Linux basics from the founder of Gentoo. Part 3 (2/4): Permissions Model
The second excerpt is the third installment of the Linux beginner tutorial series. In which you can learn about one of the main security tools in Linux. Namely, the permissions and ownership of the files.
In this section, we will look at the permissions in Linux and the ownership model (ownership). We have already seen that each file belongs to one user and one group. This is the very essence of the Linux permissions model. You can find out which user and group the file belongs to in the output of the ls -l command .
In this example, the / bin / bash executable belongs to the root user and the wheel group. The access rights model allows you to set three independent levels of rights for each file system object - for the owner, for the group and for all other users.
Let's consider the output of the ls -l command . Take a look at the first listing column:
')
The first field -rwxr-xr-x contains a symbolic representation of the rights to this file. The first character (-) in this field defines the file type, in this case it is a regular file. Other possible values:
The rest of the field consists of three triples of characters. The first three represent the rights of the owner of the file, the second represents the rights of the group of the file and the third rights of all other users.
Above r means that reading (viewing data contained in a file) is allowed, w means writing (modifying and deleting data) is allowed and x means execution (program launch is allowed). Putting it all together we see that anyone is allowed to read the contents and execute this file, but only the owner (root) is allowed to modify this file either. So if normal users are allowed to copy the contents of this file, then only root can change or delete it.
Before we learn how to change the owner or group of which the file belongs, let's first look at how to find out your current user and the group to which you belong. If you have not used the su command recently, your current user is the one with whom you are logged in. If you use su often, you may not remember the user you are currently working under. To find out which user you're using, type whoami :
To see which groups you belong to, use the groups command:
This example shows that I belong to the drobbins, wheel, and audio groups. If you want to see which groups the other user is in, pass his name as an argument.
To change the owner or group of a file (or other object), use the chown or chgrp command, respectively. First you need to pass the name of the group or owner, and then the list of files.
You can also change the user and group at the same time using the chown command in another form:
You cannot use the chown command without superuser privileges, but chgrp can be used by everyone to change the group that owns the file to the group to which they belong.
The chown and chgrp commands can be used with the -R parameter, which allows you to recursively change the owner or group of all objects in a given directory and below. Example:
chown and chgrp are used to change the owner and group of the file system object, but there is another program, called chmod , which is used to change the read, write and execute permissions that we see in the output of the ls -l command . chmod uses two or more arguments: a method that describes how exactly you need to change permissions followed by a file name or a list of files to which you want to apply these changes:
In the example above, the method is + x. As you might guess, the + x method tells chmod that the file needs to be made executable for the user, the group, and for everyone else. If we decide to take away all rights to the execution of the file, we will do it like this:
Until now, our examples of the chmod command have influenced the access rights of all three sets of access rights — user, group, and all other users. It is often convenient to change only one or two sets at a time. To do this, simply use a special character to indicate the set of access rights that you need to change, with a + or - sign in front of it. Use u for user, g for group and o for other users.
We have just removed the write permission for the group and all other users, but left the owner's rights intact.
In addition to switching the bits responsible for access rights, in the on / off state, we can set specific values for all at once. Using the equality operator, we can tell chmod that we want to set only the specified permissions:
With this command, we set all the read and execute bits and reset all the write bits. If you want to set the values of a particular triple of bits, you can do this by specifying its symbolic name before the equality operator:
Until now, we have used what is called the symbolic way of specifying permissions for the chmod command . However, there is another fairly common way of specifying rights: the use of four-digit octal numbers. This syntax is called the numerical syntax of access rights, where each digit represents the top three permissions. For example, in 1777, 777 set the flags we are talking about in this section for the owner, group, and other users. 1 is used to indicate a special bit of access rights, which we will look at later (see “Elusive first digit” at the end of the section). This table shows how the permissions on numeric values are translated.
The numeric permissions syntax is especially useful when you need to specify all permissions for a file, as shown in the following example:
In this example, we assigned access rights 0755, which is equivalent to a combination of rights -rwxr-xr-x.
When a process creates a new file, it indicates which access rights to set for this file. Often, 0666 permissions are requested (read and write by all), which gives more permissions than is necessary in most cases. Fortunately, every time a new file is created in Linux, the system accesses a parameter called umask. The system uses the umask value to lower permissions initially set to something more reasonable and secure. You can view the current umask settings by typing umask on the command line:
On Linux systems, the default value for umask is 0022, which allows others to read your new files (if they can get to them), but not change them. To automatically provide a higher level of security for the files you create, you can change the umask settings:
Such a umask value will lead to the fact that the group and others will have absolutely no access rights for all newly created files. So how does umask work? Unlike the “normal” assignment of file permissions, umask sets which access rights should be disabled. Look again at the table of correspondence between the values of numbers and methods:
Using this table, we see that the last three characters in 0077 denote --- rwxrwx. Now remember that umask shows the system which access rights to disable. By combining the first and second it becomes clear that all rights for the group and other users will be disabled, while the rights of the owner will remain intact.
