. The syntax to format a floppy disk is: $ format /dev/rfd0135ds15
This syntax formats the floppy disk in drive A. If you do not enter the device name, the format command reads the device name in the /etc/default/format file, which contains the name of the device file. After formatting the floppy disk, create a file system on the floppy to use the floppy as a storage medium. Creating a File System When you create a file system on a formatted floppy, the existing data on the floppy is deleted. Use the mkfs command to create a file system on a floppy. The mkfs command creates the Acer Fast FileSystem file system, which is the default file system. Only the super user can use the mkfs command. The syntax to implement the mkfs command is: mkfs device_name device_blocks:i−node
In this syntax, device_name is the name of device in which to create the file system. The second argument indicates the number of 512 KB blocks and number of i−node that is created in the file system. The syntax to calculate the number of 512 KB blocks in the file system is:
Number of tracks per side * number of sides of the disk * number of sectors per track * bytes p
The syntax calculates the number of blocks in the floppy disk. In the double−sided floppy with a 1.44MB capacity, the number of tracks per side is 80. Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
13
The command to use the mkfs command is: # /etc/mkfs /dev/ rfd0135ds15 2400:600
This command shows that the floppy disk with a capacity of 1.44MB contains 2400 blocks and 600 i−nodes after creating the file system on a floppy. Each i−node represents one file in the file system. Mounting a File System The file system of the different storage devices, such as a floppy disk, hard disk, and magnetic tape, is not the same. The mount command links the file system of the floppy disk to the hard disk. You can create directories and files in the new mounted file systems. The mounted file system has a root directory and other directories. The mounting process of a file system is connecting the file system at a particular point in the existing file system. The point of attachment is the mount point for the particular file system. The path of a newly mounted file is the root directory of the existing file system. By default, the mount point is the /mnt directory. This directory is the default directory and is accessible from all UNIX logins, until special restrictions are imposed. The syntax to mount a floppy disk on a system is: # /etc/mount /dev/fd0135ds15 /mnt
This command shows the use of fd, instead of rfd that is the name of the floppy device. The use of fd indicates that the file system is created on the floppy disk. To change the UNIX default mount point, set the mount point of the new file system in another directory. The syntax to mount a file system in a new directory is: $ /etc/mount /dev/fd0135ds15 /usr/temp
This syntax mounts the floppy disk, fd0135ds15, in the /usr/temp directory. The two methods to check whether the file system is successfully mounted are: • Change the current directory to the /mnt directory and create files and directories in it. If the mounting process is successful, these files are created on the floppy disk, otherwise, an error message appears. • Run the mount command without passing any parameter and verify that the mount command displays all the currently mounted file systems to the current file system.
Note
Running the mount command lists all the file systems that are mounted, whether they are in the default /mnt directory or in any other directory.
Unmounting a File System Use the umount command to unmount a file system. The umount command unmounts the new file system that is mounted on the current file system. After unmounting a file system, the files become inaccessible. To make the files accessible, you must remount the file system. If you remove the floppy drive without unmounting it, your system might generate errors, such as linking errors. To unmount a file system and avoid these errors, type the following syntax: $/etc/umount /mnt
Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
14
This syntax unmounts the file system that is mounted in the default directory. To unmount all the mounted file systems in the current file system before you shut down the system, run the unmountall command. Note The unmount command fails when a file on the mounted file system is in use. You need to check that there is no file or directory in use before you unmount the file system.
Disk Monitoring You need to frequently monitor a disk to delete data that are no longer needed. When you work on the UNIX operating system, temporary files are accumulated in the /PDF document object directory. You need to remove these temporary files to improve the performance of the system. The commands that you can use to improve the disk performance are df and du. The df command refers to disk free, and du refers to disk usage. Use the df command to ascertain the free disk blocks on a particular file system. Note
If you do not specify the file system with the df command, the df command displays the free disk blocks for all the mounted file systems. You can find the file systems that are mounted on your computer in the mnttab file in the /etc directory.
The syntax to implement the df command to find the free disk space is: df [option] [file_system]
This syntax finds the free disk space for the file system that the parameter, file_system, represents. The options that are available with the df command define the pattern in which you must obtain the free disk space. The most common options to use with the df command are: • −P: Displays the disk space information, such as the name of the file system, total number of blocks, total number of blocks free, total number of blocks in use, percentage of blocks that are in use, and the directory in which the file systems are mounted • −f: Displays the free disk space on the file systems that are mounted on your computer • −i: Displays the i−node information, such as the total number of i−nodes and total number of i−nodes free. You can also use the options to view the percentage of i−nodes that is used for each file system that is mounted on your computer. • −k: Displays the total number of i−nodes and disk space on each file system on your computer. With the −k option, the size of a block is 1024 bytes; instead of 512 bytes.
Figure 12−8 shows the use of the df command to view the disk space for a particular file system that is mounted on the computer:
Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
15
Figure 12−8: Using the df Command
Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Setting the System Security System security protects the system from unexpected errors. The errors can be scripting errors; for example, setting wrong permissions for a file. You can restrict the Korn shell by invoking the shell using the rksh command. The environment is restricted by allowing a UNIX user limited access to the system resources. You can protect a file using the built−in commands, such as chmod, to set the access permissions for a file.
