LFCS Phase 1 Part 20: Understanding Write Permissions and Access Control

You've just started working with Linux and tried to create a file in /root, only to see "Permission denied" flash across your screen. Frustrated, you wonder: Why can't I write here? Where AM I allowed to write? Understanding file access and write permissions is one of the most fundamental skills in Linux system administration—and absolutely critical for the LFCS certification.

💡

🎯 What You'll Learn:

Where regular users can and cannot write files in Linux
Understanding the /tmp directory for temporary files
Your personal /home/username workspace
Using touch to test write access anywhere on the system
Decoding "Permission denied" errors
Why critical directories like /root, /etc, and /var/log are protected
Security implications of file access control
Testing and verifying write permissions effectively

Series: LFCS Certification - Phase 1 (Post 20 of 52) Previous Post: Understanding /var and /etc Explained Next Post: Using Wildcards for Efficient File Management

Understanding Linux File Access Control

Before we dive into where you can write files, let's understand the fundamental concept: Linux is a multi-user operating system built on security and access control. Not everyone can write files everywhere—and that's a good thing!

The Multi-User Security Model

Imagine an apartment building where every tenant has:

Their own apartment (home directory) where they can do anything
Shared common areas (like /tmp) where everyone can temporarily place items
Restricted areas (like the maintenance room or manager's office) where only authorized personnel can enter

Linux works exactly like this:

Linux File Access Zones

✅ Your Personal Space

/home/username - Full control, create/delete/modify anything

🔄 Shared Temporary Space

/tmp - Everyone can write, but files don't persist across reboots

👁️ Read-Only for Regular Users

/etc, /usr, /bin, /boot - You can read and execute, but not modify

🚫 Completely Restricted

/root, /var/log (some files) - Cannot read, write, or access without sudo

Where Regular Users CAN Write Files

Let's explore the areas where you, as a regular user, have write permissions.

1. Your Home Directory: /home/username

Your home directory is your personal workspace. Here, you have complete control.

# Check your home directory
whoami
# Output: centos9

pwd
# Output: /home/centos9

# You can create files and directories freely
touch myfile.txt
mkdir myproject
echo "Hello World" > test.txt
ls -l

Example output:

-rw-r--r--. 1 centos9 centos9    0 Dec  7 10:00 myfile.txt
drwxr-xr-x. 2 centos9 centos9    6 Dec  7 10:00 myproject
-rw-r--r--. 1 centos9 centos9   12 Dec  7 10:00 test.txt

Notice that:

You own these files (owner: centos9)
You created them without needing sudo
You can modify or delete them anytime

2. The /tmp Directory: Temporary File Playground

The /tmp directory is a shared space for temporary files accessible to all users.

# Navigate to /tmp
cd /tmp

# Create a temporary file
touch mytemp.txt
echo "Temporary data" > mytemp.txt

# List the file
ls -l mytemp.txt
# Output: -rw-r--r--. 1 centos9 centos9 15 Dec  7 10:05 mytemp.txt

⚠️

Important: Files in /tmp are typically deleted on system reboot or after a certain period. Never store important data here!

Why /tmp Exists

The /tmp directory serves several purposes:

Application temporary files: Programs create temporary working files here
Installation scripts: Software installers often use /tmp during installation
User experiments: Safe place to test commands without affecting your home directory
Cross-user sharing: Users can create files here for temporary sharing (with proper permissions)

# Example: Creating a temporary directory for a project
mkdir /tmp/myproject
cd /tmp/myproject
touch file1.txt file2.txt file3.txt

ls -la
# You can work freely here without cluttering your home directory

3. Other Writable Locations

While less common, there are a few other places where regular users might have write access:

# /var/tmp - Like /tmp but survives reboots
ls -ld /var/tmp
# Output: drwxrwxrwt. 8 root root 172 Dec  6 15:30 /var/tmp

# You can write here too
touch /var/tmp/test.txt
ls -l /var/tmp/test.txt

Key difference between /tmp and /var/tmp:

Directory	Persistence	Typical Use	Cleanup
`/tmp`	Cleared on reboot	Very short-term storage	Automatic (on boot)
`/var/tmp`	Survives reboots	Longer-term temporary storage	Manual or scheduled

Where Regular Users CANNOT Write Files

Understanding where you cannot write is just as important as knowing where you can.

1. The Root User's Home: /root

# Try to access /root
cd /root
# Output: bash: cd: /root: Permission denied

# Try to list /root
ls /root
# Output: ls: cannot open directory '/root': Permission denied

# Try to create a file in /root
touch /root/test.txt
# Output: touch: cannot touch '/root/test.txt': Permission denied

Why is /root protected?

The /root directory is the home directory of the root user (the system administrator). It contains:

Root's personal configuration files
Administrative scripts
Sensitive system information
SSH keys and credentials

Analogy: Think of /root as the CEO's private office. Regular employees (users) don't have access—only the CEO (root) does.

# You need sudo to access /root
sudo ls /root
# Output: anaconda-ks.cfg

# This works because sudo runs the command AS root

2. System Configuration: /etc

# You can READ /etc files
cat /etc/hostname
# Output: centos

# But you CANNOT modify them directly
echo "newhostname" > /etc/hostname
# Output: bash: /etc/hostname: Permission denied

# You need sudo to modify system configuration
sudo bash -c "echo newhostname > /etc/hostname"
# This works (but be careful!)

Why is /etc protected?

The /etc directory contains critical system configuration files:

/etc/passwd - User account information
/etc/shadow - Password hashes
/etc/fstab - Filesystem mount configuration
/etc/hostname - System hostname
/etc/hosts - Hostname to IP mappings

If regular users could modify these files, they could:

Create unauthorized admin accounts
Change system behavior
Break system boot process
Compromise security

3. System Logs: /var/log

# Check /var/log permissions
ls -ld /var/log
# Output: drwxr-xr-x. 10 root root 4096 Dec  7 09:00 /var/log

# You can READ some logs
cat /var/log/messages
# Output: cat: /var/log/messages: Permission denied
# (This particular file requires root)

# Try to create a file
touch /var/log/mylog.txt
# Output: touch: cannot touch '/var/log/mylog.txt': Permission denied

Why is /var/log protected?

System logs contain sensitive information:

Authentication attempts (successful and failed logins)
System errors and warnings
Security events
Application behavior

If users could modify logs:

They could hide their tracks after unauthorized access
Delete evidence of security breaches
Corrupt troubleshooting information

# View logs with sudo
sudo tail /var/log/messages
# This shows the last 10 lines of system messages

# Or use journalctl (doesn't require sudo for some info)
journalctl -n 20
# Shows last 20 journal entries

4. System Binaries: /bin, /usr/bin, /sbin, /usr/sbin

# Check permissions on /bin
ls -ld /bin
# Output: lrwxrwxrwx. 1 root root 7 Jul 20 15:17 /bin -> usr/bin

ls -ld /usr/bin
# Output: dr-xr-xr-x. 2 root root 73728 Nov  5 12:00 /usr/bin

# Try to create a file there
touch /usr/bin/myscript
# Output: touch: cannot touch '/usr/bin/myscript': Permission denied

# Try to delete a system command
rm /usr/bin/ls
# Output: rm: cannot remove '/usr/bin/ls': Permission denied

Why are binary directories protected?

These directories contain system commands and programs:

If users could modify them, they could replace ls with a malicious version
Delete critical system tools
Install trojans or backdoors
Break the entire system

5. Boot Files: /boot

# Check /boot
ls -ld /boot
# Output: dr-xr-xr-x. 5 root root 4096 Nov  3 10:20 /boot

# Try to modify kernel files
touch /boot/test.txt
# Output: touch: cannot touch '/boot/test.txt': Permission denied

The /boot directory contains:

Linux kernel files
Initial ramdisk images
Bootloader configuration

Modifying these files incorrectly = unbootable system!

Testing Write Access with the touch Command

The touch command is your best friend for testing write access anywhere on the system.

