04 - Advanced file management Flashcards
User access rights
Control of permissions on files and directories may also be referred to as user access rights.
Access permissions on files and directories allow administrative control over which user (permission classes) can access them and to what level (permission types). File and directory permissions are referred to as standard ugo/rwx permissions.
Permission classes
Users are categorized into three unique classes for maintaining file security through access rights. These classes are user (u), group (g), and other (o, often referred to as public).
There is another special user class called all (a) that represents the three user classes combined.
Permission types
Permissions control what actions can be performed on a file or a directory and by whom. There are three types of permission bits - read (r), write (w), and execute (x) - and they behave differently for files and directories.
For files, the permissions allow viewing and copying (read), modifying (write), and running (execute).
For directories, they allow listing contents with ls (read); creating, editing, and renaming files and subdirectories (write); and entering the directory with the cd command (execute).
If a read, write, or execute permission bit is not desired, the hyphen character (-) is used to represent its absence.
Permission modes
A permission mode is used to add (+), revoke (-), or assign (=) a permission type to a permission class.
-rwxrwxrwx
The first group of three characters is for the user (owner), the next three characters are for the group, and the last three characters are for other (public).
Modifying permission bits
The chmod command modifies access rights. It works identically on files and directories. chmod can be used by root or the file owner, and can modify permissions specified in one of two ways: symbolic or octal.
Symbolic notation uses a combination of letters (ugo/rwx) and symbols (+, -, =) to add, revoke, or assign permissions.
The octal notation (the absolute representation) uses a three-digit numbering system ranging from 0 to 7 to express permissions for the three user classes.
Octal   Binary   Symbolic   Explanation
=====   ======   ========   =============
0       000      ---        No permissions
1       001      --x        Execute only
2       010      -w-        Write only
3       011      -wx        Write and execute only
4       100      r--        Read only
5       101      r-x        Read and execute only
6       110      rw-        Read and write only
7       111      rwx        Read, write and execute
Bit weights for each class: r = 4, w = 2, x = 1 (add them to get the octal digit).
Change permissions command
chmod
ex. chmod 444 a.txt -v
ex. chmod o+w a.txt -v
-v = verbose
Default permissions
Linux assigns default permissions to a file or a directory at the time of its creation. Default permissions are calculated based on the umask (user mask) permission value subtracted from a preset initial permissions value.
umask
The umask is a three-digit octal value (also represented in symbolic notation) that refers to read, write, and execute permissions for owner, group, and public. Its purpose is to set default permissions on new files and directories without touching the permissions on existing files and directories.
The default umask value is set to 0022 for root and 0002 for all normal users. Note the left-most 0 has no significance.
umask
umask -p
umask -S
The predefined initial permission values are 666 (rw-rw-rw-) for files and 777 (rwxrwxrwx) for directories. Even if the umask is set to 000, the new files will always get a maximum of 666 permissions; however, you can add the executable bits explicitly with the chmod command if desired.
setuid or suid or setgid or sgid
Linux offers three types of special permission bits that may be set on binary executable files or directories and that respond differently to non-root users for certain operations. These permission bits are:
1. set user identifier bit (setuid or suid)
2. set group identifier bit (setgid or sgid)
3. sticky bit
The setuid and setgid bits may be defined on binary executable files to provide non-owners and non-group members the ability to run them with the privileges of the owner or the owning group, respectively. The setgid bit may also be set on shared directories for group collaboration. The sticky bit may be set on public directories for inhibiting file erasures by non-owners.
Note: The setuid bit may also be set on directories and the sticky bit on regular files; however, they will have no effect there.
ex.
ls -l /usr/bin/su
-rwsr-xr-x - Notice the s in the owner's execute position of the permission field
su command
The switch user (su) command allows a user to switch to a different user account with the password for the target user.
setuid on executables
The setuid flag is set on binary executable files at the file owner level. With this bit set, the file is executed by non-owners with the same privileges as that of the file owner. A common example is the su command that is owned by the root user. This command has the setuid bit enabled on it by default.
setgid on executables
The setgid attribute is set on binary executable files at the group level. With this bit set, the file is executed by non-owners with the exact same privileges as that of the group members. A common example is the write command that is owned by the root user with tty as the owning group. This command has the setgid bit enabled on it by default.
write command
The write command allows users to write a message on another logged-in user's terminal. By default, normal users are allowed this special elevated privilege because of the presence of the setgid flag on the file. When a normal user executes this command to write to the terminal of another user, the command runs as if a member of the tty group were running it, and the user is able to execute it successfully.
setgid on directories
The setgid bit can also be set on group-shared directories to allow files and subdirectories created underneath to automatically inherit the directory’s owning group. This saves group members who are sharing the directory contents from changing the group ID for every new file and subdirectory that they add. The standard behavior for new files and subdirectories is to always receive the creator’s group.
sticky bit on public and shared writable directories
The sticky bit is set on public and shared writable directories to protect files and subdirectories owned by normal users from being deleted or moved by other normal users. This attribute is set on the /tmp and /var/tmp directories by default.
drwxrwxrwt - Notice the t in the other (public) execute position of the permission field