04 - Advanced file management

Question 1

User access rights

Answer 1

Control of permissions on files and directories may also be referred to as user access rights.

Access permissions on files and directories allow administrative control over which user (permission classes) can access them and to what level (permission types). File and directory permissions are referred to as standard ugo/rwx permissions.

Question 2

Permission classes

Answer 2

Users are categorized into three unique classes for maintaining file security through access rights. These classes are, user (u), group (g), and other (o, often referred to as public).

There is another special user class called all (a) that represents the three user classes combined.

Question 3

Permission types

Answer 3

Permissions control what actions can be performed on a file or a directory and by whom. There are three types of permission bits - read(r), write (w), and execute (x)- and they behave differently for files and directories.

For files, the permissions allow viewing and copying (read), modifying (write), and running (execute).

For directories, they allow listing contents with ls (read); creating, editing, and renaming files and subdirectories (write); enter (with the cd command) into it (execute)

If a read, write, or execute permission bit is not desired, the hypen character (-) is used to represent its absence.

Question 4

Permission modes

Answer 4

A permission mode is used to add (+), revoke (-), or assign (=) a permission type to a permission class.

-rwxrwxrwx

First group of three characters are for the user(owner), the next three characters are for the group, and the last three characters are for other (public) respectively.

Question 5

Modifying permission bits

Answer 5

The chmod command modifies access rights. It works identically on files and directories. chmod can be used by root or the file owner, and can modify permissions specified in one of two ways; sybmolic or octal.

Symbolic notation uses a combination of letters (ugo/rwx) and symbols (+.-,=) to add, revoke, or assign permissions.

The octal notations (the absolute presentation) uses a three-digit numbering system ranging from 0 to 7 to express permissions for the three user classes.

Octal Binary Symbolic Explanation
==== ====== ======== =============
0 000 — No permissions
1 001 –x Execute only
2 010 -w- Write only
3 011 -wx Write and execute only
4 100 r– Read only
5 101 r-x Read and execute only
6 110 rw- Read and write only
7 111 rwx Read, write and execute

X X X
4 2 1

Question 6

Change permissions command

Answer 6

chmod
ex. chmod 444 a.txt -v
wx. chmod o+w a.txt -v

-v = verbose

Question 7

Default permissions

Answer 7

Linux assigns default permissions to a file or a directory at the time of its creation. Default permissions are calculated based on the umask (user mask) permission value subtracted from a preset initial permissions value.

Question 8

umask

Answer 8

The unmask is a three-digit octal value (also represented in symbolic notations) that refers to read, write, and execute permissions for owner, group, and public. Its purpose is to set default permissions on new files and directories without touching the permissions on existing files and directories.

The default umask value is set to 0022 for the root and 0002 for all normal users. Note the left-most 0 has no significance.

umask
umask -p
umask -S

The predefined initial permission values are 666 (rw-rw-rw-) for files and 777 (rwxrwxrwx) for directories. Even if the umask is set to 000, the new files will always get a maximum of 666 permissions; however, you can add the executable bits explicitly with the chmod command if desired.

Question 9

setuid or suid or setgid or sgid

Answer 9

Linux offers three types of special permission bites that may be set on binary executable files or directories that respond differently to non-root users for certain operations. These permission bits are:
1. set user identifier bit (setuid or suid)
2. set group identifier bit (setgid or sgid)

The setuid and setguid bits may be defined on binary executable files to provide non-owners and non-group members the ability to run them with the privileges of the owner or the owning group, respectively. The setgid bit may also be set on shared directories for group collaboration. The sticky bit may be set on public directories for inhibiting file erasures by non-owners.

Note: The setuid and sticky bits may be set on directories and files; however, they will have no effect.

ex.

ls -l /ysr/bin/su

-rwsr-xr-x - Notice the s in the permission

Question 10

su command

Answer 10

The switch user (su) command allows a user to switch to a different user account with the password for the target user.

Question 11

setuid on executables

Answer 11

The setuid flag is set on binary executable files at the file owner level. With this bit set, the file is executed by non-owners with the same privileges as that of the file owner. A common example is the su command that is owned by the root user. This command has the setuid bit enabled on it by default.

Question 12

setgid on executables

Answer 12

The setgid attribute is set on binary executable files at the group level. With this bit set, the file is executed by non owners with the exact same privileges as that of the group members. A common example is the write command that is owned by the root user with tty as the owning group. This command has the setgid bit enabled on it by default.

Question 13

write command

Answer 13

The write command allows users to write a message on another logged-in user’s terminal. By default, normal users are allowed this special elevated privilege because of the presence of setgid flag on the file. When a normal user executes this command to write to the terminal of another user, the command will run as if a member of the tty group is running it, and the user is able to execute it successfully.