Basic touch Usage

# Syntax: touch filename
touch testfile.txt

# This does TWO things:
# 1. If file doesn't exist → creates an empty file
# 2. If file exists → updates its timestamp

Using touch as a Write Permission Test

# Test if you can write in your home directory
cd ~
touch test1.txt
# If successful: no output (file created)
# If failed: "Permission denied" error

Example: Testing various directories

# Test /tmp (should succeed)
touch /tmp/test.txt
echo $?
# Output: 0 (success)

# Test /root (should fail)
touch /root/test.txt
# Output: touch: cannot touch '/root/test.txt': Permission denied
echo $?
# Output: 1 (failure)

# Test /etc (should fail)
touch /etc/test.txt
# Output: touch: cannot touch '/etc/test.txt': Permission denied
echo $?
# Output: 1 (failure)

# Test /var/log (should fail)
touch /var/log/test.txt
# Output: touch: cannot touch '/var/log/test.txt': Permission denied
echo $?
# Output: 1 (failure)

💡

Pro Tip: The $? variable contains the exit status of the last command:

0 = Success
1 (or any non-zero) = Failure

This is useful in scripts for checking if operations succeeded!

Systematic Write Access Testing

Here's a practical script to test write access across the filesystem:

#!/bin/bash

echo "Testing write access across filesystem..."
echo

# Define directories to test
dirs=(
    "$HOME"
    "/tmp"
    "/var/tmp"
    "/root"
    "/etc"
    "/var/log"
    "/usr/bin"
    "/boot"
)

# Test each directory
for dir in "${dirs[@]}"; do
    testfile="$dir/write_test_$$"

    if touch "$testfile" 2>/dev/null; then
        echo "✅ WRITE: $dir"
        rm -f "$testfile"
    else
        echo "❌ NO WRITE: $dir"
    fi
done

Run the script:

chmod +x test_write_access.sh
./test_write_access.sh

Expected output:

Testing write access across filesystem...

✅ WRITE: /home/centos9
✅ WRITE: /tmp
✅ WRITE: /var/tmp
❌ NO WRITE: /root
❌ NO WRITE: /etc
❌ NO WRITE: /var/log
❌ NO WRITE: /usr/bin
❌ NO WRITE: /boot

Understanding "Permission Denied" Errors

Let's decode what "Permission denied" really means.

Anatomy of a Permission Error

touch /root/testfile
# Output: touch: cannot touch '/root/testfile': Permission denied

Let's break this down:

touch: cannot touch '/root/testfile': Permission denied

touch - The command you ran

cannot touch - What failed (creating/updating file)

'/root/testfile' - The target file path

Permission denied - Why it failed (insufficient permissions)

Common Permission Denied Scenarios

Scenario 1: Cannot Read Directory

ls /root
# Output: ls: cannot open directory '/root': Permission denied

Meaning: You don't have execute permission on the /root directory. In Linux, you need execute (x) permission on a directory to "enter" it and list its contents.

Scenario 2: Cannot Create File

mkdir /data/myproject
# Output: mkdir: cannot create directory '/data/myproject': Permission denied

Meaning: You don't have write permission on the /data directory (or it doesn't exist, and you can't create /data itself).

Solution:

# Option 1: Use sudo
sudo mkdir -p /data/myproject

# Option 2: Create it in a writable location
mkdir ~/myproject
# or
mkdir /tmp/myproject

Scenario 3: Cannot Read File

cat /etc/shadow
# Output: cat: /etc/shadow: Permission denied

Meaning: The /etc/shadow file has restricted read permissions. Only root can read password hashes.

# Check the permissions
ls -l /etc/shadow
# Output: ----------. 1 root root 1234 Dec  6 10:00 /etc/shadow
#         ^^^^^^^^^
#         No permissions for anyone except root (owner)

# Read with sudo
sudo cat /etc/shadow
# This works (but be careful with sensitive files!)

Scenario 4: Cannot Modify File

echo "test" >> /etc/hostname
# Output: bash: /etc/hostname: Permission denied

Meaning: You don't have write permission on /etc/hostname.

# Check permissions
ls -l /etc/hostname
# Output: -rw-r--r--. 1 root root 8 Nov  3 10:00 /etc/hostname
#                        ^  ^
#                        |  |
#                        |  +-- Others (you): read only
#                        +----- Group: read only
#         Owner (root): read + write

# Modify with sudo
sudo bash -c "echo newhostname > /etc/hostname"

The Permission Hierarchy

Understanding the permission check order helps debug "Permission denied" errors:

Linux Permission Check Order

Are you the owner?

Use owner permissions (first 3 characters: rwx)

↓

Are you in the group?

Use group permissions (middle 3 characters: rwx)

↓

You're "others"

Use other permissions (last 3 characters: rwx)

Example:

ls -l /etc/hostname
# Output: -rw-r--r--. 1 root root 8 Nov  3 10:00 /etc/hostname
#         -rw-r--r--
#          ^^^ ^^^ ^^^
#          ||| ||| |||
#          ||| ||| +++-- Others: read only (r--)
#          ||| +++------ Group (root): read only (r--)
#          +++---------- Owner (root): read + write (rw-)

# You (centos9) are not:
# - The owner (root)
# - In the group (root)
# Therefore: You get "others" permissions = read only
# Result: Permission denied for write operations

Why This Access Control Matters

Understanding write permissions isn't just academic—it's critical for:

1. System Security

Scenario: An attacker gains access to your user account.

Without proper access control:

They could modify /etc/passwd and create admin accounts
Change /etc/sudoers to grant themselves sudo access
Replace system binaries with trojans
Corrupt logs to hide their activity

With proper access control:

Attacker is limited to your home directory
Cannot modify system files
Cannot escalate privileges (without exploiting a vulnerability)
All system-level actions require sudo (which requires your password)

2. System Stability

Scenario: You're experimenting with a new script.

Without access control:

Accidental rm -rf /etc could delete all system configuration
Buggy script could corrupt /boot and make system unbootable
Typo in path could delete critical binaries

With access control:

Scripts run in your home directory or /tmp by default
System files are protected from accidental deletion
Explicit sudo required for dangerous operations (gives you a chance to reconsider)

3. Multi-User Systems

Scenario: Multiple developers working on a shared server.

Without access control:

User A could delete User B's files
Anyone could read anyone else's SSH keys
No privacy or data protection

With access control:

Each user confined to their own /home/username
Private files stay private
Shared resources (like /tmp) available when needed

4. LFCS Exam Success

For the LFCS certification, understanding file access is essential because:

Permission troubleshooting: "Why can't this application write to /var/log?"
Proper file creation: Knowing where to create files for different purposes
Security best practices: Understanding when sudo is necessary vs. when it's dangerous
Service configuration: Many services require specific permissions to function
User management: Setting up users with appropriate access

Practical Examples and Use Cases

Example 1: Creating a Temporary Working Directory

Task: You need to extract a large archive for testing.

# DON'T do this in your home directory (clutter)
cd ~
tar -xzf bigarchive.tar.gz  # Messy!

# DO this in /tmp (automatically cleaned up)
cd /tmp
mkdir myproject
cd myproject
tar -xzf ~/bigarchive.tar.gz
# Work with files...
# After reboot, everything is cleaned up automatically!

Example 2: Testing a Script Before System-Wide Installation

Task: You wrote a backup script and want to test it.

# Step 1: Test in your home directory
cd ~
cat > backup.sh << 'EOF'
#!/bin/bash
echo "Running backup..."
tar -czf backup.tar.gz Documents/
echo "Backup complete!"
EOF

chmod +x backup.sh
./backup.sh
# Output: Backup complete!

# Step 2: After testing, install system-wide (requires sudo)
sudo cp backup.sh /usr/local/bin/backup
sudo chmod +x /usr/local/bin/backup

# Now all users can run: backup

Example 3: Debugging "Permission Denied" in Application Logs

Task: An application is failing with permission errors.

