- POSIX based file permissions пришли еще с UNIX (поэтому актуальны и для MacOS), они определили формат назначания прав read/write/execute для user/group/others; подробнее ниже
- ACL based file permissions позволяют назначать разные права для разных пользователей и групп, в отличии от классического POSIX подхода; подробнее ниже
- Удобный калькулятор разрешений в десятичом виде в зависимости от типа прав (r/w/e) и scope (u/g/o)
- Грамотные админы в повседневной работе не работают из под root, а заходят в эту учетку только если нужно что-то сделать – защита от случайных поломок, безопасность (как минимум пароль нужно ввести для входа под root)
- Изначально ownership придуман чтобы собственник даже в случае некорректной установки прав не потерял доступ
sudo/su
su – тоже самое что su root. Нужно вводить пароль root, а не свой, даже если у тебя есть права sudo.
~ ll /usr/bin/su
-rwxr-xr-x 1 root root 32072 Aug 2 20:12 /usr/bin/su
sudo -i -u root – нужно вводить свой пароль, а не root.
ACL based file permissions
ACL based permissions – file access control lists (FACL) – позволяют назначать разные права для разных пользователей и групп, в отличии от классического POSIX подхода, где
- для назначения двух групп для одного файла требуется создание третьей группы, которая будет включать две целевые группы (nested groups), причем сделать разные права для этих вложенных групп не получится
- назначить же несколько пользователей неполучится никак (только через группы)
Причем FACL живут одновременно с POSIX правами, можно назначать одного пользователя/группу в posix, остальных в ACL. На практике обычно создателя файла назначают в posix как пользователя владельца и его группу как группу владельца, а все остальные в ACL – это позволяет в одном месте управлять всем.
Чаще всего FACL поддерживаются на уровне дистрибутива, но включены или нет FACL зависит от дистрибутива, при этом инструменты управления одинаковые между дистрибутивами. Управление включением/отключением FACL происходит посредством указания флага при монтировании раздела. Посмотреть отключена (она часто включена по умолчанию, например в ubuntu) ли опция обычно можно в file system table (fstab):
# cat /etc/fstab # /etc/fstab: static file system information. # # Use 'blkid' to print the universally unique identifier for a # device; this may be used with UUID= as a more robust way to name devices # that works even if disks are added and removed. See fstab(5). # # <file system> <mount point> <type> <options> <dump> <pass> # / was on /dev/sdb1 during installation UUID=48711f5b-89da-4c2c-b4f8-49c5d92945cb / ext4 errors=remount-ro 0 1 # swap was on /dev/sdb5 during installation UUID=e7717451-7951-4f3e-94d5-40bd83943003 none swap sw 0 0
# df -h
Filesystem Size Used Avail Use% Mounted on
udev 16G 0 16G 0% /dev
tmpfs 3.2G 342M 2.8G 11% /run
/dev/sda1 915G 17G 852G 2% /
# tune2fs -l /dev/sda1
tune2fs 1.44.5 (15-Dec-2018)
Filesystem volume name: <none>
Last mounted on: /
Filesystem UUID: 48711f5b-89da-4c2c-b4f8-49c5d92945cb
Filesystem magic number: 0xEF53
Filesystem revision #: 1 (dynamic)
Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum
Filesystem flags: signed_directory_hash
Default mount options: user_xattr acl
Filesystem state: clean
Errors behavior: Continue
Filesystem OS type: Linux
Inode count: 60989440
Block count: 243940096
Reserved block count: 12197004
Free blocks: 236242783
Free inodes: 60813007
First block: 0
Block size: 4096
Fragment size: 4096
Group descriptor size: 64
Reserved GDT blocks: 1024
Blocks per group: 32768
Fragments per group: 32768
Inodes per group: 8192
Inode blocks per group: 512
Flex block group size: 16
Filesystem created: Wed Mar 17 15:13:45 2021
Last mount time: Wed Dec 27 20:00:13 2023
Last write time: Wed Dec 27 20:00:11 2023
Mount count: 64
Maximum mount count: -1
Last checked: Wed Mar 17 15:13:45 2021
Check interval: 0 (<none>)
Lifetime writes: 416 GB
Reserved blocks uid: 0 (user root)
Reserved blocks gid: 0 (group root)
First inode: 11
Inode size: 256
Required extra isize: 32
Desired extra isize: 32
Journal inode: 8
Default directory hash: half_md4
Directory Hash Seed: 3c32a2d8-b166-4a58-b8b3-49cd6136c939
Journal backup: inode blocks
Checksum type: crc32c
Checksum: 0xd51c8574
Для назначения и просмотра facl используются команды setfcl и getfacl.
