5.3 Lesson 1
Certificate: |
Linux Essentials |
---|---|
Version: |
1.6 |
Topic: |
5 Security and File Permissions |
Objective: |
5.3 Managing File Permissions and Ownership |
Lesson: |
1 of 1 |
Introduction
Being a multi-user system, Linux needs some way to track who owns each file and whether or not a user is allowed to perform actions on that file. This is to ensure the privacy of users who might want to keep the content of their files confidential, as well as to ensure collaboration by making certain files accessible to multiple users.
This is done through a three-level permissions system: every file on disk is owned by a user and a user group and has three sets of permissions: one for its owner, one the group who owns the file and one for everyone else. In this lesson, you will learn how to query the permissions for a file and how to manipulate them.
Querying Information about Files and Directories
The command ls
is used to get a listing of the contents of any directory. In this basic form, all you get are the filenames:
$ ls Another_Directory picture.jpg text.txt
But there is much more information available for each file, including type, size, ownership and more. To see this information you must ask ls
for a “long form” listing, using the -l
parameter:
$ ls -l total 536 drwxrwxr-x 2 carol carol 4096 Dec 10 15:57 Another_Directory -rw------- 1 carol carol 539663 Dec 10 10:43 picture.jpg -rw-rw-r-- 1 carol carol 1881 Dec 10 15:57 text.txt
Each column on the output above has a meaning:
-
The first column on the listing shows the file type and permissions.
For example, on
drwxrwxr-x
:-
The first character,
d
, indicates the file type. -
The next three characters,
rwx
, indicate the permissions for the owner of the file, also referred to as user oru
. -
The next three characters,
rwx
, indicate the permissions of the group owning the file, also referred to asg
. -
The last three characters,
r-x
, indicate the permissions for anyone else, also known as others oro
.
-
-
The second column indicates the number of hard links pointing to that file. For a directory, this means the number of subdirectories, plus a link to itself (
.
) and the parent directory (..
). -
The third and fourth columns show ownership information: respectively the user and group that own the file.
-
The fifth column shows the filesize, in bytes.
-
The sixth column shows the precise date and time, or timestamp, when the file was last modified.
-
The seventh and last column shows the file name.
If you wish to see the filesizes in “human readable” format, add the -h
parameter to ls
. Files less than one kilobyte in size will have the size shown in bytes. Files with more than one kilobyte and less than one megabyte will have a K
added after the size, indicating the size is in kilobytes. The same follows for filesizes in the megabyte (M
) and gigabyte (G
) ranges:
$ ls -lh total 1,2G drwxrwxr-x 2 carol carol 4,0K Dec 10 17:59 Another_Directory ----r--r-- 1 carol carol 0 Dec 11 10:55 foo.bar -rw-rw-r-- 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip -rw------- 1 carol carol 528K Dec 10 10:43 picture.jpg ---xr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh -rwxr--r-- 1 carol carol 1,9K Dec 20 18:13 text.txt -rw-rw-r-- 1 carol carol 2,6M Dec 11 22:14 Zipped.zip
To only show information on a specific set of files, add the names of these files to ls
:
$ ls -lh HugeFile.zip test.sh total 1,2G -rw-rw-r-- 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip ---xr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh
What about Directories?
If you try to query information about a directory using ls -l
, it will show you a listing of the directory contents instead:
$ ls -l Another_Directory/ total 0 -rw-r--r-- 1 carol carol 0 Dec 10 17:59 another_file.txt
To avoid this and query information about the directory itself, add the -d
parameter to ls
:
$ ls -l -d Another_Directory/ drwxrwxr-x 2 carol carol 4096 Dec 10 17:59 Another_Directory/
Seeing Hidden Files
The directory listing we have retrieved using ls -l
before is incomplete:
$ ls -l total 544 drwxrwxr-x 2 carol carol 4096 Dec 10 17:59 Another_Directory -rw------- 1 carol carol 539663 Dec 10 10:43 picture.jpg -rw-rw-r-- 1 carol carol 1881 Dec 10 15:57 text.txt
There are three other files in that directory, but they are hidden. On Linux, files whose name starts with a period (.
