Linux Access Privileges 2: Access Again

In our last article, we covered the chmod command which allows you to manipulate file access permissions on a per-user and per-group basis.That article covered the basics, so with this one we want to get a little deeper with advanced attributes. Let's start off with 'suid' and 'sgid.'

Suid and sgid bits are useful if a user needs to run an executable that they otherwise don't have any priveleges for. Before execution, the system checks these bits and substitutes the current user's privileges to the owner`s (or owner's group) of a file. If we want to, for example, restart apache process and we`d like to delegate its execution to an unprivileged (not root or sudoer) user of our system, we'd start with the following script:

echo service httpd restart >> /home/myuser/

Make it executable:

chmod +x /home/myuser/

Change owner (if you're running these scripts as root, skip this step):

chown root:root /home/myuser/

Finally, set the suid bit and change the other permissions:

chmod 4750 /home/myuser/

In this script, 4 - SUID (Substitute user id to the owner`s for the execution process) 7 - owner have full access (read, write, execute) 5 - owner-group can read and execute, and 0 - others can do nothing.

Or you can set the SGID:

chmod 6570 /home/myuser/

ls -l ./
-rwsr-xr-x 1 root root 24 2016-06-02 22:03 ./

Some things to keep in mind:

1. Don`t allow the delegated user to change the file - they can replace the content and run any other command with higher privileges.

2. Some modern distributions of Linux can ignore SUID and SGID bits.

3. While the it's important to know and understand suid and sgid commands, you should probably never run them on your production servers. It`s kind of a "quick and dirty" hack, the best practice is to use sudo with options (you can grant sudo for defined user and any command specified in /etc/sudoers file) .

Sticky bits

Sticky bits are permission bits that are left on files or directories that ensures that only the owner of the file to delete it. As a quick example:

chmod 1750 /home/shared_folder

ls -l /home/shared_folder
drwxr-x--T   2 root  root             4096 2016-06-02 23:03 shared_folder

Here, we can see a new “T” attribute – that's the sticky bit.

Advanced file attributes with lsattr and chattr

Chattr and lsattr are two components of the e2fsilibs package. They're basically used to set other, special, attributes for file and folders. You can quickly list all their attributes using the 'man chattr' command, which will return:

append only (a), 
no atime  updates(A), 
compressed (c), 
no copy on write (C), 
no dump (d), 
synchronous directory updates (D), 
extent format(e), 
immutable (i), 
data journalling (j), 
secure deletion (s), 
synchronous updates (S), 
no  tail-merging(t), 
top of directory hierarchy (T), 
and undeletable (u)

The following attributes are read-only, and may be listed by lsattr but not modified by chattr: compression error (E), huge file (h), indexed directory (I), inline data (N), compression raw access (X), and compressed dirty file (Z).

We can use 'lsattr' to view file attributes. It works almost just like 'ls -l', so we can compare the output of both:

ls -l /etc/passwd
-rw-r--r-- 1 root root 1730 дек 14 16:47 /etc/passwd
lsattr /etc/passwd
-------------e-- /etc/passwd

There aren't any advanced attributes set by default. Let's mix it up and set a few with chattr. If we have a file we don't want to change or delete by mistake, and don`t want to let anyone else do it either, we can set an immutable (i) attribute to it:

chattr +i /home/myuser/myVeryImportantFile.txt

Check the result with 'ls -l':

ls -l myVeryImportantFile.txt
-rw-r--r-- 1 root root 0 may 30 02:53 myVeryImportantFile.txt

Nothing changed. And with 'lsattr':

lsattr myVeryImportantFile.txt
----i--------e-- myVeryImportantFile.txt

Notice the 'i' is listed now. Let's try to delete it:

rm myVeryImportantFile.txt
rm: unable to delete «myVeryImportantFile.txt»: operation is not permitted

...Or modify:

echo test >> myVeryImportantFile.txt
bash: myVeryImportantFile.txt: access denied

Perfect. Exactly what we wanted. Now, let's say we want to let users add content to a file, but not to replace or delete any. We have to add an "a" (append only) attribute:

chattr +a Linux_File_Permissions_advanced.txt

lsattr Linux_File_Permissions_advanced.txt
-----a-------e-- Linux_File_Permissions_advanced.txt

echo “Put some text to file” >> Linux_File_Permissions_advanced.txt

cat Linux_File_Permissions_advanced.txt
Write some awesome text! 

Using this script, no one will be able to delete or change any part of that document except to write new content.

For our next trick, let's say we want to remove and completely destroy a file because it has private information in it. As you might know, the rm command does not actually remove anything – it just marks the space as free for the system, and the file system will overwrite it eventually when it needs more space. This means files can be easily restored before it's overwritten with basic software like extundelete, for example. So to prevent any restoration we can use the attribute "s", which will overwrite the file with 0s instead of just marking it as free:

chattr +s ./mysecretfile.txt

lsattr ./mysecretfile.txt
s----------------e- mysecretfile.txt

When you 'rm' it now, after enabling the 's' attribute the file will be deleted and unrestorable. Can be useful when old but vulnerable content needs to get deleted. 

Something I'd like to mention again is that advanced attributes should only be used once you really know what you want to do with them. Personally, I don't think they should ever be used on production servers within companies and organizations, unless you have explicit awareness and permission that you're doing so. Any mistake with regards to these permissions can lead to data being compromised or lost. It's generally much safer to go with the traditional routes of backups, firewalls, antiviruses, antirootkits,encryption and server monitoring (hey, that's us!)

That's all for now. Don't forget to like on follow on Twitter and Facebook so keep updated with new articles from ServerSuit.

Until next time!

