Difference between revisions of "Permissions on Linux"
Jump to navigation
Jump to search
(Created page with "== Permissions on Linux == <pre> File permission symbols If you run the command ls -l in your home directory, you will get a list of files that may include something like th...") |
|||
(One intermediate revision by the same user not shown) | |||
Line 294: | Line 294: | ||
If "fs" is not found, or the man pages are not found, your paths are not set up correctly. I recommend you run /usr/local/bin/mknewdotfiles to correct that. | If "fs" is not found, or the man pages are not found, your paths are not set up correctly. I recommend you run /usr/local/bin/mknewdotfiles to correct that. | ||
</pre> | </pre> | ||
== Set File And Directory Permissions using Find Command == | |||
<pre> | |||
This wll set all the directores to 755 and all the files to 644 | |||
find -type d -print | xargs chmod 755 | |||
find -type f -print | xargs chmod 644 | |||
</pre> | |||
== Setting File and Directory Permissions == | |||
<pre> | |||
Setting File/Directory Permissions | |||
The ability to access files, run commands, and change to a directory can be restricted with permission settings for user, group, and other users. When you do a long list (ls -l) of files and directories in Linux, the beginning 10 characters shown indicate what the item is (file, directory, block device, and so on) along with whether or not the item can be read, written, and/or executed. | |||
To follow along with examples in this section, create a directory called /tmp/test and a file called /tmp/test/hello.txt. Then do a long listing of those two items, as follows: | |||
$ mkdir /tmp/test | |||
$ echo "some text" > /tmp/test/hello.txt | |||
$ ls -ld /tmp/test/ /tmp/test/hello.txt | |||
drwxr-xr-x 2 francois sales 4096 Mar 21 13:11 /tmp/test | |||
-rw-r--r-- 2 francois sales 10 Mar 21 13:11 /tmp/test/hello.txt | |||
After creating the directory and file, the first character of the long listing shows /tmp/ test as a directory (d) and hello.txt as a file (-). Other types of files available in Linux that would appear as the first character include character devices (c), block devices (b) or symbolic links (l), named pipes (p), and sockets (s). | |||
The next nine characters represent the permissions set on the file and directory. The first rwx indicates that the owner (francois) has read, write, and execute permissions on the directory. Likewise, the group sales has the more restricted permissions (r-x) with no write permission. Then all other users have only read and execute permissions (r-x); the dash indicates the missing write permission. For the hello.txt file, the user has read and write permissions (rw-) and members of the group and all others have read permission (r--). | |||
When you set out to change permissions, each permission can be represented by an octal number (where read is 4, write is 2, and execute is 1) or a letter (rwx). Generally speaking, read permission lets you view the contents of the directory, write lets you change (add or modify) the contents of the directory, and execute lets you change to (in other words, access) the directory. | |||
If you don't like the permissions you see on files or directories you own, you can change those permissions using the chmod command. | |||
Changing Permissions with chmod | |||
The chmod command lets you change the access permissions of files and directories. Table 4-1 shows several chmod command lines and how access to the directory or file changes. | |||
Table 4-1: Changing Directory and File Access Permissions | |||
chmod command (octal or letters) | |||
Original Permission | |||
New Permission | |||
Description | |||
chmod 0700 | |||
any | |||
drwx------ | |||
The directory's owner can read or write files in that directory as well as change to it. All other users (except root) have no access. | |||
chmod 0711 | |||
any | |||
drwx--x--x | |||
Same as for the owner. All others can change to the directory, but not view or change files in the directory. This can be useful for server hardening, where you prevent someone from listing directory contents, but allow access to a file in the directory if someone already knows it's there. | |||
chmod go+r | |||
drwx------ | |||
drwxr--r-- | |||
Adding read permission to a directory may not give desired results. Without execute on, others can't view the contents of any files in that directory. | |||
chmod 0777 | |||
chmod a=rwx | |||
any | |||
drwxrwxrwx | |||
All permissions are wide open. | |||
chmod 0000 | |||
chmod a-rwx | |||
any | |||
d--------- | |||
All permissions are closed. Good to protect a directory from errant changes. However, backup programs that run as non-root may fail to back up the directory's contents. | |||
chmod 666 | |||
any | |||
-rw-rw-rw- | |||
Open read/write permissions completely on a file. | |||
chmod go-rw | |||
-rw-rw-rw- | |||
-rw------- | |||