) are automatically hidden. To see them we need to add the -a
parameter to ls
:
$ ls -l -a total 544 drwxrwxr-x 3 carol carol 4096 Dec 10 16:01 . drwxrwxr-x 4 carol carol 4096 Dec 10 15:56 .. drwxrwxr-x 2 carol carol 4096 Dec 10 17:59 Another_Directory -rw------- 1 carol carol 539663 Dec 10 10:43 picture.jpg -rw-rw-r-- 1 carol carol 1881 Dec 10 15:57 text.txt -rw-r--r-- 1 carol carol 0 Dec 10 16:01 .thisIsHidden
The file .thisIsHidden
is simply hidden because its name starts with .
.
The directories .
and ..
however are special. .
is a pointer to the current directory, while ..
is a pointer to the parent directory (the directory which contains the current directory). In Linux, every directory contains at least these two special directories.
Tip
|
You can combine multiple parameters for |
Understanding Filetypes
We have already mentioned that the first letter in each output of ls -l
describes the type of the file. The three most common file types are:
-
(normal file)-
A file can contain data of any kind. Files can be modified, moved, copied and deleted.
d
(directory)-
A directory contains other files or directories and helps to organize the file system. Technically, directories are a special kind of file.
l
(soft link)-
This “file” is a pointer to another file or directory elsewhere in the filesystem.
In addition to those, there are three other file types that you should at least know about, but are out of scope for this lesson:
b
(block device)-
This file stands for a virtual or physical device, usually disks or other kinds of storage devices. For example, the first hard disk in the system might be represented by
/dev/sda
. c
(character device)-
This file stands for a virtual or physical device. Terminals (like the main terminal on
/dev/ttyS0
) and serial ports are common examples of character devices. s
(socket)-
Sockets serve as “conduits” passing information between two programs.
Warning
|
Do not alter any of the permissions on block devices, character devices or sockets, unless you know what you’re doing. This may prevent your system from working! |
Understanding Permissions
In the output of ls -l
the file permissions are shown right after the filetype, as three groups of three characters each, in the order r
, w
and x
. Here is what they mean. Keep in mind that a dash -
represents the lack of a particular permission.
Permissions on Files
r
-
Stands for read and has an octal value of
4
(don’t worry, we will discuss octals shortly). This means permission to open a file and read its contents. w
-
Stands for write and has an octal value of
2
. This means permission to edit or delete a file. x
-
Stands for execute and has an octal value of
1
. This means that the file can be run as an executable or script.
So, for example, a file with permissions rw-
can be read and written to, but cannot be executed.
Permissions on Directories
r
-
Stands for read and has an octal value of
4
. This means permission to read the directory’s contents, like filenames. But it does not imply permission to read the files themselves. w
-
Stands for write and has an octal value of
2
. This means permission to create or delete files in a directory, or change their names, permissions and owners. If a user has the write permission on a directory, the user can change permissions of any file in the directory, even if the user has no permissions on the file or if the file is owned by another user. x
-
Stands for execute and has an octal value of
1
. This means permission to enter a directory, but not to list its files (for that, ther
permission is needed).
The last bit about directories may sound a bit confusing. Let’s imagine, for example, that you have a directory named Another_Directory
, with the following permissions:
$ ls -ld Another_Directory/ d--xr-xr-x 2 carol carol 4,0K Dec 20 18:46 Another_Directory
Also imagine that inside this directory you have a shell script called hello.sh
with the following permissions:
-rwxr-xr-x 1 carol carol 33 Dec 20 18:46 hello.sh
If you are the user carol
and try to list the contents of Another_Directory
, you will get an error message, as your user lacks read permission for that directory:
$ ls -l Another_Directory/ ls: cannot open directory 'Another_Directory/': Permission denied
However, the user carol
does have execute permissions, which means that she can enter the directory. Therefore, the user carol
can access files inside the directory, as long as she has the correct permissions for the respective file. In this example, the user has full permissions for the script hello.sh
, so she can run the script, even if she can’t read the contents of the directory containing it. All that is needed is the complete filename.
$ sh Another_Directory/hello.sh Hello LPI World!
As we said before, permissions are specified in sequence: first for the owner of the file, then for the owning group, and then for other users. Whenever someone tries to perform an action on the file, the permissions are checked in the same fashion. First the system checks if the current user owns the file, and if this is true it applies the first set of permissions only. Otherwise, it checks if the current user belongs to the group owning the file. In that case, it applies the second set of permissions only. In any other case, the system will apply the third set of permissions. This means that if the current user is the owner of the file, only the owner permissions are effective, even if the group or other permissions are more permissive than the owner’s permissions.