# Check application error
cat /var/log/myapp/error.log
# Output: [ERROR] Cannot write to /etc/myapp/config.ini: Permission denied

# Diagnose: Check permissions
ls -l /etc/myapp/config.ini
# Output: -rw-r--r--. 1 root root 256 Dec  5 10:00 /etc/myapp/config.ini

# Problem: Application runs as 'myapp' user, but config is owned by root
# Solution: Change ownership or permissions
sudo chown myapp:myapp /etc/myapp/config.ini
# or
sudo chmod 666 /etc/myapp/config.ini  # Less secure, but fixes the issue

Example 4: Safely Experimenting with System Files

Task: You want to test modifying /etc/hosts without breaking the original.

# DON'T modify the system file directly!
# sudo nano /etc/hosts  # Risky!

# DO this: Copy to your home directory for testing
cp /etc/hosts ~/hosts.test

# Experiment freely
nano ~/hosts.test
# Add entries, test syntax, etc.

# When ready, apply to system
sudo cp ~/hosts.test /etc/hosts

# Or, make a backup first
sudo cp /etc/hosts /etc/hosts.backup
sudo cp ~/hosts.test /etc/hosts

# If something breaks:
sudo cp /etc/hosts.backup /etc/hosts

Quick Reference: Write Permission Zones

Directory	User Write?	Purpose	Persistence	Typical Use
`/home/username`	✅ Yes	Personal workspace	Permanent	Documents, projects, configs
`/tmp`	✅ Yes	Temporary files	Cleared on reboot	Testing, temp extraction
`/var/tmp`	✅ Yes	Temp (persistent)	Survives reboot	Longer-term temp storage
`/root`	❌ No	Root's home	Permanent	Admin files (sudo needed)
`/etc`	❌ No	System config	Permanent	Config files (sudo to edit)
`/var/log`	❌ No	System logs	Permanent	Log viewing (sudo to view)
`/usr/bin`	❌ No	System binaries	Permanent	System commands (read/execute)
`/boot`	❌ No	Boot files	Permanent	Kernel, bootloader (read only)

🧪 Practice Labs

Time to practice testing and understanding write permissions! These labs progress from basic exploration to advanced troubleshooting scenarios.

Lab 1: Explore Your Home Directory Write Access (Beginner)

Task: Verify that you have full write access in your home directory.

Steps:

Navigate to your home directory
Create three test files using different methods
Create a test directory
Verify all operations succeeded

Show Solution

Solution:

# Navigate home
cd ~
pwd
# Output: /home/centos9

# Method 1: touch command
touch testfile1.txt

# Method 2: echo redirect
echo "Test content" > testfile2.txt

# Method 3: Using cat with heredoc
cat > testfile3.txt << EOF
Line 1
Line 2
EOF

# Create directory
mkdir testdir

# Verify all created successfully
ls -la
# Look for: testfile1.txt, testfile2.txt, testfile3.txt, testdir/

# Check you own them
ls -l testfile1.txt
# Output shows your username as owner and group

# Cleanup
rm testfile*.txt
rmdir testdir

Key Learning: In your home directory, you have complete control—create, modify, delete anything!

Lab 2: Test /tmp Directory Access (Beginner)

Task: Create temporary files in /tmp and understand their characteristics.

Steps:

Create a file in /tmp
Check its permissions and ownership
Verify other users can't modify your file
Create a test directory in /tmp

Show Solution

Solution:

# Create file in /tmp
touch /tmp/mytest.txt
echo "Temporary data" > /tmp/mytest.txt

# Check permissions
ls -l /tmp/mytest.txt
# Output: -rw-r--r--. 1 centos9 centos9 15 Dec  7 10:30 /tmp/mytest.txt
# Notice: You own it, even though it's in a shared directory

# Check /tmp directory itself
ls -ld /tmp
# Output: drwxrwxrwt. 15 root root 4096 Dec  7 10:30 /tmp
#                    ^
#                    't' = sticky bit (important!)

# The sticky bit means: Only owner can delete their own files
# Even though everyone can write to /tmp, they can't delete YOUR files

# Create directory
mkdir /tmp/myproject
ls -ld /tmp/myproject
# Output: drwxr-xr-x. 2 centos9 centos9 6 Dec  7 10:32 /tmp/myproject

# Cleanup
rm /tmp/mytest.txt
rmdir /tmp/myproject

Key Learning: /tmp is shared but protected—everyone can create files, but can only modify/delete their own!

Lab 3: Test Write Access to Protected Directories (Beginner)

Task: Systematically test which directories deny write access.

Steps:

Try to create files in /root, /etc, /var/log, and /boot
Document the error messages
Understand why each directory is protected

Show Solution

Solution:

# Test /root
touch /root/test.txt
# Output: touch: cannot touch '/root/test.txt': Permission denied

# Test /etc
touch /etc/test.txt
# Output: touch: cannot touch '/etc/test.txt': Permission denied

# Test /var/log
touch /var/log/test.txt
# Output: touch: cannot touch '/var/log/test.txt': Permission denied

# Test /boot
touch /boot/test.txt
# Output: touch: cannot touch '/boot/test.txt': Permission denied

# Test /usr/bin
touch /usr/bin/test.txt
# Output: touch: cannot touch '/usr/bin/test.txt': Permission denied

# Why are these protected?
ls -ld /root /etc /var/log /boot /usr/bin

# Output analysis:
# /root: drwx------. (only root has any access)
# /etc: drwxr-xr-x. (root owns, others can only read)
# /var/log: drwxr-xr-x. (root owns, others can only read)
# /boot: dr-xr-xr-x. (read-only even for root on some systems)
# /usr/bin: dr-xr-xr-x. (read and execute only)

Key Learning: System directories are protected to prevent accidental or malicious modification!

Lab 4: Use sudo to Write to Protected Directories (Intermediate)

Task: Learn how to properly write to system directories using sudo.

Steps:

Attempt to create a file in /etc without sudo
Successfully create it with sudo
Verify ownership of the created file
Clean up responsibly

Show Solution

Solution:

# Attempt without sudo (will fail)
touch /etc/test.conf
# Output: touch: cannot touch '/etc/test.conf': Permission denied

# Attempt with sudo (will succeed)
sudo touch /etc/test.conf

# Verify it was created
ls -l /etc/test.conf
# Output: -rw-r--r--. 1 root root 0 Dec  7 10:40 /etc/test.conf
# Notice: Owner is 'root' not your username!

# When you use sudo, the file is created AS root

# Add content with sudo
sudo bash -c "echo 'test configuration' > /etc/test.conf"

# View it (no sudo needed for reading)
cat /etc/test.conf
# Output: test configuration

# IMPORTANT: Clean up after yourself!
sudo rm /etc/test.conf

# Verify deletion
ls -l /etc/test.conf
# Output: ls: cannot access '/etc/test.conf': No such file or directory

Key Learning: sudo runs commands as root, so created files are owned by root!

Lab 5: Understand Permission Denied vs. File Not Found (Intermediate)

Task: Learn to distinguish between different types of errors.

Steps:

Try to access a file that doesn't exist
Try to access a file that exists but you can't read
Try to write to a directory that doesn't exist
Try to write to a directory that exists but is protected

Show Solution

Solution:

# Error 1: File doesn't exist
cat /home/centos9/nonexistent.txt
# Output: cat: /home/centos9/nonexistent.txt: No such file or directory

# Error 2: File exists but can't read
cat /etc/shadow
# Output: cat: /etc/shadow: Permission denied

ls -l /etc/shadow
# Output: ----------. 1 root root 1234 Dec  6 10:00 /etc/shadow
# No read permissions for anyone except root!