Don't let anyone except the owner view, change, or delete the file. | |||
chmod 644 | |||
any | |||
-rw-r--r-- | |||
Only the owner can change or delete the file, but all can view it. | |||
The first 0 in the mode line can usually be dropped (so you can use 777 instead of 0777). That placeholder has special meaning. It is an octal digit that can be used on commands (executables) to indicate that the command can run as a set-UID program (4), run as a set-GID program (2), or become a sticky program (1). With set-UID and set-GID, the command runs with the assigned user or group permissions (instead of running with permission of the user or group that launched the command). | |||
Warning | |||
SUID should not be used on shell scripts. Here is a warning from the Linux Security HOWTO: "SUID shell scripts are a serious security risk, and for this reason the kernel will not honor them. Regardless of how secure you think the shell script is, it can be exploited to give the cracker a root shell." | |||
Having the sticky bit on for a directory keeps users from removing or renaming files from that directory that they don't own (/tmp is an example). Given the right permission settings, however, users can change the contents of files they don't own in a sticky bit directory. The final permission character is t instead of x on a sticky directory. A command with sticky bit on used to cause the command to stay in memory, even while not being used. This is an old Unix feature that is not supported in Linux. | |||
The -R option is a handy feature of the chmod command. With -R, you can recursively change permissions of all files and directories starting from a point in the file system. Here are some examples: | |||
$ sudo chmod -R 700 /tmp/test Open permission only to owner below /tmp/test | |||
$ sudo chmod -R 000 /tmp/test Close all permissions below /tmp/test | |||
$ sudo chmod -R a+rwx /tmp/test Open all permissions to all below /tmp/test | |||
Note that the -R option is inclusive of the directory you indicate. So the permissions above, for example, would change for the /tmp/test directory itself, and not just for the files and directories below that directory. | |||
Setting the umask | |||
Permissions given to a file or directory are assigned originally at the time that item is created. How those permissions are set is based on the user's current umask value. Using the umask command, you can set the permissions given to files and directories when you create them. | |||
$ umask 0066 Make directories drwx--x--x and files -rw------- | |||
$ umask 0077 Make directories drwx------ and files -rw------- | |||
$ umask 0022 Make directories drwxr-xr-x and files -rw-r--r-- | |||
$ umask 0777 Make directories d--------- and files ---------- | |||
Changing Ownership | |||
When you create a file or directory, your user account is assigned to that file or directory. So is your primary group. As root user, you can change the ownership (user) and group assigned to a file to a different user and/or group using the chown and chgrp commands. Here are some examples: | |||
$ chown chris test/ Change owner to chris | |||
$ chown chris:market test/ Change owner to chris and group to market | |||
$ chgrp market test/ Change group to market | |||
$ chown -R chris test/ Change all files below test/ to owner chris | |||
The recursive option to chown (-R) just shown is useful if you need to change the ownership of an entire directory structure. As with chmod, using chown recursively changes permissions for the directory named, along with its contents. You might use chown recursively when a person leaves a company or stops using your web service. You can use chown -R to reassign their entire /home directory to a different user.</pre> | |||
---- | ---- | ||
==[[#Permissions on Linux|Back To Top]]-[[Main_Page| Home]] - [[Ubuntu_Tips|Category]]== | ==[[#Permissions on Linux|Back To Top]]-[[Main_Page| Home]] - [[Ubuntu_Tips|Category]]== |
Latest revision as of 14:16, 17 August 2016
Permissions on Linux
File permission symbols If you run the command ls -l in your home directory, you will get a list of files that may include something like this -rw-r--r-- 1 bob users 1892 Jul 10 18:30 linux_course_notes.txt This basically says, interpreting this from RIGHT to LEFT that the file, linux_course_notes.txt was created at 6:30 PM on July 10 and is 1892 bytes large. It belongs to the group users (i.e, the people who use this computer). It belongs to bob in particular and it is one (1) file. Then come the file permission symbols. Let's look at what these symbols mean: The dashes - separate the permissions into three types The first part refers to the owner's (bob's) permissions. The dash - before the rw means that this is a normal file that contains any type of data. A directory, for example, would have a d instead of a dash. The rw that follows means that bob can read and write to (modify) his own file. That's pretty logical. If you own it, you