In Red Hat Enterprise Linux (RHEL), file security is managed through a system of permissions and ownership. Each file and directory has associated permissions that determine who can read, write, and execute them. These permissions are defined for three categories of users: the file or directory owner, the group associated with the file or directory, and others (everyone else).

Standard File Permissions

<inode> <Filetype><OwnerFilePerm><GroupFilePerm><OtherFilePerm> <ownerFile> <FileSize> <month><date><Year> <FileName>

inode

📁 An inode is like a file's ID card in a filesystem. It uniquely identifies each piece of metadata (file or directory) and operates independently for each filesystem. Each filesystem has its own pool of inodes, stored in a common table. While an inode number may be reused across different filesystems, it's always combined with a filesystem ID to create a unique label. 🆔

\>> to check inode value of FS[file system]

$ df -i

Advanced:-

https://www.redhat.com/sysadmin/inodes-linux-filesystem

FileType

📄 Regular File (-): Represents standard files containing data or program instructions.

📁 Directory (d): Contains lists of filenames and their corresponding inode numbers.

🔗 Symbolic Link (l): Acts as a pointer or shortcut to another file or directory.

🔒 Block Device File (b): Represents a device that stores data in fixed-size blocks, like hard drives.

🔊 Character Device File (c): Represents devices that transfer data in a character-by-character manner, like keyboards or printers.

🕰️ Named Pipe (FIFO) (p): Provides a mechanism for inter-process communication.

🔧 Socket (s): Facilitates communication between processes on the same or different hosts.

Permissions

file permissions, each permission has a weightage assigned to it. Here's a breakdown:

• Read (r): Weightage of 4.

• Write (w): Weightage of 2.

• Execute (x): Weightage of 1.

Maximum Permission: When all permissions are granted, the maximum permission is rwx, which has a weightage of 7 (4 for read + 2 for write + 1 for execute).

Minimum Permission: When no permission is granted, the minimum permission is ---, which has a weightage of 0.

File Access

Changing Ownership with chown:

In RHEL, the chown command is used to change the ownership of files and directories. You can specify both the user (owner) and group ownership.

🔹 Syntax (Symbolic):

chown [options] [user:group] [file/directory]

1. Changing ownership to a specific user and group

chown user1:group1 file.txt

📝 This command changes the ownership of file.txt to user1 and group1. Only user1 and members of group1 can access the file.

2. Changing ownership to a specific user only

chown user2 file.txt

📝 This command changes the ownership of file.txt to user2. Only user2 can access the file.

3. Changing ownership to a specific group only

chown :group2 file.txt

📝 This command changes the group ownership of file.txt to group2. Only members of group2 can access the file.

4. Recursive change of ownership for a directory

chown -R user3:group3 directory/

📝 This command recursively changes the ownership of all files and subdirectories within directory/ to user3 and group3. Only user3 and members of group3 can access the files and subdirectories.

5. Changing ownership of a symbolic link

chown user4:group4 symlink

📝 This command changes the ownership of the symbolic link symlink itself, not the target file or directory it points to. Only user4 and members of group4 can manipulate the symbolic link.

Changing Permissions with chmod:

The chmod command is used to change file permissions in RHEL. Permissions can be set using either symbolic representation (u: user, g: group, o: others) or octal numbers.

🔹 Syntax (Symbolic):

chmod [u|g|o][+|-|=][r|w|x] [file/directory]

1. Granting Full Permissions to Owner, Read and Execute to Group, and Read-only to Others:

    chmod 754 file.txt
   

   Owner has read (👀), write (📝), and execute (▶️) permissions;

   Group has read (👀) and execute (▶️) permissions;

   Others have read (👀) permission only.

2. Making a Script Executable by All Users:

    chmod +x script.sh
   

   Grants execute (▶️) permission to the owner, group, and others,

   allowing all users to execute the script.

3. Restricting Access to Owner Only:

    chmod 700 file.txt
   

   Owner has full access (🔓),

   while group and others have no access (🚫).

