# Permissions
See also: Firewalls, Security
## Users and Groups
### su

Switch to another user, or run a single command as that user.

| Usage | Explanation |
|---|---|
| `- <USER>` | start a login shell as the user, which loads their profile (e.g. `.bash_profile`) |
| `<USER> -c '<COMMAND>'` | run a single command as the user |

| Example | Explanation |
|---|---|
| `su - root` | switch to the root user |
| `su bob -c 'crontab -l'` | view a user's crontab by executing a single command as that user |
### useradd

Create a new user.

| Usage | Explanation |
|---|---|
| `-d <DIR>` | specify a different home directory; the default is `/home/$USER` |
| `-e <DATE>` | specify when the account expires |
| `-f` | specify when the password expires |
| `-G <GROUP>[,<GROUP>...]` | add the user to additional (supplementary) groups |
| `-m` | create the home directory, populating it from the `/etc/skel` files |
| `-u <UID>` | provide a custom UID |
| `-g <GID>` | provide a custom primary GID |
| `-p <ENCRYPTED>` | specify an already-encrypted (hashed) password |
| `-s <SHELL>` | choose the user's default shell |
| `-Z <SEUSER>` | set the SELinux user for the user's login |
### usermod

Modify an existing user.

| Usage | Explanation |
|---|---|
| `-l <NEW_NAME>` | change the username |
| `-L` | lock an account |
| `-U` | unlock an account |
| `-a -G <GROUP> <USER>` | add a user to a group (`-a` appends; without it, `-G` replaces the user's supplementary groups) |
| `-g <GROUP>` | change a user's default (primary) group |
| `-Z <SEUSER>` | add an SELinux user to the user's login |
| `-Z ""` | remove the SELinux user from the user's login |
### passwd

Manage the password for a user.

| Usage | Explanation |
|---|---|
| `--stdin` | read the password from piped standard input (supported by the Red Hat family's `passwd`) |
| `-d` | delete a user's password, making the account usable without a password |

| Example | Explanation |
|---|---|
| `echo 'newpass' \| passwd --stdin <USER>` | non-interactively set a password for a user |
### chage

Manage password expiration.

| Usage | Explanation |
|---|---|
| `-l <USER>` | list the specified user's account and password expirations |
| `-E YYYY-MM-DD <USER>` | set an expiration date for the account |
| `-M <DAYS> <USER>` | set the maximum number of days before a user's password must be changed |
### pwck

Check `/etc/passwd` and `/etc/shadow` for syntax errors. It also verifies that each user's home directory exists.
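The checks that `pwck`, `passwd -d` and `chage -M` point at can also be scripted. The following is an added example, not part of the original page: an audit over passwd- and shadow-format records that reports additional UID 0 accounts, accounts with an empty password field (what `passwd -d` leaves behind) and accounts whose password is never forced to rotate. The sample records are constructed; on a real host you would feed the functions `/etc/passwd` and `/etc/shadow` (the latter is readable only by root).

```shell
#!/bin/sh
# Added example (not from the original page): audit passwd/shadow-format data.
# Constructed sample records, not real system files.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000:Bob:/home/bob:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
svc:x:1001:1001:Service account:/var/lib/svc:/sbin/nologin'

# shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:
SAMPLE_SHADOW='root:$6$constructedsalt$constructedhash:19000:0:90:7:::
bob::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::'

# Accounts with UID 0 other than root (reads passwd-format lines on stdin).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts with an empty password field: login needs no password at all.
# A "!" or "*" field is a locked account, which is a different (and safe) state.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Accounts with a usable hash whose max age is unset or 99999, i.e. never
# forced to rotate (what chage -M would tighten).
never_rotating_passwords() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 >= 99999) { print $1 }'
}

# Stand-alone run over the constructed samples; on a host, pipe in the real files.
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
printf '%s\n' "$SAMPLE_SHADOW" | passwordless_accounts
printf '%s\n' "$SAMPLE_SHADOW" | never_rotating_passwords
```

Each function prints one account name per line, so the output can be diffed against a known-good baseline from a previous run.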
### vipw

Safely edit the user database files.

| Usage | Explanation |
|---|---|
| `-p` | edit the `/etc/passwd` file; a lock file is created so that the `user*` commands (useradd, usermod, userdel) cannot change it concurrently |
| `-s` | edit the `/etc/shadow` file |
| `-g` | edit the `/etc/group` file |
### authconfig-tui

Terminal user interface for managing LDAP authentication.

### capabilities

Grant a file individual root-specific privileges instead of full setuid root.
## Ownership

### stat

Package: coreutils

Display detailed access and modification time stamps, the full permissions including special bits, and some file attributes.

### chown

Package: coreutils

Change the user and/or group ownership of a file or directory.

| Usage | Explanation |
|---|---|
| `<USER>.<GROUP>` | change file ownership |
### chmod

Package: coreutils

Change the octal permissions for user/group/other (ugo) access to a file or directory.

- `+` = Add permissions.
- `-` = Remove permissions.
- `=` = Set exact permissions.
- `a` = Modify permissions for user, group, and other (all of them).
- `u` = User only.
- `g` = Group only.
- `o` = Other only.
- `r` = Read.
- `w` = Write.
- `x` = Executable.

| Usage | Explanation |
|---|---|
| `a+X` | give user, group and other the permission X (replace X with r, w, and/or x) |
| `u+s` OR `4XXX` | setuid; files with this permission are executed as the owner; replace "XXX" with the base permissions |
| `g+s` OR `2XXX` | setgid; files created in a directory with this bit are owned by the directory's group; files with this permission are executed as the group; replace "XXX" |
| `o+t` OR `1XXX` | sticky bit; in a directory with this bit only a file's owner (or root) can delete or rename it; replace "XXX" |
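Because setuid and setgid files run with another identity, they are worth inventorying. The following is an added example, not part of the original page: a small `find`-based audit that lists the files under a directory carrying the setuid, setgid or sticky bit, plus a constructed sample tree built in a temporary directory so it can be run without touching the real system.

```shell
#!/bin/sh
# Added example (not from the original page): find files carrying the
# setuid (4000), setgid (2000) or sticky (1000) bit under a directory and
# print "bit path" lines for review against an expected baseline.
find_special_bits() {
    dir=$1
    # find -perm -MODE matches when all bits in MODE are set, whatever the others are.
    find "$dir" -type f -perm -4000 -exec printf 'setuid %s\n' {} \;
    find "$dir" -type f -perm -2000 -exec printf 'setgid %s\n' {} \;
    find "$dir" -type d -perm -1000 -exec printf 'sticky %s\n' {} \;
}

# Build a constructed sample tree in a temp directory and print its path.
demo_setup() {
    d=$(mktemp -d)
    mkdir "$d/shared"
    : > "$d/normal"
    : > "$d/suid_bin"
    : > "$d/sgid_bin"
    chmod 0644 "$d/normal"     # plain file, must not be reported
    chmod 4755 "$d/suid_bin"   # same as chmod u+s on a 755 file
    chmod 2755 "$d/sgid_bin"   # same as chmod g+s on a 755 file
    chmod 1777 "$d/shared"     # same as chmod o+t: world-writable, only owners delete
    printf '%s\n' "$d"
}

# Stand-alone run over the sample tree. On a real host (as root):
#   find_special_bits /    -- add -xdev to the find calls to stay on one filesystem
demo=$(demo_setup)
find_special_bits "$demo"
rm -r "$demo"
```

The three `find` invocations are kept separate so that each line states which bit matched; merging them into one `-o` expression would be faster on a whole filesystem but loses that label.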
### getfacl

Package: acl

Display all of the access control lists tied to a file or directory.

| Usage | Explanation |
|---|---|
| `-R` | recurse into directories |

| Example | Explanation |
|---|---|
| `-pR /home` | show extended ACLs for all files and directories under `/home` |
### setfacl

Package: acl

Change access control lists.

| Usage | Explanation |
|---|---|
| `-m u:<USER>:rwx` | give the user full permissions, even if they do not own the file |
| `-m g:<GROUP>:rw` | give the group read and write permissions |
| `-b` | remove all ACLs from the file |
### umask

Set the default permissions for newly created files and directories. The default is 666 for files and 777 for directories; the umask value is then subtracted from the respective number.

| Usage | Explanation |
|---|---|
| `022` | 666 - 022 = 644 permissions for files; 777 - 022 = 755 for directories |
| `-S` | show the current mask as symbolic permissions |
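The following is an added example, not part of the original page, that computes the mode a new file or directory receives under a given umask. The kernel clears the umask's bits from the base mode (666 or 777) with a bitwise operation; the subtraction described above gives the same answer for a mask like 022, whose bits are all present in the base mode, but not for masks such as 027 or 077, which the example shows side by side.

```shell
#!/bin/sh
# Added example (not from the original page): effective mode under a umask.
# The kernel computes base & ~umask; subtraction only coincides with that when
# every bit of the umask is also set in the base mode.
effective_mode() {
    base=$1   # 666 for files or 777 for directories, octal
    mask=$2   # umask value, octal
    # A leading 0 makes the shell treat the values as octal constants.
    printf '%o\n' $(( 0$base & ~0$mask & 0777 ))
}

# The subtraction shortcut, shown for comparison only.
subtract_mode() {
    printf '%o\n' $(( 0$1 - 0$2 ))
}

# Stand-alone run: 022 agrees with subtraction; 027 and 077 do not.
for m in 022 027 077; do
    printf 'umask %s: files %s (subtraction gives %s), dirs %s\n' "$m" \
        "$(effective_mode 666 "$m")" "$(subtract_mode 666 "$m")" \
        "$(effective_mode 777 "$m")"
done
```

Use `effective_mode` when deciding on a restrictive default such as 027 (group-readable, nothing for others) or 077 (owner only), where the subtraction shortcut would give a misleading answer.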
### chattr

Package: e2fsprogs

Change file attributes (setting `+a` and `+i` requires root).

| Usage | Explanation |
|---|---|
| `+a` | make the file append-only |
| `+C` | disable copy-on-write (CoW) file system operations on a file or directory |
| `+i` | make a file immutable; it cannot be modified or deleted |
| `+u` | make a file undeletable |
| `-R` | apply recursively through multiple files |
| `-V` | verbose output |

| Example | Explanation |
|---|---|
| `-R +a /var/log*` | make logs append-only, so they cannot be truncated or rewritten |
## SELinux

### getenforce

View the current SELinux mode.

### sealert

Package: setroubleshoot-server

View SELinux warnings and suggested workarounds.

| Usage | Explanation |
|---|---|
| `-a <LOG>` | specify an SELinux audit log |

| Example | Explanation |
|---|---|
| `-a /var/log/audit/audit.log` | view SELinux warnings from the default log file |
### semanage

Package: policycoreutils-python-utils

| Usage | Explanation |
|---|---|
| `-h` | show help for the current semanage option |
| `boolean -l` | list SELinux boolean policies and their status |
| `boolean -m --on <BOOLEAN>` | turn on an SELinux boolean policy |
| `port -l` | list SELinux port policies and their status |
| `port -m -t <POLICY> -p <PROTO> <PORT>` | add an extra port to the specified policy |
| `{enforcing\|permissive} -a` | temporarily enable or disable SELinux for a specified context |
| `login -l` | show SELinux users |

| Example | Explanation |
|---|---|
| `fcontext -a -t <TYPE> <FILE>` | use the file context rules (`fcontext`), add a new one (`-a`) with the specified SELinux type (`-t`), and then provide the file to change; apply it with `restorecon` |
### chcon

Temporarily modify SELinux file or directory permissions (labels); the change is lost when the file is relabelled from policy.

| Usage | Explanation |
|---|---|
| `-R` | recursively apply the new SELinux permissions |
| `--reference=<FILE>` | copy the SELinux permissions from the referenced file or directory |

### restorecon

Restore the SELinux file permissions defined by policy.

| Usage | Explanation |
|---|---|
| `-R` | recursively apply the original SELinux permissions |