can do what you want with it. The second part of the these symbols after the second dash, are the permissions for the group. Linux can establish different types of groups for file access. In a one home computer environment anyone who uses the computer can read this file but cannot write to (modify) it. This is a completely normal situation. You, as a user, may want to take away the rights of others to read your file. We'll cover how to do that later. After the two dashes (two here because there is no write permissions for the group) come the overall user permissions. Anyone who might have access to the computer from inside or outside (in the case of a network) can read this file. Once again, we can take away the possibility of people reading this file if we so choose. Let's take a look at some other examples. An interesting place to look at different kinds of file permissions is the /bin directory. Here we have the commands that anybody can use on the Linux system. Let's look at the command for gzip, a file compression utility for Linux. -rwxr-xr-x 1 root root 53468 May 1 1999 gzip As we see here, there are some differences. The program name, date, bytes are all standard. Even though this is obviously different information, the idea is the same as before. The changes are in the owner and group. Root owns the file and it is in the group "root". Root is actually the only member of that group. The file is an executable (program) so that's why the letter x is among the symbols. This file can be executed by everybody: the owner (root), the group (root) and all others that have access to the computer As we mentioned, the file is a program, so there is no need for anybody other than root to "write" to the file, so there is no w permissions for it for anybody but root. If we look at a file in /sbin which are files that only root can use or execute, the permissions would look like this: -rwxr--r-- 1 root root 1065 Jan 14 1999 cron 'cron' is a program on Linux systems that allows programs to be run automatically at certain times and under certain conditions. As we can see here, only root, the owner of the file, is allowed to use this program. There are no xpermissions for the rest of the users. We hope you enjoyed this little walk-through of file permissions in Linux. Now that we know what we're looking for, we can talk about changing certain permissions. chmod chmod is a Linux command that will let you "set permissions" (aka, assign who can read/write/execute) on a file. chmod permissions file chmod permission1_permission2_permission3 file When using chmod, you need to be aware that there are three types of Linux users that you are setting permissions for. Therefore, when setting permissions, you are assigning them for "yourself", "your group" and "everyone else" in the world. These users are technically know as: Owner Group World Therefore, when setting permissions on a file, you will want to assign all three levels of permissions, and not just one user. Think of the chmod command actually having the following syntax... chmod owner group world FileName Now that you understand that you are setting permissions for THREE user levels, you just have to wrap your head around what permissions you are able to set! There are three types of permissions that Linux allows for each file. #read #write #execute Putting it all together: So, in laymen terms, if you wanted a file to be readable by everyone, and writable by only you, you would write the chmod command with the following structure. COMMAND : OWNER : GROUP : WORLD : PATH chmod read & write read read FileName chmod 6 4 4 myDoc.txt Wait! What are those numbers?!? Computers like numbers, not words. Sorry. You will have to deal with it. Take a look at the following output of `ls -l` -rw-r--r-- 1 gcawood iqnection 382 Dec 19 6:49 myDoc.txt You will need to convert the word read or write or execute into the numeric equivalent (octal) based on the table below. 4 – read (r) 2 – write (w) 1 – execute (x) Practical Examples chmod 400 mydoc.txt – read by owner chmod 040 mydoc.txt – read by group chmod 004 mydoc.txt – read by anybody (other) chmod 200 mydoc.txt – write by owner chmod 020 mydoc.txt – write by group chmod 002 mydoc.txt – write by anybody chmod 100 mydoc.txt – execute by owner chmod 010 mydoc.txt – execute by group chmod 001 mydoc.txt – execute by anybody Wait! I don't get it... there aren't enough permissions to do what I want! Good call. You need to add up the numbers to get other types of permissions... So, try wrapping your head around this!! 7 = 4+2+1 (read/write/execute) 6 = 4+2 (read/write) 5 = 4+1 (read/execute) 4 = 4 (read) 3 = 2+1 (write/execute) 2 = 2 (write) 1 = 1 (execute) chmod 666 mydoc.txt – read/write by anybody! (the devil loves this one!) chmod 755 mydoc.txt – rwx for owner, rx for group and rx for the world chmod 777 mydoc.txt – read, write, execute for all! (may not be the best plan in the world...)
