Controlling Access,to,Files
Controlling Access to Files
Chapter Objectives
- Understand Linux file permissions and permission categories (user, group, other).
- Use
ls -l to view file permissions and interpret the output. - Change file permissions using
chmod (symbolic and octal methods). - Manage file and directory ownership using
chown and chgrp. - Apply special permissions (setuid, setgid, sticky bit) to enhance security.
- Configure default file permissions using
umask.
Linux File System Permissions - Overview
- Every file and directory in Linux is owned by a user and a group.
- Permissions control read, write, and execute capabilities of the file.
- Three Permission Categories:
- User (Owner): The file owner. Permissions apply to this person first.
- Group: Members of the file's group. Permissions apply if the user isn't the owner.
- Other (World): Everyone else on the system. Applied if the user isn't in the group.
Permission Types
- Permission Types: Read, Write, Execute
| Permission | Symbol | Effect on Files | Effect on Directories |
|
|---|
| Read | r | View file contents | List directory contents |
|
| Write | w | Modify or delete file | Create/delete files inside |
|
| Execute | x | Run file as a program | Access directory contents | |
| | | | |
Understanding Permission Categories | | | | |
- User (u): File owner. Applies first.
- Group (g): Group members. Checked if user matches group.
- Other (o): Everyone else. Checked last. Permission checking stops at the first matching category. If the user is the owner, group and other permissions are ignored.
Permission Precedence
- Most specific permissions are checked first:
- Check if user is the file owner. Apply USER permissions.
- Check if user is a member of the owning group. Apply GROUP permissions.
- If neither owner nor in group, apply OTHER permissions.
- Example: If owner has 'r--' but group has 'rwx', the owner can only read as ownership permissions are checked first.
Viewing File Permissions
Reading the ls -l Output
- The
ls -l Command: - Command:
ls -la - Example Output:
total 24
drwxr-xr-x 3 root root 4096 Mar 10 2023 .
drwxr-xr-x 13 root root 4096 Mar 10 2023 ..
-rw-r--r-- 1 root root 1234 Mar 10 2023 file.txt
-rwxr-xr-x 1 root root 5678 Mar 10 2023 script.sh
drwxr-x--- 2 admin dba 4096 Mar 10 2023 private
- Output Columns (left to right):
- Permissions (10 chars: file type + 3 permission groups)
- Link count
- Owner username
- Owner group
- File size in bytes
- Last modification date
- File or directory name
File Type Characters
- Character | File Type | Description
- : Regular file, normal file containing data d : Directory, contains files and subdirs l : Symbolic link, shortcut to another file c : Character device, device like terminal (/dev/tty) b : Block device, device like disk (/dev/sda) p : Named pipe, used for inter-process communication s : Socket, used for inter-process communication
Reading Permission Strings
- For example, breakdown of
-rwxr-x---:- indicates file type (regular file).rwx indicates User (owner) permissions (full permissions).r-x indicates Group permissions (read and execute, no write).--- indicates Other (world) permissions (no permissions).
Permission Scenario - Setup
Users and Directory Example
- Four Users:
operator1: user in group 'dba' and 'wheel' database1: user in group 'dba' database2: user in group 'dba' contractor1: user in no special groups
- Directory:
drwxr-x--- 2 operator1 dba 4096 Mar 10 /tmp/dir - Permissions: User (rwx) | Group (r-x) | Other (---)
- Owned by
operator1, group of dba, others have no access.