Modifying File Permissions
The command chmod
is used to modify the permissions for a file, and takes at least two parameters: the first one describes which permissions to change, and the second one points to the file or directory where the change will be made. However, the permissions to change can be described in two different ways, or “modes”.
The first one, called symbolic mode offers fine grained control, allowing you to add or revoke a single permission without modifying others on the set. The other mode, called numeric mode, is easier to remember and quicker to use if you wish to set all permission values at once.
Both modes will lead to the same end result. So, for example, the commands:
$ chmod ug+rw-x,o-rwx text.txt
and
$ chmod 660 text.txt
will produce exactly the same output, a file with the permissions set:
-rw-rw---- 1 carol carol 765 Dec 20 21:25 text.txt
Now, let’s understand how each mode works.
Symbolic Mode
When describing which permissions to change in symbolic mode the first character(s) indicate(s) whose permissions you will alter: the ones for the user (u
), for the group (g
), for others (o
) and/or for all the three together (a
).
Then you need to tell the command what to do: you can grant a permission (+
), revoke a permission (-
), or set it to a specific value (=
).
Lastly, you specify which permission you wish to affect: read (r
), write (w
), or execute (x
).
For example, imagine we have a file called text.txt
with the following permission set:
$ ls -l text.txt -rw-r--r-- 1 carol carol 765 Dec 20 21:25 text.txt
If you wish to grant write permissions to members of the group owning the file, you would use the g+w
parameter. It is easier if you think about it this way: “For the group (g
), grant (+
) write permissions (w
)”. So, the command would be:
$ chmod g+w text.txt
Let’s check the result with ls
:
$ ls -l text.txt -rw-rw-r-- 1 carol carol 765 Dec 20 21:25 text.txt
If you want to remove read permissions for the owner of the same file, think about it as: “For the user (u
) revoke (-
), read permissions (r
)”. So the parameter is u-r
, like so:
$ chmod u-r text.txt $ ls -l text.txt --w-rw-r-- 1 carol carol 765 Dec 20 21:25 text.txt
What if we want to set the permissions exactly as rw-
for everyone? Then think of it as: “For all (a
), set exactly (=
), read (r
), write (w
), and no execute (-
)”. So:
$ chmod a=rw- text.txt $ ls -l text.txt -rw-rw-rw- 1 carol carol 765 Dec 20 21:25 text.txt
Of course, it is possible to modify multiple permissions at the same time. In this case, separate them with a comma (,
):
$ chmod u+rwx,g-x text.txt $ ls -lh text.txt -rwxrw-rw- 1 carol carol 765 Dec 20 21:25 text.txt
The example above can be read as: “For the user (u
), grant (+
) read, write and execute (rwx
) permissions, for the group (g
) revoke (-
), execute permissions (x
)”.
When run on a directory, chmod
modifies only the directory’s permissions. chmod
has a recursive mode, useful when you want to change the permissions for “all files inside a directory and its subdirectories”. To use this, add the parameter -R
after the command name and before the permissions to change, like so:
$ chmod -R u+rwx Another_Directory/
This command can be read as: “Recursively (-R
), for the user (u
), grant (+
) read, write and execute (rwx
) permissions”.
Warning
|
Be careful and think twice before using the |
Numeric Mode
In numeric mode, the permissions are specified in a different way: as a three-digit numeric value on octal notation, a base-8 numeric system.
Each permission has a corresponding value, and they are specified in the following order: first comes read (r
), which is 4
, then write (w
), which is 2
and last is execute (x
), represented by 1
. If there is no permission, use the value zero (0
). So, a permission of rwx
would be 7
(4+2+1
) and r-x
would be 5
(4+0+1
).
The first of the three digits on the permission set represents the permissions for the user (u
), the second for the group (g
) and the third for the other (o
). If we wanted to set the permissions for a file to rw-rw----
, the octal value would be 660
:
$ chmod 660 text.txt $ ls -l text.txt -rw-rw---- 1 carol carol 765 Dec 20 21:25 text.txt
Besides this, the syntax in numeric mode is the same as in symbolic mode, the first parameter represents the permissions you wish to change, and the second one points to the file or directory where the change will be made.
Tip
|
If a permission value is odd, the file surely is executable! |
Which syntax to use? The numeric mode is recommended if you want to change the permissions to a specific value, for example 640
(rw- r-- ---
).
