Today, GNU/Linux based operating systems are considered to be among the most secure available. They're used by a majority of the largest supercomputers we have available, far outpacing the amount of computers running UNIX or Windows. And one of the reasons Linux holds its reputation for security is the way it handles user access. Its user and group control functions were developed around the time of the first UNIX systems, and these controls allow file owners to control access to reading, execution, and writing of files, directories, processes and other system tools.
This access control system inside Linux OSs fundamentally works by assigning each object in its file system two attributes: owner and group. Owner is a user that owns any given file or directory. The owner has unlimited access to the files/directories, and has full control of other users' permissions to these files/directories. A group consists of multiple users that have access to any given file or directory. A system user could belong to multiple user groups.
The id -a command will return the user and group that's currently using the file. The command
$ /usr/bin/id -a
will give you something like this:
uid=1000(username) gid=1000(groupname1) groups=1000(groupname1), 1001(groupname2)
In this case, groupname1(gid=1000) is the effective group, and the group groupname2(gid=1001) is not. As you can expect, a user in a group that has access permission will also be allowed access. Which gid is considered effective is important when creating new directories and files. The list of system users is located in /etc/passwd, and list of groups is located in /etc/group. If that looks kinda weird to you, the /etc/passwd file used to store passwords in previous versions of this system, but this list is now located in /etc/shadow. You can pull the file up using $ sudo /bin/grep username /etc/shadow, though access to this file is usually restricted to normal users.
Another command you'll likely use a lot is the stat command, that will look something like:
$ /usr/bin/stat /etc/fstab | grep "Access: ("
Access: (0644/-rw-r--r--) Uid: ( 0/root) Gid: ( 0/root)
What this command is doing here is returning the attributes of a file. So we can see in our example, that the /etc/fstab file is owned by the user root (uid=0) within a group of the same name. The access rights are displayed here in form of the 0644 and of the access attributes as (-rw-r--r--).
Each digit in the 0644 can go from 0 to 7 (base 8). We can look at this number in binary (base 2) and it will look like 110 100 100 which we can then compare to the analogous attributes rw-r--r--. As you can see, these sequences become almost identical (every letter a 1, every dash a 0). Each of the letters can either be r (read), w (write), and x (execute). The format there is a rwx slot for every "level" of permissions (user, group, world). So we get a rw- for user, r-- for group, and r-- for world in this example. You might notice there's another dash in the front of that original readout (-rw--r--r--). The first symbol (which is a "-" in this case) is defined by the file type. The dash (-) is for a regular file, but you might also see d for a directory, l for a symbolic link file, c for character device file, p for named pipe, s for socket, and b for block file.
So let's get back to the original numerics though (0644). The attributes here break down as follows; read (4), write (2), and execute (1). They combine together arithmetically, so the 6 in the sequence is a combination of read and write (4 and 2) but not execute (1).
With the information in our example in mind, we can conclude that the file owner (root) can read and write to the /etc/fstab file, but not execute it. The group root, however, can only read it.
We talked earlier about passwords stored in the /etc/shadow file, that normally can't be read by regular users. Let's use our stat command to see its attributes:
$sudo /usr/bin/stat /etc/shadow | grep "Access: ("
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 42/ shadow)
Just like we expected, only root user has read/write access, the group has only read access, and everyone else is locked out entirely.
Besides the stat utility, there are a few other methods of going through permissions for files and directories. One of the more popular alternatives is the ls utility with a -l flag, which will also return user permissions in the rwx format we talked about earlier. It looks something like this:
$ /bin/ls -l /etc/fstab
-rw-r--r-- 1 root root 1047 jan 11 2018 /etc/fstab
You can see how similar the return values are to the ones for the stat command.
There's also the umask utility, which sets default permissions for all new files and directories. By default, it will assign permissions in the form of 0022 which, if you look at our earlier example, means the newly created file will have full access permissions, and the group and other users will only have read and execute rights.
The utility chmod is the standard method of controlling these access rights in Linux.
If we have a text.txt file with 0644 rights and want to change it so that every user can write to it, you'll use chmod to do something like this:
$ touch text.txt
$ /bin/ls -lh text.txt
$ /bin/chmod 666 text.txt
$ /bin/ls -lh text.txt
Now you can write to the file with something like:
# su Jack -s /bin/bash
$ echo hello > test.txt
$ cat test.txt
There's also an utility for permissions called Access Control Lists (abbreviated ACL) that allows for access permissions to be delegated with much more granularity. However, I think we've been here long enough and our coverage of ACL will have to wait for another article.
Hope this was helpful to you, and if you have any questions about this article or anything else ServerSuit, leave a comment or reach out through our Twitter and Facebook. Like and follow us for ServerSuit updates and our follow up articles.
Until Next Time!