Monday, August 29, 2011

Linux Permissions along with ACL (access control list)

Linux file permissions are based upon three actions:
Read – read a file, on directories grants permission to read names of files in the directory (but not find any additional information size owner etc..)
Write – modify, delete rename a file, on directories it gives permission to modify entries inside the directory including create, delete and rename files
Execute – execute a file, on directories is grants permission to go into the directory and subdirectories it goes not grant read access to the directory
Linux also supports three additional permissions:
SUID – Set user ID – when a file with this bit is set and it is executable it will be executed with the effective permissions of the owner.
SGID – Set group ID – when a file with this bit is set and it is executable it will be executed with the effective permissions of the group, directories with the SGID new files and directories created under the original directory will inhert it's group from the SGID group.
sticky - when a file with this bit is set and it is executable it encourages the kernel to retain the resulting process beyond termination, when set upon a directory it prevents users who are not the owner from renaming, deleting or moving files or subdirectories.
Each file can be owned by a single user, group and everyone else. Other is everyone who is not the user or a member of the group. All directories are really just files in linux. Linux filenames can be up to 256 characters long. Linux permissions are not inherited except SGID directories. Since the 2.6 Kernel linux also support acl based file permissions giving you better control on your file system. You can see the permission user and group on a file by performing a long listing of a file:
ls -al
drwxr-xr-x 3 root root 4096 Nov 10 21:25 .
drwx—— 46 root root 4096 Nov 10 21:12 ..
drwxr-xr-x 2 jgriffiths users 4096 Nov 10 21:25 cheese
-rw-r–r– 1 root root 0 Nov 10 21:12 donkey.doc
-rw-r–r– 1 jgriffiths video 0 Nov 10 21:12 myfile.txt
This listing displays hidden files because we issued ls with the -a command line switch. The sections are divided as follows:
Permissions on the directory or file
Amount of links (files and directories) inside the directory including itself
Owner of this files username
Group this file is owner by
Size of file in k-bytes
Nov 10 21:25
Modification time
Time of last change
Name of directory or file
The permissions field is 11 characters broken down into four sections: type, owner permissions, group permissions and other permissions.
Characters #'s
This defines a directory vs a file or special type
owner permissions
This defines users permissions
group permissions
This defines group permissions
other permissions
This defines world permissions
There can be the following types:
Symbolic link
Named pipe
Normal file
Character device or special file
Block device or special file
Each of the user, group and other permissions files contain either a r,w,x or an -. They are always displayed in the order of rwx.
Not set not allowed to take action
Read permission
Write permission
Execute permission
For example the following listing:
drwxr-xr-x 2 root root 4096 Nov 10 21:25 cheese
Is a directory (d) with owner (root) read (r), write (w), execute (x), group (root) read (r), no-write (-), execute (x), other, read (r), no-write (-), and execute (x).
Additional Permissions
The additional permissions show up by replacing the execute bit with a character:
Sticky bit
Changing Permissions
In Linux you use the chmod command to change permissions of a file or directory. chmod can be used with an octal set of permissions or individually using characters to represent user (u), group (g), other (o), and an add (+), subtract (-). I will cover Octal permissions using numbers to represent combination permissions. When using octal permissions you seperate out permission in the following order user:group:other. Each permission type adds an amount to zero:
Read – Adds 4 to the total
Write – Adds 2 to the total
Execute – Adds 1 to the total
So permission 744 would be User: read,write, execute; Group read; Other read. The command to set a file to 744 would be:
chmod 744 filename
Changing Additional Permissions
Additional permissions take the first bit a hidden bit of the permissions:
The setuid bit adds 4 to the total.
The setgid bit adds 2 to the total.
The sticky bit adds 1 to the total.
If I wanted to set the permissions to 744 with the sticky bit set I would run this command:
chmod 1744 filename
Default Permissions – Umask
The umask defines the default permissions assigned to any file created by a user or system. You can assign your umask at any time by executing:
umask permissions
The permissions on umasks can be tricky. You need to take the permissions of 777 and subtract the umask. For example a user has the umask of 022 when he / she creates a file the default permissions are: 644.
