Ict-innovation/LPI/104.5

= 104.5 Manage File Permissions and Ownership =

Candidates should be able to control file access through the proper use of permissions and ownerships.

Key Knowledge Areas


 * Manage access permissions on regular and special files as well as directories.
 * Use access modes such as suid, sgid and the sticky bit to maintain security.
 * Know how to change the file creation mask.
 * Use the group field to grant file access to group members.

File and Directory Permissions

Access to directories and files on Linux is controlled by a simple file permissions system. Every file or directory has permissions for the file owner, for the group to which the file belongs, and for others, that is, users who are not the owner and do not belong to that group. The permissions are known as the access mode of the file or directory and can be viewed by running the ls -l command.

File access modes are displayed symbolically as groups of 3 letters or numerically as a set of 3 octal digits, but represent a 9-bit number, with each bit representing an access right.

The extract above is from running the ls -l command on the /etc directory. When a file is created it is owned by the user who created the file and assigned to the default group of the owner.

Symbolic and Octal Notation



Permissions can be read=r, write=w and execute=x. The octal values of these permissions are listed in the next table.

Octal and symbolic permissions.

Permissions apply to the user, the group and to others. An item has a set of 3 grouped permissions for each of these categories.

How to read a 755 or -rwxr-xr-x permission
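As an added example (not part of the original page), the shell functions below convert between the two notations for the nine rwx bits, using the bit values read = 4, write = 2, execute = 1. The function names are illustrative, and special bits are deliberately not handled here.

```shell
#!/bin/sh
# Added example: convert between octal and symbolic permission notation.
# Covers only the 9 rwx bits (user, group, other); no suid/sgid/sticky.

# digit_to_rwx 5 -> r-x   (4 = read, 2 = write, 1 = execute)
digit_to_rwx() {
    d=$1 out=
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s' "$out"
}

# octal_to_symbolic 755 -> rwxr-xr-x
octal_to_symbolic() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got: $1" >&2; return 1 ;;
    esac
    u=${1%??}; rest=${1#?}; g=${rest%?}; o=${1#??}
    printf '%s%s%s\n' "$(digit_to_rwx "$u")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$o")"
}

# symbolic_to_octal rwxr-xr-x -> 755
# Also accepts the 10-character form from ls -l (leading file-type character).
symbolic_to_octal() {
    s=$1 result=
    if [ "${#s}" -eq 10 ]; then s=${s#?}; fi
    if [ "${#s}" -ne 9 ]; then
        echo "expected nine permission characters, got: $1" >&2; return 1
    fi
    while [ -n "$s" ]; do
        triple=$(printf '%s' "$s" | cut -c1-3)
        s=${s#???}
        n=0
        case $triple in r??) n=$((n + 4)) ;; esac
        case $triple in ?w?) n=$((n + 2)) ;; esac
        case $triple in ??x) n=$((n + 1)) ;; esac
        result="$result$n"
    done
    printf '%s\n' "$result"
}

octal_to_symbolic 755
symbolic_to_octal -rw-rw-r--
```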

The Standard Permissions & UMASK

UNIX systems create files and directories with standard permissions as follows:

Standard permission for:

 * Files: 666 (-rw-rw-rw-)
 * Directories: 777 (-rwxrwxrwx)

Every user has a defined umask that alters the standard permissions. The umask applies only at the point at which the file is created. The umask has an octal value and is subtracted(*) from the octal standard permissions to give the file's permission (this permission doesn't have a name and could be called the file's effective permission).

(*) While subtraction works in most cases, it should be noted that technically the standard permissions and the umask are combined as follows:

On systems where users belong to separate groups, the umask can have a value of 002.

For systems which place all users in the users group, the umask is likely to be 022 so that files do not have group write access by default.
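The following added example (not from the original page) computes the creation mode as the standard permission ANDed with the bitwise complement of the umask, compares it with plain subtraction, and confirms the result on real files in a temporary directory. The function names are illustrative; umask 033 is a constructed case where subtraction gives the wrong answer.

```shell
#!/bin/sh
# Added example: creation mode = standard permission AND (NOT umask).

# effective_mode BASE UMASK -> resulting octal mode (bitwise rule)
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# naive_subtract BASE UMASK -> result of the subtraction shortcut
naive_subtract() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# created_modes UMASK -> "filemode dirmode" as shown by ls, from real objects.
# Runs in a subshell so the caller's umask is left untouched.
created_modes() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    umask "$1"
    touch "$dir/file"
    mkdir "$dir/subdir"
    f=$(ls -ld "$dir/file" | cut -c1-10)
    d=$(ls -ld "$dir/subdir" | cut -c1-10)
    printf '%s %s\n' "$f" "$d"
)

for m in 022 002 027 033; do
    printf 'umask %s: file %s (subtraction gives %s), created: %s\n' \
        "$m" "$(effective_mode 666 "$m")" "$(naive_subtract 666 "$m")" \
        "$(created_modes "$m")"
done
```

With umask 033 the file mode is 644, while subtraction would suggest 633: a umask bit that is not set in the standard permission has nothing to clear.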

Changing permissions and owners
From the previous figure we see that permissions can be acted upon with chmod. There are 3 categories of ownership for each file and directory:

u: user

g: group

o: other

Example:

-rw-rw-r-- 1 jade sales 24880 Oct 25 17:28 libcgic.a

Changing Permissions with chmod:

Changing user and group with chown and chgrp :

NOTE:

A useful option for chmod, chown and chgrp is -R, which recursively changes ownership and permissions through all files and directories indicated.

Special Permissions

SUID Permissions

An executable can be assigned a special permission which will always make it run as the owner of this file. This permission is called SUID meaning 'set user ID'. It has a symbolic value s or a numerical value 4000.

Administrative tools may have the SUID bit set in order to allow non-root users to change system files.

For example the passwd command can be run by any user and will interactively change his or her current password. This password will be saved to /etc/shadow. However this file belongs to user root with typical permissions of 600.

This problem has been solved by setting the SUID bit on passwd hence forcing it to run as user root with the correct permissions to modify /etc/shadow.

The SUID on passwd

NOTE:

The SUID bit is shown in symbolic form in the command above. It is possible to get more information about a file using stat as well as seeing the octal representation of the permissions as follows:

The next examples are dangerous. Why?

SGID permissions
The SGID is a permission similar to SUID that is set for group members. The symbolic value is s and the octal value is 2000.

Setting SGID on a directory changes the group ownership used for files subsequently created in that directory to the directory's group ownership. There is no need to use newgrp to change the effective group of the process prior to file creation.

Examples:

The sticky bit

The sticky bit permission with value 1000 has the following effect:


 * Applied to a directory, it prevents users from deleting files unless they are the owner (ideal for directories shared by a group, or for /tmp).
 * Applied to a file, this used to cause the file or executable to be loaded into memory and caused later access or execution to be faster. The symbolic value for an executable file is t. It was supported in some versions of Unix but is not used in Linux.

Examples:
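The added example below (not from the original page) sets the SUID, SGID and sticky bits described in the sections above on constructed sample files in a temporary directory, shows how ls displays each case, and lists every entry carrying a special bit, as one would when auditing a directory tree. File and function names are illustrative.

```shell
#!/bin/sh
# Added example: special bits as ls shows them, plus a simple audit with find.
# Lowercase s/t: the execute bit in that position is also set.
# Uppercase S/T: the special bit is set but the execute bit is not.

# mode_of PATH -> the 10-character mode string from ls -l
mode_of() { ls -ld "$1" | cut -c1-10; }

# make_samples DIR: constructed sample entries, one per case
make_samples() {
    touch "$1/plain" "$1/suid_exec" "$1/suid_noexec"
    mkdir "$1/shared" "$1/dropbox" "$1/private_sticky"
    chmod 644  "$1/plain"           # no special bits
    chmod 4755 "$1/suid_exec"       # SUID with owner execute    -> s
    chmod 4644 "$1/suid_noexec"     # SUID without owner execute -> S
    chmod 2775 "$1/shared"          # SGID directory for a group
    chmod 1777 "$1/dropbox"         # sticky, same mode as /tmp  -> t
    chmod 1770 "$1/private_sticky"  # sticky without o+x         -> T
}

# find_special DIR: entries with SUID (4000), SGID (2000) or sticky (1000) set
find_special() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -print | sort
}

demo_dir=$(mktemp -d) || exit 1
make_samples "$demo_dir"
for name in plain suid_exec suid_noexec shared dropbox private_sticky; do
    printf '%-16s %s\n' "$name" "$(mode_of "$demo_dir/$name")"
done
echo "Entries with a special bit:"
find_special "$demo_dir"
rm -rf "$demo_dir"
```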

Used files, terms and utilities:


 * chmod
 * umask
 * chown
 * chgrp
