04 - Advanced file management Flashcards

1
Q

User access rights

A

Control of permissions on files and directories may also be referred to as user access rights.

Access permissions on files and directories allow administrative control over which user (permission classes) can access them and to what level (permission types). File and directory permissions are referred to as standard ugo/rwx permissions.

2
Q

Permission classes

A

Users are categorized into three unique classes for maintaining file security through access rights. These classes are user (u), group (g), and other (o, often referred to as public).

There is another special user class called all (a) that represents the three user classes combined.

3
Q

Permission types

A

Permissions control what actions can be performed on a file or a directory and by whom. There are three types of permission bits - read (r), write (w), and execute (x) - and they behave differently for files and directories.

For files, the permissions allow viewing and copying (read), modifying (write), and running (execute).

For directories, they allow listing contents with ls (read); creating, editing, and renaming files and subdirectories (write); and entering the directory with the cd command (execute).

If a read, write, or execute permission bit is not desired, the hyphen character (-) is used to represent its absence.

4
Q

Permission modes

A

A permission mode is used to add (+), revoke (-), or assign (=) a permission type to a permission class.

-rwxrwxrwx

The first group of three characters is for the user (owner), the next three characters are for the group, and the last three characters are for other (public).

5
Q

Modifying permission bits

A

The chmod command modifies access rights. It works identically on files and directories. chmod can be used by root or the file owner, and can modify permissions specified in one of two ways: symbolic or octal.

Symbolic notation uses a combination of letters (ugo/rwx) and symbols (+, -, =) to add, revoke, or assign permissions.

The octal notation (the absolute representation) uses a three-digit numbering system ranging from 0 to 7 to express permissions for the three user classes.

Octal  Binary  Symbolic  Explanation
=====  ======  ========  =======================
0      000     ---       No permissions
1      001     --x       Execute only
2      010     -w-       Write only
3      011     -wx       Write and execute only
4      100     r--       Read only
5      101     r-x       Read and execute only
6      110     rw-       Read and write only
7      111     rwx       Read, write and execute

Each octal digit is the sum of the bit weights of the permissions it grants:
r w x
4 2 1

6
Q

Change permissions command

A

chmod
ex. chmod 444 a.txt -v
ex. chmod o+w a.txt -v

-v = verbose (report each change made)

7
Q

Default permissions

A

Linux assigns default permissions to a file or a directory at the time of its creation. Default permissions are calculated based on the umask (user mask) permission value subtracted from a preset initial permissions value.

8
Q

umask

A

The umask is a three-digit octal value (also represented in symbolic notation) that refers to read, write, and execute permissions for owner, group, and public. Its purpose is to set default permissions on new files and directories without touching the permissions on existing files and directories.

The default umask value is set to 0022 for the root and 0002 for all normal users. Note the left-most 0 has no significance.

umask
umask -p
umask -S

The predefined initial permission values are 666 (rw-rw-rw-) for files and 777 (rwxrwxrwx) for directories. Even if the umask is set to 000, the new files will always get a maximum of 666 permissions; however, you can add the executable bits explicitly with the chmod command if desired.

9
Q

setuid or suid or setgid or sgid

A

Linux offers three types of special permission bits that may be set on binary executable files or directories and that respond differently to non-root users for certain operations. These permission bits are:
1. set user identifier bit (setuid or suid)
2. set group identifier bit (setgid or sgid)
3. sticky bit

The setuid and setgid bits may be defined on binary executable files to provide non-owners and non-group members the ability to run them with the privileges of the owner or the owning group, respectively. The setgid bit may also be set on shared directories for group collaboration. The sticky bit may be set on public directories for inhibiting file erasures by non-owners.

Note: The setuid bit may be set on directories and the sticky bit on files, respectively; however, they will have no effect there.

ex.

ls -l /usr/bin/su

-rwsr-xr-x - Notice the s in the owner's execute position of the permission field

10
Q

su command

A

The switch user (su) command allows a user to switch to a different user account with the password for the target user.

11
Q

setuid on executables

A

The setuid flag is set on binary executable files at the file owner level. With this bit set, the file is executed by non-owners with the same privileges as that of the file owner. A common example is the su command that is owned by the root user. This command has the setuid bit enabled on it by default.

12
Q

setgid on executables

A

The setgid attribute is set on binary executable files at the group level. With this bit set, the file is executed by non-owners with the exact same privileges as that of the group members. A common example is the write command that is owned by the root user with tty as the owning group. This command has the setgid bit enabled on it by default.

13
Q

write command

A

The write command allows users to write a message on another logged-in user's terminal. By default, normal users are allowed this special elevated privilege because of the presence of the setgid flag on the file. When a normal user executes this command to write to the terminal of another user, the command runs as if a member of the tty group were running it, and the user is able to execute it successfully.

