File Permissions and Access Control Lists

1. Understanding File Permissions:

Create a simple file and run ls -ltr to see the details of the files.

Each of the three permission sets is assigned to one of three defined categories of users.

  • Owner: The owner of the file or application. Use chown to change the owner of a file or directory.
  • Group: The group that owns the file or application. Use chgrp to change the group of a file or directory.
  • Others: All users with access to the system who are neither the owner nor members of the group. Use chmod to change the permissions these other users get on a file or directory.
  • Task: Change the user permissions of the file and note the changes after running ls -ltr.


Solution:

To understand file permissions in Linux, let's break down the steps for creating a file, viewing its permissions using ls -ltr, and modifying the permissions using chown, chgrp, and chmod.

Create a Simple File: You can create a file using the touch command:

touch example.txt

Check File Permissions: To view the file's details and permissions, run:

ls -ltr

Example of the output (the permission string for the new file reads -rw-r--r--):

  • The first - means the entry is a regular file.
  • rw- means the owner has read and write permissions.
  • r-- means the group has read permission.
  • r-- means others have read permission.


To Change Ownership: use chown

sudo chown manit example.txt

Replace manit with any user name. Run ls -ltr to check the new owner.

Change Group: use chgrp

sudo chgrp msd example.txt

Replace msd with any group name. Run ls -ltr to check the new group assignment.

Change Permissions: use chmod

Use the chmod command to change permissions for others; here it removes read access from users who are neither the owner nor in the group.

chmod o-r example.txt

Task: Change Permissions and Note Changes

  1. Create a file:

touch msd.txt

  2. View permissions:

ls -ltr

Output: (the permission string reads -rw-r--r--)

This means:

  • The owner (user) has read (r) and write (w) permissions.
  • The group has only read permission.
  • Others also have read permission.

  3. Change owner (chown takes a user name, or user:group to set both at once):

sudo chown manit msd.txt

Run ls -ltr to verify:

  4. Change group:

sudo chgrp msd msd.txt

Run ls -ltr to verify:

-rw-r--r-- 1 manit msd 109 Oct 15 22:49 msd.txt

  5. Change permissions for others (remove both write and read, leaving others with no access):

chmod o-wr msd.txt

What we learned:

By using chown, chgrp, and chmod, you can modify the file ownership and permissions. The ls -ltr command helps you verify these changes and understand the current permissions.


2. Writing an Article:

  • Write an article about file permissions based on your understanding from the notes.

Answer:

  • Understanding File Permissions in Linux

File permissions in Linux are critical for maintaining security and proper access control. They define who can read, write, and execute a file or directory. Here, we explore the concepts and commands related to file permissions.

  • Basic Permissions

Permissions in Linux are represented by a three-digit octal number, one digit each for the owner, the group, and others. Each digit is the sum of read (4), write (2), and execute (1).

Highest Permission: 7 (4+2+1, i.e. read, write, and execute)

Maximum Permission: 777, but effectively 666 for newly created files for security reasons, meaning no user gets execute permission unless it is added explicitly.

Effective Permission for Directories: 755 (777 with the default umask of 022 applied)

Lowest Permission: 000 (not recommended)

Default Effective Permission for Files: 644 (666 with the default umask of 022 applied)

Default Directory Permission: Includes execute permission, which is what allows a user to enter the directory and reach the entries inside it.

  • Categories of Users :

Each of the three permission sets is assigned to one of three defined categories of users:

Owner: The owner of the file or application. (changed with chown)

Group: The group that owns the file or application. (changed with chgrp)

Others: All other users with access to the system, i.e. neither the owner nor members of the group. (their permissions are changed with chmod)

  • Special Permissions

SUID (Set User ID): If SUID is set on an executable file and a normal user executes it, the process runs with the rights of the file's owner instead of those of the normal user (e.g., the passwd command).

SGID (Set Group ID): If SGID is set on a directory, all subdirectories and files created inside it inherit the group ownership of that directory, regardless of who creates them.

Sticky Bit: Used on directories to prevent other users from deleting the directory's contents even though they have write permission on it. Only the owner of a file and the root user can delete other users' data in a directory where the sticky bit is set.
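As an added example (not from the original post), the following shell functions turn the permission string that ls -ltr prints into the octal mode used by chmod and stat, including the s and t positions of the special permissions just described, and derive the 644/755 defaults from the 666/777 maximum and the umask. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: decode the permission string that
# ls -ltr prints into the octal mode used by chmod and stat, and derive the
# default creation modes from the maximum and the umask.

# sym_to_octal STRING -> octal mode, e.g. "-rw-r--r--" -> 644, "drwxrwxrwt" -> 1777
sym_to_octal() {
    s=$(printf '%s' "$1" | cut -c2-10)   # drop the type char; ignore a trailing + (ACL) or .
    special=0; out=""; slot=0
    while [ "${#s}" -ge 3 ]; do
        tri=${s%"${s#???}"}              # next owner/group/others triad
        s=${s#???}
        r=${tri%??}; rest=${tri#?}; w=${rest%?}; x=${tri#??}
        n=0
        [ "$r" = r ] && n=$((n + 4))
        [ "$w" = w ] && n=$((n + 2))
        case $x in x|s|t) n=$((n + 1)) ;; esac   # lower-case s/t also imply x
        # s in the owner slot = SUID (4), s in the group slot = SGID (2),
        # t in the others slot = sticky (1); upper-case means set without x
        case "$slot$x" in
            0s|0S) special=$((special + 4)) ;;
            1s|1S) special=$((special + 2)) ;;
            2t|2T) special=$((special + 1)) ;;
        esac
        out="$out$n"; slot=$((slot + 1))
    done
    if [ "$special" -eq 0 ]; then printf '%s\n' "$out"; else printf '%d%s\n' "$special" "$out"; fi
}

# default_mode MAX UMASK -> mode a new file (MAX=666) or directory (MAX=777) gets
default_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))   # the umask bits are cleared from the maximum
}
```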


3. Access Control Lists (ACL):


  • Read about ACL and try out the commands getfacl and setfacl.
  • Task: Create a directory and set specific ACL permissions for different users and groups. Verify the permissions using getfacl.


4. Additional Tasks:

  • Task: Create a script that changes the permissions of multiple files in a directory based on user input.

This script will prompt the user to input the directory name and the permissions they want to set. It will then apply the specified permissions to all files in that directory.

This script will allow the user to input a file, a username, and desired permissions. It will then set the specified ACL permissions for that user on the given file.
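As an added example (not the post's own scripts, which are not reproduced here), the following shell functions implement the ACL task from section 3 and the two scripts described in section 4, with the input checks I would want before any chmod or setfacl runs. The function names apply_mode and grant_acl are my own; grant_acl needs the acl package (setfacl and getfacl) installed.

```shell
#!/bin/sh
# Added example, not the post's own scripts: the two tasks above as functions,
# with the input checks that belong before any chmod or setfacl runs.
# Function names are hypothetical.

# apply_mode DIR MODE -> chmod MODE on every regular file directly in DIR,
# prints the number of files changed; returns 1 on bad input
apply_mode() {
    dir=$1; mode=$2; count=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    case $mode in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;   # only 3- or 4-digit octal
        *) echo "mode must be octal digits, e.g. 640: $mode" >&2; return 1 ;;
    esac
    for f in "$dir"/*; do
        # regular files only, and never through a symlink (chmod follows links)
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        chmod "$mode" "$f" && count=$((count + 1))
    done
    echo "$count"
}

# grant_acl FILE USER PERMS -> setfacl -m u:USER:PERMS FILE, then shows the ACL
# with getfacl; returns 1 on bad input, 2 if the acl tools are not installed
grant_acl() {
    file=$1; user=$2; perms=$3
    [ -e "$file" ] || { echo "no such file: $file" >&2; return 1; }
    case $user in
        [a-z_]*) ;;
        *) echo "invalid user name: $user" >&2; return 1 ;;
    esac
    case $user in
        *[!a-z0-9_-]*) echo "invalid user name: $user" >&2; return 1 ;;
    esac
    case $perms in
        [rwx-]|[rwx-][rwx-]|[rwx-][rwx-][rwx-]) ;;   # e.g. rwx, r-x, rw
        *) echo "perms must use only r, w, x or -: $perms" >&2; return 1 ;;
    esac
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed" >&2; return 2; }
    setfacl -m "u:$user:$perms" "$file" && getfacl -p "$file"
}

# Interactive use, as the task describes (not run here):
#   printf 'Directory: '; read -r dir; printf 'Mode: '; read -r mode
#   apply_mode "$dir" "$mode"
#   printf 'File: '; read -r file; printf 'User: '; read -r user
#   printf 'Perms: '; read -r perms; grant_acl "$file" "$user" "$perms"
```

For the directory task in section 3, the same setfacl form works with g:GROUP:PERMS for a group entry and -d to make an entry the default for new files; getfacl then shows each entry and, where a mask entry limits it, an #effective: comment with the rights that actually apply.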




Understanding Sticky Bit, SUID, and SGID:

  • Read about sticky bit, SUID, and SGID.
  • Task: Create examples demonstrating the use of sticky bit, SUID, and SGID, and explain their significance.

What is the Sticky Bit? (chmod +t)

The sticky bit is a permission that is primarily applied to directories. It restricts the deletion of files within that directory to only the file's owner or the root user, even if others have write permissions.

Use Case:

It's often used in shared directories, like /tmp, to prevent users from deleting each other's files while still allowing them to create and modify their own files.

Setting the Sticky Bit:

To set the sticky bit on a directory, use the chmod command with the +t mode:

  1. Create a directory shared_dir:
  2. Set write permissions for all users on this directory:
  3. Set the sticky bit:
  4. Check the permissions using ls -ld:

Output:

Notice the

SUID (Set User ID) (chmod u+s)

What is SUID?

The SUID (Set User ID) permission allows users to execute a file with the permissions of the file's owner. It is mostly applied to executable files. When SUID is set, the process spawned by executing the file runs with the privileges of the file owner rather than the privileges of the user who launched it.

Use Case:

The passwd command is a classic example where SUID is used. The passwd program allows users to change their passwords, which requires modifying the /etc/shadow file, a file that regular users normally do not have permission to modify. SUID allows the program to run with the elevated privileges of its owner (typically root) to modify the file safely.

Setting SUID:

Use chmod with u+s to set the SUID bit on an executable file.

echo "echo 'SUID test script executed!'" > SUID.sh
chmod 777 SUID.sh

Note that Linux ignores the SUID bit on interpreted scripts such as SUID.sh: ls -l will show the s, but the script still runs with the privileges of the user who launched it, so the bit only takes effect on compiled executables. Also avoid combining SUID with world-writable modes like 777, because then any user could edit a program that runs as its owner.

Output:

SGID (Set Group ID) (chmod g+s)

What is SGID?

The SGID (Set Group ID) permission has two main purposes, depending on whether it is applied to files or directories.

  • On Files: Similar to SUID, it allows users to execute a file with the group permissions of the file’s group owner.
  • On Directories: SGID ensures that files created within the directory inherit the group ownership of the directory rather than the group of the user who created the file.

Output:

The
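As an added example (not from the original post), the following shell script performs the shared_dir steps above as a function, builds an SGID project directory, and audits a tree for files carrying SUID or SGID, which is the check to run after any change to these bits. The function and directory names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: the shared_dir steps above as a
# function, an SGID project directory, and a find-based audit that lists
# files carrying SUID or SGID. Directory names are hypothetical.

# make_shared_dir DIR -> world-writable directory with the sticky bit;
# prints "<octal> <symbolic>", e.g. "1777 drwxrwxrwt"
make_shared_dir() {
    mkdir -p "$1"
    chmod a+rwx "$1"        # step 2: everyone may create files here
    chmod +t "$1"           # step 3: only a file's owner (or root) may remove it
    stat -c '%a %A' "$1"    # step 4: the t replaces the final x in ls -ld
}

# make_project_dir DIR -> group-writable directory with SGID so files created
# inside inherit the directory's group; prints e.g. "2775 drwxrwsr-x"
make_project_dir() {
    mkdir -p "$1"
    chmod 2775 "$1"         # same as chmod 775 "$1" && chmod g+s "$1"
    stat -c '%a %A' "$1"
}

# audit_special DIR -> every regular file under DIR with SUID (4000) or
# SGID (2000) set, as "<octal> <path>"; the list to review after any change
audit_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec stat -c '%a %n' {} +
}
```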

5. Backup and Restore Permissions:

Script to Backup Permissions of Files in a Directory

This script will save the current permissions of all files in a specified directory to a backup file.

#!/bin/bash

# Script to backup file permissions

backup_permissions() {
    echo "Enter the directory you want to backup permissions for:"
    read -r dir

    # Check if directory exists
    if [ ! -d "$dir" ]; then
        echo "Directory does not exist!"
        exit 1
    fi

    echo "Enter the name of the backup file:"
    read -r backup_file

    # Backup permissions using the stat command: octal mode first, then the
    # file name, so names containing spaces survive the restore
    > "$backup_file"  # Clear the backup file if it exists
    for file in "$dir"/*; do
        if [ -f "$file" ]; then
            permissions=$(stat -c "%a %n" "$file")  # Get permissions and file name
            printf '%s\n' "$permissions" >> "$backup_file"  # Write to backup file
        fi
    done

    echo "Permissions backed up to $backup_file"
}

# Run the backup function
backup_permissions

Output:

Script to Restore Permissions from a Backup File:

#!/bin/bash

# Script to restore file permissions from a backup file

restore_permissions() {
    echo "Enter the name of the backup file:"
    read -r backup_file

    # Check if the backup file exists
    if [ ! -f "$backup_file" ]; then
        echo "Backup file does not exist!"
        exit 1
    fi

    # Restore permissions from the backup file: the first field is the mode,
    # the rest of the line is the file name (which may contain spaces)
    while IFS=' ' read -r permission file; do
        # Accept only 3- or 4-digit octal modes, so a malformed or edited
        # backup line cannot turn into an unexpected chmod argument
        case $permission in
            [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
            *) echo "Bad mode '$permission' for $file, skipping."; continue ;;
        esac

        # Check if the file exists before restoring permissions
        if [ -f "$file" ]; then
            chmod "$permission" "$file"  # Restore permission
            echo "Restored $file to $permission"
        else
            echo "File $file not found, skipping."
        fi
    done < "$backup_file"

    echo "Permissions restored from $backup_file"
}

# Run the restore function
restore_permissions

Output:



Faizan Shaikh

5 months

keep it up Manit Singh