Vous êtes ici : Formations en Ligne Gratuites » Catalogue » workbooks » Red Hat » RH124 - Course Overview » RH12408 - Managing File Permissions

Différences

Ci-dessous, les différences entre deux révisions de la page.

Lien vers cette vue comparative

--- elearning:workbooks:redhat:rh124en:l107 [2024/11/11 14:40] – created admin
+++ elearning:workbooks:redhat:rh124en:l107 [2024/11/27 10:10] (Version actuelle) – admin
@@ Ligne 22: / Ligne 22: @@
         * The chown command
         * The chgrp command
-    * LAB #2 - Extended Unix File Permissions
+    * LAB #2 - Advanced Unix File Permissions
       * 2.1 - SUID/SGID bit
       * 2.2 - Inheritance Flag
       * 2.3 - Sticky bit
+    * LAB #3 - Extending Linux Permissions using ACLs and Attributes
+      * 3.1 - ACLs
+      * 3.2 - Attributes
 =====Presentation=====
@@ Ligne 32: / Ligne 34: @@
 In its basic design, Linux uses a **DAC** security approach:
-^ Security Type ^ Name ^ Description ^
+^ Security Type  ^ Name ^ Description ^
-| DAC | //Discretional Access Control// | Access to objects is based on identity (user, group). A user can make his own objects accessible to others.
+| DAC |  //Discretional Access Control//  | Accessing file objects is a function of the identity of the accessing user (user,group). A user can allow other users to access his/her objects. |
 =====Preparation=====
@@ Ligne 53: / Ligne 55: @@
 <WRAP center round important 60%>
-**Important**: Note that the file created is a **text** file. This is because Linux ignores the **.jpg** extension.
+**Important** : The file **tux.jpg** is a text file. Linux does not use file extensions to determine file types.
 </WRAP>
@@ Ligne 60: / Ligne 62: @@
 File permissions in Linux are communicated as follows:
-{{free:fenestros_essentiels_img_9.jpg}}
+^  User/Owner  ^  Group  ^ 	Others  ^
+|  rwx  |  rwx  |  rwx  |
 where r = read, w = write and x = executable
-Each inode stores the number of the user to whom the file belongs and the group number. When the file is opened, the system compares the user number (UID) with the user number stored in the inode (Reference User). If these two numbers are identical, the user obtains the permissions of the file owner. If the numbers differ, the system checks whether the user is in the group referenced in the inode. If so, the user will have the permissions specified for the group. If no conditions are met, the user is given the permissions of ‘others’.
+Each inode stores the UID of the user to whom the file belongs and the GID. When the file is opened, the system compares the user UID with the UID stored in the inode (Reference User). If these two numbers are identical, the user obtains the permissions of the file owner. If the numbers differ, the system checks whether the user is in the group referenced in the inode. If so, the user will have the permissions specified for the group. If no conditions are met, the user is given the permissions of ‘others’.
 The permissions for directories are slightly different:
@@ Ligne 102: / Ligne 105: @@
 ^  t  | sticky bit |
-for example the following command will give others write access to the file tux.jpg :
+For example the following command will give others write access to the file tux.jpg :
 <code>
@@ Ligne 119: / Ligne 122: @@
 -r--r--rw-. 1 trainee trainee 0 Sep 27 12:42 tux.jpg
 </code>
-<WRAP center round important 60%>
-**Important** : Only the file owner or root can change permissions.
-</WRAP>
 ==Octal mode==
-The chmod command can also be used with an octal representation ( base of 8 ). The octal values for access permissions are:
+The chmod command can also be used with an octal representation. The octal values for access permissions are:
-{{free:fenestros_essentiels_img_12.jpg}}
+^  User/Owner  ^^^  Group  ^^^ 	Other  ^^^
+|  r  |  w  |  x  |  r  |  w  |  x  |  r  |  w  |  x  |
+|  400  |  200  |  100  |  40  |  20  |  10  |  4  |  2  |  1  |
-<WRAP centre round important 60%>
+<WRAP center round important 60%>
-**Important**: So the permissions rwx rwx rwx correspond to a figure of 777.
+**Important** : Full permissions are therefore **777**
 </WRAP>
-The chmod command therefore takes the following form:
+The chmod command takes the following form:
-  chmod [ -R ] mode_octal filename
+  chmod [ -R ] Octal_value filename
-The following command therefore corresponds to the allocation of permissions: rw- r-- r-- :
