2. 2
SHORTCOMINGS OF LINUX PERMISSIONS:-
1) FILES & DIRECTORIES CAN ONLY BELONG TO ONE USER
FILES & DIRECTORIES CAN ONLY BELONG TO ONE GROUP
2) inheritance only supports group ownership & not permissions
3) a child file/directory can inherit the parent directory's group owner but not its permissions
4) no easy way to backup and restore permissions
3. 3
UMASK
DEFAULT PERMISSIONS
can be seen via the command umask
UMASK VALUE DIFFERENT FOR DIFFERENT USERS
Maximum initial permissions:-
777 - Directories
666 - Files
4. 4
SUID:-
RUNS AS THE ROOT USER
s ===> execute permission is set
S ===> execute permission is not set
finding suid:- sudo find / -perm -4000
suid - 4
ex:- chmod u+s /bin/su
5. 5
SGID
sgid bits on directories represent only inheritance in standard linux permissions & ownership
all files and directories created inside sgid dir will inherit group owner
sgid - 2
sgid runs as the group owner
chmod 2755 /usr/bin/screen
chmod g+s /usr/bin/screen
finding SGID:-
sudo find / -perm -2000
Finding both suid & sgid:-
find / \( -perm -4000 -o -perm -2000 \) -perm -1 -type f
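The searches above, turned into a repeatable check (an added example, not part of the original slides): it lists SUID/SGID files with their symbolic mode so s and S are visible, and reports entries that are missing from a saved baseline. The function names and the temporary sample tree are constructed for illustration; `stat -c` assumes GNU coreutils or BusyBox.

```sh
#!/bin/sh
# Added example: inventory SUID/SGID files and compare with a baseline.

# Print "symbolic-mode octal-mode owner:group path" for each SUID or SGID
# regular file under $1 (default /). -xdev keeps find on one filesystem.
suid_sgid_inventory() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%A %a %U:%G %n' {} + 2>/dev/null | sort -k4
}

# Print inventory lines for $1 that are missing from baseline file $2,
# i.e. SUID/SGID files that appeared or changed mode/owner since the baseline.
new_since_baseline() {
    suid_sgid_inventory "$1" | grep -Fxv -f "$2" || true
}

# Constructed sample tree (not from the slides): one file per case.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    for f in suid_exec sgid_exec suid_noexec plain; do : > "$d/$f"; done
    chmod 4755 "$d/suid_exec"     # rws in the user triad: SUID with execute
    chmod 2755 "$d/sgid_exec"     # r-s in the group triad: SGID with execute
    chmod 4644 "$d/suid_noexec"   # rwS in the user triad: SUID without execute
    chmod 0755 "$d/plain"         # no special bit, must not be listed
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
suid_sgid_inventory "$demo" > "$demo.baseline"   # record the known state
: > "$demo/added_later" && chmod 4755 "$demo/added_later"
echo "New since baseline:"
new_since_baseline "$demo" "$demo.baseline"
rm -rf "$demo" "$demo.baseline"
```

Run `suid_sgid_inventory /` with sudo, as the find commands on the slides do, so directories an ordinary user cannot read are covered.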
7. 7
WHY ACLS ?
1) permissions can be set for multiple users and groups
2) user and group permissions can be inherited
3) easy backup and restoring of permissions
4) easy temporary restriction of permissions
8. 8
ACL CONS ?
1) Not always installed
2) not built into linux
3) can be turned off
9. 9
MASK
maximum allowable permissions
for temporarily limiting access - take permissions from mask
squashing user rights without destroying ACLS -use mask
setfacl -m mask::- dir1
setfacl -m mask::rwx dir1
11. 11
DEFAULT ACLS
if you want a user to access a directory - set a regular ACL on it first.
if you want that user to access new (created) files and folders inside it, set a default ACL.
what about copied files ?????
Default ACLS provide inheritance
Ex:- setfacl -d -m user:sally:rwx dir1
12. 12
DELETING ACLS
-x remove specific ACL
-k remove all default ACLS
-b remove all ACLS
EX:- setfacl -x user:root acldirname
setfacl -x default:user:root acldir
setfacl -k acldir (Remove default ACLs)
setfacl -b acldir (Remove all ACLs)