I was asked to cover Linux Permissions and plan to cover both basic permissions as well as sticky bits and sharing directories / files.
If you are not familiar with the basics please see:
I also plan to cover sticky bits and acl:
Smart ACL management with Eiciel
[00:00] <bodhi_zazen> Are we ready to start ?
[00:00] * Snova is here
[00:00] <bodhi_zazen> weee hooo
[00:00] * tim_sharitt is ready
[00:00] <bodhi_zazen> first, sorry about the confusion re time and date
[00:01] <bodhi_zazen> again, I will do these Q&A sessions every 2 weeks or so
[00:01] <bodhi_zazen> I was asked to cover permissions today and to make it interesting will add in sticky bits and acl :)
[00:01] * RachedTN is ready too :)
[00:02] <bodhi_zazen> This is a good time to mention the shared ssh session
[00:02] <bodhi_zazen> http://paste.ubuntu.com/147955/
[00:02] <bodhi_zazen> we can use that for a hands on demo
[00:02] <bodhi_zazen> but if you are interested , please ssh in when you get a chance
[00:02] <bodhi_zazen> so you are ready to go when we start
[00:02] * Geek`N`Proud thought he'd stick around
[00:02] <Pretto> 404
[00:02] <bodhi_zazen> if you need help, ask and someone will answer in a PM
[00:02] <Daisuke-Ido> The requested URL /beginners/ufbt-guest was not found on this server.
[00:03] <bodhi_zazen> http://paste.ubuntu.com/147955/
[00:03] <WastePotato> Am I late?
[00:03] <Snova> No.
[00:03] <WastePotato> Ok.
[00:03] <bodhi_zazen> Ah, my mistake, lol
[00:03] <bodhi_zazen> http://bodhizazen.net/ufbt/ufbt-guest
[00:03] * bodhi_zazen bad
[00:04] <WastePotato> Yay. SSHing into bodhi_zazen's computer. \o/
[00:04] <bodhi_zazen> sweet :)
[00:04] <Snova> Or as close to it as you'll ever get...
[00:04] <bodhi_zazen> OK, let's start with the basics
[00:04] <bodhi_zazen> permissions often frustrate new users
[00:05] <bodhi_zazen> and it is a BIG change if you come from Windows
[00:05] <Daisuke-Ido> i'm going to pop back over to gnome
[00:05] <bodhi_zazen> Every file and directory has an owner (the one who made it), a group, and "other"
[00:05] <bodhi_zazen> permissions are rwx - read, write, and execute
[00:05] <bodhi_zazen> and so are listed with ls -l
[00:05] <bodhi_zazen> as 3 sets :
[00:06] <bodhi_zazen> rwxrwxrwx
[00:06] <bodhi_zazen> for owner:group:other
[00:06] <bodhi_zazen> a - means you do not have the permission
[00:06] <bodhi_zazen> so r--r--r-- is read only
[00:07] <bodhi_zazen> You can also see permissions graphically by right clicking a file
[00:07] <bodhi_zazen> and selecting the permissions tab
[00:07] <bodhi_zazen> To change permissions from the command line you can use "octals"
[00:07] <bodhi_zazen> which are listed here : http://www.zzee.com/solutions/linux-permissions.shtml
[00:08] <bodhi_zazen> or if you can not use the octals, use +rwx
[00:08] <bodhi_zazen> so, with the chmod command
[00:08] <bodhi_zazen> chmod o+rwx foo
[00:08] <bodhi_zazen> chmod g+r foo
[00:08] <bodhi_zazen> chmod 755 foo
[00:09] <bodhi_zazen> you change the group with chown or chgrp
[00:09] <bodhi_zazen> chown owner:group foo
[00:09] <bodhi_zazen> chown owner.group foo
[00:09] <bodhi_zazen> period works as well as a :, although it is deprecated >:)
[00:09] <bodhi_zazen> With the gui tools use the pull down menu
[00:10] <bodhi_zazen> The thing that is odd, directories
[00:10] <bodhi_zazen> you need to set the x to list the contents of a directory
[00:10] <bodhi_zazen> chmod a+x bar
[00:10] <bodhi_zazen> allows people to ls bar
[00:10] <bodhi_zazen> again see http://www.zzee.com/solutions/linux-permissions.shtml
[00:11] <bodhi_zazen> Questions about basic permissions ?