+For example, the following command corresponds to the following permissions: rw- r-- r--:
 <code>
@@ Ligne 147: / Ligne 148: @@
 </code>
-The default access permissions when an object is created are:
+The default permissions assigned to an object by the system differ depending on the type of object:
 ^ Directories | rwx rwx rwx | 777 |
@@ Ligne 197: / Ligne 198: @@
 </code>
-For example in the case where the user wants files created in the future to have write and read permissions for the user and group but only read permissions for others, they would use the command:
+For example:
   $ umask 002 [Enter]
-before creating his file.
+The value of the umask is deducted from the default permissions when the object is created:
-umask is used to remove permissions from the default permissions:
 ^ Maximum mask when creating a file | rw- rw- rw- | 666 |
@@ Ligne 209: / Ligne 208: @@
 ^ Result | rw- rw- r-- | 664 |
+Consider the following example:
-In the following example, we use the touch command to create an empty file with the new default permissions:
 <code>
@@ Ligne 252: / Ligne 250: @@
 <WRAP center round important 60%>
-**Important** - The owner of a file can only be changed by the system administrator - root.
+**Important** - Changing the owner of an object can only be done by **root**.
 </WRAP>
@@ Ligne 390: / Ligne 388: @@
 </code>
-=====LAB #2 - Extended Unix Permissions=====
+=====LAB #2 - Advanced Unix Permissions=====
 ====2.1 - SUID/SGID bit====
-Despite what you have just seen, in the first of the two windows below, you will notice that the **passwd** file located in the **/etc** directory has **rw- r-- r--** permissions and that it belongs to **root**. In other words, **only** root can write to this file. However, when a normal user changes their password, they write to this file. So this seems to be a contradiction.
+The following command prints to standard output information concerning the **/etc/passwd** file and the binary **/usr/bin/passwd**. The latter can be used by any user to change his/her password. By doing so, the user writes to the /etc/passwd file. However, note that the permissions of the /etc/passwd file indicate that only root can write to that file:
 <code>
@@ Ligne 402: / Ligne 400: @@
 </code>
-To remedy this apparent contradiction, Linux has two extended access file permissions:
+To remedy this apparent contradiction, Linux has two advanced access file permissions:
   * Set %%UserID%% bit ( SUID bit )
   * Set %%GroupID%% bit ( SGID bit )
-When the SUID bit is set on a program, the user who launches the program is assigned the user number of the program's owner for the duration of its execution.
+When a SUID bit is placed on a binary, the user that executes that binary is given the UID of the owner of that binary for the duration of its execution.
-In the case of a password change, each user who launches the /usr/bin/passwd program is temporarily assigned the user number of the owner of the /usr/bin/passwd program, i.e. root. In this way, the user can intervene in the /etc/passwd file. This right is indicated by the letter s instead of the letter x.
+In the case of a password change, each user who launches the /usr/bin/passwd program is temporarily assigned the user number of the owner of the /usr/bin/passwd program, i.e. root. This advanced file permission is indicated by the letter s instead of the letter x in the user/owner part of the mask.
 The same function exists for the group, using the SGID bit.
-To assign permissions, use the chmod command:
+To assign the advanced permissions it is possible to use the Symbolic Mode:
   * chmod u+s file_name
   * chmod g+s filename
-In base eight the values are as follows:
+Or the Octal Mode where each advanced permission is assigned a value:
   * SUID = 4000
@@ Ligne 467: / Ligne 465: @@
 ====2.2 - Inheritance Flag====
-The SGID bit can also be assigned to a directory. In this way, files and directories created inside will have the group of the parent directory as their group. This right is therefore called the **Inheritance Flag** or the **Inheritance Flag**.
+The SGID bit can also be assigned to a directory. In this way, files and directories created inside will have the group of the parent directory as their group. This advanced file permission is therefore called the **Inheritance Flag**.