Индикатором использования facl в выводе ls -l является знак «+» в конце списка прав – т.е. в дополнение к индикатору прав execution для всех будет символ плюса. И это логично – значит чтобы посмотреть все разрешения нужно использовать getfacl команду.
# ls -l
-rw-rwxr--+ 1 root root 4 Jun 9 16:48 sw
setfacl
setfacl -m – modify (аналог + chmod); даем права на rw пользователю redkin_p для файла somefile (в примере sw)
apt install acl
setfacl -m u:redkin_p:rwx sw setfacl -m u:user:rw sw groupadd marketing setfacl -m g:marketing:rw sw
команда так же прекрасно работает и на директории (в примере test) – с синтаксисом как на файл назначается именно на директорию, не наследуется; но можно сделать наследование (directory default), указав перед типом прав d. Тогда новые файлы (не старые или перемещенные move) в директории будут по умолчанию получать те права, которые мы укажем. Кроме того можно указать маску/mask (по умолчанию rwx), которая позволит задать максимальные права для файлов в директории – даже если права пользователя выше прав в mask, по факту пользователь сможет использовать mask права.
setfacl -m u:redkin_p:rwx test # без наследования setfacl -m d:u:redkin_p:r test # с наследованием
setfacl -s – replace (аналог = chmod)
setfacl -x – remove (аналог – chmod)
getfacl – смотрим разрешения.
# getfacl sw # file: sw # owner: root # group: root user::rw- user:user:rw- user:redkin:rwx group::r-- group:marketing:rw- mask::rw- other::r-- # getfacl test # file: test # owner: root # group: root user::rwx group::r-x other::r-x default:user::rwx default:user:redkin:r-- default:group::r-x default:mask::r-x default:other::r-x
Permissions
Permissions are set on files and directories to restrict their access to authorized users only. Users are grouped into three distinct categories. Each user category is then assigned required permissions.
The user mask may be defined for individual users so that the new files and directories they create always get preset permissions.
Every file in Linux has an owner and a group associated with it.
FILE PERMISSIONS
Access permissions on files and directories allow administrative control over which users (permission classes) can
access them and to what level (permission types). File and directory permissions discussed in this section are referred
to as standard ugo/rwx permissions.
Permission Classes
Users are categorized into three unique classes for maintaining file security through access rights
- User (u) The owner of file or directory. Usually, the file creator is its owner.
- Group (g) A set of users that need identical access on files and directories that they share. Group information is maintained in the /etc/group file and users are assigned to groups according to shared file access needs.
- Others (o) All other users on the system except for the owner and group members. Also called public
Permission Types
Permissions control what actions can be performed on a file or directory and by whom. There are three types of permissions
- Read (r) – Let us view file/directory contents. Let us copy file (not directory).
- Write (w) – Allow us to modify the contents – create/remove/rename file/directory and subdirectories.
- Execute (x) – Lets us execute a file. Let us to cd into the directory.
Permission Modes
A permission mode is used to add, revoke, or assign a permission type to a permission class.
- Add (+) Allocates permissions.
- Revoke (-) Removes permissions.
- Assign (=) Allocates permissions to owner, group members, and public at once.
We can view permission settings on files and directories using the ll command. This information is enclosed in the first
column of the command output. The first character indicates the type of file: d for directory, – for regular file, l for
symbolic link, c for character device file, b for block device file, p for named pipe, s for socket, and so on. The next
nine characters—three groups of three characters—show the read (r), write (w), and execute (x) permissions for the
three user classes: user (owner), group, and others (public), respectively. The hyphen character represents a permission
denial for that level.
chatr
To apply attribute-based protection, we’ll use the chattr command to prevent the file from being deleted or modified:
$ lsattr -l permissions.txt
permissions.txt Extents
$ chattr +i permissions.txt
$ lsattr -l permissions.txt
permissions.txt Immutable, Extents
# rm sw
rm: невозможно удалить 'sw': Операция не позволена
~# cat > sw
-bash: sw: Операция не позволена
Modifying Access Permissions
- chmod command accepts the –v option to display what it has changed
Linux provides the chmod command to modify access rights on files and directories. It works identically for both files
and directories. chmod can be used by root or the file owner, and can modify permissions specified in one of two ways:
symbolic or octal. Symbolic notation uses a combination of letters and symbols to add, revoke, or assign permissions to
each class of users. The octal notation (a.k.a. the absolute notation), on the other hand, uses a three-digit numbering
system ranging from 0 to 7 to express permissions for the three user classes.
