File and Directory Permissions
A strong understanding of file and directory permissions is vital for a strong understanding of the Linux operating system as a whole. In this article, we will begin by offering a general overview as well as a couple of examples. The article will finish with some reference tables to allow you to get a complete picture of the power (and the danger) of access controls.
Let's start by attempting to understand the permissions of a standard text file. We can view these permissions by running "ls -l":
demo:~$ ls -l -rw-r--r-- 1 demo demogroup 1648 2009-07-15 09:58 file.txt
The first section, "-rw-r--r--", is exactly what we're looking for here. (The owner and group are also important, but we'll get to that later.) Without getting into too many details too early, this tells us three things:
- The file's owner (demo) may read and write the file.
- Members of the file's group (demogroup) may read, but not write to, the file.
- Other users, a.k.a. the world, may also read, but not write to, the file.
What, exactly, does it mean when a file has "read" or "write" permissions? Perhaps this table can explain better than I can...
| Access | File | Directory |
|---|---|---|
| Read | File contents may be read | Directory contents may be listed |
| Write | File may be written to | Files in the directory may be created/moved/deleted |
| Execute | File may be executed | Directory may be made the working directory ("cd'd" to) |
Now then, let's say that we want our friends in the demogroup to also be able to modify the file. We can fix this with the following command:
demo:~$ chmod g+w file.txt demo:~$ ls -l -rw-rw-r-- 1 demo demogroup 1648 2009-07-15 09:58 file.txt
Piece of cake! But what if this creatively-named file contains deep, dark secrets? What if we don't want to share its contents with anyone outside of the demogroup clique?
demo:~$ chmod o-r file.txt demo:~$ ls -l -rw-rw---- 1 demo demogroup 1648 2009-07-15 09:58 file.txt
Presto. You can learn more about the syntax of the "chmod" command by running:
man chmod
But what about those letters and dashes? What, exactly, did they mean? Permissions may be specified in two representations -- textual and numerical. "ls -l" displays them in letters, but the "chmod" command will accept either form. We will now fully explain the letters and dashes.
This table uses the following notation:
| drwxrwxrwx | <-- | Values |
| 9876543210 | <-- | Position |
| Position | Effect | Values |
|---|---|---|
| 9 | File Type | "d" symbolizes directory, "l" symbolizes link, "-" is a normal file. You may also see letters "b", "c", "p", and "s". |
| 8 | User Read | "r" or "-" |
| 7 | User Write | "w" or "-" |
| 6 | User Execute | "x" symbolizes non-SUID execute. "s" symbolizes SUID execute, while "S" symbolizes SUID without execute. |
| 5 | Group Read | "r" or "-" |
| 4 | Group Write | "w" or "-" |
| 3 | Group Execute | "x" symbolizes non-SGID execute. "s" symbolizes SGID execute, while "S" symbolizes SGID without execute. |
| 2 | Others Read | "r" or "-" |
| 1 | Others Write | "w" or "-" |
| 0 | Others Execute | "x" symbolizes non-Sticky execute. "t" symbolizes Sticky execute, while "T" symbolizes Sticky bit without execute. |
Of course, this brings us to another question... What's that about SUID, SGID, and the sticky bit (oh my!)? Once again, a table seems appropriate...
| Access | File | Directory |
|---|---|---|
| SUID (setuid) | File executes with rights of its owner (not the user who executed it) | Ignored |
| SGID (setgid) | File executes with rights of its group (not the user who executed it) | Files created within directory inherit the directory's group memberships (rather than the creator's group memberships) |
| Sticky Bit | Ignored | Files created within directory may only be moved or deleted by their owner (or directory's owner) |
This probably isn't intuitive, so we'll go over it in a bit more detail. First, the sticky bit. One place the sticky bit is commonly used on Unix-like systems is the /tmp directory. This directory needs to be world-writable, but you don't want anyone going around and deleting everyone else's files. The sticky bit offers exactly this protection.
In practice, regular users will rarely set the SUID or SGID bits themselves. These are generally only found on specific system binaries and daemons. For example, the "passwd" program (owned by root) must have SUID set to allow users to change their own passwords.
Having said that, here is a file you certainly never want to see on your Cloud Server:
-rwsr-xr-x 1 root root 2928 2009-07-15 10:03 evil.bin
Can you understand why?
This article will conclude with an overview of the octal permissions representation. This table will use the following notation:
| 4755 | <-- | Octal Value |
| 3210 | <-- | Octal Bit |
| Octal Bit | Effect |
|---|---|
| 3 | SUID, SGID, Sticky Bit |
| 2 | User (Owner) |
| 1 | Group |
| 0 | Others (World) |
| Octal Value | Binary Value | Octal bit 3 | Octal bits 0-2 |
|---|---|---|---|
| 0 | 000 | No Effect | Deny All |
| 1 | 001 | Sticky Only | Execute Only |
| 2 | 010 | SGID Only | Write Only |
| 3 | 011 | SGID/Sticky | Write/Execute |
| 4 | 100 | SUID Only | Read Only |
| 5 | 101 | SUID/Sticky | Read/Execute |
| 6 | 110 | SUID/SGID | Read/Write |
| 7 | 111 | SUID/SGID/Sticky | Read/Write/Execute |
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
See license specifics and DISCLAIMER
0 Comments
Add new comment