Files/directories permissions and ACL

Standard file permissions

A user can delete a file he does not own if he is the owner of the directory and the directory's permissions give him write access, because removing a file modifies the directory entry, not the file itself.

Ex:

manu@manu-opensuse:~> ls -ld /home/manu
drwx------ 45 manu users 4096 Aug 17 11:01 /home/manu
manu@manu-opensuse:~> ls -l test*
-rw-r--r-- 1 root root    0 Aug 17 12:01 test
-rw-r--r-- 1 manu users   0 Aug 17 12:02 test1
manu@manu-opensuse:~> rm test
rm: remove write-protected regular empty file 'test'? y
manu@opensuse:~> ls -l test*
-rw-r--r-- 1 manu users   0 Aug 17 12:01 test1

Special permissions

SUID

Set user ID on a file

chmod u+s <file>

This file will be executed with the privileges of its owner, even when the user running it is someone else.

Ex: /usr/bin/passwd must write to /etc/shadow, which requires root permissions.

List all SUID files

find / -perm /4000 -ls

SGID

Set group ID on a file or directory

chmod g+s <file>

If you set SGID on a directory, all newly created files inside it inherit the group of the parent directory.

List all SGID files

find / -perm /2000 -ls

Sticky bit

Sticky bit: only the owner of a file (or the owner of the directory) is allowed to remove that file from the directory, even when other users have write access to the directory. It's often used in conjunction with SGID.

# chmod +t mydir/
# ls -l 
drwxrwsr-t  2 manu users     6 Aug 17 15:50 aaa

It can also be useful to remove read and execute access for others:

# chmod o-rx mydir
# ls -l 
drwxrws--T  2 manu users     6 Aug 17 15:50 aaa
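The two rules above (deleting a file depends on the directory's permissions, and the sticky bit restricts deletion to the file's or directory's owner) can be checked with the following script. It is an added example, not code from the original page; it parses the mode string that ls -l prints (including the s/S and t/T special characters) and applies the unlink rule to the page's own /home/manu case plus constructed user names.

```python
# Added example: parse an ls -l mode string such as "drwxrws--T" and decide
# whether a given user may unlink a file inside that directory.
# User and group names below are constructed for the demonstration.
import stat

def parse_mode(symbolic: str) -> int:
    """Convert an ls -l mode string (e.g. 'drwxrws--T') into a numeric st_mode."""
    if len(symbolic) != 10:
        raise ValueError("expected 10 characters, e.g. drwxr-xr-x")
    mode = {'d': stat.S_IFDIR, '-': stat.S_IFREG, 'l': stat.S_IFLNK}.get(symbolic[0], 0)
    bits = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
            stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
            stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}  # where s/t may appear
    for i, ch in enumerate(symbolic[1:]):
        if ch in 'rwx':
            mode |= bits[i]
        elif ch in 'sStT' and i in special:
            mode |= special[i]          # lowercase s/t = special bit plus execute,
            if ch.islower():            # uppercase S/T = special bit without execute
                mode |= bits[i]
        elif ch != '-':
            raise ValueError(f"unexpected character {ch!r} in {symbolic!r}")
    return mode

def has_write_and_search(mode: int, owner: str, group: str, user: str, user_groups) -> bool:
    """Unlinking needs write (modify the entry) and execute (search) on the directory."""
    if user == 'root':
        return True
    if user == owner:                   # owner class applies even if group/other are wider
        return bool(mode & stat.S_IWUSR) and bool(mode & stat.S_IXUSR)
    if group in user_groups:
        return bool(mode & stat.S_IWGRP) and bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IWOTH) and bool(mode & stat.S_IXOTH)

def can_unlink(dir_mode: str, dir_owner: str, dir_group: str,
               file_owner: str, user: str, user_groups=()) -> bool:
    """The file's own mode is irrelevant: only the directory's permissions and,
    if the sticky bit is set, ownership of the file or the directory matter."""
    mode = parse_mode(dir_mode)
    if not has_write_and_search(mode, dir_owner, dir_group, user, user_groups):
        return False
    if mode & stat.S_ISVTX and user not in ('root', file_owner, dir_owner):
        return False
    return True

if __name__ == '__main__':
    # The page's case: manu owns /home/manu (drwx------), file 'test' belongs to root.
    print(can_unlink('drwx------', 'manu', 'users', 'root', 'manu', ('users',)))  # True
    # Sticky, group-writable directory: another member of 'users' cannot remove manu's file.
    print(can_unlink('drwxrwsr-t', 'manu', 'users', 'manu', 'alice', ('users',)))  # False
```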

ACL

manu@opensuse:~> umask
0022

New files will be created with permissions: 0777-0022=0755 (rwxr-xr-x)

The first digit is for the special permissions (SUID, SGID, sticky bit).

List ACL on file or folder

manu@opensuse:~> getfacl aaa
# file: aaa
# owner: manu
# group: users
# flags: --t
user::rwx
group::r-x
other::r-x

When are ACLs used?

manu@opensuse:~> setfacl -R -m g:qemu:rx aaa

manu@opensuse:~> ls -l 
drwxr-xr-t+  2 manu users     6 Aug 17 15:50 aaa

If you see a + at the end of the permissions, use getfacl, because ls -l does not display ACL entries.

manu@opensuse:~> getfacl aaa
# file: aaa
# owner: manu
# group: users
# flags: --t
user::rwx
group::r-x
group:qemu:r-x
mask::r-x
other::r-x

If you use X instead of x, the execute permission is applied only to directories, not to regular files.

New files do not inherit the ACL of the directory, so also add a default ACL with the d: prefix:

manu@opensuse:~> setfacl -R -m d:g:qemu:rx aaa
manu@opensuse:~> getfacl aaa
# file: aaa
# owner: manu
# group: users
# flags: --t
user::rwx
group::r-x
group:qemu:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:qemu:r-x
default:mask::r-x
default:other::r-x
linux/file_perm.1629210583.txt.gz · Last modified: 2021/08/17 16:29 by manu