Permissions
Access to every file on Linux is controlled using file permissions. These permissions control who can perform certain actions on files on the Linux file system and are broken down into:
- Read;
- Write; and
- Execute
For example, a user with read and execute permissions on a file would be able to read the file as well as execute it; however, this user would not be able to save any edits they make to the file, as they do not have write permissions.
Reading permissions
You may not have been aware, but you’ve already seen file permissions if you’ve completed the previous labs in this series. When running the command ‘ls -la’, you’re presented with a list of files in your current directory. One of the characteristics displayed in this list is the permissions of a file, displayed as a set of 10 characters:
drwxr-xr-x 1 linux linux 4096 Jun 1 11:23
drwxr-xr-x 1 root root 4096 May 10 2018
Let’s break it down:
The first character in our permissions **(d)** tells us that the files are actually both directories. If this character was a hyphen character **(-)** we know that it’s a regular file.
The next three characters (rwx in our above example) identify the permissions for the user who owns the file. The owner of the file is identified by looking at the third column in the file list. In the above example, the user linux owns the current directory (also known as ‘.’) and the user root owns the parent directory (aka ..). The permissions rwx tell us that the owners of these folders have read, write, and execute permissions on their respective directories.
The second set of three characters (r-x above) identify the permissions for users who are part of a specific group. In the above examples, users in the linux group have read and execute permissions on the current directory, and users in the root group have read and execute permissions on the parent directory.
Finally, the last three characters identify the permissions for everyone else on the system. If the user isn’t the owner of a file, or part of the group that owns the file, these are the permissions that apply to that user.
Numerical Notation
Sometimes, Linux file permissions are represented by a numerical value instead of the 10 characters explained above. Each file permission variant has a different numerical value associated with it (see below table) which can be converted into the text representation for permissions.
0 | ---
1 | --x
2 | -w-
3 | -wx
4 | r--
5 | r-x
6 | rw-
7 | rwx
For example, if given the numerical representation 754, you can convert each digit into the relevant file permission. 7 represents rwx, 5 represents r-x, and 4 represents r--. So we know…
- The owner of the file has read, write, and execute permissions
- The group members have read and execute permissions
- Everyone else has only read permissions.
Setting permissions
A user with write permissions on a file can change its permissions to enable or restrict access to it. Typically, the chmod command is used to update permissions of a file or folder.
The chmod command can change the permissions of a file based on the parameters you specify. You can either specify a numerical value (e.g., chmod 755 file) or, if you’re updating permissions for the current user, based on the action you wish to perform. For example, chmod -g +x file would add the executable file permission to all group members for a file. Similarly, removing the write permissions for the current user would be via the command chmod -w file.
Special File Permissions
There are three special permissions that can be used to override some behaviours. Each has its own use case.
Set User ID (SUID)
When this special permission is applied, it forces that file to run as the file owner, not as the user who started the file. When reading file permissions, the SUID bit can be seen as an S in place of the owner’s execute permission, as seen in the example below:
-rwSr--r-- 1 root root 4096 May 10 2018 myFile
Set Group ID (SGID)
Essentially, this is the same as the SUID permission, only this is set at a group level not a user level. As with SUID, this is shown as an S character in place of the execute permission – but this time, it’s the group permission changed.
-rw-r-Sr-- 1 root root 4096 May 10 2018 anotherFile
StickyBit
When creating files and directories, permissions are inherited from the parent. There are times when it is necessary to create a file that cannot be deleted in a user’s directory. StickyBit allows this as it is a special mode, meaning only the owner of the file can delete it. It is denoted by a ‘t’ at the end of the permissions string, shown in the example below.
-rwxr-xr-t 1 root root 4096 May 10 2018 stickyFile
Commands Overview
chmod [permissions] [file] – change the permissions of the file specified.
In this lab
In this lab, use the Linux terminal window to read the permissions of various files, and see how each of the permissions discussed can be represented on the command line. Use the information contained above to identify files with specific characteristics and convert file permissions from one format to another.
passwords
$ chage netadmin will allow one to set basic password checking parameters you could also look in to /etc/pam.d/
find
find / -name APPConsole.log -print 2>/dev/null
users
cat /etc/passwd | grep -i phantom getent
service
/bin/systemctl status nginx.service
strace
strace strace is super useful but A) requires root and B) has a lot of options you need to know and C) prints to STDERR instead of STDOUT so you have to specify 2> /output/file.txt or 2>&1 |tee or some such to get its information off the machine also strace typically gets the -f file to make it follow child processes you may as well learn ltrace too since you’re at it, both have similar options strace -f /opt/phantom/bin/phenv python2.7 /opt/phantom/bin/setup_warm_standby.pyc —standby-mode —off 2>&1 > /tmp/phantomstracestuff.txt
How to diagnose almost anything that hangs: strace -f -p >/tmp/strace.out 2>&1, or omit –p and run the executable in its place. If you can’t spot something hanging to use with –p, what you want to do is collect some sample JSON to test with, and run it all kinda like ”strace -f /opt/phantom/bin/phenv python2.7 /opt/phantom/…./cx_oracle_connector.pyc >/tmp/strace.out 2>&1”. It will send voluminous amounts of output to STDERR, which with the dup will send it to /tmp/strace.out, which you can then read with your favorite text editor.
