Skip to main content

Section 7.4 Lab: Linux File Permissions

In this lab we are going to explore UNIX-style file permissions and determine what they can do and why they are limited. Finally we will see how Linux ACLs provide more flexibility in assigning permissions.
We will be working in a vanilla Ubuntu container and installing software and adding users manually. Let’s start up the container, install the packages we need, and add some users to work with.

Subsection 7.4.1 Linux Permissions in a Github Codespace

Go github.com/pearcej/security-linux
 1 
github.com/pearcej/security-linux
. Then:
  1. Fork this codespace into your own Github repository.
  2. Navigate to your repository on GitHub.
  3. Click the green Code button and select Codespaces.
  4. Click "Create codespace on main".
  5. Wait for the codespace to be created.
Be sure to either stop or delete this codespace when you are done by clicking the "Stop" button or the "Delete" button in the Codespaces tab of your repository.
Next, please skip the next section and follow the directions in Subsection 7.4.3.

Subsection 7.4.2 Linux Permissions in a Local Docker installation

Start a vanilla container by running docker run -it ubuntu bash to get an Ubuntu container.

Subsection 7.4.3 Lab Instructions for Linux Permissions

Let’s run some updates and install the ACL package using the following commands sudo apt-get update followed by sudo apt-get install acl. This will ensure that we have the latest package information and the ACL package installed. Note that we will use the sudo command, which is used in Unix-like operating systems and allows a user to run programs with the security privileges of another user, typically the superuser. It originally stood for "superuser do" and is commonly used to perform administrative tasks without needing to log in as the root user. It is not necessary if you are already logged in as the root user, but it is a good practice to use it for commands that require elevated privileges.
root@11ce9e5ee80e:/# sudo apt-get update
<snip>
root@11ce9e5ee80e:/# sudo apt-get install acl
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  acl
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 37.8 kB of archives.
After this operation, 197 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 acl amd64 2.2.53-6 [37.8 kB]
Fetched 37.8 kB in 0s (94.1 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package acl.
(Reading database ... 4127 files and directories currently installed.)
Preparing to unpack .../acl_2.2.53-6_amd64.deb ...
Unpacking acl (2.2.53-6) ...
Setting up acl (2.2.53-6) ...
Next, let’s add some users to our system. We will create four users: alice, bob, carol, and dave. We will use the useradd command to create these users. The useradd command requires superuser privileges, so we will use sudo to run it.
root@11ce9e5ee80e:/# sudo useradd alice
root@11ce9e5ee80e:/# sudo useradd bob
root@11ce9e5ee80e:/# sudo useradd carol
root@11ce9e5ee80e:/# sudo useradd dave
Traditional UNIX-style file permissions support user and group ownership of a file. Read, write, and execute permissions for a file can be set for the user, group, or others. You can view the permissions of a file with the ls -l command. Let’s make home directories for Alice, Bob, and Carol and view the default permissions. First run cd home and then create the directories with mkdir alice bob carol. Finally, run ls -l to view the permissions of the directories you just created.
root@11ce9e5ee80e:/# cd home
root@11ce9e5ee80e:/home# sudo mkdir alice bob carol
root@11ce9e5ee80e:/home# ls -l
total 12
drwxr-xr-x 2 root root 4096 Oct 28 01:28 alice
drwxr-xr-x 2 root root 4096 Oct 28 01:28 bob
drwxr-xr-x 2 root root 4096 Oct 28 01:28 carol
The text drwxr-xr-x tells us that these files are directories, the owner has read/write/execute permission, the group has read/execute permission, and other users have read/execute permission. It is important to note that execute permissions are required for viewing the contents of a directory.
Files owners and a groups are set with the chown command, following the format chown <user>.<group> <filename>. Let’s try to use this command to make the home directories of alice, bob, and carol private. Do this by running each of the following commands:
root@11ce9e5ee80e:/home# sudo chown alice:alice alice
root@11ce9e5ee80e:/home# sudo chown bob:bob bob
root@11ce9e5ee80e:/home# sudo chown carol:carol carol
Now let’s view the permissions again by running ls -l:
You should see the following output:
root@11ce9e5ee80e:/home# ls -l
root@11ce9e5ee80e:/home# ls -l
total 12
drwxr-xr-x 2 alice alice 4096 Oct 28 01:28 alice
drwxr-xr-x 2 bob   bob   4096 Oct 28 01:28 bob
drwxr-xr-x 2 carol carol 4096 Oct 28 01:28 carol
When a user is added to a UNIX system with the useradd command a group with their name is created. This allows us to pass a group to chown that only they will have access to. While this is a good start, others still have the ability to read and execute these directories, meaning anyone can view the contents. To prove this, lets assume the role of dave switching to the user dave by typing su dave and then do an ls on each of the directories as follows:
root@11ce9e5ee80e:/home# su dave (1)
$ ls alice
$ ls bob
$ ls carol
$ exit

Note 7.4.1.

