linux perm/group/selinux notes
gist shmup/df4debf1df4d5032051028aa5b87b3d9, last active February 6, 2024 00:38
█▓▒░ PERMISSION THINGS ░▒▓█
chgrp pissgroup file | change file's group to pissgroup
chmod 755 directory | set read/write/execute for owner, read/execute for group and others on dir
chown username:groupname file | change owner and group of file
getent group wheel | show a group's entry from the group database, including its members
gpasswd -a username piss | add user to the group piss (alternative to usermod)
gpasswd -d username piss | remove user from the group piss
groupadd piss | create a new group named piss
groupdel piss | delete the group named piss
groups username | list groups for user
usermod -a -G piss username | add user to the group piss (-a keeps existing supplementary groups; -G alone replaces them)
usermod -aG wheel username | add user to wheel group for sudo privileges
note: a changed group membership only applies to sessions started after the change (log out and back in, or use newgrp)
octal permission digits (one each for owner, group, others):
0 - no permissions
1 - execute
2 - write
3 - write and execute
4 - read
5 - read and execute
6 - read and write
7 - read, write, and execute
█▓▒░ SELINUX STUFF ░▒▓█
getenforce - check current SELinux mode (Enforcing, Permissive or Disabled)
setenforce 0 - set SELinux into permissive mode (denials are logged but not blocked; reverts to the configured mode on reboot)
setenforce 1 - set SELinux back to enforcing mode
chcon -Rt httpd_sys_content_t /path/to/webcontent
- change the SELinux type of web content files recursively (temporary: lost on the next relabel or restorecon)
restorecon -Rv /home/user/public_html
- apply the policy's registered file contexts to the file system (recursive, verbose)
semanage fcontext -a -t httpd_sys_content_t '/home/user/public_html(/.*)?'
- register a persistent SELinux context so files can be served from the home directory (run restorecon on the path afterwards to apply it)
ls -lZ $HOME/proj1
- display selinux context for files and dirs
ps -eZ | grep caddy
- show the SELinux context (domain) the caddy process runs in
█▓▒░ CADDY PERM EXAMPLE ░▒▓█
1. ensure jtm in caddy group
usermod -a -G caddy jtm
2. set proj1 dir group to jtm or caddy if other users need access
chgrp -R jtm $HOME/proj1
(the group set here must be one the caddy service user is a member of, or caddy cannot get past the 750 in step 3; every parent dir, including $HOME, also needs search (x) permission for that user)
3. set dir perms for group access
chmod 750 $HOME/proj1
4. files inside need read by group
chmod 640 $HOME/proj1/*
(the glob is not recursive and would strip execute/search from any subdirectory it matches; nested dirs need 750, files 640)
5. adjust selinux for httpd service
semanage fcontext -a -t httpd_sys_content_t "$HOME/proj1(/.*)?"
restorecon -Rv $HOME/proj1
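An added example (not from the gist) that models the DAC check the kernel does on each path component for the Caddy layout above, so you can see which of steps 2 and 3 blocks the service user; it assumes HOME is /home/jtm, the service user is caddy and the web root is $HOME/proj1, and `snapshot` builds the same model from a live Linux host so the check can be run against real paths.

```python
import os, stat
# Constructed model of the page's Caddy layout: path -> (owner, group, mode).
# Assumed: HOME is /home/jtm, caddy runs as user "caddy", web root is $HOME/proj1.
# Only DAC (owner/group/other bits) is modelled, not SELinux or ACLs.
def scenario(home_mode=0o700, proj_group="caddy"):
    return {
        "/": ("root", "root", 0o755),
        "/home": ("root", "root", 0o755),
        "/home/jtm": ("jtm", "jtm", home_mode),
        "/home/jtm/proj1": ("jtm", proj_group, 0o750),
        "/home/jtm/proj1/index.html": ("jtm", proj_group, 0o640),
    }

R, W, X = 4, 2, 1

def class_bits(owner, group, mode, user, user_groups):
    """rwx triplet that applies to user: owner class first, then group, then other."""
    if user == owner:
        return (mode >> 6) & 7
    if group in user_groups:
        return (mode >> 3) & 7
    return mode & 7

def check_access(fs, path, user, user_groups, want=R):
    """Walk path like the kernel's DAC check: each parent dir needs search (x),
    the final entry needs `want`. Returns (ok, first_blocking_path)."""
    if user == "root":  # root bypasses DAC (SELinux would still apply)
        return True, None
    cur = "/"
    for part in [p for p in path.split("/") if p]:
        owner, group, mode = fs[cur]
        if not class_bits(owner, group, mode, user, user_groups) & X:
            return False, cur
        cur = os.path.join(cur, part)
    owner, group, mode = fs[cur]
    if class_bits(owner, group, mode, user, user_groups) & want != want:
        return False, cur
    return True, None

def snapshot(path):
    """Same model built from the live filesystem (Linux) for path and its parents."""
    import pwd, grp
    fs, cur = {}, "/"
    for part in ["/"] + [p for p in os.path.abspath(path).split("/") if p]:
        cur = "/" if part == "/" else os.path.join(cur, part)
        st = os.stat(cur)
        fs[cur] = (pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name,
                   stat.S_IMODE(st.st_mode))
    return fs
```

With the defaults (HOME 700) caddy is stopped at /home/jtm; with HOME 711 but the dir group set to jtm it is stopped at /home/jtm/proj1, which is the trap in step 2.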
█▓▒░ GETENT OUTPUT ░▒▓█
$ getent group wheel
⮱ wheel:x:10:piss
wheel - group name
x - password placeholder; the group password, if any, is kept in the shadow file (/etc/gshadow)
10 - the numerical group ID (GID) for the wheel group
piss - the username of a member of the wheel group (several members are comma-separated)
█▓▒░ LS SECURITY CONTEXT ░▒▓█
ls -lZ | list files with SELinux contexts
ls -ldZ /path/to/dir | display attributes/SELinux context for specified dir only
⮱ drwxr-xr-x. 1 jtm jtm unconfined_u:object_r:container_file_t:s0:c537,c936 20 Sep 18 00:25 dir
drwxr-xr-x. => file permissions (d=directory, r=read, w=write, x=execute); the trailing . means an SELinux context is set (+ would mean an ACL or other extended attributes)
1 => Number of hard links to the file/directory
jtm => Owner of the file/directory
jtm => Group owner of the file/directory
[security context, user:role:type:level]
unconfined_u => SELinux user in the context
object_r => SELinux role (object_r for files and directories)
container_file_t => SELinux type (here the type for container files)
[sensitivity level and categories, SELinux Multi-Level/Multi-Category Security (MLS/MCS)]
s0:c537,c936 => level s0 with categories c537,c936 (the category pair is what keeps one container's files separate from another's)
20 => size in bytes
Sep 18 00:25 => modification date/time
dir => name
d | directory flag (absent for files)
r | read permission
w | write permission
x | execute/search permission (directories)
s | setuid/setgid bit (u/g position) + execute bit set; S if not executable.
t | sticky bit + execute bit set; T if not executable.
user | SELinux user identity part of context.
role | Role field in context.
type | Type field indicating the type of object or domain.
level | Sensitivity level and categories for MLS/MCS.