Friday, April 25, 2014

Permission and ACL

Unix file and directories level Permissions

There are three main kinds of permission control in Linux/UNIX (excluding SELinux):

chmod - used to assign the basic read/write/execute permissions to the owner (user), group and others on a file or directory.
ACL - used to assign an extra level of access to specific users or groups, beyond what the owner/group/other model can express.
Special Permissions
    i.)   Sticky Bit
    ii.)  Special group permission - SGID (Set Group ID)
    iii.) SUID (Set User ID)
-----------------------------------------------------------------------------------------

If you run:
# ls -l

-/---/---/---
    U   G   O

The first character is the file type (- for a regular file, d for a directory); the next nine characters are three groups of three:

U - Owner (user) permission
G - Group permission
O - Other users' permission

_____________________________
          Symbolic  Numeric
_____________________________
read         r        4
write        w        2
execute      x        1
_____________________________
                    = 7   (r + w + x)
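The table above maps each symbolic letter to its numeric value. As an added example (not part of the original post), the function below converts the nine-character mode string printed by ls -l into the octal form used by chmod. It goes a little beyond the table: an s or t in an execute slot (the special permissions covered later on this page) is folded into a leading digit, setuid=4, setgid=2, sticky=1, and an uppercase S or T means the special bit is set without the underlying execute bit.

```sh
# Convert a symbolic mode string from `ls -l` (the nine characters after the
# file-type character, e.g. rwxr-xr-x) into octal (e.g. 755).
# Special bits in the execute slots become a leading digit:
#   owner slot s/S -> setuid (4), group slot s/S -> setgid (2), other slot t/T -> sticky (1)
sym_to_octal() {
  sym=$1
  special=0
  digits=""
  triad=0                       # 0=owner, 1=group, 2=other
  while [ "$triad" -le 2 ]; do
    base=$((triad * 3))
    r=$(printf '%s' "$sym" | cut -c$((base + 1)))
    w=$(printf '%s' "$sym" | cut -c$((base + 2)))
    x=$(printf '%s' "$sym" | cut -c$((base + 3)))
    d=0
    [ "$r" = r ] && d=$((d + 4))
    [ "$w" = w ] && d=$((d + 2))
    case $x in x|s|t) d=$((d + 1)) ;; esac    # lowercase s/t: execute bit is also set
    case "$triad$x" in
      0s|0S) special=$((special + 4)) ;;      # setuid
      1s|1S) special=$((special + 2)) ;;      # setgid
      2t|2T) special=$((special + 1)) ;;      # sticky
    esac
    digits="$digits$d"
    triad=$((triad + 1))
  done
  if [ "$special" -ne 0 ]; then
    printf '%s%s\n' "$special" "$digits"
  else
    printf '%s\n' "$digits"
  fi
}

# Example calls (expected values shown in the comments):
sym_to_octal rwxr-xr-x   # 755
sym_to_octal rw-r--r--   # 644
sym_to_octal rwsr-xr-x   # 4755
sym_to_octal rwxrwxrwt   # 1777
```

Feed it the second field of an ls -l line (for example ls -l file | cut -c2-10) to get the octal mode of a real file.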

-----------------------------------------------------------------------------------------
===================================================================
    Maximum Permission of file and directory

Directory -    777   (r=4,w=2,x=1)
File      -    666   (r=4,w=2,x=0 : execute is never granted to a new file by default)
===================================================================
    Default Permission of file and directory [with ROOT]

Directory -    755  
File      -    644  
===================================================================
    Default Permission of file and directory [with local User]

Directory -    775  
File      -    664  
====================================================================
-----------------------------------------------------------------------------------------

UMASK - The umask is a mask that determines the default permissions of newly created directories and files.

To view :

# umask

With Root Value = 0022
With local user = 0002

-----------------------------------------------------------------------------------------

* How to calculate default permission in case of Root

1. Directory :

Max Permission    =  777
Umask Value     = 0022
_______________________
                = 755  Default permission of Directory


2. File      :

Max Permission    =  666
Umask Value     = 0022
_______________________
                = 644  Default permission of File

-------------------------------------------------------------------------------------------


* How to calculate default permission in case of Local user

1. Directory :

Max Permission    =  777
Umask Value     = 0002
_______________________
                = 775  Default permission of Directory


2. File      :

Max Permission    =  666
Umask Value     = 0002
_______________________
                = 664  Default permission of File
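The four calculations above are written as subtraction, which gives the right answer for the umasks 0022 and 0002 because no digit ever borrows. What the kernel actually does is clear the umask bits from the maximum permission (max AND NOT umask), and the two methods diverge for other umasks: a file created under umask 077 gets 600, while 666 - 077 is not a valid mode at all. The following shell functions are an added example (not part of the original post) that compute the default mode both ways so the difference can be seen; the helper names are mine.

```sh
# Default mode of a new file or directory: each octal digit is three bits,
# so the umask digit is cleared bit-wise from the maximum-permission digit.
# Accepts the 4-digit form that `umask` prints (0022) or a 3-digit mask (022).
default_mode() {
  max=$1
  mask=$2
  [ ${#mask} -eq 4 ] && mask=${mask#?}      # drop the leading 0 of 0022 -> 022
  out=""
  i=1
  while [ "$i" -le 3 ]; do
    m=$(printf '%s' "$max" | cut -c"$i")
    u=$(printf '%s' "$mask" | cut -c"$i")
    out="$out$(( m & ~u & 7 ))"             # single digits 0-7, so no octal parsing needed
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Plain arithmetic subtraction, exactly as the worked calculations write it,
# kept only to show where it stops matching the kernel's behaviour.
subtract_mode() {
  m=$(printf '%s' "$2" | sed 's/^0*//')     # strip leading zeros so bash does not read the mask as octal
  printf '%s\n' $(( $1 - ${m:-0} ))
}

# Example calls (expected values shown in the comments):
default_mode 777 0022    # 755  (matches the table for root)
default_mode 666 0002    # 664  (matches the table for a local user)
default_mode 666 077     # 600  (umask 077: private files)
subtract_mode 666 077    # 589  (subtraction gives a meaningless result here)
```

The practical check is simple: run umask, then create an empty file and directory and compare ls -ld output against default_mode 666 and default_mode 777 for that mask.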

-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------

            CHMOD  [Change Mode]

1. Symbolic Method

u- owner
g- group
o- Other
r- read
w- write
x- execute
'+'- add
'-'- remove

Example :

# chmod ugo+rwx dir        // This will assign read, write and execute permissions to owner, group and other users

# chmod go+rw dir          // This will assign read and write permissions to group and other users (g = group, o = other)

# chmod o+r dir            // This will assign read permission to other users

# chmod u+rwx,g+rw,o+r dir // Several classes at once, separated by commas: owner rwx, group rw, other r

To remove :

# chmod ugo-rwx dir        // No space before the '-': "ugo -rwx" would be read as two separate arguments

# chmod go-rw dir

# chmod o-r dir

# chmod u-rwx,g-rw,o-r dir


2. Numeric Method

# chmod 744 dir            // Owner = 7 (r=4,w=2,x=1); group = 4 (r=4); other = 4 (r=4)

# chmod 511 dir            // Owner = 5 (r=4,x=1); group = 1 (x=1); other = 1 (x=1): others can enter the directory but not list it

-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------

            ACL [Access Control List]

# mkdir /tmp/test
# groupadd sales        // Then add the users raj, sumit, hemant and ram to the group, e.g. usermod -aG sales sumit
# chgrp sales /tmp/test
OR
# chown :sales /tmp/test
# chmod 777 /tmp/test

Condition 1 : Give read access to sumit user only to /tmp/test

# setfacl -m u:sumit:r-- /tmp/test        // u: = named user entry (g: is a named group entry)
To check,
# getfacl /tmp/test

Condition 2 : Give read,write access to all sales group users to /tmp/test

# setfacl -m g:sales:rw- /tmp/test
To check,
# getfacl /tmp/test

Condition 3 : Remove all permission for all sales group users to /tmp/test

# setfacl -m g:sales:--- /tmp/test        // Keeps the entry but grants nothing; setfacl -x g:sales /tmp/test deletes the entry instead
To check,
# getfacl /tmp/test
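One thing to remember when checking with getfacl: every named user and named group entry is limited by the mask entry. setfacl recalculates the mask when it adds an entry, but a later chmod on the group bits of the file changes the mask rather than the group entry, so an entry can show rw- while only r-- is in effect (getfacl prints #effective: next to such lines). As an added example (not part of the original post), the function below reads getfacl output and prints each named entry with the permission that is actually in effect. The input is a constructed sample, not output captured from a real system, and SAMPLE_ACL and effective_acl are names of mine.

```sh
# Constructed sample of getfacl output for a directory owned by root, group
# sales, after the two setfacl commands above and a later chmod g-w that
# narrowed the mask to r-x.
SAMPLE_ACL='# file: tmp/test
# owner: root
# group: sales
user::rwx
user:sumit:r--
group::rwx
group:sales:rw-
mask::r-x
other::rwx'

# Read getfacl output on stdin; for each named user/group entry, intersect
# its permissions with the mask and print the effective result.
effective_acl() {
  awk -F: '
    /^mask::/ { mask = $3 }
    /^(user|group):[^:]+:/ { entries[n++] = $0 }   # named entries only; user::/group:: are the owner and owning group
    END {
      for (i = 0; i < n; i++) {
        split(entries[i], f, ":")
        perm = f[3]
        eff = ""
        for (j = 1; j <= 3; j++) {
          p = substr(perm, j, 1)
          m = substr(mask, j, 1)
          eff = eff ((p == m && p != "-") ? p : "-")
        }
        printf "%s effective:%s%s\n", entries[i], eff, (eff == perm ? "" : " (capped by mask)")
      }
    }'
}

# Example run (expected output in the comments):
printf '%s\n' "$SAMPLE_ACL" | effective_acl
# user:sumit:r-- effective:r--
# group:sales:rw- effective:r-- (capped by mask)
```

On a real system replace the sample with getfacl /tmp/test | effective_acl; an entry flagged as capped is the sign that chmod has narrowed the mask and setfacl -m m::rwx (or re-applying the entry) is needed to restore the intended access.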

-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------

            Special Permissions

1.    Sticky Bit

# chmod 1777 /tmp/test            // 1 = sticky bit; 777 = full permission for owner, group and other users

However, with the sticky bit set on the directory, other users still cannot delete or rename files in it that they do not own, even though they have full access to the directory; only the file's owner, the directory's owner or root can. This is why /tmp itself is 1777.

2.    Group Permissions

Condition : Any file created within /tmp/test should get the group sales by default  [sumit is already in the sales group]

# chmod 2777 /tmp/test            // 2 = set-group-ID bit: new files and subdirectories inherit the directory's group (sales)
OR
# chmod g+s /tmp/test

3.    SUID (Set User ID)

# chmod 4777 /tmp/test            // 4 = set-user-ID bit (the page's earlier 2777 is SGID); on an executable file it runs with the file owner's privileges, so it needs reviewing on any file owned by root

-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------
