Linux Permissions
What are User and Group Permissions?
- Linux was designed to allow more than one user to have access to the system at the same time. In order for this multiuser design to work properly, there needs to be a method to protect users from each other.
- Permissions are the "rights" to act on a file or directory.
- Read - read permission allows the contents of the file to be viewed. Read permission on a directory allows you to list the contents of that directory.
- Write - write permission allows you to modify the contents of the file. Write permission on a directory allows you to add/remove files in that directory.
- Execute - execute permission allows you to run the file as a program or script. Execute permission on a directory allows you to enter it and access the files (or other directories) inside.
- Users usually have a default group, but they may belong to several additional groups.
How to view permissions of file/directory?
Use the 'ls' command like so:
$ ls -l directory/file
$ ll directory/file
10 bits in the Permissions
- First column = ten characters ("bits") = permissions of the directory/file.
- Second column = a number indicating the number of files/directories in the directory.
- It will show 1 if it is just a file; a directory with 1 file will show as 2.
- Third column = owner, then group, size, date and time of last access, and the name of the file/directory.
$ ls -al
drwxrwxr-x 2 ec2-user ec2-user    39 Jan 26 05:37 .aws
-rw------- 1 ec2-user ec2-user 26372 Mar 24 17:51 .bash_history
- 'd' this indicates a directory.
- '-' this indicates a file.
- The last 9 bits are the permissions.
- The first 3 bits are the permissions of the OWNER.
- The second 3 bits are the permissions of the GROUP.
- The last 3 bits are the permissions of OTHER users on the server.
Users and Groups
User permissions are used to provide your system with greater security without any direct interaction. The best practice is to give each user their own login to your system. This protects each user’s files from all other users. Furthermore, using specific accounts for users allows more accurate system logging, particularly when combined with tools like sudo.
Creating User Accounts
(Note: you will need root/sudo privileges.) To create a new standard user account:
- useradd:
$ useradd [user]                    # Add user
$ useradd -c "Real Name" [user]     # Add user with REAL NAME
$ useradd [user] -d /home/[user]    # Set the home directory for the user (add -m to create it)
$ useradd [user] -e [YYYY-MM-DD]    # The date when the account will expire
$ useradd [user] -f [#]             # The number of days before the account expires
What is the difference between useradd and adduser?
- 'adduser' is more user friendly and interactive. Creates a home directory and sets the default group, shell, etc. Must include username like so:
$ adduser [user]
Deleting User Accounts
(Note: you will need root/sudo privileges.) To remove a user:
- userdel:
$ userdel [user]
$ userdel -r [user]    # Remove the user, their home folder, and their files
Set a Password for the New User
- passwd:
$ passwd [user]
The user will be able to change their password at anytime using the passwd command.
$ passwd
Changing password for ec2-user.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
For maximum security, avoid situations where more than one individual knows the password for a user account.
How to list users in a Linux system
https://linuxize.com/post/how-to-list-users-in-linux/
How to view users with password
You can check /etc/shadow. A second field starting with '$' means the account has a password set.
$ cat /etc/shadow
...
ec2-user:!!:18424:0:99999:7:::
testuser:$6$r.P4TVQD$kDta0nGBdoATQh4LRjLljNn7df1BjIoD.elwRT/gFOtBn7BPRNDITuBbJhA4Vrf7Fo/3910szbb60cnqgtfv0/:18470:0:99999:7:::
Or you can use the following commands to verify which users have a password:
$ egrep '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1    # list users with a password (the regex must be quoted so the shell does not interpret it)
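The same check, extended: an added example (not from the original notes) that classifies every account in a shadow-format file, so that a locked account, a hashed password, and the dangerous empty password field are told apart. Reading the real /etc/shadow needs root, so the input here is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original notes): classify every account in a
# file in /etc/shadow format by what its password field contains. Reading the
# real /etc/shadow needs root, so the input here is a constructed sample.

audit_shadow() {  # $1 = path to a shadow-format file; prints "user: status"
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        case $hash in
            '')         status="EMPTY password field: login without a password" ;;
            '!'* | '*') status="locked / no usable password" ;;
            '$1$'*)     status="hashed (MD5, weak)" ;;
            '$5$'*)     status="hashed (SHA-256)" ;;
            '$6$'*)     status="hashed (SHA-512)" ;;
            '$y$'*)     status="hashed (yescrypt)" ;;
            '$'*)       status="hashed (other scheme)" ;;
            *)          status="unrecognized field" ;;
        esac
        printf '%s: %s\n' "$user" "$status"
    done < "$1"
}

# Same result as the egrep one-liner above: only users with a real hash.
users_with_password() { audit_shadow "$1" | grep ': hashed' | cut -d: -f1; }

# Constructed sample in shadow format; the hash bodies are placeholders.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$saltsalt$PLACEHOLDER.HASH:18470:0:99999:7:::
ec2-user:!!:18424:0:99999:7:::
daemon:*:18353:0:99999:7:::
legacy:$1$abcd$PLACEHOLDER.HASH:18000:0:99999:7:::
guest::18470:0:99999:7:::
EOF
audit_shadow "$SAMPLE"
```

An empty second field is the one to act on first: such an account can be logged into with no password at all.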
Working with Groups
chgrp or editgrp or newgrp:
- The chgrp command changes the definition of a group. The editgrp command can define a new group and change an existing group. The newgrp command defines a new group.
- Control of group membership is administered through the /etc/group file, which lists each group and its members.
- Every user has a default or primary group.
- A user may access other files in other groups, as long as they are also a member of that group and the access permissions are set.
- To run programs or create a file in a different group, the user must run the newgrp command to switch their current group:
$ newgrp finances
- If the user entering the above command is a member of the finances group in the /etc/group file, then the current group membership will change.
- It is important to note that any files created will now be associated with the finances group rather than the user's primary group.
- Users may also change the group of a file they own by using the chgrp command:
$ chgrp [group] [file]
Creating and Removing Directories
To make a directory, use 'mkdir':
$ mkdir [dir]
$ mkdir -m a=rwx [dir]    # Make a directory and set its permissions at the same time
To remove a directory, you can use:
- 'rmdir' - removes the directory entry specified by each directory argument, provided it is empty.
- 'rm -r' - 'rm' typically removes a file, but with -r it can remove a directory even if the directory is not empty.
$ rmdir [empty dir]
$ rm -r [dir]
$ rm -rf [dir]    # Be careful with this one!!!
Sudo Permissions
Understanding Sudo
- Root is the superuser and has the ability to do anything on a system. Therefore, in order to have protection against potential damage, sudo is used in place of root.
- Sudo allows users and groups access to commands they normally would not be able to use. It will allow a user to have administrative privileges without logging in as root.
Depending on your distro, you may or may not need to install the 'sudo' package:
- Debian: apt-get install sudo
- CentOS/Red Hat: yum install sudo
- In order to provide a user with sudo ability, their name will need to be added to the sudoers file.
- Log in as root (su), and enter the command visudo.
- After you have given your user account sudo privileges, save the sudoers file and log out as root. You can now run visudo like so:
$ sudo visudo
- If you lose access to sudo, you can add the user to a group that has sudo privileges, such as the 'wheel' group, using usermod:
$ usermod -aG [group] [user]
How to remove user from a group
To remove a user from a group, use the gpasswd command with the -d option as follows.
# gpasswd -d [user] [group]
How to allow user to run sudo without password
$ sudo visudo
...
## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
Chmod
Changing Directory and File Permissions
'chmod' - Change mode; used to change permissions on files and directories.
- May be used with either letters or numbers (octal) to set permissions.
Letters used with chmod are:
- r = read
- w = write
- x = execute
- X = execute (only if the file is a directory)
- s = set user or group ID on execution, setuid bit
- t = sticky bit
- u = the permissions the file currently has for the user (owner)
- g = the permissions the file currently has for users in the same group
- o = the permissions the file currently has for others not in the group
On a directory:
r - read - permission needed to do an ls inside the directory.
w - write - permission needed to create a new file (or sub-directory) inside the directory.
x - execute - permission needed to cd into the directory.
You can use the plus (+) sign to grant permissions:
$ chmod u+r,g+x [file]    # no space after the comma, or chmod treats g+x as a file name
- u is for user
- r is for read
- g is for group
- x is for execute
- The user was given read permission and the group was given execute permission on the file.
Additional File Permissions: (+t) Sticky Bit.
- +t (sticky bit) means that only the owner or root can delete the file, regardless of which users have write access to this file/directory by way of group membership or ownership. This is useful when a file or directory is owned by a group through which a number of users share write access to a given set of files.
$ chmod +t [file]    # Add the sticky bit to a file/dir
$ chmod -t [file]    # Remove the sticky bit
- To change the sticky bit you need to be root or the file owner. Root will be able to delete files regardless of the status of the sticky bit.
Setuid/Setgid Bit (+s)
+s on file:
- Allows users with permission to execute a given file to run that file with the permissions of the file owner.
- I.e. if the file ‘work.txt’ was owned by the root user and the marketing group, members of the marketing group could run the work program as if they were the root user.
- This may pose potential security risks in some cases and executables should be properly evaluated before receiving the +s flag.
$ chmod g+s /usr/bin/work.txt
+s on a directory:
- Files created in +s directories receive the ownership of that directory’s user and group, rather than the ownership of the user that created the file and their default group.
$ chmod u+s ./Dir    # Set the setuid (user id) bit on a directory named Dir
$ chmod g+s ./Dir    # Set the setgid (group id) bit on a directory
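Because +s files run with their owner's privileges, the evaluation the text calls for starts with finding them. The following audit is an added example (not from the original notes): it lists every setuid/setgid file under a tree and flags the risky case where such a file is also group- or world-writable. It is demonstrated on a constructed temp tree so it runs without root.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a directory tree for files
# carrying the setuid or setgid bit and flag the dangerous combination of +s
# with group- or world-writable permission (anyone who can write the file can
# change what runs with the owner's privileges). Demonstrated on a constructed
# temp tree so it runs without root; point it at / to audit a real host.

audit_special_bits() {  # $1 = directory; prints "mode path [WRITABLE]" per file
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
    while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -c1-10)          # e.g. -rwsr-xr-x
        # group write (020) or other write (002) on a +s file is the red flag
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
            printf '%s %s WRITABLE\n' "$mode" "$f"
        else
            printf '%s %s\n' "$mode" "$f"
        fi
    done
}

count_writable_special() { audit_special_bits "$1" | grep -c WRITABLE; }

# Constructed sample tree: three files with special bits, one without.
TREE=$(mktemp -d)
mkdir -p "$TREE/bin"
for f in safe risky shared plain; do printf '#!/bin/sh\necho hi\n' > "$TREE/bin/$f"; done
chmod 4755 "$TREE/bin/safe"      # setuid, owner-writable only: listed, not flagged
chmod 4777 "$TREE/bin/risky"     # setuid AND world-writable: flagged
chmod 2775 "$TREE/bin/shared"    # setgid AND group-writable: flagged
chmod 755  "$TREE/bin/plain"     # no special bits: not listed
audit_special_bits "$TREE"
```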
Chmod Octal Format
Octal format requires calculating the permissions for each portion of the file or directory.
- r = 4
- w = 2
- x = 1
OCTAL VALUE || READ || WRITE || EXECUTE
7           || r    || w     || x
6           || r    || w     || -
5           || r    || -     || x
4           || r    || -     || -
3           || -    || w     || x
2           || -    || w     || -
1           || -    || -     || x
0           || -    || -     || -
PERMISSION STRING || OCTAL CODE || MEANING
rwxrwxrwx         || 777        || Read, write, and execute permissions for all users.
rwxr-xr-x         || 755        || Read and execute permissions for all users. The file's owner also has write permission.
rwxr-x---         || 750        || Read and execute permissions for the owner and group. The file's owner also has write permission. Users who aren't the file's owner or members of the group have no access to the file.
rwx------         || 700        || Read, write, and execute permissions for the file's owner only; all others have no access.
rw-rw-rw-         || 666        || Read and write permissions for all users. No execute permissions for anybody.
rw-rw-r--         || 664        || Read and write permissions for the owner and group. Read-only permission for all others.
rw-rw----         || 660        || Read and write permissions for the owner and group. No world permissions.
rw-r--r--         || 644        || Read and write permissions for the owner. Read-only permission for all others.
rw-r-----         || 640        || Read and write permissions for the owner, and read-only permission for the group. No permission for others.
rw-------         || 600        || Read and write permissions for the owner. No permission for anybody else.
r--------         || 400        || Read permission for the owner. No permission for anybody else.
Chown
Changing File Ownership
- By default all files are “owned” by the user who creates them and by that user’s default group.
- To change the ownership of a file, use the ‘chown’ command.
- What's the difference between chmod and chown?
- chmod changes the user's/group's permissions on a file.
- chown changes the file's ownership.
$ chown user:group [file]
$ chown ardika:finances txt
- To change the ownership of a directory AND all of its contents, use the recursive -R flag:
$ chown -R user:group [dir]
Back Up Permissions of a File
How to Back Up Permissions and Restore
1) Back up the current permissions of the directory, such as /var/www:
$ sudo getfacl -R /var/www > /home/ec2-user/wwwvar-perms.txt
2) Change the directory to be world writeable:
$ sudo chmod -R o+w /var/www
3) Restore the permissions back:
$ cd / && sudo setfacl --restore=/home/ec2-user/wwwvar-perms.txt
How to prevent a user from downloading a file via SFTP/Filezilla
Just need to remove READ permissions. :)
Resetting Root Password
You will have to reset the password manually by interrupting GRUB and using the kernel parameter rd.break.
1. Boot the system and interrupt the booting process when you're at the GRUB menu by pressing 'e'.
2. Add the kernel parameter rd.break to the Linux kernel line.
3. Press 'ctrl+x' to boot.
4. You will enter the emergency mode prompt (or preboot screen, per Joe) to authenticate to unlock the drive.
5. Then run the following commands:
# mount -o remount,rw /sysroot
# chroot /sysroot
# passwd
# touch /.autorelabel
# exit
# logout
6. After a couple of minutes, once the relabeling is done, the system will reboot, and you can log in as the root user with the new password.
Notes:
- The rd.break parameter interrupts the boot process before control is passed over to the kernel. At this point, when you run the passwd command to reset the password, the associated shadow file (/etc/shadow) is modified with an incorrect SELinux context. The touch /.autorelabel command creates a hidden file named .autorelabel under the root directory. On the next boot, the SELinux subsystem will detect this file and relabel all of the files on the system with the correct SELinux contexts. On large disks, this process can take a good amount of time.
Reference:
[+] https://www.tecmint.com/reset-forgotten-root-password-in-rhel-8/
[+] https://learn.redhat.com/t5/Platform-Linux/Unable-to-reset-the-root-password-when-disabling-SELinux/td-p/21082
[+] https://unix.stackexchange.com/questions/509798/what-does-touch-autorelabel-do-when-we-reset-the-root-password-in-red-hat-en/509801#509801
References:
[+] https://www.linode.com/docs/tools-reference/linux-users-and-groups/
[+] Another really good document: https://access.redhat.com/solutions/1358
[+] My doc: https://docs.google.com/document/d/1wWXfDc6wmqrGWKjkB-b6-6AkEcPxL17nzvS3WJUA34A/edit?usp=sharing