[00:11] <bodhi_zazen> otherwise I am going to move on to sticky bits >:)
[00:12] <bodhi_zazen> Sticky bits are not hard to understand, but they are odd
[00:12] <bodhi_zazen> They are also called SUID and SGID
[00:12] <bodhi_zazen> if you have an executable file or binary
[00:13] <bodhi_zazen> and you suid it, it runs with the permissions of the OWNER of the file, not the user who runs the script / binary
[00:13] <bodhi_zazen> so ...
[00:13] <bodhi_zazen> if the file is owned by root
[00:13] <bodhi_zazen> and you then chmod 755
[00:13] <bodhi_zazen> anyone can run the file
[00:14] <bodhi_zazen> if you run the script as a user, the process has permissions of the user who called it
[00:14] <bodhi_zazen> If, however, you chmod u+s foo
[00:14] <bodhi_zazen> now anyone can run the script and , as it is owned by root, it runs as if root called the script
[00:15] <bodhi_zazen> no password is required
[00:15] <bodhi_zazen> do not do this
[00:15] <bodhi_zazen> any script to be run by root should be owned by root and, IMO, called with sudo
[00:15] <bodhi_zazen> same thing applies to SGID
[00:15] <bodhi_zazen> if the SGID bit is set, the script runs with permissions of the group that owns the file
[00:16] <bodhi_zazen> with me so far ?
[00:16] <bodhi_zazen> One last bit, +t
[00:16] <bodhi_zazen> +t is the "sticky bit"
[00:16] <Spreadsheet> Can I talk?
[00:16] <bodhi_zazen> in the past it meant keep the script in memory
[00:16] <bodhi_zazen> Spreadsheet: yes
[00:16] <bodhi_zazen> anyone can break in at any time
[00:17] <Spreadsheet> Ok, I have a question
[00:17] <bodhi_zazen> this is an open session
[00:17] <bodhi_zazen> please :)
[00:17] <Spreadsheet> This is sorta related to the topic
[00:17] <Spreadsheet> Sometimes i use chown, and it doesn't work
[00:17] <Spreadsheet> Then i use it a couple more times and it does work...
[00:17] <Spreadsheet> Is this a bug?
[00:17] <pleia2> :)
[00:17] <bodhi_zazen> You can not chown a file or directory you do not own
[00:17] <bodhi_zazen> hey pleia2 :)
[00:18] <Spreadsheet> bodhi_zazen: All of the files on this comp belong to me...
[00:18] <bodhi_zazen> this makes sense in that a user can not chown a file owned by root
[00:18] <Spreadsheet> Oh wait
[00:18] <Pretto> never happened to me :D
[00:18] <bodhi_zazen> LMAO Spreadsheet
[00:18] <Spreadsheet> Ok, the file is owned by root
[00:18] <Spreadsheet> So then I use sudo
[00:18] <bodhi_zazen> to change a file owned by root you need sudo
[00:19] <bodhi_zazen> but you should not change ownership or permissions of system files
[00:19] <Spreadsheet> It's not a system file
[00:19] <bodhi_zazen> sudo -e /etc/fstab for example
[00:19] <Spreadsheet> /var/www/
[00:19] <bodhi_zazen> yea, that *should* be owned by www-data
[00:19] <Spreadsheet> ehh... go on
[00:19] <bodhi_zazen> so, add your user to www-data
[00:19] <bodhi_zazen> :)
[00:20] <bodhi_zazen> OK, we were talking sticky bits
[00:20] <bodhi_zazen> the most common use of a sticky bit is on a directory
[00:20] <bodhi_zazen> if a sticky bit is set on a shared directory (one with say permissions of 777)
[00:21] <bodhi_zazen> users can not delete files they do not own
[00:21] <bodhi_zazen> even though group or other permissions may allow rw access to a file
[00:21] <bodhi_zazen> There is a very nice review of sticky bits here : http://lokams.blogspot.com/2008/03/about-suid-sgid-and-sticky-bit.html
[00:22] <bodhi_zazen> and here : http://www.linuxdevcenter.com/pub/a/linux/lpt/22_06.html
[00:22] <bodhi_zazen> questions ?
