In-depth analysis of file permissions and ACLs in Linux

Source: Internet
Author: User
Tags: chmod, create directory, mkdir, parent directory, socket, file permissions, least privilege


Linux file and directory permissions are controlled by two mechanisms: the standard Linux file permission bits and access control lists (ACLs). Standard file permissions meet most needs, but they have one limitation: access can only be restricted by the file owner, a single group, and everyone else; you cannot grant a specific additional user its own set of permissions. This article introduces the common file permissions and ACL permissions in turn.



I. Standard file permissions



Standard file permissions are represented by 10 characters, as shown in the following figure:






The first character represents the file type; its possible values are: - (regular file), d (directory), b (block device), l (symbolic link), c (character device, such as a serial port) and s (socket).



Characters 2 to 4 indicate the permissions of the file's owner.



Characters 5 to 7 indicate the permissions of the file's group.



Characters 8 to 10 indicate the permissions of all other users and groups.



1. rwx permission set



Each three-character group of a file or directory uses rwx to represent the corresponding permissions, where r has the value 4, w the value 2 and x the value 1; chmod is used to change the permissions of a file or directory. Permissions can be written in two ways:



Numeric notation, such as
# chmod 777 file1
Symbolic notation, such as
# chmod a+x file1



2. umask



The default umask value set in the /etc/profile file is 022, which determines the default permissions of newly created files and directories:



The default permissions of a directory are: 777 - umask
The default permissions of a file are: 666 - umask
So when umask is 022, directories are created with permissions 755 by default and files with 644.



3. Special permissions



In addition to the rwx permissions above, the system has three special permission bits, s, s and t (the SUID, SGID and sticky bits), described below:






These three special permissions can also be expressed in letters and numbers, as follows:



Set SUID: $ chmod u+s test
Set SGID: $ chmod g+s test
Set sticky: $ chmod o+t test
SUID: 4
SGID: 2
Sticky: 1
Special permission bits are used in a few special cases, for example the passwd command: without the s (SUID) bit, ordinary users could not use passwd to change their own passwords.



[root@361way etc]# ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root 27832 June 2014 /usr/bin/passwd
Here is an example that adds the s, s and t permissions:



[root@361way tmp]# touch test
[root@361way tmp]# ll test
-rw-r--r--. 1 root 0 Aug 5 01:03 test
[root@361way tmp]# chmod 7777 test
[root@361way tmp]# ll test
-rwsrwsrwt. 1 root 0 Aug 5 01:03 test
[root@361way tmp]# su - usera
[usera@361way ~]$ cd /tmp/
[usera@361way tmp]$ echo 'www.361way.com' > test
[usera@361way tmp]$ cat test
www.361way.com
[usera@361way tmp]$ rm -rf test
rm: cannot remove test: Operation not permitted
In the example above, because the t (sticky) permission was added, the normal user usera can write to and modify the file but cannot delete it.



Note:



1. Note that special permission bits are a double-edged sword: many trojans also make use of the s bit, so when hunting for trojans on a host we often search for all files with mode 4777 and 6777;



2. If the corresponding execute bit (x) is set, the special flags (SUID, SGID, sticky) are shown as lowercase letters (s, s, t); otherwise they are shown as uppercase letters (S, S, T).



3. There is also a capital X permission, which is covered again in the ACL section below.
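As an added example (not part of the original article), the following Python helper decodes an ls -l mode string, including the s/S and t/T cases of note 2, and computes the default creation mode for a umask with a bitwise operation instead of the decimal "777 - umask" shortcut, which only gives the right answer when no umask digit exceeds the corresponding base digit (compare umask 027). The function and constant names are this example's own.

```python
# Added example (not from the original article): decodes ls -l mode strings and umask defaults.
PERM_VALUES = {"r": 4, "w": 2, "x": 1}
SPECIAL_BITS = (0o4000, 0o2000, 0o1000)   # SUID, SGID, sticky live in the owner, group, other triplets

def mode_to_octal(mode):
    """'-rwsr-xr-x.' -> 0o4755. The leading file-type character and a trailing '.'/'+' are ignored."""
    if len(mode) < 10:
        raise ValueError("expected at least 10 characters, e.g. '-rwsr-xr-x'")
    perms, result = mode[1:10], 0
    for i in range(3):
        triplet = perms[3 * i:3 * i + 3]
        bits = sum(v for c, v in PERM_VALUES.items() if c in triplet)
        # lowercase s/t: special bit plus x; uppercase S/T: special bit without x (note 2)
        if triplet[2] in "sStT":
            result |= SPECIAL_BITS[i]
            if triplet[2] in "st":
                bits |= 1
        result |= bits << (6 - 3 * i)
    return result

def default_mode(umask, is_dir):
    """Mode of a new directory (base 0777) or file (base 0666) under the given umask."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask & 0o777

def is_setuid_world_writable(mode):
    """True for the 4777/6777-style modes the article says to search for when hunting trojans."""
    return bool(mode & 0o6000) and bool(mode & 0o002)
```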



II. ACL



1. Enabling ACLs



Under RHEL 7, the XFS and ext4 file systems support ACLs by default (ext4 already did by default in RHEL 6), and the fstab entries integrate ACL support; but on some older distributions, the acl option must be specified when mounting the file system, for example:



# mount -t ext3 -o remount,acl /home
or
# mount -o acl /dev/sdb /data
2. ACL settings and commands



On an ACL-enabled file system the permission field has an 11th character (counting the leading file-type character as the first); a file that has an ACL set shows a plus sign in that 11th position. The specific permissions can be obtained with getfacl:



[root@361way acl]# ll
total 4
-rw-rwxr--+ 1 root 5 Aug 4 21:08 a
[root@361way acl]# getfacl a
# file: a
# owner: root
# group: root
user::rw-
user:mysql:rwx
group::r--
mask::rwx
other::r--
There are three ACL-related commands: getfacl (get ACL information), setfacl (set ACL permissions) and chacl (change ACL permissions). The one usually used is setfacl; its commonly used parameters are:



-m: set ACL entries on a file or directory
-M: read ACL entries from a file
-x: remove ACL entries
-X: read ACL entries from a file and remove them
-b: remove all extended ACL entries, keeping the base entries
-k: remove the default ACL; if no default ACL exists, no warning is issued
-R: apply recursively, including subdirectories
-d: operate on the default ACL
--mask: recalculate the effective rights mask, even if an ACL mask entry was explicitly given
--no-mask: do not recalculate the effective rights mask
The setfacl command recognizes rules in the following formats:



[d[efault]:] u[ser]:uid [:perms]  permissions of the named user, or of the file owner if uid is omitted
[d[efault]:] g[roup]:gid [:perms]  permissions of the named group, or of the owning group if gid is omitted
[d[efault]:] m[ask][:] [:perms]  the effective rights mask
[d[efault]:] o[ther] [:perms]  permissions of others
Let's look at some specific examples and usages.



3. -m: setting permissions



When a rule is set with -m and the file already has an ACL entry for that user or group, the earlier entry's permissions are overwritten by the -m setting.



[root@localhost acl]# setfacl -m u:user1:rw a
[root@localhost acl]# getfacl a
# file: a
# owner: root
# group: root
user::rw-
user:user1:rw-
group::r--
mask::rw-
other::r--
The setting above is the simplest one; we can also specify several rules at once, much like the chmod command:



[root@localhost acl]# setfacl -m u:user1:rw,g:test:rx file1
Note: although this gives user1 read and write permission on file a, user1 can read and write the file but cannot delete it; to delete the file, its owner root has to do so.



[user1@localhost acl]$ rm -rf a
rm: cannot remove 'a': Permission denied
4. Default permissions



The "default" here is the d: prefix placed before the u, g, m and o rules. Such a rule applies only to directories and cannot be set on a file:



[root@localhost acl]# setfacl -m d:u:user1:rw file1
setfacl: file1: Only directories can have default ACLs
Setting a default ACL on a directory does not give read/write access to the files and subdirectories that already exist in it; only objects created in the directory after the default ACL is set receive the corresponding permissions.


[root@localhost ~]# setfacl -m d:u:user1:rwx acl/
# directories and files that existed before are unaffected
[root@localhost /]# su - user1
[user1@localhost acl]$ ll
-rw-r--r--. 1 root root 0 Aug 4 23:08 filea
drwxr-xr-x. 2 root root 6 Aug 4 22:59 dir1
[user1@localhost acl]$ touch file1
touch: cannot touch 'file1': Permission denied
[user1@localhost acl]$ mkdir dir2
mkdir: cannot create directory 'dir2': Permission denied
[user1@localhost acl]$ cd dir1/
[user1@localhost dir1]$ ll
total 0
[user1@localhost dir1]$ touch file1
touch: cannot touch 'file1': Permission denied
[user1@localhost acl]$ echo 'aaa' > filea
-bash: filea: Permission denied
# a newly created subdirectory does get the permissions
[root@localhost acl]# mkdir dir2
[root@localhost acl]# su - user1
[user1@localhost ~]$ cd /acl/
[user1@localhost acl]$ ll
total 4
drwxr-xr-x. 2 root root 6 Aug 4 22:59 dir1
drwxrwxr-x+ 2 root 6 Aug 4 23:04 dir2
[user1@localhost acl]$ cd dir2/
[user1@localhost dir2]$ touch file1
[user1@localhost dir2]$ ll
total 4
-rw-rw-r--+ 1 user1 user1 0 Aug 4 23:04 file1
5. mask


When you view the permissions of a file or directory with getfacl, you will notice a mask entry alongside user, group and other, and setfacl also has --mask and --no-mask parameters; the brief explanation in the man page is not easy to follow, so consider the following experiment:


[root@localhost /]# cd acl/
[root@localhost acl]# touch file-mask
[root@localhost acl]# setfacl -m u:user1:rwx file-mask
[root@localhost acl]# getfacl file-mask
# file: file-mask
# owner: root
# group: root
user::rw-
user:user1:rwx
group::r--
mask::rwx
other::r--
[root@localhost acl]# setfacl -m m:r file-mask
[root@localhost acl]# getfacl file-mask
# file: file-mask
# owner: root
# group: root
user::rw-
user:user1:rwx          #effective:r--
group::r--
mask::r--
other::r--
[root@localhost acl]# su - user1
Last login: Tue Aug 4 23:09:06 CST 2015 on pts/0
[user1@localhost ~]$ cd /acl/
[user1@localhost acl]$ echo 'test' > file-mask
-bash: file-mask: Permission denied
When you set ACL permissions for a user, besides the user:name:perms entry you also see a mask entry. The permissions the user actually has are those shown after #effective, that is, the intersection of the user's entry and the mask (the lesser of the two, in the spirit of least privilege). This is a little roundabout: whenever an entry shows an #effective field when you view it, the user's real permission is the value that follows that field.
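The two rules shown by the experiments above (the mask as an upper bound on named-user and group entries, and the default ACL inheritance of section 4, where touch produced -rw-rw-r--+ and mkdir produced drwxrwxr-x+) can be checked offline with the following Python script. It is an added example, not code from the original article; the getfacl text it parses is constructed to match the article's scenario, and the function names are this example's own.

```python
# Added example (not from the original article); see lead-in for the acl(5) rules it applies.
PERM_VALUES = {"r": 4, "w": 2, "x": 1}

def to_bits(perms):
    return sum(v for c, v in PERM_VALUES.items() if c in perms)

def to_perms(bits):
    return "".join(c if bits & v else "-" for c, v in PERM_VALUES.items())

def parse_getfacl(text):
    """Return (access_entries, default_entries); each entry is (tag, qualifier, bits)."""
    access, default = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drops '# file:' headers and '#effective:' notes
        if line:
            tag, qual, perms = line.split(":")[-3:]
            (default if line.startswith("default:") else access).append((tag, qual, to_bits(perms)))
    return access, default

def effective_perms(access):
    """{'user:user1': 'r--', ...}: named users and every group entry are limited by the mask."""
    mask = next((b for t, _, b in access if t == "mask"), None)
    out = {}
    for tag, qual, bits in access:
        masked = mask is not None and (tag == "group" or (tag == "user" and qual != ""))
        out[f"{tag}:{qual}"] = to_perms(bits & mask if masked else bits)
    return out

def new_object_acl(default, mode):
    """Access ACL of an object created with open/mkdir `mode` in a directory that has a default ACL."""
    has_mask = any(t == "mask" for t, _, _ in default)
    limits = {("user", ""): (mode >> 6) & 7, ("other", ""): mode & 7,
              ("mask", "") if has_mask else ("group", ""): (mode >> 3) & 7}
    return [(t, q, b & limits.get((t, q), 7)) for t, q, b in default]

def ls_mode(access, is_dir=False):
    """Mode column as ls -l prints it from the access ACL: group field shows the mask, '+' marks an extended ACL."""
    by = {(t, q): b for t, q, b in access}
    group_field = by.get(("mask", ""), by[("group", "")])
    plus = "+" if len(access) > 3 else ""
    return (("d" if is_dir else "-") + to_perms(by[("user", "")])
            + to_perms(group_field) + to_perms(by[("other", "")]) + plus)

# Constructed sample: getfacl output for /acl after `setfacl -m d:u:user1:rwx acl/` (section 4).
PARENT_ACL = """\
# file: acl
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:user1:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""
```

Because the default ACL carries a mask, the umask is not applied to new objects: touch's 0666 trims the owner and mask entries to rw- and other to r--, which is exactly the -rw-rw-r--+ seen in section 4.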


6. -R: recursion



With the -R parameter, setfacl works like chmod -R and chown -R: the rule is applied to every file and directory under the given directory, recursively.



[root@localhost /]# cd acl/
[root@localhost acl]# ll
total 0
[root@localhost acl]# mkdir dir1
[root@localhost acl]# touch file1
[root@localhost /]# setfacl -Rm u:user1:rwx /acl
[root@localhost /]# cd acl/
[root@localhost acl]# ls
dir1 file1
[root@localhost acl]# getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:user1:rwx
group::r--
mask::rwx
other::r--
[root@localhost acl]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rwx
user:user1:rwx
group::r-x
mask::rwx
other::r-x
7. The X permission



Besides the basic rwx permissions, ACLs also accept a capital X, used mainly when setting ACLs recursively: it grants execute permission on directories and on files that already have some execute permission, without adding execute permission to other files. This is the same meaning X has in chmod.



[root@localhost acl]# ll
total 0
drw-------. 2 root root 6 Aug 4 23:51 dir1
-rw-r--r--. 1 root root 0 Aug 4 23:46 file1
-rwxr--r--. 1 root root 0 Aug 4 23:47 file2
[root@localhost /]# setfacl -Rm u:user1:rwX /acl
[root@localhost /]# cd acl/
[root@localhost acl]# getfacl file2
# file: file2
# owner: root
# group: root
user::rwx
user:user1:rwx
group::r--
mask::rwx
other::r--
[root@localhost acl]# getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:user1:rw-
group::r--
mask::rw-
other::r--
[root@localhost acl]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rw-
user:user1:rwx
group::---
mask::rwx
other::---
Above you can see the two files and one directory I created, each given different permissions. After applying the capital X, getfacl shows that if the file's owner had no x permission beforehand, the user1 entry added by the ACL gets no x either; if the owner already had x, user1 gets x too. A directory is different: although the owner root has no x permission on dir1, user1 still receives x.



8. Other



Back up permissions:
# getfacl -R /dir > permacl
Restore permissions from the backup above:
# setfacl --set-file=permacl
# setfacl --restore permacl
Give file b the same ACL as file a (ACL copying):
# getfacl filea | setfacl --set-file=- fileb
The "-" above tells setfacl to read the rules from its standard input, here the standard output of getfacl.
Remove the ACL entries of a user or group:
# setfacl -x u:username,g:groupname file
Remove all ACL entries:
# setfacl -b file
Note: ACL entries travel with a file when it is copied with cp -p or moved with mv, unless the destination mount point does not support ACLs. tar does not record ACLs by default, so unpacked files no longer carry them. star can package files and directories together with their ACLs:



[root@361way acl]# star -Hexustar -zv -acl -c f=file.star.gz *
a file1 0 bytes, 0 tape blocks
a HoHo directory
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
Unpacking:
[root@361way acl]# star -acl -zvx f=file.star.gz
III. chattr, the sticky bit and ACLs



1. chattr and lsattr



chattr relies on support in the Linux kernel. chmod only changes a file's read, write and execute permissions; the lower-level file attributes are changed with chattr. When chattr is used to lock a file, even root cannot operate on it, so it is the strongest form of permission control.



Usage of the chattr command: chattr [-RVf] [-v version] [mode] files ...



The key part is [mode], which is composed of +, -, = and the attribute letters [aAcDdijsStTu]. The ones that matter here are:



+: add the given attributes to those already set.
-: remove the given attributes from those already set.
=: set exactly the given attributes.
A: the atime (access time) of the file or directory is not updated, which avoids needless disk I/O, for example on laptops.
S: synchronous I/O for the file; similar in effect to sync.
a: append only: data can only be appended to the file and cannot be deleted; mostly used to protect server log files. Only root can set this attribute.
c: compressed: the file is stored compressed and automatically decompressed when read.
d: no dump: the file is not a candidate for backup by the dump program.
i: immutable: the file cannot be deleted, renamed or linked to, and no data can be written or appended. The i attribute is a great help for securing the file system.
j: journal: on a file system mounted with data=ordered or data=writeback, writes to the file are first recorded in the journal. If the file system is mounted with data=journal the attribute has no effect.
s: secure deletion: when the file is deleted its disk blocks are zeroed and fully reclaimed.
u: undeletable: the opposite of s; when the file is deleted its data remains on disk so it can be recovered.
a and i are the most commonly used of these options. The a option enforces append-only behaviour, which suits log files and adds security. i is a stricter setting: only the superuser (root) or a process with the CAP_LINUX_IMMUTABLE capability can set or clear it.



Example:



[root@361way tmp]# chattr +i passwd
[root@361way tmp]# lsattr passwd
----i--------e- passwd
[root@361way tmp]# echo 'aaa' >> passwd
-bash: passwd: Permission denied
[root@361way tmp]# chattr -i passwd
[root@361way tmp]# lsattr passwd
-------------e- passwd
[root@361way tmp]# echo 'aaa' >> passwd
Operating on the file with mv /etc/passwd or similar commands likewise results in "Operation not permitted". vim shows the error "W10: Warning: Changing a readonly file" when editing the file. To modify the file, remove the i attribute first: chattr -i /etc/passwd.



[root@361way tmp]# touch test.log
[root@361way tmp]# chattr +a test.log
[root@361way tmp]# echo 'www.361way' >> test.log
[root@361way tmp]# echo 'www.361way' > test.log
-bash: test.log: Operation not permitted
[root@361way tmp]# echo 'test' >> test.log
[root@361way tmp]# rm -rf test.log
rm: cannot remove 'test.log': Operation not permitted
[root@361way tmp]# lsattr test.log
-----a-------e- test.log
Note: chattr attributes improve system security, but they do not suit every directory; chattr cannot protect the /dev, /tmp and /var directories.



2. Summary: chattr, the sticky bit and ACLs



The sticky bit, ACLs and chattr discussed above can all protect files or directories from being deleted. The differences are:



1. The sticky bit (t) is set for owner, group and other like the standard permissions; once set, other users cannot delete the file, but the root user and the owner can still delete it normally. Since it belongs to the standard permission set, it is rather limited;



2. An ACL can give each user its own individual set of permissions, so the permission set is more flexible; in some cases ordinary users cannot delete files in the parent directory, but root and the owner can;



3. chattr is more single-purpose, but its protection is strong: it focuses on attributes rather than permissions, and once set, the file cannot be deleted at all until the attribute is removed.



In general, Linux file and directory permission settings are quite flexible; the three mechanisms each have their strengths, and combining them makes it easy to handle the needs of different scenarios.

