The Linux file system permission model is fundamental to securing files and directories: it controls access based on the identity of the requesting user and the groups that user belongs to, enforcing who can read, write, or execute each file, and forms a core part of the Linux security model.
Beyond the classic permission bits, Linux supports extended attributes (xattrs), which attach additional metadata to files and underpin further control and security mechanisms.
Basic Linux File System Permissions
Linux organizes file access permissions into three categories based on the user:
Owner (User): The creator or designated owner of the file.
Group: Users who share a common group membership.
Others: Everyone else not included in owner or group.
Each category has three types of permissions:
Read (r): Ability to view the file's contents or list directory contents.
Write (w): Permission to modify or delete the file or add/remove files within a directory.
Execute (x): Ability to run the file as a program/script or traverse a directory.
Permission Representation
1. Symbolic format: Files show permissions like -rwxr-xr--
The first character indicates the file type (- for a regular file, d for a directory).
The next nine characters represent the permissions for owner, group, and others, in three groups of three.
2. Numeric (octal) format: Permissions are encoded as numbers, for example:
7 = read (4) + write (2) + execute (1)
5 = read (4) + execute (1)
chmod 755 file gives the owner full permissions, while group and others get read and execute.
Special Permissions Bits
1. Setuid (s): Executes a file with the file owner's permissions.
2. Setgid (s): For files, executes with file group permissions. For directories, newly created files inherit the directory's group.
3. Sticky bit (t): Applied to directories, it restricts file deletion within the directory to the file owner, directory owner, or root.
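The two notations described under Permission Representation and the special bits above are easy to misread by hand, so here is an added example (written for this page, not code from the original text) that converts a 3- or 4-digit octal mode into the nine-character symbolic form shown by ls -l, converts a symbolic string back, and names the special bits in a mode. The s/S and t/T distinction follows ls: upper-case when the special bit is set without execute permission. It is plain POSIX shell, touches no files, and the modes in the demonstration loop are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: convert between the octal and
# symbolic permission notations, including the setuid, setgid and sticky
# bits. Pure shell; no files are touched.

# Render one rwx triplet.
#   $1 = octal digit 0-7 for this class (owner, group or others)
#   $2 = 1 if the special bit for this class (setuid/setgid/sticky) is set
#   $3 = letter shown in the execute slot when that bit is set ("s" or "t");
#        ls shows it upper-case when the bit is set without execute permission
triplet() {
    d=$1; special=$2; letter=$3
    r='-'; w='-'; x='-'
    if [ $((d & 4)) -ne 0 ]; then r='r'; fi
    if [ $((d & 2)) -ne 0 ]; then w='w'; fi
    if [ $((d & 1)) -ne 0 ]; then
        x='x'
        if [ "$special" -eq 1 ]; then x=$letter; fi
    elif [ "$special" -eq 1 ]; then
        x=$(printf '%s' "$letter" | tr 'st' 'ST')
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# Left-pad a mode such as 755 to four digits (0755).
pad4() {
    m=$1
    while [ ${#m} -lt 4 ]; do m="0$m"; done
    printf '%s\n' "$m"
}

# Octal mode (3 or 4 digits) -> the nine permission characters of ls -l.
#   755 -> rwxr-xr-x   4755 -> rwsr-xr-x   1777 -> rwxrwxrwt
mode_to_symbolic() {
    m=$(pad4 "$1")
    sp=$(printf '%s' "$m" | cut -c1)   # special digit: 4=setuid 2=setgid 1=sticky
    u=$(printf '%s' "$m" | cut -c2)
    g=$(printf '%s' "$m" | cut -c3)
    o=$(printf '%s' "$m" | cut -c4)
    printf '%s%s%s\n' \
        "$(triplet "$u" $(( (sp & 4) / 4 )) s)" \
        "$(triplet "$g" $(( (sp & 2) / 2 )) s)" \
        "$(triplet "$o" $(( sp & 1 )) t)"
}

# Symbolic string (nine characters, optionally preceded by the file-type
# character) -> four-digit octal mode.   rwsr-xr-x -> 4755   drwxrwxrwt -> 1777
symbolic_to_mode() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=$(printf '%s' "$s" | cut -c2-); fi
    sp=0; perms=''; i=1
    for weight in 4 2 1; do            # setuid, setgid, sticky weights in order
        r=$(printf '%s' "$s" | cut -c"$i")
        w=$(printf '%s' "$s" | cut -c"$((i + 1))")
        x=$(printf '%s' "$s" | cut -c"$((i + 2))")
        v=0
        if [ "$r" = 'r' ]; then v=$((v + 4)); fi
        if [ "$w" = 'w' ]; then v=$((v + 2)); fi
        case $x in
            x)   v=$((v + 1)) ;;
            s|t) v=$((v + 1)); sp=$((sp + weight)) ;;   # special bit plus execute
            S|T) sp=$((sp + weight)) ;;                 # special bit without execute
        esac
        perms="$perms$v"
        i=$((i + 3))
    done
    printf '%s%s\n' "$sp" "$perms"
}

# Name the special bits present in a mode, e.g. 6755 -> "setuid setgid".
special_bits() {
    sp=$(pad4 "$1" | cut -c1)
    out=''
    if [ $((sp & 4)) -ne 0 ]; then out="$out setuid"; fi
    if [ $((sp & 2)) -ne 0 ]; then out="$out setgid"; fi
    if [ $((sp & 1)) -ne 0 ]; then out="$out sticky"; fi
    printf '%s\n' "${out# }"
}

# Demonstration on constructed modes: octal, symbolic, round trip, special bits.
for m in 644 755 4755 2755 1777 4644; do
    sym=$(mode_to_symbolic "$m")
    printf '%-5s %s  %-4s  %s\n' "$m" "$sym" "$(symbolic_to_mode "$sym")" "$(special_bits "$m")"
done
```

The round trip is the useful check: a mode such as 4644 renders as rwSr--r-- (setuid without execute, which does nothing useful and is usually a mistake), and reading that back gives 4644 again, so a reviewer can spot special bits that a three-digit chmod argument would silently have cleared.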
Extended Attributes (xattr)
Extended attributes provide a way to associate extra metadata with files beyond standard permissions. They enable enhanced security controls and other management capabilities.
Purpose and Uses
They can store security labels used by frameworks like SELinux, enabling the enforcement of fine-grained access controls. Additionally, they allow the addition of user-defined metadata for organizational or operational purposes, helping to categorize and manage files more effectively.
Extended attributes also enhance system auditing by tagging files with additional context, providing deeper insights into file usage, access patterns, and compliance requirements.
Managing Extended Attributes
Viewing: Use getfattr or lsattr commands to view xattr on files.
Setting: Use setfattr command to add or modify extended attributes.
Examples:
setfattr -n user.comment -v "Confidential file" confidential.txt
getfattr -d confidential.txt
Common Attribute Namespaces
user.: User-defined attributes.
security.: Attributes related to security modules like SELinux.
system.: Attributes used by the kernel and system software.
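To tie the getfattr command above to the namespaces just listed, here is an added example (written for this page, not code from the original text) that parses the dump format getfattr prints, classifies every attribute by its namespace prefix, and reports files that carry no security.selinux label. It assumes the dump was produced with getfattr -d -m - (the -m - option includes every namespace; plain getfattr -d shows only user.* attributes). The sample dump, including the base64-encoded system.posix_acl_access value, is constructed, so the script runs on any system without the attr tools installed.

```shell
#!/bin/sh
# Added example, not from the original page: parse the dump format printed by
# `getfattr -d -m - FILE...`, classify attributes by namespace, and flag files
# without a security.selinux label. Works on captured text, so no xattr tools
# or xattr-capable file system are needed.

# Constructed sample of getfattr dump output (not taken from a real system).
# Binary values are shown by getfattr as 0s<base64>; this one is made up.
SAMPLE_DUMP='# file: confidential.txt
user.comment="Confidential file"
security.selinux="unconfined_u:object_r:user_home_t:s0"

# file: notes.txt
user.comment="Public notes"

# file: tool.sh
system.posix_acl_access=0sAgAAAAEABgD/////
security.selinux="unconfined_u:object_r:user_home_t:s0"
'

# Read a dump on stdin; print one tab-separated line per attribute:
#   file <TAB> namespace <TAB> full name <TAB> value (surrounding quotes removed)
parse_getfattr_dump() {
    file=''
    while IFS= read -r line; do
        case $line in
            '# file: '*) file=${line#"# file: "} ;;   # header starts a new file
            *=*)
                name=${line%%=*}
                value=${line#*=}
                value=${value#\"}; value=${value%\"}
                printf '%s\t%s\t%s\t%s\n' "$file" "${name%%.*}" "$name" "$value" ;;
            *) ;;                                      # blank separator lines
        esac
    done
}

# Number of attributes in the dump that belong to one namespace (user, security, ...).
count_namespace() {
    parse_getfattr_dump | awk -F'\t' -v ns="$1" '$2 == ns { n++ } END { print n + 0 }'
}

# Files in the dump without a security.selinux attribute: on an SELinux host
# such files fall back to a default label and deserve a closer look.
unlabeled_files() {
    parse_getfattr_dump | awk -F'\t' '
        { seen[$1] = 1 }
        $3 == "security.selinux" { labeled[$1] = 1 }
        END { for (f in seen) if (!(f in labeled)) print f }' | sort
}

# Demonstration on the constructed sample.
printf '%s' "$SAMPLE_DUMP" | parse_getfattr_dump
printf 'user attributes: %s\n'     "$(printf '%s' "$SAMPLE_DUMP" | count_namespace user)"
printf 'security attributes: %s\n' "$(printf '%s' "$SAMPLE_DUMP" | count_namespace security)"
printf 'no SELinux label: %s\n'    "$(printf '%s' "$SAMPLE_DUMP" | unlabeled_files)"
```

On a real host the same functions read live output, for example getfattr -d -m - -R /srv/app | unlabeled_files, so the namespace split and the missing-label check can be run over a directory tree rather than the embedded sample.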
Integration with Security
Extended attributes play a crucial role in enhancing system security, particularly through their integration with Mandatory Access Control (MAC) solutions such as SELinux. These attributes enable files to be tagged with specific security contexts, which can override or supplement traditional Unix permissions.
By leveraging extended attributes, SELinux and similar systems can enforce detailed and fine-grained access policies, ensuring that security rules are applied consistently and effectively across the system.