To understand this article you should to be familiar with Linux adva-
nced file permissions, otherwise go throw bellow link before following
this article.
Advanced File Permissions
My Obejective:
I have a folder which I want to share with "rw" permissions for a
selected group of users. Let's say the folder is /home/project and I
want to share it with the group development. What I want is not only
having users accessing files in /home/project with rw access, but also
to ensure that all files created in /home/project will have ownership
username:development and permissions -rw-rw-r--.
Sharing a directory among users in same group is one of the essential
tasks.To let a group of users work on a set of files without infringing
on security, you'll have to do this:
1.Create a common group for these users in /etc/group
# groupadd development
check group created or not
# tail -1 /etc/group
development:x:501:
2.Add user project administrator (padmin) and setup password
# useradd -g development -d /home/project -c "Project Admin" \
-m padmin
# tail -1 /etc/passwd
padmin:x:501:501:Project Admin:/home/project:/bin/bash
#passwd padmin
3.Create separate user accounts for the rest of users but specify the
same home directory.
# useradd -d /home/project/ -g development user1
# passwd user1
Add another user:
# useradd -d /home/project/ -g development user2
# passwd user2
Create as many user accounts as you want.
4.Make sure the home directory and all subdirectories are not owned by
any of the users. Use chown to surrender ownership to padmin.
# chown padmin:development /home/project/
# ls -ld /home/project/
drwxrwxr-x 18 padmin development 4096 Mar 28 16:18 /home/project/
5.Make the directories group-writable and set their SGID and Sticky
Bits with chmod 3775 (1 for sticky and 2 for SGID).
# chmod -R 3775 /home/project/
# ls -ld /home/project/
drwxrwsr-t 18 padmin development 4096 Mar 28 18:22 /home/project/
In this scenario, every user of the group has write permission on the
directory and can create files and directories, but can only delete
those he owns. SGID bit ensures that all files created in
/home/project will have ownership username:development and Sticky bit
ensures that only owner can delete files those he owns
Note that setting the SGID permission on a directory only affects the
groupID of new files and subdirectories created after the SGID bit is
set, and is not applied to existing entities. Setting the setgid bit
on existing subdirectories must be done manually.
Can You Inherit File Permissions?
When you create a file or directories under a directory the default
permission for them will be determined by your umask, files or
directories won't inherit parent directory permissions, only SGID bit
inherited by newly created directories under it. So even your shared
directory has group writable, you can't edit other users files.
Login as user1 and create a temp file.
# su – user1
$ touch temp ; ls -l temp
-rw-r--r-- 1 user1 development 0 Mar 28 18:54 temp
Now logins as user2 and try to edit temp file.
# su - user2
$ cat > temp
-bash: temp: Permission denied
There is no way to inherit permissions from a directory, it's contro-
lled by the process's umask. But there is a way to make file permissi-
ons group writable when it is created.Add umask 002 command to .bashrc
file if it exist, otherwise create it and add the command.
# su - padmin
$ ls -l .bashrc
-rwxrwsr-t 1 padmin development 124 Mar 28 13:05 .bashrc
$ cat >> .bashrc
umask 002
Ctrl+d
Now login as user1 and create a temp file.
# su - user1
$ touch temp ; ls -l temp
-rw-rw-r-- 1 user1 development 0 Mar 28 19:38 temp
File created with default group writable permissions.
Note: Inform already logged in users to logout and login again.
Have you thought about using ACLs? They will give you much finer
grained control over the permissions you can set on files and directo-
ries. ACLs will also allow you to set a default mask for any given
directory.
To know more about ACLs(Access Control Lists) Google it as Linux acls
or wait for my next article.
Sunday, March 28, 2010
Posted by venu k
6 comments | 11:26 AM
Saturday, March 27, 2010
Posted by venu k
84 comments | 10:51 AM
After you have worked for a while with Linux you discover probably
that there is much more to file permissions than just the "rwx" bits.
When you look around in your file system you will see "s" and "t"
$ ls -ld /tmp
drwxrwxrwt 29 root root 36864 Mar 21 19:49 /tmp
$ which passwd
/usr/bin/passwd
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 22984 Jan 6 2007 /usr/bin/passwd
What is this "s" and "t" bit? The vector of permission bits is really
4 * 3 bits long. Yes there are 12 permission bits,not just 9.The first
three bits are special and are frequently zero. And you almost always
learn about the trailing 9 bits first.Some people stop there and never
learn those first three bits.