The right-most position has weight 1, the middle position carries weight 2, and the left-most position has 4. If we
assign a permission of 6, for example, it would correspond to the two left-most digit positions. Similarly, a permission
of 2 would point to the middle digit position only.
Изменение атрибутов для нескольких групп текстом.
chmod u=rwx,g=,o=
umask u=rwx,g=,o=
Notation
x - вес 1 w - вес 2 wx - вес 3 r - вес 4
Мне кажется symbolic notation намного лучше Octal в случае добавления/удаления прав для отдельной группы и немного лучше в случае редактирования прав для всех групп.
Add the execute permission for the owner ~ chmod u+x test -v mode of ‘test’ changed from 0444 (r--r--r--) to 0544 (r-xr--r--) ~ chmod 544 test -v mode of ‘test’ changed from 0444 (r--r--r--) to 0544 (r-xr--r--) Add the write permission for group members and public and verify ~ chmod go+w test ~ chmod 766 test Remove the write permission for the public ~ chmod o-w test ~ chmod 764 test Assign read, write, and execute permissions to all three user categories ~ chmod a=rwx test ~ chmod 777 test
Default Permissions
Linux assigns default permissions to a file or directory at the time of its creation. Default permissions are calculated based on the umask (user mask) permission value subtracted from a preset value called initial permissions.
The umask is a three-digit value that refers to read/write/execute permissions for owner, group, and public. Its purpose
is to set default permissions on new files and directories created without touching the existing files and directories. In RHEL, the default umask value is set to 0022 for the root and other system users and 0002 for all regular users with bash shell assigned. Note that the left-most 0 has no significance. Run the umask command without any options and it will display the current umask value:
Change the umask value.
~ umask u=rwx,g=r,o=w ~ umask 0035 ~ umask 0035 ~ umask 0035
The pre-defined initial permission values are 666 (rw-rw-rw-) for files and 777 (rwxrwxrwx) for directories. Even if the umask is set to 000, the new files will always get a maximum of 666 permissions, and we use the chmod command to add executable bits explicitly if desired.
Consider the following example to calculate the default permission values on files for regular users:
666 (init) – 002 (mask) = 664 (permissions)
This indicates that every new file will have read and write permissions assigned to the owner and the owning group,
and a read-only permission to others.
To calculate default permission values on directories for regular users:
777 (init) – 002 (mask) = 775 (permissions)
Now, if you wish to have different default permissions set for new files and directories, you need to modify the umask.
You first need to determine the desired default values. For instance, if you want all your new files and directories to get 640 and 750 permissions, respectively, you can set the value to 027 as follows:
$ umask 027
The new value becomes effective right away, and it will only be applied to files and directories created thereafter. The
existing files and directories will remain intact. Now create file10 and dir10 as user1 under /home/user1 to test the
effect of the new umask.
$ touch file10 $ ll file10 -rw-r-----. 1 user1 user1 0 Dec 1 08:48 file10 $ mkdir dir10 $ ll –d dir10 drwxr-x---. 2 user1 user1 6 Dec 1 08:48 dir10
The above examples show that the new file and directory were created with different permissions. The file got (666 –
027 = 640) and the directory (777 – 027 = 750) permissions. The umask value set at the command line will be lost as soon as you log off. In order to retain the new setting, place it in an appropriate shell startup files.
File Ownership and Group Membership
In Linux, every file and directory has an owner. By default, the creator assumes ownership but this may be altered and
allocated to a different user if required.
Similarly, every user is a member of one or more groups. A group is a collection of users with common requirements. By default, the owner’s group is assigned to a file or directory.
The following ll command output shows the owner and the owning group for file file10:
$ ll file10
-rw-r-----. 1 user1 user1 0 Dec 1 08:48 file10
The output indicates that the owner of file10 is user1 who belongs to group user1. If you wish to view the corresponding UID and GID instead, you can specify the –n option with ll:
$ ll –n file10
-rw-r-----. 1 1000 1000 0 Dec 1 08:48 file10
CHOWN/CHGRP
Linux provides the chown and chgrp commands that you can use to alter ownership and owning group for files and
directories. you must be root to make these modifications (даже текущий собственник не может менять – защита что создашь скрипт от имени пользователя и убедишь этого пользователя этот скрипт запустить).