4. Giving Group Write Access:

    chmod g+w file.txt
   

   Adds write (📝) permission to the group,

   while keeping other permissions unchanged.

5. Revoking Write Permission from Others

    chmod o-w file.txt
   

   Removes write (📝) permission from others,

   while keeping owner and group permissions unchanged.

6. Setting Permission for a Directory to Allow Listing by Others:

    chmod o+rx directory
   

   Allows others to read (👀) files and execute (▶️) directories within the specified directory.

Changing Group Ownership with chgrp:

The chgrp command changes the group ownership of files and directories.

🔹 Syntax:

chgrp [group] [file/directory]

1. Change group ownership of a file to a specific group, allowing members of that group to access the file:

    chgrp developers project.txt
   

   This command changes the group ownership of project.txt to the developers group.

   Members of the developers group can now access project.txt.

2. Restrict access to a file to only members of a specific group:

    chgrp managers sensitive_info.txt
    chmod 640 sensitive_info.txt
   

   This sequence of commands changes the group ownership of sensitive_info.txt to the managers group and sets permissions to 640, allowing the owner to read and write, the group to read, and denying access to others.

3. Grant access to a file to multiple groups:

    chgrp -R shared_team project_folder
    chmod g+rw project_folder
   

   -R recursively changes the group ownership of all files and directories within project_folder to the shared_team group.

   Then, g+rw grants read and write permissions to the group.

   Members of shared_team can now access all files within project_folder.

User File Creation Mask umask

The umask command in linux is used to set default permission for files & directories the user creates

• The umask value is a 3-digit octal number that represents the permissions to be removed from the default.

• Common umask values include 022 (deny write permissions to group and others) and 002 (deny write permissions to others only).

📂 Max File and Max Directory Permissions:

• The maximum file permissions are 666 (rw-rw-rw-) and the maximum directory permissions are 777 (rwxrwxrwx).

  Note:-

  Execute permission is typically disabled by default for files for security reasons, as it's often not necessary for regular files.

🛠️ Setting Umask Value:

To set the umask value for a user, use the umask command followed by the desired octal value.

umask 022

This command sets the umask value to 022, denying write permissions to group and others.

📁 Creating a Directory with Modified Permissions:

To create a directory with modified permissions, use the mkdir command followed by the -m option and the desired octal permissions.

mkdir -m 755 my_directory

This command creates a directory named my_directory with permissions 755 (rwxr-xr-x).

📂 Copying Files with Preserved Permissions:

To copy files with preserved permissions, use the cp command with the -p option.

cp -p source_file destination_file

This command copies source_file to destination_file while preserving its permissions.

📁 Recursively Copying Directories with Preserved Permissions:

To recursively copy directories with preserved permissions, use the cp command with the -rp options.

cp -rp source_directory destination_directory

This command copies source_directory to destination_directory recursively while preserving permissions.

Advanced File Permissions

In Red Hat Enterprise Linux (RHEL), advanced file permissions provide additional layers of security and functionality beyond the standard read, write, and execute permissions. Two key advanced permissions are the sticky bit and setuid/setgid.

🧩 Sticky Bit [1]

• The sticky bit is a special permission that can be applied to directories.

• When set on a directory, it restricts the deletion of files within it to only the file owner, the directory owner, or the root user.

• Symbolically represented by t or T, indicating whether the execute permission is also set for others or not.

🔧 Setting Sticky Bit:

1. To set the sticky bit symbolically, use:

chmod +t /directory

2. To set the sticky bit using octal notation along with other permissions:

chmod 1777 /directory

🚫 Removing Sticky Bit:

1. To remove the sticky bit symbolically, use:

chmod -t /directory

2. To remove the sticky bit using octal notation, you'll have to redefine permissions without the sticky bit, such as:

chmod 0777 /directory

📝 Note:

• By default, the /tmp directory in RHEL has the sticky bit set. This ensures that users can only delete their own files within /tmp, contributing to system security.

to check all stickybit files comes exists

$ find / -type d -perm -1000 2> /dev/null

🔒 Setuid and Setgid:

Setgid 🏷️[2]

• Setgid is a special permission that can be applied to directories. When set on a directory, it ensures that files created within that directory inherit the group ownership of the directory, rather than the group ownership of the user creating the file.

