2. Linux chmod commands example and implementations
In our last two articles you learnt about permissions. Permissions can be set with the chmod command in two different ways: symbolic and binary masks.
In this article we will practically implement what you have learnt so far about file permissions. This article is a sequel to the last two articles; if you have missed them, we suggest you review them before going through this one.
Create three users a, b and c without passwords. Use a for loop instead of creating them separately. You have learnt about this in our advanced user management assignments.
#for USER in a b c
>do
>useradd $USER
>passwd -d $USER
>done
Now create a group example and add users a and b to it.
#groupadd example
#usermod -G example a
#usermod -G example b
Now create a test directory on the root partition and change its owner to user a and its group to example.
Now log on to three separate terminals as these users.
From root set the permission to
#chmod 700 /test
This will set the permissions to
owner a: full
group example (a, b): none
other c: none
To verify these permissions, go to the terminal where user a is logged on and
$cd /test
$cat > a_file
This is a file of user a
$ls a_file
User a will be able to do all three tasks (read, write, execute), as the owner has all three permissions.
Now try to change to the /test directory as user b. It will be denied, because user b is in the example group and the group has no permissions.
Now try to change to the /test directory as user c. It will also be denied, because user c is other for this directory and other has no permissions.
Now change permission from root to
#chmod 710 /test
This will give full permission to owner a, and execute permission to b (b is in the group of a, which is example). User c (other) still has no permissions.
To verify, try to change directory to /test as user b. It should succeed, but he will not be able to list the contents of the directory.
$cd /test
$ls
Also verify the permission of c ( other ) by changing the directory to /test
$cd /test
Now change permission from root to
#chmod 751 /test
This will give full permission to owner a, and execute and read permission to b (b is in the group of a, which is example). User c (other) now has execute permission.
To verify, try to list /test as user b. It should succeed, but he will not be able to write in the directory.
$ls
$cat > b_file
Also verify the permission of c (other) by changing the directory to /test
$cd /test
$ls
Now change permission from root to
#chmod 775 /test
This will give full permission to owner a and to b (b is in the group of a, which is example). User c (other) now has read and execute permissions.
To verify, try to make a new file in /test as user b. It should succeed.
$cd /test
$ls
$cat > b_file
This file is created by b
Also verify the permission of c (other) by listing the directory /test
$cd /test
$ls
Now change permission from root to
#chmod 777 /test
This will give full permission to owner a, to b and to c. User c (other) now has full permissions.
To verify, make a file as user c
$cat > c_file
This file is created by user c
3. Linux chmod commands sticky bit example and implementations
In our previous articles we discussed the read, write and execute permissions for files and directories. Now I will show you some special permissions which you can set for files and directories.
Ownership issue
In some cases you want to grant permission to other users while keeping ownership yourself.
The s permission is used to deal with this situation. The s option is used to add both user ID and group ID permission to a file.
The following example adds user ID permission to the pppd program, which is owned by the root user. When an ordinary user runs pppd, the root user retains ownership, allowing the pppd program to change root-owned files.
# chmod +s /usr/sbin/pppd
The Set User ID and Set Group ID permissions show up as an s in the execute position of the owner and group segments. Set User ID and Group ID are essentially variations of the execute permission, x. Read, write, and User ID permission are rws instead of just rwx.
# ls -l /usr/sbin/pppd
-rwsr-sr-x 1 root root 18666 Jan 12 12:48 /usr/sbin/pppd
Sticky Bit Permissions
The sticky bit is used on directories to protect the files within them. Files in a directory with the sticky bit set can only be deleted or renamed by the root user, the owner of the directory, or the owner of the file.
Sticky Bit Permission Using Symbols
The sticky bit permission symbol is t. The sticky bit shows up as a t in the execute position of the other permissions. A program with read and execute permissions with the sticky bit has its permissions displayed as r-t.
# chmod +t /home/vinita/data
# ls -l /home/vinita/data
-rwxr-xr-t 1 root root 4096 /home/vinita/data
Sticky Bit Permission Using the Binary Method
As with ownership, for sticky bit permissions, you add another octal number to the beginning of the octal digits. The octal digit for the sticky bit is 1 (001). The following example sets the sticky bit for the data directory:
# chmod 1755 /home/vinita/data
The next example sets both the sticky bit and the User ID permission on the newprogs directory.
# chmod 5755 /usr/bin/newprogs
# ls -l /usr/bin/newprogs
drwsr-xr-t 1 root root 4096 /usr/bin/newprogs
Practical implementation example of the sticky bit
USER ID and GROUP ID Permissions
To understand the sticky bit and user permission in more depth, let's take an example. Create two users named vinita and nikita, and an example directory on the root partition.
#useradd vinita
#passwd -d vinita
#useradd nikita
#passwd -d nikita
#mkdir /example
As the example directory is created by root, the owner and group of this directory will be root. By default, all other objects created in this directory inherit permission from the root owner. Now we will use the symbolic method to address the ownership issue on this directory.
#chmod ugo+rwxs /example
#ls -ld /example
As you can see in the output, the s bit is set in the owner and group fields, which will automatically set the owner and group to their respective owner and group. To verify, log in as user nikita, change directory to example and create a file.
$cd /example
$cat > nikita_file
This is the file of nikita
$ls -l
As you can see, the owner field is changed to user nikita.
Now create a file as user vinita.
$cd /example
$cat > vinita_file
This is file of Vinita
$ls -ld
Now you can understand what the s bit does in the chmod command. This is the best option when users are working on a shared project, as they will get ownership of their files automatically.
Implementation of sticky bit
But this could create another problem. A user can accidentally or intentionally delete other users' files and folders, as all users have full permission on this shared folder. Go to the terminal where user Vinita is logged in and delete the file of nikita.
To control this behavior, switch to the root user and set the sticky bit on the /example folder.
#chmod o+t /example
#ls -ld /example
The sticky bit is set with the t option. As you can see in the output, other has the t bit set in its field. Now only the owner of a file and the root user can delete files in this folder.
To verify, switch to the Vinita user again and try to delete the files of nikita. This time it will not succeed.
To remove sticky bit use minus sign.
#chmod o-t /example
Now Vinita can delete the files owned by nikita; verify it.
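Because the s bit lets a program act with its owner's privileges, and a fully open directory without the t bit lets any user remove another user's files, it is useful to review where these bits are set. The following script is an added example, not part of the original article; the function names and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for the special bits from this section.

# Regular files carrying the set-user-ID (4000) or set-group-ID (2000) bit.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Directories writable by "other" that lack the sticky bit (1000): any user
# can delete or rename files that belong to somebody else in them.
find_unprotected_shared_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Constructed demo tree; none of these paths come from the article.
build_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared_open" "$d/shared_sticky" "$d/private"
    chmod 0777 "$d/shared_open"      # like /example before chmod o+t
    chmod 1777 "$d/shared_sticky"    # like /example after chmod o+t
    chmod 0700 "$d/private"
    : > "$d/helper"; chmod 4755 "$d/helper"   # set-user-ID file
    : > "$d/plain";  chmod 0755 "$d/plain"    # ordinary file
    echo "$d"
}

audit() {
    echo "set-ID files under $1:"
    find_setid_files "$1"
    echo "world-writable directories without the sticky bit under $1:"
    find_unprotected_shared_dirs "$1"
}

demo=$(build_demo_tree)
audit "$demo"
rm -rf "$demo"
```

On a real system, run audit as root against a mount point such as / and compare the set-ID list with the one expected from the installed packages.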
4. Access control lists setfacl getfacl example and implementations
In our previous articles you learnt how to set read, write, and execute permissions for the owner of the file, the group associated with the file, and for everyone else who has access to the filesystem. These permissions are visible with the ls -l command. These standard file permissions are all that an administrator needs to grant file privileges to users and to prevent unauthorized users from accessing important files.
However, when these basic file permissions are not enough, access control lists, or ACLs, can be used on an ext3 file system. ACLs expand the basic read, write, and execute permissions to more categories of users and groups.
In addition to permissions for the owner and group for the file, ACLs allow for permissions to be set for any user, any user group, and the group of all users not in the group for the user.
Consider a situation where you want to grant write permission to only two users from a group of ten users. If you set the permission with chmod, all other users from the group will also get write access to the file. In such a situation ACLs help.
Categories of ACLs
There are four categories of ACLs per file:
- For an individual user,
- For a user group,
- Via the effective rights mask
- For users not in the user group associated with the file.
To view the existing ACLs for a file, execute the following:
getfacl <file>
If ACLs are enabled, the output should look similar to this:
# file: accounts
# owner: Shweta
# group: Shweta
user::rwx
group::r-x
mask::rwx
other::---
To understand ACLs more clearly, let's take a simple example.
Create three users named Shweta, Vinita and Niddhi
#for USER in Shweta Vinita Niddhi
>do
>useradd $USER
>passwd -d $USER
>done
Now make them members of the goswami group
#groupadd goswami
#usermod -G goswami Shweta
#usermod -G goswami Vinita
#usermod -G goswami Niddhi
Now create a /example directory and change the ownership to Shweta
#mkdir /example
#chown Shweta /example
Now log on as Shweta on another terminal and create a folder
$cd /example
$mkdir accounts
Now Shweta wants to grant write permission only to Vinita. Niddhi would also get write access on the directory if Shweta set write permission for the group, as she is also a member of the goswami group. So Shweta will use an ACL to grant write access to Vinita.
$setfacl -m u:Shweta:rwx accounts
$setfacl -m u:Vinita:rwx accounts
$setfacl -m other:--- accounts
To verify, execute the getfacl command on the accounts folder
$getfacl accounts
As you can see in the output, users Shweta and Vinita have full permission over the accounts folder. All other users except Shweta and Vinita have no permission over the accounts folder. To verify this ACL, log in as Vinita on another terminal and change directory to example.
Now make a test directory in the accounts folder. It should be successful, as user Vinita has full permission over the accounts folder.
Now go to another terminal, log in as user Niddhi and change directory to example
Try to change directory to accounts. She will be denied, as she has no permission over accounts.
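The effective rights mask listed under "Categories of ACLs" limits what named users and groups actually receive, so a getfacl listing has to be read together with its mask:: line. The script below is an added example, not part of the original article: it reads getfacl text and prints who can still write once the mask is applied. The function names and both sample listings are constructed.

```shell
#!/bin/sh
# Added example: apply the effective rights mask to getfacl output.
# Named users, the owning group and named groups are limited by mask::;
# the file owner (user::) and other:: are not.

acl_effective() {
    awk -F: '
    /^#/ || NF < 3 { next }                  # skip header comments and blanks
    {
        sub(/[ \t]*#.*$/, "", $3)            # drop a trailing #effective note
        tag[++n] = $1; who[n] = $2; perm[n] = $3
        if ($1 == "mask") mask = $3
    }
    END {
        for (i = 1; i <= n; i++) {
            if (tag[i] == "mask") continue
            p = perm[i]
            limited = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
            if (limited && mask != "") {
                e = ""
                for (k = 1; k <= 3; k++) {
                    c = substr(p, k, 1)
                    e = e ((c != "-" && substr(mask, k, 1) != "-") ? c : "-")
                }
                p = e
            }
            print tag[i] ":" who[i] ":" p
        }
    }'
}

# Entries that can still write once the mask is applied.
acl_writers() { acl_effective | awk -F: 'index($3, "w") { print $1 ":" $2 }'; }

# Constructed sample: the accounts directory after the setfacl commands above.
sample_acl() {
    printf '%s\n' '# file: accounts' '# owner: Shweta' '# group: Shweta' \
        'user::rwx' 'user:Shweta:rwx' 'user:Vinita:rwx' \
        'group::r-x' 'mask::rwx' 'other::---'
}

sample_acl | acl_writers
# Constructed variant: the same ACL with the mask tightened to r-x.
sample_acl | sed 's/^mask::rwx$/mask::r-x/' | acl_writers
```

On a live system the same check is run as getfacl accounts | acl_writers; an entry printed as user: with no name is the file owner.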
5. Linux chattr commands example and implementations
In this part on file permissions we will discuss the chattr command. From an exam perspective you should be aware of the basic function of the chattr command. A chattr attribute is used to stop accidental deletion of files and folders. You cannot delete files secured with a chattr attribute even though you have full permission over the files. This is very useful for system files like the shadow and passwd files, which contain all user information and passwords.
The syntax for the chattr command is
#chattr [operator] [switch] [file name]
The operator ‘+’ causes the selected attributes to be added to the existing attributes of the files; ‘-’ causes them to be removed; and ‘=’ causes them to be the only attributes that the files have.
-R
Recursively change attributes of directories and their contents. Symbolic links encountered during recursive directory traversals are ignored.
-a
A file with the ‘a’ attribute set can only be open in append mode for writing. Only the superuser can set or clear this attribute.
-i
A file with the ‘i’ attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser can set or clear this attribute.
Let's take a simple example
Create a file as the root user, set full permission on this file with chmod and verify it
#cat > test
This test file
#chmod 777 test
#ls -l
Now secure this file with the +i option
#chattr +i test
Now you can only read this file. All other actions except read will be denied, including append, edit, rename or delete. The chattr attribute can be removed with the -i option.
Create a new file again. This time we will secure this file with the +a option
#chattr +a test
With the a option you can read and append to this file, but all other restrictions remain as they are. The main difference between the a and i switches is that with i you cannot append to the file, while with a you can.
To secure an entire directory, use the -R switch. A directory secured with the -R option can be reset only with the -R switch.
6. RHCE Linux - nologin file in etc directory and securetty file
In this article from our series of RHCE exam guides we will learn how to secure the local terminal. In this example we will deny local login to a normal user named Vinita, created in our previous article. You should create a normal user in case you do not have one.
Example Questions:-
You are the administrator of the example.com domain. Configure the domain server to deny local login to all normal users. Also allow root to log in only on the first terminal.
To accomplish this task, follow this step by step guide
Log in as the root user and run these commands
#touch /etc/nologin
#vi /etc/securetty
Comment out all available terminals other than the first, as shown in the figure
If the /etc/nologin file is created, then the PAM module pam_nologin denies local login to all non-root users, as you can see in the third line of the /etc/pam.d/login file
The pam_securetty module checks the /etc/securetty file to see which terminals are available to root. If a terminal is not listed in this file, the pam_securetty module denies root login on that terminal.
We have made the necessary changes in the configuration files. Now the root user can log in locally only from terminal 1. All other users are denied local login. The root user himself can use only terminal 1; he will be denied local login, the same as other users, if he tries to log in from any terminal other than terminal 1.
You can verify it by logging in as a normal user on any locally available terminal
Now you have successfully accomplished the given task. It is a good habit to remove all the changes you have made.
First remove the /etc/nologin file
Remove all the comments you placed in /etc/securetty