The forth permission bit is used only when a special mode of a file
needs to be set. It has the value 4 for SUID, 2 for SGID and 1 for the
sticky bit. The other 3 bits have their usual significance.
Here we will discuss about the 3 special attributes other than the
common read/write/execute:
1.Set-User-Id (SUID)
2.Set-Group-Id (SGID)
3.Sticky Bit
Set-User_Id (SUID): Power for a Moment:
By default, when a user executes a file, the process which results in
this execution has the same permissions as those of the user. In fact,
the process inherits his default group and user identification.
If you set the SUID attribute on an executable file, the process res-
ulting in its execution doesn't use the user's identification but the
user identification of the file owner.
The SUID mechanism,invented by Dennis Ritchie,is a potential security
hazard. It lets a user acquire hidden powers by running such a file
owned by root.
$ ls -l /etc/passwd /etc/shadow /usr/bin/passwd
-rw-r--r-- 1 root root 2232 Mar 15 00:26 /etc/passwd
-r-------- 1 root root 1447 Mar 19 19:01 /etc/shadow
The listing shows that passwd is readable by all, but shadow is unre-
adable by group and others. When a user running the program belongs to
one of these two categories (probably, others), so access fails in the
read test on shadow. suppose normal user wants to change his password,
How can he do that? He can do that by running /usr/bin/passwd. Many
UNIX/Linux programs have a special permission mode that lets users
update sensitive system files –like /etc/shadow --something they can't
do directly with an editor. This is true of the passwd program.
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 22984 Jan 6 2007 /usr/bin/passwd
The s letter in the user category of the permission field represents a
special mode known as the set-user-id (SUID). This mode lets a process
have the privileges of the owner of the file during the instance of
the program. Thus when a non privileged user executes passwd, the eff-
ective UID of the process is not the user's, but of root's – the owner
of the program. This SUID privilege is then used by passwd to edit
/etc/shadow.
What is effective user-id:
Every process really has two user IDs: the effective user ID and the
real user ID. (Of course, there's also an effective group ID and real
group ID.Just about everything that's true about user IDs is also true
about group IDs) Most of the time,the kernel checks only the effective
user ID. For example, if a process tries to open a file, the kernel
checks the effective user ID when deciding whether to let the process
access the file.
Save the following script under the name reids.pl and make it
executable (chmod 755 reids.pl).
#!/usr/bin/perl
# print real UID
print "Real UID: $<\n";
# print real GID
print "Real GID: $(\n";
# print effective UID
print "Effective UID: $>\n";
# print effective GID
print "Effective GID: $)\n";
check file permissions:
$ ls -l reids.pl
-rwxr-xr-x 1 venu venu 203 Mar 24 10:40 reids.pl
Note: For security reasons the s-bit works only when used on binaries
(compiled code) and not on scripts (an exception are perl scripts).
Scripts,i.e. programs that cannot be executed by the kernel directory
but need an interpreter such as the Bourne shell or Java,can have
their setuid bit set, but it doesn't have any effect. There are some
platforms that honor the s bits even on scripts ( some System V vari-
ants, for example), but most systems don't because it has proven such
a security headache - most interpreters simply aren't written with
much security in mind. Set the SUID bit on shell script is useless,
that's why I am using perl script here.
When you run the script you will see that the process that runs it
gets your user-ID and your group-ID:
$ ./reids.pl
Real UID: 500
Real GID: 500 500
Effective UID: 500
Effective GID: 500 500
Note: If you get an error like this:
Can't do setuid (cannot exec sperl)
In Debian install perl-suid using following command:
apt-get install perl-suid
In Centos install perl-suidperl using following command:
yum install perl-suidperl
Now change owner ship to another user (Do it as an administrator).
# chown king /home/venu/reids.pl
# ls -l /home/venu/reids.pl
-rwxr-xr-x 1 king venu 203 Mar 24 10:40 /home/venu/reids.pl
Now run the script again.
$ ./reids.pl
Real UID: 500
Real GID: 500 500
Effective UID: 500
Effective GID: 500 500
What you observed, the output of the program depends only on the user
that runs it and not the one who owns the file.