The symbolic mode is more useful if you want to flip just a specific value, regardless of the current permissions for the file. For example, I can add execute permissions for the user using just chmod u+x script.sh
without regard to, or even touching, the current permissions for the group and others.
Modifying File Ownership
The command chown
is used to modify the ownership of a file or directory. The syntax is quite simple:
chown username:groupname filename
For example, let’s check a file called text.txt
:
$ ls -l text.txt -rw-rw---- 1 carol carol 1881 Dec 10 15:57 text.txt
The user who owns the file is carol
, and the group is also carol
. Now, let’s modify the group owning the file to some other group, like students
:
$ chown carol:students text.txt $ ls -l text.txt -rw-rw---- 1 carol students 1881 Dec 10 15:57 text.txt
Keep in mind that the user who owns a file does not need to belong to the group who owns a file. In the example above, the user carol
does not need to be a member of the students
group. However, she does have to member of the group in order to transfer the file’s group ownership to that group.
User or group can be omitted if you do not wish to change them. So, to change just the group owning a file you would use chown :students text.txt
. To change just the user, the command would be chown carol text.txt
. Alternatively, you could use the command chgrp students text.txt
to change only the group.
Unless you are the system administrator (root), you cannot change ownership of a file owned by another user or a group that you don’t belong to. If you try to do this, you will get the error message Operation not permitted
.
Querying Groups
Before changing the ownership of a file, it might be useful to know which groups exist on the system, which users are members of a group and to which groups a user belongs. Those tasks can be accomplished with two commands, groups
and groupmems
.
To see which groups exist on your system, simply type groups
:
$ groups carol students cdrom sudo dip plugdev lpadmin sambashare
And if you want to know to which groups a user belongs, add the username as a parameter:
$ groups carol carol : carol students cdrom sudo dip plugdev lpadmin sambashare
To do the reverse, displaying which users belong to a group, use groupmems
. The parameter -g
specifies the group, and -l
will list all of its members:
$ sudo groupmems -g cdrom -l carol
Tip
|
|
Special Permissions
Besides the read, write and execute permissions for user, group and others, each file can have three other special permissions which can alter the way a directory works or how a program runs. They can be specified either in symbolic or numeric mode, and are as follows:
Sticky Bit
The sticky bit, also called the restricted deletion flag, has the octal value 1
and in symbolic mode is represented by a t
within the other’s permissions. This applies only to directories, and on Linux it prevents users from removing or renaming a file in a directory unless they own that file or directory.
Directories with the sticky bit set show a t
replacing the x
on the permissions for others on the output of ls -l
:
$ ls -ld Sample_Directory/ drwxr-xr-t 2 carol carol 4096 Dec 20 18:46 Sample_Directory/
In numeric mode, the special permissions are specified using a “4-digit notation”, with the first digit representing the special permission to act upon. For example, to set the sticky bit (value 1
) for the directory Another_Directory
in numeric mode, with permissions 755
, the command would be:
$ chmod 1755 Another_Directory $ ls -ld Another_Directory drwxr-xr-t 2 carol carol 4,0K Dec 20 18:46 Another_Directory
Set GID
Set GID, also known as SGID or Set Group ID bit, has the octal value 2
and in symbolic mode is represented by an s
on the group permissions. This can be applied to executable files or directories. On executable files, it will grant the process resulting from executing the file access to the privileges of the group who owns the file. When applied to directories, it will make every file or directory created under it inherit the group from the parent directory.
Files and directories with SGID bit show an s
replacing the x
on the permissions for the group on the output of ls -l
:
$ ls -l test.sh -rwxr-sr-x 1 carol carol 33 Dec 11 10:36 test.sh
To add SGID permissions to a file in symbolic mode, the command would be:
$ chmod g+s test.sh $ ls -l test.sh -rwxr-sr-x 1 carol root 33 Dec 11 10:36 test.sh
The following example will make you better understand the effects of SGID on a directory. Suppose we have a directory called Sample_Directory
, owned by the user carol
and the group users
, with the following permission structure:
$ ls -ldh Sample_Directory/ drwxr-xr-x 2 carol users 4,0K Jan 18 17:06 Sample_Directory/
Now, let’s change to this directory and, using the command touch
, create an empty file inside it. The result would be:
$ cd Sample_Directory/ $ touch newfile $ ls -lh newfile -rw-r--r-- 1 carol carol 0 Jan 18 17:11 newfile
As we can see, the file is owned by the user carol
and group carol
. But, if the directory had the SGID permission set, the result would be different. First, let’s add the SGID bit to the Sample_Directory
and check the results:
$ sudo chmod g+s Sample_Directory/ $ ls -ldh Sample_Directory/ drwxr-sr-x 2 carol users 4,0K Jan 18 17:17 Sample_Directory/
The s
on the group permissions indicates that the SGID bit is set. Now, let’s change to this directory and, again, create an empty file with the touch
command:
$ cd Sample_Directory/ $ touch emptyfile $ ls -lh emptyfile -rw-r--r-- 1 carol users 0 Jan 18 17:20 emptyfile
As we can see, the group who owns the file is users
. This is because the SGID bit made the file inherit the group owner of its parent directory, which is users
.