# Error 3: Directory doesn't exist
touch /nonexistent/test.txt
# Output: touch: cannot touch '/nonexistent/test.txt': No such file or directory
# (Can't create file in directory that doesn't exist)

# Error 4: Directory exists but is protected
touch /root/test.txt
# Output: touch: cannot touch '/root/test.txt': Permission denied

# Compare error messages:
# "No such file or directory" = doesn't exist
# "Permission denied" = exists but you lack permission

# This distinction is CRITICAL for troubleshooting!

Key Learning: Different error messages mean different things—learn to recognize them!

Lab 6: Test Write Access Using Exit Codes (Intermediate)

Task: Write a script that uses exit codes to test write access programmatically.

Steps:

Create a script that tests write access
Use $? to check success/failure
Build a conditional test

Show Solution

Solution:

# Create the script
cat > ~/test_write.sh << 'EOF'
#!/bin/bash

# Function to test write access
test_write() {
    local dir=$1
    local testfile="$dir/write_test_$$"

    if touch "$testfile" 2>/dev/null; then
        echo "✅ CAN WRITE: $dir"
        rm -f "$testfile"
        return 0
    else
        echo "❌ CANNOT WRITE: $dir"
        return 1
    fi
}

# Test various directories
echo "=== Testing Write Access ==="
test_write "$HOME"
test_write "/tmp"
test_write "/root"
test_write "/etc"

# Alternative: Using $? directly
echo
echo "=== Using Exit Code Checks ==="

touch /tmp/test.txt 2>/dev/null
if [ $? -eq 0 ]; then
    echo "/tmp is writable"
    rm -f /tmp/test.txt
else
    echo "/tmp is not writable"
fi

touch /root/test.txt 2>/dev/null
if [ $? -eq 0 ]; then
    echo "/root is writable"
    rm -f /root/test.txt
else
    echo "/root is not writable"
fi
EOF

# Make executable
chmod +x ~/test_write.sh

# Run it
./~/test_write.sh

Key Learning: Exit codes ($?) allow scripts to programmatically check operation success!

Lab 7: Explore /var/tmp vs /tmp Differences (Intermediate)

Task: Understand the persistence difference between /tmp and /var/tmp.

Steps:

Create test files in both locations
Check their permissions
Note the difference in cleanup policies

Show Solution

Solution:

# Create file in /tmp
touch /tmp/test_tmp.txt
echo "Created: $(date)" > /tmp/test_tmp.txt
ls -l /tmp/test_tmp.txt

# Create file in /var/tmp
touch /var/tmp/test_vartmp.txt
echo "Created: $(date)" > /var/tmp/test_vartmp.txt
ls -l /var/tmp/test_vartmp.txt

# Compare directory permissions
ls -ld /tmp /var/tmp
# Both have sticky bit (t) and are world-writable

# Key differences:
echo "=== /tmp vs /var/tmp ==="
echo "/tmp:"
echo "  - Cleared on reboot"
echo "  - Use for very temporary files (seconds to hours)"
echo "  - Example: extraction of archives, compilation temp files"
echo
echo "/var/tmp:"
echo "  - Survives reboots"
echo "  - Use for temporary files that might be needed across reboots"
echo "  - Example: large downloads, package manager temp files"

# Practical example: Check what's actually in each
echo
echo "Files in /tmp:"
ls -lt /tmp | head -10

echo
echo "Files in /var/tmp:"
ls -lt /var/tmp | head -10

# Cleanup
rm /tmp/test_tmp.txt /var/tmp/test_vartmp.txt

Key Learning: /tmp vs /var/tmp differs in persistence, not permissions!

Lab 8: Create a Safe Testing Environment (Intermediate)

Task: Set up a personal testing directory structure that mimics system directories.

Steps:

Create a test directory in your home
Create subdirectories that mirror system layout
Practice operations safely

Show Solution

Solution:

# Create test environment
mkdir -p ~/test_system/{etc,var/log,usr/bin,tmp,root}

# Verify structure
tree ~/test_system
# or use: find ~/test_system -type d

# Now you can safely practice:

# 1. Practice creating config files
touch ~/test_system/etc/myapp.conf
echo "setting=value" > ~/test_system/etc/myapp.conf

# 2. Practice log management
echo "[INFO] Application started" > ~/test_system/var/log/app.log
echo "[ERROR] Connection failed" >> ~/test_system/var/log/app.log

# 3. Practice script installation
cat > ~/test_system/usr/bin/myscript << 'EOF'
#!/bin/bash
echo "This is my script"
EOF
chmod +x ~/test_system/usr/bin/myscript

# 4. Test without risking real system
rm ~/test_system/etc/myapp.conf
# No risk! It's just your test environment

# This is MUCH safer than experimenting on real /etc or /var!

# When you're confident, apply to real system:
# sudo cp ~/test_system/etc/myapp.conf /etc/
# sudo cp ~/test_system/usr/bin/myscript /usr/local/bin/

Key Learning: Create safe test environments to practice before modifying real system directories!

Lab 9: Diagnose Application Permission Problems (Advanced)

Task: Troubleshoot why a script fails with permission errors.

Steps:

Create a script that tries to write to various locations
Run it and analyze failures
Fix the script to work properly

Show Solution

Solution:

# Create a problematic script
cat > ~/buggy_backup.sh << 'EOF'
#!/bin/bash

# Buggy backup script
LOG_DIR="/var/log/myapp"
BACKUP_DIR="/backup"
CONFIG_FILE="/etc/myapp.conf"

# Try to create log
echo "Starting backup..." > $LOG_DIR/backup.log

# Try to create backup directory
mkdir -p $BACKUP_DIR

# Try to read config
cat $CONFIG_FILE

echo "Backup complete"
EOF

chmod +x ~/buggy_backup.sh

# Run it (will fail)
./~/buggy_backup.sh
# Output: Multiple permission denied errors

# Analyze the problems:
echo "=== Problem Analysis ==="

# Problem 1: Can't write to /var/log
ls -ld /var/log
# Output: drwxr-xr-x. root root (not writable by regular user)

# Problem 2: Can't create /backup
ls -ld /backup 2>/dev/null || echo "/backup doesn't exist, can't create in /"

# Problem 3: Config file doesn't exist
ls -l /etc/myapp.conf
# Output: No such file or directory

# Create FIXED version
cat > ~/fixed_backup.sh << 'EOF'
#!/bin/bash

# Fixed backup script
LOG_DIR="$HOME/myapp_logs"      # Use home directory instead
BACKUP_DIR="$HOME/backups"      # Use home directory instead
CONFIG_FILE="$HOME/.myapp.conf" # Use home directory instead

# Create directories if they don't exist
mkdir -p $LOG_DIR
mkdir -p $BACKUP_DIR

# Create log
echo "Starting backup at $(date)" > $LOG_DIR/backup.log

# Create/read config
if [ ! -f $CONFIG_FILE ]; then
    echo "backup_source=$HOME/Documents" > $CONFIG_FILE
fi

cat $CONFIG_FILE

echo "Backup complete" | tee -a $LOG_DIR/backup.log
EOF

chmod +x ~/fixed_backup.sh

# Run fixed version
./~/fixed_backup.sh
# Output: Success!

# Verify
ls -la ~/myapp_logs ~/backups
cat ~/myapp_logs/backup.log

Key Learning: Applications should use writable directories or request elevated permissions!

Lab 10: Create Files with Specific Ownership (Advanced)

Task: Understand how file ownership is determined when using sudo.

Steps:

Create files with and without sudo
Compare ownership
Learn to change ownership if needed

Show Solution

Solution:

# Create file as regular user
touch ~/userfile.txt
ls -l ~/userfile.txt
# Output: -rw-r--r--. 1 centos9 centos9 0 Dec  7 11:00 userfile.txt
# Owner: centos9, Group: centos9

# Create file with sudo
sudo touch ~/rootfile.txt
ls -l ~/rootfile.txt
# Output: -rw-r--r--. 1 root root 0 Dec  7 11:01 rootfile.txt
# Owner: root, Group: root (even though it's in YOUR home!)

