Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Debian GNU/Linux Reference Guide
Prev Home Next

4.5.3 File and directory access permissions

File and directory access permissions are defined separately for the following three categories of affected users:

  • the user who owns the file (u),

  • other users in the group which the file belongs to (g), and

  • all other users (o).

For a file, each corresponding permission allows:

  • read (r): to examine contents of the file,

  • write (w): to modify the file, and

  • execute (x): to run the file as a command.

For a directory, each corresponding permission allows:

  • read (r): to list contents of the directory,

  • write (w): to add or remove files in the directory, and

  • execute (x): to access files in the directory.

Here, execute permission on the directory means not only to allow reading of files in its directory but also to allow viewing their attributes, such as the size and the modification time.

To display permission information (and more) for files and directories, ls is used. See ls(1). When ls invoked with the -l option, it displays the following information in the order given:

  • the type of file (first character)

    • -: normal file

    • d: directory

    • l: symlink

    • c: character device node

    • b: block device node

    • p: named pipe

    • s: socket

  • the file's access permissions (the next nine characters, consisting of three characters each for user, group, and other in this order)

  • the number of hard links to the file

  • the name of the user who owns the file

  • the name of the group which the file belongs to

  • the size of the file in characters (bytes)

  • the date and time of the file (mtime)

  • the name of the file.

To change the owner of the file, chown is used from the root account. To change the group of the file, chgrp is used from the file's owner or root account. To change file and directory access permissions, chmod is used from the file's owner or root account. Basic syntax to manipulate foo file is: 

     # chown newowner foo
     # chgrp newgroup foo 
     # chmod  [ugoa][+-=][rwx][,...] foo

See chown(1), chgrp(1), and chmod(1) for the detail.

For example, in order to make a directory tree to be owned by a user foo and shared by a group bar, issue the following commands from the root account: 

     # cd /some/location/
     # chown -R foo:bar .
     # chmod -R ug+rwX,o=rX .

There are three more special permission bits:

  • set user ID (s or S instead of user's x),

  • set group ID (s or S instead of group's x), and

  • sticky bit (t or T instead of other's x).

Here the output of ls -l for these bits is capitalized if execution bits hidden by these outputs are unset.

Setting set user ID on an executable file allows a user to execute the executable file with the owner ID of the file (for example root). Similarly, setting set group ID on an executable file allows a user to execute the executable file with the group ID of the file (for example root). Because these settings can cause security risks, enabling them requires extra caution.

Setting set group ID on a directory enables the BSD-like file creation scheme where all files created in the directory belong to the group of the directory.

Setting the sticky bit on a directory prevents a file in the directory from being removed by a user who is not the owner of the file. In order to secure the contents of a file in world-writable directories such as /tmp or in group-writable directories, one must not only set write permission off for the file but also set the sticky bit on the directory. Otherwise, the file can be removed and a new file can be created with the same name by any user who has write access to the directory.

Here are a few interesting examples of the file permissions. 

     $ ls -l /etc/passwd /etc/shadow /dev/ppp /usr/sbin/pppd
     crw-rw----    1 root     dip      108,   0 Jan 18 13:32 /dev/ppp
     -rw-r--r--    1 root     root         1051 Jan 26 08:29 /etc/passwd
     -rw-r-----    1 root     shadow        746 Jan 26 08:29 /etc/shadow
     -rwsr-xr--    1 root     dip        234504 Nov 24 03:58 /usr/sbin/pppd
     $ ls -ld /tmp /var/tmp /usr/local /var/mail /usr/src
     drwxrwxrwt    4 root     root         4096 Feb  9 16:35 /tmp
     drwxrwsr-x   10 root     staff        4096 Jan 18 13:31 /usr/local
     drwxrwsr-x    3 root     src          4096 Jan 19 08:36 /usr/src
     drwxrwsr-x    2 root     mail         4096 Feb  2 22:19 /var/mail
     drwxrwxrwt    3 root     root         4096 Jan 25 02:48 /var/tmp

There is an alternative numeric mode to describe file permissions in chmod(1) commands. This numeric mode uses 3 to 4 digit wide octal (radix=8) numbers. Each digit corresponds to:

  • 1st optional digit: sum of set user ID (=4), set group ID (=2), and sticky bit (=1)

  • 2nd digit: sum of read (=4), write (=2), and execute (=1) permissions for user

  • 3rd digit: ditto for group

  • 4th digit: ditto for other

This sounds complicated but it is actually quite simple. If you look at the first few (2-10) columns from ls -l command output and read it as a binary (radix=2) representation of file permissions ("-" being "0" and "rwx" being "1"), this numeric mode value should make sense as an octal (radix=8) representation of file permissions to you. [ 33] For example, try: 

     $ touch foo bar
     $ chmod u=rw,go=r foo
     $ chmod 644 bar
     $ ls -l foo bar
     -rw-r--r--    1 penguin  penguin  0 Nov  3 23:30  foo
     -rw-r--r--    1 penguin  penguin  0 Nov  3 23:30  bar

The default file permission mask can be set by using the umask shell built-in command. See builtins(7).

Debian GNU/Linux Reference Guide
Prev Home Next

 
 
  Published under the terms of the GNU General Public License Design by Interspire