# Debug System Folder Permissions

You are helping the user debug systemwide folder permissions and ensure they are set appropriately.

## Your tasks:

1. **Gather information from user:**
   Ask:
   - Are they experiencing specific permission errors?
   - Which directories or operations are affected?
   - What user/group should have access?

2. **Check common system directories:**

   **Root filesystem:**
   ```bash
   ls -ld /
   # Should be: drwxr-xr-x root root
   ```

   **Essential system directories:**
   ```bash
   ls -ld /bin /sbin /usr /usr/bin /usr/sbin /lib /lib64
   # Should be: drwxr-xr-x root root
   # On merged-/usr systems (Debian 12+, Fedora, Arch) /bin, /sbin, /lib and
   # /lib64 are symlinks into /usr and show as lrwxrwxrwx; that is expected.
   ```

   **Variable data:**
   ```bash
   ls -ld /var /var/log /var/tmp
   # /var: drwxr-xr-x root root
   # /var/log: drwxrwxr-x root syslog (or root root)
   # /var/tmp: drwxrwxrwt root root (sticky bit)
   ```

   **Temporary directories:**
   ```bash
   ls -ld /tmp
   # Should be: drwxrwxrwt root root (sticky bit important!)
   ```

   **Home directories:**
   ```bash
   ls -ld /home /home/$USER
   # /home: drwxr-xr-x root root
   # /home/$USER: drwxr-xr-x $USER $USER on older installs; drwxr-x--- (750) is
   # the default on Ubuntu 21.04+ and drwx------ (700) on Fedora/RHEL.
   # A group- or world-writable home directory is a real problem: sshd with
   # StrictModes refuses public-key logins, and other users can plant files
   # such as ~/.bashrc or ~/.ssh/authorized_keys.
   ```

3. **Check for permission issues:**

   **World-writable directories without sticky bit (security risk):**
   ```bash
   # Without the sticky bit any user can delete or rename other users' files
   # in the directory. -xdev stays on one filesystem (skips /proc, /sys and
   # network mounts); repeat for /home, /var etc. if they are separate mounts.
   sudo find / -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
   ```

   **Files with SUID bit (potential security issue if unexpected):**
   ```bash
   # -ls shows mode, owner and size so the list can be reviewed and saved.
   sudo find / -xdev -type f -perm -4000 -ls 2>/dev/null
   ```

   **Files with SGID bit:**
   ```bash
   sudo find / -xdev -type f -perm -2000 -ls 2>/dev/null
   ```

   Compare the results with what the package manager installed rather than
   eyeballing them: on RPM systems `rpm -Va` reports mode (`M`), user (`U`) and
   group (`G`) drift per file; `dpkg --verify` only checks file checksums, so on
   Debian/Ubuntu keep a list from a known-good install and diff against it.

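To make step 3 repeatable, here is an added example (not part of the original checklist) that lists setuid/setgid files and sticky-less world-writable directories in one walk and reports only entries that are new relative to a saved baseline, so a fresh `sudo` clone or a `chmod 777` on a shared directory shows up instead of being lost in the noise of the ~30 legitimate setuid binaries. It assumes GNU find (`-xdev`, `-perm /MODE`, `-printf`); the baseline file path is whatever you pass in.

```shell
#!/usr/bin/env bash
# Added example: find setuid/setgid files and world-writable directories
# that lack the sticky bit, and report only what is new relative to a
# saved baseline. Assumes GNU find (-xdev, -perm /MODE, -printf).

# list_special [ROOT]
# Prints sorted "KIND MODE OWNER PATH" lines:
#   SETID  - regular file with the setuid and/or setgid bit
#   WWDIR  - world-writable directory without the sticky bit
# -xdev keeps the walk on one filesystem (no /proc, /sys, NFS mounts);
# run it once per real mount point if you need full coverage.
list_special() {
    local root=${1:-/}
    find "$root" -xdev \
        \( -type f -perm /6000 -printf 'SETID %m %u %p\n' \) -o \
        \( -type d -perm -0002 ! -perm -1000 -printf 'WWDIR %m %u %p\n' \) \
        2>/dev/null | LC_ALL=C sort
}

# new_since_baseline BASELINE_FILE [ROOT]
# Exit 0 if nothing has appeared since the baseline; otherwise print the
# new lines and exit 1. Entries that disappeared are not reported.
new_since_baseline() {
    local baseline=$1 root=${2:-/} new
    new=$(comm -13 <(LC_ALL=C sort -u "$baseline") <(list_special "$root"))
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# Stand-alone use:  sudo ./setid-audit.sh BASELINE_FILE [ROOT]
# The first run records the baseline (review it by hand: every entry is a
# privilege boundary); later runs print additions and exit non-zero.
if [ $# -ge 1 ]; then
    if [ ! -f "$1" ]; then
        list_special "${2:-/}" > "$1"
        echo "baseline written to $1 ($(wc -l < "$1") entries)"
    else
        new_since_baseline "$1" "${2:-/}"
    fi
fi
```

Keep the baseline somewhere the audited host cannot rewrite (a config repository or a read-only mount); a baseline that lives next to the binaries it describes is itself a target. Running the check from cron after every package upgrade catches both new setuid binaries and the classic post-install `chmod 777` on an application directory.
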
4. **Check /etc permissions:**
   ```bash
   ls -la /etc | head -20
   # /etc itself: drwxr-xr-x root root
   # Most files should be 644 (rw-r--r--)
   # Some may be 640 or 600 for security
   ```

   **Sensitive files:**
   ```bash
   ls -l /etc/shadow /etc/gshadow /etc/sudoers /etc/ssh/sshd_config /etc/ssh/ssh_host_*_key
   # /etc/shadow, /etc/gshadow: -rw-r----- root shadow (Debian/Ubuntu)
   #                            ---------- root root   (RHEL/Fedora)
   # /etc/sudoers: -r--r----- root root (sudo refuses to run if anyone but root can write it)
   # /etc/ssh/sshd_config: -rw-r--r-- root root on Debian/Ubuntu, -rw------- root root on RHEL/Fedora
   # /etc/ssh/ssh_host_*_key: -rw------- root root (private host keys; never group/world readable)
   ```

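Steps 2 and 4 are a list of paths with an expected mode and owner, which is exactly what should be checked by a script rather than by reading `ls -ld` output. The following is an added example, not part of the original checklist, that audits a table of paths and prints only deviations. It assumes GNU coreutils (`stat -c`); the expected values in the table are Debian/Ubuntu defaults and are assumptions to adjust per distribution (for example `/etc/shadow` is `0000 root:root` on RHEL/Fedora).

```shell
#!/usr/bin/env bash
# Added example: audit paths against an expected mode/owner/group table.
# Assumes GNU coreutils (Linux `stat -c`). The values in the baseline
# table below are Debian/Ubuntu defaults, i.e. assumptions, not universal.

# check_perm PATH MODE OWNER GROUP
# Exit 0 if PATH matches, 1 on mismatch (printed), 2 if PATH is missing.
# MODE is octal and may carry special bits (1777, 2775) or a leading 0.
check_perm() {
    local path=$1 want_mode=$2 want_owner=$3 want_group=$4
    local have_mode have_owner have_group
    if [ ! -e "$path" ]; then
        printf 'MISSING  %s\n' "$path"
        return 2
    fi
    read -r have_mode have_owner have_group <<<"$(stat -c '%a %U %G' "$path")"
    [ -n "$have_mode" ] || return 2
    # Compare modes numerically so 755 and 0755 are the same thing.
    if [ "$((8#$have_mode))" -eq "$((8#$want_mode))" ] \
        && [ "$have_owner" = "$want_owner" ] \
        && [ "$have_group" = "$want_group" ]; then
        return 0
    fi
    printf 'MISMATCH %s: is %s %s:%s, expected %s %s:%s\n' "$path" \
        "$have_mode" "$have_owner" "$have_group" \
        "$want_mode" "$want_owner" "$want_group"
    return 1
}

# audit_baseline < TABLE
# TABLE lines are "PATH MODE OWNER GROUP"; blank lines and # comments are
# skipped. Exit 0 only if every listed path matches.
audit_baseline() {
    local p m o g rc=0
    while read -r p m o g; do
        case $p in ''|'#'*) continue ;; esac
        check_perm "$p" "$m" "$o" "$g" || rc=1
    done
    return "$rc"
}

# Stand-alone run over the directories and files from steps 2 and 4.
if audit_baseline <<'EOF'
# path        mode  owner group
/             755   root  root
/usr          755   root  root
/usr/bin      755   root  root
/etc          755   root  root
/tmp          1777  root  root
/var/tmp      1777  root  root
/var/log      775   root  syslog
/home         755   root  root
/etc/shadow   640   root  shadow
/etc/gshadow  640   root  shadow
EOF
then
    echo 'all listed paths match the baseline'
else
    echo 'deviations found (see above)'
fi
```

The point of the table is that it is reviewable: a change request that touches `/var/log` or `/etc/shadow` shows up as a diff to one file, and the script's non-zero exit status makes it usable from configuration-management or CI checks.
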
5. **Check user home directory structure:**
   ```bash
   ls -la ~/ | grep "^d"
   ```

   Common directories and recommended permissions:
   - `~/.ssh`: 700 (drwx------)
   - `~/.ssh/id_rsa`, `~/.ssh/id_ed25519` (private keys): 600 (-rw-------)
   - `~/.ssh/id_rsa.pub`, `~/.ssh/id_ed25519.pub`: 644 (-rw-r--r--)
   - `~/.ssh/authorized_keys`: 600 (-rw-------)
   - `~/.ssh/config`: 600 (-rw-------)
   - `~/.gnupg`: 700 (drwx------)
   - `~/bin`: 755 (drwxr-xr-x)
   - `~/.local`: 755 (drwxr-xr-x)
   - `~/.config`: 755 (drwxr-xr-x)

   OpenSSH enforces most of this itself: the client refuses a private key that
   is readable by others ("UNPROTECTED PRIVATE KEY FILE"), and sshd with
   `StrictModes yes` (the default) rejects public-key logins when `~`,
   `~/.ssh` or `authorized_keys` is writable by group or others. A "permission
   denied (publickey)" after a home-directory restore is usually this check.

6. **Check /opt and /usr/local:**
   ```bash
   ls -ld /opt /usr/local /usr/local/bin
   # Typically: drwxr-xr-x root root
   # But may be group-writable for admin group
   ```

7. **Check mount points:**
   ```bash
   mount | grep "^/" | awk '{print $3}' | while read -r mp; do
     ls -ld "$mp"
   done
   # Mount options matter as much as modes: noexec/nosuid/nodev on /tmp,
   # /var/tmp, /home and removable media neutralise SUID bits and executables there.
   findmnt -rno TARGET,FSTYPE,OPTIONS
   ```

8. **Check ownership of user files:**
   Find files in the home directory not owned by the user, and orphaned files
   whose owner or group no longer exists (typical after a user was deleted or
   a backup was restored with different UIDs):
   ```bash
   find ~ -not -user "$USER" 2>/dev/null
   sudo find / -xdev \( -nouser -o -nogroup \) 2>/dev/null
   ```

9. **Check group memberships:**
   ```bash
   groups
   id
   ```

   Common groups users might need:
   - `sudo` - for administrative access
   - `docker` - for Docker access
   - `video` - for video devices
   - `audio` - for audio devices
   - `plugdev` - for removable devices
   - `dialout` - for serial ports

10. **Fix common issues:**

    **Fix sticky bit on /tmp:**
    ```bash
    sudo chmod 1777 /tmp
    ```

    **Fix ~/.ssh permissions:**
    ```bash
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/id_rsa
    chmod 644 ~/.ssh/id_rsa.pub
    chmod 600 ~/.ssh/authorized_keys
    chmod 600 ~/.ssh/config
    ```

    **Fix ownership of home directory:**
    ```bash
    # Review the list from step 8 first: some root-owned files under $HOME may
    # be intentional. Use the real primary group instead of assuming it is $USER.
    sudo chown -R "$USER:$(id -gn "$USER")" ~/
    ```

    **Fix common directories:**
    ```bash
    chmod 755 ~/.local ~/.config ~/bin
    ```

11. **Check for ACL (Access Control Lists):**
    ```bash
    getfacl /path/to/directory
    ```

    If ACLs are in use (indicated by a `+` after the mode field in `ls -l`):
    ```bash
    # The + is the 11th character of the mode field. A bare grep "+" would
    # also match any filename containing a plus sign.
    ls -la | grep -E '^[^ ]{10}\+'
    ```

    An ACL can grant write access that the octal mode does not show, so run
    `getfacl` on anything that looks fine in `ls -l` but behaves otherwise.

12. **Check SELinux context (if enabled):**
    ```bash
    getenforce
    ls -Z /path/to/directory
    ```

13. **Check for immutable flags:**
    ```bash
    lsattr /path/to/file
    ```

    If a file has the `i` (immutable) flag it cannot be modified, renamed or
    deleted even by root until the flag is cleared (which needs
    CAP_LINUX_IMMUTABLE); the `a` flag allows appends only, which is common on
    log files. Use `lsattr -d` to inspect a directory itself rather than its
    contents. Check before clearing: hardening guides set `+i` on files such as
    `/etc/passwd` deliberately, and an unexpected `+i` on a file like
    `/etc/ld.so.preload` is a sign of tampering, not a bug.
    ```bash
    sudo chattr -i /path/to/file
    ```

14. **Specific directory recommendations:**

    **/var/www (web server):**
    The widely copied `chown -R www-data:www-data /var/www` makes the whole
    webroot writable by the web server process, so any upload or code-execution
    bug in the application can rewrite the site's own code and persist. Prefer:
    code owned by the account that deploys it (`deploy` below is an assumed
    name), readable by the server's group, writable by the server only in the
    directories that need it (uploads, cache, sessions).
    ```bash
    sudo chown -R deploy:www-data /var/www/site
    sudo find /var/www/site -type d -exec chmod 750 {} \;
    sudo find /var/www/site -type f -exec chmod 640 {} \;
    sudo chmod 2770 /var/www/site/uploads   # only here may www-data write; SGID keeps the group
    ```
    `/var/www` itself stays `drwxr-xr-x root root` so the server can traverse
    it. If the server does not run as the `www-data` group, use 755/644 as in
    the classic scheme, but still do not hand ownership to the server account.

    **/srv (service data):**
    ```bash
    sudo chown -R root:root /srv
    sudo chmod 755 /srv
    ```

    **Shared directories:**
    ```bash
    sudo chown root:groupname /shared/directory
    sudo chmod 2775 /shared/directory  # SGID: new files inherit the group
    # Use 3775 (SGID + sticky) if members should not be able to delete each
    # other's files. Members also need umask 002 or new files stay group-read-only.
    ```

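The webroot layout from step 14 (code read-only for the server, writable only in designated directories) is easy to get subtly wrong by hand, so here is an added example, not part of the original checklist, that applies it to a tree and then lists everything the server group can still write, which after hardening should be exactly the upload/cache directories and nothing else. Owner, group and subdirectory names are parameters; `www-data` and `deploy` in the comments are assumptions.

```shell
#!/usr/bin/env bash
# Added example: webroot layout where the web server can read the code but
# write only to designated directories. OWNER is the deploy/admin account,
# GROUP the group the web server runs as (www-data on Debian, apache or
# nginx on RHEL; assumption, check your distribution).

# harden_webroot ROOT OWNER GROUP [WRITABLE_SUBDIR...]
# Code: OWNER:GROUP, dirs 750, files 640 -> the server reads, never writes.
# Each WRITABLE_SUBDIR (uploads, cache, sessions): 2770 so the server can
# write and new files inherit GROUP; files inside 660, never executable.
harden_webroot() {
    local root=$1 owner=$2 group=$3 sub
    shift 3
    chown -R "$owner:$group" "$root"
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    for sub in "$@"; do
        mkdir -p "$root/$sub"
        chown "$owner:$group" "$root/$sub"
        find "$root/$sub" -type d -exec chmod 2770 {} +
        find "$root/$sub" -type f -exec chmod 660 {} +
    done
}

# server_writable ROOT
# Lists everything under ROOT that is group-writable, sorted. After
# harden_webroot this should be exactly the writable subdirs and their
# contents; anything else is a place a compromised server could plant code.
server_writable() {
    find "$1" -perm -0020 -print | LC_ALL=C sort
}

# Stand-alone use (assumed paths and names):
#   sudo ./webroot.sh /var/www/site deploy www-data uploads cache
if [ $# -ge 3 ]; then
    harden_webroot "$@"
    echo 'group-writable paths (should be only the writable subdirs):'
    server_writable "$1"
fi
```

Pair this with a web-server rule that never executes scripts from the writable directories (PHP handlers off, or `noexec` on a separate mount), since the 660 mode only stops direct execution, not interpretation by the application.
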
15. **Check logs for permission denials:**
    ```bash
    sudo journalctl -b -p err | grep -i "permission denied"
    sudo dmesg | grep -i "permission denied"       # dmesg needs root when kernel.dmesg_restrict=1
    sudo grep -i "permission denied" /var/log/syslog   # Debian/Ubuntu; /var/log/messages on RHEL/Fedora
    ```

    Denials from mandatory access control never say "permission denied" in the
    application log; a process that has the right mode bits and still fails is
    the classic symptom. Look for them separately:
    ```bash
    sudo ausearch -m AVC -ts recent                      # SELinux, via auditd
    sudo grep 'apparmor="DENIED"' /var/log/kern.log      # AppArmor (or journalctl -k)
    ```

16. **Report findings:**
    Summarize:
    - Incorrect permissions on system directories
    - Security issues (world-writable without sticky, unexpected SUID)
    - User home directory issues
    - Files/directories with wrong ownership
    - Missing group memberships
    - ACL or SELinux issues

17. **Provide recommendations:**
    - Fix commands for identified issues
    - Whether to add user to specific groups
    - Security improvements for sensitive directories
    - Standard permission schemes for common directories
    - Whether to use ACLs for complex permission needs

## Important notes:
- Always backup or test in safe environment first
- Changing system permissions incorrectly can break the system
- Use sudo carefully when fixing permissions
- Don't recursively chmod/chown system directories without understanding
- Some non-standard permissions may be intentional
- Check application documentation for required permissions
- SELinux/AppArmor may also affect access beyond traditional permissions
- Sticky bit on /tmp is critical for security
- SUID/SGID bits on unexpected files are security risks