LCE503 - Managing File Permissions

• LCE503 - Managing File Permissions
  • Contents
  • Presentation
  • Preparation
  • LAB #1 - Basic Unix File Permissions
    • 1.1 - Changing Permissions with chmod
      • Symbolic Mode
      • Octal Mode
      • The umask Command
    • 1.2 - Changing the Owner or the Group with chown and chgrp
      • The chown Command
      • The chgrp Command
  • LAB #2 - Advanced Unix Permissions
    • 2.1 - SUID/SGID bit
    • 2.2 - Inheritance Flag
    • 2.3 - Sticky bit
  • LAB #3 - Extending Linux Permissions using ACLs and Attributes
    • 3.1 - ACLs
    • 3.2 - Attributes

Linux uses the DAC security model:

In your home directory, create a file called tux.jpg using the touch command:

[root@centos8 ~]# exit
logout
[trainee@centos8 ~]$ pwd
/home/trainee
[trainee@centos8 ~]$ touch tux.jpg
[trainee@centos8 ~]$ ls -l | grep tux.jpg
-rw-rw-r--. 1 trainee trainee   0 Apr 21 03:42 tux.jpg

Basic Unix/Linux file permissions are expressed as follows:

where r = read, w = write and x = executable

Each inode contains the UID of the owner of a file. When the file is opened, the system compares the UID of the user opening the file with the UID stored in the inode. If they match, the user gets granted the permissions in the user section of the permissions mask. If they do not, the system compares the GID of the user opening the file with the GID stored in the inode. If they match the user gets granted the permissions in the group section of the mask. If neither the UID or the GID match, the user gets granted the permissions in the other section of the permission mask.

Permissions for directories are slightly different:

Permissions can be changed by using the chmod command. The syntax of that command is as follows:

chmod [ -R ] ugoa +-= rwxXst file or directory

where:

For example the following command will give write access to other:

[trainee@centos8 ~]$ chmod o+w tux.jpg
[trainee@centos8 ~]$ ls -l | grep tux.jpg
-rw-rw-rw-. 1 trainee trainee   0 Apr 21 03:42 tux.jpg

whereas the following command will remove write access for the user and the group:

[trainee@centos8 ~]$ chmod ug-w tux.jpg
[trainee@centos8 ~]$ ls -l | grep tux.jpg
-r--r--rw-. 1 trainee trainee   0 Apr 21 03:42 tux.jpg

The chmod commande can also use the Octal Mode ( 8 base ). The octal values of the permissions are as follows:

In this case, the syntax of the chmod command is as follows:

chmod [ -R ] octal mode file or directory

For example, the following command corresponds to the following permissions: rw- r– r–:

[trainee@centos8 ~]$ chmod 644 tux.jpg
[trainee@centos8 ~]$ ls -l | grep tux.jpg
-rw-r--r--. 1 trainee trainee   0 Apr 21 03:42 tux.jpg

The default permissions assigned to an object by the system differ depending on the type of object:

The command line switches for the chmod command are :

[trainee@centos8 ~]$ chmod --help
Usage: chmod [OPTION]... MODE[,MODE]... FILE...
  or:  chmod [OPTION]... OCTAL-MODE FILE...
  or:  chmod [OPTION]... --reference=RFILE FILE...
Change the mode of each FILE to MODE.
With --reference, change the mode of each FILE to that of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's mode instead of MODE values
  -R, --recursive        change files and directories recursively
      --help     display this help and exit
      --version  output version information and exit

Each MODE is of the form '[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+'.

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation at: <https://www.gnu.org/software/coreutils/chmod>
or available locally via: info '(coreutils) chmod invocation'

A user can change these default values by modifying his/her umask value:

[trainee@centos8 ~]$ umask
0002
[trainee@centos8 ~]$ su -
Password: fenestros
[root@centos8 ~]# umask
0022
[root@centos8 ~]# exit
logout

The value of the umask is deducted from the default permissions when the object is created:

Consider the following example:

[trainee@centos8 ~]$ umask 044
[trainee@centos8 ~]$ touch tux1.jpg
[trainee@centos8 ~]$ ls -l | grep tux1.jpg
-rw--w--w-. 1 trainee trainee   0 Apr 21 04:06 tux1.jpg
[trainee@centos8 ~]$ umask 002
[trainee@centos8 ~]$ umask
0002

The command line switches for the umask command are :

[trainee@centos8 ~]$ help umask
umask: umask [-p] [-S] [mode]
    Display or set file mode mask.
    