How to assign SUID permission:
The SUID for any file can be set (mostly by the superuser) with a
special syntax of the chmod command. This syntax uses the character s
as the permission. Now add SUID permission to the script reids.pl :
# chmod u+s /home/venu/reids.pl (Do it from root account)
Now return from the super user mode to the usual non privileged mode.
$ ls -l reids.pl
-rwsr-xr-x 1 king venu 203 Mar 24 10:40 reids.pl
To assign SUID in an absolute manner, simply prefix 4 to whatever
octal string you would otherwise use (like 4755 instead of 755).
The file reids.pl is owned by king and has the s-bit set where norma-
lly the x is for the owner of the file. This causes the file to be
executed under the user-ID of the user that owns the file rather than
the user that executes the file. If venu runs the program then this
looks as follows:
$ perl reids.pl
Real UID: 500
Real GID: 500 500
Effective UID: 503
Effective GID: 500 500
Effective user id of process is 503, this is not the venu's , but of
king's - the owner of the program. As you can see this is a very powe-
rful feature especially if root owns the file with s-bit set. Any user
can then do things that normally only root can do.
Caution: When you write a SUID program then you must make sure that
it can only be used for the purpose that you intended it to be used.
As administrator, you must keep track of all SUID programs owned by
root that a user may try to create or copy. The find command easily
locate them:
# find /home -perm -4000 -print | mail root
The extra octal bit (4) signifies the SUID mode, but find treats the
"–" before 4000 as representing any other permissions.
Set-Group_Id (SGID):
The set-group-id (SGID) is similar to SUID except that a program with
SGID set allows the user to have the same power as the group which
owns the program. The SGID bit is 2,and some typical examples could be
chmod g+s reids.pl or chmod 2755 reids.pl.
You can remove SGID bit using following commands:
$ chmod g-s reids.pl
$ chmod 755 reids.pl (Absolute manner)
It is really useful in case you have a real multi-user setup where
users access each others files. As a single homeuser I haven't really
found a lot of use for SGID. But the basic concept is the same as the
SUID,Similar to SUID, SGID also grants privileges and access rights to
the process running the command, but instead of receiving those of the
file's owner it receives those of the file's group. In other words,the
process group owner will be set to the file's group.
I explain it with an example. I have created two user accounts king
and venu with same home directory project. king belongs to king and
development groups, venu belongs to venu and development groups.
# groups king venu
king : king development
venu : venu development
venu's default group is venu and king's default group is king.
Login as king and create reids.pl file again and make it executable
(using chmod 755 reids.pl) .
$ id
uid=503(king) gid=503(king) groups=501(development),503(king)
$ ls -l reids.pl
-rwxr-xr-x 1 king development 203 Mar 25 19:00 reids.pl
Now login as venu and run the program:
$ id
uid=501(venu) gid=504(venu) groups=501(development),504(venu)
$ perl reids.pl
Real UID: 501
Real GID: 504 504 501
Effective UID: 501
Effective GID: 504 504 501
The effective GID of the process is the venu's,but not of the king's
-the owner of the program.
Now login as king and assign SGID bit to reids.pl program:
$ chmod 2755 reids.pl; ls -l reids.pl
-rwxr-sr-x 1 king development 203 Mar 25 19:00 reids.pl
Now login as venu and run the reids.pl program:
$ perl reids.pl
Real UID: 501
Real GID: 504 504 501
Effective UID: 501
Effective GID: 501 504 501
Real GID and Effective GID are different,here Effective GID is the
king's - the owner of the program.
Set SGID on a directory:
When SGID is set on a directory it has a special meaning. Files crea-
ted in a directory with SGID set will inherit the same group ownership
as the directory itself,not the group of the user who created the file.
If the SGID is not set the file's group ownership corresponds to the
user's default group.
In order to set the SGID on a directory or to remove it, use the
following commands:
$ chmod g+s directory or $ chmod 2755 directory
$ chmod g-s directory or $ chmod 755 directory
As I mentioned earlier venu and king's home directory is same that is
/home/project. I changed group ownership of /home/project directory
to development.
# ls -ld /home/project/
drwxrwxr-x 16 root development 4096 Mar 26 00:22 /home/project/
Now login as king and create a temp file.
