Module 17 Ownership and Permissions
Exam Objective
5.3 Managing File Permissions and Ownership
Objective Description
Understanding and manipulating file permissions and ownership settings.
Ownership
File Ownership
¡ñ File ownership is critical for security.
¡ñ By default, users will own the files they create. Ownership can be changed by admin.
¡ñ Every file also has a group owner. By default, primary group of user who creates file will be group owner of any new files.
¡ñ Remember: UIDs and GIDs are associated with username and group name.
¡ñ The id command can be used to view user UID, GID, username, and group name(s).
File Ownership
¡ñ When a user creates a file with the touch command it will belong to the current user and their primary group.
¡ñ File ownership can be confirmed using the long listing -l option of the ls command.
sysadmin@localhost:~$ touch /tmp/filetest1 sysadmin@localhost:~$ ls -l /tmp/filetest1
-rw-rw-r–. 1 sysadmin sysadmin 0 Oct 21 10:18 /tmp/filetest1
Changing Groups
¡ñ To create a file under a different group, use the newgrp command to change your current primary group.
¡ñ Use the groups command to view user group information.
¡ñ Verify new primary group using the id command:
sysadmin@localhost:~$ id
uid=502(sysadmin) gid=503(sysadmin) groups=503(sysadmin),10001(research),10002(development) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sysadmin@localhost:~$ newgrp research sysadmin@localhost:~$ id
uid=502(sysadmin) gid=10001(research) groups=503(sysadmin),10001(research),10002(development) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The newgrp command opens a new shell; as long as the user stays in that shell, the primary group won’t change. To switch the primary group back to the original, the user can leave the new shell by running the exit command.
Changing Group Ownership
¡ñ To change the group owner of existing file, use the chgrp command.
¡ñ The root user can use chgrp command to change group owner of any file. A regular user can change group owner of the file to a group they are a member of:
sysadmin@localhost:~$ touch sample sysadmin@localhost:~$ ls -l sample
-rw-rw-r– 1 sysadmin sysadmin 0 Dec 10 00:44 sample sysadmin@localhost:~$ chgrp research sample sysadmin@localhost:~$ ls -l sample
-rw-rw-r–. 1 sysadmin research 0 Oct 23 22:12 sample
Permissions
Permissions
¡ñ To display the file type and permissions of a file, use the ls -l command:
root@localhost:~# ls -l /etc/passwd
-rw-r–r–. 1 root root 4135 May 27 21:08 /etc/passwd
¡ñ File Type:
-rw-r–r–. 1 root root 4135 May 27 21:08 /etc/passwd
The first character of each line indicates the type of file. Possible values for file types:
– regular file d directory
l symbolic link b block file
c character file
p pipe file
s socket file
Permissions
¡ñ Permission Groups
The next nine characters demonstrate the permissions of the file. These determine the level of access a user will have on the file.
¡ð User Owner:
Characters 2-4 indicate the permissions for the user that owns the file.
¡ð Group Owner:
Characters 5-7 indicate permissions for the group that owns the file.
-rw-r–r–. 1 root root 4135 May 27 21:08 /etc/passwd
-rw-r–r–. 1 root root 4135 May 27 21:08 /etc/passwd
-rw-r–r–. 1 root root 4135 May 27 21:08 /etc/passwd
Permissions
¡ð Other Permissions:
Characters 8-10 indicate the permissions for others or what is sometimes referred to as the world’s permissions.
-rw-r–r–. 1 root root 4135 May 27 21:08 /etc/passwd
Permission Types
¡ñ Each group is attributed three types of permissions: read, write, and execute:
¡ñ Read:
¡ð File – allows process to read contents of the file, which means contents can be viewed and copied.
¡ð Directory – Names of directory are listed, but no other details are available.
Permission Types
¡ñ Write:
¡ð File – Can be written to by the process. The w permission requires r permission to work.
¡ð Directory – Files can be added to or removed from the directory. The w permission requires the x permission to work.
¡ñ Execute:
¡ð File – a file can be executed or run as a process.
¡ð Directory – User can use the cd command to get into directory and use pathname to access files in directory.
Example Scenario
Based on the following information, what access would the user bob have on the file abc.txt?
drwxr-xr-x. 17 root root 4096 23:38 /
drwxr-xr–. 10 root root 128 03:38 /data -rwxr-xr–. 1 bob bob 100 21:08 /data/abc.txt
Answer: None.
In order to do anything with the file, the user must first “get into” the /data directory. The permissions
for bob for the /data directory are the permissions for “others” (r–), which means bob can’t even use
the cd command to get into the directory. If the execute permission (–x) was set for the directory, then the user bob would be able to “get into” the directory, meaning the permissions of the file itself would apply.
drwxr-xr–. 10 root root 128 03:38 /data
Changing Permissions
¡ñ There are two techniques that can be used with this command: symbolic and numeric.
¡ñ Symbolic Method
¡ð The chmod (change mode) command is used to change permissions on a directory.
¡ð Characters indicate which permission group (user, group, others) to apply the changes to:
Changing Permissions
¡ð Next, choose an indicator to indicate how to modify permissions:
¡ð Lastly, use the following characters to specify the permission type to change:
¡ð To give the user owner read permission on a file named abc.txt, you could use the following command:
root@localhost:~# chmod u+r abc.txt
Changing Permissions
¡ñ Numeric Method
¡ð Based on the octal numbering system where each permission type is assigned a numeric value.
¡ð Numeric values: 4 = Read, 2 = Write, 1 = Execute
¡ð By using a combination of numbers from 0 to 7, any possible combination of read, write and execute permissions can be specified for a single permission group set:
7 = rwx 6 = rw- 5 = r-x 4 = r–
3 = -wx 2 = -w- 1 = –x 0 = —
¡ð To set the permissions of a file named abc.txt to be rwxr-xr– you could use the following command:
root@localhost:~]# chmod 754 abc.txt
Default Permissions
¡ñ The umask command is used to determine default permissions that are set when a file or directory is created.
¡ñ The umask value is subtracted from the maximum allowable default permissions.
¡ñ Maximum default values for files and directories:
¡ð File = rw-rw-rw-
¡ð Directory = rwxrwxrwx
¡ñ The umask command can be used to display the current umask value:
sysadmin@localhost:~$ umask 0002
– First 0 means umask is given as octal number.
– Second 0 indicates which permission to subtract from default user owner permissions.
– Third 0 indicates which permission to subtract from default group owner¡¯s permissions.
– Last 2 indicates which permission to subtract from default other¡¯s permissions.
Default Permissions
¡ñ How does umask work?
¡ñ Assume that the umask is set to 027: File default 667 Umask -027 Result 640
¡ñ The 027 umask means that, by default new files would receive 640 or rw-r—– permissions:
sysadmin@localhost:~$ umask 027
sysadmin@localhost:~$ touch sample sysadmin@localhost:~$ ls -l sample
-rw-r—–. 1 sysadmin sysadmin 0 Oct 28 20:14 sample