Lesson 3: Permissions and Ownership
Permission String
(First part of the row) drwxr-xr-x DirA/+/. - The first letter indicates the type of file(d for directory, and "-" for file) - The 2nd, 3rd, and 4rth letters denote the owner's permissions. - The 5th, 6th, and 7th positions denote group permissions. - The 8th, 9th, and 10th letters denote other permissions. - The last characters indicate the access method for a file. (.) for SELinux security context and (+) for any other combination of alternative access methods.
Permission Contexts
- Owner(u) : Owner of the file or directory, or referred to as the user. - Group(g) : FILE or DIRECTORY's group including all users belonging to that group. - Other(o) : All other users(neither owner nor group member)
Group Membership Troubleshooting 2
- The "lid" and "libuser-lid" commands are pre-installed on some distributions and can retrieve all members of a group, including members whose primary group is the group being searched for. - The "getent" command, available on some distributions, enables you to retrieve group members of non-standard authentication methods.
All users are able to delete a file, but they should only be able to write to it.
Cause - By default, the write and execute permissions on directories enable users to delete the objects therein. Solution - Add the sticky bit permission to the container directory so that only the owner or root can delete the file.
A user is denied permission to change the contents of a script, even though they have the ability to execute that script.
Cause - Like with any other file, the user needs write permission in order to change a script's contents. Solution - Use chmod to add write permission to the script for the appropriate context.
Ownership Troubleshooting When a user creates files in a shared directory, the files take on the directory's group ID, when they should take on the user's group ID.
Cause - The SGID permission is set on the shared directory so that new files inherit the directory's group ID. Solution - Use chmod to remove the SGID permission on the containing directory, disabling inheritance of the directory's group ID.
Permission Attributes r, w, x
Read - Files: Access and view files - Directories : Permission to list contents of a directory Write - Files: Permission to save changes to a file. - Directories : Permission to create, rename, and delete files in a directory. (Requires "execute" attribute) Execute - Files: Permission to run a script, program, and/or other software. - Directories : Permission to access a directory and execute a file or perform a task on that directory. (ex. a search)
Default Permissions
When created by the root user... • Files : the default permissions are 644 • Directories : the default permissions are 755 - In the case of users with limited access rights Linux assigns permissions of 664 of newly created FILES and 775 for newly created DIRECTORIES. (Default permissions can be altered by the root user)
Access Control List
a list of permissions attached to an object. - ACLs enable you to assign permissions to individual users or groups even if these do not correspond to the object's owner or group. EX. If Group1 needs r/w/x to a directory while Group2 needs r/x by using ACLs you can grant different levels of access to different users, groups, and even processes. (a more granular level of control)
SGID(set group ID)
the permission that allows a user to have similar permissions as the group owner of the file. - SGID can be set on directories, any 'subdirectories' created will automatically INHERIT the SGID permissions. Files/Subdirectories will inherit the group id - Can be checked with ls -al, in the execute position for the group as s.
SUID(set user ID)
the permission that allows a user to have similar permissions as the owner of the file. - Instead of granting permissions individually, the passwd command is configured so that any user will execute it as root(the owner), gaining additional services. - Can be checked with ls -al, in the execute position for the owner as s
chgrp Command
used to change the group ownership of a file/directory. -In doing this you ensure that the group permissions are applied to the specific group.
chown Command
used to change the owner, the group, or both for a file or directory. with the -R option, one can change the ownership constantly(recursively) through a directory structure.
Troubleshooting Models II Theory, Plan, Solution, Verify, and Document
3) - When the theory is confirmed, determine the next steps to resolve the problem. - If the theory is not confirmed, establish a new theory or escalate the issue. 4) - Establish a plan of action to resolve the problem, while identifying the potential effects of you plan 5) Implement the solution, or escalate the issue. 6) Verify full system functionality and, if applicable, implement preventative measures. 7) Document your findings, actions, and the outcomes.
