Re: The most dangerous command a new admin learns

TudorRaduta

The Temptation of `chmod 777`

Happy Wednesday, everyone!

It's time for our weekly "Problem & a Polish," where we talk about a common mistake that teaches us an important lesson. Today's topic: the most tempting and dangerous command a new sysadmin learns.

The Problem: You’re setting up an application, and it keeps failing with a "Permission denied" error. You're frustrated and you just want it to work. So you run the magic command: chmod -R 777 /path/to/app. It works! But you've just created a massive security hole.

Instead of opening the floodgates, the real sysadmin skill is to diagnose the specific permission needed. This is the principle of "least privilege."

The Polish: The Right Way to Troubleshoot

Check Ownership: First, see who owns the file with ls -l. Maybe the real fix is a quick chown.
Check Group: Is the user in the correct group? Check with groups username. Maybe the fix is chgrp.
Apply Correct Permissions: Grant only the exact permissions needed. For a config file, that might be chmod 640.

Your Turn!

What was the first "permission denied" puzzle that really forced you to learn chmod, chown, and chgrp properly?
What's your go-to command for quickly checking permissions and ownership?

Share your stories and tips in the comments!

Blue_bird

Well, I encounter 'Permission Denied' Messages..When running a search across a larger part of the file system and/or accessing specific config files like /etc/shadow...etc. I commonly use ls -l command to check permissions, if that didn't help then I go with getfacl.

Thanks

TudorRaduta

@Blue_bird thanks for sharing your troubleshooting process! That's a great real-world example.

The /etc/shadow file is a perfect case of a file that should give a normal user a 'Permission Denied' error. It's a great reminder of why some files are so heavily protected and why we have tools like sudo.

I'm really glad you brought up getfacl. That's the perfect 'next step' when the output of ls -l doesn't seem to tell the whole story.

You've opened up an excellent advanced topic here: Access Control Lists (ACLs). Instead of just talking about it, let's turn it into a mini-challenge for the weekend.

HERE'S THE CHALLENGE:

Imagine user 'susan' has a directory at /home/susan/projectX. The web server, running as user 'apache', needs read and execute access to that directory and its contents. You CANNOT change the owner (susan) or the group (susan).

What is the one setfacl command you would run to grant the 'apache' user the correct permissions?

Great contribution for taking the conversation to this level. Let's see those solutions!

Chetan_Tiwary_

@Blue_bird glad that you brought up "getfacl" !

Brian_Drexler

If the file is an executable, how about the special permission SetUID: chmod u+s /path/file

This way we can enable the executable for members of the Owning Group, even Other if the scenario requires it, without giving them explicit execute permissions.

TudorRaduta

@Brian_Drexler that's a fantastic point and a perfect follow-up to our discussion. Thanks for bringing up special permissions like SetUID! It's a powerful and important concept for the RHCSA.

You've highlighted a really interesting detail about how SetUID interacts with the standard execute permission. My understanding is that a user actually still needs the regular execute (x) permission to be able to run the file in the first place. The SetUID (s) bit then takes over and elevates the privilege of the running process to that of the file's owner (which is usually root).

So they work as a team: x lets you run it, and s determines as whom it runs. The classic example is the passwd command, which needs to run as root to do its job safely.

This is a great dive into advanced permissions! It makes me wonder about the others:

Has anyone here had to use SetGID (g+s) on a directory or the Sticky Bit (+t) in a real-world scenario?

Seriously, great topic to bring up. This is exactly the kind of deep dive that helps everyone prepare.

Chetan_Tiwary_

Not to forget that "s" denotes that the setuid or setgid bit and the corresponding executable bit are both set.

"S" denotes that the setuid or setgid bit is set but the corresponding executable bit is not set.

Brian_Drexler

I don't think it makes sense to have SetUID = S as that means Owning User does not have Execute permission, and since the whole point of SetUID is to execute as the Owning User, it should be implied. So while technically possbile to see S in the 3rd bit, that just does not make sense (at least not to me). Now SetGID, sure, that can legitimately be S.

Chetan_Tiwary_

@Brian_Drexler You are right that it does not server any purpose.

The "S" actually is a flag that points out something is “odd” i.e the special bit is present, but the normal x bit is absent - pointing an admin / user to correct the things. A useful indicator to rectify a mistake!

Chetan_Tiwary_

Apart from ls , if you want more detailed information about the file - like access mode, selinux context : stat is another goto utility :

or else you have namei utility :