"Every process on your cell runs as a user. Every file belongs to a user and a group. The permission model is not complicated, but operators who cannot read it cold under pressure make mistakes that compromise the grid. This module is non-negotiable before Week 2."
Every process runs as a user. Every file has an owner and a group. The identity of the calling process determines what files it can open, what commands it can run, and what damage it can do.
/etc/passwd is world-readable and holds seven colon-separated fields per line: username:x:UID:GID:comment:home:shell. The x in the password field means the password hash lives in /etc/shadow, which only root can read; a hash sitting in /etc/passwd itself, or an empty password field, is a finding. UID 0 is root whatever the username says, so a second UID 0 account is a second root. Service accounts typically have a shell of /usr/sbin/nologin or /bin/false to prevent interactive login.
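The checks above, as an added example that is not part of the original module: a parser for the seven-field format and an audit that flags the entries an operator must spot on sight. The sample listing is constructed, and the boundary between system and human accounts (UID 1000, the Debian default) is an assumption that varies by distribution.

```python
"""Audit /etc/passwd entries for the mistakes an operator must spot on sight.

Added example for this module, not code from the original page. The sample
listing is constructed; SYSTEM_UID_MAX assumes the Debian default (system
accounts below 1000), which is a per-distribution setting."""
from collections import Counter
from typing import List, NamedTuple, Tuple

SYSTEM_UID_MAX = 1000  # assumption: UID_MIN from /etc/login.defs on Debian/Ubuntu
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample: three of these lines are deliberately wrong.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
toor:x:0:0:maintenance:/root:/bin/bash
ops:x:1000:1000:Cell Operator:/home/ops:/bin/bash
legacy:$6$saltsalt$hashhashhashhash:1001:1001::/home/legacy:/bin/sh
"""


class PasswdEntry(NamedTuple):
    name: str
    passwd: str  # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each non-empty line into the seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: List[PasswdEntry]) -> List[Tuple[str, str]]:
    """Return (account, finding-code) pairs for every suspicious entry."""
    findings = []
    uid_count = Counter(e.uid for e in entries)
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID0_ALIAS"))  # a second root under another name
        if uid_count[e.uid] > 1:
            findings.append((e.name, "DUPLICATE_UID"))  # two names, one kernel identity
        if e.passwd == "":
            findings.append((e.name, "EMPTY_PASSWORD"))  # no password set at all
        elif e.passwd != "x":
            findings.append((e.name, "HASH_IN_PASSWD"))  # hash exposed in a world-readable file
        if 0 < e.uid < SYSTEM_UID_MAX and e.shell not in NOLOGIN_SHELLS:
            # a service account that can be logged into; review exceptions such as sync
            findings.append((e.name, "SYSTEM_ACCOUNT_LOGIN_SHELL"))
    return findings


def audit_sample() -> List[Tuple[str, str]]:
    return audit_passwd(parse_passwd(SAMPLE_PASSWD))


if __name__ == "__main__":
    for account, code in audit_sample():
        print(f"{account:10} {code}")
```

Run it against a real file with `audit_passwd(parse_passwd(open("/etc/passwd").read()))`; the duplicate-UID finding fires on both names that share the UID, which is intended, since either one is the identity the kernel sees.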
Every process on your cell runs as a user. Knowing who owns what is the foundation of every access decision you will make as an operator.
The classic Unix permission model assigns read, write, and execute bits to three classes: owner, group, and others. In ls -la output the first character is the file type (- for a regular file, d for a directory, l for a symlink); read the nine characters after it as three triplets, owner then group then others.
| Octal | Symbolic | Meaning |
|---|---|---|
| 755 | rwxr-xr-x | Owner full; group + others read/execute |
| 644 | rw-r--r-- | Owner read/write; others read-only |
| 600 | rw------- | Owner read/write; no access for anyone else |
| 700 | rwx------ | Owner full; no access for anyone else |
| 4755 | rwsr-xr-x | SUID set: runs as file owner, not caller |
Special bits: SUID (4) on an executable causes it to run under the file owner's identity rather than the caller's; SGID (2) on an executable does the same for the file's group, and on a directory causes new files to inherit the directory's group; Sticky (1) on a directory means only a file's owner (or the directory's owner, or root) can delete or rename it, the classic use being /tmp. In ls output a special bit shows in the execute position of its triplet as s or t; an uppercase S or T means the special bit is set without the matching execute bit, which is almost always a botched chmod. Linux ignores SUID on interpreted scripts, but every SUID binary on the system is attack surface and must be accounted for.
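The table and the special-bit rules, as an added example that is not code from the original module: an octal-to-symbolic renderer that handles s/S and t/T, its inverse for reading ls -la output, and the ownership rule for which triplet the kernel actually applies. The sample modes and UIDs are constructed.

```python
"""Octal <-> symbolic permission conversion, special bits included, plus the
rule for which triplet applies to a given process.

Added example for this module, not code from the original page. The sample
modes, UIDs and GIDs are constructed."""
import stat
from typing import Set

# bit for each of the nine positions, in ls -l order
_POSITION_BITS = (0o400, 0o200, 0o100, 0o040, 0o020, 0o010, 0o004, 0o002, 0o001)
# execute position of each triplet -> the special bit that is displayed there
_SPECIAL_AT = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def mode_to_symbolic(mode: int) -> str:
    """Render a mode as the nine characters ls -la prints after the type character."""
    chars = ["rwx"[i % 3] if mode & bit else "-" for i, bit in enumerate(_POSITION_BITS)]
    # A special bit replaces the execute character of its triplet. Lowercase means the
    # execute bit is also set; uppercase means it is not (chmod 4644 instead of 4755).
    for pos, special in _SPECIAL_AT.items():
        if mode & special:
            letter = "t" if pos == 8 else "s"
            chars[pos] = letter if mode & _POSITION_BITS[pos] else letter.upper()
    return "".join(chars)


def symbolic_to_mode(sym: str) -> int:
    """Inverse of mode_to_symbolic: 'rwsr-xr-x' -> 0o4755."""
    if len(sym) != 9:
        raise ValueError("expected the nine permission characters, without the type character")
    mode = 0
    for pos, ch in enumerate(sym):
        if ch == "-":
            continue
        if ch == "rwx"[pos % 3]:
            mode |= _POSITION_BITS[pos]
            continue
        expected = "t" if pos == 8 else "s"
        if pos not in _SPECIAL_AT or ch.lower() != expected:
            raise ValueError(f"unexpected {ch!r} at position {pos}")
        mode |= _SPECIAL_AT[pos]
        if ch.islower():  # lowercase s/t also carries the execute bit
            mode |= _POSITION_BITS[pos]
    return mode


def effective_perms(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: Set[int]) -> str:
    """Return the triplet ('rw-' etc.) the kernel applies to a process with uid/gids.

    The classes are exclusive and checked in order: a process that owns the file gets
    the owner bits even if the group or other bits would have been more generous.
    Root bypasses these bits entirely (CAP_DAC_OVERRIDE) and is not modelled here.
    """
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return "".join(ch if bits & (4 >> i) else "-" for i, ch in enumerate("rwx"))


if __name__ == "__main__":
    for m in (0o755, 0o644, 0o600, 0o4755, 0o4644, 0o2775, 0o1777):
        print(f"{m:05o} {mode_to_symbolic(m)}")
```

The conversion is a bijection over the low twelve bits, so a mode always round-trips. To enumerate the SUID binaries the prose refers to, the shell equivalent is `find / -perm -4000 -type f`.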
A misconfigured permission on a critical file is a vulnerability. Operators who cannot read rwxr-xr-- at a glance are not ready for Weeks 2-4.
Ownership determines which permission triplet applies to a process accessing a file, and the three classes are exclusive: a process whose UID matches the owner gets the owner bits only, even when the group or other bits are wider. Changing ownership correctly when deploying a new service is part of every cell hardening checklist.
Use -R (recursive) with caution on live service directories. A recursive chown of /var/www/ while nginx is serving requests is usually harmless, provided the new owner and group still let the nginx worker user read the files; get that wrong and every request starts failing. A recursive chown of /etc/ breaks the system. Think before you run any recursive chown as root, and confirm the result with ls -la afterwards.
When a new service is deployed into your cell, its writable state (data, logs, spool directories) must be owned by its own service account, and its binaries and configuration should stay owned by root, readable but not writable by that account, so a compromised service cannot rewrite its own code or config. Owning or running anything as root is acceptable only when unavoidable.
When classic permissions cannot express the access policy you need (a file readable by two users from different groups), ACLs extend the model without touching group membership.
A + at the end of the permission string in ls -la output signals that an ACL is present beyond the standard bits. Use getfacl to see the full picture, and read the mask entry: the mask caps the effective rights of every named user and named group entry (and of the owning group), and getfacl prints #effective next to any entry the mask narrows, which is the usual reason an ACL grant "does not work". The d: prefix in setfacl sets a default ACL on a directory; files and subdirectories created afterwards inherit those entries, while anything that already exists is untouched.
ACLs let you grant surgical read access to service accounts without changing group membership across the cell.
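The mask rule above is where ACL grants go wrong in practice, so here is an added example (not code from the original module) that parses getfacl output and computes what a given user can actually do, in the order the POSIX ACL check runs: owner, named user, owning and named groups, then other. The listing, file path, account and group names are all constructed.

```python
"""Parse getfacl output and compute a user's effective rights, mask included.

Added example for this module, not code from the original page. The getfacl
listing, path, account names and group names below are constructed."""
from typing import Dict, List, Set, Tuple

# Constructed: what getfacl might print for a report two service accounts must read.
SAMPLE_GETFACL = """\
# file: /srv/cell/reports/summary.txt
# owner: reports
# group: analysts
user::rw-
user:nginx:r--
user:backup:rw-                 #effective:r--
group::r--
group:auditors:rwx              #effective:r--
mask::r--
other::---
default:user::rw-
default:user:nginx:r--
default:group::r--
default:mask::r--
default:other::---
"""


class Acl:
    def __init__(self) -> None:
        self.owner = ""
        self.group = ""
        # (tag, qualifier) -> set of "r", "w", "x"; qualifier is "" for owner/group/mask/other
        self.entries: Dict[Tuple[str, str], Set[str]] = {}
        self.defaults: Dict[Tuple[str, str], Set[str]] = {}  # inherited by new files only


def parse_getfacl(text: str) -> Acl:
    acl = Acl()
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            acl.owner = raw.split(":", 1)[1].strip()
            continue
        if raw.startswith("# group:"):
            acl.group = raw.split(":", 1)[1].strip()
            continue
        if raw.startswith("#"):
            continue
        line = raw.split("#")[0].strip()  # drop the "#effective:" annotation
        if not line:
            continue
        target = acl.entries
        if line.startswith("default:"):
            target = acl.defaults
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        target[(tag, qualifier)] = {ch for ch in perms if ch in "rwx"}
    return acl


def allowed(acl: Acl, user: str, groups: Set[str], perm: str) -> bool:
    """POSIX ACL check order; the mask caps everything except owner and other."""
    mask = acl.entries.get(("mask", ""), {"r", "w", "x"})
    if user == acl.owner:
        return perm in acl.entries[("user", "")]
    if ("user", user) in acl.entries:
        return perm in acl.entries[("user", user)] & mask
    group_entries: List[Set[str]] = []
    if acl.group in groups:
        group_entries.append(acl.entries[("group", "")])
    group_entries += [p for (tag, q), p in acl.entries.items() if tag == "group" and q and q in groups]
    if group_entries:
        # granted if any matching group entry carries the permission after masking;
        # a process that matched a group never falls through to the other entry
        return any(perm in p & mask for p in group_entries)
    return perm in acl.entries[("other", "")]


def effective_rights(acl: Acl, user: str, groups: List[str]) -> str:
    return "".join(p if allowed(acl, user, set(groups), p) else "-" for p in "rwx")


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for who, grps in (("reports", []), ("nginx", []), ("backup", []), ("alice", ["auditors"])):
        print(f"{who:8} {effective_rights(acl, who, grps)}")
```

The backup account is granted rw- by its named entry but gets r-- because the mask is r--; that is exactly what the #effective annotation in the listing is warning about, and raising the mask (setfacl -m m::rw-) is the fix if write access was intended.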
sudo is the privilege escalation mechanism. The sudoers file defines exactly which commands each user or group may run as root or as another user. Every entry is a potential privilege escalation vector and must follow least privilege.
Drop-in files in /etc/sudoers.d/ are included automatically and are safer than editing /etc/sudoers directly, but they still need care: a syntax error in any included file stops sudo working at all, so write them with visudo -f rather than a plain editor and keep them mode 0440. sudo also skips drop-in files whose names contain a dot or end in ~, so a rule saved as something.conf or left behind as an editor backup is silently ignored. A NOPASSWD entry removes the password prompt and is appropriate only for automation accounts with tightly scoped commands. Granting ALL=(ALL:ALL) NOPASSWD: ALL to any account is a complete bypass of the access control model.
Every sudo entry is a potential privilege escalation vector. Give only the command, not ALL, and remember that a command which can spawn a shell (editors, pagers, interpreters, anything with a ! escape) is ALL by another name.
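An added example, not code from the original module, that parses sudoers rules and flags the patterns just described: ALL with NOPASSWD, ALL for non-root principals, shells and interpreters, programs with shell escapes, and wildcards in command arguments. The rules, the cell-api service name and the account names are constructed; aliases (User_Alias, Cmnd_Alias and friends) and backslash line continuations are not expanded.

```python
"""Audit sudoers rules for the patterns that turn a scoped grant into full root.

Added example for this module, not code from the original page. The rules, the
cell-api service and the account names are constructed. Alias definitions and
line continuations are skipped rather than expanded."""
import re
from typing import FrozenSet, List, NamedTuple, Tuple

SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        use_pty
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart cell-api, /usr/bin/systemctl status cell-api
backup  ALL=(ALL:ALL) NOPASSWD: ALL
ops     ALL=(root) /usr/bin/vim /etc/cell/*.conf
monitor ALL=(root) NOPASSWD: /bin/bash
@includedir /etc/sudoers.d
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash",
          "/usr/bin/python3", "/usr/bin/perl"}
# programs whose ! or :shell escapes hand the caller a shell as the target user
SHELL_ESCAPERS = {"/usr/bin/vim", "/usr/bin/vi", "/usr/bin/less", "/usr/bin/more", "/usr/bin/man"}

# (runas) is optional, then zero or more TAG: prefixes, then the comma-separated commands
_SPEC = re.compile(r"^\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.*)$")


class Rule(NamedTuple):
    user: str
    host: str
    runas: str
    tags: FrozenSet[str]
    commands: Tuple[str, ...]


def parse_sudoers(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        user, rest = line.split(None, 1)
        host, spec = rest.split("=", 1)
        m = _SPEC.match(spec)
        tags = frozenset(t.strip() for t in m["tags"].split(":") if t.strip())
        commands = tuple(c.strip() for c in m["cmds"].split(",") if c.strip())
        rules.append(Rule(user, host.strip(), (m["runas"] or "root").strip(), tags, commands))
    return rules


def audit_sudoers(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (principal, finding-code) pairs; a rule can produce several."""
    findings = []
    for r in rules:
        for cmd in r.commands:
            path, _, args = cmd.partition(" ")
            if path == "ALL":
                if "NOPASSWD" in r.tags:
                    findings.append((r.user, "FULL_ROOT_NOPASSWD"))  # total bypass
                elif r.user != "root":
                    findings.append((r.user, "ALL_COMMANDS"))  # review: is this an admin?
                continue
            if path in SHELLS:
                findings.append((r.user, "SHELL_COMMAND"))  # a shell as root is ALL
            if path in SHELL_ESCAPERS:
                findings.append((r.user, "SHELL_ESCAPE"))  # ! inside the program is a shell
            if any(ch in args for ch in "*?["):
                # sudoers wildcards match more than intended, including extra arguments
                findings.append((r.user, "WILDCARD_ARGS"))
    return findings


def audit_sample() -> List[Tuple[str, str]]:
    return audit_sudoers(parse_sudoers(SAMPLE_SUDOERS))


if __name__ == "__main__":
    for principal, code in audit_sample():
        print(f"{principal:10} {code}")
```

The deploy rule is the shape to copy: explicit binary, explicit arguments, no wildcard, NOPASSWD only because the caller is an automation account. Run the audit over `visudo -c`-clean files only; it is a reviewer, not a parser of last resort.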
Pluggable Authentication Modules (PAM) is the authentication middleware that sits between applications and the system. When you run sudo or log in via SSH, PAM decides whether to grant access by evaluating a stack of modules in order.
PAM module control flags: required (must pass; on failure the rest of the stack still runs, so the user cannot tell which module rejected them, but the final result is failure), requisite (must pass; failure returns immediately without running the remaining modules), sufficient (if it passes and no earlier required module has failed, PAM returns success at once and skips the rest of the stack; if it fails, it is ignored), optional (result counts only if it is the only module in the stack). Order matters: a sufficient password module placed before a required TOTP module means a correct password alone is enough. Week 2 adds a TOTP module to this stack to implement 2FA.
Week 2 implements 2FA via PAM. The PAM stack concept must not be new when it matters.
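An added example, not code from the original module or from Linux-PAM, that walks a stack under the four control flags so the ordering point can be checked rather than trusted. pam_totp.so is a placeholder name for whatever TOTP module Week 2 installs, and the module outcomes are supplied by the caller instead of coming from real authentication.

```python
"""Simulate how Linux-PAM walks an auth stack under the four simple control flags.

Added example for this module, not code from the original page or from Linux-PAM.
pam_totp.so is a placeholder module name; outcomes are supplied, not authenticated."""
from typing import Dict, List, Optional, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"


def evaluate(stack: List[Tuple[str, str]], outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (access granted, modules actually executed, in order).

    stack:    ordered (control, module) pairs as in /etc/pam.d/<service>
    outcomes: what each module would return if called (True = PAM_SUCCESS)
    """
    executed: List[str] = []
    verdict: Optional[bool] = None  # None until a decisive module has spoken
    for control, module in stack:
        ok = outcomes[module]
        executed.append(module)
        if control == REQUIRED:
            # Failure is remembered, but the stack keeps running so the caller
            # cannot tell from prompts or timing which module rejected them.
            if not ok:
                verdict = False
            elif verdict is None:
                verdict = True
        elif control == REQUISITE:
            if not ok:
                return False, executed  # abort now; nothing below runs
            if verdict is None:
                verdict = True
        elif control == SUFFICIENT:
            # Success ends the stack early unless something required already failed.
            if ok and verdict is not False:
                return True, executed
            # a failing sufficient module is simply ignored
        elif control == OPTIONAL:
            # Only matters when no decisive module has produced a verdict.
            if ok and verdict is None:
                verdict = True
        else:
            raise ValueError(f"unknown control {control!r}")
    # An undecided stack (for example only failing optional modules) denies access.
    return bool(verdict), executed


# Week 2 shapes. Weak: the sufficient password module short-circuits the required
# TOTP module, so a stolen password alone logs in.
WEAK_STACK = [(SUFFICIENT, "pam_unix.so"), (REQUIRED, "pam_totp.so")]
# Hardened: both factors are required and both always run.
STRONG_STACK = [(REQUIRED, "pam_unix.so"), (REQUIRED, "pam_totp.so")]
# requisite first: a failed terminal check stops before any password is examined.
TTY_STACK = [(REQUISITE, "pam_securetty.so"), (REQUIRED, "pam_unix.so"), (REQUIRED, "pam_totp.so")]

# Constructed scenarios: which modules would succeed for a given login attempt.
PW_ONLY = {"pam_securetty.so": True, "pam_unix.so": True, "pam_totp.so": False}
TOTP_ONLY = {"pam_securetty.so": True, "pam_unix.so": False, "pam_totp.so": True}
BOTH = {"pam_securetty.so": True, "pam_unix.so": True, "pam_totp.so": True}
BAD_TTY = {"pam_securetty.so": False, "pam_unix.so": True, "pam_totp.so": True}

if __name__ == "__main__":
    for name, stack in (("weak", WEAK_STACK), ("strong", STRONG_STACK), ("tty", TTY_STACK)):
        for label, scenario in (("pw only", PW_ONLY), ("totp only", TOTP_ONLY), ("both", BOTH)):
            granted, ran = evaluate(stack, scenario)
            print(f"{name:6} {label:9} granted={granted!s:5} ran={ran}")
```

The weak stack is worse than it looks: with the password wrong and the TOTP code right it also grants access, because a failing sufficient module is ignored and the remaining required module then decides alone. Either factor on its own is enough, which is why distributions follow a sufficient password module with a required deny module when they use that pattern at all.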
If you are comfortable with all of these, proceed to ALA-R3: Process Authority.