Linux Tutorials

In the previous topic we learned about normal permissions; now we will learn about advanced Linux permissions.

Let’s Start:

  1. Normal Permission
  2. Special Permission
  3. ACL Permission

Special Permission:

Three special types of permissions are available for executable files and public directories. When these permissions are set, any user who runs that executable file assumes the user ID of the owner (or group) of the executable file.

You must be extremely careful when you set special permissions, because special permissions constitute a security risk. For example, a user can gain superuser privileges by executing a program that sets the user ID (UID) to root. Also, all users can set special permissions for files they own, which constitutes another security concern.

You should monitor your system for any unauthorized use of the SetUID (SUID) and SetGID (SGID) permissions to gain superuser privileges. To search for and list all of the files that use these permissions, see How to Find Files With setuid Permissions. A suspicious listing is one in which such a program is owned by a user rather than by root or bin.

  1. SetUID(SUID)
  2. SetGID(SGID)
  3. Sticky Bit

SUID:

SUID is applied only to files. When SUID is set on a file, anyone who runs that file does so with the permissions of the file's owner.

When set-user identification (setuid) permission is set on an executable file, a process that runs this file is granted access based on the owner of the file (usually root), rather than the user who is running the executable file. This special permission allows a user to access files and directories that are normally only available to the owner. For example, the setuid permission on the passwd command makes it possible for a user to change passwords, assuming the permissions of the root ID:

root@host:~# chmod u+s <file>    ## command pattern ##
root@host:~# chmod u+s /usr/bin/passwd
root@host:~# ls -l /usr/bin/passwd
-r-sr-sr-x   3 root     sys       104580 Sep 16 12:02 /usr/bin/passwd

This special permission presents a security risk, because some determined users can find a way to maintain the permissions that are granted to them by the setuid process even after the process has finished executing.

SGID:

SGID can be applied to files and to directories. When we apply SGID to a file, the group owner and its members can access and modify the file. When we apply SGID to a directory, the group and its members can access the directory and its files, and whenever a new file is created inside the directory, its group owner is by default the group owner of the directory.

When setgid permission is applied to a directory, files that were created in this directory belong to the group to which the directory belongs, not the group to which the creating process belongs. Any user who has write and execute permissions in the directory can create a file there. However, the file belongs to the group that owns the directory, not to the user’s group ownership.

You should monitor your system for any unauthorized use of the setuid and setgid permissions to gain superuser privileges. To search for and list all of the files that use these permissions, see How to Find Files With setuid Permissions. A suspicious listing is one in which such a program is group-owned by a user rather than by root or bin.

root@host:~# chmod g+s <file or directory>    ## command pattern ##
root@host:~# mkdir /a
root@host:~# touch /a/file{1..2}.txt
root@host:~# ls -ld /a
drwxr-xr-x 2 root root 4096 Sep 17 00:07 /a
root@host:~# ls -l /a
-rw-r--r-- 1 root root 0 Sep 17 00:07 file1.txt
-rw-r--r-- 1 root root 0 Sep 17 00:07 file2.txt
root@host:~# chmod g+s /a
root@host:~# ls -ld /a
drwxr-sr-x 2 root root 4096 Sep 17 00:07 /a

Sticky Bit:

The sticky bit is applied only to directories, not to files. With the sticky bit set, the owner of the directory can modify it, and other users cannot.

root@host:~# chmod o+t <directory>    ## command pattern ##
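The lesson says to monitor the system for files that carry SUID or SGID and to treat a listing where such a program is owned by someone other than root or bin as suspicious. The script below is an added example, not part of the lesson: it decodes the three special bits from a stat() mode, walks a directory tree, and flags setuid/setgid regular files whose owner is not a trusted uid. The sample tree it builds in a temporary directory (file and directory names, their modes) is constructed for illustration, and the "trusted owner" rule is an assumption taken from the lesson's own wording.

```python
import os
import pwd
import stat
import tempfile

# Added example (not the lesson's code). The lesson expects setuid/setgid
# programs to be owned by root or bin; anything else deserves a look.
# uid 0 is root; bin's uid is looked up if the account exists here.
TRUSTED_OWNER_UIDS = {0}
try:
    TRUSTED_OWNER_UIDS.add(pwd.getpwnam("bin").pw_uid)
except KeyError:
    pass
RUNNING_AS_ROOT = os.getuid() == 0


def special_bits(mode):
    """Name the special bits set in a stat() mode, in chmod's order."""
    names = []
    if mode & stat.S_ISUID:
        names.append("suid")
    if mode & stat.S_ISGID:
        names.append("sgid")
    if mode & stat.S_ISVTX:
        names.append("sticky")
    return names


def symbolic(mode):
    """Render a full st_mode the way ls -l does, e.g. -rwsr-xr-x or drwxrwxrwt."""
    return stat.filemode(mode)


def audit_tree(root):
    """Record every entry under root that carries a special bit.

    A regular file with SUID or SGID whose owner is not a trusted uid is
    flagged as suspicious, which is the lesson's rule for what to look for.
    Symlinks are skipped: their own mode bits mean nothing.
    """
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            bits = special_bits(st.st_mode)
            if not bits:
                continue
            privileged = stat.S_ISREG(st.st_mode) and bool({"suid", "sgid"} & set(bits))
            findings[os.path.relpath(path, root)] = {
                "mode": symbolic(st.st_mode),
                "bits": bits,
                "uid": st.st_uid,
                "suspicious": privileged and st.st_uid not in TRUSTED_OWNER_UIDS,
            }
    return findings


def build_demo_tree():
    """Create a constructed sample tree in a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="specialbits-")
    layout = {                              # name: (is_dir, mode); all constructed
        "setuid_helper": (False, 0o4755),   # like /usr/bin/passwd: chmod u+s
        "setgid_tool":   (False, 0o2755),   # chmod g+s on a file
        "plain_file":    (False, 0o644),    # no special bits, must not be reported
        "shared":        (True,  0o2775),   # chmod g+s on a directory, as /a above
        "dropbox":       (True,  0o1777),   # chmod o+t: the sticky bit
    }
    for name, (is_dir, mode) in layout.items():
        path = os.path.join(root, name)
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)                # explicit chmod, so the umask does not interfere
    return root


def demo_findings():
    """Audit the constructed tree; its files are owned by whoever runs this."""
    return audit_tree(build_demo_tree())


if __name__ == "__main__":
    for rel, rec in sorted(demo_findings().items()):
        verdict = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{rec['mode']} uid={rec['uid']:<6} {verdict:<10} {rel} ({','.join(rec['bits'])})")
```

Run as an ordinary user, the setuid and setgid files in the sample tree are reported as suspicious because they are owned by that user; run as root they are owned by uid 0 and pass. The SGID directory and the sticky directory are listed but never flagged, since the lesson's concern is privileged executables, not group-inheriting or shared directories.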

ACL(Access Control List):

An access control list (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to supplement standard UNIX file permissions. ACLs allow you to grant permissions to any user or group on any disk resource.

Use of ACL:

Think of a scenario in which a particular user is not a member of a group you created, but you still want to give that user some read or write access. How can you do it without making the user a member of the group? This is where Access Control Lists come in: ACLs let us do exactly this.

Basically, ACLs are used to make a flexible permission mechanism in Linux.

From Linux man pages, ACLs are used to define more fine-grained discretionary access rights for files and directories.

setfacl and getfacl are used for setting up ACL and showing ACL respectively.

root@host:~# setfacl <option> <permission> <file or directory>    ## command pattern ##
root@host:~# getfacl <file or directory>                           ## check the ACL entries ##

List of commands for setting up ACL:

## To add permissions for a user (user is either the user name or ID) ##
setfacl -m "u:user:permissions" /path/to/file

## To add permissions for a group (group is either the group name or ID) ##
setfacl -m "g:group:permissions" /path/to/file

## To make files or directories created inside a directory inherit its ACL entries (default ACL) ##
setfacl -dm "entry" /path/to/dir

## To remove a specific entry ##
setfacl -x "entry" /path/to/file

## To remove all extended entries ##
setfacl -b /path/to/file

Example:

root@host:~# setfacl -m u:hackonology:rwx /a
root@host:~# getfacl /a
getfacl: Removing leading '/' from absolute path names
# file: a
# owner: root
# group: root
user::rwx
user:hackonology:rwx
group::r-x
mask::rwx
other::r-x

Removing an ACL

If you want to remove the ACL entries you have set, use the setfacl command with the -b option. For example:

root@host:~# setfacl -b /a
root@host:~# getfacl /a
getfacl: Removing leading '/' from absolute path names
# file: a
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
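The getfacl listings above have a fixed layout, and the mask entry that appears once a named user is added is what actually caps that user's access. The module below is an added example, written for this page and not taken from the lesson or from the acl package: it parses getfacl output into a small model, evaluates the permission a given user ends up with under the POSIX.1e matching order (owner, named user, matching groups, other, with the mask applied), and mimics what `setfacl -m` and `setfacl -b` do to the entries, including the mask recalculation. The sample text is constructed to match the /a example above; the helper names and the dictionary layout are this example's own choices.

```python
# Added example, not the lesson's code nor the acl package: a model of getfacl
# output and of the effect of setfacl -m / -b under the POSIX.1e rules.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample: what getfacl /a prints after the lesson's
# "setfacl -m u:hackonology:rwx /a" (getfacl strips the leading "/").
SAMPLE_GETFACL = """\
# file: a
# owner: root
# group: root
user::rwx
user:hackonology:rwx
group::r-x
mask::rwx
other::r-x
"""

def perms_to_int(text):
    """'rwx', 'r-x' or the short 'rw' -> 0..7."""
    return sum(PERM_BITS[c] for c in text if c in PERM_BITS)

def int_to_perms(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def parse_getfacl(text):
    """Parse getfacl output; user::/group:: live under the empty name, default: entries are kept verbatim."""
    acl = {"header": {}, "user": {}, "group": {}, "mask": None, "other": 0, "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                  # "# file: a" style header
            key, _, value = line[1:].partition(":")
            acl["header"][key.strip()] = value.strip()
            continue
        entry = line.split("#", 1)[0].strip()     # drop "#effective:..." notes
        if entry.startswith("default:"):          # setfacl -d entries: stored, not evaluated
            acl["default"].append(entry)
            continue
        tag, name, perm = entry.split(":")
        if tag in ("user", "group"):
            acl[tag][name] = perms_to_int(perm)
        elif tag in ("mask", "other"):
            acl[tag] = perms_to_int(perm)
        else:
            raise ValueError(f"unknown ACL entry {entry!r}")
    return acl

def effective(acl, user, groups):
    """POSIX.1e order: owner, named user, union of matching groups, other; mask caps all but owner/other."""
    mask = 7 if acl["mask"] is None else acl["mask"]
    if user == acl["header"].get("owner"):
        return acl["user"][""]
    if user in acl["user"]:
        return acl["user"][user] & mask
    bits, matched = 0, False
    for g in groups:
        if g == acl["header"].get("group"):
            bits, matched = bits | acl["group"][""], True
        if g in acl["group"]:
            bits, matched = bits | acl["group"][g], True
    return bits & mask if matched else acl["other"]

def recalc_mask(acl):
    """setfacl -m (without -n) recomputes the mask as owning group | all named entries."""
    named = [p for n, p in acl["user"].items() if n] + [p for n, p in acl["group"].items() if n]
    if named:
        mask = acl["group"][""]
        for p in named:
            mask |= p
        acl["mask"] = mask
    return acl

def modify(acl, spec):
    """Apply one setfacl -m spec, e.g. 'u:hackonology:rwx', 'g:dev:rw' or 'm::r-x'."""
    tag, name, perm = spec.split(":")
    tag = {"u": "user", "g": "group", "m": "mask", "o": "other"}.get(tag, tag)
    bits = perms_to_int(perm)
    if tag in ("mask", "other"):
        acl[tag] = bits
    else:
        acl[tag][name] = bits
    return acl if tag == "mask" else recalc_mask(acl)   # an explicit mask is kept as given

def strip_extended(acl):
    """setfacl -b: drop named entries, the mask and any default entries."""
    acl["user"], acl["group"] = {"": acl["user"][""]}, {"": acl["group"][""]}
    acl["mask"], acl["default"] = None, []
    return acl

def to_text(acl):
    """Render in getfacl's layout so before/after states compare directly."""
    out = [f"# {k}: {v}" for k, v in acl["header"].items()]
    out.append(f"user::{int_to_perms(acl['user'][''])}")
    out += [f"user:{n}:{int_to_perms(p)}" for n, p in acl["user"].items() if n]
    out.append(f"group::{int_to_perms(acl['group'][''])}")
    out += [f"group:{n}:{int_to_perms(p)}" for n, p in acl["group"].items() if n]
    if acl["mask"] is not None:
        out.append(f"mask::{int_to_perms(acl['mask'])}")
    out.append(f"other::{int_to_perms(acl['other'])}")
    return "\n".join(out)
```

Parsing SAMPLE_GETFACL and calling effective(acl, "hackonology", ["hackonology"]) gives 7 (rwx) through the named entry; after modify(acl, "m::r-x") the same call gives 5, because a tightened mask silently trims named users and groups even though their own entries still read rwx. That is the check to run when an ACL "should" grant access but does not. strip_extended(acl) followed by to_text(acl) reproduces the listing shown after setfacl -b /a.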

Hope this article was helpful for you. Thank you.