Monday, February 18, 2013

Linux file permissions and chmod

http://dougvitale.wordpress.com/2013/02/16/linux-file-permissions-and-chmod

When you view files and directories on Linux hosts, how can you tell which users have access? And how do you determine the extent of their access? Before approaching the sizable (but very important) subject of Linux (and Unix) file permissions, it is helpful to review the definitions of key terms which IT professionals need to be familiar with. Before proceeding, let’s define these terms clearly.
Common across all operating system (OS) platforms, files are the objects or things that OSes and user applications work with. More specifically, a file is a distinct collection of data that has a name and properties, or characteristics. Files can take the form of text documents, graphics, music, scripts, etc. If you prefer the geeky definition, Wikipedia states that a computer file is “a block of arbitrary information, or resource for storing information, which is available to a computer program and is usually based on some kind of durable storage.”
Computer files can be created, edited, deleted, moved, and stored. The orderly arranging of files is accomplished by means of directories, which are simply containers for files and other directories. On the Windows operating system, directories are often called “folders” because they are visually represented by icons resembling the paper folders which you would find in filing cabinets. This method of depicting directories as paper folders has also been adopted by Linux desktop environments, such as KDE and GNOME.
Directories are arranged in a hierarchical model. Users and software can use these directories to navigate the file system to find certain files. Files are often logically co-located based on type and usage.
File system hierarchy
A simple example of a file system hierarchy
Operating systems support access control restrictions on files and directories because it is not a best practice to permit the same level of system access to all users of a host or network. Users may not want other users to access their files for reasons of privacy and separation of duties, while system administrators often do not want non-administrative personnel to be able to change or possibly delete critical files needed for proper OS function. Therefore, file permissions are designed to prevent the unwanted viewing, editing, or deletion of files and folders. Within the popular discretionary access control (DAC) model, file owners can adjust the access permissions of the files they own. That is, file owners can determine who can read, change, or delete the files belonging to them. On a Unix-like OS like Linux, we will examine how to work with these file permissions.

Jump to:


Displaying file permissions

When you open a shell on a Linux host, you acquire the ability to interact with the files which that host is storing. So let’s return to the original question of how you would view and configure file permissions on Linux. Let’s say you open a bash shell and are presented with the shell prompt, aka the command line interface. Then you issue the ls -l command to tell bash to display the contents of your current working directory (for example, your home folder located at /home/your_account_name). You will see output similar to this example (I entered ls -l on my Windows home folder using Cygwin).
drwxr--r-- 1 doug Domain Users 0 Nov 19 16:13 AppData
drwx------ 1 doug Domain Users 0 Jan 10 12:39 Desktop
drwx------ 1 doug Domain Users 0 Jan 22 10:49 Documents
drwx------ 1 doug Domain Users 0 Jan 9 11:08 Favorites
-rwx------ 1 doug Domain Users 12 Jan 22 10:49 key.txt
-rwx------ 1 doug Domain Users 130048 Jan 9 10:59 metadata.db
drwx------ 1 doug Domain Users 0 Nov 19 16:13 Music
lrwxrwxrwx 1 SYSTEM SYSTEM 35 Nov 19 16:13 My Documents -> /cygdrive/c/Users/doug/Documents
-rwx------ 1 doug Domain Users 3670016 Feb 14 15:01 NTUSER.DAT
-rwx------ 1 SYSTEM SYSTEM 20 Nov 19 16:13 ntuser.ini
drwx------ 1 doug Domain Users 0 Dec 27 14:25 Pictures
lrwxrwxrwx 1 SYSTEM SYSTEM 66 Nov 19 16:13 Recent -> /cygdrive/c/Users/doug/AppData/Roaming/Microsoft/Windows/Recent
drwx------ 1 doug Domain Users 0 Nov 19 16:41 Searches
lrwxrwxrwx 1 SYSTEM SYSTEM 66 Nov 19 16:13 SendTo -> /cygdrive/c/Users/doug/AppData/Roaming/Microsoft/Windows/SendTo
drwx------ 1 doug Domain Users 0 Dec 28 13:13 Software
lrwxrwxrwx 1 SYSTEM SYSTEM 70 Nov 19 16:13 Start Menu -> /cygdrive/c/Users/doug/AppData/Roaming/Microsoft/Windows/Start Menu
drwx------ 1 doug Domain Users 0 Feb 14 13:47 Temp
drwx------ 1 doug Domain Users 0 Nov 27 15:46 Videos



