Version : 2024.01
Last update : 2024/11/11 14:44
RH12408 - Managing File Permissions
Module content
- RH12408 - Managing File Permissions
- Contents
- Presentation
- Preparation
- LAB #1 - Simple Unix File Permissions
- 1.1 - Changing File Permissions
- The chmod Command
- Symbolic Mode
- Octal mode
- The umask command
- 1.2 - Changing the owner or group
- The chown command
- The chgrp command
- LAB #2 - Extended Unix File Permissions
- 2.1 - SUID/SGID bit
- 2.2 - Inheritance Flag
- 2.3 - Sticky bit
Presentation
In its basic design, Linux uses a DAC security approach:
Security Type | Name | Description |
---|---|---|
DAC | Discretionary Access Control | The owner of an object decides who may access it, by setting the object's permissions. |
Preparation
In your home directory, create a tux.jpg file using the touch command:
[root@redhat9 ~]# exit
logout
[trainee@redhat9 ~]$ pwd
/home/trainee
[trainee@redhat9 ~]$ touch tux.jpg
[trainee@redhat9 ~]$ ls -l | grep tux.jpg
-rw-r--r--. 1 trainee trainee 0 Sep 27 12:42 tux.jpg
Important: Note that the file created is a plain (text) file, not an image: Linux attaches no meaning to the .jpg extension.
LAB #1 - Simple Unix File Permissions
File permissions in Linux are communicated as follows:
User/Owner | Group | Other |
---|---|---|
rwx | rwx | rwx |
where r = read, w = write and x = execute.
Each inode stores the number of the user to whom the file belongs (UID) and the group number (GID). When the file is opened, the system compares the user's UID with the UID stored in the inode. If the two are identical, the user obtains the permissions of the file owner. If they differ, the system checks whether the user is a member of the group referenced in the inode; if so, the user gets the permissions specified for the group. If neither condition is met, the user gets the permissions of 'others'.
The permissions for directories are slightly different:
r | The user can list the contents of the directory. |
---|---|
w | The user can create or delete objects within the directory. |
x | The user can enter the directory (for example with cd). |
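As an added example that is not part of the lab, the Python below models the inode check described above: it parses the mode field printed by ls -l (including s and t in the execute positions) and returns the rwx triplet a given user obtains. The UIDs and GIDs used are constructed values, with 1000 standing in for trainee.

```python
import stat

PERM_CHARS = "rwx"
SPECIAL_BITS = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)   # s in u, s in g, t in o

def parse_ls_mode(mode_field):
    """Turn an `ls -l` mode field such as '-rw-r--rw-.' into (type_char, bits).
    The trailing '.' that ls prints on SELinux systems is ignored. In an
    execute position, s/t mean SUID/SGID/sticky plus x; S/T mean the special
    bit without x."""
    ftype, perms = mode_field[0], mode_field[1:10]
    if len(perms) != 9:
        raise ValueError(f"mode field must be at least 10 characters: {mode_field!r}")
    bits = 0
    for i, ch in enumerate(perms):
        if ch == PERM_CHARS[i % 3]:                 # plain r, w or x
            bits |= 1 << (8 - i)
        elif i % 3 == 2 and ch in "sStT":           # execute position carries s/t
            bits |= SPECIAL_BITS[i // 3]
            if ch.islower():                        # lowercase: x is set as well
                bits |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in {mode_field!r}")
    return ftype, bits

def effective_perms(bits, file_uid, file_gid, uid, gids):
    """The inode check from the text: owner bits if the UID matches, else group
    bits if the user belongs to the file's group, else the 'other' bits.
    Only the first matching category counts, so a less permissive owner
    triplet is never topped up from the group or other triplets."""
    if uid == file_uid:
        triplet = (bits >> 6) & 0o7
    elif file_gid in gids:
        triplet = (bits >> 3) & 0o7
    else:
        triplet = bits & 0o7
    return "".join(c if triplet & (4 >> i) else "-" for i, c in enumerate(PERM_CHARS))

if __name__ == "__main__":
    # constructed sample: tux.jpg after `chmod o+w` then `chmod ug-w`, as in the lab
    # (uid/gid 1000 stands in for trainee)
    _, bits = parse_ls_mode("-r--r--rw-.")
    print(oct(bits))                                             # 0o446
    print(effective_perms(bits, 1000, 1000, 1000, {1000}))       # r--  (owner)
    print(effective_perms(bits, 1000, 1000, 1001, {1001, 1000})) # r--  (group member)
    print(effective_perms(bits, 1000, 1000, 1002, {1002}))       # rw-  (other)
```

Note the last three lines: after chmod ug-w the owner and group members can only read tux.jpg while everyone else can still write to it, because the first matching category decides.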
1.1 - Changing File Permissions
The chmod Command
Symbolic Mode
To modify file access permissions, use the chmod command, whose syntax is as follows:
chmod [ -R ] category operator permissions file_name
or
chmod [ -R ] ugoa +-= rwxXst file_name
where
u | user |
---|---|
g | group |
o | other |
a | all |
+ | add a permission |
- | delete a permission |
= | set the permissions as indicated |
r | read |
w | write |
x | execute |
X | execute - only if the target is a directory or if the file is already executable for one of the u, g or o categories. |
s | SUID/SGID bit |
t | sticky bit |
For example, the following command gives others write access to the file tux.jpg:
[trainee@redhat9 ~]$ chmod o+w tux.jpg
[trainee@redhat9 ~]$ ls -l | grep tux.jpg
-rw-r--rw-. 1 trainee trainee 0 Sep 27 12:42 tux.jpg
while the following command removes write access for the user and the group:
[trainee@redhat9 ~]$ chmod ug-w tux.jpg
[trainee@redhat9 ~]$ ls -l | grep tux.jpg
-r--r--rw-. 1 trainee trainee 0 Sep 27 12:42 tux.jpg
Important: Only the file owner or root can change permissions.
Octal mode
The chmod command can also be used with an octal representation (base 8). The octal values for access permissions are:
r | 4 |
---|---|
w | 2 |
x | 1 |
Important: Each triplet is the sum of its values, so the permissions rwx rwx rwx correspond to the figure 777.
The chmod command therefore takes the following form:
chmod [ -R ] mode_octal filename
The following command therefore assigns the permissions rw- r-- r--:
[trainee@redhat9 ~]$ chmod 644 tux.jpg
[trainee@redhat9 ~]$ ls -l | grep tux.jpg
-rw-r--r--. 1 trainee trainee 0 Sep 27 12:42 tux.jpg
The default access permissions when an object is created are:
Directories | rwx rwx rwx | 777 |
---|---|---|
Normal file | rw- rw- rw- | 666 |
Command Line Switches
The options for this command are:
[trainee@redhat9 ~]$ chmod --help
Usage: chmod [OPTION]... MODE[,MODE]... FILE...
  or:  chmod [OPTION]... OCTAL-MODE FILE...
  or:  chmod [OPTION]... --reference=RFILE FILE...
Change the mode of each FILE to MODE.
With --reference, change the mode of each FILE to that of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --no-preserve-root  do not treat ‘/’ specially (the default)
      --preserve-root    fail to operate recursively on ‘/’
      --reference=RFILE  use RFILE's mode instead of MODE values
  -R, --recursive        change files and directories recursively
      --help     display this help and exit
      --version  output version information and exit

Each MODE is of the form ‘[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+’.

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation <https://www.gnu.org/software/coreutils/chmod>
or available locally via: info ‘(coreutils) chmod invocation’
The umask Command
Users can change their default permission mask for newly created objects using the umask command:
[trainee@redhat9 ~]$ umask
0022
[trainee@redhat9 ~]$ su -
Password: fenestros
[root@redhat9 ~]# umask
0022
[root@redhat9 ~]# exit
logout
[trainee@redhat9 ~]$
For example, a user who wants files created from now on to have read and write permissions for the user and group, but only read permission for others, would run the command:
$ umask 002 [Enter]
before creating the file.
umask is used to remove permissions from the default permissions:
Maximum mask when creating a file | rw- rw- rw- | 666 |
---|---|---|
Permissions to be removed | --- --- -w- | 002 |
Result | rw- rw- r-- | 664 |
In the following example, we use the touch command to create an empty file with the new default permissions:
[trainee@redhat9 ~]$ umask 044
[trainee@redhat9 ~]$ touch tux1.jpg
[trainee@redhat9 ~]$ ls -l | grep tux1.jpg
-rw--w--w-. 1 trainee trainee 0 Sep 27 12:48 tux1.jpg
[trainee@redhat9 ~]$ umask 022
[trainee@redhat9 ~]$ umask
0022
Command Line Switches
The options for this command are:
[trainee@redhat9 ~]$ help umask
umask: umask [-p] [-S] [mode]
    Display or set file mode mask.

    Sets the user file-creation mask to MODE.  If MODE is omitted, prints
    the current value of the mask.

    If MODE begins with a digit, it is interpreted as an octal number;
    otherwise it is a symbolic mode string like that accepted by chmod(1).

    Options:
      -p	if MODE is omitted, output in a form that may be reused as input
      -S	makes the output symbolic; otherwise an octal number is output

    Exit Status:
    Returns success unless MODE is invalid or an invalid option is given.
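As an added example that is not part of the lab, the Python below computes the permissions a new object receives under a given umask (the subtraction shown in the table above) and checks the result against what the kernel actually does by creating a file in a temporary directory. The file name tux1.jpg is reused only as a label.

```python
import os
import stat
import tempfile

def symbolic(bits):
    """Render the low 9 bits as the 'rwx rwx rwx' triplets used in the lab."""
    out = []
    for shift in (6, 3, 0):
        t = (bits >> shift) & 0o7
        out.append(("r" if t & 4 else "-") + ("w" if t & 2 else "-") + ("x" if t & 1 else "-"))
    return " ".join(out)

def apply_umask(base, mask):
    """The umask only ever removes bits: result = base & ~mask, where base is
    666 for a regular file and 777 for a directory."""
    return base & ~mask & 0o777

def created_mode(mask, directory=False):
    """Set this process's umask, create an object in a fresh temporary
    directory and return the mode the kernel actually gave it. The previous
    umask is restored afterwards, since the umask is per-process state."""
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "tux1.jpg")      # label only, not an image
            if directory:
                os.mkdir(path)
            else:
                open(path, "w").close()               # same effect as touch
            return stat.S_IMODE(os.lstat(path).st_mode)
    finally:
        os.umask(old)

if __name__ == "__main__":
    for mask in (0o022, 0o002, 0o044, 0o077):
        f, d = apply_umask(0o666, mask), apply_umask(0o777, mask)
        print(f"umask {mask:03o}: file {f:03o} {symbolic(f)} | dir {d:03o} {symbolic(d)}")
    # the lab's umask 044 case: owner keeps rw-, group and others lose r -> -rw--w--w-
    print(oct(created_mode(0o044)))                   # 0o622
```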
1.2 - Changing the owner or group
Important: The owner of a file can only be changed by the system administrator, root.
The chown Command
In the case of the file tux.jpg belonging to trainee, root can change the owner from trainee to root with the following command:
[trainee@redhat9 ~]$ su -
Password: fenestros
[root@redhat9 ~]# cd /home/trainee
[root@redhat9 trainee]# chown root tux.jpg
[root@redhat9 trainee]# ls -l | grep tux.jpg
-rw-r--r--. 1 root trainee 0 Sep 27 12:42 tux.jpg
Command Line Switches
The options for this command are:
[root@redhat9 trainee]# chown --help
Usage: chown [OPTION]... [OWNER][:[GROUP]] FILE...
  or:  chown [OPTION]... --reference=RFILE FILE...
Change the owner and/or group of each FILE to OWNER and/or GROUP.
With --reference, change the owner and group of each FILE to those of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --dereference      affect the referent of each symbolic link (this is
                         the default), rather than the symbolic link itself
  -h, --no-dereference   affect symbolic links instead of any referenced file
                         (useful only on systems that can change the
                         ownership of a symlink)
      --from=CURRENT_OWNER:CURRENT_GROUP
                         change the owner and/or group of each file only if
                         its current owner and/or group match those specified
                         here.  Either may be omitted, in which case a match
                         is not required for the omitted attribute
      --no-preserve-root  do not treat ‘/’ specially (the default)
      --preserve-root    fail to operate recursively on ‘/’
      --reference=RFILE  use RFILE's owner and group rather than
                         specifying OWNER:GROUP values
  -R, --recursive        operate on files and directories recursively

The following options modify how a hierarchy is traversed when the -R
option is also specified.  If more than one is specified, only the final
one takes effect.

  -H                     if a command line argument is a symbolic link
                         to a directory, traverse it
  -L                     traverse every symbolic link to a directory
                         encountered
  -P                     do not traverse any symbolic links (default)

      --help     display this help and exit
      --version  output version information and exit

Owner is unchanged if missing.  Group is unchanged if missing, but changed
to login group if implied by a ‘:’ following a symbolic OWNER.
OWNER and GROUP may be numeric as well as symbolic.

Examples:
  chown root /u        Change the owner of /u to ‘root’.
  chown root:staff /u  Likewise, but also change its group to ‘staff’.
  chown -hR root /u    Change the owner of /u and subfiles to ‘root’.

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation <https://www.gnu.org/software/coreutils/chown>
or available locally via: info ‘(coreutils) chown invocation’
The chgrp Command
The same applies to the group:
[root@redhat9 trainee]# chgrp root tux.jpg
[root@redhat9 trainee]# ls -l | grep tux.jpg
-rw-r--r--. 1 root root 0 Sep 27 12:42 tux.jpg
Important: The permission to delete a file depends on the permissions of the directory in which the file is stored, not the permissions of the file itself.
Command Line Switches
The options for this command are:
[root@redhat9 trainee]# chgrp --help
Usage: chgrp [OPTION]... GROUP FILE...
  or:  chgrp [OPTION]... --reference=RFILE FILE...
Change the group of each FILE to GROUP.
With --reference, change the group of each FILE to that of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --dereference      affect the referent of each symbolic link (this is
                         the default), rather than the symbolic link itself
  -h, --no-dereference   affect symbolic links instead of any referenced file
                         (useful only on systems that can change the
                         ownership of a symlink)
      --no-preserve-root  do not treat ‘/’ specially (the default)
      --preserve-root    fail to operate recursively on ‘/’ (the default)
      --reference=RFILE  use RFILE's group rather than specifying a
                         GROUP value
  -R, --recursive        operate on files and directories recursively

The following options modify how a hierarchy is traversed when the -R
option is also specified.  If more than one is specified, only the final
one takes effect.

  -H                     if a command line argument is a symbolic link
                         to a directory, traverse it
  -L                     traverse every symbolic link to a directory
                         encountered
  -P                     do not traverse any symbolic links (default)

      --help     display this help and exit
      --version  output version information and exit

Examples:
  chgrp staff /u      Change the group of /u to ‘staff’.
  chgrp -hR staff /u  Change the group of /u and subfiles to ‘staff’.

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation <https://www.gnu.org/software/coreutils/chgrp>
or available locally via: info ‘(coreutils) chgrp invocation’
LAB #2 - Extended Unix File Permissions
2.1 - SUID/SGID bit
Despite what you have just seen, in the listing below you will notice that the passwd file in the /etc directory has rw- r-- r-- permissions and belongs to root. In other words, only root can write to this file. However, when a normal user changes their password, they write to this file. This appears to be a contradiction.
[root@redhat9 trainee]# ls -l /etc/passwd /usr/bin/passwd
-rw-r--r--. 1 root root 2162 Sep 26 14:57 /etc/passwd
-rwsr-xr-x. 1 root root 32648 Aug 10 2021 /usr/bin/passwd
To remedy this apparent contradiction, Linux has two extended access file permissions:
- Set UserID bit ( SUID bit )
- Set GroupID bit ( SGID bit )
When the SUID bit is set on a program, the user who launches the program is assigned the user number of the program's owner for the duration of its execution.
In the case of a password change, each user who launches the /usr/bin/passwd program temporarily takes on the user number of the owner of /usr/bin/passwd, i.e. root. In this way, the user can write to the /etc/passwd file. This permission is shown by the letter s in place of the letter x in the owner's execute position.
The same function exists for the group, using the SGID bit.
To assign permissions, use the chmod command:
- chmod u+s file_name
- chmod g+s file_name
In base eight the values are as follows:
- SUID = 4000
- SGID = 2000
To identify executables with the SGID or SUID bit, use the following command:
[root@redhat9 trainee]# find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls {} \;
find: ‘/proc/9995/task/9995/fdinfo/6’: No such file or directory
find: ‘/proc/9995/fdinfo/5’: No such file or directory
/usr/bin/fusermount3
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/umount
/usr/bin/su
/usr/bin/write
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/locate
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
/usr/bin/at
/usr/bin/chfn
/usr/bin/screen
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/userhelper
/usr/sbin/lockdev
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/utempter
/usr/libexec/openssh/ssh-keysign
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/libexec/sssd/krb5_child
/usr/libexec/sssd/ldap_child
/usr/libexec/sssd/proxy_child
/usr/libexec/sssd/selinux_child
/usr/libexec/Xorg.wrap
/usr/libexec/cockpit-session
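As an added example that is not part of the lab, the Python below does what the find command above does (list regular files carrying the SUID or SGID bit, without following symlinks) and then applies the two checks an administrator makes on each hit: is the file writable by its group or by others, and is it owned by the expected owner. The fixture files in demo() are constructed in a temporary directory, and the user running the script stands in for root there.

```python
import os
import stat
import tempfile

def find_special(root):
    """Walk `root` and return [(path, mode, uid)] for regular files carrying the
    SUID or SGID bit, i.e. find ROOT -type f \( -perm -4000 -o -perm -2000 \)."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:                  # e.g. a /proc entry vanishing mid-walk
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
    return hits

def review(hits, expected_owner=0):
    """Flag hits worth a second look: a SUID/SGID file that its group or others
    can modify lets anyone with write access run code with the owner's identity;
    a SUID file not owned by `expected_owner` (root by default) needs a reason."""
    findings = []
    for path, mode, uid in hits:
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "group- or world-writable"))
        if mode & stat.S_ISUID and uid != expected_owner:
            findings.append((path, "SUID file not owned by expected owner"))
    return findings

def demo():
    """Constructed fixture in a temp dir: one SUID file, one SGID file that is
    group-writable, one plain file. Returns basenames so the result does not
    depend on the temp path. The running user stands in for root here."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("passwd-like", 0o4755), ("shared-tool", 0o2775), ("plain", 0o644)):
            path = os.path.join(tmp, name)
            open(path, "w").close()
            os.chmod(path, mode)
        hits = find_special(tmp)
        findings = review(hits, expected_owner=os.getuid())
        return (sorted(os.path.basename(p) for p, _, _ in hits),
                sorted((os.path.basename(p), why) for p, why in findings))

if __name__ == "__main__":
    for path, mode, uid in find_special("/usr/bin"):
        print(f"{mode:04o} uid={uid} {path}")
    print(demo())
```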
2.2 - Inheritance Flag
The SGID bit can also be set on a directory. Files and directories created inside it then receive the group of the parent directory as their group. This permission is therefore called the inheritance flag.
For example:
[root@redhat9 trainee]# cd /tmp
[root@redhat9 tmp]# mkdir inherit
[root@redhat9 tmp]# chown root:trainee inherit
[root@redhat9 tmp]# chmod g+s inherit
[root@redhat9 tmp]# touch inherit/test.txt
[root@redhat9 tmp]# mkdir inherit/testrep
[root@redhat9 tmp]# cd inherit; ls -l
total 0
drwxr-sr-x. 2 root trainee 6 Sep 27 12:55 testrep
-rw-r--r--. 1 root trainee 0 Sep 27 12:54 test.txt
[root@redhat9 inherit]#
Important: Note that despite the fact that root created the two objects, they are not associated with the root group but with the trainee group, the group of the parent directory (inherit). Also note that the system has set the inheritance flag on the testrep subdirectory.
2.3 - Sticky bit
There is one last case which is called the sticky bit. The sticky bit is used for directories where everyone has full permissions. In this case, anyone can delete files in the directory. By adding the sticky bit, only the owner of the file can delete it.
# chmod o+t /directory
or
# chmod 1777 /directory
For example:
[root@redhat9 inherit]# mkdir /tmp/repertoire_public; cd /tmp; chmod o+t repertoire_public
[root@redhat9 tmp]# ls -l | grep repertoire_public
drwxr-xr-t. 2 root root 6 Sep 27 12:56 repertoire_public
Copyright © 2024 Hugh Norris.