$ whoami
king
$ pwd
/home/project/
$ touch temp; ls -l temp
-rw-r--r-- 1 king king 0 Mar 26 12:34 temp
You can see from the ls output that the group owner for project is
development, and that the SGID bit has not been set on the directory
yet. When king creates a file in project, the group for the file is
king (king's primary gid).
Set SGID bit on project directory. For that login as administrator
and set SGID bit using following command:
# chmod g+s /home/project/
# ls -ld /home/project/
drwxrwsr-x 15 root development 4096 Mar 26 12:34 /home/project/
From the ls output above, you know the SGID bit is set because of the
s in the third position of the group permission set,which replaces the
x in the group permissions.
Now login as king and create temp2 file.
$ whoami
king
$ touch temp2; ls -l temp2
-rw-r--r-- 1 king development 0 Mar 26 13:49 temp2
Notice the group ownership for temp2 file. It inherits group permiss-
ion from the parent directory.
Enabling SGID on a directory is extremely useful when you have a
group of users with different primary groups working on the same set
of files.
For system security reasons it is not a good idea to set many
program's set user or group ID bits any more than necessary,since this
can allow an unauthorized user privileges in sensitive system areas.If
the program has a flaw that allows the user to break out of the inten-
ded use of the program, then the system can be compromised.
Sticky bit:
The sticky bit(also called the saved text bit) is the last permission
bit remaining to be discussed. It applies to both regular files and
directories. When applied to a regular file, it ensures that the text
image of a program with the bit set is permanently kept in the swap
area so that it can be reloaded quickly when the program's turn to use
the CPU arrives. Previously, it made sense to have this bit set for
programs like vi and emacs. Today,machines with ultra-fast disk drives
and lots of cheap memory don't need this bit for ordinary files and
that is also useless.
However, the sticky bit become a useful security feature when used
with a directory. The UNIX/Linux system allows users to create files
in /tmp, but none can delete files not owned by him. That's possible
because sticky bit set for /tmp directory.
The /tmp directory is typically world-writable and looks like this
in a listing:
# ls -ld /tmp
drwxrwxrwt 32 root root 36864 Mar 27 12:38 /tmp
Everyone can read,write and access the directory.The t indicates that
only the user (root and owner of the directory,of course) that created
a file in this directory can delete that file.
In order to set or to remove the sticky bit, use the following
commands:
$ chmod +t directory or $ chmod 1754 directory
$ chmod -t directory or $ chmod 754 directory
Note: 754 permissions for a directory are powerful enough to guard
your directories from intruders with malicious intentions, that's why
I used 754 as default,if yow want you can change it.
Example:
I logged in as king and created a temp file.
$ whoami
king
$ pwd
/home/project/
$ touch temp; ls -l
-rw-r--r-- 1 king king 0 Mar 27 13:44 temp
Now logged in as venu and try to delete temp file.
$ whoami
venu
$ rm temp
rm: remove write-protected regular empty file `temp'? Y
$ ls temp
ls: temp: No such file or directory
So what happened? venu deleted file owned by king.
Assign sticky bit to the project directory.As a owner of the directory
or administrator.
# chmod +t /home/project
# ls -ld /home/project/
drwxrwxr-t 15 root development 4096 Mar 27 13:46 /home/project/
From the ls output above, you know the sticky bit is set because of
the t in the third position of the other permission set,which replaces
the x in the other permissions.
Now repeat same steps again,then you get the following message:
$ whoami
venu
$ ls -l temp
-rw-r--r-- 1 king king 0 Mar 27 17:36 temp
$ rm temp
rm: remove write-protected regular empty file `temp'? y
rm: cannot remove `temp': Operation not permitted
Observation: Login as normal user and create a file.
[venu@localhost ~]$ touch sample
[venu@localhost ~]$ ls -l sample
-rw-rw-r-- 1 venu venu 0 Dec 21 03:41 sample
Now change permissions to 644
[venu@localhost ~]$ chmod 644 sample
[venu@localhost ~]$ ls -l sample
-rw-r--r-- 1 venu venu 0 Dec 21 03:41 sample
Now assign SUID permission.
[venu@localhost ~]$ chmod u+s sample
[venu@localhost ~]$ ls -l sample
-rwSr--r-- 1 venu venu 0 Dec 21 03:41 sample
After setting SUID, if you see 'S' then it means that the file has no
executable permissions for that user.
