104.5 Manage File Permissions and Ownership
Candidates should be able to control file access through the proper use of permissions and ownerships.
Key Knowledge Areas
- Manage access permissions on regular and special files as well as directories.
- Use access modes such as suid, sgid and the sticky bit to maintain security.
- Know how to change the file creation mask.
- Use the group field to grant file access to group members.
File and Directory Permissions
Access to directories and files on Linux is controlled by a simple file permissions systems. Every file/directory has permissions for the file owner, the group to which the file belongs and other, that is users who are not the owner and do not belong to the group to which the file belongs. The permissions are known as the access mode of file/directory and can be viewed by running the ls -l command.
File access modes are displayed symbolically as group of 3 letters or numerically as a set of 3 octal digits, but represent a 9 bit number, with each bit representing an access right.
| drwxr-xr-x 3 root root 4.0K 2009-10-27 20:03 hal
-rw-r--r-- 1 root root 4.7K 2009-10-06 22:45 hdparm.conf
-rw-r--r-- 1 root root 92 2009-04-27 11:56 host.conf
-rw-r--r-- 1 root root 4 2010-02-13 01:03 hostname
-rw-r--r-- 1 root root 292 2010-06-24 11:57 hosts
-rw-r--r-- 1 root root 579 2009-10-27 20:12 hosts.allow
The extract above is from running the ls -l command on the
/etc directory. When a file is created it is owned by the user who created the file and assigned to the default group of the owner.
Symbolic and Octal Notation
Permissions can be read=r, write=w and execute=x. The octal values of these permissions are listed in the next table.
Octal and symbolic permissions.
Permissions apply to the user, the group and to others. An item has a set of 3 grouped permissions for each of these categories.
How to read a 755 or -rwxr-xr-x permission
The Standard Permissions & UMASK
UNIX system create files and directories with standard permissions as follows:
Standard permission for:
Every user has a defined umask that alters the standard permissions. The umask applies only at the point at which the file is created. The umask has an octal value and is subtracted(*) from the octal standard permissions to give the file's permission (this permission doesn't have a name and could be called the file's effective permission).
(*) While subtraction works in most cases, it should be noted that technically the standard permissions and the umask are combined as follows:
On systems where users belong to separate groups, the umask can have a value of 002.
For systems which place all users in the users group, the umask is likely to be 022 so that files do not have group write access by default.
Changing permissions and owners
From the previous figure we see that permissions can be acted upon with chmod. There are 3 categories of ownership for each file and directory:
-rw-rw-r-- 1 jade sales 24880 Oct 25 17:28 libcgic.a
Changing Permissions with chmod:
#chmod g=r,o-r libcgic.a
#chmod g+w libcgic.a
Changing user and group with chown and chgrp :
#chown root libcgic.a
#chgrp apache libcgic.a
A useful option for chmod, chown and chgrp is –R which recursively changes ownership and permissions through all files and directories indicated.
An executable can be assigned a special permission which will always make it run as the owner of this file. This permission is called SUID meaning 'set user ID'. It has a symbolic value s or a numerical value 4000.
Administrative tools may have the SUID bit set in order to allow non-root users to change system files.
For example the passwd command can be run by any user and will interactively change his or her current password. This password will be saved to /etc/shadow. However this file belongs to user root with typical permissions of 600.
This problem has been solved by setting the SUID bit on passwd hence forcing it to run as user root with the correct permissions to modify /etc/shadow.
The SUID on passwd
# ls -l $(which passwd)
-r-s--x--x 1 root root 18992 Jun 6 2003 /usr/bin/passwd
The SUID bit is shown in symbolic form in the command above. It is possible to get more information about a file using stat as well as seeing the octal representation of the permissions as follows:
# stat /usr/bin/passwd
Size: 18992 Blocks: 40 IO Block: 4096 regular file
Device: 305h/773d Inode: 356680 Links: 1
Access: (4511/-r-s--x--x) Uid: ( 0/ root) Gid: ( 0/ root)
|WARNING! WARNING! WARNING!|
|The SUID permission is often associated with security issues. Here is an example that illustrates this.|
|1. A user would like to read user root' s mail. For this he changes the MAIL environment variable as follows:|
# export MAIL=/var/spool/mail/root
|2. The user then uses the command mail, hoping to see something!|
|So far it doesn't work. This would be too easy!|
|But if root can be convinced to set the SUID bit on mail the previous commands would allow any user to read anybody's mail (including root).|
The next examples are dangerous. Why?
#chmod 4755 /bin/cat
#chmod u+s /bin/grep
The SGID is a permission similar to SUID that is set for group members. The symbolic value is s and the octal value of 2000.
Setting SGID on a directory changes the group ownership used for files subsequently created in that directory to the directory's group ownership. No need to use newgrp to change the effective group of the process prior to file creation.
#chmod 2755 /home/data
#chmod g+s /bin/wc
The sticky bit
The sticky bit permission with value 1000 has the following effect:
- Applied to a directory it prevents users from deleting files unless they are the owner (ideal for directories shared by a group, or for /tmp
- Applied to a file this used to cause the file or executable to be loaded into memory and caused later access or execution to be faster. The symbolic value for an executable file is t . It was supported in some versions of Unix but is not used in Linux.
#chmod 1666 /data/store.txt
#chmod o+t /home/students
Used files, terms and utilities: