8.2.3 File Permission

File System Permissions

Introduction to File System Permissions

  • File system permissions are crucial for securing access to files and directories on a system.
  • Each object in the file system is associated with an Access Control List (ACL).
    • The ACL defines the user accounts (or principals) that are allowed to access that resource and specifies their respective permissions.
  • The arrangement of Access Control Entries (ACEs) within the ACL plays a significant role in determining the effective permissions for a particular user account.
  • File systems such as NTFS, ext3/ext4, or ZFS can enforce ACLs.

Configuring Access Control Entries

  • The process to set permissions often involves configuring ACLs specific to resources such as folders and files.
  • Example of a permission dialog box:
    • The configuration allows the principal "Everyone" to have certain permissions applicable to "This folder, subfolders and files".
    • Key permission options include:
      • Full control
      • Traverse folder / execute file
      • List folder / read data
      • Read attributes
      • Read extended attributes
      • Create files / write data
      • Create folders / append data
      • Write attributes
      • Write extended attributes
      • Delete subfolders and files
      • Delete
      • Read permissions
      • Change permissions
      • Take ownership
    • In the example, only certain checkboxes are selected: List folder/read data, Read attributes, Read extended attributes, Read permissions.

Basic File Permissions in Linux

  • Types of Permissions:
    • Read (r): Ability to view file contents or list directory contents.
    • Write (w): Ability to modify a file or create, rename, and delete files in a directory (the directory operations also require execute permission on the directory).
    • Execute (x): Ability to run scripts, programs, or software, and to perform directory tasks like file searching.
  • Permission String Representation:
    • Example: drwxr-xr-x
      • Indicates a directory (the leading d) whose owner has read (r), write (w), and execute (x) permissions.
      • Group and others have read and execute permissions.
  • Changing Permissions with chmod:
    • The chmod command modifies permissions in either symbolic mode or absolute mode.
    • Symbolic mode alters permissions by adding or removing them:
      • Example command: chmod g+w,o-x home
      • Adds write permission for the group and removes execute permission from others. The clauses are separated by a comma with no space.
    • Absolute mode, such as chmod 755 home, employs octal notation:
      • Permission values: r=4, w=2, x=1
      • Example representation:
        • 755 translates to:
          • Owner: 7 (read + write + execute = 4 + 2 + 1)
          • Group: 5 (read + execute = 4 + 1)
          • Others: 5 (read + execute = 4 + 1)
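
Added example (not part of the original notes): a small Python model of the two chmod modes above, converting the string drwxr-xr-x to octal and then applying the symbolic clauses g+w,o-x to it. The function names are hypothetical, and special bits (setuid, setgid, sticky) and the = operator are deliberately not handled.

```python
import re
import stat

PERM_BITS = {"r": 4, "w": 2, "x": 1}   # values from the notes: r=4, w=2, x=1
SHIFT = {"u": 6, "g": 3, "o": 0}       # bit offset of owner, group, others

def string_to_octal(perm_string):
    """Convert an ls-style string such as 'drwxr-xr-x' to octal text ('755')."""
    triads = perm_string[1:10]         # skip the file-type character ('d', '-')
    if len(triads) != 9:
        raise ValueError("expected a 10-character permission string")
    digits = []
    for i in range(0, 9, 3):           # owner, group, others
        value = 0
        for expected, ch in zip("rwx", triads[i:i + 3]):
            if ch == expected:
                value += PERM_BITS[expected]
            elif ch != "-":
                raise ValueError(f"unsupported character {ch!r}")
        digits.append(str(value))
    return "".join(digits)

def apply_symbolic(mode, clauses):
    """Apply comma-separated clauses like 'g+w,o-x' to an integer mode."""
    for clause in clauses.split(","):
        m = re.fullmatch(r"([ugoa]+)([+-])([rwx]+)", clause)
        if m is None:                  # e.g. a stray space after the comma
            raise ValueError(f"unsupported clause {clause!r}")
        who, op, perms = m.groups()
        classes = "ugo" if "a" in who else who
        mask = 0
        for cls in classes:
            for p in perms:
                mask |= PERM_BITS[p] << SHIFT[cls]
        mode = mode | mask if op == "+" else mode & ~mask
    return mode

def demo():
    """Start from drwxr-xr-x (755) and apply g+w,o-x as in the notes."""
    start = int(string_to_octal("drwxr-xr-x"), 8)
    after = apply_symbolic(start, "g+w,o-x")
    return format(start, "o"), format(after, "o"), stat.filemode(stat.S_IFDIR | after)

if __name__ == "__main__":
    print(demo())
```

Starting from 755, the two clauses leave the directory at 774: the group gains write access and others keep read only.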

Windows File Permissions

  • File access on Windows is governed by two types of permissions:
    • Share Permissions:
      • Control access through network connections to a file server.
      • Local access is not governed by share permissions.
      • Levels of Share Permissions:
        • Reader: Read-only access.
        • Contributor: Read and write access.
        • Owner/Co-owner: Full control.
      • Applicable only to folders.
    • NTFS Permissions:
      • Can be applied to drives, folders, and files, controlling both local and network access.
      • Allow granular control with many permission options.
      • Require drives to be formatted in NTFS.
  • Note on DACLs:
    • Both share and NTFS permissions utilize a Discretionary Access Control List (DACL) to manage access.
    • The DACL specifies the users/groups and their permissions for files or directories.
    • Permissions can either be Allow/Permit or Deny, with Deny taking precedence over Allow.

Effective Permissions

  • A user’s effective permissions are determined by:
    • The most restrictive permissions assigned between share and NTFS.
  • If a user has access through a share but lacks corresponding NTFS permissions, the user will not be granted access.
  • Strategy for Combining Permissions:
    • Assign Co-owner share permissions to Everyone, controlling access via NTFS permissions.
    • Employ the principle of least privilege:
      • Assign NTFS permissions only to necessary groups and limit the permissions assigned to these groups.
    • Even with share permissions for Everyone, only users/groups with specific NTFS permissions will gain access.
  • Inheritance of Permissions:
    • Permissions for folders and files can be inherited.
    • Advanced Security settings in Windows indicate when permission inheritance is active.
    • Best practice is to assign permissions to groups rather than individual users to enhance manageability.