Wednesday, 25 July 2012

Linux file permissions

The first character can be any of these:

d = directory
- = regular file
l = symbolic link
s = Unix domain socket
p = named pipe
c = character device file
b = block device file

The permission characters that follow are easy to remember:

r = read permission
w = write permission
x = execute permission
- = no permission


As a summary, have a look at this quick reference for setting file permissions in symbolic mode (the original reference image is not reproduced here; the headings and operators are all that survive):

Which user?
What to do?
  + add this permission
  - remove this permission
  = set exactly this permission
Which permissions?
How to set file permissions - numeric mode:

4 = read (r)
2 = write (w)
1 = execute (x)
0 = no permission (-)

owner: rwx = 4 + 2 + 1 = 7
group: r-x = 4 + 0 + 1 = 5
everyone: --x = 0 + 0 + 1 = 1



Let's start from scratch, analysing the information in the previous screenshot.

What is the "umask"?

How are the file permissions set in the first place?
When you create a new file, the shell's umask setting determines the default permissions given to the new file.

We can see the default permission if we use the following command:

$ umask

umask is specified as a three-digit octal value that determines the new file's permissions. The first digit is for the owner permissions, the second digit for the group permissions and the third digit for the world permissions.

umask represents what is not allowed for the new file by default. If we examine our default permission for the owner, we see that zero is assigned to it. This means the owner is allowed to do everything, since nothing is forbidden.

The group permission has the number 2 assigned to it. This means that the write permission is not set by default for the group. How do we calculate this? Read has the value 4, write the value 2, and execute the value 1.

The same goes for the default world permission. So the owner will have read and write permission on the newly created file, and the group and world permissions will be read only. Why has the executable bit vanished?

Why is this? Where did the value 1 for execute go? By default a new file is not given execute permission. This distinguishes regular files from programs (binaries) and shell scripts.

For directories the execute permission is set, since without execute set we cannot cd into the directory.

How do you set the value of umask?

$ umask 027

This will give all new files created by you the default permission of read and write for the owner (since nothing is forbidden, and this is a file), read for the group and no permission at all for the world. The mathematics for a file is 666-026=640.

If this were a directory newly created by us, then the permissions for the owner would be read, write and execute, the permissions for the group read and execute, and no permissions at all for the world.

Permission encoding for umask (digit in the mask, and the permission that results from it):

Octal  Permission
0      rwx
1      rw-
2      r-x
3      r--
4      -wx
5      -w-
6      --x
7      ---
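The numeric-mode arithmetic, the umask calculation for files and directories, and the umask table above can all be checked with a few shell functions. The script below is an added example and not part of the original post; the function names are its own. It applies the mask the way the kernel does, as base AND NOT mask, rather than by decimal subtraction: subtracting digit by digit happens to agree for a mask like 022, but for 027 the world digit removes more bits than 666 has, so the bitwise form is the one to rely on. The last function creates a real file and directory under the mask and reads their modes back from ls -ld, so the computed values can be compared with what the system actually does.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the numeric-mode
# arithmetic, umask application as the kernel does it (bitwise AND NOT), and
# a check of the computed modes against a file and a directory actually
# created under that umask. All function names are this example's own.

# One octal digit (0-7) to its rwx triplet, e.g. 5 -> r-x, 6 -> rw-.
digit_to_rwx() {
    d=$1
    r='-'; w='-'; x='-'
    if [ $((d & 4)) -ne 0 ]; then r='r'; fi
    if [ $((d & 2)) -ne 0 ]; then w='w'; fi
    if [ $((d & 1)) -ne 0 ]; then x='x'; fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# The post's umask table: the permission that results from a umask digit is
# the complement of that digit (umask 2 -> r-x, umask 7 -> ---).
umask_digit_result() {
    digit_to_rwx $((~$1 & 7))
}

# Nine-character symbolic string (what ls -l shows after the type character)
# to three octal digits: rwxr-x--x -> 751. An s or t in an execute position
# means execute is set together with a special bit, so it still counts as 1.
rwx_to_octal() {
    s=$1
    if [ ${#s} -ne 9 ]; then
        echo "rwx_to_octal: expected 9 characters, got '$s'" >&2
        return 1
    fi
    out=''
    for triplet in "$(printf '%s' "$s" | cut -c1-3)" \
                   "$(printf '%s' "$s" | cut -c4-6)" \
                   "$(printf '%s' "$s" | cut -c7-9)"; do
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        case $triplet in ??[xst]) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s' "$out"
}

# Mode of a new file (base 666) or directory (base 777) under a umask, as the
# kernel computes it: base AND NOT mask. 666 & ~027 = 640, 777 & ~027 = 750.
# The leading 0 makes the shell read both arguments as octal.
apply_umask() {
    base=$1; mask=$2
    printf '%03o' $(( 0$base & ~0$mask & 0777 ))
}

# Create a file and a directory in a scratch directory under the given umask,
# read their modes back from ls -ld and print them as "<file> <directory>".
observe_umask() {
    mask=$1
    tmp=$(mktemp -d) || return 1
    ( umask "$mask" && touch "$tmp/f" && mkdir "$tmp/d" ) || return 1
    fmode=$(rwx_to_octal "$(ls -ld "$tmp/f" | cut -c2-10)")
    dmode=$(rwx_to_octal "$(ls -ld "$tmp/d" | cut -c2-10)")
    rm -rf "$tmp"
    printf '%s %s' "$fmode" "$dmode"
}

# Demo: the post's table, then the umask 027 example computed and observed.
echo 'umask digit -> resulting permission'
for d in 0 1 2 3 4 5 6 7; do
    printf '  %s  %s\n' "$d" "$(umask_digit_result "$d")"
done
printf 'umask 027: file %s, directory %s (computed)\n' \
    "$(apply_umask 666 027)" "$(apply_umask 777 027)"
observed=$(observe_umask 027)
printf 'umask 027: file and directory modes observed: %s\n' "$observed"
```

Run it with `sh` on a Linux host; the observed modes are read back through the same rwx_to_octal conversion, so a mismatch between the computed and observed lines would point at something outside the umask (a default ACL on the scratch directory, for example).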

Group permissions

When you work on a project with other system users, you may need to grant your team mates access to modify the files in the team project directory. You also need to block access from other (world) users, or restrict them in a way that they cannot harm the team's work.

If the setgid bit is set on the directory, the BSD rule applies: new files inherit the directory's group. If the bit is not set, the System V rule applies: new files get the creating user's primary group. (We set the setgid bit with chmod g+s and remove it with chmod g-s, as you will see later in this editorial.)

The Sticky Bit

If a user has write permission on a directory, he can rename and remove files in that directory even if those files do not belong to him. How can we prevent this? The owner of a directory can set the directory's "sticky bit", octal value 1000, which restricts renaming and removing any file in that directory to the file owner, the directory owner and the superuser (in this order).

If you examine your / directory using the command ls -l, you will notice that your /tmp directory has the sticky bit on:

drwxrwxrwt 4 root root 50176 Apr 20 04:50 tmp

This allows different users to use this directory for temporary files, while only the file owner can delete his files (the directory owner for /tmp is the root user, and he can also delete files). This prevents other users from deleting temporary files created by others and harming their work.
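The two directory cases discussed above, setgid for group inheritance and the sticky bit for shared writable directories, can be picked out of plain ls -l output with pattern matching on the mode column. The script below is an added example, not code from the original post: it classifies mode strings and flags the risky case the post describes, a world-writable directory without the sticky bit, where any user can rename or delete anyone's files. The sample lines are constructed for this example (only the /tmp line is taken from the post), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: read `ls -l` style lines and
# report the directory cases the post discusses. The sample below is
# constructed for this example; only the tmp line comes from the post.

SAMPLE='drwxrwxrwt  4 root  root  50176 Apr 20 04:50 tmp
drwxrwxrwx  2 root  root   4096 Apr 20 04:50 scratch
drwxrwsr-x  5 root  devs   4096 Apr 20 04:50 project
drwxr-xr-x 12 root  root   4096 Apr 20 04:50 usr
drwxrwxrwT  2 root  root   4096 Apr 20 04:50 dropbox'

# Classify one mode string (the first column of ls -l). Prints one word:
#   open-dir    world-writable directory without the sticky bit: any user
#               may rename or delete any file inside it
#   sticky-dir  world-writable directory protected by the sticky bit (/tmp);
#               t means sticky plus world execute, T means sticky without it
#   setgid-dir  directory with setgid: new files inherit its group (BSD rule)
#   other       a regular file, or a directory with nothing special
# A world-writable setgid directory is reported by its sticky status first.
classify_mode() {
    case $1 in
        d???????w[tT]) echo sticky-dir ;;
        d???????w?)    echo open-dir ;;
        d?????[sS]*)   echo setgid-dir ;;
        *)             echo other ;;
    esac
}

# Run the classifier over ls -l lines on stdin and print "<finding> <name>"
# for every directory that is not "other". Names without spaces are assumed.
audit_ls_lines() {
    while read -r mode _links _owner _group _size _mon _day _time name; do
        case $mode in d*) ;; *) continue ;; esac
        finding=$(classify_mode "$mode")
        [ "$finding" = other ] || printf '%s %s\n' "$finding" "$name"
    done
}

# Number of open (unprotected, world-writable) directories in the sample.
# For a live check of a whole filesystem the equivalent find invocation is:
#   find / -xdev -type d -perm -0002 ! -perm -1000
count_open_dirs() {
    printf '%s\n' "$SAMPLE" | audit_ls_lines | grep -c '^open-dir ' || true
}

# Demo over the constructed sample; tmp and dropbox are sticky, scratch is
# open, project is setgid, usr is not reported.
printf '%s\n' "$SAMPLE" | audit_ls_lines
```

The same pipeline works on real output (`ls -l / | audit_ls_lines`), and the find command in the comment is the filesystem-wide form of the open-dir check: `-perm -0002` selects world-writable entries and `! -perm -1000` drops those that already carry the sticky bit.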