Question 14

setgid on directories

Answer 14

The setgid bit can also be set on group-shared directories to allow files and subdirectories created underneath to automatically inherit the directory’s owning group. This saves group members who are sharing the directory contents from changing the group ID for every new file and subdirectory that they add. The standard behavior for new files and subdirectories is to always receive the creator’s group.

Question 15

sticky bit on public and shared writable directories

Answer 15

The sticky bit is set on public and shared writable directories to protect files and subdirectories owner by normal users from being deleted or moved by other normal users. This attribute is set on the /tmp and /var/tmp directories by default.

drwxrwxrwt - Notice t in the permission fields

Question 16

Searching files - find command

Answer 16

The find command recursively searches the directory tree, finds files that match the specified criteria, and optionally performs an action on the files as they are discovered.

The search criteria may include tracking files by name or part of the name, ownership, owning group, permissions, inode number, last access or modification time in days or minutes, size, and file type.

command: find path search option action
. = current directory
~ = home directory

Search option:
-name / -iname
-user / -group
-inum
-atime/amin
-mtime/amin
-size/-type
-maxdepth x
-mindepth x
-not or ! = negation
-perm

action:
-exec cmd {} \;
-ok cmd {}\;
-delete

replace {} with command, such as ls -ld

With find, files that match the criteria are located and their full paths are displayed.

Question 17

ACLs

Answer 17

The Access Control Lists (ACLs) provide an extended set of permissions that can be applied on files and directories. There permission are in addition to the standard ugo/rwx permissions and the setuid, setgid, and sticky bit settings. The ACLs define permissions for named users and named groups using either octal or symbolic representation of permissions allocation. The names user may or may not be part of the same group. ACLs are configured and treated the same way on both files and directories.

There are two types of ACLs, Access ACLs and default ACLs.

Question 18

Access ACLs and Default ACLs

Answer 18

Access ACLs are set on individual files and directories, whereas default ACLs can be applied at the directory level with files and subdirectories inhering them automatically. The directory to be applied the default ACLs needs to have the execute bit at the public level.

Question 19

ACLS management commands

Answer 19

There are two command - getfacl and setfacl to view and manage ACLs on files and directories.

The getfacl command is used to display ACL settings, and the setfacl command can set, modify, substitute, or delete ACL settings.

Question 20

getfacl

Answer 20

The getfacl command has several options to see the output as desired; however, it reveal all necessary information without furnishing any flags with it.

ex: getfacl file10getfacl /etc/[

Question 21

setfacl

Answer 21

The setfacl command is used to apply, modify, or remove ACL settings.

u[ser]:UID:perms
g[roup]:GID:perms
o[ther]:perms
m[asl]:perms

Switches:
-b = Removes all access ACLs
-d = Applies to default ACLs
-k = Remove all default ACLs
-m = Sets or modifies ACLs
-n = Prevents an automatic recalculation of the mask
-R = Applied recursively to a directory
-x = Removes an access ACL

Question 22

mask value

Answer 22

The value of the ACL mask determines the maximum allowable permissions placed for a named user or group on a file or directory. If it is set to rw, for instance, no named user or group will exceed those permissions. The mask value is displayed on a separate line in the getfacl output. Each time ACLs are modified for a file or directory, the mask is recalculated automatically and applied unless an explicit value is input with the setfacl command or the -n option is employed to override this behavior. On aclfile1, there are currently no ACLs set, as it is a new file.

ex: getfacl -c aclfile1

If you want to give read and write permissions to a specific user (user1) and change the mask to read-only at the same time, the setfacl command will allocate the permissions as mentioned; however, the effective permissions for the named user will only be read-only.

setfacl -m u:user1:rwm,:r aclfile1
# getfacl -c aclfile1

Question 23

Default ACLs

Answer 23

A group collaboration on a shared directory gives members of the group identical access on files and subdirectories in the directory.

Access ACLs may be applied to the shared directory to give non-group members certain rights. Furthermore, default ACLs can also be set on the shared directory to ensure new files and subdirectories created under the shared directory always have a consistent set of access rights for group and non-group members. This way the users do not have to adjust permissions on each new file and subdirectory they will create. The inheritance works slightly different for files and subdirectories, as indicated below:

• Files receive the shared directory’s default ACLs as their access ACLs
• Subdirectories receive both default ACLs and access ACLs as they are

The default ACLs can be described as the maximum discretionary permissions that can be allocated on a directory. Let’s perform the following exercise and see how default ACLs are applied, viewed, and erased.