Chapter 7 - Configuring Permissions
How does umask work?
In the umask setting, a numeric value is used that is subtracted from the maximum permissions that can be set automatically to a file.
Which feature of Linux permissions makes Linux almost completely immune to viruses
The execute permission is what you need to execute a file. It is not set to newly created files by default
What happens if a user uses the newgrp command but is not a member of the target group.
The shell prompts for the group password. After you enter the correct group password, the new effective primary group is set. a group password can be set for the group using the gpasswd command.
When a file or directory is created, which two entities becomes the file owner?
The user who creates the file becomes the user owner, and the primary group of that user becomes the group owner
sticky bit numeric value
1
Numeric representation of the execute permission.
1 binary - 001
If you want to modify permissions relative to the current permissions, you can use chmod in relative mode. When you use chmod in relative mode, what are the three indicators to specify what you want?
1. First, you specify for whom you want to change permissions. To do this, you can choose between user ( u ), group ( g ), and others ( o ). 2. Then, you use an operator to add or remove permissions from the current mode, or set them in an absolute way. 3. At the end, you use r , w , and x to specify what permissions you want to set.
To determine whether a user has permissions to a file or a directory, the shell checks ownership. What is the order of this checking process?
1. The shell checks whether you are the user owner of the file you want to access, which is also referred to as the user of the file. If you are the user, you get the permissions that are set for the user, and the shell looks no further. 2. If you are not the user owner, the shell will check whether you are a member of the group owner, which is also referred to as the group of the file. If you are a member of the group, you get access to the file with the permissions of the group, and the shell looks no further. 3. If you are neither the user, nor the group owner, you get the permissions of others.
What are the two commands that can be used to change group ownership of a file or directory?
1. chown 2. chgrp
Who are the three entities to whom the file permissions are assigned to?
1. file owner 2. group owner 3. others
What are the three basic permissions that can be applied on files and directories?
1. read 2. write 3. execute
To avoid problems, which one of the following should be set first? 1. regular permissions 2. default ACLs
1. regular permissions
Two modes of the command, 'chmod'
1. relative 2. absolute
What are the 3 advanced permissions in linux?
1. set use ID (SUID) 2. set group id (SGID) 3. sticky bit
2 benefits of ACLs over normal permissions
1. you can give permissions to more than one user or group at a directory 2. you can enable inheritance by working with default ACLs. By setting a default ACL, you'll determine the permissions that will be set for all new items that are created in the directory
SGID numeric value
2
Numeric representation of the write permission.
2 binary - 010
In the absolute mode of the command, 'chmod', how many digits are used to set basic permissions?
3 digits
SUID numeric value
4
Numeric representation of the read permission.
4 binary - 100
What is the maximum permission setting for directories?
777
When the sticky bit is set on a file, who can delete the file?
Any one who has write permission to the directory where the file exists as sticky bit has no effect when applied to a file.
How to change the umask for a specific user?
Change the umask settings in a file with the name .profile, which is created in the home directory of an individual user.
How to change the umask for all users?
Create a shell script with the name umask.sh in the /etc/profile.d directory and specify the umask you want to use in that shell script
If you have write permission on a directory, what can you do?
Create and delete files and modify permissions on files in that directory.
True or False. A default ACL change the permissions for existing files and sub dir.
False. A default ACL does not change the permissions for existing files and subdirectories. To change those as well you need to add a normal ACL.
What does it mean when a directory has the SGID set?
Files created in directory get the same group owner as the directory
What does it mean if a sticky bit is set on a file or directory?
If sticky bit is applied to a directory, a user may delete a file inside the directory only if he is the user owner of that file or of the directory that contains the file. Sticky bit has no effect when applied to a file.
What does the command below do ? chmod g=rw special
It changes the group permissions of the file named special to read and write, and clears the execute permission if it was set.
What does the command below do ? chmod go-w special
It disables (with the minus sign) write permissions (with the w) for the group owner (with the g) and all other users (with the o) on the local file named special.
What are the effects of the SGID being applied on an executable file?
It gives the user who executes the file the permissions of the group owner of that file
What does the command below do ? chmod +x Ch3Lab2
It makes the noted file executable by all users.
What does it mean while setting ACLs to a file system you are getting an "operation not supported" message? And how do you fix it?
It mean that the file system probably lacks support for ACLs. To fix this, you need to add the acl mount option in the /etc/fstab file so that the file system will be mounted with ACL support by default.
