Files on a Linux system always have associated "permissions" - controlling who has access and what sort of access. You'll have bumped into this in various ways already - as an example, yesterday while logged in as your "ordinary" user, you could not upload files directly into /var/www or create a new folder at /.
The Linux permission system is quite simple, but it does have some quirky and subtle aspects, so today is simply an introduction to some of the basic concepts.
This time you really do need to work your way through the material in the RESOURCES section!
First let's look at "ownership". All files are tagged with both the name of the user and the group that owns them, so if we type "ls -l" and see a file listing like this:
-rw------- 1 steve staff 4478979 6 Feb 2011 private.txt
-rw-rw-r-- 1 steve staff 4478979 6 Feb 2011 press.txt
-rwxr-xr-x 1 steve staff 4478979 6 Feb 2011 upload.bin
Then these files are owned by user "steve", and the group "staff".
Looking at the '-rw-r--r--" at the start of a directory listing line, (ignore the first "-" for now), and see these as potentially three groups of "rwx": the permission granted to the user who owns the file, the "group", and "other people".
For the example list above:
- private.txt - Steve has "rw" (ie Read and Write) permission, but neither the group "staff" nor "other people" have any permission at all
- press.txt - Steve can Read and Write to this file too, but so can any member of the group "staff" - and anyone can read it
- upload.bin - Steve can write to the file, all others can read it. Additionally all can "execute" the file - ie run this program
You can change the permissions on any file with the chmod
utility. Create a simple text file in your home directory with vim
(e.g. tuesday.txt) and check that you can list its contents by typing: cat tuesday.txt
or less tuesday.txt
.
Now look at its permissions by doing: ls -ltr tuesday.txt
-rw-rw-r-- 1 ubuntu ubuntu 12 Nov 19 14:48 tuesday.txt
So, the file is owned by the user "ubuntu", and group "ubuntu", who are the only ones that can write to the file - but any other user can read it.
Now let’s remove the permission of the user and "ubuntu" group to write their own file:
chmod u-w tuesday.txt
chmod g-w tuesday.txt
...and remove the permission for "others" to read the file:
chmod o-r tuesday.txt
Do a listing to check the result:
-r--r----- 1 ubuntu ubuntu 12 Nov 19 14:48 tuesday.txt
...and confirm by trying to edit the file with nano
or vim
. You'll find that you appear to be able to edit it - but can't save any changes. (In this case, as the owner, you have "permission to override permissions", so can can write with :w!
). You can of course easily give yourself back the permission to write to the file by:
chmod u+w tuesday.txt
On most modern Linux systems there is a group created for each user, so user "ubuntu" is a member of the group "ubuntu". However, groups can be added as required, and users added to several groups.
To see what groups you're a member of, simply type: groups
On an Ubuntu system the first user created (in your case ubuntu
), should be a member of the groups: ubuntu
, sudo
and adm
- and if you list the /var/log
folder you'll see your membership of the adm
group is why you can use less
to read and view the contents of /var/log/auth.log
The "root" user can add a user to an existing group with the command:
usermod -a -G group user
so your ubuntu
user can do the same simply by prefixing the command with sudo
. For example, you could add a new user fred
like this:
adduser fred
Because this user is not the first user created, they don't have the power to run sudo
- which your user has by being a member of the group sudo
.
So, to check which groups fred
is a member of, first "become fred" - like this:
sudo su fred
Then:
groups
Now type "exit" to return to your normal user, and you can add fred
to this group with:
sudo usermod -a -G sudo fred
And of course, you should then check by "becoming fred" again and running the groups
command.
Just for fun, create a file: secret.txt in your home folder, take away all permissions from it for the user, group and others - and see what happens when you try to edit it with vim
.
Research:
umask
and test to see how it's setup on your server- the classic octal mode of describing and setting file permissions. (e.g.
chmod 664 myfile
)
Look into Linux ACLs:
Also, SELinux and AppArmour:
- SELinux man page
- SELinux User's and Administrator's Guide
- SELinux For Mere Mortals
- Securing Ubuntu 18 04 with Apparmor
Copyright 2012-2021 @snori74 (Steve Brorens). Can be reused under the terms of the Creative Commons Attribution 4.0 International Licence (CC BY 4.0).