Friday, January 1, 2021

CONTROLLING ACCESS TO FILES (ACL)

 


There are two kinds of permission control to cover here, beyond the basic rwx bits:

1. Special Permissions or Advanced Permission
2. Access Control List (ACL)

Let’s first begin with Special Permissions

1. Special Permissions or Advanced Permission

There are three special permissions that can be set on a file or directory in addition to
the basic file permissions (rwx):

  •  SUID – SET USER ID
  •  SGID – SET GROUP ID
  •  STICKY BIT

 SUID – SET USER ID :-

A program with SUID set runs with the privileges of the file's owner instead of those of the user who executes it. ping is the classic example: it is owned by root and has SUID set, so every user can run it and open the raw ICMP socket it needs. If SUID is removed, a normal user can still execute the binary, but the privileged operation inside it fails.
example:-

[figure: positions of the suid (owner execute), sgid (group execute) and sticky bit (other execute) in the permission string]

      #which ping
        /bin/ping

      #ls  -l /bin/ping
          -rwsr-xr-x 1 root root 3323 Jul 23 2020 /bin/ping

Note: observe that in the permissions “-rwsr-xr-x” the owner's execute position contains an “s”, which means SUID is
set (an uppercase “S” would mean the bit is set but the owner has no execute permission, which is useless).

Note:- Let's remove SUID from the ping command (chmod u-s /bin/ping, run as root), log in as a normal user and check the result:

 #su - user1
 $ping 192.168.10.10
 ping: icmp open socket: Operation not permitted.

Caveat: on many current distributions ping is no longer SUID root at all; it carries the file capability cap_net_raw instead (check with getcap /bin/ping), so this test may not reproduce there. Every SUID-root binary is a privilege boundary: a bug in one is a local root escalation, so keep the set of SUID programs on a host small and audited.

SGID – SET GROUP ID:-

On a directory, SGID controls group inheritance. Normally a new file gets the primary group of the user who created it. If SGID is set on a directory whose group is, say, java, then every file and subdirectory created inside it gets the group java instead (new subdirectories inherit the SGID bit as well). On an executable file SGID works like SUID, but the program runs with the file's group rather than the caller's.

  • Let's see it practically.
  • root@server:~# mkdir mydir
  • root@server:~# groupadd java
  • root@server:~# chgrp java mydir
  • root@server:~# ls -ld mydir/
    drwxr-xr-x 2 root java 4096 Jun  4 18:29 mydir/
  • root@server:~# chmod g+s mydir/
  • root@server:~# ls -ld mydir/
    drwxr-sr-x 2 root java 4096 Jun  4 18:29 mydir/
  • root@server:~# chmod go+w mydir/
  • root@server:~# su - dev
  • dev@server:~$ cd mydir/
  • dev@server:~/mydir$ touch file{1..5}
  • dev@server:~/mydir$ ls -l
    -rw-r--r--  1 dev  java    0 Jun  4 18:37 file1
    -rw-r--r--  1 dev  java    0 Jun  4 18:37 file2
    -rw-r--r--  1 dev  java    0 Jun  4 18:37 file3
    -rw-r--r--  1 dev  java    0 Jun  4 18:37 file4
    -rw-r--r--  1 dev  java    0 Jun  4 18:37 file5

Note: without SGID these files would have been created with dev's primary group, which is usually a private group with the same name as the user. Because the directory has SGID and belongs to java, they were created with group java, which is what makes a shared project directory usable by a team. Note also that chmod go+w made the directory writable by everybody: any user can now create files in it and, unless the sticky bit is set, delete anybody else's files there. The next section addresses that.


STICKY BIT:-

The sticky bit is meaningful on directories. In a directory with the sticky bit set, a file can be deleted or renamed only by the file's owner, the directory's owner, or root, even when the directory itself is writable by everyone. This is what keeps shared directories such as /tmp (drwxrwxrwt) safe. On Linux the bit has no effect on regular files.

  • root@server:~# chmod o+t mydir
  • root@server:~# ls -ld mydir/
    drwxrwsrwt 2 root java 4096 Jun  4 18:29 mydir/

Now let a different user, user1, who does not own the files dev created, try to delete one of them:

  • root@server:~# su - user1
  • user1@server:~$ cd mydir/
  • user1@server:~/mydir$ ls -l
    -rw-r--r--  1 dev  java    0 Jun  4 18:37 file1
    -rw-r--r--  1 dev  java    0 Jun  4 18:37 file2
    -rw-r--r--  1 dev  java    0 Jun  4 18:37 file3
    -rw-r--r--  1 dev  java    0 Jun  4 18:37 file4
    -rw-r--r--  1 dev  java    0 Jun  4 18:37 file5
  • user1@server:~/mydir$ rm file1
  • rm: cannot remove 'file1': Operation not permitted

Note: user1 has write permission on the directory (other has rwx), which without the sticky bit would be enough to unlink any file in it regardless of the file's own permissions. With the sticky bit the kernel also requires user1 to own file1 (or the directory), so the removal fails with EPERM. dev, as the owner of file1, can still delete it, as can root and the directory owner.
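As an added example, not from the original page: a small POSIX shell script that decodes the special bits from an octal mode (the leading digit printed by stat -c %a, where 4 is SUID, 2 is SGID and 1 is the sticky bit) and lists the setuid and setgid files under a directory, which is the routine audit behind the caveat that every SUID binary is a privilege boundary. It assumes GNU stat and find (Linux), builds its own throwaway files with the bits set so it needs no root and touches nothing else on the host, and the file names in the demo are made up.

```shell
#!/bin/sh
# Added example, not from the original page: decode the SUID/SGID/sticky bits
# from an octal mode and audit a tree for setuid/setgid files.
# Assumes GNU coreutils and findutils (stat -c, find -printf), i.e. Linux.
set -u

# decode_mode MODE: MODE is an octal mode as printed by `stat -c %a`
# (4755, 2775, 1777, or a plain 755). Prints the special bits that are set,
# comma separated, or "none".
decode_mode() {
    mode=$1
    bits=""
    while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done   # 755 -> 0755
    special=${mode%???}          # leading digit: 4 = SUID, 2 = SGID, 1 = sticky
    if [ $((special & 4)) -ne 0 ]; then bits="${bits}suid,"; fi
    if [ $((special & 2)) -ne 0 ]; then bits="${bits}sgid,"; fi
    if [ $((special & 1)) -ne 0 ]; then bits="${bits}sticky,"; fi
    if [ -z "$bits" ]; then echo none; else echo "${bits%,}"; fi
}

# special_bits_of PATH: the same report for a real file or directory.
special_bits_of() {
    decode_mode "$(stat -c %a -- "$1")"
}

# audit_special_bits ROOT: list every regular file under ROOT (staying on
# one filesystem) that is setuid or setgid, with mode, owner:group and path.
# Run it against / to inventory the privilege boundaries on a host.
audit_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u:%g %p\n' 2>/dev/null | sort
}

# Demo on a throwaway directory (made-up names) so the script is safe to run
# anywhere without root: the bits are set on files the caller owns.
demo() {
    work=$(mktemp -d)
    : > "$work/tool"   && chmod 4755 "$work/tool"     # stand-in for a SUID binary
    : > "$work/helper" && chmod 2755 "$work/helper"   # stand-in for a SGID binary
    mkdir "$work/shared" && chmod 1777 "$work/shared" # world-writable, sticky
    echo "tool:   $(special_bits_of "$work/tool")"
    echo "shared: $(special_bits_of "$work/shared")"
    echo "setuid/setgid files under $work:"
    audit_special_bits "$work"
    rm -rf "$work"
}
demo
```

The `-xdev` keeps the audit from wandering into /proc or network mounts; `-perm -4000` matches any file with the SUID bit regardless of its other bits. On a real host, compare the list against the package manager's record of which files are supposed to be setuid and investigate anything extra.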

CONTROLLING ACCESS TO FILES (ACL):-

The basic owner/group/other model can name only one user and one group per file. When a directory has to be shared with particular extra users or groups, without opening it to everyone, use an Access Control List (ACL). ACLs need filesystem support (on by default for ext4 and XFS) and the acl package, which provides the getfacl and setfacl commands.

 examples .
   
      Create directory db_backup
  • root@server:~# mkdir db_backup

  • Now check the ACL of the directory. With no extended entries, getfacl simply mirrors the rwx bits:

  • root@server:~# getfacl db_backup/
  • # file: db_backup/
  • # owner: root
  • # group: root
  • user::rwx
  • group::r-x
  • other::r-x

Note:- getfacl has two useful options for checking permissions:
          
                     -d  Displays the default ACL (the entries that new files and subdirectories created inside will inherit)
                     -R  Recurses into subdirectories
 
  • root@server:~# cd db_backup/
  • root@server:~/db_backup# mkdir project1
  • root@server:~/db_backup# cd ..

Using -R shows the ACL of every subdirectory as well:
root@server:~# getfacl -R db_backup/
# file: db_backup/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: db_backup//project1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

Note :
Now let's give the directory full permission and then apply an ACL to it,
so that we can analyze how the ACL entries work.

root@server:~# chmod 777 db_backup/

root@server:~# ls -ld  db_backup/
drwxrwxrwx 3 root root 4096 Jun  5 23:05 db_backup/

Caveat: 777 is used here only to keep the demonstration simple. It makes the directory world-writable, so the ACL entries added below grant nothing that other::rwx does not already give to every user on the system. In a real shared directory start from a restrictive mode such as 750 and let the ACL add the extra users and groups; the sticky bit from the previous section is also worth setting on anything that several users can write to.

#setfacl <option> <argument> <file or directory name>

The options are :-
    -m Modifies (adds or replaces) an ACL entry
    -x  Removes one ACL entry
    -b  Removes all extended ACL entries
    -d  Applies the operation to the default ACL (inherited by new files and subdirectories)
    -R Recurses into subdirectories


root@server:~# getfacl db_backup/
# file: db_backup/
# owner: root
# group: root
user::rwx
group::rwx
other::rwx

Now give the dev user read and write access to the directory:


root@server:~# setfacl -m u:dev:rw db_backup/

Now verify it by using the getfacl command:

root@server:~# getfacl db_backup/
# file: db_backup/
# owner: root
# group: root
user::rwx
user:dev:rw-
group::rwx
mask::rwx
other::rwx

Note: adding the first named entry also creates a mask entry. The mask is the upper bound for every named user, every named group and the owning group (group::); the effective right of such an entry is the entry ANDed with the mask, while user:: and other:: are never masked. A chmod on the group bits of a file that has an ACL rewrites the mask rather than the owning group's entry, so a later chmod 750 db_backup/ would silently reduce dev to r-- (getfacl then annotates the entry with #effective:r--). ls -l marks a file or directory that carries extended ACL entries with a + after the permission string, e.g. drwxrwxrwx+.

To assign read, write and execute permission to a particular group (the group javagroup must already exist):


root@server:~# setfacl -m g:javagroup:rwx db_backup/

Now verify it by using the getfacl command:

root@server:~# getfacl db_backup/
# file: db_backup/
# owner: root
# group: root
user::rwx
user:dev:rw-
group::rwx
group:javagroup:rwx
mask::rwx
other::rwx

Assigning read and execute permission to a user and a group in a single command (entries are comma separated; -m replaces any existing entry for the same user or group, so dev drops from rw- to r-x here):

 #setfacl -m u:dev:rx,g:javagroup:rx  db_backup


Removing the ACL entry for a particular user

 #setfacl -x u:dev db_backup

Removing the ACL entry for a particular group

 #setfacl -x g:javagroup db_backup


Removing all ACL entries from a file or directory

 #setfacl -b db_backup

Note: -b removes every extended entry at once (named users, named groups, the mask and any default ACL) but leaves the base owner, group and other permissions untouched; check with getfacl afterwards and confirm that the + has gone from ls -l.
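As an added example, not part of the original page: the script below shows what the mask actually does to the entries above. It reads getfacl output and prints each entry's effective permission, and, when the acl tools are installed and the filesystem accepts ACLs, replays the db_backup scenario on a temporary directory, including a default ACL inherited by a new project1 subdirectory and the mask rewrite caused by chmod 750. The getfacl transcript embedded in it is constructed (what getfacl would print for the page's db_backup after chmod 750 was run on it), not captured from the page's server; the numeric uid 65534 and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: apply the ACL mask to getfacl
# output to show each entry's effective permission, then (if the acl tools
# are present) replay the page's db_backup scenario on a scratch directory.
# The transcript below is constructed: it is what getfacl would print for
# the page's db_backup after `chmod 750 db_backup/` rewrote the mask to r-x.
set -u

SAMPLE_ACL='# file: db_backup/
# owner: root
# group: root
user::rwx
user:dev:rw-
group::rwx
group:javagroup:rwx
mask::r-x
other::---
default:user::rwx
default:user:dev:rwx
default:group::r-x
default:mask::r-x
default:other::---'

# effective_acl: reads getfacl output on stdin and prints each entry with its
# effective permission. Named users, named groups and the owning group are
# ANDed with the mask of their scope (access or default); the owner entry
# (user::) and other:: are never masked.
effective_acl() {
    awk -F: '
        function and_perm(p, m,    i, out) {
            out = ""
            for (i = 1; i <= 3; i++)
                out = out (substr(p, i, 1) != "-" && substr(m, i, 1) != "-" ? substr(p, i, 1) : "-")
            return out
        }
        /^#/ || NF == 0 { next }              # "# file:" headers and blank lines
        { sub(/[ \t]+#.*$/, "") }             # strip a "#effective:" annotation if present
        { scope = ""; if ($1 == "default") { scope = "default:"; sub(/^default:/, "") } }
        $1 == "mask" { mask[scope] = $3 }
        { n++; sc[n] = scope; tag[n] = $1; name[n] = $2; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                e = perm[i]
                m = mask[sc[i]]
                if (m != "" && ((tag[i] == "user" && name[i] != "") || tag[i] == "group"))
                    e = and_perm(perm[i], m)
                printf "%s%s:%s:%s\n", sc[i], tag[i], name[i], e
            }
        }'
}

# live_acl_demo: the same scenario on a temporary directory. Skipped when
# setfacl is not installed or the filesystem rejects ACLs. Uses the numeric
# uid 65534 (conventionally "nobody") so no particular account must exist.
live_acl_demo() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed; skipping live demo"; return 0; }
    dir=$(mktemp -d)
    if ! setfacl -m u:65534:rw- "$dir" 2>/dev/null || ! setfacl -d -m u:65534:rw- "$dir" 2>/dev/null; then
        echo "no ACL support under $dir; skipping live demo"
        rm -rf "$dir"
        return 0
    fi
    mkdir "$dir/project1"               # inherits the default entry for uid 65534
    ls -ld "$dir" "$dir/project1"       # the trailing "+" marks an extended ACL
    chmod 750 "$dir"                    # rewrites the access mask to r-x ...
    getfacl -c "$dir" | effective_acl   # ... so uid 65534 is cut to r-- in the access ACL
    rm -rf "$dir"
}

printf '%s\n' "$SAMPLE_ACL" | effective_acl
live_acl_demo
```

Running the constructed transcript through effective_acl prints user:dev:r-- and group:javagroup:r-x even though both entries still say rw- and rwx: that is the mask at work, and it is the reason a chmod on a directory with ACLs should always be followed by getfacl. Because chmod 750 also left other::---, users outside the ACL get nothing, which is the restrictive starting point recommended above instead of 777.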

