Setting File and Directory Permission in Unix/Linux
Before setting permissions on files and directories you have to check the current permissions so that you can verify the changes. To view file/directory permissions, issue the following command:
ls -l
This shows files in long format, i.e.
-rw-r--r-- 1 root adm 4096 May 15 16:20 MyText
- The first character (-) shows the file type; here - means a regular file, and d would mean a directory.
- The next three characters (rw-) are the permissions of the owner/creator of the file/directory.
- The next three characters (r--) are the permissions of the group the file/directory belongs to, and the last three (r--) are the permissions of everyone else.
- May 15 16:20 is the date and time the file/directory was last accessed/created/modified.
Each file/directory has three basic permissions:
1. r (Read)
2. w (Write)
3. x (Execute)
There are other file permissions in Unix/Linux but they are beyond the scope of this document.
Permissions can be set in two ways:
1. Symbolically
2. Numerically
Symbolic Method
In this method each permission and user type is denoted by a special character, as discussed above.
Syntax
--w-r--r-- 1 root adm 4096 May 15 16:20 MyText
chmod u+r MyText (the user/owner gains read permission, i.e. -rw-r--r--)
chmod a-w MyText (write permission is taken away from all users; e.g. a file that was -rw-rw-rw- becomes -r--r--r--)
chmod g=x MyText (all group permissions are removed and execute becomes the only permission for the group users of the file/directory, i.e. -rw---xr--)
Numeric Method
This is a quick method for assigning permissions. It consists of four digits; a leading zero is placed automatically on the left, i.e. 517 is interpreted as 0517. The first digit defines special types of permission which I am not going to discuss here, so always use three digits instead of four. Each digit must be in the range 0-7: 0 is the minimum and 7 is the maximum sum of permissions.
File Permissions
1. Read (the contents can be viewed but not altered)
2. Write (the contents can be written/altered)
3. Execute (the file can be run as an executable)
The combined effect of the file permissions can be seen in this table:
Permissions   Read   Write   Execute
---           No     No      No
--x           No     No      Yes
-wx           No     Yes     Yes
rwx           Yes    Yes     Yes
rw-           Yes    Yes     No
r--           Yes    No      No
-w-           No     Yes     No
Directory Permissions
The combined effect of the directory permissions can be seen in this table:
Permissions   List contents   Create/delete/modify contents   Move into directory
---           No              No                              No
--x           No              No                              Yes
-wx           No              Yes                             Yes
rwx           Yes             Yes                             Yes
rw-           Yes             Yes                             No
r--           Yes             No                              No
-w-           No              Yes                             No
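The symbolic and numeric methods are two spellings of the same nine bits. The following Python script is an added example, not code from the original article: it converts the permission column of ls -l to the numeric mode and back, applies symbolic clauses such as u+r, a-w and g=x the way chmod does (umask handling and the special s/t bits are left out), and reports the read/write/execute effect per entity as in the tables above. The function names are this example's own.

```python
"""Permission-bit arithmetic behind chmod's symbolic and numeric forms.

Added example; the names here belong to this script, not to any chmod API.
"""
import stat

# Bits per entity in the usual order, matching the 400/200/100, 40/20/10, 4/2/1 table.
ENTITY_BITS = {
    "u": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "g": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "o": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}
PERM_INDEX = {"r": 0, "w": 1, "x": 2}
ENTITY_NAMES = {"u": "owner", "g": "group", "o": "other"}


def parse_mode_string(listing_field):
    """Turn the first 'ls -l' column (e.g. '-rw-r--r--') into a numeric mode (0o644).

    A leading file-type character is ignored. 's'/'t' count as execute set and
    'S'/'T' as execute clear; the setuid/setgid/sticky bits themselves are not returned.
    """
    perms = listing_field[-9:]
    if len(perms) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for i, entity in enumerate("ugo"):
        for j, letter in enumerate("rwx"):
            ch = perms[3 * i + j]
            if ch == letter or (letter == "x" and ch in "st"):
                mode |= ENTITY_BITS[entity][j]
            elif ch != "-" and not (letter == "x" and ch in "ST"):
                raise ValueError(f"unexpected {ch!r} at position {3 * i + j}")
    return mode


def format_mode(mode):
    """Render the nine rwx characters for a numeric mode (0o644 -> 'rw-r--r--')."""
    return "".join(
        letter if mode & bit else "-"
        for entity in "ugo"
        for letter, bit in zip("rwx", ENTITY_BITS[entity])
    )


def to_octal(mode):
    """Three-digit absolute mode as typed after chmod (0o755 -> '755')."""
    return f"{mode & 0o777:03o}"


def apply_symbolic(mode, spec):
    """Apply a chmod symbolic mode such as 'u+r', 'a-w', 'g=x' or 'ug+rw,o-w'.

    '+' adds, '-' removes and '=' sets exactly the listed bits for the named entities.
    Real chmod consults the umask when no entity is given; that is omitted here.
    """
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i] or "a"
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause {clause!r}: expected +, - or =")
        op, perms = clause[i], clause[i + 1:]
        if any(p not in PERM_INDEX for p in perms):
            raise ValueError(f"bad clause {clause!r}: only r, w, x are supported")
        entities = "ugo" if "a" in who else who
        wanted = 0      # bits named in the clause, for the chosen entities
        everything = 0  # all rwx bits of the chosen entities (cleared first by '=')
        for e in entities:
            everything |= sum(ENTITY_BITS[e])
            for p in perms:
                wanted |= ENTITY_BITS[e][PERM_INDEX[p]]
        if op == "+":
            mode |= wanted
        elif op == "-":
            mode &= ~wanted
        else:
            mode = (mode & ~everything) | wanted
    return mode


def effects(mode):
    """Per-entity read/write/execute booleans, i.e. one row of the table for each entity."""
    return {
        ENTITY_NAMES[e]: dict(zip(("read", "write", "execute"),
                                  (bool(mode & b) for b in ENTITY_BITS[e])))
        for e in "ugo"
    }


if __name__ == "__main__":
    # Replay the article's three symbolic examples starting from --w-r--r--.
    current = parse_mode_string("--w-r--r--")
    for clause in ("u+r", "a-w", "g=x"):
        current = apply_symbolic(current, clause)
        print(f"chmod {clause:<5} MyText -> -{format_mode(current)}  ({to_octal(current)})")
```

Each clause is resolved to a bit mask first, so "=" can clear the entity's existing bits before setting the requested ones, which is the difference between chmod g=x and chmod g+x that the article's third example relies on.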
One of the most confusing issues for Windows defectors is that of file permissions. Home-user Windows systems have no concept of file ownership, which, depending on your situation, can be a good or bad thing. You need to keep in mind that Linux is at heart a Unix system, and Unix is built to support multiple users. Even on a home computer, permissions are a useful feature which allow you to block sensitive files from being edited, or even read, by non-authorized people.
To further illustrate this point, consider your old Windows box. You might have spent
hours or days getting your preferences and settings just right, only to find that the next
time you sit down at the computer somebody has changed the widget colours to an
ungodly lemon yellow, and changed the system time to GMT when you live in New
York. Another example: You spend all weekend putting the finishing touches on a report
for your boss, but unfortunately it is lost forever because your child has just discovered
the joy of "delete". Oops.
These examples may be a bit extreme, but suffice it to say that ensuring your files don't get 'accidentally' deleted, or viewed by the wrong eyes, provides a great deal of comfort.
overview
In a nutshell, there are three types of permissions, and three entities that receive these
permissions. As a quick example type 'ls -l' in a directory. Any directory. You should see
something like this:
What we are interested in is the cryptic 'r's 'w's and 'x's on the left side. You may already
know that these are the permissions of the respective files. So what do they mean?
'r'
'read' permission. This allows you to read, view, or otherwise open the file depending on
context.
'w'
'write' permission. This allows you to edit or delete the file.
'x'
'execute' permission. This allows you to run the file as a program.
So who receives these permissions? We have three entities: owner, group, and other.
owner
Typically the owner is the person who creates the file. The majority of system files are
owned by root, ensuring that mortal users cannot erase or edit important system settings.
group
Groups create a way to share files between users, for example, a team of designers who
are working together on a project. Groups may also be used to allow access to certain
devices, such as CDROMs or printers to regular users.
other
As the name implies, this permission applies to everybody else. We need to pay particular
attention to this permission because if it is set to read or write then anybody can view,
edit, or delete the file.
Looking back to our 'ls -l' example you can see that there are 10 slots in the listing. The
first slot is usually just a dash (-) which tells us it is a regular file. Sometimes it is a 'd' for
directory, 'l' for link, or 'c' for character device. We don't need to worry about that right
now. The other 9 slots are our three permissions for our three entities. The first three are
for the owner, then group, then other. Perhaps an example:
In this example we can see that the first three are 'rwx' which means the owner of the file
can read, write or execute it. The group can read and write (rw-), and everybody else is
limited to viewing the file (r--). In this particular example we can see that the file's owner
is 'bulliver', and the file's group is 'web'.
To change the owner of a file, we use the chown command. The format is 'chown [new
owner] file'. To change the file's group, we use the chgrp command. The format is the
same 'chgrp [new group] file'. To save some typing we can change both in one shot using
the dot notation: 'chown [new owner].[new group] file'. Let's have some examples:
[root@localhost]$ ls -l anyfile
-rw-rw-r-- 1 bulliver web 192 Feb 6 14:55 anyfile
[root@localhost]$ chown root anyfile
[root@localhost]$ ls -l anyfile
-rw-rw-r-- 1 root web 192 Feb 6 14:55 anyfile
[root@localhost]$ chgrp bozo anyfile
[root@localhost]$ ls -l anyfile
-rw-rw-r-- 1 root bozo 192 Feb 6 14:55 anyfile
[root@localhost]$ chown bulliver.web anyfile
[root@localhost]$ ls -l anyfile
-rw-rw-r-- 1 bulliver web 192 Feb 6 14:55 anyfile
A file's permissions are also known as its 'mode' to gurus and Linux geeks, so to change
them we use the 'chmod' command (change mode). There are two ways of specifying the
new permissions using chmod: symbolic and absolute.
absolute mode
Because you are dying with suspense, I will just tell you that absolute mode is the one
with the numbers. You can use simple arithmetic to arrive at the permission you are
looking for. Consider:
+--------------------------+--------------------------+--------------------------+
|          owner           |          group           |         everyone         |
+--------+-------+---------+--------+-------+---------+--------+-------+---------+
|  read  | write | execute |  read  | write | execute |  read  | write | execute |
+--------+-------+---------+--------+-------+---------+--------+-------+---------+
|  400   |  200  |   100   |   40   |   20  |   10    |   4    |   2   |    1    |
+--------+-------+---------+--------+-------+---------+--------+-------+---------+
So you just add the appropriate mode numbers to arrive at your desired permission. It may be easier to consider each entity as a single digit, in the usual order (owner, group, other). As always, this theory is best understood with some examples. Let's imagine a hypothetical file named 'myscript'. 'myscript' is a shell script that we are writing that performs a useful function. When we first create it we don't want others to mess around with it, so we set some restrictive permissions while writing it:
Now let us imagine that we need some help with our script, so we make it available to
our programmer friend, who just happens to belong to a group called 'web'. We need to
change the group, and change the group permissions:
Our script is now almost done, and we want to test it. We need it to be executable:
Our script is now perfect. We are going to make the script available for all users to run, and we want them to be able to see our handiwork, so we'll let everybody read and execute it. We don't want users changing it, however, so they don't get write permission:
This should give you a good working knowledge of absolute mode. Just remember that to
get your permission, add the appropriate mode numbers.
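The chmod commands for each stage of 'myscript' did not survive on this page, so here is an added Python example (not the author's code) that performs the four stages on a temporary file and reads the mode back with stat. The modes 600, 660, 770 and 755 are assumed values for the stages described; 'chgrp web' is stood in for by a chown to the caller's own primary group, because the 'web' group need not exist and handing a file to a foreign group needs root.

```python
"""The four stages of 'myscript', applied to a real temporary file and read back.

Added example; the stage modes are assumed, since the article's own commands
were not preserved.
"""
import os
import shutil
import stat
import tempfile

# Mode numbers from the absolute-mode table; a permission is just their sum.
OWNER_READ, OWNER_WRITE, OWNER_EXEC = 0o400, 0o200, 0o100
GROUP_READ, GROUP_WRITE, GROUP_EXEC = 0o040, 0o020, 0o010
OTHER_READ, OTHER_WRITE, OTHER_EXEC = 0o004, 0o002, 0o001

# (stage description, absolute mode): assumed values for each stage in the text.
STAGES = [
    ("restrictive while we write it",
     OWNER_READ | OWNER_WRITE),                                        # 600
    ("shared with the 'web' group for help",
     OWNER_READ | OWNER_WRITE | GROUP_READ | GROUP_WRITE),             # 660
    ("executable so we can test it",
     OWNER_READ | OWNER_WRITE | OWNER_EXEC
     | GROUP_READ | GROUP_WRITE | GROUP_EXEC),                         # 770
    ("everyone may read and run it, only the owner may change it",
     OWNER_READ | OWNER_WRITE | OWNER_EXEC
     | GROUP_READ | GROUP_EXEC | OTHER_READ | OTHER_EXEC),             # 755
]


def mode_of(path):
    """Absolute mode as chmod would take it, e.g. '755', read back from the filesystem."""
    return f"{stat.S_IMODE(os.stat(path).st_mode):03o}"


def ls_style(path):
    """The first 'ls -l' column for path, e.g. '-rwxr-xr-x'."""
    return stat.filemode(os.stat(path).st_mode)


def walk_through(stages=STAGES):
    """Create 'myscript' in a scratch directory, apply each stage, return what stat reports.

    Returns a list of (description, octal mode, ls-style string).
    """
    scratch = tempfile.mkdtemp(prefix="myscript-")
    try:
        path = os.path.join(scratch, "myscript")
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho 'useful function'\n")
        # Stand-in for 'chgrp web myscript': changing to a group you are not a member
        # of needs root, so the file goes to the caller's own primary group instead.
        os.chown(path, -1, os.getgid())
        report = []
        for description, mode in stages:
            os.chmod(path, mode)  # absolute mode: the sum of the table's numbers
            report.append((description, mode_of(path), ls_style(path)))
        return report
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    for description, octal, listing in walk_through():
        print(f"{listing}  {octal}  {description}")
```

Reading the mode back through os.stat rather than trusting the value you passed in is the same habit the first article recommends with ls -l before and after every chmod.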
SETUID
Normally, when a program is run it inherits all the rights/restrictions of the user that executed it. If a user can't read /var/log/messages, then neither can any program/script executed by that user. There is a way around this: we again use the chmod command but add a '4' at the beginning of the permission string, for example:
chmod 4755 myscript
This would execute 'myscript' with the permissions of the file's owner (such as root, if the file is owned by root), and not those of the normal user executing 'myscript'. As you can imagine, this should be used sparingly if at all, as it defeats the normal permission structure and can lead to security issues.
SETGID
The setgid bit works the same way, except that instead of applying to the file's owner, it applies to the file's group setting. The chmod command is used again, prefixing a '2' as the first digit.
relative mode
As the name implies, relative mode only changes permissions relative to the current
permissions. That is, you can add or remove permissions from the existing ones. The
format is pretty much the same as absolute mode: 'chmod [new_mode] file'. It is only the
mode that is different.
We have three parts, which for lack of better terms, are '[entity][operator][permissions]'.
The entities describe who gets the permissions. They are:
The operators decide whether we add, remove, or emulate absolute mode (ie: describe
permissions from scratch). They are:
There are actually quite a few more options available, but they should not be necessary
for casual use. If you are really curious I direct you to 'man chmod'. Perhaps some more
examples are in order.
As you can see pretty much any combination is valid as long as you follow the '[entity]
[operator][permissions]' formula.
Linux directory access permissions say that if a user has write permission on a directory, they can rename or remove files there, even if the files don't belong to them.
When the owner of the directory sets the sticky bit, renames/removals are only allowed by the file's owner, the directory's owner and the root user.
Setting the sticky bit on files was once used to force a copy of the file to stay in swap
space, in an attempt to speed execution the next time the file was used. This hasn't been
used in quite some time, due to advances in memory management. You can still set the
sticky bit on a file, but the kernel will just ignore it.
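The 'other' entity, the setuid/setgid bits and the sticky bit are exactly the settings an administrator audits for. The following Python example is added here and is not from the article: it walks a directory tree and reports world-writable files, world-writable directories that lack the sticky bit, and setuid/setgid files. The sample tree is constructed inside the script so it runs offline; the finding labels are this example's own.

```python
"""Audit a directory tree for the permission settings the article warns about.

Added example; the sample tree is constructed here so the script runs offline.
"""
import os
import shutil
import stat
import tempfile


def audit_tree(root):
    """Return sorted (finding, path relative to root) pairs.

    Flags files writable by 'other', directories writable by 'other' that lack the
    sticky bit (any user could delete another user's files there), and setuid/setgid
    files. Symlinks are skipped so a link cannot point the audit outside the tree.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            mode = st.st_mode
            if stat.S_ISDIR(mode):
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append(("world-writable directory without sticky bit", rel))
            else:
                if mode & stat.S_IWOTH:
                    findings.append(("world-writable file", rel))
                if mode & stat.S_ISUID:
                    findings.append(("setuid file", rel))
                if mode & stat.S_ISGID:
                    findings.append(("setgid file", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one of each problem plus two benign entries. Caller removes it."""
    root = tempfile.mkdtemp(prefix="permaudit-")

    def make_dir(rel, mode):
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)

    def make_file(rel, mode):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("sample\n")
        os.chmod(path, mode)

    make_dir("dropbox", 0o777)       # anyone may rename or delete anyone's files here
    make_dir("shared", 0o1777)       # like /tmp: world-writable but sticky, so not flagged
    make_file("notes.txt", 0o666)    # anybody can edit or truncate it
    make_file("myscript", 0o4755)    # runs as its owner, whoever starts it
    make_file("report.txt", 0o644)   # the usual safe default
    return root


def demo():
    """Build the sample tree, audit it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:45} {path}")
```

Run audit_tree against a real path (for example a web root or a shared project directory) to get the same report for that tree; os.lstat is used so that a symlink planted in the tree is reported for what it is rather than followed.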
Well, I hope this has helped you get a handle on Linux file permissions. It's really not as
hard as it might seem. That's all for now, happy chmoding to you!
One suggestion, one comment: You could add some sentences about umask and what it
does.
The comment is about this suid- "myscript" thing. I know it's just to show the recipe, but
it suggests that it's ok to have such a script, while it's not. ("'myscript' is a shell script that
we are writing that performs a useful function.") The target here are people new to Linux,
and they may not know better. Fundamentally, such a script cannot be made
unexploitable (path issues. temp file issues. IFS issues. Remaining race conditions that
cannot be fixed. And so on and so on.) Because of that, the Linux kernel will not honor
the suid bit for scripts, so on linux one is safe. But Solaris has no such inhibitions, for
example.
mlp
Quote:
The comment is about this suid- "myscript" thing. I know it's just to show the recipe,
but it suggests that it's ok to have such a script, while it's not. ("'myscript' is a shell
script that we are writing that performs a useful function.") The target here are
people new to Linux, and they may not know better. Fundamentally, such a script
cannot be made unexploitable (path issues. temp file issues. IFS issues. Remaining
race conditions that cannot be fixed. And so on and so on.) Because of that, the Linux
kernel will not honor the suid bit for scripts, so on linux one is safe.
Firstly, I think that this is a very informative article. I really appreciate the author's help towards people who are new to Linux. This covers pretty much everything that one needs to know about file permissions for basic usage.
Secondly, I think all that bashing from mlp68 was totally unwanted. As far as I know, no newbie will even think about 'myscript'; they will concentrate on how to go ahead setting file permissions. I'm saying this from a newbie's point of view. I'm not a Linux 'Guru', but certainly not a newbie.
I know how a newbie (with considerable IQ) will think while reading the article and what he/she concludes from it.
I mean, how many newbies do you know who know anything about path issues, temp file issues, IFS issues etc.?
Cheers
King Nothing
BTW, I just wanted to say that I did not add the parts about suid or the sticky bit; they were added by whoever proofread the article prior to posting it here.
Cheers folks....
first off, sorry if others perceived my comment as bashing. It's a great and well-written
article. I was just referring to that paragraph
Quote:
SETUID
Normally, when a program is run it inherits all the rights/restrictions of the user that
executed it. if a user can't read /var/log/messages, then neither can any program/script
executed by that user. There is a way around this, we again use the chmod command but
add a '4' at the beginning of the permission string, example:
this would execute 'myscript' with the permissions of the files owner(such as root, if the
file is own by root),and not the normal user executing 'myscript'. As you can imagine, this
should be used sparingly if at all, as it defeats the normal permission structure,and can
lead to security issues.
You say the right warning words, but since the linux kernel doesn't honor the SUID bit
for scripts at all (because of the security flaws I listed, and some more), this wouldn't
work. But worse, other flavors of Unix don't have those inhibitions about suid scripts, and
that's where it could become dangerous (that's why I said a novice could take away from
here that it is ok, while it's not). You can have a suid (or guid) executable, but not a
script.
Again, I didn't mean to diminish your great article, just point out this thing. Sorry if it
came across the wrong way.
mlp
This tutorial is written in two ways: one for MySQL compiled from source and one for MySQL installed from RPM [tested only in Fedora]. It's not a big deal, but I hope it is also accessible to newbies, because the directories change between the two examples.
--------------------
If you compiled MySQL yourself, go this way:
You may have to change the directory to the one where you installed MySQL (here it's /usr/local/mysql/).
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
--------------------
If you installed MySQL by RPM or use the package that comes with the distribution, go
this way:
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
--------------------
Boby
Breaking/RESETTING grub password
Let's look at recovering the root password from the boot loader. If you're using GRUB,
then, as GRUB loads up, highlight the Red Hat Linux entry on the GRUB menu and then
press [E] to edit the boot configuration. Locate the following line, something that looks
like this:
Type the number '1' at the end. Doing so boots the PC into run level 1 (single-user mode), where you're automatically logged in as root. This done, type 'passwd' at the prompt. You can enter a new password here.
===================================================
METHOD 3
===================================================
Question.
I am doing a project on the Linux platform. Someone has added a GRUB password to the computer on which I am working and has also changed the root password. I can crack the root password from the initial screen (i.e. from init 1) if there is no GRUB password, but not with the GRUB password. While reading LinuxForYou, I saw your section and thought you may be able to help.
Answer.
To break the GRUB start-up password, follow the steps given below:
1. Boot the system with the first Linux CD. At the boot prompt, type linux rescue to switch to rescue mode. In rescue mode you will be asked to follow steps similar to those in the installation. Once you get the # prompt, type the following command:
# chroot /mnt/sysimage
2. Edit the grub.conf file and remove the passwd line from the file. Save the file and exit.
3. Once your machine reboots, you will be able to start your Linux OS in the usual
manner.
===================================================
After using the 1st CD in rescue mode, and while it finds the Linux image, you have to use
# chroot /mnt/sysimage --> currently the Linux is virtual, and chroot changes the / to the original filesystem, which is currently mounted on /mnt/sysimage
bye
prosun