Failed to Upload a File to the Guest Vm via Scp Due to a Permissions File Already Exists
The control of users and groups is a core chemical element of Red Hat Enterprise Linux system administration. This chapter explains how to add together, manage, and delete users and groups in the graphical user interface and on the command line, and covers avant-garde topics, such every bit creating grouping directories.
four.1. Introduction to Users and Groups
While users can be either people (meaning accounts tied to concrete users) or accounts that exist for specific applications to use, groups are logical expressions of organization, tying users together for a common purpose. Users within a group share the same permissions to read, write, or execute files endemic by that grouping.
Each user is associated with a unique numerical identification number chosen a user ID ( UID ). Likewise, each grouping is associated with a grouping ID ( GID ). A user who creates a file is as well the possessor and grouping owner of that file. The file is assigned dissever read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be inverse only by root, and access permissions tin be changed by both the root user and file owner.
Additionally, Blood-red Hat Enterprise Linux supports admission control lists ( ACLs ) for files and directories which allow permissions for specific users exterior of the owner to be gear up. For more data almost this feature, see Chapter 5, Admission Control Lists.
Reserved User and Group IDs
Red Hat Enterprise Linux reserves user and grouping IDs beneath g for system users and groups. By default, the User Director does not display the system users. Reserved user and group IDs are documented in the setup package. To view the documentation, utilize this command:
cat /usr/share/doc/setup*/uidgid
The recommended practice is to assign IDs starting at 5,000 that were not already reserved, as the reserved range tin increase in the future. To make the IDs assigned to new users by default start at 5,000, change the UID_MIN and GID_MIN directives in the /etc/login.defs file:
[file contents truncated] UID_MIN 5000 [file contents truncated] GID_MIN 5000 [file contents truncated]
For users created earlier you changed UID_MIN and GID_MIN directives, UIDs will still start at the default 1000.
Even with new user and group IDs get-go with v,000, it is recommended not to raise IDs reserved by the system above 1000 to avoid conflict with systems that retain the 1000 limit.
4.1.i. User Private Groups
Cerise Hat Enterprise Linux uses a user individual group ( UPG ) scheme, which makes UNIX groups easier to manage. A user private group is created whenever a new user is added to the arrangement. It has the same proper name as the user for which it was created and that user is the just member of the user private group.
User private groups make it safe to set default permissions for a newly created file or directory, allowing both the user and the group of that user to brand modifications to the file or directory.
The setting which determines what permissions are applied to a newly created file or directory is chosen a umask and is configured in the /etc/bashrc file. Traditionally on UNIX-based systems, the umask is gear up to 022, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator's grouping , are not allowed to make whatsoever modifications. Yet, under the UPG scheme, this "group protection" is not necessary since every user has their own individual grouping. See Section 4.three.v, "Setting Default Permissions for New Files Using umask" for more information.
A list of all groups is stored in the /etc/group configuration file.
four.ane.2. Shadow Passwords
In environments with multiple users, information technology is very important to use shadow passwords provided by the shadow-utils package to enhance the security of system authentication files. For this reason, the installation plan enables shadow passwords past default.
The following is a list of the advantages shadow passwords take over the traditional fashion of storing passwords on UNIX-based systems:
- Shadow passwords improve organization security by moving encrypted countersign hashes from the globe-readable
/etc/passwdfile to/etc/shadow, which is readable but by therootuser. - Shadow passwords store information about password aging.
- Shadow passwords let to enforce some of the security policies set in the
/etc/login.defsfile.
About utilities provided by the shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow file, some utilities and commands practice not work without showtime enabling shadow passwords:
- The
chageutility for setting password crumbling parameters. For details, see the Password Security section in the Red Hat Enterprise Linux 7 Security Guide . - The
gpasswdutility for administrating the/etc/groupfile. - The
usermodcontrol with the-e, --expiredateor-f, --inactivepick. - The
useraddcommand with the-east, --expiredateor-f, --inactiveoption.