Finding Files with Special Permissions
Since special permissions break the authentication method for Linux they can be very dangerous. There are some simple ways to locate suid and sgid files.
Find all SetGID files on your system:
find / -xdev -type f -perm +g=s -print'
Find all SetUID files on your system:
find / -xdev -type f -perm +u=s -print
Find all world writable files on a system:
find / -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -printtype f -perm +u=s -print
ACL File Permissions on 2.6 Kernel
The 2.6 Linux kernel added ACL's to file permissions (access control lists) it allows you to have unlimited number of users with individual permissions on a file. It also adds a level of complexity to your file system. Before you can work with ACL's you need to enable them on a mount point basis. Enabling ACL's requires adding the option acl to the /etc/fstab and remounting the mount point. For example take a look at this root partition:
/dev/hda5 / ext3 acl,user_xattr 1 1
This shows acl's enabled and ready to work. ACL can only be used on the following file systems: ext2/3, XFS, JFS and ReiserFS. The primary method for manipulating acl's is using the getfacl and setfacl commands. getfact allows you to display acl lists on a file or directory. setfacl allows you to set the current acl on a file or directory. In order to explain acl's lets assume that I have a unix system with four users jack,jill,bob and myself (jgriffiths). I want to create a file called test.txt and give jack and jill read and write permission to this file while bob can only read the file. I created the file and started with the following permissions:
ls -al test.txt
-rw——- 1 jgriffiths users 0 2007-11-16 23:37 test.txt
The permissions are clearly set to allow jgriffiths as the only person who can manipulate this file in anyway. setfacl allows you to set permissions for more than one user at a time. To create my acl permissions I would use the following command:
setfacl -m u:bob:r–,u:jack,jill:rw- tester.txt
I can use the getfacl to view the current effective permissions on the file:
getfacl test.txt
# file: test.txt
# owner: jgriffiths
# group: users
So jack and jill can read and write while bob can only read. Everyone else but jgriffiths cannot do anything with this file. You will also notice an entry called mask. The mask sets the effective permissions for all acl groups and users. This allows you to limit acl's control maxium on a file or directory. Assume my mask looks like this in the above entry: mask::r– then no one would be able to do more than read this file unless they are the owner. You can set the mask using:
setfacl -m mask::rw- tester.txt
Viewing the rights of our file now produces an effective rights listing:
getfacl tester.txt
# file: tester.txt
# owner: jgriffiths
# group: users
user:jack:rw- #effective:r–
If we perform an ls -al on the file it produces the following confusing results:
-rw-rw—-+ 1 jgriffiths users 0 2007-11-17 00:01 test.txt
As you can see it seems the users group has read and write access to test.txt when in reality they do not. Also linux has added a + to the permission list to help us know there is a acl on this file.
ACL's can be added based upon Linux groups using the same setfacl command:
setfacl -m g:groupname:rw-,g:groupname_two:r test.txt
Removing acl based permission can be done using the -x command line parameter:
setfacl -x u:bob,u:jack tester.txt
Now only Jill can access the tester.txt file. Or we can removal all acl's on a file with the –remove-all:
setfacl –remove-all tester.txt
If you would like to recursively assign an acl to a directory and all files add an -R to the command use the following command:
setfacl -R -m g:users:r-x /data/webroot
ACL's viewed by the getfacl command can be piped into a file and used to generate the same acl on any other file using the setfacl command:
# getfacl -omit tester.txt
# setfacl -M myacl test*
# getfacl -omit test.txt
You can also use gid's and uid's instead of names as long as you provide the -numeric switch to setfacl.
ACL's and Directories the Default ACL
ACL's created inherited permissions that allow subdirectories and file to get the permissions of their parent. This type of inheritance is easy to manage but can be a security concern make sure to consider carefully how you set acl's on directories because those same permissions will exist on the lower levels.