    Sets the user file-creation mask to MODE.  If MODE is omitted, prints
    the current value of the mask.
    
    If MODE begins with a digit, it is interpreted as an octal number;
    otherwise it is a symbolic mode string like that accepted by chmod(1).
    
    Options:
      -p	if MODE is omitted, output in a form that may be reused as input
      -S	makes the output symbolic; otherwise an octal number is output
    
    Exit Status:
    Returns success unless MODE is invalid or an invalid option is given.

In the following example, tux.jpg belongs to the trainee user. root can modify the owner by using the following command:

[trainee@centos8 ~]$ su -
Password: fenestros
[root@centos8 ~]# cd /home/trainee
[root@centos8 trainee]# chown root tux.jpg
[root@centos8 trainee]# ls -l | grep tux.jpg
-rw-r--r--. 1 root    trainee   0 Apr 21 03:42 tux.jpg

The command line switches for the chown command are :

[root@centos8 trainee]# chown --help
Usage: chown [OPTION]... [OWNER][:[GROUP]] FILE...
  or:  chown [OPTION]... --reference=RFILE FILE...
Change the owner and/or group of each FILE to OWNER and/or GROUP.
With --reference, change the owner and group of each FILE to those of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --dereference      affect the referent of each symbolic link (this is
                         the default), rather than the symbolic link itself
  -h, --no-dereference   affect symbolic links instead of any referenced file
                         (useful only on systems that can change the
                         ownership of a symlink)
      --from=CURRENT_OWNER:CURRENT_GROUP
                         change the owner and/or group of each file only if
                         its current owner and/or group match those specified
                         here.  Either may be omitted, in which case a match
                         is not required for the omitted attribute
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's owner and group rather than
                         specifying OWNER:GROUP values
  -R, --recursive        operate on files and directories recursively

The following options modify how a hierarchy is traversed when the -R
option is also specified.  If more than one is specified, only the final
one takes effect.

  -H                     if a command line argument is a symbolic link
                         to a directory, traverse it
  -L                     traverse every symbolic link to a directory
                         encountered
  -P                     do not traverse any symbolic links (default)

      --help     display this help and exit
      --version  output version information and exit

Owner is unchanged if missing.  Group is unchanged if missing, but changed
to login group if implied by a ':' following a symbolic OWNER.
OWNER and GROUP may be numeric as well as symbolic.

Examples:
  chown root /u        Change the owner of /u to "root".
  chown root:staff /u  Likewise, but also change its group to "staff".
  chown -hR root /u    Change the owner of /u and subfiles to "root".

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation at: <https://www.gnu.org/software/coreutils/chown>
or available locally via: info '(coreutils) chown invocation'

A similar operation is used to change the group:

[root@centos8 trainee]# chgrp root tux.jpg
[root@centos8 trainee]# ls -l | grep tux.jpg
-rw-r--r--. 1 root    root      0 Apr 21 03:42 tux.jpg

The command line switches for the chgrp command are :

[root@centos8 trainee]# chgrp --help
Usage: chgrp [OPTION]... GROUP FILE...
  or:  chgrp [OPTION]... --reference=RFILE FILE...
Change the group of each FILE to GROUP.
With --reference, change the group of each FILE to that of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --dereference      affect the referent of each symbolic link (this is
                         the default), rather than the symbolic link itself
  -h, --no-dereference   affect symbolic links instead of any referenced file
                         (useful only on systems that can change the
                         ownership of a symlink)
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's group rather than specifying a
                         GROUP value
  -R, --recursive        operate on files and directories recursively

The following options modify how a hierarchy is traversed when the -R
option is also specified.  If more than one is specified, only the final
one takes effect.

  -H                     if a command line argument is a symbolic link
                         to a directory, traverse it
  -L                     traverse every symbolic link to a directory
                         encountered
  -P                     do not traverse any symbolic links (default)

      --help     display this help and exit
      --version  output version information and exit

Examples:
  chgrp staff /u      Change the group of /u to "staff".
  chgrp -hR staff /u  Change the group of /u and subfiles to "staff".

