Linux File Permissions
- February 26, 2008
- 0 Comment
- Guides
- Posted by Gee
In a multi user system you need a way to protect each user from another. One of the reasons is that a user can abuse the system for his needs, or be able to read/modify/delete another users work. Even if your using your linux box in a single-user mode you need to protect your self from making deadly mistakes that can damage your system.
Permissions on files and directories
On a plain file their are three permission attributes: read (r), write (w), and execute (x). Read permission let you read the data from a file. Write permission let you write new data to a file. Execute permission let you use the file as a program or a shell sctipt.
Same permission attributes apply fot directories but they have a different meaning. If a directory has read permission you can see what files are in the directory (using the ls command without arguments or options), write permission to a directory means you can add, remove or rename files in the directory (providing you have the permission to cd into that directory). Execute permission (also called the “search bit”) allow you to use the directory name when accessing files inside that directory (to cd into the direcroty).
Of curse this was the “plain” meaning. Lets do a more in-depth discussion about the differences between the permissions on files and on directoried.
On a regular file the Read bit allow the file to be opened and read. Write bit allows the content of the file to be modified or truncated. Deleting and Renaming of the file are controlled by the permission on its parent directory.
Execute bit allow the file to be executed. Executable bit for a directory, which is also called the “search bit”, allows the directory to be entered, but not to be listed (this is common error for many people) using the ls command with options or/and arguments. Only when you combine read and executable access bits together to a directory you allow the content to be listed using ls with options like ls -l.
What is the difference between Read access on a Directory and Read and Executable access on Directory?
In a *NIX operating system every thing is treated as a file, even the hardware is treated as a file. The file contains an index, an inode number which point to some important informaiton about the file, such as the permissions of the file, the size of the file, when the file was last accessed, when the file was last modyfied, and were phisically on the Hard Disk the information for the file is stored.
A directory is no more than a file with a list of files it contains. If we have the Read bit set on a file which is a directory in our file system, we can read the content of this file and see which files it contains, but to access the inode information we will need the Execute Bit set on that directory. So if we use ls on a directory having only the Read bit set we will see file names the directory contains. If we have both Read and Executable bits set we can use options and arguments with the ls command that will access the inode information for that file and display it for us.
$ls -l
dr——– 2 ofir ofir 1024 Apr 20 03:47 demo/
Inside the demo directory their are two files:
-rw-r–r– 1 ofir ofir 0 Apr 20 03:49 demo.html
-rw-r–r– 1 ofir ofir 0 Apr 20 03:49 ofir.html
When we use the ls command without any options we see the following results:
$ls demo
/bin/ls: demo/ofir.html: Permission denied
/bin/ls: demo/demo.html: Permission denied
If you have set write and executable permission to a directory you allow files to be created, deleted & renemed within the directory.
Remark: if you have an execute permission only to a directory you can still execute files or shell scripts in that directory. You need to know the exact file name (in advance) and to have the appropriate permissions set for the files.
Displaying & understanding the permissions information using ls -l
The information about who can read, write and execute the contents of the file, together with three other bits that affect the operation of executable programs, and four bits of file-type information are stored on the files inode.
We can see those permissions using the ls -l command:
-rwxr-xr-x 4 mia users 1024 Nov 19 07:44 tempfile
(-rwxr-xr-x are the files type and permissions; 4 number of links to the file; mia is the user ID of the file owner; users is the group ID of the group that the file belongs to; 1024 file size in bytes; Nov 19 07:44 Last modification date of the file; tempfile is the name of the file/directory)
-rwxr-xr-x
The type of the file is determind by the first character of the ls -l listing as folows:
Filetypes listed by ls -l
Filetype Symbol
Regular file –
Directory d
Character device file c
Block device file b
Unix domain socket s
Named pipe p
Symbolic link l
The next nine permission bits are used to determind what operations may be performed on a file and by whom. Their are three sets of read/write/execute permissions. The first set (marked with blue) is for the owner of the file (with octal values of 400,200,100). The second set (marked with red) is for the group of the file (with octal values of 40,20,10) and the third set (marked with navy) is for the world (with octal values of 4,2,1). If the permission is not true, a dash points lack of privlage. A user can fit into one set of the three permissions sets. The permissions used are those that are classwise most restrictive.
If the users ID does not match the owners ID, than we check for a match between the users group ID to the files group ID, if still we do not have a match the user would be given the world permissions.
What is the “umask”
How is the file permissions are set in the first place?
