Mastering Linux Permissions: A Beginner’s Guide

Overview

The foundation of Linux security is permissions. Maintaining the integrity and functionality of any Linux environment requires sysadmins and power users to know how to assign, change, and manage permissions. In addition to covering the fundamentals of file permissions, this article will explore more complex ideas like Access Control Lists (ACLs) and the sudoers file for privileged access management.

1. Decoding Linux File Permissions

In Linux, every file and directory is owned by a user and a group, with each having specific permissions. The ls -l command is your go-to tool for inspecting these permissions.

```bash
$ ls -ld /var/www/html
drwxr-xr-x 2 root root 4096 Oct 22 10:24 /var/www/html
```

Let’s break down the first part of the output:

| Symbol | Description |
|--------|-------------|
| d | Directory (a `-` would indicate a file) |
| rwx | User (owner) has read, write, and execute permissions |
| r-x | Group has read and execute permissions |
| r-x | Others have read and execute permissions |

The first character indicates whether the item is a file (-) or directory (d).

The next nine characters are split into three sets of permissions for the owner (user), group, and others.

2. Changing Permissions with chmod: The Symbolic and Octal Methods

Modifying file permissions is essential when managing user access. The chmod command is used to change these permissions.

Using Symbolic Notation:

```bash
$ chmod u+w,g-w,o-r filename
```

This command does the following:

u+w: Adds write permission for the user (owner).

g-w: Removes write permission from the group.

o-r: Removes read permission for others.

Using Octal (Numeric) Notation:

Octal notation assigns a numeric value to each permission:

r = 4, w = 2, x = 1

Add these values to represent combinations. For example:

rwx = 7 (4+2+1)

r-x = 5 (4+1)

r-- = 4

To give a file rwxr-xr-- permissions:

```bash
$ chmod 754 filename
```

The permission breakdown:

Owner: 7 = rwx

Group: 5 = r-x

Others: 4 = r--
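The conversion the two notations above describe, as an added example rather than code from the article: a pair of bash functions that turn the mode string from `ls -l` (section 1) into chmod's octal form and back. It also strips the trailing `+` that `ls -l` shows when a file carries an ACL, and rejects setuid/setgid/sticky bits rather than misreading them.

```bash
#!/bin/bash
# Convert between the symbolic mode `ls -l` prints and the octal form chmod takes.
# Added example, not code from the article. Covers the nine rwx bits only;
# setuid/setgid/sticky (s/S/t/T) are rejected rather than silently misread.

# mode_to_octal "rwxr-xr--"   -> 754
# mode_to_octal "drwxr-xr-x+" -> 755  (type char and the "+" that marks an ACL are dropped)
mode_to_octal() {
    local mode=$1 octal="" triad n i
    mode=${mode%[+.@]}                       # strip the ACL/SELinux/xattr indicator, if any
    [ ${#mode} -eq 10 ] && mode=${mode#?}    # drop the file-type character (d, -, l, ...)
    case $mode in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "unsupported mode string: $1" >&2; return 1 ;;
    esac
    for i in 0 3 6; do
        triad=${mode:$i:3}
        n=0
        [ "${triad:0:1}" = r ] && n=$((n + 4))
        [ "${triad:1:1}" = w ] && n=$((n + 2))
        [ "${triad:2:1}" = x ] && n=$((n + 1))
        octal="$octal$n"
    done
    echo "$octal"
}

# octal_to_mode 754 -> "rwxr-xr--"
octal_to_mode() {
    local octal=$1 out="" d
    case $octal in
        [0-7][0-7][0-7]) ;;
        *) echo "bad octal mode: $1" >&2; return 1 ;;
    esac
    for d in ${octal:0:1} ${octal:1:1} ${octal:2:1}; do
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    echo "$out"
}

# Usage: round-trip the article's chmod 754 example
mode_to_octal "rwxr-xr--"      # 754
octal_to_mode 754              # rwxr-xr--
```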

3. Managing Users and Groups

In Linux, every user belongs to at least one group, and permissions are granted based on user roles. Sysadmins often use groups to manage access to shared resources.

Creating Users and Groups

To add a new user and create a group, you can use the following commands:

```bash
$ sudo useradd alice
$ sudo groupadd dev_team
$ sudo usermod -aG dev_team alice   # append alice to the dev_team group
```

Now alice belongs to the dev_team group and receives the group permissions on any file or directory whose group is dev_team.

File Ownership:

To change the ownership of a file, use the chown command:

```bash
$ sudo chown alice:dev_team /var/www/html/index.html
```

This command changes the ownership of index.html to alice and assigns the group dev_team.

4. Going Beyond Basic Permissions with ACLs

Basic permissions may not always provide the granularity required in multi-user systems. Enter Access Control Lists (ACLs), which allow you to set permissions for multiple users or groups on a file.

Setting an ACL:

To give user bob read access to file.txt:

```bash
$ setfacl -m u:bob:r file.txt
```

Viewing ACLs:

To view the ACL entries on a file:

```bash
$ getfacl file.txt
# file: file.txt
# owner: alice
# group: dev_team
user::rw-
user:bob:r--
group::r--
mask::r--
other::r--
```

ACLs provide more flexibility, particularly when managing complex environments where multiple users require different levels of access to the same file or directory.

Removing an ACL:

To remove the ACL for bob:

```bash
$ setfacl -x u:bob file.txt
```
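A detail the getfacl listing above hides, as an added example that is not from the article: bob's effective rights are his entry ANDed with the mask entry, and because chmod on the group bits rewrites the mask, a later `chmod g-w file.txt` silently reduces a `user:bob:rw-` entry to read-only. This bash script parses a constructed getfacl listing and annotates masked entries the way getfacl itself does with `#effective:`.

```bash
# Effective rights behind a getfacl listing: named users/groups and group:: are capped by the
# mask entry, user:: (owner) and other:: are not. Added example, not code from the article;
# the sample listing is constructed (bob was given rw-, then `chmod g-w` rewrote the mask to r--).

# and_perms "rw-" "r--" -> "r--"   (bitwise AND of two rwx triads)
and_perms() {
    local a=$1 b=$2 out="" i c
    for i in 0 1 2; do
        c=${a:$i:1}
        [ "$c" != - ] && [ "$c" = "${b:$i:1}" ] && out="$out$c" || out="$out-"
    done
    echo "$out"
}

# effective_acl reads getfacl output on stdin and appends "#effective:" to every entry
# whose rights are narrowed by the mask, matching getfacl's own annotation.
effective_acl() {
    local line mask="" entries=() tag name perms eff
    while IFS= read -r line; do
        case $line in
            '#'*|'') continue ;;                  # header comments and blank lines
            mask::*) mask=${line#mask::} ;;
        esac
        entries+=("$line")
    done
    for line in "${entries[@]}"; do
        IFS=: read -r tag name perms <<< "$line"
        case "$tag:$name" in
            user:|other:|mask:) eff=$perms ;;     # owner, other and the mask itself: unmasked
            *) eff=$(and_perms "$perms" "${mask:-rwx}") ;;   # named entries and group::
        esac
        [ "$eff" = "$perms" ] && printf '%s\n' "$line" || printf '%s\t\t#effective:%s\n' "$line" "$eff"
    done
}

# Constructed sample listing: what getfacl prints after bob was granted rw- and the mask shrank
ACL_SAMPLE='# file: file.txt
# owner: alice
# group: dev_team
user::rw-
user:bob:rw-
group::r--
mask::r--
other::r--'

effective_acl <<< "$ACL_SAMPLE"
```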

5. Managing Privileged Access with sudo and the sudoers File

Using sudo is the safest way for users to execute commands with root privileges, without logging in as the root user directly. The /etc/sudoers file controls which users can run commands as root and what they are allowed to execute.

Adding a User to the sudoers File

Edit the sudoers file with visudo, which validates the syntax before saving:

```bash
$ sudo visudo
```

A typical entry for user alice might look like this:

```text
# user  hosts = (run-as user : run-as group)  commands
alice ALL=(ALL:ALL) ALL
```

This grants alice full administrative privileges across the system.

Restricting sudo Access:

You can limit which commands a user may run with sudo. For example, to allow bob only to restart services:

```text
# The trailing * lets bob name a unit; sudoers wildcards match any argument string
# (including several words), so listing exact units (e.g. /bin/systemctl restart nginx) is tighter.
bob ALL=NOPASSWD: /bin/systemctl restart *
```

This prevents bob from accessing other privileged commands, improving security.

Conclusion

Developing a solid understanding of Linux permissions is an essential skill for system administrators and cybersecurity analysts. From fundamental file permissions to more advanced techniques such as Access Control Lists (ACLs) and sudo privilege management, a thorough grasp of these concepts is vital for maintaining a secure and efficient system.

It's important to recognize that permissions go beyond simply granting access; they play a crucial role in managing security and ensuring that only the appropriate individuals can access specific resources.


More articles by Franklin U.
