2021-01-18 User and File management(Permission)

  • User identity management

    • UID (User Identification)
    1. The UID of the administrator (root) is 0
    2. System users have UIDs in the range 1~999. For the sake of security, Linux by default gives each service its own system user, which limits the damage an attacker can do after compromising a single service.
    3. Ordinary users have UIDs starting from 1000 and must be created by the administrator
    • Each UID must be unique. Linux also has the GID (Group Identification), which lets similar users be grouped together for easier management.

    When a new user is created, a basic group with the same name as the user is created automatically; this basic group contains only that user. If the user is later added to other groups, those are called "extended groups", which makes shared work or services easier to manage.
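As an added example (not part of the original notes), the following script classifies accounts by the UID ranges described above and flags what an administrator would check in /etc/passwd: extra UID-0 accounts, duplicate UIDs, and system users that still have an interactive login shell. The records are constructed for the example.

```python
# Added example, not from the original notes: audit /etc/passwd-style records
# against the UID conventions (0 = administrator, 1~999 = system, >=1000 = ordinary).
from collections import Counter
from typing import Dict, List

# Constructed sample in /etc/passwd format: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
backup:x:0:0:oops:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
linuxprobe:x:1000:1000::/home/linuxprobe:/bin/bash
test:x:1005:1005::/home/test:/bin/bash
linuxtest:x:1005:8889::/home/linuxtest:/sbin/nologin
"""

# Shells that refuse an interactive login (the notes use /sbin/nologin)
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def classify(uid: int) -> str:
    """Map a UID to the account class described in the notes."""
    if uid == 0:
        return "administrator"
    if 1 <= uid <= 999:
        return "system"
    return "ordinary"


def parse_passwd(text: str) -> List[Dict]:
    """Parse passwd records into dicts; blank lines are ignored."""
    users = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, uid, gid, _, home, shell = line.split(":")
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell, "kind": classify(int(uid))})
    return users


def audit_accounts(users: List[Dict]) -> List[str]:
    """Return one finding per violated rule, in record order."""
    findings = []
    uid_count = Counter(u["uid"] for u in users)
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(f"{u['name']}: UID 0 but not root")
        if u["kind"] == "system" and u["shell"] not in NOLOGIN_SHELLS:
            findings.append(f"{u['name']}: system user with login shell {u['shell']}")
        if uid_count[u["uid"]] > 1:
            findings.append(f"{u['name']}: UID {u['uid']} shared with another account")
    return findings
```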

    • id
      Print real and effective user and group IDs
    [root@linuxprobe userAndFilePermission]# id linuxprobe
    uid=1000(linuxprobe) gid=1000(linuxprobe)        groups=1000(linuxprobe)
    
    • useradd
      create a new user or update default new user information
      The default home directory is created under /home and the default shell interpreter is /bin/bash

    -d home directory (default /home/username)
    -e account expiration date, YYYY-MM-DD
    -u UID to assign
    -g initial group (basic group)
    -G extended groups
    -N don't create a group with the same name as the user
    -s login shell interpreter

    [root@linuxprobe userAndFilePermission]# useradd test
    [root@linuxprobe userAndFilePermission]# id test
    uid=1005(test) gid=1005(test) groups=1005(test)
    
    # useradd with customized options
    [root@linuxprobe userAndFilePermission]# useradd -d   /home/linuxtest -u 8889 -s /sbin/noloing linuxtest
    [root@linuxprobe userAndFilePermission]# id linuxtest
    uid=8889(linuxtest) gid=8889(linuxtest) groups=8889(linuxtest)
    
    [root@linuxprobe userAndFilePermission]# su linuxdown
    su: failed to execute /sbin/noloing: No such file or directory
    # su fails because the shell path given to -s above was misspelt: /sbin/noloing does not exist (it should be /sbin/nologin)
    
    • groupadd
      create a new group

    Adding users to a group is convenient because permissions granted to the group apply automatically to every user in it

    [root@linuxprobe userAndFilePermission]# groupadd xuan
    
    • usermod user modify
      modify a user account

    -c comment for the user
    -d with -m: set a new home directory and move the existing data into it
    -e set the expiration date, YYYY-MM-DD
    -g change the basic group
    -G change the extended groups
    -L lock the account (disable login)
    -U unlock the account (enable login)
    -s change the login shell, e.g. /sbin/nologin
    -u change the UID

    [root@linuxprobe cool]# usermod -G root linxprobe
    [root@linuxprobe cool]# usermod -u 10000 linxprobe
    [root@linuxprobe cool]# id linxprobe
    uid=10000(linxprobe) gid=8889(linxprobe)   groups=8889(linxprobe),0(root)
    [root@linuxprobe cool]# usermod -s /sbin/nologin linxprobe
    [root@linuxprobe cool]# su - linxprobe
    This account is currently not available.
    # once the login shell has been changed to /sbin/nologin, this user can no longer log in to a terminal, but services running under this account still work
    
    • passwd password
      passwd is used to change a user's password.
      An ordinary user can use passwd to change their own password; root can change any user's password

    -l lock the password (disable login)
    -u unlock the password (enable login)
    --stdin read the new password from standard input, e.g. echo "NewPassWord" | passwd --stdin Username
    -d delete the password so the account can log in with an empty password
    -e expire the password, forcing the user to change it at the next login
    -S show the password status: whether login is locked, and the authentication (hash) algorithm in use

    # root user
    [root@linuxprobe cool]# passwd
    Changing password for user root.
    New password: 
    Retype new password: 
    passwd: all authentication tokens updated successfully.  
    
    [root@linuxprobe cool]# passwd -S linxprobe
    linxprobe LK 2021-01-20 0 99999 7 -1 (Password locked.)
    
    # ordinary user
    [linuxprobe@linuxprobe cool]$ passwd
    Changing password for user linuxprobe.
    Current password: 
    New password: 
    Retype new password: 
    passwd: all authentication tokens updated successfully.
    
    # lock and unlock user
    [root@linuxprobe ~]# passwd -l linuxprobe
    Locking password for user linuxprobe.
    passwd: Success
    [root@linuxprobe ~]# passwd -u linuxprobe
    Unlocking password for user linuxprobe.
    passwd: Success
    
    • userdel user delete
      delete an existing user. By default userdel removes the account but keeps the home directory; adding the -r parameter removes it completely

    -f force deletion of the user
    -r delete the user completely, removing the home directory as well

    Normally it is recommended to keep the home directory, since its data may be valuable later

    [root@linuxprobe ~]# userdel linxprobe
    [root@linuxprobe ~]# id linxprobe
    id: ‘linxprobe’: no such user
    
    [root@linuxprobe ~]# cd /home
    [root@linuxprobe home]# tree
    .
    ├── cool
    ├── linuxcool
    ├── linuxprobe
    │   ├── Desktop
    │   ├── Documents
    │   ├── Downloads
    │   ├── Music
    │   ├── Pictures
    │   ├── Public
    │   ├── Templates
    │   ├── test
    │   ├── the job from file rather than standard input.
    │   └── Videos
    └── linxprobe
    13 directories, 1 file
    [root@linuxprobe home]# rm -fR linxprobe/
    
  • File Permission and Ownership

    1. In Linux each file belongs to a particular user and group, and its permissions are read, write, and execute.
    2. r, w, and x are easy to understand for ordinary files, less so for directories; files and directories are handled by a similar but not identical approach in Linux permission management.

    The following content shows the difference between file and directory operations

    (image not preserved)

    The following listing shows each file's permission string in text form, followed by its owner and group

    [root@linuxprobe ~]# ls -la
    total 36
    dr-xr-x---.  5 root root  221 Jan 20 21:16 .
    dr-xr-xr-x. 17 root root  224 Jan  6 22:13 ..
    -rw-------.  1 root root 1403 Jan  6 22:20 anaconda-ks.cfg
    -rw-------.  1 root root  281 Jan 19 01:28 .bash_history
    -rw-r--r--.  1 root root   18 Aug 13  2018 .bash_logout
    -rw-r--r--.  1 root root  176 Aug 13  2018 .bash_profile
    -rw-r--r--.  1 root root  176 Aug 13  2018 .bashrc
    

    Each group of 3 bits represents read, write, and execute for the owner, the group, and others respectively, in either text (rwx) or digital (421) form

    (images not preserved)

    Frequently used file type:
    • Ordinary File(-)
    • Directory(d)
    • LinkFile(l)
    • Pipe(p)
    • Block(b)
    • CharacterDevice(c)
  • Special Permission

    • SUID
      SUID is a special permission for binary programs: the user who executes the binary temporarily gains the permissions of the file's owner (it only works for binaries). For example, the passwd command lets a user change their own password even though passwords are stored in /etc/shadow, whose default permission is 000, so only root can modify it. This works because passwd has the SUID permission
      [root@linuxprobe ~]# ls -l /bin/passwd
      -rwsr-xr-x. 1 root root 34512 Aug 12  2018 /bin/passwd
      
      Warning!!! SUID is powerful and dangerous; it must never be set on vim, cat, rm, etc.
    • SGID
      • The user is granted the permissions of the group that the file belongs to, rather than those of the user's own group
      [root@linuxprobe sgid]# chmod 440 onlyroot.txt 
      [root@linuxprobe sgid]# ls -l onlyroot.txt 
      -r--r-----. 1 root root 14 Jan 20 15:53 onlyroot.txt
      [root@linuxprobe sgid]# chmod g+s onlyroot.txt 
      [root@linuxprobe sgid]# ls -l onlyroot.txt 
      -r--r-S---. 1 root root 14 Jan 20 15:53 onlyroot.txt
      
      When a user accesses onlyroot.txt, they operate with the permissions of the file's group, which is root
      • For a directory, newly created files are placed in the same group as the directory. For example, if we set SGID on a directory that is shared with everyone in a department, every file anyone in the department creates inside it belongs to the directory's group, as set up with SGID.
      # create a test directory for SGID, owned by root with group root
      [root@linuxprobe sgid]# chmod -R 777 sgidDir/
      [root@linuxprobe sgid]# chmod -R g+s sgidDir/
      [root@linuxprobe sgid]# ls -ald sgidDir/
      drwxrwsrwx. 3 root root 18 Jan 20 16:06 sgidDir/
      
      # switch to an ordinary user and create a new file within the same directory as above, 
      # check the group name of this newly generated text file
      [test@linuxprobe test]$ echo "test" > test.txt
      [test@linuxprobe test]$ ls -al test.txt 
      -rw-rw-r--. 1 test root 5 Jan 20 16:24 test.txt
      
      # in another directory (without SGID) the group name becomes the ordinary user's own group,
      # i.e. the basic group
      [test@linuxprobe userAndFilePermission]$ ls -la test.txt 
      -rw-rw-r--. 1 test test 5 Jan 20 16:31 test.txt
      
    • SBIT
      SBIT, also known as the sticky bit, has a special function: a file in the directory can only be deleted by its creator, not by other users.
      # the other-user permission "x" becomes "t", i.e. the sticky bit
      # in other words, a file within /tmp can only be deleted by its own owner
      [root@linuxprobe ~]# ls -lad /tmp
      drwxrwxrwt. 23 root root 4096 Jan 20 16:37 /tmp
      
      So the critical point is whether the user has read, write, and delete permission within the particular directory, rather than the user's permission on the file itself
      # create a new file in /tmp, which already has the sticky bit configured
      [root@linuxprobe ~]# cd /tmp
      [root@linuxprobe tmp]# echo "test for sbit" > sbit_test.txt
      [root@linuxprobe tmp]# ls -al sbit_test.txt 
      -rw-r--r--. 1 root root 14 Jan 20 16:45 sbit_test.txt
      [root@linuxprobe tmp]# chmod +777 sbit_test.txt 
      [root@linuxprobe tmp]# ls -al sbit_test.txt 
      -rwxrwxrwx. 1 root root 14 Jan 20 16:45 sbit_test.txt
      
      # switch to the ordinary user
      [root@linuxprobe tmp]# su test
      # try to delete the file: it fails with a permission error
      [test@linuxprobe tmp]$ rm -f sbit_test.txt 
      rm: cannot remove 'sbit_test.txt': Operation not permitted
      
    • chmod, chown
      • chmod change the mode bits, i.e. the permission bits of a file or directory
      • chown change the owner or group of a file or directory
      [root@linuxprobe sgid]# echo "test for chmod and chown" >> chmod_chown.txt
      [root@linuxprobe sgid]# dir
      chmod_chown.txt  onlyroot.txt  sgidDir
      [root@linuxprobe sgid]# ls -l chmod_chown.txt 
      -rw-r--r--. 1 root root 25 Jan 20 16:53 chmod_chown.txt
      [root@linuxprobe sgid]# chmod +440 chmod_chown.txt 
      [root@linuxprobe sgid]# chown linuxprobe:test chmod_chown.txt 
      [root@linuxprobe sgid]# ls -la chmod_chown.txt 
      -rw-r--r--. 1 linuxprobe test 25 Jan 20 16:53 chmod_chown.txt
      

      u+s +SUID
      u-s -SUID
      g+s +SGID
      g-s -SGID
      o+t +SBIT
      o-t -SBIT

    Conclusion

    SUID lets an ordinary user execute the program as the program's owner temporarily
    SGID lets an ordinary user act with the permissions of the file's group; files created within the directory inherit the directory's group
    SBIT prevents other users from deleting a file even when they have full r,w,x permission
    If the underlying execute permission is "-" the special permission is shown in upper case, otherwise in lower case
    Special and ordinary permissions can be combined: SUID, SGID and SBIT are also represented by the digits 4, 2, 1, and they occupy the first digit of the numeric mode, i.e.

    [root@linuxprobe full_permission]# chmod +7777 fullP.txt 
    [root@linuxprobe full_permission]# ls -la fullP.txt 
    -rwsrwsrwt. 1 root root 12 Jan 20 17:15 fullP.txt
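As an added example (not part of the original notes), the following Python code converts between the symbolic mode string that `ls -l` prints and the numeric mode used by chmod, implementing the two rules above: the special bits occupy the leading digit (4/2/1), and they show as upper-case S/T when the underlying x bit is absent. The strings are taken from the listings on this page.

```python
# Added example, not from the original notes: symbolic <-> numeric mode
# conversion, including SUID/SGID/SBIT and the upper-case S/T rule.
SUID, SGID, SBIT = 0o4000, 0o2000, 0o1000
# (shift of the rwx triple, special bit that applies to it, letter ls shows)
TRIPLES = ((6, SUID, "s"), (3, SGID, "s"), (0, SBIT, "t"))


def mode_to_symbolic(mode: int) -> str:
    """Render a numeric mode as the 9-character rwx string (type char excluded)."""
    out = []
    for shift, special, letter in TRIPLES:
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        has_x = bool(bits & 1)
        if mode & special:
            # lower case when the x bit is also set, upper case otherwise
            out.append(letter if has_x else letter.upper())
        else:
            out.append("x" if has_x else "-")
    return "".join(out)


def symbolic_to_mode(sym: str) -> int:
    """Parse a 9-character rwx string (as printed by ls -l) back to a numeric mode."""
    if len(sym) != 9:
        raise ValueError("expected 9 permission characters")
    mode = 0
    for i, (shift, special, letter) in enumerate(TRIPLES):
        r, w, x = sym[3 * i:3 * i + 3]
        if r not in "r-" or w not in "w-" or x not in "-x" + letter + letter.upper():
            raise ValueError(f"bad permission triple {sym[3 * i:3 * i + 3]!r}")
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x in "x" + letter:              # x, or lower-case s/t: x bit is set
            bits |= 1
        if x in letter + letter.upper():   # s/S or t/T: special bit is set
            mode |= special
        mode |= bits << shift
    return mode


# file type characters listed under "Frequently used file type" above
FILE_TYPES = {"-": "regular", "d": "directory", "l": "symlink",
              "p": "pipe", "b": "block", "c": "character"}


def ls_field_to_mode(field: str):
    """Split a full ls -l mode field such as "-rwsr-xr-x." into (file type, mode).
    A trailing "." (SELinux label) or "+" (ACL present) is ignored."""
    field = field.rstrip(".+")
    if len(field) != 10 or field[0] not in FILE_TYPES:
        raise ValueError(f"not an ls mode field: {field!r}")
    return FILE_TYPES[field[0]], symbolic_to_mode(field[1:])
```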
    
  • Hidden attribute

    • chattr change file attributes on a Linux file system
      Usage: chattr [-pRVf] [-+=aAcCdDeijPsStTu] [-v version] files...

      i immutable: the file cannot be modified; for a directory, entries cannot be created or deleted
      a append only; deletion is not allowed
      S sync the file content to disk immediately
      s secure deletion: the data is thoroughly erased (overwritten with zeros) so recovery is not possible
      A stop updating the atime attribute
      b stop updating the mtime attribute
      D detect errors or corruption in the compressed file
      d exclude the file when using the dump command
      c compress the file by default
      u keep the actual data after file deletion
      t allow tail-merging
      x allow direct access to the compressed file

      Try to delete a file with the +a (append only) attribute
      # without +a
      [root@linuxprobe test]# echo "test " > testForHidden.txt 
      [root@linuxprobe test]# rm testForHidden.txt 
      rm: remove regular file 'testForHidden.txt'? y
      
      [root@linuxprobe test]# chattr +a linuxHidden.txt 
      [root@linuxprobe test]# rm linuxHidden.txt
      rm: remove regular file 'linuxHidden.txt'? y
      rm: cannot remove 'linuxHidden.txt': Operation not permitted
      
    • lsattr list file attributes on a Linux second extended file system

      [root@linuxprobe test]# lsattr linuxHidden.txt 
      --S-iadA---------- linuxHidden.txt
      

      One of the most widely used applications of the hidden attributes is setting +a on log files such as /var/log/messages, so that an attacker cannot wipe the trail of where they have been

  • FACL file access control lists

    The permission management discussed so far works for one owner, one group, or everyone else; FACL (File Access Control Lists) works for individual users.

    • File ACL - the file's permissions are independent of the directory where it resides
    • Directory ACL - all files within the directory inherit the permissions the directory grants them
    [root@linuxprobe ~]# su linuxprobe
    [linuxprobe@linuxprobe root]$ cd /root
    bash: cd: /root: Permission denied
    
    • setfacl manage ACLs: sets the ACL of files, controlling access per individual user, group, file or directory
      -m modify (set) an ACL entry
      -M read the ACL entries to set from a file
      -x remove one ACL entry
      -b remove all ACL entries
      -R do the operation recursively

      [root@linuxprobe ~]# setfacl -Rm u:1000:rwx /root
      [root@linuxprobe ~]# su linuxprobe
      [linuxprobe@linuxprobe root]$ cd /root
      
      [linuxprobe@linuxprobe root]$ ls -ld /root
      dr-xrwx---+ 15 root root 4096 Jan 22 00:28 /root
      # the "+" sign means the /root directory now has an ACL configured
      
    • getfacl show the ACL of a file or directory

      [linuxprobe@linuxprobe root]$ getfacl /root
      getfacl: Removing leading '/' from absolute path names
      # file: root
      # owner: root
      # group: root 
      user::r-x
      user:linuxprobe:rwx
      group::r-x 
      mask::rwx
      other::---
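As an added example (not part of the original notes), the following code parses output in the format getfacl prints above and works out the effective permission of each entry: the mask:: line caps every entry except the owner (user::) and other::, so a user:linuxprobe:rwx entry is only worth rwx when the mask allows it too. The sample output is constructed, modelled on the /root listing with a tighter mask.

```python
# Added example, not from the original notes: parse getfacl output and apply the mask.
from typing import Dict, List, Tuple

# Constructed sample modelled on the /root output above, with mask r-x instead of rwx
SAMPLE_ACL = """\
# file: root
# owner: root
# group: root
user::r-x
user:linuxprobe:rwx
group::r-x
mask::r-x
other::---
"""

Entry = Tuple[str, str, str]  # (tag, qualifier, perms)


def parse_getfacl(text: str) -> Tuple[Dict[str, str], List[Entry]]:
    """Return the header fields (# file/owner/group) and the access ACL entries."""
    header: Dict[str, str] = {}
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        if line.startswith("default:"):
            continue  # default entries (inherited by new files) are out of scope here
        tag, qualifier, rest = line.split(":", 2)
        entries.append((tag, qualifier, rest[:3]))  # drops any trailing "#effective:" note
    return header, entries


def effective_perms(entries: List[Entry]) -> Dict[str, str]:
    """Apply the mask to named users, named groups and the owning group."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    result: Dict[str, str] = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        name = f"{tag}:{qualifier}" if qualifier else tag
        if tag == "other" or (tag == "user" and not qualifier):
            result[name] = perms  # owner and other are never masked
        else:
            # a bit survives only when both the entry and the mask grant it
            result[name] = "".join(p if p == m and p != "-" else "-"
                                   for p, m in zip(perms, mask))
    return result


def can_write(entries: List[Entry], user: str) -> bool:
    """Does the named ACL user end up with write access after masking?"""
    return "w" in effective_perms(entries).get(f"user:{user}", "---")
```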
      
      What if a mistake is made while setting up the ACL?
      Back up and restore the ACL
      [root@linuxprobe ~]# getfacl -R /home > backup.acl
      getfacl: Removing leading '/' from absolute path names
      [root@linuxprobe ~]# setfacl --restore ./backup.acl &> /dev/null
      
  • su and sudo

    • su lets a user switch to another account and back

      [root@linuxprobe /]# su - linuxprobe
      [linuxprobe@linuxprobe ~]$ 
      # "-" means switch over completely
      

      root -> user: no password check
      user -> root: password required

    • sudo allows a user to perform some superuser tasks while limiting and
      monitoring them, so the ordinary user does not obtain full superuser permission. The system records every command an ordinary user runs through sudo, manages the sudo users in /etc/sudoers, and allows further commands without re-entering the password for a short period of time.

      -h display help information
      -l list the commands the current user may run
      -u run the command as the specified user name/UID
      -k clear the cached credentials, forcing a password prompt on the next sudo command
      -b run the command in the background
      -p change the password prompt

      • Use visudo to edit the /etc/sudoers file, which makes the sudo configuration more robust

        It opens the vim editor
        More reliable (the syntax is checked before saving) and easier to edit

        ## Allow root to run any commands anywhere
        # target user     host=(run-as user)   executable list, separated by commas
        root                                  ALL=(ALL)                    ALL
        linuxprobe                            ALL=(ALL)                    ALL
        
        # running the following command shows the permissions of "linuxprobe"
        [linuxprobe@linuxprobe ~]$ sudo -l
        [sudo] password for linuxprobe: 
        Matching Defaults entries for linuxprobe on linuxprobe:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
        KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
        LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE
        LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
        
        User linuxprobe may run the following commands on linuxprobe:
        (ALL) ALL
        
        # It is unsafe to grant sudo permission for ALL commands
        # Modify the sudoers file and restrict the commands available to "linuxprobe"
        ## Allow root to run any commands anywhere
        root               ALL=(ALL)                    ALL
        linuxprobe         ALL=(ALL)                    /usr/bin/ls,/usr/bin/cat,/usr/sbin/reboot
        
        # now try to list the content of /root with and without "sudo"
        [linuxprobe@linuxprobe ~]$ ls /root
        ls: cannot open directory '/root': Permission denied
        [linuxprobe@linuxprobe ~]$ sudo ls /root
        anaconda-ks.cfg  backup.acl  Desktop  Documents  Downloads  initial-setup-ks.cfg  Music  Pictures  Public  Templates  Videos
        
        [linuxprobe@linuxprobe ~]$ cat /etc/shadow
        cat: /etc/shadow: Permission denied
        [linuxprobe@linuxprobe ~]$ sudo cat /etc/shadow
        root:$6$qAPQugz7F2TmGSMr$NnTP4W4WyQooEx3gmfxM611e893PraAZMMdaPUpkmNzieolNjT8rYoPyVTWcFia/Sc3XNbawKUQ9KQbDCxLqd/:18647:0:99999:7:::
        bin:*:17784:0:99999:7:::
        
        # NOPASSWD lets the user run "sudo" without entering the password every time
        ## Allow root to run any commands anywhere
        root               ALL=(ALL)                    ALL
        linuxprobe         ALL=(ALL)                   NOPASSWD:/usr/bin/ls,/usr/bin/cat,/usr/sbin/reboot
        
        [linuxprobe@linuxprobe ~]$ sudo reboot
        ......
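As an added example (not part of the original notes), the following script parses user specification lines in the simple `user HOST=(RUNAS) [NOPASSWD:] cmd,cmd` form shown above and flags the two patterns the notes discuss: a non-root user allowed to run ALL commands, and NOPASSWD entries. Aliases, Defaults lines and include directives are assumed absent; the sudoers fragment is constructed from the three variants on this page.

```python
# Added example, not from the original notes: audit simple sudoers user specs.
import re
from typing import Dict, List

# user  host=(runas)  [NOPASSWD:]cmd,cmd   (only this simple form is handled)
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s+(?P<cmds>.+)$")

# Constructed sudoers fragment combining the variants shown in the notes
SAMPLE_SUDOERS = """\
## Allow root to run any commands anywhere
root        ALL=(ALL)   ALL
linuxprobe  ALL=(ALL)   /usr/bin/ls,/usr/bin/cat,/usr/sbin/reboot
linuxcool   ALL=(ALL)   ALL
linuxtest   ALL=(ALL)   NOPASSWD:/usr/bin/ls
"""


def parse_sudoers(text: str) -> List[Dict]:
    """Return one dict per user specification; comments and other lines are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue  # Defaults, aliases etc. are not user specs
        cmds = m.group("cmds").strip()
        nopasswd = cmds.startswith("NOPASSWD:")
        if nopasswd:
            cmds = cmds[len("NOPASSWD:"):]
        specs.append({"user": m.group("user"), "host": m.group("host"),
                      "runas": m.group("runas"), "nopasswd": nopasswd,
                      "commands": [c.strip() for c in cmds.split(",")]})
    return specs


def audit_sudoers(specs: List[Dict]) -> List[str]:
    """Flag ALL-command grants to non-root users and every NOPASSWD entry."""
    findings = []
    for s in specs:
        if s["user"] != "root" and "ALL" in s["commands"]:
            findings.append(f"{s['user']}: may run ALL commands as ({s['runas']})")
        if s["nopasswd"]:
            findings.append(f"{s['user']}: NOPASSWD for {', '.join(s['commands'])}")
    return findings
```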
        
