Linux file permission

From HPCWIKI
Jump to navigation Jump to search

Traditional file permission

ls command witl -al option to view the permissions (or file mode) set for the contents of a directory[1]

$ ls -al /
total 2098648
drwxr-xr-x   20 root    root             4096 May 25 08:40 .
drwxr-xr-x   20 root    root             4096 May 25 08:40 ..
lrwxrwxrwx    1 root    root                7 Aug 31  2022 bin -> usr/bin
drwxr-xr-x    4 root    root             4096 May 25 09:40 boot
drwxr-xr-x   20 root    root             4820 May 25 08:37 dev
drwxr-xr-x  130 root    root            12288 May 25 09:42 etc
drwxr-xr-x    6 root    root             4096 May 15 10:36 home
lrwxrwxrwx    1 root    root                7 Aug 31  2022 lib -> usr/lib
lrwxrwxrwx    1 root    root                9 Aug 31  2022 lib32 -> usr/lib32
lrwxrwxrwx    1 root    root                9 Aug 31  2022 lib64 -> usr/lib64
lrwxrwxrwx    1 root    root               10 Aug 31  2022 libx32 -> usr/libx32
drwx------    2 root    root            16384 Aug 31  2022 lost+found
drwxr-xr-x    3 root    root             4096 Aug 31  2022 media
drwxr-xr-x    5 root    root             4096 Dec 13 10:03 mnt
drwxr-xr-x   10 root    root             4096 Apr  9 12:37 opt
dr-xr-xr-x 1264 root    root                0 May 25 08:36 proc
drwxr-xr-x   35 root    root             1160 May 25 09:26 run
lrwxrwxrwx    1 root    root                8 Aug 31  2022 sbin -> usr/sbin
drwxr-xr-x    2 root    root                0 May 25 08:37 server
drwxr-xr-x    2 root    root             4096 May 18 16:03 srv
-rw-------    1 root    root       2147483648 Aug 31  2022 swapfile
dr-xr-xr-x   13 root    root                0 May 25 08:36 sys
drwxrwxrwt   10 root    root          1441792 May 25 09:40 tmp
drwxr-xr-x   15 root    root             4096 May 18 15:36 usr
drwxr-xr-x   13 root    root             4096 Dec  5 17:31 var

Following table explains what is the meaning of character you should focus

d rwx rwx rwx +
The file type, technically not part of its permissions The permissions that the owner has over the file, explained below. The permissions that the group has over the file, explained below. The permissions that all the other users have over the file, explained below. A single character that specifies whether an alternate access method applies to the file. When this character is a space, there is no alternate access method. A . character indicates a file with a security context, but no other alternate access method. A file with any other combination of alternate access methods is marked with a + character, for example in the case of Access Control Lists.

Each of rwx(s) permission meaning,

rwx(s/S) Owner ship Character Effect on files Effect on directories
Read permission (first character) owner - The file cannot be read. The directory's contents cannot be shown.
r 4 The file can be read. The directory's contents can be shown.
Write permission (second character) group - The file cannot be modified. The directory's contents cannot be modified.
w 2 The file can be modified. The directory's contents can be modified (create new files or directories; rename or delete existing files or directories); requires the execute permission to be also set, otherwise this permission has no effect.
Execute permission (third character) the other - The file cannot be executed. The directory cannot be accessed with cd.
x 1 The file can be executed. The directory can be accessed with cd; this is the only permission bit that in practice can be considered to be "inherited" from the ancestor directories, in fact if any directory in the path does not have the x bit set, the final file or directory cannot be accessed either, regardless of its permissions; see path_resolution(7) for more information.
SUID/GUID s 4/2 The setuid bit when found in the user triad; the setgid bit when found in the group triad; it is not found in the others triad; it also implies that x is set.
S Same as s, but x is not set; rare on regular files, and useless on directories.
Sticky t 1 The sticky bit; it can only be found in the others triad; it also implies that x is set.
T Same as t, but x is not set; rare on regular files.
+ "+" to indicate that there is an extended ACL for this item

SUID, SGID, and Sticky

SUID and SGID mean that for executable commands, they run as user and group respectively.

