

Version : 2024.01

Last update : 2024/11/11 14:49

RH12408 - Managing File Permissions

Module content

  • RH12408 - Managing File Permissions
    • Contents
    • Presentation
    • Preparation
    • LAB #1 - Simple Unix File Permissions
      • 1.1 - Changing File Permissions
        • The chmod Command
          • Symbolic Mode
          • Octal mode
        • The umask command
      • 1.2 - Changing the owner or group
        • The chown command
        • The chgrp command
    • LAB #2 - Extended Unix File Permissions
      • 2.1 - SUID/SGID bit
      • 2.2 - Inheritance Flag
      • 2.3 - Sticky bit

Presentation

In its basic design, Linux uses a DAC security approach:

Security Type   Name                           Description
DAC             Discretionary Access Control   Access to an object is governed by the permission bits its owner sets on it

Preparation

In your home directory, create a tux.jpg file using the touch command:

[root@redhat9 ~]# exit
logout

[trainee@redhat9 ~]$ pwd
/home/trainee

[trainee@redhat9 ~]$ touch tux.jpg

[trainee@redhat9 ~]$ ls -l | grep tux.jpg
-rw-r--r--. 1 trainee trainee 0 Sep 27 12:42 tux.jpg

Important: Note that the file created is an ordinary empty file, not an image. Linux ignores the .jpg extension: a file's type is not determined by its name.

LAB #1 - Simple Unix File Permissions

File permissions in Linux are communicated as follows:

User/Owner Group Other
rwx rwx rwx

where r = read, w = write and x = execute

Each inode stores the number of the user to whom the file belongs (UID) and the group number (GID). When the file is opened, the system compares the user number of the process with the user number stored in the inode. If these two numbers are identical, the user obtains the permissions of the file owner. If the numbers differ, the system checks whether the user is a member of the group referenced in the inode. If so, the user gets the permissions specified for the group. If neither condition is met, the user is given the permissions of 'others'. The first match wins: the owner receives exactly the owner permissions, even when the group or 'others' permissions are wider.

The permissions for directories are slightly different:

r The user can list the contents of the directory.
w The user can create or delete objects within the directory.
x The user can enter the directory (cd into it) and reach the objects inside it by name.

1.1 - Changing permissions

The chmod Command

Symbolic Mode

To modify file access permissions, use the chmod command, whose syntax is as follows:

chmod [ -R ] category operator permissions file_name

or

chmod [ -R ] ugoa +-= rwxXst file_name

where

u user
g group
o other
a all
+ add a permission
- delete a permission
= set the permissions as indicated
r read
w write
x execute
X execute - only if the target is a directory or if the file is already executable for one of the u, g or o categories.
s SUID/SGID bit
t sticky bit

For example, the following command gives others write access to the file tux.jpg:

[trainee@redhat9 ~]$ chmod o+w tux.jpg

[trainee@redhat9 ~]$ ls -l | grep tux.jpg
-rw-r--rw-. 1 trainee trainee 0 Sep 27 12:42 tux.jpg

while the following command will remove write access permissions for the user and group:

[trainee@redhat9 ~]$ chmod ug-w tux.jpg

[trainee@redhat9 ~]$ ls -l | grep tux.jpg
-r--r--rw-. 1 trainee trainee 0 Sep 27 12:42 tux.jpg

Important: Only the file owner or root can change permissions.
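The symbolic syntax described above, written out as an interpreter (an added example, not code from the course page): apply_chmod applies a mode string such as o+w or ug-w to a permission value, and to_ls renders the result the way ls -l prints it, including s and t in place of x. Function and variable names are this example's own.

```python
# Added example, not from the course page: an interpreter for the chmod
# symbolic syntax above ([ugoa]*[+-=][rwxXst]*) plus an ls -l style renderer.
# Names are this example's own; semantics follow GNU chmod(1) for regular files.
import re

_RWX = {"u": 0o700, "g": 0o070, "o": 0o007}         # rwx bits of each class
_SPECIAL = {"u": 0o4000, "g": 0o2000, "o": 0o1000}  # SUID, SGID, sticky bit
_SPEC = re.compile(r"^([ugoa]*)([+\-=])([rwxXst]*)$")

def apply_chmod(mode, spec, is_dir=False):
    """Apply comma-separated symbolic specs, e.g. 'ug-w,o+t', to a mode."""
    for part in spec.split(","):
        m = _SPEC.match(part)
        if not m:
            raise ValueError("unsupported mode string: %r" % part)
        who, op, perms = m.groups()
        if not who or "a" in who:                    # no class behaves like 'a'
            who = "ugo"
        classes = [c for c in "ugo" if c in who]
        rwx = sum(_RWX[c] for c in classes)
        bits = sum(rwx & v for p, v in (("r", 0o444), ("w", 0o222)) if p in perms)
        # X grants execute only to directories and already-executable files
        if "x" in perms or ("X" in perms and (is_dir or mode & 0o111)):
            bits |= rwx & 0o111
        if "s" in perms:                 # u+s -> SUID, g+s -> SGID, o+s -> none
            bits |= sum(_SPECIAL[c] for c in classes if c != "o")
        if "t" in perms:
            bits |= _SPECIAL["o"]
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                            # '=': clear the named classes first
            mode = (mode & ~sum(_RWX[c] | _SPECIAL[c] for c in classes)) | bits
    return mode

def to_ls(mode, is_dir=False):
    """Render like ls -l: 0o4755 -> '-rwsr-xr-x', 0o1777 dir -> 'drwxrwxrwt'."""
    out = "d" if is_dir else "-"
    for c, shift in (("u", 6), ("g", 3), ("o", 0)):
        t = (mode >> shift) & 7
        out += ("r" if t & 4 else "-") + ("w" if t & 2 else "-")
        x_char = "x" if t & 1 else "-"
        if mode & _SPECIAL[c]:           # s/t replaces x; capital = x bit absent
            letter = "t" if c == "o" else "s"
            x_char = letter if t & 1 else letter.upper()
        out += x_char
    return out
```

The two lab commands above become apply_chmod(0o644, "o+w") and then apply_chmod(0o646, "ug-w"), whose results render as -rw-r--rw- and -r--r--rw-.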

Octal mode

The chmod command can also be used with an octal representation (base 8). The octal values for the access permissions are:

User/Owner Group Other
r w x r w x r w x
400 200 100 40 20 10 4 2 1

Important: The permissions rwx rwx rwx therefore correspond to the octal value 777.

The chmod command therefore takes the following form:

chmod [ -R ] mode_octal filename

The following command therefore corresponds to the allocation of permissions rw- r-- r--:

[trainee@redhat9 ~]$ chmod 644 tux.jpg

[trainee@redhat9 ~]$ ls -l | grep tux.jpg
-rw-r--r--. 1 trainee trainee 0 Sep 27 12:42 tux.jpg

The default access permissions when an object is created, before the umask (see below) is applied, are:

Directories rwx rwx rwx 777
Normal file rw- rw- rw- 666

Command Line Switches

The options for this command are:

[trainee@redhat9 ~]$ chmod --help
Usage: chmod [OPTION]... MODE[,MODE]... FILE...
  or: chmod [OPTION]... OCTAL-MODE FILE...
  or: chmod [OPTION]... --reference=RFILE FILE...
Change the mode of each FILE to MODE.
With --reference, change the mode of each FILE to that of RFILE.

  -c, --changes like verbose but report only when a change is made
  -f, --silent, --quiet suppress most error messages
  -v, --verbose output a diagnostic for every file processed
      --no-preserve-root do not treat ‘/’ specially (the default)
      --preserve-root fail to operate recursively on ‘/’
      --reference=RFILE use RFILE's mode instead of MODE values
  -R, --recursive change files and directories recursively
      --help display this help and exit
      --version output version information and exit

Each MODE is of the form ‘[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+’.

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation <https://www.gnu.org/software/coreutils/chmod>
or available locally via: info ‘(coreutils) chmod invocation’

The umask Command

Users can change their default permission mask for newly created objects using the umask command:

[trainee@redhat9 ~]$ umask
0022
[trainee@redhat9 ~]$ su -
Password: fenestros
[root@redhat9 ~]# umask
0022
[root@redhat9 ~]# exit
logout
[trainee@redhat9 ~]$

For example, if a user wants files created in the future to have read and write permissions for the user and group but only read permission for others, they would run:

$ umask 002 [Enter]

before creating the file.

umask is used to remove permissions from the default permissions:

Maximum mask when creating a file   rw- rw- rw-   666
Permissions to be removed           --- --- -w-   002
Result                              rw- rw- r--   664

In the following example, we use the touch command to create an empty file with the new default permissions:

[trainee@redhat9 ~]$ umask 044

[trainee@redhat9 ~]$ touch tux1.jpg

[trainee@redhat9 ~]$ ls -l | grep tux1.jpg
-rw--w--w-. 1 trainee trainee 0 Sep 27 12:48 tux1.jpg

[trainee@redhat9 ~]$ umask 022

[trainee@redhat9 ~]$ umask
0022
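The umask arithmetic from the table above and the tux1.jpg run, as an added example (not code from the course page): default_mode computes the expected mode, and observe creates a file and a directory under a given mask in a temporary directory so the prediction can be checked against what the kernel really does. Function names are this example's own.

```python
# Added example, not from the course page: the umask arithmetic shown in
# the table above (base mode AND NOT mask), checked against what the kernel
# actually does in a temporary directory. Function names are this example's own.
import os
import stat
import tempfile

def default_mode(umask, is_dir=False):
    """Mode a new object receives: 777 (directory) or 666 (file) minus the mask."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask & 0o777

def rwx(mode):
    """Nine-character rendering, e.g. 0o622 -> 'rw--w--w-'."""
    return "".join(ch if mode & (1 << (8 - i)) else "-"
                   for i, ch in enumerate("rwxrwxrwx"))

def observe(umask):
    """Create a file and a directory under umask and return the modes the
    filesystem reports as (file_mode, dir_mode); the old mask is restored."""
    old = os.umask(umask)                # the mask is per process: save it
    try:
        with tempfile.TemporaryDirectory() as tmp:
            f = os.path.join(tmp, "tux1.jpg")
            d = os.path.join(tmp, "testrep")
            open(f, "w").close()         # open() asks for 0o666, like touch
            os.mkdir(d)                  # mkdir asks for 0o777
            return (stat.S_IMODE(os.lstat(f).st_mode),
                    stat.S_IMODE(os.lstat(d).st_mode))
    finally:
        os.umask(old)

if __name__ == "__main__":
    for mask in (0o022, 0o002, 0o044):   # the three masks used in the lab
        got_f, got_d = observe(mask)
        print("umask %04o: file %s (%03o)  dir %s (%03o)"
              % (mask, rwx(got_f), got_f, rwx(got_d), got_d))
        assert (got_f, got_d) == (default_mode(mask), default_mode(mask, True))
```

With umask 044 the file comes out as rw--w--w- (622), exactly as the ls -l line above shows, and the directory as 733.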

Command Line Switches

The options for this command are:

[trainee@redhat9 ~]$ help umask
umask: umask [-p] [-S] [mode]
    Display or set file mode mask.
    
    Sets the user file-creation mask to MODE.  If MODE is omitted, prints
    the current value of the mask.
    
    If MODE begins with a digit, it is interpreted as an octal number;
    otherwise it is a symbolic mode string like that accepted by chmod(1).
    
    Options:
      -p if MODE is omitted, output in a form that may be reused as input
      -S makes the output symbolic; otherwise an octal number is output
    
    Exit Status:
    Returns success unless MODE is invalid or an invalid option is given.

1.2 - Changing the owner or group

Important: The owner of a file can only be changed by the system administrator (root).

The chown Command

In the case of the file tux.jpg belonging to trainee, root can change the owner from trainee to root with the following command:

[trainee@redhat9 ~]$ su -
Password: fenestros

[root@redhat9 ~]# cd /home/trainee

[root@redhat9 trainee]# chown root tux.jpg 

[root@redhat9 trainee]# ls -l | grep tux.jpg
-rw-r--r--. 1 root trainee 0 Sep 27 12:42 tux.jpg

Command Line Switches

The options for this command are:

[root@redhat9 trainee]# chown --help
Usage: chown [OPTION]... [OWNER][:[GROUP]] FILE...
  or: chown [OPTION]... --reference=RFILE FILE...
Change the owner and/or group of each FILE to OWNER and/or GROUP.
With --reference, change the owner and group of each FILE to those of RFILE.

  -c, --changes like verbose but report only when a change is made
  -f, --silent, --quiet suppress most error messages
  -v, --verbose output a diagnostic for every file processed
      --dereference affect the referent of each symbolic link (this is
                         the default), rather than the symbolic link itself
  -h, --no-dereference affect symbolic links instead of any referenced file
                         (useful only on systems that can change the
                         ownership of a symlink)
      --from=CURRENT_OWNER:CURRENT_GROUP
                         change the owner and/or group of each file only if
                         its current owner and/or group match those specified
                         here.  Either may be omitted, in which case a match
                         is not required for the omitted attribute
      --no-preserve-root do not treat ‘/’ specially (the default)
      --preserve-root fail to operate recursively on ‘/’
      --reference=RFILE use RFILE's owner and group rather than
                         specifying OWNER:GROUP values
  -R, --recursive operate on files and directories recursively

The following options modify how a hierarchy is traversed when the -R
option is also specified.  If more than one is specified, only the final
one takes effect.

  -H if a command line argument is a symbolic link
                         to a directory, traverse it
  -L traverse every symbolic link to a directory
                         encountered
  -P do not traverse any symbolic links (default)

      --help display this help and exit
      --version output version information and exit

Owner is unchanged if missing.  Group is unchanged if missing, but changed
to login group if implied by a ‘:’ following a symbolic OWNER.
OWNER and GROUP may be numeric as well as symbolic.

Examples:
  chown root /u Change the owner of /u to ‘root’.
  chown root:staff /u Likewise, but also change its group to ‘staff’.
  chown -hR root /u Change the owner of /u and subfiles to ‘root’.

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation <https://www.gnu.org/software/coreutils/chown>
or available locally via: info ‘(coreutils) chown invocation’

The chgrp Command

The same applies to the group:

[root@redhat9 trainee]# chgrp root tux.jpg

[root@redhat9 trainee]# ls -l | grep tux.jpg
-rw-r--r--. 1 root root 0 Sep 27 12:42 tux.jpg

Important: The permission to delete a file depends on the permissions of the directory in which the file is stored, not the permissions of the file itself.

Command Line Switches

The options for this command are:

[root@redhat9 trainee]# chgrp --help
Usage: chgrp [OPTION]... GROUP FILE...
  or: chgrp [OPTION]... --reference=RFILE FILE...
Change the group of each FILE to GROUP.
With --reference, change the group of each FILE to that of RFILE.

  -c, --changes like verbose but report only when a change is made
  -f, --silent, --quiet suppress most error messages
  -v, --verbose output a diagnostic for every file processed
      --dereference affect the referent of each symbolic link (this is
                         the default), rather than the symbolic link itself
  -h, --no-dereference affect symbolic links instead of any referenced file
                         (useful only on systems that can change the
                         ownership of a symlink)
      --no-preserve-root do not treat ‘/’ specially (the default)
      --preserve-root fail to operate recursively on ‘/’ (the default)
      --reference=RFILE use RFILE's group rather than specifying a
                         GROUP value
  -R, --recursive operate on files and directories recursively

The following options modify how a hierarchy is traversed when the -R
option is also specified.  If more than one is specified, only the final
one takes effect.

  -H if a command line argument is a symbolic link
                         to a directory, traverse it
  -L traverse every symbolic link to a directory
                         encountered
  -P do not traverse any symbolic links (default)

      --help display this help and exit
      --version output version information and exit

Examples:
  chgrp staff /u Change the group of /u to ‘staff’.
  chgrp -hR staff /u Change the group of /u and subfiles to ‘staff’.

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation <https://www.gnu.org/software/coreutils/chgrp>
or available locally via: info ‘(coreutils) chgrp invocation’

LAB #2 - Extended Unix Permissions

2.1 - SUID/SGID bit

Despite what you have just seen, in the listing below you will notice that the passwd file in the /etc directory has rw- r-- r-- permissions and belongs to root. In other words, only root can write to this file. However, when a normal user changes their password, they write to this file. This seems to be a contradiction.

[root@redhat9 trainee]# ls -l /etc/passwd /usr/bin/passwd
-rw-r--r--. 1 root root 2162 Sep 26 14:57 /etc/passwd
-rwsr-xr-x. 1 root root 32648 Aug 10 2021 /usr/bin/passwd

To resolve this apparent contradiction, Linux has two extended file access permissions:

  • Set UserID bit ( SUID bit )
  • Set GroupID bit ( SGID bit )

When the SUID bit is set on a program, the process that runs it takes on the user number (effective UID) of the program's owner for the duration of its execution.

In the case of a password change, each user who runs the /usr/bin/passwd program is temporarily assigned the user number of the program's owner, i.e. root. This is what allows the user to modify the /etc/passwd file. This right is shown by the letter s in place of the letter x in the owner's execute position of the ls -l output.

The same function exists for the group, using the SGID bit.

To assign permissions, use the chmod command:

  • chmod u+s file_name
  • chmod g+s file_name

In base eight the values are as follows:

  • SUID = 4000
  • SGID = 2000

To identify executables with the SGID or SUID bit, use the following command:

[root@redhat9 trainee]# find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls {} \;
find: ‘/proc/9995/task/9995/fdinfo/6’: No such file or directory
find: ‘/proc/9995/fdinfo/5’: No such file or directory
/usr/bin/fusermount3
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/umount
/usr/bin/su
/usr/bin/write
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/locate
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
/usr/bin/at
/usr/bin/chfn
/usr/bin/screen
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/userhelper
/usr/sbin/lockdev
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/utempter
/usr/libexec/openssh/ssh-keysign
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/libexec/sssd/krb5_child
/usr/libexec/sssd/ldap_child
/usr/libexec/sssd/proxy_child
/usr/libexec/sssd/selinux_child
/usr/libexec/Xorg.wrap
/usr/libexec/cockpit-session

2.2 - Inheritance Flag

The SGID bit can also be set on a directory. Files and directories created inside it then receive the group of the parent directory as their group. This right is therefore called the inheritance flag.

For example:

[root@redhat9 trainee]# cd /tmp

[root@redhat9 tmp]# mkdir inherit

[root@redhat9 tmp]# chown root:trainee inherit

[root@redhat9 tmp]# chmod g+s inherit

[root@redhat9 tmp]# touch inherit/test.txt

[root@redhat9 tmp]# mkdir inherit/testrep

[root@redhat9 tmp]# cd inherit; ls -l
total 0
drwxr-sr-x. 2 root trainee 6 Sep 27 12:55 testrep
-rw-r--r--. 1 root trainee 0 Sep 27 12:54 test.txt

[root@redhat9 inherit]# 

Important: Note that despite the fact that root created the two objects, they are not associated with the root group but with the trainee group, the group of the parent directory (inherit). Also note that the system has set the inheritance flag on the testrep subdirectory.

2.3 - Sticky bit

There is one last case, called the sticky bit. The sticky bit is used for directories in which everyone has full permissions. Without it, anyone can delete any file in the directory. With the sticky bit set, only the owner of a file can delete it.

# chmod o+t /directory 

or

# chmod 1777 /directory

For example:

[root@redhat9 inherit]# mkdir /tmp/repertoire_public; cd /tmp; chmod o+t repertoire_public

[root@redhat9 tmp]# ls -l | grep repertoire_public
drwxr-xr-t. 2 root root 6 Sep 27 12:56 repertoire_public
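The access rule from LAB #1 (owner, then group, then other), the note that deleting a file depends on the directory's permissions, and the sticky bit above, written out together as an added example (not code from the course page). It also covers two cases the page does not spell out, taken from Linux behaviour: root bypasses the checks, and the directory's owner may also delete files in a sticky directory. All uid and gid values are constructed, and the function names are this example's own.

```python
# Added example, not from the course page. It writes out the access rule from
# LAB #1 (owner, then group, then other: the first match wins) and the
# deletion rule from the notes on directory permissions and the sticky bit.
# The root (uid 0) behaviour is Linux's, not spelled out on the page, and
# every uid/gid value used below is constructed.
def permission_class(owner_uid, owner_gid, uid, gids):
    """Which triple applies to uid: 'owner', 'group' or 'other'."""
    if uid == owner_uid:
        return "owner"
    if owner_gid in gids:                # gids: primary + supplementary groups
        return "group"
    return "other"

_SHIFT = {"owner": 6, "group": 3, "other": 0}

def is_allowed(mode, owner_uid, owner_gid, uid, gids, want):
    """Does uid get 'r', 'w' or 'x' on an object with this mode and ownership?

    Root bypasses the r/w check and needs only some x bit to execute.
    """
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:
        return want != "x" or bool(mode & 0o111)
    shift = _SHIFT[permission_class(owner_uid, owner_gid, uid, gids)]
    return bool((mode >> shift) & bit)

def effective(mode, owner_uid, owner_gid, uid, gids):
    """Render uid's effective permissions, e.g. 'r--' for a group member."""
    return "".join(p if is_allowed(mode, owner_uid, owner_gid, uid, gids, p)
                   else "-" for p in "rwx")

def can_unlink(dir_mode, dir_uid, dir_gid, file_uid, uid, gids):
    """Can uid delete or rename a file inside the directory?  The file's own
    mode plays no part: uid needs w and x on the directory, and when the sticky
    bit (0o1000) is set must also own the file or the directory. Root always may."""
    if uid == 0:
        return True
    if not all(is_allowed(dir_mode, dir_uid, dir_gid, uid, gids, p) for p in "wx"):
        return False
    return not (dir_mode & 0o1000) or uid in (file_uid, dir_uid)

if __name__ == "__main__":
    # tux.jpg with mode 644 owned by trainee (assume uid/gid 1000), as seen
    # by another member of group trainee (uid 1001): r--
    print(effective(0o644, 1000, 1000, 1001, {1000}))
    # a 1777 directory such as /tmp: uid 1001 cannot delete uid 1000's file
    print(can_unlink(0o1777, 0, 0, 1000, 1001, {1001}))
```

Note the first-match behaviour: with mode 446 the owner gets only r--, even though 'others' have rw-.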

Copyright © 2024 Hugh Norris.
