The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?

Click the "C Language and CPP Programming" above, select "Follow/Pin/Star the public account"

Useful benefits delivered first!
Recently, some friends said they did not receive the article push for the day. This is because WeChat has changed the push mechanism, causing those who have not starred the public account to miss the articles pushed on that day, and they cannot receive some practical knowledge and information. Therefore, it is recommended that everyone star ⭐️ the account, so you can receive the push immediately in the future.
Link: https://blog.csdn.net/GGDxianv/article/details/144171476?

☞ Liang Xu's course has completely exploded! ☜

Linux Permissions (A Detailed Understanding of Linux Permissions)

  • 1. Two Types of Users in Linux
    • Superuser (root) and Regular User
      • su Command
      • sudo Command
  • 2. Linux Permission Management
    • 2.1 File Accessors
        • Owner
          • Group
          • Others
      • 2.2 File Types and Access Permissions
        • File Types
          • Representation of File Permission Values
          • Methods for Setting File Access Permissions (chmod)
          • Changing File Owner or Group (chown and chgrp)
      • 2.3 Directory Permissions
      • 2.4 Default Permissions
        • umask Permission Mask
      • 2.5 Sticky Bit

1. Two Types of Users in Linux

Superuser (root) and Regular User

There are two types of users in Linux: the superuser (root) and regular users.The superuser can do anything in Linux without restrictions.Regular users are limited in what they can do in Linux.

You can check whether you are a superuser or a regular user by using the whoami command.

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?

You can see that the command prompt for the superuser is #, while the command prompt for regular users is $.

su Command

How do we switch users under different accounts?We can switch users using the su command. If switching from the superuser to a regular user, you can do so by using su + the username of the regular user. If switching from a regular user to the superuser, simply use the su command and enter the superuser’s password to complete the switch.

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?

sudo Command

Temporarily elevate privileges for specific commands for regular users.When we use sudo to elevate privileges, we may encounter errors. This is because there is something similar to a whitelist; the current user does not have sudo privileges.To use sudo, your current user must be configured in the /etc/sudoers file. At this point, the administrator needs to add the current user to the user group allowed to use sudo (usually sudo or wheel). This is not a big issue, but if you want to know more, you can check this blog Detailed Explanation of the Linux Command sudo.

2. Linux Permission Management

2.1 File Accessors

In simple terms, the essence of permissions is what can and cannot be done. Permissions primarily restrict roles, and the target must have the corresponding attributes.Linux permissions consist of roles and target permission attributes.Permissions = Role + Target Permission AttributesRoles include Owner, Group, and Others.

Roles:

  1. 1. Owner 2. Group 3. Others

Owner (User, u): The owner of the file or directory.Group (Group, g): The user group to which the file or directory belongs.Others (Others, o): All users other than the file owner and user group.

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?

Owner

The owner is the current user in Linux, whether superuser or regular user. The owner of the file or directory.

Group

The users in the group to which the file or directory owner belongs. More refined permission management requires more detailed identity roles.

Others

Other users. However, we find that Others are not recorded.Others do not need to be recorded due to log redundancy and excessive auditing issues, as Others include all users who are not the file owner or group, and operations are frequent and difficult to record accurately. The focus of auditing is different; administrators are more concerned about specific users, groups, and command executions, rather than every change in Others permissions. In terms of security and permission management, changes to Others permissions are usually infrequent and should not occur often, so they generally do not need to be specially recorded.

2.2 File Types and Access Permissions

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here
The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

File Types

d indicates a directory, – indicates a file.

Representation of File Permission Values

r indicates read permission, w indicates write permission, x indicates executable permission.

drwxr-xr-x  2 root root 4096 Dec  1 17:53 code/

In the above example, the owner has read, write, and execute permissions, the group has read and execute permissions but not write, and others have read and execute permissions but not write.

Numeric Expression

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

These rwx are binary states, either allowed or not allowed. Therefore, if it is rw-rw-r–, the binary is 110 110 100, and the octal is 664.