File Permissions on Unix
Understanding file permissions on Unix: a brief tutorial (For files on AFS fileservers, see below) Every user on a Unix system has a unique username, and is a member of at least one group (the primary group for that user). This group information is held in the password file (/etc/passwd). A user can also be a member of one or more other groups. The auxiliary group information is held in the file /etc/group. Only the administrator can create new groups or add/delete group members (one of the shortcomings of the system). Every directory and file on the system has an owner, and also an associated group. It also has a set of permission flags which specify separate read, write and execute permissions for the 'user' (owner), 'group', and 'other' (everyone else with an account on the computer) The 'ls' command shows the permissions and group associated with files when used with the -l option. On some systems (e.g. Coos), the '-g' option is also needed to see the group information. An example of the output produced by 'ls -l' is shown below. drwx------ 2 richard staff 2048 Jan 2 1997 private drwxrws--- 2 richard staff 2048 Jan 2 1997 admin -rw-rw---- 2 richard staff 12040 Aug 20 1996 admin/userinfo drwxr-xr-x 3 richard user 2048 May 13 09:27 public Understanding how to read this output is useful to all unix users, but especially people using group access permissions. Field 1: a set of ten permission flags. Field 2: link count (don't worry about this) Field 3: owner of the file Field 4: associated group for the file Field 5: size in bytes Field 6-8: date of last modification (format varies, but always 3 fields) Field 9: name of file (possibly with path, depending on how ls was called) The permission flags are read as follows (left to right) position Meaning 1 directory flag, 'd' if a directory, '-' if a normal file, something else occasionally may appear here for special devices. 2,3,4 read, write, execute permission for User (Owner) of file 5,6,7 read, write, execute permission for Group 8,9,10 read, write, execute permission for Other value Meaning - in any position means that flag is not set r file is readable by owner, group or other w file is writeable. On a directory, write access means you can add or delete files x file is executable (only for programs and shell scripts - not useful for data files). Execute permission on a directory means you can list the files in that directory s in the place where 'x' would normally go is called the set-UID or set-groupID flag. On an executable program with set-UID or set-groupID, that program runs with the effective permissions of its owner or group. For a directory, the set-groupID flag means that all files created inside that directory will inherit the group of the directory. Without this flag, a file takes on the primary group of the user creating the file. This property is important to people trying to maintain a directory as group accessible. The subdirectories also inherit the set-groupID property. The default file permissions (umask): Each user has a default set of permissions which apply to all files created by that user, unless the software explicitly sets something else. This is often called the 'umask', after the command used to change it. It is either inherited from the login process, or set in the .cshrc or .login file which configures an individual account, or it can be run manually. Typically the default configuration is equivalent to typing 'umask 22' which produces permissions of: -rw-r--r-- for regular files, or drwxr-xr-x for directories. In other words, user has full access, everyone else (group and other) has read access to files, lookup access to directories. When working with group-access files and directories, it is common to use 'umask 2' which produces permissions of: -rw-rw-r-- for regular files, or drwxrwxr-x for directories. For private work, use 'umask 77' which produces permissions: -rw------- for regular files, or drwx------ for directories. The logic behind the number given to umask is not intuitive. The command to change the permission flags is "chmod". Only the owner of a file can change its permissions. The command to change the group of a file is "chgrp". Only the owner of a file can change its group, and can only change it to a group of which he is a member. See the online manual pages for details of these commands on any particular system (e.g. "man chmod"). Examples of typical useage are given below: chmod g+w myfile give group write permission to "myfile", leaving all other permission flags alone chmod g-rw myfile remove read and write access to "myfile", leaving all other permission flags alone chmod g+rwxs mydir give full group read/write access to directory "mydir", also setting the set-groupID flag so that directories created inside it inherit the group chmod u=rw,go= privatefile explicitly give user read/write access, and revoke all group and other access, to file 'privatefile' chmod -R g+rw . give group read write access to this directory, and everything inside of it (-R = recursive) chgrp -R medi . change the ownership of