14
Q

setgid on directories

A

The setgid bit can also be set on group-shared directories to allow files and subdirectories created underneath to automatically inherit the directory’s owning group. This saves group members who are sharing the directory contents from changing the group ID for every new file and subdirectory that they add. The standard behavior for new files and subdirectories is to always receive the creator’s group.

15
Q

sticky bit on public and shared writable directories

A

The sticky bit is set on public and shared writable directories to protect files and subdirectories owned by normal users from being deleted or moved by other normal users. This attribute is set on the /tmp and /var/tmp directories by default.

drwxrwxrwt - Notice the t in the other's execute position of the permission field

16
Q

Searching files - find command

A

The find command recursively searches the directory tree, finds files that match the specified criteria, and optionally performs an action on the files as they are discovered.

The search criteria may include tracking files by name or part of the name, ownership, owning group, permissions, inode number, last access or modification time in days or minutes, size, and file type.

command: find path search_option action
. = current directory
~ = home directory

Search options:
-name / -iname
-user / -group
-inum
-atime / -amin
-mtime / -mmin
-size / -type
-maxdepth x
-mindepth x
-not or ! = negation
-perm

Actions:
-exec cmd {} \;
-ok cmd {} \;
-delete

Replace cmd with the command to run on each match, such as ls -ld; {} is a placeholder that find replaces with the path of each file found.

With find, files that match the criteria are located and their full paths are displayed.

17
Q

ACLs

A

Access Control Lists (ACLs) provide an extended set of permissions that can be applied on files and directories. These permissions are in addition to the standard ugo/rwx permissions and the setuid, setgid, and sticky bit settings. ACLs define permissions for named users and named groups using either octal or symbolic representation of permission allocation. The named user may or may not be part of the same group. ACLs are configured and treated the same way on both files and directories.

There are two types of ACLs, Access ACLs and default ACLs.

18
Q

Access ACLs and Default ACLs

A

Access ACLs are set on individual files and directories, whereas default ACLs can be applied at the directory level, with files and subdirectories inheriting them automatically. The directory to which default ACLs are applied needs to have the execute bit at the public level.

19
Q

ACL management commands

A

There are two commands, getfacl and setfacl, to view and manage ACLs on files and directories.

The getfacl command is used to display ACL settings, and the setfacl command can set, modify, substitute, or delete ACL settings.

20
Q

getfacl

A

The getfacl command has several options to tailor the output as desired; however, it reveals all necessary information without furnishing any flags with it.

ex: getfacl file10
getfacl /etc/[

21
Q

setfacl

A

The setfacl command is used to apply, modify, or remove ACL settings.

u[ser]:UID:perms
g[roup]:GID:perms
o[ther]:perms
m[ask]:perms

Switches:
-b = Removes all access ACLs
-d = Applies to default ACLs
-k = Removes all default ACLs
-m = Sets or modifies ACLs
-n = Prevents an automatic recalculation of the mask
-R = Applies recursively to a directory
-x = Removes an access ACL

22
Q

mask value

A

The value of the ACL mask determines the maximum allowable permissions placed for a named user or group on a file or directory. If it is set to rw, for instance, no named user or group will exceed those permissions. The mask value is displayed on a separate line in the getfacl output. Each time ACLs are modified for a file or directory, the mask is recalculated automatically and applied unless an explicit value is input with the setfacl command or the -n option is employed to override this behavior. On aclfile1, there are currently no ACLs set, as it is a new file.

ex: getfacl -c aclfile1

If you want to give read and write permissions to a specific user (user1) and change the mask to read-only at the same time, the setfacl command will allocate the permissions as mentioned; however, the effective permissions for the named user will only be read-only.

# setfacl -m u:user1:rw,m:r aclfile1
# getfacl -c aclfile1

23
Q

Default ACLs

A

A group collaboration on a shared directory gives members of the group identical access on files and subdirectories in the directory.

Access ACLs may be applied to the shared directory to give non-group members certain rights. Furthermore, default ACLs can also be set on the shared directory to ensure new files and subdirectories created under the shared directory always have a consistent set of access rights for group and non-group members. This way the users do not have to adjust permissions on each new file and subdirectory they create. The inheritance works slightly differently for files and subdirectories, as indicated below:

  • Files receive the shared directory’s default ACLs as their access ACLs
  • Subdirectories receive both default ACLs and access ACLs as they are

The default ACLs can be described as the maximum discretionary permissions that can be allocated on a directory. Let’s perform the following exercise and see how default ACLs are applied, viewed, and erased.