Methods for Setting File Access Permissions (chmod)

Command chmod: sets the access permissions of a file.

chmod u-r code

This modifies the read permission for the owner of the file code, changing it from allowed to not allowed.

root@hcss-ecs-48ab:~/learn/test_12_1# chmod u-r code
The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

chmod u+r

This modifies the read permission for the owner of the file code, changing it from not allowed to allowed.

root@hcss-ecs-48ab:~/learn/test_12_1# chmod u+r code
The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

chmod g-r code

This modifies the read permission for the group of the file code, changing it from allowed to not allowed.

root@hcss-ecs-48ab:~/learn/test_12_1# chmod g-r code
The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

chmod g-r codeThis modifies the read permission for the group of the file code, changing it from allowed to allowed.

root@hcss-ecs-48ab:~/learn/test_12_1# chmod g+r code

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

Earlier, we learned about numeric expressions and the conversion between binary and octal. When modifying file access permissions, you can also use octal notation.

Octal 666 corresponds to binary 110 110 110, which is rw- rw- rw-.

root@hcss-ecs-48ab:~/learn/test_12_1# chmod 666 code
The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

Note:

  1. 1. Users can only modify their own file permissions.
  2. 2. Without permission, the system will refuse access.
  3. 3. When determining permission information, the system will determine user roles, and this is only determined once. The determination is made in order from owner, group, to others.
  4. 4. The root user’s permissions are not restricted.
  5. 5. The above describes a series of executions; executable permission != file executable.

Changing File Owner or Group (chown and chgrp)

chown modifies the owner of a file/directory.chgrp modifies the group of a file/directory.

Change the owner of the code file from the root superuser to a regular user.

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

Change the owner of the code file from a regular user to the superuser.

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

Change the group of the code file from the superuser to a regular user.

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

Change the group of the code file from a regular user to the superuser.

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

Note:When we are regular users, the system defaults to not allowing us to pass files to others. If we want to give files to others, we must elevate permissions. When a user is a regular user, they are not allowed to pass files to others.

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

2.3 Directory Permissions

We previously learned about directory types; those starting with d are directories, while those starting with – are files.

Note: This refers to regular users; superusers are not restricted.

  1. 1. If a directory does not have r, you cannot view the files inside the directory.
  2. 2. If a directory does not have w, you cannot create files in the directory.
    The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
    Insert image description here

2.4 Default Permissions

For regular files, the initial permission is 666, which does not include executable by default.For directory files, the initial permission is 777, which includes executable by default.

umask Permission Mask

Final permissions = Initial permissions & (-umask)The purpose of umask is that any permissions appearing in umask should not appear in the final permissions.

The default permissions are determined by the operating system and cannot be modified before creation. By using umask, the system can be configured flexibly to meet the required situations. Configuring umask can control the default permissions of files, allowing our code to be manageable.

2.5 Sticky Bit

In a regular user’s directory, creating a regular user file and a superuser file. The access permissions of this regular user’s file relative to the superuser’s file are Others, and under the regular user, operations can be performed on the superuser’s file based on rwx. When the access permissions of the superuser’s file for Others are modified to not writable, not readable, and not executable, the regular user cannot perform any operations on the superuser’s file. However, the regular user can delete this file. This leads to the conclusion that whether a file can be deleted is not related to the file itself, but to the w permission of the directory in which it is located.

When two users need to share a file, the tmp directory is a public directory in a multi-user environment. A public directory is created under the tmp directory. At this point, both users can modify it, and of course, users other than the two can also modify this file. This is where the sticky bit comes into play.

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

In Linux systems, the sticky bit is a special permission bit primarily used to control the deletion operations of files in specific directories. After setting the sticky bit,the current user can only delete their own shared files and cannot delete another user’s shared files. Only the file owner or root user can delete or move that file, while other users cannot delete or move these files even if they have write permissions.

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?
Insert image description here

When a directory is set to “sticky bit” (using chmod +t)

chmod +t directory  # Set sticky bit for the directory
chmod -t directory  # Remove sticky bit from the directory

Delete shared files in the tmp directory, root deletes.

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?

The Dark Side of Linux Permissions: Why Root Abuse Can Lead to Disaster?

Recommended Reading Click the title to jump

1. C++ Training Camp, here it comes!

2. HarmonyOS Learning Material Sharing (Free Sharing Without Tricks)

I have formed some communities for communication, where there are experts and beginners. If you are interested, you can join the group for discussion.

Feel free to add my WeChat, and I will add you to the technical exchange group. Additionally, I will often share some computer learning experiences and work insights on WeChat, as well as some internal referral opportunities.

Add WeChat to open another window.

Thank you for your sharing, likes, and triple clicks.

Leave a Comment