Create user accounts user100 and user200:
redkin.p@govnoserver:~$ sudo useradd test_user
redkin.p@govnoserver:~$ sudo useradd test_user2
redkin.p@govnoserver:~$ ll sw
-rw-rw-r-- 1 redkin.p redkin.p 0 авг. 8 19:13 sw
modify the ownership on file10
redkin.p@govnoserver:~$ sudo chown test_user sw
redkin.p@govnoserver:~$ ll sw
-rw-rw-r-- 1 test_user redkin.p 0 авг. 8 19:13 sw
Change the owning group
redkin.p@govnoserver:~$ sudo chgrp test_user sw redkin.p@govnoserver:~$ sudo chown :test_user sw redkin.p@govnoserver:~$ ll sw -rw-rw-r-- 1 test_user test_user 0 авг. 8 19:13 sw
Assign both ownership and owning group
redkin.p@govnoserver:~$ sudo chown test_user2:test_user2 sw redkin.p@govnoserver:~$ ll sw -rw-rw-r-- 1 test_user2 test_user2 0 авг. 8 19:13 sw
Change both ownership and group membership recursively on directory
chown -R owner_name:group_name folder_name
Special Permissions
Linux offers three types of special permission bits that may be set on executable files or directories to allow them to respond differently for certain operations. These permission bits are:
setuid (set user identifier) bit – исполнения от имени владельца файла.
Классический пример использования этого бита в операционной системе это команда sudo. Очевидно, что не следует навешивать этот бит на любое приложение т.к. это может привести к тому, что ты будешь исполнять неизвестное/потенциально опасное приложение от имени того пользователя, которому оно принадлежит (напр. root).
Setuid – это бит разрешения, который позволяет пользователю запускать исполняемый файл с правами владельца этого файла. Другими словами, использование этого бита позволяет нам поднять привилегии пользователя в случае, если это необходимо. root@ruvds-hrc [~]# which sudo /usr/bin/sudo root@ruvds-hrc [~]# ls -l /usr/bin/sudo -rwsr-xr-x 1 root root 125308 Feb 20 14:15 /usr/bin/sudo Как мы видим на месте, где обычно установлен классический бит x (на исполнение), у нас выставлен специальный бит s. Это позволяет обычному пользователю системы выполнять команды с повышенными привилегиями без необходимости входа в систему как root, разумеется зная пароль пользователя root. Установка бита setuid не представляет сложности. Для этого используется команда: root@ruvds-hrc [~]# chmod u+s <filename>
setgid (set group identifier) bit – аналогично вышестоящему, только исполнение от имени группы владельца файла.
sticky bit – используется редко, но это полезный бит, который позволяет изменить стандратное присвоение для новых файлов/поддиректорий (или скопированных файлов, но не перемещенных) в директории uid/пользователя (используя chmod u+s <dir>) или gid/группы (используя chmos g+s <dir>) создавшего пользователя – с sticky bit можно сделать так, чтобы они наследовались от директории. При наличии в выводе ls флаг x заменяется на s для пользователя и/или группы несмотря на наличие или отсутствие прав на execution. Только владелец файла может удалять файлы в папке с sticky bit, но все могут создавать файлы в этой папке.
The first two bits may be defined on executable files to provide non-owners and non-group members the ability to run executables with the privileges of the owner or the owning group, respectively. The setgid bit may also be set on shared directories for group collaboration. The last bit may be set on public directories for inhibiting file deletion by nonowners. The use of the special bits should be regulated and monitored appropriately to avoid potential security issues to the system and applications.
