04 - Advanced file management Flashcards
User access rights
Control of permissions on files and directories may also be referred to as user access rights.
Access permissions on files and directories allow administrative control over which user (permission classes) can access them and to what level (permission types). File and directory permissions are referred to as standard ugo/rwx permissions.
Permission classes
Users are categorized into three unique classes for maintaining file security through access rights. These classes are, user (u), group (g), and other (o, often referred to as public).
There is another special user class called all (a) that represents the three user classes combined.
Permission types
Permissions control what actions can be performed on a file or a directory and by whom. There are three types of permission bits - read(r), write (w), and execute (x)- and they behave differently for files and directories.
For files, the permissions allow viewing and copying (read), modifying (write), and running (execute).
For directories, they allow listing contents with ls (read); creating, editing, and renaming files and subdirectories (write); enter (with the cd command) into it (execute)
If a read, write, or execute permission bit is not desired, the hypen character (-) is used to represent its absence.
Permission modes
A permission mode is used to add (+), revoke (-), or assign (=) a permission type to a permission class.
-rwxrwxrwx
First group of three characters are for the user(owner), the next three characters are for the group, and the last three characters are for other (public) respectively.
Modifying permission bits
The chmod command modifies access rights. It works identically on files and directories. chmod can be used by root or the file owner, and can modify permissions specified in one of two ways; sybmolic or octal.
Symbolic notation uses a combination of letters (ugo/rwx) and symbols (+.-,=) to add, revoke, or assign permissions.
The octal notations (the absolute presentation) uses a three-digit numbering system ranging from 0 to 7 to express permissions for the three user classes.
Octal Binary Symbolic Explanation
==== ====== ======== =============
0 000 — No permissions
1 001 –x Execute only
2 010 -w- Write only
3 011 -wx Write and execute only
4 100 r– Read only
5 101 r-x Read and execute only
6 110 rw- Read and write only
7 111 rwx Read, write and execute
X X X
4 2 1
Change permissions command
chmod
ex. chmod 444 a.txt -v
wx. chmod o+w a.txt -v
-v = verbose
Default permissions
Linux assigns default permissions to a file or a directory at the time of its creation. Default permissions are calculated based on the umask (user mask) permission value subtracted from a preset initial permissions value.
umask
The unmask is a three-digit octal value (also represented in symbolic notations) that refers to read, write, and execute permissions for owner, group, and public. Its purpose is to set default permissions on new files and directories without touching the permissions on existing files and directories.
The default umask value is set to 0022 for the root and 0002 for all normal users. Note the left-most 0 has no significance.
umask
umask -p
umask -S
The predefined initial permission values are 666 (rw-rw-rw-) for files and 777 (rwxrwxrwx) for directories. Even if the umask is set to 000, the new files will always get a maximum of 666 permissions; however, you can add the executable bits explicitly with the chmod command if desired.
setuid or suid or setgid or sgid
Linux offers three types of special permission bites that may be set on binary executable files or directories that respond differently to non-root users for certain operations. These permission bits are:
1. set user identifier bit (setuid or suid)
2. set group identifier bit (setgid or sgid)
The setuid and setguid bits may be defined on binary executable files to provide non-owners and non-group members the ability to run them with the privileges of the owner or the owning group, respectively. The setgid bit may also be set on shared directories for group collaboration. The sticky bit may be set on public directories for inhibiting file erasures by non-owners.
Note: The setuid and sticky bits may be set on directories and files; however, they will have no effect.
ex.
ls -l /ysr/bin/su
-rwsr-xr-x - Notice the s in the permission
su command
The switch user (su) command allows a user to switch to a different user account with the password for the target user.
setuid on executables
The setuid flag is set on binary executable files at the file owner level. With this bit set, the file is executed by non-owners with the same privileges as that of the file owner. A common example is the su command that is owned by the root user. This command has the setuid bit enabled on it by default.
setgid on executables
The setgid attribute is set on binary executable files at the group level. With this bit set, the file is executed by non owners with the exact same privileges as that of the group members. A common example is the write command that is owned by the root user with tty as the owning group. This command has the setgid bit enabled on it by default.
write command
The write command allows users to write a message on another logged-in user’s terminal. By default, normal users are allowed this special elevated privilege because of the presence of setgid flag on the file. When a normal user executes this command to write to the terminal of another user, the command will run as if a member of the tty group is running it, and the user is able to execute it successfully.