# Problem: You can't modify root-owned file
echo "test" >> ~/rootfile.txt
# Output: bash: ~/rootfile.txt: Permission denied

# Solution 1: Use sudo to modify
sudo bash -c "echo test >> ~/rootfile.txt"

# Solution 2: Change ownership to yourself
sudo chown centos9:centos9 ~/rootfile.txt
ls -l ~/rootfile.txt
# Output: -rw-r--r--. 1 centos9 centos9 5 Dec  7 11:02 rootfile.txt

# Now you can modify it
echo "more data" >> ~/rootfile.txt
# Success!

# Best Practice: If creating files in your home, don't use sudo
# Only use sudo when writing to system directories

# Cleanup
rm ~/userfile.txt ~/rootfile.txt

Key Learning: sudo creates files owned by root—change ownership if you need to modify them as regular user!

Lab 11: Test Directory Traversal Permissions (Advanced)

Task: Understand that you need execute permission on ALL parent directories to access a file.

Steps:

Try to access a file deep in a protected directory
Understand the permission chain
Test with sudo

Show Solution

Solution:

# Try to access root's bash history
cat /root/.bash_history
# Output: cat: /root/.bash_history: Permission denied

# Is it the FILE or the DIRECTORY that's blocked?
ls -l /root/.bash_history
# Output: ls: cannot access '/root/.bash_history': Permission denied

# It's the directory! Check /root permissions
ls -ld /root
# Output: dr-xr-x---. 2 root root 135 Dec  7 10:00 /root
#                  ^^^
#                  No execute permission for others!

# In Linux, to access /root/.bash_history, you need:
# 1. Execute permission on / (you have it)
# 2. Execute permission on /root (you DON'T have it)
# 3. Read permission on .bash_history (doesn't matter, you can't reach it)

# With sudo, you can access it
sudo cat /root/.bash_history
# This works (if the file exists)

# Real-world example: Web server directory permissions
# For a web server to serve /var/www/html/site/page.html:
# - Execute permission on /var
# - Execute permission on /var/www
# - Execute permission on /var/www/html
# - Execute permission on /var/www/html/site
# - Read permission on page.html
# If ANY directory in the chain lacks execute, access fails!

Key Learning: Directory execute permission is required to traverse through it!

Lab 12: Simulate Multi-User File Conflicts (Advanced)

Task: Understand how multiple users interact with shared directories.

Steps:

Create files in /tmp as your user
Try to simulate another user's perspective
Understand the sticky bit protection

Show Solution

Solution:

# Create a file in /tmp
echo "User centos9's data" > /tmp/centos9_file.txt
ls -l /tmp/centos9_file.txt
# Output: -rw-r--r--. 1 centos9 centos9 20 Dec  7 11:10 /tmp/centos9_file.txt

# Check /tmp permissions
ls -ld /tmp
# Output: drwxrwxrwt. 15 root root 4096 Dec  7 11:10 /tmp
#                    ^
#                    't' = sticky bit

# The sticky bit means:
# - Everyone can create files (rwx for all)
# - But only the owner can delete their own files

# Try to delete your own file (works)
rm /tmp/centos9_file.txt
# Success!

# Recreate it
echo "User centos9's data" > /tmp/centos9_file.txt

# If you were another user, you COULD:
# - Read the file (if permissions allow)
cat /tmp/centos9_file.txt
# Output: User centos9's data

# - Create your own file
touch /tmp/another_file.txt

# But you COULD NOT:
# - Delete centos9's file (even though /tmp is world-writable!)
# - Modify centos9's file (unless permissions allow)

# This is what the sticky bit prevents!

# Without sticky bit, any user could delete ANY file in a shared directory
# With sticky bit, users can only delete their OWN files

# Real-world: This is why /tmp is safe for multi-user systems!

# Cleanup
rm /tmp/centos9_file.txt /tmp/another_file.txt

Key Learning: The sticky bit on /tmp prevents users from deleting each other's files!

Lab 13: Build a Write Access Testing Tool (Advanced)

Task: Create a comprehensive script to audit write access across the entire filesystem.

Steps:

Write a script that tests common directories
Generate a report
Save results to a file

Show Solution

Solution:

cat > ~/write_access_audit.sh << 'EOF'
#!/bin/bash

# Write Access Audit Tool
# Tests common directories and generates a report

OUTPUT_FILE="$HOME/write_access_report_$(date +%Y%m%d_%H%M%S).txt"

echo "==================================" | tee $OUTPUT_FILE
echo "Linux Write Access Audit Report" | tee -a $OUTPUT_FILE
echo "Date: $(date)" | tee -a $OUTPUT_FILE
echo "User: $(whoami)" | tee -a $OUTPUT_FILE
echo "==================================" | tee -a $OUTPUT_FILE
echo | tee -a $OUTPUT_FILE

# List of directories to test
test_dirs=(
    "$HOME"
    "$HOME/Documents"
    "/tmp"
    "/var/tmp"
    "/root"
    "/etc"
    "/var/log"
    "/usr/bin"
    "/usr/local/bin"
    "/boot"
    "/var/www"
    "/opt"
)

writable=0
not_writable=0

echo "Testing write access to common directories..." | tee -a $OUTPUT_FILE
echo | tee -a $OUTPUT_FILE

for dir in "${test_dirs[@]}"; do
    testfile="$dir/.write_test_$$"

    if [ ! -d "$dir" ]; then
        printf "%-30s DOES NOT EXIST\n" "$dir" | tee -a $OUTPUT_FILE
        continue
    fi

    if touch "$testfile" 2>/dev/null; then
        printf "%-30s ✅ WRITABLE\n" "$dir" | tee -a $OUTPUT_FILE
        rm -f "$testfile"
        ((writable++))
    else
        printf "%-30s ❌ NOT WRITABLE\n" "$dir" | tee -a $OUTPUT_FILE
        ((not_writable++))
    fi
done

echo | tee -a $OUTPUT_FILE
echo "==================================" | tee -a $OUTPUT_FILE
echo "Summary:" | tee -a $OUTPUT_FILE
echo "  Writable: $writable" | tee -a $OUTPUT_FILE
echo "  Not Writable: $not_writable" | tee -a $OUTPUT_FILE
echo "==================================" | tee -a $OUTPUT_FILE
echo | tee -a $OUTPUT_FILE
echo "Report saved to: $OUTPUT_FILE" | tee -a $OUTPUT_FILE
EOF

chmod +x ~/write_access_audit.sh

# Run the audit
./~/write_access_audit.sh

# View the report
cat ~/write_access_report_*.txt

Key Learning: Systematic testing helps understand your access level across the entire filesystem!

Lab 14: Understand Implications of Running Scripts as Root (Advanced)

Task: Learn why running scripts with sudo can be dangerous.

Steps:

Create a script that writes files
Run it as regular user vs. with sudo
Compare ownership and implications

Show Solution

Solution:

# Create a script that generates files
cat > ~/generate_files.sh << 'EOF'
#!/bin/bash

mkdir -p ~/output
cd ~/output

for i in {1..5}; do
    echo "File $i content" > file$i.txt
done

echo "Created files in ~/output"
ls -l ~/output
EOF

chmod +x ~/generate_files.sh

# Run as regular user
./~/generate_files.sh

# Check ownership
ls -l ~/output
# Output: All files owned by centos9

# Clean up
rm -rf ~/output

# Now run with sudo (BAD IDEA!)
sudo ./home/centos9/generate_files.sh

# Check ownership
ls -l ~/output
# Output: All files owned by ROOT!

# Problem: Now YOU can't modify your own files!
echo "test" >> ~/output/file1.txt
# Output: Permission denied

# This is a common mistake!

# Why this happens:
# - sudo runs the ENTIRE script as root
# - When script uses ~/, it expands to the user running the script
# - But since sudo runs as root, ~ = /root in some contexts
# - Files created are owned by root

# Lesson: DON'T run personal scripts with sudo unless necessary!

# Fix: Change ownership back
sudo chown -R centos9:centos9 ~/output

# Or: Rewrite script to create files without sudo
# Only use sudo for operations that REQUIRE it

# Cleanup
rm -rf ~/output

Key Learning: Running scripts with sudo creates root-owned files—avoid unless necessary!

