In Solaris, file and directory permissions control who can access data and what actions they can perform. This permission system is one of the core security mechanisms in UNIX-based systems.
Every file, directory, device file, and socket in Solaris has ownership and permission attributes stored in its inode (index node). The kernel checks these attributes every time a process tries to access a file.
1. Ownership Concept in Solaris
Each file or directory has three ownership components:
i. User Owner (UID)
- The user who owns the file.
- Stored internally as a numeric UID.
- Usually the user who created the file.
- Only root can change file ownership.
ii. Group Owner (GID)
- The group associated with the file.
- Determines access for users who belong to that group.
iii. Others
All users who are neither the owner nor in the group.
You can view ownership using:
ls -l filename
Example:
-rwxr-xr-- 1 sunadm staff 2048 Feb 10 10:00 script.sh
sunadm → Owner
staff → Group
1 → Link count
2048 → File size in bytes
2. Permission Types (r, w, x)
Solaris uses three basic permission types:
Read (r)
For Files:
Allows viewing file contents.
Required for commands like cat, more, less.
For Directories:
Allows listing directory contents (ls).
Write (w)
For Files:
Allows modifying file contents.
Required to delete a file (with directory write permission).
For Directories:
Allows creating, deleting, or renaming files inside the directory.
Write alone is not enough; execute permission is also required.
Execute (x)
For Files:
Allows executing the file as a program or script.
For scripts, the interpreter must also have execute permission.
For Directories:
Allows entering (cd) into the directory.
Allows accessing file metadata inside the directory.
Important:
To access a file inside a directory, execute permission is required on every parent directory in the path.
3. Understanding Permission Strings
Example:
-rwxr-xr--
Breakdown:
| Position | Meaning |
|---|---|
| - | File type |
| rwx | Owner permissions |
| r-x | Group permissions |
| r-- | Others permissions |
First character meaning:
| Symbol | File Type |
|---|---|
| - | Regular file |
| d | Directory |
| l | Symbolic link |
| c | Character device |
| b | Block device |
| s | Socket |
| p | Named pipe |
4. Numeric (Octal) Representation
Permissions use binary bits:
| Permission | Value |
|---|---|
| Read | 4 |
| Write | 2 |
| Execute | 1 |
Add them together:
| Number | Meaning |
|---|---|
| 7 | rwx |
| 6 | rw- |
| 5 | r-x |
| 4 | r-- |
| 3 | -wx |
| 2 | -w- |
| 1 | --x |
| 0 | --- |
Example:
chmod 755 directory
Means:
- Owner: 7 → rwx
- Group: 5 → r-x
- Others: 5 → r-x
Common permission sets:
| Mode | Usage |
|---|---|
| 644 | Standard file |
| 600 | Private file |
| 755 | Executable or directory |
| 700 | Private directory |
5. How the Kernel Checks Permissions
When a process tries to access a file:
- Kernel checks effective UID of the process.
- If UID matches file owner → owner permissions apply.
- Else check group membership.
- If GID matches → group permissions apply.
- Otherwise → others permissions apply.
- If root (UID 0) → bypasses most permission checks.
The kernel always uses numeric UID/GID, not usernames.
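The lookup order above, worked through as an added shell example (not Solaris kernel code). It also makes explicit two points the list leaves open: the root exception covers read and write, but execute still needs at least one x bit set, and a process whose UID matches the owner is judged by the owner triplet alone, even when the group or others triplet grants more. All uid/gid values are constructed.

```shell
#!/bin/sh
# Decide whether a process may read, write or execute a file, following the
# order the kernel uses: owner class first, then group, then others.
# Arguments: octal mode, file uid, file gid, process effective uid, process
# groups (space separated), and the operation: r, w or x.
# Returns 0 (allowed) or 1 (denied). Added illustration, not kernel code.
may_access() {
    mode=$(( 0$1 )); fuid=$2; fgid=$3; euid=$4; egroups=$5; op=$6
    case $op in
        r) bit=4 ;;
        w) bit=2 ;;
        x) bit=1 ;;
        *) echo "bad op: $op" >&2; return 2 ;;
    esac
    # root bypasses read/write checks; execute still needs at least one x bit
    if [ "$euid" -eq 0 ]; then
        [ "$op" != x ] && return 0
        [ $(( mode & 0111 )) -ne 0 ] && return 0
        return 1
    fi
    if [ "$euid" -eq "$fuid" ]; then
        class=$(( (mode >> 6) & 7 ))          # owner triplet, and only that one
    else
        class=$(( mode & 7 ))                 # others triplet unless a group matches
        for g in $egroups; do
            if [ "$g" -eq "$fgid" ]; then
                class=$(( (mode >> 3) & 7 ))  # group triplet
                break
            fi
        done
    fi
    [ $(( class & bit )) -ne 0 ]
}

# Constructed example matching the tutorial's listing: -rwxr-xr-- (754) owned
# by sunadm (uid 100), group staff (gid 10). A staff member (uid 101) may read
# and execute but not write; an outsider (uid 200) may only read.
for who in "100 10" "101 10" "200 20" "0 0"; do
    set -- $who
    for op in r w x; do
        if may_access 754 100 10 "$1" "$2" "$op"; then a=allow; else a=deny; fi
        printf 'uid %s gid %s op %s -> %s\n' "$1" "$2" "$op" "$a"
    done
done
```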
6. Modifying Permissions
Symbolic Mode:
chmod u+rwx file
chmod g-w file
chmod o+x file
chmod a+r file
Add permission:
chmod g+x script.sh
Remove permission:
chmod o-w file.txt
Set exact permission:
chmod u=rwx,g=rx,o=r file.txt
Numeric Mode:
chmod 754 file.txt
Recursive Permission Change
Be careful:
chmod -R 755 /export/home/sunadm
Risk:
Recursive changes may break application permissions.
7. Changing Ownership
Change owner:
chown sunadm file.txt
Change group:
chgrp staff file.txt
Change both:
chown sunadm:staff file.txt
Recursive:
chown -R sunadm:staff /export/home/sunadm
Only root can change file ownership.
8. Special Permission Bits
Solaris supports three special bits:
i. Setuid (SUID)
Symbol: s (in owner execute position)
Example:
-rwsr-xr-x
Meaning:
When executed, program runs with file owner’s privileges.
Common example:
/usr/bin/passwd
Security risk:
Improper SUID programs can cause privilege escalation.
Set SUID:
chmod u+s file
Numeric:
chmod 4755 file
ii. Setgid (SGID)
Symbol: s (in group execute position)
For files:
Executes with group privileges.
For directories:
New files inherit directory group.
Set SGID:
chmod g+s directory
Numeric:
chmod 2755 directory
iii. Sticky Bit
Symbol: t (others execute position)
Common on:
/tmp
Example:
drwxrwxrwt
Meaning:
Users can delete only their own files.
Set sticky bit:
chmod +t /shared
Numeric:
chmod 1777 /tmp
9. Default Permissions and umask
When a user creates a file, default permissions are determined by:
umask
Example:
umask 022
Default base permissions:
Files: 666
Directories: 777
Apply the umask (every bit set in the umask is cleared from the base mode; for these values the result is the same as octal subtraction):
777 - 022 = 755
666 - 022 = 644
Set umask permanently in:
~/.profile
/etc/profile
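The umask calculation as an added shell example (not from the original tutorial). It computes the mode the way the kernel does, by clearing the umask bits, and prints the naive octal subtraction beside it so the cases where the two disagree (any umask digit larger than the matching base digit, such as 027 applied to 666) are visible.

```shell
#!/bin/sh
# Compute the mode of a newly created file from a base mode and a umask.
# The kernel clears every bit set in the umask: mode = base & ~umask.
# Octal subtraction only agrees with this when no umask digit exceeds the
# corresponding base digit: 666 - 027 gives 637, the kernel gives 640.
apply_umask() {
    base=$(( 0$1 ))      # leading 0 makes the shell parse the value as octal
    mask=$(( 0$2 ))
    printf '%03o\n' $(( base & ~mask ))
}

# Naive subtraction, as tutorials usually present it, for comparison only.
subtract_umask() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# Walk the tutorial's example (umask 022) plus umasks where subtraction fails.
for pair in "666 022" "777 022" "666 027" "777 027" "666 077"; do
    set -- $pair
    printf 'base %s umask %s -> mask %s  subtract %s\n' \
        "$1" "$2" "$(apply_umask "$1" "$2")" "$(subtract_umask "$1" "$2")"
done
```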
10. Access Control Lists (ACLs)
Standard permissions allow only 3 categories: user, group, others.
ACLs provide fine-grained control.
View ACL:
ls -V file.txt
Example output:
user:sunadm:rw-
group:staff:r--
Add ACL entry:
chmod A+user:sunadm:read_data file.txt
Remove ACL:
chmod A-user:sunadm:read_data file.txt
ACLs are useful when:
Multiple specific users need custom access.
You want exceptions beyond standard permissions.
11. Permission Inheritance in Directories
New files inside a directory inherit:
- Owner → creator’s UID
- Group → parent directory group (if SGID set)
- Permissions → based on umask
SGID on shared directories ensures consistent group ownership.
12. Hard Links and Permissions
Hard links share the same inode.
Changing permission on one hard link affects all links.
Check link count:
ls -l
Second column shows link count.
13. Best Practices
- Use 755 for directories
- Use 644 for normal files
- Avoid 777 unless absolutely required
- Limit SUID programs
- Use SGID for shared project directories
- Use ACLs instead of 777
- Regularly audit world-writable files
Find world-writable files:
find / -perm -0002 -type f
Find SUID files:
find / -perm -4000
Find SGID files:
find / -perm -2000