Users, groups, and access rights

In the Linux OS, each file and directory is assigned access rights based on the owner of the file, the members of the file’s group (possibly including the owner), and everybody else (others). By default, the user who creates a file becomes its owner. All members of a file’s group have the same permissions on the file. All users belong to at least one group. From a security perspective, you should pay particular attention to permissions set for the ‘Others’, i.e. all those users who are not the owner and not in the group associated with the file or directory in question.
The types of rights include read, write, and execute.
Read means the ability to view a file; to read a directory is to view a listing of its contents.
Write means the ability to change or delete a file, or create, change, or delete the contents of a directory. A user with write access to a directory can delete files in the directory even if he does not have write permissions on those files being deleted.
Execute means the ability to run or launch a file, or to enter or search a directory and access any subdirectories (but not view the directory’s contents unless the read permission is also granted; however, files can still be directly accessed if you can provide the full path).


Symbolic notation of file permissions

Let’s return to ls -l above. Now that we understand the concepts behind User (owner), Group, Others and the read (r), write (w), and execute (x) permissions, we can make sense of all this output. Each of the eighteen lines above can be broken down into nine fields. Let’s look at the first line.
drwxr--r-- 1 doug Domain Users 0 Nov 19 16:13 AppData
Field 1 (drwxr--r--): a set of ten permission flags. After the first character, these flags can be r (read), w (write), x (execute), or - (no access granted). The first character reveals the type of object: d stands for directory, l stands for link, and - means a file (there are other possibilities for the first character, but they won’t be covered here). If - appears outside of the first character slot, it means that no permission for that particular slot has been set (i.e., no access granted). The last nine characters are divided into three triads. The first triad represents the owner’s permissions on the object, the second triad represents the group’s permissions, and the last triad represents everyone else’s permissions. So in this example, the object AppData is a directory (d) (if the permissions were -rwxr--r--, it would mean that AppData is a file as shown by - as the first character). The the next three characters, rwx, show that the owner has read, write, and execute permissions. The second triad, r--, shows that the group permissions are read only (because the write and execute fields are blank, or set to -). The third triad, r--, shows that all users besides the relevant owner and group have permissions that are read only.
Field 2 (1): the link count. The link count of a file specifies the total number of hard links to the file.
Field 3 (doug): the owner of the file.
Field 4 (Domain Users): the associated group for the file.
Field 5: the size of the file in bytes.
Field 6-8: these three fields show the date of last modification (format can vary).
Field 9 (AppData): the name of the file or directory. For links, the path to the file which the link points to appears here.


Numeric (octal) notation of file permissions


Looking again at Field 1, the permissions there are represented by symbolic notation (e.g., -rw-rw-r--). An alternative way to express permissions is numeric notation (also called octal notation). Numeric notation refers back to the aforementioned three triads that appear within the symbolic notation. Numeric notation substitutes a number for each triad. This is accomplished by assigning a numeric value to each character in the nine total slots that comprise the three triads:
Read (r) = 4
Write (w) = 2
Execute (x) = 1
No Access (-) = 0.
Let’s look at some examples to spell this out. The symbolic notation -rwxr-x--x first needs to be broken up into the three triads which are: rwx, r-x, and --x (remember, the first – means that the object is a file, not a directory). The first triad, rwx, adds up to 7 (4+2+1=7). The second triad, r-x, adds up to 5 (4+0+1=5), and the last triad, --x, adds up to 1 (0+0+1=1). Therefore, another way to express -rwxr-x--x is 751.
Here’s another example, -rw-r--r-x. First, break out the triads: rw-, r--, and r-x. Recall each character’s value: r=4, w=2, x=1, and -=0. The first triad equals 6, the second equals 4, and the third equals 5. Therefore the numeric notation of -rw-r--r-x is 645. Other examples include:
  • rwxrwxrwx = 777
  • rwxr-xr-x = 755
  • rw-rw-rw- = 666
  • rw-r--r– = 644
  • rw------- = 600
Question 1: Taking the preceding examples into account, do you think it would be advisable to set your files to 744 and your directories to 755? How about 644 for your files? Or 700 for your home directory?
Question 2: Given the ls -l output for this file:
-r-xr-xr-x 1 user1 group1 date time filename.txt
We can tell that user1, the members of group1, and all other users have read and execute privileges on filename.txt. Who then would be able to modify (aka, write to) the file?
Answer: the root account (UID 0). However, you should realize that users and groups with write access to the directory containing filename.txt would be able to delete the file and create a new file with the same name. Why would they do this? They could copy the file to a new name with their changes, delete the old file, and rename the new file to the old name, thereby circumventing their lack of write privileges to the file itself.
Question 3: You take the following steps.
1. You create a new directory in your home folder with the command: mkdir my_directory.
2. Invoking root privileges, you create a new directory in the one you just created: sudo mkdir my_directory/root_directory.
3. Again as root, you create a file in root_directory: sudo touch my_directory/root_directory/root_file.txt.
4. In your home folder, you run this command as yourself: rm -Rf my_directory. What happens?
Answer: Permission to delete the directory will be denied because you don’t own root_file.txt (even though you own the the parent ‘my_directory’ folder).
Now that we understand how Linux file permissions are represented, let’s look at how we could change them.