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation at: <https://www.gnu.org/software/coreutils/chgrp>
or available locally via: info '(coreutils) chgrp invocation'

The following command prints to standard output information concerning the /etc/passwd file and the binary /usr/bin/passwd. The latter can be used by any user to change his/her password. By doing so, the user writes to the /etc/passwd file. However, a casual glance at the permissions of the /etc/passwd file indicates that only root can write to that file:

[root@centos8 trainee]# ls -l /etc/passwd /usr/bin/passwd
-rw-r--r--. 1 root root  2104 Apr 20 18:36 /etc/passwd
-rwsr-xr-x. 1 root root 33600 Apr  6  2020 /usr/bin/passwd

To remedy this apparent contradiction, Linux uses two advanced permissions:

• Set UserID bit ( SUID bit )
• Set GroupID bit ( SGID bit )

When a SUID bit is placed on a binary, the user that executes that binary is given the UID of the owner of that binary for the duration of it'd execution, in this case the UID of root. The SUID bit is represented by the letter s in the user part of the permissions mask.

The same can also be applied to the group by placing the SGID bit, represented by the letter s in the group part of the permissions mask

To assign the advanced permissions it is possible to use the Symbolic Mode:

• chmod u+s nom_du_fichier
• chmod g+s nom_du_fichier

Or the Octal Mode where each advanced permission is assigned a value:

• SUID = 4000
• SGID = 2000

In order to identify which executables have the SUID bit or SGID bit, use the following command:

[root@centos8 trainee]# find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls {} \;
find: ‘/proc/17916/task/17916/fdinfo/5’: No such file or directory
find: ‘/proc/17916/fdinfo/6’: No such file or directory
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/write
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/crontab
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/locate
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/screen
/usr/sbin/grub2-set-bootflag
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/libexec/utempter/utempter
/usr/libexec/openssh/ssh-keysign
/usr/libexec/cockpit-session
/usr/libexec/sssd/krb5_child
/usr/libexec/sssd/ldap_child
/usr/libexec/sssd/selinux_child
/usr/libexec/sssd/proxy_child
/usr/libexec/qemu-bridge-helper
/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper

The SGID bit can also be placed on a directory. In this case, the files and directories created within the directory are given the group of the parent directory. This advanced permission is called the Inheritance Flag.

For example:

[root@centos8 trainee]# cd /tmp
[root@centos8 tmp]# mkdir inherit
[root@centos8 tmp]# chown root:trainee inherit
[root@centos8 tmp]# chmod g+s inherit
[root@centos8 tmp]# touch inherit/test.txt
[root@centos8 tmp]# mkdir inherit/testrep
[root@centos8 tmp]# cd inherit; ls -l
total 0
drwxr-sr-x. 2 root trainee 6 Apr 21 04:50 testrep
-rw-r--r--. 1 root trainee 0 Apr 21 04:50 test.txt

The last advanced permission is calle the sticky bit. The sticky bit is assigned to directories where everyone has full file permissions such as the /tmp directory. By assigning the sticky bit, only the owner of an object can delete it. The sticky bit is assigned by using one of the two following methods:

# chmod o+t /répertoire 

or

# chmod 1777 /répertoire

For example:

[root@centos8 inherit]# mkdir /tmp/repertoire_public; cd /tmp; chmod o+t repertoire_public
[root@centos8 tmp]# ls -l | grep repertoire_public
drwxr-xr-t. 2 root root            6 Apr 21 04:53 repertoire_public

An extension to the permissions under Linux are the ACLs.

To list the ACL's on a file, use the getfacl file:

[root@centos8 tmp]# getfacl /home/trainee/tux.jpg
getfacl: Removing leading '/' from absolute path names
# file: home/trainee/tux.jpg
# owner: root
# group: root
user::rw-
group::r--
other::r--

To set ACLs on a file, you need to use the setfacl command:

[root@centos8 tmp]# setfacl --set u::rwx,g::rx,o::-,u:trainee:rw /home/trainee/tux.jpg
[root@centos8 tmp]# getfacl /home/trainee/tux.jpg
getfacl: Removing leading '/' from absolute path names
# file: home/trainee/tux.jpg
# owner: root
# group: root
user::rwx
user:trainee:rw-
group::r-x
mask::rwx
other::---

Create the directory /home/trainee/rep1 :

[root@centos8 tmp]# mkdir /home/trainee/rep1

ACLs on directories are managed slightly differently. Placing ACLs on the directory rep1 takes the following form :

[root@centos8 tmp]# setfacl --set d:u::r,d:g::-,d:o::- /home/trainee/rep1

The use of the letter d here means you are setting default ACLs.