this directory to group 'medi' and everything inside of it (-R = recursive). The person issuing this command must own all the files or it will fail. WARNINGS: Putting 'umask 2' into a startup file (.login or .cshrc) will make these settings apply to everything you do unless manually changed. This can lead to giving group access to files such as saved email in your home directory, which is generally not desireable. Making a file group read/write without checking what its group is can lead to accidentally giving access to almost everyone on the system. Normally all users are members of some default group such as "users", as well as being members of specific project-oriented groups. Don't give group access to "users" when you intended some other group. Remember that to read a file, you need execute access to the directory it is in AND read access to the file itself. To write a file, your need execute access to the directory AND write access to the file. To create new files or delete files, you need write access to the directory. You also need execute access to all parent directories back to the root. Group access will break if a parent directory is made completely private. AFS Access Control Lists (ACLs) Files on the central AFS fileservers all have the traditional Unix permissions as explained above, but they are also controlled by Access Control Lists(ACL) which take precedence. They provide access levels more flexible than the user/group/other attribute bits, but they work on the level of complete directories, not files. The command to set and list ACLs is fs. "fs" is a big ugly command that does lots of things related to AFS filesystems depending on the arguments you call it with. For details see the man pages for: fs_setacl, fs_listacl, fs_cleanacl, fs_copyacl For brief help, do (e.g.) "fs help setacl" The default is to give the same permissions to a new directory as are on the parent directory. In practice, this is usually to give complete rights to the owner of the directory, and lookup rights to any other user (equivalent to execute attribute on a directory). To render a directory private, the simplest command is: fs setacl -d DIRNAME -clear -a MYNAME all - replace DIRNAME with the appropriate directory name (or "." for the current directory, and MYNAME with your login name. Check it with: fs listacl DIRNAME It should reply with: Access list for DIRNAME is Normal rights: USERNAME rlidwka (see man fs_setacl for a description of the meaning of the flags "rlidwka") To explicitly give public read/lookup access, use: fs setacl -d DIRNAME -a system:anyuser read This can be abbreviated to fs sa DIRNAME system:anyuser read If "fs" is not found, or the man pages are not found, your paths are not set up correctly. I recommend you run /usr/local/bin/mknewdotfiles to correct that.
Set File And Directory Permissions using Find Command
This wll set all the directores to 755 and all the files to 644 find -type d -print | xargs chmod 755 find -type f -print | xargs chmod 644
Setting File and Directory Permissions
Setting File/Directory Permissions The ability to access files, run commands, and change to a directory can be restricted with permission settings for user, group, and other users. When you do a long list (ls -l) of files and directories in Linux, the beginning 10 characters shown indicate what the item is (file, directory, block device, and so on) along with whether or not the item can be read, written, and/or executed. To follow along with examples in this section, create a directory called /tmp/test and a file called /tmp/test/hello.txt. Then do a long listing of those two items, as follows: $ mkdir /tmp/test $ echo "some text" > /tmp/test/hello.txt $ ls -ld /tmp/test/ /tmp/test/hello.txt drwxr-xr-x 2 francois sales 4096 Mar 21 13:11 /tmp/test -rw-r--r-- 2 francois sales 10 Mar 21 13:11 /tmp/test/hello.txt After creating the directory and file, the first character of the long listing shows /tmp/ test as a directory (d) and hello.txt as a file (-). Other types of files available in Linux that would appear as the first character include character devices (c), block devices (b) or symbolic links (l), named pipes (p), and sockets (s). The next nine characters represent the permissions set on the file and directory. The first rwx indicates that the owner (francois) has read, write, and execute permissions on the directory. Likewise, the group sales has the more restricted permissions (r-x) with no write permission. Then all other users have only read and execute permissions (r-x); the dash indicates the missing write permission. For the hello.txt file, the user has read and write permissions (rw-) and members of the group and all others have read permission (r--). When you set out to change permissions, each permission can be represented by an octal number (where read is 4, write is 2, and execute is 1) or a letter (rwx). Generally speaking, read permission lets you view the contents of the directory, write lets you change (add or modify) the contents of the directory, and execute lets you change to (in other words, access) the directory. If