====== UNIX/Linux base file permissions ====== 

https://www.stationx.net/linux-file-permissions-cheat-sheet/

https://abcofaix.wordpress.com/tag/sticky-bit/


===== UNIX/Linux standard Permissions =====

When listing a file or folder on UNIX, using detailed view you 'll see the permissions and owner...
<cli prompt='#'>
[root@aix01]/root# ls -lsa
   0 drwxr-x---    2 root     system          256 Aug 16 16:56 bar
</cli>

{{unix:unix_file_permissions01.png?650|}}

{{unix:unix_file_permissions02.png?650|}}

The first character indicates the type of file:
    – : represents an ordinary file
    d: represents a directory
    l: symbolic link
    c: represents a character device file
    b: represents a block device file


The table below gives numbers for all permission types of a File/Directory.
^Number    ^ Octal Permission Representation ^  	   Symbol ^
|  0        |  	    No Permission          |  	    ---        |
|  1        |  	    Execute                |  	    -–x        |
|  2        |  	    Write                  |  	    -w-        |
|  3        |Execute and write permission: 1(execute)+2(write)=3 | -wx        |  
|  4        |  	    Read                   | 	    r–-        |
|  5        |Read and execute permission: 4(read)+1(execute)=5 | r-x        |
|  6        |Read and write permission: 4(read)+2(write)=6|   	    rw-        |
|  7        |All permissions: 4(read)+2(write)+1(execute)=7|   	    rwx        |

2 ways to change unix permissions:

=== Adding or remove rights ===

<cli prompt='$'>
$ chmod u-x,g=rx,o+wx testfile
$ ls -l testfile
-rw-r-xrwx  1 user01  users 1024  Nov 2 00:10  testfile
</cli>

=== Using absolute permissions (octal) ===

<cli prompt='$'>
$ chmod 647 testfile
$ ls -l testfile
-rw-r-xrwx  1 user01  users 1024  Nov 2 00:10  testfile
</cli>

List file properties and octal permissions
<cli prompt='$'>
$ stat testfile
  File: testfile
  Size: 256             Blocks: 0          IO Block: 4096   directory
Device: 8000002200000007h/9223372182883663879d  Inode: 774148      Links: 2
Access: (0647/-rw-r-xrwx)  Uid: ( 1000/  user01)   Gid: ( 1001/     mygroup01)
Access: 2023-08-17 09:59:39.000000000 +0200
Modify: 2022-04-11 11:06:46.000000000 +0200
Change: 2022-04-11 11:06:46.000000000 +0200
 Birth: -
</cli>

===== Special permission: setuid, setgid, and the Sticky Bit =====

Setuid, setgid, and the sticky bit can be tough for new and aspiring Linux admins to understand. It's easy enough to do a web search for the basic definitions:
  * **setuid**: a bit that makes an executable run with the privileges of the owner of the file
  * **setgid**: a bit that makes an executable run with the privileges of the group of the file
  * **sticky bit**: a bit set on directories that allows only the owner or root can delete files and subdirectories

==== user +s ====

**setuid** example
  A non-root user is not able to edit the passwd file, but every user can change his own password. This is due to 
  the sticky bit positionned on the executable command **passwd**, Which 'll execute the passwd command as root,
  because the sticky bit is positionned on the program

<cli prompt='#'>
[root@srvadm01]/root# ll /etc/security/passwd
   4 -rw-------    1 root     system         1505 Jun 06 13:42 /etc/security/passwd

[root@srvadm01]/root# ll /usr/bin/passwd
  44 -r-sr-xr-x    1 root     security      44959 Feb 25 2022  /usr/bin/passwd
</cli>

==== group +s ====

this special permission has a couple of functions:
  * If set on a file, it allows the file to be executed as the group that owns the file (similar to SUID)
  * If set on a directory, any files created in the directory will have their group ownership set to that of the directory owner


==== other + t (sticky) ====

This permission does not affect individual files. However, at the directory level, it restricts file deletion. Only the owner (and root) of a file can remove the file within that directory.
==== Setting special permissions ====

2 ways to set special permissions:

  * To do this using the symbolic method, we do the following:
<cli prompt='#'>
[root@srvadm01]/root# chmod g+s community_content/
</cli>


  * Using the numerical method, we need to pass a fourth, preceding digit in our chmod command. The digit used is calculated similarly to the standard permission digits:

    Start at 0
    SUID = 4
    SGID = 2
    Sticky = 1

The syntax is:
  chmod X### file | directory

Where X is the special permissions digit.