Lab 15: Practice Safe System File Modification (Advanced)

Task: Learn the safe workflow for modifying system configuration files.

Steps:

Create backup before modification
Make changes carefully
Verify changes
Have a rollback plan

Show Solution

Solution:

# Example: Safely modifying /etc/hosts

# Step 1: ALWAYS backup first
sudo cp /etc/hosts /etc/hosts.backup.$(date +%Y%m%d)

# Verify backup exists
ls -l /etc/hosts.backup.*

# Step 2: Copy to your home for editing (safer)
cp /etc/hosts ~/hosts.new

# Step 3: Edit in your home directory (no risk to system)
nano ~/hosts.new
# Add test entry: 127.0.0.1  test.local

# Step 4: Verify your changes
diff /etc/hosts ~/hosts.new
# Shows what changed

# Step 5: Apply to system
sudo cp ~/hosts.new /etc/hosts

# Step 6: Test the change
ping -c 1 test.local
# Should resolve to 127.0.0.1

# Step 7: If something breaks, rollback is easy
# sudo cp /etc/hosts.backup.YYYYMMDD /etc/hosts

# Best Practice Workflow Summary:
echo "=== Safe System File Modification Workflow ==="
echo "1. sudo cp /etc/file /etc/file.backup.\$(date +%Y%m%d)"
echo "2. cp /etc/file ~/file.new"
echo "3. nano ~/file.new (edit safely)"
echo "4. diff /etc/file ~/file.new (verify changes)"
echo "5. sudo cp ~/file.new /etc/file (apply)"
echo "6. Test functionality"
echo "7. If broken: sudo cp /etc/file.backup.YYYYMMDD /etc/file"

# Cleanup (careful here!)
# sudo cp /etc/hosts.backup.* /etc/hosts
# sudo rm /etc/hosts.backup.*
# rm ~/hosts.new

Key Learning: Always backup, edit locally, verify, then apply to system!

Lab 16: Explore Read-Only Filesystem Directories (Advanced)

Task: Understand directories that are intentionally mounted read-only.

Steps:

Identify read-only directories
Understand why they're read-only
Learn when they become writable

Show Solution

Solution:

# Check mounted filesystems
mount | grep -E '/boot|/usr'

# /boot is often read-only or restricted
ls -ld /boot
# Output: dr-xr-xr-x. or drwxr-xr-x. with root owner

# Try to write
touch /boot/test.txt
# Output: Permission denied (or "Read-only file system" if mounted ro)

# Why is /boot protected?
echo "=== Why /boot is critical ==="
ls /boot
# Contains: vmlinuz (kernel), initramfs, grub config

# If /boot gets corrupted:
# - System won't boot
# - Kernel can't load
# - Recovery requires rescue media

# Some systems mount /boot as read-only by default
# It's only mounted read-write during kernel updates

# Check if mounted read-only
mount | grep /boot
# Look for "ro" (read-only) vs "rw" (read-write)

# During kernel updates, package manager will:
# 1. Remount /boot as read-write
# 2. Update kernel files
# 3. Remount /boot as read-only

# You can manually remount (if needed):
# sudo mount -o remount,rw /boot  # Make writable
# sudo mount -o remount,ro /boot  # Make read-only again

# But for normal users, /boot should NEVER be writable!

Key Learning: Some directories are read-only by design for system protection!

Lab 17: Test Write Access After sudo Password Timeout (Intermediate)

Task: Understand sudo password caching and timeouts.

Steps:

Use sudo to create a file
Wait for timeout
Try again and observe password prompt

Show Solution

Solution:

# Check current sudo timeout setting
sudo -V | grep timeout
# Default is usually 5 minutes (300 seconds)

# Use sudo to write to /etc
sudo touch /etc/test1.txt
# Enter password

# Immediately use sudo again (within timeout)
sudo touch /etc/test2.txt
# No password prompt! Cached from previous command

# Check timeout remaining (there's no direct command, but you can test)
sudo -n touch /etc/test3.txt 2>&1
# -n = non-interactive (fail if password needed)
# If succeeds: still in timeout window
# If fails: timeout expired

# To clear sudo cache immediately
sudo -k
# Kills the credential cache

# Now try again
sudo touch /etc/test4.txt
# Password prompt again

# Why this matters:
echo "=== Sudo Timeout Security Implications ==="
echo "1. Timeout allows multiple commands without re-entering password"
echo "2. But means unlocked terminal = potential security risk"
echo "3. Use 'sudo -k' when leaving terminal unattended"
echo "4. Or configure shorter timeout in /etc/sudoers"

# View sudo config (timeout setting)
sudo cat /etc/sudoers | grep timeout
# Look for: Defaults timestamp_timeout=5

# Cleanup
sudo rm /etc/test*.txt

Key Learning: Sudo caches credentials—use sudo -k when leaving terminal!

Lab 18: Create a File Access Decision Matrix (Advanced)

Task: Build a reference guide for deciding where to create files.

Steps:

Create a structured decision guide
Test scenarios against the guide
Save for future reference

Show Solution

Solution:

cat > ~/file_access_guide.md << 'EOF'
# File Access Decision Matrix

## Quick Decision Guide

### Personal Data or Project Files
- **Location**: `~/` (your home directory)
- **Example**: `~/Documents/project/data.txt`
- **Why**: Full control, persistent, backed up
- **sudo needed**: No

### Temporary Working Files (Short-term)
- **Location**: `/tmp`
- **Example**: `/tmp/extraction/archive_contents/`
- **Why**: Shared, auto-cleaned on reboot
- **sudo needed**: No
- **Warning**: Don't store important data here!

### Temporary Files (Across Reboots)
- **Location**: `/var/tmp`
- **Example**: `/var/tmp/large_download.iso`
- **Why**: Persists across reboots, shared
- **sudo needed**: No

### System Configuration Files
- **Location**: `/etc`
- **Example**: `/etc/myapp/config.ini`
- **Why**: System-wide configuration
- **sudo needed**: YES
- **Best Practice**: Edit copy in ~/ first, then sudo cp to /etc

### System-wide Scripts/Binaries
- **Location**: `/usr/local/bin`
- **Example**: `/usr/local/bin/backup-script`
- **Why**: Available to all users, in PATH
- **sudo needed**: YES
- **Alternative**: `~/bin` (personal scripts)

### Application Logs
- **Location**: `/var/log` OR `~/logs/`
- **Why**: System logs in /var/log (need sudo), app logs in ~/
- **sudo needed**: YES for /var/log, No for ~/logs
- **Best Practice**: Use ~/logs for personal applications

### Web Server Content
- **Location**: `/var/www/html`
- **Why**: Web server document root
- **sudo needed**: YES
- **Alternative**: Configure virtual host pointing to ~/public_html

## Decision Flowchart

1. Is this a system configuration?
   - YES → /etc (with sudo)
   - NO → Continue

2. Should all users access this?
   - YES → /usr/local or /opt (with sudo)
   - NO → Continue

3. Is this temporary data?
   - YES, very short-term → /tmp
   - YES, might need after reboot → /var/tmp
   - NO → Continue

4. Is this your personal data?
   - YES → ~/
   - NO → Reconsider if you should be creating this file!

## Common Mistakes

1. ❌ Running personal scripts with sudo
   - Creates root-owned files in your home directory

2. ❌ Storing important data in /tmp
   - Will be deleted on reboot!

