Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

GNU/Linux Command-Line Tools Summary
Prev Chapter 14. Security Next

14.2. File Permissions

Use ls -l to see the permissions of files (list-long). They will appear like this, note that I have added spaces between permissions to make it easier to read:

Where: r = read, w = write, x = execute

  -  rwx   rw-   r--  1 (1) newuser newuser
type(2)owner(3)group(4)others(5)
(1)
This number is the number of hard links (pointers) to this file. You can use ln to create another hard-link to the file.
(2)
This is the type of file. '-' means a regular file, 'd' would mean a directory, 'l' would mean a link. There are also other types such as 'c' for character device and 'b' for block device (found in the /dev/ directory).
(3)
These are the permissions for the owner of the file (the user who created the file).
(4)
These are the permissions for the group, any users who belong is the same group as the user who created the file will have these permissions.
(5)
These are the permissions for everyone else. Any user who is outside the group will have these permissions to the file.

The two names at the end are the username and group respectively.

chmod Change file access permissions for a file(s).

There are two methods to change permissions using chmod; letters or numbers.

Letters Method:

use a + or - (plus or minus sign) to add or remove permissions for a file. Use an equals sign =, to specify new permissions and remove the old ones for the particular type of user(s).

You can use chmod letter where the letters are:

a (all (everyone)), u (user), g (group) and o (other).

Examples:

chmod u+rw somefile

This would give the user read and write permission.

chmod o-rwx somefile

This will remove read/write/execute permissions from other users (doesn't include users within your group).

chmod a+r somefile

This will give everyone read permission for the file.

chmod a=rx somefile

This would give everyone execute and read permission to the file, if anyone had write permission it would be removed.

Numbers Method:

you can also use numbers (instead of letters) to change file permissions. Where:

r (read) = 4 w (write) = 2 x (execute) = 1

Numbers can be added together so you can specify read/write/execute permissions; read+write = 6, read+execute = 5, read+write+execute = 7

Examples:

chmod 777 somefile

This would give everyone read/write/execute permission on "this_file". The first number is user, second is group and third is everyone else (other).

chmod 521 somefile

This would give the user read and execute permission, and the group write permission (but not read permission!) and everyone else execute permission. (Note that it's just an example, settings like that don't really make sense...).

chown Changes the ownership rights of a file (hence the name 'chown' - change owner). This program can only be used by root.

Use the -R option to change things recursively, in other words, all matching files including those in subdirectories.

Command syntax:

chown owner:group the_file_name
sticky

bit Only the person who created the file may delete it, even if other people have write permission. You can turn it on by typing:

chmod 1700 somefile (where 1 = sticky bit)

or (where t represents the sticky bit)

chmod +t somefile

To turn it off you would need to type:

chmod 0700 somefile (where the zero would mean no sticky bit)

or (where t represents the sticky bit)

chmod -t somefile

Note that the permissions aren't relevant in the numbers example, only the first number (1 = on, 0 = off).

Tip Sticky Directories
 

You may also have sticky directories, the /tmp directory is usually an example of a sticky directory.

The files inside can only be deleted by the super-user (root) or the creator of the file.

Sticky directories will show a 't' at the end of their file permissions (when listed using ls -l). This may be useful when you have a directory that everyone has access to but no-one should be deleting each others files.
suid

Allow SUID/SGID (switch user ID/switch group ID) access. You would normally use chmod to turn this on or off for a particular file, suid is generally considered a security hazard so be careful when using this.

Example:

chmod a+s file_name

This will give everyone permission to execute the file with the permissions of the user who set the +s switch.

Caution Security Hazard
 

This is obviously a security hazard. You should avoid using the suid flag unless necessary.
chattr

Change file system attributes (works on ext2fs and possibly others...). Use the -R option to change files recursively, chattr has a large number of attributes which can be set on a file, read the manual page for further information.

Example:

chattr +i /sbin/lilo.conf[1]

This sets the 'immutable' flag on a file. Use a '+' to add attributes and a '-' to take them away. The +i will prevent any changes (accidental or otherwise) to the "lilo.conf" file. If you wish to modify the lilo.conf file you will need to unset the immutable flag: chattr -i. Note some flags can only be used by root; -i, -a and probably many others.

Note there are many different attributes that chattr can change, here are a few more which may be useful:

  • A (no Access time) --- if a file or directory has this attribute set, whenever it is accessed, either for reading of for writing, it's last access time will not be updated. This can be useful, for example, on files or directories which are very often accessed for reading, especially since this parameter is the only one which changes on an inode when it's opened read-only.

  • a (append only) --- if a file has this attribute set and is open for writing, the only operation possible will be to append data to it's previous contents. For a directory, this means that you can only add files to it, but not rename or delete any existing file. Only root can set or clear this attribute.

  • s (secure deletion) --- when such a file or directory with this attribute set is deleted, the blocks it was occupying on disk are written back with zeroes (similar to using shred). Note that this does work on the ext2, and ext3 filesystems but is unlikely to work on others (please see the documentation for the filesystem you are using). Or try using shred when you want to delete the file see Chapter 7

lsattr (list attributes). This will list if whether a file has any special attributes (as set by chattr). Use the -R option to list recursively and try using the -d option to list directories like other files rather than listing their contents.

Command syntax:

lsattr

This will list files in the current directory, you may also like to specify a directory or a file:

lsattr /directory/or/file

Notes

[1]

This example and tiny parts of the explanation have been taken from the Linux Online Classroom, see [4] in the Bibliography for further information.
Prev Home Next
Some basic Security Tools Up Archiving Files

 
 
  Published under the terms of the GNU General Public License Design by Interspire