Advanced File Permissions

1
Advanced File Permissions

• ICE System
• Consultant Group 2nd
• 5? 17?

2
The Octal(Absolute) Mode
3
Read, Write, Execution

• File
• Read
• Write
• Execute
• Directory
• Read
• Write
• execute

4
The umask Filter

• Determines the default permissions for new files
  and directory(/etc/profile, .cshrc)
• Assigns permissions during the creation of new
  files and directories
• Displays your umask
• umask
• 022
• Enables users to set their own umask value
• Max Permission
• File 666
• Directory 777

5
Changing the umask Value

• In the current shell
• umask 027
• umask
• 027
• Will lost when you log out of the system
• Permanently
• .profile .cshrc .login
• vi .profile
• umask 027

6
Access Control Lists(ACLs)

• Provides greater control over file permissions
• Provides traditional UNIX file protection(read,
  write, execute) and more
• Set for individual users and additional groups.
• The setfacl Command
• Setfacl options acl_entry filename1 filename2
• Options
• -m Creates or modifies an ACL
• -s Replaces the entire ACL with the new ACL
• -d Deletes ACL entries(getfacl?? ?? ?)
• -r Recalculates ACL permissions
• acl_entry Is an ACL entry
• Filename is a file or directory which contains
  the ACL entries

7
The setfacl Command
8
setfacl Command Examples

• Adding read/write permissions for ssa20
• setfacl m userssa206 ch3.doc
• Checking if a file has an ACL
• ls l ch3.doc
• -rwxr----- 1william sysadmin 163 Nov 11 1112
• Deleting an ACL entry
• setfacl d userssa206 ch3.doc

9
The getfacl Command

• To verify that an ACL was set on the file
• getfacl options filename filename2
• Options
• -a the file name, owner, group, ACL entries
  for the specified file or directory
• -d the file name, owner, group and default
  ACL entries for the specified directory
• Result
• effective effected from mask values
• Changing mask permissions

10
How to Use ACLs

• Set the ACL(setfacl)
• Check that the ACL exists(ls l)
• Verify that the ACL is correct.(getfacl)

11
Using setuid setgid permissions

• These special permissions enable you to control
  the modification of files and create shared
  directories
• Executable programs
• setuid permission Run as like programs owner
• setgid permission Run as like programs group
• Directories
• Propagate permission to below dereictory
• setuid and setgid permissions
• Display s
• S no execute permission

12
Using setuid setgid Permissions

• Setting setuid and setgid permissions
• Numeric or symbolic notation
• 4 setuid
• 2 setgid
• 1 sticky bit
• s
• Controlling modification of files
• chmod 4755 setuid_program
• chmod 2755 setgid_program
• Creating shared directories
• chmod gs some_directory

13
Using the Sticky Bit

• Determining the characteristics of a directory
  with set sticky bin
• If a directory is publicly writable and has the
  sticky bit set, files within that directory can
  be removed or renamed only if one or more of the
  following is true
• The user owns the file
• The user owns the directory
• The file is writable by user
• The user is the superuser
• Identifying sticky permission
• ls ld /var/tmp
• Setting the sticky permission
• chmod 1777 project
• chmod arwxt project
• Display t(executable) / T (execute off)