Working with Permissions
Permissions determine how users can access resources on a system. System security is configured by the user’s UID (User ID), his GIDs (Group ID), (both primary and secondary), and the permissions on the object she is attempting to access.
Permission Trio Bits
The figure below shows the 10 positions (1 type bit and 3 trios of permission bits) that make up the permissions section of a file.
The first bit of the 10 shown is the type of object:
- – —- Used for normal files
- l —- Used for symlinks that point to other objects
- b —- Used for block device files
- c —- Used for character devices
- d —- Used for directory
The next nine bits are the permission trios. Each of the trios affects a certain set of users with its permissions. To determine which permissions a user has to a given object, begin from the left and as soon as a match is made, that trio alone is the permissions that are in effect for that user. Here are the trios:
- user —- If the user is the user owner, this is the permission trio in effect.
- group —- If the user’s primary or secondary groups are this group, but only if that user is not the user owner, this is the permission trio in effect.
- other —- If the user is neither the user owner for a member of the group owner, this is the permission trio in effect.
The bit values have the following permissions:
- 4 —- Read, this is the ability to view the file’s contents.
- 2 —- Write, which is the ability to change the file’s contents, permissions, ownership, and so on.
- 1 —- Execute, the file can be executed. (Read is needed for a script,
Example:
create the xxx file
[root@servername /]# touch xxx
list contents of directory to view permission, owner, group, etc.
[root@servername /]# ls –l (or its alias being ll)
total 112
…
-rw-r–r– 1 root root 0 Feb 6 17:01 xxx
…
Change file’s permissions to read and write for all users
[root@servername /]# chmod 666 xxx (4 for read + 2 for write = 6)
Manipulating Permissions
chmod is the command to use when modifying or altering an object’s permission trio bits. Only the root and object owners can alter permissions. The two modes of manipulating the permissions for an object are numeric and symbolic. Both modes have their place, and if there were only one mode, someone would have to invent the other, just for variety (the world of open source).
The Numeric Mode
Numeric permissions are the most often used. The chmod command works great on groups of files too:
chmod 644 /home/namesurname/*.txt
It even works on directories and their contents. For example, say the user bertrandr has a home directory he inherited from someone else and a few files are not set properly to be readable only by him. He asks the administrator to set all the files in his home directory to 640 for security’s sake and to give him read/write access to them. You might use the command:
chmod -R 640 /home/bertrandr/*
The above command has a -R recursive option that affects the object named and all its child objects. However, bertrandr didn’t ask you to change his home directory. and all the contents, but just the contents, which is why the slash and asterisk characters are on the end of the target. This command acts on the entire contents of bertrandr’s home directory but leaves the directory alone.
The chmod command has surprisingly few options:
-c —- Reports only changed files
-v —- Reports all files
-h —- Changes symbolic links, not the original file
-f —- Suppresses error messages
-R —- Operates recursively through directories
The chmod command’s recursive option is an uppercase R, not a lowercase r as in some other commands.
Symbolic Mode
When using chmod with symbolic values, keep in mind that you can force the permissions like the numeric mode. The primary reason to use the symbolic mode is to affect, or alter, permissions rather than to set or overwrite them.
The symbolic mode uses a letter to identify the trios (user = u, group = g, other = o and all = a), a qualifier (+, -, or =) and then the permissions being altered or set (r = read, w = write, and x = execute).
To use the symbolic values to set permissions, you can do them all at once, like so:
chmod a = rwx filename
This produces permission trios that are set to –rwxrwxrwx. Or you can use each one of the identifiers with its qualifier and permissions separated by commas:
chmod u = rw, g = rx, a =
This produces a file that has its permissions set to -rw-r-x—
To change just the user owner’s permissions to rwx, you would use the following command:
chmod u=rwx mystuff
To change the group owner’s permissions to r-x, you would use the command shown here:
chmod g=rx mystuff
To change the other or everyone permissions to r, you would use this command:
chmod o=r mystuff
Setting a file to be an executable, without knowing its other permissions, can be done several ways. For example, if you know a file exists but don’t know the permissions and you are told to make sure it’s executable by all permission trios; you would use the following command:
chmod a+x file1
Alternatively, you can leave the a off and get all the trios by default:
chmod +x file1
User and Group Ownership
To set the stage for the chown and chgrp commands, let’s review how users and groups are set to function on a Linux machine. Changing user owner and group owner for objects can be frustrating unless you understand some ground rules about how Linux sets the ownership for objects:
- A user has two types of groups associated with him: The primary group is the one who’s GID appears in the user’s /et/passwd entry.
- Users can be members of other groups via entries in the /etc/group file. These group memberships are called secondary groups.
- If a user has a group set as her primary group, she doesn’t have to be physically listed as a group member in the /etc/group file. The primary group setting acts as a full membership option, too.
- When a user creates an object, her primary group GID/name is set as the group owner by default.
- Changing a user’s primary group doesn’t automatically update any of the owned objects and can cause problems if that user isn’t a member of the new group owner for the object.
Changing Ownership
The chown command is used to set the user owner, group owner, or a combination of the two with one command. The format for the chown command is
chown –options user:group object
The chown command accepts both of the following commands as valid:
chown snuffy:users file1
chown snuffy:users file1
In addition, you can use the following syntax with chown:
- owner —- Changes only the owner
- owner:group —- Changes both the owner and group
- owner: —- Changes the owner and sets the group to the login or primary group of the user
- :group —- Changes only the group and leaves the owner unaffected Let’s say that the user snuffy has the primary group of users and a secondary group membership of accounting. By default, every object snuffy creates on the system will have snuffy as the user owner and users as the group owner.
If snuffy visits a shared directory whose ownership is set to root/accounting and creates a file named snuffysexpesnes.txt, that file will be inaccessible to any of the other users who share that directory unless they are also members of the group users.
Say the user Martha does expenses and needs to have ownership of the file.
To change the file snuffy created to be owned by martha/accounting, you would use this command:
chown snuffy:accounting snuffysexpenses.txt
Let’s say that now the file needs to be owned by another user who cuts the checks, fluchre, so you can just change the user owner without having to bother with the group, which will be unaffected:
chown fluchre snuffysexpenses.txt
If, for some reason, you decide that an entire directory tree of files needs to have its ownership changed, you can do so at one time with the following command:
chown –R root:accounting /accounting
Changing Group Ownership
When just the group owner needs to be changed, the simplest method is to use the chgrp command. The syntax of the command is very straightforward:
chgrp newgrp file1
Changing a large set of files to another group owner requires the use of the
-R recursive option:
chgrp –R newgrp /data/*
The previous command changes just the contents of the /data directory to the group owner newgrp but leaves the user owner alone. Options for the chgrp command include:
- -c —- Shows a line of output only for changed objects
- -h —- Changes symbolic links, not the original file
- -R — Recursively affects the target and all children
- -v —- Shows a line of output for every object, regardless of the actions performed on the object.