What does it mean if the output of ls -l shows an s at the position where you normally find the group execute permission. drwxr-sr-x.
It means the file/directory has SGID bit/permission.
The command 'ls -l' gives the permission output of a file, '-rwsr-xr-x'. What does the 's' bit refer to?
It refers to the SUID (set user ID). SUID is defined as giving temporary permissions to a user to run a program/file with the permissions of the file owner rather that the user who runs it.
If you have read permission on a directory, what can you do?
List contents of directory
What will be the default permissions for all new files and all new directories if the umask setting is set at 022?
New Files --> 644 New Directories --> 755
John is a member of the group, "mike". Given the permission assigned below, can mike read, write or modify the file, 'setup.sh'? -rwx---rwx. 1 root mike 127 Dec 13 07:21 setup.sh
No. Although everyone else has full permissions to the file, the members of the group "mike" have not been granted any permissions, and as such they won't be able to read, modify, or execute the file.
What is the one downside of Access Control Lists?
Not all utilities support it. Therefore, you might lose ACL settings when copying or moving files, and your backup software might not be able to back up ACL settings.
What does it mean when a directory has the sticky bit set?
Prevents users from deleting files from other users
When a non-root use wants to change his password, he will have to run the command, 'passwd' which will write to shadow file. A user who runs an executable file or command runs this file with his own permissions. The shadow file, however, is not writeable for users who do not have root permissions. How is the user able to successfully change the password?
The SUID permission offers a solution for this problem. On the /usr/bin/passwd utility, this permission is applied by default. That makes that when changing his password, the user temporarily has root permissions (root is the file owner), which allows him to write to the /etc/shadow file.
Root has removed the write permission of the file lincense.txt using the command, 'chmod a-w license.txt'. How can the user who owns the file, still make changes ?
The user who owns the file can still make changes, however. It won't work in GUI text editors such as gedit. It won't even work in the nano text editor. Using the VI editor, the user who owns that file can override a lack of write permissions with the bang character, which looks like an exclamation point (!). user who owns the file can run the following command to override the lack of write permissions: w!
True or False, a user who runs an executable file runs this file with his own permissions.
True
True or False, by default, when a user creates a file, his effective primary group is set as the group owner for that file.
True
Without sticky bit, if a user has execute permissions in a directory, he can create and delete files in that directory. True or False?
True
How many times does one set ACLs if you want to use ACLs to configure access for multiple users or groups to the same directory and wants the ACLs to be applied immediately to all new files and sub-dir created.
Twice. First, use setfacl -R -m to modify the ACLs for current files. Then, use setfacl -m d: to set a default ACL to take care of all new items that will be created
What does it mean when a file has the SUID set?
User executes file with permissions of file owner.
What does it mean when a file has the SGID set?
User executes file with permissions of group owner
What are the two ways to change the umask settings?
You can change the umask settings for 1. All users 2. Individual Users
If you have execute permission on a directory what can you do?
You can use the 'cd' command to go inside that directory. You can also access the files in the directory
Use the command, 'chgrp' to set group ownership for the directory /home/account to the group, 'account'
chgrp account /home/account
Command used to apply SUID, SGID, and sticky bit
chmod
Command used to apply permissions
chmod
Command to add execute permission for all, (user , group and others)
chmod +x somefile
Add the SGID permission to the 'somedir' directory, and Set rwx for user and rx for group and others
chmod 2755 somedir
command used to 1. set read, write, and execute for the user 2. read and execute for the group 3. read and execute for others on the file 'somefile'.
chmod 755 somefile
Command used to set SGID in relative mode
chmod g+s
Command to add the write permission to the group and remove read for others, for the file 'file2'
chmod g+w,o-r file2
Command used to set sticky bit in relative mode
chmod o+t
Command used to set SUID in relative mode
chmod u+s
2 commands that can be used to change group ownership recursively
chown -R chgrp -R
Use 'chown' to change the group owner of directory '/home/account' to the group 'account'.
chown .account /home/account chown :account /home/account
Use 'chown' to set 'sales' as the group owner of the file, 'happyFile'
chown .sales happyFile chown :sales happyFile
Command used to change user ownership for the file, "account" to user "Linda"
chown Linda account
Use 'chown' to set 'Lisa' as the owner of the file, 'filex1'
chown Lisa filex1
Use 'chown' to set 'Lisa' as the owner and 'sales' as the group owner of the file, 'myfile'
chown lisa.sales myfile chown lisa:sales myfile
Which permission is never set by default in linux ?
execute
To access the files inside a directory, what permission do you need? (use the command 'cd' to go inside the directory)
execute permission on the directory
True or False, to open a file for reading, you need read permissions for the directory under which the file exists.
false. you need execute permission for the directory to open files under it for reading.