At the time of your login, a new shell process is launched. You already know about this, but you may not know that this new shell process (usually bash) works on behalf of your user. And so the bash program can access all the files and directories you own. In fact, we, as users, are totally dependent on programs that perform operations on our behalf. And since the programs that you run inherit your user ID, they cannot access filesystem objects that you are not given access to. For example, ordinary users cannot directly change the contents of the passwd file because the write flag is disabled for all users except root:
However, ordinary users also need to be able to at least indirectly change the contents of / etc / passwd when they need to change their password. But if the user can not change this file, how to do it?
Fortunately, there are two special bits in the Linux permissions model, called suid and sgid . When the suid bit is set for the program being started, it will work on behalf of the owner of the executable file, and not on behalf of the person who started the program. Now we can return to the issue with / etc / passwd. If we look at the executable file passwd, we will see that it is owned by the root user:
Note that instead of x in the owner's access rights triplet, it is worth s. This means that the suid bits and launch permissions are set for this particular program. For this reason, when you run the passwd program, it will work as the root user (with all superuser access rights), and not the user who started it. And since passwd works with superuser privileges, it is able to edit / etc / passwd without any difficulties.
We saw how suid works, sgid works in a similar way. It allows the program to inherit the permissions of the group, not the current user.
The method of installing and removing suid and sgid bits is extremely simple. This is how we set the suid bit:
And in the following example, we remove the sgid flag from the directory. You will see how the sgid bit works with directories a bit lower:
Up to now, we have considered access rights from the point of view of ordinary files. When it comes to directories, there are some differences. Directories use the same permissions flags, but their interpretation has a slightly different meaning.
If a read flag is set for a directory, then you can view a list of directory contents; a write flag means that you can create files in a directory; and the execution flag means that you can enter the directory and access all subdirectories inside. Without the execution flag, you will not have access to the file system objects inside the directory. Without the read flag, the filesystem objects inside the directory cannot be viewed, but objects within the directory can still be accessed if you know the full path to the object on the disk.
In the case, if the sgid bit is set for a directory, all file system objects created inside inherit the directory group. This feature comes in handy when you need to create a directory tree and all of them must belong to the same group. This can be done like this:
Now any users of the mygroup group can create files and directories inside / home / groupspace and they will also automatically be assigned to the group mygroup. Depending on the umask settings for this user, new filesystem objects may or may not be readable, modifiable, or executable by other users of the mygroup group.
By default, Linux directories do not behave in the most convenient way in many situations. Usually, anyone can rename or delete a file within a directory if they have write access to this directory. For directories owned by individual users, this behavior usually causes no problems.
However, for directories used by a large number of users, especially / tmp and / var / tmp, this can cause a whole bunch of problems. That's because anyone can write to these directories, anyone can delete and rename anyone's files — even if they don't belong to them! Obviously, it is quite difficult to use / tmp even for temporary storage of anything, when any user can type rm -rf / tmp / * at any time and destroy all other files.
The good news is that there is a sticky bit in Linux. When the sticky bit is set for / tmp (with the chmod + t command), the only people who can delete or rename the files in / tmp are either the owners of these files or the superuser.
At the end of this section, we finally pay attention to the first character used in the numerical syntax. It is used to set the sticky, suid and sgid bits:
Below is an example of how to use the 4-digit mode to set permissions on the directory that will be used by the working group:
As a homework, find out what 1755 means in the permissions settings. :)
The translation was performed by collective intelligence using notabenoid.com . Thanks to the following benoid-users (in alphabetical order): kindacute , nekjine , Rich . Special thanks to Alexey Blazhko (blazhkoa@gmail.com), as well as to the initiator of the entire translation series, VBart .
To be continued...
Daniel Robbins
Daniel Robbins is the founder of the Gentoo community and the creator of the Gentoo Linux operating system. Daniel lives in New Mexico with his wife, Mary, and two energetic daughters. He is also the founder and head of Funtoo , has written many technical articles for IBM developerWorks , Intel Developer Services and the C / C ++ Users Journal.
