Sunday 29 July 2018

Linux Extended-Attributes - My studies about: Permissions, ACL, Extended-Attributes, Capabilities -- OMV: Users, groups

20180729
 **My studies about:  Permissions, ACL, Extended-Attributes, Capabilities**
  tricky bulk commands find
 **OMV: Users, groups .. Permissions, Privileges and ACL **
 ejemplos
 --
 stat getfattr setfattr getcap setcap getfacl setfacl


{{{

{ doc

# ls -l -- show a + as last permission letter if there are any ACL, (no capabilities)
# Detailled: https://wiki.archlinux.org/index.php/File_permissions_and_attributes
# s - (4000) for user --> chmod u+s, setuid, should has x: https://en.wikipedia.org/wiki/Setuid#Sticky_bit
# s - (2000) for group --> chmod g+s, setguid, should has x, for dirs set group for new items and inherite it for folders.
# t - (1000) for Sticky bit --> chmod +t / chmod -t, /tmp only owner can delete it, https://en.wikipedia.org/wiki/Sticky_bit
ls -l
ls -lad /sharedfolders/*
stat --format "(%4a/%A) (%5u/%10U) (%5g/%10G) %n"  /sharedfolders/*

# shows any attribute (Capabilities [security.capability=], ACL [system.posix_acl_ ..=])
# of the files (but not normal ones of owner, group, others)
#
# -d dump , -m "-" all attributes (default is show none !!).
# -R recursive
# in general used by tools do copy attributes (owner, group, others + attributes)
#  **very good** explanation, but from 2005, mainly up to date: http://vanemery.net/Linux/ACL/linux-acl.html
getfattr -d -m "-" --absolute-names /usr/bin/fping /usr/bin/tail
getfattr -R -d -m "-" --absolute-names /usr/bin/fping

setfattr -n user.comment -v "this is a comment" hello1.txt


# https://www.insecure.ws/linux/getcap_setcap.html
# get file / folder capabilities -- lo de comportarse como root, ping
# -r recursive  ; -v display all items even if it has no file-capabilities.
getcap /bin/ping /usr/bin/fping /usr/bin/fping6
getcap -r /

# setcap - capabilities, used in very few cases
# https://unix.stackexchange.com/questions/389879/how-to-set-capabilities-with-setcap-command
# ver:
# Command: https://linux.die.net/man/8/setcap
# Available: https://linux.die.net/man/7/capabilities
# Syntax: https://linux.die.net/man/3/cap_from_text
setcap cap_net_raw,cap_net_admin+ep eth_dump


# get ACL (access control lists) for files / folders
# --absolute-names  - otherwise are relatives.
# -s, --skip-base -- Skip files that only have the base ACL entries (owner, group, others).
# -t, --tabular -- Use an alternative tabular output format: acl default, very helpfull but does not show s and t flags
#                        In uppercase/capitalized: Owner user and group, and ineffective permission due to mask
# -R recursive
getfacl --absolute-names -s /usr/bin/fping /usr/bin/tail
getfacl --absolute-names -s -t /usr/bin/fping /usr/bin/tail
getfacl --absolute-names /usr/bin/fping /usr/bin/tail

# set ACL - it's very complex, normal, default, especifics, mask ..
# https://jlk.fjfi.cvut.cz/arch/manpages/man/setfacl.1
# Here, it explains default and mask rules.
#
# -b remove all ACL,
# -m u:lisa:r file  -- add/modify user lisa ACL
# -x g:staff file -- remove group staff entries,
# -d apply to defaults, only for folders,
#
# -dm "entry"

-- allow all files or directories to inherit ACL entries from the directory it is within
setfacl -m u:lisa:r file


# for a quickview
ls -lad /sharedfolders/*
getfacl --absolute-names -s -t /sharedfolders/*



OMV ACL Permissions and Privileges
{
http://openmediavault.readthedocs.io/en/latest/administration/access_rights_management.html#id8
Incompleta, ver los post de subzero79 más abajo.
Grupo sudo para ser administrador
Shared folders - are created as root:users , and permissions as selected but with g+s (27xx).
LBR:
Shared folders : --a_share-- : ACL - up-left (Directory) - folder to work with.
Shared folders : --a_share-- : ACL - up-right (User/Group *permissions*) - ACL for the selected folder: rw / r / no-access
Shared folders : --a_share-- : ACL - bottom (Extra option) - Owner/group and privileges for the selected folder.
--> this write info to disk
--> Regla dejar u/g: root/Users y permisos rwx/rwx/rwx o rwx/rwx/r--
Pero no cambiar de grupo Users o los demonios no podrán dejar ficheros ahí ver.
Para uso normal no canbiar de usuario, grupo o permisos. ver
https://forum.openmediavault.org/index.php/Thread/7215-OMV-General-POSIX-File-System-Permission-Balance-chmod-%E2%80%93-chown-%E2%80%93-setgid-umask-co/
https://forum.openmediavault.org/index.php/Thread/6309-Privileges-and-permissions-explained-under-OMV/


