Permissions

The Prolog... Intro...


Permissions are one of the key elements to the security of the linux/unix system. Practically everything in the linux world has permissions associated with it because in linux practically everthing is a file. Although permissions can be a pain to deal with... especially when breaking new ground... permissions pretect us. And not just from outside foes like hackers but also from ourselves. With file permissions, we can prevent ourselves from making mistakes that could damage or compromise a system.

CREATED 2012-11-15 16:03:10.0

00-17-B3

UPDATED 2016-11-26 14:57:31.0

The Basic Permissions...


-rw------- 1 jimbob users 15244 Nov 25 14:09 test.txt

There are basically three types of permissions to grant: Read, Write and eXecute. The linux system stores an octal value i.e. base 8, to store permissions by assigning values to each of them.

Permission Octal Value Letter Value Description
Read 4 r Allows the ability to read the file or directory.
Write 2 w Allows the ability to write or modify a file.
Execute 1 x Give the ability to execute a file or directory.

To store the permisions the value for each permission is added together. For example: to give read and write permissions to a file, the value of read (4) and the value for write (2) is added together to make the value 6. By assigning the value of 6 to the file it would then give read and write permissions. Read and eXecute would be 4 for read + 1 for execute = 5 and so on.

So lets say we wanted to set the permissions of text.txt to read and write only. A Directory of this file would look like this.

The block on the left is the permissions. Mostly dashes and a whole lot more than read, write and execute. The first position is a dash which means this is a regular file. If it was a d that would indicate a directory.

The next three positions are the permissions for the owner of the file... jimbob. The rw- indicates that Jimbob has read and write permissions for the file test.txt.

CREATED 2012-11-15 16:42:20.0

00-17-B6

UPDATED 2016-11-26 18:15:51.0

Permission Groups...


-rw-rw---- 1 jimbob users 15244 Nov 25 14:09 test.txt -rw-rw-r-- 1 jimbob users 15244 Nov 25 14:09 test.txt

Permissions come in three sets which is why there are so many dashes. There are 10 positions. The first is for the type and the remaing 9 are for these three groups:

  • The file owner - jimbob
  • The group the file is associated to - users
  • Everyone elese

So Jim Bob has given himself read and write permissions by assigning a value of 6 to the file owner. Lets say that Jim Bob needed to share this file with Mary Sue and that Mary Sue was in the same group that this file is associated with, users. Jim Bob could give permissions to Mary Sue by assigning permissions to the group users . Currently the group has no permissions which is why following the file owners permissions -rw- are three more dashes. So after assigning read and write permissions, a value of 6, to Mary Sue by way of the group users the permissions now looks like this:

The second set of permissions are for the group associated with the file users which means that now, any one in the group users like Mary Sue, can read and write this file.

The last set of dashes are for permissions for those that are not the owner and not in the group users that the file test.txt is associated with. Sometimes refered to as the world because it is for anyone that has a logon to the system.

So if Jim Bob wanted to let everyone else read the file but not write to it i.e. modify the contents he could assign a value of 4.

CREATED 2012-11-15 16:43:12.0

00-17-B7

UPDATED 2012-11-15 16:43:23.0

Assigning Permissions...


chmod [options] mode chmod 0662

To assign permissions to a file or directory use the chmod command. The format:

Where options is command line switches and mode the permissions to set. chmod takes a 4 digit perameter which the last three are applied to the owner, group and other permission groups.

For example, for Jim Bob to set the permissions for test.txt above:

The second number 6 sets the owners permissions to read and write, read (4) + write (2) = 6. The third number sets the groups permissions to read and write as well while the fourth number sets the others permissions to read only (2).

chmod doesn't have very many options, see the man pages for a complete list. These are a few.

  • -c, --change - output what is going on when changes are made
  • -v, --verbose - output what it is doing
  • --reference=filename - use the mode of filename
  • -R, --recursive - change files and directories recursively

CREATED 2016-11-26 21:31:15.0

00-26-D5

UPDATED 2016-11-26 21:31:24.0

The Sticky Bit...


chmod o+t [filename] chmod 1744 [filename]

The sticky bit or rather the restriction bit restricts any user from renaming or deleting a file unless they own it. The sticky bit can be set in one of two ways.

The ever popular sybolic way:

or the old fashion octal way...

Although there is no difference bettween the two types, you can not always remove special permissions using the octal notation.

CREATED 2019-01-12 22:16:50.0

007-00-00-B6

UPDATED 2019-01-12 22:17:20.0

About Paths...


/usr/share/tomcat

To access a path in the file system, the user needs to have Execute permissions on all the directories in the path. Example: to reach the path...

The user would need execute permission on usr and share and tomcat

CREATED 2012-11-15 16:43:54.0

00-17-B8

UPDATED 2019-01-12 22:17:28.0

Set UID/GID...


chmod o+s [filename] chmod u+s [filename]

Setting the UID and GID are different than the sticky bit although often confused. Setting UID and GID will ensure that when a program is executed it will run with the permissions of the owner (UID) or the group (GID).

As with the sticky bit there are two ways to change it. The ever popular sybolic way...

and the old fashion octal way...

This one takes on two different statuses depending on wheather the eXecute attribute is set on or off. On is a lower case s while off is an uppercase S .

NOTE: You need to do this as root. or it won't work.

CREATED 2019-01-12 22:34:19.0

007-00-00-B7

UPDATED 2019-01-12 22:34:46.0

An Easier Method...


chmod u+rw test.txt chmod g+rw test.txt chmod o+r test.txt

Instead of dealing with numbers one can use letters to modify permissions with chmod. First there are three letters that apply to the groups:

  • u - user
  • g - group
  • o - other

Next there are three letters that apply to the permissions themselves:

  • r - read
  • w - write
  • x - execute

Now to put this all together. For the file test.txt, JimBob could have set them this way.




CREATED 2016-11-26 22:07:56.0

00-26-D6

UPDATED 2019-01-12 22:34:47.0

To See Permissions...


To see file permisions on a single file or directory use the stat command...

   File: `test.txt'  Size: 0 Blocks: 0 IO Block: 4096 regular empty file Device: 801h/2049d Inode: 2359402 Links: 1 Access: (0664/-rw-rw-r--) Uid: ( 1000/ jimbob) Gid: ( 1000/ jimbob) Access: 2016-11-26 19:05:03.270734594 -0700 Modify: 2016-11-26 19:05:03.270734594 -0700 Change: 2016-11-26 19:05:52.494979096 -0700  Birth: -   																

Lot of stuff... but check out line 4. Access: (0664/-rw-rw-r--) Uid: (1000/jimbob) Gid:(1000/ jimbob) In the parenthesis is the access rights, first by number and second by group written out. 0664 is the number assigned to the permission while three gourps of rwx indicate the permissions for each group (owner/group/all others). The dashes indicate the privledge is not assigned.

CREATED 2012-11-15 16:47:03.0

00-17-B9

UPDATED 2019-01-12 22:34:48.0

DBID: db.wam

Page Server: Ruger

©2012 Leistware Data Systems

      Hello anonymous