Understanding Permissions


Every file and directory in a Linux system is governed by a set of security-related properties. These properties govern the life of the file or directory in two ways:

  • Each file or directory must be owned by someone: In Linux, there is no such thing as a file or directory without an owner.

  • Each file or directory is associated with a list of the operations that can be performed on it, both by the owners and at times by other users as well. This list is known as the file's permissions and it is generally represented in a particular visual format that we discuss in a moment.

Both ownership and permissions are assigned from default values when a file or directory is created; file or directory owners can then change this information as needed.

You should be familiar with these properties when working with files and directories in Linux so that you can control who is allowed to access sensitive data. You also should understand why you might not be able to access data belonging to others. The sections that follow teach you to examine and manipulate a file's ownership and permissions. Let's study some real-world examples.

Up to this point, you've created files only in your home directory because that's the place users are meant to put their files. But can you put your files somewhere else? Let's see. Visit your home directory's parent directory, /home, and try to create a file there called hello.txt:

 [you@workstation20 ~]$ cd ..
 [you@workstation20 home]$ touch hello.txt
 touch: cannot touch 'hello.txt': Permission denied
 [you@workstation20 home]$

You don't have permission to create files in the directory /home. To see why, you need to learn to use the ls command in a new way.

Long File Listings

So far, you've used the ls command to get a basic listing of the names of the files and directories in a given directory. You can use a number of common options, however, to alter the behavior of ls so that it also lists other information, such as the creation date or size of a file or directory. Most used among these options is the -l or long listing option, which causes ls to display a great deal of extra information about each file it lists. Try it now on your root directory:

 [you@workstation20 home]$ ls -l /
 total 20
 drwxr-xr-x    2 root root 2344 Mar 23 20:55 bin
 drwxr-xr-x    4 root root 1024 Mar 23 20:53 boot
 drwxr-xr-x    9 root root 5460 Mar 24 20:48 dev
 drwxr-xr-x   75 root root 5912 Mar 24 20:54 etc
 [...]
 drwxr-xr-x   10 root root    0 Mar 24 15:46 sys
 drwxrwxrwt   13 root root  576 Mar 24 20:50 tmp
 drwxr-xr-x   14 root root  360 Mar 23 20:52 usr
 drwxr-xr-x   22 root root  552 Mar 23 21:25 var
 [you@workstation20 home]$

The -l option (lowercase L, not the number 1) causes ls to display a wealth of new information, including (from left to right)

  • The permissions (a string of characters that are enumerated later in this chapter) of the file or directory

  • The number of hard links to the file or directory

  • The owning user of the file or directory

  • The owning group of the file or directory

  • The size of the file or directory on the disk in bytes

  • The creation date and time if the file or directory was created within the past six months or the creation year and date if the file or directory was created before that

  • The name of the file or directory

The date, time, and size information in a long file listing is provided primarily for your convenience as a user. The hard link count provided by the long file listing is not commonly used in the course of day-to-day work and is thus beyond the scope of a book like this one. The owning group, owning user, and permissions are all important for understanding and using Linux permissions and are your focus for the remainder of this chapter.

Identity and File Ownership

In Linux, the two basic forms of identity are the user account, which you are using right now, and the group membership. At any time, a user account can belong to one (always at least one) or several groups; groups are created by system administrators to manage security and enhance workflow.

Every file and directory in a Linux file system is similarly owned at all times by exactly one primary user and by all the users in exactly one group. The ls command provides this ownership information in columns three and four of a long listing. As you've seen, every item in your system's root directory is owned by the root user and by the root group. For contrast, let's list the files in your home directory:

 [you@workstation20 home]$ cd
 [you@workstation20 ~]$ pwd
 /home/you
 [you@workstation20 ~]$ ls -l
 total 12
 drwx------  3 you   you   4096 Mar 23 21:53 Desktop
 -rw-rw-r--  1 you   you    324 Mar 23 16:57 anotherfile.txt
 lrwxrwxrwx  1 you   you      5 Mar 23 20:41 blue -> green
 drwxrwxr-x  2 you   you   4096 Mar 23 20:41 green
 lrwxrwxrwx  1 you   you      4 Mar 23 20:48 yellow -> blue
 [you@workstation20 ~]$

The files in your home directory are owned by the user you. They also belong to the group you. That group was created when your account was created, and the user you automatically belongs to it.

Ownership and File Permissions

What do we mean when we say that someone "has permission" to create or delete files in a given directory? In real terms, it means that the person in question owns the directory and that the permissions properties for the directory indicate that the directory's owner should be allowed to change the directory's contents. Referring back to your long listing of the root directory, you might recall the following entry for /home:

 drwxr-xr-x  3 root   root     4096 Mar 23 04:14 home 

The ownership of /home is clear; the /home directory is owned by the root user and the root group. The 10-character permissions code at the extreme left determines just what root, members of the group root, or anyone else can do to the /home directory. Each of the 10 positions in the permissions code means something specific. Let's look at this code more closely, with some spaces added to separate the major parts of the code:

 d rwx r-x r-x 

The character in the leftmost (first) position indicates the type of file /home is. In this case, the d in this position indicates that /home is a directory. Table 7.1 lists the common values for file types.

Table 7.1. Common File Types from Permissions Strings

  Type   Description
  d      The file in question is a directory.
  l      The file in question is a symbolic link.
  -      The file in question is a normal file (text, data, image, and so on).


A few other file types are available, but we're not going to worry about them in this chapter. Let's look at the code for /home again:

 d rwx r-x r-x 

Positions 2 through 4 of this code, rwx in the case of /home, dictate what the owning user of a file, in this case root, can do to it. Table 7.2 shows the precise meanings of the characters in positions 2 through 4.

Table 7.2. Meanings of the Characters in Positions 2 Through 4

  Position 2
    Possible values: r = permission to read/list granted; - = permission to read/list denied
    Meaning: In the case of a file, indicates whether the owning user will be allowed to read data from the file. In the case of a directory, indicates whether the owning user will be allowed to list the contents of the directory.

  Position 3
    Possible values: w = permission to write/create/delete granted; - = permission to write/create/delete denied
    Meaning: In the case of a file, indicates whether the owning user will be allowed to write data to the file. In the case of a directory, indicates whether the owning user will be allowed to create or delete files in the directory.

  Position 4
    Possible values: x = permission to execute/visit granted; - = permission to execute/visit denied
    Meaning: In the case of a file, indicates whether the owning user will be allowed to execute the file, that is, to use it if it is a command or program. In the case of a directory, indicates whether the owning user will be allowed to make the directory his or her present working directory, that is, to "visit" the directory.


In the case of /home, the owning user is allowed to list the contents of the directory, create and delete files in the directory, and visit the directory. Let's examine that permissions code for /home one more time:

 d rwx r-x r-x 

The characters in positions 5 through 7 (the middle group of three) have the same possible values and meanings as those shown in Table 7.2 but apply to members of the owning group, instead of to the owning user. In the case of /home, people who are not root but who happen to be members of the owning group, also called root, are allowed to list the contents of the directory and visit the directory. They are not, however, allowed to create or delete files within the directory.

Finally, the characters in positions 8 through 10 (the final group of three) again have the same meanings, but they apply to all other users, that is, users who are neither the owning user nor members of the owning group. In this case, users who are not root and who do not belong to the root group (this includes you) are allowed to list the contents of /home and visit /home but are not allowed to create or delete files in /home. So, when you tried to create a file in /home, Linux returned an error message.

More Permissions Examples

Because permissions can be a little confusing, going over some examples with brief explanations might be helpful. The following are hypothetical files with owning user, owning group, and permissions codes:

 -rw-r-----  1 jack   admins   16384 Aug 3 04:14 jacks_peppers.txt 

The file jacks_peppers.txt is likely a text document containing private information that jack doesn't want anyone to edit. Here is what this long listing tells you:

  • The file jacks_peppers.txt is owned by the user jack and by members of the group admins.

  • [-] It is a regular file, not a directory or a symbolic link.

  • [rw-] The user jack is allowed to read data from the file and write data to the file.

  • [r--] Members of the group admins are also allowed to read data from the file, but they may not write data to or make changes to the file in any way.

  • [---] Users who are not jack and who do not belong to admins can't read from the file or write to the file at all.

Here's another example:

 -rwxr-x---  1 root   wheel    54696 Aug 3 04:14 launchit 

The file launchit is a program that likely performs an administrative task of some kind because only root and members of wheel can run it. Here is what this long listing tells you:

  • The file launchit is owned by the user root and by members of the group wheel.

  • [-] It is a regular file, not a directory or symbolic link.

  • [rwx] The user root is allowed to read data from the file and write data to the file. The file launchit is likely a program or command because the user root is also allowed to execute it (run it as a program).

  • [r-x] Members of the group wheel are allowed to read from launchit and execute it, but they may not write to it.

  • [---] Users who are not root and who do not belong to wheel can't read launchit, write to launchit, or execute launchit at all.
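The two listings above are read by eye; here is an added POSIX shell decoder (not from the book) that does the same reading mechanically for any 10-character permissions string from ls -l. The function names perm_type, perm_class, world_writable and perm_decode are chosen here, and only the r/w/x/- characters this chapter covers are handled.

```shell
#!/bin/sh
# Decode a 10-character permissions string such as "-rwxr-x---" into the
# file type and what each class (owning user, owning group, other) may do.
# Added example for this chapter, not the book's own code.

# perm_type STRING: file type from position 1 (Table 7.1)
perm_type() {
    case "$(printf '%s' "$1" | cut -c1)" in
        d) echo "directory" ;;
        l) echo "symbolic link" ;;
        -) echo "regular file" ;;
        *) echo "other" ;;
    esac
}

# perm_class STRING CLASS: rights for CLASS u, g or o, taken from
# positions 2-4, 5-7 or 8-10 respectively; prints e.g. "read,execute"
perm_class() {
    case "$2" in
        u) triplet=$(printf '%s' "$1" | cut -c2-4) ;;
        g) triplet=$(printf '%s' "$1" | cut -c5-7) ;;
        o) triplet=$(printf '%s' "$1" | cut -c8-10) ;;
        *) return 1 ;;
    esac
    out=""
    case "$triplet" in r??) out="read" ;; esac
    case "$triplet" in ?w?) out="${out:+$out,}write" ;; esac
    case "$triplet" in ??x) out="${out:+$out,}execute" ;; esac
    echo "${out:-none}"
}

# world_writable STRING: succeeds when position 9 (write for "other")
# is set, the -rw-rw-rw- situation the chapter calls rare in practice
world_writable() {
    case "$(printf '%s' "$1" | cut -c9)" in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# perm_decode STRING: one-line summary of the whole permissions string
perm_decode() {
    [ "${#1}" -eq 10 ] || { echo "expected a 10-character string" >&2; return 1; }
    printf '%s: %s; user=%s group=%s other=%s\n' "$1" "$(perm_type "$1")" \
        "$(perm_class "$1" u)" "$(perm_class "$1" g)" "$(perm_class "$1" o)"
}

perm_decode -rw-r-----
perm_decode -rwxr-x---
```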

Symbolic Links and Permissions

When you look at the permissions of symbolic links, they always seem to grant permission for everything to everyone. A symbolic link uses the permissions of the file that it points to rather than its own permissions.


Changing Permissions

Sometimes, you might want to change the permissions of files you own in your home directory. You might want to allow other users to modify them, for example, or prevent other users from reading them. You can change file permissions with the chmod command.

You can use chmod in two ways: using the symbolic method or the numeric method. The symbolic method for changing permissions is easier to understand because it uses the same characters you've seen used for permissions codes. The numeric method uses numbers to assign permissions and is more commonly used by system administrators because of its brevity.

Here is the format for using chmod in symbolic mode:

 chmod permcode file1 [file2 ...] 

The permcode consists of three parts:

  • One letter or a combination of these letters:

    u (for owning user)

    g (for owning group)

    o (for "other")

    This letter or group of letters indicates whose permissions are to be changed.

  • Either a plus, minus, or equal sign, depending on whether permissions are to be added, removed, or explicitly assigned, respectively.

  • One letter or a combination of these letters:

    r (for adding/removing/assigning read permission)

    w (for adding/removing/assigning write permission)

    x (for adding/removing/assigning execute permission)

    This letter or group of letters indicates how permissions are to be allocated.

Let's look at some examples to illustrate how chmod works in symbolic mode. Return to your home directory and create a new file called illustration.txt:

 [you@workstation20 home]$ cd
 [you@workstation20 ~]$ touch illustration.txt
 [you@workstation20 ~]$ ls -l
 total 4
 drwx------  3 you   you   4096 Mar 23 21:53 Desktop
 -rw-rw-r--  1 you   you    324 Mar 23 16:57 anotherfile.txt
 lrwxrwxrwx  1 you   you      5 Mar 23 20:41 blue -> green
 drwxrwxr-x  2 you   you   4096 Mar 23 20:41 green
 -rw-rw-r--  1 you   you      0 Mar 23 22:15 illustration.txt
 lrwxrwxrwx  1 you   you      4 Mar 23 20:48 yellow -> blue
 [you@workstation20 ~]$

Notice that in spite of the fact that illustration.txt is your file, the entire world (users who are not you and do not belong to your group) can still currently read illustration.txt. Suppose illustration.txt contained private information? You would, of course, want to remove permission for other users to read the file:

 [you@workstation20 ~]$ chmod o-r illustration.txt
 [you@workstation20 ~]$ ls -l illustration.txt
 -rw-rw----  1 you   you       0 Mar 23 10:01 illustration.txt
 [you@workstation20 ~]$

You have now forbidden users who are not you and do not belong to the group you from reading illustration.txt. Other users who try to read the file will get an error message. Now suppose for a moment that you also have a twin, miniyou, who has been made a member of the group you by a system administrator. With the current file permissions of illustration.txt, miniyou would have both read and write access, assuming once again that miniyou was a member of the group you. To prevent this access, you could disable access for all members of the group you:

 [you@workstation20 ~]$ chmod g-rw illustration.txt
 [you@workstation20 ~]$ ls -l illustration.txt
 -rw-------  1 you   you       0 Mar 23 10:01 illustration.txt
 [you@workstation20 ~]$

Now only you have read and write access to illustration.txt. Users who are not you but who are members of the group you have no access. But perhaps you wanted to prevent miniyou only from modifying the file, not necessarily from reading it. No problem: you can restore read permission:

 [you@workstation20 ~]$ chmod g+r illustration.txt
 [you@workstation20 ~]$ ls -l illustration.txt
 -rw-r-----  1 you   you       0 Mar 23 10:01 illustration.txt
 [you@workstation20 ~]$

Now you still have full read and write access; members of the group you (including miniyou) have read-only access. Users who are not you and not members of the group you still have no access at all. Finish by giving full read and write access to everyone in the world, just for fun:

 [you@workstation20 ~]$ chmod ugo+rw illustration.txt
 [you@workstation20 ~]$ ls -l illustration.txt
 -rw-rw-rw-  1 you   you       0 Mar 23 10:01 illustration.txt
 [you@workstation20 ~]$

In practice, you would rarely want to provide this access, because now anyone in any account can read at will and make any changes to illustration.txt.
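The four chmod steps above can be replayed and checked automatically. The following shell script is an added example, not the book's own code: it runs the same symbolic-mode sequence on a temporary file created with mktemp, compares the mode string ls -l reports after each step with the listings above, and finishes with a check the chapter motivates but does not show, listing the files in a directory that "other" can read. The names walkthrough, mode_of, apply_and_check and other_readable are chosen here.

```shell
#!/bin/sh
# Replays the chapter's chmod sequence on a scratch file, reading the
# mode string back with ls -l after each step, then lists files that
# "other" can read. Added example for this chapter, not the book's code.

# mode_of FILE: the 10-character permissions string ls -l prints for FILE
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# apply_and_check FILE PERMCODE EXPECTED: run chmod in symbolic mode and
# fail unless the resulting mode string is EXPECTED.
apply_and_check() {
    chmod "$2" "$1" || return 1
    got=$(mode_of "$1")
    printf 'chmod %-8s -> %s\n' "$2" "$got"
    [ "$got" = "$3" ]
}

# walkthrough: the exact sequence from the chapter (o-r, g-rw, g+r,
# ugo+rw). The starting mode -rw-rw-r-- is set explicitly, because the
# mode touch gives a new file depends on the account's umask.
walkthrough() {
    f=$(mktemp) || return 1
    chmod u=rw,g=rw,o=r "$f"
    if apply_and_check "$f" o-r    '-rw-rw----' &&
       apply_and_check "$f" g-rw   '-rw-------' &&
       apply_and_check "$f" g+r    '-rw-r-----' &&
       apply_and_check "$f" ugo+rw '-rw-rw-rw-'
    then rc=0; else rc=1; fi
    rm -f "$f"
    return "$rc"
}

# other_readable DIR: regular files under DIR whose "other" read bit
# (octal 004, the r in positions 8-10) is set, which is the state the
# chapter points out for a freshly created file.
other_readable() {
    find "$1" -type f -perm -004
}

walkthrough && echo "all four steps matched the chapter's listings"
```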

Managing Permissions Using the File Manager

You also can view and edit file and directory permissions using the file manager. To view the permissions for a given file or directory using the file manager, right-click the icon for the file or directory in question and choose Properties from the context menu. In the dialog box that appears, select the Permissions tab. This tab displays the permissions for the file in question, as shown in Figure 7.3.

Figure 7.3. On the Permissions tab of the Properties dialog box, you can view and edit the permissions for the file in question.


The Permissions tab contains a number of options that either display information about the file's ownership and permissions, or allow you to make changes to the file's ownership or permissions using your mouse. These options include

  • File Owner, which displays the name of the owning user account.

  • File Group, which displays and allows you to change the name of the owning group account.

  • Owner, Group, and Others permissions check boxes that allow you to enable or disable read, write, and execute permissions for each of these roles.

  • Special Flags that allow you to enable or disable certain special file characteristics that are discussed in detail in Part V, "Advanced Topics."

  • A Text View of the permissions for the file, just as you would see with ls -l.

  • A Number View of the permissions for the file, used in changing the permissions using chmod's numeric mode, discussed in detail in Chapter 28, "Command-Line System Administration."

  • The time and date at which the file was last modified.

To change the permissions or group ownership for a file or directory using the Properties dialog box, simply check or uncheck the boxes in question, as desired, and then click Close to save your changes.

For more information on changing ownership and on special file permissions, refer to Chapter 30, "Security Basics."



    SAMS Teach Yourself Red Hat(r) Fedora(tm) 4 Linux(r) All in One