True or false, if you have read permission to a directory, you can read the files in that same directory.
false. The Linux permission system does not know inheritance, and the only way to read a file is by using the read permissions on that file.
True or false, if you have read permissions on a file, you are able to create or delete new files or modify permissions of the file..
false. write allows you to modify the contents of existing files. It does not, however, allow you to create or delete new files or modify permissions of a file. To do that, you need write permission on the directory where you want to create the file.
Command to see a list of all files on the system with the group, 'users' as the group owner.
find / -group users
Command to see a list of all files on the system with Linda as the owner
find / -user linda
Command used to see current ACL settings
getfacl
Command to create a backup of ACLs
getfacl getfacl -R /directory >file.acl
Command that a user can use to show the current effective primary group
groups
Why is it useful to set SGID on shared group directories?
if you create a shared group directory (say, /groups/account) and make sure that the SGID permission is applied to that directory, and that the group accounting is set as the group owner for that directory, all files created in this directory and all its subdirectories also get the group accounting as the default group owner. The default situation is that when these users creates a file, the primary group becomes group owner of the files (not the group owner for the directory). So by default, linda cannot access the files that lori has and vice versa.
Commands to change the effective primary group and to revert back to the original primary group
newgrp exit
What happens when the SUID is set on a directory?
no effect
What happens when the sticky bit is set on a file?
no effect
What is the order of precedence over file and directory permissions
permissions granted to the group take precedence over permissions granted to all other users. permissions granted to the owner take precedence over all other permissions categories. 1. Owner user 2. Owner group 3. Other
To list the contents of a directory, what permission do you need?
read
If you have read permission to a directory, what does it allow you to do the directory?
read allows you to list the contents of that directory.
Command used to set ACLs
setfacl
Command to restore the setting from the ACL back up file
setfacl setfacl --restore=file.acl
Use a default ACL to get the group, 'sales' to have read and execute on everything that will ever be created in the data directory
setfacl -m d:g:sales:rx data
Give read and execute permissions to the group, 'sales' using ACL.
setfacl -m g:sales:rx /dir -m indicates that the current ACL settings need to be modified. g:sales:rx tells the command to set the ACL to read and execute ( rx ) for the group ( g ) sales.
Command to use if you want others not to get any permissions on anything that is created in /data
setfacl -m o::- /data
Give full permissions to the user, Linda on the data directory without making her the owner and without changing the current owner assignment.
setfacl -m u:Linda:rwx data
What is the maximum permission setting for files?
666 *execute permission is not set by default
Command to see file permissions/current ownership assignments
ls -l
The tar utility does not support ACLs. What is an alternative utility that support ACL settings?
star
Which permission can u set to protect files against accidental deletion in an environment where multiple users have write permissions in the same directory.
sticky bit
Root has removed the write permission of the file lincense.txt using the command, 'chmod a-w license.txt'. The user can write to the file in contents using the w! command in the vi editor. Does this mean w! command is bypassing the Linux file permission system?
the w! command of the vi editor is not bypassing the Linux file permission system. The w! command overwrites a file—that is, it deletes the existing file and creates a new one with the same name. the permission bit that grants the privilege to create and delete files is the write permission on the parent directory, not the write permission on the file itself. Hence, if a user has write permission on a directory, she can overwrite (copy the old contents over to the new files + alter the content --> delete the old file --> save the new file with the old file's name) the files in it, regardless of the write permission bits set on files.
If you do not use ACLs, there is a shell setting that determines the default permissions that you will get. What is that called?
umask
When creating a new file, some default permissions are set. What determines these default permissions
umask settings
With normal linux permissions, it does not allow you to give permissions to more than one user or one group in the same file, what can you use to give permission to more than one user or group?
use Access Control Lists
When using chmod -R o+rx /data , you set the execute permission on all directories as well as files in the /data directory. How can this command be modified to set the execute permissions to directories only and not to files?
use chmod -R o+rX /data . The uppercase X ensures that files will not get the execute permission unless the file has already set the execute permission for some of the entities.
To create and remove files in a directory, what permission do you need?
write
Where can u see the sticky bit using an output from the command, 'ls -l' ?
you can see sticky bit as a T at the position where you normally see the execute permission for others. drwxr-sr-T