Set UID
SUID, also known as Set User ID, has the octal value 4
and is represented by an s
on the user permissions in symbolic mode. It only applies to files and its behavior is similar to the SGID bit, but the process will run with the privileges of the user who owns the file. Files with the SUID bit show an s
replacing the x
on the permissions for the user on the output of ls -l
:
$ ls -ld test.sh -rwsr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh
You can combine multiple special permissions in one parameter by adding them together. So, to set SGID (value 2
) and SUID (value 4
) in numeric mode for the script test.sh
with permissions 755
, you would type:
$ chmod 6755 test.sh
And the result would be:
$ ls -lh test.sh -rwsr-sr-x 1 carol carol 66 Jan 18 17:29 test.sh
Tip
|
If your terminal supports color, and these days most of them do, you can quickly see if these special permissions are set by glancing at the output of |
Guided Exercises
-
Create a directory named
emptydir
using the commandmkdir emptydir
. Now, usingls
, list the permissions for the directoryemptydir
. -
Create an empty file named
emptyfile
with the commandtouch emptyfile
. Now, usingchmod
with symbolic notation, add execute permissions for the owner of the fileemptyfile
, and remove write and execute permissions for everyone else. Do this using only onechmod
command. -
What will be the permissions for a file called
text.txt
after you use the commandchmod 754 text.txt
? -
Let’s assume a file named
test.sh
is a shell script with the following permissions and ownership:-rwxr-sr-x 1 carol root 33 Dec 11 10:36 test.sh
-
What are the permissions for the owner of the file?
-
If the user
john
runs this script, under which user’s privileges will it be run? -
Using the numeric notation, which should be the syntax of chmod to “unset” the special permission granted to this file?
-
-
Consider this file:
$ ls -l /dev/sdb1 brw-rw---- 1 root disk 8, 17 Dec 21 18:51 /dev/sdb1
Which kind of file is
sdb1
? And who can write to it? -
Consider the following 4 files:
drwxr-xr-t 2 carol carol 4,0K Dec 20 18:46 Another_Directory ----r--r-- 1 carol carol 0 Dec 11 10:55 foo.bar -rw-rw-r-- 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip drwxr-sr-x 2 carol users 4,0K Jan 18 17:26 Sample_Directory
Write down the corresponding permissions for each file and directory using numeric 4-digit notation.
Another_Directory
-
foo.bar
-
HugeFile.zip
-
Sample_Directory
-
Explorational Exercises
-
Try this on a terminal: create an empty file called
emptyfile
with the commandtouch emptyfile
. Now “zero out” the permissions for the file withchmod 000 emptyfile
. What will happen if you change the permissions foremptyfile
by passing only one value forchmod
in numeric mode, such aschmod 4 emptyfile
? What if we use two, such aschmod 44 emptyfile
? What can we learn about the waychmod
reads the numerical value? -
Can you execute a file for which you have execute, but not read permissions (
--x
)? Why or why not? -
Consider the permissions for the temporary directory on a Linux system,
/tmp
:$ ls -l /tmp drwxrwxrwt 19 root root 16K Dec 21 18:58 tmp
User, group and others have full permissions. But can a regular user delete any files inside this directory? Why is this?
-
A file called
test.sh
has the following permissions:-rwsr-xr-x
, meaning the SUID bit is set. Now, run the following commands:$ chmod u-x test.sh $ ls -l test.sh -rwSr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh
What did we do? What does the uppercase
S
mean? -
How would you create a directory named
Box
where all the files are automatically owned by the groupusers
, and can only be deleted by the user who created them?
