注意:

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Difference between revisions of "File permissions"

From Funtoo
Jump to navigation Jump to search
m (some goodies)
m (Special permissions rather than "alter permissions")
 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
__NOTOC__
== File permissions ==


== File permissions ==
=== Common permissions ===


With Linux, the most common way to handle user rights provides three distinct rights on files. The meaning of these rights for directories (which '''are''' files in Linux) is slightly different. worths
With Linux, the most common way to handle user rights provides three distinct rights on files. The meaning of these rights for directories (which '''are''' files in Linux) is slightly different.


{|class="table table-striped"
{|class="table table-striped"
Line 26: Line 26:


<pre>
<pre>
-rwx    Octal    Permissions
rwx    Octal    Permissions
0000     0      None
000     0      None
0001     1      Execution only
001     1      Execution only
0010     2      Read only
010     2      Write only
0100     4      Write only
100     4      Read only
0111     7      All (ie. Read and Write and Execution)
111     7      All (ie. Read and Write and Execution)
0110     6      All but Execution (ie. Read and Write)
110     6      All but Execution (ie. Read and Write)
</pre>
</pre>


Line 41: Line 41:
; The others (<code>o</code> as others): Anybody else
; The others (<code>o</code> as others): Anybody else


As you would have notice, this does not provide a fine-grained way to manage permissions, but this is quite light, simple, and sufficient for most usages. However, if you think you need a really fine-grained level, you should consider looking at [[SELinux]].
File permissions are thus represented with nine bits. The three most significant representing the owner rights and the three least significant representing others rights. For instance, a typical file permission is <code>640</code> which means <q style="font-style:italic">The owner can read an write, the group have a read-only access, and other can't even read it</q>.
 
=== Special permissions ===
 
There is actually three more bits that enable special behaviors.
 
{|class="table table-striped"
! Subject                  || Right (Oct.&nbsp;repr.)  || Name      || Description
|-
|rowspan=3| '''File'''      || <code>s/S (4)</code> || Setuid&nbsp;bit || Enables to execute the underlying file in the name of the owner. This means that if you are allowed to execute this file (ie. have <code>x</code> right) and the file is owned by <code>simon</code>, it will be executed as if you were <code>simon</code> (namely, with his rights). A typical file using <code>setuid</code> is <code>/usr/bin/sudo</code>.
|-
                            || <code>s/S (2)</code> || Setgid&nbsp;bit || Same as the setuid bit but granting group permissions instead of owner's ones.
|-
                            || <code>t/T (1)</code> || Sticky&nbsp;bit || Prevent the underlying file to be flushed from memory after execution. Quite limited interest nowadays though.
|-
|rowspan=3| '''Directory''' || <code>s/S (4)</code> || Setuid&nbsp;bit || <i>No effect</i>
|-
                            || <code>s/S (2)</code> || Setgid&nbsp;bit || Causes any later file or sub-directory created within this directory to have the same group as the underlying directory instead of the creator's group by default. Moreover, later sub-directories would inherit the setgid bit.
|-
                            || <code>t/T (1)</code> || Sticky&nbsp;bit || Denies any user but the directory owner to remove a file from this directory. Of course, note that this does not prevent any user with write privilege on a file to truncate it.
|}
 
The notation of the setuid bit (s/S), the setgid bit (s/S) and the sticky bit (t/T) overwrites the notation of the execution permission (x) of respectively the owner, the group and the others. Lowercase means <code>x</code> is set. Uppercase means <code>x</code> is not set.
 
For instance, in this sample, <code>-rws--x--T</code> is equivalent to the following octal value <code>5710</code> (where 5 means setuid+sticky).
 
=== Going further ===
 
As you would have notice, this does not provide a fine-grained way to manage permissions, but this is quite light, simple, and sufficient for most usages. However, if you think you need a really fine-grained level, you should consider looking at [[Access_Control_List]] or [[SELinux]].


== Manage user and groups ==
== Manage user and groups ==


Users, and Groups  are named, and numbered.  the lower the number the more permissions the account has.  For example root user has the number 0, and root group has the number 0.
Users, and Groups  are named, and numbered.  the lower the number the more permissions the account has.  For example root user has the number 0, and root group has the number 0. To display this information:
<console>###i## cat /etc/passwd
<console>###i## cat /etc/passwd
cat /etc/group</console>
###i## cat /etc/group</console>


=== Add user ===
=== Add user ===
Line 54: Line 82:


<console>
<console>
# useradd -g users -G wheel,portage,audio,video,usb,cdrom,tty -m <username>
###i## useradd -g users -G wheel,portage,audio,video,usb,cdrom,tty -m <username>
</console>
</console>


Line 62: Line 90:


<console>
<console>
# userdel <username>
###i## userdel <username>
</console>
</console>


{{fancynote|If you want to remove user files as well (home directory and mail spool, use the <code>-r</code> option:
{{fancynote|If you want to remove user files as well (home directory and mail spool, use the <code>-r</code> option:
<console>
<console>
# userdel -r <username>
###i## userdel -r <username>
</console>
</console>
}}
}}
Line 73: Line 101:
=== List groups ===
=== List groups ===


You can list groups with group.
You can list groups with groups.