Now remove SUID permission and change permissions to 744. Then assign
SUID permission. You should see a smaller 's' in the executable permi-
ssion position.
[venu@localhost ~]$ chmod u-s sample
[venu@localhost ~]$ chmod 744 sample
[venu@localhost ~]$ chmod u+s sample
[venu@localhost ~]$ ls -l sample
-rwsr--r-- 1 venu venu 0 Dec 21 03:41 sample
Same is applicable for SGID and Stickybit.
Thursday, March 18, 2010
Posted by venu k
15 comments | 8:41 AM
What are file permissions:
Every file or folder in Linux has access permissions. There are three
types of permissions (what allowed to do with a file):
read access (symbolized by the letter r)
write access (symbolized by the letter w)
execute access (symbolized by the letter x)
Permissions are defined for three types of users:
the owner of the file (symbolized by the letter u )
the group that the owner belongs to (symbolized by the letter g)
other users (symbolized by the letter o)
Thus, Linux file permissions are nine bits of information. The table
below shows the syntax:
1 2 3 4 5 6 7 8 9 10 File User Permissions Group Permissions Other Permissions Type Read Write Execute Read Write Execute Read Write Execute d r w e r w e r w e
- > The first character is not a permission bit, it simply indicates
the type of file as indicated in the table below:
Character Type of file - regular file
d directory l symbolic link s socket p named pipe c character device file (unbuffered) b blocked device file (buffered)
Remaining nine bits are permission bits.
-> Characters 2-4 show owner of the file permissions.
Character 2 indicates read permission, character 3 indicates write
permission, and character 4 indicates execute permission.
-> Characters 5-7 show group permissions(group to which belong the file).
Character 5=read, 6=write, 7=execute .
-> Characters 8-10 show permissions for all other users. (users who are
neither a member of the Group nor the owner of the file)
Character 8=read, 9=write, 10=execute.
Ownership: When you create a file, you automatically become its
owner. The owner has full authority to tamper with a file's contents
and permissions –a privilege not available with others except the root
user.Similarly, You can create, modify or remove files in a directory
if you are the owner of the directory.
Group Ownership: When creating a user account,the system admin-
istrator also assigns the user to some group. People working on a
project are generally assigned a common group, and all files created
by group members (who have separate user ids) will have the same group
owner. However, make no mistake : The privileges of the group are set
by the owner of the file and not by the group members.
ls -l : Listing File Attributes
$ ls -l sample
-rwxr-xr-- 1 king development 0 Mar 15 00:26 sample
ls -l displays most attributes of a file – like its permissions,size
and ownership details. If file is a directory,to list attributes of a
directory use “ls -ld”.
As you can see in this example, the "ls -l" command gives a lot of
information about the file "sample":
- Its name, "sample";
- Its permissions, "-rwxr-xr--";
- Its owner, "king";
- Its group, "development";
- And other information time,size,date etc..
Permissions: rwx r-x r--
r Read access is allowed w Write access is allowed x Execute access is allowed - No permissions
The first group (rwx) has all three permissions.The file is readable,
writable and executable by the owner of the file,King. But do we Know
who the owner is? Yes we do. The third column shows king as the owner
and the first permissions group applies to king. You have to log in
with the username king for these privileges to apply to you.
The second group (r-x) has a hyphen in the middle slot, which indica-
tes the absence of write permission by the group owner of the file.
This group owner is development, and all users belonging to the devel-
opment group have read and execute permissions only.
The third group (r--) has the write and execute bits absent. This set
of permissions is applicable to others i.e., those who are neither the
owner king nor belong to the development group. So this file is not
world writable.
chmod: CHANGING FILE PERMISSIONS
If you are owner of the file you can set different permissions for
the three categories of users --owner,group, and others.It's important
that you understand them because a little learning here can be a
dangerous thing.A faulty file permission is a sure recipe for disaster.
The chmod (change mode) command is used to set the permissions of
one or more files for all three categories of users.It can be run only
by the user(the owner) and the superuser. The command can be used in
two ways:
1.In a relative manner by specifying the changes to the current
permissions.
2.In an absolute manner by specifying the final permissions.
Relative Permissions:
When changing permissions in a relative manner, chmod only changes
the permissions specified in the command line and leaves the other
permissions unchanged. In this mode it uses the following syntax:
chmod category operation permission filename(s).