4.2. Managing Users in a Graphical Environment
The Users utility allows you to view, alter, add together, and delete local users in the graphical user interface.
4.2.1. Using the Users Settings Tool
Press the Super primal to enter the Activities Overview, type Users and then printing Enter . The Users settings tool appears. The Super central appears in a variety of guises, depending on the keyboard and other hardware, just ofttimes as either the Windows or Control key, and typically to the left of the Space bar. Alternatively, you lot tin open up the Users utility from the Settings bill of fare after clicking your user name in the top right corner of the screen.
To make changes to the user accounts, first select the push and authenticate yourself as indicated past the dialog box that appears. Note that unless you have superuser privileges, the application will prompt y'all to cosign every bit root. To add and remove users, select the and push button respectively. To add a user to the administrative group wheel, alter the Business relationship Type from Standard to Administrator. To edit a user'south language setting, select the language and a drib-down carte appears.
Figure four.1. The Users Settings Tool
When a new user is created, the account is disabled until a password is prepare. The Password driblet-downwards bill of fare, shown in Figure 4.ii, "The Password Card", contains the options to set a password by the administrator immediately, cull a password by the user at the first login, or create a guest business relationship with no password required to log in. You tin also disable or enable an account from this menu.
Figure 4.ii. The Password Carte
4.3. Using Command-Line Tools
Apart from the Users settings tool described in Section 4.2, "Managing Users in a Graphical Environment", which is designed for bones managing of users, yous can use command line tools for managing users and groups that are listed in Table iv.i, "Command line utilities for managing users and groups".
iv.3.ane. Calculation a New User
To add a new user to the system, blazon the following at a shell prompt equally root:
useradd options username …where options are command-line options as described in Tabular array 4.2, "Mutual useradd control-line options".
By default, the useradd command creates a locked user account. To unlock the account, run the following command as root to assign a password:
passwd username Optionally, you can set a password aging policy. See the Password Security section in the Red Chapeau Enterprise Linux seven Security Guide .
Table iv.ii. Common useradd control-line options
| Option | |
|---|---|
| | comment can exist replaced with any string. This option is generally used to specify the full proper name of a user. |
| | Domicile directory to be used instead of default |
| | Date for the account to be disabled in the format YYYY-MM-DD. |
| | Number of days afterwards the password expires until the business relationship is disabled. If |
| | Group proper name or group number for the user'southward default (primary) group. The group must exist prior to being specified here. |
| | List of additional (supplementary, other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here. |
| | Create the home directory if it does non exist. |
| | Practice non create the home directory. |
| | Do not create a user private group for the user. |
| | The password encrypted with |
| | Create a system account with a UID less than 1000 and without a home directory. |
| | User'south login crush, which defaults to |
| | User ID for the user, which must be unique and greater than 999. |
The default range of IDs for system and normal users has been inverse in Ruby-red Hat Enterprise Linux seven from earlier releases. Previously, UID 1-499 was used for system users and values to a higher place for normal users. The default range for arrangement users is now i-999. This change might cause problems when migrating to Red Hat Enterprise Linux 7 with existing users having UIDs and GIDs between 500 and 999. The default ranges of UID and GID tin can exist changed in the /etc/login.defs file.
-
A new line for
juanis created in/etc/passwd:juan:x:1001:1001::/dwelling/juan:/bin/bash
The line has the following characteristics:
- It begins with the user proper name
juan. - There is an
tenfor the password field indicating that the organization is using shadow passwords. - A UID greater than 999 is created. Nether Red Hat Enterprise Linux 7, UIDs below 1000 are reserved for arrangement use and should non be assigned to users.
- A GID greater than 999 is created. Under Scarlet Lid Enterprise Linux 7, GIDs beneath k are reserved for system use and should not be assigned to users.
- The optional GECOS data is left blank. The GECOS field can exist used to provide additional information near the user, such as their full proper name or phone number.