you don't like the permissions you see on files or directories you own, you can change those permissions using the chmod command. Changing Permissions with chmod The chmod command lets you change the access permissions of files and directories. Table 4-1 shows several chmod command lines and how access to the directory or file changes. Table 4-1: Changing Directory and File Access Permissions chmod command (octal or letters) Original Permission New Permission Description chmod 0700 any drwx------ The directory's owner can read or write files in that directory as well as change to it. All other users (except root) have no access. chmod 0711 any drwx--x--x Same as for the owner. All others can change to the directory, but not view or change files in the directory. This can be useful for server hardening, where you prevent someone from listing directory contents, but allow access to a file in the directory if someone already knows it's there. chmod go+r drwx------ drwxr--r-- Adding read permission to a directory may not give desired results. Without execute on, others can't view the contents of any files in that directory. chmod 0777 chmod a=rwx any drwxrwxrwx All permissions are wide open. chmod 0000 chmod a-rwx any d--------- All permissions are closed. Good to protect a directory from errant changes. However, backup programs that run as non-root may fail to back up the directory's contents. chmod 666 any -rw-rw-rw- Open read/write permissions completely on a file. chmod go-rw -rw-rw-rw- -rw------- Don't let anyone except the owner view, change, or delete the file. chmod 644 any -rw-r--r-- Only the owner can change or delete the file, but all can view it. The first 0 in the mode line can usually be dropped (so you can use 777 instead of 0777). That placeholder has special meaning. It is an octal digit that can be used on commands (executables) to indicate that the command can run as a set-UID program (4), run as a set-GID program (2), or become a sticky program (1). With set-UID and set-GID, the command runs with the assigned user or group permissions (instead of running with permission of the user or group that launched the command). Warning SUID should not be used on shell scripts. Here is a warning from the Linux Security HOWTO: "SUID shell scripts are a serious security risk, and for this reason the kernel will not honor them. Regardless of how secure you think the shell script is, it can be exploited to give the cracker a root shell." Having the sticky bit on for a directory keeps users from removing or renaming files from that directory that they don't own (/tmp is an example). Given the right permission settings, however, users can change the contents of files they don't own in a sticky bit directory. The final permission character is t instead of x on a sticky directory. A command with sticky bit on used to cause the command to stay in memory, even while not being used. This is an old Unix feature that is not supported in Linux. The -R option is a handy feature of the chmod command. With -R, you can recursively change permissions of all files and directories starting from a point in the file system. Here are some examples: $ sudo chmod -R 700 /tmp/test Open permission only to owner below /tmp/test $ sudo chmod -R 000 /tmp/test Close all permissions below /tmp/test $ sudo chmod -R a+rwx /tmp/test Open all permissions to all below /tmp/test Note that the -R option is inclusive of the directory you indicate. So the permissions above, for example, would change for the /tmp/test directory itself, and not just for the files and directories below that directory. Setting the umask Permissions given to a file or directory are assigned originally at the time that item is created. How those permissions are set is based on the user's current umask value. Using the umask command, you can set the permissions given to files and directories when you create them. $ umask 0066 Make directories drwx--x--x and files -rw------- $ umask 0077 Make directories drwx------ and files -rw------- $ umask 0022 Make directories drwxr-xr-x and files -rw-r--r-- $ umask 0777 Make directories d--------- and files ---------- Changing Ownership When you create a file or directory, your user account is assigned to that file or directory. So is your primary group. As root user, you can change the ownership (user) and group assigned to a file to a different user and/or group using the chown and chgrp commands. Here are some examples: $ chown chris test/ Change owner to chris $ chown chris:market test/ Change owner to chris and group to market $ chgrp market test/ Change group to market $ chown -R chris test/ Change all files below test/ to owner chris The recursive option to chown (-R) just shown is useful if you need to change the ownership of an entire directory structure. As with chmod, using chown recursively changes permissions for the directory named, along with its contents. You might use chown recursively when a person leaves a company or stops using your web service. You can use chown -R to reassign their entire /home directory to a different user.