
Advanced File Permissions (SUID, SGID, sticky bit, chattr)

SUID ( setuid ) :-
If the SUID bit is set on an executable file and a user runs it, the resulting process has the same rights as the owner of the file, not the rights of the user who started it.

For example, the passwd command has the SUID bit enabled. When a normal user changes their password, passwd updates system files such as /etc/passwd and /etc/shadow, which a non-root account cannot write. Because of the SUID bit, the passwd process always runs with root's rights.
-----------------------------------
[root@machine2 ~]# ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 30768 Feb 17  2012 /usr/bin/passwd
-----------------------------------

[root@machine2 ~]# touch sample.txt
[root@machine2 ~]# ls -l sample.txt
-rw-r--r--. 1 root root 0 Feb  8 17:14 sample.txt
[root@machine2 ~]# chmod 4655 sample.txt
[root@machine2 ~]# ls -l sample.txt
-rwSr-xr-x. 1 root root 0 Feb  8 17:14 sample.txt

-----------------------------------------------
SGID ( setgid ) :-

SGID works like SUID, but for the group: the process gets the group rights of the file being executed. If the SGID bit is set on a directory, every file and subdirectory created inside it gets the same group ownership as that directory, no matter who creates it.

[root@machine2 ~]# mkdir /test-sgid
[root@machine2 ~]# cd /test-sgid/
[root@machine2 test-sgid]# touch one
[root@machine2 test-sgid]# chmod g+s /test-sgid/
[root@machine2 test-sgid]# ls -l /test-sgid/
-rw-r--r--. 1 root root 0 Feb  8 16:47 one

[root@machine2 test-sgid]# ls -l / | grep  test
drwxr-sr-x.   2 root root  4096 Feb  8 16:47 test-sgid

[root@machine2 test-sgid]# chmod 777 /test-sgid/
[root@machine2 test-sgid]# su jack
[jack@machine2 test-sgid]$ touch two
[jack@machine2 test-sgid]$ ls -l
-rw-r--r--. 1 root root 0 Feb  8 16:47 one
-rw-rw-r--. 1 jack root 0 Feb  8 16:50 two

-------------------------------------------------------------
Sticky Bit :-

The sticky bit is a special permission for files and directories. A directory with the sticky bit set restricts deletion of the files inside it: a file can be removed only by root, by the owner of the file, or by someone who has write permission on it. This is useful for publicly accessible directories such as /tmp.

[root@machine2 ~]# touch stickfile
[root@machine2 ~]# ls -l | grep stickfile
-rw-r--r--. 1 root root                  0 Feb  8 17:23 stickfile

[root@machine2 ~]# chmod +t stickfile
[root@machine2 ~]# ls -l | grep stickfile
-rw-r--r-T. 1 root root                  0 Feb  8 17:23 stickfile

[root@machine2 ~]# chmod 777 stickfile

[root@machine2 ~]# su jack
[jack@machine2 root]$ rm -rf stickfile
rm: cannot remove `stickfile': Permission denied
----------------------------------------------------
[root@machine2 ~]# touch stickfile2
[root@machine2 ~]# ls -l | grep stickfile2
-rw-r--r--. 1 root root                  0 Feb  8 17:24 stickfile2

[root@machine2 ~]# chmod 1777 stickfile2
[root@machine2 ~]# ls -l | grep stickfile2
-rwxrwxrwt. 1 root root                  0 Feb  8 17:24 stickfile2

[jack@machine2 root]$ rm -rf stickfile2
rm: cannot remove `stickfile2': Permission denied

In the output above, the sticky bit shows up as t or T in the permissions field: lowercase t means the execute permission for others is also set, uppercase T means it is not.
---------------------------------
[root@machine2 ~]# mkdir stickfiledirectory
[root@machine2 ~]# touch stickfiledirectory/today
[root@machine2 ~]# chmod +t stickfiledirectory/

drwxr-xr-t. 2 root root               4096 Feb  8 17:42 stickfiledirectory

[root@machine2 ~]# cd stickfiledirectory/
[jack@machine2 stickfiledirectory]$ rm -rf today
rm: cannot remove `today': Permission denied

[root@machine2 stickfiledirectory]# chmod 777 today
[root@machine2 stickfiledirectory]# su jack
[jack@machine2 stickfiledirectory]$ rm -rf today
rm: cannot remove `today': Permission denied
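
As an added example (not from the original post), the script below decodes the s/S/t/T letters shown in the sessions above and lists every file under a directory that carries a special bit. Setuid and setgid binaries are the ones a defender should keep an inventory of, since each runs with its owner's or group's rights for whoever executes it; diffing this report against a known-good baseline catches new ones. It assumes a POSIX shell with the standard find, ls, cut and sort. One caveat the sessions do not spell out: on Linux the sticky bit is only meaningful on a directory, where it restricts unlinking of files to the file's owner, the directory's owner, or root. In the sessions above, jack's rm attempts fail because jack has no write permission on the containing directory (/root, and stickfiledirectory, which is drwxr-xr-t), which blocks deletion whether or not the bit is set.

```shell
#!/bin/sh
# Added example, not part of the original post: decode the special bits from
# an `ls -l` mode string and report every file under a directory that has the
# setuid, setgid or sticky bit set. Assumes POSIX sh, find, ls, cut and sort.

# explain_mode MODESTRING
# Takes the 10-character mode field from `ls -l` (an 11th SELinux/ACL marker
# such as "." or "+" is ignored) and prints which special bits are set.
# s/t mean the bit plus the execute bit; S/T mean the bit without execute.
explain_mode() {
    m=${1%[.+]}
    out=""
    case "$m" in
        ???s??????) out="$out setuid(owner x set)" ;;
        ???S??????) out="$out setuid(owner x NOT set)" ;;
    esac
    case "$m" in
        ??????s???) out="$out setgid(group x set)" ;;
        ??????S???) out="$out setgid(group x NOT set)" ;;
    esac
    case "$m" in
        ?????????t) out="$out sticky(other x set)" ;;
        ?????????T) out="$out sticky(other x NOT set)" ;;
    esac
    out=${out# }
    printf '%s\n' "${out:-none}"
}

# special_bits_report DIR
# Lists, in sorted order, each file or directory under DIR that carries a
# special bit, followed by the decoded explanation. find's "-perm -4000"
# form matches "at least these bits", so other permission bits are ignored.
special_bits_report() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -print | sort |
    while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -c1-10)
        printf '%s  %s\n' "$f" "$(explain_mode "$mode")"
    done
}

# Stand-alone run: audit /usr/bin (reading modes needs no root).
if [ "${1:-}" = "--demo" ]; then
    special_bits_report /usr/bin
fi
```

Run it as `sh special_bits.sh --demo` (assumed file name) and compare the output with the report from a fresh install of the same distribution; any setuid entry that is not in the baseline deserves a look.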

========================================================================

chattr (Change Attribute) is a Linux command-line utility that sets or clears attributes on a file in order to protect important files and directories from accidental deletion or modification, even by the root user.

The Linux native filesystems (ext2, ext3, ext4, btrfs, etc.) support all of the flags; non-native filesystems may not support every flag. Once an attribute has been set with chattr, the file or directory cannot be deleted or modified, even by a user who has full permissions on it.

This is especially useful for system files such as /etc/passwd and /etc/shadow, which hold the users' account information.

# chattr [operator] [flags] [filename]

Attributes and Flags

The following are the common attributes and their flags that can be set or cleared with the chattr command.

A : a file with the 'A' attribute does not have its atime record updated when it is accessed.
S : when a file with the 'S' attribute is modified, the changes are written synchronously to disk.
a : a file with the 'a' attribute can only be opened in append mode for writing.
i : a file with the 'i' attribute cannot be modified (immutable): no renaming, no symbolic link creation, no execution, no writing; only the superuser can clear the attribute.
j : for a file with the 'j' attribute, all of its data is written to the ext3 journal before being written to the file itself.
t : a file with the 't' attribute has no tail-merging.
d : a file with the 'd' attribute is not a candidate for backup when the dump process is run.
u : when a file with the 'u' attribute is deleted, its data is saved, so the user can ask for it to be undeleted.

Operator
+ : Adds the attribute to the existing attributes of the files.
- : Removes the attribute from the existing attributes of the files.
= : Keeps the existing attributes that the files have.

1. How to add attributes on files to secure from deletion

For demonstration purposes, we use the file myfile and the directory mydir. Before setting any attributes, verify whether the existing files already have attributes set; in the session below, none are set yet.

[root@machine1 ~]# touch myfile
[root@machine1 ~]# mkdir mydir
[root@machine1 ~]# ls -lh |grep my
drwxr-xr-x. 2 root root 4.0K Jan 28 02:30 mydir
-rw-r--r--. 1 root root    0 Jan 28 02:29 myfile

[root@machine1 ~]# chattr +i myfile
[root@machine1 ~]# chattr +i mydir/
[root@machine1 ~]# ls -lh |grep my
drwxr-xr-x. 2 root root 4.0K Jan 28 02:30 mydir
-rw-r--r--. 1 root root    0 Jan 28 02:29 myfile

[root@machine1 ~]# lsattr | grep my
----i--------e- ./myfile
----i--------e- ./mydir
[root@machine1 ~]# rm -rf myfile
rm: cannot remove `myfile': Operation not permitted
[root@machine1 ~]# rm -rf mydir/
rm: cannot remove `mydir': Operation not permitted
[root@machine1 ~]# chmod 755 myfile
chmod: changing permissions of `myfile': Operation not permitted

[root@machine1 ~]# chattr -i myfile mydir/

Append data without modifying existing data in a file

[root@machine1 ~]# chattr +a myfile

With the 'a' attribute set, data can be appended to myfile, but its existing content cannot be changed or truncated; chattr -a myfile clears the attribute again.
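
Note that ls -l never shows these attributes; only lsattr does, so a check against lsattr output is what confirms that +i or +a actually took effect. The script below is an added example, not from the original post: it parses lsattr's "<flags> <path>" lines and reports which files are missing an expected flag. The sample lines are constructed to match the layout of the lsattr output above; they are not real output from any host.

```shell
#!/bin/sh
# Added example, not part of the original post: parse lsattr output and flag
# files that lack an expected attribute. Assumes POSIX sh only; the sample
# lines below are constructed to mimic lsattr's "<flags> <path>" layout.

# attr_flags LINE: the attribute field of one lsattr line, e.g. ----i--------e-
attr_flags() {
    printf '%s\n' "${1%% *}"
}

# has_attr LINE CHAR: succeed (exit 0) if the line's flag field contains CHAR.
# Only the flag field is searched, so a path containing "i" does not match.
has_attr() {
    case "$(attr_flags "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_attrs CHAR: read lsattr lines on stdin and print one line per file,
# "OK <path>" when flag CHAR is present and "MISSING <path>" when it is not.
audit_attrs() {
    want=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line#* }
        if has_attr "$line" "$want"; then
            printf 'OK %s\n' "$path"
        else
            printf 'MISSING %s\n' "$path"
        fi
    done
}

# Constructed sample: /etc/passwd immutable, /etc/shadow append-only,
# ./myfile with no attributes ("e" is only the ext4 extents marker).
SAMPLE_LSATTR='----i--------e- /etc/passwd
-----a-------e- /etc/shadow
--------------- ./myfile'

# Stand-alone run: which of the sample files are immutable?
printf '%s\n' "$SAMPLE_LSATTR" | audit_attrs i
```

On a live host the same check reads real output, for example `lsattr /etc/passwd /etc/shadow | audit_attrs i`; a MISSING line for a file that was protected earlier means someone with root cleared the attribute, which is worth an alert on its own.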

