Thursday, June 23, 2016

[Quick Learn: Permissions]: Managing basic file permissions in Red Hat Linux


For today we will cover the following topics.
  1. Linux file permissions: basic permissions, special permissions with SUID, SGID and the sticky bit, and ACLs in Red Hat Linux.
  2. Managing network service configuration in Red Hat Linux using nmcli and nmtui.
  3. Secured remote access via ssh.

A user can have read, write or execute permission on any directory or file; additionally there are some special permissions, i.e. SUID, SGID and ACLs. Let us have a look at the various aspects of file and directory permissions.
Go to /home directory and list contents
# cd /home && ls -l
The leading d means it is a directory. Then we have rwx in the first three positions, which means the user (owner) has read (r), write (w) and execute (x) permission on the directory. The next three - (minus) signs show that the group does not have any permission, and the final three - (minus) signs show that there is no permission for others, i.e. the rest of the world that is not part of this group. Read, write and execute can also be denoted by the numerical values 4 (read), 2 (write) and 1 (execute). These permissions can be applied for user, group and other, or ugo.
Example
Create a file and change its permissions with the chmod command.
# touch examplefile
# chmod 754 examplefile
The above command sets read, write and execute permissions for the user (4+2+1), read and execute (4+1) for the group and read (4) for others.
Let us change permissions by another method, using the rwx letters.
Remove execute permission from the group for examplefile
# chmod g-x examplefile
Have a look
# ls -l examplefile 
-rw-r--r--. 1 root root 0 May 31 03:57 examplefile
Add execute permission for user, group and others
# chmod ugo+x examplefile
Have a look
# ls -l examplefile 
-rwxr-xr-x. 1 root root 0 May 31 03:57 examplefile
It is recommended to use the numeric method for changing file permissions, as it is simple and less confusing.
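As an added illustration (not part of the original tutorial), the following shell functions convert between the numeric form (754) and the rwx form (rwxr-xr--) of the basic user/group/other bits, and round-trip a mode through chmod and ls -l on a temporary file created with mktemp. The function names are my own.

```shell
#!/bin/sh
# Added example: numeric <-> symbolic permission conversion for the basic
# user/group/other bits, plus a chmod round-trip on a temporary file.

# Render one octal digit (0-7) as its rwx triplet: r=4, w=2, x=1.
digit_to_rwx() {
    case "$1" in
        0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
        2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
        4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
        6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
        *) echo "bad digit: $1" >&2; return 1 ;;
    esac
}

# Reverse of digit_to_rwx: add 4, 2, 1 for each letter present.
rwx_to_digit() {
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??x) n=$((n + 1)) ;; esac
    printf '%s' "$n"
}

# 754 -> rwxr-xr-- (the nine characters ls -l prints after the type letter).
mode_to_symbolic() {
    case "$1" in
        [0-7][0-7][0-7]) ;;
        *) echo "usage: mode_to_symbolic NNN" >&2; return 1 ;;
    esac
    u=${1%??}; g=${1#?}; g=${g%?}; o=${1#??}
    printf '%s%s%s\n' "$(digit_to_rwx "$u")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$o")"
}

# rwxr-xr-- -> 754
symbolic_to_mode() {
    [ "${#1}" -eq 9 ] || { echo "usage: symbolic_to_mode rwxr-xr--" >&2; return 1; }
    u=$(printf '%s' "$1" | cut -c1-3)
    g=$(printf '%s' "$1" | cut -c4-6)
    o=$(printf '%s' "$1" | cut -c7-9)
    printf '%s%s%s\n' "$(rwx_to_digit "$u")" "$(rwx_to_digit "$g")" "$(rwx_to_digit "$o")"
}

# Apply a numeric mode to a temporary file, read it back from ls -l (columns
# 2-10: after the type letter, before any SELinux '.' or ACL '+' marker) and
# return it as a numeric mode again.  The file is constructed and removed here.
apply_and_readback() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    perms=$(ls -l "$f" | cut -c2-10)
    rm -f "$f"
    symbolic_to_mode "$perms"
}

mode_to_symbolic 754        # rwxr-xr--
symbolic_to_mode rwxr-xr-x  # 755
apply_and_readback 754      # 754
```

The round trip is the point: whichever form you type, ls -l only ever shows the letters, so being able to read 754 off rwxr-xr-- (and back) is what makes the numeric method "less confusing".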

Understanding special permissions using SUID, SGID and sticky bit

Sometimes files require execute permissions for users who are not members of the owner's group; in that case you will be required to provide special execute permissions. When SUID is set, a user runs the program as the owner of the program. SUID means set user ID and SGID means set group ID.
SUID has a value of 4, or use u+s. SGID has a value of 2, or use g+s. Similarly the sticky bit has a value of 1, or use +t to apply it.

Managing SUID in Red Hat Linux

Let us have a look at the passwd command, which is executable by all users. You can notice a small 's' in the permissions of the file: because SUID is set on the program, every user can change their own password by executing that passwd binary.
Create some shell script as root.
# vim um.sh
Put some contents in that file
#! /bin/bash
echo "hi do you want to list contents of /root?"
read
rm -rf /
Now this is a very dangerous file. Give execute permission to the file.
# chmod +x um.sh
Run that file as some non-root user: the file will execute, but there will be a permission issue.
Let us assign the special permission to that file using SUID; now a user can run that file as its owner, which can cause serious damage.
# chmod +s um.sh
Have a look at the permissions now
The red highlighted area indicates that the file has SUID set.
Important: The above script is for example only; do not run this script on your system at all. You are never recommended to use SUID, it is never used in routine administration life; avoid giving special permission using SUID. Set user id is only used in some system files like the passwd command.
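Because a stray SUID file is exactly the kind of thing the warning above is about, here is an added example (my own code, not from the tutorial) of how an administrator keeps track of them: inventory every SUID/SGID file under a tree, save that as a baseline on a known-good system, and later report anything that appeared or changed. It assumes GNU find (for -printf); the demo paths come from mktemp.

```shell
#!/bin/sh
# Added example: inventory SUID/SGID files under a tree and compare against a
# saved baseline, so a set-id file that appeared since the last check stands out.
# Requires GNU find (-printf).

# Print "mode owner:group path" for every regular file with SUID (4000) or
# SGID (2000) set.  -xdev keeps the scan on one filesystem, e.g. when run on /.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u:%g %p\n' | LC_ALL=C sort
}

# Record the current inventory as the baseline (do this on a known-good system).
save_setid_baseline() {
    find_setid_files "$1" > "$2"
}

# Report entries present now but absent from the baseline: a new set-id file,
# or an existing one whose mode or ownership changed.  Exit status 1 when
# anything new is found so the check can drive a cron job or a monitoring alert.
compare_setid_baseline() {
    current=$(mktemp) || return 2
    find_setid_files "$1" > "$current"
    new=$(LC_ALL=C comm -13 "$2" "$current")
    rm -f "$current"
    if [ -n "$new" ]; then
        printf 'NEW set-id entries since baseline:\n%s\n' "$new"
        return 1
    fi
    echo "no new set-id files"
    return 0
}

# Typical use as root (baseline path is a placeholder, not run here):
#   save_setid_baseline / /var/lib/setid.baseline
#   compare_setid_baseline / /var/lib/setid.baseline
```

Run the compare from cron after a baseline has been taken; on a RHEL system the list should be short and stable (passwd and a handful of other system binaries), so any addition deserves a look.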

Managing SGID in Red Hat Linux

SGID on a directory is a special permission which makes files created inside it inherit the directory's group instead of the creator's primary group, so that other members of that group can use the file as members of the owner's group.
Example
Create a directory named /datashare
# mkdir /datashare
Create a new user named guest1
# useradd guest1
Create a group sales
# groupadd sales
Change group ownership of /datashare to sales group
# chgrp sales /datashare
Now, add user guest1 to the group sales (-a appends, so existing group memberships are kept)
# usermod -aG sales guest1
Create a new file in /datashare directory as user guest1
# su - guest1 -c  "touch /datashare/hi.txt"
Have a look at the permissions: this file belongs to group guest1
Now set the SGID bit on the folder /datashare
# chmod g+s /datashare
or
# chmod 2775 /datashare
Again create some file in /datashare
# su - guest1 -c  "touch /datashare/echo.txt"
Have a look at the ownership again
You can see that the group ownership of the new file is now sales.

Using Sticky bit in Red Hat Linux 7

The sticky bit is a permission bit on a directory that lets only the owner of a file delete or rename it. /tmp comes with the sticky bit set by default so that all users can write to that directory, but a file created by one user cannot be deleted by another user. Have a look
# ls -ld /tmp
You can see that although /tmp has read, write and execute permissions for all, the sticky bit is enabled, represented by the 't' in the last position, so that only the owner of a file can delete or rename that file.
Apply the sticky bit to a new folder with full permissions for all.
# mkdir /example && chmod 777 /example
Apply the sticky bit with the chmod command, adding +t.
# chmod +t /example
Create a file as user example1 and try to delete it logged in as user example2.
It is clear in the above example that only the owner of the file can delete or rename it.

Managing ACL in Red Hat Linux

An access control list is used to give permissions to more than one user or group on a file or directory; using ACLs you can give less permission to one group and more permission to another group on the same file.
You can also specify default permissions for newly created files and directories, for example defining that every newly created file in a directory gets the right permissions.
To see the current access control settings, run getfacl on a file or directory
# getfacl <file-or-directory>
Create a new directory
# mkdir acl
Let us give rw permission to group marketing for that directory using an ACL.
The ACL is defined with the setfacl command: -R for the recursive option, -m to modify (add) ACL entries, then the entry type (g for group), the group name and the permissions you want to assign.
# setfacl -R -m g:marketing:rw acl/
To set a default ACL for all files and directories that will be created inside that directory we need to define a default ACL; prefix the entry with d: to apply these settings as defaults.
# setfacl -m d:g:marketing:rw acl/
Have a look at these modified permissions
You can notice in the above example that the default entries and the group 'marketing' permissions are set to read and write.
Create a new directory under acl/
# mkdir acl/123
Have a look at the permissions; you can see that they are the same as the parent directory's.
# getfacl acl/123
ACLs play a very important role when you need to give access to some directory to more than one user or group.
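One thing getfacl output hides at first glance is the mask entry, which caps every named user/group entry and the owning-group entry; a later chmod on the group bits rewrites that mask and can silently shrink a grant like g:marketing:rw. The following added example (my own code, not from the tutorial) reads getfacl text and computes the effective rights of each entry. The ACL text is a constructed sample, not captured from the page's system.

```shell
#!/bin/sh
# Added example: compute the *effective* rights of each ACL entry from getfacl
# output.  Named user/group entries and the owning group are ANDed with the
# mask; owner (user::) and other:: are not.  default: entries only describe
# inheritance for new files and are skipped here.

# Constructed getfacl output: marketing was given rw-, but the mask is r-x,
# so its effective right is only r--.
SAMPLE_ACL='# file: acl
# owner: root
# group: root
user::rwx
user:guest1:rwx
group::r-x
group:marketing:rw-
mask::r-x
other::r-x'

# Bitwise AND of two rwx strings, position by position: "rw-" & "r-x" -> "r--".
and_perms() {
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s' "$1" | cut -c"$i")
        cb=$(printf '%s' "$2" | cut -c"$i")
        if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then
            out="$out$ca"
        else
            out="$out-"
        fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# Read getfacl text on stdin; print "tag:name:perms effective=..." per entry.
effective_acl() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | awk -F: '$1 == "mask" { print $3 }')
    printf '%s\n' "$acl" | grep -v '^#' | grep -v '^default:' | grep -v '^$' |
    while IFS=: read -r tag name perms; do
        if [ -z "$mask" ]; then
            eff=$perms                       # no mask entry: nothing to cap
        else
            case "$tag:$name" in
                user:|other:|mask:) eff=$perms ;;           # not masked
                *) eff=$(and_perms "$perms" "$mask") ;;    # named entries, owning group
            esac
        fi
        printf '%s:%s:%s effective=%s\n' "$tag" "$name" "$perms" "$eff"
    done
}

# Effective rights of one entry, e.g. effective_entry group:marketing -> r--
effective_entry() {
    effective_acl | grep "^$1:" | sed 's/.*effective=//'
}

printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

On a real system getfacl marks the same situation with an #effective: comment next to the capped entry; after `setfacl -m` the mask is recalculated automatically, so the trap is the chmod that comes later.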

Manage and configure networking in Red Hat Linux

There are certain tools with the help of which network services can be handled in Red Hat Linux 7.

Manage ip addressing using ip command in Red Hat Linux

Show current address
# ip addr show
Show default gateway or routing table
# ip route show
Add an IP address using the ip tool
  add - add a new IP
  dev - device name follows
  enp0s3 - the device name
# ip addr add dev enp0s3 192.168.100.1/24
Create a new gateway
# ip route add 192.168.0.0/24 via 192.168.100.1
Have a look
But if the server is rebooted, all these settings vanish, so you need to save them.
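The ip commands above take an address with a prefix length and a route for a network. As an added example (my own code, not from the tutorial), these shell functions validate an ADDRESS/PREFIX argument and derive the network and broadcast addresses, so the route line uses the network address (192.168.0.0/24) rather than a host address; they also generalise to any prefix length, not just /24.

```shell
#!/bin/sh
# Added example: validate an ADDRESS/PREFIX argument before handing it to
# `ip addr add`, and derive the network and broadcast addresses so the
# matching `ip route add` line carries a network address, not a host address.

# Dotted quad -> 32-bit integer.  Caller must have validated the address.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                          $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Return 0 for a well-formed A.B.C.D/N (octets 0-255, prefix 0-32).
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$prefix" in '' | *[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '' | *[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Netmask as an integer for a prefix length (24 -> 0xFFFFFF00).
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# 192.168.100.1/24 -> 192.168.100.0/24 (what a route entry should carry).
cidr_network() {
    valid_cidr "$1" || return 1
    n=$(ip_to_int "${1%/*}"); m=$(prefix_to_mask "${1#*/}")
    printf '%s/%s\n' "$(int_to_ip $(( n & m )))" "${1#*/}"
}

# 192.168.100.1/24 -> 192.168.100.255
cidr_broadcast() {
    valid_cidr "$1" || return 1
    n=$(ip_to_int "${1%/*}"); m=$(prefix_to_mask "${1#*/}")
    int_to_ip $(( n | (~m & 0xFFFFFFFF) ))
    echo
}

# True when no host bits are set, i.e. the argument names a network.
cidr_is_network() {
    [ "$(cidr_network "$1")" = "$1" ]
}

cidr_network 192.168.100.1/24    # 192.168.100.0/24
cidr_broadcast 192.168.100.1/24  # 192.168.100.255
```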
Storing IP configuration in Red Hat Linux
The easiest method is to use the GUI to manage IP addressing in Red Hat Linux 7: click on the network icon, go to settings and define the IP address.
Apply the settings; the network settings are now stored permanently in your network script under the /etc/sysconfig/network-scripts/ directory
# cd /etc/sysconfig/network-scripts/
Have a look in your network script
# nano ifcfg-enp0s3

Using nmcli and nmtui in Red Hat Linux 7

List the working connections
# nmcli connection show 
NAME UUID TYPE DEVICE 
enp0s3 2ecbad04-ce11-47b7-bf0f-aa4b3d2c5670 802-3-ethernet enp0s3
Add a new connection with nmcli, using the following options (you can use <TAB> to auto-complete the command):
  add - add a connection
  con-name - name of the new connection
  ifname - name of the interface
  type - interface type
  ip4 - IPv4 address to assign
# nmcli connection add con-name unixmen ifname enp0s3 type ethernet ip4 192.51.10.1/24
Show connections
# nmcli connection show
The new connection is listed.
A new script is generated in /etc/sysconfig/network-scripts/.
Bring this unixmen connection down
# nmcli connection down unixmen
Bring this connection up
# nmcli connection up unixmen
Another method to configure a network interface in Red Hat 7 is nmtui
# nmtui
Edit the connection you want to configure
Save the configuration, then restart NetworkManager
# systemctl restart NetworkManager
Display hostname
# hostnamectl status

Securing remote services with ssh in Red Hat Linux 7


Secure shell allows a user to log in to a server remotely in a secure way.
Login to server using ssh
# ssh localhost
When you log in for the first time using ssh, the server's key fingerprint is recorded permanently in .ssh/known_hosts under the home directory. Have a look
# cat ~/.ssh/known_hosts
The ssh server configuration settings are stored in the /etc/ssh/sshd_config file, have a look
# nano /etc/ssh/sshd_config
The default port for ssh is 22, but you can change that port via the configuration file; to disable root login change the PermitRootLogin setting to no.
When a client connects to the ssh server, the server sends its identity to the client by sending its /etc/ssh/ssh_host.pub file, which is a shared public key used to build a trusted connection.
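Editing sshd_config by hand has a gotcha worth knowing: sshd uses the first value it finds for a keyword, so a `PermitRootLogin no` added at the bottom is ignored if an earlier line already says yes. The following added example (my own code, not from the tutorial) reads a config, reports the effective Port, PermitRootLogin and PasswordAuthentication values, and flags the two settings a hardened host should have turned off. The config text is a constructed sample, not any real host's file.

```shell
#!/bin/sh
# Added example: report the effective values of the sshd_config settings the
# tutorial mentions.  sshd honours the *first* value it sees for a keyword; Match
# blocks are conditional, so only the global section before the first Match is read.

# Constructed sample: PermitRootLogin appears twice and the first "no" is the one
# sshd honours; PasswordAuthentication is still on globally.
SAMPLE_SSHD='#Port 22
Port 2222
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication no'

# sshd_effective KEYWORD  <config   -> first global value, or nothing if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match"               { exit }   # end of the global section
        tolower($1) == key                   { print $2; exit }  # first value wins
    '
}

# Audit the config on stdin; print findings, return their count (0 = clean).
sshd_audit() {
    cfg=$(cat)
    findings=0
    root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin)
    pw=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication)
    port=$(printf '%s\n' "$cfg" | sshd_effective Port)
    if [ "$root" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${root:-unset}', expected 'no'"
        findings=$((findings + 1))
    fi
    if [ "$pw" != "no" ]; then
        echo "FINDING: PasswordAuthentication is '${pw:-unset}'; set it to 'no' once key-based login works"
        findings=$((findings + 1))
    fi
    echo "INFO: Port is '${port:-unset (sshd built-in default applies)}'"
    return "$findings"
}

printf '%s\n' "$SAMPLE_SSHD" | sshd_audit || echo "audit exit status: $?"
```

This only parses the file; the authoritative view of what sshd will actually do, including Match blocks and built-in defaults, is `sshd -T` run as root on the server, and the audit above is a quick check to run before restarting the service.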

Connect to a remote host using key-based authentication instead of a password

In key-based authentication we use a private key, which is stored locally, and a public key, which is shared with the remote host. We need to generate those keys first using the following command; leave the passphrase empty when prompted.
# ssh-keygen
Notice that the id_rsa (private) and id_rsa.pub (public) keys are generated and stored in .ssh under the home directory.
Copy the public key to the target host.
# ssh-copy-id 192.51.15.205
Enter the password of the target machine when prompted.
Now ssh to the 192.51.15.205 machine; it will not ask for any password.
This is how we can manage remote services with trusted key-based remote access, or with password-based authentication.

Conclusion

Candidates should be able to manage file permissions, special file permissions using SGID, SUID and sticky bits, and advanced file permissions using ACLs. chmod, getfacl and setfacl are the important commands which must be memorised for RHCSA exam preparation. Think twice before defining file permissions, and never use SUID in routine Linux administration practices.