Chris Hauser was a UNIX supporter since 1994 when he joined the team of administrators at Taylor University (Indiana, USA), where he received a bachelor's degree in computer science and mathematics. After that, he worked in many areas, including web applications, video editing, drivers for UNIX, and cryptographic protection. Currently working in Sentry Data Systems. Chris also contributed to many free projects, such as Gentoo Linux and Clojure, co-authored The Joy of Clojure .
Airon Griffis lives in Boston, where he spent the last decade working with Hewlett-Packard on projects such as UNIX network drivers for Tru64, Linux security certification, Xen and KVM virtualization, and most recently, the HP ePrint platform. In his spare time, Airon prefers to ponder over the problems of programming while riding his bike, juggling with bats, or cheering for the Boston professional Red Sox baseball team.
Navigating Linux basics from the founder of Gentoo:
Part I:
- BASH, navigation basics
- File and Directory Management
- Links, and deleting files and directories
- Glob substitutions
Part II:
- Regular expressions
- Folder Assignments, File Search
- Process management
- Text processing and redirection
- Kernel modules
Part III
- Documentation
- Access rights model
- Account Management
- Setting up the environment (totals and links)
Linux Permissions Model
One user, one group
In this section, we will look at the permissions in Linux and the ownership model (ownership). We have already seen that each file belongs to one user and one group. This is the very essence of the Linux permissions model. You can find out which user and group the file belongs to in the output of the ls -l command .
$ ls -l /bin/bash
-rwxr-xr-x 1 root wheel 430540 Dec 23 18:27 /bin/bash
In this example, the / bin / bash executable belongs to the root user and the wheel group. The access rights model allows you to set three independent levels of rights for each file system object - for the owner, for the group and for all other users.
Understanding "ls -l"
Let's consider the output of the ls -l command . Take a look at the first listing column:
')
$ ls -l /bin/bash
-rwxr-xr-x 1 root wheel 430540 Dec 23 18:27 /bin/bash
The first field -rwxr-xr-x contains a symbolic representation of the rights to this file. The first character (-) in this field defines the file type, in this case it is a regular file. Other possible values:
'd'
'l'
'c' -
'b' -
'p' FIFO
's'
Three triples
$ ls -l /bin/bash
-rwxr-xr-x 1 root wheel 430540 Dec 23 18:27 /bin/bash
The rest of the field consists of three triples of characters. The first three represent the rights of the owner of the file, the second represents the rights of the group of the file and the third rights of all other users.
"rwx"
"rx"
"rx"
Above r means that reading (viewing data contained in a file) is allowed, w means writing (modifying and deleting data) is allowed and x means execution (program launch is allowed). Putting it all together we see that anyone is allowed to read the contents and execute this file, but only the owner (root) is allowed to modify this file either. So if normal users are allowed to copy the contents of this file, then only root can change or delete it.
Who am I?
Before we learn how to change the owner or group of which the file belongs, let's first look at how to find out your current user and the group to which you belong. If you have not used the su command recently, your current user is the one with whom you are logged in. If you use su often, you may not remember the user you are currently working under. To find out which user you're using, type whoami :
# whoami
root
# su drobbins
$ whoami
drobbins
What groups am I in?
To see which groups you belong to, use the groups command:
$ groups
drobbins wheel audio
This example shows that I belong to the drobbins, wheel, and audio groups. If you want to see which groups the other user is in, pass his name as an argument.
$ groups root daemon
root : root bin daemon sys adm disk wheel floppy dialout tape video
daemon : daemon bin adm
Change user and owner group
To change the owner or group of a file (or other object), use the chown or chgrp command, respectively. First you need to pass the name of the group or owner, and then the list of files.
# chown root /etc/passwd
# chgrp wheel /etc/passwd
You can also change the user and group at the same time using the chown command in another form:
# chown root:wheel /etc/passwdYou cannot use the chown command without superuser privileges, but chgrp can be used by everyone to change the group that owns the file to the group to which they belong.
Recursive change of rights
The chown and chgrp commands can be used with the -R parameter, which allows you to recursively change the owner or group of all objects in a given directory and below. Example:
# chown -R drobbins /home/drobbins
Meet chmod
chown and chgrp are used to change the owner and group of the file system object, but there is another program, called chmod , which is used to change the read, write and execute permissions that we see in the output of the ls -l command . chmod uses two or more arguments: a method that describes how exactly you need to change permissions followed by a file name or a list of files to which you want to apply these changes:
$ chmod +x scriptfile.shIn the example above, the method is + x. As you might guess, the + x method tells chmod that the file needs to be made executable for the user, the group, and for everyone else. If we decide to take away all rights to the execution of the file, we will do it like this:
$ chmod -x scriptfile.shSeparation between user, group and all others
Until now, our examples of the chmod command have influenced the access rights of all three sets of access rights — user, group, and all other users. It is often convenient to change only one or two sets at a time. To do this, simply use a special character to indicate the set of access rights that you need to change, with a + or - sign in front of it. Use u for user, g for group and o for other users.