When you create a new file the shell variable umask determinds the default permissions set for the new file.
We can see the default permission if we use the following command:
$ umask
022
umask is specified as a three digit octal value that represents the new files permissions. The first digit is for the owner permissions the second digit is for the group permissions and the third digit is for world permissions.
umask represent what is not allowed for the new file by default. If we examine our default permission for the owner we see he has zero assigned to him. This means he is allowed to do everything since nothing is forbidden. The Group permissions has the number 2 assigned to it. This means that the Write permission is not set by default for the group permission. How do we calculate this? Read has the value of 4, Write the value of 2, and execute has the value of 1. The same goes with the default permission for the world. Here the owner will have Read and Write Permission to the newly created file, the group and world permissions would be Read. Why the executable bit vanished?
Why is this? where went the value 1 for the executable? By default a new file is not given an executable permission. This is done to distinguish between regular files to programs (binary files) and shell scripts.
For directories the executable permission is set since with no executable set we cannot cd into the directory.
How do you set the value of umask?
$umask 027
This will set all new files created by you to default permission of read, and write for the owner (since nothing is forbidden and this is a file). Read for the group and no permission at all for world permission. The mathematics for a file is 666-026=640.
If this was a Directory newly created by us, than the permissions for the owener were Read, Write, and Execute. Permissions for the Group were Read and Execute, and no permissions at all for the world.
Permission encoding for umask
Octal Permission
0 rwx
1 rw-
2 r-x
3 r–
4 -wx
5 -w-
6 –x
7 —
Group permissions
When you work on a project with other system users, you may need to grant access to your team mates to modify the files on the team project directory. You need also to block access from other (world) users or restrice them in a way they could not harm your the teams work.
How does the group permission is determind by the different *NIXs?
* System V based systems, your primary-group membership determinds the ownership of the files you create (Linux as well).
* BSD UNIX, files are owned by the group that owns the directory in which you create the file.
* Sun OS 4.x & System V release 4 – system administrator decides which of the two above methods a filesystem will use for group pwnership.
The bits with octal value 4000 and 2000 are the setuid and setgid bits. The bits allow programs to access files and programs that would be otherwise off-limit to the user that runs them. When you are executing a program with the setuid bit set you are granted with the owners permissions to this program until you are finished with it. When you are executing a program with the setgid bit set you are granted with the groups permissions to this program until you finish executing the program.
If the setgid is set, BSD rule apply’s if the bit is not set, the System V rule apply. (We set the setgid with chmod g+s and remove it with chmod s-g as you will see later in this editorial).
The Sticky Bit
If a user has write permission on a directory he can rename and remove files on that directory even if those files not belong to him. How can we prevent this? The owner of a directory can set the directory’s “sticky bit”, octal value 1000, which will give the rename and remove permissions of any file in that directory to the fileowner, the directory owner, and the superuser (in this order).
If you examine your / directory using the command ls -l, you will notice your /tmp directory has the sticky bit on.
drwxrwxrwt 4 root root 50176 Apr 20 04:50 tmp/
This allow different users to use this directory for temporary files, when only the file owner can delete his files (the directory owner for /tmp is the root user and he can also delete files). This prevents other users from deleting temporary files created by others and harming their work.
Changing permissions
The chmod command is used to change the file permissions. The file owner and the root user can change the files permissions. The command syntex is:
chmod new-mode file(s)
You can use two modes with chmod – symbolic mode and numberic mode.
With symbolic mode:
chmod symbolic modes
Which user?
u user/owner
g group
o others
a all
Action performed
– remove this permission
+ add this permission
= set exactly this permission
Permissions
r read access
w write access
x execute access
s set user or group ID (+,-)
t set the “sticky bit”
Examples:
chmod a+r myfile
Gives all users read access to the file myfile.
chmod +r myfile
Same as the above (if no argument is set before the {+,-,=} than the default is all).
chmod og-x myfile
Remove execute permission from others and group.
chmod g+rx myfile
Let the group read and execute permissions to myfile.
chmod o=r myfile
Set other permission to read-only regardless of what other bits are set.
chmod g=o myfile
Set the group permission to be exactly as the other permissions.
chmod g+x,o+w myfile
You allowed to combine two or more specifications seperated by commas. This command adds execute permissions to the group and write permission to the owner of myfile.
chmod -R permissions dirname
You can also set, recursivly, all files under a directory to the same permissions.
chmod g+x *
You can use wildcards as well with chmod. This will add execute permission for group on all files at the directory the command will be performed on.
