
q28-permissions-and-acl

Statement§

Solve this question on: data-001

  1. On directory /srv/shared, set group ownership to dev and ensure new files inherit that group.
  2. Make /srv/shared writable by dev, with files unreadable by others.
  3. Grant user alice read+write access to /srv/shared/report.txt via ACL.
  4. Find all files with the SUID bit set under /usr/bin and write them into /opt/course/28/suid.

Solution§

Step 1 — Group ownership and SGID§

sudo chgrp dev /srv/shared
sudo chmod 2770 /srv/shared          # leading 2 = setgid on directory
ls -ld /srv/shared
# drwxrws--- 2 root dev ... /srv/shared

With SGID on a directory, every new file or subdir inside inherits the dev group — without it, files take the creator’s primary group.

Step 2 — Numeric and symbolic modes§

Permission digits:

Digit   r w x
7       1 1 1
6       1 1 0
5       1 0 1
4       1 0 0

Special bits (leading digit):

Bit      Value   Effect on file        Effect on directory
SUID     4       run as owner          -
SGID     2       run as group          new entries inherit group
Sticky   1       -                     only owner can delete (e.g. /tmp)

chmod 770 file                       # rwxrwx---
chmod u+x,g-w,o= file                # symbolic
chmod -R g+rwX /srv/shared           # capital X = exec only on dirs / already-exec files
chmod u+s /usr/local/bin/tool        # set SUID
chmod g+s /srv/shared                # set SGID on dir
chmod +t /srv/incoming               # sticky

Step 3 — POSIX ACLs§

Required: filesystem mounted with acl (default on most modern distros).

getfacl /srv/shared/report.txt
sudo setfacl -m u:alice:rw /srv/shared/report.txt        # add user ACL
sudo setfacl -m g:audit:r /srv/shared/report.txt         # add group ACL
sudo setfacl -x u:alice /srv/shared/report.txt           # remove ACL entry
sudo setfacl -b /srv/shared/report.txt                   # strip all ACLs

Default ACLs on directories (inherited by new entries):

sudo setfacl -d -m u:alice:rwx /srv/shared

A + after the mode in ls -l indicates extra ACL entries:

-rw-rw----+ 1 root dev 0 May 24 19:00 report.txt

The “mask” sets the maximum effective permission for named users/groups:

sudo setfacl -m m:rx /srv/shared/report.txt

Step 4 — Find files by permission bits§

sudo find /usr/bin -perm -4000 -type f > /opt/course/28/suid
# the redirect is performed by your shell, not by sudo: /opt/course/28 must be writable by you
sudo find / -perm -2000 -type f         # SGID
sudo find /tmp -perm -1000 -type d      # sticky directories
sudo find / -perm 777 -type f           # world rwx (exact)

-perm semantics:

-perm 777      exactly these bits, no others
-perm -4000    all listed bits set (other bits may be set as well)
-perm /6000    any of the listed bits set (here: SUID or SGID)

umask§

Defines bits removed from default 666 (files) / 777 (dirs):

umask                                   # show current
umask 027                               # files 640, dirs 750

Make it persistent in /etc/profile, /etc/login.defs (UMASK), or ~/.bashrc.

Ownership§

sudo chown alice:dev file
sudo chown -R alice /srv/alice          # recursive
sudo chown --reference=template.txt file

—The Gardener