$ chmod go-w scriptfile.shWe have just removed the write permission for the group and all other users, but left the owner's rights intact.
Reset permissions
In addition to switching the bits responsible for access rights, in the on / off state, we can set specific values for all at once. Using the equality operator, we can tell chmod that we want to set only the specified permissions:
$ chmod =rx scriptfile.shWith this command, we set all the read and execute bits and reset all the write bits. If you want to set the values of a particular triple of bits, you can do this by specifying its symbolic name before the equality operator:
$ chmod u=rx scriptfile.shNumeric Modes
Until now, we have used what is called the symbolic way of specifying permissions for the chmod command . However, there is another fairly common way of specifying rights: the use of four-digit octal numbers. This syntax is called the numerical syntax of access rights, where each digit represents the top three permissions. For example, in 1777, 777 set the flags we are talking about in this section for the owner, group, and other users. 1 is used to indicate a special bit of access rights, which we will look at later (see “Elusive first digit” at the end of the section). This table shows how the permissions on numeric values are translated.
Number Mode
rwx 7 rw- 6 rx 5 r-- 4 -wx 3 -w- 2 --x 1 --- 0
Numeric syntax permissions
The numeric permissions syntax is especially useful when you need to specify all permissions for a file, as shown in the following example:
$ chmod 0755 scriptfile.sh
$ ls -l scriptfile.sh
-rwxr-xr-x 1 drobbins drobbins 0 Jan 9 17:44 scriptfile.shIn this example, we assigned access rights 0755, which is equivalent to a combination of rights -rwxr-xr-x.
umask
When a process creates a new file, it indicates which access rights to set for this file. Often, 0666 permissions are requested (read and write by all), which gives more permissions than is necessary in most cases. Fortunately, every time a new file is created in Linux, the system accesses a parameter called umask. The system uses the umask value to lower permissions initially set to something more reasonable and secure. You can view the current umask settings by typing umask on the command line:
$ umask
0022On Linux systems, the default value for umask is 0022, which allows others to read your new files (if they can get to them), but not change them. To automatically provide a higher level of security for the files you create, you can change the umask settings:
$ umask 0077Such a umask value will lead to the fact that the group and others will have absolutely no access rights for all newly created files. So how does umask work? Unlike the “normal” assignment of file permissions, umask sets which access rights should be disabled. Look again at the table of correspondence between the values of numbers and methods:
Number Mode
rwx 7 rw- 6 rx 5 r-- 4 -wx 3 -w- 2 --x 1 --- 0
Using this table, we see that the last three characters in 0077 denote --- rwxrwx. Now remember that umask shows the system which access rights to disable. By combining the first and second it becomes clear that all rights for the group and other users will be disabled, while the rights of the owner will remain intact.
Introduction to suid and sgid
At the time of your login, a new shell process is launched. You already know about this, but you may not know that this new shell process (usually bash) works on behalf of your user. And so the bash program can access all the files and directories you own. In fact, we, as users, are totally dependent on programs that perform operations on our behalf. And since the programs that you run inherit your user ID, they cannot access filesystem objects that you are not given access to. For example, ordinary users cannot directly change the contents of the passwd file because the write flag is disabled for all users except root:
$ ls -l /etc/passwd
-rw-r--r-- 1 root wheel 1355 Nov 1 21:16 /etc/passwdHowever, ordinary users also need to be able to at least indirectly change the contents of / etc / passwd when they need to change their password. But if the user can not change this file, how to do it?
suid
Fortunately, there are two special bits in the Linux permissions model, called suid and sgid . When the suid bit is set for the program being started, it will work on behalf of the owner of the executable file, and not on behalf of the person who started the program. Now we can return to the issue with / etc / passwd. If we look at the executable file passwd, we will see that it is owned by the root user:
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root wheel 17588 Sep 24 00:53 /usr/bin/passwdNote that instead of x in the owner's access rights triplet, it is worth s. This means that the suid bits and launch permissions are set for this particular program. For this reason, when you run the passwd program, it will work as the root user (with all superuser access rights), and not the user who started it. And since passwd works with superuser privileges, it is able to edit / etc / passwd without any difficulties.
