Skip to content

Permission Management

pada Linux, permissions atau ijin diberikan kepada users dan groups. Setiap user dapat menjadi anggota dari group yang berbeda-beda dan keanggotaan didalam group-group tersebut memberikan user spesifikasi, ijin tambahan (permissions). Setipa file dan folder milik (dapat diakses) oleh user dan group tertentu.Sehingga, permission untuk user dan group yang terdefinisi pada sebuah file juga menjelaskan kepemilikan pemilikinya. Ketika user membuat sebuah file atau folder baru, mereka akan dimiliki oleh group yang user tersebut ada didalammnya dan user itu sendiri.

Ketika user ingin mekases konten dari sebuah direktori pada linux, mereka harus pertama kali menuju ke direktori tersebut yang mana artinya haru menavaigasi ke direktori konten tersebut berada. Hal itu membutuhkan user untuk mengeksekusi permission pada direktori tersebut. Tanpa permission, user tidak dapat mengakses konten dan malah akan ditampilkan pesan error permission Denied.

cry0l1t3@htb[/htb]$ ls -l

drw-rw-r-- 3 cry0l1t3 cry0l1t3   4096 Jan 12 12:30 scripts


cry0l1t3@htb[/htb]$ ls -al mydirectory/

ls: cannot access 'mydirectory/script.sh': Permission denied
ls: cannot access 'mydirectory/..': Permission denied
ls: cannot access 'mydirectory/subdirectory': Permission denied
ls: cannot access 'mydirectory/.': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
-????????? ? ? ? ?            ? script.sh
d????????? ? ? ? ?            ? subdirectory

Sangat pentin untuk dicatat permission dibuhtuhkan untuk melintasi sebuah direktori, tidak pendulu tingkat akses pada user. Dan, permission pada sebauh direktori tidak dapat membuat user memiliki ijin untuk mengeksekusi atau memodifikasi file atau kontent apapun yang ada dalam direktori tersebut, hanya dapat melintas dan mengakses konten pada direktori tersebut.

Untuk mengeksekusi file pada direktori tersebut, user harus memiliki permission pada file terkaint. Sedangkan untuk memodifikasi konten-konten pada direktori tersebut (seperti, create, delete atau me-rename file dan sub direktori didalamnya) user membutuhkan write permission pada direktori tersebut.

Seluruh permission system pada linux berdasarkanpada ocatal number system dan ada tiga tipe permission pada sebuah fileatau diretori;

  • r - Read
  • w - Write
  • x - Execute

Permission dapat diberikan pada owner, group dan other (pengguna lainya).

cry0l1t3@htb[/htb]$ ls -l /etc/passwd

- rwx rw- r--   1 root root 1641 May  4 23:42 /etc/passwd
- --- --- ---   |  |    |    |   |__________|
|  |   |   |    |  |    |    |        |_ Date
|  |   |   |    |  |    |    |__________ File Size
|  |   |   |    |  |    |_______________ Group
|  |   |   |    |  |____________________ User
|  |   |   |    |_______________________ Number of hard links
|  |   |   |_ Permission of others (read)
|  |   |_____ Permissions of the group (read, write)
|  |_________ Permissions of the owner (read, write, execute)
|____________ File type (- = File, d = Directory, l = Link, ... )

Change Permissions

Kita dapat memodifikasi permission menggunakan perintah chmod, permission group references (u - owner, g - Group, o - Other, a - All users), dan + untuk menambah - menghapus permission. Dibawha ini saya membuat file dengan nama shell.sh

maruffarras@BrownTofu:~/learn/learn-ubuntu$ ls -la
total 8
drwxrwxr-x 2 maruffarras maruffarras 4096 Mar  7 10:57 .
drwxr-xr-x 8 maruffarras maruffarras 4096 Mar  7 10:56 ..
--w--w---- 1 maruffarras maruffarras    0 Mar  7 10:57 shell.sh

Katakan kita ingin memberikan read permission untuk semua user.

maruffarras@BrownTofu:~/learn/learn-ubuntu$ chmod a+r shell.sh  & ls -la
[1] 11796
total 8
drwxrwxr-x 2 maruffarras maruffarras 4096 Mar  7 10:57 .
drwxr-xr-x 8 maruffarras maruffarras 4096 Mar  7 10:56 ..
-rw-rw-r-- 1 maruffarras maruffarras    0 Mar  7 10:57 shell.sh
[1]+  Done                    chmod a+r shell.sh

Contoh lainnya kita ingin memberika execute permission terhadap owner

maruffarras@BrownTofu:~/learn/learn-ubuntu$ chmod u+x shell.sh & ls -la 
[1] 11857
total 8
drwxrwxr-x 2 maruffarras maruffarras 4096 Mar  7 10:57 .
drwxr-xr-x 8 maruffarras maruffarras 4096 Mar  7 10:56 ..
-rwxrw-r-- 1 maruffarras maruffarras    0 Mar  7 10:57 shell.sh
[1]+  Done                    chmod u+x shell.sh

