104.5 Manage file permissions and ownership

Manage access permissions on regular and special files as well as directories.

Use Access Modes such as SUID, SGID and the Sticky Bit to maintain Security

Know How to change the file creation mask

Use the group filed to grant access to group members

Commands : chmod, umask, chown, chgrp

Permissions can be set at the user , group, and other levels

ls -l

shows files and permissions

Understanding File Permisssions

-rw-rw-r—

<leading Character>{owner permission}{group permission}{other’s permission}

<leading Character>{[read bit][write bit][execute bit]}{[read bit][write bit][execute bit]}{[read bit][write bit][execute bi]}

<leading Character> ‘-’ for files and ‘d’ for directories

Above is also interpreted as follows in Octal.

664

r = 4

w = 2

x = 7

‘chmod’ command modifies permission of files and folders

chmod u-w myfile

Takes write permission from user/owner of ‘myfile’

chmod o+w myfile

Add write permission to others

chmod +x myfile

Add executable permission for user, group and other

chmod -R g+r /usr/files

Add read permission to group for all files under /usr/files

chmod ugo+w  myfile

add write permission to all on myfile

Note: ls -lhart /usr/files/*

Shows all attributes under a directory

chmod -R 644 /mydir

modify permissions to all sub directories recursively

‘chown’ command modifies the owner, group or both for files and directories.

chown user1 myfile

Change owner to user1 for myfile

chown users:user1 myfile

Change owner of myfile to user1 and group to users

chown -R users:user1 /user/*

Change owner of myfile and group to users for all files under /user/

Use Access Modes such as SUID, SGID and the Sticky Bit to maintain Security

SUID and SGUID helps regular users to execute programs with  the permission of the root user

‘chattr’ and ‘lsattr’ are used to change and view file attributes.

chattr

chattr +i myfile

set immutable bit. When a file is in immutable mode it is not removable.

chattr +a myfile

set appendable bit. Remind here that ‘>’ create file, ‘>>’ append to file.

chattr -R +i /user/*

Modify(Recursively) all files under /user/ into immutable.

lsattr

lsattr myfile

Shows attribute bits of myfile

lsattr -a /users/*

Shows attributes of all files under /users/directory

Sticky bit protects files and directories so that only root and owner can rename or delete them.

Forces file to remain in memory instead loading from disk.  

Only the owner or root can rename or delete the file

chmod +t myotherfile

Set sticky bit

chmod u+s myotherfile

Set myotherfile to be executed by users with root privileges.

chmod g+s myoherfile

Set myotherfile to be execute by groups with root privileges

Know How to change the file creation mask

The umask command used to set default permissions for new files and directories.

Umask values can be set with three or four digits

Thee digits is typical

Four digits used when setting special permissions

Each bit set in umask command removes that bit in new files or directories.

So, umask tells which permission should NOT be given to new files and directories.

umask u=rw,g=r,o=r

When new files get created users can read and write, groups can read, others can read.

umask

Shows existing options in octal

umask -S

Shows existing options in characters.

umask ugo=r

New files only readable by all.

Use the group filed to grant access to group members

Managing files or directory access at group level is more efficient rather than managing at the user level.

‘chown’ changes user and group, ‘chgrp’ changes only the group.

chgrp users /files/myfile.txt

chgrp -R users /files/*