Bellow table shows letters to represent category, operation and
permission:
Category Operation Permission u User + Assigns permission r Read Permission g Group - Removes permission w Write Permission o Other = Assigns absolute permission x Execute Permission a All(ugo)
Now let's consider an example. First create a file temp.
$ cat > temp
Hello world
Ctrl+d
$ ls -l temp
-rw-r--r-- 1 root root 12 Mar 16 13:32 temp
To assign execute permissions to the User of the file temp, we need
to frame a suitable expression by using appropriate characters from
each of the three columns of above Table. Since the file needs to be
executable only by the user,the expression required is u+x:
$ chmod u+x temp
$ ls -l temp
-rwxr--r-- 1 root root 12 Mar 16 13:32 temp
The command assigns(+) execute(x) permissions to the user(u), but
other permissions remain unchanged. To enable group and others to exe-
cute this file, you have to use multiple characters to represent the
user category(ugo) or simply use a it implies ugo.
$ chmod ugo+x temp
$ ls -l temp
-rwxr-xr-x 1 root root 12 Mar 16 13:32 temp
chmod command also accept more than one file name in the command line.
When you need to assign the same set of permissions to a group files,
all the file names have to be specified with a single chmod command:
$ chmod u+x temp1 temp2 temp3
Permissions are removed with the - operator. To remove the read
permission from both group and others, use the expression go-r:
$ chmod go-r temp ; ls -l temp
-rwx--x--x 1 root root 12 Mar 16 13:32 temp
chmod also accepts multiple expressions delimited by commas. For
instance, to restore the original permissions to the file temp,you
have to remove the execute permission from all(a-x) and assign read
permission to group and others(go+r):
$ chmod a-x,go+r temp; ls -l temp
-rw-r--r-- 1 root root 12 Mar 16 13:32 temp
More than one permission can also be set; u+rwx is a valid chmod
expression.So setting write and execute permissions for others is no
problem:
$ chmod o+rwx temp; ls -l temp
-rw-r--rwx 1 root root 12 Mar 16 13:32 temp
Absolute Permissions:
Some times you don't need to now what a file's current permissions
are,but want to set all nine permission bits explicitly.The expression
used by chmod here is a string of three octal numbers(base 8).Each type
of permission is assigned a number as shown :
I. Read permission - 4
II. Write permission - 2
III. Execute permission - 1
For each category we add the numbers that represent the assigned
permissions. For instance, 6 represents read and write permissions,and
7 represents all permissions.
This table shows what numeric values mean:
Octal digit Text equivalent Meaning 0 --- All types of access are denied 1 --x Execute access is allowed only 2 -w- Write access is allowed only 3 -wx Write and execute access are allowed 4 r-- Read access is allowed only 5 r-x Read and execute access are allowed 6 rw- Read and write access are allowed 7 rwx Everything is allowed
We see that "1" stands for execute only, "2" stands for write only,
"4" stands for read only.To combine the permissions you can simply add
1, 2 and 4 to get a needed combination. For instance, to get read and
write permissions,you add 4 (read) and 2 (write), thus getting 6 (read
and write). To get read and execute permissions, you add 4 (read) and
1 (execute), thus getting 5 (read and execute).
To take a simple example,if a file has read and write permissions for
the user, the octal representation of the user's permissions will be
4 + 2 = 6. When this exercise is repeated for the other categories, the
result will be a three character string representing three octal digi-
ts, with each octal digit indicating the permissions for the category.
The sequence followed is user,group and others. You can use this method
to assign read and write permissions to all three categories.
Examples:
To assign all permissions to the owner,read and write permissions to
the group,and only execute permission to the others, use this:
$ chmod 761 sample ; ls -l sample
-rwxrw---x 1 king development 0 Mar 15 00:26 sample
Assign yourself full access to read and modify the file,allow members
of the group to read it and do not allow any others access:
$ chmod 640 sample ; ls -l sample
-rw-r----- 1 king development 0 Mar 15 00:26 sample
Some octal permissions and their meaning:
Permissions Meaning 644 owner: read and write permissions,
group: only read permissions,
others: only read permissions. 755 owner: read, write and execute permissions,
group: read and execute permissions,
others: read and execute permissions. 754 owner: read, write and execute permissions,
group: read and execute permissions,
others: only read permissions.