Permission Scenario - File Listing
- Files in
/tmp/dir:-rw-r--r-- 1 operator1 dba sales.txt -rw-r----- 1 database1 dba payroll.txt -rw------- 1 database2 dba secret.txt -rw-r--r-- 1 contractor1 users report.txt - Ownership of Files:
sales.txt: owner=operator1, group=dba, perms=rw-r--r--payroll.txt: owner=database1, group=dba, perms=rw-r-----secret.txt: owner=database2, group=dba, perms=rw-------report.txt: owner=contractor1, group=users, perms=rw-r--r--
Permission Scenario - Examples (Part 1)
| User | File | Action | Result |
|
|---|
| operator1 | sales.txt | Read | YES |
| |
| operator1 | payroll.txt | Read | YES |
| |
| database1 | sales.txt | Read | YES |
| |
| database1 | payroll.txt | Write | YES |
| |
| database2 | secret.txt | Write | YES |
| |
| contractor1 | secret.txt | Read | NO | | |
| | | | | |
Permission Scenario - Examples (Part 2) | | | | | |
| User | Action | Result |
|
|---|
| operator1 | Delete sales.txt from /tmp/dir | YES |
| |
| database1 | Delete sales.txt from /tmp/dir | YES |
| |
| contractor1 | Read /tmp/dir contents | NO |
| |
| contractor1 | Delete report.txt from /tmp/dir | NO | | |
To delete a file, you need write (w) and execute (x) permissions on the DIRECTORY, not the file itself. | | | | |
| | | | |
Managing File Permissions | | | | |
Using chmod to Control Access
The chmod Command - Overview
chmod (change mode) command modifies file and directory permissions.- Two Methods for Specifying Permissions:
- Symbolic Method:
- Uses letters:
u (user), g (group), o (other), a (all) - Operations:
+ (add), - (remove), = (set exactly) - Examples:
chmod g+w file
- Octal Method:
- Uses digits: 0-7
- 4=read, 2=write, 1=execute
- Examples:
chmod 755 file
Symbolic Method - Who/What/Which
| Symbol | Meaning |
|
|---|
| u | User (file owner) |
| |
| g | Group owner |
| |
| o | Others (world) |
| |
| a | All (u, g, o) |
| |
| + | Add permission |
| |
| - | Remove permission |
| |
| = | Set to exactly this |
| |
| r | Read |
| |
| w | Write |
| |
| x | Execute | | |
| | | |
Symbolic Method - Examples | | | |
chmod go-rw file: Remove read/write from group and others.chmod a+x script.sh: Add execute to all (user, group, other).chmod u=rwx,go=rx file: User gets rwx, group/others get rx.chmod -R g+rwx directory/: Add rwx to group, recursively in directory.chmod u-w file: Remove write permission from owner.chmod o=: Remove all permissions from others.
The X (Capital) Permission
- Capital
X applies execute only to directories, not regular files, useful for recursive changes. - Example:
chmod -R g+rwX directory/ will add g+rw to files and also add execute to directories.
Octal Method - Overview
- Octal permissions use 3-digit (or 4 for special) numbers.
- Common Values:
755 (executable), 644 (file), 700 (private), 750 (group access).
- Example:
chmod 755 file:- User: 7 (
rwx), Group: 5 (r-x), Other: 5 (r-x). - Calculation:
r=4, w=2, x=1.
Octal Method - Common Values
| Octal | Symbolic | Use Case |
|
|---|
| 755 | rwxr-xr-x | Executable files and directories |
| |
| 644 | rw-r--r-- | Regular data files |
| |
| 700 | rwx------ | Private files/directories |
| |
| 750 | rwxr-x--- | Group access, no other |
| |
| 600 | rw------- | Owner-only file |
| |
| 777 | rwxrwxrwx | All permissions (rarely used) | | |
| | | | |
Octal Method - Examples | | | | |
chmod 644 file.txt: rw-r--r-- Readable by all, writable by owner.chmod 755 script.sh: rwxr-xr-x Executable by all, writable by owner.chmod 700 private: rwx------ Only owner can access.chmod 750 directory/: rwxr-x--- Group can enter/read, others blocked.chmod 600 secret.key: rw------- Owner-only key file.
Changing File Ownership
Using chown and chgrp
The chown Command
chown changes file and directory ownership (user and/or group).- Syntax and Examples:
chown newuser file: Change owner to newuser.chown newuser:newgroup file: Change both owner and group.chown -R newuser directory/: Change owner recursively.chown :newgroup file: Change group only.chown -R user:group /data/: Change ownership recursively on /data.
Changing Group Ownership
- Change group ownership with
chown or chgrp: - Using
chown with colon: chown :sales file.txt (to sales). - Using
chgrp: chgrp sales file.txt. - Using
chgrp -R marketing /data/: Change group recursively.
- Only the file owner or root can change ownership. Regular users can change group if they're a member of the target group.
Ownership Rules
- Who can change what:
- Root user: Change owner and group of any file.
- File owner: Change group (to groups they belong to).
- Regular user: Cannot change ownership of files they own. Once ownership is changed, it cannot be taken back unless performed by root.
- Common Use Case: Change group ownership to allow team members to edit shared files without adjusting permissions.
Special Permissions
setuid, setgid, and Sticky Bit
Special Permissions Overview
- Permission | Symbol | Octal | Effect on Files | Effect on Directories
- --- | --- | --- | --- | ---
- setuid | s (user) | 4000 | Run as owner, not executor | Ignored
- setgid | s (group) | 2000 | Run as owner's group | New files inherit group
- Sticky bit | t (other) | 1000 | Ignored | Only owner can delete files
- Special permissions are less common but essential for security. They appear as 's' (setuid/setgid) or 't' (sticky bit) in the permission string.
setuid Permission
- setuid (set user ID): Allows a file to run with the permissions of its owner, not the executor.
- Example:
/usr/bin/passwd with permission -rwsr-xr-x:- The 's' in the user execute position indicates setuid is set.
- When any user runs
passwd, it executes as root (the owner). - This allows non-root users to change their passwords in
/etc/shadow.
