Weight: 3
Description: Candidates should be able to control file access through the proper use of permissions and ownerships.
Key Knowledge Areas:
- Manage access permissions on regular and special files as well as directories
- Use access modes such as suid, sgid and the sticky bit to maintain security
- Know how to change the file creation mask
- Use the group field to grant file access to group members
Terms and Utilities:
- chmod
- umask
- chown
- chgrp
group
oldhorse@dclab-u1504s:~$ id
uid=1000(oldhorse) gid=1000(oldhorse) groups=1000(oldhorse),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),117(sambashare)
oldhorse@dclab-u1504s:~$ groups
oldhorse adm cdrom sudo dip plugdev lpadmin sambashare
root@dclab-u1504s:~# groups oldhorse
oldhorse : oldhorse adm cdrom sudo dip plugdev lpadmin sambashare
root@dclab-u1504s:~# id oldhorse
uid=1000(oldhorse) gid=1000(oldhorse) groups=1000(oldhorse),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),117(sambashare)
suid
An executable with the suid (set-user-ID) bit set runs as if it had been started by the file's owner, rather than by the user who really started it.
oldhorse@dclab-u1504s:~$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 51224 Apr 20 11:05 /usr/bin/passwd
sgid
When a directory has the sgid mode enabled, any files or directories created in it will inherit the group id of the directory.
root@dclab-u1504s:/home/oldhorse# chmod g+ws sub1
root@dclab-u1504s:/home/oldhorse# ls -l
total 1536
drwxrwsr-x 3 root root 4096 Oct 17 07:42 sub1
sticky
The sticky bit is represented symbolically by t and numerically as a 1 in the high-order octal digit.
Set on a directory, it permits only the owning user or the superuser (root) to delete or unlink a file.
root@dclab-u1504s:/home/oldhorse# ls -ld /tmp
drwxrwxrwt 8 root root 4096 Oct 17 08:29 /tmp

Access mode   Symbolic   Octal
suid          s with u   4000
sgid          s with g   2000
sticky        t          1000

find . -name sub1 -printf "%M %m %f\n"
drwxrwsr-x 2775 sub1

%m  File's permission bits (in octal). This option uses the 'traditional' numbers which most Unix implementations use, but if your particular implementation uses an unusual ordering of octal permission bits, you will see a difference between the actual value of the file's mode and the output of %m. Normally you will want to have a leading zero on this number, and to do this, you should use the # flag (as in, for example, '%#m').
%M  File's permissions (in symbolic form, as for ls). This directive is supported in findutils 4.2.5 and later.
%f  File's name with any leading directories removed (only the last element).
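The shell functions below are an added study aid, not part of the original notes and not taken from any distribution's tools; the function names are invented for this example. They decode a four-digit octal mode (what find's %m prints) into the symbolic string that ls -l and find's %M show, including the special bits. The point worth learning from them is the upper-case forms: an s or t in the execute position means the special bit is set together with execute, while S or T means the special bit is set without execute, a combination that is meaningless on an executable and usually signals a mistaken chmod.

```shell
#!/bin/sh
# Added example (not from the original notes): decode octal modes into the
# symbolic form used by ls -l and find -printf "%M". Pure POSIX sh arithmetic.

# bit_char VALUE MASK CHAR: print CHAR if MASK is set in VALUE, else '-'
bit_char() {
    if [ $(( $1 & $2 )) -ne 0 ]; then printf '%s' "$3"; else printf '%s' '-'; fi
}

# exec_char VALUE XBIT SBIT LOWER UPPER: the execute column shows
#   x      when only execute is set,
#   LOWER  (s or t) when execute and the special bit are both set,
#   UPPER  (S or T) when the special bit is set but execute is not.
exec_char() {
    value=$1; xbit=$2; sbit=$3; lower=$4; upper=$5
    if [ $(( value & sbit )) -ne 0 ]; then
        if [ $(( value & xbit )) -ne 0 ]; then printf '%s' "$lower"; else printf '%s' "$upper"; fi
    else
        bit_char "$value" "$xbit" x
    fi
}

# mode_to_symbolic OCTAL: e.g. 4755 -> rwsr-xr-x, 2775 -> rwxrwsr-x, 1777 -> rwxrwxrwt
# Masks in decimal: suid 4000 = 2048, sgid 2000 = 1024, sticky 1000 = 512,
# owner rwx = 256/128/64, group rwx = 32/16/8, other rwx = 4/2/1.
mode_to_symbolic() {
    m=$(( 0$1 ))   # a leading 0 makes shell arithmetic read the number as octal
    out="$(bit_char "$m" 256 r)$(bit_char "$m" 128 w)$(exec_char "$m" 64 2048 s S)"
    out="$out$(bit_char "$m" 32 r)$(bit_char "$m" 16 w)$(exec_char "$m" 8 1024 s S)"
    out="$out$(bit_char "$m" 4 r)$(bit_char "$m" 2 w)$(exec_char "$m" 1 512 t T)"
    printf '%s\n' "$out"
}

# has_special_bits OCTAL: exit 0 if suid, sgid or sticky is set (mask 7000 = 3584),
# the same condition an audit expresses with find's -perm /7000.
has_special_bits() {
    [ $(( 0$1 & 3584 )) -ne 0 ]
}

# Demonstration on constructed modes, including the suspicious 4644 (S without x).
for mode in 0644 4755 2775 1777 4644; do
    printf '%s  %s\n' "$mode" "$(mode_to_symbolic "$mode")"
done
```

Feed the functions real data with something like find's %m output to double-check what %M prints; the bit masks are the same ones the find manual's %m description refers to as the traditional ordering.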
chattr
root@dclab-u1504s:/home/oldhorse# touch keep.me
root@dclab-u1504s:/home/oldhorse# chattr +i keep.me
root@dclab-u1504s:/home/oldhorse# lsattr keep.me
----i--------e-- keep.me
root@dclab-u1504s:/home/oldhorse# rm -f keep.me
rm: cannot remove 'keep.me': Operation not permitted
root@dclab-u1504s:/home/oldhorse# chattr -i keep.me
root@dclab-u1504s:/home/oldhorse# rm -f keep.me
umask
root@dclab-u1504s:/home/oldhorse# umask
0022
root@dclab-u1504s:/home/oldhorse# umask
0022
root@dclab-u1504s:/home/oldhorse# umask -S
u=rwx,g=rx,o=rx
root@dclab-u1504s:/home/oldhorse# umask u=rwx,g=,o=
root@dclab-u1504s:/home/oldhorse# umask -S
u=rwx,g=,o=
root@dclab-u1504s:/home/oldhorse# umask
0077
root@dclab-u1504s:/home/oldhorse# umask 0022
root@dclab-u1504s:/home/oldhorse# umask
0022
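As an added example (not part of the original notes; the function names are invented here), the script below computes the mode a new file or directory receives under a given umask and then verifies the computation by actually creating a file and a directory in a throwaway temporary directory. The kernel starts from the mode the creating program asks for, 0666 for an ordinary file and 0777 for a directory made with mkdir, and clears every bit that is set in the umask (mode AND NOT umask). The "0666 - 027" shortcut in the quiz below gives the same answer only because no umask digit exceeds the corresponding base digit; the real operation is bitwise, which matters for a umask such as 0177.

```shell
#!/bin/sh
# Added example (not from the original notes): what umask does to new files.

# default_mode BASE UMASK: print BASE with the umask bits cleared, as 4-digit octal
default_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

# The two cases the exam asks about: files are requested with 0666, directories with 0777.
default_file_mode() { default_mode 0666 "$1"; }
default_dir_mode()  { default_mode 0777 "$1"; }

# observed_modes UMASK: create a file and a directory under UMASK in a temporary
# directory and print the two permission strings ls shows (file first, then dir).
# Run in a subshell so the caller's umask is untouched.
observed_modes() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && : > "$tmp/f" && mkdir "$tmp/d" ) || { rm -rf "$tmp"; return 1; }
    f=$(ls -ld "$tmp/f" | cut -c2-10)   # characters 2-10 are the rwx triplets
    d=$(ls -ld "$tmp/d" | cut -c2-10)
    rm -rf "$tmp"
    printf '%s %s\n' "$f" "$d"
}

# Demonstration: the default 0022, the quiz value 0027, and the private 0077.
for u in 0022 0027 0077 0177; do
    printf 'umask %s: file %s dir %s, observed: %s\n' "$u" \
        "$(default_file_mode "$u")" "$(default_dir_mode "$u")" "$(observed_modes "$u")"
done
```

A umask set in a shell affects only that shell and the processes it starts; a service that creates world-readable files usually has its umask set in its unit file or init script, which is where to look when auditing such a finding.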
Quiz questions 1
1. What is the effect of setting the sticky bit for a file?
2. What is the meaning of chmod 640 filename?
3. Which users may change the permissions on a given file?
4. What are the default permissions for a file and for a directory when the umask is 0027?
5. What is the effect of the set group-id bit for a directory?
6. Which filesystems support chattr and lsattr?

Answers to quiz questions
1. Nothing happens, except that the sticky bit is set.
2. Set permissions to rw-r----- for the file.
3. Root and the file owner. Not group members.
4. For a file 0666 - 027 = 0640 (rw-r-----), for a directory 0777 - 027 = 0750 (rwxr-x---).
5. Files and directories in the directory receive the group of the directory.
Quiz questions 2
6. Under what circumstances would one use the command chmod 2775 directoryname?
7. Which users may change the group of a file?
8. Which users may change the ownership of a file?

Answers to quiz questions
6. To set the directory to give its group away to all the files created in it.
7. The owner and root.
8. Only root.