Now create a file called file1 in the rep1 directory:

[root@centos8 tmp]# touch /home/trainee/rep1/file1

Once again use the getfacl command to see the ACLs:

[root@centos8 tmp]# getfacl /home/trainee/rep1
getfacl: Removing leading '/' from absolute path names
# file: home/trainee/rep1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::r--
default:group::---
default:other::---

[root@centos8 tmp]# getfacl /home/trainee/rep1/file1
getfacl: Removing leading '/' from absolute path names
# file: home/trainee/rep1/file1
# owner: root
# group: root
user::r--
group::---
other::---

The ACLs positioned on the file file1 are the ACLs positioned by default on the parent directory.

Lastly the standard archiving commands under Linux do not understand ACLs. As a result, the ACLs need to be backed-up to a file using the following command:

[root@centos8 tmp]# cd /home/trainee/rep1
[root@centos8 rep1]# getfacl -R --skip-base . > backup.acl
[root@centos8 rep1]# cat backup.acl 
# file: .
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::r--
default:group::---
default:other::---

Restoring ACLs is acheived by using the following command:

# setfacl --restore=backup.acl [Enter]

The command line switches for the getfacl command are :

[root@centos8 tmp]# getfacl --help
getfacl 2.2.53 -- get file access control lists
Usage: getfacl [-aceEsRLPtpndvh] file ...
  -a,  --access           display the file access control list only
  -d, --default           display the default access control list only
  -c, --omit-header       do not display the comment header
  -e, --all-effective     print all effective rights
  -E, --no-effective      print no effective rights
  -s, --skip-base         skip files that only have the base entries
  -R, --recursive         recurse into subdirectories
  -L, --logical           logical walk, follow symbolic links
  -P, --physical          physical walk, do not follow symbolic links
  -t, --tabular           use tabular output format
  -n, --numeric           print numeric user/group identifiers
  -p, --absolute-names    don't strip leading '/' in pathnames
  -v, --version           print version and exit
  -h, --help              this help text

The command line switches for the setfacl command are :

[root@centos8 tmp]# setfacl --help
setfacl 2.2.53 -- set file access control lists
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
  -m, --modify=acl        modify the current ACL(s) of file(s)
  -M, --modify-file=file  read ACL entries to modify from file
  -x, --remove=acl        remove entries from the ACL(s) of file(s)
  -X, --remove-file=file  read ACL entries to remove from file
  -b, --remove-all        remove all extended ACL entries
  -k, --remove-default    remove the default ACL
      --set=acl           set the ACL of file(s), replacing the current ACL
      --set-file=file     read ACL entries to set from file
      --mask              do recalculate the effective rights mask
  -n, --no-mask           don't recalculate the effective rights mask
  -d, --default           operations apply to the default ACL
  -R, --recursive         recurse into subdirectories
  -L, --logical           logical walk, follow symbolic links
  -P, --physical          physical walk, do not follow symbolic links
      --restore=file      restore ACLs (inverse of `getfacl -R')
      --test              test mode (ACLs are not modified)
  -v, --version           print version and exit
  -h, --help              this help text

File attributes are an addition to the classic file permissions in Ext2/Ext3/Ext4 and ReiserFS file systems.

The principal attributes are :

The two commands associated with attributes are:

To clarify the use of the two commands, create the directory /root/attributs/rep:

[root@centos8 rep1]# cd /root
[root@centos8 ~]# mkdir -p attributs/rep

Create the files file et rep/file1 :

[root@centos8 ~]# touch attributs/file
[root@centos8 ~]# touch attributs/rep/file1

Now modify the attributes recursively:

[root@centos8 ~]# chattr +i -R attributs/

View the attributes using the lsattr command:

[root@centos8 ~]# lsattr -R attributs
----i----------- attributs/rep

attributs/rep:
----i----------- attributs/rep/file1

----i----------- attributs/file

If you now try and move file to /root/attributes/rep/, you will get the following error message:

[root@centos8 ~]# cd attributs; mv /root/attributs/file /root/attributs/rep/file
mv: cannot move '/root/attributs/file' to '/root/attributs/rep/file': Operation not permitted

<html>

</html>