http://dougvitale.wordpress.com/2013/02/16/linux-file-permissions-and-chmod
When you view files and directories on Linux hosts, how can you tell
which users have access? And how do you determine the extent of their
access? Before approaching the sizable (but very important) subject of
Linux (and Unix) file permissions, it is helpful to review the
definitions of key terms which IT professionals need to be familiar
with. Before proceeding, let’s define these terms clearly.
Common across all operating system (OS) platforms, files are the objects or things that OSes and user applications work with. More specifically, a file is a distinct collection of data that has a name and properties, or characteristics. Files can take the form of text documents, graphics, music, scripts, etc. If you prefer the geeky definition, Wikipedia states that a computer file is “a block of arbitrary information, or resource for storing information, which is available to a computer program and is usually based on some kind of durable storage.”
Computer files can be created, edited, deleted, moved, and stored. The orderly arranging of files is accomplished by means of directories, which are simply containers for files and other directories. On the Windows operating system, directories are often called “folders” because they are visually represented by icons resembling the paper folders which you would find in filing cabinets. This method of depicting directories as paper folders has also been adopted by Linux desktop environments, such as KDE and GNOME.
Directories are arranged in a hierarchical model. Users and software can use these directories to navigate the file system to find certain files. Files are often logically co-located based on type and usage.
Operating systems support access control restrictions on files and directories because it is not a best practice to permit the same level of system access to all users of a host or network. Users may not want other users to access their files for reasons of privacy and separation of duties, while system administrators often do not want non-administrative personnel to be able to change or possibly delete critical files needed for proper OS function. Therefore, file permissions are designed to prevent the unwanted viewing, editing, or deletion of files and folders. Within the popular discretionary access control (DAC) model, file owners can adjust the access permissions of the files they own. That is, file owners can determine who can read, change, or delete the files belonging to them. On a Unix-like OS like Linux, we will examine how to work with these file permissions.
Jump to:
The types of rights include read, write, and execute.
Read means the ability to view a file; to read a directory is to view a listing of its contents.
Write means the ability to change or delete a file, or create, change, or delete the contents of a directory. A user with write access to a directory can delete files in the directory even if he does not have write permissions on those files being deleted.
Execute means the ability to run or launch a file, or to enter or search a directory and access any subdirectories (but not view the directory’s contents unless the read permission is also granted; however, files can still be directly accessed if you can provide the full path).
Field 1 (drwxr
Field 2 (1): the link count. The link count of a file specifies the total number of hard links to the file.
Field 3 (doug): the owner of the file.
Field 4 (Domain Users): the associated group for the file.
Field 5: the size of the file in bytes.
Field 6-8: these three fields show the date of last modification (format can vary).
Field 9 (AppData): the name of the file or directory. For links, the path to the file which the link points to appears here.
Looking again at Field 1, the permissions there are represented by symbolic notation (e.g., -rw-rw-r
Read (r) = 4
Write (w) = 2
Execute (x) = 1
No Access (-) = 0.
Let’s look at some examples to spell this out. The symbolic notation -rwxr-x
Here’s another example, -rw-r
Question 2: Given the ls -l output for this file:
We can tell that user1, the members of group1, and all other users have read and execute privileges on filename.txt. Who then would be able to modify (aka, write to) the file?
Answer: the root account (UID 0). However, you should realize that users and groups with write access to the directory containing filename.txt would be able to delete the file and create a new file with the same name. Why would they do this? They could copy the file to a new name with their changes, delete the old file, and rename the new file to the old name, thereby circumventing their lack of write privileges to the file itself.
Question 3: You take the following steps.
1. You create a new directory in your home folder with the command:
2. Invoking root privileges, you create a new directory in the one you just created:
3. Again as root, you create a file in root_directory:
4. In your home folder, you run this command as yourself:
Answer: Permission to delete the directory will be denied because you don’t own root_file.txt (even though you own the the parent ‘my_directory’ folder).
Now that we understand how Linux file permissions are represented, let’s look at how we could change them.
The command to change the permission flags is chmod. There are two ways to use the chmod command and by now you should be familiar with both: with symbolic notation or with numeric notation (be aware that only the owner of a file/directory can change its permissions). The basic syntax of a chmod command is:
For example:
[Who] can be:
[Operator] can be:
.
chmod a-x backup.sh
Clears (-) the execute bit for all users.
chmod g+w backup.sh
Gives the file’s group the write privilege.
chmod g= backup.sh
Removes all access rights from the group to the file.
chmod ug+x backup.sh
Gives the file’s owner and group the execute privilege.
chmod o=r backup.sh
Gives the ‘others’ only read access to the file.
chmod +x backup.sh
Makes the script executable.
chmod -x chmod
This would make the chmod command itself non-executable by all users. Avoid!
