| Terminology | Definition |
| --- | --- |
| Permissions | Security settings that control access to objects, including file system items and network resources |
| Access Control Lists (ACLs) | The collection of access control entries (ACEs) that determines which subjects are allowed or denied access to the object and the privileges given |
| Principle of Least Privilege | A basic principle of security stating that something should be allocated the minimum rights needed to perform their jobs |
| Group | An access control object that contains multiple users with similar security requirements |
| Graphical Interface | An environment for passing commands to a computer by using a graphical, mouse-driven interface rather than text-based commands |
| Ownership | The property by which the user is allowed to apply and modify permissions of a file or directory |
| Immutable flag | An attribute of a file or directory that prevents it from being modified even by the root user |
| Troubleshooting | A structured approach to problem-solving using identification, theory of cause, planning, implementation, verification, and documentation steps |
| Sticky bit | A special permission bit that provides protection for files in a directory |
| SUID | A special permission that enables a user to execute a file with the privileges of the file's owner |
| SGID | A special permission that enables a user to execute a file with the privileges of the file's group |
| Kernel | All operating systems have a kernel, which is a low-level piece of code responsible for controlling the rest of the operating system |
¶ Configuring Standard Linux Permissions
Standard permissions in Linux help system administrators keep their systems under control and functioning
- Standard permissions have three identities with up to three levels of access
- You can edit these permissions with chmod and chown
- You can display the current permissions with ls -l
Applying the concept of least privilege is one of the best practices to ensure that your systems stay secure and functioning
- The principle of least privilege means that you never give someone more access rights than what is necessary to perform their job
- Linux permissions define three identities to which you can apply permissions
- User - this entity owns the file or directory. You can change the owner of a file with chown
- Group - this is a single collection of all users associated with the resource
- This allows multiple people to access the resource
- Others - this identity represents everyone else who does not fall under the user or group entities
- Linux permissions define three levels of access
- r - Read - this permission grants the ability to view the contents of a file or directory
- w - Write - this permission grants the ability to save changes to a file or create a file within a directory
- x - Execute - this permission grants the ability to run scripts or other programs, and allows users to access a directory or perform tasks on a directory
- You can use the ls command with the -l option to display permissions
- The permissions string consists of 10 fields
- The first field defines whether the resource is a file or a directory: a - identifies a file, and a d identifies a directory
- The next three fields are related and identify the permissions assigned to the resource for the user identity; each can hold one of the characters r, w or x (read, write, execute) or - as a placeholder when that permission is not assigned
- The fifth field identifies the file owner
- The sixth field identifies the group
- The seventh field is the size of the file
- The eighth field is the month it was last modified
- The ninth field is the day it was last modified
- The tenth field is the time it was last modified
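To make the ls -l breakdown above concrete, here is an added example (not part of the original notes) that splits one ls -l line into its permission triples, owner and group, and converts each triple into the octal digit chmod would use. The input line is constructed for the example.

```sh
#!/bin/sh
# Added example (not part of the original notes): split one line of `ls -l`
# output into its fields and turn each rwx triple into its octal digit.
# The input line is constructed for the example, not captured from a system.
SAMPLE_LINE='-rwxr-x--- 1 alice devs 4096 Jan  5 10:30 deploy.sh'

# Map one three-character triple (e.g. r-x) to its octal digit (5).
# Only the standard r, w and x attributes are counted here.
triple_to_octal() {
  n=0
  case "$1" in r??) n=$((n + 4)) ;; esac
  case "$1" in ?w?) n=$((n + 2)) ;; esac
  case "$1" in ??x) n=$((n + 1)) ;; esac
  printf '%s\n' "$n"
}

# Print "<kind> <octal mode> <owner> <group>" for an ls -l line.
# Word 1 is the 10-character permission string, word 3 the owner, word 4 the group.
parse_ls_line() {
  set -- $1                                   # word-split the line on whitespace
  mode=$1 owner=$3 group=$4
  type=$(printf '%s' "$mode" | cut -c1)       # - file, d directory, l symlink
  u=$(printf '%s' "$mode" | cut -c2-4)        # user (owner) triple
  g=$(printf '%s' "$mode" | cut -c5-7)        # group triple
  o=$(printf '%s' "$mode" | cut -c8-10)       # others triple
  case "$type" in
    -) kind=file ;; d) kind=directory ;; l) kind=symlink ;; *) kind=other ;;
  esac
  printf '%s %s%s%s %s %s\n' "$kind" \
    "$(triple_to_octal "$u")" "$(triple_to_octal "$g")" "$(triple_to_octal "$o")" \
    "$owner" "$group"
}

parse_ls_line "$SAMPLE_LINE"                  # prints: file 750 alice devs
```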
¶ Absolute and Symbolic Modes
- The chmod command allows you to modify the permissions of a file or directory
- -c - reports changes made in permissions
- -f - hides most error messages
- -v - displays a diagnostic entry for every file processed
- -R - recursively modifies permissions of files and directories
- The chmod command has two ways of modifying permissions: absolute mode or symbolic mode
- Absolute mode uses octal values
- Read = 4
- Write = 2
- Execute = 1
- You can apply write and execute with the number 3 and read and execute with 5, etc.
- Symbolic mode uses symbols or letters
- Permission contexts u/g/o/a (a applies the permissions to all three contexts)
- Permission operators +/-/=
- "+ grants permissions"
- "- denies permissions"
- "= assigns permissions exactly as provided rather than adding or subtracting"
- Permission attributes r/w/x
- umask defines default permissions on a per-user basis, while chmod can change the permissions from those defaults
The umask command alters the default permissions on newly created files and directories
- With umask, you set the default permissions using an octal numeric format by specifying which permissions to mask (clear) from the default.
- For example, the default for non-executable files is 666 (rw-rw-rw-). If you would like to change that so that group and others no longer have write access, you would set the umask to 022 (666 masked by 022 gives 644, rw-r--r--)
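The umask arithmetic described above, as an added example (not part of the original notes): the functions work purely on octal strings, so no files are created or changed, and they also show which umask to pick for a wanted default.

```sh
#!/bin/sh
# Added example (not part of the original notes): compute the mode a new
# file or directory receives under a given umask, and the umask needed to
# reach a wanted default. Works on octal strings only; no files are touched.

# Mode a newly created object gets: the umask bits are cleared from the
# default, which is 666 for regular files and 777 for directories.
apply_umask() {                     # apply_umask <default> <umask>
  printf '%03o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

new_file_mode() { apply_umask 666 "$1"; }     # e.g. 022 -> 644
new_dir_mode()  { apply_umask 777 "$1"; }     # e.g. 022 -> 755

# The umask that produces a wanted directory mode: every bit not wanted
# out of 777 must be masked. The same umask gives files the wanted mode
# minus any execute bits, since the 666 default never carries them.
umask_for_dir_mode() {              # umask_for_dir_mode <wanted dir mode>
  printf '%03o\n' "$(( ~0$1 & 0777 ))"
}

# Show what a few common umask values give; 077 is the usual hardened
# choice because nothing is granted to group or others by default.
for m in 022 027 077; do
  printf 'umask %s: files %s, directories %s\n' \
    "$m" "$(new_file_mode "$m")" "$(new_dir_mode "$m")"
done
# prints:
# umask 022: files 644, directories 755
# umask 027: files 640, directories 750
# umask 077: files 600, directories 700
```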
In Linux, the only user other than root who can change the permissions of a file is the owner of that file
- You can use the chown command to change the owner, the group, or both of a file
chown newowner filename # Changes only the owner
chown newowner:newgroup filename # Changes the owner and the group
chown :newgroup filename # Changes only the group
¶ The chgrp command
Another way to change only the group of a file is the chgrp command
chgrp groupname filename # Changes only the group
- Files can have more attributes set on them than just permissions, some of which are
- Only allow users to open the file for writing in append mode
- Set the file to be automatically compressed
- Save the file if it is deleted
- Make the file immutable
- Giving a file or directory the immutable attribute prevents it from being modified at all, even by the root user
- A single directory can have a mix of both mutable and immutable files
- You can use the lsattr command to list the attributes of a file or directory; some of the options available are
- -R recursively lists the attributes of directories and their contents
- -a lists all files in directories
- -d lists directories like files instead of listing their contents
- -v lists the version number of the file
- You can use chattr to change the attributes of a file or directory. Some of its options are:
- -R recursively changes the attributes of directories and their contents
- -v sets the version number of a file
- +i marks the file as read-only or immutable
- -i removes the read-only attribute
¶ User ID and Group ID Concepts
When standard permissions are inadequate, you can request special permissions
- Special permissions allow less-privileged users to execute a file by assuming the privileges of the file's owner or group
- There are two main special permissions in Linux
- Set User ID - allows a user to have permissions similar to those of the owner of the file
- Set Group ID - allows a user to have permissions similar to those of the file's group
- When Set Group ID is applied to a directory, all new files and subdirectories created in it inherit the directory's group ID, though Set Group ID does not apply to existing files and directories within that directory
- You can set the SUID and the SGID with the chmod command, in either symbolic or absolute mode
- Symbolic mode
- chmod u+s filename sets the SUID
- chmod g+s directoryname sets the SGID
- Absolute mode syntax
- chmod 4--- filename sets the SUID
- chmod 2--- directoryname sets the SGID
- The last three digits in absolute mode are whatever standard permissions you choose
- You can remove the SUID and the SGID by using the - operator in symbolic mode or by setting the first digit to 0 in absolute mode
chmod u+s /usr/bin/xmms # Sets the SUID and leaves permissions the same
¶ Remove SUID and SGID Permissions
chmod u-s /usr/bin/gpasswd # Removes the SUID and leaves permissions the same
chmod u-s /usr/bin/newgrp # Removes the SUID and leaves permissions the same
chmod g-s /usr/bin/wall # Removes the SGID and leaves permissions the same
chmod g-s /usr/bin/write # Removes the SGID and leaves permissions the same
The sticky bit is a special permission bit that protects files in a directory: it ensures that only the file or directory owner, or root, can delete the file or directory
- Just like the SUID and SGID, you can set the sticky bit with the chmod command
- The octal value of the sticky bit is 1 and it displays as t
- chmod 1--- directoryname sets the sticky bit in absolute mode
- chmod +t directoryname sets the sticky bit in symbolic mode
- You can use - or 0 to remove the sticky bit
- In old versions of the kernel, a sticky bit could force a program or file to remain in memory so that the system would not need to reload it when it was invoked again. It basically told the operating system that the file would be executed frequently.
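As an added example (not part of the original notes), the following renders a four-digit octal mode the way ls -l displays it, so the s/S and t/T markers for SUID, SGID and the sticky bit can be read off, and wraps the find invocation an administrator uses to inventory set-id files. The directory passed to find_setid_files is the caller's choice; the mode values are constructed.

```sh
#!/bin/sh
# Added example (not part of the original notes): render a four-digit octal
# mode the way ls -l shows it, so the s/S and t/T markers for SUID, SGID and
# the sticky bit can be read, and list the set-id files under a directory.

# Octal digit -> rwx triple.
triple() {
  case "$1" in
    0) printf '%s' '---' ;; 1) printf '%s' '--x' ;; 2) printf '%s' '-w-' ;; 3) printf '%s' '-wx' ;;
    4) printf '%s' 'r--' ;; 5) printf '%s' 'r-x' ;; 6) printf '%s' 'rw-' ;; 7) printf '%s' 'rwx' ;;
    *) return 1 ;;
  esac
}

# Replace the execute position of a triple with the special marker:
# lowercase (s/t) when execute is also set, uppercase (S/T) when it is not,
# which is how ls shows that a special bit is set without execute.
mark() {                            # mark <triple> <bit value or 0> <letter>
  [ "$2" -eq 0 ] && { printf '%s' "$1"; return; }
  case "$1" in
    ??x) printf '%s%s' "${1%?}" "$3" ;;
    *)   printf '%s%s' "${1%?}" "$(printf '%s' "$3" | tr a-z A-Z)" ;;
  esac
}

# mode_string <type char> <4-digit octal>, e.g. mode_string - 4755 -> -rwsr-xr-x
mode_string() {
  s=$(printf '%s' "$2" | cut -c1); u=$(printf '%s' "$2" | cut -c2)
  g=$(printf '%s' "$2" | cut -c3); o=$(printf '%s' "$2" | cut -c4)
  printf '%s%s%s%s\n' "$1" \
    "$(mark "$(triple "$u")" $((s & 4)) s)" \
    "$(mark "$(triple "$g")" $((s & 2)) s)" \
    "$(mark "$(triple "$o")" $((s & 1)) t)"
}

# Defensive audit: list regular files below a directory with SUID or SGID
# set; every entry is a privilege boundary that should be known and needed.
find_setid_files() {                # find_setid_files <directory>
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

mode_string - 4755        # -rwsr-xr-x  (SUID with execute)
mode_string - 4644        # -rwSr--r--  (SUID without execute: a misconfiguration)
mode_string d 1777        # drwxrwxrwt  (world-writable dir protected by the sticky bit)
```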
Access control lists are a really useful tool when standard file permissions are not sufficient. They allow you to assign many users and groups to a resource instead of just one, as you can with standard permissions
There are two commands that you can use to manage access control lists on files: getfacl and setfacl
- getfacl - displays existing ACL settings
- setfacl - configures ACL permissions
- The getfacl command shows metadata about an object, including things like the owner, group, SUID, SGID, sticky bit, standard permissions, and ACL permissions.
- The syntax of getfacl is getfacl filename
- The setfacl command is used to change the ACL permissions of an object. There are several options associated with this command, like:
- -R - recursively sets ACL options for directories and their contents
- -s - sets the ACL of an object, replacing any existing ACL
- -m - modifies the existing ACL of an object
- -x - removes entries from an existing ACL
- -b - removes all ACL entries
- The syntax for setfacl is setfacl optionAndACLEntry filenameOrDirectoryname
- When working with users, the format is u:username:permissions
- When working with groups, the format is g:groupname:permissions
ACL entries do not replace standard permissions; standard permissions are still enforced on top of ACLs.
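As an added example (not part of the original notes) that goes one step beyond the text, the following reads getfacl output and reports the permissions each entry actually gets: named users, named groups and the owning group are capped by the mask entry, which is how the group-class standard permission bits stay in force on top of the ACL. The getfacl output below is constructed, not captured from a real file.

```sh
#!/bin/sh
# Added example (not part of the original notes): read getfacl output and
# report each entry with the permissions actually in effect. Named users,
# named groups and the owning group are limited by the mask entry, so a
# "rw-" grant can be silently reduced to "r--". The input is constructed.
ACL_SAMPLE='# file: report.txt
# owner: alice
# group: devs
user::rw-
user:bob:rw-
group::r--
group:audit:r-x
mask::r--
other::---'

# AND two rwx strings position by position, e.g. rw- and r-- give r--.
perm_and() {
  i=1; out=""
  while [ $i -le 3 ]; do
    a=$(printf '%s' "$1" | cut -c$i); b=$(printf '%s' "$2" | cut -c$i)
    if [ "$a" = "$b" ]; then out="$out$a"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Print "<entry> <granted> <effective>" for every ACL line; the owner and
# "other" entries are never masked, everything else is.
effective_acl() {                   # effective_acl "<getfacl output>"
  mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p')
  printf '%s\n' "$1" | grep -v '^#' | while IFS=: read -r tag name perms; do
    case "$tag:$name" in
      user:|other:) eff=$perms ;;                      # owner and other: not masked
      *) eff=$(perm_and "$perms" "${mask:-rwx}") ;;   # no mask entry: unmasked
    esac
    printf '%s:%s %s %s\n' "$tag" "$name" "$perms" "$eff"
  done
}

effective_acl "$ACL_SAMPLE"
# prints, among other lines:  user:bob rw- r--   and   group:audit r-x r--
```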