book

Learning Modern Linux

by Michael Hausenblas

April 2022

Beginner

260 pages

5h 54m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

About YouHow to Use the BookConventionsUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
What Are Modern Environments?The Linux Story (So Far)Why an Operating System at All?Linux DistributionsResource VisibilityA Ten-Thousand-Foot View of LinuxConclusion
Linux ArchitectureCPU Architecturesx86 ArchitectureARM ArchitectureRISC-V ArchitectureKernel ComponentsProcess ManagementMemory ManagementNetworkingFilesystemsDevice DriverssyscallsKernel ExtensionsModulesA Modern Way to Extend the Kernel: eBPFConclusion
BasicsTerminalsShellsModern CommandsCommon TasksHuman-Friendly ShellsFish ShellZ-shellOther Modern ShellsWhich Shell Should I Use?Terminal MultiplexerscreentmuxOther MultiplexersWhich Multiplexer Should I Use?ScriptingScripting BasicsWriting Portable bash ScriptsLinting and Testing ScriptsEnd-to-End Example: GitHub User Info ScriptConclusion
BasicsResources and OwnershipSandboxingTypes of Access ControlUsersManaging Users LocallyCentralized User ManagementPermissionsFile PermissionsProcess PermissionsAdvanced Permission ManagementCapabilitiesseccomp ProfilesAccess Control ListsGood PracticesConclusion
BasicsThe Virtual File SystemLogical Volume ManagerFilesystem OperationsCommon Filesystem LayoutsPseudo FilesystemsprocfssysfsdevfsRegular FilesCommon FilesystemsIn-Memory FilesystemsCopy-on-Write FilesystemsConclusion
BasicsThe Linux Startup ProcesssystemdUnitsManagement with systemctlMonitoring with journalctlExample: scheduling greeterLinux Application Supply ChainsPackages and Package ManagersRPM Package ManagerDebian debLanguage-Specific Package ManagersContainersLinux NamespacesLinux cgroupsCopy-on-Write FilesystemsDockerOther Container ToolingModern Package ManagersConclusion
BasicsThe TCP/IP StackThe Link LayerThe Internet LayerThe Transport LayerSocketsDNSDNS RecordsDNS LookupsApplication Layer NetworkingThe WebSecure ShellFile TransferNetwork File SystemSharing with WindowsAdvanced Network TopicswhoisDynamic Host Configuration ProtocolNetwork Time ProtocolWireshark and tsharkOther Advanced ToolingConclusion
BasicsObservability StrategyTerminologySignal TypesLoggingSyslogjournalctlMonitoringDevice I/O and Network InterfacesIntegrated Performance MonitorsInstrumentationAdvanced ObservabilityTracing and ProfilingPrometheus and GrafanaConclusion
Interprocess CommunicationSignalsNamed PipesUNIX Domain SocketsVirtual MachinesKernel-Based Virtual MachineFirecrackerModern Linux DistrosRed Hat Enterprise Linux CoreOSFlatcar Container LinuxBottlerocketRancherOSSelected Security TopicsKerberosPluggable Authentication ModulesOther Modern and Future OfferingsNixOSLinux on the DesktopLinux on Embedded SystemsLinux in Cloud IDEConclusion

Gathering System InformationWorking with Users and ProcessesGathering File InformationWorking with Files and DirectoriesWorking with Redirection and PipesWorking with Time and DatesWorking with GitSystem Performance

Content preview from Learning Modern Linux

Chapter 4. Access Control

After the wide scope in the previous chapter on all things shell and scripting, we now focus on one specific and crucial security aspect in Linux. In this chapter, we discuss the topic of users and controlling access to resources in general and files in particular.

One question that immediately comes to mind in such a multiuser setup is ownership. A user may own, for example, a file. They are allowed to read from the file, write to the file, and also, say, delete it. Given that there are other users on the system as well, what are those users allowed to do, and how is this defined and enforced? There are also activities that you might not necessarily associate with files in the first place. For example, a user may (or may not) be allowed to change networking-related settings.

To get a handle on this topic, we’ll first take a look at the fundamental relationship between users, processes, and files, from an access perspective. We’ll also review sandboxing and access control types. Next, we’ll focus on the definition of a Linux user, what users can do, and how to manage users either locally or alternatively from a central place.

Then, we’ll move on to the topic of permissions, where we’ll look at how to control access to files and how processes are impacted by such restrictions.

We’ll wrap up this chapter covering a range of advanced Linux features in the access control space, including capabilities, seccomp profiles, and ACLs. To round things off, we’ll ...