Shared folders : --a_share-- : *Privileges** - This apply **only for Sharing protocols** and to it's top folder.
For example if a user has rwx privileges and you set No access, he/she will not be able to access the file by sharing,
no change on file system.
LBR I think that you can be more restricted with this way, not grant more access.

==> muy bien explicado: https://awasu.com/weblog/omv-bpi/managing-permissions-in-omv/
}



# tricky bulk commands
# tricky bulk commands
# tricky bulk commands

# Find Sticky bit files / folders:
find / -mount -perm /1000

# Find setuid-root files:
find /usr/bin /usr/lib -perm /4000 -user root

# Find setgid-root files:
find /usr/bin /usr/lib -perm /2000 -group root



# To chmod only directories to 755:
find directory -type d -exec chmod 755 {} \;

# To chmod only files to 644:
find directory -type f -exec chmod 644 {} \;

} fin doc



{{ **OMV: Users, groups .. Permissions, Privileges and ACL **

OMV change password
Access the server with your user and there is an option to change your password.
http://openmediavault.readthedocs.io/en/latest/administration/access_rights_management.html#acl-access-control-list
Incompleta, ver los post de subzero79 más abajo
Grupo sudo para ser administrador

**Permissions, Privileges and ACL?**

OMV General POSIX File System Permission Balance: chmod – chown – setgid - umask concepts
by subzero79, Jan 12th 2015 https://forum.openmediavault.org/index.php/Thread/7215-OMV-General-POSIX-File-System-Permission-Balance-chmod-%E2%80%93-chown-%E2%80%93-setgid-umask-co/
--> **fundamental**, usuarios, grupos, permisos

by subzero79, Oct 29th 2014 https://forum.openmediavault.org/index.php/Thread/6309-Privileges-and-permissions-explained-under-OMV/
--> **fundamental**, muy bueno, default 2775 y con algunos trucos para situaciones complicadas (BONUS Track:) 27xx

by tekkb, Jul 21st 2015 https://forum.openmediavault.org/index.php/Thread/10574-Permissions-Privileges-and-ACL/
--> demasiado directo y refiere al anterior.

by taka, 4th October 2015 https://awasu.com/weblog/omv-bpi/managing-permissions-in-omv/
https://forum.openmediavault.org/index.php/Thread/19182-Understanding-basic-security-ACL-on-shared-folders/?postID=150666#post150666
--> bonitos pero incompleto


daemon umask ver arriba (OMV General POSIX File System..)

transmission umask / 022 octal -> 18 -- parece el inverso .. y es lo inverso  perm & ~ umask
https://github.com/transmission/transmission/wiki/Editing-Configuration-Files
https://forum.openmediavault.org/index.php/Thread/7081-No-write-access-rights-for-transmission-created-folders/

subzero79 - umask in transmission to 2 (775 mode) or 0 (777 world writable) mode in the webui
https://forum.openmediavault.org/index.php/Thread/7081-No-write-access-rights-for-transmission-created-folders/?postID=65077#post65077
--> **Genial** https://askubuntu.com/questions/44542/what-is-umask-and-how-does-it-work

File permissions and attributes
https://wiki.archlinux.org/index.php/File_permissions_and_attributes

https://wiki.archlinux.org/index.php/Access_Control_Lists

https://forum.openmediavault.org/index.php/Thread/2652-What-is-the-difference-between-Privileges-and-ACL/


