Day 6 Task: File Permissions and Access Control Lists
Understanding File Permissions:
Create a simple file and run `ls -ltr` to see the details of the files. Each of the three permissions is assigned to three defined categories of users. The categories are:
- Owner: The owner of the file or application. Use `chown` to change the owner of a file or directory.
- Group: The group that owns the file or application. Use `chgrp` to change the group of a file or directory.
- Others: All users with access to the system (outside the users in a group). Use `chmod` to change the other users' permissions of a file or directory.
Task: Change the user permissions of the file and note the changes after running `ls -ltr`.

```bash
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ touch permission.sh
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ ls -llrth permission.sh
-rw-rw-r-- 1 ubuntu ubuntu 0 Jul 20 12:43 permission.sh
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ sudo chown linux_admin permission.sh
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ sudo chgrp suse permission.sh
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ ls -lrth permission.sh
-rw-rw-r-- 1 linux_admin suse 0 Jul 20 12:43 permission.sh
```
Writing an Article:
Understanding Linux File Permissions
Linux employs a robust file permission system to control access to files and directories. This ensures data integrity and system security.
Basic Permissions
There are three primary permissions for files and directories:
Read (r): Allows viewing the contents of a file or listing the contents of a directory.
Write (w): Permits modifying the contents of a file or creating/deleting files within a directory.
Execute (x): Enables running a file as a program or entering a directory.
These permissions are applied to three categories of users:
Owner: The user who created the file or directory.
Group: The group associated with the file or directory.
Others: All other users on the system.
Permission Representation
File permissions are displayed as three groups of three characters (after the leading file-type character), where each group represents the permissions for the owner, group, and others, respectively. For example, `-rwxr-xr-x` means:
Owner: Read, write, and execute permissions.
Group: Read and execute permissions.
Others: Read and execute permissions.
Changing Permissions
The `chmod` command is used to modify file permissions.

```bash
chmod u+x file.txt   # Add execute permission for the owner of file.txt
chmod 755 file.txt   # Set permissions to rwxr-xr-x (owner: rwx, group: rx, others: rx)
```
Understanding the umask
The `umask` (user file creation mask) determines the default permissions for newly created files and directories. It's represented as a three-digit octal number, with each digit corresponding to owner, group, and other permissions. For example, a umask of `022` means new files will have `-rw-r--r--` permissions.
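An added example (not from the original post) that checks the umask arithmetic: the mask's bits are cleared from a base of 666 for files and 777 for directories, and the computed result is compared with what GNU `stat` reports for objects actually created under that umask in a throwaway directory.

```bash
#!/bin/bash
# Added example, not from the original post. A new file starts from 666 and a
# new directory from 777; the kernel clears every bit that is set in the umask.

# default_mode BASE MASK -> octal mode a new object gets (BASE & ~MASK)
default_mode() {
    # the 0 prefix makes the shell read both numbers as octal
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# observe_modes MASK -> "FILEMODE DIRMODE" as reported by stat for a file and a
# directory created under that umask in a throwaway directory
observe_modes() {
    local tmp
    tmp=$(mktemp -d)
    ( umask "$1"; : > "$tmp/f"; mkdir "$tmp/d" )
    printf '%s %s\n' "$(stat -c '%a' "$tmp/f")" "$(stat -c '%a' "$tmp/d")"
    rm -rf "$tmp"
}

# 022 is the common default; 077 keeps new objects owner-only, which is the
# safer choice for home directories and anything holding secrets.
for m in 022 077; do
    printf 'umask %s: computed file=%s dir=%s, observed file/dir=%s\n' \
        "$m" "$(default_mode 666 "$m")" "$(default_mode 777 "$m")" "$(observe_modes "$m")"
done
```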
Special Permissions
Set User ID (SUID): When a file with SUID is executed, it runs with the permissions of the file's owner, not the user executing it.
Set Group ID (SGID): Similar to SUID, but the file runs with the permissions of the file's group.
Sticky Bit: Prevents files in a directory from being deleted or renamed by users who don't own the files.
Additional Considerations
Directory Permissions: While the same permissions apply to directories, their interpretation differs slightly. For example, the execute permission allows entering a directory.
File Ownership and Group: The `chown` and `chgrp` commands can be used to change the owner and group of a file or directory, respectively.
ACLs (Access Control Lists): Provide finer-grained control over file permissions, allowing specific users or groups to have custom permissions.
Access Control Lists (ACL):
Access Control Lists (ACLs) provide a more granular approach to managing file and directory permissions in Linux compared to traditional owner, group, and other permissions. They allow you to assign specific permissions to individual users or groups, regardless of ownership or group membership.
Basic ACL Commands
getfacl: Displays the ACL entries for a file or directory.
setfacl: Modifies the ACL entries for a file or directory.
delfacl: Removes ACL entries from a file or directory.
Additional ACL Commands:
setfacl -x: Removes the named ACL entries from a file or directory.
setfacl -b: Restores the default permissions for a file or directory (removing all ACL entries).
Important Considerations:
Not all file systems support ACLs.
ACLs can be complex to manage compared to traditional permissions.
Use ACLs judiciously to avoid security vulnerabilities.
Task: Create a directory and set specific ACL permissions for different users and groups. Verify the permissions using `getfacl`.

```bash
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ mkdir directory
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ ls -ld directory
drwxrwxr-x 2 ubuntu ubuntu 4096 Jul 20 12:48 directory
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ getfacl directory/
# file: directory/
# owner: ubuntu
# group: ubuntu
user::rwx
group::rwx
other::r-x
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ setfacl -m u:suse:r-x directory
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ setfacl -m g:linux_admin:rwx directory/
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ getfacl directory
# file: directory
# owner: ubuntu
# group: ubuntu
user::rwx
user:suse:r-x
group::rwx
group:linux_admin:rwx
mask::rwx
other::r-x
```
Additional Tasks:
Task: Create a script that changes the permissions of multiple files in a directory based on user input.

```bash
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ cat permission.sh
#!/bin/bash
read -p "Enter the directory or file name for which permission change is required: " path
read -p "Enter the permission you want to give to the file/directory: " permission
# Quote the variables and check the result instead of always reporting success
if sudo chmod -R "$permission" "$path"; then
    echo "Permission has been changed successfully"
else
    echo "Permission change failed" >&2; exit 1
fi
```

```bash
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ sudo chmod 700 permission.sh
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ ls -lrth sum.sh
-rwx------ 1 ubuntu ubuntu 150 Jul 15 05:26 sum.sh
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ ./permission.sh
Enter the directory of file name for which persmission change is required:sum.sh
Enter the permission you wanter do give to the file/Direcotry777
Permission has been chnaged successfully
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ ls -lrth sum.sh
-rwxrwxrwx 1 ubuntu ubuntu 150 Jul 15 05:26 sum.sh
```
Task: Write a script that sets ACL permissions for a user on a given file, based on user input.

```bash
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ getfacl var_name.sh
# file: var_name.sh
# owner: ubuntu
# group: ubuntu
user::rwx
group::rwx
other::rw-
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ sudo chown ubuntu ACL_permission.sh
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ sudo chmod 700 ACL_permission.sh
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ ./ACL_permission.sh
Enter user name : suse
Enter permission : rwx
Enter file name : ACL_permission.sh
ACL permission has been set successfully
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ getfacl ACL_permission.sh
# file: ACL_permission.sh
# owner: ubuntu
# group: ubuntu
user::rwx
user:suse:rwx
group::---
mask::rwx
other::---
```
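As an added example (not the author's ACL_permission.sh, whose source is not shown above), a non-interactive version of the same task that validates the permission string and the user before calling `setfacl`, then prints the effective rights, since the `mask::` entry can silently reduce what a named-user entry grants. The script name `acl_set.sh` is assumed.

```bash
#!/bin/bash
# Added example, not the post's own script: set a named-user ACL entry only
# after validating the input, then show what the mask actually allows.

# valid_perms STRING -> true for 1..3 characters drawn from r, w, x, -
valid_perms() {
    case "$1" in
        "" | ????* | *[!rwx-]*) return 1 ;;
    esac
    return 0
}

# user_exists NAME -> true if NAME resolves through NSS (local or directory)
user_exists() { getent passwd "$1" >/dev/null 2>&1; }

# set_user_acl USER PERMS FILE -> applies the entry and prints effective rights
set_user_acl() {
    local user=$1 perms=$2 file=$3
    valid_perms "$perms" || { echo "bad permission string: $perms" >&2; return 1; }
    user_exists "$user"  || { echo "no such user: $user" >&2; return 1; }
    [ -e "$file" ]       || { echo "no such file: $file" >&2; return 1; }
    setfacl -m "u:$user:$perms" "$file" || return 1
    # -e prints "#effective:" next to entries that the mask restricts
    getfacl -e "$file" | grep -E "^(user:$user:|mask::)"
}

# Non-interactive usage so the script can be called from other tooling:
#   ./acl_set.sh USER PERMS FILE
if [ "$#" -eq 3 ]; then
    set_user_acl "$1" "$2" "$3" && echo "ACL entry applied"
fi
```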
Understanding Sticky Bit, SUID, and SGID:
In addition to standard file permissions (read, write, execute), Linux offers special permissions known as SUID, SGID, and sticky bit. These provide additional control over file and directory access.
SUID (Set User ID)
Purpose: Allows a file to be executed with the permissions of the file's owner, regardless of the user running it.
How it works: When a file with the SUID bit set is executed, the operating system temporarily assigns the user ID of the file's owner to the executing process.
Common Use Cases:
- `passwd`: Allows users to change their own passwords, even though modifying the password file requires root privileges.
- Other system utilities that require elevated privileges for specific tasks.
SGID (Set Group ID)
Purpose: Allows a file or directory to be accessed with the permissions of the file's group, regardless of the group membership of the user running it.
How it works: When a file with the SGID bit set is executed, the operating system temporarily assigns the group ID of the file's group to the executing process.
Common Use Cases:
Scripting: Allows scripts to create files with the group ownership of the script itself.
Directories: When set on a directory, newly created files within that directory inherit the group ownership of the directory.
Sticky Bit
Purpose: Controls how files within a directory can be deleted or renamed.
How it works: When the sticky bit is set on a directory, only the owner of the directory, the owner of a file within the directory, or the root user can delete or rename files within that directory.
Common Use Cases:
- `/tmp` directory: Prevents users from deleting each other's temporary files.
- Shared directories where users need to create and modify their own files but cannot delete or modify others' files.
Key Points
SUID and SGID apply to files, while the sticky bit applies to directories.
These special permissions can be powerful but should be used carefully to avoid security risks.
Misusing SUID or SGID can lead to vulnerabilities.
The sticky bit is often used in shared directories to protect user data.
Task: Create examples demonstrating the use of sticky bit, SUID, and SGID, and explain their significance.
```bash
chmod u+s /path/to/executable   # Sets the SUID bit on the executable file (a bare +s would set SUID and SGID together)
chmod g+s /path/to/directory    # Sets the SGID bit on the directory
chmod +t /tmp                   # Sets the sticky bit on the /tmp directory
```

```bash
#SUID
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ sudo chmod 4700 name
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ ls -lrth name
-rws------ 1 ubuntu ubuntu 30 Jul 5 20:06 name
#SGID
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ sudo chmod 2700 name
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ ls -lrth name
-rwx--S--- 1 ubuntu ubuntu 30 Jul 5 20:06 name
#Sticky bit
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ sudo chmod 1700 name
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ ls -lrth name
-rwx-----T 1 ubuntu ubuntu 30 Jul 5 20:06 name
```
Note: Always use these permissions with caution and after careful consideration of security implications.
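An added example (not from the original post) that turns the modes shown above into an audit routine: it decodes the leading digit of a four-digit mode such as 4700 into SUID/SGID/sticky and lists everything under a directory that carries one of those bits, which is the routine check for unexpected setuid binaries and for shared directories missing the sticky bit. GNU `find` (for `-printf`) is assumed, and the demo runs only on a constructed temporary directory.

```bash
#!/bin/bash
# Added example, not part of the original post: decode and locate the
# special permission bits (4 = SUID, 2 = SGID, 1 = sticky) under a directory.

# special_bits MODE -> space-separated names of the special bits set in MODE
special_bits() {
    local lead=$(( 0$1 >> 9 )) out=""   # 0-prefix forces octal; top digit is bits 9..11
    [ $(( lead & 4 )) -ne 0 ] && out="$out SUID"
    [ $(( lead & 2 )) -ne 0 ] && out="$out SGID"
    [ $(( lead & 1 )) -ne 0 ] && out="$out STICKY"
    printf '%s\n' "${out# }"
}

# find_special DIR -> "MODE PATH" for each object with SUID, SGID or sticky set
find_special() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 -o -perm -1000 \) \
         -printf '%m %p\n' 2>/dev/null
}

# report DIR -> one annotated line per finding
report() {
    find_special "$1" | while read -r mode path; do
        printf '%-6s %-12s %s\n' "$mode" "$(special_bits "$mode")" "$path"
    done
}

# Demo on a constructed directory (no system paths are touched)
demo_dir=$(mktemp -d)
: > "$demo_dir/helper" && chmod 4755 "$demo_dir/helper"    # stand-in for a SUID binary
mkdir "$demo_dir/shared" && chmod 3775 "$demo_dir/shared"  # SGID + sticky shared dir
report "$demo_dir"
rm -rf "$demo_dir"
```

Run against `/` or `/usr` to compare the list with what the distribution's packages are expected to ship.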
Backup and Restore Permissions:
Task: Create a script that backs up the current permissions of files in a directory to a file.

```bash
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ ./backup_permission.sh
Enter the direcotry path to backup permission : backup_permission.sh
Backup of permission is created successfully
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ ls -lrth permission_bckup.sh
-rw-rw-r-- 1 ubuntu ubuntu 94 Jul 20 13:33 permission_bckup.sh
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ cat permission_bckup.sh
# file: backup_permission.sh
# owner: ubuntu
# group: ubuntu
user::rwx
group::---
other::---
```

```bash
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ cat backup_permission.sh
#!/bin/bash
read -p "Enter the directory path to backup permission : " dir_path
# getfacl -R records every entry; setfacl --restore reads this format back
if getfacl -R "$dir_path" > permission_bckup.sh; then
    echo "Backup of permission is created successfully"
else
    echo "Backup failed" >&2; exit 1
fi
```

Task: Create another script that restores the permissions from the backup file.

```bash
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ ./restore_backup.sh
Enter backup file path : /home/ubuntu/scripts
setfacl: /home/ubuntu/scripts: Operation not permitted
Permission restore Successfully.
```

```bash
ubuntu@ip-172-31-29-217-Khushbu:~/scripts$ cat restore_backup.sh
#!/bin/bash
read -p "Enter backup file path : " path
# Report failure instead of claiming success when setfacl cannot restore
if sudo setfacl --restore="$path"; then
    echo "Permission restore Successfully."
else
    echo "Permission restore failed." >&2; exit 1
fi
```