🔧 Setting Setgid:

1. To set the setgid bit symbolically, use:

    chmod g+s /directory
   

2. To set the setgid bit using octal notation:

    chmod 2777 /directory
   

🚫 Removing Set gid:

1. To remove the setgid symbolically, use:

    chmod g-s /directory
   

2. To remove the setgid bit using octal notation:

    chmod 00777 /directory
   

📝 Note:

• To find directories with the setgid bit set:

find / -type d -perm -2000 2> /dev/null

Setuid 🧑‍🎓 [4]

Setuid is a special permission that can be applied to executable files. When set on an executable file, it allows the file to be executed with the privileges of the file's owner, rather than the privileges of the user executing the file.

🔧 Setting Setuid:

1. To set the setuid bit symbolically, use:

    chmod u+s /executable
   

2. To set the setuid bit using octal notation:

    chmod 4755 /executable
   

🚫 Removing Set uid:

1. To remove the setgid symbolically, use:

    chmod u-s /directory
   

2. To remove the setgid bit using octal notation:

    chmod 00777 /directory
   

📝 Note:

• To find directories with the setgid bit set:

find /usr/bin -type -f -perm -04000

above commands works as it's owner is executing commands by himself.\

Access Control List [ACL]

• ACLs extend traditional file permissions (ugo and rwx) by allowing you to assign specific permissions (read, write, execute) to individual users or groups for a file or directory.

• Think of it as a detailed access list, granting granular control over who can do what.

• While ls -l might not show ACLs by default, some systems display a . in the permission string to indicate their presence.

• Use getfacl to view the complete ACL for a file or directory.

🖥️ Filesystem Support:

Not all filesystems in RHEL support ACLs. Common supported ones include:

• ext3

• ext4

• XFS (with limitations, explained later) ---> Can't able to disable acl

• NFS

🛠️Enabling/Disabling ACLs in/etc/fstab:

The /etc/fstab file controls how filesystems are mounted. You can specify options to enable or disable ACL support for specific filesystems.

/dev/sda1   / ext4    defaults,acl  # Enables ACL for the root filesystem
/dev/sdb1   /data  ext4    defaults     # No ACL for the /data partition
/dev/sdb2   /opt ext4 defaults,noacl # also disable ACL for the opt filesystem

📝 Note:

ACLs cannot be disabled in XFS. They are enabled by default.

Managing ACLs withgetfacl and setfacl:

getfacl:

Retrieves the ACL entries for a file or directory.

getfacl filename

# file: filename
# owner: user
# group: group
user::rwx
group::r-x
other::r--

1. Get ACL for a directory and its contents recursively:

    getfacl -R directory
   

    # file: directory
    # owner: user
    # group: group
    user::rwx
    group::r-x
    other::r-x
   
    # file: directory/file1
    # owner: user
    # group: group
    user::rw-
    group::r--
    other::r--
   
    # file: directory/file2
    # owner: user
    # group: group
    user::r--
    group::r--
    other::---
   

2. Get only the effective permissions (without mask):

    getfacl --no-mask filename
   

    # file: filename
    # owner: user
    # group: group
    user::rwx
    group::r-x
    other::r--
   

3. Get ACL for multiple files:

    getfacl file1 file2
   

    # file: file1
    # owner: user
    # group: group
    user::rw-
    group::r--
    other::---
   
    # file: file2
    # owner: user
    # group: group
    user::r--
    group::r--
    other::---
   

setfacl:

Modifies the ACL for a file or directory.

It has various options:

• -m (modify): Change an existing entry.

• -x (remove): Delete an entry.

• -b (completely replace): Set a new ACL entirely.

• --no-mask: Inherit permissions from the parent directory (cautious use advised).

