LinuxQuestions.org


joaquin.65 11-08-2012 05:40 AM

Trouble regarding unix permissions (bug maybe?)
 
Hi!

I found something rather strange while applying unix permissions to some folder.
First things first, I'm a total n00b, and I'm in charge of some small business server.

I made a script to fix all the permissions of the folders accessible by the samba shares, and here is the problem:


At some part of the code I do
Code:

chmod -R 755 /mnt/AMYQ/SECTEC/MACROS
ls -l
Code:

drwxrwxr-x+ 2 netadm netadm  4096 nov  8 08:47 MACROS
For testing purposes I changed the code to
Code:

chmod -R 000 /mnt/AMYQ/SECTEC/MACROS
ls -l
Code:

d---rwx---+ 2 netadm netadm  4096 nov  8 08:47 MACROS
Very strange...

Here's my code: (the problem is around tag #SECTEC)
Code:

#!/bin/sh

# OPENING
chmod -R 771 /mnt/AMYQ
setfacl -R -kb /mnt/AMYQ

# ADMIN
setfacl -R -m g:1001:rx /mnt/AMYQ/ADMIN
setfacl -R -m g:1009:rwx /mnt/AMYQ/ADMIN

# SECTEC
setfacl -R -m g:1013:rx /mnt/AMYQ/SECTEC
setfacl -R -m g:1013:rwx /mnt/AMYQ/SECTEC/3.-\ TRATAMIENTO\ RESIDUOS
setfacl -R -m g:1002:rwx /mnt/AMYQ/SECTEC/2.-\ QUIMICO
setfacl -R -m g:1003:rwx /mnt/AMYQ/SECTEC/1.-\ MICROBIOLOGIA
setfacl -R -m g:1009:rwx /mnt/AMYQ/SECTEC/1.-\ MICROBIOLOGIA/1.-\ DATOS\ CRUDOS
setfacl -R -m g:1009:rwx /mnt/AMYQ/SECTEC/2.-\ QUIMICO/1.-\ DATOS\ CRUDOS
chmod -R 755 /mnt/AMYQ/SECTEC/MACROS
setfacl -R -m u:jbenitez:rwx /mnt/AMYQ/SECTEC/MACROS
setfacl -R -m u:mportas:rwx /mnt/AMYQ/SECTEC/MACROS

# DT
setfacl -R -m g:1009:rx /mnt/AMYQ/DT
setfacl -R -m g:1009:rwx /mnt/AMYQ/DT/1.-\ PARA\ FIRMAR
setfacl -R -m g:1009:rwx /mnt/AMYQ/DT/2.-\ FIRMADOS
setfacl -R -kb /mnt/AMYQ/DT/CONFIDENCIAL
setfacl -R -m g:1019:rwx /mnt/AMYQ/DT

# RRHH
setfacl -R -m g:1017:rwx /mnt/AMYQ/RRHH

# GESTION
setfacl -R -m g:1020:rwx /mnt/AMYQ/GESTION

# MEMORY
setfacl -R -m g:1009:rwx /mnt/AMYQ/MEMORY

# VARIOS
chmod -R 777 /mnt/AMYQ/VARIOS

# BACKUP
setfacl -R -m u:1014:rwx /mnt/backups

# ENDING
chown -R netadm /mnt/AMYQ
setfacl -R -m u:jbenitez:rwx /mnt/AMYQ
setfacl -R -m u:mportas:rwx /mnt/AMYQ
chmod -R 771 /mnt/AMYQ/VARIOS/JOAQUIN

I'd appreciate any help you can give me.
Thanks in advance!

Joaquín.

tronayne 11-08-2012 10:05 AM

Perhaps it would be useful to explore some basics about permissions.

Generally, directories are created with a default mask of 755 and files are created with a default mask of 644; that is, a directory will be
Code:

drwxr-xr-x  2 owner group    4096 Jan 13  2010 test/
and files will be
Code:

-rw-r--r--  1 owner group    1484 Oct 26  2009 testing.sql
There are three groups of permissions, owner, group and public (reading left to right).

Now, in the case of a file, the owner can read it and write to it (as in using an editor to change the content or removing it entirely), the group can read it (only) and public (anybody else) can read it (only). The three digits are owner, group, public.

If you want to make a file executable (it's a shell or binary program), you would
Code:

chmod 755 file
Which would then be
Code:

-rwxr-xr-x  1 owner group    8336 Nov  1  2009 file*
That is, read, write, execute for the owner, read, execute for the group, and execute for anybody else.

Again, the defaults are 755 for directories, 644 for files (on most systems).

Now, owner is the user account name -- the login name -- of an individual user that created or has been assigned as owner. Group is the default group that all users belong to (it's usually users). The way you use group identities is that any user can belong to one or more groups and you can add specific user accounts to additional group(s) so they can access things you don't want just everybody to get at.

The permissions are called a mask, and keep in mind that permissions on a directory are different from those on a file; here are some masks for directories:
  • 755 - owner: read, write, execute; group: read, execute; public: read, execute
  • 750 - owner: read, write, execute; group: read, execute; public: none
  • 775 - owner: read, write, execute; group: read, write, execute; public: read, execute
  • 770 - owner: read, write, execute; group: read, write, execute; public: none
Generally, you'd leave a directory at 755 unless you had a specific reason not to.

Files:
  • 644 - owner: read, write; group: read; public: read
  • 640 - owner: read, write; group: read; public: none
  • 755 - owner: read, write, execute; group: read, execute; public: read, execute
  • 750 - owner: read, write, execute; group: read, execute; public: none
  • 775 - owner: read, write, execute; group: read, write, execute; public: read, execute
See how it works? If you did 666 on a file that's read, write for everybody; 600 on a file is read, write for the owner and nobody else can see anything. 777 on a directory is read, write, execute for everybody (and you really don't usually want to do that).

Now, what's an easy way to set permissions en masse?

We have a couple of nifty utilities for doing that; one is the find utility. As the name implies, find, uh, finds things (like files and directories). Say you want to find all the files in your directory tree:
Code:

find /mnt/AMYQ/SECTEC/MACROS -type f
You'll see a list of only the files (preceded by /mnt/AMYQ/SECTEC/MACROS/). Better would be
Code:

cd /mnt/AMYQ/SECTEC/MACROS/
find . -type f

Let's say you want to change the access permission of every file so they're the default 644 permission:
Code:

cd /mnt/AMYQ/SECTEC/MACROS/
find . -type f -exec chmod 644 {} \;

Or, if you wanted to change the access permission of every file so they're executable (755):
Code:

cd /mnt/AMYQ/SECTEC/MACROS/
find . -type f -exec chmod 755 {} \;

Want to change the owner or group name?
Code:

cd /mnt/AMYQ/SECTEC/MACROS/
find . -type f -exec chown user:group {} \;

You'd do the same thing with directories:
Code:

cd /mnt/AMYQ/SECTEC/MACROS/
find . -type d -exec chmod 755 {} \;

You may have figured out that the "find dot" means start in the current directory.

Might be a little easier than fiddling around with setfacl?

Oh, yeah, if you set either a directory or file with a mask of 000, well, it is inaccessible by anybody (except root) and ain't a good idea to be doing that.

Hope this helps some.

rknichols 11-08-2012 11:06 AM

If you are using ACLs, the output from "ls -l" can be a bit confusing since the displayed permissions include a merging of the ACL permissions. If there is an ACL setting for the owner, then those permissions will be shown in place of whatever owner permissions you might have set with chmod. If there are ACL settings for any other user or any group, then all of those permissions will be ORed into the group permissions set by chmod. To indicate that there are ACLs affecting the displayed permissions, there will be a "+" sign appended to the permissions field.
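
An added example, not from the thread: a small Python model of the rules rknichols describes (chmod writes the mask entry of an extended ACL, setfacl -m recalculates the mask, ls -l prints the mask in the group column with a "+"), run over the steps joaquin's script applies to /mnt/AMYQ/SECTEC/MACROS. It reproduces both ls -l lines from the first post; the starting state, gid 1013 and the user names are taken from the posted script, and the model assumes a single directory with no default ACL.

```python
from dataclasses import dataclass, field
from typing import Optional

RWX = ("r", "w", "x")

def bits_to_str(bits: int) -> str:
    return "".join(c if bits & (4 >> i) else "-" for i, c in enumerate(RWX))

@dataclass
class Acl:
    owner: int                                  # user:: entry (owner bits)
    group: int                                  # group:: entry (owning group)
    other: int                                  # other:: entry
    named: dict = field(default_factory=dict)   # "u:name" / "g:gid" -> bits
    mask: Optional[int] = None                  # mask:: exists once the ACL is extended

    def chmod(self, mode: int) -> "Acl":
        # chmod writes user:: and other:: directly; the middle digit goes to
        # mask:: when the ACL is extended, otherwise to group::.
        self.owner, self.other = (mode >> 6) & 7, mode & 7
        if self.mask is None:
            self.group = (mode >> 3) & 7
        else:
            self.mask = (mode >> 3) & 7
        return self

    def setfacl_m(self, entry: str, no_mask: bool = False) -> "Acl":
        # setfacl -m u:name:perms / g:gid:perms; without -n the mask is
        # recalculated as the union of group:: and every named entry.
        kind, name, perms = entry.split(":")
        self.named[f"{kind}:{name}"] = sum(4 >> i for i, c in enumerate(RWX) if c in perms)
        if not no_mask or self.mask is None:
            self.mask = self.group
            for bits in self.named.values():
                self.mask |= bits
        return self

    def ls_l(self, is_dir: bool = True) -> str:
        # ls -l shows user::, then mask:: if present (else group::), then other::,
        # and appends '+' when the ACL has more than the three base entries.
        middle = self.group if self.mask is None else self.mask
        perms = bits_to_str(self.owner) + bits_to_str(middle) + bits_to_str(self.other)
        return ("d" if is_dir else "-") + perms + ("+" if self.mask is not None else "")

def macros_after(chmod_mode: int) -> Acl:
    # What the posted script does to MACROS before its ls -l: chmod 771 and setfacl -kb,
    # the recursive g:1013:rx from the SECTEC block, the chmod under test, two named users.
    acl = Acl(owner=7, group=7, other=1).setfacl_m("g:1013:rx").chmod(chmod_mode)
    return acl.setfacl_m("u:jbenitez:rwx").setfacl_m("u:mportas:rwx")
```

Passing no_mask=True models setfacl -n, which leaves the mask at whatever the preceding chmod set, so the named users get nothing effective.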

joaquin.65 11-08-2012 12:19 PM

Thanks for the reply, both of you!

Tomorrow I'll read in detail and try to fix it.

Thanks again!

Joaquín.