3. ❌ Editing /etc files directly without backup
   - Always: sudo cp /etc/file /etc/file.backup.$(date +%Y%m%d)

4. ❌ Creating files in / (root directory)
   - Use specific subdirectories instead

5. ❌ Using sudo when not needed
   - Principle of least privilege: only elevate when necessary
EOF

# View the guide
cat ~/file_access_guide.md

echo
echo "Guide saved to: ~/file_access_guide.md"
echo "Use: cat ~/file_access_guide.md anytime for reference"

Key Learning: Having a decision matrix helps make correct file location choices quickly!

Lab 19: Troubleshoot Real-World Permission Scenario (Advanced)

Task: Debug a realistic scenario where an application fails due to permissions.

Steps:

Set up a scenario with permission problems
Diagnose the issue systematically
Implement the correct fix

Show Solution

Solution:

# Scenario: You're setting up a backup script that should run via cron

# Create the problematic setup
cat > ~/backup_app.sh << 'EOF'
#!/bin/bash
LOG_FILE="/var/log/backup.log"
BACKUP_DIR="/backups"
SOURCE_DIR="$HOME/Documents"

echo "[$(date)] Starting backup..." >> $LOG_FILE
mkdir -p $BACKUP_DIR
tar -czf $BACKUP_DIR/backup_$(date +%Y%m%d).tar.gz $SOURCE_DIR
echo "[$(date)] Backup complete" >> $LOG_FILE
EOF

chmod +x ~/backup_app.sh

# Try to run it
./~/backup_app.sh
# Output: Multiple permission errors!

# Let's diagnose systematically:
echo "=== Diagnosis Process ==="

# Problem 1: Can't write to /var/log/backup.log
echo "1. Testing log file access:"
touch /var/log/backup.log
# Output: Permission denied

ls -ld /var/log
# Output: drwxr-xr-x. root root (not writable)

echo "   Solution: Use ~/logs instead of /var/log"

# Problem 2: Can't create /backups
echo "2. Testing backup directory creation:"
mkdir /backups
# Output: Permission denied

echo "   Solution: Use ~/backups instead of /backups"

# Problem 3: Even if we use sudo, cron won't have the password
echo "3. This script won't work in cron with sudo!"

# Create FIXED version
cat > ~/backup_app_fixed.sh << 'EOF'
#!/bin/bash

# Fixed version using user-accessible locations
LOG_DIR="$HOME/logs"
BACKUP_DIR="$HOME/backups"
SOURCE_DIR="$HOME/Documents"

# Create directories if they don't exist
mkdir -p $LOG_DIR
mkdir -p $BACKUP_DIR

# Log file path
LOG_FILE="$LOG_DIR/backup.log"

# Perform backup
echo "[$(date)] Starting backup..." >> $LOG_FILE

if tar -czf $BACKUP_DIR/backup_$(date +%Y%m%d).tar.gz $SOURCE_DIR 2>>$LOG_FILE; then
    echo "[$(date)] Backup complete: $BACKUP_DIR/backup_$(date +%Y%m%d).tar.gz" >> $LOG_FILE
else
    echo "[$(date)] Backup FAILED!" >> $LOG_FILE
    exit 1
fi

# Optional: Clean old backups (keep last 7 days)
find $BACKUP_DIR -name "backup_*.tar.gz" -mtime +7 -delete

echo "[$(date)] Cleanup complete" >> $LOG_FILE
EOF

chmod +x ~/backup_app_fixed.sh

# Test fixed version
./~/backup_app_fixed.sh
# Success!

# Verify it worked
ls -lh ~/backups/
cat ~/logs/backup.log

# Now this can be added to cron:
echo "To add to cron: crontab -e"
echo "Add line: 0 2 * * * $HOME/backup_app_fixed.sh"

# Cleanup
rm -rf ~/backups ~/logs

Key Learning: Always design scripts to use writable locations or properly handle privilege escalation!

Lab 20: Master the Complete Write Access Workflow (Advanced)

Task: Demonstrate complete understanding by creating a comprehensive reference script.

Steps:

Build a master script that tests all concepts
Document findings
Create actionable recommendations

Show Solution

Solution:

cat > ~/master_write_access_check.sh << 'EOF'
#!/bin/bash

# Master Write Access Analysis Tool
# Comprehensive check of Linux file access control

REPORT_DIR="$HOME/access_reports"
REPORT_FILE="$REPORT_DIR/access_report_$(date +%Y%m%d_%H%M%S).txt"

mkdir -p $REPORT_DIR

# Header
{
    echo "========================================"
    echo "  Linux Write Access Master Report"
    echo "========================================"
    echo "Generated: $(date)"
    echo "Hostname: $(hostname)"
    echo "User: $(whoami)"
    echo "UID: $(id -u)"
    echo "Groups: $(id -Gn)"
    echo "========================================"
    echo

    # Section 1: User Writable Locations
    echo "SECTION 1: USER WRITABLE LOCATIONS"
    echo "------------------------------------"

    for dir in "$HOME" "$HOME/Documents" "/tmp" "/var/tmp"; do
        if touch "$dir/.test_$$" 2>/dev/null; then
            printf "✅ %-30s WRITABLE\n" "$dir"
            rm -f "$dir/.test_$$"
        else
            printf "❌ %-30s NOT WRITABLE\n" "$dir"
        fi
    done

    echo

    # Section 2: Protected System Locations
    echo "SECTION 2: PROTECTED SYSTEM LOCATIONS"
    echo "--------------------------------------"

    for dir in "/root" "/etc" "/var/log" "/usr/bin" "/boot"; do
        if touch "$dir/.test_$$" 2>/dev/null; then
            printf "⚠️  %-30s WRITABLE (UNEXPECTED!)\n" "$dir"
            rm -f "$dir/.test_$$"
        else
            printf "✅ %-30s PROTECTED (correct)\n" "$dir"
        fi
    done

    echo

    # Section 3: Directory Permissions Analysis
    echo "SECTION 3: DIRECTORY PERMISSIONS"
    echo "---------------------------------"

    for dir in "/" "/home" "$HOME" "/tmp" "/root" "/etc" "/var/log"; do
        if [ -d "$dir" ]; then
            perms=$(ls -ld "$dir" 2>/dev/null | awk '{print $1, $3, $4}')
            printf "%-20s %s\n" "$dir" "$perms"
        fi
    done

    echo

    # Section 4: Sudo Access Check
    echo "SECTION 4: SUDO ACCESS CHECK"
    echo "----------------------------"

    if sudo -n true 2>/dev/null; then
        echo "✅ Sudo credentials cached (no password needed)"
    else
        if groups | grep -qE 'wheel|sudo'; then
            echo "✅ User is in sudo/wheel group (can use sudo)"
        else
            echo "❌ User is NOT in sudo/wheel group"
        fi
    fi

    echo

    # Section 5: Common Writable Directories Summary
    echo "SECTION 5: RECOMMENDATIONS"
    echo "--------------------------"
    echo "Personal Data:        $HOME"
    echo "Temporary Files:      /tmp (cleared on reboot)"
    echo "Persistent Temp:      /var/tmp (survives reboot)"
    echo "System Config:        /etc (requires sudo)"
    echo "System Scripts:       /usr/local/bin (requires sudo)"
    echo "System Logs:          /var/log (requires sudo)"
    echo
    echo "Quick Tips:"
    echo "- Test write access: touch /path/to/dir/testfile"
    echo "- Check permissions: ls -ld /path/to/dir"
    echo "- Clear sudo cache: sudo -k"
    echo "- Safe system edit: cp /etc/file ~/file.new && edit && sudo cp ~/file.new /etc/file"

    echo
    echo "========================================"
    echo "Report saved to: $REPORT_FILE"
    echo "========================================"

} | tee $REPORT_FILE

echo
echo "✅ Master analysis complete!"
echo "📄 Report available at: $REPORT_FILE"
EOF

chmod +x ~/master_write_access_check.sh

# Run the master check
./~/master_write_access_check.sh

# View the report
cat ~/access_reports/access_report_*.txt | tail -50

Key Learning: Systematic analysis and documentation of file access control provides a complete picture!

