pyth0n3

Advanced File Permissions (extended attributes)

Posted (edited)

The Linux ext* filesystems support some extra attributes for files and directories.

These attributes provide a range of additional capabilities that can be activated for each file; some of them can only be set by the administrator, in particular those which allow special access restrictions.

The "ls" command will display only the standard UNIX/Linux style file permissions, so the special attributes of a file cannot be displayed with "ls"; this can be done using the "lsattr" command.

"lsattr" will list file attributes on a Unix/Linux second extended file system (this means that not all file systems support this option; as I said before, ext* has support for the extra flags).

Example:

[pyth0n3@mc:~]$ lsattr test
------------------- test

The output shows us that no special attribute is set on the file "test".

List of special attributes:

"A" This will block the access-time update of the file: when a file with the 'A' attribute set is accessed, its atime record is not modified.

"a" This will permit opening the file only in append mode for writing; the current content cannot be changed.
Note: Only the superuser can set or clear this attribute.

"c" A file using this attribute is automatically compressed on the disk by the kernel. A read from this file returns uncompressed data; a write to this file compresses the data before storing it on the disk.

"D" When a directory with this attribute set is modified, the changes are written synchronously to the disk.

"d" A file using this attribute is not a candidate for backup when the dump(8) program is run.

"E" Reports a compression error: it is set if a compressed file has a compression error.
Note: This will only work if compression is activated.

"e" This attribute indicates that the file is using extents for mapping the blocks on disk.

"I" Is used by the htree code to indicate that a directory is being indexed using hashed trees.

"h" This attribute indicates the file is storing its blocks in units of the filesystem blocksize instead of in units of sectors.

"i" A file using this attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file.
Note: The file using this attribute cannot be deleted even by the superuser; to do this the attribute must be removed first.
Only the superuser can set or clear this attribute.

"s" When a file using this attribute is deleted, its blocks are zeroed and written back to the disk.
Note: This feature in some cases could be important, since by default the kernel will simply mark the blocks as free but does not erase the contents.

"S" When a file with this attribute is modified, the changes are written synchronously to the disk.

"u" When a file with this attribute set is deleted, its contents are saved. This allows the user to ask for its undeletion.

"X" It allows direct access to the contents of the compressed file by disabling decompression (the raw contents of a compressed file can be accessed directly).

"Z" This attribute is used by the experimental compression patches to indicate that a compressed file is dirty.

The command used to set special attributes is "chattr".

"chattr" takes as first argument a string that identifies which attributes to enable or disable, and the subsequent arguments as a list of files.

Note: The chattr command uses the "+" operator to enable an attribute and the "-" operator to disable it.

Purpose: set the immutable attribute on a file

[root@mc:pyth0n3]# chattr +i test

Display results:

[root@mc:pyth0n3]# lsattr test
----i-------------- test

Now the file "test" cannot be changed or deleted even by the superuser. To do this the attribute must be removed first.

[root@mc:pyth0n3]# rm -rf test
rm: cannot remove `test': Operation not permitted

Note: To delete a file the "rm" command uses a system call called "unlink" and in fact does not erase the file's data; it simply deletes the entry from the directory and decreases the reference count of the inode.

To delete files safely you should use another command like srm, secure remove (secure_deletion toolkit).

References: man lsattr, man chattr

Source: No Security: Advanced File Permissions (extended attributes)

Edited by pyth0n3
  • Upvote 1
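As an added example (not from the post above and not part of e2fsprogs), the helpers below decode the flag column of lsattr output by the letters present rather than by column position (the column order changes between e2fsprogs versions), audit a listing for files that even root cannot change or unlink, and wrap chattr +i with the checks the session above implies: root privileges, an ext* file system, and read-back with lsattr. The lsattr lines in SAMPLE_LSATTR are constructed; the stat -f -c %T call assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original post): read lsattr(1) output and
# apply the immutable flag with sanity checks. Assumes lsattr/chattr from
# e2fsprogs and an ext2/3/4 file system where the workflow function is used.

# Map one lsattr flag letter to the name chattr(1) documents for it.
attr_name() {
    case "$1" in
        s) echo Secure_Deletion ;;
        u) echo Undelete ;;
        S) echo Synchronous_Updates ;;
        D) echo Synchronous_Directory_Updates ;;
        i) echo Immutable ;;
        a) echo Append_Only ;;
        d) echo No_Dump ;;
        A) echo No_Atime ;;
        c) echo Compression_Requested ;;
        E) echo Compression_Error ;;   # means "Encrypted" in newer e2fsprogs
        j) echo Journaled_Data ;;
        I) echo Indexed_directory ;;
        t) echo No_Tailmerging ;;
        T) echo Top_of_Directory_Hierarchies ;;
        e) echo Extents ;;
        h) echo Huge_file ;;
        X) echo Compression_Raw_Access ;;
        Z) echo Compressed_Dirty_File ;;
        *) echo "Unknown($1)" ;;
    esac
}

# decode_attrs FLAGS: FLAGS is the first field of an lsattr line, for
# example "----i--A---------e-". The '-' are unset positions; only the
# letters carry information, so positions are never relied upon.
decode_attrs() {
    s=$(printf '%s' "$1" | sed 's/-//g')
    out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}      # first remaining character
        s=${s#?}             # the rest
        out="$out${out:+ }$(attr_name "$c")"
    done
    printf '%s\n' "$out"
}

# audit_attrs: read lsattr-style lines on stdin (as produced by lsattr -R,
# including the "dir:" header lines) and print one line per file that has the
# immutable (i) or append-only (a) flag. Run over /etc and /usr/bin and diff
# against a baseline to notice files root itself can no longer modify.
audit_attrs() {
    while read -r flags path; do
        case "$flags" in *:) continue ;; esac     # "dir:" header line
        [ -n "$path" ] || continue               # blank line
        case "$flags" in *i*) printf 'immutable %s\n' "$path" ;; esac
        case "$flags" in *a*) printf 'append-only %s\n' "$path" ;; esac
    done
}

# set_immutable FILE: apply +i only where it can take effect, then verify.
# Needs root (CAP_LINUX_IMMUTABLE) and an ext* file system; the file system
# check uses GNU stat, which reports ext2/3/4 as "ext2/ext3".
set_immutable() {
    f=$1
    [ "$(id -u)" -eq 0 ] || { echo "set_immutable: root required" >&2; return 1; }
    fstype=$(stat -f -c %T "$f" 2>/dev/null)
    case "$fstype" in
        ext2/ext3) ;;
        *) echo "set_immutable: $f is on '$fstype', not ext*" >&2; return 1 ;;
    esac
    chattr +i "$f" || return 1
    flags=$(lsattr "$f" | awk '{print $1}')
    case "$flags" in *i*) return 0 ;; *) echo "set_immutable: +i did not stick on $f" >&2; return 1 ;; esac
}

# Constructed sample in lsattr -R layout (not real output from any system).
SAMPLE_LSATTR='/etc:
----i-------------- /etc/passwd
------------------- /etc/hosts
/var/log:
-----a------------- /var/log/secure
/tmp/test:
----i--A---------e- /tmp/test/plm'

echo "flags ----i--A---------e- mean: $(decode_attrs '----i--A---------e-')"
printf '%s\n' "$SAMPLE_LSATTR" | audit_attrs
# set_immutable is not run here: as root on ext*, e.g. set_immutable /path/to/hardened.conf
```

The audit reads the letters instead of columns, so the same function works on the 19-column output shown in this thread and on the wider output of current e2fsprogs. set_immutable returns non-zero with a message on every failure path, so it can be used from a hardening script without silently leaving a file unprotected.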
Posted

Very useful, especially the "a-c-i-s" attributes :)

So if I set "+s", when I delete a file, besides being removed from the file hierarchy, will the space it occupied on the hard disk be set to 0? That is, the data will no longer be "recoverable".

Posted

@nytro, from what I read there, yes, it deletes all the blocks on the HDD and overwrites them with "empty". The idea is cool and I think I've already found a use for it. :D The advantage of working in the graphical interface of the terminal. =))

Thanks for the list, bookmarked and learned. :P

LE: does +A mean that if I edit a file its date does not change, or does it apply only to access?

Posted

nytro@rst:/tmp/test$ echo "Plm" > plm
nytro@rst:/tmp/test$ ls
plm
nytro@rst:/tmp/test$ chattr +i plm
chattr: Operation not permitted while setting flags on plm
nytro@rst:/tmp/test$ su
Password:
root@rst:/tmp/test# chattr +i plm
root@rst:/tmp/test# rm plm
rm: cannot remove `plm': Operation not permitted
root@rst:/tmp/test# ls -la
total 12
drwxr-xr-x 2 nytro nytro 4096 2011-05-20 01:18 .
drwxrwxrwt 13 root root 4096 2011-05-20 01:17 ..
-rw-r--r-- 1 nytro nytro 4 2011-05-20 01:18 plm
root@rst:/tmp/test# lsattr plm
----i------------e- plm
root@rst:/tmp/test# chattr +A plm
root@rst:/tmp/test# lsattr plm
----i--A---------e- plm
root@rst:/tmp/test# cat plm
Plm
root@rst:/tmp/test# ls -la
total 16
drwxr-xr-x 2 nytro nytro 4096 2011-05-20 01:20 .
drwxrwxrwt 13 root root 4096 2011-05-20 01:20 ..
-rw-r--r-- 1 nytro nytro 4 2011-05-20 01:18 plm
root@rst:/tmp/test# touch plm
touch: cannot touch `plm': Permission denied
root@rst:/tmp/test#

For +A, the last access date cannot be modified.

And I don't have "+XEZ":

root@rst:/tmp/test# chattr +Z plm
Usage: chattr [-RVf] [-+=AacDdeijsSu] [-v version] files...

But I like it :)

Posted
Quote: "from what I read there, yes, it deletes all the blocks on the HDD and overwrites them with "empty". The idea is cool and I think I've already found a use for it."

I assume you are referring to the "s" attribute; anyway, my opinion is that on file systems which use a technology called journaling, even if this is set, it does not mean that the file you want to delete will disappear permanently.

On Unix/Linux systems, besides the ordinary permissions there are various other kinds of permissions; some of them I have described above, and these can only be enabled on certain file systems such as ext*.

The ordinary permissions come grouped in blocks of 3 bits in octal; besides these there are 3 more permissions called special.

"suid" With this attribute enabled, the file will run with the rights of the user it belongs to.

An example is the "passwd" command, which allows changing the password of any user who uses it but runs with administrative rights.

Be careful how you use this attribute.

"sgid" With this attribute enabled on a directory, the files created in it will inherit the group of the directory where they are created instead of being assigned the group of the user creating them.

"sticky" With this attribute enabled on a directory, any file in this directory can be deleted only by the user who created it.

An example is the "tmp" directory; if you look carefully at its permissions you will see a "t".

All the permissions described in this tutorial are part of an access control called DAC (Discretionary Access Control), which comes by default with most Unix/Linux systems.

It is a simple, traditional system; root has no restriction of any kind.

So the kernel identifies each user by the UID: if it is different from 0, the user is subject to the restrictions that are imposed; if not, it means the user is root and is not subject to any restriction.

Explained more simply: if UID = null, no control of any kind is performed (that means the user is root).

This is why DAC is considered a simple access control system.

If an intruder obtains root, they do whatever they want.

Another type of access control is called MAC (Mandatory Access Control); on this basis a module called SELinux was built, which allows much more complex restrictions.

Access can be restricted even for the root user in many places.

Mandatory Access Control is a complex system that deserves study, and this topic is too small to explain every feature.

Those who know SELinux know very well what I am talking about.

By the way, it comes implemented by default with the enforcing option on RedHat-based systems.

Another type of MAC restrictions can be found on SUSE Linux systems (AppArmor).

To understand the differences between DAC and MAC, look over the following links:

Discretionary access control - Wikipedia, the free encyclopedia

Mandatory access control - Wikipedia, the free encyclopedia
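An added example, not part of the post above, showing the three special bits in practice with plain POSIX tools: reading them back from the mode column of ls -ld, creating a shared directory that carries setgid and sticky (the same "t" the post points out on /tmp), and listing setuid files under a tree so they can be compared against a known-good baseline. The scratch tree built in demo() is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): inspect and apply the setuid,
# setgid and sticky bits, and scan a tree for setuid files.

# special_bits PATH: print the special bits set on PATH as words
# ("suid", "sgid", "sticky"), read from the 10-character mode column of ls -ld
# (e.g. "drwxrwsr-t": 's' in the group slot is sgid, 't' in the other slot
# is sticky; an upper-case S/T means the bit is set without the exec bit).
special_bits() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    out=""
    case $(printf '%s' "$mode" | cut -c4) in s|S) out="suid" ;; esac
    case $(printf '%s' "$mode" | cut -c7) in s|S) out="$out${out:+ }sgid" ;; esac
    case $(printf '%s' "$mode" | cut -c10) in t|T) out="$out${out:+ }sticky" ;; esac
    printf '%s\n' "$out"
}

# make_shared_dir DIR: create a group-writable drop directory where new files
# inherit DIR's group (setgid) and only a file's owner can remove or rename
# it (sticky). Mode 3770 = sticky(1) + setgid(2) on top of rwxrwx---.
make_shared_dir() {
    mkdir -p "$1" || return 1
    chmod 3770 "$1"
}

# find_suid DIR: regular files under DIR with the setuid bit. Run it over
# /usr and /bin periodically and diff the result against a saved baseline;
# a new entry is worth explaining before it is accepted.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# demo: build a constructed scratch tree, show the bits, and clean up.
demo() {
    root=$(mktemp -d) || return 1
    make_shared_dir "$root/shared" || return 1
    : > "$root/tool" && chmod 4755 "$root/tool"   # constructed setuid file
    printf 'shared dir bits : %s\n' "$(special_bits "$root/shared")"
    printf 'tool bits       : %s\n' "$(special_bits "$root/tool")"
    printf 'setuid files    : %s\n' "$(find_suid "$root")"
    rm -rf "$root"
}

demo
```

Because special_bits parses the portable ls -ld column rather than GNU stat's numeric mode, it runs unchanged on Linux and BSD-derived systems; the find expression -perm -4000 matches any file whose setuid bit is set regardless of the other permission bits.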
