[linuxkernelnewbies] Introduction to Unix file permissions

Wed, 11 Mar 2009 08:47:15 -0700

http://oldfield.wattle.id.au/luv/permissions.html

Back to LUV presentations

Introduction to Unix file permissions

Talk presented by Kim Oldfield to the Linux Users of Victoria Inc. on Tuesday, December 2, 2003.

Basic attributes of a file

  • owner, eg kim
  • group, eg users
  • permission bits, eg rw-r--r--
  • special bits, eg d,l,c

Users

  • Name: eg kim
  • Number (uid), used internally by the kernel: eg 1006
  • Defined in /etc/passwd. eg
    kim:x:1006:100:Kim Oldfield,,,:/home/kim:/bin/bash
    The columns in /etc/passwd are:
    1. Username
    2. Encrypted password, or 'x' if the password hash is stored in /etc/shadow
    3. User ID, uid - number for this user
    4. Group ID, gid - number for the default group for this user
    5. Full name, or other description
    6. User's home directory, typically /home/username, but can be anywhere.
    7. User's shell

To find out your current username and uid, primary group an gid, and additional groups you are a member of run id.

bash> id
uid=1006(kim) gid=1006(kim) groups=1006(kim),4(adm),29(audio)
Commands
chown user file Change the owner of file to user
chown user.group file Change file's owner to user and group to group.

chown can only be used by root.

Groups

  • Name: eg users
  • Number (gid): eg 100, used internally by the kernel
  • Defined in /etc/group
    audio:x:29:kim,jason
    The columns in /etc/group are:
    1. Group name, eg audio
    2. Encrypted group password, or 'x' if the password hash is stored in /etc/gshadow
    3. Group number (gid), eg 29
    4. List of user name for people who are members of this group
Commands
chgrp group file Change file's group to group.

Adding users or groups

All of these commands require that you are root. To become root from an ordinary user run su and enter the root password when prompted.

Commands
adduser Adds a users. You will be prompted for the username, password, full name, and other details.
vipw Edit /etc/password. This locks the file, and does some sanity checking on your changes before making them permanent. /etc/shadow can be edited with vipw -s
addgroup Create a new group. You will be prompted for the name.
adduser username groupname
  Adds username to the group groupname
vigr Edit /etc/group. This locks the file, and does some sanity checking on your changes before making them permanent. /etc/gshadow can be edited with vigr -s

Changes to group membership take place the next time you login.

Permission bits - an example

bash> ls -l /etc/shadow
-rw-r-----  1 root shadow  680 Nov  2 18:49 shadow

Each of these characters correspond to type, and permissions for the user, group, and others.

The first '-' indicates that this is a regular file.

'rw-' indicates that the owner of the file (root), is able to read an write to the file. The '-' indicates that root is not allowed to run the file.

'r--' indicates that anyone who is a member of the group 'shadow' is able to read to the file.

'---' indicates that anyone who is not root and not a member of the group 'shadow' (ie 'others') are not able to read or write to the file.

Permissions

ls shows permissions as a 10 character string, for example -rw-r--r--. The characters can be interpreted as TUUUGGGOOO where:

T Type
UUU Rights for the owner of the file
GGG Rights for users in the group
OOO Rights for others, not listed above

T is one of:

- file
d directory
c character device
b block device
l symbolic link

Character and block devices are usually in /dev

The permissions on a symbolic link are always lrwxrwxrwx. This means that anyone can see where the links points. Who can read, write, or execute the file (or directory or device) the link points to is determined by the permissions on that file, not the link.

Each of the permission triplets, UUU, GGG, and OOO, can consist of:

File permissions:
r allows reading
w allows writing
x allows execution (*)

Directory permissions:
r allows reading of files, size, etc
w allows creating and deleting of files (see also t below)
x allows access to files and directories below if you take away x that stops access to the directory, files, and all sub directories
Commands
chmod g+r file Allow group to read
chmod u+w file Allow user to write
chmod a+x file Allow everyone (user, group, and other) to execute
chmod o-r file Disallow others to read
chmod ug+r file Disallow others to read
chmod g+w,o-r file Allow group write, disallow other read
chmod u=rw file Set user permissions to read and write.

Octal numerical representation

Add up the values for the rights required.

r 4
w 2
x 1

For example: converting rwxr-x--- to octal:
7 = 4+2+1 = r + w + x
5 = 4+1 = r + x (not write)
0 = no rights
So rwxr-x--- is 750 in octal.

Octal values can be given to chmod, so chmod 750 file

Set uid and set gid on files

When run Unix executables can use the effective rights of a different user or group. This is shown by having an 's' rather than 'x'. For example: 

bash> ls -l /bin/su
-rwsr-xr-x  1 root   root    22904 Apr 27  2003 /bin/su

When su is run it runs with the same rights as the user root.

Any program which is suid or sgid must be written very carefully to make sure that it can not be abused by malicious users to do things they shouldn't.

Commands
chmod u+s Set the suid bit
chmod u-s Clear the suid bit
chmod g+s Set the sgid bit
chmod g-s Clear the sgid bit

Set uid and set gid on directories

Set gid on a directory means that all new files and directories created in that directory will have the same group as that directory.

When set gid is not set on a directory then the group used for new files and directories is the default group for that user.

Does anyone know what suid on a directory does?

The sticky bit - /tmp directory

Normally (without 't') any user who has write permission to a directory can delete any files in the directory regardless of who owns it, even if they can't read or write to the file.

With 't' set, only the owner of a file can delete it.

This is used on /tmp

bash> ls -ld /tmp
drwxrwxrwt  8 root   root    4096 Nov  2 19:27 /tmp
Commands
chmod +t directory Set the sticky bit on a directory
chmod -t directory Remove the sticky bit from a directory

umask - default permissions

The logical not of your umask is used as the default permission for files or directories created by you.

A typical umask is 002, not(002) = 775 (in octal). 775 corresponds to rwxrwxr-x, or the owner and group can read, write, and execute, while others can only read or execute, but not run. Where the file isn't executable rw-rw-r-- will be used.

Most Linux distributions will configure a group for every user, eg my username is kim, and there is also a group kim, of which I am the only member. The default mask is 0002 so by default all files I create are group writable, but this isn't a problem as I'm the only person in the group.

If you have a group of people (eg staff) who you would like to be able to write to a directory tree then change the base directory group to staff, and chmod g+s. Assuming each user has a umask of 0002 then all files and directories created will be writable by everyone in group.

Commands
umask display current umask
umask 002 set umask to 002

More information

For more information about any of the commands or files mentioned earlier see the appropriate man page. Note that most commands are in section 1 of the manual, while section 5 details file formats.

Commands
man 1 passwd View the man page for the passwd(1) command.
man 5 passwd View the man page for the passwd(5) file.
man -a passwd View the all man pages for passwd.
man chmod View the man page for the chmod(1) command.

This presentation is available from http://oldfield.wattle.id.au/luv/permissions.html

Reply via email to