June 14 2016

Add or review comments

Please leave your comment

Existing comments

Comments 66

viagra brand online sensitivity <a href="">viagra softtabs</a> professional vs super active viagra [url=]viagra trial pack canada[/url] ’
over the counter viagra substitute <a href="">where can i buy viagra in canada</a> viagra brand frizer [url=]brand viagra[/url] ’
pain relief <a href="">walgreens pharmacy online</a> canadian pharmaceuticals online safe
buy generic viagra online <a href=" ">where can i buy viagra in ireland</a> cheap prescription drugs online
canada pharmacy online <a href=" ">prescription drugs without prior prescription</a> no prescription pharmacies
canadian pharmacy viagra generic <a href=" ">eye drop</a> cheap pharmacy online
buy viagra cheap usa <a href=" ">online pfizer viagra au</a> chewing gum viagra
viagra on the web <a href=" ">viagra super force</a> genetric viagra
overnightpharmacy4u brand viagra <a href=" ">actual prescription cost of viagra</a> viagra optimum on line to canada
are payday loans legal in kansas <a href=" ">payday loans 2k</a> va loan cash out ltv
cialis high cholesterol <a href=" ">cialis 18 ans</a> cialis kaufen wien
payday loans for az residents <a href=" ">pa cash advances</a> cash loan roodepoort
how does cialis affect the heart <a href=" ">cialis es adictivo</a> cialis 20 mg pris
where can i buy cialis in canada <a href=" "> </a> cialis with dapoxetine
buy viagra in sydney <a href=" "> </a> who has the best deal on viagra generic
cialis usa <a href=" "> </a> cheap generic cialis canada
does viagra work for women <a href=" ">como funciona el viagra </a> viagra overdose
[url=]write my essay website[/url] can someone write my essay for me <a href=" ">can i hire someone to write my essay</a> cheap essay services
[url=]how to write thesis proposal[/url] thesis editing <a href=" ">thesis express</a> thesis writing
[url=]how to get viagra to work[/url] [url=]natural viagra foods[/url] [url=]viagra vs cialis reddit[/url] [url=]buy cialis online in usa[/url] [url=]generic cialis prices[/url]
[url=]writing your thesis[/url] thesis data analysis <a href=" ">help with writing thesis</a> umi thesis
[url=]thesis writing online[/url] thesis abstracts <a href=" ">writing thesis proposal</a> thesis literature review
[url=]thesis paper writing[/url] writing a good thesis <a href=" ">example thesis</a> help me write a thesis statement
discount prescription drug [url= ]canada drug[/url] Top Avana
soft cialis canadian pharmacy buy cialisonline
generic viagra price [url= ]viagra for sale ebay[/url] generic viagra usa
Penegra [url= ]п»їed meds online without doctor prescription[/url] walmart pharmacy price check
canadian prescription drugs [url= ]Malegra DXT[/url] drugs for sale
levitra online amazon levitra before or after meal
tadalafil 40 mg for sale [url= ]cialis tadalafil generic[/url] what is tadalafil liquid
female cialis online cialis generic dapoxetine
Forxiga [url= ]no prior prescription required pharmacy[/url] international pharmacy
free shipping cialis usa generic cialis]
does cialis work howard stern commercial cialis
cheap generic cialis in the us [url= ]cialis online american express[/url] cialis generic dapoxetine
mail order pharmacy india antibiotics
lemonaid health viagra [url= ]cialis vs viagra cost[/url] generic viagra over the counter
buy viagra manchester uk en que casos tomar viagra
Aricept online pharmacy uk
cialis no prescription uk [url= ]buy cialis from cananda[/url] supreme suppliers cialis
cialis overnight online ver to bay cialis 20mg
how much does viagra cost without insurance [url= ]better than viagra[/url] levitra vs viagra
cialis 5mg no perscription cialis black
what is better viagra cialis viagra da 100 mg prezzo
where to get viagra [url= ]what is the cost of viagra[/url] viagra generic date
Sporanox [url= ]erectile dysfunction drug[/url] weight loss
weight loss [url= ]online pharmacy bc[/url] Prothiaden
cialis 10 mg tablet [url= ]take cialis the correct way[/url] cheap cialis from australia
cialis without a perscription [url= ]cialis cost nz[/url] generuc cialis
discount generic cialis [url= ]cialis without prescriptions[/url] cialis fastest shipping
generic cialis online [url= ]overnight cialis online[/url] cialis on line purchase
online pharmacy no prescription needed best drugstore face moisturizer
cialis no prescription paypal [url= ]generic cialis australia[/url] how to get cialis 800mg
cialis or viagra ? online cialis
cheap cialis 20 mg [url= ]best online pharmacy cialis[/url] cialis canadian purchase
generic cialis 40 mg [url= ]what to do when viagra and cialis dont work[/url] what happens when you mix cialis with grapefruit?
best generic cialis [url= ]cialis canada no prescription[/url] cialis dosage for women
what happens if a woman takes cialis [url= ]taking cialis for the first time[/url] cialis reddit
online pharmacy in canada [url= ]canadapharmacy[/url] voltaren gel canadian pharmacy
online pharmacy tech schools [url= ]canadian pharmacy viagra prices[/url] Himplasia
search canadian pharmacy [url= ]canadian discount pharmacy[/url] online canadian pharmacy reviews
best time of day to take cialis 5mg [url= ]cialis for sale online in canada[/url] cialis online kaufen
cialis 20 mg tablets [url= ]cialis with dapoxetine overnight delivery australia[/url] cialis extra
buy cialis online canada pharmacy [url= ]pharmacy rx one coupon code[/url] rx advantage pharmacy
cialis offer [url= ]cialis generika[/url] back pain from cialis
target store pharmacy [url= ]pharmacy technician training online free[/url] best value pharmacy