<console>
<console>
$ groups
$##i## groups
$ groups <username>
$##i## groups <username>
</console>
</console>


Line 85: Line 113:


<console>
<console>
# gpasswd -a <user> <group>
###i## gpasswd -a <user> <group>
# gpasswd -d <user> <group>
###i## gpasswd -d <user> <group>
</console>
</console>


Line 94: Line 122:


<console>
<console>
# groupadd <group>
###i## groupadd <group>
# groupdel <group>
###i## groupdel <group>
</console>
</console>


Line 105: Line 133:


<console>
<console>
$ chmod <u><g><o> <file>
$##i## chmod <u><g><o> <file>
</console>
</console>


Line 123: Line 151:


<console>
<console>
# chown <user>:<group> <file>
###i## chown <user>:<group> <file>
</console>
</console>


Line 129: Line 157:


<console>
<console>
# chown -R <user>:<group> <folder>
###i## chown -R <user>:<group> <folder>
</console>
</console>


=== Security ===
=== Security ===


Generally you will want to have restrictive yet functional permissions.  777 on everything is a bad idea, especially files containing plaintext passwords.  600 is common for files like this, with a high level user.  mediawiki's LocalSettings.php has databasepasswords.  A good method to lock this down is to change its permissions to 600, and set the user as the webserver's user.
Generally you will want to have restrictive yet functional permissions.  777 on everything is a bad idea, especially files containing plain text passwords.  600 is common for files like this, with a high level user.  mediawiki's LocalSettings.php has database passwords.  A good method to lock this down is to change its permissions to 600, and set the file owner as the webserver's user.
 
=== Can I have write permission on a file while not being allowed to read it? ===
 
Yes, you can! Example:
 
<console>
##i### echo "$USER: You can't read! >:)" > /tmp/test
##i### ls -l /tmp/test
-rw-r--r-- 1 root root 6 Oct  2 07:30 /tmp/test
##i### chmod o-r+w /tmp/test
##i### ls -l /tmp/test
-rw-r---w- 1 root root 6 Oct  2 07:30 /tmp/test
##i### cat /tmp/test
root: You can't read! >:)
##i### su anyuser
##i##$ cat /tmp/test/
cat: /tmp/test: Permission denied
##i##$ vi /tmp/test/
---[Permission Denied]---
##i##$ echo "$USER: But I can write! :)" >> /tmp/test
##i##$ exit
##i### cat /tmp/test
root: You can't read! >:)
anyuser: But I can write! :)
</console>
 
I don't know if this has an actual application though. Maybe if you need to allow some users to write (and truncate) logs in the same file but you don't want them to be able read what others wrote...


[[Category:HOWTO]]
[[Category:HOWTO]]
[[Category:First Steps]]
[[Category:First Steps]]

Latest revision as of 15:47, September 7, 2015

File permissions

Common permissions

With Linux, the most common way to handle user rights provides three distinct rights on files. The meaning of these rights for directories (which are files in Linux) is slightly different.

Subject Right (Oct. repr.) Description Typical granted commands
File r (4) Read cat f, less f, grep f, file f
w (2) Write sed -i f, shred f, truncate f, vi f
x (1) Execution /absolute/path/to/f, relative/path/to/f
Directory r (4) List contents ls d
w (2) Create/Remove files touch d/a_file, mkdir d/a_dir, rm d/a_file, rmdir d/a_dir, chmod d/a_file, chown d/a_dir
x (1) Browse hierarchy cd d, pushd d

You would notice that rights octal representation is coded with powers of 2. This is a common way to represent bunch two-states settings that can be independently toggled. Indeed, a file does not properly have a list of permissions set, you should see this rather as a a bit string (where a 1 at the position i means ON and a 0 means OFF for the right coded 2i).

An example is worth 1000 words:

rwx    Octal    Permissions
000      0      None
001      1      Execution only
010      2      Write only
100      4      Read only
111      7      All (ie. Read and Write and Execution)
110      6      All but Execution (ie. Read and Write)

File permissions are split into three categories of users:

The owner of the file (u as user)
Typically the creator of the file
The group of the file (g as group)
Typically the main group of the owner
The others (o as others)
Anybody else

File permissions are thus represented with nine bits. The three most significant representing the owner rights and the three least significant representing others rights. For instance, a typical file permission is 640 which means The owner can read an write, the group have a read-only access, and other can't even read it.

