104-5-Manage-file-permissions-and-ownership
#####################################################
104.5 Manage file permissions and ownership
#####################################################
Candidates should be able to control file access through the proper use of permissions and ownership.
Objectives
- Manage access permissions on regular and special files as well as directories.
- Use access modes such as suid, sgid and the sticky bit to maintain security.
- Know how to change the file creation mask.
- Use the group field to grant file access to group members.
- chmod
- umask
- chown
- chgrp
#####################################################
Users and Groups
#####################################################
A Linux system can have many users and many groups. You can log in as one user and use the su command to switch to another user. Each user belongs to one primary group and can be a member of other groups too.
There are commands like whoami, groups and id to determine who you are:
$ whoami
mojtaba
$ groups
mojtaba adm cdrom sudo dip plugdev netdev lpadmin sambashare debian-tor
$ id
uid=1000(mojtaba) gid=1000(mojtaba) groups=1000(mojtaba),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),102(netdev),108(lpadmin),124(sambashare),125(debian-tor)
$ su root -
Password:
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
# id
uid=0(root) gid=0(root) groups=0(root)
# exit
exit
$ whoami
mojtaba
id shows both user and group information.
This information is stored in /etc/passwd and /etc/group:
$ cat /etc/group | grep adm
adm:x:4:syslog,mojtaba
lpadmin:x:108:mojtaba
#####################################################
File ownership & permissions
#####################################################
Files also belong to one user and one group.
$ ls -l /sbin/fdisk ~/w/lpic/notes.txt
-rw-rw-r-- 1 mojtaba users 576 Dec 7 22:30 /home/mojtaba/w/lpic/notes.txt
-rwxr-xr-x 1 root root 267176 Oct 15 18:58 /sbin/fdisk
As you can see, notes.txt belongs to mojtaba and to a group called users.
In many distros, when you create a user, the system creates a group with the same name and assigns that user's files to that group.
Another part of the ls -l output shows the permissions on that file. Linux uses a three-layer permission model: permissions for the owner, for the group members and for others. Each layer has three parts: read, write (which includes editing and deleting) and execute (for a directory, entering it and reaching its content). These are shown in the first column of the ls -l output, e.g. -rw-rw-r--. The characters mean the following:
bit      meaning
1        what this entry is: dash (-) for ordinary files, 'l' for links and 'd' for directories
2,3,4    read, write and execute access for the owner
5,6,7    read, write and execute access for the group members
8,9,10   read, write and execute access for other users
11       indicates whether another access method (such as SELinux) applies to this file; not part of the 101 exam
As you can see in our example, characters 2 to 10 show the access rights. A - there means "no access on this part", and read, write and execute are shown by r, w and x.
In the following line:
$ ls -l /sbin/fdisk
-rwxr-xr-x 1 root root 267176 Oct 15 18:58 /sbin/fdisk
we can see that fdisk can be read, written and executed by its owner (root), only read and executed by whoever is part of the group root, and read and executed by all other users.
Although non-root users can execute fdisk, this program won't do much if it sees that a non-root user is running it.
Lets look at another example:
$ ls -l /home/
total 12
drwxr-xr-x 160 mojtaba mojtaba 12288 Feb 7 11:44 mojtaba
The first character is a d, so this is a directory! The owner (mojtaba) has read, write and execute access, but other members of the group mojtaba and everyone else only have read and execute access on this directory (execute on a directory means they can enter it and reach the files inside).
#####################################################
Changing permissions
#####################################################
It is possible to change the permissions on files and directories using the chmod command. There are two ways to tell this command what you want to do:
1- using octal codes
2- using symbolic (short) codes
When using octal codes, you have to build an octal string to tell chmod what you want. Here 0 means no access, 1 means execute, 2 means write and 4 means read. So if you want to give read+execute, you have to give 4+1, which is 5. This table shows every possible combination:
Symbolic Octal
rwx 7
rw- 6
r-x 5
r-- 4
-wx 3
-w- 2
--x 1
--- 0
So if you want to give rwx to owner, rx to group and only x to others, you have to use 751:
$ ls -ltrh myfile
-rw-rw-r-- 1 mojtaba mojtaba 0 Feb 8 21:01 myfile
$ chmod 751 myfile
$ ls -ltrh myfile
-rwxr-x--x 1 mojtaba mojtaba 0 Feb 8 21:01 myfile
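The table above is easy to turn into a small conversion helper. The following is an added example, not part of the original notes: two POSIX sh functions, sym_to_octal and octal_to_sym (names chosen here), that convert between the nine-character symbolic form ls -l prints and the three octal digits chmod accepts. An s or t in an execute position counts as x; the special bits themselves are not part of the three-digit result.

```shell
#!/bin/sh
# Added example (not from the original notes): convert between the symbolic
# permission string printed by ls -l (without the leading type character)
# and the octal form used with chmod. Pure POSIX sh plus cut/sed.

# sym_to_octal 'rwxr-x--x'  ->  751
sym_to_octal() {
    sym=$1
    [ ${#sym} -eq 9 ] || { echo "expected 9 characters, got '$sym'" >&2; return 1; }
    result=""
    i=0
    while [ $i -lt 9 ]; do
        # take the next triplet: owner, then group, then others
        triplet=$(printf '%s' "$sym" | cut -c$((i + 1))-$((i + 3)))
        value=0
        case $triplet in r??)     value=$((value + 4)) ;; esac
        case $triplet in ?w?)     value=$((value + 2)) ;; esac
        case $triplet in ??[xst]) value=$((value + 1)) ;; esac   # s/t imply x
        result="$result$value"
        i=$((i + 3))
    done
    printf '%s\n' "$result"
}

# octal_to_sym 751  ->  rwxr-x--x
octal_to_sym() {
    oct=$1
    case $oct in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got '$oct'" >&2; return 1 ;;
    esac
    result=""
    # split "751" into "7 5 1" and look each digit up in the table from the notes
    for d in $(printf '%s' "$oct" | sed 's/./& /g'); do
        case $d in
            7) result="${result}rwx" ;; 6) result="${result}rw-" ;;
            5) result="${result}r-x" ;; 4) result="${result}r--" ;;
            3) result="${result}-wx" ;; 2) result="${result}-w-" ;;
            1) result="${result}--x" ;; 0) result="${result}---" ;;
        esac
    done
    printf '%s\n' "$result"
}

# Demo with the modes used in the notes
printf 'rwxr-x--x -> %s\n' "$(sym_to_octal rwxr-x--x)"
printf 'rw-rw-r-- -> %s\n' "$(sym_to_octal rw-rw-r--)"
printf '751 -> %s\n' "$(octal_to_sym 751)"
```

Feeding the function the output of ls -l directly (for example `ls -l myfile | cut -c2-10`) gives the octal value you would pass to chmod to reproduce that mode on another file.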
But there is also an easier method. You can use +x to give execute permission, +r to give read permission and +w to give write permission. Removing a permission works the same way with a minus, e.g. -r.
$ ls -ltrh myfile
-rwxr-x--x 1 mojtaba mojtaba 0 Feb 8 21:01 myfile
$ chmod u-x myfile
$ ls -ltrh myfile
-rw-r-x--x 1 mojtaba mojtaba 0 Feb 8 21:01 myfile
$ chmod +x myfile
$ chmod uo+xr myfile
$ ls -ltrh myfile
-rwxr-xr-x 1 mojtaba mojtaba 0 Feb 8 21:01 myfile
You can tell chmod whose permission should be granted or removed by prefixing u (user/owner), g (group) or o (others), for example u+r (give read to the owner) or og-w (remove write for others and the group).
One very common switch on chmod is -R for recursive chmoding of directories and the files inside them. This will give read permission on all files inside /tmp/ to any user:
# chmod -R o+r /tmp
#####################################################
Access modes
#####################################################
So you have access only to your own files. But how should you change your password, or use programs which need access to system files? You must be able to modify /etc/passwd or /etc/shadow to change your password, but you must not be able to access other people's files!
Normally when you run a program, it runs with your access level, but Linux has two special bits on each file: suid (set user id) and sgid (set group id). If these are set on an executable, it runs with the access of the file's owner (or the file's group) and not that of the user who is running it.
$ ls -ltrh /usr/bin/passwd
-rwsr-xr-x 1 root root 50K Jul 18 2014 /usr/bin/passwd
Did you note the s in the place of the executable bit for the user? That means when any user runs this program, it runs with the access of the owner of the file (which is root) instead of that user's id.
It is possible to set/unset suid and sgid using chmod with +s or -s instead of x (u+s for suid, g+s for sgid).
The last special option in chmod is the sticky bit, which lets only the owner of a file delete it, even if other users have write (delete) access on that directory. This is good for places like /tmp.
The sticky bit is identified by t and is shown in the last position of a directory's mode:
$ ls -dl /tmp
drwxrwxrwt 13 root root 77824 Feb 8 21:27 /tmp
As you can see, the sticky bit is set, and although all users have write access in this directory, they won't be able to delete each other's files.
Let's review how you can set these access modes:
access mode   octal   symbolic
suid          4000    u+s
sgid          2000    g+s
sticky        1000    +t
sgid on a directory makes every new file created inside it inherit the directory's group instead of the creating user's primary group.
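A practical way to check these bits on a system is find's -perm -MODE test, which matches entries that have all of the given bits set. The script below is an added example (not from the original notes): it builds a throwaway directory with constructed file names, sets the bits with the chmod forms from the table above, and lists what carries each bit. The function names list_special, make_sandbox and count_special are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): inventory suid, sgid and sticky
# bits with find. A temporary sandbox is built so the script runs anywhere.

# list_special ROOT BIT  ->  paths under ROOT that have BIT set
#   BIT is 4000 (suid), 2000 (sgid) or 1000 (sticky); "-perm -BIT" means
#   "all of these bits are set", so 6000 would require both suid and sgid.
list_special() {
    find "$1" -perm -"$2" 2>/dev/null | sort
}

# count_special ROOT BIT  ->  number of matching entries
count_special() {
    list_special "$1" "$2" | wc -l | tr -d ' '
}

# make_sandbox  ->  prints the path of a fresh directory tree (constructed names)
make_sandbox() {
    sb=$(mktemp -d) || return 1
    : > "$sb/plain"                                         # no special bits
    : > "$sb/suid_tool"
    chmod 755 "$sb/suid_tool"; chmod u+s "$sb/suid_tool"    # -rwsr-xr-x
    : > "$sb/sgid_tool"
    chmod 755 "$sb/sgid_tool"; chmod g+s "$sb/sgid_tool"    # -rwxr-sr-x
    mkdir "$sb/shared"
    chmod 1777 "$sb/shared"                                 # drwxrwxrwt, like /tmp
    printf '%s\n' "$sb"
}

# Demo: build the sandbox, report what carries each bit, then clean up.
demo=$(make_sandbox)
printf 'suid   (4000): %s\n' "$(list_special "$demo" 4000)"
printf 'sgid   (2000): %s\n' "$(list_special "$demo" 2000)"
printf 'sticky (1000): %s\n' "$(list_special "$demo" 1000)"
rm -rf "$demo"
```

Pointed at a real filesystem root (`find / -perm -4000 -type f`), the same test gives the list of setuid programs an administrator should be able to account for; `find / -perm -1000 -type d` confirms that world-writable shared directories such as /tmp actually carry the sticky bit.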
#####################################################
umask
#####################################################
But what will be the access of the new files? What happens when you touch a new file? This is set with umask. This command tells the system what permissions should not be given to new files:
$ umask
0002
This removes write (2) permission for others from new files and directories.
If we need to change umask, it can be done with the same command:
$ umask
0002
$ touch newfile
$ ls -ltrh newfile
-rw-rw-r-- 1 mojtaba mojtaba 0 Feb 8 21:38 newfile
$ mkdir newdir
$ ls -ltrhd newdir
drwxrwxr-x 2 mojtaba mojtaba 4.0K Feb 8 21:38 newdir
$ umask u=rw,g=,o=
$ touch newerfile
$ ls -l newerfile
-rw------- 1 mojtaba mojtaba 0 Feb 8 21:41 newerfile
$ umask
0177
Note how we use u=rw,g=,o= to tell umask (or chmod) exactly what we need.
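The transcripts above show the effect of a umask; the script below is an added example (not from the original notes) that makes the rule explicit. New regular files start from 666 and new directories from 777 (the kernel never grants execute on a freshly created regular file); the umask bits are then cleared from that base. The function expected_mode computes the result, and actual_mode (both names are mine) confirms it by creating an entry under that umask in a temporary directory. It assumes GNU-style `stat -c '%a'`.

```shell
#!/bin/sh
# Added example (not from the original notes): predict and verify the mode a
# new file or directory receives under a given umask.

# expected_mode UMASK KIND  ->  octal mode a new "file" or "dir" will get
expected_mode() {
    mask=$1; kind=$2
    case $kind in
        file) base=0666 ;;   # regular files never get execute at creation
        dir)  base=0777 ;;
        *) echo "kind must be file or dir" >&2; return 1 ;;
    esac
    # "0$mask" forces octal interpretation whether the caller writes 22, 022 or 0022
    printf '%03o\n' $(( base & ~0$mask & 0777 ))
}

# actual_mode UMASK KIND  ->  mode of a freshly created entry under that umask
actual_mode() {
    mask=$1; kind=$2
    tmp=$(mktemp -d) || return 1
    (   # subshell so the umask change does not leak to the caller
        umask "$mask"
        if [ "$kind" = dir ]; then mkdir "$tmp/probe"; else : > "$tmp/probe"; fi
    )
    # permission bits in octal (GNU coreutils / busybox stat; BSD uses stat -f %Lp)
    stat -c '%a' "$tmp/probe"
    rm -rf "$tmp"
}

# Demo with the masks seen in the notes plus two common hardening choices
for m in 0002 0177 022 077; do
    printf 'umask %s: file %s, dir %s (created file really got %s)\n' \
        "$m" "$(expected_mode "$m" file)" "$(expected_mode "$m" dir)" \
        "$(actual_mode "$m" file)"
done
```

A umask of 0002 reproduces the -rw-rw-r-- and drwxrwxr-x entries shown above, and 0177 reproduces -rw-------. For shared systems a default of 027 or 077 is the usual choice, because it stops new files from being world-readable without anyone having to remember a chmod afterwards.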
#####################################################
Changing owner and groups
#####################################################
If you need to change the ownership or group belonging of a file or directory, use the chown command:
$ ls -ltrh newfile
-rw-rw-r-- 1 mojtaba mojtaba 0 Feb 8 21:38 newfile
$ chown root:root newfile
chown: changing ownership of ‘newfile’: Operation not permitted
$ sudo chown root:root newfile
[sudo] password for mojtaba:
$ ls -ltrh newfile
-rw-rw-r-- 1 root root 0 Feb 8 21:38 newfile
A common switch is -R to do the chown recursively, and the general form is chown newuser:newgroup file.
There is also a command specifically for changing the group:
$ sudo chgrp postgres newfile
$ ls -ltrh newfile
-rw-rw-r-- 1 root postgres 0 Feb 8 21:38 newfile
If a user is a member of several groups, she can change her current default group using the newgrp command:
$ touch newfile
$ ls -ltrh newfile
-rw------- 1 mojtaba mojtaba 0 Feb 8 21:53 newfile
$ groups
mojtaba adm cdrom sudo dip plugdev netdev lpadmin sambashare debian-tor
$ newgrp adm
$ touch newerfile
$ ls -ltrh new*
-rw------- 1 mojtaba mojtaba 0 Feb 8 21:53 newfile
-rw------- 1 mojtaba adm 0 Feb 8 21:54 newerfile