(1) The switch user or su command allows us to assume the role of anyone, often it is used to assume the role of the superuser by using it without a username as su. In this case we are using su dave to assume the role of dave, who is a regular user.
The ls command was successful even though there were no files to look at. If we weren’t able to view the contents, we would have received a permission denied error. The chmod command is used to modify file permissions for a User ( u), Group ( g), Others ( o), or All ( a). chmod can remove a permission with -, add a permission with +, or set a permission (removing others) with =. Let’s use chmod to actually make these home directories private:
root@11ce9e5ee80e:/home# chmod u=rwx,g=,o= alice
root@11ce9e5ee80e:/home# chmod u=rwx,g=,o= bob
root@11ce9e5ee80e:/home# chmod u=rwx,g=,o= carol
root@11ce9e5ee80e:/home# ls -l
total 12
drwx------ 2 alice alice 4096 Oct 28 01:28 alice
drwx------ 2 bob   bob   4096 Oct 28 01:28 bob
drwx------ 2 carol carol 4096 Oct 28 01:28 carol
Things look much better, but let’s test it and see if Dave can view any of the directories by running the following commands:
root@11ce9e5ee80e:/home# su dave
$ ls alice
ls: cannot open directory 'alice': Permission denied
$ ls bob
ls: cannot open directory 'bob': Permission denied
$ ls carol
ls: cannot open directory 'carol': Permission denied
$ exit
Lastly, lets make sure that Alice can view the contents of her home directory:
root@11ce9e5ee80e:/home# su alice
$ ls alice
$ exit
Looks good!

Question 7.4.2.

Using your first name (all lowercase) add yourself as a user and create a home directory for yourself. Set the permissions such that only you can view the contents. Show the permissions of the home directory and demonstrate that another user cannot view its contents. Take a screenshot showing all of this and submit this as one of your deliverables.
Unfortunately traditional UNIX file permissions often do not provide the granularity needed in a modern system. For example, lets assume that we wanted a web server to be able to view the contents of Alice, Bob, and Carol’s home directories. This is typically done to allow users to place a public_html directory in their home directory and set up a personal web space. We could do this by making their home directories viewable by others, but then we have the same issue we started with. We could also do this by changing the group ownership of their home directories to a group that the web server is part of, but then we open up the home directories to any other users or services that are part of that group.
The solution to this problem is to use Linux ACLs, which allow you to fine tune permissions,, allowing you to set specific access rights for individual users or groups beyond the traditional user, group, and other categories. Two commands, setfacl and getfacl are used to adjust Linux ACLs. As an example let’s add an http user, use the setfacl command to explicitly give the http user read and execute permissions to all three directories, list the new permissions, and list the new ACLs:
root@11ce9e5ee80e:/home# useradd http
root@11ce9e5ee80e:/home# setfacl -m u:http:rx alice bob carol
root@11ce9e5ee80e:/home# ls -l
total 12
drwxr-x---+ 2 alice alice 4096 Oct 28 01:28 alice (2)
drwxr-x---+ 2 bob   bob   4096 Oct 28 01:28 bob
drwxr-x---+ 2 carol carol 4096 Oct 28 01:28 carol
root@11ce9e5ee80e:/home# getfacl alice bob carol
# file: alice
# owner: alice
# group: alice
user::rwx
user:http:r-x
group::---
mask::r-x
other::---

# file: bob
# owner: bob
# group: bob
user::rwx
user:http:r-x
group::---
mask::r-x
other::---

# file: carol
# owner: carol
# group: carol
user::rwx
user:http:r-x
group::---
mask::r-x
other::---

Note 7.4.3.

(2) In drwxr-x---+ 2 alice alice 4096 Oct 28 01:28 alice notice the + sign indicating there are extra permissions.

Question 7.4.4.

Your instructor may want you to take a screenshot showing that the http user has access to each directory.
When you are done, you can type exit to exit bash and stop the container.

Note 7.4.5.

If you chose to use a Github codespace, don’t forget to stop or delete the codespace by clicking the "Stop" button or the "Delete" button in the Codespaces tab of your repository.
You have attempted 1 of 1 activities on this page.