104.5. Manage file permissions and ownership
Weight: 3
Description: Candidates should be able to control file access through the proper use of permissions and ownerships.
Key Knowledge Areas:
Manage access permissions on regular and special files as well as directories
Use access modes such as suid, sgid and the sticky bit to maintain security
Know how to change the file creation mask
Use the group field to grant file access to group members
Terms and Utilities:
chmod
umask
chown
chgrp
Users, groups and file ownership
By now, you know that Linux is a multiuser system and that each user belongs to one primary group and possibly additional groups. It is also possible to log in as one user and become another user using the su
commands. Ownership of files in Linux and access authority are closely related to user ids and groups.
User and groups
To start, let’s review some basic user and group information via some commands
whoami : It displays the username of the current user (ubuntu16.04)
groups: We can find out what groups you are in by using the
groups
command.
id : We can find out both user and group information using the
id
command.
It can show numeric ID’s (UID or group ID) of the current user or any other user in the server.
users and groups information are stored in /etc/passwd and /etc/group along other information.
File ownership and permissions
Every file on a Linux system has one owner and one group associated with it.
Use the ls -lls-l
command to display the owner and group.
As you can see, the file1 belongs to user1 and a group called user1.
The first character of a long listing describes the type of object. "-" for a regular file, "d" for a directory, "l" for a symbolic link(we will see them).
Permissions are specified separately for the file’s owner, members of the file’s group, and everyone else.
The Linux permission model has three types of permission for each filesystem object.
The permissions are read (r), write (w), and execute (x). Write permission includes the ability to alter or delete an object. A -
indicates that the corresponding permission is not granted. example:
As you can see fsck can be read, written and executed by its owner (root) and all root group members, but others can just read and execute that(probably with limited results )
Directories ownership and permissions
Directories use the same permissions flags as regular files, but they are interpreted differently.
Read permission for a directory allows a user with that permission to list the contents of the directory.
Write permission means a user with that permission can create or delete files in the directory.
Execute permission allows the user to enter the directory and access any subdirectories.
Without execute permission on a directory, the filesystem objects inside the directory are not accessible. Without read permission on a directory, the filesystem objects inside the directory are not viewable in a directory listing, but these objects can still be accessed as long as you know the full path to the object on disk. example:
The first charcter indicates that this a directory. The owner (user1) has read,write, execute access but other members of user1 group and others have just read and execute access on this directory, (as we mentioned, execute lets them to see files inside it )
Changing permissions
chmod
The command you use to change the permissions on files is called chmod , which stands for “change mode". There are to ways to tell this command what you want to do:
using short codes
using ocatl codes
1- using short codes: That is easier way.
reference can be
u as user (file's owner)
g as group (users who are members of the file's grou)
o as others (users who are not the file's owner / members of the file's group)
a as all (All three of the above, same as ugo)
Operator can be
+ Adds the specified modes to the specified classes
- Removes the specified modes from the specified classes
= The modes specified are to be made the exact modes for the specified classes
obviously modes might be
r :Permission to read the file
w :Permission to write (or delete) the file.
x : Permission to execute the file, or, in the case of a directory, search it.
If we want to set different permissions for user, group, or other, we can separate different expressions by commas —for example,
ug=rwx,o=rx
using a as ugo with = operator to set exact mode easier
2- using ocatl codes : So far we have used symbols (ugoa and rxw) to specify permissions. we can also set permissions using octal numbers instead of symbols.
For using octal codes with chmod we have to create an octal string, and that's is nothing more than a simple sum of numbers:
Symbolic | note | Octal |
rwx | 4+2+1 | 7 |
rw- | 4+2 | 6 |
r-x | 4+1 | 5 |
r-- | 4 | 4 |
-wx | 2+1 | 3 |
-w- | 2 | 2 |
--x | 1 | 1 |
--- | 0 | 0 |
To change permissions recursively on directories and files use -R
option:
Access modes
When we log in, the new shell process runs with your user and group IDs. This usually means that you cannot access files belonging to others and cannot write system files. From the other side, users are totally dependent on other programs to perform operations.
An important example is the /etc/passwd file, which cannot be changed by normal users directly, because write permission is enabled only for root. However, normal users need to be able to modify /etc/passwd somehow:
So, if the user is unable to modify this file, how can this be done? What is that "s"?
suid , guid
The Linux permissions model has two special access modes called suid (set user id) and sgid (set group id). When an executable program has the suid access modes set, it will run as if it had been started by the file’s owner, rather than by the user who really started it. Similarly, with the sgid access modes set, the program will run as if the initiating user belonged to the file’s group rather than to his own group.
