
Wednesday, 20 August 2014

Permissions and Special Permissions

MANAGE FILE OWNERSHIP AND PERMISSIONS

Ownership

  • chown
  • chgrp
Permissions
  • files and folders
  • chmod
  • umask
Special Permission
  • SUID (Set User ID)
  • SGID (Set Group ID) and
  • Sticky Bit
=======================================================================
OWNERSHIP:

-rwxr--r-- 1 student admin 4096 Aug 21 10:11 myfile.txt

Here the file myfile.txt is owned by user student and its group is admin. To change the owner of this file, we use the chown command.

# chown root myfile.txt


Now check by listing:

# ls -l
-rwxr--r-- 1 root admin 4096 Aug 21 10:11 myfile.txt

The owner "student" has changed to "root". Likewise, to change the group of this file we use the chgrp command.


# chgrp spower myfile.txt

Now check by listing:
# ls -l
-rwxr--r-- 1 root spower 4096 Aug 21 10:11 myfile.txt

Here you can see that the owner has changed from "student" to "root" and the group from "admin" to "spower".




root: For root the default permission of a directory is 755 and of a file is 644.
normal user: For a normal user the default permission of a directory is 775 and of a file is 664.


Full permission for everything is 777. So how are these default permissions set? They come from the umask value.

Default Permission = Full Permission - Umask Value

For root the umask value is 0022 and for a normal user it is 0002. To change the default permission, change the umask value in the file /etc/bashrc.
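As an added example (not from the original post), this POSIX shell function computes the default permission the way the kernel does, by clearing the umask bits instead of subtracting, and then creates a real file and directory under a given umask to confirm it. It assumes a base of 777 for directories and 666 for files (files are never created executable), which is exactly what yields the 755/644 and 775/664 defaults above, and it assumes GNU coreutils for stat -c; default_mode and created_modes are names chosen here.

```shell
#!/bin/sh
# Default permission of a new file or directory under a given umask.
# The kernel computes mode = base & ~umask; for the common masks 022 and
# 002 this agrees with "full - umask", but a mask such as 027 applied to a
# file base of 666 only makes sense as bit clearing (666 & ~027 = 640).
default_mode() {
    # $1 = base (777 for a directory, 666 for a file), $2 = umask.
    # The '0' prefix makes $(( )) read both values as octal.
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Create a file and a directory under umask $1 in a scratch directory
# and report the modes the kernel actually assigned (uses GNU stat -c).
created_modes() {
    scratch=$(mktemp -d)
    ( umask "$1"; : > "$scratch/f"; mkdir "$scratch/d" )
    printf '%s %s\n' "$(stat -c %a "$scratch/f")" "$(stat -c %a "$scratch/d")"
    rm -rf "$scratch"
}

# Root's default (umask 022) and a normal user's default (umask 002).
echo "root   file/dir: $(default_mode 666 022) $(default_mode 777 022)"
echo "user   file/dir: $(default_mode 666 002) $(default_mode 777 002)"
echo "umask 027 gives: $(created_modes 027)"
```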


chmod: Change File Mode Bits

We use chmod command to change permissions of a file or directory.

For example:

drwxr-xr-x 1 root root 4096 Aug 21 10:11 mydir

user: rwx: 4+2+1 = 7
group: r-x: 4+1 = 5
other: r-x: 4+1 = 5

In this example the permission of mydir is 755. If we want to change it so that group members can only read this directory and others can do nothing (neither read, write nor execute), we use the chmod command to set permission 740.


user: rwx: 4+2+1 = 7
group: r--: 4+0+0 = 4
other: ---: 0+0+0 = 0

# chmod 740 mydir

# ls -l
drwxr----- 1 root root 4096 Aug 21 10:11 mydir

========================================================================

SPECIAL PERMISSION:
There are three kinds of special permission:

  1. SUID
  2. SGID and
  3. Sticky Bit

1. SUID:
If the SUID bit is set on a file and a user executes it, the process has the same rights as the owner of the file being executed. Some users say it means Super User ID, but it is actually Set User ID. This bit can be set on executable files. Some files can be executed only by root, but root can allow a normal user to execute them by setting this permission. This is really very dangerous, because the file can then be run by users who do not have root access.


Implementation of SUID on file:
Method 1:

# chmod u+s tecadmin.txt

# ls -l tecadmin.txt
-rwsr-xr-x 1 root root 0 Mar  8 02:06 tecadmin.txt

Method 2:


# chmod 4655 tecadmin.txt

# ls -l tecadmin.txt

-rwSr-xr-x 1 root root 0 Mar  8 02:06 tecadmin.txt

For example, every user can switch to another user because SUID is set on the /bin/su file:


[root@server1] # ll /bin/su

-rwsr-xr-x 1 root root 36440 Jan 14 2010 /bin/su

Here the s shows that SUID is enabled on this file, which is why every user can switch to another user. If we remove this bit, no normal user can switch to another user (root, of course, still has full access).

[root@server1] # chmod u-s /bin/su

-rwxr-xr-x 1 root root 36440 Jan 14 2010 /bin/su

Now check switching as a normal user:

[student@server1] $ su - user1

Password: <type password of user1 and press enter>
su:  incorrect password

========================================================================

2. SGID:
Same as SUID, the process has the same group rights as the file being executed. If the SGID bit is set on a directory, all subdirectories and files created inside it get the same group ownership as the directory, no matter who creates them.

Implementation of SGID on directory:
# chmod g+s /test/
# ls -ld /test
drwxrwsrwx 2 root root 4096 Mar  8 03:12 /test

Now switch to another user and create a file in the /test directory.
# su - tecadmin
$ cd /test/
$ touch tecadmin.net.txt
$ ls -l tecadmin.net.txt
-rw-rw-r-- 1 tecadmin root 0 Mar  8 03:13 tecadmin.net.txt

For example, we create a directory /data and also a group grp1, then change the directory's group owner from root to grp1. If we want every file or directory created in it from now on to have group ownership grp1, we set SGID like this:

# mkdir /data          //to create the /data directory
# ls -l /
drwxr-xr-x.  2  root  root  4096  Aug  20  14:18  /data
# groupadd grp1          //to create the group
# chgrp grp1 /data          //to change the group owner of /data
# ll -d /data
drwxr-xr-x.  2  root  grp1  4096  Aug  20  14:18  /data

=> Now we set SGID and full permission for the group grp1:


# chmod  2775  /data

drwxr-sr-x.  2  root  grp1  4096  Aug  20  14:18  /data

# touch  /data/file1.txt
# mkdir  /data/newdir

# ll  /data
drwxr-sr-x.  2  root  grp1  4096  Aug  20  14:28  newdir
-rw-r--r--.  1  root  grp1  0  Aug  20  14:28  file1.txt

========================================================================
Sticky Bit:
The sticky bit is used to set a special permission on files and directories. A directory with the sticky bit enabled restricts deletion of the files inside it: a file can then be removed only by root, by the owner of the file, or by someone who has write permission on it. This is useful for publicly accessible directories like /tmp.

Implementation of Sticky bit on file:

Method 1:
# chmod  o+t  tecadmin.txt
# ls -l  tecadmin.txt
-rw-r--r-T  1  root  root  0  Mar  8  02:06  tecadmin.txt

Method 2:
# chmod  1777  tecadmin.txt
# ls -l  tecadmin.txt
-rwxrwxrwt  1  root  root  0  Mar  8  02:06  tecadmin.txt
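The uppercase S in the chmod 4655 listing under SUID Method 2 and the uppercase T in the chmod o+t listing above mean the special bit is set but the matching execute bit is not; lowercase s and t mean both are set. The following POSIX shell example, added here and not part of the original post, decodes the mode column of ls -l into an octal mode including the SUID, SGID and sticky bits, then sets all three on a scratch file to check the decoder against real ls output; mode_to_octal and show_special_bits are names chosen here.

```shell
#!/bin/sh
# Decode the 10-character mode column of `ls -l` (e.g. -rwsr-xr-x) into
# an octal mode such as 4755. Position 2 carries SUID, 5 carries SGID
# and 8 carries the sticky bit; lowercase s/t also set the execute bit
# at that position, uppercase S/T do not.
mode_to_octal() {
    rest=${1#?}              # drop the file-type character (- or d)
    special=0 perms=0 pos=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of what is left
        rest=${rest#?}
        bit=$(( 1 << (8 - pos) ))
        case $c in
            r|w|x) perms=$((perms | bit)) ;;
            s|S) if [ $pos -eq 2 ]; then special=$((special | 4))
                 else special=$((special | 2)); fi
                 if [ "$c" = s ]; then perms=$((perms | bit)); fi ;;
            t|T) special=$((special | 1))
                 if [ "$c" = t ]; then perms=$((perms | bit)); fi ;;
        esac
        pos=$((pos + 1))
    done
    printf '%o%03o\n' "$special" "$perms"
}

# Set SUID, SGID and sticky on a scratch file that has no execute bits,
# so ls shows S, S and T, and return the decoded mode (expected 7644).
show_special_bits() {
    dir=$(mktemp -d)
    : > "$dir/f"
    chmod 0644 "$dir/f"
    chmod u+s,g+s,o+t "$dir/f"
    out=$(mode_to_octal "$(ls -l "$dir/f" | cut -c1-10)")
    rm -rf "$dir"
    printf '%s\n' "$out"
}

for m in -rwsr-xr-x -rwSr-xr-x drwxrwsrwx -rw-r--r-T -rwxrwxrwt; do
    echo "$m -> $(mode_to_octal "$m")"
done
echo "scratch file with u+s,g+s,o+t -> $(show_special_bits)"
```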

For example, there is a directory /data with full permission. Every user, including root, has some files in it. Because the directory has full permission, a normal user can also delete, move or update another user's files. To protect our files from other users we can use the sticky bit.

# mkdir  /data
# chmod  777  /data
# touch  /data/file{1,2}.txt

# su - student
$ touch /data/file{3,4}.txt
$ exit

# ls -l /data
This shows file1.txt and file2.txt created by user root and file3.txt and file4.txt created by user student. As the directory /data has full access, the student user can delete root's file, like this:

$ rm  /data/file1.txt
rm: remove write-protected regular empty file '/data/file1.txt'?          //here type y and press enter

=> To protect our files from other users we set the sticky bit:

# chmod o+t /data
drwxrwxrwt  2  root  root  4096  Mar  8  02:06  /data

Now try to delete root's file file2.txt as user student:


$ rm  /data/file2.txt

rm: remove write-protected regular empty file '/data/file2.txt'?          //here type y and press enter
rm: cannot remove '/data/file2.txt' : Operation not permitted

Now a user cannot delete, move or update root's files while the sticky bit is on. Hence your files are safe.


=====================================================================

Thanks for reading this article...