Suid / sgid warnings
We saw how suid works, sgid works in a similar way. It allows the program to inherit the permissions of the group, not the current user.
! , suid sgid. -, suid sgid ls -l. x , s ( ). , x S ( ). ! : suid sgid , . suid . passwd — , suid. Change suid and sgid
The method of installing and removing suid and sgid bits is extremely simple. This is how we set the suid bit:
# chmod u+s /usr/bin/myappAnd in the following example, we remove the sgid flag from the directory. You will see how the sgid bit works with directories a bit lower:
# chmod gs /home/drobbinsRights and Directories
Up to now, we have considered access rights from the point of view of ordinary files. When it comes to directories, there are some differences. Directories use the same permissions flags, but their interpretation has a slightly different meaning.
If a read flag is set for a directory, then you can view a list of directory contents; a write flag means that you can create files in a directory; and the execution flag means that you can enter the directory and access all subdirectories inside. Without the execution flag, you will not have access to the file system objects inside the directory. Without the read flag, the filesystem objects inside the directory cannot be viewed, but objects within the directory can still be accessed if you know the full path to the object on the disk.
Directories and sgid flag
In the case, if the sgid bit is set for a directory, all file system objects created inside inherit the directory group. This feature comes in handy when you need to create a directory tree and all of them must belong to the same group. This can be done like this:
# mkdir /home/groupspace
# chgrp mygroup /home/groupspace
# chmod g+s /home/groupspaceNow any users of the mygroup group can create files and directories inside / home / groupspace and they will also automatically be assigned to the group mygroup. Depending on the umask settings for this user, new filesystem objects may or may not be readable, modifiable, or executable by other users of the mygroup group.
Directory and deletion
By default, Linux directories do not behave in the most convenient way in many situations. Usually, anyone can rename or delete a file within a directory if they have write access to this directory. For directories owned by individual users, this behavior usually causes no problems.
However, for directories used by a large number of users, especially / tmp and / var / tmp, this can cause a whole bunch of problems. That's because anyone can write to these directories, anyone can delete and rename anyone's files — even if they don't belong to them! Obviously, it is quite difficult to use / tmp even for temporary storage of anything, when any user can type rm -rf / tmp / * at any time and destroy all other files.
The good news is that there is a sticky bit in Linux. When the sticky bit is set for / tmp (with the chmod + t command), the only people who can delete or rename the files in / tmp are either the owners of these files or the superuser.
Elusive first sign
At the end of this section, we finally pay attention to the first character used in the numerical syntax. It is used to set the sticky, suid and sgid bits:
suid sgid sticky mode
on on on 7 on on off 6 on off on 5 on off off 4 off on on 3 off on off 2 off off on 1 off off off 0
Below is an example of how to use the 4-digit mode to set permissions on the directory that will be used by the working group:
# chmod 1775 /home/groupfilesAs a homework, find out what 1755 means in the permissions settings. :)
The translation was performed by collective intelligence using notabenoid.com . Thanks to the following benoid-users (in alphabetical order): kindacute , nekjine , Rich . Special thanks to Alexey Blazhko (blazhkoa@gmail.com), as well as to the initiator of the entire translation series, VBart .
To be continued...
About the authors
Daniel Robbins 
Daniel Robbins is the founder of the Gentoo community and the creator of the Gentoo Linux operating system. Daniel lives in New Mexico with his wife, Mary, and two energetic daughters. He is also the founder and head of Funtoo , has written many technical articles for IBM developerWorks , Intel Developer Services and the C / C ++ Users Journal.
Chris Houser
Chris Hauser was a UNIX supporter since 1994 when he joined the team of administrators at Taylor University (Indiana, USA), where he received a bachelor's degree in computer science and mathematics. After that, he worked in many areas, including web applications, video editing, drivers for UNIX, and cryptographic protection. Currently working in Sentry Data Systems. Chris also contributed to many free projects, such as Gentoo Linux and Clojure, co-authored The Joy of Clojure .
Aron griffis
Airon Griffis lives in Boston, where he spent the last decade working with Hewlett-Packard on projects such as UNIX network drivers for Tru64, Linux security certification, Xen and KVM virtualization, and most recently, the HP ePrint platform. In his spare time, Airon prefers to ponder over the problems of programming while riding his bike, juggling with bats, or cheering for the Boston professional Red Sox baseball team.
Source: https://habr.com/ru/post/109392/
All Articles