}} fin de  **OMV: Users, groups .. Permissions, Privileges and ACL **

{{ ejemplos

{
# para un vistazo rápido
ls -lad /sharedfolders/*
getfacl --absolute-names -s -t /sharedfolders/*



root@omv4vm:/sharedfolders#
root@omv4vm:/sharedfolders#
root@omv4vm:/sharedfolders# ls -lad /sharedfolders/*
drwxr-sr-x  2 root       users 4096 Jul  7 11:55 /sharedfolders/Almacen
drwxr-xr-x  2 root       root  4096 May 27 21:57 /sharedfolders/Backup-4-server
drwxr-sr-x  2 root       users 4096 May 27 22:41 /sharedfolders/Backups
drwxrwsr-x  3 root       users 4096 Jul  8 11:19 /sharedfolders/BORRAR
drwxr-sr-x  2 root       users 4096 May 27 22:41 /sharedfolders/Descargas
drwxrws---+ 7 backupUser users  100 Jul  7 10:06 /sharedfolders/lacie-n2-BackupEspacio
drwxrwsr-x+ 4 root       users   35 May 20 19:04 /sharedfolders/Servidor_historico
root@omv4vm:/sharedfolders#
root@omv4vm:/sharedfolders#
root@omv4vm:/sharedfolders# getfacl --absolute-names -s -t /sharedfolders/*
# file: /sharedfolders/lacie-n2-BackupEspacio
USER   backupUser  rwx  rwx
user   luis        rwx  rwx
user   backupUser  rwx  rwx
GROUP  users       r--  r--
mask               rwx  rwx
other              ---  ---

# file: /sharedfolders/Servidor_historico
USER   root        rwx  rwx
user   luis        rwx  rwx
user   backupUser  rwx  rwx
GROUP  users       r--  r--
mask               rwx  rwx
other              r-x  --- -- THIS x SEEMS TO BE AN ERROR !!

root@omv4vm:/sharedfolders#
}


{
ls -lad /usr/bin/fping /usr/bin/tail
stat --format "(%4a/%A) (%5u/%10U) (%5g/%10G) %n"  /usr/bin/fping /usr/bin/tail
getfattr -d -m "-" --absolute-names /usr/bin/fping /usr/bin/tail
getcap /usr/bin/fping /usr/bin/tail
getfacl --absolute-names -s /usr/bin/fping /usr/bin/tail
getfacl --absolute-names -s -t /usr/bin/fping /usr/bin/tail
getfacl --absolute-names /usr/bin/fping /usr/bin/tail


root@omv4vm:~#
root@omv4vm:~# ls -lad /usr/bin/fping /usr/bin/tail
-rwxr-xr-x 1 root root 39232 Jan 11  2017 /usr/bin/fping -- ** NO ESPECIAL MARK HERE **
-rwxr-xr-x 1 root root 68584 Feb 22  2017 /usr/bin/tail
root@omv4vm:~#
root@omv4vm:~#
root@omv4vm:~# stat --format "(%4a/%A) (%5u/%10U) (%5g/%10G) %n" /usr/bin/fping /usr/bin/tail
( 755/-rwxr-xr-x) (    0/      root) (    0/      root) /usr/bin/fping
( 755/-rwxr-xr-x) (    0/      root) (    0/      root) /usr/bin/tail
root@omv4vm:~#
root@omv4vm:~#
root@omv4vm:~# getfattr -d -m "-" --absolute-names /usr/bin/fping /usr/bin/tail
# file: /usr/bin/fping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=

root@omv4vm:~#
root@omv4vm:~#
root@omv4vm:~# getcap /usr/bin/fping /usr/bin/tail
/usr/bin/fping = cap_net_raw+ep
root@omv4vm:~#
root@omv4vm:~#
root@omv4vm:~# getfacl --absolute-names -s /usr/bin/fping /usr/bin/tail
root@omv4vm:~#
root@omv4vm:~# getfacl --absolute-names -s -t /usr/bin/fping /usr/bin/tail
root@omv4vm:~#
root@omv4vm:~# getfacl --absolute-names /usr/bin/fping /usr/bin/tail
# file: /usr/bin/fping
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: /usr/bin/tail
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

root@omv4vm:~#
root@omv4vm:~#
}




{
ls -lad /sharedfolders/*
stat --format "(%4a/%A) (%5u/%10U) (%5g/%10G) %n"  /sharedfolders/*
getfattr -d -m "-" --absolute-names /sharedfolders/*
getcap /sharedfolders/*
getfacl --absolute-names -s /sharedfolders/*
getfacl --absolute-names -s -t /sharedfolders/*
getfacl --absolute-names /sharedfolders/*