Summary
As a multi-user system, Linux needs a way to track who owns and who can access each file. This is done through a three-level permissions system, and in this lesson we learned all about how this system works.
In this lesson you have learned how use ls
to get information about file permissions, how to control or change who can create, delete or modify a file with chmod
, both in numeric and symbolic notation and how to change the ownership of files with chown
and chgrp
.
The following commands were discussed in this lesson:
ls
-
List files, optionally including details such as permissions.
chmod
-
Change the permissions of a file or directory.
chown
-
Change the owning user and/or group of a file or directory.
chgrp
-
Change the owning group of a file or directory.
Answers to Guided Exercises
-
Create a directory named
emptydir
using the commandmkdir emptydir
. Now, usingls
, list the permissions for the directoryemptydir
.Add the
-d
parameter tols
to see the file attributes of a directory, instead of listing its contents. Therefore the answer is:ls -l -d emptydir
Bonus points if you merged the two parameters in one, as in
ls -ld emptydir
. -
Create an empty file named
emptyfile
with the commandtouch emptyfile
. Now, usingchmod
in symbolic notation, add execute permissions for the owner of the fileemptyfile
, and remove write and execute permissions for everyone else. Do this using only onechmod
command.Think about it this way:
-
“For the user who owns the file (
u
) add (+
) execute (x
) permissions”, sou+x
. -
“For the group (
g
) and other users (o
), remove (-
) write (w
) and execute (x
) permissions”, sogo-wx
.To combine these two sets of permissions, we add a comma between them. So the final result is:
chmod u+x,go-wx emptyfile
-
-
What will be the permissions of a file called
text.txt
after I use the commandchmod 754 text.txt
?Remember that in numeric notation each digit represents a set of three permissions, each one with a respective value: read is
4
, write is2
, execute is1
and no permission is0
. We get the value for a digit by adding the corresponding values for each permission.7
is4+2+1
, orrwx
,5
is4+0+1
, sor-x
and4
is just read, orr--
. The permissions fortext.txt
would berwxr-xr--
-
Let’s assume a file named
test.sh
is a shell script with the following permissions and ownership:-rwxr-sr-x 1 carol root 33 Dec 11 10:36 test.sh
-
What are the permissions for the owner of the file?
The permissions for the owner (2nd to 4th characters in the output of
ls -l
) arerwx
, so the answer is: “to read, to write to and to execute the file”. -
If the user
john
runs this script, under which user’s privileges will it be run?Pay attention to the permissions for the group. They are
r-s
, which means the SGID bit is set. The group who owns this file isroot
, so the script, even when started by a regular user, will be run with root privileges. -
Using the numeric notation, which should be the syntax of chmod to “unset” the special permission granted to this file?
We can “unset” the special permissions by passing a 4th digit,
0
, tochmod
. The current permissions are755
, so the command should bechmod 0755
.
-
-
Consider this file:
$ ls -l /dev/sdb1 brw-rw---- 1 root disk 8, 17 Dec 21 18:51 /dev/sdb1
Which kind of file is
sdb1
? And who can write to it?The first character of the output from
ls -l
shows the kind of file.b
is a block device, usually a disk (internal or external), connected to the machine. The owner (root
) and any users of the groupdisk
can write to it. -
Consider the following 4 files:
drwxr-xr-t 2 carol carol 4,0K Dec 20 18:46 Another_Directory ----r--r-- 1 carol carol 0 Dec 11 10:55 foo.bar -rw-rw-r-- 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip drwxr-sr-x 2 carol users 4,0K Jan 18 17:26 Sample_Directory
Write down the corresponding permissions for each file and directory using 4-digit numeric notation.
The corresponding permissions, in numeric notation, are as follows:
Another_Directory
-
Answer:
1755
1
for the sticky bit,755
for the regular permissions (rwx
for the user,r-x
for group and others). foo.bar
-
Answer:
0044
No special permissions (so the first digit is
0
), no permissions for the user (---
) and just read (r—r--
) for group and others. HugeFile.zip
-
Answer:
0664
No special permissions, so the first digit is
0
.6
(rw-
) for the user and group,4
(r--
) for the others. Sample_Directory
-
Answer:
2755
2
for the SGID bit,7
(rwx
) for the user,5
(r-x
) for the group and others.
