LinuxQuestions.org
Linux - Security
11-08-2012, 05:40 AM   #1
joaquin.65
LQ Newbie
Registered: Jun 2012
Posts: 6

Trouble regarding Unix permissions (bug maybe?)


Hi!

I found something rather strange while applying unix permissions to some folder.
First things first, I'm a total n00b, and I'm in charge of a small business server.

I made a script to fix all the permissions of the folders accessible through the Samba shares, and here is the problem:


At some point in the script I do
Code:
chmod -R 755 /mnt/AMYQ/SECTEC/MACROS
ls -l
Code:
drwxrwxr-x+ 2 netadm netadm   4096 nov  8 08:47 MACROS
For testing purposes I changed the code to
Code:
chmod -R 000 /mnt/AMYQ/SECTEC/MACROS
ls -l
Code:
d---rwx---+ 2 netadm netadm   4096 nov  8 08:47 MACROS
Very strange...

Here's my code: (the problem is around tag #SECTEC)
Code:
#!/bin/sh

# OPENING
chmod -R 771 /mnt/AMYQ
setfacl -R -kb /mnt/AMYQ

# ADMIN
setfacl -R -m g:1001:rx /mnt/AMYQ/ADMIN
setfacl -R -m g:1009:rwx /mnt/AMYQ/ADMIN

# SECTEC
setfacl -R -m g:1013:rx /mnt/AMYQ/SECTEC
setfacl -R -m g:1013:rwx /mnt/AMYQ/SECTEC/3.-\ TRATAMIENTO\ RESIDUOS
setfacl -R -m g:1002:rwx /mnt/AMYQ/SECTEC/2.-\ QUIMICO
setfacl -R -m g:1003:rwx /mnt/AMYQ/SECTEC/1.-\ MICROBIOLOGIA
setfacl -R -m g:1009:rwx /mnt/AMYQ/SECTEC/1.-\ MICROBIOLOGIA/1.-\ DATOS\ CRUDOS
setfacl -R -m g:1009:rwx /mnt/AMYQ/SECTEC/2.-\ QUIMICO/1.-\ DATOS\ CRUDOS
chmod -R 755 /mnt/AMYQ/SECTEC/MACROS
setfacl -R -m u:jbenitez:rwx /mnt/AMYQ/SECTEC/MACROS
setfacl -R -m u:mportas:rwx /mnt/AMYQ/SECTEC/MACROS

# DT
setfacl -R -m g:1009:rx /mnt/AMYQ/DT
setfacl -R -m g:1009:rwx /mnt/AMYQ/DT/1.-\ PARA\ FIRMAR
setfacl -R -m g:1009:rwx /mnt/AMYQ/DT/2.-\ FIRMADOS
setfacl -R -kb /mnt/AMYQ/DT/CONFIDENCIAL
setfacl -R -m g:1019:rwx /mnt/AMYQ/DT

# RRHH
setfacl -R -m g:1017:rwx /mnt/AMYQ/RRHH

# GESTION
setfacl -R -m g:1020:rwx /mnt/AMYQ/GESTION

# MEMORY
setfacl -R -m g:1009:rwx /mnt/AMYQ/MEMORY

# VARIOS
chmod -R 777 /mnt/AMYQ/VARIOS

# BACKUP
setfacl -R -m u:1014:rwx /mnt/backups

# ENDING
chown -R netadm /mnt/AMYQ
setfacl -R -m u:jbenitez:rwx /mnt/AMYQ
setfacl -R -m u:mportas:rwx /mnt/AMYQ
chmod -R 771 /mnt/AMYQ/VARIOS/JOAQUIN
I'd appreciate any help you can give me.
Thanks in advance!

Joaquín.

11-08-2012, 10:05 AM   #2
tronayne
Senior Member
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 2,873
Perhaps it would be useful to explore some basics about permissions.

Generally, directories are created with a default mask of 755 and files are created with a default mask of 644; that is, a directory will be
Code:
drwxr-xr-x   2 owner group     4096 Jan 13  2010 test/
and files will be
Code:
-rw-r--r--   1 owner group     1484 Oct 26  2009 testing.sql
There are three groups of permissions: owner, group and public (reading left to right).

Now, in the case of a file, the owner can read it and write to it (as in using an editor to change the content or removing it entirely), the group can read it (only) and public (anybody else) can read it (only). The three digits are owner, group, public.

If you want to make a file executable (it's a shell or binary program), you would
Code:
chmod 755 file
Which would then be
Code:
-rwxr-xr-x   1 owner group     8336 Nov  1  2009 file*
That is, read, write, execute for the owner, read, execute for the group, and execute for anybody else.

Again, the defaults are 755 for directories, 644 for files (on most systems).

Now, owner is the user account name -- the login name -- of the individual user that created the file or has been assigned as owner. Group is the default group that all users belong to (it's usually users). The way you use group identities is that any user can belong to one or more groups, and you can add specific user accounts to additional group(s) so they can access things you don't want just everybody to get at.

The permissions are called a mask, and keep in mind that permissions on a directory are different from those on a file; here are some masks for directories:
  • 755 - owner: read, write, execute; group: read, execute; public: read, execute
  • 750 - owner: read, write, execute; group: read, execute; public: none
  • 775 - owner: read, write, execute; group: read, write, execute; public: read, execute
  • 770 - owner: read, write, execute; group: read, write, execute; public: none
Generally, you'd leave a directory at 755 unless you had a specific reason not to.

Files:
  • 644 - owner: read, write; group: read; public: read
  • 640 - owner: read, write; group: read; public: none
  • 755 - owner: read, write, execute; group: read, execute; public: read, execute
  • 750 - owner: read, write, execute; group: read, execute; public: none
  • 775 - owner: read, write, execute; group: read, write, execute; public: read, execute
See how it works? If you did 666 on a file that's read, write for everybody; 600 on a file is read, write for the owner and nobody else can see anything. 777 on a directory is read, write, execute for everybody (and you really don't usually want to do that).

Now, what's an easy way to set permissions en masse?

We have a couple of nifty utilities for doing that; one is the find utility. As the name implies, find, uh, finds things (like files and directories). Say you want to find all the files in your directory tree:
Code:
find /mnt/AMYQ/SECTEC/MACROS -type f
You'll see a list of only the files (preceded by /mnt/AMYQ/SECTEC/MACROS/). Better would be
Code:
cd /mnt/AMYQ/SECTEC/MACROS/
find . -type f
Let's say you want to change the access permission of every file so they're the default 644 permission:
Code:
cd /mnt/AMYQ/SECTEC/MACROS/
find . -type f -exec chmod 644 {} \;
Or, if you wanted to change the access permission of every file so they're executable (755):
Code:
cd /mnt/AMYQ/SECTEC/MACROS/
find . -type f -exec chmod 755 {} \;
Want to change the owner or group name?
Code:
cd /mnt/AMYQ/SECTEC/MACROS/
find . -type f -exec chown user:group {} \;
You'd do the same thing with directories:
Code:
cd /mnt/AMYQ/SECTEC/MACROS/
find . -type d -exec chmod 755 {} \;
You may have figured out that the "find dot" means start in the current directory.

Might be a little easier than fiddling around with setfacl?

Oh, yeah, if you set either a directory or file with a mask of 000, well, it is inaccessible by anybody (except root) and ain't a good idea to be doing that.

Hope this helps some.
 
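The job the find -type d / find -type f pairs above do, as an added example in Python (this is not code from the post): one mode for directories, a different one for regular files, symlinks and special files left alone, and a count of what was touched. It also shows why `chmod -R 755` on a data directory is the wrong tool: it marks every spreadsheet in the share executable. The sample tree that run_demo() builds is constructed for the example.

```python
"""Apply one mode to directories and another to regular files across a tree,
the job the find -type d / -type f pairs above do. Added example, not code
from the post; the sample tree in run_demo() is constructed here."""
import os
import shutil
import stat
import tempfile


def fix_tree(root, dir_mode=0o755, file_mode=0o644):
    """Walk ROOT without following symlinks. Directories get dir_mode, regular
    files get file_mode; symlinks and special files are skipped rather than
    chmod'ed (a symlink pointing out of the share would otherwise be followed).
    Returns (dirs_changed, files_changed, skipped)."""
    dirs, files, skipped = 0, 0, 0
    os.chmod(root, dir_mode)            # os.walk never yields the top directory itself
    dirs += 1
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):    # listed in dirnames but not descended into
                skipped += 1
                continue
            os.chmod(path, dir_mode)
            dirs += 1
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not stat.S_ISREG(os.lstat(path).st_mode):
                skipped += 1
                continue
            os.chmod(path, file_mode)
            files += 1
    return dirs, files, skipped


def run_demo():
    """Build a throwaway tree the way `chmod -R 777` leaves one (every file
    executable and world-writable), repair it, and report the resulting modes."""
    base = tempfile.mkdtemp(prefix='macros-')
    try:
        os.makedirs(os.path.join(base, 'sub'))
        for rel in ('sub/data.csv', 'macro.xlsm'):
            with open(os.path.join(base, rel), 'w') as fh:
                fh.write('constructed sample content\n')
        os.symlink('macro.xlsm', os.path.join(base, 'link'))   # must be left alone
        for rel in ('', 'sub', 'sub/data.csv', 'macro.xlsm'):
            os.chmod(os.path.join(base, rel), 0o777)
        counts = fix_tree(base)
        modes = {rel: stat.S_IMODE(os.lstat(os.path.join(base, rel)).st_mode)
                 for rel in ('', 'sub', 'sub/data.csv', 'macro.xlsm')}
        return counts, modes
    finally:
        shutil.rmtree(base)


if __name__ == '__main__':
    counts, modes = run_demo()
    print('directories, files, skipped:', counts)
    for rel, mode in modes.items():
        print(f'{rel or ".":<14}{mode:04o}')
```

On a Samba share you would usually pass dir_mode=0o2775 so the setgid bit makes new files inherit the directory's group; the chown step from the post is os.chown with numeric IDs (pwd.getpwnam and grp.getgrnam look them up). Neither step touches the ACL entries, which is the subject of the next reply.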
11-08-2012, 11:06 AM   #3
rknichols
Senior Member
Registered: Aug 2009
Distribution: CentOS
Posts: 1,180
If you are using ACLs, the output from "ls -l" can be a bit confusing since the displayed permissions include a merging of the ACL permissions. If there is an ACL setting for the owner, then those permissions will be shown in place of whatever owner permissions you might have set with chmod. If there are ACL settings for any other user or any group, then all of those permissions will be ORed into the group permissions set by chmod. To indicate that there are ACLs affecting the displayed permissions, there will be a "+" sign appended to the permissions field.
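The merging rknichols describes is exactly what produced the two listings in the first post. As an added example (not code from the thread, and not Linux's own implementation), here is a Python model of the POSIX.1e rules involved: chmod writes its group bits into the mask entry when one exists, setfacl -m then recalculates that mask as the union of the owning group and every named entry, ls -l prints the mask in the group column, and the access check filters named-user and group entries through the mask. replay_thread() reruns the script's steps that reach MACROS with the user and group names from the post; the group membership of the test users is assumed.

```python
"""Model of the POSIX.1e ACL rules Linux applies when chmod, setfacl and ls -l
meet on one directory. Added example for the thread; not the kernel's code."""

R, W, X = 4, 2, 1


def perm_str(p):
    """Render a 3-bit permission set the way ls -l does, e.g. 5 -> 'r-x'."""
    return ''.join(c if p & b else '-' for c, b in (('r', R), ('w', W), ('x', X)))


def parse_perm(s):
    """Accept the spellings setfacl takes: 'rwx', 'r-x', 'rx', '-'."""
    return sum(b for c, b in (('r', R), ('w', W), ('x', X)) if c in s)


class Acl:
    """One inode's ACL: three base entries, optional named entries and a mask."""

    def __init__(self, owner, group, mode):
        self.owner, self.group = owner, group
        self.user_obj = (mode >> 6) & 7   # ACL_USER_OBJ, the owner's bits
        self.group_obj = (mode >> 3) & 7  # ACL_GROUP_OBJ, the owning group's bits
        self.other = mode & 7             # ACL_OTHER
        self.users = {}                   # ACL_USER entries: name -> perms
        self.groups = {}                  # ACL_GROUP entries: name -> perms
        self.mask = None                  # ACL_MASK, only present on an extended ACL

    def is_extended(self):
        return bool(self.users or self.groups or self.mask is not None)

    def setfacl_modify(self, spec, recalc_mask=True):
        """setfacl -m SPEC. recalc_mask=False models setfacl -n."""
        kind, name, perms = spec.split(':')
        p = parse_perm(perms)
        if kind == 'm':
            self.mask = p                 # an explicit mask is taken as given
            return
        table = self.users if kind == 'u' else self.groups
        if name:
            table[name] = p
        elif kind == 'u':
            self.user_obj = p             # 'u::perms' is the owner entry
        else:
            self.group_obj = p            # 'g::perms' is the owning-group entry
        if recalc_mask and self.is_extended():
            # Default setfacl behaviour: the mask becomes the union of the owning
            # group and every named user/group entry, whatever chmod set before.
            self.mask = self.group_obj
            for q in list(self.users.values()) + list(self.groups.values()):
                self.mask |= q

    def setfacl_remove_all(self):
        """setfacl -b: drop the extended entries, keep the three base entries."""
        self.users.clear()
        self.groups.clear()
        self.mask = None

    def chmod(self, mode):
        """chmod(2) on an extended ACL writes the group bits into the mask, not
        into the owning-group entry; owner and other bits go to their entries."""
        self.user_obj = (mode >> 6) & 7
        if self.mask is not None:
            self.mask = (mode >> 3) & 7
        else:
            self.group_obj = (mode >> 3) & 7
        self.other = mode & 7

    def ls_mode(self):
        """The nine characters ls -l prints, plus '+' when the ACL is extended.
        The group column is the mask, so it can look unrelated to the chmod value."""
        group_col = self.mask if self.mask is not None else self.group_obj
        return (perm_str(self.user_obj) + perm_str(group_col) + perm_str(self.other)
                + ('+' if self.is_extended() else ''))

    def check(self, user, groups, want):
        """POSIX.1e access check: the first matching class decides. Named-user and
        all group entries are ANDed with the mask; any one matching group entry
        may grant, and a group match never falls through to 'other'."""
        mask = 7 if self.mask is None else self.mask
        if user == self.owner:
            return (self.user_obj & want) == want
        if user in self.users:
            return (self.users[user] & mask & want) == want
        matched = [self.group_obj] if self.group in groups else []
        matched += [self.groups[g] for g in groups if g in self.groups]
        if matched:
            return any((e & mask & want) == want for e in matched)
        return (self.other & want) == want


def replay_thread(macros_mode):
    """Rerun the script's steps that reach MACROS, with the chmod value the
    poster used (0o755 in the script, 0o000 in the test). Returns the ACL."""
    acl = Acl(owner='netadm', group='netadm', mode=0o771)  # chmod -R 771 /mnt/AMYQ
    acl.setfacl_remove_all()                                # setfacl -R -kb /mnt/AMYQ
    acl.setfacl_modify('g:1013:rx')                         # setfacl -R -m g:1013:rx .../SECTEC
    acl.chmod(macros_mode)                                  # chmod -R 755 (or 000) .../MACROS
    acl.setfacl_modify('u:jbenitez:rwx')                    # the two named-user entries
    acl.setfacl_modify('u:mportas:rwx')
    return acl


if __name__ == '__main__':
    for mode in (0o755, 0o000):
        acl = replay_thread(mode)
        print(f"chmod {mode:03o}: ls -l shows d{acl.ls_mode()}  "
              f"owner netadm r-x: {acl.check('netadm', ['netadm'], R | X)}  "
              f"jbenitez rwx: {acl.check('jbenitez', ['users'], R | W | X)}  "
              f"member of 1013 r-x: {acl.check('someone', ['1013'], R | X)}")
```

Run as written it prints drwxrwxr-x+ for chmod 755 and d---rwx---+ for chmod 000, the two listings from the first post, and shows that after chmod 000 the owner netadm can no longer enter the directory while jbenitez and members of group 1013 still can, because setfacl rebuilt the mask. Passing recalc_mask=False reproduces setfacl -n: the mask stays at ---, the listing becomes ---------+, and the named entries grant nothing (getfacl marks that with an #effective: comment). The practical check on the real server is getfacl on the directory; ls -l alone cannot tell you who can actually get in.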
 
11-08-2012, 12:19 PM   #4
joaquin.65
LQ Newbie
Registered: Jun 2012
Posts: 6
Original Poster
Thanks for the reply, both of you!

Tomorrow I'll read in detail and try to fix it.

Thanks again!

Joaquín.
 
  