- The dwelling directory for
juanis set to/home/juan/. - The default crush is set to
/bin/bash.
- It begins with the user proper name
-
A new line for
juanis created in/etc/shadow:juan:!!:14798:0:99999:7:::
The line has the following characteristics:
- It begins with the user proper noun
juan. -
Two exclamation marks (
!!) appear in the countersign field of the/etc/shadowfile, which locks the account.If an encrypted password is passed using the
-pflag, it is placed in the/etc/shadowfile on the new line for the user. - The password is set to never expire.
- It begins with the user proper noun
-
A new line for a group named
juanis created in/etc/group:juan:x:1001:
A group with the same name every bit a user is called a user private group . For more information on user private groups, see Department 4.1.1, "User Private Groups".
The line created in
/etc/grouphas the following characteristics:- It begins with the group name
juan. - An
xappears in the password field indicating that the system is using shadow group passwords. - The GID matches the one listed for
juan'south primary group in/etc/passwd.
- It begins with the group name
-
A new line for a group named
juanis created in/etc/gshadow:juan:!::
The line has the following characteristics:
- It begins with the grouping name
juan. - An assertion mark (
!) appears in the password field of the/etc/gshadowfile, which locks the grouping. - All other fields are blank.
- It begins with the grouping name
-
A directory for user
juanis created in the/homedirectory:~]# ls -ld /domicile/juan drwx------. 4 juan juan 4096 Mar 3 18:23 /dwelling house/juan
This directory is owned past user
juanand groupjuan. Information technology has read , write , and execute privileges only for the userjuan. All other permissions are denied. -
The files within the
/etc/skel/directory (which contain default user settings) are copied into the new/dwelling house/juan/directory:~]# ls -la /domicile/juan full 28 drwx------. four juan juan 4096 Mar 3 18:23 . drwxr-xr-x. five root root 4096 Mar iii xviii:23 .. -rw-r--r--. 1 juan juan 18 Jun 22 2010 .bash_logout -rw-r--r--. one juan juan 176 Jun 22 2010 .bash_profile -rw-r--r--. 1 juan juan 124 Jun 22 2010 .bashrc drwxr-xr-x. iv juan juan 4096 Nov 23 15:09 .mozilla
At this signal, a locked account chosen juan exists on the system. To activate it, the administrator must next assign a password to the business relationship using the passwd command and, optionally, prepare password aging guidelines (see the Password Security department in the Red Hat Enterprise Linux seven Security Guide for details).
4.3.2. Adding a New Group
To add together a new group to the organisation, blazon the following at a shell prompt equally root:
groupadd options group_name
…where options are command-line options as described in Table 4.three, "Mutual groupadd command-line options".
Table four.3. Common groupadd command-line options
| Choice | Description |
|---|---|
| | When used with |
| | Group ID for the group, which must be unique and greater than 999. |
| | Override |
| | Allows creating groups with duplicate GID. |
| | Employ this encrypted countersign for the new grouping. |
| | Create a organization group with a GID less than 1000. |
4.three.3. Adding an Existing User to an Existing Group
Utilise the usermod utility to add an already existing user to an already existing group.
Various options of usermod have different impact on user'southward master group and on his or her supplementary groups.
To override user's chief grouping, run the following command as root:
~]# usermod -1000 group_name user_name
To override user's supplementary groups, run the post-obit command as root:
~]# usermod -One thousand group_name1 , group_name2 ,... user_name
Note that in this example all previous supplementary groups of the user are replaced by the new group or several new groups.
To add together one or more than groups to user's supplementary groups, run one of the post-obit commands as root:
~]# usermod -aG group_name1 , group_name2 ,... user_name
~]# usermod --append -G group_name1 , group_name2 ,... user_name
Note that in this case the new group is added to user's current supplementary groups.