Draac.com, CHMOD cheat sheet
GNU.org, Source code for chmod
IBM.com, Learn Linux, 101: Manage file permissions and ownership
Permissions-calculator.org, Unix permissions calculator
Practical Guide to Linux Commands UNIX and Linux Sys Admin Handbook
Essential System Administration The Linux Command Line
Red Hat Linux Certification Study Guide CompTIA Linux+ Study Guide
Common across all operating system (OS) platforms, files are the objects or things that OSes and user applications work with. More specifically, a file is a distinct collection of data that has a name and properties, or characteristics. Files can take the form of text documents, graphics, music, scripts, etc. If you prefer the geeky definition, Wikipedia states that a computer file is “a block of arbitrary information, or resource for storing information, which is available to a computer program and is usually based on some kind of durable storage.”
Computer files can be created, edited, deleted, moved, and stored. The orderly arranging of files is accomplished by means of directories, which are simply containers for files and other directories. On the Windows operating system, directories are often called “folders” because they are visually represented by icons resembling the paper folders which you would find in filing cabinets. This method of depicting directories as paper folders has also been adopted by Linux desktop environments, such as KDE and GNOME.
Directories are arranged in a hierarchical model. Users and software can use these directories to navigate the file system to find certain files. Files are often logically co-located based on type and usage.
Operating systems support access control restrictions on files and directories because it is not a best practice to permit the same level of system access to all users of a host or network. Users may not want other users to access their files for reasons of privacy and separation of duties, while system administrators often do not want non-administrative personnel to be able to change or possibly delete critical files needed for proper OS function. Therefore, file permissions are designed to prevent the unwanted viewing, editing, or deletion of files and folders. Within the popular discretionary access control (DAC) model, file owners can adjust the access permissions of the files they own. That is, file owners can determine who can read, change, or delete the files belonging to them. On a Unix-like OS like Linux, we will examine how to work with these file permissions.
Jump to:
- Displaying file permissions
- Users, groups, and access rights
- Symbolic notation of file permissions
- Numeric (octal) notation of file permissions
- chmod
- chmod usage options
- chmod examples
- Further reference
- Recommended reading
Displaying file permissions
When you open a shell on a Linux host, you acquire the ability to interact with the files which that host is storing. So let’s return to the original question of how you would view and configure file permissions on Linux. Let’s say you open a bash shell and are presented with the shell prompt, aka the command line interface. Then you issue the ls -l command to tell bash to display the contents of your current working directory (for example, your home folder located at/home/your_account_name
). You will see output similar to this example (I entered ls -l on my Windows home folder using Cygwin).drwxr--r-- 1 doug Domain Users 0 Nov 19 16:13 AppData
drwx------ 1 doug Domain Users 0 Jan 10 12:39 Desktop
drwx------ 1 doug Domain Users 0 Jan 22 10:49 Documents
drwx------ 1 doug Domain Users 0 Jan 9 11:08 Favorites
-rwx------ 1 doug Domain Users 12 Jan 22 10:49 key.txt
-rwx------ 1 doug Domain Users 130048 Jan 9 10:59 metadata.db
drwx------ 1 doug Domain Users 0 Nov 19 16:13 Music
lrwxrwxrwx 1 SYSTEM SYSTEM 35 Nov 19 16:13 My Documents -> /cygdrive/c/Users/doug/Documents
-rwx------ 1 doug Domain Users 3670016 Feb 14 15:01 NTUSER.DAT
-rwx------ 1 SYSTEM SYSTEM 20 Nov 19 16:13 ntuser.ini
drwx------ 1 doug Domain Users 0 Dec 27 14:25 Pictures
lrwxrwxrwx 1 SYSTEM SYSTEM 66 Nov 19 16:13 Recent ->
/cygdrive/c/Users/doug/AppData/Roaming/Microsoft/Windows/Recent
drwx------ 1 doug Domain Users 0 Nov 19 16:41 Searches
lrwxrwxrwx 1 SYSTEM SYSTEM 66 Nov 19 16:13 SendTo ->
/cygdrive/c/Users/doug/AppData/Roaming/Microsoft/Windows/SendTo
drwx------ 1 doug Domain Users 0 Dec 28 13:13 Software
lrwxrwxrwx 1 SYSTEM SYSTEM 70 Nov 19 16:13 Start Menu ->
/cygdrive/c/Users/doug/AppData/Roaming/Microsoft/Windows/Start Menu
drwx------ 1 doug Domain Users 0 Feb 14 13:47 Temp
drwx------ 1 doug Domain Users 0 Nov 27 15:46 Videos
Users, groups, and access rights
In the Linux OS, each file and directory is assigned access rights based on the owner of the file, the members of the file’s group (possibly including the owner), and everybody else (others). By default, the user who creates a file becomes its owner. All members of a file’s group have the same permissions on the file. All users belong to at least one group. From a security perspective, you should pay particular attention to permissions set for the ‘Others’, i.e. all those users who are not the owner and not in the group associated with the file or directory in question.The types of rights include read, write, and execute.
