Sudo is a program that lets a permitted user run commands with the privileges of another user, by default the superuser (root), and logs who ran what. The basic idea is to give a user as few privileges as possible while still allowing that user to accomplish a task. The name stands for "substitute user, do". Which users may run which commands, and as whom, is governed by a system configuration file (/etc/sudoers). Sudo ships with most UNIX and Linux-based operating systems.
Adding a user and granting that user administrative privileges is one of the common tasks of a system administrator. Once a user has been added and granted sudo privileges, they will be able to log in to your Ubuntu VPS and perform the tasks needed to maintain the system, prefixing commands with sudo to run them with elevated privileges. In this quick tutorial, we will show you how to add a new user and grant that user sudo permissions.
Umask, the user file-creation mode mask, determines the default permissions of newly created files and directories. The term mask refers to a set of permission bits: each bit that is set in the mask clears the corresponding permission bit on every newly created file or directory. The mask is queried and changed by invoking the umask command.
When using the term Umask, we are referring to one of the following two meanings:
The user file creation mode mask that is used to configure the default permissions for newly created files and directories
The command “umask” which is used to set the umask value
As you probably already know, all Unix-based operating systems have a set of properties that define who is allowed to read, write, or execute specific files or directories. These permissions apply to three categories, called permission classes, which are as follows.
User: The user class is the owner of a file or directory. By default, ownership of a new file goes to the user who created it.
Group: A Group is a set of users that share the same access level or permissions to a file or folder.
Other: The other class is everyone who is neither the owner nor a member of the owning group. When we set the permission level of a file or directory for other, we grant that level of access to any user on the system who can reach the file or directory.
So, what happens when a user creates new files and directories? The permissions the system assigns, for example to a file created with the touch command, are derived from a fixed base mode and the current umask, as explained below.
The entry for umask in the bash(1) manual page (umask is a shell builtin) reads as follows.
umask [-p] [-S] [mode]
The user file-creation mask is set to mode.
If mode begins with a digit, it is interpreted as an octal number; otherwise it is interpreted as a symbolic mode mask similar to that accepted by chmod(1). If mode is omitted, the current value of the mask is printed.
The -S option causes the mask to be printed in symbolic form; the default output is an octal number.
If the -p option is supplied, and mode is omitted, the output is in a form that may be reused as input. The return status is 0 if the mode was successfully changed or if no mode argument was supplied, and false otherwise.
To view the current umask value, we run the umask command with no arguments. It prints the current mask as an octal number. Note that this is the mask itself, not the permissions that new files and directories receive; those are derived from it as shown below.
[root@host ~]# umask
To change these values, we will use the following command.
[root@host ~]# umask ###
[root@host ~]# umask 022
The ### symbols in the first command are used in lieu of an actual octal number.
Below, we can see the translated values of the octal and how they are related.
So, when we run ls -l, the symbolic permission values are shown at the beginning of each line of output; the table below gives their octal equivalents.
The permissions set on the test directory are 755, or rwx r-x r-x. The permissions set on the test.txt file are 644, or rw- r-- r--. A dash means that the corresponding permission bit is not set.
Octal  Symbolic  Meaning
0      ---       no permission
1      --x       execute
2      -w-       write
3      -wx       write and execute
4      r--       read
5      r-x       read and execute
6      rw-       read and write
7      rwx       read, write and execute
How Umask Works
The umask does not set permissions directly; it specifies which permission bits are removed from the permissions the system would otherwise assign. To illustrate how the umask value is applied, suppose we want new files to default to 644 and new directories to 755. We would then use the following command.
[root@host ~]# umask 022
The 2 in the group and other positions (write permission) is filtered out of the system's base permissions of 666 for files and 777 for directories (hence the name mask). From now on, the system will assign 644 to new files and 755 to new directories. For common masks such as 022 you can calculate the result by subtracting the umask digits from the base digits, like so.
666 - 022 = 644
777 - 022 = 755
Strictly speaking, though, the operation is not subtraction: every bit that is set in the mask is cleared from the base mode (in C terms, mode & ~umask). Subtraction only gives the right answer while no umask digit tries to remove a bit the base does not have. With a umask of 027, for example, new files get 640, because the 7 in the other position clears the read and write bits and there is no execute bit in 666 to clear; digit subtraction would claim 637, which is wrong. Always reason in terms of bits being cleared, or verify with a freshly created file.
Umask digit : Resulting permission on a new directory (base 7)
0 : read, write and execute
1 : read and write
2 : read and execute
3 : read only
4 : write and execute
5 : write only
6 : execute only
7 : no permissions
We can use the above table to calculate the default permissions. For example, if our umask is set to 077, the permissions of a new directory work out as follows:
user 0 : read, write and execute
group 7 : no permissions
other 7 : no permissions
That is, new directories are created with mode 700. New files start from 666 rather than 777, so they never receive execute bits by default; under the same umask they are created with mode 600.
A umask of 000 removes nothing: newly created directories are readable, writable and executable by everyone (777) and newly created files are readable and writable by everyone (666), which is almost never what you want on a multi-user system.
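To see the mask being applied bit by bit rather than subtracted, here is an added example in Python (it is not part of the original article). effective_mode() clears the mask bits the way the kernel does, subtraction_mode() is the digit-subtraction shortcut from the text, and observed_modes() creates a real file and directory under a chosen umask in a temporary directory and reads back what the filesystem recorded. The base values 666 and 777 are the defaults described above; the temporary paths and file names are constructed for the example.

```python
import os
import stat
import tempfile

# Modes the kernel is asked for before the umask is applied (constructed
# constants matching the 666/777 defaults described in the article):
# open()/creat() request 0666 for regular files, which is what touch does;
# mkdir() requests 0777 for directories.
FILE_BASE = 0o666
DIR_BASE = 0o777


def effective_mode(base, umask):
    """Permissions the kernel actually assigns: clear every bit set in the mask."""
    return base & ~umask & 0o777


def subtraction_mode(base, umask):
    """The 'just subtract the digits' shortcut.  It agrees with effective_mode()
    only while no umask digit tries to remove a bit the base does not have."""
    return base - umask


def observed_modes(umask):
    """Create a file and a directory under the given umask and return the
    permission bits the filesystem actually recorded, as (file, dir)."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            file_path = os.path.join(tmp, "test.txt")
            dir_path = os.path.join(tmp, "test")
            fd = os.open(file_path, os.O_CREAT | os.O_WRONLY, FILE_BASE)
            os.close(fd)
            os.mkdir(dir_path, DIR_BASE)
            return (stat.S_IMODE(os.stat(file_path).st_mode),
                    stat.S_IMODE(os.stat(dir_path).st_mode))
    finally:
        os.umask(previous)  # never leave the process with a changed mask


if __name__ == "__main__":
    for mask in (0o022, 0o077, 0o027, 0o000):
        file_mode, dir_mode = observed_modes(mask)
        print(f"umask {mask:03o}: file {file_mode:03o} dir {dir_mode:03o} "
              f"(subtraction would claim file {subtraction_mode(FILE_BASE, mask):03o})")
```

Running it shows that for 022 and 077 both calculations agree, but for 027 subtraction claims that files get 637 while the kernel (and observed_modes) give 640: a umask digit of 7 in the other position cannot subtract an execute bit that 666 never had.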
Umask Configuration Location
In most Linux distributions, the default umask for login shells is set in one or more of the following locations:
/etc/profile – system-wide environment for login shells
/etc/bash.bashrc – system-wide configuration for interactive bash shells (on Debian-based distributions)
Some distributions instead set UMASK in /etc/login.defs or apply it through the pam_umask PAM module, and individual users can override the default in ~/.bashrc or ~/.profile. Keep in mind that these files only affect shells: a daemon or systemd service runs with its own umask (for systemd units, the UMask= directive), so a mask set here does not tighten files written by services.
As noted in the umask manual page entry above, we can use symbols to specify the permission values we want to set. To print the currently set umask value in symbolic form, we use the -S option:
[root@host ~]# umask -S
To change it, we use a command of the following form, in which the letters u, g, and o represent user, group, and other (world).
umask u=$,g=$,o=$
When setting permissions this way, we replace each $ placeholder with the permission symbols (r, w, x) we want to allow for that class. Note the direction: in symbolic form the letters name the permissions that remain permitted, and the mask is their complement, so u=rwx,g=rx,o=rx corresponds to an octal umask of 022. The equals sign is not the only operator at our disposal when setting umask with symbolic values; we can use the plus (+) and minus (-) operators as well.
The = operator permits exactly the listed permissions for the named class and masks out any permission that is not listed
The + operator additionally permits the listed permissions (clearing them from the mask) and leaves the others unchanged
The - operator revokes the listed permissions (adding them to the mask) and leaves the others unchanged
Using spaces after the commas won't work: the shell splits the argument at the space, and bash reports an "invalid symbolic mode operator" error.
There is an additional symbol for setting the same permissions for all three permission classes at once (user, group, and other), and that is a.
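The symbolic form is easy to get backwards, so here is an added example in Python (not code from the original article) that implements the rules just described: parse_symbolic_umask() takes a bash-style symbolic specification and the current octal mask and returns the new mask, and to_symbolic() renders a mask the way umask -S prints it. Treating a clause with no who letters as a is an assumption of this example; the sample specifications are constructed.

```python
import re

# One clause of a symbolic umask: optional who letters, an operator, permissions.
CLAUSE = re.compile(r"^([ugoa]*)([=+-])([rwx]*)$")
WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}


def parse_symbolic_umask(spec, current=0o022):
    """Return the octal mask that `umask SPEC` would set, starting from the
    mask `current`.  As in bash, the letters name permissions that remain
    permitted; the mask is their complement.  Clauses are comma-separated
    with no whitespace.  A clause with no who letters is treated as 'a'
    (an assumption of this example; check your shell's behaviour)."""
    permitted = ~current & 0o777
    for clause in spec.split(","):
        match = CLAUSE.match(clause)
        if not match:
            raise ValueError(f"invalid symbolic mode clause: {clause!r}")
        who, op, perms = match.groups()
        who_mask = 0
        for letter in who or "a":
            who_mask |= WHO_BITS[letter]
        perm_mask = 0
        for letter in perms:
            perm_mask |= PERM_BITS[letter]
        bits = who_mask & perm_mask
        if op == "=":      # exactly these permissions, nothing else, for the named classes
            permitted = (permitted & ~who_mask) | bits
        elif op == "+":    # additionally permit (clears bits from the mask)
            permitted |= bits
        else:              # '-': revoke (sets bits in the mask)
            permitted &= ~bits
    return ~permitted & 0o777


def to_symbolic(mask):
    """Render a mask the way `umask -S` does, e.g. 0o022 -> 'u=rwx,g=rx,o=rx'."""
    permitted = ~mask & 0o777
    parts = []
    for letter, shift in (("u", 6), ("g", 3), ("o", 0)):
        triple = (permitted >> shift) & 0o7
        perms = "".join(p for p, bit in (("r", 4), ("w", 2), ("x", 1)) if triple & bit)
        parts.append(f"{letter}={perms}")
    return ",".join(parts)


if __name__ == "__main__":
    # Constructed sample specifications, each applied to a current mask of 022.
    for spec in ("u=rwx,g=rx,o=rx", "u=rwx,g=,o=", "o-rwx", "g+w", "a=rwx"):
        mask = parse_symbolic_umask(spec)
        print(f"umask {spec:<18} -> {mask:03o} ({to_symbolic(mask)})")
```

The run makes the two pitfalls from the text concrete: u=rwx,g=,o= yields 077 (the empty lists are what mask group and other out), and a spec with a space after a comma, such as u=rwx, g=rx, is rejected as an invalid clause rather than silently applied.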
Now that we better understand the function of the user file-creation mode mask, we can put it to good use. Not only does it save us time and improve security, but it also gives us better control over the permissions of everything we create.
Samba is an open-source software package released under the GNU General Public License (GPL). It allows shared network drives and printers to be accessed across different operating systems using the SMB/CIFS protocol. Samba has both client and server components. Its SMB support is what lets a Windows computer access files on a Linux or UNIX file server. Samba can also act as a domain controller compatible with Microsoft Active Directory.
Setuid, setgid and the sticky bit are special Unix/Linux permission bits that go beyond the ordinary read, write and execute permissions. The ordinary bits determine which users can read, write or execute a file; the special bits change how a file or directory behaves. Setuid on an executable makes it run with the privileges of the file's owner rather than those of the user who launched it (this is how passwd, owned by root, can update /etc/shadow); setgid on an executable does the same for the file's group, and setgid on a directory makes new files created inside it inherit the directory's group. The sticky bit, by contrast, grants no privilege at all: on a directory such as /tmp it ensures that only a file's owner (or root) can delete or rename that file, even though the directory is world-writable. Because setuid and setgid executables let ordinary users run code with elevated privileges, they are a classic target for privilege escalation and should be kept to a minimum and audited regularly.
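Because these bits are easy to misread in ls output and easy to leave behind by accident, here is an added example in Python (not code from the original article): mode_to_symbolic() renders a mode the way ls -l does, including the s/S and t/T forms, describe_special() states what each bit does for a file versus a directory, and find_special_bits() walks a tree and reports every entry carrying one of the bits, which is the same audit find ROOT -perm /7000 performs. The sample tree built by build_sample_tree() is constructed for the example.

```python
import os
import stat
import tempfile

SPECIAL = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def mode_to_symbolic(st_mode):
    """Render the nine permission bits the way ls -l does, folding the special
    bits into the execute column: s/t mean the special bit is set together with
    execute, S/T mean it is set without execute, which is usually a mistake
    (a setuid bit on a non-executable file does nothing useful)."""
    perm = stat.S_IMODE(st_mode)
    out = []
    for shift, special, letter in ((6, stat.S_ISUID, "s"),
                                   (3, stat.S_ISGID, "s"),
                                   (0, stat.S_ISVTX, "t")):
        r = "r" if perm & (4 << shift) else "-"
        w = "w" if perm & (2 << shift) else "-"
        has_x = bool(perm & (1 << shift))
        if perm & special:
            x = letter if has_x else letter.upper()
        else:
            x = "x" if has_x else "-"
        out.append(r + w + x)
    return "".join(out)


def describe_special(st_mode):
    """Explain what each special bit does for this kind of object."""
    is_dir = stat.S_ISDIR(st_mode)
    notes = []
    if st_mode & stat.S_ISUID:
        notes.append("setuid: ignored on a directory" if is_dir
                     else "setuid: runs with the file owner's privileges")
    if st_mode & stat.S_ISGID:
        notes.append("setgid: new entries inherit this directory's group" if is_dir
                     else "setgid: runs with the file's group privileges")
    if st_mode & stat.S_ISVTX:
        notes.append("sticky: only an entry's owner (or root) may delete or rename it"
                     if is_dir else "sticky: ignored on a regular file (Linux)")
    return notes


def find_special_bits(root):
    """List every entry under root with setuid, setgid or the sticky bit set,
    as (relative path, ls-style permissions).  Symlinks are skipped because
    their own mode bits are meaningless."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode) or not st.st_mode & SPECIAL:
                continue
            found.append((os.path.relpath(path, root), mode_to_symbolic(st.st_mode)))
    return sorted(found)


def build_sample_tree():
    """Constructed sample tree: a setuid script, a world-writable sticky
    directory like /tmp, and an ordinary file that must not be reported."""
    root = tempfile.mkdtemp(prefix="specialbits-")
    suid = os.path.join(root, "suid_bin")
    with open(suid, "w") as f:
        f.write("#!/bin/sh\nid\n")
    os.chmod(suid, 0o4755)
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)
    plain = os.path.join(root, "notes.txt")
    with open(plain, "w") as f:
        f.write("plain file\n")
    os.chmod(plain, 0o644)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, sym in find_special_bits(root):
        st_mode = os.lstat(os.path.join(root, rel)).st_mode
        print(f"{sym} {rel}: " + "; ".join(describe_special(st_mode)))
```

Pointing find_special_bits() at a real root (for example /usr) gives the same inventory of setuid and setgid programs that a hardening review starts from; anything reported with an uppercase S is a bit set on a file that cannot even be executed, and is worth removing outright.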
In this article, we outline security best practices for 2020 and beyond. Because security is such a challenging subject for many, it often goes unheeded, and as a result many organizations are caught unaware when an issue arises. By following these best practices, you can significantly lower your risk of being compromised by a malicious actor.
When using phpMyAdmin, it is essential that the database user have the permissions needed to make edits and writes to the database. Insufficient permissions lead to errors such as "#1044 – Access denied for user …[using password: YES]" and "#1045 – Access denied for user…[using password: YES]". The two are not the same problem: #1044 means the user authenticated but has no privileges on the database in question, whereas #1045 means the username and password combination itself was rejected. In this tutorial, we show you how to correct these issues from the command line.
When investigating site infections or defacements on a Windows VPS server, the most common root cause is poor file security or poor configuration choices about how IIS should access file content. The easiest way to prevent this is to start with a securely configured site.
Setting up a website in IIS is exceedingly easy, but several of the default settings are not optimal for security or ease of management. Further, some practices that used to be considered necessary or standard are no longer necessary, or never were. As such, we recommend that you follow these steps when setting up a website to ensure that it is configured correctly and securely. While some of these setting or permission changes may seem nitpicky, they go a long way on systems that host multiple domains or multiple tenants, because they prevent cross-site file access.
Add the Site to IIS
To add a website in IIS (Internet Information Services), open the IIS Manager, right-click on Sites, and select Add Website. When adding a site to IIS, we typically recommend using the domain name as the "Site name" for easy identification. Next, under "Physical path", supply the path to your website content, or use the "…" button to browse to and select the folder. The options under "Connect as…" and "Test Settings…" do not need to be modified.
When it comes to configuring site bindings, popular belief suggests that you should select a specific IP from the "IP address" dropdown; however, that is based on out-of-date practice from the time when each SSL certificate required its own dedicated IP address (before Server Name Indication, SNI). This is no longer necessary, and it can actually cause issues once you move to a replicated or highly available configuration, so it is best to leave the IP address set to All Unassigned and type the domain name you plan to host in the "Host name" field. Note that you can only supply one value here; additional host names can be added after creating the site by right-clicking on the site and going to Bindings. Depending on your needs, you may opt to select "https" instead of "http". To host a site with an SSL certificate, please see our article on the subject after setting up the site.
Set the Anonymous User
Technically, that is all you need to do to set up a site in IIS; however, the site may or may not work yet, and its security settings are not optimal. The next step in securing your site is to configure the IIS user that will access your files. To do this, you will change the associated anonymous user and make a few security changes on the website's content folder.
In IIS, select your new site on the left, double-click Authentication in the main window, select Anonymous Authentication, and then click "Edit…" in the right-hand Actions pane.
What is IUSR in IIS?
By default, a new site in IIS uses the IUSR account to access files. IUSR is a built-in account that every site on the server shares unless you change it, so any file readable by IUSR is readable by every site that still uses it.
It may be acceptable to leave this configured if you only plan on hosting one domain; however, when hosting multiple domains it is not secure, because any site using the same account could read files belonging to another site. As a standard practice, we therefore recommend switching away from the IUSR account and instead selecting "Application pool identity", then clicking OK. Alternatively, you could manually create a user on the system for each site; however, you would then need to manage credentials for an additional user, configure permissions for two users (the anonymous user and the application pool user), and possibly run into complications with the password complexity and rotation requirements of your server or organization.
There is nothing further you need to configure in IIS in terms of security; however, for reference, let’s take a look at the application pool settings really quick. To check the settings on the application pool, in IIS, select Application Pools on the left menu, select the application pool for the site you created (typically the same name as the name of the site), and then click “Advanced Settings…” on the right action bar.
In here, the relevant setting is Identity, which by default is "ApplicationPoolIdentity". This means that, to access file content, IIS and the associated application pool use a virtual account derived from the name of the application pool. This account has no password, can only be used by IIS, and only has access to files specifically granted to it. As such, it removes the need to manage system users and credentials.
Set Folder Permissions in IIS
Now, as mentioned, the “ApplicationPoolIdentity” user has very few permissions, so the next and last step is to ensure that the website files have proper security settings set on them. Browse through your file system and find the folder where you plan on hosting your site’s files. Right-click on the folder and go to properties. In the properties interface, select the Security tab.
By default, there are a number of security permissions set up on the folder that are unnecessary and potentially insecure (there may be more than shown here). To best secure a site, we recommend removing all but the “SYSTEM” and “Administrators” groups and adding the “ApplicationPoolIdentity” user (and possibly any other user you may require, such as an FTP user); however, to do this, you will need to disable inheritance. To do this, click on “Advanced”, then click on “Disable inheritance”.
Here you will get a popup asking whether you want to convert the inherited permissions into explicit ones or remove them all. Either option can work; however, it is easier to convert the current settings and then remove the unnecessary entries. So select "Convert inherited permissions into explicit permissions on this object" and then click OK.
At this point, to remove the unnecessary permissions, click Edit and remove everything other than the "SYSTEM" and "Administrators" groups. Next, you need to add the application pool identity to this folder. To do this, click "Add…". Depending on your server configuration, you may get a popup asking you to authenticate to an Active Directory domain. Simply click Cancel a few times until you get the Select Users or Groups screen shown below.
On this screen, you will want to make sure that the “Location” selected is your computer. If it is not, click “Locations…” and select your computer (should be at the top; you may also need to click cancel on some authentication windows here as well).
The “ApplicationPoolIdentity” user is a hidden user, so it is not possible to search for this user. As such, you will have to type the username to add it. The username you will need to type is “IIS AppPool\<applicationpoolname>“. Please see the following example and fill yours out accordingly:
Once you type the user name, click OK. Now that you’ve added the user, which is by default only granted read permissions, you will want to verify your security settings look similar to the following image, and then click OK.
And with that, you're done: the site is ready to serve visitors while its content folder is readable only by its own application pool identity (plus SYSTEM and Administrators), so a compromise of one site on the server cannot read or overwrite another site's files. Keep in mind that file permissions are only one layer; a vulnerability in the application itself can still be exploited within the permissions you granted.
Securing with PowerShell
As a bonus, if you're looking to get your feet wet with some PowerShell, the steps covered in this article can also be performed on Windows Server 2012 or newer through PowerShell. Simply fill in the first two variables with your domain name and the path to your content, then run the remaining PowerShell commands to create the site in IIS and configure the folder permissions.
Additional Notes: In some cases, sites may need additional Write or Modify permissions on specific files or folders for file uploads, cache files, or other content. It is important that you do not grant these permissions on the entire site; instead, grant them only on the specific directories or files that need them. To apply these settings, go to the file or folder in question, right-click on it, and select Properties. Switch to the Security tab and click Edit. Select the user with the name of the website (liquidweb.com in my example above), tick Modify under the Allow column, and then click OK. This gives the application pool identity, and therefore IIS, the ability to write to or modify those files or folders.