Special permissions

There is actually three more bits that enable special behaviors.

Subject Right (Oct. repr.) Name Description
File s/S (4) Setuid bit Enables to execute the underlying file in the name of the owner. This means that if you are allowed to execute this file (ie. have x right) and the file is owned by simon, it will be executed as if you were simon (namely, with his rights). A typical file using setuid is /usr/bin/sudo.
s/S (2) Setgid bit Same as the setuid bit but granting group permissions instead of owner's ones.
t/T (1) Sticky bit Prevent the underlying file to be flushed from memory after execution. Quite limited interest nowadays though.
Directory s/S (4) Setuid bit No effect
s/S (2) Setgid bit Causes any later file or sub-directory created within this directory to have the same group as the underlying directory instead of the creator's group by default. Moreover, later sub-directories would inherit the setgid bit.
t/T (1) Sticky bit Denies any user but the directory owner to remove a file from this directory. Of course, note that this does not prevent any user with write privilege on a file to truncate it.

The notation of the setuid bit (s/S), the setgid bit (s/S) and the sticky bit (t/T) overwrites the notation of the execution permission (x) of respectively the owner, the group and the others. Lowercase means x is set. Uppercase means x is not set.

For instance, in this sample, -rws--x--T is equivalent to the following octal value 5710 (where 5 means setuid+sticky).

Going further

As you would have notice, this does not provide a fine-grained way to manage permissions, but this is quite light, simple, and sufficient for most usages. However, if you think you need a really fine-grained level, you should consider looking at Access_Control_List or SELinux.

Manage user and groups

Users, and Groups are named, and numbered. the lower the number the more permissions the account has. For example root user has the number 0, and root group has the number 0. To display this information:

root # cat /etc/passwd
root # cat /etc/group

Add user

You can add user with useradd.

root # useradd -g users -G wheel,portage,audio,video,usb,cdrom,tty -m <username>

Delete user

You can delete user with userdel.

root # userdel <username>
   Note

If you want to remove user files as well (home directory and mail spool, use the -r option:

root # userdel -r <username>

List groups

You can list groups with groups.

user $ groups
user $ groups <username>

Add or remove user from group

You can add or remove user from group with gpasswd.

root # gpasswd -a <user> <group>
root # gpasswd -d <user> <group>

Create or delete groups

You can create or delete groups with groupadd.

root # groupadd <group>
root # groupdel <group>

Manage rights on files

Change file permissions

You can change file permissions with chmod.

user $ chmod <u><g><o> <file>

Where <u>, <g> and <o> are respectively the octal representation of the rights you want to set for the owner, the group and others.

7 = 4+2+1 (read/write/execute)
6 = 4+2 (read/write)
5 = 4+1 (read/execute)
4 = 4 (read)
3 = 2+1 (write/execute)
2 = 2 (write)
1 = 1 (execute)

Change owner and group of file

You can change owner and group of a file with chown.

root # chown <user>:<group> <file>

You can change owner of a directory and children recursively with:

root # chown -R <user>:<group> <folder>

Security

Generally you will want to have restrictive yet functional permissions. 777 on everything is a bad idea, especially files containing plain text passwords. 600 is common for files like this, with a high level user. mediawiki's LocalSettings.php has database passwords. A good method to lock this down is to change its permissions to 600, and set the file owner as the webserver's user.

Can I have write permission on a file while not being allowed to read it?

Yes, you can! Example:

root ##i### echo "$USER: You can't read! >:)" > /tmp/test
root ##i### ls -l /tmp/test
-rw-r--r-- 1 root root 6 Oct  2 07:30 /tmp/test
root ##i### chmod o-r+w /tmp/test
root ##i### ls -l /tmp/test
-rw-r---w- 1 root root 6 Oct  2 07:30 /tmp/test
root ##i### cat /tmp/test
root: You can't read! >:)
root ##i### su anyuser
root ##i##$ cat /tmp/test/
cat: /tmp/test: Permission denied
root ##i##$ vi /tmp/test/
---[Permission Denied]---
root ##i##$ echo "$USER: But I can write! :)" >> /tmp/test
root ##i##$ exit
root ##i### cat /tmp/test
root: You can't read! >:)
anyuser: But I can write! :)

I don't know if this has an actual application though. Maybe if you need to allow some users to write (and truncate) logs in the same file but you don't want them to be able read what others wrote...