Objectives
- Explain the concepts of owner, group and world
- Set file access rights: read, write and execute
- Authenticate requests for file access against the proper permissions
- Change file permissions with chmod
- Change group ownership with chgrp
- Understand the role of umask in establishing the desired permissions on newly created files
- Use ACLs to extend the simpler user, group, world and read, write, execute model
Owner, Group and World
$ ls -l some_file
-rw-rw-r-- 1 abernal www-data 1601 Mar 9 15:04 some_file
Let's examine the first 10 characters
- - (position 1): Indicates that some_file is a regular file, not a folder or other type of node
- r (position 2): Indicates that the owner of the file has read privileges
- w (position 3): Indicates that the owner of the file has write privileges
- - (position 4): Indicates that the owner of the file does not have execute privileges
- r (position 5): Indicates that the group of the file has read privileges
- w (position 6): Indicates that the group of the file has write privileges
- - (position 7): Indicates that the group of the file does not have execute privileges
- r (position 8): Indicates that world has read privileges
- - (position 9): Indicates that world does not have write privileges
- - (position 10): Indicates that world does not have execute privileges
Authentication process
- If the requester is the file owner, the file owner permissions are used
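- Otherwise, if the requester is in the group that owns the file, the group permissions are examined
- Otherwise, when the requester is neither the owner nor a member of that group, the world permissions are examined
Only the first class that matches is consulted: an owner whose owner bits deny access is refused even if the group or world bits would allow it.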
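The lookup order above, as an added example that is not part of the original notes: a shell function that picks exactly one permission class for a requester and tests the wanted bit. The function name check_access and all uids and gids are made up for illustration, and the model ignores the superuser and ACLs.

```sh
#!/bin/sh
# Added example: models how one permission class is chosen from the mode bits.
# Assumptions: superuser and ACLs are ignored; uids/gids below are constructed.

# check_access MODE FILE_UID FILE_GID REQ_UID "REQ_GIDS" WANT
#   MODE      octal permission bits, e.g. 0664
#   REQ_GIDS  space-separated group ids of the requester
#   WANT      r, w or x
# Prints "<class>:allow" or "<class>:deny".
check_access() {
    mode=$1 file_uid=$2 file_gid=$3 req_uid=$4 req_gids=$5 want=$6

    case $want in
        r) bit=4 ;;
        w) bit=2 ;;
        x) bit=1 ;;
        *) echo "WANT must be r, w or x" >&2; return 2 ;;
    esac

    # Select exactly one class; the remaining classes are never consulted.
    class=world shift_by=0
    if [ "$req_uid" -eq "$file_uid" ]; then
        class=owner shift_by=6
    else
        for gid in $req_gids; do
            if [ "$gid" -eq "$file_gid" ]; then
                class=group shift_by=3
                break
            fi
        done
    fi

    # Isolate the three bits of the selected class, then test the wanted bit.
    bits=$(( (0$mode >> $shift_by) & 7 ))
    if [ $(( $bits & $bit )) -ne 0 ]; then
        echo "$class:allow"
    else
        echo "$class:deny"
    fi
}

# Mode 0664 (rw-rw-r--), file owned by uid 1000, group 33:
check_access 0664 1000 33 1000 "1000 33" w   # owner:allow
check_access 0664 1000 33 1001 "1001 33" w   # group:allow
check_access 0664 1000 33 1002 "1002"    w   # world:deny
# Mode 0047 (---r--rwx): the owner is refused although world may read.
check_access 0047 1000 33 1000 "1000 33" r   # owner:deny
```

The last case is the one worth checking for when auditing: a mode whose owner or group bits are stricter than its world bits does not grant the owner or group the world's access.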
Changing Permissions : chmod
A normal user can change permissions only on his own files; the superuser can change them on any file.
For chmod we have
- u: stands for user (the owner)
- g: stands for group
- o: stands for others, or world
Example
$ ls -l some_file
-rw-rw-r-- 1 abernal abernal 1601 Mar 9 15:45 some_file
$ chmod uo+x,g-w some_file
$ ls -l some_file
-rwxr--r-x 1 abernal abernal 1601 Mar 9 15:47 some_file
chmod: Numerical Syntax for Permissions
Permissions can be represented either as a bitmap, usually written in octal, or in symbolic form.
Octal bitmaps usually look like
0755
While symbolic representations look like
u+rwx,g+rwx,o+rx
The octal digits stand for
- 4: Read Permission
- 2: Write Permission
- 1: Execute Permission
Thus
- 7: Means read + write + execute
- 6: Means read + write
- 5: Means read + execute
- 4: Means read
Example
$ chmod 755 some_file
Means that
- User: Will have read/write/execute permissions
- Group: Will have read/execute permissions
- Other: Will have read/execute permissions
Changing User and Group File Ownership
- chown: Used to change file ownership
- chgrp: Used to change group ownership
Only the superuser can change the ownership of files. Likewise, a user can only change the group ownership of a file to a group to which he belongs.
Changing the group ownership of a file
$ chgrp abernal some_file
Changing the user ownership of a file
$ chown pbernal some_file
Changing both at the same time
$ chown abernal:ccollazos some_file
All of the above commands accept the -R argument, which stands for recursive. Use it when dealing with a directory and the wish is to change all the files and directories within it.
umask
Defines the permissions that files and directories receive when they are created.
$ umask 0002
0002 is the most conventional value set by system administrators for users. This value is combined with the file creation permission (0666 for files and 0777 for directories) to get the actual result.
Example
For a file we have
0666 & ~002 = 0664 which turns out to be rw-rw-r--
For a directory
0777 & ~002 = 0775 which turns out to be rwxrwxr-x
Filesystem ACLs
Linux contains a full implementation of POSIX ACLs (Access Control Lists). A default set of ACLs is created at system install.
Getting and Setting ACLs
To see ACLs
$ getfacl file|directory
To set ACLs
$ setfacl options permissions file|directory
$ setfacl -m u:abernal:rx /home/abernal/some_file
To remove an ACL
$ setfacl -x u:abernal /home/abernal/file
To set the default on a directory
$ setfacl -m d:u:abernal:rx some_directory