File Permissions


Windows

  • Access Control Lists, or ACLs, are used to assign file and directory permissions
    • Discretionary ACLs (DACLs) say who can use a file and what they are allowed to do with it
      • Each file or folder has an owner and one or more DACL entries
    • System ACLs (SACLs) let Windows log every time a user attempts to access a file or folder
  • View file permissions: Right Click > Properties > Security

Permissions Types

  • Read lets you see that a file exists and read its contents. On a directory, it lets you list the files and subdirectories in it.
  • Read & Execute lets you read files and, if the file is an executable, run it
    • Includes Read, so selecting Read & Execute automatically selects Read
    • List folder contents
      • an alias for Read & Execute on a directory
  • Write lets you make changes to a file
    • Write can be granted without Read
    • On a directory, lets you create subdirectories and write to files in the directory
  • Modify is an umbrella permission that includes Read, Execute, and Write
  • Full Control lets a user do anything with the file
    • Includes all the permissions of Modify and adds the ability to take ownership of the file and change its ACLs

Improved Change ACLs (ICACLs)

  • The icacls (improved change ACLs) command shows which ACLs are assigned to a file and lets you change them
    • /? for help
    • R = read
    • W = write
    • F = full access
    • OI = object inherit
      • new files or objects within this directory will inherit the DACL entry
    • CI = container inherit
      • new directories or containers within this directory will inherit the DACL entry

Linux

  • Linux has 3 permissions
    • Read allows a user to read the contents of a file or folder
    • Write allows a user to write information to a file or folder
    • Execute allows a user to run a program
  • View permissions:
    • file: ls -l file
    • directory: ls -ld directory

Example

-rwxrw-r-- 1 user group 0
  • Section 1: 10 characters
    • First character:
      • - = regular file
      • d = directory
    • Next 9 characters are the permissions
      • Grouped in sets of 3
        • First trio = permissions for the owner of the file
        • Second trio = permissions for the group that the file belongs to
        • Third trio = permissions for all other users
      • - means the permission is disabled; any other character means it is enabled
  • Section 2: number of hard links to the file
  • Section 3: owner name
  • Section 4: group name
  • Section 5: size in bytes
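The mode column above can be decoded mechanically. The POSIX shell function below is an added example (not from the notes): it turns a 10-character mode string into the 4-digit octal number that chmod accepts, and it goes beyond the plain case by also handling the s/S and t/T characters that SetUID, SetGID and the sticky bit put in place of an x. The ls -l lines it walks are constructed sample input.

```shell
# Decode the 10-character mode column printed by `ls -l` (e.g. -rwxrw-r--) into
# a 4-digit octal mode. Constructed example, not part of the notes. The leading
# digit holds the special bits: 4 = SetUID (s in the owner trio), 2 = SetGID
# (s in the group trio), 1 = sticky (t in the others trio); an uppercase S or T
# means the special bit is set while the execute bit of that trio is not.

mode_to_octal() {
    m=$1
    if [ ${#m} -ne 10 ]; then
        echo "expected 10 characters, got '$m'" >&2; return 1
    fi
    special=0; perms=""; trio=0
    for weight in 4 2 1; do                     # special-bit weight per trio
        r=$(printf '%s' "$m" | cut -c$((2 + trio * 3)))
        w=$(printf '%s' "$m" | cut -c$((3 + trio * 3)))
        x=$(printf '%s' "$m" | cut -c$((4 + trio * 3)))
        v=0
        case $r in r) v=$((v + 4));; -) ;; *) echo "bad '$r' in $m" >&2; return 1;; esac
        case $w in w) v=$((v + 2));; -) ;; *) echo "bad '$w' in $m" >&2; return 1;; esac
        case $x in
            x)   v=$((v + 1)) ;;
            s|t) v=$((v + 1)); special=$((special + weight)) ;;
            S|T) special=$((special + weight)) ;;
            -)   ;;
            *)   echo "bad '$x' in $m" >&2; return 1 ;;
        esac
        perms="$perms$v"; trio=$((trio + 1))
    done
    printf '%d%s\n' "$special" "$perms"
}

# Name the file type given by the first character.
mode_type() {
    case $1 in
        -*) echo "regular file" ;;
        d*) echo "directory" ;;
        l*) echo "symbolic link" ;;
        *)  echo "other (socket, pipe, device)" ;;
    esac
}

# Walk the mode column of a few constructed ls -l lines.
for line in '-rwxrw-r-- 1 user group 0 notes.txt' \
            '-rwsr-xr-x 1 root root 0 passwd' \
            'drwxrwxrwt 2 root root 0 tmp'; do
    mode=${line%% *}
    printf '%-11s %s  %s\n' "$mode" "$(mode_to_octal "$mode")" "$(mode_type "$mode")"
done
```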

Modifying Permissions

Windows

  • GUI
    • Right Click > Properties > Security > Edit
      • add a group or user name
      • Check Names to verify the name is correct
      • select permissions
    • The Deny column takes precedence over Allow
      • if a user is part of a group that is allowed, but the user is denied, the user is denied permission
  • In PowerShell
    • icacls 'location' /grant 'Everyone:(OI)(CI)(R)'
  • In Command Prompt
    • icacls "location" /grant Everyone:(OI)(CI)(R)

PowerShell Example

Grant permission to authenticated users (users who logged in with a password):

icacls 'C:\Vacation Pictures' /grant 'Authenticated Users:(OI)(CI)(R)'

Remove permissions

icacls 'C:\Vacation Pictures' /remove Everyone

Linux

  • The chmod (change mode) command changes file permissions
  • 2 ways of specifying permissions
    • symbolic
    • numeric

Info

Using chmod on a directory does not affect the permissions of files within the directory

Symbolic Format

  • Symbolic format is a way to change permissions using symbols
  • Decide which permission set you want to change
    • Owner: u
    • Group: g
    • Other users: o
    • All: a
  • Add permission with +
  • Remove permission with -

Example

chmod u+x file

Numeric format

  • Numeric format is a way to change permissions numerically
    • faster and simpler, and lets you change all permissions at once
    • 4 = read
    • 2 = write
    • 1 = execute
    • to combine permissions, simply add the numbers

Example

chmod 754 file

  • 7 = 4+2+1 (owner: rwx)
  • 5 = 4+1 (group: r-x)
  • 4 = 4 (others: r--)

Changing owner of a file

  • chown allows you to change the owner of a file
    • sudo chown user file

Changing group of a file

  • sudo chgrp group file

Special Permissions

Windows

  • Simple permissions are sets of special, or specific, permissions
  • The simple permission Read actually sets multiple special permissions
    • Read =
      • List folder / read data
      • Read attributes
      • Read extended attributes
      • Read permissions
  • In the permissions settings, Advanced shows the special permissions
  • Via CLI
    • use the icacls command with the special permissions


Linux

Run file as owner

  • SetUID, set owner ID, allows users to run the file with the permissions of the owner
    • s appears in place of a rwx permission bit
  • Usage:
    • Symbolic: sudo chmod u+s file
    • Numeric: sudo chmod 4755 file
      • prepend 4 to permissions
  • SetGID, set group ID, enables running the file as a group member
  • Usage:
    • Symbolic: sudo chmod g+s file
    • Numeric: sudo chmod 2755 file
      • prepend 2 to permissions
  • Sticky bit lets anyone run or write to a folder, but cannot delete anything
    • Only owner or root can delete anything
  • Usage:
    • Symbolic: sudo chmod +t file
    • Numeric: sudo chmod 1755 file
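Both the symbolic and numeric chmod formats, and the special bits above, operate on the same 12 permission bits. The POSIX shell functions below are an added example (not from the notes): one renders an octal mode the way ls -l shows it, the other simulates what a symbolic spec such as u+x, go-w, a=r, u+s, g+s or +t does to an octal mode, so the notes' 754 and 4755/2755/1755 examples can be checked without touching a real file.

```shell
# Simulates how chmod combines a symbolic spec (u+x, go-w, a=r, u+s, g+s, +t)
# with an existing octal mode, and renders a mode the way ls -l shows it.
# Constructed example, not part of the notes; no real files are changed.

# Render a 3- or 4-digit octal mode as the 9-character permission string.
octal_to_symbolic() {
    m=$((0$1)); out=""                           # leading 0 = octal constant
    for shift in 6 3 0; do                       # owner, group, others
        b=$(( (m >> shift) & 7 ))
        case $((b & 4)) in 0) out="$out-";; *) out="${out}r";; esac
        case $((b & 2)) in 0) out="$out-";; *) out="${out}w";; esac
        case $((b & 1)) in 0) x=-;; *) x=x;; esac
        # SetUID (4000), SetGID (2000), sticky (1000) replace the x of their trio: s/t if executable, S/T if not
        if [ $(( m & (512 << (shift / 3)) )) -ne 0 ]; then
            case "$shift$x" in 6x|3x) x=s;; 6-|3-) x=S;; 0x) x=t;; 0-) x=T;; esac
        fi
        out="$out$x"
    done
    printf '%s\n' "$out"
}

# Apply one symbolic spec to an octal mode; prints the new 4-digit octal mode.
apply_chmod() {                                  # usage: apply_chmod 755 g+s
    mode=$((0$1)); spec=$2
    who=${spec%%[+=-]*}; rest=${spec#"$who"}      # who: u, g, o, a (default a)
    op=${rest%"${rest#?}"}; perms=${rest#?}       # op: + - =   perms: r w x s t
    who=${who:-a}; set_mask=0; clear_mask=0
    for w in u g o; do
        case $who in *a*|*$w*) ;; *) continue ;; esac
        case $w in u) shift=6;; g) shift=3;; o) shift=0;; esac
        bits=0
        case $perms in *r*) bits=$((bits | 4));; esac
        case $perms in *w*) bits=$((bits | 2));; esac
        case $perms in *x*) bits=$((bits | 1));; esac
        set_mask=$(( set_mask | (bits << shift) ))
        clear_mask=$(( clear_mask | (7 << shift) ))  # '=' clears the trio first
        case "$w$perms" in u*s*) set_mask=$((set_mask | 2048));; g*s*) set_mask=$((set_mask | 1024));; esac
    done
    case $perms in *t*) set_mask=$((set_mask | 512));; esac
    case $op in
        +) mode=$(( mode | set_mask )) ;;
        -) mode=$(( mode & ~set_mask )) ;;
        =) mode=$(( (mode & ~clear_mask) | set_mask )) ;;
    esac
    printf '%04o\n' "$mode"
}

octal_to_symbolic 754                            # rwxr-xr--: 4+2+1, 4+1, 4
apply_chmod 644 u+x                              # 0744
apply_chmod 755 g+s                              # 2755
```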