COMMON Permissions in Different Modes
ABSOLUTE MODE SYMBOLIC MODE 755 u=rwx, g=rx, o=rx 700 u=rwx, g= f*k all, o= f*k all 644 u=rw, g=r, o=r 600 u=rw, g= f*k all, o= f*k all * files can have four digits (the first one usually being 0)
chmod ABSOLUTE Mode
Absolute mode uses octal(base-8) numbers to specify permissions. Each permission(r/w/x) is associated with a number. OCTAL # ATTRIBUTE 4 Read 2 Write 1 Execute - Full permissions : 7 - Read/Write : 6 Each permission belongs to the user, group and others respectively EX. 700 (full permissions for users, no permissions for groups, no permissions for others)
umask Command
Alters the default permissions on newly created files and directories via octal numeric format. By subtracting/clearing from the default. EX. Original(666) umask 022 -> New(644)
The Immutable Flag
An attribute of a file/directory that prevents it from being MODIFIED, even by the root user. - No one can delete, rename, or write to an immutable file. A careless user will not be able to delete the immutable file. - A flag is not set on all files, one directory can have mutable and immutable files. Also an immutable subdirectory can have mutable files. - With ls -al(list attributes) the lowercase i indicates the immutable flag is set.
chmod Symbolic Mode
Symbolic mode enables you to see permissions using three components: - Permission contexts : u(users)/g(groups)/o(others)/a(all of the above) - Permission operators : +(grants permissions)/-(denies permissions)/=(assigns permissions as provided, doesn't add or subtract) - Permission attributes : r/w/x EX. chmod u+rw, g+rw examplefile (give users and groups read/write privileges to examplefile)
File Attributes
one or more attributes that files have that define how the system interacts with those files. - These attributes enable you to customize what the system is and is not allowed to do with a file. *Some examples include: - Only allowing a file to be opened in append mode for writting - Set a file to be compressed automatically - Save a file if it's deleted, providing an opportunity for it to be recovered. - Make a file immutable
Ownership
refers to the property by which a user can apply and modify the permissions of a file or directory. -By default the owner is the one who created the file/directory, other than the superuser no one can change the permissions. -Owners can also alter advanced & special permissions.
Group Membership Troubleshooting
- Some issues arise because, despite having configured permissions and ownership correctly, the user may not be placed in the correct group. So... ...Use the groups {user name} command to discover what groups a user is a member of. - When a user creates files, the default owning group is not what is expected. So... ...Use the usermod command to change group membership when applicable. JUST Make sure the expected group is the user's primary group, rather than a secondary group
Troubleshooting Permission Issues II Ensure users do not have permissions that... Ensure objects don't have the... Set the SUID permission on an executable if... Set the sticky bit when you...
...enable them to access files beyond what they should have. ...immutable flag set if you expect to modify them. ...you need to run it with root permissions for it to function properly. ...only want the owner and root to be able to delete an object.
Troubleshooting Permission Issues I Follow an overall troubleshooting strategy... Follow a step-by-step... Start by verifying an object's... Ensure users have the permissions to...
...for any kind of troubleshooting task. ...troubleshooting model that can produce repeatable and demonstrable results. ...permissions and ownership using the "ls -al" command. ....work with a file if they are being denied access.
Troubleshooting Permission Issues III - Ensure objects have the... - Set the SGID permission on a... - Use the "groups {user name}"command to... Modify group membership when necessary to... Acquire and use tools like...
...proper owner and owning group set. ...directory when you want new files to take on that directory's group ownership. ...verify the groups a user is a member of. ...ensure access or a lack thereof for specific users. ...lid and getent to view members of a specific group.
ls -l command descriptions
1) identifies if the item is a file or directory. Along user, and/or group with the access method 2) Number of links. Files have at least 1 link Directories have links + 2(directory itself & parent) 3) Displays the owner of the file/directory. 4) Displays any groups that have access to this directory/file. 5) Lists the size in bytes, of the file/directory. 6) Date/Time the file was created or last modified 7) Displays the file/directory name.
