Task 1: Unix permissions

In Unix, the kernel is the program that has unrestricted access to the whole machine. All other programs (subjects) run as a specific identity and their access to files and devices (objects) is mediated by the kernel.

User and group id

Access decisions are made on the basis of the userid/groupid associated with the program.

If the user is root (userid = 0), access is always granted by the kernel.

Users have a primary group which usually have same id ad name as the user id, but they may belong to several additional groups. By joining an existing group, a user inherits the permissions it grants. Command id displays information about user and group id:

alice:~$ id
uid=1000(alice) gid=1000(alice) groups=1000(alice),1003(student)

alice:~$ groups 
alice student

Explanation:

  • uid is the user id, for alice it is number 1000
  • gid is the primary group id, for alice it is the same as uid, i.e., 1000. This group is the one assigned at login and is used when files are created (see below)
  • groups lists all the groups alice belongs to: alice(the default group) and student

In the docker container you have three users (alice, bob, carol), plus root. Use su command to switch from one user to the other. You start as alice. Passwords for bob, carol and root are the same as the username:

alice:~$ su bob
Password: 

bob:/home/alice$ exit
exit

alice:~$

su bob starts a shell as bob. With exit you go back to alice shell.

Unix permissions

Using the ls -l command we can display the Unix permissions set to a file or a directory:

alice:~$ touch myfile # creates an empty file named myfile

alice:~$ ls -l myfile
total 0
-rw-r--r-- 1 alice alice 0 Oct  3 08:08 myfile

Explanation:

  • The fields displayed from left to right are:
    • file permissions -rw-rw-r--,
    • number of links 1,
    • owner name alice,
    • owner group alice, (the primary group is used when creating a new file)
    • file size 0,
    • time of last modification Oct 3 08:08, and
    • file/directory name myfile
  • Apart from the first - (which represents the type of the file), file permission rw-rw-r-- is made of 3 triads defining the permissions granted to the owner, to the group and to all the other users, respectively. Each permission triad is commonly made up of the following characters:
    • r: the file can be read / the directory’s contents can be shown
    • w: the file file can be modified / the directory’s contents can be modified
    • x: the file can be executed / the directory can be traversed
    • s: the file is SUID if s is found in the user triad (SGID if s is in the group triad). Implies x. Enables the file to run with the privileges of its owner (or group).

Example 1

In the following example file rootfile1 is owned by root and has group student. It gives read and write permissions to root and only read permission to student:

alice@3545200f0b11:~$ ls -l  rootfile1
-rw-r----- 1 root student 39 Oct  3 08:26 rootfile1

alice@3545200f0b11:~$ id
uid=1000(alice) gid=1000(alice) groups=1000(alice),1003(student)

alice@3545200f0b11:~$ cat rootfile1     # read access
This file is readable by student group

alice@3545200f0b11:~$ cat > rootfile1   # write access
bash: rootfile1: Permission denied

Explanation:

  • rw-r----- gives read/write permissions to owner (root) and only read permission to group student
  • cat rootfile1 prints the file content (read access) and this is allowed since alice belong to group  student
  • cat > rootfile1 writes from stdin into the file (write access) and this is not allowed since student group permissions are r--

Example 2

File rootfile2 has the same permissions as rootfile1 but group is  root, so it can only be read by root:

alice@3545200f0b11:~$ ls -l rootfile2 
-rw-r----- 1 root root 35 Oct  3 08:26 rootfile2

alice@3545200f0b11:~$ cat rootfile2   # read access
cat: rootfile2: Permission denied

alice@3545200f0b11:~$ cat > rootfile2 # write access
bash: rootfile2: Permission denied 

Exercise

Look for a file in /tmp/ that is accessible by alice. It contains the password to Task 2!