Read means the ability to view a file; to read a directory is to view a listing of its contents.
Write means the ability to change or delete a file, or create, change, or delete the contents of a directory. A user with write access to a directory can delete files in the directory even if he does not have write permissions on those files being deleted.
Execute means the ability to run or launch a file, or to enter or search a directory and access any subdirectories (but not view the directory’s contents unless the read permission is also granted; however, files can still be directly accessed if you can provide the full path).
Symbolic notation of file permissions
Let’s return to ls -l above. Now that we understand the concepts behind User (owner), Group, Others and the read (r), write (w), and execute (x) permissions, we can make sense of all this output. Each of the eighteen lines above can be broken down into nine fields. Let’s look at the first line.drwxr--r-- 1 doug Domain Users 0 Nov 19 16:13 AppData
Field 1 (drwxr
--
r--
): a set of ten permission flags. After the first character, these flags can be r (read), w (write), x (execute), or - (no access granted). The first character reveals the type of object: d stands for directory, l stands for link, and - means a file (there are other possibilities for the first character, but they won’t be covered here). If -
appears outside of the first character slot, it means that no
permission for that particular slot has been set (i.e., no access
granted). The last nine characters are divided into three triads. The
first triad represents the owner’s permissions on the object, the second
triad represents the group’s permissions, and the last triad represents
everyone else’s permissions. So in this example, the object AppData is a
directory (d) (if the permissions were -rwxr--
r--
, it would mean that AppData is a file as shown by - as the first character). The the next three characters, rwx, show that the owner has read, write, and execute permissions. The second triad, r--
, shows that the group permissions are read only (because the write and execute fields are blank, or set to -). The third triad, r--
, shows that all users besides the relevant owner and group have permissions that are read only.Field 2 (1): the link count. The link count of a file specifies the total number of hard links to the file.
Field 3 (doug): the owner of the file.
Field 4 (Domain Users): the associated group for the file.
Field 5: the size of the file in bytes.
Field 6-8: these three fields show the date of last modification (format can vary).
Field 9 (AppData): the name of the file or directory. For links, the path to the file which the link points to appears here.
Numeric (octal) notation of file permissions
Looking again at Field 1, the permissions there are represented by symbolic notation (e.g., -rw-rw-r
--
).
An alternative way to express permissions is numeric notation (also
called octal notation). Numeric notation refers back to the
aforementioned three triads that appear within the symbolic notation.
Numeric notation substitutes a number for each triad. This is
accomplished by assigning a numeric value to each character in the nine
total slots that comprise the three triads:Read (r) = 4
Write (w) = 2
Execute (x) = 1
No Access (-) = 0.
Let’s look at some examples to spell this out. The symbolic notation -rwxr-x
--
x first needs to be broken up into the three triads which are: rwx, r-x, and --
x (remember, the first – means that the object is a file, not a directory). The first triad, rwx, adds up to 7 (4+2+1=7). The second triad, r-x, adds up to 5 (4+0+1=5), and the last triad, --
x, adds up to 1 (0+0+1=1). Therefore, another way to express -rwxr-x--
x is 751.Here’s another example, -rw-r
--
r-x. First, break out the triads: rw-, r--
, and r-x. Recall each character’s value: r=4, w=2, x=1, and -=0. The first triad equals 6, the second equals 4, and the third equals 5. Therefore the numeric notation of -rw-r--
r-x is 645. Other examples include:- rwxrwxrwx = 777
- rwxr-xr-x = 755
- rw-rw-rw- = 666
- rw-r
--
r– = 644 - rw
-------
= 600
Question 2: Given the ls -l output for this file:
-r-xr-xr-x 1 user1 group1 date time filename.txt
We can tell that user1, the members of group1, and all other users have read and execute privileges on filename.txt. Who then would be able to modify (aka, write to) the file?
