Permissions
Permissions determine what files and directories a user/process can access.
Permission Types
Each file or directory has three basic permission types:
- read – The Read permission refers to a user’s capability to read the contents of the file.
- write – The Write permissions refer to a user’s capability to write or modify a file or directory.
- execute – The Execute permission affects a user’s capability to execute a file or view the contents of a directory.
Viewing Permissions
The file/folder permissions can be viewed by running the command ls -l on a given path. For example, the output could be:
-rw-------. 1 root root    5589 Jan 13 21:54 fileA.txt
-rw-r--r--. 1 root root 3745201 May  1 10:46 fileB.txt
drwxr-xr-x. 6 root root     259 May  1 19:20 folderA
Permissions structure
The permission information is the first of the four leading columns of the ls -l output (permissions, link count, owner, group). For example:
-rwxrwxrwx. 1 root root
The first section indicates the permission types and has four parts. The first part indicates whether the filesystem element is a directory. The second part is the permissions for the owner. The third part is the permissions for the group. The fourth part is the permissions for other users.
d rwx rwx rwx
| |   |   |
| |   |   +-- The "all users" (other) permissions apply to every other user on the system; this is the permission group that you want to watch the most.
| |   +------ The group permissions apply only to the group that has been assigned to the file or directory; they will not affect the actions of other users.
| +---------- The owner permissions apply only to the owner of the file or directory; they will not impact the actions of other users.
+------------ Special permission flag that varies (here d, meaning a directory).
User and Group
After the permission types come the user and group that the file or folder belongs to, in the order user then group. For example, the following
-rw-------. 1 markus devs
indicates that the file's owner is 'markus' and its group is 'devs'.
Changing Permissions
The permissions for the owner, group and other users can be changed using the chmod command. For example, the command
chmod 0700 index.html
will give only the owner of the file read, write and execute permission; the group and other users get no permissions at all.
Each digit is the sum of the read, write and execute permissions it grants:
- 4 - read
- 2 - write
- 1 - execute
The value 7 indicates that all three (read + write + execute) are given. The values 0 through 7 cover all possible combinations.
The first digit in the string 0700 represents the special bits. The second is for the owner, the third for the group, and the fourth for other users.
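The following is an added example (not part of the original page) that ties the symbolic form from the "Permissions structure" diagram to the octal digits used by chmod. It converts an ls -l mode string such as -rwxr-sr-x to its four-digit octal value, including the special (setuid/setgid/sticky) digit, and scans ls -l output for entries that are writable by "other", which is the group of permissions the page says to watch most. The sample ls -l lines are constructed; octal_of_path is a helper of this example, not a standard command.

```shell
#!/bin/sh
# Added example, not part of the original page: convert the symbolic
# permission string shown by `ls -l` into the four-digit octal form that
# chmod accepts, and scan `ls -l` output for entries writable by "other".

# mode_to_octal SYMBOLIC
#   e.g. mode_to_octal -rwxr-sr-x  ->  2755
# The first character (d, -, l ...) is the type and is skipped. The three
# triples are owner, group, other; the x slot may carry s/S (setuid/setgid)
# or t/T (sticky), which count towards the leading "special" digit.
mode_to_octal() {
    mode=$1
    special=0
    digits=""
    pos=2                      # first character of the owner triple
    for weight in 4 2 1; do    # setuid, setgid, sticky bit weights
        r=$(printf '%s' "$mode" | cut -c"$pos")
        w=$(printf '%s' "$mode" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$mode" | cut -c"$((pos + 2))")
        v=0
        [ "$r" = r ] && v=$((v + 4))
        [ "$w" = w ] && v=$((v + 2))
        case $x in
            x)   v=$((v + 1)) ;;
            s|t) v=$((v + 1)); special=$((special + weight)) ;;
            S|T) special=$((special + weight)) ;;
        esac
        digits="$digits$v"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# octal_of_path PATH   (helper of this example)
#   Reads the mode column of `ls -ld PATH` and converts it, so a chmod can
#   be verified against the value you intended to set.
octal_of_path() {
    mode_to_octal "$(ls -ld "$1" | cut -d' ' -f1)"
}

# world_writable
#   Reads `ls -l` lines on stdin and prints the name of every entry whose
#   "other" write bit (the 9th character of the mode) is set.
world_writable() {
    while read -r mode _links _owner _group _size _month _day _time name; do
        case $mode in
            ????????w*) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample `ls -l` output (not real files); the third and fourth
# entries are world-writable and should be reported.
SAMPLE_LS='-rw-------. 1 root   root    5589 Jan 13 21:54 fileA.txt
-rw-r--r--. 1 root   root 3745201 May  1 10:46 fileB.txt
drwxrwxrwx. 6 root   root     259 May  1 19:20 uploads
-rw-rw-rw-. 1 markus devs      12 May  2 08:00 notes.txt'

# Demo: list the world-writable entries and convert a sticky directory mode.
printf '%s\n' "$SAMPLE_LS" | world_writable
mode_to_octal drwxrwxrwt
```

In real use, feed `ls -l /var/www/html` (or `find ... -exec ls -ld {} +`) into world_writable; a web root should normally produce no output. The octal_of_path helper is handy right after a chmod, since the symbolic string in ls -l is what you actually see on a system.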
Change owner and group
The owner and group can be changed using the chown command.
chown markus a.txt       # Sets the owner of file a.txt to 'markus'.
chown markus:dev a.txt   # Sets the owner of file a.txt to 'markus' and the group to 'dev'.
Security Context
(Note: this is a very basic overview. It is recommended to search online for a detailed explanation of how this works and what can be done. This section is merely intended to show how to deal with permission issues that may happen when running apache).
Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. It works in addition to the normal Linux permissions.
With SELinux, resources (files/directories/processes) have metadata (a security context, or label) associated with them which is used to control access.
Viewing security context
To view the security context of a file, use the -Z flag with the ls command (ls -Z). Example output:
unconfined_u:object_r:public_content_rw_t:s0 administrative_areas
unconfined_u:object_r:public_content_rw_t:s0 afflictions.json
unconfined_u:object_r:public_content_rw_t:s0 agrozone_mappings
unconfined_u:object_r:public_content_rw_t:s0 crops_by_value_chain
This output shows that the files/folders have the context type 'public_content_rw_t'.
Files labeled with the public_content_t type can be read by FTP, Apache HTTP Server, Samba, and rsync. Files labeled with the public_content_rw_t type can also be written to by FTP.
Another example of running the ls -Z command could show:
system_u:object_r:httpd_sys_content_t:s0 bootstrap.php
unconfined_u:object_r:httpd_sys_content_t:s0 composer-installer.php
system_u:object_r:httpd_sys_content_t:s0 composer.json
system_u:object_r:httpd_sys_content_t:s0 composer.lock
Here the context type is 'httpd_sys_content_t', which means that the httpd (apache) process can read this content.
Setting the context type
For apache to be able to read files it is necessary to set the context type to 'httpd_sys_content_t'. This can be done using the command chcon -t httpd_sys_content_t /path/to/folder/or/file.
The -R flag can be used to apply the change recursively.
If apache needs to write to a file/directory then the 'httpd_sys_rw_content_t' type should be used.
If apache needs to write to a file/directory that has the 'public_content_rw_t' type set, then an SELinux boolean also needs to be set. Run the command: setsebool -P allow_httpd_anon_write 1. After this apache can read and write those files/folders.
NOTE: Remember that setting the context type alone is not enough for apache to have access to a file. Check that the file/folder/owner/group permissions are correct!
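As an added example (not from the original page), the script below turns the "Setting the context type" steps into a check that can be run before touching labels: it reads ls -Z output, extracts the type field of each context, and for every entry whose type does not grant httpd the required read or write access prints the chcon command that would fix it (the commands are printed, not executed). The set of acceptable types is an assumption built from the types discussed on the page, the ls -Z sample lines are constructed, and httpd_label_check and selinux_type are helpers of this example, not standard tools.

```shell
#!/bin/sh
# Added example, not part of the original page: audit `ls -Z` output for
# entries whose SELinux type does not give httpd (apache) the access it
# needs, and print (never run) the corrective chcon command for each one.

# selinux_type CONTEXT   ->  the type field of user:role:type:level
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# httpd_label_check read|write
#   Reads `ls -Z` lines (context, then name) on stdin. For each entry whose
#   type does not grant the requested access to httpd, prints the chcon
#   command that would relabel it. Returns 1 if any such entry was found.
#   Assumption: the readable/writable type sets below are the ones the
#   page discusses; a real policy may allow more.
httpd_label_check() {
    want=$1
    bad=0
    while read -r ctx name; do
        [ -n "$name" ] || continue
        t=$(selinux_type "$ctx")
        ok=0
        case $want in
            read)
                case $t in
                    httpd_sys_content_t|httpd_sys_rw_content_t|public_content_t|public_content_rw_t) ok=1 ;;
                esac
                target=httpd_sys_content_t ;;
            write)
                case $t in
                    httpd_sys_rw_content_t) ok=1 ;;
                    public_content_rw_t)
                        # Writable by httpd only once the boolean from the page is on.
                        printf '# %s: also needs setsebool -P allow_httpd_anon_write 1\n' "$name"
                        ok=1 ;;
                esac
                target=httpd_sys_rw_content_t ;;
        esac
        if [ "$ok" -eq 0 ]; then
            printf 'chcon -t %s %s\n' "$target" "$name"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample `ls -Z` output (not real files). "uploads" carries a
# home-directory type, so httpd can neither read nor write it.
SAMPLE_LSZ='unconfined_u:object_r:public_content_rw_t:s0 afflictions.json
system_u:object_r:httpd_sys_content_t:s0 bootstrap.php
unconfined_u:object_r:user_home_t:s0 uploads
system_u:object_r:httpd_sys_rw_content_t:s0 cache'

# Demo: what would need relabeling for read access, then for write access.
printf '%s\n' "$SAMPLE_LSZ" | httpd_label_check read || echo "-> read fixes needed"
printf '%s\n' "$SAMPLE_LSZ" | httpd_label_check write || echo "-> write fixes needed"
```

Run it against real output with `ls -Z /path/to/webroot | httpd_label_check read` and review the printed commands before applying them (add -R where a whole tree is meant). One caveat worth knowing: chcon changes only the label stored on the file, so a later restorecon will reset it to the policy default unless the path has also been registered with semanage fcontext.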