Unix Permissions and Security Tutorial


Posted on Thu Oct 04, 2012 10:46 am

I'm currently teaching myself web server administration using a local Linux Mint-based server. I know one very important step I've kind of been glossing over is managing Unix permissions (including creating and managing users and user groups) and security in general. I was hoping some of you here might know of a good resource for learning the intricacies of it, tailored for someone who knows jack and crap about it and only seriously started learning Linux a month or so ago.
Under Construction Forever~~~
Kurotetsu
Gerbil Elite
 
Posts: 525
Joined: Sun Dec 09, 2007 12:13 pm

Re: Unix Permissions and Security Tutorial

Posted on Thu Oct 04, 2012 11:46 am

I would read them in the order they are below for Linux permissions.

How Linux file permissions work
http://www.cyberciti.biz/faq/how-linux- ... ions-work/

Linux permissions help
http://www.zzee.com/solutions/linux-permissions.shtml

Learn Linux, 101: Manage file permissions and ownership
http://www.ibm.com/developerworks/linux ... index.html

The Learn Linux, 101 series on IBM Developer Works is a good series on Linux in general.

Other stuff with interesting tidbits:
ArchWiki File Permissions
https://wiki.archlinux.org/index.php/File_Permissions
Flatland_Spider
Gerbil Elite
 
Posts: 809
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: Unix Permissions and Security Tutorial

Posted on Thu Oct 04, 2012 12:25 pm

In addition to the traditional ownership and permissions there's also the option of ACLs:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-acls.html

Those Red Hat docs look pretty good.
Fernando!
Your mother ate my dog!
cheesyking
Minister of Gerbil Affairs
 
Posts: 2241
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

Re: Unix Permissions and Security Tutorial

Posted on Thu Oct 04, 2012 1:18 pm

Thanks much. I actually think I can use some of this at work too...
Under Construction Forever~~~
Kurotetsu
Gerbil Elite
 
Posts: 525
Joined: Sun Dec 09, 2007 12:13 pm

Re: Unix Permissions and Security Tutorial

Posted on Thu Oct 04, 2012 1:45 pm

cheesyking wrote: In addition to the traditional ownership and permissions there's also the option of ACLs:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-acls.html

Those Red Hat docs look pretty good.


Probably a silly question, but I imagine ACLs can be used on any distro and not just Red Hat/CentOS, correct?

Also, what are the practical differences between using the standard permissions mechanism and ACLs?
Under Construction Forever~~~
Kurotetsu
Gerbil Elite
 
Posts: 525
Joined: Sun Dec 09, 2007 12:13 pm

Re: Unix Permissions and Security Tutorial

Posted on Thu Oct 04, 2012 2:39 pm

Kurotetsu wrote: Probably a silly question, but I imagine ACLs can be used on any distro and not just Red Hat/CentOS, correct?

Yes.

Kurotetsu wrote: Also, what are the practical differences between using the standard permissions mechanism and ACLs?

The standard permissions mechanism is simpler and coarser-grained.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37475
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Unix Permissions and Security Tutorial

Posted on Thu Oct 04, 2012 5:14 pm

Learn to use Midnight Commander in a terminal. Makes a lot of that kind of thing very easy to change. You do need to learn the basics though.
Fuji X-E1 Leica Elmar 135 4 XF60mm 2.4 Macro | Zeiss FE 35mm 2.8
http://carnagepro.com
"Everything ... they eat everything, and fear is their bacon bits."
PenGun
Gerbil Elite
 
Posts: 791
Joined: Fri Jun 18, 2004 1:48 pm
Location: BC Canada

Re: Unix Permissions and Security Tutorial

Posted on Thu Oct 04, 2012 5:33 pm

Kurotetsu wrote: Probably a silly question, but I imagine ACLs can be used on any distro and not just Red Hat/CentOS, correct?


The acl mount option will need to be enabled in fstab for POSIX ACL permissions to work, and most of the time you're not going to run into them.

The switch is acl for ext filesystems per the mount manpage.

fstab entry without acl: UUID=466a050a-8bd5-4175-afab-082b3c0ff1ff /storage/storage5 ext4 defaults 1 2
fstab entry with acl: UUID=466a050a-8bd5-4175-afab-082b3c0ff1ff /storage/storage5 ext4 defaults,acl 1 2
Flatland_Spider
Gerbil Elite
 
Posts: 809
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: Unix Permissions and Security Tutorial

Posted on Fri Oct 05, 2012 3:18 pm

Flatland_Spider wrote:
Kurotetsu wrote: Probably a silly question, but I imagine ACLs can be used on any distro and not just Red Hat/CentOS, correct?


The acl mount option will need to be enabled in fstab for POSIX ACL permissions to work, and most of the time you're not going to run into them.

The switch is acl for ext filesystems per the mount manpage.

fstab entry without acl: UUID=466a050a-8bd5-4175-afab-082b3c0ff1ff /storage/storage5 ext4 defaults 1 2
fstab entry with acl: UUID=466a050a-8bd5-4175-afab-082b3c0ff1ff /storage/storage5 ext4 defaults,acl 1 2


The Red Hat tutorial that was linked mentioned this step. I think you also need the ACL library installed, but most distros will already have that by default?

It seems ACLs are better and in ways easier to learn than the chmod approach, so I'll likely just use that for my server (though I'll still learn chmod for the sake of it).

EDIT:

I noticed in your example entry w/ ACL that you have a comma separating defaults and the acl switch, whereas the Red Hat tutorial example omits that. Is that a typo?
Under Construction Forever~~~
Kurotetsu
Gerbil Elite
 
Posts: 525
Joined: Sun Dec 09, 2007 12:13 pm

Re: Unix Permissions and Security Tutorial

Posted on Fri Oct 05, 2012 6:52 pm

Is the command below what you're talking about?
Code:
LABEL=/work      /work       ext3    acl        1 2


The comma was intentional. That's the correct syntax for multiple options in fstab. The example from Red Hat leaves off the defaults option. I haven't tried an entry like that in fstab, but the de facto convention is to use defaults unless you want to restrict some functions.

Defaults specifies rw, suid, dev, exec, auto, nouser, and async. Check the mount manpage or http://linux.die.net/man/8/mount for an explanation of what each one does.

Kurotetsu wrote: It seems ACLs are better and in ways easier to learn than the chmod approach, so I'll likely just use that for my server (though I'll still learn chmod for the sake of it).


Using ACLs to control permissions is an odd way to set up a webhost. Most webhosts are set up one of two ways. The first way is where the Apache group is set as the group on the folders/files, and the second way is to add the Apache user to the group of the website owner.
Flatland_Spider
Gerbil Elite
 
Posts: 809
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539
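
An added example, not part of any post in this thread and not taken from the Red Hat guide: a shell audit of the fstab options field discussed above, showing that the comma-separated list is read left to right and that the `acl` entry and the `defaults,acl` entry come out the same. The function names and the hardened sample line are constructed for illustration; the example assumes, per mount(8), that `defaults` is only a placeholder for the options the kernel applies anyway.

```shell
#!/bin/sh
# Added example (not from the thread): audit the options field of fstab lines.
# The defaults below apply whether or not "defaults" is written; later options win.
DEFAULTS="rw,suid,dev,exec,auto,nouser,async"
# Sample lines: the first three are quoted in the thread; the last one is a
# constructed hardened variant for a data-only mount.
L_PLAIN='UUID=466a050a-8bd5-4175-afab-082b3c0ff1ff /storage/storage5 ext4 defaults 1 2'
L_ACL='UUID=466a050a-8bd5-4175-afab-082b3c0ff1ff /storage/storage5 ext4 defaults,acl 1 2'
L_RH='LABEL=/work      /work       ext3    acl        1 2'
L_HARD='UUID=466a050a-8bd5-4175-afab-082b3c0ff1ff /storage/storage5 ext4 defaults,acl,nosuid,nodev,noexec 1 2'

# effective_opts LINE: the defaults followed by field 4 (comma-separated list).
effective_opts() {
    printf '%s\n' "$1" | awk -v d="$DEFAULTS" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            out = d
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] != "defaults") out = out "," o[i]
            print out
        }'
}

# has_opt LINE OPT: succeed if OPT is in effect; a later "noOPT" turns it off.
has_opt() {
    state=1; old_ifs=$IFS; IFS=,
    for o in $(effective_opts "$1"); do
        case $o in
            "$2")   state=0 ;;
            "no$2") state=1 ;;
        esac
    done
    IFS=$old_ifs
    return "$state"
}

# audit_line LINE: report acl (as requested in fstab) and which of suid/dev/exec stay on.
audit_line() {
    mp=$(printf '%s\n' "$1" | awk '{ print $2 }')
    on=""
    for r in suid dev exec; do
        if has_opt "$1" "$r"; then on="$on $r"; fi
    done
    if has_opt "$1" acl; then acl=yes; else acl=no; fi
    printf '%s acl=%s allows:%s\n' "$mp" "$acl" "${on:- none}"
}

for l in "$L_PLAIN" "$L_ACL" "$L_RH" "$L_HARD"; do audit_line "$l"; done
```

The `acl=no` result only means fstab does not request ACLs; the filesystem's own default mount options may still enable them.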

Re: Unix Permissions and Security Tutorial

Posted on Sat Oct 06, 2012 9:46 am

Flatland_Spider wrote: Using ACLs to control permissions is an odd way to set up a webhost. Most webhosts are set up one of two ways. The first way is where the Apache group is set as the group on the folders/files, and the second way is to add the Apache user to the group of the website owner.

Yup, I agree... there's typically no need for ACLs on a web server. It's massive overkill and just over-complicates things. The "classic" *NIX permissions scheme has enough flexibility to handle most use cases without the need to resort to ACLs.

If you're setting up a dynamic (database driven) web CMS with finer-grained controls (e.g. normal users, mods, admins, etc.), then that is handled internally by the web app, not at the file system permissions level.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37475
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer
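
An added example, not written by anyone in this thread: the "first way" described above (the web server's group set on the site's folders and files) done with classic ownership and mode bits only, plus a check that lists anything that drifts from the scheme. The 2750/0640 modes, the function names and the sample tree are assumptions made for illustration, and `WEB_GROUP` defaults to the caller's own group as a stand-in for the Apache group so the script runs without root.

```shell
#!/bin/sh
# Added example (not from the thread). WEB_GROUP stands in for the Apache
# group (for instance apache or www-data on a real host); assumption: it
# defaults to the caller's own primary group so no root is needed here.
WEB_GROUP=${WEB_GROUP:-$(id -gn)}

# apply_layout ROOT: owner read/write, web group read-only, nothing for others.
# setgid on directories makes new files inherit the directory's group.
apply_layout() {
    chgrp -R "$WEB_GROUP" "$1"
    find "$1" -type d -exec chmod 2750 {} +
    find "$1" -type f -exec chmod 0640 {} +
}

# audit_layout ROOT: print every path that breaks the scheme: wrong group,
# any permission bit for "other", or group write. Prints nothing when clean.
audit_layout() {
    find "$1" \( ! -group "$WEB_GROUP" -o -perm -0001 -o -perm -0002 \
        -o -perm -0004 -o -perm -0020 \) -print
}

# demo: build a constructed site tree, apply the layout, then loosen one file
# the way a quick "chmod 666" fix would, and show that the audit reports it.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/site/uploads"
    echo '<h1>hello</h1>' > "$root/site/index.html"
    echo 'draft' > "$root/site/uploads/notes.txt"
    apply_layout "$root/site"
    chmod 0666 "$root/site/uploads/notes.txt"
    audit_layout "$root/site" | sed "s|^$root/||"
    rm -rf "$root"
}

demo
```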

