Protecting Files With UNIX Permissions (Task Map)
The following task map points to procedures that list file permissions, change file
permissions, and protect files with special file permissions.
How to Display File Information
Display information about all the files in a directory by using the
ls command.
- Type the following command to display a long listing of all files in
the current directory.
% ls -la
- -l
Displays the long format that includes user ownership, group ownership, and file permissions.
- -a
Displays all files, including hidden files that begin with a dot (.).
Example 7-1 Displaying File Information
In the following example, a partial list of the files in the
/sbin directory is displayed.
% cd /sbin
% ls -la
total 13456
drwxr-xr-x 2 root sys 512 Sep 1 14:11 .
drwxr-xr-x 29 root root 1024 Sep 1 15:40 ..
-r-xr-xr-x 1 root bin 218188 Aug 18 15:17 autopush
lrwxrwxrwx 1 root root 21 Sep 1 14:11 bpgetfile -> ...
-r-xr-xr-x 1 root bin 505556 Aug 20 13:24 dhcpagent
-r-xr-xr-x 1 root bin 456064 Aug 20 13:25 dhcpinfo
-r-xr-xr-x 1 root bin 272360 Aug 18 15:19 fdisk
-r-xr-xr-x 1 root bin 824728 Aug 20 13:29 hostconfig
-r-xr-xr-x 1 root bin 603528 Aug 20 13:21 ifconfig
-r-xr-xr-x 1 root sys 556008 Aug 20 13:21 init
-r-xr-xr-x 2 root root 274020 Aug 18 15:28 jsh
-r-xr-xr-x 1 root bin 238736 Aug 21 19:46 mount
-r-xr-xr-x 1 root sys 7696 Aug 18 15:20 mountall
.
.
.
Each line displays information about a file in the following order:
Type of file – For example, d. For a list of file types, see File and Directory Ownership.
Permissions – For example, r-xr-xr-x. For a description, see File and Directory Ownership.
Number of hard links – For example, 2.
Owner of the file – For example, root.
Group of the file – For example, bin.
Size of the file, in bytes – For example, 7696.
Date the file was created or the last date that the file was changed – For example, Aug 18 15:20.
Name of the file – For example, mountall.
How to Change the Owner of a File
The file owner, the Primary Administrator role, or superuser can change any file's
ownership.
- Display the permissions on a file.
% ls -l example-file
-rw-r--r-- 1 janedoe staff 112640 May 24 10:49 example-file
- Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role
and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Change the owner of the file.
# chown stacey example-file
- Verify that the owner of the file has changed.
# ls -l example-file
-rw-r--r-- 1 stacey staff 112640 May 26 08:50 example-file
Example 7-2 Enabling Users to Change the Ownership of Files That Others Own
Security Consideration – You should have good reason to override system security policy by changing
the setting of the rstchown variable to zero. Any user who accesses the system
can change the ownership of any file on the system.
In this example, the value of the rstchown variable is set to zero
in the /etc/system file. This setting enables the owner of a file to
use the chown command to change the file's ownership to another user. This
setting also enables the owner to use the chgrp command to set the
group ownership of a file to a group that the owner does not
belong to. The change goes into effect when the system is rebooted.
set rstchown = 0
For more information, see the chown(1) and chgrp(1) man pages.
Also, be aware that NFS-mounted file systems have further restrictions on changing ownership
and groups. For more information on restricting access to NFS-mounted systems, see Chapter 6, Accessing Network File Systems (Reference), in System Administration Guide: Network Services.
How to Change Group Ownership of a File
- Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role
and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Change the group ownership of a file.
$ chgrp scifi example-file
For information on setting up groups, see Chapter 4, Managing User Accounts and Groups (Overview), in System Administration Guide: Basic Administration.
- Verify that the group ownership of the file has changed.
$ ls -l example-file
-rw-r--r-- 1 stacey scifi 112640 June 20 08:55 example-file
Also see Example 7-2.
How to Change File Permissions in Symbolic Mode
- If you are not the owner of the file or directory, become
superuser or assume an equivalent role.
Only the current owner or superuser can use the chmod command to change
file permissions on a file or directory.
- Change permissions in symbolic mode.
% chmod who operator permissions filename
- who
Specifies whose permissions are to be changed.
- operator
Specifies the operation to be performed.
- permissions
Specifies what permissions are to be changed. For the list of valid symbols, see Table 7-5.
- filename
Specifies the file or directory.
- Verify that the permissions of the file have changed.
% ls -l filename
Example 7-3 Changing Permissions in Symbolic Mode
In the following example, read permission is taken away from others.
% chmod o-r example-file1
In the following example, read and execute permissions are added for user, group,
and others.
$ chmod a+rx example-file2
In the following example, read, write, and execute permissions are assigned to group.
$ chmod g=rwx example-file3
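The following is an added example, not part of this guide, showing how a symbolic chmod clause (who, operator, permissions) maps onto the permission bits, using the three clauses from Example 7-3. It assumes a Linux or Solaris host with a chmod binary on PATH for the cross-check; the scratch file and the starting mode of 644 are constructed for the illustration.

```python
import os
import stat
import subprocess
import tempfile

# Permission bits selected by each "who" letter: user, group, other.
WHO_BITS = {
    "u": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "g": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "o": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}

def apply_symbolic(mode, spec):
    """Apply one chmod clause of the form who operator permissions
    (e.g. "o-r", "a+rx", "g=rwx") to a numeric mode and return the result."""
    i = 0
    while i < len(spec) and spec[i] in "ugoa":
        i += 1
    who, op, perms = spec[:i], spec[i:i + 1], spec[i + 1:]
    if op not in ("+", "-", "=") or any(c not in "rwx" for c in perms):
        raise ValueError("unsupported chmod clause %r" % spec)
    if not who or "a" in who:
        # "a" means user, group and other. An omitted who is treated the same
        # way in this simplified model; real chmod also honours the umask then.
        who = "ugo"
    requested = cleared = 0
    for w in who:
        r, wb, x = WHO_BITS[w]
        cleared |= r | wb | x
        requested |= (r if "r" in perms else 0) | (wb if "w" in perms else 0)
        requested |= x if "x" in perms else 0
    if op == "+":
        return mode | requested
    if op == "-":
        return mode & ~requested
    return (mode & ~cleared) | requested   # "=" replaces that class's bits outright

def system_chmod_result(spec, start=0o644):
    """Run the real chmod on a scratch file that starts at mode `start` and return
    the mode the kernel reports afterwards, to cross-check apply_symbolic()."""
    fd, path = tempfile.mkstemp()   # constructed scratch file, removed below
    os.close(fd)
    try:
        os.chmod(path, start)
        subprocess.run(["chmod", spec, path], check=True)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.remove(path)

if __name__ == "__main__":
    for clause in ("o-r", "a+rx", "g=rwx"):   # the clauses used in Example 7-3
        print(clause, oct(apply_symbolic(0o644, clause)), oct(system_chmod_result(clause)))
```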
How to Change File Permissions in Absolute Mode
- If you are not the owner of the file or directory, become
superuser or assume an equivalent role.
Only the current owner or superuser can use the chmod command to change
file permissions on a file or directory.
- Change permissions in absolute mode.
% chmod nnn filename
- nnn
Specifies the octal values that represent the permissions for the file owner, file group, and others, in that order. For the list of valid octal values, see Table 7-4.
- filename
Specifies the file or directory.
Note - When you use the chmod command to change the file group permissions on
a file with ACL entries, both the file group permissions and the ACL
mask are changed to the new permissions. Be aware that the new ACL
mask permissions can change the permissions for other users and groups who have
ACL entries on the file. Use the getfacl command to make sure that
the appropriate permissions are set for all ACL entries. For more information, see
the getfacl(1) man page.
- Verify that the permissions of the file have changed.
% ls -l filename
Example 7-4 Changing Permissions in Absolute Mode
In the following example, the permissions of a public directory are changed from
744 (read, write, execute; read-only; and read-only) to 755 (read, write, execute; read
and execute; and read and execute).
# ls -ld public_dir
drwxr--r-- 1 ignatz staff 6023 Aug 5 12:06 public_dir
# chmod 755 public_dir
# ls -ld public_dir
drwxr-xr-x 1 ignatz staff 6023 Aug 5 12:06 public_dir
In the following example, the permissions of an executable shell script are changed
from read and write to read, write, and execute.
% ls -l my_script
-rw------- 1 ignatz staff 6023 Aug 5 12:06 my_script
% chmod 700 my_script
% ls -l my_script
-rwx------ 1 ignatz staff 6023 Aug 5 12:06 my_script
How to Change Special File Permissions in Absolute Mode
- If you are not the owner of the file or directory, become
superuser or assume an equivalent role.
Only the current owner or a user with superuser capabilities can use the
chmod command to change the special permissions on a file or directory.
- Change special permissions in absolute mode.
% chmod nnnn filename
- nnnn
Specifies the octal values that change the permissions on the file or directory. The leftmost octal value sets the special permissions on the file. For the list of valid octal values for special permissions, see Table 7-6.
- filename
Specifies the file or directory.
Note - When you use the chmod command to change the file group permissions on
a file with ACL entries, both the file group permissions and the ACL
mask are changed to the new permissions. Be aware that the new ACL
mask permissions can change the permissions for additional users and groups who have
ACL entries on the file. Use the getfacl command to make sure that
the appropriate permissions are set for all ACL entries. For more information, see
the getfacl(1) man page.
- Verify that the permissions of the file have changed.
% ls -l filename
Example 7-5 Setting Special File Permissions in Absolute Mode
In the following example, the setuid permission is set on the dbprog file.
# chmod 4555 dbprog
# ls -l dbprog
-r-sr-xr-x 1 db staff 12095 May 6 09:29 dbprog
In the following example, the setgid permission is set on the dbprog2 file.
# chmod 2551 dbprog2
# ls -l dbprog2
-r-xr-s--x 1 db staff 24576 May 6 09:30 dbprog2
In the following example, the sticky bit permission is set on the public_dir
directory.
# chmod 1777 public_dir
# ls -ld public_dir
drwxrwxrwt 2 ignatz staff 512 May 15 15:27 public_dir
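The following is an added example, not part of this guide. It parses ls -l lines into the fields listed after Example 7-1, converts the permission field (including the s and t characters shown in Example 7-5) back to its four-digit octal mode, and then reviews a listing for entries with special permissions. It goes one step beyond the page's examples by also flagging a world-writable directory that lacks the sticky bit; the listing below is constructed from the page's own sample lines plus one added shared_dir entry.

```python
import stat

# Constructed sample listing, modelled on the ls -l output in Examples 7-1 and 7-5.
SAMPLE_LISTING = """\
-r-xr-xr-x 1 root sys 7696 Aug 18 15:20 mountall
-r-sr-xr-x 1 db staff 12095 May 6 09:29 dbprog
-r-xr-s--x 1 db staff 24576 May 6 09:30 dbprog2
drwxrwxrwt 2 ignatz staff 512 May 15 15:27 public_dir
drwxrwxrwx 2 ignatz staff 512 May 15 15:28 shared_dir
"""

def perm_string_to_mode(perms):
    """Convert the nine rwx characters of an ls -l line to a numeric mode. setuid,
    setgid and sticky appear as s/S and t/T in the execute slot of user, group, other;
    lowercase means the underlying execute bit is set as well."""
    if len(perms) != 9:
        raise ValueError("expected 9 permission characters, got %r" % perms)
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    mode = 0
    for i, ch in enumerate(perms):
        bit = 1 << (8 - i)            # 400 200 100 / 040 020 010 / 004 002 001
        if ch in "rwx":
            mode |= bit
        elif ch in "sStT":
            mode |= special[i] | (bit if ch in "st" else 0)
        elif ch != "-":
            raise ValueError("unexpected permission character %r" % ch)
    return mode

def parse_ls_line(line):
    """Split one ls -l line into type, mode, links, owner, group, size, date, name."""
    f = line.split(None, 8)
    if len(f) != 9:
        raise ValueError("not an ls -l line: %r" % line)
    return {"type": f[0][0], "mode": perm_string_to_mode(f[0][1:]), "links": int(f[1]),
            "owner": f[2], "group": f[3], "size": int(f[4]),
            "date": " ".join(f[5:8]), "name": f[8]}

def review_listing(listing):
    """Return (name, reason) pairs an administrator would want to look at: setuid or
    setgid files, and world-writable directories without the sticky bit."""
    findings = []
    for line in listing.splitlines():
        if not line or line.startswith("total"):
            continue
        e = parse_ls_line(line)
        m = e["mode"]
        if m & (stat.S_ISUID | stat.S_ISGID):
            findings.append((e["name"], "setuid/setgid"))
        if e["type"] == "d" and (m & stat.S_IWOTH) and not (m & stat.S_ISVTX):
            findings.append((e["name"], "world-writable without sticky bit"))
    return findings
```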