====== Files/directories permissions and ACL ======

Do not forget that all permissions are tied to the numeric user ID and group ID, not to the user or group name.

===== Standard file permissions =====

A user can delete a file he does not own if he owns the directory and the rights on that directory allow him to write it: removing a file is a write to the directory, not to the file.

Ex:
<code>
manu@manu-opensuse:~> ls -ld /home/manu
drwx------ 45 manu users 4096 Aug 17 11:01 /home/manu
manu@manu-opensuse:~> ls -l test*
-rw-r--r-- 1 root root 0 Aug 17 12:01 test
-rw-r--r-- 1 manu users 0 Aug 17 12:02 test1
manu@manu-opensuse:~> rm test
rm: remove write-protected regular empty file 'test'? y
manu@opensuse:~> ls -l test*
-rw-r--r-- 1 manu users 0 Aug 17 12:01 test1
</code>

3 commands that can be used to change permissions:
  * ''chmod 644'' (octal mode)
  * ''chmod {ugo}{+,-,=}{rwx}'' (symbolic mode)
  * ''chmod {.:}''
  * ''chgrp''

===== Special permissions =====

==== SUID ====

Set user ID on a file:
<code>
chmod u+s file
</code>
This file will be executed as its owner, even if the user running it is not the owner.

Ex: ''/usr/bin/passwd'' has to write ''/etc/shadow'', which requires root permissions.

List all SUID files:
<code>
find / -perm /4000 -ls
</code>

==== SGID ====

Set group ID on a file or directory:
<code>
chmod g+s file_or_dir
</code>
If you set SGID on a folder, all newly created files inherit the group of the parent folder.

List all SGID files:
<code>
find / -perm /2000 -ls
</code>

==== Sticky bit ====

Sticky bit: only the owner of a file (or the owner of the directory, or root) is authorized to remove that file from inside the folder. It is used in conjunction with SGID.
<code>
# chmod +t mydir/
# ls -l
drwxrwsr-t 2 manu users 6 Aug 17 15:50 aaa
</code>

Now it can be useful to remove read access to others:
<code>
# chmod o-rx mydir
# ls -l
drwxrws--T 2 manu users 6 Aug 17 15:50 aaa
</code>
A capital **T** means the sticky bit is set but others have no execute permission on the directory.

===== ACL =====

ACL are enabled by default on most recently created filesystems; you can check using **tune2fs -l**:
<code>
manu-opensuse:~ # tune2fs -l /dev/mapper/libraryvg-uncryptlv
tune2fs 1.43.8 (1-Jan-2018)
...
Default mount options: user_xattr acl
</code>

<code>
manu@opensuse:~> umask
0022
</code>
New files will be created with permissions: 0777-0022=**0755 (rwxr-xr-x)**. The first digit is for the special permissions.

List ACL on a file or folder:
<code>
manu@opensuse:~> getfacl aaa
# file: aaa
# owner: manu
# group: users
# flags: --t
user::rwx
group::r-x
other::r-x
</code>

When are ACL used?
<code>
manu@opensuse:~> setfacl -R -m g:qemu:rx aaa
manu@opensuse:~> ls -l
drwxr-xr-t+ 2 manu users 6 Aug 17 15:50 aaa
</code>
If you see the **+** at the end of the permissions, use **getfacl**, because **ls -l** does not show ACL entries:
<code>
manu@opensuse:~> getfacl aaa
# file: aaa
# owner: manu
# group: users
# flags: --t
user::rwx
group::r-x
group:qemu:r-x
mask::r-x
other::r-x
</code>

If you use an **X** instead of **x**, execute applies only to directories, not to files.

New files do not inherit the ACL from the folder, so also add a default policy with the **d:** prefix:
<code>
manu@opensuse:~> setfacl -R -m d:g:qemu:rx aaa
manu@opensuse:~> getfacl aaa
# file: aaa
# owner: manu
# group: users
# flags: --t
user::rwx
group::r-x
group:qemu:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:qemu:r-x
default:mask::r-x
default:other::r-x
</code>

===== User extended attribute =====

If extended user attributes are enabled on a file or folder, you will see a dot (.) at the end of the file properties:
<code>
-rw-r-----. 1 root root 32 Oct 15 2018 secret.key
</code>
''lsattr'' lists the attributes. You can change a file to secure delete, immutable... check the **chattr** command.
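The two points made in the standard-permissions section (deleting a file is a write to the directory, and the umask shapes the mode of new files) as an added, self-contained example; this is not the page author's script. It works in a temporary directory it creates itself, so the file names and modes are constructed; ''stat -c'' is the GNU coreutils form.

```shell
#!/bin/sh
# Added example (not part of the original wiki page).
# 1) A write-protected file can still be removed when we own the directory.
# 2) A writable file cannot be removed when the directory is not writable.
# 3) umask is subtracted from 0666 for files and 0777 for directories.
set -eu

# Returns "deleted" if a mode-0444 file inside a directory we own can be
# removed (rm -f skips the "remove write-protected file?" prompt), else "kept".
delete_write_protected_file() {
    dir=$(mktemp -d)
    : > "$dir/test"
    chmod 0444 "$dir/test"        # file is read-only for everyone, like the page's root-owned 'test'
    chmod 0700 "$dir"             # but the directory is ours and writable
    if rm -f "$dir/test" && [ ! -e "$dir/test" ]; then
        result=deleted
    else
        result=kept
    fi
    rm -rf "$dir"
    echo "$result"
}

# Returns "denied" when a writable file cannot be removed because the directory
# itself is not writable; "root-bypass" when running as root, which ignores
# directory permissions; "removed" if the check unexpectedly passes.
delete_in_readonly_dir() {
    dir=$(mktemp -d)
    : > "$dir/test1"
    chmod 0644 "$dir/test1"
    chmod 0500 "$dir"             # owner may list and enter, but not modify the directory
    if rm -f "$dir/test1" 2>/dev/null; then
        if [ "$(id -u)" = 0 ]; then result=root-bypass; else result=removed; fi
    else
        result=denied
    fi
    chmod 0700 "$dir"
    rm -rf "$dir"
    echo "$result"
}

# Prints "<file mode> <dir mode>" in octal for a new file and directory created
# under umask $1, e.g. "644 755" for 022: files start from 0666, dirs from 0777.
modes_under_umask() {
    mask=$1
    dir=$(mktemp -d)
    (
        umask "$mask"             # subshell: the umask change does not leak out
        : > "$dir/f"
        mkdir "$dir/d"
    )
    f=$(stat -c '%a' "$dir/f")
    d=$(stat -c '%a' "$dir/d")
    rm -rf "$dir"
    echo "$f $d"
}

echo "write-protected file in owned dir: $(delete_write_protected_file)"
echo "writable file in read-only dir:    $(delete_in_readonly_dir)"
echo "modes with umask 022 (file dir):   $(modes_under_umask 022)"
echo "modes with umask 077 (file dir):   $(modes_under_umask 077)"
```

The second function is the one to remember when hardening: restricting write access on a directory protects its entries even when the files inside are writable, and the reverse is not true.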
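An added audit script for the special permissions section (SUID, SGID and the sticky bit), not taken from the page: it builds a constructed directory tree, then runs the same ''find -perm'' tests the page lists and one more that a defender wants, directories that are world-writable without the sticky bit. The tree, file names and modes are assumptions made up for the demo; ''stat -c '%A''' prints the symbolic mode string as ''ls -l'' would.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): audit special bits.
set -eu

# Number of entries under $1 with the SUID bit (4000) set, as on the page.
count_suid() { find "$1" -perm /4000 -print | wc -l | tr -d ' '; }

# Number of entries under $1 with the SGID bit (2000) set, as on the page.
count_sgid() { find "$1" -perm /2000 -print | wc -l | tr -d ' '; }

# Directories writable by everyone but lacking the sticky bit: anyone can delete
# anyone else's files there, which is exactly what the sticky bit on /tmp prevents.
count_world_writable_no_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | wc -l | tr -d ' '
}

# Symbolic mode of a path, e.g. drwxrwxrwt (the 't'/'T' column shows the sticky bit).
mode_of() { stat -c '%A' "$1"; }

# Constructed tree so the audit has something to report; prints its root.
make_demo_tree() {
    root=$(mktemp -d)
    : > "$root/suid_tool";  chmod 4755 "$root/suid_tool"   # -rwsr-xr-x: runs as file owner
    mkdir "$root/shared";   chmod 2775 "$root/shared"      # drwxrwsr-x: children inherit group
    mkdir "$root/dropbox";  chmod 1777 "$root/dropbox"     # drwxrwxrwt: world-writable, sticky set
    mkdir "$root/unsafe";   chmod 0777 "$root/unsafe"      # drwxrwxrwx: world-writable, no sticky bit
    echo "$root"
}

tree=$(make_demo_tree)
echo "SUID entries:                      $(count_suid "$tree")"
echo "SGID entries:                      $(count_sgid "$tree")"
echo "world-writable dirs without sticky: $(count_world_writable_no_sticky "$tree")"
echo "dropbox before chmod o-rwx:        $(mode_of "$tree/dropbox")"
chmod o-rwx "$tree/dropbox"      # sticky bit stays, 't' becomes 'T' because others lost execute
echo "dropbox after chmod o-rwx:         $(mode_of "$tree/dropbox")"
rm -rf "$tree"
```

Run against a real system, replace ''make_demo_tree'' with the path to audit (''/'' for the whole host, as the page does); any SUID binary that is not part of a package and any world-writable directory without the sticky bit deserve a look.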
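The ACL section's point that access ACLs are not inherited and a ''d:'' default entry is needed, as an added example that is not the page's own commands: it grants a group entry to a constructed directory exactly as the page does with ''g:qemu:rx'', but uses the numeric group ID 12345 (an assumption; the group need not exist, ''setfacl'' accepts numbers) so it runs on any Linux box with the acl tools installed. When ''setfacl'' is missing or the filesystem has no ACL support it reports ''unavailable'' instead of a wrong answer.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): ACL inheritance check.
set -eu

GID_DEMO=12345   # constructed numeric group id used for the ACL entry

# $1 = "default" to add a default ACL (d: prefix) as well as the access ACL,
#      anything else to add the access ACL only.
# Creates a directory, applies the ACL, creates a file inside it afterwards and
# reports whether that file carries the group entry: "inherited",
# "not-inherited", or "unavailable" when ACLs cannot be used here.
acl_child_entry() {
    command -v setfacl >/dev/null 2>&1 || { echo unavailable; return 0; }
    dir=$(mktemp -d)
    chmod 0750 "$dir"
    # access ACL: applies to this directory only, like "setfacl -m g:qemu:rx aaa"
    if ! setfacl -m "g:$GID_DEMO:rx" "$dir" 2>/dev/null; then
        rm -rf "$dir"; echo unavailable; return 0
    fi
    if [ "$1" = default ]; then
        # default ACL: copied onto files and directories created inside later
        setfacl -m "d:g:$GID_DEMO:rx" "$dir"
    fi
    : > "$dir/child"
    # getfacl lists the named group entry; an "#effective:" suffix may follow
    # when the mask narrows it, which is why the match is anchored at line start.
    if getfacl "$dir/child" 2>/dev/null | grep -q "^group:$GID_DEMO:r-x"; then
        result=inherited
    else
        result=not-inherited
    fi
    rm -rf "$dir"
    echo "$result"
}

# The '+' column ls -l shows when an ACL is present (11th character of the mode
# field on Linux); the page's advice is to then run getfacl.
acl_marker() { ls -ld "$1" | cut -c11; }

echo "child with access ACL only: $(acl_child_entry access)"
echo "child with default ACL too: $(acl_child_entry default)"
```

The first call reproduces the situation the page warns about (new file, no ACL), the second the fix with ''d:''. Note that the copied entry on a regular file is limited by the mask, so ''getfacl'' may print ''#effective:r--'' next to it: the entry was inherited, but execute is not granted on a plain file.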