Answer: the root account (UID 0). However, you should realize that users and groups with write access to the directory containing filename.txt would be able to delete the file and create a new file with the same name. Why would they do this? They could copy the file to a new name with their changes, delete the old file, and rename the new file to the old name, thereby circumventing their lack of write privileges to the file itself.
Question 3: You take the following steps.
1. You create a new directory in your home folder with the command:
mkdir my_directory
.2. Invoking root privileges, you create a new directory in the one you just created:
sudo mkdir my_directory/root_directory
.3. Again as root, you create a file in root_directory:
sudo touch my_directory/root_directory/root_file.txt
.4. In your home folder, you run this command as yourself:
rm -Rf my_directory
. What happens?Answer: Permission to delete the directory will be denied because you don’t own root_file.txt (even though you own the the parent ‘my_directory’ folder).
Now that we understand how Linux file permissions are represented, let’s look at how we could change them.
chmod
The command to change the permission flags is chmod. There are two ways to use the chmod command and by now you should be familiar with both: with symbolic notation or with numeric notation (be aware that only the owner of a file/directory can change its permissions). The basic syntax of a chmod command is:
chmod [who][operator][permissions] FileName
For example:
chmod g+rw FileName
chmod a-w FileName
[Who] can be:
- u, the owner of the file
- g, the group associated with the file
- o, the users who are not the owner (u) or in the group (g)
- a, all possible users (u+g+o)
[Operator] can be:
- +, adds the specified permission(s) to the file
- -, removes the specified permission(s) to the file
- =, applies the specified permission(s) to the file
- r, read a file, or view a directory’s contents
- w, change or delete a file, or add or delete a directory’s contents
- x, execute a file, or enter into a directory and its subdirectories
- X, special execute, which applies execute permissions to directories regardless of their current permissions and applies execute permissions to files which already have at least one execute permission bit already set (either user, group or other).
- s, setuid/setgid. The setuid (SUID) permissions are used to tell the OS to run an executable as the owner with the owner’s permissions. Pay attention: If a binary is owned by the root superuser and has the SUID bit enabled, then that program will always run as root. The setgid permissions allow users to run an executable with the permissions of that executable’s group. When set on a directory, every file and directory created under that directory will automatically inherit the group owner.
- t, sticky bit. When the sticky bit has been
assigned to the permissions on a directory, only the file owners can
rename or delete the files in that directory. The Linux kernel ignores
the sticky bit on files but not on directories. The
/tmp
directory is noteworthy because its permissions are 1777. The “1″ (one) indicates the sticky bit which is enabled by default on/tmp
.
chmod usage options
chmod options |
Description |
---|---|
chmod -c or chmod -changes | Like verbose, but reports only when a change is made, i.e., prints information only about files that are changed. |
chmod -f | Suppresses most error messages. Users won’t be notified about files that chmod cannot change. |
chmod -- help |
Displays the Help message. |
chmod -- no-preserve-root |
Does not treat ‘/’ specially (default). |
chmod -- preserve-root |
Avoid operating recursively on ‘/’. |
chmod -- quiet |
Suppresses most error messages. Users won’t be notified about files that chmod cannot change. |
chmod -R or chmod -- recursive |
Alters file and directory permissions recursively. |
chmod -- reference=RFILE |
Changes permissions to match those associated with the file specified by RFILE. |
chmod -- silent |
Suppresses most error messages. Users won’t be notified about files that chmod cannot change. |
chmod -v or chmod -- verbose |
Outputs a diagnostic for every file processed, i.e., displays information about each file, whether changed or not. |
chmod -- version |
Outputs the chmod version information and exits. |
chmod examples
chmod a-x backup.sh
Clears (-) the execute bit for all users.
chmod g+w backup.sh
Gives the file’s group the write privilege.
chmod g= backup.sh
Removes all access rights from the group to the file.
chmod ug+x backup.sh
Gives the file’s owner and group the execute privilege.
chmod o=r backup.sh
Gives the ‘others’ only read access to the file.
chmod +x backup.sh
Makes the script executable.
chmod -x chmod
This would make the chmod command itself non-executable by all users. Avoid!
Further reference
Catcode.com, Symbolic and numeric permissions converterDraac.com, CHMOD cheat sheet
GNU.org, Source code for chmod
IBM.com, Learn Linux, 101: Manage file permissions and ownership
Permissions-calculator.org, Unix permissions calculator
Recommended reading
If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!Practical Guide to Linux Commands UNIX and Linux Sys Admin Handbook
Essential System Administration The Linux Command Line
Red Hat Linux Certification Study Guide CompTIA Linux+ Study Guide
No comments:
Post a Comment