dslreports logo
 
    All Forums Hot Topics Gallery
spc
uniqs
16

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

2 recommendations

rchandra to Muldjin

Premium Member

to Muldjin

Re: Linux hacked?! Permissions don't work

I agree with many previous posters. Once compromised, one cannot truly determine if a computer has been scrubbed of the infection unless one takes known good media (CD, DVD, or whatever) and reinstalls everything, including retaining no data whatsoever (which includes making ALL brand new filesystems). It's a somewhat advanced topic, but everything in the boot path has to be rewritten, such as the MBR and anything it accesses.

Unless as leibold See Profile suggests you want to retain the original disks for forensics, the easiest, prepackaged way I know of to do this is to boot up Darik's Boot And Nuke (DBAN). You will be left with absolutely squeaky clean hard disks. For your application, single pass mode will do as you're not likely at all to be doing data recovery. (Plus I've read that with most modern HDDs, multipass doesn't gain you anything, and if you really want industrial espionage/NSA grade unreadability of the platters, physical destruction is the only way.)

Really, seriously...you don't have to be playing around with octal. It's far easier just to think symbolically with ugoa+-=rwx. (Readers' Digest version: u is user, g is group, o is other, a is all, + is add bits, - is take away bits, = is make it exactly this. There are also more arcane bits available, like t and s. man -s 1 chmod for all the details.) So for example chmod a= /tmp/test would be the symbolic equivalent of what you tried. Similar useful constructs would be:

  • chmod a+rx myshellscript

  • chmod u=rwx,go=rx ashellscript

  • chmod go-w FileToRemoveGroupAndOtherWritability

  • chmod o= FileWhereOtherHasNoRights


dennismurphy
Put me on hold? I'll put YOU on hold
Premium Member
join:2002-11-19
Parsippany, NJ

dennismurphy

Premium Member

said by rchandra:

Really, seriously...you don't have to be playing around with octal.

I find Octal much, much easier. Much quicker as well. Most Unix admins I know do; in fact, I don't know of ANY that use the ugoa syntax.

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105

rchandra

Premium Member

Well, now you do (know one). (well....not know well)

Exodus
Your Daddy
Premium Member
join:2001-11-26
Earth

Exodus to dennismurphy

Premium Member

to dennismurphy
Each has their own place. If I went to set static permissions for a folder or file(s), I use the octal. What happens if you want to strip away read access for all "other" users in a folder while keeping other permissions intact? You can't do that with octal.

dennismurphy
Put me on hold? I'll put YOU on hold
Premium Member
join:2002-11-19
Parsippany, NJ

dennismurphy

Premium Member

said by Exodus:

What happens if you want to strip away read access for all "other" users in a folder while keeping other permissions intact? You can't do that with octal.

Huh? chmod 660 - read/write for user, group, not other.
chmod 750 - rwx for user, read/exectute for group, none for other.

What can't you do with octal?
dave
Premium Member
join:2000-05-04
not in ohio

dave

Premium Member

Your examples do not leave user+group permissions unchanged. They set them to specific values.

leibold
MVM
join:2002-07-09
Sunnyvale, CA
Netgear CG3000DCR
ZyXEL P-663HN-51

1 recommendation

leibold to dennismurphy

MVM

to dennismurphy
The u/g/o/a +/-/= r/w/x syntax allows you to add or remove some privileges while keeping the remaining permissions unmodified. This is helpful when you want to change permissions on a large set of files that have different permissions and you need to preserve some of those differences (for example remove the writable attribute from all files in a directory that contains both data files without the execute bit and programs with the execute bit).

Before:

rw-rw-rw- prog.conf
rwxrwxrwx prog.sh

Chmod: a-w *

After:

r--r--r-- prog.conf
r-xr-xr-x prog.sh
jscarville
Premium Member
join:2013-09-21
Glendora, CA

jscarville

Premium Member

Be careful if you have directories that will be included by the "*" wildcard. The chmod command will remove write from them as well. That may not be what you intended.

This only changes attributes for files in the current directory

find . -type f -maxdepth 1 -exec chmod a-w {} \;

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

rchandra

Premium Member

I very rarely if ever use the -exec option. Almost invariably, unless requirements actually necessitate using "{}", I use xargs, and often xargs -t to see what it's doing. If in a GNU environment (such as Linux), often I will add -print0 to find(1) and use xargs -0 -t.

Another thing to note is the capital symbolic modes. For example, X behaves differently for files and directories. For example:
chmod -R ug+X .
It makes directories searchable whilst not altering the executability of files.