[00:22] <bodhi_zazen> Otherwise I am going to talk about acl , or access control lists
[00:23] <bodhi_zazen> Please, all questions are welcome and it gets boring seeing a wall of bodhi.zazen speaking >:)
[00:23] <Snova> Might want to go into setuid/setgid (though that'd be another wall :P)
[00:23] <Snova> Oh wait
[00:23] * Snova wasn't here
[00:23] <Snova> Well, in that case, what does the sticky bit do on a file?
[00:23] <bodhi_zazen> lol Snova :)
[00:24] <bodhi_zazen> you mean the -t on a file ?
[00:24] <bodhi_zazen> or the SUID
[00:24] <Snova> Sticky bit... no idea what "-t" means. :P
[00:24] <bodhi_zazen> lol
[00:25] <bodhi_zazen> Snova: take a look at this linky : http://lokams.blogspot.com/2008/03/about-suid-sgid-and-sticky-bit.html
[00:25] <Spreadsheet> g2g
[00:25] <bodhi_zazen> I covered the topic just previous and do not want to repeat it ;)
[00:26] <bodhi_zazen> OK , acl stands for access control list
[00:26] <bodhi_zazen> the idea of an acl list comes into play when you have many, perhaps hundreds of users on a system
[00:26] <bodhi_zazen> and so then the "other" permissions get messy
[00:27] <bodhi_zazen> you do not want to create hundreds of groups for all the various user shares
[00:27] <bodhi_zazen> enter acl
[00:27] <bodhi_zazen> acl allows a user to set permissions on a file or directory for each user on the system
[00:28] <bodhi_zazen> acl is the backbone of SELinux, and if you understand acl you understand a lot about SELinux
[00:28] <bodhi_zazen> acl is installed by default on Ubuntu, but you need to "activate" it
[00:28] <bodhi_zazen> it is an option when you mount a file system
[00:28] <bodhi_zazen> so you
[00:29] <bodhi_zazen> mount /dev/sdxy /media/foo -o acl
[00:29] <bodhi_zazen> Or add acl to /etc/fstab in the options column
[00:29] <Pretto> so, acl is just for "others" right?
[00:29] <bodhi_zazen> yes and no Pretto
[00:29] <bodhi_zazen> I will demo it in a sec ...
[00:30] <bodhi_zazen> acl is a command line tool
[00:30] <bodhi_zazen> although there is a very nice gui tool, Eiciel
[00:30] <bodhi_zazen> http://www.linux.com/feature/138169
[00:31] <bodhi_zazen> Eiciel is in the Ubuntu repos , but I could not integrate it with Nautilus as in that link
[00:31] <bodhi_zazen> after you install it it is in the menu under System
[00:31] <bodhi_zazen> want to see acl in action ?
[00:31] * jgoguen nods
[00:32] <Pretto> yeap
[00:32] <bodhi_zazen> OK, everyone ssh into the shared session ?
[00:32] <bodhi_zazen> let me show a few things ...
[00:33] <bodhi_zazen> OK, permissions of new files are governed by umask
[00:33] <bodhi_zazen> so as you can see , the group is governed by the primary or effective group
[00:33] <bodhi_zazen> Now let's change groups for a sec
[00:34] <bodhi_zazen> the command was newgrp and it spawns a new shell
[00:34] <Pretto> :D
[00:34] <bodhi_zazen> do you see how that changed the group of the new file ?
[00:35] <bodhi_zazen> OK, so if I want a shared directory , I would now need to chmod all those files
[00:35] <bodhi_zazen> chmod -R 770 MAD
[00:35] <bodhi_zazen> or worse, chmod -R 777 MAD
[00:36] <bodhi_zazen> or chgrp and then chown, you get the idea
[00:36] <bodhi_zazen> now let us use ACL
[00:36] <bodhi_zazen> See the +s in the permissions ?
[00:36] <bodhi_zazen> the sgid is set
[00:38] <bodhi_zazen> Do you see how the sgid bit made the file "file.admin" owned by the group guru ?
[00:38] <bodhi_zazen> >:)
[00:38] <bodhi_zazen> OK, now acl ...
[00:38] <bodhi_zazen> You list the access list with getfacl file
[00:39] <bodhi_zazen> we set the acl with setfacl
[00:42] <bodhi_zazen> This changed the behavior of the directory, we set the defaults with -d and the options with -m and long handed rwx permissions
[00:42] <jgoguen> bodhi_zazen: so the default ACL entries will override the existing user/group/other permissions?