SUID or Set Owner User ID is a permission bit flag that applies to executables. SUID allows an alternate user to run an executable with the same permissions as the owner of the file instead of the permissions of the alternate user. The passwd command is the best example for SUID. if we look at the file in detail

SUID, user + s (pecial)

The best SUID example would be /usr/bin/passwd comand 

$ ls -al /usr/bin/passwd
-rwsr-xr-x 1 root root 68208 Nov 29  2022 /usr/bin/passwd

SGID, group + s (pecial)

The best SGID example

This permission set is noted by a lowercase s where the x would normally indicate execute privileges for the group

  • If set on a file, it allows the file to be executed as the group that owns the file (similar to SUID)
  • If set on a directory, any files created in the directory will have their group ownership set to that of the directory owner

Sticky bit, other + t (sticky)

The sticky bit - originally implemented in UNIX meant a program stayed in RAM after running- Under linux, This permission does not affect individual files. However, at the directory level, it restricts file deletion. Only the owner (and root) of a file can remove the file within that directory. A common example of this is the /tmp directory:

$ ls -ld /tmp
drwxrwxrwt 10 root root 4096 Jul 21 08:04 /tmp

Set SUID,SGID, Sticky bit

We can use Symbolic or numerical method to set these special bit. for example,

$ chmod g+s file | directory

$ chmod X### file | directory


In numerical method, need to pass a fourth, preceding pre-defined special digit in our chmod command

  • Start at 0
  • SUID = 4
  • SGID = 2
  • Sticky = 1

The syntax is: 

$ chmod X### file | directory

Umask

The umask utility is used to control the file-creation mode mask, which determines the initial value of file permission bits for newly created files since all new file permission calculated by

new file permission = default permission & (~mask)

  • default permission on Linux - the default creation permissions are 777 for directories and only 666 for files.
  • only the file permission bits of the mask are used - see umask(2). The suid, sgid and sticky bits of the mask are ignored.

assumming that the file-creation mode mask is 027

  • 0 stands for the user permission bits not set on a newly created file
  • 2 stands for the group permission bits not set on a newly created file
  • 7 stands for the other permission bits not set on a newly created file

To display the current mask, simply invoke umask without specifying any arguments

$ umask
0027

#When the -S option, standardized by POSIX 
$ umask -S
u=rwx,g=rx,o=


To set the umask value through the umask command

System-wide umask value can be set in /etc/profile or in the default shell configuration files (e.g. /etc/bash.bashrc) in most Linux distributions.

User specific umask value can be set in ~/.bashrc to only change your umask, however these changes will only take effect after the next login

under GUI environment like KDE, The umask value can be set via pam_umask.so or a systemd

/etc/systemd/system/user@.service.d/override.conf

[Service]
UMask=0002

pam_umask.so allows to set the system-wide umask value for both, text console and graphical environment.

pam_umask.so needs to be enabled in a configuration file that is included by both, /etc/pam.d/login and /etc/pam.d/systemd-user. Add the following line to /etc/pam.d/system-login: 

# session    optional   pam_umask.so         umask=022

Permission change

Text method Octal method Result Meaning
$ chmod g= fileordir

$ chmod o= fileordir

$chmod 700 fileordir drwx------ just = means deny permission
$ chmod g=rx fileordir

$ chmod o=rx fileordir or $chmod go=rx fileordir

$chmod 755 fileordir drwxr-xr-x set group to rx

set others to rx

Extended ACL

Extended ACLs allow us to apply a more specific set of permissions to a file or directory without (necessarily) changing the base ownership and permissions. Default permissions can be set only for one owner, one group and Other users. So different permissions cannot be configured for different users and groups.