1. -m (modify): Change an existing entry.

    setfacl -m u:john:rw file.txt
   

   This command adds read and write permissions for user john to the file file.txt.

    # file: file.txt
    # owner: user1
    # group: group1
    user::rw-
    user:john:rw-
    group::r--
    mask::rw-
    other::r--
   

2. -x (remove): Delete an entry.

    setfacl -x u:john file.txt
   

   This command removes any ACL entry for user john from the file file.txt.

    # file: file.txt
    # owner: user1
    # group: group1
    user::rw-
    group::r--
    mask::rw-
    other::r--
   

3. -b (completely replace): Set a new ACL entirely.

    setfacl -b file.txt
    setfacl -m u:john:rw file.txt
   

   These commands remove all existing ACL entries and then add read and write permissions for user john to the file file.txt.

    # file: file.txt
    # owner: user1
    # group: group1
    user::rw-
    user:john:rw-
    group::---
    mask::rw-
    other::---
   

4. --no-mask: Inherit permissions from the parent directory.

    setfacl --no-mask -m u:john:rw file.txt
   

   This command sets read and write permissions for user john on the file file.txt, ignoring the mask entry and inheriting permissions from the parent directory.

    # file: file.txt
    # owner: user1
    # group: group1
    user::rw-
    user:john:rw-
    group::r--
    mask::rw-
    other::r--
   

🔗File Links

• File links are references to files that allow them to be accessed from multiple locations in the filesystem.

• They provide flexibility and organization, enabling files to be logically grouped or accessed from different directories.

📄inode

• Inodes are data structures used by the filesystem to store metadata about files, including their names, creation dates, permissions, contents, and timestamps.

• Each file in the filesystem is associated with an inode, which uniquely identifies it.

🔗 Hard Links:

source

• Hard links create additional directory entries (file names) that directly point to the same underlying data on the disk.

• Unlike symbolic links (soft links), hard links do not point to a path or location; they reference the inode itself.

1. Creating Hard Links:

ln source_file hardlink_name

This command creates a hard link named hardlink_name that points to source_file.

Example:

ln /etc/passwd /tmp/passwd_backup

📝 In this example, a hard link named passwd_backup is created in the /tmp directory, pointing to the /etc/passwd file.

2. Viewing Inodes:

    ls -i filename
   

   This command displays the inode number of a file.

   Example:

    $ ls -i /etc/passwd /tmp/passwd_backup
    123456 /etc/passwd
    123456 /tmp/passwd_backup
   

   📝 The inode numbers of both /etc/passwd and /tmp/passwd_backup are the same, indicating they are hard links to the same file data.

3. Checking Link Count:

    ls -l filename
   

   This command displays the link count of a file.

   Example:

    $ ls -l /etc/passwd /tmp/passwd_backup
    -rw-r--r-- 2 root root 2315 Mar 15 08:00 /etc/passwd
    -rw-r--r-- 2 root root 2315 Mar 15 08:00 /tmp/passwd_backup
   

   📝 Both /etc/passwd and /tmp/passwd_backup have a link count of 2, indicating they have two hard links.

🔗 Soft Links:

source

Soft links, also known as symbolic links, are special files that point to other files or directories using their path names. They provide a convenient way to reference files or directories across the filesystem.

1. Creating a Soft Link:

   To create a soft link, use the ln command with the -s option followed by the source file or directory and the name of the soft link.

    ln -s /path/to/source /path/to/softlink
   

   For example:

    ln -s /home/user/documents/file.txt /usr/libraries/file_link
   

2. Viewing Soft Links:

   To view the contents of a directory including soft links, use the ls command with the -l option.

    ls -l /path/to/directory
   

   Soft links are indicated by an l at the beginning of the listing, followed by the path to the target file or directory.

   For example:

    lrwxrwxrwx 1 user group  24 Mar 23 10:00 file_link -> /home/user/documents/file.txt
   

📝 Note:

• Soft links can span filesystems and can point to both files and directories.

• They provide flexibility but can break if the target file or directory is moved or deleted.