setgid on directories
The setgid bit can also be set on group-shared directories to allow files and subdirectories created underneath to automatically inherit the directory’s owning group. This saves group members who are sharing the directory contents from changing the group ID for every new file and subdirectory that they add. The standard behavior for new files and subdirectories is to always receive the creator’s group.
sticky bit on public and shared writable directories
The sticky bit is set on public and shared writable directories to protect files and subdirectories owner by normal users from being deleted or moved by other normal users. This attribute is set on the /tmp and /var/tmp directories by default.
drwxrwxrwt - Notice t in the permission fields
Searching files - find command
The find command recursively searches the directory tree, finds files that match the specified criteria, and optionally performs an action on the files as they are discovered.
The search criteria may include tracking files by name or part of the name, ownership, owning group, permissions, inode number, last access or modification time in days or minutes, size, and file type.
command: find path search option action
. = current directory
~ = home directory
Search option:
-name / -iname
-user / -group
-inum
-atime/amin
-mtime/amin
-size/-type
-maxdepth x
-mindepth x
-not or ! = negation
-perm
action:
-exec cmd {} \;
-ok cmd {}\;
-delete
replace {} with command, such as ls -ld
With find, files that match the criteria are located and their full paths are displayed.
ACLs
The Access Control Lists (ACLs) provide an extended set of permissions that can be applied on files and directories. There permission are in addition to the standard ugo/rwx permissions and the setuid, setgid, and sticky bit settings. The ACLs define permissions for named users and named groups using either octal or symbolic representation of permissions allocation. The names user may or may not be part of the same group. ACLs are configured and treated the same way on both files and directories.
There are two types of ACLs, Access ACLs and default ACLs.
Access ACLs and Default ACLs
Access ACLs are set on individual files and directories, whereas default ACLs can be applied at the directory level with files and subdirectories inhering them automatically. The directory to be applied the default ACLs needs to have the execute bit at the public level.
ACLS management commands
There are two command - getfacl and setfacl to view and manage ACLs on files and directories.
The getfacl command is used to display ACL settings, and the setfacl command can set, modify, substitute, or delete ACL settings.
getfacl
The getfacl command has several options to see the output as desired; however, it reveal all necessary information without furnishing any flags with it.
ex: getfacl file10getfacl /etc/[
setfacl
The setfacl command is used to apply, modify, or remove ACL settings.
u[ser]:UID:perms
g[roup]:GID:perms
o[ther]:perms
m[asl]:perms
Switches:
-b = Removes all access ACLs
-d = Applies to default ACLs
-k = Remove all default ACLs
-m = Sets or modifies ACLs
-n = Prevents an automatic recalculation of the mask
-R = Applied recursively to a directory
-x = Removes an access ACL
mask value
The value of the ACL mask determines the maximum allowable permissions placed for a named user or group on a file or directory. If it is set to rw, for instance, no named user or group will exceed those permissions. The mask value is displayed on a separate line in the getfacl output. Each time ACLs are modified for a file or directory, the mask is recalculated automatically and applied unless an explicit value is input with the setfacl command or the -n option is employed to override this behavior. On aclfile1, there are currently no ACLs set, as it is a new file.
ex: getfacl -c aclfile1
If you want to give read and write permissions to a specific user (user1) and change the mask to read-only at the same time, the setfacl command will allocate the permissions as mentioned; however, the effective permissions for the named user will only be read-only.
setfacl -m u:user1:rwm,:r aclfile1
# getfacl -c aclfile1
Default ACLs
A group collaboration on a shared directory gives members of the group identical access on files and subdirectories in the directory.
Access ACLs may be applied to the shared directory to give non-group members certain rights. Furthermore, default ACLs can also be set on the shared directory to ensure new files and subdirectories created under the shared directory always have a consistent set of access rights for group and non-group members. This way the users do not have to adjust permissions on each new file and subdirectory they will create. The inheritance works slightly different for files and subdirectories, as indicated below:
- Files receive the shared directory’s default ACLs as their access ACLs
- Subdirectories receive both default ACLs and access ACLs as they are
The default ACLs can be described as the maximum discretionary permissions that can be allocated on a directory. Let’s perform the following exercise and see how default ACLs are applied, viewed, and erased.