The setuid flag is set on executable files at the file owner level. With this bit set, the file is executed by other regular users with the same privileges as that of the file owner.A common example is that of su command that is owned by the root user. This command has the setuid bit enabled on it by default. When a normal user executes this command, it will run as if root (the owner) is running it and, therefore, the user is able to run it successfully and gets the desired result. See the highlighted s in the owner’s permission class below: ~ ll /usr/bin/su -rwsr-xr-x 1 root root 32072 Aug 2 20:12 /usr/bin/su When a normal user executes this command, it will run as if root (the owner) is running it and, therefore, the user is able to run it successfully and gets the desired result. Now, remove the setuid bit from su and replace it with the underlying execute attribute. You must be root in order to make this change. List the file after this modification for verification. user gets an “authentication failure” message even though they entered the correct login credentials. ~ sudo chmod u-s /usr/bin/su ~ ll /usr/bin/su -rwxr-xr-x 1 root root 32072 Aug 2 20:12 /usr/bin/su ~ su - Password: su: Authentication failure You can use either: chmod 4755 /usrbin/su # 4 - setuid, 2 - setgid, 1 - sticky bit chmod u+s /usr/bin/su To return setuid bit. When digit 4 is used with the chmod command in this manner, it enables setuid on the specified file. The setgid attribute is set on executable files at the group level. With this bit set, the file is executed by non-owners with the exact same privileges that the group members have. For instance, the wall command is owned by root with group membership set to tty and setgid enabled. See the highlighted s in the group’s permission class below: # ll /usr/bin/wall -r-xr-sr-x. 1 root tty 15344 Jan 27 2014 /usr/bin/wall To remove the bit from /usr/bin/wall and replace it with the underlying execute flag. You must be root in order to make this change. List the file after this modification for confirmation. # chmod g-s /usr/bin/wall -r-xr-xr-x. 1 root tty 15344 Jan 27 2014 /usr/bin/wall To add the bit you can use: $ chmod g+s /usr/bin/wall $ chmod 2555 /usr/bin/wall When digit 2 is used with the chmod command in this manner, it sets the setgid attribute on the specified file. The setgid bit can also be set on group-shared directories to allow files and sub-directories created in that directory to automatically inherit the directory’s owning group. This saves group members sharing the directory contents from changing the group on every new file and sub-directory that they add to that directory. The standard behavior for new files and sub-directories is to always receive the creator’s group. *** The wall command allows users to broadcast a message to all logged-in users and print it on their terminal screens. By default, normal users are allowed this privilege because of the presence of the setgid flag on the file. To test, run the command and supply a message as an argument: $ wall Hello, this is to test the setgid flag on the wall command Broadcast message from user1@host1.example.com (pts/0) (Mon Dec 1 11:26:24 2014): Hello, this is to test the setgid flag on the wall command The sticky bit is set on public writable directories (or other directories with rw permissions for everyone) to protect files and sub-directories owned by regular users from being deleted or moved by other regular users. This attribute is set on /tmp and /var/tmp directories by default as depicted below: ~ ll -d /tmp /var/tmp drwxrwxrwt 7 root root 4096 Aug 9 03:14 /tmp drwxrwxrwt 2 root root 6 Aug 7 02:37 /var/tmp You can use the chmod command to set and unset the sticky bit. When digit 1 is used with the chmod command, it sets the sticky bit on the specified directory [redkin.p@snake ~]$ chmod 1777 share/ Alternatively, you can use the symbolic notation to do exactly the same: # chmod o+t /var To unset, use either of the following: # chmod 755 /var mode of ‘/var’ changed from 1755 (rwxr-xr-t) to 0755 (rwxr-xr-x) # chmod o-t /var
Questions
1. Which command can be used to determine a file type?
ls (general file, device character/block file)
file (file type)
2. The output generated by the umask command shows the current user mask in four digits. What is the significance of the left-most digit?
The left-most digit has no significance in the umask value.
3. Default permissions are calculated by subtracting the initial permissions from the umask value. True or False?
False. Default permissions are calculated by subtracting the umask value from the initial permission values.
4. The chgrp command may be used to modify both ownership and group membership on a file. True or False?
False, only group
5. Name the permission classes, types, and modes.
classes - user, group, others
types - read, write, execute
mode - add, revoke, assign
6. The default umask for a regular user in bash shell is 0027. True or False?
false
7. What digit represents the setuid bit in the chmod command?
first digit, value 4
8. What would the command find /var -perm -1000 –type d do?
It would search the /var directory for directories with sticky bit set.
9. What would the command chmod g-s file1 do?
It would remove the setgid bit from file1.
10. Sticky bit is recommended for every system directory. True or False?
False
11. The setgid bit enables group members to run a command at a higher priority. True or False?
False
12. The chown command may be used to modify both ownership and group membership on a file. True or False?
True
13. What is the equivalent symbolic value for permissions 751?
chmod u=rwx chmod g=rx chmod o=x rwxr-x--x
20. The ll command produces 9 columns in the output by default. True or False?
false, 10
22. What permissions would the owner of the file get if the chmod command is executed with 555?
u=rx (r-x)
23. What would the find / -name core –ok rm {} \; command do?
Nothing, needed –exec, not -ok
24. Which special permission bit is set on a directory for team sharing?
Sticky