- Security Risk: Use setuid only on trusted applications. The uppercase 'S' indicates setuid without execute permission.
setgid Permission
- setgid (set group ID) has different effects on files vs. directories:
- On Files: Runs as owner's group, e.g.,
-rwxr-sr-x 1 root mail sendmail indicates setgid. - On Directories: New files inherit directory's group, e.g.,
drwxrwsr-x shared_folder project_group where files created in this directory become part of project_group.
- Use setgid on directories for collaborative file sharing to maintain team-related access.
Sticky Bit
- The sticky bit prevents users from deleting files they don't own in shared directories.
- Example:
/tmp directory shows drwxrwxrwt root root /tmp, with 't' indicating sticky bit.- Everyone can write to
/tmp, but only file owners (and root) can delete their files. - User A cannot delete User B's file in
/tmp, preventing unnecessary interference.
- The uppercase 'T' means sticky without execute permission on the directory. The sticky bit is vital for shared directories to avoid accidental deletions.
Setting Special Permissions
| Permission | Symbolic | Octal (4-digit) | Example |
|
|---|
| setuid | u+s | 4000 | chmod 4755 file |
| |
| setgid | g+s | 2000 | chmod 2755 directory |
| |
| sticky bit | o+t | 1000 | chmod 1777 /tmp |
| |
| setuid+setgid | u+s,g+s | 6000 | chmod 6755 file | | |
| The first digit in octal indicates special permissions, remaining three indicate user/group/other. | | | | | |
| | | | | |
Default Permissions | | | | | |
Understanding and Configuring umask
Default File Permissions
- When a file or directory is created, Linux assigns default permissions which are modified by
umask:- Object Type Initial Permission
- Regular file:
0666 (rw-rw-rw-), no execute by default for safety. - Directory:
0777 (rwxrwxrwx), execute needed to enter the directory.
- Umask acts like a 'permission mask' removing permissions from the initial defaults.
How umask Works
- Umask subtracts (masks) permissions from the default permissions.
- Example usage:
$ umask # Display current umask
0022
$ umask 0027 # Set new umask
$ umask # Verify
0027
- Umask is displayed and set as a 4-digit octal number (default format:
0022). - The three rightmost digits correspond to user (0), group (2), and other (2).
- Final permission calculation: Initial permission - umask.
- Example: file
0666 - umask 0022 = 0644 (rw-r--r--).
umask Examples
| umask | File Result | Dir Result | Use Case |
|
|---|
| 0022 | 0644 (rw-r--r--) | 0755 (rwxr-xr-x) | Default on most systems |
| |
| 0027 | 0640 (rw-r-----) | 0750 (rwxr-x---) | More restrictive, group/other limited |
| |
| 0002 | 0664 (rw-rw-r--) | 0775 (rwxrwxr-x) | Group can write files |
| |
| 0077 | 0600 (rw-------) | 0700 (rwx------) | Most restrictive, owner-only | | |
| | | | | |
Configuring umask | | | | | |
- Set umask in your shell profile for new sessions:
- In
~/.bashrc or ~/.bash_profile: umask 0027 - In
/etc/login.defs (system-wide, RHEL 9): UMASK 0027 with UMASK_COMPAT no. - In
/etc/profile (system-wide, other systems): umask 0022.
- RHEL 9+ uses
/etc/login.defs for umask, older systems use /etc/profile or /etc/profile.d/.
umask Calculation Examples
Example 1: umask 0022 on a regular file:
- Initial file permission:
0666 - Umask:
-0022 - Final permission:
0644 (rw-r--r--)
Example 2: umask 0022 on a directory:
- Initial directory permission:
0777 - Umask:
-0022 - Final permission:
0755 (rwxr-xr-x)
Example 3: umask 0027 on a regular file:
- Initial file permission:
0666 - Umask:
-0027 - Final permission:
0640 (rw-r-----)
Summary - Part 1
Basic Permissions
- Files owned by user + group.
- Permission precedence: user > group > other.
- Use
ls -l to view permissions.
chmod Commands
- Symbolic:
chmod u+x file. - Octal:
chmod 755 file. - Recursive:
chmod -R 755 dir/. - Use X to apply execute to directories only.
Ownership Changes
- Execute
chown user:group file. - Use
chgrp group file. - Root can change owner.
- Users can change group (if a member).
Summary - Part 2
Special Permissions
- setuid (4000): Run as owner.
- setgid (2000): Group inherit.
- Sticky bit (1000): Prevent deletion.
- Set with:
chmod 4755 file.
Default Permissions
- File:
0666 before umask. - Directory:
0777 before umask. - Umask: Permission mask; view with
umask.
Best Practices
- Keep files private (600 or 644).
- Make directories accessible (755 or 750).
- Use setgid for shared directories.
- Use a sticky bit on
/tmp-like directories.