Securing the Shell Scripts You should design the script structure before writing it in the editor. You need to include error−handling code in your script to handle errors. You must also check the commands that can generate errors under the influence of other commands. For example, if two shell scripts share the same environment variable at the same time, an error can occur. Your script needs to check the arguments that are passed at run time. For example, if the script requires numeric arguments, the script should have a check on the arguments passed. If a passed value is not the same as what an application requires, the script must exit or prompt you to re−enter the value. The scripts must keep track of the operations that commands perform. For example, the syslog command automatically generates a log using the logger() function. If the syslog command is not on your system, you can make a log file. Listing 12−3 shows the syntax to update a log file: Listing 12−3: The syntax to update a log file # Adds the process number in the file print −r "$$" >> /usr/jack/adam/log # Adds the login name of the end user print −r $LOGNAME >> /usr/jack/adam/log # Adds the current date of the computer print −r 'date' >> /usr/jack/adam/log
In the above syntax, the "$$" command provides the current process number, and the output redirection operator, >>, redirects the output in the log file, /usr/jack/adam/log. You need to enclose the input from the end user in double quotes (""). For example, the input is used as "$1" or "$3"; so that the application does not further process any wrong input from the end user. When an end user enters data, the eval command is not used. If the end user discovers that the script uses the eval command, the end user can manipulate the processing of data by altering the input and replacing it with variable names. Note To learn more about the eval command, see Appendix C. The script that alters the PATH variable of the UNIX environment should not contain a dot (.). The dot (.) signifies the path of the current working directory. When the PATH variable includes a dot (.), it is interpreted as the path of the end users current working directory. The end user can use a dot (.) in the PATH variable to manipulate the functionality of the script.
Securing a Restricted Korn Shell The restricted Korn shell is a shell in which a UNIX user has restricted permission to access the resources. Use this version of a shell for the guest accounts in UNIX. The two methods to invoke the restricted Korn shell are: • Using the rksh command at the command prompt Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
17
• Assigning the set −r option to a shell
You can restrict the login session of the guest account by setting the PATH variable to the path of the Restricted Korn shell. The Restricted Korn shell does not support the: • Change directory, cd command • Output redirection operators • Reassignment of the environment variables • Addition of new built−in commands using the built−in command • Commands that contain a backslash (\)
You must have system administrator privileges to set the values for these features in the .profile file. These restrictions are applied to set the restricted environment after reading the .profile file. You need to safeguard the .profile file from unauthorized updating. The two methods to protect the .profile file are: • Make the .profile file read−only so that a UNIX user can only read the contents of the file; not modify them. • Change the path of the .profile file; so that a UNIX user cannot find the .profile file.
Note
You need to confirm that no other session of any other shell contains the same value for the PATH variable. If any other session shares the same value for the PATH variable, a UNIX user can easily escape the restricted features of the restricted environment.
Setting the UNIX User ID In UNIX, a process has two user IDs, real and effective. The setuid command in UNIX checks the value of the effective user ID. According to the value of the effective user ID, the values of the real user ID are set as: • Zero if the value of the effective uid is zero. • Value of the effective user ID to real user ID if the value of the effective uid is nonzero.
Every Korn shell script file has a setuid that is associated with it. You can protect your script file from any unauthorized updating by changing the setuid of the script file to a user ID that you define. This method prevents any program with a different user ID from updating your script file. This Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
18
feature checks the user ID of the current login session and then updates the file. You can use the setuid command to set the root user ID as the super user. The syntax to set the user ID using the setuid command: chmod 4755 file_name
In this syntax, the number, 4, is the bit for the setuid command. The setgid command sets the uid for a group of UNIX users. The syntax to set the group permissions is: chmod 2755 file_name
In this syntax, number 2 is the bit for the setgid command. The change of permissions appears in the ls −l command when the x permission is changed to the s permission. Figure 12−9 shows the changing mode for the setuid and setgid commands:
Figure 12−9: Access Modes The Korn shell provides the option of a privileged mode. You can set the shell option to the privileged mode in two ways: • set −o privileged • set −p
The privileged mode runs the file, /etc/suid_profile, by default. You need to update this file with the new value of the PATH variable to restrict the new end user. Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
Working with Korn Shell
Note
19
The end user can turn off the privileged mode using the set +p command, but this syntax does not affect the security of the system; because the set +p command turns off the setuid command. As the end user turns off the privileged mode, the shell automatically assigns new values to the effective uid and real uid.
Any shell script should not start with the binary interpreter command line, #! /bin/ksh, in the restricted shell. This syntax causes a run−time error when the script runs in the restricted environment. The ksh interpreter tries to run the script in the binary mode in the /bin/ksh directory when it reads the command, #! /bin/ksh. Since the shell does not allow the program to run in this directory, an error is generated.
Reprinted for
[email protected], IBM
SkillSoft, SkillSoft Corporation (c) 2003, Copying Prohibited