 For example:
@@ Ligne 482: / Ligne 480: @@
 [root@redhat9 tmp]# touch inherit/test.txt
-[root@redhat9 tmp]# mkdir inherit/testrep
+[root@redhat9 tmp]# mkdir inherit/testdir
 [root@redhat9 tmp]# cd inherit; ls -l
 total 0
-drwxr-sr-x. 2 root trainee 6 Sep 27 12:55 testrep
+drwxr-sr-x. 2 root trainee 6 Sep 27 12:55 testdir
 -rw-r--r--. 1 root trainee 0 Sep 27 12:54 test.txt
@@ Ligne 493: / Ligne 491: @@
 <WRAP center round important 60%>
-**Important**: Note that despite the fact that root created the two objects, they are not associated with the **root** group but with the **trainee** group, the group of the parent directory (inherit). Also note that the system has set the inheritance flag on the **testrep** subdirectory.
+**Important**: Note that despite the fact that root created the two objects, they are not associated with the **root** group but with the **trainee** group, i.e. the group of the parent directory (inherit). Also note that the system has set the inheritance flag on the **testdir** subdirectory.
 </WRAP>
@@ Ligne 509: / Ligne 507: @@
 <code>
-[root@redhat9 inherit]# mkdir /tmp/repertoire_public; cd /tmp; chmod o+t repertoire_public
+[root@redhat9 inherit]# mkdir /tmp/public_directory; cd /tmp; chmod o+t public_directory
-[root@redhat9 tmp]# ls -l | grep repertoire_public
+[root@redhat9 tmp]# ls -l | grep public_directory
-drwxr-xr-t. 2 root root 6 Sep 27 12:56 repertoire_public
+drwxr-xr-t. 2 root root 6 Sep 27 12:56 public_directory
+</code>
+=====LAB #3 - Extending Linux Permissions using ACLs and File Attributes=====
+====3.1 - ACLs====
+An extension to the permissions under Linux are the ACLs.
+To list the ACL's on a file, use the **getfacl** file:
+<code>
+[root@redhat9 tmp]# getfacl /home/trainee/tux.jpg
+getfacl: Removing leading '/' from absolute path names
+# file: home/trainee/tux.jpg
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+</code>
+To set ACLs on a file, you need to use the **setfacl** command:
+<code>
+[root@redhat9 tmp]# setfacl --set u::rwx,g::rx,o::-,u:trainee:rw /home/trainee/tux.jpg
+[root@redhat9 tmp]# getfacl /home/trainee/tux.jpg
+getfacl: Removing leading '/' from absolute path names
+# file: home/trainee/tux.jpg
+# owner: root
+# group: root
+user::rwx
+user:trainee:rw-
+group::r-x
+mask::rwx
+other::---
+</code>
+<WRAP center round important 60%>
+**Important** - A mask ACL entry specifies the maximum access which can be granted by any ACL entry except the user entry for the file owner and the other entry (entry tag type
+ACL_MASK).
+</WRAP>
+Create the directory /home/trainee/dir1 :
+<code>
+[root@redhat9 tmp]# mkdir /home/trainee/dir1
+</code>
+ACLs on directories are managed slightly differently. Placing ACLs on the directory dir1 takes the following form :
+<code>
+[root@redhat9 tmp]# setfacl --set d:u::r,d:g::-,d:o::- /home/trainee/dir1
+</code>
+The use of the letter **d** here means you are setting **default** ACLs.
+Now create a file called **file1** in the **dir1** directory:
+<code>
+[root@redhat9 tmp]# touch /home/trainee/dir1/file1
+</code>
+Once again use the getfacl command to see the ACLs:
+<code>
+[root@redhat9 tmp]# getfacl /home/trainee/dir1
+getfacl: Removing leading '/' from absolute path names
+# file: home/trainee/dir1
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+default:user::r--
+default:group::---
+default:other::---
+[root@redhat9 tmp]# getfacl /home/trainee/dir1/file1
+getfacl: Removing leading '/' from absolute path names
+# file: home/trainee/dir1/file1
+# owner: root
+# group: root
+user::r--
+group::---
+other::---
+</code>
+The ACLs positioned on the file **file1** are the ACLs positioned by default on the parent directory.
+Lastly the standard archiving commands under Linux do not understand ACLs. As a result, the ACLs need to be backed-up to a file using the following command:
+<code>
+[root@redhat9 tmp]# cd /home/trainee/dir1
+[root@redhat9 dir1]# getfacl -R --skip-base . > backup.acl
+[root@redhat9 dir1]# cat backup.acl
+# file: .
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+default:user::r--
+default:group::---
+default:other::---
+</code>
+Restoring ACLs is acheived by using the following command:
+  # setfacl --restore=backup.acl [Enter]
+====Commande Line Switches====
+The command line switches for the getfacl command are :
+<code>
+[root@redhat9 dir1]# getfacl --help
