


                Permissions
                
                Unix/Linux manage permissions by file access
                in Unix/Linux everything is a file
                
                we have 3 sets of permissions:
                
                User (Owner)    - u  (su to switch UID)
                Group           - g  (newgrp to switch GID)
                Other (Public)  - o
                
                id command will tell me my UID and GID
                
                when I run ls -l, I get lines like:
                
                -rwxr-xr-x 1 student00A students 2949 May 10 18:28 states

                whitespace delimited fields:
                
                1 - the type and permissions
                2 - the link count (number of hard links); the ln command updates this field
                3 - the owner (the system stores the UID, ls shows the name)
                4 - the Group (GID)
                5 - the file size
                6 - the last modification date/time (not the access time)
                7 - the name 
                
                field #1 the type/permissions:
                -rwxr-xr-x
                
                this is broken into chars
                
                char 1 - the type flag
                          d - directory
                          - - reg file
                          l - symbolic link
                     2,3,4 - the User permissions
                     5,6,7 - the Group permissions
                     8,9,10 - the Other permissions
                     
                ----------------------------------------------------
                r - Read
                w - Write
                x - eXecutable
                
                
                          file                         dir
                 r      cat,lp,cp (read contents)    ls (list the names)
                 w      vi, > (change contents)      mkdir,rmdir,rm,cp or mv into (change entries)
                 x      run it                       cd into it, reach entries by name
                
                note: rm and mv change the directory entry, not the file,
                so they need w on the dir; w on the file itself is not required
                          
                
                
                ----------------------------------------------
                I work on several projects, so I can switch the "current group"
                and that changes the permissions I can use
                
                however...
                I would love to switch to the root group, but I am not allowed
                
                the groups I can use are:
                1) my primary group, listed in /etc/passwd
                2) any group listed in /etc/group that has my userid listed as a member
                
                a password can be required when switching groups (newgrp),
                only if the group has a password set and I am not a member
                
                
                ---------------------------------------------------
                
                initial permissions:
                
                a new file has:  -rw-rw-rw- (666)
                and then a mask is applied to remove selected permissions
                
                a new dir has: drwxrwxrwx  (777)
                and the same mask is applied to remove selected permissions
                
                this mask is named: umask
                
                this mask uses a bit flag to remove the selected permissions
                
                r - 4
                w - 2
                x - 1
                
                so... this file:
                -rwxr-xr-x 1 jonathan jonathan  259 Jan 29  2021 zipper

                translates to:
                
                User = rwx = 4+2+1 = 7
                Group = r-x = 4+1 = 5
                Other = r-x = 4+1 = 5
                
                so.. the permissions are: 755
                
                a new file starts out as:      666
                the mask is                    022
                the resulting permissions are: 644  = -rw-r--r--
                
                umask is NOT subtraction: each bit set in the mask is cleared
                from the requested mode (mode AND NOT mask), nothing else changes
                umask also applies when a cp command creates a new file
                
                644 -rw-r--r--
                022  umask
                
                when I cp this file (without -p) I end up with a new file as
                
                644
                022
                644 <- the new file; the mask only clears bits, and the bits
                       in 022 are already off in 644, so nothing changes (NOT math)
                
                I can change umask on the command line, or I can set it up
                in my login profile (local or global)
                ~/.bash_profile   /etc/profile
                
                If I am paranoid I can set umask to 077 (nobody else gets anything)
                most systems default to 022 or 002; 027 is a common stricter choice
                that keeps group access but removes everything from Other
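                As an added example (not part of the original notes), a small POSIX shell
                script that does the translation above mechanically: perm_to_octal turns the
                10-character type/permission field of ls -l into a 4-digit octal mode (it
                also understands the s/S/t/T characters that appear once SetUID/SetGID/Sticky
                are set, which goes beyond the plain 755 case shown here), and apply_umask
                applies a umask the way the kernel does, as mode AND NOT mask, which is why
                644 stays 644 under umask 022 or 033 instead of becoming 622 or 611. The
                permission strings used as input are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: translate ls -l permission strings to octal and apply a
# umask the way the kernel does. Standalone, no real files are touched.

# perm_to_octal FIELD
#   FIELD is the first field of ls -l, e.g. -rwxr-xr-x or drwsr-sr-t.
#   A trailing '+' (ACL present) or '.' (SELinux label) is ignored.
#   Prints a 4-digit octal mode: special bits, then user/group/other.
perm_to_octal() {
    p=$1
    case $p in *[+.]) p=${p%?} ;; esac         # drop the ls "+" / "." suffix
    [ ${#p} -eq 10 ] || { echo "expected 10 characters, got '$p'" >&2; return 1; }
    rest=${p#?}                                # skip char 1, the type flag
    special=0 bits=0 i=1
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}                  # first char of rest
        rest=${rest#?}
        bits=$(( bits << 1 ))                  # make room for this bit
        case $c in
            r|w|x|s|t) bits=$(( bits | 1 )) ;; # s/t mean the x bit is also on
            -|S|T)     ;;                      # S/T: special bit on, x off
            *) echo "bad permission char '$c'" >&2; return 1 ;;
        esac
        case "$i$c" in                         # positions 3/6/9 are the u/g/o execute slots
            3[sS]) special=$(( special | 4 )) ;;   # SetUID
            6[sS]) special=$(( special | 2 )) ;;   # SetGID
            9[tT]) special=$(( special | 1 )) ;;   # Sticky Bit
        esac
        i=$(( i + 1 ))
    done
    printf '%o%03o\n' "$special" "$bits"
}

# apply_umask BASE MASK
#   BASE is what the program asked for (666 for files, 777 for dirs,
#   the source mode for cp); MASK is the umask. Both are octal strings.
#   The leading 0 makes the shell read them as octal.
apply_umask() {
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

# Constructed inputs for a quick look:
perm_to_octal '-rwxr-xr-x'     # 0755, the zipper file above
perm_to_octal 'drwsr-sr-t'     # 7755, all three special bits plus 755
apply_umask 666 022            # 0644, a new file under the default umask
apply_umask 644 033            # 0644, not 611: the mask clears bits, it does not subtract
```

                The umask line is the whole point of "umask is NOT math": 644 minus 033 would
                be 611, but bit 1 of Other (x) and bit 2 of Other (w) are already off in 644,
                so clearing them changes nothing.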
                
                ------------------------------------------------------
                
                I can change permissions to a file/dir 
                
                with the chmod command
                
                the chmod command has 2 formats:
                
                1) use the Octal numbers:
                    chmod 755 aFile <- u=rwx,g=rx,o=rx
                    chmod 700 * <- paranoia setting
                    
                2) use symbols
                    chmod u=rwx,g=rx,o=rx aFile
                    
                    symbols:
                    
                    u = User
                    g = Group
                    o = Other
                    a = all 
                    
                    = = assign
                    + = add
                    - = remove
                    
                    chmod u+x,g-rw,o=  aFile
                       User add eXecute
                       Group loses read, Write
                       Other is assigned nothing (no permissions at all)
                       
                
                ---------------------------------------------------
                
                Unix/Linux also offer "extended" permissions
                
                1) SetUID/SetGID/Sticky Bit
                
                2) ACL (Access Control Lists)
                
                ---------------------------------------------
                
                I have a problem:
                
                I am a regular User (not root) and I want to change my password
                that means I need write permission to the /etc/shadow file
                
                that is an issue!!!!!
                
                the problem boils down to:
                I need to run a program, and that program needs to run as if
                root were running it
                
                that is SetUID
                
                type passwd
                passwd is /usr/bin/passwd  <- the program I need to run
                
                ls -l /usr/bin/passwd
                -rwsr-xr-x 1 root root 26688 Sep 10  2015 /usr/bin/passwd
                   ^ see that 's' in the User eXecute field
                   that means SetUID is turned on
                
                this flag means that when I run this program, the process gets
                a second UID: the Effective UID (EUID) vs the Real UID (RUID)
                while this program runs the EUID is root, so the program can change
                the /etc/shadow file without me calling the SysAdm
                (my RUID stays me, which is how passwd knows whose entry to change)
                
                
                How do we do this?
                
                chmod takes 4 octal digits, not 3
                
                chmod 0755 * <- that first digit (defaults to zero)
                                 holds the SetUID/SetGID/Sticky Bit flags
                                 
                  SetUID = 4
                  SetGID = 2
                  Sticky Bit = 1
                  
                chmod 6744 data/*
                
                chmod 1755 data/Humor <- turn on Sticky Bit only: drwxr-xr-t
                chmod 7755 data/Humor <- all three bits on, which gives:
                
                drwsr-sr-t 2 student00A students 4096 May 10 18:28 Humor
                         ^ the 't' means the Sticky Bit is turned on
                   lower-case s/t means the matching x bit is also on;
                   an upper-case S/T would mean the special bit without x
                
                on Linux the Sticky Bit only matters on dirs (it is ignored on files)
                and it means, regardless of the w permission on the dir,
                only the owner of a file in that dir (or the dir's owner, or root)
                can delete or rename it
                it is used for /tmp (temp dir): drwxrwxrwt
                
                
                as an auditor I need to know which files have SetUID/SetGID
                turned on, and then compare that list to an "approved" list
                
                I use a "special" find command to list these permissions
                
                 find / -perm -4000 -print  <- -4000 means SetUID is on
                                               -2000 means SetGID is on
                                               (the leading - means "at least these
                                               bits", whatever else is set)
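                As an added example (not part of the original notes), the audit above as a
                POSIX shell script: find_setid lists SetUID or SetGID files under a tree,
                audit_setid compares that list with an approved list and exits non-zero when
                something unapproved shows up, and demo_audit runs it over a constructed
                tree under mktemp (the paths usr/bin/passwd, usr/bin/sudo and opt/app/helper
                in it are made up for the demonstration) so nothing is scanned under /.

```shell
#!/bin/sh
# Added example: audit SetUID/SetGID files against an approved list.
# Uses a constructed tree under mktemp so it runs without touching /.

# find_setid ROOT
#   Files under ROOT with SetUID (4000) or SetGID (2000) set, sorted.
#   -xdev keeps find on one filesystem; -type f skips dirs (SetGID on a
#   dir only makes new files inherit the dir's group, it grants no privilege).
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_setid ROOT APPROVED
#   Print the SetUID/SetGID files under ROOT that are not listed in the
#   APPROVED file (one full path per line). Exit status 1 when there is at
#   least one unapproved file, 0 otherwise, so it can gate a cron job or CI.
audit_setid() {
    unapproved=$(find_setid "$1" | grep -vxF -f "$2")
    [ -z "$unapproved" ] && return 0
    printf '%s\n' "$unapproved"
    return 1
}

# demo_audit
#   Constructed sample tree: two approved SetUID binaries, one unapproved
#   SetGID helper, one plain file. Prints the unapproved path relative to
#   the tree root and cleans up.
demo_audit() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/opt/app"
    for f in usr/bin/passwd usr/bin/sudo opt/app/helper opt/app/plain; do
        : > "$root/$f"
    done
    chmod 4755 "$root/usr/bin/passwd" "$root/usr/bin/sudo"   # SetUID, approved
    chmod 2755 "$root/opt/app/helper"                        # SetGID, not approved
    chmod 0755 "$root/opt/app/plain"                         # no special bits
    printf '%s\n' "$root/usr/bin/passwd" "$root/usr/bin/sudo" > "$root/approved.txt"
    audit_setid "$root" "$root/approved.txt" | sed "s|^$root||"
    rm -rf "$root"
}

demo_audit   # prints /opt/app/helper
```

                For a real run use `audit_setid / /etc/approved-setid.txt` as root (otherwise
                find cannot enter every directory and the list is incomplete), and keep the
                approved list from a known-good build of the same OS release. GNU find also
                accepts `-perm /6000` for "either bit", but the `-4000 -o -2000` form above
                is portable.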
                         
                         
                   
                -----------------------------------------------
                
                ACL Access Control List
                
                the problem: I have 2 groups I want to set permissions for
                basic Unix/Linux does not allow that, there is only one of each:
                
                User, Group, Other
                
                I also have a co-worker I am mad at, and want to remove
                that worker's permissions, without removing the rest of the group
                
                ACL to the rescue
                
                I just created a new file
                -rw-r--r-- 1 student00A students    0 May 11 17:24 q
                
                666 with the umask (0022) applied gives 644
                
                $ getfacl q
                # file: q
                # owner: student00A
                # group: students
                user::rw-
                group::r--
                other::r--
                
                $ setfacl -m u:student00B:r q
                
                after I set the file ACL and run ls -l
                I get:
                
                -rw-r--r--+ 1 student00A students 0 May 11 17:24 q
                          ^ that '+' means an ACL is set
                
                I then run getfacl q

                $ getfacl q
                # file: q
                # owner: student00A
                # group: students
                user::rw-
                user:student00B:r--
                group::r--
                mask::r--
                other::r--

                
                $  setfacl -m g:training:rwx q
                
                $  getfacl q
                # file: q
                # owner: student00A
                # group: students
                user::rw-
                user:student00B:r--
                group::r--
                group:training:rwx
                mask::rwx
                other::r--
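                As an added example (not part of the original notes), the two ACL cases
                above in one POSIX shell script: the second group (the g:training:rwx line)
                and the co-worker who is denied while the rest of the group keeps its r--.
                It uses numeric ids instead of account names so it runs on any box: 1001
                stands in for student00B, 1002 for the training group, 1003 for the
                co-worker; all three are assumptions, not real accounts. getfacl/setfacl come
                from the acl package, and the script prints "skipped" when they are missing
                or the filesystem has no ACL support.

```shell
#!/bin/sh
# Added example: grant a second user, a second group, and deny one user
# with setfacl, then read the result back. Numeric ids are assumed:
#   1001 = student00B, 1002 = training, 1003 = the co-worker.

# acl_show FILE
#   The ACL entries only (-c drops the header, -n keeps ids numeric),
#   followed by the ls -l mode column so the mask effect is visible.
acl_show() {
    getfacl -c -n "$1" 2>/dev/null
    ls -l "$1" | cut -c1-11
}

# demo_acl
#   Prints "skipped" when setfacl/getfacl are missing or the filesystem
#   has no ACL support; otherwise prints the ACL after the changes.
demo_acl() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 \
        || { echo skipped; return 0; }
    dir=$(mktemp -d) || return 1
    f=$dir/q
    umask 022
    : > "$f"                                  # -rw-r--r-- like the q file above
    # u:1001:r    a second user gets read (the student00B line)
    # g:1002:rwx  a second group, which plain User/Group/Other cannot express
    # u:1003:---  one member of the group denied; group::r-- stays as it was
    if ! setfacl -m u:1001:r,g:1002:rwx,u:1003:--- "$f" 2>/dev/null; then
        rm -rf "$dir"; echo skipped; return 0
    fi
    acl_show "$f"
    rm -rf "$dir"
}

demo_acl
```

                Two things to check when reading the output. First, mask:: is the upper
                limit for every named user, named group and the owning group, and setfacl
                recomputes it to the union of those entries (rwx here) unless you pass -n;
                once an ACL exists, ls -l shows that mask in the Group column, so
                `-rw-rwxr--+` does not mean the students group got rwx, only getfacl tells
                you who has what. Second, the u:1003:--- entry wins over the co-worker's group
                membership because named-user entries are checked before group entries; to
                undo it later use `setfacl -x u:1003 q`, and `setfacl -b q` strips the whole
                ACL.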

