Course Content
Introduction
0/1
Course Overview
Linux Fundamental
0/10
Introduction to Unix
History
Operating System
Hardware and Software
Why Linux
Linux Features
Linux vs Unix
Linux vs Windows
Introduction to Shell
Linux Fundamental
Basic Commands
0/3
Linux Basic Commands
Linux System Admin Command
Detecting Linux distribution name and version
Linux Commands
0/2
Tar command
Locate Command
Linux Permission
0/2
Linux File Permission
Advanced Permission
Linux Files and Directory
Linux Users and Group Management
0/1
Linux User & Group Management
Linux Process
Linux Networking
Linux Security
Linux Partitions
0/3
LVM Partition
Swap Partition
Normal Partition
Linux Sysadmin
0/4
Detect open ports
Useful shortcuts
Create Your Own Commands
Change root (chroot)
Linux Advance
0/2
Run level
Services
Linux Filters
Linux Tutorials
About Lesson

So in previous topic we learn about Normal Permission but now we will learn advanced Linux permission.

Let’s Start:

  1. Normal Permission
  2. Special Permission
  3. ACL Permission

Special Permission:

Three special types of permissions are available for executable files and public directories. When these permissions are set, any user who runs that executable file assumes the user ID of the owner (or group) of the executable file.

You must be extremely careful when you set special permissions, because special permissions constitute a security risk. For example, a user can gain superuser privileges by executing a program that sets the user ID (UID) to root. Also, all users can set special permissions for files they own, which constitutes another security concern.

You should monitor your system for any unauthorized use of the SetUID(SUID) and SetGID(SGID)  permissions to gain superuser privileges. To search for and list all of the files that use these permissions, see How to Find Files With setuid Permissions. A suspicious listing grants ownership of such a program to a user rather than to root or bin.

  1. SetUID(SUID)
  2. SetGID(SGID)
  3. Stricky Bit

SUID:

Suid command are applied only on files. If you apply SUID to a file the owner of the file is only the person who can execute the file.

When set-user identification (setuid) permission is set on an executable file, a process that runs this file is granted access based on the owner of the file (usually root), rather than the user who is running the executable file. This special permission allows a user to access files and directories that are normally only available to the owner. For example, the setuid permission on the passwd command makes it possible for a user to change passwords, assuming the permissions of the root ID:

root@localhost:~# chmod u+s file name ## pattern of the command ##
root@localhost:~# chmod u+s /usr/bin/passwd
-r-sr-sr-x   3 root     sys       104580 Sep 16 12:02 /usr/bin/passwd

This special permission presents a security risk, because some determined users can find a way to maintain the permissions that are granted to them by the setuid process even after the process has finished executing.

SGID:

Sgid command are applied on files and directories. When we apply SGID to a file that means the group owner and it’s memeber can access and modify the file. But if we add SGID to a directory that means a group and it’s member can access the directory and it’s file and whenever a new file is created inside the directory then by default group owner of the file is that which is the group owner of the directory.

When setgid permission is applied to a directory, files that were created in this directory belong to the group to which the directory belongs, not the group to which the creating process belongs. Any user who has write and execute permissions in the directory can create a file there. However, the file belongs to the group that owns the directory, not to the user’s group ownership.

You should monitor your system for any unauthorized use of the setuid and setgid permissions to gain superuser privileges. To search for and list all of the files that use these permissions, see How to Find Files With setuid Permissions. A suspicious listing grants group ownership of such a program to a user rather than to root or bin.

root@localhost:~# chmod g+s file or directory name ## Command pattern ##
root@localhost:~# mkdir /a
root@localhost:~# touch /a/file{1..2}.txt 
root@localhost:~# ls -al /a
drwxr-xr-x 2 root root 4096 Sep 17 00:07 /a
-rwxrw-rw- 2 root root 4096 Sep 17 00:07 /a/file1.txt
-rwxrw-rw- 2 root root 4096 Sep 17 00:07 /a/file2.txt
root@localhost:~# chmod g+s /a
root@localhost:~# ls /a
drwxrwsr-x 2 root root 4096 sep 17 00:07 /a

Stricky Bit:

Stricky Bit Permission are applied only on directories not on files. In Stricky bit the owner of the directory can execute and modify the directory and other user can’t do anything.

root@localhost:~# chmod o+t directory name ## Command Pattern ##

ACL(Access Control List):

Access control list (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to assist with UNIX file permissions. ACL allows you to give permissions for any user or group to any disc resource.

Use of ACL :

Think of a scenario in which a particular user is not a member of group created by you but still you want to give some read or write access, how can you do it without making user a member of group, here comes in picture Access Control Lists, ACL helps us to do this trick.

Basically, ACLs are used to make a flexible permission mechanism in Linux.

From Linux man pages, ACLs are used to define more fine-grained discretionary access rights for files and directories.

setfacl and getfacl are used for setting up ACL and showing ACL respectively.

root@localhost:~# setfacl option permission file or directory name ## Command pattern ##
root@localhost:~# getfacl file or directory name ## to check the ACL permission ##

List of commands for setting up ACL :

## To add permission for user ##
setfacl -m "u:user:permissions" /path/to/file

## To add permissions for a group ##
setfacl -m "g:group:permissions" /path/to/file 

## To allow all files or directories to inherit ACL entries from the directory it is within ##
setfacl -dm "entry" /path/to/dir

## To remove a specific entry ##
setfacl -x "entry" /path/to/file

## To remove all entries ##
setfacl -b path/to/file 

## To add permissions for a user (user is either the user name or ID) ##
setfacl -m "u:user:permission"

## To add permissions for a group (group is either the group name or ID) ##
setfacl -m "g:group:permission"

Example:

root@localhost:~# setfacl -m u:hackonology:rwx /a
root@localhost:~#  getfacl /a
#file /a
#owner: root
#group: root
user::rwx
user::hackonology:rwx
group::r-x
other::r-x

Removing an ACL

If you want to remove the set ACL permissions, use setfacl command with -b option.
For example :

root@localhost:~# setfacl -b /a
root@localhost:~# getfacl /a
#file /a
#owner: root
#group: root
user::rwx
group::r-x
other::r-x

Let’s Join our Hacking Team

We Are Indian We Are Great

Hope this article helpful for you. Thank You

Indian Cyber Army | Make IT Secure

Enjoy…Stay Happy…Stay Secure…

Hope this article helpful for you. Thank You

If You Appreciate What We Do Here On Hackonology, You Should Consider:

Hackonology is the fastest growing and most trusted community site where you can find lots of courses, articles about Technology/Hacking/Cracking. Millions of people visit Hackonology! to search or browse the thousands of published articles available FREELY to all.

Let's be a part of Hacker's Community! Join our Hacking Team

We Are Indian We Are Great

Previous
Next