Subsection 7.4.3 Lab Instructions for Linux Permissions
Let’s run some updates and install the ACL package using the following commands
sudo apt-get update
followed by
sudo apt-get install acl
. This will ensure that we have the latest package information and the ACL package installed. Note that we will use the
sudo
command, which is used in Unix-like operating systems and allows a user to run programs with the security privileges of another user, typically the superuser. It originally stood for "superuser do" and is commonly used to perform administrative tasks without needing to log in as the root user. It is not necessary if you are already logged in as the root user, but it is a good practice to use it for commands that require elevated privileges.
root@11ce9e5ee80e:/# sudo apt-get update
<snip>
root@11ce9e5ee80e:/# sudo apt-get install acl
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
acl
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 37.8 kB of archives.
After this operation, 197 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 acl amd64 2.2.53-6 [37.8 kB]
Fetched 37.8 kB in 0s (94.1 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package acl.
(Reading database ... 4127 files and directories currently installed.)
Preparing to unpack .../acl_2.2.53-6_amd64.deb ...
Unpacking acl (2.2.53-6) ...
Setting up acl (2.2.53-6) ...
Next, let’s add some users to our system. We will create four users: alice, bob, carol, and dave. We will use the
useradd
command to create these users. The
useradd
command requires superuser privileges, so we will use
sudo
to run it.
root@11ce9e5ee80e:/# sudo useradd alice
root@11ce9e5ee80e:/# sudo useradd bob
root@11ce9e5ee80e:/# sudo useradd carol
root@11ce9e5ee80e:/# sudo useradd dave
Traditional UNIX-style file permissions support user and group ownership of a file. Read, write, and execute permissions for a file can be set for the user, group, or others. You can view the permissions of a file with the
ls -l
command. Let’s make home directories for Alice, Bob, and Carol and view the default permissions. First run
cd home
and then create the directories with
mkdir alice bob carol
. Finally, run
ls -l
to view the permissions of the directories you just created.
root@11ce9e5ee80e:/# cd home
root@11ce9e5ee80e:/home# sudo mkdir alice bob carol
root@11ce9e5ee80e:/home# ls -l
total 12
drwxr-xr-x 2 root root 4096 Oct 28 01:28 alice
drwxr-xr-x 2 root root 4096 Oct 28 01:28 bob
drwxr-xr-x 2 root root 4096 Oct 28 01:28 carol
The text
drwxr-xr-x
tells us that these files are directories, the owner has read/write/execute permission, the group has read/execute permission, and other users have read/execute permission. It is important to note that execute permissions are required for viewing the contents of a directory.
Files owners and a groups are set with the
chown
command, following the format
chown <user>.<group> <filename>
. Let’s try to use this command to make the home directories of alice, bob, and carol private. Do this by running each of the following commands:
root@11ce9e5ee80e:/home# sudo chown alice:alice alice
root@11ce9e5ee80e:/home# sudo chown bob:bob bob
root@11ce9e5ee80e:/home# sudo chown carol:carol carol
Now let’s view the permissions again by running
ls -l
:
You should see the following output:
root@11ce9e5ee80e:/home# ls -l
root@11ce9e5ee80e:/home# ls -l
total 12
drwxr-xr-x 2 alice alice 4096 Oct 28 01:28 alice
drwxr-xr-x 2 bob bob 4096 Oct 28 01:28 bob
drwxr-xr-x 2 carol carol 4096 Oct 28 01:28 carol
When a user is added to a UNIX system with the
useradd
command a group with their name is created. This allows us to pass a group to
chown
that only they will have access to. While this is a good start, others still have the ability to read and execute these directories, meaning
anyone can view the contents. To prove this, lets assume the role of dave switching to the user dave by typing
su dave
and then do an
ls
on each of the directories as follows:
root@11ce9e5ee80e:/home# su dave (1)
$ ls alice
$ ls bob
$ ls carol
$ exit
The
ls
command was successful even though there were no files to look at. If we weren’t able to view the contents, we would have received a permission denied error. The
chmod
command is used to modify file permissions for a User (
u
), Group (
g
), Others (
o
), or All (
a
).
chmod
can remove a permission with
-
, add a permission with
+
, or set a permission (removing others) with
=
. Let’s use
chmod
to actually make these home directories private:
root@11ce9e5ee80e:/home# chmod u=rwx,g=,o= alice
root@11ce9e5ee80e:/home# chmod u=rwx,g=,o= bob
root@11ce9e5ee80e:/home# chmod u=rwx,g=,o= carol
root@11ce9e5ee80e:/home# ls -l
total 12
drwx------ 2 alice alice 4096 Oct 28 01:28 alice
drwx------ 2 bob bob 4096 Oct 28 01:28 bob
drwx------ 2 carol carol 4096 Oct 28 01:28 carol
Things look much better, but let’s test it and see if Dave can view any of the directories by running the following commands:
root@11ce9e5ee80e:/home# su dave
$ ls alice
ls: cannot open directory 'alice': Permission denied
$ ls bob
ls: cannot open directory 'bob': Permission denied
$ ls carol
ls: cannot open directory 'carol': Permission denied
$ exit
Lastly, lets make sure that Alice can view the contents of her home directory:
root@11ce9e5ee80e:/home# su alice
$ ls alice
$ exit
Question 7.4.2.
Using your first name (all lowercase) add yourself as a user and create a home directory for yourself. Set the permissions such that only you can view the contents. Show the permissions of the home directory and demonstrate that another user cannot view its contents. Take a screenshot showing all of this and submit this as one of your deliverables.
Unfortunately traditional UNIX file permissions often do not provide the granularity needed in a modern system. For example, lets assume that we wanted a web server to be able to view the contents of Alice, Bob, and Carol’s home directories. This is typically done to allow users to place a
public_html
directory in their home directory and set up a personal web space. We could do this by making their home directories viewable by others, but then we have the same issue we started with. We could also do this by changing the group ownership of their home directories to a group that the web server is part of, but then we open up the home directories to any other users or services that are part of that group.
The solution to this problem is to use Linux ACLs, which allow you to fine tune permissions,, allowing you to set specific access rights for individual users or groups beyond the traditional user, group, and other categories. Two commands,
setfacl
and
getfacl
are used to adjust Linux ACLs. As an example let’s add an http user, use the
setfacl
command to explicitly give the http user read and execute permissions to all three directories, list the new permissions, and list the new ACLs:
root@11ce9e5ee80e:/home# useradd http
root@11ce9e5ee80e:/home# setfacl -m u:http:rx alice bob carol
root@11ce9e5ee80e:/home# ls -l
total 12
drwxr-x---+ 2 alice alice 4096 Oct 28 01:28 alice (2)
drwxr-x---+ 2 bob bob 4096 Oct 28 01:28 bob
drwxr-x---+ 2 carol carol 4096 Oct 28 01:28 carol
root@11ce9e5ee80e:/home# getfacl alice bob carol
# file: alice
# owner: alice
# group: alice
user::rwx
user:http:r-x
group::---
mask::r-x
other::---
# file: bob
# owner: bob
# group: bob
user::rwx
user:http:r-x
group::---
mask::r-x
other::---
# file: carol
# owner: carol
# group: carol
user::rwx
user:http:r-x
group::---
mask::r-x
other::---
Question 7.4.4.
Your instructor may want you to take a screenshot showing that the http user has access to each directory.
When you are done, you can type exit to exit bash and stop the container.