Directories and sgidWhen a directory has the sgid mode enabled, any files or directories created in it will inherit the group ID of the directory. This is particularly useful for directory trees that are used by a group of people working on the same project.
sticky bit
We have just seen how anyone with write permission to a directory can delete files in it. This might be acceptable for a group project, but is not desirable for globally shared file space such as the /tmp directory. Fortunately, there is a solution. That is called the sticky bit.
If set stickybit for a directory, it permits only the owning user or the superuser (root) to delete or unlink a file.
Okey lets wrap up what we have learned:
access mode | on file | on directory |
SUID | executes with permissions of file owner | nothing |
GUID | executes with the permissions of group | new files have group membership of directory |
Sticky Bit | nothing | only owner can delete files |
How suid, guid and stickybit are implemented?
As there is no more room for setting Access modes, execution character is used. "s" letter is used for both suid and guid but "t" letter is for stickybit. Again we use +/-
for adding and removing permissions.
As you have probably noticed, if the file or directory is already executable s and t would be displayed after setting access modes.
But if the file or directory hasn't been executable before setting access mode, S and T would be appear.
As an example for suid consider ping command, as ping needs to access network card it needs root permissions, but an ordinary user can use it:
Now we try setting guid on a directory and we will create a file with another user:
And finally lets try how stickybit works on /tmp:
Setting Access Modes via octal codes:
We can also use octal codes to set suid, guid and stickybit:
Access Mode | octal |
SUID | 4000 |
GUID | 2000 |
StickyBit | 1000 |
And again we can use sum of digits.
umask
When a new file or directory is created, the creation process specifies the permissions that the new file or directory should have. Where do they come from? They came from the umask.
We can view your umask setting with the umask
command:
How umask work?
When a new file is created, the creation process specifies the permissions that the new file should have. Often, the mode requested is 0666, which makes the file readable and writable by anyone (but not executable). Directories usually default to 0777. However, this permissive creation is affected by a umask value, which specifies what permissions a user does not want to grant automatically to newly created files or directories. The system uses the umask value to reduce the originally requested permissions.
Usually umask is set system wide (it could be set per user) and we can find its configuration in one of these places (based on your linux distribution):
/etc/profile (usually)
/etc/bashrc (usually)
/etc/logindefs (ubuntu)
as we are using ubuntu here lets take look at /etc/logindefs:
it say umask would be 002 if USERGROUPS_ENAB is set, lets check it out:
which is why umask is 002 in our system.
Setting file owner and group
All files in Linux belong to an owner and a group. We can set the owner by using chown
command, and the group by the chgrp
command.
chown
The root user can change the ownership of a file using the chown
command.We can use user name or user ID.
The file’s group may be changed at the same time by adding a colon and a group name or ID right after the user name or ID.
If only a colon is given, then the user’s default group is used:
the -R option will apply the change recursively and -c
Reports when a file change is made. We can also use other file ownership via --referenece
switch.
chgrp
chgrp command in Linux is used to change the group ownership of a file or directory.
Note1: We need to have administrator permission to add or delete groups
Note2: the owner of file can always change the group of his/her file or directory to its own group or one of the groups that him/her is a member of.
As with many of the commands covered in this tutorial, chgrp
has a -R
option to allow changes to be applied recursively to all selected files and subdirectories.
--refrence Uses the groupname of a reference file to change the group of another file or folder.
.
.
.
Primary and secondary groups
There are actually two types of groups — primary and secondary.
The primary group is the one that’s recorded in the /etc/passwd file, configured when an account is set up. When a user creates a file, it’s their primary group that is associated with it.
Secondary groups are those that users might be added to once they already have accounts. Secondary group memberships show up in the /etc/group file.
A user can change his/her primary group (default group) with newgrp
command, and after that all file/directories the user creates will have that group.
.
.
.
https://developer.ibm.com/tutorials/l-lpic1-104-5/
https://jadi.gitbooks.io/lpic1/content/1045_manage_file_permissions_and_ownership.html
https://www.geeksforgeeks.org/chmod-command-linux/
https://www.geeksforgeeks.org/permissions-in-linux/
https://www.geeksforgeeks.org/chown-command-in-linux-with-examples/
https://www.geeksforgeeks.org/chgrp-command-in-linux-with-examples/
https://www.networkworld.com/article/3409781/mastering-user-groups-on-linux.html
.
.
.
Last updated