Practice Exercise: Mastering Linux File Permissions

Objective

Gain a solid understanding of Linux file permissions, including how to view, set, and manage them effectively.

Task 1: Understanding File Permissions

  • Open a terminal window.
  • Use the ls -l command to list files and directories in your current location.
  • Examine the output to understand the file permission format and what each part represents (e.g., -rwxr-xr--).
  • Identify the owner, group, and other permissions for various files and directories in the listing.
    [intern@intern-a1t-inf-lnx1 ~]$ ls -l
    total 5124
    -rw-rw-r--  1 intern intern     131 Sep 18 14:53 '#emacs_code.c#'
    drwxr-xr-x  2 root   root      4096 Dec 30  2022  bin
    drwxrwxr-x 18 intern intern    4096 Dec 30  2022  cri-dockerd
    -rw-rw-r--  1 intern intern     123 Sep 18 14:07  emacs_code.c
    -rw-rw-r--  1 intern intern      76 Sep 18 06:52  emacs_code.c~
    drwxrwxr-x  3 intern intern    4096 Dec 30  2022  go
    

Task 2: Changing File Permissions

  • Create a new directory using the mkdir command.
  • Use the touch command to create a few text files inside the directory.
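  • Use the chmod command with symbolic notation to change the permissions of one of the files (e.g., make it read-only for all users with a=r; the session below uses o=r, which sets only the "other" class to read and leaves owner and group unchanged).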
  • Use the chmod command with numeric notation to change the permissions of another file (e.g., give read and write permissions to the owner).
    [intern@intern-a1t-inf-lnx1 ~]$ mkdir new_directory
    [intern@intern-a1t-inf-lnx1 ~]$ touch new_directory/new_text.txt
    [intern@intern-a1t-inf-lnx1 ~]$ chmod o=r new_directory/new_text.txt
    [intern@intern-a1t-inf-lnx1 ~]$ ls -l new_directory/new_text.txt
    -rw-rw-r-- 1 intern intern 0 Sep 19 11:26 new_directory/new_text.txt
    [intern@intern-a1t-inf-lnx1 ~]$ touch new_directory/new_text2.txt
    [intern@intern-a1t-inf-lnx1 ~]$ chmod 600 new_directory/new_text2.txt
    [intern@intern-a1t-inf-lnx1 ~]$ ls -l new_directory/new_text2.txt
    -rw------- 1 intern intern 0 Sep 19 11:27 new_directory/new_text2.txt
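
The link between the permission string from Task 1 and the numeric notation used above, as an added example (not part of the original exercise). mode_to_octal is a hypothetical helper name; it also covers the s/t special bits that appear in Task 4.

```shell
# Convert the 10-character mode string printed by `ls -l` into the octal
# form accepted by chmod. mode_to_octal is a hypothetical helper name.
mode_to_octal() {
    mode=$1
    if [ "${#mode}" -lt 10 ]; then
        echo "bad mode string: $mode" >&2
        return 1
    fi
    special=0
    digits=""
    # Character 1 is the file type; 2-4 = owner, 5-7 = group, 8-10 = other.
    for class in 1 2 3; do
        start=$((class * 3 - 1))
        triad=$(printf '%s' "$mode" | cut -c"$start"-"$((start + 2))")
        r=$(printf '%s' "$triad" | cut -c1)
        w=$(printf '%s' "$triad" | cut -c2)
        x=$(printf '%s' "$triad" | cut -c3)
        value=0
        if [ "$r" = r ]; then value=$((value + 4)); fi
        if [ "$w" = w ]; then value=$((value + 2)); fi
        # Special bit shown in this class' execute slot:
        # owner -> SetUID (4), group -> SetGID (2), other -> sticky (1).
        case $class in 1) bit=4 ;; 2) bit=2 ;; 3) bit=1 ;; esac
        case $x in
            x)   value=$((value + 1)) ;;
            s|t) value=$((value + 1)); special=$((special + bit)) ;;  # special + execute
            S|T) special=$((special + bit)) ;;                        # special, no execute
        esac
        digits="$digits$value"
    done
    printf '%s%s\n' "$special" "$digits"
}

# Mode strings taken from the listings on this page.
mode_to_octal '-rw-------'   # new_text2.txt after chmod 600
mode_to_octal '-rwsr-xr-x'   # /usr/bin/passwd in Task 4
```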
    

Task 3: Managing File Ownership

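  • First, create another user with useradd.
  • Create a new text file using the touch command.
  • Use the chown command to change the owner of the file to another user (e.g., sudo chown user:user myfile.txt; a trailing colon with no group name, as in the session below, assigns the new owner's login group).
  • Next, add another group with groupadd.
  • Use the chgrp command to change the group of the file to a different group (the session below uses the equivalent chown :group form).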
  • Verify the changes by listing the file's details with ls -l.
    [intern@intern-a1t-inf-lnx1 ~]$ sudo useradd another_user
    [intern@intern-a1t-inf-lnx1 ~]$ touch new_directory/new_text3.txt
    [intern@intern-a1t-inf-lnx1 ~]$ sudo chown another_user: new_directory/new_text3.txt
    [intern@intern-a1t-inf-lnx1 ~]$ ls -l new_directory/new_text3.txt
    -rw-rw-r-- 1 another_user another_user 0 Sep 19 11:29 new_directory/new_text3.txt
    [intern@intern-a1t-inf-lnx1 ~]$ sudo groupadd another_group
    [intern@intern-a1t-inf-lnx1 ~]$ sudo chown :another_group new_directory/new_text3.txt
    [intern@intern-a1t-inf-lnx1 ~]$ ls -l new_directory/new_text3.txt
    -rw-rw-r-- 1 another_user another_group 0 Sep 19 11:29 new_directory/new_text3.txt
    

Task 4: Special Permissions and SetUID/SetGID

  • List the permissions of /usr/bin/passwd.
    [intern@intern-a1t-inf-lnx1 ~]$ ls -l /usr/bin/passwd
    -rwsr-xr-x 1 root root 55544 Nov 24  2022 /usr/bin/passwd
    
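  • As you can see, the owner permission shows s rather than x. This is the SetUID bit: the program runs with the privileges of the file's owner (root) rather than those of the user who launches it.
  • By running passwd you can modify the /etc/passwd file even though you only have read privileges on it, because the process runs as root. On current distributions the password hash itself is stored in /etc/shadow, so that is the file this session updates and the /etc/passwd timestamp below stays the same.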
    [intern@intern-a1t-inf-lnx1 ~]$ ls -l /etc/passwd
    -rw-r--r-- 1 root root 1624 Sep 19 11:31 /etc/passwd
    [intern@intern-a1t-inf-lnx1 ~]$ passwd
    New password:
    Retype new password:
    passwd: password updated successfully
    [intern@intern-a1t-inf-lnx1 ~]$ ls -l /etc/passwd
    -rw-r--r-- 1 root root 1624 Sep 19 11:31 /etc/passwd
    
  • Experiment with the SetGID bit by creating a new directory and setting the SetGID bit on it.
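
One way to run the SetGID experiment described above, as an added example that is not part of the original exercise. setgid_demo is a hypothetical helper name, everything is created under a throwaway mktemp directory, and GNU-style stat -c is assumed.

```shell
# SetGID on a directory: entries created inside take the directory's group,
# and new subdirectories get the SetGID bit themselves. No sudo is needed.
# The body runs in a subshell so umask and variables do not leak out.
setgid_demo() (
    umask 022
    work=$(mktemp -d) || exit 1
    mkdir "$work/shared"
    # If the user belongs to a second group, hand the directory to it so the
    # inheritance is visible; otherwise the primary group is kept.
    alt=$(id -G | tr ' ' '\n' | grep -vx "$(id -g)" | head -n 1)
    if [ -n "$alt" ]; then
        chgrp "$alt" "$work/shared" 2>/dev/null || true
    fi
    chmod 2775 "$work/shared"          # rwxrwsr-x: the leading 2 is SetGID
    touch "$work/shared/report.txt"    # regular file created inside
    mkdir "$work/shared/sub"           # subdirectory created inside
    dir_mode=$(stat -c '%a' "$work/shared")
    sub_mode=$(stat -c '%a' "$work/shared/sub")
    dir_gid=$(stat -c '%g' "$work/shared")
    file_gid=$(stat -c '%g' "$work/shared/report.txt")
    if [ "$file_gid" = "$dir_gid" ]; then
        match=inherited
    else
        match=not-inherited
    fi
    # Show the listing on stderr so the summary line below stays clean.
    ls -ld "$work/shared" "$work/shared/sub" "$work/shared/report.txt" >&2
    rm -rf "$work"
    printf '%s %s %s\n' "$dir_mode" "$sub_mode" "$match"
)

setgid_demo
```

The summary line reports the directory mode, the mode of the subdirectory created inside it, and whether the new file took the directory's group.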

Task 5: Permission Denials and sudo

  • Try to create a file in the root directory without sudo (e.g., touch /myrootfile.txt).
  • Understand the permission denial message.
  • Use the sudo command to create the file successfully.
  • Explore the /etc/sudoers file and understand how it controls sudo access for users.
    [intern@intern-a1t-inf-lnx1 ~]$ touch /myrootfile.txt
    touch: cannot touch '/myrootfile.txt': Permission denied
    [intern@intern-a1t-inf-lnx1 ~]$ sudo touch /myrootfile.txt
    [intern@intern-a1t-inf-lnx1 ~]$ ls -l /myrootfile.txt
    -rw-r--r-- 1 root root 0 Sep 19 13:08 /myrootfile.txt
    [intern@intern-a1t-inf-lnx1 ~]$ sudo cat /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults    env_reset
    Defaults    mail_badpass
    Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
    Defaults    use_pty
    
    # This preserves proxy settings from user environments of root
    # equivalent users (group sudo)
    #Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
    
    # This allows running arbitrary commands, but so does ALL, and it means
    # different sudoers have their choice of editor respected.
    #Defaults:%sudo env_keep += "EDITOR"
    
    # Completely harmless preservation of a user preference.
    #Defaults:%sudo env_keep += "GREP_COLOR"
    
    # While you shouldn't normally run git as root, you need to with etckeeper
    #Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
    
    # Per-user preferences; root won't have sensible values for them.
    #Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
    
    # "sudo scp" or "sudo rsync" should be able to use your SSH agent.
    #Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
    
    # Ditto for GPG agent
    #Defaults:%sudo env_keep += "GPG_AGENT_INFO"
    
    # Host alias specification
    
    # User alias specification
    
    # Cmnd alias specification
    
    # User privilege specification
    root    ALL=(ALL:ALL) ALL
    
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    
    # Allow members of group sudo to execute any command
    %sudo   ALL=(ALL:ALL) ALL
    
    # See sudoers(5) for more information on "@include" directives:
    
    @includedir /etc/sudoers.d
    

Conclusion

In this lab exercise, you've delved into the world of Linux file permissions. You've learned how to view and interpret permissions, change file permissions and ownership, work with special permissions, and use sudo to manage permissions effectively. Understanding file permissions is crucial for maintaining security and access control in a Linux environment.