Advanced File Permission in Linux

Date post: 04-Apr-2018
Upload: grthiyagu-oracle-dba
7/29/2019 Advanced File Permission in Linux
1/26
Advanced File Permissions in Linux - ( STICKY BIT )
Successful People in life seem to like LINUX Page 1 of 26

Basic User Administration in Linux

To create a new user account on any Linux distribution, use the useradd
command (adduser on Debian-based systems is an interactive front end to it).
In the simplest case only the user name is supplied. Only the superuser
(root) can create user accounts. Account information is stored in
/etc/passwd, /etc/shadow (password hashes and ageing data, readable by root
only) and /etc/group.

The usermod command modifies an existing account, e.g. to add the user to an
existing group. There are two kinds of group membership: the primary
(initial) group (-g) and supplementary groups (-G).

When a user account is created, some extra information is associated with
the account by default. To view these default values, use useradd -D:

# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no

Creating a new user without specifying a group:

# useradd sam

Files created by sam then belong to sam's own group:

$ mkdir testdir
$ touch file1
$ ls -ld file1 testdir
-rw-rw-r-- 1 sam sam 640 Jan 15 06:21 file1
drwxrwxr-x 2 sam sam 4096 Jan 15 06:18 testdir

If no group is specified when the user is created, Linux creates a group
with the same name as the user (the "user private group" scheme) and makes
the user its only member, as with user sam above.

Password in Linux

A newly created account has no password and is in locked status (its
password field in /etc/shadow contains "!" or "!!"). To unlock the account,
set a password with the passwd command as root.

Setting the password for user sam:

# passwd sam
Changing password for user sam.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

Directly supplying the encrypted password

Whatever password is supplied for an account is hashed (crypt(3)) before it
is stored in /etc/shadow. With the useradd -p option the hash can be supplied
directly; it must already be in crypt(3) format (for example the output of
openssl passwd or mkpasswd). This option is not recommended: the hash appears
on the command line, so it is visible to every user listing processes (ps)
and it ends up in the shell history.

Creating a user account with an account expiry date

# useradd -e 2013-04-30 user1

From 2013-04-30 onwards the user1 account is disabled [-e expire]. Note that
-e expires the account itself, independently of password ageing; the -f
(inactive) option below relates to password expiry, not to account expiry.

Setting the inactive period

# useradd -e 2013-04-30 -f 3 user2

-f sets the number of days after the password expires before the account is
disabled. During those 3 days user2 can still log in but is forced to change
the password at login; after that the account is locked until root resets the
password. Password expiry itself comes from the maximum password age (chage -M
or PASS_MAX_DAYS in /etc/login.defs), not from -e, which expires the whole
account on the given date.

Adding a new user [user1] with home directory /home/oracle

Normally a user has no access to /home/oracle: the directory is mode 750
(drwxr-x---), owned by oracle with group oinstall, so only oracle and members
of oinstall can enter it and read files in it. For a new user to read files
under /home/oracle, the user must belong to the oinstall group and the group
must have read and execute (search) permission on the directory.

Add user1 with oinstall as primary group (-g) and /home/oracle as home
directory (-d):

# useradd -g oinstall -d /home/oracle user1

Give the group read and execute permission:

# chmod g=rx /home/oracle/

Listing the /home/oracle permissions:

# ls -ld /home/oracle/
drwxr-x--- 29 oracle oinstall 4096 Jan 15 00:02 /home/oracle/

Logged in as user1, checking user1's home path:

$ whoami
user1
$ pwd
/home/oracle

Sharing another account's home directory is fine for this demonstration but a
poor idea in practice: user1's login shell reads oracle's start-up files
(.bash_profile, .bashrc), so whoever can modify those files controls user1's
sessions as well.

USERDEL

To remove a user from the system, use the userdel command to delete the
user's login. With the -r (remove) option the user's home directory and mail
spool are removed as well.

# userdel <username>
# userdel user1

Deletes the user1 account (the home directory and its files are left in
place, now owned by a numeric UID).

# userdel -r <username>
# userdel -r user1

Deletes the user1 account together with the home directory and everything
inside it.

# userdel -f <username>
# userdel -f user1

Forces removal even if the user is still logged in, and removes the home
directory even if it is owned by someone else or shared with another user.
This option is dangerous; use it with caution.

GROUPADD and GROUPDEL

The groupadd command creates a group account on the system. If no group_id
is specified, Linux assigns one automatically: the first unused value above
the system range (historically 500 on Red Hat based systems, 1000 on most
current distributions) and greater than every other group. Values below that
are reserved for system accounts.

Group account information is maintained in /etc/group; the secure part
(group passwords and administrators) is maintained in /etc/gshadow. Use the
useradd or usermod commands to add a user to a group.

# groupadd <groupname>   [creates a new group]

Creating a group with a specific group_id

# groupadd -g 9090 apache
# grep 9090 /etc/group
apache:x:9090:

# groupdel <groupname>

groupdel deletes (removes) a group. It is an administrative command and takes
no options: give it the group name directly. A group that is still the
primary group of some user cannot be removed.

GROUPMOD

System administration command: modify the information of a group.

Change the old group name to new_name:

# groupmod -n <new_name> <old_name>
# groupmod -n apache1 apache
# grep 9090 /etc/group
apache1:x:9090:

Change the old group id (9090) to the new id (9095):

# groupmod -g <new_gid> <groupname>
# groupmod -g 9095 apache1
# grep 9095 /etc/group
apache1:x:9095:

-g specifies a new group identification number (GID). The GID must be a
non-negative decimal integer and, unless the -o option is also given, unique.
Files already owned by the old GID keep that number and must be re-owned by
hand, e.g. find / -gid 9090 -exec chgrp apache1 {} +.

USERMOD

usermod modifies an existing user account.

Set a new home directory for user1:

# usermod -d /home/oracle user1

user1's old home path was /home/user1; from now on user1 uses /home/oracle/,
the path given with -d, as the home directory. -d on its own only updates
/etc/passwd; add -m to move the contents of the old home directory to the new
location.

Setting the account expiry date and a 1-day inactive period:

# usermod -e 2013-01-16 user1
# usermod -f 1 user1

-e  date on which the account is disabled.
-f  number of days after the password expires during which the user may
    still log in (and must change the password) before the account is
    disabled.

Set the initial (primary) group to oinstall:

# usermod -g oinstall user1

Lock the user's password (a "!" is put in front of the hash in /etc/shadow,
so no password matches any more; to block every login path, also expire the
account with chage -E 0 user1):

# usermod -L user1

Unlock the user's password:

# usermod -U user1
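The -e, -f, -L and -U options above all work by editing fields of the user's /etc/shadow record, and the difference between account expiry (-e) and the inactive period after password expiry (-f) is easiest to see by evaluating such records directly. The following script is an added example and not part of the original document: account_state() is my own function applying the shadow(5) field semantics, and the shadow lines it evaluates are constructed here (hashes shortened), not taken from any real system.

```shell
#!/bin/sh
# Evaluate an account's login state from one /etc/shadow record, the way
# login/PAM interpret the ageing fields set by useradd/usermod -e and -f.
#
# Field layout (shadow(5)): name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are day numbers (days since 1970-01-01); "today" is
# passed in as a day number too, so the result is deterministic.

account_state() {
    line=$1
    today=$2
    set -f                      # hashes may contain '*': do not glob
    old_ifs=$IFS
    IFS=:
    set -- $line                # split the record into positional fields
    IFS=$old_ifs
    set +f
    hash=${2-} lastchg=${3-} max=${5-} warn=${6-} inactive=${7-} expire=${8-}

    # usermod -L / passwd -l prefix the hash with '!', useradd leaves '!!',
    # and '*' marks accounts that never had a password: all are locked.
    case $hash in
        '!'*|'*'*) echo locked; return 0 ;;
    esac

    # useradd/usermod -e: the account itself expires on this day,
    # whatever the password state.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return 0
    fi

    # lastchg 0 means "must change password at next login" (chage -d 0).
    if [ "$lastchg" = 0 ]; then
        echo password-change-required; return 0
    fi

    # Password ageing: max (chage -M) is the password lifetime in days;
    # inactive (useradd/usermod -f) is the grace period after that.
    if [ -n "$max" ] && [ "$max" -ge 0 ]; then
        pw_expiry=$((lastchg + max))
        if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] \
           && [ "$today" -ge $((pw_expiry + inactive)) ]; then
            echo inactive-locked; return 0          # the -f days have passed
        fi
        if [ "$today" -ge "$pw_expiry" ]; then
            echo password-expired-must-change; return 0   # inside the -f grace period
        fi
        if [ -n "$warn" ] && [ "$today" -ge $((pw_expiry - warn)) ]; then
            echo password-expiry-warning; return 0
        fi
    fi
    echo ok
}

# Constructed sample records (not from a real host). Day 15825 is 2013-04-30.
# user1: account expires (-e); user2: 90-day password plus 3 inactive days (-f 3);
# locked: usermod -L applied.
SAMPLE_SHADOW='sam:$6$salt$hash:15700:0:99999:7:::
user1:$6$salt$hash:15700:0:99999:7::15825:
user2:$6$salt$hash:15700:0:90:7:3:15825:
locked:!$6$salt$hash:15700:0:99999:7:::'

# Print one line per account for the given day number.
report() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r rec; do
        printf '%-8s %s\n' "${rec%%:*}" "$(account_state "$rec" "$1")"
    done
}

report 15791    # user2's password lifetime ran out on day 15790
report 15825    # user1's account expiry date; user2 now past the -f grace period
```

Run as-is it prints the state of each sample account on the two dates; feed it real lines with `sudo cat /etc/shadow` and today's day number (`$(( $(date +%s) / 86400 ))`) to get the same verdict chage -l reports.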

LAST and LASTB

last displays a listing of the last logged-in users and of the system's
reboot times and dates:

$ last reboot
reboot system boot 2.6.9-42.0.0.0.1 Sun Jan 13 04:34 (2+21:33)
reboot system boot 2.6.9-42.0.0.0.1 Sat Jan 12 04:14 (3+21:53)

last searches back through the file /var/log/wtmp and displays a list of all
users logged in (and out) since that file was created.

$ last oracle
Lists all entries for user oracle.

$ last -6
Lists only the last 6 entries.

$ last
Lists all entries.

$ last -x | grep shutdown | head -1
shutdown system down 2.6.9-42.0.0.0.1 Wed Jan 16 02:14 - 02:21 (00:07)

-x: also display the system shutdown entries and run level changes.

$ lastb
Displays a list of recent bad login attempts (from /var/log/btmp). That file
is readable only by root and the utmp group, because failed logins often
contain mistyped passwords in the user-name field.

HISTORY

The history command displays each command's number and the command itself,
which is useful for auditing what was typed. It is a convenient tool for
reviewing previous commands:

$ history
255 cd $ORACLE_HOME
256 cd dbs/
257 orapwd file=orapwtestdb password=welcome entries=3
258 exit
259 cd $ORACLE_HOME
260 cd dbs/

Entry 257 also shows the downside of passing secrets as command-line
arguments: the orapwd password is now stored in clear text in the shell's
history file (and was visible in ps while the command ran).

CHMOD, CHGRP and CHOWN in LINUX

All three commands manage FILE/DIRECTORY access permissions in Linux. Every
file and directory in Linux has an OWNER and a GROUP. The ls -l command (or
ls -ld to show a directory itself rather than its contents) displows the
access permissions of files and directories:

drwxr-xr-x 2 oracle oinstall 4096 Jan 16 03:43 script
-rw-r--r-- 1 oracle oinstall 670 Jan 16 03:43 script.sql

chown vs chgrp

chown changes the owner of files and directories and can change the group at
the same time [owner:group; the older owner.group spelling is also accepted
by GNU chown, but the colon form is unambiguous]. On Linux only root can give
a file to another user; the owner of a file may change its group, but only to
a group the owner belongs to. CHOWN stands for CHange file OWNership.

Checking the /home/oracle path permissions:

# ls -ld /home/oracle/
drwxr-x--- 32 oracle oinstall 4096 Jan 16 06:04 /home/oracle/

Only oracle and the members of the oinstall group can access /home/oracle/,
because "others" (the last three characters, ---) have no rights on it.

Creating user sam with oinstall as primary group:

# useradd -g oinstall sam
# su - sam
$ groups
oinstall

Listing the permissions of the script directory in /home/oracle:

# pwd
/home/oracle
# ls -ld script
drwxr-xr-x 2 oracle oinstall 4096 Jan 16 03:43 script

Change the ownership to user sam (group stays oinstall):

# chown sam:oinstall script   [or]   # chown sam.oinstall script
# ls -ld script
drwxr-xr-x 2 sam oinstall 4096 Jan 16 03:43 script

Change the owner and the group of the directory:

# ls -ld script
drwxr-xr-x 2 oracle oinstall 4096 Jan 16 03:43 script
# chown sam:dba script
# ls -ld script
drwxr-xr-x 2 sam dba 4096 Jan 16 03:43 script

Change both owner and group

# ls -ld script
drwxr-xr-x 2 oracle oinstall 4096 Jan 16 03:43 script

Owner and group can be changed with a single command.

Now the script directory is owned by sam with group apache:

# chown sam:apache script
# ls -ld script
drwxr-xr-x 2 sam apache 4096 Jan 16 03:43 script

Changing the ownership of multiple files to user sam:

# pwd
/home/oracle/script
# ls -al
-rw-r--r-- 1 root root 248 Jan 16 06:02 file1
-rw-r--r-- 1 root root 254 Jan 16 06:02 file2
-rw-r--r-- 1 root root 465 Jan 16 06:02 file3
-rw-r--r-- 1 root root 640 Jan 16 06:02 file4

Changing the ownership of file1 to file3 from root to sam (brace expansion or
explicit paths, the result is the same):

# chown sam /home/oracle/script/{file1,file2,file3}
# chown sam /home/oracle/script/file1 /home/oracle/script/file2 /home/oracle/script/file3
# ls -al
-rw-r--r-- 1 sam root 248 Jan 16 06:02 file1
-rw-r--r-- 1 sam root 254 Jan 16 06:02 file2
-rw-r--r-- 1 sam root 465 Jan 16 06:02 file3
-rw-r--r-- 1 root root 640 Jan 16 06:02 file4

With -R, chown recursively changes the ownership of a directory and all of
its contents, i.e. every file and sub-directory below it.

Changing ownership recursively (-R)

# cd /home/oracle/script
# ls -al
-rw-r--r-- 1 sam root 248 Jan 16 06:02 file1
-rw-r--r-- 1 sam root 254 Jan 16 06:02 file2
-rw-r--r-- 1 sam root 465 Jan 16 06:02 file3
-rw-r--r-- 1 root root 640 Jan 16 06:02 file4

Changing the ownership from sam back to root:

# chown -R root /home/oracle/script
# chown -Rf root /home/oracle/script   [same, but without error messages]
# ls -al
-rw-r--r-- 1 root root 248 Jan 16 06:02 file1
-rw-r--r-- 1 root root 254 Jan 16 06:02 file2
-rw-r--r-- 1 root root 465 Jan 16 06:02 file3
-rw-r--r-- 1 root root 640 Jan 16 06:02 file4

-f: silent/quiet mode, suppresses most error messages. By default -R does
not follow symbolic links found inside the tree; with -L it does, which lets
a user who can write inside the tree plant a link that redirects the
ownership change to files elsewhere.

Change the owner of a file from root to sam:

-rwxrwx--- 1 root root 1304 Nov 2 09:56 space.sh
# chown <user> <filename>
# chown sam space.sh
-rwxrwx--- 1 sam root 1304 Nov 2 09:56 space.sh

Points to REMEMBER

-R includes all sub-directories.
ls -l shows the ownership of a file or directory.
chown changes the ownership of a file/folder; several files/folders can be
changed at once to the specified user and/or group.

CHGRP

chgrp - change group ownership

chgrp changes the group of a file or directory. Root can set any group; an
ordinary user can change the group of a file they own, but only to a group
they are a member of. In simple terms: change the group of one or more
FILES/DIRECTORIES to a new group.

Changing group ownership recursively:

# chgrp -R <group> /path/
# chgrp -R root /home/sam/

Changing the group of single files:

$ cd /home/sam/sample
$ ls -l
-rw-r--r-- 1 sam oinstall 260 Jan 16 11:15 f1
-rw-r--r-- 1 sam oinstall 340 Jan 16 11:15 f2
-rw-r--r-- 1 sam oinstall 468 Jan 16 11:15 f3
-rw-r--r-- 1 sam oinstall 568 Jan 16 11:15 f4
-rw-r--r-- 1 sam oinstall 862 Jan 16 11:15 f5
drwxr-xr-x 2 sam oinstall 4096 Jan 16 11:15 lsn

Changing the group from oinstall to root for f1 and f2 (three equivalent
forms):

# chgrp root /home/sam/sample/f1
# chgrp root /home/sam/sample/f2

# chgrp root /home/sam/sample/{f1,f2}

# chgrp root /home/sam/sample/f1 /home/sam/sample/f2

$ ls -l /home/sam/sample
-rw-r--r-- 1 sam root 260 Jan 16 11:15 f1
-rw-r--r-- 1 sam root 340 Jan 16 11:15 f2
-rw-r--r-- 1 sam oinstall 468 Jan 16 11:15 f3
-rw-r--r-- 1 sam oinstall 568 Jan 16 11:15 f4
-rw-r--r-- 1 sam oinstall 862 Jan 16 11:15 f5
drwxr-xr-x 2 sam oinstall 4096 Jan 16 11:15 lsn

Changing file f5 from oinstall to apache

chgrp -c prints a report (verbose) whenever a change is actually made:

# chgrp -c apache /home/sam/sample/f5
changed group of `/home/sam/sample/f5' to apache
# ls -l
-rw-r--r-- 1 sam apache 862 Jan 16 11:15 f5

Without -c, chgrp prints nothing when a change is made.

FILES and DIRECTORIES Permission in LINUX

FILE BASE PERMISSION : 666 (the widest mode a newly created file can get
before the umask is applied; new files never get execute bits)
DIR BASE PERMISSION : 777

777 (rwxrwxrwx)
No restrictions. Anybody may do anything: list files, create new files in the
directory and delete files in the directory.

755 (rwxr-xr-x)
The owner may read, write and execute. All others may read and execute (list
the directory and enter it) but cannot create or delete anything in it. This
setting is common for directories that are shared read-only with others.

700 (rwx------)
The owner has full access: read, write and execute. Nobody else has any
rights.

666 (rw-rw-rw-)
All users may read and write the file (so anyone can also truncate or
overwrite it).

644 (rw-r--r--)
The owner can read and write the file; all others may only read it. This is
the setting for files that everyone may read but only the owner may change.

600 (rw-------)
The owner may read and write the file. All others have no rights.

CHMOD

CHMOD stands for CHange MODe. The chmod command changes the access
permissions (the mode) of files and directories.

TYPES of FILE permission

read    : permitted to open and read the contents of the file.
write   : permitted to write to (overwrite) or modify the file.
execute : permitted to execute the file as a program/script.

Types of DIRECTORY permission

read    : permitted to list the names in the directory (files and sub-dirs).
write   : permitted to create, delete and rename entries in the directory
          (together with execute). Deleting a file is a write to the
          directory, not to the file: the file's own permissions play no
          part in it.
execute : permitted to enter the directory (cd) and to access entries in it
          by name; without it, names listed with read cannot be opened.

Numeric values for read (r), write (w) and execute (x):

read    : 4
write   : 2
execute : 1

So 7 comes from read + write + execute (4+2+1) = 7.

OPCODE, Permissions

+ : add permission
- : remove permission
= : assign permission (exactly this set, clearing the rest for that role)

The ls -l command shows the permissions of a FILE or DIRECTORY.

Symbolic representation of the three roles

u is for user (the owner)
g is for group
o is for others
a is for all of the above (an abbreviation for ugo)

Example of how a file/dir may be listed (ls -l):

drwxr-xr-x 2 oracle oinstall 4096 Jan 16 07:14 script
-rw-r--r-- 1 oracle oinstall 690 Jan 16 20:50 script.sql

If the first character is d, it is a directory.
If the first character is -, it is a regular file; l, b, c, p and s denote a
symbolic link, block device, character device, named pipe and socket.

The next 9 characters are broken down into 3 groups of 3 characters:

first three  : permissions of the owner
middle three : permissions of the group
last three   : permissions of everyone else

Sample permission settings for a FILE/DIRECTORY (ugo):

position  1     2    3     4       5    6     7       8    9     10
          type  ---- user ----     ---- group ----    ---- other ----
                read write execute read write execute read write execute

drwxrwxrwx = read, write and execute for owner, group and all others
-rwxrwx--- = read, write and execute for owner and group only
-rw-rw-rw- = read and write for owner, group and all others
-rwx------ = read, write and execute for owner only

Adding a single permission to a file/dir

$ chmod u+x <file>
$ chmod u+r sample.sh
$ ls -ld sample.sh
-r-------- 1 oracle oinstall 640 Jan 17 00:05 sample.sh

Adding multiple permissions to a file/dir

$ chmod u=rw,g=rx,o+r sample.sh
$ ls -ld sample.sh
-rw-r-xr-- 1 oracle oinstall 640 Jan 17 00:05 sample.sh

Removing permissions from a file/dir

$ chmod g-rx,o-r sample.sh
$ ls -ld sample.sh
-rw------- 1 oracle oinstall 640 Jan 17 00:05 sample.sh

Changing the permissions for all roles on a file/dir

$ chmod a+rwx sample.sh
$ ls -ld sample.sh
-rwxrwxrwx 1 oracle oinstall 640 Jan 17 00:05 sample.sh

Making the permissions of a file the same as another file (using a reference)

$ ls -ld sample*
-rw-r--r-- 1 oracle oinstall 640 Jan 17 01:08 sample1.sh
-rwxrwxrwx 1 oracle oinstall 640 Jan 17 00:05 sample.sh

To give a file the same permissions as another file, use the --reference
option. In this example the permissions of sample1.sh are set to exactly
those of sample.sh:

$ chmod --reference=sample.sh sample1.sh
$ ls -ld sample*
-rwxrwxrwx 1 oracle oinstall 640 Jan 17 01:08 sample1.sh
-rwxrwxrwx 1 oracle oinstall 640 Jan 17 00:05 sample.sh

Here sample1.sh has been given exactly the permissions of sample.sh.

Applying permissions to all files/sub-dirs (recursively)

-R changes the permissions recursively.

# cd /home/oracle
# tree test/
test/
|-- f1
|-- f2
|-- test1
|   |-- f1
|   `-- f2
|-- test2
|   |-- f1
|   `-- f2
`-- test3
    |-- f1
    `-- f2

3 directories, 8 files

Every directory and file below test/ gets mode 755 (both commands are
equivalent):

# chmod -R 755 /home/oracle/test/
# chmod -R u=rwx,g=rx,o=rx /home/oracle/test/

Note that a numeric mode applied with -R also marks every regular file
executable. To give directories search permission without making the files
executable, use the symbolic X, which sets x only on directories and on files
that are already executable:

# chmod -R u=rwX,g=rX,o=rX /home/oracle/test/

POINTS TO REMEMBER

chown : change the ownership of a file/dir (root is needed to change the owner)
chgrp : change the "group ownership" of a file or directory
chmod : change the "access rights" to a file or directory

Directory base permission is 777; with the usual umask of 022 the default
permission of a new directory is 755 (777 - 022).
File base permission is 666; with umask 022 the default permission of a new
file is 644 (666 - 022).

The umask names the bits to remove from the base mode. Strictly it is not a
subtraction but a bitwise AND with the complement (base & ~umask), which
matters when a umask bit is not present in the base: umask 033 gives a new
file 644, not 633.

read=4; write=2; execute=1

Octal representation for permissions

Setting (rw) for user and (r) for group and others:

$ chmod 644 sample.sql
$ chmod u=rw,g=r,o=r sample.sql

Setting (rx) for user, nothing (0) for group and r (4) for others:

$ chmod 504 script.sh
$ chmod u=rx,g=,o=r script.sh

Setting (rw) for user, (r) for group and nothing (0) for others:

$ chmod 640 samp.sql
$ chmod u=rw,g=r,o= samp.sql

STICKY BIT

The STICKY BIT is used mainly on shared, world-writable directories to stop
users from deleting or renaming each other's files. With the sticky bit set
on a directory, a file (or sub-directory) inside it can be removed or renamed
only by the owner of that file, the owner of the directory, or the superuser
(root), even though everyone has write permission on the directory.

The STICKY BIT is shown as the letter t in the last character of the
permission string, in place of the execute bit for others.

Identifying the sticky bit:

$ ls -ld /var/tmp
drwxrwxrwt 3 root root 4096 Dec 24 03:40 /var/tmp

The trailing "t" tells us that the sticky bit is set.

"t" is shown when the others' execute permission is ON.
"T" is shown when the others' execute permission is OFF.

The classic example is /tmp, which must be publicly writable but must not let
users delete or rename files that belong to someone else.

Sticky bit setup

The chmod command sets the sticky bit. With OCTAL numbers, put a 1 in front
of the three-digit directory mode:

$ chmod 1757 .

In 1757 the leading 1 sets the STICKY BIT, 7 gives full permissions to the
owner, 5 gives (r-x) to the group, and the final 7 gives full permissions to
others.

Setting the sticky bit on a directory (option 1)

/home/rose$ mkdir shell_scripts shell_samples
$ ls -l
drwxr-xr-x 2 rose oragroup 4096 Jan 17 10:45 shell_scripts
drwxr-xr-x 2 rose oragroup 4096 Jan 17 10:45 shell_samples

Difference between t and T:

$ chmod 1757 shell_scripts
$ chmod 1750 shell_samples
$ ls -ld shell_scripts shell_samples
drwxr-xrwt 2 rose oragroup 4096 Jan 17 10:45 shell_scripts
drwxr-x--T 2 rose oragroup 4096 Jan 17 10:45 shell_samples

With 1750 others have no execute (search) permission, so the sticky bit is
shown as a capital T. A capital T therefore always means that others cannot
enter the directory at all, and the sticky bit makes no difference to them.
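A practitioner reads modes both ways, from ls -l strings to chmod numbers and back, and the t/T and s/S cases shown here are where mistakes creep in. The following script is an added example and not part of the original document: mode_to_octal, octal_to_symbolic and apply_umask are my own helper functions. Between them they cover the symbolic notation, the octal notation and the umask rule from the earlier sections as well as the special bits, and they run without touching the filesystem.

```shell
#!/bin/sh
# Convert between the 10-character mode string printed by ls -l and the
# 4-digit octal mode used by chmod, honouring s/S (setuid, setgid) and
# t/T (sticky), plus the umask arithmetic behind default permissions.

# mode_to_octal 'drwxr-xrwT' -> 1756. The first character (file type) is
# ignored. Returns 1 on a malformed string.
mode_to_octal() {
    [ ${#1} -eq 10 ] || return 1
    rest=${1#?}                    # drop the file-type character
    special=0 digits= val=0 pos=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}      # first remaining character
        rest=${rest#?}
        triad=$((pos / 3))         # 0 = user, 1 = group, 2 = other
        slot=$((pos % 3))          # 0 = r, 1 = w, 2 = x
        pos=$((pos + 1))
        case $c in
            r) [ $slot -eq 0 ] || return 1; bit=4 ;;
            w) [ $slot -eq 1 ] || return 1; bit=2 ;;
            x) [ $slot -eq 2 ] || return 1; bit=1 ;;
            # s/S are only valid in the user and group execute slots
            s) [ $slot -eq 2 ] && [ $triad -lt 2 ] || return 1
               bit=1; special=$((special | (4 >> triad))) ;;
            S) [ $slot -eq 2 ] && [ $triad -lt 2 ] || return 1
               bit=0; special=$((special | (4 >> triad))) ;;
            # t/T are only valid in the "other" execute slot
            t) [ $slot -eq 2 ] && [ $triad -eq 2 ] || return 1
               bit=1; special=$((special | 1)) ;;
            T) [ $slot -eq 2 ] && [ $triad -eq 2 ] || return 1
               bit=0; special=$((special | 1)) ;;
            -) bit=0 ;;
            *) return 1 ;;
        esac
        val=$((val + bit))
        if [ $slot -eq 2 ]; then   # triad complete: emit its digit
            digits="$digits$val"; val=0
        fi
    done
    printf '%d%s\n' "$special" "$digits"
}

# octal_to_symbolic 1757 -> rwxr-xrwt. Accepts 3 or 4 octal digits.
octal_to_symbolic() {
    case ${#1} in
        3) special=0; rest=$1 ;;
        4) special=${1%???}; rest=${1#?} ;;
        *) return 1 ;;
    esac
    out= triad=0
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}; rest=${rest#?}
        case $d in [0-7]) ;; *) return 1 ;; esac
        flag=$((special & (4 >> triad)))   # special bit belonging to this triad
        if [ $triad -lt 2 ]; then lower=s upper=S; else lower=t upper=T; fi
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then
            if [ $flag -ne 0 ]; then out="$out$lower"; else out="${out}x"; fi
        else
            if [ $flag -ne 0 ]; then out="$out$upper"; else out="${out}-"; fi
        fi
        triad=$((triad + 1))
    done
    printf '%s\n' "$out"
}

# apply_umask 666 022 -> 644. Computed as base & ~umask, not base - umask.
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

for m in drwxr-xr-x drwxrwxrwt drwxr-x--T drwxr-xrwT -rwsr-xr-x drwxrwsrwx; do
    printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
for o in 1750 1757 4755 2777 644; do
    printf '%s -> %s\n' "$o" "$(octal_to_symbolic "$o")"
done
printf 'file 666 with umask 022 -> %s\n' "$(apply_umask 666 022)"
printf 'dir  777 with umask 022 -> %s\n' "$(apply_umask 777 022)"
printf 'file 666 with umask 033 -> %s\n' "$(apply_umask 666 033)"
```

The output for drwxr-xrwT is 1756 rather than 1750: a capital T with rw- for others means others can create files but not enter the directory, which is a different mode from 1750 (drwxr-x--T).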

Setting the sticky bit on a directory (option 2)

/home/rose
$ tree
.
|-- sample_scripts
|-- shell_scripts
|-- shell_samples
`-- test_dir
    |-- file1
    |-- file2
    `-- file3

4 directories, 3 files

Enable the sticky bit on test_dir:

$ mkdir test_dir
$ chmod 757 test_dir/
$ chmod +t test_dir/
$ ls -l
drwxr-xrwt 2 rose oragroup 4096 Jan 17 11:37 test_dir

Creating files under test_dir [as rose]:

$ cd test_dir/
$ touch file1 file2 file3
$ ls -l
-rw-r--r-- 1 rose oragroup 128 Jan 18 00:40 file1
-rw-r--r-- 1 rose oragroup 264 Jan 18 00:40 file2
-rw-r--r-- 1 rose oragroup 187 Jan 18 00:00 file3

Connecting as user oracle to access /home/rose/test_dir:

[oracle@localhost ~]$ ls -ld /home/rose/test_dir/
drwxr-xrwt 2 rose oragroup 4096 Jan 18 01:07 /home/rose/test_dir/
$ cd /home/rose/test_dir/
$ ls -l
-rw-r--r-- 1 rose oragroup 128 Jan 18 00:40 file1
-rw-r--r-- 1 rose oragroup 264 Jan 18 00:40 file2
-rw-r--r-- 1 rose oragroup 187 Jan 18 00:00 file3

Now user oracle can access test_dir and its contents. Let's check how the
sticky bit works here.

User oracle trying to remove all files under test_dir:

[oracle@testorcl test_dir]$ rm -rf fi*
rm: cannot remove `file1': Operation not permitted
rm: cannot remove `file2': Operation not permitted
rm: cannot remove `file3': Operation not permitted

User oracle trying to move all files under test_dir to /home/rose:

[oracle@testorcl test_dir]$ mv file* /home/rose/
mv: cannot move `file1' to `/home/rose/file1': Operation not permitted
mv: cannot move `file2' to `/home/rose/file2': Operation not permitted
mv: cannot move `file3' to `/home/rose/file3': Operation not permitted

User oracle trying to remove test_dir:

$ cd ..
[oracle@testorcl rose]$ rm -rf test_dir/
rm: cannot remove `test_dir//file3': Operation not permitted
rm: cannot remove `test_dir//file2': Operation not permitted
rm: cannot remove `test_dir//file1': Operation not permitted

All three operations fail because the sticky bit is enabled on test_dir.
Other users cannot remove or move (rename) entries in test_dir that they do
not own, even though the directory is world-writable; they can still create
files of their own there and remove those. The error is "Operation not
permitted" (EPERM) rather than "Permission denied" (EACCES), which is how a
sticky-bit refusal can be told apart from a plain missing write permission.
This is the typical use of the sticky bit on a directory: preventing
ordinary users from deleting or moving each other's files.

As said above, the owner and the superuser (root) can delete/rename the files
or directories even with the sticky bit enabled. Let's check.

Superuser (#, root) deletes the contents of test_dir:

# rm -rf /home/rose/test_dir/f*
# cd /home/rose/test_dir/
# ls -l
total 0

Directory owner (rose) removes test_dir:

/home/rose
$ rm -rf test_dir/
$ ls -ld test_dir
ls: test_dir: No such file or directory
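The rose/oracle/root results above follow from one rule that the kernel applies before allowing unlink() or rename() on a directory entry. The following script is an added example and not part of the original document: may_unlink() is my own model of that rule (the caller_class parameter is a simplification that stands in for the kernel's choice of which permission triad applies to the caller), so the three cases from the text can be reproduced without three accounts.

```shell
#!/bin/sh
# Model of the check Linux makes before removing or renaming an entry in a
# directory: write+search permission on the directory, then the sticky-bit
# ownership rule. The file's own permissions never matter.
#
# may_unlink DIR_MODE DIR_OWNER FILE_OWNER CALLER CALLER_CLASS
#   DIR_MODE      octal mode of the directory, e.g. 1757 or 755
#   CALLER_CLASS  triad that applies to the caller on the directory:
#                 u (caller owns it), g (member of its group), o (anyone else)
# Prints "allowed" or "denied: <reason>" and returns 0 or 1 accordingly.
may_unlink() {
    dir_mode=$1 dir_owner=$2 file_owner=$3 caller=$4 class=$5

    # root (CAP_FOWNER + CAP_DAC_OVERRIDE) bypasses both checks
    [ "$caller" = root ] && { echo allowed; return 0; }

    # Split the mode into the special digit and the ugo digits.
    case ${#dir_mode} in
        4) special=${dir_mode%???}; perms=${dir_mode#?} ;;
        3) special=0; perms=$dir_mode ;;
        *) echo "bad mode $dir_mode" >&2; return 2 ;;
    esac
    case $class in
        u) digit=${perms%??} ;;
        g) digit=${perms#?}; digit=${digit%?} ;;
        o) digit=${perms#??} ;;
        *) echo "bad class $class" >&2; return 2 ;;
    esac

    # Removing an entry needs write (2) AND search (1) on the directory.
    if [ $((digit & 3)) -ne 3 ]; then
        echo "denied: no write+search permission on directory"; return 1
    fi

    # Sticky bit: only the file's owner or the directory's owner may remove it.
    if [ $((special & 1)) -ne 0 ] \
       && [ "$caller" != "$file_owner" ] && [ "$caller" != "$dir_owner" ]; then
        echo "denied: sticky bit set and caller owns neither file nor directory"; return 1
    fi
    echo allowed
}

# The scenario from the text: /home/rose/test_dir is 1757 and owned by rose;
# oracle is neither rose nor a member of oragroup, so class o applies.
for args in "1757 rose rose oracle o"  \
            "1757 rose oracle oracle o" \
            "1757 rose rose rose u"     \
            "1757 rose rose root o"     \
            "0755 rose rose oracle o"   \
            "0777 rose rose oracle o"; do
    printf '%-28s %s\n' "$args" "$(may_unlink $args)"
done
```

The last two lines of output show the two halves of the rule: with 0755 oracle is refused for lack of write permission (EACCES in practice), and with 0777 and no sticky bit oracle may delete rose's files freely, which is exactly what the sticky bit on /tmp prevents. rename() applies the same ownership test to the source entry, which is why the mv in the text fails too.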

POINTS TO NOTE:

Can the sticky bit be set on files?
Yes, but on Linux it is ignored: setting the sticky bit on a regular file
does nothing (older Unix systems used it to keep a program's text in swap).

To remove the sticky bit from a FILE/DIRECTORY, use the -t option:
$ chmod -t <dir>

Newer kernels add restrictions on top of the sticky bit for world-writable
directories such as /tmp (the fs.protected_symlinks, fs.protected_hardlinks,
fs.protected_regular and fs.protected_fifos sysctls); these block the classic
symlink and pre-created-file attacks that the sticky bit alone does not
prevent.

There are three special attributes other than the common (r/w/x):

drwxrwxrwt - sticky bit - chmod 1777
drwsrwxrwx - SUID set   - chmod 4777
drwxrwsrwx - SGID set   - chmod 2777

Advanced File Permission in Linux

SUID or SETUID:

suid and sgid on FILES

SUID: change the user ID on execution. The program runs with the effective
user ID of the file's owner instead of the ID of the user who started it.
Set the owner to root and a normal user can run the program with root-level
rights, which is why every setuid-root binary on a system is part of its
attack surface.

SGID or SETGID:

SGID on files: change the group ID on execution. The program runs with the
effective group ID of the file's group. If that group is privileged (for
example the group that owns a log or device file), anyone who can run the
program acts with those rights.

Simple example

SUID: when you run a program and it tries to access files or directories, it
normally uses your own user and group IDs for the permission checks. If you
do not have access to a file, the program does not have it either. With SUID
set on the executable, the user ID of the file's owner is used instead when
it runs. The same holds for the group and SGID. (The kernel ignores SUID and
SGID on interpreter scripts and on filesyst­ems mounted with nosuid.)

SGID: sgid on DIRECTORIES. When you create a file or directory, the result
normally gets your user ID and your primary group ID. If the directory you
create it in has SGID set, the new file or directory instead inherits the
group ID of that directory, and new sub-directories inherit the SGID bit as
well. This is how a shared project directory keeps every file in the project
group regardless of who created it.
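Because a setuid or setgid file hands its owner's or group's rights to whoever can execute it, and a world-writable directory without the sticky bit lets anyone delete anyone else's files, finding all three special bits on a system is a standard hardening and incident-response check. The following script is an added example and not part of the original document: find_setuid, find_setgid and find_ww_nosticky are my own wrappers around POSIX find -perm, and make_fixture builds a small constructed directory tree so the script runs stand-alone without root (a user may set these bits on files and directories they own).

```shell
#!/bin/sh
# Audit a directory tree for setuid files, setgid files and world-writable
# directories that lack the sticky bit, using only POSIX find -perm.

# Strip the "$1/" prefix from each path on stdin and sort, so results are
# comparable regardless of where the tree lives.
relpaths() {
    while IFS= read -r p; do printf '%s\n' "${p#"$1/"}"; done | sort
}

# Regular files with the setuid bit (4000): run as their owner.
find_setuid() { find "$1" -type f -perm -4000 | relpaths "$1"; }

# Regular files with the setgid bit (2000): run with their group.
find_setgid() { find "$1" -type f -perm -2000 | relpaths "$1"; }

# Directories writable by everyone (0002) WITHOUT the sticky bit (1000):
# anyone can delete or rename anyone else's files in them.
find_ww_nosticky() { find "$1" -type d -perm -0002 ! -perm -1000 | relpaths "$1"; }

# Build a constructed tree exercising each case and print its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared_ok" "$d/shared_bad" "$d/private"
    : > "$d/su_helper"; : > "$d/sg_helper"; : > "$d/plain"
    chmod 4755 "$d/su_helper"      # setuid  -> -rwsr-xr-x
    chmod 2755 "$d/sg_helper"      # setgid  -> -rwxr-sr-x
    chmod 0755 "$d/plain"
    chmod 1777 "$d/shared_ok"      # world-writable with sticky bit, like /tmp
    chmod 0777 "$d/shared_bad"     # world-writable, no sticky bit
    chmod 0700 "$d/private"
    printf '%s\n' "$d"
}

fixture=$(make_fixture)
echo "setuid files:";                  find_setuid "$fixture"
echo "setgid files:";                  find_setgid "$fixture"
echo "world-writable without sticky:"; find_ww_nosticky "$fixture"
rm -rf "$fixture"
```

Point the three functions at / (as root, adding -xdev to stay on one filesystem) to audit a real host; the setuid list is the one to compare against a known-good baseline after an incident.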