we can manage the ACL with "getfacl" and "setfacl" on the command line

# getfacl /accounting
getfacl: Removing leading '/' from absolute path names
# file: accounting
# owner: accounting
# group: accounting
user::rwx
group::rwx
other::---
#The first three output lines display the name, owner, and owning group of the directory. The next three lines contain the three ACL entries

Setting an Extened ACL

The syntax for setting an ACL is

$setfacl [action] <what>:<user/group>:<permissions>

action what:suer/group:permissions notes
options -m (set/modify) u (user)

g (group) o (others) m (mask)

mask associated with an ACL limits the set of permissions that can be assigned on the file for the the named groups and users and for the group owner, but has no effect on the permissions for the file owner and the other permission group
-x (delete)
-d (defaults) default is a specific type of permission assigned to a directory, that doesn’t change the permissions of the directory itself, but makes it so that the specified ACLs are set by default on all the files created inside of it.
-b (remove all) with -b option, you can erase all the ACLs set[2]

# setfacl -d -m accounting:rwx /accounting

## modify user2 be rwx, group admin rwx for myfolder
# setfacl -m "u:user2:rwx,g:admin:rwx" myfolder

Following example show how mask is mapping to user and group[3]

# file: myfolder
# owner: user1
# group: [[test]]
user::rwx
user:user2:rwx          # effective: r-x due to mask
group::r-x
group:admin:rwx         # effective: r-x due to mask
mask::r-x               # mask effective to user and group 
other::---

File Attributes

Apart from the file mode bits that control user and group read, write and execute permissions, several file systems file attributes that enable further customization of file operations.

Extended attributes can be changed with chattr and listing them with lsattr which is included in e2fsprogs package. this page explained details how to use lsattr and chattr 

<lsattr | chattr> [+|-] [attributes] <filename>

These are a few useful attributes. Not all filesystems support every attribute.

  • a - append only: File can only be opened for appending. like i, but can only be appended.
  • c - compressed: Enable filesystem-level compression for the file.
  • i - immutable: Cannot be modified, deleted, renamed, linked to. Can only be set by root. with this bit set, the file becomes the unmovable object. No writes, not from the kernel or daemons, and not from the root user.
  • j - data journaling: Use the journal for file data writes as well as metadata.
  • m - no compression: Disable filesystem-level compression for the file.
  • A - no atime update: The file's atime will not be modified.
  • C - no copy on write: Disable copy-on-write, for filesystems that support it.

**If root cannot delete or modify some file, that file should have a and i file attributes. some virus or malware use this attributes to execute process under Linux.

Extended Attributes (xattrs)

xattr - Extended attributes are name:value pairs associated permanently with files and directories defines four extended attribute classes: security, system, trusted and user.

archlinux provides great information about xattr and capability

**unlike ACLs, xattrs do not show up anywhere but with lsattr[4]

POSIX Capabilities

POSIX 1003.1e capabilities are role/action based capabilities that that allow certain root-only tasks to be performed by regular users. They can be set in the XATTR space for a file in the filesystem to allow a program to perform such capabilities if run non-root. OR, users on a per user basis can be given capability access by editing/adding /etc/security/capabilities.conf.


The major use for capabilities is to let network tools, especially packet capture tools run as non-root to prevent exploits run against them from gaining root, or otherwise exploited as a SUID binary. Yes, you can use /dev/udp and /dev/tcp to open connections, but not set permissions


If setting per file/program you can check with

getcap <filename>

and you can set capabilities with

setcap <capabilities> <filename>

References

  1. https://wiki.archlinux.org/title/File_permissions_and_attributes
  2. https://linuxconfig.org/how-to-manage-acls-on-linux
  3. https://www.learnitguide.net/2015/12/setting-up-access-control-lists-acl-on.html
  4. https://www.linkedin.com/pulse/linux-permissions-anything-simple-jack-barber
Retrieved from "http://wiki.hpcmate.com/index.php?title=Linux_file_permission&oldid=1197"