**My studies about: Permissions, ACL, Extended-Attributes, Capabilities**
tricky bulk commands find
**OMV: Users, groups .. Permissions, Privileges and ACL**
ejemplos
--
stat getfattr setfattr getcap setcap getfacl setfacl
{{{
{ doc
# ls -l -- shows a "+" after the permission letters when the item carries an ACL
# (file capabilities are NOT shown by ls; use getcap, further down).
# Detailed: https://wiki.archlinux.org/index.php/File_permissions_and_attributes
# s - (4000) for user --> chmod u+s, setuid, should have x: https://en.wikipedia.org/wiki/Setuid#Sticky_bit
# s - (2000) for group --> chmod g+s, setgid, should have x; on dirs new items get the dir's group and subdirs inherit the bit.
# t - (1000) for the sticky bit --> chmod +t / chmod -t; e.g. in /tmp only the owner can delete their own files, https://en.wikipedia.org/wiki/Sticky_bit
# Long listing of the cwd, then of each top-level shared folder (-d: the dirs themselves, not their contents).
ls -l
ls -lad /sharedfolders/*
# Same information as octal mode plus numeric/named owner and group, one line per item.
stat --format "(%4a/%A) (%5u/%10U) (%5g/%10G) %n" /sharedfolders/*
# getfattr shows any extended attribute (Capabilities [security.capability=], ACL [system.posix_acl_ ..=])
# of the files (but not the normal owner/group/others mode bits).
#
# -d dump values, -m "-" match every attribute name (the default pattern only matches user.*,
#    so the security.* / system.* ones would not be shown !!).
# -R recursive
# Mainly used by tools that copy attributes (owner, group, others + extended attributes).
# **very good** explanation, from 2005 but mostly still up to date: http://vanemery.net/Linux/ACL/linux-acl.html
getfattr -d -m "-" --absolute-names /usr/bin/fping /usr/bin/tail
getfattr -R -d -m "-" --absolute-names /usr/bin/fping
# setfattr: write a user.* attribute (free-form, no security meaning; here a comment on hello1.txt).
setfattr -n user.comment -v "this is a comment" hello1.txt
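# https://www.insecure.ws/linux/getcap_setcap.html
# get file capabilities -- the "act like root for one thing" mechanism (e.g. ping and raw sockets).
# -r recursive ; -v display all items even if they have no file capabilities.
getcap /bin/ping /usr/bin/fping /usr/bin/fping6
# Inventory of every capability-bearing file on the system; worth re-running after upgrades,
# a new +ep binary deserves the same look as a new setuid-root binary.
# 2>/dev/null is intentional: getcap complains on pseudo-filesystems such as /proc and /sys.
getcap -r / 2>/dev/null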
# setcap - set file capabilities; needed in very few cases, but preferable to setuid-root
# when a program only needs one privilege.
# https://unix.stackexchange.com/questions/389879/how-to-set-capabilities-with-setcap-command
# see:
# Command: https://linux.die.net/man/8/setcap
# Available: https://linux.die.net/man/7/capabilities
# Syntax: https://linux.die.net/man/3/cap_from_text
# Example: grant eth_dump raw-socket and network-admin rights (+e effective, +p permitted)
# for whoever runs it; keep the set as narrow as the program really needs.
setcap cap_net_raw,cap_net_admin+ep eth_dump
# get ACL (access control lists) for files / folders
# --absolute-names - otherwise paths are printed relative (leading / stripped).
# -s, --skip-base -- Skip files that only have the base ACL entries (owner, group, others).
# -t, --tabular -- alternative tabular format, columns: access ACL then default ACL;
#   very helpful but does not show the s and t flags.
#   Uppercase USER / GROUP rows are the owner user and group; a capitalized permission
#   letter marks a permission that is ineffective because of the mask.
# -R recursive
getfacl --absolute-names -s /usr/bin/fping /usr/bin/tail
getfacl --absolute-names -s -t /usr/bin/fping /usr/bin/tail
getfacl --absolute-names /usr/bin/fping /usr/bin/tail
# set ACL - it is quite complex: access entries, default entries, specific users/groups, the mask ..
# https://jlk.fjfi.cvut.cz/arch/manpages/man/setfacl.1
# Here it explains the default and mask rules.
#
# -b remove all ACL entries,
# -m u:lisa:r file -- add/modify an entry for user lisa,
# -x g:staff file -- remove the entries for group staff,
# -d apply to the default ACL (folders only; new items created inside inherit it),
#
# -dm "entry" -- add/modify a default entry
# Example: give user lisa read access to file (the mask may still limit the effective rights; check with getfacl).
setfacl -m u:lisa:r file
# for a quick view of the shared folders: mode bits (a trailing + marks an ACL) and the ACL entries themselves
ls -lad /sharedfolders/*
getfacl --absolute-names -s -t /sharedfolders/*
OMV ACL Permissions and Privileges
{
http://openmediavault.readthedocs.io/en/latest/administration/access_rights_management.html#id8
Incompleta, ver los post de subzero79 más abajo.
Grupo sudo para ser administrador
Shared folders are created as root:users, with the permissions selected but with g+s added (27xx).
LBR:
Shared folders : --a_share-- : ACL - up-left (Directory) - folder to work with.
Shared folders : --a_share-- : ACL - up-right (User/Group *permissions*) - ACL for the selected folder: rw / r / no-access
Shared folders : --a_share-- : ACL - bottom (Extra option) - Owner/group and privileges for the selected folder.
--> this write info to disk
--> Regla dejar u/g: root/Users y permisos rwx/rwx/rwx o rwx/rwx/r--
Pero no cambiar el grupo users, o los demonios no podrán dejar ficheros ahí; ver:
Para uso normal no cambiar de usuario, grupo o permisos; ver:
https://forum.openmediavault.org/index.php/Thread/7215-OMV-General-POSIX-File-System-Permission-Balance-chmod-%E2%80%93-chown-%E2%80%93-setgid-umask-co/
https://forum.openmediavault.org/index.php/Thread/6309-Privileges-and-permissions-explained-under-OMV/
Shared folders : --a_share-- : **Privileges** - This applies **only to sharing protocols** and to the share's top folder.
For example, if a user has rwx permissions and you set No access, he/she will not be able to reach the files through the share,
and nothing changes on the file system.
LBR: I think this way you can only be more restrictive, not grant more access.
==> muy bien explicado: https://awasu.com/weblog/omv-bpi/managing-permissions-in-omv/
}
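# tricky bulk commands
# Find files / folders with the sticky bit (-mount: stay on this filesystem):
find / -mount -perm /1000
# Find setuid-root files (keep the list; a new entry after an upgrade deserves a look).
# On systems without merged /usr, /bin and /sbin are separate and should be added:
find /usr/bin /usr/lib -perm /4000 -user root
# Find setgid-root files:
find /usr/bin /usr/lib -perm /2000 -group root
# To chmod only directories to 755 ({} + batches many paths per chmod; -- protects odd names):
find directory -type d -exec chmod 755 -- {} +
# To chmod only files to 644:
# NOTE(review): on items that carry an ACL the group bits of the mode double as the ACL mask,
# so re-check with getfacl afterwards.
find directory -type f -exec chmod 644 -- {} +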
} fin doc
{{ **OMV: Users, groups .. Permissions, Privileges and ACL**
OMV change password
Access the server with your user and there is an option to change your password.
http://openmediavault.readthedocs.io/en/latest/administration/access_rights_management.html#acl-access-control-list
Incompleta, ver los post de subzero79 más abajo
Grupo sudo para ser administrador
**Permissions, Privileges and ACL?**
OMV General POSIX File System Permission Balance: chmod – chown – setgid - umask concepts
by subzero79, Jan 12th 2015 https://forum.openmediavault.org/index.php/Thread/7215-OMV-General-POSIX-File-System-Permission-Balance-chmod-%E2%80%93-chown-%E2%80%93-setgid-umask-co/
--> **fundamental**, usuarios, grupos, permisos
by subzero79, Oct 29th 2014 https://forum.openmediavault.org/index.php/Thread/6309-Privileges-and-permissions-explained-under-OMV/
--> **fundamental**, muy bueno, default 2775 y con algunos trucos para situaciones complicadas (BONUS Track:) 27xx
by tekkb, Jul 21st 2015 https://forum.openmediavault.org/index.php/Thread/10574-Permissions-Privileges-and-ACL/
--> demasiado directo y refiere al anterior.
by taka, 4th October 2015 https://awasu.com/weblog/omv-bpi/managing-permissions-in-omv/
https://forum.openmediavault.org/index.php/Thread/19182-Understanding-basic-security-ACL-on-shared-folders/?postID=150666#post150666
--> bonitos pero incompleto
daemon umask ver arriba (OMV General POSIX File System..)
transmission umask: 022 octal = 18 decimal (transmission stores it in decimal) -- parece el inverso .. y es lo inverso: perm & ~umask
https://github.com/transmission/transmission/wiki/Editing-Configuration-Files
https://forum.openmediavault.org/index.php/Thread/7081-No-write-access-rights-for-transmission-created-folders/
subzero79 - umask in transmission to 2 (775 mode) or 0 (777 world writable) mode in the webui
https://forum.openmediavault.org/index.php/Thread/7081-No-write-access-rights-for-transmission-created-folders/?postID=65077#post65077
--> **Genial** https://askubuntu.com/questions/44542/what-is-umask-and-how-does-it-work
File permissions and attributes
https://wiki.archlinux.org/index.php/File_permissions_and_attributes
https://wiki.archlinux.org/index.php/Access_Control_Lists
https://forum.openmediavault.org/index.php/Thread/2652-What-is-the-difference-between-Privileges-and-ACL/
}} fin de **OMV: Users, groups .. Permissions, Privileges and ACL**
{{ ejemplos
{
# for a quick look: mode bits of each shared folder (a trailing + marks an ACL), then the ACL entries in tabular form
ls -lad /sharedfolders/*
getfacl --absolute-names -s -t /sharedfolders/*
root@omv4vm:/sharedfolders#
root@omv4vm:/sharedfolders#
root@omv4vm:/sharedfolders# ls -lad /sharedfolders/*
drwxr-sr-x 2 root users 4096 Jul 7 11:55 /sharedfolders/Almacen
drwxr-xr-x 2 root root 4096 May 27 21:57 /sharedfolders/Backup-4-server
drwxr-sr-x 2 root users 4096 May 27 22:41 /sharedfolders/Backups
drwxrwsr-x 3 root users 4096 Jul 8 11:19 /sharedfolders/BORRAR
drwxr-sr-x 2 root users 4096 May 27 22:41 /sharedfolders/Descargas
drwxrws---+ 7 backupUser users 100 Jul 7 10:06 /sharedfolders/lacie-n2-BackupEspacio
drwxrwsr-x+ 4 root users 35 May 20 19:04 /sharedfolders/Servidor_historico
root@omv4vm:/sharedfolders#
root@omv4vm:/sharedfolders#
root@omv4vm:/sharedfolders# getfacl --absolute-names -s -t /sharedfolders/*
# file: /sharedfolders/lacie-n2-BackupEspacio
USER backupUser rwx rwx
user luis rwx rwx
user backupUser rwx rwx
GROUP users r-- r--
mask rwx rwx
other --- ---
# file: /sharedfolders/Servidor_historico
USER root rwx rwx
user luis rwx rwx
user backupUser rwx rwx
GROUP users r-- r--
mask rwx rwx
other r-x --- -- THIS x SEEMS TO BE AN ERROR !! (it is not: in -t output the first column is the access ACL and the second the default ACL; other::r-x matches the 2775 mode and default:other::--- the default entry, as the untabulated getfacl output in the third ejemplo shows)
root@omv4vm:/sharedfolders#
}
{
# The same two binaries seen through every tool: fping carries a file capability, tail does not.
# Note that ls, stat and getfacl show nothing special for fping; only getfattr / getcap reveal it.
ls -lad /usr/bin/fping /usr/bin/tail
stat --format "(%4a/%A) (%5u/%10U) (%5g/%10G) %n" /usr/bin/fping /usr/bin/tail
getfattr -d -m "-" --absolute-names /usr/bin/fping /usr/bin/tail
getcap /usr/bin/fping /usr/bin/tail
getfacl --absolute-names -s /usr/bin/fping /usr/bin/tail
getfacl --absolute-names -s -t /usr/bin/fping /usr/bin/tail
getfacl --absolute-names /usr/bin/fping /usr/bin/tail
root@omv4vm:~#
root@omv4vm:~# ls -lad /usr/bin/fping /usr/bin/tail
-rwxr-xr-x 1 root root 39232 Jan 11 2017 /usr/bin/fping -- ** NO SPECIAL MARK HERE **
-rwxr-xr-x 1 root root 68584 Feb 22 2017 /usr/bin/tail
root@omv4vm:~#
root@omv4vm:~#
root@omv4vm:~# stat --format "(%4a/%A) (%5u/%10U) (%5g/%10G) %n" /usr/bin/fping /usr/bin/tail
( 755/-rwxr-xr-x) ( 0/ root) ( 0/ root) /usr/bin/fping
( 755/-rwxr-xr-x) ( 0/ root) ( 0/ root) /usr/bin/tail
root@omv4vm:~#
root@omv4vm:~#
root@omv4vm:~# getfattr -d -m "-" --absolute-names /usr/bin/fping /usr/bin/tail
# file: /usr/bin/fping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=
root@omv4vm:~#
root@omv4vm:~#
root@omv4vm:~# getcap /usr/bin/fping /usr/bin/tail
/usr/bin/fping = cap_net_raw+ep
root@omv4vm:~#
root@omv4vm:~#
root@omv4vm:~# getfacl --absolute-names -s /usr/bin/fping /usr/bin/tail
root@omv4vm:~#
root@omv4vm:~# getfacl --absolute-names -s -t /usr/bin/fping /usr/bin/tail
root@omv4vm:~#
root@omv4vm:~# getfacl --absolute-names /usr/bin/fping /usr/bin/tail
# file: /usr/bin/fping
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: /usr/bin/tail
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
root@omv4vm:~#
root@omv4vm:~#
}
{
# The shared folders seen through every tool: the two with a trailing + in ls carry an ACL,
# which getfattr shows raw (system.posix_acl_*) and getfacl decodes; getcap finds nothing.
ls -lad /sharedfolders/*
stat --format "(%4a/%A) (%5u/%10U) (%5g/%10G) %n" /sharedfolders/*
getfattr -d -m "-" --absolute-names /sharedfolders/*
getcap /sharedfolders/*
getfacl --absolute-names -s /sharedfolders/*
getfacl --absolute-names -s -t /sharedfolders/*
getfacl --absolute-names /sharedfolders/*
root@omv4vm:/bin#
root@omv4vm:/bin# ls -lad /sharedfolders/*
drwxr-sr-x 2 root users 4096 Jul 7 11:55 /sharedfolders/Almacen
drwxr-xr-x 2 root root 4096 May 27 21:57 /sharedfolders/Backup-4-server
drwxr-sr-x 2 root users 4096 May 27 22:41 /sharedfolders/Backups
drwxrwsr-x 3 root users 4096 Jul 8 11:19 /sharedfolders/BORRAR
drwxr-sr-x 2 root users 4096 May 27 22:41 /sharedfolders/Descargas
drwxrws---+ 7 backupUser users 100 Jul 7 10:06 /sharedfolders/lacie-n2-BackupEspacio -- ** SPECIAL MARK HERE **
drwxrwsr-x+ 4 root users 35 May 20 19:04 /sharedfolders/Servidor_historico -- ** SPECIAL MARK HERE **
root@omv4vm:/bin#
root@omv4vm:/bin#
root@omv4vm:/bin# stat --format "(%4a/%A) (%5u/%10U) (%5g/%10G) %n" /sharedfolders/*
(2755/drwxr-sr-x) ( 0/ root) ( 100/ users) /sharedfolders/Almacen
( 755/drwxr-xr-x) ( 0/ root) ( 0/ root) /sharedfolders/Backup-4-server
(2755/drwxr-sr-x) ( 0/ root) ( 100/ users) /sharedfolders/Backups
(2775/drwxrwsr-x) ( 0/ root) ( 100/ users) /sharedfolders/BORRAR
(2755/drwxr-sr-x) ( 0/ root) ( 100/ users) /sharedfolders/Descargas
(2770/drwxrws---) ( 1005/backupUser) ( 100/ users) /sharedfolders/lacie-n2-BackupEspacio
(2775/drwxrwsr-x) ( 0/ root) ( 100/ users) /sharedfolders/Servidor_historico
root@omv4vm:/bin#
root@omv4vm:/bin#
root@omv4vm:/bin# getfattr -d -m "-" --absolute-names /sharedfolders/*
# file: /sharedfolders/lacie-n2-BackupEspacio
system.posix_acl_access=0sAgAAAAEABwD/////AgAHAOkDAAACAAcA7QMAAAQABAD/////EAAHAP////8gAAAA/////w==
system.posix_acl_default=0sAgAAAAEABwD/////AgAHAOkDAAACAAcA7QMAAAQABAD/////EAAHAP////8gAAAA/////w==
# file: /sharedfolders/Servidor_historico
system.posix_acl_access=0sAgAAAAEABwD/////AgAHAOkDAAACAAcA7QMAAAQABAD/////EAAHAP////8gAAUA/////w==
system.posix_acl_default=0sAgAAAAEABwD/////AgAHAOkDAAACAAcA7QMAAAQABAD/////EAAHAP////8gAAAA/////w==
root@omv4vm:/bin#
root@omv4vm:/bin#
root@omv4vm:/bin# getcap /sharedfolders/*
root@omv4vm:/bin#
root@omv4vm:/bin# getfacl --absolute-names -s /sharedfolders/*
# file: /sharedfolders/lacie-n2-BackupEspacio
# owner: backupUser
# group: users
# flags: -s-
user::rwx
user:luis:rwx
user:backupUser:rwx
group::r--
mask::rwx
other::---
default:user::rwx
default:user:luis:rwx
default:user:backupUser:rwx
default:group::r--
default:mask::rwx
default:other::---
# file: /sharedfolders/Servidor_historico
# owner: root
# group: users
# flags: -s-
user::rwx
user:luis:rwx
user:backupUser:rwx
group::r--
mask::rwx
other::r-x
default:user::rwx
default:user:luis:rwx
default:user:backupUser:rwx
default:group::r--
default:mask::rwx
default:other::---
root@omv4vm:/bin#
root@omv4vm:/bin#
root@omv4vm:/bin# getfacl --absolute-names -s -t /sharedfolders/*
# file: /sharedfolders/lacie-n2-BackupEspacio
USER backupUser rwx rwx
user luis rwx rwx
user backupUser rwx rwx
GROUP users r-- r--
mask rwx rwx
other --- ---
# file: /sharedfolders/Servidor_historico
USER root rwx rwx
user luis rwx rwx
user backupUser rwx rwx
GROUP users r-- r--
mask rwx rwx
other r-x --- -- THIS x SEEMS TO BE AN ERROR !! (it is not: in -t output the first column is the access ACL and the second the default ACL; other::r-x above matches the 2775 mode from stat, and default:other::--- is the default entry)
root@omv4vm:/bin#
root@omv4vm:/bin#
root@omv4vm:/bin# getfacl --absolute-names /sharedfolders/*
.. muy largo y no aporta nada ..
root@omv4vm:/bin#
}
}} fin de ejemplos
}}}