4.3.4. Creating Group Directories
System administrators usually like to create a grouping for each major project and assign people to the group when they need to access that project's files. With this traditional scheme, file management is hard; when someone creates a file, it is associated with the principal group to which they belong. When a single person works on multiple projects, it becomes difficult to associate the right files with the right grouping. However, with the UPG scheme, groups are automatically assigned to files created within a directory with the setgid flake set. The setgid fleck makes managing group projects that share a common directory very elementary because any files a user creates inside the directory are owned by the group that owns the directory.
For example, a group of people need to work on files in the /opt/myproject/ directory. Some people are trusted to alter the contents of this directory, but not anybody.
-
As
root, create the/opt/myproject/directory by typing the following at a shell prompt:mkdir /opt/myproject -
Add the
myprojectgroup to the organisation:groupadd myproject -
Acquaintance the contents of the
/opt/myproject/directory with themyprojectgroup:chown root:myproject /opt/myproject -
Allow users in the grouping to create files within the directory and set up the setgid flake:
chmod 2775 /opt/myprojectAt this indicate, all members of the
myprojectgroup can create and edit files in the/opt/myproject/directory without the administrator having to change file permissions every fourth dimension users write new files. To verify that the permissions accept been set correctly, run the following command:~]# ls -ld /opt/myproject drwxrwsr-x. 3 root myproject 4096 Mar 3 eighteen:31 /opt/myproject
-
Add users to the
myprojectgroup:usermod -aG myproject username
four.three.five. Setting Default Permissions for New Files Using umask
When a process creates a file, the file has sure default permissions, for example, -rw-rw-r--. These initial permissions are partially defined by the file mode creation mask , also called file permission mask or umask . Every process has its own umask, for instance, bash has umask 0022 by default. Process umask can exist changed.
What umask consists of
A umask consists of bits respective to standard file permissions. For case, for umask 0137, the digits mean that:
-
0= no pregnant, it is always0(umask does non affect special bits) -
1= for possessor permissions, the execute bit is set -
3= for group permissions, the execute and write bits are set -
vii= for others permissions, the execute, write, and read bits are set
Umasks can be represented in binary, octal, or symbolic notation. For example, the octal representation 0137 equals symbolic representation u=rw-,g=r--,o=---. Symbolic notation specification is the opposite of the octal notation specification: information technology shows the allowed permissions, non the prohibited permissions.
How umask works
Umask prohibits permissions from being set for a file:
- When a bit is prepare in umask , it is unset in the file.
- When a scrap is non set in umask , it can be set in the file, depending on other factors.
The post-obit figure shows how umask 0137 affects creating a new file.
Figure four.iii. Applying umask when creating a file
For security reasons, a regular file cannot take execute permissions by default. Therefore, even if umask is 0000, which does non prohibit whatsoever permissions, a new regular file all the same does not have execute permissions. All the same, directories can be created with execute permissions:
[john@server tmp]$ umask 0000 [john@server tmp]$ touch file [john@server tmp]$ mkdir directory [john@server tmp]$ ls -lh . total 0 drwxrwxrwx. two john john xl Nov two 13:17 directory -rw-rw-rw-. one john john 0 November 2 xiii:17 file
4.3.5.1. Managing umask in Shells
For popular shells, such as bash, ksh, zsh and tcsh, umask is managed using the umask shell builtin. Processes started from shell inherit its umask.
Displaying the current mask
To show the electric current umask in octal note:
~]$ umask 0022 To prove the current umask in symbolic notation:
~]$ umask -S u=rwx,g=rx,o=rx Setting mask in shell using umask
To set up umask for the current crush session using octal annotation run:
~]$ umask octal_mask
Substitute octal_mask with 4 or less digits from 0 to 7. When three or less digits are provided, permissions are set equally if the command contained leading zeros. For instance, umask 7 translates to 0007.
