File system permissions in Linux distributions


One critical component of the Linux OS that every sysadmin must master is file system permissions. If you are familiar with file permissions under Windows, you will find many common elements in UNIX/Linux systems. The permission model is simpler than the Windows one, and once you have understood the principles behind it, everything else will be much easier to digest.
By now we’ve learned that everything in Linux is displayed and treated as a file, which means that each object must carry permissions for the users interacting with the operating system. Each file has three permission categories present at all times, as follows:
  • owner – the user that owns the file (initially the user that created it) and the one who has the right to change its permissions. root can modify every file on the system but, as always, it is not recommended to use root as a day-to-day account
  • group – the single group that has permissions on the file. By putting several users in one group you grant permissions to all of them at once. The group works much like a Windows group, but a file can carry only one group
  • others – like Everyone in Windows, this category covers every user that is neither the owner nor a member of the file’s group

 

Each file or directory can have three main permissions, and these are similar to Windows:
  • read – the user/group can open the file and read its content but cannot modify it. For directories, read allows listing the directory’s entries
  • write – the user/group can modify the file’s content. For directories, write allows creating, renaming and deleting entries inside it (together with execute, see next)
  • execute – the user/group can run the file as a program or script. For directories, execute means the directory can be entered (cd) and its entries accessed by name; with read but no execute you get the names of the entries but cannot open or stat them
Besides these standard permissions, each file or directory can receive three more “special” permissions:
  • set UID – the program runs with the effective user ID of the file’s owner instead of the user that started it; in effect every user that executes it impersonates the owner. If the owner is root, any bug in such a program is a direct route to root privileges, so setuid-root binaries deserve close scrutiny
  • set GID – the program runs with the effective group ID of the file’s group. On a directory, new files and subdirectories created inside it inherit the directory’s group instead of the creator’s primary group
  • sticky – on a directory, an entry can be renamed or deleted only by the owner of that entry, by the owner of the directory or by root, even if other users have write permission on the directory. This permission is mostly used on shared, world-writable directories such as /tmp, where many accounts write into the same place
Remember that the permissions set on a file do not control renaming or deleting that file: those operations are governed by the write (and execute) permission on the parent directory.
To change the ownership of a file we use the following commands:
  1. chown – change the owner of the file (chown user:group file sets owner and group at once)
  2. chgrp – change the group of the file
On Linux only root can give a file to another owner; a regular user may change the group of a file they own, but only to a group they are a member of. Both commands accept -h to act on a symbolic link itself instead of its target, and -R to apply the change recursively to everything under the given path.
To change the permission bits themselves you use the chmod command. There are two ways in which we can express the permissions:
Symbolic notation
In this method we use symbols to add, remove or set permissions on a file. These symbols are:
  • the entity whose permissions we modify: u=user/owner, g=group, o=others and a=all three at once
  • the action executed on the file: + adds the listed permissions, – removes them and = sets exactly the listed permissions, replacing whatever was there
  • the rights being configured: r=read, w=write, x=execute, s=setuid/setgid (used with u or g), t=sticky
Several changes can be combined in one command by separating them with commas.
Numeric notation
Using this method we assign permissions as numbers. Each permission group (owner, group, others) is represented by three bits, i.e. one octal digit.
Suppose we have the following example:
-rw-r--r--.  1 root root    10 Jan 29 02:15 f1
  • the first group rw- represents the owner permissions
  • the second group r-- represents the group permissions
  • the third group r-- represents the others permissions
The leading - is the file type (a regular file; d would be a directory), and the trailing . after the permissions only indicates that the file carries an SELinux security context.

Each set is composed of the three permission types (read, write, execute) in exactly this order. Each permission is worth 2 raised to the power of its position, counting from the right, so the least significant bit is the rightmost one:
r (read) – 2^2 = 4
w (write) – 2^1 = 2
x (execute) – 2^0 = 1
To give the owner all three permissions we add the numbers up: 4+2+1 = 7
Based on this principle, if we want to assign read, write and execute permissions to a file for the owner only, we type chmod 700 f1, which changes the permissions as follows:
-rwx------.  1 root root    10 Jan 29 02:15 f1
If we want to extend these permissions and give the group read and write only, we type chmod 760 f1:
-rwxrw----. 1 root root 10 Jan 29 02:15 f1
Now let’s add read permission for the others: chmod 764 f1
-rwxrw-r--. 1 root root 10 Jan 29 02:15 f1
For the special permissions, the numeric notation adds a fourth digit in front of the three regular ones:
set UID = 4000
set GID = 2000
sticky = 1000
Add them up like the regular bits: chmod 4755 f1 yields -rwsr-xr-x, a setgid directory shared by a team would be chmod 2775, and a world-writable directory with the sticky bit (the classic /tmp) is 1777. In the ls output the special bits show up in the execute column as s (owner or group) and t (others); an uppercase S or T means the special bit is set while the corresponding execute bit is not, which is usually a sign of a mistake.
Default permissions for newly created files and directories are controlled by the umask, a “mask” of the bits to take away: a new file starts from 666 and a new directory from 777, and every bit set in the mask is cleared from that base. With the common default mask 022, files are created as 644 and directories as 755; with the stricter 027, as 640 and 750; with 077, as 600 and 700. Running umask without arguments prints the current mask of your shell (it is a property of the process, not of any file), and umask followed by a value sets it for that shell and for the programs it starts.
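The following shell script is an added example and is not code from the original post. It ties the numeric notation, the special bits and the umask discussion together: it converts the rwx column of ls -l into a four-digit octal mode (the leading digit is the special-bit digit, so 764 appears as 0764 and a setuid binary as 4755), exercises chmod in numeric and symbolic form on a throwaway file, runs the find check a sysadmin uses to locate setuid/setgid files, and predicts the mode a given umask produces before verifying it on a real file and directory. It assumes a POSIX shell with ls, cut, find, mktemp and chmod; the function names perm_to_octal, mode_of, find_special, apply_umask and demo are my own, not a standard tool.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh plus
# ls, cut, find, mktemp and chmod. All function names are my own.

# Convert a nine-character permission string ("rwxr-x---") into a
# four-digit octal mode ("0750"). The setuid, setgid and sticky bits
# appear in the three execute columns as s/S, s/S and t/T; uppercase
# means the special bit is set while execute is not.
perm_to_octal() {
    rest=$1
    [ ${#rest} -eq 9 ] || { echo "perm_to_octal: need 9 characters, got '$rest'" >&2; return 1; }
    special=0 digits='' n=0 pos=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first remaining character
        rest=${rest#?}                 # drop it
        slot=$((pos % 3))              # 0=read 1=write 2=execute column
        case $pos in                   # value of the special bit for this triple
            0|1|2) bit=4 ;;            # owner  -> setuid  (4000)
            3|4|5) bit=2 ;;            # group  -> setgid  (2000)
            *)     bit=1 ;;            # others -> sticky  (1000)
        esac
        case "$slot$c" in
            0r)       n=$((n + 4)) ;;
            1w)       n=$((n + 2)) ;;
            2x)       n=$((n + 1)) ;;
            2s|2t)    n=$((n + 1)); special=$((special + bit)) ;;
            2S|2T)    special=$((special + bit)) ;;
            0-|1-|2-) ;;
            *) echo "perm_to_octal: unexpected '$c' at position $((pos + 1))" >&2; return 1 ;;
        esac
        if [ $slot -eq 2 ]; then digits="$digits$n"; n=0; fi
        pos=$((pos + 1))
    done
    echo "$special$digits"
}

# Octal mode of a path, read from the first column of ls -ld. Only
# characters 2-10 are used, so a trailing '+' (ACL) or '.' (SELinux
# label) after the permissions does not disturb the parse.
mode_of() {
    perm_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# Regular files under a directory carrying setuid or setgid: the audit
# run periodically over /usr and /bin to spot unexpected privileged
# binaries.
find_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Mode a new object gets under a umask: the base (666 for files, 777
# for directories) with every bit present in the mask cleared.
apply_umask() {
    printf '%04o\n' "$(( 0$1 & ~0$2 ))"
}

demo() {
    dir=$(mktemp -d) || return 1
    f=$dir/f1
    : > "$f"
    # numeric notation first, then a symbolic change applied on top
    for m in 700 760 764 4755 'g+w,o-rx'; do
        chmod "$m" "$f"
        printf 'chmod %-10s -> %s  %s\n' "$m" "$(mode_of "$f")" "$(ls -ld "$f" | cut -c1-10)"
    done
    printf 'setuid/setgid files under %s: %s\n' "$dir" "$(find_special "$dir")"
    # umask: predict the modes, then create a file and a directory and check
    printf 'umask 027 predicts file %s dir %s\n' "$(apply_umask 666 027)" "$(apply_umask 777 027)"
    (cd "$dir" && umask 027 && : > f2 && mkdir d2)
    printf 'umask 027 produced  file %s dir %s\n' "$(mode_of "$dir/f2")" "$(mode_of "$dir/d2")"
    rm -rf "$dir"
}

demo
```

Run it with sh; nothing needs root, because chmod only requires owning the file and the setuid bit can be set on your own file even though it has no effect there. The symbolic step after 4755 leaves the owner’s s in place, which is why find_special still reports the file: clearing a setuid bit takes an explicit u-s (or a numeric mode with a 0 leading digit), something to remember when “tightening” a binary with g-w,o-rwx and assuming the rest is fine.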
