Permissions in Linux
These are my notes and thoughts on permissions in Linux.
Ownership of Files
Sometimes, when we try to access a file, we do not have permission to do so.
This can be a read or write permission, for example. In Unix and Linux, a user
may own files and directories. When a user owns a file or directory, the user
has control over its access. Users can belong to a group consisting of one or
more users who are given access to files and directories by their owners. In
addition to granting access to a group, an owner may also grant some set of
access rights to everybody. To find out details about yourself on the system,
use the "id" command.
id
When user accounts are created, users are assigned a number called a user ID,
which is then mapped to a username. The user is assigned a group ID and may
belong to other groups.
This information comes from certain text files in Linux. User accounts are
defined in the /etc/passwd file, and groups are defined in the /etc/group file.
When user accounts and groups are created, these files are modified along with
/etc/shadow, which holds information about the user's password.
For each user account, the /etc/passwd file defines the user login name, user
ID, group ID, and account's real name, home directory, and login shell. When we
look at the contents of /etc/passwd and /etc/group, we see that besides the
regular user accounts, there are accounts for the superuser and other system
users.
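The /etc/passwd layout described above (login, password field, UID, GID, real name, home directory, login shell, separated by colons) is easy to parse with the shell's own `read`. The following is an added example, not part of the original notes; the function names and the SAMPLE_PASSWD records are constructed for illustration, and the records are not copied from any real system. Besides looking up one account, it lists every login with UID 0, since on a healthy system only root should have that ID.

```shell
#!/bin/sh
# Constructed /etc/passwd-style records for the example. Field order:
#   login:password:UID:GID:GECOS(real name):home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
backup-svc:x:0:1001:leftover service account:/var/backup:/bin/sh'

# account_summary LOGIN: read passwd-format records from stdin and print
# "uid gid home shell" for LOGIN. Returns 1 if no such login exists.
account_summary() {
    while IFS=: read -r login _pw uid gid _gecos home shell; do
        if [ "$login" = "$1" ]; then
            printf '%s %s %s %s\n' "$uid" "$gid" "$home" "$shell"
            return 0
        fi
    done
    return 1
}

# uid_zero_logins: print every login whose UID is 0, one per line.
# Only "root" is expected; any additional entry is a second superuser
# account and worth a closer look.
uid_zero_logins() {
    while IFS=: read -r login _pw uid _rest; do
        if [ "$uid" = 0 ]; then
            printf '%s\n' "$login"
        fi
    done
    return 0
}

# Stand-alone run against the constructed sample. On a real system you
# would instead feed the file itself, e.g.:
#   account_summary "$(id -un)" < /etc/passwd
#   uid_zero_logins < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | account_summary alice
printf '%s\n' "$SAMPLE_PASSWD" | uid_zero_logins
```

Setting IFS to a colon for the `read` only is what keeps the GECOS field intact even when it contains spaces, and `-r` stops backslashes in any field from being interpreted.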
Reading, Writing, and Executing
Access rights to files and directories are defined in terms of read access,
write access, and execution access. If we look at the output of the ls command,
we can get some clue as to how this is implemented.
ls -l
The first 10 characters of the listing are the file attributes. The first of
these characters is the file type.
- - (a hyphen) a regular file
- d a directory
- l a symbolic link
- c a character special file
- b a block special file
The remaining 9 characters of the file attributes, called the file mode,
represent the read, write, and execute permissions for the file's owner, the
file's group owner, and everyone else.
- r allows a file to be opened and read
- w allows a file to be written to
- x allows a file to be treated as a program and executed
Change File Mode
To change the mode or permission of a file or directory, use the "chmod"
command. Only the file's owner or the superuser can change the mode of a file or
directory. This command supports two distinct ways of specifying mode changes.
They are octal number representation and symbolic representation.
We will cover octal number representation first. With octal notation, we use
octal numbers to set the pattern of desired permissions. Because each digit in
an octal number represents 3 binary digits, this maps nicely to the scheme used
to store the file mode. By using 3 octal digits, we can set the file mode for
the owner, group owner, and everyone else.
chmod 600 example.txt
By passing the argument 600, we were able to set the permissions of the owner to
read and write while removing all permissions from the group owner and everyone
else. Though remembering the octal to binary mapping may seem inconvenient, you
will usually have to use only a few common ones.
- 7 rwx
- 6 rw-
- 5 r-x
- 4 r--
- 0 ---
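To make the mapping between the `ls -l` mode string and the octal digits concrete, here is an added example (not part of the original notes) that converts a 9-character rwx string, or the full 10-character field from `ls -l` with the type character in front, into the octal number chmod accepts. It then reads constructed `ls -l`-style lines and reports each entry's mode as octal. The function names and the sample listing are mine; the listing is made up for the example, not real output.

```shell
#!/bin/sh
# mode_to_octal MODE: convert "rw-r--r--" (or "-rw-r--r--", as printed by
# `ls -l`) to the octal form used by chmod, e.g. 644. Each triplet of
# characters becomes one digit: r adds 4, w adds 2, x adds 1.
# Special bits (setuid, setgid, sticky, shown as s/t) are not covered here.
mode_to_octal() {
    mode=$1
    case ${#mode} in
        10) mode=${mode#?} ;;   # drop the leading file-type character
        9)  ;;
        *)  echo "mode_to_octal: expected 9 or 10 characters, got '$1'" >&2
            return 1 ;;
    esac
    # Split into owner, group, and others using parameter expansion only.
    owner=${mode%??????}
    rest=${mode#???}
    group=${rest%???}
    others=${rest#???}
    result=""
    for triplet in "$owner" "$group" "$others"; do
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; esac
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# decode_listing: read `ls -l`-style lines from stdin and print
# "octal name" for each. Assumes the usual nine whitespace-separated
# fields before the name, as in the constructed sample below.
decode_listing() {
    while read -r attrs _links _owner _group _size _mon _day _time name; do
        [ -n "$attrs" ] || continue
        printf '%s %s\n' "$(mode_to_octal "$attrs")" "$name"
    done
    return 0
}

# Constructed sample listing for the example (not real `ls -l` output).
SAMPLE_LISTING='-rw-r--r-- 1 alice staff 1024 Jan 1 12:00 notes.txt
drwxr-x--- 2 alice staff 4096 Jan 1 12:00 private
-rwx------ 1 alice staff  512 Jan 1 12:00 run.sh'

# Stand-alone run. On a real system: ls -l | tail -n +2 | decode_listing
printf '%s\n' "$SAMPLE_LISTING" | decode_listing
```

The same digit arithmetic runs in reverse when you read a chmod argument: 750 is rwx for the owner, r-x for the group, and nothing for everyone else.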
chmod also supports a symbolic notation for specifying file modes. Symbolic
notation is divided into 3 parts:
- who the change will affect
- which operation will be performed
- what permission will be set
To specify who is affected, a combination of the characters u, g, o, and a is
used.
- u file or directory owner
- g group owner
- o everyone else
- a all, short for u, g, and o
If no character is specified, all will be assumed. The operation may be a +
indicating that a permission is to be added, a - indicating that a permission is
to be taken away, or a = indicating that only the specified permissions are to
be applied and that all others are to be removed.
Some people prefer to use octal notation and some like the symbolic. Symbolic
notation does offer the advantage of allowing you to set a single attribute
without disturbing any of the others.
Setting Umask
The umask command controls the default permissions given to a file when it is
created. It uses octal notation to express a mask of bits to be removed from a
file's mode attributes.
When we set the mask to 0000 we are turning it off. This makes newly created
files writable by anyone.
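The following added example (not from the original notes) runs the octal and symbolic chmod forms described above on a scratch file, then shows how a umask shapes the mode of new files and directories. It assumes a Linux system with GNU coreutils, since it reads modes back with `stat -c '%a'`; the function names are mine, and everything happens inside a temporary directory that is removed afterwards.

```shell
#!/bin/sh
# mode_of PATH: print the octal mode of PATH, e.g. 644 (GNU/busybox stat).
mode_of() {
    stat -c '%a' "$1"
}

# chmod_demo: apply one octal and three symbolic changes to a fresh file
# and print the mode after each step on one line, e.g. "600 700 740 644".
chmod_demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/example.txt"
    : > "$f"
    chmod 600 "$f";        m1=$(mode_of "$f")  # octal: owner rw, nobody else
    chmod u+x "$f";        m2=$(mode_of "$f")  # + adds execute for the owner only
    chmod g=r "$f";        m3=$(mode_of "$f")  # = gives the group exactly read
    chmod a=rw,go-w "$f";  m4=$(mode_of "$f")  # everyone rw, then - strips write
                                               # from group and others again
    rm -rf "$dir"
    printf '%s %s %s %s\n' "$m1" "$m2" "$m3" "$m4"
}

# umask_demo MASK: create a file and a directory under MASK inside a
# subshell (so the caller's own umask is untouched) and print
# "filemode dirmode". Files start from 666 and directories from 777
# before the mask bits are removed.
umask_demo() {
    dir=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$dir/f"
        mkdir "$dir/d"
        printf '%s %s\n' "$(mode_of "$dir/f")" "$(mode_of "$dir/d")"
    )
    rm -rf "$dir"
}

# Stand-alone run: the chmod sequence, then three masks. A mask of 0000
# leaves new files writable by anyone (666), which is why it is rarely
# what you want; 022 and 077 are the usual choices.
chmod_demo
umask_demo 022
umask_demo 077
umask_demo 0000
```

Note that `u+x` in the second step changes only the owner's execute bit and leaves the rest of the mode alone, which is the advantage of symbolic notation the notes mention; an octal argument always replaces all nine bits at once.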
Changing Identities
Sometimes, we need to become another user. This is often done to test an account
or figure out what is wrong for a certain user. We can log in as the user, use
the "su" command in the terminal, or use the "sudo" command in the terminal.
These all behave differently. The "su" command allows you to assume the
identity of another user and either start a new shell session with that user's
ID or issue a single command as that user.
The "sudo" command allows an administrator to set up a configuration file called
/etc/sudoers and define specific commands that particular users are permitted to
execute under an assumed identity. This means the administrator can configure
"sudo" to allow an ordinary user to execute commands as a different user in a
controlled way. A user may be restricted to one or more specific commands and no
others. An important difference is that the use of "sudo" does not require
access to the superuser's password.
Changing Passwords
To set or change a password, use the "passwd" command.
passwd username
To change your password, just enter the "passwd" command. You will be prompted
for your old password and then your new password. The command will try to
enforce the use of strong passwords. This means it will refuse to accept
passwords that are too short, too similar to previous passwords, dictionary
words, or otherwise too easily guessed.
If you have superuser privileges, you can specify a username as an argument to
the "passwd" command to set the password for another user. Other options are
available to the superuser to allow locking, password expiration, and other
things.