[Linux] - Managing Permissions and Ownership

Topic A: Modify File and Directory Permissions

Permissions

# ls -l: a long list of files and directories in your current working directory

Permission Attributes
# r: Read
# w: Write
# x: Execute
Permission Context:
# Owner (u): the user who owns the file
# Group (g): members of the file's owning group
# Other (o): everyone else
Permission String
# e.g. -rwxr-xr--: the first character is the file type (- for a regular file, d for a directory), followed by three rwx triplets for owner, group and others

Chmod Command

Modifies the permissions of a file or directory. It has two forms: chmod symbolic mode and chmod absolute (octal) mode.

Chmod symbolic mode

# Permission contexts: u/g/o/a (a = all three)
# Permission operators: +/-/= (add, remove, set exactly)
# Permission attributes: r/w/x
# chmod +x <filename>: add execute permission to the installation file so it can be run

# chmod g+r file1: give the group read permission on file1
# chmod o-r file1: remove read permission for others
# chmod go+rw file1: give group and others read and write permission

# chmod go+rw file1
# ls -l


# chmod go-rwx DirA
# ls -l


# chmod go-w file1
# ls -l


Chmod absolute mode

# chmod 764 file1: user=rwx; group=rw; others=r

# chmod 700 file1: user=rwx; group=none; others=none

# chmod 640 file1: user=rw; group=r; others=none

# 755: u=rwx, g=rx, o=rx
# 700: u=rwx, g=none, o=none
# 644: u=rw, g=r, o=r
# 600: u=rw, g=none, o=none

# mkdir permissions-demo
# cd permissions-demo

# mkdir DirA
# touch file1
# ls -l

# chmod 755 DirA
# ls -l

# chmod 660 file1
# ls -l 

# chmod 750 DirA
# ls -l

# chmod 744 file1
# ls -l

# sudo mkdir /Graphics
# sudo touch /Graphics/file1
# sudo touch /Graphics/file2
# sudo touch /Graphics/file3
# ls -l /Graphics

# sudo chmod -R 774 /Graphics
# sudo ls -l /Graphics

Default permissions:
# Files created by root user: 644
# Directories created by root user: 755
# Files created by users with limited access rights: 664
# Newly created directories: 755
Umask: alters the default permissions on newly created files and directories (each bit set in the umask is cleared from the default)

# vi /home/cmason/.bashrc
# Use Page Down to move the cursor to the bottom of the file
# Press i to enter insert mode, then add the line:
# umask 022

# Esc
# :wq

# su - cmason
# umask
# touch test-file
# ls -l
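Added example (not from these notes): a small POSIX sh script that works out what a given umask turns the kernel's 666 (file) and 777 (directory) defaults into, and, going the other way, which umask yields a desired default. The umask values and target modes it is run on are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original notes): work out what a umask does
# to newly created files and directories, and the reverse, which umask to set
# for a desired default. The kernel starts from 666 for files (no execute bit)
# and 777 for directories and clears every bit that is set in the umask.

# effective_mode file|dir UMASK  -> the mode a new file or directory gets
effective_mode() {
  case $1 in
    file) base=0666 ;;
    dir)  base=0777 ;;
    *)    echo "usage: effective_mode file|dir UMASK" >&2; return 1 ;;
  esac
  # "0$2" makes the shell read the umask as octal (022 -> 0022)
  printf '%03o\n' $(( base & ~0$2 ))
}

# umask_for file|dir DESIRED_MODE -> the umask that yields DESIRED_MODE
# The operation is its own inverse: base & ~umask gives the mode, and
# base & ~mode gives the umask back (restricted to bits present in base).
# For files the execute bits are never granted by default, so for example
# 026 and 027 produce the same 640; for directories the x bits matter.
umask_for() {
  effective_mode "$@"
}

# Print a small table for the umask values that come up most often.
# The 022 row matches the note above (root gets 644 files and 755 directories);
# 002 is the usual setting for ordinary users (664 files).
umask_table() {
  for u in 022 002 027 077; do
    printf 'umask %s: files %s, directories %s\n' \
      "$u" "$(effective_mode file "$u")" "$(effective_mode dir "$u")"
  done
}

umask_table
```

The `umask` builtin with no argument, as used in the steps above, prints the current value; `umask 027` in a shell startup file is the usual way to stop group-writable and world-readable files from being created by default.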

Topic B: Modify File and Directory Ownership

chown

To set the group association to the GraphicsDept group (recursively, for /Graphics and everything in it):
# sudo chown -R :GraphicsDept /Graphics
# sudo ls -ld /Graphics
To make rstanley the owner of file2:
# sudo chown rstanley /Graphics/file2
# ls -l /Graphics

# chgrp {group name} {file or directory}: change only the group ownership of a file or directory

Topic C: Configure Special Permissions and Attributes

SUID (Set User ID): a permission bit that lets whoever runs an executable file run it with the permissions of the file's owner rather than their own.
SYNTAX

The following is the syntax for setting the SUID on a file, using symbolic and absolute mode, respectively:

# chmod u+s {file names}

# chmod 4### {file names}

SGID (Set Group ID): a permission bit that lets whoever runs an executable file run it with the permissions of the file's owning group; on a directory, files created inside it inherit the directory's group instead of the creator's primary group.

# chmod g+s {directory names}
# chmod g-s {directory names}
# ls -ld /Graphics
# sudo chmod g+s /Graphics
# ls -ld /Graphics
# su - rstanley
# cd /Graphics
# ls -l

The following is the syntax for setting the SGID on a directory, using symbolic and absolute mode, respectively:

# chmod g+s {directory names}

# chmod 2### {directory names}

Removing the SUID and SGID is as simple as using the - (minus) operator in symbolic mode, or setting the first permission bit to 0 in absolute mode.

Sticky bit

A special permission bit that protects the files in a directory: even where everyone can write to the directory, only a file's owner (or root) can delete or rename it.
SYNTAX

The syntax for setting the sticky bit is as follows, using symbolic mode and absolute mode, respectively:

# chmod +t {directory names}

# chmod 1### {directory names}

To remove it:
# chmod -t {directory name}
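Added example (not from these notes), covering both the absolute-mode digits in Topic A and the leading SUID/SGID/sticky digit above: a POSIX sh converter between the nine-character permission string printed by ls -l and the octal mode given to chmod. It also handles the upper-case S/T markers ls uses when a special bit is set without the matching execute bit. The modes it is run on are constructed test values.

```shell
#!/bin/sh
# Added example (not from the original notes): convert between the symbolic
# permission string shown by ls -l (nine characters, e.g. rwxr-xr-x) and the
# absolute mode used with chmod, including the leading SUID (4), SGID (2) and
# sticky (1) digit. ls marks those bits in the execute slot: s/t when the
# execute bit is also set, S/T when it is not.

# mode_to_octal rwsr-xr-x  -> 4755
mode_to_octal() {
  s=$1 special=0 result="" digit=0 i=0
  if [ ${#s} -ne 9 ]; then
    echo "mode_to_octal: expected a 9-character string, got '$s'" >&2
    return 1
  fi
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}          # pop the first character
    i=$((i + 1))
    case $i in 1|4|7) digit=0 ;; esac  # a new class starts: user, group, other
    case $c in
      r) digit=$((digit + 4)) ;;
      w) digit=$((digit + 2)) ;;
      x) digit=$((digit + 1)) ;;
      s|S)                               # only valid in the user or group slot
        if [ $i -eq 3 ]; then special=$((special + 4))
        elif [ $i -eq 6 ]; then special=$((special + 2))
        else echo "mode_to_octal: '$c' at position $i" >&2; return 1; fi
        if [ "$c" = s ]; then digit=$((digit + 1)); fi ;;
      t|T)                               # only valid in the other slot
        if [ $i -ne 9 ]; then echo "mode_to_octal: '$c' at position $i" >&2; return 1; fi
        special=$((special + 1))
        if [ "$c" = t ]; then digit=$((digit + 1)); fi ;;
      -) ;;
      *) echo "mode_to_octal: unexpected character '$c'" >&2; return 1 ;;
    esac
    case $i in 3|6|9) result=$result$digit ;; esac
  done
  printf '%s%s\n' "$special" "$result"
}

# octal_to_mode 2775 -> rwxrwsr-x   (a three-digit mode means no special bits)
octal_to_mode() {
  m=$1 out="" i=0
  case $m in
    [0-7][0-7][0-7]) m=0$m ;;
    [0-7][0-7][0-7][0-7]) ;;
    *) echo "octal_to_mode: expected 3 or 4 octal digits, got '$m'" >&2; return 1 ;;
  esac
  special=${m%???}; rest=${m#?}
  while [ -n "$rest" ]; do
    d=${rest%"${rest#?}"}; rest=${rest#?}
    i=$((i + 1))
    if [ $((d & 4)) -ne 0 ]; then out=${out}r; else out=${out}-; fi
    if [ $((d & 2)) -ne 0 ]; then out=${out}w; else out=${out}-; fi
    case $i in                          # which special bit belongs to this slot
      1) sp=$((special & 4)) ;;
      2) sp=$((special & 2)) ;;
      3) sp=$((special & 1)) ;;
    esac
    if [ $sp -ne 0 ]; then
      if [ $i -eq 3 ]; then xc=T; else xc=S; fi
      if [ $((d & 1)) -ne 0 ]; then xc=$(printf '%s' "$xc" | tr 'ST' 'st'); fi
    elif [ $((d & 1)) -ne 0 ]; then xc=x
    else xc=-
    fi
    out=$out$xc
  done
  printf '%s\n' "$out"
}

# Round-trip the modes used in these notes plus the special-bit cases.
for m in 755 700 644 600 764 774 4755 2775 1777; do
  sym=$(octal_to_mode "$m")
  printf '%4s  %s  %s\n' "$m" "$sym" "$(mode_to_octal "$sym")"
done
```

An upper-case S in the owner or group execute slot is worth noticing during review: it means SUID or SGID is set on something that is not executable for that class, which is usually a mistake rather than a design.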

# sudo chmod +t /Graphics
# su - jrobinson

# cd /Graphics
# rm file4

Immutable flag

An attribute of a file or directory that prevents it from being modified, renamed or deleted, even by the root user (root has to clear the flag first).
# lsattr <file1>: list the attributes of file1
# chattr +i <file1>: set the immutable flag
# chattr -i <file1>: clear the immutable flag

# sudo touch /Graphics/README
# sudo ls -l /Graphics
# sudo chattr +i /Graphics/README
# sudo ls -l /Graphics
# sudo lsattr /Graphics/README
# sudo rm /Graphics/README

getfacl

Retrieve the ACLs (access control lists) of files and directories

setfacl

Change the permissions associated with the ACL of a file or directory
# sudo setfacl -R -m g:MarketingDept:r /Graphics: recursively add (-m) an ACL entry giving the MarketingDept group read access
# getfacl /Graphics

Topic D: Troubleshooting

Permissions Troubleshooting

First and foremost, verify the permissions of the relevant object:
# ls -al
  1. The owner of a text file is denied permission to view the contents of the text file => use chmod to grant read privileges to the owner context
  2. A user is denied permission to remove a directory, despite having a write permission => use chmod to add execute permissions to the directory for the appropriate context
  3. A user is denied permission to enter into a directory, despite having read permission => use chmod to add execute permission to the directory for the appropriate context
  4. A user is denied permission to remove a file, despite having full permission on that file => use chmod to add write permission to the directory for the proper context
  5. A user is denied permission to create files in a directory they have write and execute permission to => use chattr to remove the immutable flag
  6. The root user is denied permission to modify a file => use chattr to remove the immutable flag
  7. All users have the ability to list the contents of a directory, when only the owner, group members, and a specific service account should => The read permission is set on the directory for the others context. Add the service account to the directory's ACL using the setfacl command, granting the account read access
  8. A user is denied permission to execute a script that they themselves created => use chmod to add execute permission to the script for the file owner
  9. A user is denied permission to execute a script, despite having execute permission => Use chmod to add read permission to the script for the appropriate context
  10. All users are able to delete a file, but they should only be able to write to it => By default, the write and execute permissions on directories enable users to delete the objects therein. Add the sticky bit permission to the containing directory so that only the owner or root can delete the file.
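Added example (not from these notes): a small POSIX sh model of the rule behind items 2, 4 and 10 above. Whether a user can delete a file is decided by the containing directory, not by the file's own mode: the user needs write and execute on the directory, and if the directory carries the sticky bit the user must also own the file or the directory (root is exempt). Every user, group and mode in it is made up.

```shell
#!/bin/sh
# Added example (not from the original notes): decide whether USER may delete
# a file from a directory, given the directory's mode and ownership and the
# file's owner. Deletion needs w and x on the directory; with the sticky bit
# set, the user must additionally own the file or the directory. Root bypasses
# both checks. All names and modes used below are constructed.

# in_list WORD "A B C"  -> 0 if WORD is one of the space-separated words
in_list() {
  for word in $2; do
    if [ "$word" = "$1" ]; then return 0; fi
  done
  return 1
}

# perm_digit USER "GROUPS" OWNER GROUP MODE -> the octal digit that applies to
# USER: the owner digit if USER owns the object, else the group digit if USER
# is in the owning group, else the other digit. MODE may be 3 or 4 digits.
perm_digit() {
  mode=$5
  if [ ${#mode} -eq 3 ]; then mode=0$mode; fi
  if [ "$1" = "$3" ]; then
    printf '%s' "$mode" | cut -c2
  elif in_list "$4" "$2"; then
    printf '%s' "$mode" | cut -c3
  else
    printf '%s' "$mode" | cut -c4
  fi
}

# can_delete USER "GROUPS" DIR_MODE DIR_OWNER DIR_GROUP FILE_OWNER
# Returns 0 (and prints why) if USER may remove a file owned by FILE_OWNER
# from the directory; returns 1 with the reason otherwise.
can_delete() {
  user=$1 groups_of_user=$2 dir_mode=$3 dir_owner=$4 dir_group=$5 file_owner=$6
  if [ "$user" = root ]; then
    echo "allowed: root is not subject to these permission checks"
    return 0
  fi
  digit=$(perm_digit "$user" "$groups_of_user" "$dir_owner" "$dir_group" "$dir_mode")
  # write (2) and execute (1) on the directory are both needed to unlink
  if [ $((digit & 3)) -ne 3 ]; then
    echo "denied: directory grants $digit to $user, needs w and x (chmod the directory, not the file)"
    return 1
  fi
  if [ ${#dir_mode} -eq 3 ]; then dir_mode=0$dir_mode; fi
  special=$(printf '%s' "$dir_mode" | cut -c1)
  if [ $((special & 1)) -ne 0 ] && [ "$user" != "$file_owner" ] && [ "$user" != "$dir_owner" ]; then
    echo "denied: sticky bit is set and $user owns neither the file nor the directory"
    return 1
  fi
  echo "allowed: $user has w and x on the directory"
  return 0
}

# Scenarios: a world-writable /tmp-style directory with and without the
# sticky bit, and a group-shared directory. "|| :" keeps the demo going
# after a denial if this file is run under set -e.
can_delete alice "alice staff" 1777 root  root  bob   || :
can_delete alice "alice staff" 0777 root  root  bob   || :
can_delete bob   "bob staff"   0775 alice staff alice || :
can_delete bob   "bob"         0775 alice staff alice || :
```

The second scenario is item 10 in the list: with 777 and no sticky bit, any user can remove anyone else's file; adding the sticky bit (1777) is what restricts deletion to the file's owner, the directory's owner and root.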

Ownership Troubleshooting

# ls -al: to verify user and group ownership of a file or directory
  1. A user is unable to access a file, despite the owner context having full permissions => Use the chown command to make the user the owner of the file
  2. A user is unable to delete a file, despite the containing directory granting full permissions to the group => Use the chgrp command to make the directory's owning group the same as the user's
  3. Several users are able to modify a file despite the others context only having read permission => Use chgrp to change the file's owning group to some other group
  4. When a user creates files in a shared directory, the files take on the user's group ID, when they should take on the directory's group ID => Use chmod to set the SGID permission on the containing directory
  5. When a user creates files in a shared directory, the files take on the directory's group ID, when they should take on the user's group ID => Use chmod to remove the SGID permission on the containing directory

Group Membership Troubleshooting

# groups {user name}: discover which groups a user is a member of
# /etc/group: the group database file; each line lists a group, its GID and its members