333.1 Discretionary Access Control (weight: 3)

Tech Tutorial: 333.1 Discretionary Access Control (weight: 3) #

Introduction #

In Linux systems, Discretionary Access Control (DAC) is a type of security model in which the access rights to files and directories are determined by the identity of the users and/or the groups to which they belong. This tutorial will cover the key concepts, commands, and utilities related to DAC in Linux, focusing on how permissions are managed and manipulated to secure resources.

Exam Objective: #

  • Understand and manage file permissions and ownership.

Key Knowledge Areas: #

  • File and directory permissions
  • Permission types (read, write, execute)
  • Changing permissions and ownership
  • Special permissions (setuid, setgid, and sticky bit)

Utilities: #

  • chmod
  • chown
  • chgrp
  • umask
  • ls -l and ls -ld

Step-by-Step Guide #

1. Understanding File and Directory Permissions #

Every file and directory in Linux has a set of permissions associated with it, which determine who can read, write, or execute the file. The permissions are displayed using the ls -l command.

Detailed Code Examples: #

# List files with detailed permissions
ls -l

# Sample output:
# -rw-r--r-- 1 user group 0 Sep 29 12:00 example.txt

In this output:

  • -rw-r--r-- represents the permission bits.
  • The first character identifies the file type (- for regular files, d for directories).
  • The next three characters (rw-) show the owner’s permissions.
  • The following three (r--) for the group.
  • The last three (r--) for others.

2. Changing Permissions and Ownership #

Using chmod #

The chmod command is used to change the file’s mode (permissions).

Examples: #
# Add execute permission to the owner
chmod u+x filename

# Remove write permission for the group
chmod g-w filename

# Set read and write permissions for the owner, and read permission for others
chmod 600 filename

Using chown #

The chown command changes the owner and/or group ownership of a file.

Examples: #
# Change the owner of a file
chown newowner filename

# Change the owner and group of a file
chown newowner:newgroup filename

Using chgrp #

The chgrp command changes the group ownership of a file.

Examples: #
# Change the group ownership of a file
chgrp newgroup filename

3. Special Permissions #

SetUID, SetGID, and Sticky Bit #

SetUID #

When set on an executable file, allows users to execute the file with the permissions of the file’s owner.

# Set the setuid bit
chmod u+s filename
SetGID #

When set on a directory, files created within the directory inherit the directory’s group, not the creating user’s primary group.

# Set the setgid bit on a directory
chmod g+s directoryname
Sticky Bit #

Often set on directories to prevent users from deleting files owned by other users.

# Set the sticky bit
chmod +t directoryname

4. umask #

The umask command sets the default file creation permissions. The system subtracts the umask value from the default permissions to determine the new file’s permissions.

Example: #

# Set the default permissions to allow read and write for the owner, and read for group and others
umask 022

Conclusion #

Understanding and managing DAC via file permissions and ownership in Linux is crucial for system security and proper data management. By mastering the use of commands like chmod, chown, chgrp, and umask, system administrators can effectively control who can access and modify files and directories, enhancing the overall security posture of the system.