📚 Best Practices for File Access Control

1. Principle of Least Privilege

Always work with the minimum permissions necessary:

# ❌ BAD: Using sudo unnecessarily
sudo touch ~/myfile.txt
# This creates a root-owned file in YOUR home directory!

# ✅ GOOD: Use sudo only when needed
touch ~/myfile.txt
# You own this file and can modify it freely

2. Always Test Before System-Wide Changes

# ❌ BAD: Directly editing system files
sudo nano /etc/important.conf
# One mistake = broken system!

# ✅ GOOD: Test locally first
cp /etc/important.conf ~/important.conf.new
nano ~/important.conf.new
# Test and verify
sudo cp ~/important.conf.new /etc/important.conf

3. Backup Before Modifying System Files

# Always create timestamped backups
sudo cp /etc/hosts /etc/hosts.backup.$(date +%Y%m%d)

# Then make changes
sudo nano /etc/hosts

# If something breaks, rollback is trivial:
sudo cp /etc/hosts.backup.20251207 /etc/hosts

4. Use Appropriate Locations for Different File Types

Personal data → ~/ Temporary files → /tmp System configuration → /etc (with sudo) System-wide scripts → /usr/local/bin (with sudo) Logs → ~/logs/ (personal) or /var/log (system, with sudo)

5. Understand When to Use sudo

Use sudo when:

Modifying system configuration in /etc
Installing software system-wide
Viewing protected logs in /var/log
Managing system services
Accessing other users' files (when authorized)

DON'T use sudo when:

Working in your home directory
Creating temporary files in /tmp
Running personal scripts
Building/compiling software for personal use

6. Clean Up After Testing

# After testing write access, remove test files
touch /tmp/test.txt
# ... testing ...
rm /tmp/test.txt  # Clean up!

# Don't leave temporary files scattered across the filesystem

7. Document Permission Requirements

When creating scripts or applications, document where they need to write:

#!/bin/bash
# backup_script.sh
# REQUIREMENTS:
# - Write access to $HOME/backups (created automatically)
# - Read access to $HOME/Documents
# - No sudo required

# This makes it clear what permissions are needed

🚨 Common Pitfalls to Avoid

1. Using sudo for Home Directory Operations

# ❌ WRONG
sudo touch ~/myfile.txt
# Creates root-owned file in your home!

# ✅ CORRECT
touch ~/myfile.txt
# Creates user-owned file

Impact: Root-owned files in your home directory that you can't modify without sudo.

2. Storing Important Data in /tmp

# ❌ WRONG
cp important_project.tar.gz /tmp/
# System reboots → file deleted!

# ✅ CORRECT
cp important_project.tar.gz ~/backups/
# Permanent storage

Impact: Data loss after system reboot.

3. Editing System Files Without Backup

# ❌ WRONG
sudo nano /etc/fstab
# One typo → system won't boot!

# ✅ CORRECT
sudo cp /etc/fstab /etc/fstab.backup.$(date +%Y%m%d)
sudo nano /etc/fstab
# Easy rollback if needed

Impact: Potentially unbootable system with no easy recovery.

4. Assuming You Have Write Access

# ❌ WRONG (no testing)
cp bigfile.tar.gz /var/backups/
# Permission denied! Now what?

# ✅ CORRECT (test first)
touch /var/backups/test || echo "No write access, use sudo or different location"

Impact: Failed operations in scripts or automated tasks.

5. Ignoring Ownership After sudo Operations

# ❌ WRONG
sudo touch ~/data.txt
echo "test" >> ~/data.txt
# Permission denied!

# ✅ CORRECT
sudo touch ~/data.txt
sudo chown $USER:$USER ~/data.txt
echo "test" >> ~/data.txt
# Now it works!

Impact: Files you can't modify without sudo.

6. Running Scripts with sudo Unnecessarily

# ❌ WRONG
sudo ./personal_script.sh
# All files created are owned by root!

# ✅ CORRECT
./personal_script.sh
# Only use sudo for specific commands that need it inside the script

Impact: Root-owned files everywhere, security risks.

📝 Command Cheat Sheet

Testing Write Access

# Test write access to a directory
touch /path/to/directory/testfile && echo "Writable" || echo "Not writable"

# Test and check exit code
touch /tmp/test.txt
echo $?  # 0 = success, 1 = failure

# Test without creating file (directory execute permission)
test -w /path/to/directory && echo "Writable" || echo "Not writable"

# Non-interactive test (for scripts)
touch /path/testfile 2>/dev/null

Checking Permissions

# Check directory permissions
ls -ld /path/to/directory

# Check file permissions
ls -l /path/to/file

# Check ownership
stat /path/to/file

# Check your current user and groups
whoami
id
groups

Safe System File Modification

# Backup
sudo cp /etc/file /etc/file.backup.$(date +%Y%m%d)

# Edit locally
cp /etc/file ~/file.new
nano ~/file.new

# Verify changes
diff /etc/file ~/file.new

# Apply
sudo cp ~/file.new /etc/file

# Rollback if needed
sudo cp /etc/file.backup.YYYYMMDD /etc/file

Working with sudo

# Check if you can use sudo
sudo -v

# Clear sudo credential cache
sudo -k

# Run command without password prompt (for scripts)
sudo -n command

# Check sudo timeout setting
sudo -V | grep timeout

File Ownership

# Check ownership
ls -l filename

# Change ownership to yourself
sudo chown $USER:$USER filename

# Change ownership recursively
sudo chown -R $USER:$USER directory/

🎯 Key Takeaways

Let's summarize the essential concepts about file access and write permissions in Linux:

Core Concepts

Linux is Multi-User: Not everyone can write everywhere—this is a security feature, not a limitation
Your Home is Your Castle: Full control in /home/username
/tmp is Shared Space: Everyone can write, but the sticky bit protects files
System Directories are Protected: /root, /etc, /var/log, /boot require sudo
touch Tests Write Access: Simple and effective way to check permissions
Permission Denied Errors: Learn to recognize and diagnose them

Practical Skills

Know Where to Write: ~/ for personal, /tmp for temporary, sudo for system
Test Before Assuming: Always verify write access before operations
Use sudo Appropriately: Only when necessary, understand implications
Backup System Files: Before any modification
Understand Ownership: Files created with sudo are owned by root

Security Awareness

Protection is Intentional: System directories are protected for good reasons
Least Privilege Principle: Use minimum permissions necessary
Don't Bypass Security Carelessly: Understand why something is protected before using sudo
Clean Up Test Files: Don't leave debris across the filesystem

LFCS Exam Preparation

For the LFCS certification, you must:

Quickly identify why permission denied errors occur
Know standard writable locations for users
Understand when sudo is required
Be able to test and verify file access
Troubleshoot permission-related application failures

🚀 What's Next?

Congratulations! You now understand the fundamentals of file access control in Linux. You know where you can write files, where you can't, and how to test access using the touch command.

In the next post, we'll dive into Using Wildcards for Efficient File Management. You'll learn how to:

Use * to match multiple files
Use ? for single character matching
Use [...] for character ranges
Combine wildcards for powerful file selection
Apply wildcards with cp, mv, rm, and other commands
Create efficient file management workflows

These skills build directly on your understanding of file access—once you know where you can create files, wildcards help you manage them efficiently!

✅

🎉 Excellent Work!

You've mastered the fundamentals of Linux file access control! You now understand:

Where regular users can and cannot write files
How to test write access with the touch command
The purpose of /tmp, /var/tmp, and your home directory
Why system directories like /root, /etc, and /var/log are protected
How to diagnose and resolve "Permission denied" errors
Safe practices for working with system files using sudo

These skills form the foundation of Linux system administration and are essential for LFCS certification success. Keep practicing, and remember: when in doubt, test write access first!

Practice Reminder: Spend time with the practice labs—they cover real-world scenarios you'll encounter in production environments!

📖 Continue Learning: Next Post: Using Wildcards for Efficient File Management →