Strace works on more or less anything that isn’t in kernel space; just be sure and use -f to follow children. The library equivalent ltrace is equally useful for when you hit dependency issues.
filediff
First if necessary convert to plain text: textutil -convert filetype filename Conversion options are txt, rtf, rtfd, html, doc, docx, odt, wordml, and webarchive, here’s sample syntax converting a text file named test.txt to an rtf: textutil -convert rtf test.txt diff (file input 1) (file input 2) diff bash.txt bash2.txt The -w flag can be handy for plain text files because it tells diff to ignore white space when comparing files. And of course you can use a full path to the files to compare as well if need be, for example to compare an edited hosts file with another version elsewhere: diff -w /etc/hosts ~/Downloads/BlockEverythingHosts.txt Sample output may look something like the following: $ diff -w /etc/hosts ~/Downloads/BlockEverythingHosts.txt Comparing directories: diff -ur mypiplist.txt mypiplist-dep.txt Or diff -rqServicesdf -k mypiplist.txt mypiplist-dep.txt
ntp
ntpstat ntpq -p chkconfig —list ntp date +%T -s 13:30:30 -u
sysstats
history |grep -i prox du -sxm * |sort -n dmidecode -t memory
dmidecode -t system
dmidecode -t processor
free -m
netstat -apn
mount ISO:
mkdir /mnt/disk mount -o loop /home/netadmin/Check_Point_R80.40_T294.iso /mnt/disk/mnt/disk/linux/p1_install/mds_setup
Manipulating text
You know how to edit files in text editors using the command line, but these editors aren’t the most efficient way to make multiple edits at once. For that, the tools tr and sed are incredibly useful.
Translate (tr)
You can use the tr command to manipulate text without needing to make multiple changes manually – think of the find and replace feature in a Word document. tr takes input and replaces all instances of a specific string with another, with the command tr [original_string] [string_to_replace]. For example, the command tr [a] [b] would replace every letter a with the letter b.
If you entered the command tr [a] [b] in your terminal, it would look like nothing is happening. This is because tr waits for input from the terminal to perform its replacement by default. If we wanted to make tr act on a file, we would need to use redirection operators: the less than (<) and greater than (>) characters.
By adding < file to our original tr [a] [b] command, tr would perform any replacement on the file’s content rather than wait for input from the command line. You can also add > filename to the command if you’d rather the output be saved directly to a file than output the results to the terminal.
If we put all that together, the command tr [a] [b] < myfile.txt > newfile.txt would:
- Take the contents of the file
myfile.txt - Replace every letter
awith a letterb - Save the results to a file called ‘newfile.txt’. If this file exists, overwrite it.
What makes tr even more powerful is the ability to specify character sets. This allows you to specify specific types of characters rather than having to specify each character.
For example, you may have a file in which you need to convert every lowercase character into uppercase.
Instead of writing tr [abcd...xyz] [ABCD...XYZ], you can use the sets [:lower:] and [:upper:] in the command: tr [:lower:] [:upper:] < lowercase.
Here are some other useful character groupings which tr is aware of:
[:alnum:] All letters and digits (A–Z, a–z, 0–9)
[:alpha:] All letters (A–Z, a–z)
[:digit:] All digits (0–9)
[:punct:] All punctuation characters
You can also use tr to remove character sets from a file. Use the command tr -d [:chars:] to remove a character set.
Overview
Programs execute in the Linux command line across three data streams which can be summed up as handling terminal input, terminal output, and any errors that should be displayed on the terminal. These are typically referred to as:
- stdin: the data going into the terminal
- stdout: ‘normal’ application output
- stderr: any error messages generated by the application
Standard input (stdin)
The stdin stream describes any input given to an application on the terminal. For example, if running command cat myfile, the contents of the file ‘myfile’ is considered to be the input. It is also possible to pass files as input using the < character. For example, the command tr [a] [b] < myfile uses the contents of the file ‘myfile’ as the stdin stream for the tr command.
Standard output (stdout) & standard error (stderr)
The stdout and stderr streams both handle the output generated by an application. Whilse stdout deals with the ‘normal’ output – assuming the application has behaved as expected – stderr is concerned with any error messages or warnings that appear.
Stream Redirection
There are several times where you may wish to redirect these streams and save them in different locations rather than just being output on the terminal.
The ‘>’ character can be used to save the output of a command to a file. However, adding a second ‘>’ character will instead append the output to an existing file, adding the output to the bottom of what already exists in the file.
For example, running the command ls > list would run the command ls and, instead of outputting the results to the terminal, save the results into a file called ‘list’. If the file already exists, it will be overwritten. However, if you were to enter the command ls >> list, the output of the ls command would instead be added to the existing ‘list’ file.
Stream File Descriptors
As seen in the image above each stream has an associated file descriptor number. These can be leveraged directly to control which screen you wish to redirect. This way you can explicitly direct just the stdout stream or just the stderr stream. This can be useful when you want to ignore errors or capture them as part of a log file without printing them directly to the screen. To use the file descriptor simply append the file descriptor number before the ‘>’ character as shown below for the output and error. You can direct each stream into a different file if both are included and you can even redirect one stream into the other to combine the two streams using the ‘&’ character.
some-program 1> output
some-program 2> error
some-program 1> output 2> error
some-program 1> output-and-error 2>&1
In this lab
In this lab you will need to run various commands and redirect the output to a range of different files. On successfully running each command you will generate a token that can be used to answer the corresponding question.