With numeric mode, syntex:
chmod tyz myfile(s)
tyz is an octal number that represents the permissions to be assigned, and the second argument(s) are names of files which the permissions should be changed on. The first octal digit (t) represents the owner, the second digit (y) represents the group and the third digit (z) represent other. If you need to use the “sticky bit” or setuid or setgid (1000, 2000, 4000 octal values), you use four octal digits, where the three special bits forming the last three digits.
Permission encoding for chmod
0 000 —
1 001 –x
2 010 -w-
3 011 -wx
4 100 r–
5 101 r-x
6 110 rw-
7 111 rwx
Examples:
chmod 720 myfile
Will give read, write & execute permissions to the owner, write permission to the group and no permission at all for other.
chmod 711 myfile
Gives all pemissions to the owner, execute only for group and other.
Changing file ownership WITH chown
The chown command is used to change the file ownership. You need to be either the file owner or the root user to issue this command. The syntex is simple:
chown new_owner file
Changing group ownership with chgrp
chgrp command is used to change the group ownership of a file. You must be either be the file owner and belong to the group you are changing to, or be the superuser.
chgrp new_group file
The group value can be either a group name or a numeric group ID.
How to protect an important file?
One method is to set your file permissions to read-only ( chmod -w filename), and not have a Write permission on the directory permissions. If you have other files in that directory that do require changes, than you’ll have to set the Write permission on the directory back. If you than try to remove the file you will be warned:
-r——– 1 mia users 422 Dec 6 11:12 test2
$rm test2
rm: remove ‘test2’, overiding mode 0400?
You will get a warning also if you’ll try to move a file into another file which is write protected (don’t have write permission), and his directory permission includes the Write permission.
You can bypass this warnings (and not to be warned) if you will use the -f (force) switch with rm & mv.
Setting the correct permissions
Setting the correct permissions to a directory and to a file inside it is very important. Easily you can bypass the files permissions if your directory permissions allow to manipulate them. See the following example as a warning.
Suppose you have a Read access to a file but you do not have write access to it (you can not modify it). But you have write access to the directory. Than you can do as follows:
$ls -l test -r–r–r– 1 mia users 300 Dec 16 14:00 test
When you will try to write the file you will get: ‘test: permission denied’. But:
$cat test > temp
$vi temp
$mv temp test
mv: move overidint mode 400? y
Yes, the file cannot be modified directly since it is write protected BUT the directory has write permission – we can create a new file inside. We can copy the file since we have read access. After that we can edit the file to our heart wish. We can also move the newly created file on top of the test file because the directory got write permission and this allows renaming.
Conclusion: setting directory write access to other might be dangerous.
Advice: set your umask correctly (default is 022 for directories it would give us -rwxr-xr-x, and on files -rw-r–r–).
More about groups
All users are members in at least one group. The membership is created when the system administrator creates your account on the system. You can look at the file /etc/passwd and look at the line that sets your account on the system (This line starts with your login name). The fourth field is your Primary-Group ID (PID):
$ grep mia /etc/passwd
mia /etc/passwd mia :100:100 fir arkin:/home/mia/:/bin/bash
100 is my GID (Group ID). How to find the name behind the GID?
$grep 100 /etc/group
users::100:games
My primary group is users and when i log in my GID is set to 100. You are not limited to one group only, but you belong only to one primary group. To find if you are a member in other groups you can issue the following commands:
$grep user_name /etc/group
or
$groups user_name
The result will include your primary group and if you are a member in other groups as well they will be listed, Your login name will be written as part of the groups members. i.e:
“users:100:mia,fo_twenny,games”
This is the result when i issued the “grep user_name /etc/group” command.
On Linux you are always on one group at a time, even if your a member of several. If you need to access files that are owned by another group that you belong to, you need to use the command newgrp:
$newgrp group_name
If the groupname group has password you will be promped to enter it. Linux approach is like System V approach. After issuing the command your Group ID (GID) would be changed and you would be granted with the permission the group has on the file/diretory.
On BSD systems you are always a member of all your groups and that means you have access to files that owned by all of your groups.
Why is ‘group’ important?
When you are a member of a certain project or belong to a department at your work, you do not want that other people that are not belong to your group will harm your work or even delete it. The group permission play a major rule in restricting access for people that are not belong to your group.
$chmod 770 my_project_dir
This will restrict your project directory to other compeletly, but still your group people will have read, write & execute permissions.
- Tags: Linux, Linux File Permissions, unix