A user is denied permission to remove a file, despite having full permissions on that file.
Cause - A user is denied permission to remove a file, despite having full permissions on that file. Solution - Use chmod to add write permission to the directory for the proper context.
Ownership Troubleshooting A user is unable to access a file, despite the owner context having full permissions.
Cause - The directory's owning group is not the same as the user's group. Solution - Use the chgrp command you make the directory's owning group the same as the user's.
A user is denied permission to execute a script that they themselves created.
Cause - The execute permission is not automatically set for new files. Solution - Use chmod to add execute permission to the script for the file owner.
Ownership Troubleshooting Several users are able to modify a file despite the others context only having read permission.
Cause - The file's owning group is set to the same group that these users are members of. Solution - Use chgrp to change the file's owning group to some other group.
A user is denied permission to create files in a directory they have write and execute permission to.
Cause - The immutable flag is set on the directory. Solution - As root, remove the immutable flag from the directory using the chattr command.
Ownership Troubleshooting A user is unable to access a file, despite the owner context having full permissions.
Cause - The user is not the owner of the file. Solutions - Use the chown command to make the user the owner of the file.
A user is denied permission to remove a directory, despite having write permission.
Cause - The user needs both write and execute permission to modify a directory. Solution - Use chmod to add execute permission to the directory for the appropriate context.
Ownership Troubleshooting When a user creates files in a shared directory, the files take on the user's group ID, when they should take on the directory's group ID.
Cause - By default, files created by a user take on that user's group ID. Solution - Use chmod to set the SGID permission on the containing directory so that all new files inherit the directory's group ID.
The owner of a text file is denied permission to view the contents of the text file.
Cause - Despite being the owner, the user is not explicitly granted read access. Solution - Use chmod to grant read privileges to the owner context.
The root user is denied permission to modify a file
Cause - The immutable flag is set on the file. Solution - As root, remove the immutable flag from the file using the chattr command.
All users have the ability to list the contents of a directory, when only the owner, group members, and a specific service account should.
Cause - The read permission is set on the directory for the others context. Solution - Remove read permission from the others context. Add the service account to the directory's ACL using the setfacl command, granting the account read access.
A user is denied permission to execute a script, despite having execute permission.
Cause - The user also needs read permission in order to execute a script. Solution - Use chmod to add read permission to the script for the appropriate context.
A user is denied permission to enter into a directory, despite having read permission.
Cause - The user needs execute permission to change to a directory. Solution - Use chmod to add execute permission to the directory for the appropriate context.
Troubleshooting Models I Identify, Question, And Obvious
Identify the problem. This stage includes: - Gathering information - Duplicating the problem, if possible. 1) - Questioning users to gain experiential information. - Identifying the symptoms - Determining if anything has changed. - Approaching multiple problems individually. Establish a theory of probable cause. This stage includes : 2) - Question the obvious. -Considering multiple approaches. - Looking for not just a cause, but the root cause. Test the theory to determine the cause.
Permissions
access rights assigned to users, which enable them to access or modify certain files and directories. This mitigates risk by ensuring users have access to what they need in order to do their job.
ACL Specification
can be formatted in one of several ways : - when working with users, the format is u:{username}:{permissions} - when working with groups, the format is g:{group name}: {permissions} EX. - To modify the ACL on a directory where the user http is given read access: setfacl -m u:http:r-- /home/directory
Sticky Bit
special permission bit that provides protection for files in a directory. It ensures that only the owner of a file or directory(root) can delete the file/directory. - Can be checked with ls -al, in the execute position as t or T. * If you need to protect specific FILES, you need to apply the sticky bit on the directory that contains them. As Linux kernels ignore sticky bits on files.
Special Permissions
used when normal permissions become inadequate. - Grants special privileges to less privileged users in a limited context. EX. allows others to execute a file by assuming the privileges of the file's owner/group.