chmod


The command to change the permission flags is chmod. There are two ways to use the chmod command and by now you should be familiar with both: with symbolic notation or with numeric notation (be aware that only the owner of a file/directory can change its permissions). The basic syntax of a chmod command is:
chmod [who][operator][permissions] FileName
For example:
chmod g+rw FileName
chmod a-w FileName
[Who] can be:
  • u, the owner of the file
  • g, the group associated with the file
  • o, the users who are not the owner (u) or in the group (g)
  • a, all possible users (u+g+o)
Remember that o stands for ‘others’, not ‘owner’.
[Operator] can be:
  • +, adds the specified permission(s) to the file
  • -, removes the specified permission(s) to the file
  • =, applies the specified permission(s) to the file
[Permissions] can be:
  • r, read a file, or view a directory’s contents
  • w, change or delete a file, or add or delete a directory’s contents
  • x, execute a file, or enter into a directory and its subdirectories
  • X, special execute, which applies execute permissions to directories regardless of their current permissions and applies execute permissions to files which already have at least one execute permission bit already set (either user, group or other).
  • s, setuid/setgid. The setuid (SUID) permissions are used to tell the OS to run an executable as the owner with the owner’s permissions. Pay attention: If a binary is owned by the root superuser and has the SUID bit enabled, then that program will always run as root. The setgid permissions allow users to run an executable with the permissions of that executable’s group. When set on a directory, every file and directory created under that directory will automatically inherit the group owner.
  • t, sticky bit. When the sticky bit has been assigned to the permissions on a directory, only the file owners can rename or delete the files in that directory. The Linux kernel ignores the sticky bit on files but not on directories. The /tmp directory is noteworthy because its permissions are 1777. The “1″ (one) indicates the sticky bit which is enabled by default on /tmp.


chmod usage options


chmod options

Description

chmod -c or chmod -changes Like verbose, but reports only when a change is made, i.e., prints information only about files that are changed.
chmod -f Suppresses most error messages. Users won’t be notified about files that chmod cannot change.
chmod --help Displays the Help message.
chmod --no-preserve-root Does not treat ‘/’ specially (default).
chmod --preserve-root Avoid operating recursively on ‘/’.
chmod --quiet Suppresses most error messages. Users won’t be notified about files that chmod cannot change.
chmod -R or chmod --recursive Alters file and directory permissions recursively.
chmod --reference=RFILE Changes permissions to match those associated with the file specified by RFILE.
chmod --silent Suppresses most error messages. Users won’t be notified about files that chmod cannot change.
chmod -v or chmod --verbose Outputs a diagnostic for every file processed, i.e., displays information about each file, whether changed or not.
chmod --version Outputs the chmod version information and exits.
.


chmod examples


chmod a-x backup.sh
Clears (-) the execute bit for all users.
chmod g+w backup.sh
Gives the file’s group the write privilege.
chmod g= backup.sh
Removes all access rights from the group to the file.
chmod ug+x backup.sh
Gives the file’s owner and group the execute privilege.
chmod o=r backup.sh
Gives the ‘others’ only read access to the file.
chmod +x backup.sh
Makes the script executable.
chmod -x chmod
This would make the chmod command itself non-executable by all users. Avoid!


Further reference

Catcode.com, Symbolic and numeric permissions converter
Draac.com, CHMOD cheat sheet
GNU.org, Source code for chmod
IBM.com, Learn Linux, 101: Manage file permissions and ownership
Permissions-calculator.org, Unix permissions calculator


Recommended reading

If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!
A Practical Guide to Linux Commands on Amazon.com Practical Guide to Linux Commands Unix and Linux System Administration Handbook UNIX and Linux Sys Admin Handbook
Essential System Administration on Amazon Essential System Administration Linux Command Line on Amazon The Linux Command Line
Red Hat Linux Study Guide on Amazon Red Hat Linux Certification Study Guide CompTIA Linux+ Study Guide on Amazon CompTIA Linux+ Study Guide

No comments:

Post a Comment