[00:42] <bodhi_zazen> yes jgoguen
[00:43] <bodhi_zazen> with that last command , I overrode the sgid we set
[00:43] <bodhi_zazen> the directory is not owned by admin
[00:43] <bodhi_zazen> default:group:admin:rwx
[00:43] <bodhi_zazen> watch
[00:44] <bodhi_zazen> hmm ,not what I expected, lol
[00:44] <Pretto> hhehhehhe. .weird
[00:45] <Pretto> so the + means that MAD has an acl?
[00:46] <bodhi_zazen> yes Pretto
[00:46] <bodhi_zazen> see how acl changed the group of "file" made by root ?
[00:46] <bodhi_zazen> from root.root to root.guru ?
[00:46] <bodhi_zazen> OK, now let's add a user
[00:47] <bodhi_zazen> see, now I added in the user, bodhi, who has rwx to the file MAD/file.guru
[00:48] <bodhi_zazen> user:bodhi:rwx
[00:48] <bodhi_zazen> and on
[00:48] <bodhi_zazen> Obviously acl is a bit complex
[00:48] <bodhi_zazen> and I will not claim to be an expert
[00:48] <bodhi_zazen> :)
[00:49] <bodhi_zazen> oops, apparmor is preventing me from showing you more with acl at the moment
[00:49] <bodhi_zazen> lol
[00:50] <bodhi_zazen> see : http://www.suse.de/~agruen/acl/linux-acls/online/
[00:50] <bodhi_zazen> for more info on acl
[00:50] <bodhi_zazen> and man acl
[00:50] <bodhi_zazen> and Eiciel
[00:51] <bodhi_zazen> Eiciel gives you a gui tool to manage acl
[00:51] <bodhi_zazen> Sorry if I rambled on too long about permissions
[00:51] <bodhi_zazen> :)
[00:51] <bodhi_zazen> we have 10 min left
[00:51] <bodhi_zazen> questions ?
[00:52] <bodhi_zazen> you like the shared ssh session ?
[00:53] <bodhi_zazen> I can demo apparmor if you want :)
[00:54] <bodhi_zazen> See how the /tmp directory has +t set ?
[00:54] <bodhi_zazen> you should now know what that means :)
[00:55] <bodhi_zazen> you should now understand why rootkits search for files with the suid bit set
[00:58] <jgoguen> bodhi_zazen: back to setuid/setgid...should setgid necessarily be avoided the same as setuid?
[00:59] <bodhi_zazen> probably jgoguen
[00:59] <bodhi_zazen> although it is not working as I expected
[01:00] <bodhi_zazen> if you need to run a script as root, use sudo
[01:00] <bodhi_zazen> If you need to give a user limited root access, use sudo and configure with visudo >:)
[01:00] <bodhi_zazen> Ah, apparmor is restricting me from further demos :)
[01:01] <bodhi_zazen> you will have to check out suid on your own , lol
[01:01] <jgoguen> I was thinking more along the lines of having a script write to a log file...but I suppose ACL would also handle that quite nicely :)
[01:01] <bodhi_zazen> acl FTW :)
[01:02] <bodhi_zazen> Once you learn acl , and you have a multiuser system, you will make good use of it
[01:02] <bodhi_zazen> acl does not make sense, however, on a single user system
[01:03] <Pretto> thank you for your explanations bodhi_zazen
[01:03] <bodhi_zazen> np Pretto :)
[01:03] <bodhi_zazen> thank you for coming
[01:03] <bodhi_zazen> anyone have a suggestion for next time ?
[01:04] <bodhi_zazen> In the long run, we will bring up a moodle site and content will be available for review pre and post sessions
[01:04] <bodhi_zazen> the BT is working on it
[01:04] <bodhi_zazen> If you have suggestions, add it here
[01:05] <bodhi_zazen> https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
[01:05] <bodhi_zazen> thank you everyone for coming
[01:05] <bodhi_zazen> please spread the word
[01:06] <bodhi_zazen> you should all have been disconnected from the shared session as I closed it :)
[01:06] <bodhi_zazen> see you again in 2 weeks
[01:06] <jgoguen> \o/ ty bodhi_zazen
[01:06] <bodhi_zazen> you are most welcome jgoguen
[01:06] <bodhi_zazen> I hope I learned you something