神刀安全网

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Introduction to chapter 6 of module-1 of RHCSA

In this last chapter of module-1 of RHCSA we will discuss about File permissions, SUID, SGID, sticky bit, acl, nmcli, and nmtui which are a very important aspect of RHCSA examination. Till date we have discussed basics of RHCSA certificate examination, basic command lines which are required for Red Hat Administration, user and group management, vim file editor and other file management tools, you can go through following links to have a look on previously published articles of the series:

http://www.unixmen.com/everything-know-rhcsa-certification/

http://www.unixmen.com/basics-must-know-rhcsa-exam-preparation/

http://www.unixmen.com/learn-man-vim-editor-file-globbing-rhcsa/

http://www.unixmen.com/learn-file-management-commnad-line-required-rhcsa /

http://www.unixmen.com/hard-soft-links-user-group-management-rhcsa/

For today we will cover following topics.

  1. Linux file permissions using basic permissions, specials permissions  with SUID, SGID, Sticky bit and ACL in Red hat Linux.
  2. Managing network services configuration in Red hat Linux using nmcli and nmtui.
  3. Secured remote access via ssh.

    Managing basic file permissions in  Red Hat Linux

    User could have read, write or execute permission on any directory or file, additionally there are some special permissions i.e. SUID, SGID or ACLs. Have a look on various aspects of file or directory permissions.

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Go to /home directory and list contents

# cd /home && ls -l

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Latter d means it is a directly, then we have rwx on first three positions which means user have read (r), write (w) and execute (x) permission with the directory, next three -(minus) shows that group do not have any permissions and further next three – (minus) spaces shows that there no permission for others which means rest of the world which is not the part of this group. These r ead, w rite and e x ecute permissions can also be denominated by numerical values of 4 (read),2(write) and 1(execute). These permission can be applied for u ser, g roup and o ther or ugo .

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA Example

Create a file and change its permissions, use chmod command to change permissions.

# touch examplefile # chmod 754 examplefile

The above command will set read, write and execute permissions for user (4+2+1), read and execute permission  (4+1) for group and read (4) for others.

Let us change permissions for by another method using rwx

Remove execute permission from group for examplefile

# chmod g-x examplefile

Have a look

# ls -l examplefile  -rw-r--r--. 1 root root 0 May 31 03:57 examplefile

Add execute permissions to user group and others

# chmod ugo+x examplefile

Have a look

# ls -l examplefile  -rwxr-xr-x. 1 root root 0 May 31 03:57 examplefile

It  is recommended to use digital method for changing file permissions as this method is simple and less confusing.

Understanding special permissions using SUID, SGID and sticky bit

Sometimes files required execute permissions for users which are not the members of the owner’s group, in that case you will be required to provide special execute permissions. When SUID is set then user can run any program like owner of the program. SUID means set user ID and SGID means set group ID.

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

SUID have a value of 4 or use u+s. SGID has value of 2 or use g+s similarly sticky bit has a value of 1 or use +t to apply the value.

Managing SUID in Red Hat Linux

Let us have a look in passwd command program which is executable by all users, you can notice a small ‘s’ in permission of the file, due to SUID set for the program, every user can change their own passwd by executing that passwd file.

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Create some shell script as root.

# vim um.sh

Put some contents in that file

#! /bin/bash echo "hi do you want to list contents of /root?" read rm -rf /

Now this is a very dangerous file,  give execute permission to the file.

# chmod +x um.sh

Run that file with some non root user,  file will be executed but there will be permission issue.

Let us assign special permission for that file using suid, now user can run that file like owner, which can give some serious damage.

# chmod +s um.sh

Have a look to the permissions now

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

The red highlighted area indicate that the file is possessed with suid.

Important:The above script is for example only, do not run this script on your system at all, you are never recommended to use SUID, it is never used in routine administration life, avoid to give  special permission using SUID. Set user id is only used in some of system files like passwd command.

Managing SGID in Red Hat Linux

A special permission given to the user for a directory, it is a temporary permission which give rights of group membership so that the other user can use that file like member of the owner’s group.

Example

Create a directory named /datashare

# mdkir /datashare

Create a new user named guest1

# useradd gst1

Create a group sales

# groupadd sales

Change group ownership of /datashare to sales group

# chgrp sales /datashare

Now, add user guest1 to group sales

# usermod -G guest1,sales guest1

Create a new file in /datashare directory as user guest1

# su - guest1 -c  "touch /datashare/hi.txt"

Have a look in permissions, this file belongs to group guest1

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Now change group id for the folder /datashare

# chown g+s /datashare

or

# chown 2775 /datashare

Again create some file in /datashare

# su - guest1 -c  "touch /datashare/echo.txt"

Have a look on ownership again

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

You can see that ownership of file is changed to group sales.

Using Sticky bit in Red Hat Linux 7

Sticky bit is a permission bit that will only let the owner of the directory to delete or rename the contents. /tmp comes with a sticky bit by default so that all of the user can access that directory, but file created by one user can not be deleted by some another user. Have a look

# ls -ld /tmp

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA You can see that although /tmp have read, write and execute permissions for all but sticky bit is enabled which is represent by t so that only owner of the file can  delete or rename that file.

