Sudo and file permissions
I am configuring sudo on a server and have the following question. I only want a user group to run the /sbin/ifconfig . I have configured sudo:
User_Alias NETWORK = user1 Cmnd_Alias NETWORKING = /sbin/ifconfig Host_Alias MYHOSTS = localhost NETWORK MYHOSTS = (root) NETWORKING It works well for user user1: sudo ifconfig asks the password. But, I see that any computer user can run ifconfig also because the permissions on this file in /sbin are 755. Is it right? Should I also change the file permissions?
Usually every user can run ifconfig , but cannot make modifications like ifconfig eth0 down which requires root/sudo.
Then sudo command not completely blocked, but only certain actions. Although this is not a user in the sudo file permissions will continue having regular file, is that correct?
Correct, if I understand you right. In my own words: sudo only checks permissions if a command is executed via sudo command . Otherwise only the file system permissions (or other security mechanisms) are obeyed.
@aelbaz: What do you mean by ‘permissions will continue having regular file’? The effect of sudo /sbin/ifconfig (. ) is to run the /sbin/ifconfig command as user root , who can do more with that command than a regular user can, not because of the permissions set on /sbin/ifconfig or because of the lines in the sudo configuration, but because of permissions set on other files that are used by /sbin/ifconfig .
1 Answer 1
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
That does not affect the regular (file system) permissions. So, if an executable has permissions 755 ( -rwxr-xr-x ) every user on the system can execute it. But — depending on the executable — for some operations you get a permission denied error:
$ ls -l /sbin/ifconfig -rwxr-xr-x 1 root root 67912 May 11 2013 /sbin/ifconfig $ whoami user $ /sbin/ifconfig eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00 inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:29886 errors:0 dropped:0 overruns:0 frame:0 TX packets:17383 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:3706932 (3.5 MiB) TX bytes:34965406 (33.3 MiB) $ /sbin/ifconfig eth0 down SIOCSIFFLAGS: Operation not permitted $ sudo /sbin/ifconfig eth0 down [sudo] password for user: - no error - $
Please note that changing the permissions of /sbin/ifconfig to 700 ( -rwx—— ) will prevent normal users to execute it, but there might be others means to gain the information. E. g. the IP address via ip address or the /proc file system.
File Permissions in Linux – How to Use the chmod Command
Arunachalam B
Just as with other operating systems, multiple users can create user accounts and share the same machine running Linux OS.
But whenever different users share a system, problems of privacy can easily arise. The first user may not wish the next user to view, edit, or delete their files, for example.
The Linux Terminal possesses some superpowers when it comes to handling file permissions. You can grant or revoke permissions for every file and directory from your Linux Terminal.
What are File Permissions in Linux?
File permissions control which actions can be performed by which users. Read, Write, and Execute are the three actions possible for every file.
Users are classified under three broad categories: Normal users, Groups, and Others. Linux allows users to set permissions at a very granular level. You can secure your file or directory in every possible location of a file system.
There are three important commands you’ll use when managing file permissions:
Among these, chmod is one of the most important commands. We’ll discuss the chmod command in this tutorial, and I’ll get into the others in upcoming articles.
Let’s deep dive into the chmod command 🏊.
Actions you can perform on a file
Before we proceed further, I want to make sure you’re clear about how the Read, Write, and Execute actions of a file work. Read and write are pretty are self-explanatory – they determine whether a user can read or write to a file.
But, what’s an executable file?
A file is said to be executable if it has a sequence of instructions to achieve something. A good example is scripting files (Shell Scripts).
What is the chmod Command?
chmod is a command that lets you change the permissions of a file or directory to all types of users.
Here’s the syntax of the chmod command:
Now it is executable. He stared at me as if I was a hacker 😂. But really, it’s a pretty simple and basic concept.
How to Remove Permissions from a File in Linux
I work with my colleague Divad on lots of projects, and he likes to try to fool me. We work together on many hobby projects and we often write shell scripts for quick deployment.
Whenever he writes shell scripts, he always removes all the permissions from the file and pushes the changes to the remote repo. So every time I have to grant permissions using the above commands for whatever action I have to do.
Let’s have a quick look at the command he uses to remove file permissions.
Here we have a file named install.sh which has all permissions (Read, Write, Execute). Let’s remove the execute permission for this script file.
You’ll not be able to execute this file now. Trying so will give you an error as shown in the above screenshot.
Let’s remove the read permission from the file.
The same applies to removing write permission from the file:
You can achieve all the above together using the below command:
But, did you know that I can create another directory inside locked_directory named dir1 and read the files and folders in dir1 ?
Then what’s the purpose of the command we just ran before? Removing the read permission on the parent should remove the same on child directories too, right?
Well. That’s the exact thing I told you earlier. Linux manages a very granular level of file permissions.
If you want to apply the permissions to the parent directory and all its child directories, you need to pass an exclusive flag with the chmod command.
That flag is -R . It basically means applying the same permissions recursively to all sub-directories (child directories). So this permission will apply to the end child of a file/directory.
Here’s the syntax for that:
From the above screenshot, you can see that trying to view the child directory files has failed after removing the read permission recursively from the parent directory.
Another Way to Handle File Permissions in Linux
Alternatively, you can use Octal representation to control the file permissions.
We can use numbers to represent file permissions (the method most commonly used to set permissions). When you change permissions using the Octal mode, you represent permissions for each triplet using a number (4, 2, 1, or combination of 4, 2, and 1).
Let’s see the syntax for using octal mode:
Look at the first part of the output ( -rwxrwxrwx ) from the above screenshot. Let’s explore what it means:
The first character indicates the type of input.
- «-» indicates a file
- «d» indicates a directory
- «i» indicates a link (a symlink, which is a shortcut to a file/directory)
You group the next set of letters, at a maximum of 3 for each group. These groups represents corresponding permissions for user, group, and others.
Conclusion
In this article, you have learned about handling basic file and folder permissions.
I hope you enjoyed reading this tutorial. I have one request to all: give it a try on your own with some complicated scenarios like having permutations and combinations of permissions 😂. It’ll definitely be helpful in your entire career.
Subscribe to my newsletter by visiting my site and also have a look at the consolidated list of all my blogs.