Example iv.1. Setting umask Using Octal Annotation
To prohibit new files from having write and execute permissions for owner and group, and from having whatsoever permissions for others:
~]$ umask 0337 Or merely:
~]$ umask 337 To prepare umask for the current trounce session using symbolic note:
~]$ umask -S symbolic_mask
Example 4.2. Setting umask Using Symbolic Notation
To set up umask 0337 using symbolic notation:
~]$ umask -South u=r,g=r,o= Working with the default trounce umask
Shells ordinarily take a configuration file where their default umask is set. For bash, it is /etc/bashrc. To testify the default bash umask:
~]$ grep -i -B 1 umask /etc/bashrc The output shows if umask is fix, either using the umask command or the UMASK variable. In the following case, umask is set to 022 using the umask command:
~]$ grep -i -B ane umask /etc/bashrc # By default, we want umask to become set. This sets it for non-login shell. -- if [ $UID -gt 199 ] && [ "id -gn" = "id -un" ]; so umask 002 else umask 022
To change the default umask for bash, change the umask control call or the UMASK variable assignment in /etc/bashrc. This example changes the default umask to 0227:
if [ $UID -gt 199 ] && [ "id -gn" = "id -un" ]; then umask 002 else umask 227 Working with the default beat umask of a specific user
Past default, bash umask of a new user defaults to the one defined in /etc/bashrc.
To change bash umask for a detail user, add together a call to the umask control in $HOME/.bashrc file of that user. For case, to alter bash umask of user john to 0227:
john@server ~]$ echo 'umask 227' >> /home/john/.bashrc Setting default permissions for newly created domicile directories
To change permissions with which user home directories are created, change the UMASK variable in the /etc/login.defs file:
# The permission mask is initialized to this value. If non specified, # the permission mask will be initialized to 022. UMASK 077
four.four. Boosted Resources
For more than data on how to manage users and groups on Blood-red Chapeau Enterprise Linux, see the resources listed below.
Installed Documentation
For data virtually diverse utilities for managing users and groups, run across the following transmission pages:
-
useradd(8) — The manual page for theuseraddcommand documents how to utilise it to create new users. -
userdel(viii) — The manual page for theuserdelcommand documents how to utilize it to delete users. -
usermod(8) — The manual page for theusermodcommand documents how to use information technology to modify users. -
groupadd(8) — The manual page for thegroupaddcommand documents how to use it to create new groups. -
groupdel(8) — The transmission folio for thegroupdelcommand documents how to use it to delete groups. -
groupmod(8) — The manual folio for thegroupmodcontrol documents how to use it to modify group membership. -
gpasswd(1) — The manual page for thegpasswdcommand documents how to manage the/etc/groupfile. -
grpck(8) — The manual page for thegrpckcommand documents how to employ it to verify the integrity of the/etc/groupfile. -
pwck(eight) — The transmission folio for thepwckcommand documents how to use information technology to verify the integrity of the/etc/passwdand/etc/shadowfiles. -
pwconv(8) — The manual page for thepwconv,pwunconv,grpconv, andgrpunconvcommands documents how to convert shadowed data for passwords and groups. -
id(one) — The manual page for theidcommand documents how to brandish user and grouping IDs. -
umask(2) — The transmission page for theumaskcommand documents how to work with the file mode creation mask.
For information near related configuration files, run into:
-
group(5) — The transmission page for the/etc/groupfile documents how to use this file to define system groups. -
passwd(5) — The transmission page for the/etc/passwdfile documents how to use this file to define user information. -
shadow(5) — The manual page for the/etc/shadowfile documents how to apply this file to set passwords and account expiration data for the organization.
Online Documentation
- Ruby-red Hat Enterprise Linux seven Security Guide — The Security Guide for Red Hat Enterprise Linux 7 provides additional data how to ensure countersign security and secure the workstation by enabling password aging and user business relationship locking.
See Also
- Chapter 6, Gaining Privileges documents how to gain administrative privileges by using the
suandsudocommands.
Source: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-managing_users_and_groups
0 Response to "Failed to Upload a File to the Guest Vm via Scp Due to a Permissions File Already Exists"
Post a Comment