Apply sticky bit to some new folder with full permissions to all.

# mkdir /example && chmod 777 /example

Apply sticky bit with chmod command adding +t  to apply sticky bit.

# chmod +t /example

Create some file with user example1. and try to delete this file logging in with user example2,

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

This is clear in above example that only owner of  the file can delete or rename the file.

Managing ACL in Red Hat Linux

Access control list is used to give permissions to more then one user or group on a directory, using acl you can give less permission to one group for a file and more permission to anther file for the same file.

or you can specify default permissions for newly created file/directories, for example you can define that every newly created file will be having right permission.

To see current access control settings use

# getfacl

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Create a new directory

# mkdir acl

Let us give rw permission to group sales for that directory using acl.

With the help of setfacl command acl is defined, -R for recursive option, -m to modify default permissions. for group and define what permisson you have to assign.

# setfacl -R -m g:marketing:rw acl/

To set default acl for all of the files or directories which will be created in that directory we need to define default acl, add before to apply these settings as default.

# setfacl -m d:g:marketing:rw acl/

Have a look on these modified permissions

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

You can notice that in above example default settings and group ‘marketing’ permissions are set to r ead and w rite.

Create a new directory under acl/

# mkdir /acl/123

Have a look on permissions, you can see that permissions are same as of parent directory.

# getfacl

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA acl play a very important role when you need to give access of some directory to more then one users or groups.

Manage and configure networking in Red Hat Linux

There are certain tools with the help of which network services can be handled in red hat Linux 7.

Manage ip addressing usingipcommand in Red Hat Linux

Show current address

# ip addr show

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Show default gateway or routing table

# ip route show

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Add ip address using ip tool

add -add a new ip

dev -device name

enp0s3- device name

# ip addr add dev enp0s3 192.168.100.1/24

Create a new gateway

# ip route add 192.168.0.0/24 via 192.168.100.1

Have a look

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

But if server is rebooted, all settings will be vanished, so you are required to save those settings.

Storing IP configuration in Red Hat Linux

Best method is to use GUI interface to manage IP addressing in Red Hat Linux 7, click on network icon, go to setting and define ip address.

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Apply settings, now network setting will be stored as permanent  in your network script under /etc/sysconfig/network-scripts/ directory

# cd /etc/sysconfig/network-scripts/

Have a look in your network script

 # nano ifcfg-enp0s3

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Using nmcli andnmtuiin Red Hat Linux 7

List working connection

# nmcli connection show  NAME UUID TYPE DEVICE  enp0s3 2ecbad04-ce11-47b7-bf0f-aa4b3d2c5670 802-3-ethernet enp0s3

Add a new connection with nmcli

Use

add  – to add connection

con-name – define name of new connection

ifname – name of interface

type – define interface type

ip4 – assign i paddress

you can use <TAB> to auto complete the command

# nmcli connection add con-name unixmen ifname enp0s3 type ethernet ip4 192.51.10.1/24

Show connections

# nmcli connection show

New connection is listed

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

A new script will be generated in /etc/sysconfig/network-scripts/.

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Put down this unixmen connection

# nmcli connection down unixmen

Up this connection

#  nmcli connection up unixmen

Another method to configure network interface in  red hat 7 is nmtui

# nmtui

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Edit connection you wants to configure

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Save configurations

# systemctl restart NetworkManager

Display hostname

# hostnamectl status

Securing remote services with ssh in Red Hat Linux 7

Secure shell allow user to login to server remotely in a secure way.

Login to server using ssh

# ssh localhost

When you login first time using ssh, a key fingerprint is generated which is stored in target machine permanently  in .ssh/known_hosts under home directory.

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA Have a look

# cat ~/.ssh/known_hosts

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

ssh configuration settings are stored under /etc/ssh/sshd_config  file, have a look

# nano /etc/ssh/sshd_config

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Default port for ssh is 22, but you can change that port via configuration file, to disable root login change PermitRootLogin settings to no.

When a client connect to ssh server, server send its identity to client via sending /etc/ssh/ssh_host.pub file to the connecting client which is a shred public key to build a trusted connection.

Connect to remote host using key based authentication instead of using password.

In key based authentication we use private key which is stored locally and public key which is shared with remote host. We need to generate those keys first using following command, left password option as empty.

# ssh-keygen

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Notice that id.rsa and id.pub keys are generated which are stored in .ssh under home directory.

Copy public key with target host.

# ssh-copy-id 192.51.15.205

Give password of the host machine when prompted.

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

Now ssh the 192.51.15.205 machine, it will not ask for any password.

File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

This is how we can manage remote services with trusted key based remote access or password based authentication based access.

Conclusion

Candidate should be able to manage file permissions, special file permissions using SGID, SUID, sticky bits, candidate can manage advanced file permissions using acl. chmod, getfacl, setfacl are the important commands which must be memorised for RHCSA exam preparation, think twice before defining file permissions, never use SGID in routine Linux administration practices, this was the last chapter of Module-1 of RHCSA examination preparation guide. From next chapter we will continue with Module-2 of RHCSA.

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » File permissions, SUID, SGID, sticky bit, acl, nmcli, ssh, and nmtui tools for RHCSA

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址