Here is the command to set SGID on community_content using the numerical method:
<cli prompt='#'>
[root@srvadm01]/root# chmod 2770 community_content/
[root@srvadm01]/root# ls -ld community_content/
drwxrws---. 2 user01  staff 113 Apr  7 11:32 community_content/
</cli>

==== Listing all files with the setuid or setgid bit set ====

<cli prompt='#'>
[root@srvadm01]/root# find / -perm /6000 -type f
</cli>

<cli prompt='#'>
[root@srvadm01]/root# find / -type d -perm -1000 -exec ls -ld {} \;
drwxrwxrwt    1 root     system            7 Aug 16 15:06 /aha
drwxrwxrwt    1 root     system            3 Aug 16 15:06 /aha/mem
drwxr----t    3 oracle   dba             256 Apr 11 2022  /opt/admindev/oracle/product/19.5.0.0.191015-171/suptools/release/diag/tfa/tfactl
drwxr----T    2 oracle   dba             256 Apr 11 2022  /opt/admindev/oracle/product/19.5.0.0.191015-171/suptools/release/diag/tfa/tfactl/user_oracle/alert
</cli>

===== Advanced permission: ACL (access control list) =====

Access Control List are not available on every kind of filesystems !
===== Ownership and groups =====

While creating an account on Unix, it assigns a **owner ID** and a **group ID** to each user. All the permissions mentioned above are also assigned based on the Owner and the Groups.

Changing owner
<cli prompt='$'>
$ chown user02 testfile
$ ls -l testfile
-rw-r-xrwx  1 user02  users 1024  Nov 2 00:10  testfile
</cli>

Changing group
<cli prompt='$'>
$ chgrp mygroup01 testfile
$ ls -l testfile
-rw-r-xrwx  1 user02  mygroup01 1024  Nov 2 00:10  testfile
</cli>

List owner and group of files and folders
<cli prompt='#'>
[root@aix01]/export# ls -lsa
   0 drwxr-xr-x    2 root     staff           256 Sep 25 2015  powerlinux
   4 drwxrwxrwx   16 root     nobody         4096 Feb 22 2022  rear
</cli>

List userID and groupID of files and folders
<cli prompt='#'>
[root@aix01]/export# ls -n
drwxr-xr-x    2 0        1                 256 Sep 25 2015  powerlinux
drwxrwxrwx   16 0        4294967294       4096 Feb 22 2022  rear
</cli>

FIXME Do not forget, UNIX/Linux use IDs, name of user is just a mapping from UserID (based on /etc/passwd)

==== Umask: file creation rights ====

When you create a file with a specific user, a umask will defined the base rights on the created file.
<cli prompt='#'>
[lpar2rrd@aix01]/home/lpar2rrd# umask
022
[lpar2rrd@aix01]/home/lpar2rrd# touch testfile
[lpar2rrd@aix01]/home/lpar2rrd# ls -lsa
   0 -rw-r--r--    1 lpar2rrd staff             0 Aug 17 10:16 testfile
</cli>

The flag consists of three octal digits, each representing the permissions masks for the user, the group, and others. The default permissions are determined by subtracting the umask value from ‘777’ for directories and ‘666’ for files. The default value of the umask is ‘022’.

My file is created with permissions **666-022=644**

On **AIX** a umask is specified by default into **/etc/security/user**, you can specify one per user
  # chuser umask=022 user01
  
On **linux** the default mask is defined into **/etc/bashrc**, maybe also into **/etc/login.defs**. For custom, you can either add into homedir from every user, or globaly by script, you can add it to /etc/bashrc
<code>
if [ $UID -gt 199 ] && [ $(/usr/bin/id -gn) == $(/usr/bin/id -un) ]
then
  umask 444
else
  umask 555
fi
</code>