Differences

This shows you the differences between two versions of the page.

--- linux:file_perm [2021/08/17 11:54]
manu created
+++ linux:file_perm [2021/08/17 18:12] (current)
manu
@@ Line 1: / Line 1: @@
 ====== Files/directories permissions and ACL ======
+Do not forget that all permissions are related to user ID and group ID, not name.
+===== Standard file permissions =====
+A user can delete a file on which he isn't the owner, if he is the owner of the directory and rights on this folder allows him to write it
+Ex:
+<cli prompt='>'>
+manu@manu-opensuse:~> ls -ld /home/manu
+drwx------ 45 manu users 4096 Aug 17 11:01 /home/manu
+manu@manu-opensuse:~> ls -l test*
+-rw-r--r-- 1 root root    0 Aug 17 12:01 test
+-rw-r--r-- 1 manu users   0 Aug 17 12:02 test1
+manu@manu-opensuse:~> rm test
+rm: remove write-protected regular empty file 'test'? y
+manu@opensuse:~> ls -l test*
+-rw-r--r-- 1 manu users   0 Aug 17 12:01 test1
+</cli>
+commands that can be used to change permissions...
+<cli>
+chmod 644 <file>
+chmod {ugo}{+,-,=}{rwx} <file>
+chmod <user>{.:}<group> <file>
+chgoup <group> <file>
+</cli>
+===== Special permissions =====
+==== SUID ====
+Set user ID on a file
+  chmod u+s <file>
+This file 'll be executed as file owner, even if my owner is not the same.
+  Ex: /usr/bin/passwd this will access the file /etc/shadow which requires root permissions
+List all SUID files
+  find / -perm /4000 -ls
+==== GUID ====
+Set group ID on a file or directory
+  chmod g+s <file>
+If you set GUID on a folder, all newly created files will inherit from group of the parent foder
+List all GUID files
+  find / -perm /2000 -ls
+==== Sticky bit ====
+Sticky bit: only user of the file or directory is authorized to remove the files inside the folder. It's used in conjuction with GUID
+<cli prompt='#'>
+# chmod +t mydir/
+# ls -l
+drwxrwsr-t  2 manu users     6 Aug 17 15:50 aaa
+</cli>
+Now it can be useful to remove read access to others
+<cli prompt='#'>
+# chmod o-rx mydir
+# ls -l
+drwxrws--T  2 manu users     6 Aug 17 15:50 aaa
+</cli>
+===== ACL =====
+ACL are enable on most latest newly created filesystems by default, you can check using **tune2fs -l <logical_vol_name>**
+<cli prompt='#'>
+manu-opensuse:~ # tune2fs -l /dev/mapper/libraryvg-uncryptlv
+tune2fs 1.43.8 (1-Jan-2018)
+...
+Default mount options:    user_xattr acl
+</cli>
+<cli prompt='>'>
+manu@opensuse:~> umask
+</cli>
+New files will be created with permissions: 0777-0022=**0755 (rwxr-xr-x)**
+First bit is for special permissions
+List ACL on file or folder
+<cli prompt='>'>
+manu@opensuse:~> getfacl aaa
+# file: aaa
+# owner: manu
+# group: users
+# flags: --t
+user::rwx
+group::r-x
+other::r-x
+</cli>
+When are ACL used ?
+<cli prompt='>'>
+manu@opensuse:~> setfacl -R -m g:qemu:rx aaa
+manu@opensuse:~> ls -l
+drwxr-xr-t+  2 manu users     6 Aug 17 15:50 aaa
+</cli>
+If you see the **+** at end of permissions, use **getfacl**, because **ls -l** doesn't knows ACL
+<cli prompt='>'>
+manu@opensuse:~> getfacl aaa
+# file: aaa
+# owner: manu
+# group: users
+# flags: --t
+user::rwx
+group::r-x
+group:qemu:r-x
+mask::r-x
+other::r-x
+</cli>
+If you use an **X** instead of **x**, execute applies only to directories, not for files
+New files doesn't inherit ACL from foder, so add also a default policy **d:**
+<cli prompt='>'>
+manu@opensuse:~> setfacl -R -m d:g:qemu:rx aaa
+manu@opensuse:~> getfacl aaa
+# file: aaa
+# owner: manu
+# group: users
+# flags: --t
+user::rwx
+group::r-x
+group:qemu:r-x
+mask::r-x
+other::r-x
+default:user::rwx
+default:group::r-x
+default:group:qemu:r-x
+default:mask::r-x
+default:other::r-x
+</cli>
+===== User extended attribute =====
+If extended user attribute is enable on a file or folder, you 'll see a dot (.) at end of file proterties
+<cli>
+  -rw-r-----. 1 root root     32 Oct 15  2018 secret.key
+</cli>
+lsattr <file>
+You can change a file to secure delete, immutable... check **chattr** command

wiki

User Tools

Site Tools

Differences

Page Tools