As long as you're the owner of a file, you can use the chmod command
to set the permissions any way you like.
umask: Default file and Directory permissions:
The UNIX system has the following default permissions for all files
and directories:
rw-rw-rw-(octal 666) for regular files.
rwxrwxrwx(octal 777) for directories.
However,you don't see these permissions when you create a file or a
directory. To understand this let us first create an empty file called
sample using the touch command and then try to list it.
$ touch sample ; ls -l sample
-rw-r--r-- 1 king development 0 Mar 18 00:41 sample
How come that the file permissions for this file have been set to 644
What Unix does is it uses the value stored in a variable called umask
to decide the default permissions. The umask value tells Unix which of
the three permissions are to be denied rather than granted.The current
value of umask can be easily determined by just typing umask.
# umask
0022 (Default umask value for admin is 0022)
$ umask
0002 (Default umask value for normal user is 0002)
Here, the first 0 indicates that what follows is an octal number.This
octal number which has to be subtracted from the system default to ob-
tain the actual default. This becomes 664 (666-002) for ordinary files
and 775 (755-002) for directories.When you crate a file on this system
,it will have the permissions rw-rw-r--.
umask is a shell built-in command though it also exists as an external
command. A user can also use this command to set a new default. Here's
an extreme setting:
$ umask 000 All read-write permissions on
A umask value of 000 means that you haven't subtracted anything, and
this could be a dangerous. The system's default then applies (666 for
files and 777 for directories). All files and directories are then
writable by all; nothing could be worse than that! However, a mask
value of 666 or 777 doesn't make much sense either; you'll then be cr-
eating files and directories with no permissions.
For instance, if you want all new directories to get permissions
rwxr-xr--- and files to get permissions rw-r----- by default(modes 750
and 640), you'll need to use a umask value which removes all rights to
other,and write permissions to the group : 027. The command to use is:
$ umask 027
One important thing to remember is that,no one not even the administ
rator can turn on permissions not specified in the system wide default
settings. However you can always use chmod as and when required. The
system wide umask setting is placed in one of the machine's startup
scripts, and is automatically made available to all users.
Directory Permissions:
Unix treats every thing as a file, directories too are treated by
Unix as files.A directory, as Unix perceives, is a file which contains
the names of the files present in the directory.Hence a read permission
on a directory allows the listing of the directory contents and
nothing else.
Directories also have their own permissions and the significance
of these permissions differ from those of ordinary files. Read and
write access to an ordinary file are also influenced by the permissio-
ns of the directory housing them. It's possible that a file can't be
accessed even though it has read permission, and can be removed even
when it's is write protected.
Here are some typical permissions required on directories:
To understand permissions first create temp directory and create some
files in that directory.
$ mkdir temp
$ cd temp
$ touch a b
$ pwd
/home/project/temp
$ ls -l
total 8
-rw-r--r-- 1 king development 0 Mar 18 18:56 a
-rw-r--r-- 1 king development 0 Mar 18 18:56 b
-> Execute permission is required for a user to cd into a directory.
change temp directory permissions to 400(Read only permission).
Then try to change directory, you won't be permitted.
$ chmod 400 temp
$ cd temp
cd: temp: Permission denied
$ ls temp
a b
-> Read permission is required for a user to use a command such as ls
to view the files contained in a directory.
$ chmod 300 temp
$ ls temp
ls: temp: Permission denied
$ cd temp
$ pwd
/home/project/temp
-> Execute-only permission allows a user to access the files in a
directory as long as the user knows the names of the files in the
directory, and the user is allowed to read the files.
$ chmod 100 temp
$ ls temp/
ls: temp/: Permission denied
$ cat temp/a
Hello world
-> Write permission allows the user to create, delete, or modify any
files or sub directories, even if the file or sub directory is owned by
another user.
Difference in access permissions for files and
directories:
Access permissions for files and folders mean different things from
the user standpoint. The table below shows the difference.
Access type File Directory Read If the file contents can
be read If the directory listing can
be obtained Write If user or process can
write to the file
(change its contents) If user or process can change
directory contents somehow: create
new or delete existing files in the
directory or rename files. Execute If the file can
be executed If user or process can access the
directory, that is, go to it (make
it to be the current working direc
tory)
Subscribe to:
Posts (Atom)