+getfacl 2.2.53 -- get file access control lists
+Usage: getfacl [-aceEsRLPtpndvh] file ...
+  -a,  --access           display the file access control list only
+  -d, --default           display the default access control list only
+  -c, --omit-header       do not display the comment header
+  -e, --all-effective     print all effective rights
+  -E, --no-effective      print no effective rights
+  -s, --skip-base         skip files that only have the base entries
+  -R, --recursive         recurse into subdirectories
+  -L, --logical           logical walk, follow symbolic links
+  -P, --physical          physical walk, do not follow symbolic links
+  -t, --tabular           use tabular output format
+  -n, --numeric           print numeric user/group identifiers
+  -p, --absolute-names    don't strip leading '/' in pathnames
+  -v, --version           print version and exit
+  -h, --help              this help text
+</code>
+The command line switches for the setfacl command are :
+<code>
+[root@redhat9 dir1]# setfacl --help
+setfacl 2.2.53 -- set file access control lists
+Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
+  -m, --modify=acl        modify the current ACL(s) of file(s)
+  -M, --modify-file=file  read ACL entries to modify from file
+  -x, --remove=acl        remove entries from the ACL(s) of file(s)
+  -X, --remove-file=file  read ACL entries to remove from file
+  -b, --remove-all        remove all extended ACL entries
+  -k, --remove-default    remove the default ACL
+      --set=acl           set the ACL of file(s), replacing the current ACL
+      --set-file=file     read ACL entries to set from file
+      --mask              do recalculate the effective rights mask
+  -n, --no-mask           don't recalculate the effective rights mask
+  -d, --default           operations apply to the default ACL
+  -R, --recursive         recurse into subdirectories
+  -L, --logical           logical walk, follow symbolic links
+  -P, --physical          physical walk, do not follow symbolic links
+      --restore=file      restore ACLs (inverse of `getfacl -R')
+      --test              test mode (ACLs are not modified)
+  -v, --version           print version and exit
+  -h, --help              this help text
+</code>
+====3.2 - Attributes====
+File attributes are an addition to the classic file permissions in Ext2/Ext3/Ext4 and %%ReiserFS%% file systems.
+The principal attributes are :
+^ Attribute ^ Description ^
+| a | The file cannot be deleted and only the addition of data to the file is permitted. This attribute is often used for log files. |
+| i | The file can neither be deleted, modified or moved. In addition, a link cannot be placed on the file. |
+| s | The file will be physically destroyed when deleted. |
+| D | Synchronous directory. |
+| S | Synchronous file. |
+| A | The date and time of the last file access are not updated in the inode. |
+<WRAP center round important 60%>
+**Important** - Synchronous implies that the modifications are immediately written to disk.
+</WRAP>
+The two commands associated with attributes are:
+^ Command ^ Description ^
+| chattr | Modify the attributes. |
+| lsattr | View attributes. |
+To clarify the use of the two commands, create the directory **/root/attributs/dir**:
+<code>
+[root@redhat9 dir1]# cd /root
+[root@redhat9 ~]# mkdir -p attributs/dir
+</code>
+Create the files **file** et **dir/file1** :
+<code>
+[root@redhat9 ~]# touch attributs/file
+[root@redhat9 ~]# touch attributs/dir/file1
+</code>
+Now modify the attributes recursively:
+<code>
+[root@redhat9 ~]# chattr +i -R attributs/
+</code>
+View the attributes using the **lsattr** command:
+<code>
+[root@redhat9 ~]# lsattr -R attributs
+----i----------- attributs/dir
+attributs/dir:
+----i----------- attributs/dir/file1
+----i----------- attributs/file
+</code>
+If you now try and move **file** to **/root/attributes/dir/**, you will get the following error message:
+<code>
+[root@redhat9 ~]# cd attributs; mv /root/attributs/file /root/attributs/dir/file
+mv: cannot move '/root/attributs/file' to '/root/attributs/dir/file': Operation not permitted
 </code>

Piste : • DOF100 - Docker : Fondamentaux • VMW008 - VMware vSphere 6.7 - Troubleshooting • LDF902 - Les Commandes ansible, ansible-playbook et ansible-galaxy • LDF703 - Cookbooks et Recettes

Différences

Recherche

Imprimer/exporter

Menu