We learnt about file mode permissions earlier. Now we're going to look at some of the tools that can be used to manipulate them.
As a reminder, the permissions field was the 9 digits after the file type field. In the long listing of your files above, the permission mode was set by default, system wide and user wide. This is set up for you by a parameter called umask, which we will discuss later on.
Let us look at the permission values and see what they mean on files and directory files - this is a revision section. Although the permissions have obvious effects for regular files, directories and their associated permissions can sometimes be confusing.
A directory for which you are allowed "read" access can have its contents listed by you, using, say, "ls".
However, you are only allowed to change into ("cd") a directory for which you have the "execute" permission, also called the "directory search bit".
If we break down the permissions field for a regular file as follows:
Table 4.3. File Permissions example 1
File type | Owner | Group | Other/public or everyone else on the system |
- | rwx | rwx | rwx |
This would mean that the file is a regular file and that anyone using the system can access the file: read it, write and change it, and execute it as a program (if relevant, as not all regular files are programs).
Again:
Table 4.4. File Permissions example 2
File type | Owner | Group | Other/public or everyone else on the system |
- | rw- | r-- | --- |
This would mean that the file is a regular file and the owner can read and write to the file, the group can only read the file and anyone else on the system has no permissions on that file at all.
Now with a directory file:
Table 4.5. File Permissions example 3
File type | Owner | Group | Other/public or everyone else on the system |
d | rwx | r-x | r-x |
Here the owner of the directory file can list the contents of the directory, change (edit and save) files within the directory, make new files and remove files. They can also cd into the directory or perform a find command that searches that directory with no permission errors.
The group and general public can list the contents of the directory and cd into the directory but cannot change (edit and save), remove, or write a new file into that directory.
Something to beware of: you may be getting permission errors on a directory even though you have checked that directory and you have full permissions on it. Look again at the parent directory; you probably do not have permissions on that directory, and that will stop you doing what you want or need to do even in the child directory.
You can use the chmod command to change the mode of a file:
Syntax: chmod mode file-name(s)
The octal format is supposedly a more difficult method (some find it easier than the symbolic method), but it is the way in which the modes are actually stored by the operating system, and is also the mode more widely used in documentation and in script files, and so is useful to know.
Each permission bit has a number associated with it:
r = 4
w = 2
x = 1
These numbers are then added together to form the set of modes that you want, for example if you want "rw-" permissions set then:
r + w = rw
4 + 2 = 6
There is a grouping of three sets of permissions and the octal method expresses all three fields (owner, group and public). Thus, a mode of "660" means that the user, and group, have "rw" access, and everyone else has no access (-rw-rw----).
The first digit ("6") is the mode that applies to the user (rw-), the second digit ("6") applies to the group (rw-) and the third digit ("0") applies to everyone else (---).
student@debian:~/dataset$ ls -l one.txt
-rw-r--r-- 1 student student 321 Feb 19 03:10 one.txt
student@debian:~/dataset$ chmod 660 one.txt
student@debian:~/dataset$ ls -l one.txt
-rw-rw---- 1 student student 321 Feb 19 03:10 one.txt
You must use one character out of each column to form a triple, with no spaces between the three characters.
Syntax: chmod permission-mode filename
Table 4.6. Symbolic File Permission switches
Owners | Add, Remove or Set | Permission |
u owner permissions | + adds the permission | r read |
g group permissions | - removes the permission | w write |
o other or world permissions | = sets the permission | x execute |
a all of the above |
You can use a comma (",") to separate operands, but don't use any spaces!
student@debian:~$ ls -l
total 8
drwxr-xr-x 2 student student 1024 Feb 19 05:08 dataset
drwxr-xr-x 2 student student 1024 Feb 19 05:01 dataset2
student@debian:~$ chmod ug=rw,o= dataset2
student@debian:~$ ls -l
total 8
drwxr-xr-x 2 student student 1024 Feb 19 05:08 dataset
drw-rw---- 2 student student 1024 Feb 19 05:01 dataset2
student@debian:~$ chmod u=rx,g-w,o+r dataset
student@debian:~$ ls -l
total 8
dr-xr-xr-x 2 student student 1024 Feb 19 05:08 dataset
drw-rw---- 2 student student 1024 Feb 19 05:01 dataset2
student@debian:~$ chmod a+rx,u=w dataset
student@debian:~$ ls -l
total 8
d-w-r-xr-x 2 student student 4096 Feb 19 05:08 dataset
drw-rw---- 2 student student 4096 Feb 19 05:01 dataset2
student@debian:~$ cd dataset
bash: cd: dataset: Permission denied
student@debian:~$ cd dataset2
bash: cd: dataset2: Permission denied
You cannot change into either of the directories because the owner (student) does not have "execute" or "search bit" access to either of them.
student@debian:~$ chmod u+x dataset*
student@debian:~$ ls -l
total 8
d-wxr-xr-x 2 student student 4096 Feb 19 05:08 dataset
drwxrw---- 2 student student 4096 Feb 19 05:01 dataset2
student@debian:~$ cd dataset
student@debian:~/dataset$ ls
ls: .: Permission denied
student@debian:~/dataset$ cd ..
Now we've given ourselves back search bit access, but we still don't have read access to "dataset", which means that while we can "cd" into it, we cannot get a listing of its contents!
Can you still "cat" files inside dataset, even though you only have "x" and not "r"?
Correct the permissions on the directories to what they should be.
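The octal and symbolic methods described above, side by side. This is an added example, not part of the original page: sym_to_octal and replay_symbolic are names introduced here, the scratch directory stands in for "dataset", and "stat -c %a" assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original page).

# Convert the nine permission characters from "ls -l" into octal.
# Only r, w, x and - are handled; the special bits are out of scope here.
sym_to_octal() {
    perms=$1
    out=""
    [ "${#perms}" -eq 9 ] || { echo "need 9 characters" >&2; return 1; }
    while [ -n "$perms" ]; do
        triple=${perms%"${perms#???}"}   # first three characters
        perms=${perms#???}               # the rest
        digit=0
        case $triple in r??) digit=$((digit + 4)) ;; esac
        case $triple in ?w?) digit=$((digit + 2)) ;; esac
        case $triple in ??x) digit=$((digit + 1)) ;; esac
        out=$out$digit
    done
    echo "$out"
}

# Replay the page's symbolic chmod calls on a scratch directory that
# starts at 755, and report the octal mode after each call.
replay_symbolic() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/dataset" && chmod 755 "$tmp/dataset"
    result=""
    for op in u=rx,g-w,o+r a+rx,u=w u+x; do
        chmod "$op" "$tmp/dataset"
        result="$result$op->$(stat -c %a "$tmp/dataset") "
    done
    chmod 755 "$tmp/dataset"   # restore access before cleaning up
    rm -rf "$tmp"
    echo "${result% }"
}

sym_to_octal rw-rw----
replay_symbolic
```

Each octal value reported by replay_symbolic corresponds to one of the "ls -l" listings in the sessions above.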
Only the root user may use the "chown" command; we will cover this command in detail in the System Administration section.
You can change both the owner and the group by using the following syntax:
Syntax: chown user:group <file>
This changes the user and group associated with the file.
A normal user may change the group to which a file belongs, provided that they are a member of that group and also own the file, by using the chgrp command.
The umask determines what the default permissions will be on a file that is created, either system-wide or per user if specified in the login files in the home directory. When using the bash shell, this is a builtin command.
It understands octal and symbolic representations of permissions.
To see what the current umask is, just type "umask":
student@debian:~$ umask
0022
student@debian:~$ umask -S
u=rwx,g=rx,o=rx
As you can see, the octal values for the umask are not the same as those for chmod.
In the umask above (0022), the first "0" we will not explain right now - suffice it to say that this relates to setting an additional permission bit (SUID, SGID or Sticky Bit).
In umask, the permission mode is calculated by subtracting from a full permission set of read, write and execute permission bits as follows: (r + w + x = 4 + 2 + 1 = 7)
A value of zero (0) in the umask then means full permissions (7 - 0 = 7).
A value of 2 in the umask means read (4) and execute (1) permissions (7 - 2 = 5).
To change the current umask:
student@debian:~$ touch file1
student@debian:~$ ls -l file1
-rw-r--r-- 1 student student 0 Feb 19 02:39 file1
student@debian:~$ umask u=rwx,g=rx,o= (OR umask 0027)
student@debian:~$ touch file2
student@debian:~$ ls -l
-rw-r----- 1 student student 0 Feb 19 02:39 file2
You'll notice that umask is clever enough to only apply the +x (execute) bit to directories, and not regular files as above. Regular files will not be executable by default.
student@debian:~$ mkdir dir1
student@debian:~$ ls -l file1 dir1
drwxr-x--- 2 student student 512 Jan 14 02:40 dir1
-rw-r--r-- 1 student student 0 Jan 14 02:39 file1
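The umask calculation above, checked against real files. This is an added example, not part of the original page, and it goes a little beyond the text: the system clears the umask bits from the mode a program requests (666 for touch, 777 for mkdir), which matches the subtraction for the umasks shown here but not in general, as umask 033 shows. predict_mode and observe_modes are names introduced here, and "stat -c %a" assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original page).

# Predict the resulting mode: requested bits with the umask bits cleared.
# Usage: predict_mode <requested-octal> <umask-octal>
predict_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Create a file and a directory under the given umask and print their
# real modes. The subshell keeps the caller's umask untouched.
# Usage: observe_modes <umask-octal>
observe_modes() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        touch "$tmp/file"      # touch requests 666
        mkdir "$tmp/dir"       # mkdir requests 777
        echo "$(stat -c %a "$tmp/file") $(stat -c %a "$tmp/dir")"
        chmod 700 "$tmp/dir"
        rm -rf "$tmp"
    )
}

# 022 and 027 are the umasks used on this page; 033 is a constructed
# case where per-digit subtraction (666 - 033 = 633) gives the wrong mode.
for mask in 022 027 033; do
    echo "umask $mask: predicted $(predict_mode 666 $mask) $(predict_mode 777 $mask)," \
         "observed $(observe_modes $mask)"
done
```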