In the previous topic we covered normal (rwx) permissions; in this one we cover the advanced Linux permissions: the special bits and ACLs.

Let’s Start:

  1. Normal Permission
  2. Special Permission
  3. ACL Permission

Special Permission:

Three special permission bits exist beyond rwx: setuid and setgid, which apply to executable files (and, for setgid, to directories), and the sticky bit, which applies to shared directories. When setuid or setgid is set on an executable, any user who runs it gets a process whose effective user ID (or group ID) is that of the file's owner (or group) rather than their own.

You must be extremely careful when you set special permissions, because they are a security risk. For example, a user can gain superuser privileges by running a setuid-root program that has a bug. Also, any user can set the setuid and setgid bits on files they own, which is another thing to watch for.

You should monitor your system for any unauthorized use of the SetUID (SUID) and SetGID (SGID) permissions to gain superuser privileges. To search for and list all of the files that use these permissions, see How to Find Files With setuid Permissions. A suspicious listing is one where such a program is owned by an ordinary user rather than by root or bin.

  1. SetUID (SUID)
  2. SetGID (SGID)
  3. Sticky Bit

SUID:

SUID applies to executable files. When the SUID bit is set, whoever executes the file runs it with the effective user ID of the file's owner, not their own. On Linux the bit has no effect on non-executable files or on directories.

When set-user identification (setuid) permission is set on an executable file, a process that runs this file is granted access based on the owner of the file (usually root), rather than the user who is running the executable file. This special permission allows a user to access files and directories that are normally only available to the owner. For example, the setuid permission on the passwd command makes it possible for a user to change passwords, assuming the permissions of the root ID:

root@localhost:~# chmod u+s file name ## pattern of the command ##
root@localhost:~# chmod u+s /usr/bin/passwd
root@localhost:~# ls -l /usr/bin/passwd
-r-sr-sr-x   3 root     sys       104580 Sep 16 12:02 /usr/bin/passwd

In the listing above, the s in the owner's execute position is the setuid bit and the s in the group's execute position is setgid. This special permission presents a security risk because the process runs with the owner's privileges for its whole lifetime: any bug in a setuid-root program lets the user who ran it act as root, and a determined user may find a way to keep the privileges granted by the setuid process even after it has finished executing (for example by leaving behind a root-owned shell or a modified file).
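The audit that the monitoring advice above and the SUID section call for, as an added example that is not part of the original post: it builds a constructed sandbox tree, lists regular files carrying the setuid or setgid bit, and flags the ones not owned by root or bin. It runs as an ordinary user and assumes GNU findutils (find -printf), i.e. a Linux system; the sandbox file names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a directory tree for
# setuid/setgid executables and flag those not owned by root or bin.
# Runs as an ordinary user on a constructed sandbox; assumes GNU findutils
# (find -printf), i.e. a Linux box.
set -eu

# Constructed test data: one setuid file, one setgid file, one plain file
# and one setgid+sticky directory. Prints the sandbox path.
make_sandbox() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$dir/suid_tool"
    chmod 4755 "$dir/suid_tool"       # -rwsr-xr-x
    printf '#!/bin/sh\necho hi\n' > "$dir/sgid_tool"
    chmod 2755 "$dir/sgid_tool"       # -rwxr-sr-x
    printf 'data\n' > "$dir/plain"
    chmod 0644 "$dir/plain"           # no special bits
    mkdir "$dir/shared"
    chmod 3775 "$dir/shared"          # a directory, so not an executable to audit
    printf '%s\n' "$dir"
}

# Regular files with the setuid (04000) or setgid (02000) bit under $1,
# one per line: symbolic mode, owner, group, path. -xdev keeps a real scan
# of / on one filesystem instead of wandering into /proc or network mounts.
list_special() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%M %u %g %p\n' 2>/dev/null | sort
}

count_special() {
    list_special "$1" | wc -l | tr -d ' '
}

# The suspicious case from the text: a setuid/setgid program whose owner is
# an ordinary user rather than root or bin.
flag_non_root() {
    list_special "$1" | awk '$2 != "root" && $2 != "bin"'
}

# Stand-alone demo on the sandbox; a real audit would pass / instead.
box=$(make_sandbox)
echo "setuid/setgid files under $box:"
list_special "$box"
echo "not owned by root or bin:"
flag_non_root "$box"
rm -rf "$box"
```

On a real host, run list_special / against a known-good baseline (for example the output from a freshly installed system) and treat any new entry, or any entry owned by an ordinary user, as something to investigate.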

SGID:

SGID applies to executable files and to directories. On an executable it works like SUID but for the group: whoever runs the file gets a process whose effective group ID is the file's group, not their own. On a directory, every file or subdirectory created inside inherits the directory's group instead of the creator's primary group (subdirectories inherit the SGID bit as well), which is what makes a shared project directory work.

When setgid permission is applied to a directory, files created in that directory belong to the group that owns the directory, not to the primary group of the creating process. Any user who has write and execute permission on the directory can create a file there, but the file's group is the directory's group, not the user's.

The audit advice given for setuid applies equally here: a setgid program whose group is an ordinary user's group rather than root or bin deserves a close look.

root@localhost:~# chmod g+s file or directory name ## Command pattern ##
root@localhost:~# mkdir /a
root@localhost:~# touch /a/file{1..2}.txt
root@localhost:~# ls -ld /a /a/*
drwxr-xr-x 2 root root 4096 Sep 17 00:07 /a
-rw-r--r-- 1 root root    0 Sep 17 00:07 /a/file1.txt
-rw-r--r-- 1 root root    0 Sep 17 00:07 /a/file2.txt
root@localhost:~# chmod g+s /a
root@localhost:~# ls -ld /a
drwxr-sr-x 2 root root 4096 Sep 17 00:07 /a

Sticky Bit:

The sticky bit is meaningful only on directories; on Linux it has no effect on regular files. On a world- or group-writable directory it restricts deletion and renaming: a file inside can be removed or renamed only by the file's owner, the directory's owner, or root, even though everyone with write access can create files there. /tmp is the classic example (mode 1777, shown by ls as drwxrwxrwt).

root@localhost:~# chmod o+t directory name ## Command Pattern ##
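A worked setup for the SGID and sticky bit sections above, as an added example that is not part of the original post: it creates a shared project directory with both bits, decodes the special bits back out of the octal mode, checks that a new file takes the directory's group, and shows the capital S/T that ls prints when the bit is set but the matching execute bit is off. It runs as an ordinary user in a constructed sandbox and assumes GNU coreutils stat (Linux); the directory and file names are made up.

```shell
#!/bin/sh
# Added example (not from the original post): set up a shared project
# directory with setgid + sticky, read the special bits back from the octal
# mode, and show the capital S/T case. Ordinary user, constructed sandbox,
# assumes GNU coreutils stat (Linux).
set -eu

# Which special bits are set on $1, decoded from the leading octal digit:
# setuid = 4, setgid = 2, sticky = 1. stat prints e.g. 3770 with bits set
# and 755 (three digits) with none.
special_bits() {
    mode=$(stat -c '%a' "$1")
    if [ "${#mode}" -eq 4 ]; then hi=${mode%???}; else hi=0; fi
    out=""
    [ $((hi & 4)) -ne 0 ] && out="$out setuid"
    [ $((hi & 2)) -ne 0 ] && out="$out setgid"
    [ $((hi & 1)) -ne 0 ] && out="$out sticky"
    if [ -z "$out" ]; then echo none; else echo "${out# }"; fi
}

symbolic_mode() {
    stat -c '%A' "$1"
}

# Shared directory: group gets rwx, setgid so new files take the directory's
# group, sticky so members cannot delete each other's files. Others get
# nothing, which is why ls shows a capital T: the bit is set but o-x is off.
make_shared_dir() {
    base=$(mktemp -d)
    mkdir "$base/project"
    chmod 2770 "$base/project"
    chmod +t "$base/project"
    printf '%s\n' "$base/project"
}

# Create a file in $1 named $2 and print its group; with setgid on the
# directory this is the directory's group, not the creator's primary group.
create_in() {
    : > "$1/$2"
    stat -c '%G' "$1/$2"
}

dir_group() {
    stat -c '%G' "$1"
}

# The same S/T trap on a file: setuid without owner-execute shows as rwS and
# does nothing, because the bit only matters when the file is executed.
suid_without_exec() {
    f=$(mktemp)
    chmod 4644 "$f"
    symbolic_mode "$f"
    rm -f "$f"
}

d=$(make_shared_dir)
echo "$d: $(stat -c '%a' "$d") $(symbolic_mode "$d") -> $(special_bits "$d")"
echo "new file group: $(create_in "$d" notes.txt) (directory group: $(dir_group "$d"))"
echo "setuid but not executable: $(suid_without_exec)"
rm -rf "$(dirname "$d")"
```

In a real deployment the directory would be chgrp'd to the project group first; here the sandbox owner's primary group stands in for it. When clearing the bits afterwards, use the symbolic forms (chmod g-s,-t) rather than a bare numeric mode, which GNU chmod does not guarantee to clear setgid on a directory.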

ACL(Access Control List):

An access control list (ACL) provides an additional, more flexible permission mechanism on top of the standard UNIX owner/group/other bits. With ACLs you can grant read, write or execute permission on a file or directory to any number of individual users and groups, not just the one owner and one group.

Use of ACL :

Consider a user who is not a member of a group you created but who still needs read or write access to that group's files. Without ACLs the only options are adding the user to the group or opening the permissions to everyone; an ACL lets you grant that one user exactly the access needed.

Basically, ACLs are used to make a flexible permission mechanism in Linux.

From Linux man pages, ACLs are used to define more fine-grained discretionary access rights for files and directories.

setfacl and getfacl are used for setting up ACL and showing ACL respectively.

root@localhost:~# setfacl option permission file or directory name ## Command pattern ##
root@localhost:~# getfacl file or directory name ## to check the ACL permission ##

List of commands for setting up ACL :

## To add permission for user ##
setfacl -m "u:user:permissions" /path/to/file

## To add permissions for a group ##
setfacl -m "g:group:permissions" /path/to/file 

## To allow all files or directories to inherit ACL entries from the directory it is within ##
setfacl -dm "entry" /path/to/dir

## To remove a specific entry ##
setfacl -x "entry" /path/to/file

## To remove all entries ##
setfacl -b path/to/file 

Example:

root@localhost:~# setfacl -m u:hackonology:rwx /a
root@localhost:~# getfacl /a
getfacl: Removing leading '/' from absolute path names
# file: a
# owner: root
# group: root
# flags: -s-
user::rwx
user:hackonology:rwx
group::r-x
mask::rwx
other::r-x

Removing an ACL

To remove all extended ACL entries (including default entries on a directory), use setfacl with the -b option; to drop a single entry, use -x with that entry (for example -x u:hackonology). The base owner, group and other bits stay as they were.
For example :

root@localhost:~# setfacl -b /a
root@localhost:~# getfacl /a
getfacl: Removing leading '/' from absolute path names
# file: a
# owner: root
# group: root
# flags: -s-
user::rwx
group::r-x
other::r-x
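The mask:: line that appears once a named user is added is the part of ACLs that bites in practice, so here is an added example that is not part of the original post: it grants one user access with setfacl, then shows that an ordinary chmod on the group bits rewrites the ACL mask and silently cuts the user's effective rights, and how to restore them. It runs in a constructed sandbox and needs the acl tools (setfacl/getfacl) on an ACL-capable filesystem; the ACL_USER variable is an assumption added for the demo and defaults to the current user so no account has to be created.

```shell
#!/bin/sh
# Added example (not from the original post): grant a user access via an
# ACL, then demonstrate the mask trap: chmod on the group bits rewrites
# mask:: and shrinks the named user's effective permissions. Constructed
# sandbox; needs setfacl/getfacl and an ACL-capable filesystem. ACL_USER is
# an assumed knob for the demo, defaulting to the current user.
set -eu

acl_user=${ACL_USER:-$(id -un)}

# Returns 0 if a named-user ACL can be set on a temporary file here.
acl_supported() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 || return 1
    t=$(mktemp)
    if setfacl -m "u:$acl_user:r" "$t" 2>/dev/null; then rm -f "$t"; return 0; fi
    rm -f "$t"
    return 1
}

# Base bits 0640 (owner rw, group r), plus rw for one extra user via ACL.
# setfacl recomputes mask:: as the union of group and named entries (rw-).
grant_user() {
    chmod 0640 "$1"
    setfacl -m "u:$acl_user:rw" "$1"
}

mask_of() {
    getfacl --omit-header "$1" 2>/dev/null | awk -F: '$1 == "mask" { print $3 }'
}

# What the named user can actually do: the entry is ANDed with mask::, and
# getfacl prints "#effective:" on the line whenever the two differ.
effective_for_user() {
    getfacl --omit-header "$1" 2>/dev/null | awk -v u="user:$acl_user:" '
        index($0, u) == 1 {
            if (match($0, /#effective:[rwx-]+/)) print substr($0, RSTART + 11, RLENGTH - 11)
            else { split($0, a, ":"); print a[3] }
        }'
}

demo() {
    f=$(mktemp)
    grant_user "$f"
    echo "after setfacl:        mask=$(mask_of "$f") effective=$(effective_for_user "$f")"
    # Looks harmless, but once an ACL exists the group bits ARE the mask.
    chmod g-w "$f"
    echo "after chmod g-w:      mask=$(mask_of "$f") effective=$(effective_for_user "$f")"
    # Fix: set the mask explicitly instead of touching the group bits.
    setfacl -m "m::rw" "$f"
    echo "after setfacl -m m::rw: effective=$(effective_for_user "$f")"
    rm -f "$f"
}

if acl_supported; then demo; else echo "ACLs not available here; skipping demo"; fi
```

The practical rule: on anything carrying an ACL, manage the group class with setfacl -m m::... and check getfacl for #effective: lines after any chmod, since ls -l shows the mask (marked with a trailing +) where the group bits used to be.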