root@omv4vm:/bin#
root@omv4vm:/bin# ls -lad /sharedfolders/*
drwxr-sr-x  2 root       users 4096 Jul  7 11:55 /sharedfolders/Almacen
drwxr-xr-x  2 root       root  4096 May 27 21:57 /sharedfolders/Backup-4-server
drwxr-sr-x  2 root       users 4096 May 27 22:41 /sharedfolders/Backups
drwxrwsr-x  3 root       users 4096 Jul  8 11:19 /sharedfolders/BORRAR
drwxr-sr-x  2 root       users 4096 May 27 22:41 /sharedfolders/Descargas
drwxrws---+ 7 backupUser users  100 Jul  7 10:06 /sharedfolders/lacie-n2-BackupEspacio -- ** ESPECIAL MARK HERE **
drwxrwsr-x+ 4 root       users   35 May 20 19:04 /sharedfolders/Servidor_historico -- ** ESPECIAL MARK HERE **
root@omv4vm:/bin#
root@omv4vm:/bin#
root@omv4vm:/bin# stat --format "(%4a/%A) (%5u/%10U) (%5g/%10G) %n" /sharedfolders/*
(2755/drwxr-sr-x) (    0/      root) (  100/     users) /sharedfolders/Almacen
( 755/drwxr-xr-x) (    0/      root) (    0/      root) /sharedfolders/Backup-4-server
(2755/drwxr-sr-x) (    0/      root) (  100/     users) /sharedfolders/Backups
(2775/drwxrwsr-x) (    0/      root) (  100/     users) /sharedfolders/BORRAR
(2755/drwxr-sr-x) (    0/      root) (  100/     users) /sharedfolders/Descargas
(2770/drwxrws---) ( 1005/backupUser) (  100/     users) /sharedfolders/lacie-n2-BackupEspacio
(2775/drwxrwsr-x) (    0/      root) (  100/     users) /sharedfolders/Servidor_historico
root@omv4vm:/bin#
root@omv4vm:/bin#
root@omv4vm:/bin# getfattr -d -m "-" --absolute-names /sharedfolders/*
# file: /sharedfolders/lacie-n2-BackupEspacio
system.posix_acl_access=0sAgAAAAEABwD/////AgAHAOkDAAACAAcA7QMAAAQABAD/////EAAHAP////8gAAAA/////w==
system.posix_acl_default=0sAgAAAAEABwD/////AgAHAOkDAAACAAcA7QMAAAQABAD/////EAAHAP////8gAAAA/////w==

# file: /sharedfolders/Servidor_historico
system.posix_acl_access=0sAgAAAAEABwD/////AgAHAOkDAAACAAcA7QMAAAQABAD/////EAAHAP////8gAAUA/////w==
system.posix_acl_default=0sAgAAAAEABwD/////AgAHAOkDAAACAAcA7QMAAAQABAD/////EAAHAP////8gAAAA/////w==

root@omv4vm:/bin#
root@omv4vm:/bin#
root@omv4vm:/bin# getcap /sharedfolders/*
root@omv4vm:/bin#
root@omv4vm:/bin# getfacl --absolute-names -s /sharedfolders/*
# file: /sharedfolders/lacie-n2-BackupEspacio
# owner: backupUser
# group: users
# flags: -s-
user::rwx
user:luis:rwx
user:backupUser:rwx
group::r--
mask::rwx
other::---
default:user::rwx
default:user:luis:rwx
default:user:backupUser:rwx
default:group::r--
default:mask::rwx
default:other::---

# file: /sharedfolders/Servidor_historico
# owner: root
# group: users
# flags: -s-
user::rwx
user:luis:rwx
user:backupUser:rwx
group::r--
mask::rwx
other::r-x
default:user::rwx
default:user:luis:rwx
default:user:backupUser:rwx
default:group::r--
default:mask::rwx
default:other::---

root@omv4vm:/bin#
root@omv4vm:/bin#
root@omv4vm:/bin# getfacl --absolute-names -s -t /sharedfolders/*
# file: /sharedfolders/lacie-n2-BackupEspacio
USER   backupUser  rwx  rwx
user   luis        rwx  rwx
user   backupUser  rwx  rwx
GROUP  users       r--  r--
mask               rwx  rwx
other              ---  ---

# file: /sharedfolders/Servidor_historico
USER   root        rwx  rwx
user   luis        rwx  rwx
user   backupUser  rwx  rwx
GROUP  users       r--  r--
mask               rwx  rwx
other              r-x  --- -- THIS x SEEMS TO BE AN ERROR !!

root@omv4vm:/bin#
root@omv4vm:/bin#
root@omv4vm:/bin# getfacl --absolute-names /sharedfolders/*
.. muy largo y no aporta nada ..
root@omv4vm:/bin#

}

}} fin de ejemplos

}}}

No comments:

Post a Comment