Kita juga dapat menyetel permission menggunakan ocatal value assignment. Katakan kitaingin membuat group hanya bisa read dan execute sedangkan other user hanya bisa read. 

maruffarras@BrownTofu:~/learn/learn-ubuntu$ chmod 751 shell.sh & ls -la
[1] 12208
total 8
drwxrwxr-x 2 maruffarras maruffarras 4096 Mar  7 10:57 .
drwxr-xr-x 8 maruffarras maruffarras 4096 Mar  7 10:56 ..
-rwxr-x--x 1 maruffarras maruffarras    0 Mar  7 10:57 shell.sh
[1]+  Done                    chmod 751 shell.sh

Wow, bingung ? mari kita ulas bagaimana 751 dapat menyetel permission sesuai dengan permintaa diatas. Dibawah ini adalah penjelasannya

-----------------------------------------------------------|
------------------------------- Owner  | Group   | Other   |
-----------------------------------------------------------|
Permission Representation:      r w x  |  r - x  |  r - -  | #(1)! |
-----------------------------------------------------------|
Binary Representation:          1 1 1  |  1 0 1  |  1 0 0  | #(2)!
-----------------------------------------------------------|
Binary Notation:                4 2 1  |  4 2 1  |  4 2 1  | #(3)!
-----------------------------------------------------------|
Octal Value:                      7    |    5    |    4    | #(4)!
  1. Penentenua permission pada owner, group dan other
  2. Binary (biner), bilang biner 0 jika tidak diberikan akses, dan 1 diberikan akses
  3. Merubah bilangan biner kedalam integer
  4. Jumlahkan integer

Untuk mengubah owner dan atau group yang terdaftar pada file atau direktori dapat menggunakan perintah chown. Syntax <user>:<group> <file/direktori>

Pada contoh dibawha ini, kepemiliki file shell.sh akan kita ganti menjadi user root dan group root.

maruffarras@BrownTofu:~/learn/learn-ubuntu$ sudo chown root:root shell.sh 
[sudo] password for maruffarras: 
maruffarras@BrownTofu:~/learn/learn-ubuntu$ ls -la
total 8
drwxrwxr-x 2 maruffarras maruffarras 4096 Mar  7 10:57 .
drwxr-xr-x 8 maruffarras maruffarras 4096 Mar  7 10:56 ..
-rwxr-x--x 1 root        root           0 Mar  7 10:57 shell.sh

SUID & GUID

Besides assigning direct user and group permissions, we can also configure special permissions for files by setting the Set User ID (SUID) and Set Group ID (GUID) bits. These SUID/GUID bits allow, for example, users to run programs with the rights of another user. Administrators often use this to give their users special rights for certain applications or files. The letter "s" is used instead of an "x". When executing such a program, the SUID/GUID of the file owner is used.

It is often the case that administrators are not familiar with the applications but still assign the SUID/GUID bits, which leads to a high-security risk. Such programs may contain functions that allow the execution of a shell from the pager, such as the application "journalctl."

If the administrator sets the SUID bit to "journalctl," any user with access to this application could execute a shell as root. More information about this and other such applications can be found at GTFObins.

Sticky Bit

Sticky bits are a type of file permission in Linux that can be set on directories. This type of permission provides an extra layer of security when controlling the deletion and renaming of files within a directory. It is typically used on directories that are shared by multiple users to prevent one user from accidentally deleting or renaming files that are important to others.

For example, in a shared home directory, where multiple users have access to the same directory, a system administrator can set the sticky bit on the directory to ensure that only the owner of the file, the owner of the directory, or the root user can delete or rename files within the directory. This means that other users cannot delete or rename files within the directory as they do not have the required permissions. This provides an added layer of security to protect important files, as only those with the necessary access can delete or rename files. Setting the sticky bit on a directory ensures that only the owner, the directory owner, or the root user can change the files within the directory.

When a sticky bit is set on a directory, it is represented by the letter “t" in the execute permission of the directory's permissions. For example, if a directory has permissions “rwxrwxrwt", it means that the sticky bit is set, giving the extra level of security so that no one other than the owner or root user can delete or rename the files or folders in the directory. Syntax - chown

cry0l1t3@htb[/htb]$ ls -l

drw-rw-r-t 3 cry0l1t3 cry0l1t3 4096 Jan 12 12:30 scripts drw-rw-r-T 3 cry0l1t3 cry0l1t3 4096 Jan 12 12:32 reports

In this example, we see that both directories have the sticky bit set. However, the reports folder has an uppercase T, and the scripts folder has a lowercase t.

If the sticky bit is capitalized (T), then this means that all other users do not have execute (x) permissions and, therefore, cannot see the contents of the folder nor run any programs from it. The lowercase sticky bit (t) is the sticky bit where the execute (x) permissions have been set.