#90DaysOfDevOps Challenge - Day6


File Permissions and Access Control Lists

⚡File Permissions:

The Linux file system determines who can access files and directories on a system, and how. This post gives an overview of Linux file permissions, how they work, and how to change them.

-- To view the permissions, we use the ls -l command.

Here we see the metadata of files and directories -

  1. The first character shows if it's a file (-) or a directory (d).
  2. The next 9 characters (three rwx groups) show the permissions.
  3. The next column shows the owner of the file.
  4. The next column shows who is the group owner of the file.
  5. Then the size of the file (bytes) is shown.
  6. The final column shows the filename.

🌟Type of Ownership - 3 types

-- user (u) - This is applied only to the owner of the file or directory.

-- group (g) - This is applied to the group assigned to the file or directory and does not affect the actions of other users.

-- other users (o) - This is applied to all other users on the system.

🌟Security permissions -

File permissions -

Read - This permission is used to access the file's content. Read permission is required to make copies of a file because we need to access the file's content to duplicate it.

-- We can use cat or less commands to see the file content.

Write - Required to modify or change the file content.

Execute - Allows us to execute the content of a file, such as a bash shell script or a Python program.

Directory permissions -

Read - This allows us to list the contents of the directory, i.e. view the files and subdirectories stored within it. This is required for the ls command.

Write - This allows us to modify the content of the directory.

-- Create or copy files into the directory.

-- Move or remove files from the directory.

Execute - On a directory this permission means something different from what it means on a file. Execute permission provides access to the directory: it not only authorizes you to look at the extended information of files in the dir but also allows you to change your working directory into it or pass through it when you access any subdirectory inside.

How to change the security permissions:

We use the chmod command which stands for "change mode".

There are 2 ways of modifying the permissions.

  1. Using octal values - 4, 2, 1 (for read, write and execute respectively)
  2. Using symbols - r, w, x

Syntax: chmod <permission> <filename>

Ex.

> chmod u+x task3.sh

> chmod 764 task3.sh

Both commands will give the following (the first one only if task3.sh currently has rw-rw-r--, since u+x only adds the execute bit for the owner and leaves the other bits as they are) -

rwx to the owner (u)

rw- to group (g)

r-- to other users (o)

Another example -

> chmod ug+rwx task2.sh

This gives read, write and execute permission to the owner and the group.

There can be many combinations and ways to define a set of permissions using symbols and octal values.
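
Added example, not from the original post: a bash snippet that applies both forms to a scratch file and reads the resulting mode back with stat, showing that u+x only adds one bit (so the result depends on the starting mode) while 764 sets all nine bits at once. It assumes GNU coreutils on Linux (stat -c, mktemp).

```shell
#!/usr/bin/env bash
# Symbolic chmod (u+x) is relative to the current mode; octal chmod (764)
# sets the mode absolutely. Added example, not the post's own commands.
# Assumes GNU coreutils on Linux (stat -c); scratch files come from mktemp
# and are removed again.

# mode_after START ARG -> prints "octal symbolic", e.g. "764 -rwxrw-r--".
# START is the octal mode the scratch file is given first, ARG is the
# argument then handed to chmod.
mode_after() {
  local start="$1" arg="$2" f
  f=$(mktemp)
  chmod "$start" "$f"
  chmod "$arg" "$f"
  stat -c '%a %A' "$f"
  rm -f "$f"
}

# octal_to_symbolic 764 -> rwxrw-r-- (per digit: 4 = r, 2 = w, 1 = x)
octal_to_symbolic() {
  local out="" d
  for d in $(printf '%s' "$1" | sed 's/./& /g'); do
    [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
  done
  printf '%s' "$out"
}

main() {
  echo "from 664, chmod u+x    : $(mode_after 664 u+x)"     # 764 -rwxrw-r--
  echo "from 644, chmod u+x    : $(mode_after 644 u+x)"     # 744 -rwxr--r-- (not 764)
  echo "from 644, chmod 764    : $(mode_after 644 764)"     # 764 -rwxrw-r--
  echo "from 600, chmod ug+rwx : $(mode_after 600 ug+rwx)"  # 770 -rwxrwx---
  echo "764 spelled out        : $(octal_to_symbolic 764)"  # rwxrw-r--
}
main
```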

⚡Special Permissions:

🌟SUID - set user ID.

-- This is applied to the user access level.

-- If SUID is set on a file, it always executes as the user who owns the file, no matter who runs it.

-- The passwd command has SUID set, so any non-root user can change their own password, because it executes as root.

-- Symbol:

S (capital) - the execute bit is not set.

s (small) - the execute bit is set.

-- ex: chmod u+s file.txt

🌟SGID - set group ID.

-- This is applied to the group access level.

-- If SGID is set on a directory, then all the files and directories created inside it (no matter who creates them) inherit the group ownership of the parent directory. The owner of the file is still the user who created it.

-- Symbol is the same as SUID, the difference is that it is applied to the group ownership.

-- ex: chmod g+s file.txt

🌟Sticky Bit

-- This is applied to the other users' access level.

-- This permission is used on directories to prevent other users from deleting the directory's contents even though they have write permission on the directory. Except for the owner and the root user, no one can delete the directory's contents.

-- Symbol:

T (capital) - the execute bit is not set.

t (small) - the execute bit is set.

-- ex: chmod o+t file.txt

Note:

Octal values-

SUID - 4

SGID - 2

STICKY BIT - 1

We can change the permissions using the octal values as well.

ex: chmod 4744 test - here the leading 4 is for SUID.

chmod 2744 test - here the leading 2 is for SGID.

chmod 1744 test - here the leading 1 is for the sticky bit.
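
Added example, not from the original post: a bash snippet that sets the special bits with the octal prefix on scratch files and directories and decodes the s/S and t/T letters in the ls -l style mode string. It assumes GNU coreutils on Linux (stat -c, mktemp -d).

```shell
#!/usr/bin/env bash
# Shows how SUID, SGID and the sticky bit appear in ls -l output, why a
# capital S/T means the execute bit underneath is missing, and how the
# leading octal digit (4/2/1) sets them. Added example, not the post's
# own commands. Assumes GNU coreutils on Linux (stat -c, mktemp).

# special_mode MODE [dir] -> "octal symbolic" of a scratch file (or dir)
# after chmod MODE, e.g. "4744 -rwsr--r--".
special_mode() {
  local mode="$1" kind="${2:-file}" p
  if [ "$kind" = dir ]; then p=$(mktemp -d); else p=$(mktemp); fi
  chmod "$mode" "$p"
  stat -c '%a %A' "$p"
  rm -rf "$p"
}

# describe_special SYMBOLIC -> which special bits are set and whether the
# execute bit they replace in the display is present
# ("-rwSr--r--" -> "SUID(no x)"). Positions 4, 7 and 10 hold u/g/o execute.
describe_special() {
  local s="$1" out=""
  case "$(printf '%s' "$s" | cut -c4)" in s) out="$out SUID(with x)";; S) out="$out SUID(no x)";; esac
  case "$(printf '%s' "$s" | cut -c7)" in s) out="$out SGID(with x)";; S) out="$out SGID(no x)";; esac
  case "$(printf '%s' "$s" | cut -c10)" in t) out="$out sticky(with x)";; T) out="$out sticky(no x)";; esac
  printf '%s' "${out# }"
}

main() {
  echo "chmod 4744 file : $(special_mode 4744)"       # 4744 -rwsr--r--
  echo "chmod 4644 file : $(special_mode 4644)"       # 4644 -rwSr--r-- (S: no x)
  echo "chmod 2754 file : $(special_mode 2754)"       # 2754 -rwxr-sr--
  echo "chmod 1777 dir  : $(special_mode 1777 dir)"   # 1777 drwxrwxrwt
  echo "chmod 1776 dir  : $(special_mode 1776 dir)"   # 1776 drwxrwxrwT (T: no x)
  echo "drwxrwsrwt means: $(describe_special drwxrwsrwt)"  # SGID(with x) sticky(with x)
}
main
```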

⚡Access Control List in Linux:

ACLs are useful when we need to give access to users or groups that are not covered by the regular file permissions.

With ACLs, you can grant permission to multiple users and groups, identified by user name, group name, UID, or GID, using the same permission flags that are used with regular file permissions: read, write, and execute.

Important commands:

  • getfacl <file/dir name> - to view the current ACL of a file or dir.

Right now there are no extra ACL entries on this directory, because the only permissions listed are for the user, group, and others.

  • setfacl [option] [action/specification] file

-- The action is -m (modify) or -x (remove).

-- The specification is the user or group followed by the permissions we want to set.

Now we can see the default ACL for this dir.

Owner: Aish

Group owner: Aish

  • I have 3 users and 2 groups-

  • If Raj from the Aish group wants to create a file in the finance dir, he can do that.

(screenshot: user - Raj, group - Aish)

  • If user1, who is not in the group Aish, wants to create files inside this dir, he won't have permission to do that.

(screenshot: user - user1, group - user1 -> Permission denied)

  • If we want to give user1 the ability to see and create new files inside the finance dir, we can set an ACL for this user.

setfacl -m user1:rwx finance/

Now user1 can create files inside this folder, as he has rwx permissions.

  • Further, I decided that user1 should only be able to read the files in the finance group and should work in his own dir - user1.

  • Created a separate dir for user1 but kept the group owner as Aish, so that the users of the Aish group can see user1's work. Because the folder is owned by the Aish group, anyone in that group can put files in the user1 dir.

  • If we do not want anyone to see what user1 is working on then we will have to modify the ACL for the group Aish.

sudo setfacl -m g:Aish:- user1/

To set an ACL for a group we use g, and for a user we use u, in front of the group/user name. If we put nothing, it is treated as a user by default.

  • We still have to remove the base permissions for the group owner so that the rest of the Aish team can't look into user1's work:

  • Now if the user Aish from the group Aish tries to cd into the user1 dir, it gives permission denied, as the group permissions are set to ---.

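
Why the extra chmod in the last two steps is needed, as an added example that is not part of the post: a small bash re-implementation of the POSIX ACL check, run over constructed getfacl output for the user1 dir with the names user1 and Aish from the post. The one fact it relies on beyond the post is that once a directory carries an ACL, chmod's group bits change the mask:: entry rather than group::, and the mask caps every entry except owner and other.

```shell
#!/usr/bin/env bash
# Walks the POSIX ACL check (owner -> named user -> owning/named groups -> other,
# mask applied to all but owner and other) over getfacl-style text. Shows why
# "setfacl -m g:Aish:- user1/" alone leaves the Aish group in (group:: still rwx)
# and why "chmod g-rwx user1/" locks it out: with an ACL present, chmod's group
# bits rewrite mask::, not group::. Added example, not the post's commands;
# the getfacl text is constructed. Assumes bash or dash, sed and head.
# entry ACL_TEXT PREFIX -> rwx field of the first entry whose tag is PREFIX plus
# a colon: 'user:' matches user::, 'user:bob' matches user:bob:, 'mask:' matches mask::
entry() { printf '%s\n' "$1" | sed -n "s/^$2:\([rwx-]*\).*$/\1/p" | head -n 1; }
# grants PERMS PERM -> true if PERMS (e.g. r-x) contains PERM (r, w or x)
grants() { case "$1" in *"$2"*) return 0;; *) return 1;; esac; }
# acl_allows ACL_TEXT USER "GROUP ..." PERM -> prints yes or no
acl_allows() {
  local acl="$1" user="$2" groups="$3" perm="$4" owner ogroup mask p g found=0
  owner=$(printf '%s\n' "$acl" | sed -n 's/^# owner: //p')
  ogroup=$(printf '%s\n' "$acl" | sed -n 's/^# group: //p')
  mask=$(entry "$acl" 'mask:'); [ -n "$mask" ] || mask=rwx    # no mask entry: nothing masked
  if [ "$user" = "$owner" ]; then                             # 1. owner: user::, unmasked
    if grants "$(entry "$acl" 'user:')" "$perm"; then echo yes; else echo no; fi; return
  fi
  p=$(entry "$acl" "user:$user")                               # 2. named user, masked
  if [ -n "$p" ]; then
    if grants "$p" "$perm" && grants "$mask" "$perm"; then echo yes; else echo no; fi; return
  fi
  for g in $groups; do                                         # 3. owning + named groups:
    if [ "$g" = "$ogroup" ]; then                              #    any entry that grants wins
      found=1; p=$(entry "$acl" 'group:')
      if grants "$p" "$perm" && grants "$mask" "$perm"; then echo yes; return; fi
    fi
    p=$(entry "$acl" "group:$g")
    if [ -n "$p" ]; then
      found=1
      if grants "$p" "$perm" && grants "$mask" "$perm"; then echo yes; return; fi
    fi
  done
  if [ "$found" = 1 ]; then echo no; return; fi                # matched a group, none granted
  if grants "$(entry "$acl" 'other:')" "$perm"; then echo yes; else echo no; fi   # 4. other
}
# Constructed getfacl output of user1/ just after: setfacl -m g:Aish:- user1/
ACL_BEFORE=$(printf '%s\n' '# owner: user1' '# group: Aish' 'user::rwx' 'group::rwx' 'group:Aish:---' 'mask::rwx' 'other::r-x')
# ... and after chmod g-rwx user1/: only mask:: changed (getfacl then flags group:: as #effective:---)
ACL_AFTER=$(printf '%s\n' "$ACL_BEFORE" | sed 's/^mask::rwx/mask::---/')
main() {
  echo "before chmod, Aish (group Aish) x: $(acl_allows "$ACL_BEFORE" Aish Aish x)"   # yes
  echo "after chmod,  Aish (group Aish) x: $(acl_allows "$ACL_AFTER" Aish Aish x)"    # no
  echo "after chmod,  user1 (owner)     w: $(acl_allows "$ACL_AFTER" user1 user1 w)"  # yes
}
main
```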

Thank you for reading.📘
