As well as the standard read, write and execute permissions applied to files there are some special permissions. These include SUID, SGID, and sticky bit. SUID stands for Set owner User ID upon execution. Normally when a program runs, it inherits permissions from the logged-on user. When the SUID special permission is applied to a file, the file executes with the permissions of the user who owns the file.
This is shown in the screenshot below on the /usr/bin/mount file, where the user x permission is replaced with an s.
Ok so that’s nice, but why is it important. Well if the SUID bit is set on a service or executable that is owned by root then this can be used to escalate privileges on the affected system.
Finding files with a SUID can be achieved with the command below:
Netcat, often shortened to nc is a utility for reading from and writing to network connections using TCP or UDP. Its often viewed as the swiss army knife of network utilities and can be driven directly or used in scripts.
To send a file using netcat, on the receiving server:
In order to see what permissions have been set on a file the ls command can be used.
So what does all that mean? All of the lines start with a string like -rw-rw-r– or drwxrwxr-x. Lets brake this down. The first character can be either – or d, – denotes a file and d a directory.
The remaining characters are split into three groups of three characters. The first group denotes the permissions assigned to the user or the owner of the file. The next three are the permissions assigned to the group of the file and the last 3 are the permissions assigned to others.
The characters follow a simple scheme.
r = read
w = write
x = execute
– = no permission assigned
In the diagram above the user who created the file has read and write permissions but does not have execute permissions. The same permissions apply to the group. All other users only have read permissions.
Note the x -execute permission shown on the directory in the screenshot above means that the folder can be accessed by the user or group it is applied to.
Changing File Permissions
A useful command for managing file permissions is chmod which can be used in two ways, absolute mode or symbolic mode. Absolute mode uses numerals to define permissions whilst symbolic defines the permissions using letters.
Execute + Write
Read + Execute
Read + Write +Execute
For example, using absolute mode to set the permissions of a file to user to read+write+execute, group to read+write, other to read, you would run the command:
>chmod 764 file1.txt
Adds a permission to a file or directory
Removes the permission
Sets the permission and overrides the permissions set earlier.
Achieving the same permissions via symbolic commands as we did above looks like this:
>sudo chmod u=rwx file1.txt
Changing File Ownership
If you want to change who has access to a file you use the chown command. For example to change the user and group with access to a file:
>sudo chown user:group file
As an example
>sudo chown fbloggs:testgrp file1.txt
Now, file1.txt is able to be accessed by the fbloggs account or members of the testgrp.
Setting ACLs for Additional Users and Groups
All this is a bit limiting though, one user and one group per file, does not allow for much flexibility. The good news is that there is a way around this using Access Control lists.
To see whether a an ACL is set run the ls command
If you see a + at the end of the access control list then an ACL has been applied as is shown on fu.txt in the image below.
To see the acl use the getacl command.
> getacl fu.txt
In this case both the file owner ffugazi and another user and group fbloggs have access to the file.
To set an ACL on a file run setfacl.
To add an additional user or modify an existing user:
>setfacl -m u:username:rwx ./fu.txt
To add an additional group or modify an existing user:
>setfacl -m g:group:rwx ./fu.txt
To remove all permissions for a user:
>setfacl -x u:username ./fu.txt
To remove all permissions for a group:
>setfacl -x g:group ./fu.txt
Setfacl and getfacl can both be used on directories too. In the case of directories, a d is prepended to the permissions.
The Sticky Bit
One other extended permission that is worth mentioning is the sticky bit. Say for example you have a shared directory that all users of a system can access and edit. What is to stop a user from accidentally deleting files that were created by another user? Enter the sticky bit. This is a flag on a file or directory which lets only the owner of the file or the root user delete the file. How do we set this?
Groups play an important role in controlling the access to files and resources in Linux. However, group management is a little different in Linux from that of Windows. One difference is that when a user is created, a group with the same name as the user is also created. So if we set up a user ffugazi a group called ffugazi is also created and the user object is put in it. Another difference is the idea of nested groups does not exist in Linux, a single group will be applied to a single file.
Users can have primary and secondary groups. Primary groups are created when a user account is created and have the same name as the user; when a user carries out an action, by default it uses this group’s context for all actions. For example, when a user creates a file the group with the same name as their account (the primary group) is applied to the file. Primary groups are detailed in the /etc/passwd file.
Secondary groups are those a user may be added to once they already have an account, can be called anything, and can be used to grant access to shared resorces. They are detailed in /etc/group file.
This arrangement of primary and multiple secondary groups that a user can be a member of does mean that you have to remember that when you create a file unless you apply a shared group, no one else will have access by default, the chgrp command will need to be used to apply group to a file.
So how do we create a group in Linux?
>sudo groupadd testgroup
Removing a group is equally easy.
>sudo groupdel testgroup
If we want to modify a group there is the handy groupmod command. For example if we want to change the name of the group to testgrp:
>sudo groupmod -n testgrp testgroup
Adding or removing a user to or from a group is done using the gpasswd command. Adding users to groups can also be done using the adduser, useradd and usermod commands too.
Adding users to groups
>sudo gpasswd -a ffugazi testgrp
>sudo adduser ffugazi testgrp
>sudo useradd -G testgrp ffugazi
>sudo usermod -a -G testgrp ffugazi
usermod is also useful for adding a user to multiple groups
>sudo usermod –a –G group1,group2,group3 ffugazi
Removing a user from a group
>sudo gpasswd -d ffugazi testgrp
>sudo deluser ffugazi testgrp
Users can also be made an admin for the group.
>sudo gpasswd -A ffugazi testgrp
If we wanted to make a user an administrator on our Linux system we would use the command below to grant sudo access:
Ubuntu / Debian
>sudo usermod -a -G sudo ffugazi
On RHEL / Centos
>sudo usermod -a -G wheel ffugazi
If a user needs access to resources only accessible to their secondary group they would use:
Resources the group testgrp have permissions to access would now be available.
Verifying information about users and groups can be done with the getent and groups commands
Creating users in Linux is fairly straightforward and achieved as most things in Linux are, via the command line. To create a user account locally, make sure you sudo and run a command like the one below:
We need super user privileges for a variety of tasks on Linux, for example system-wide changes, changes that affect other users, and changing the configuration of services.
There are a few ways to get access to superuser privileges, the most commonly used when entering a single command is sudo.
>sudo apt install chromium
This will prompt you for a password, execute the command as root and then cache the password for a default time of 5 minutes.
If we want to make a change as though we were another user or even the root user we would use the su command. Su stands for substitute user.
> su -
this switches to the root user
> su - fred
this switches to the user fred
Not just any user is authorised to run su/sudo, your account must be authorised. Some distros, for example, Ubuntu have a sudo group as a secondary group on other distros you need to make your own group and add it to the /etc/sudoers file.
>visudo fred ALL=(ALL)
If you wanted to limit a user to having sudo rights over specific commands then the sudoers file would contain an entry like this.