Answers to Explorational Exercises
-
Try this on a terminal: create an empty file called
emptyfile
with the commandtouch emptyfile
. Now “zero out” the permissions for the file withchmod 000 emptyfile
. What will happen if you change the permissions foremptyfile
by passing only one value forchmod
in numeric notation, such aschmod 4 emptyfile
? What if we use two, such aschmod 44 emptyfile
? What can we learn about the waychmod
reads the numerical value?Remember that we “zeroed out” the permissions for
emptyfile
. So, its initial state would be:---------- 1 carol carol 0 Dec 11 10:55 emptyfile
Now, let’s try the first command,
chmod 4 emptyfile
:$ chmod 4 emptyfile $ ls -l emptyfile -------r-- 1 carol carol 0 Dec 11 10:55 emptyfile
The permissions for others were changed. And what if we try two digits, such as
chmod 44 emptyfile
?$ chmod 44 emptyfile $ ls -l emptyfile ----r--r-- 1 carol carol 0 Dec 11 10:55 emptyfile
Now, the permissions for group and others were affected. From this, we can conclude that in numeric notation
chmod
reads the value “backwards”, from the least significant digit (others) to the most significant one (user). If you pass one digit, you modify the permissions for others. With two digits you modify group and others, and with three you modify user, group and others and with four digits you modify user, group, others and the special permissions. -
Can you execute a file for which you have execute, but not read permissions (
--x
)? Why or why not?At first, the answer seems obvious: If you have execute permission, the file should run. This applies to programs in binary format that are executed directly by the kernel. However, there are programs (e.g. shell scripts) that must first be read and interpreted, so in these cases the read permission (
r
) must also be set. -
Consider the permissions for the temporary directory on a Linux system,
/tmp
:$ ls -l /tmp drwxrwxrwt 19 root root 16K Dec 21 18:58 tmp
User, group and others have full permissions. But can a regular user delete any files inside this directory? Why is this?
/tmp
is what we call a world writeable directory, meaning that any user can write to it. But we don’t want one user modifying files created by others, so the sticky bit_ is set (as indicated by thet
on the permissions for others). This means that a user can delete files in/tmp
, but only if they created that file. -
A file called
test.sh
has the following permissions:-rwsr-xr-x
, meaning the SUID bit is set. Now, run the following commands:$ chmod u-x test.sh $ ls -l test.sh -rwSr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh
What did we do? What does the uppercase
S
mean?We removed execute permissions for the user who owns the file. The
s
(ort
) takes the place of thex
on the output ofls -l
, so the system needs a way to show if the user has execute permissions or not. It does this by changing the case of the special character.A lowercase
s
on the first group of permissions means that the user who owns the file has execute permissions and that the SUID bit is set. An uppercaseS
means that the user who owns the file lacks (-
) execute permissions and that the SUID bit is set.The same can be said for SGID. A lowercase
s
on the second group of permissions means that the group who owns the file has execute permissions and that the SGID bit is set. An uppercaseS
means that the group who owns the file lacks (-
) execute permissions and that the SGID bit is set.This is also true for the sticky bit, represented by the
t
in the third group of permissions. Lowercaset
means the sticky bit is set and that others have execute permissions. UppercaseT
means the sticky bit is set and that others do not have execute permissions. -
How would you create a directory named
Box
where all the files are automatically owned by the groupusers
, and can only be deleted by the user who created them?This is a multi-step process. The first step is to create the directory:
$ mkdir Box
We want every file created inside this directory to be automatically assigned to the group
users
. We can do this by setting this group as the owner of the directory, and then by setting the SGID bit on it. We also need to make sure that any member of the group can write to that directory.Since we do not care about what the other permissions are, and want to “flip” only the special bits, it makes sense to use the symbolic mode:
$ chown :users Box/ $ chmod g+wxs Box/
Note that if you current user does not belong to the group
users
, you will have to use the commandsudo
before the commands above to do the change as root.Now for the last part, making sure that only the user who created a file is allowed to delete it. This is done by setting the sticky bit (represented by a
t
) on the directory. Remember that it is set on the permissions for others (o
).$ chmod o+t Box/
The permissions on the directory
Box
should appear as follows:drwxrwsr-t 2 carol users 4,0K Jan 18 19:09 Box
Of course, you can specify SGID and the sticky bit using only one
chmod
command:$ chmod g+wxs,o+t Box/
Bonus points if you thought of that.