LPI Linux Certification/Use File Permissions To Control Access To Files

From Wikibooks, the open-content textbooks collection


Detailed Objective

Weight: 5

Description:
Candidates should be able to control file access through the proper use of permissions.

  • Key knowledge area(s):
    • Manage access permissions on regular and special files as well as directories.
    • Use access modes such as suid, sgid and the sticky bit to maintain security.
    • Use the group field to grant file access to workgroups.
    • Basic knowledge of ACL.
    • Know how to change the default file creation mode of the shell.
  • The following is a partial list of the used files, terms and utilities:
    • chmod
    • umask
    • chattr (where applicable)

File and Directory Permissions

The permissions of a file or directory can be viewed with ls -l (use ls -ld to show a directory itself rather than its contents).

File permissions

Examples of file permissions:

ls -l readme
-rwxrw---- 1 toto users 14 Jul 5 10:00 readme

This means read, write, and execute permission for the user toto, read and write permission for members of the group users, and no permission for others (0760).

ls -l /etc/hosts
-rw-r--r-- 1 root root 14 Jul 5 10:00 /etc/hosts

This means read and write permission for the user root, and read permission for members of the group root and for all others (0644).

Examples of directory permissions:

ls -ld /bin
drwxr-xr-x 2 root root 4096 Jul 5 10:00 /bin

This means read, write, and execute permission for the user root, and read and execute permission for members of the group root and for others (0755). On a directory, execute permission is what allows entering it and accessing the files inside.

ls -l /home/toto
drwxr-xr-x 10 toto  users 4096 Jul 5 1:00 /home/toto

This means read, write, and execute permission for the user toto, and read and execute permission for members of the group users and for others (0755).

Default permissions

The default permissions requested when creating a file are 0666 and when creating a directory are 0777. Most systems restrict these defaults with umask, a shell builtin whose value is usually set in the shell startup files. The usual mask value is 022: each bit set in the mask is removed from the default, so write permission for group and others is blocked. To check or change the mask value, do:

umask        # show the current mask
umask 066    # set a new mask (here: block read and write for group and others)

Examples for file:

default: rw- rw- rw- (0666)
umask:   --- -w- -w- (0022)  bits blocked
result:  rw- r-- r-- (0644)

Examples for directory:

default: rwx rwx rwx (0777)
umask:   --- -w- -w- (0022)  bits blocked
result:  rwx r-x r-x (0755)
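The following POSIX sh script is an added example and not part of the Wikibooks page: it computes the "default minus umask" result shown in the two tables above, renders a mode in the rwx form that ls -l prints, and checks the arithmetic against the mode the kernel actually assigns when a file and a directory are created under a given mask. The function names effective_mode, symbolic and actual_mode are this example's own.

```sh
#!/bin/sh
# Added example (not from the original page). Requires mktemp and stat.

# Mode a new object receives: every bit set in the umask is cleared from the
# default (0666 for files, 0777 for directories); nothing is ever added.
effective_mode() {          # $1 = default mode (octal), $2 = umask (octal)
    printf '%04o\n' "$(( 0$1 & ~0$2 ))"
}

# Render the nine permission bits of an octal mode as ls -l does (rwxrw----).
symbolic() {                # $1 = mode (octal)
    sym_m=$(( 0$1 )); sym_out=""; sym_bit=8
    while [ "$sym_bit" -ge 0 ]; do
        case $(( sym_bit % 3 )) in 2) sym_c=r ;; 1) sym_c=w ;; *) sym_c=x ;; esac
        if [ $(( (sym_m >> sym_bit) & 1 )) -eq 1 ]; then sym_out="$sym_out$sym_c"
        else sym_out="$sym_out-"; fi
        sym_bit=$(( sym_bit - 1 ))
    done
    printf '%s\n' "$sym_out"
}

# Create a probe file or directory under the given umask in a scratch directory
# and report the mode the kernel actually assigned (GNU stat, BSD stat fallback).
actual_mode() {             # $1 = umask (octal), $2 = "file" or "dir"
    am_tmp=$(mktemp -d) || return 1
    ( umask "$1"
      if [ "$2" = dir ]; then mkdir "$am_tmp/probe"; else : > "$am_tmp/probe"; fi )
    am_mode=$(stat -c %a "$am_tmp/probe" 2>/dev/null || stat -f %Lp "$am_tmp/probe")
    rm -rf "$am_tmp"
    printf '%04o\n' "$(( 0$am_mode ))"
}

# Table of results for the mask used on this page and the stricter 066 example.
for mask in 0022 0066; do
    f=$(effective_mode 0666 "$mask"); d=$(effective_mode 0777 "$mask")
    printf 'umask %s: file %s (%s)  dir %s (%s)\n' \
        "$mask" "$f" "$(symbolic "$f")" "$d" "$(symbolic "$d")"
done
```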

Changing file permissions

To change the permissions of a file or directory, use chmod. To replace the existing permissions with an absolute (octal) mode, do:

chmod 0755 /tmp #rwx for user, rx for group and others

To add or remove individual permissions without overwriting the rest, use symbolic modes (u, g, o, a with +, - or =):

chmod u+w readme  # Add write permission for user
chmod +r readme  # Add read permission for everybody
chmod -r readme  # Remove read permission for everybody
chmod u+x,g=r readme  # Add execution for user and set read for group
chmod u=rwx,go=rx readme  # Set read write and execution for user, read and execution for group and others

To apply a change to a directory and everything below it, use the -R option:

chmod -R +x /sbin/*

Exercises