Permissions

See also: Firewalls, Security

Users and Groups

su

Usage

Explanation

- <USER>

invokes their bash profile

<USER> -c

runs a command as the user

Example

Explanation

- root

switch to the root user

bob -c 'crontab -l'

view the crontab for a user by executing a single command as that user

sg

Temporarily change the current user’s primary group.

id

Show user and group information about a user.

groupmems

Usage

Explanation

-g <GROUP> -l

show the members in a group

useradd

Create a new user.

Usage

Explanation

-d

specify different home directory; default is /home/$USER

-e <DATE>

specify when the account expires

-f

specify when the password expires

-G

adds the user to additional groups

-m

creates home dir using /etc/skel files

-u

provide a custom UID

-g

provide a custom GID

-p

specify an encrypted password

-s

choose their default shell

-Z

set the SELinux user for the user’s login

usermod

Modify an existing user.

Usage

Explanation

-l

change the username

-L

lock an account

-U

unlock an account

-a -G <GROUP> <USER>

add a user to a group

-g

change a user’s default group

-Z

add an SELinux user to the user’s login

-Z ""

removes an SELinux user from the user’s login

userdel

Delete users.

Usage

Explanation

-r

remove all home and mail related files

passwd

Manage the password for a user.

Usage

Explanation

--stdin

use a password from piped standard input

-d

delete a user’s password and make the account usable without a password

Example

Explanation

echo 'newpass' | passwd --stdin

non-interactively set a password for a user

groupadd

Create a new group.

groupmod

Usage

Explanation

-n

rename the group

-g

change the GID

groupdel

Delete a group.

gpasswd

Usage

Explanation

<GROUP>

change the password for a group

chage

Manage password expiration.

Usage

Explanation

-l

list a specified user’s account and password expirations

-E YYYY-MM-DD

set an expiration date for the account

-M

set the maximum number of days before a user is required to change their password

pwck

Check for syntax errors in the /etc/passwd and /etc/shadow files. Also verifies that user home directories exist.

vipw

Usage

Explanation

-p

edit the /etc/passwd file; creates a lock file to prevent changes from “user*” commands

-s

edit the /etc/shadow file

-g

edit the /etc/group file

authconfig-tui

Terminal user-interface for managing LDAP authentication.

capabilities

Used to modify special root-specific permissions for files.

Ownership

stat

Package: coreutils

Display detailed access and modification timestamps, full sticky permissions, and some file attributes.

chown

Package: coreutils

Change the user and/or group ownership of a file or directory.

Usage

Explanation

<USER>.<GROUP>

change file ownership

chmod

Package: coreutils

Change the octal permissions for user/group/other (ugo) access to a file or directory.

  • + = Add permissions.

  • - = Remove permissions.

  • = = Set exact permissions.

  • a = Modify permissions for user, group, and other (all of them).

  • u = User only.

  • g = Group only.

  • o = Other only.

  • r = Read.

  • w = Write.

  • x = Executable.

Usage

Explanation

a+X

modify permissions for all users to add permission X, where X is r, w, and/or x

u+s OR 4XXX

setuid; files with this permission are executed as the owner; replace “XXX”

g+s OR 2XXX

setgid; files created in a folder with this permission are owned by the folder's group; files with this permission are executed as the group; replace “XXX”

o+t OR 1XXX

sticky bit; replace “XXX”
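The special bits above are worth auditing, since setuid/setgid files run with someone else's privileges and world-writable directories without the sticky bit let any user delete other users' files. The following is an added example, not part of the original page; the function names and the sample tree are constructed for illustration, and it assumes GNU find and stat.

```shell
#!/bin/sh
# Added example: report setuid/setgid files and world-writable
# directories that lack the sticky bit under a directory.

# audit_special_bits DIR -> one "LABEL MODE PATH" line per finding
audit_special_bits() {
    {
        # -perm -4000 / -2000: the setuid / setgid bit is set (u+s / g+s)
        find "$1" -xdev -type f -perm -4000 -exec stat -c 'setuid %a %n' {} +
        find "$1" -xdev -type f -perm -2000 -exec stat -c 'setgid %a %n' {} +
        # world-writable (o+w) directory without the sticky bit (o+t)
        find "$1" -xdev -type d -perm -0002 ! -perm -1000 \
            -exec stat -c 'no-sticky %a %n' {} +
    } | sort -k3
}

# make_sample_tree -> path of a constructed directory tree to audit
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared" "$d/dropbox"
    : > "$d/helper"
    : > "$d/plain"
    chmod 4755 "$d/helper"     # same as u+s on a 755 file
    chmod 1777 "$d/shared"     # world-writable with sticky bit: not reported
    chmod 0777 "$d/dropbox"    # world-writable, no sticky bit: reported
    chmod 0644 "$d/plain"      # ordinary file: not reported
    echo "$d"
}

# Run the audit against the constructed tree, then clean up.
t=$(make_sample_tree)
audit_special_bits "$t"
rm -rf "$t"
```

On a real system, point `audit_special_bits` at a mount point and compare the output with a known-good baseline.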

getfacl

Package: acl

Displays all of the access control lists tied to the file or directory.

Usage

Explanation

-R

recursively

Example

Explanation

-pR /home

show extended ACLs for all files and directories under /home

setfacl

Package: acl

Change access control lists.

Usage

Explanation

-m u:<USER>:rwx

give the user full permissions, even if they do not own the file

-m g:<GROUP>:rw

give the group read and write permissions

-b

remove all ACLs from the file

umask

Set the default file and folder permissions for creation. The default is 666 for files and 777 for directories. The input value is then subtracted from the respective number.

Usage

Explanation

022

666 - 022 = 644 permissions for files; 777 - 022 = 755 for folders

-S

shows symbolic permissions
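The following added example (not from the original page; function names are made up for illustration) computes the resulting mode for a umask and checks it against what the kernel assigns to a newly created file or directory. The kernel clears the umask's bits from the base mode, which matches subtraction for 022 but not for a mask such as 033, where files get 644 rather than 633. It assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example: how a umask determines the mode of newly created files.

# effective_mode BASE MASK -> BASE with every bit set in MASK cleared (octal)
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# created_mode KIND MASK -> mode the kernel actually assigned (KIND: file|dir)
created_mode() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$2"                       # only affects this subshell
        if [ "$1" = dir ]; then mkdir "$tmp/t"; else : > "$tmp/t"; fi
    )
    stat -c '%a' "$tmp/t"                # GNU coreutils stat
    rm -rf "$tmp"
}

# Constructed sample masks; 033 is the case where subtraction (633) is wrong.
for m in 022 027 033 077; do
    printf 'umask %s  file: computed %s created %s  dir: computed %s created %s\n' \
        "$m" "$(effective_mode 666 "$m")" "$(created_mode file "$m")" \
        "$(effective_mode 777 "$m")" "$(created_mode dir "$m")"
done
```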

lsattr

List file attributes.

chattr

Package: e2fsprogs

Change file attributes.

Usage

Explanation

+a

makes the file append-only

+C

disables copy-on-write (CoW) file system operations on a file or directory

+i

makes a file immutable; it cannot be modified or deleted

+u

makes a file undeletable

-R

recursively through multiple files

-V

output is verbose

Example

Explanation

-R +a /var/log*

make logs append-only; they cannot be truncated

setfattr

Package: attr

Create and modify custom file attributes.

Usage

Explanation

-n

provide a name for a new attribute

-v

provide the value for that attribute

-x

delete an attribute based on its name

SELinux

getenforce

View the current SELinux mode.

setenforce

Temporarily change the current SELinux mode.

Usage

Explanation

0

permissive

1

enforcing

sealert

Package: setroubleshoot-server

View SELinux warnings and suggested workarounds.

Usage

Explanation

-a

specify an SELinux audit log

Example

Explanation

-a /var/log/audit/audit.log

view SELinux warnings from the default log file

semanage

Package: policycoreutils-python-utils

Usage

Explanation

-h

show helpful information about the current semanage option

boolean -l

list SELinux file policies and their status

boolean -m --on

turn on a SELinux policy

port -l

list SELinux port policies and their status

port -m -t <POLICY> -p <PROTO> <PORT>

add an extra port to the specified policy

{enforcing|permissive} -a

temporarily enable or disable SELinux for a specified context

login -l

shows SELinux users

Example

Explanation

fcontext

use the file context permissions…

-a

…and add a new permission…

-t

…with the specified SELinux type and then provide the file to change

chcon

Temporarily modify SELinux file or directory permissions.

Usage

Explanation

-R

recursively apply new SELinux permissions

--reference=

copy the SELinux permissions from the referenced file or directory

restorecon

Restore SELinux file permissions.

Usage

Explanation

-R

recursively apply original SELinux permissions

setsebool

Usage

Explanation

-P

make changes permanent

Example

Explanation

-P httpd_use_nfs on

allow Apache to utilize NFS mounts for serving HTTP content

History