Setting File and Directory Permission in Unix/Linux


Written by munawer_hassan - 2005-08-14 04:21

Before setting permissions on files and directories you should check the current permissions, so
that you can verify the changes afterwards. To view the permissions of a file or directory, issue the
following command:

ls -l

This shows files in long format, i.e.

-rw-r--r-- 1 root adm 4096 May 15 16:20 MyText

• The first character (-) shows the file type; here - means that it is a regular file, the other
common value being d (directory).

• The next three characters (rw-) are the permissions of the owner/creator of the
file/directory.

• The next three characters (r--) are the permissions of the group the file/directory
belongs to.

• The last three characters (r--) are the permissions of all other users.

• The next field (1) shows the number of links in the case of a file, or the number of
subdirectories in the case of a directory.

• root is the user name of the owner/creator of the file.

• adm is the group the file belongs to.

• 4096 is the size of the file in bytes.

• May 15 16:20 is the date and time the file/directory was last modified.

• Finally, MyText is the name of the file.

A file/directory may have the following permissions:

1. r (Read)
2. w (Write)
3. x (Execute)

There are other file permissions in Unix/Linux, but they are beyond the scope of this
document.

Permissions can be defined for:

1. u (user: the owner/creator of the file/directory)
2. g (group: members of the group the file/directory belongs to)
3. o (others: users who are neither the owner nor members of the file's group)
4. a (all of the above)

Permission assignment can be made using:

1. (+) to grant a permission
2. (-) to revoke a permission
3. (=) to set exactly the given permissions, replacing the existing ones

Permissions can be defined in two ways:

1. Symbolically
2. Numerically

Symbolic Method

In this method each permission and user type is given using the special characters
we have already discussed.

Syntax: chmod [who][operator][permissions] file

Take a file that starts out with these permissions:

--w-r--r-- 1 root adm 4096 May 15 16:20 MyText

chmod u+r MyText (the owner now also has read permission, i.e. -rw-r--r--)

chmod a-w MyText (write permission is taken back from all users, i.e. -r--r--r--)

chmod g=x MyText (all group permissions are taken back and execute is assigned as the
only permission for the group; applied to -rw-r--r-- this gives -rw---xr--)

chmod o+wrx MyText (others get rwx; applied to -rw---xr-- this gives -rw---xrwx)

Numeric Method

The numeric method can be understood with the following table:

Permission        User        Group       Other
Read (r) = 4      Yes         No          Yes
Write (w) = 2     No          No          Yes
Execute (x) = 1   Yes         Yes         Yes
Sum               4+0+1 = 5   0+0+1 = 1   4+2+1 = 7

--w-r--r-- 1 root adm 4096 May 15 16:20 MyText

chmod 517 MyText (i.e. -r-x--xrwx)

chmod 235 MyText (i.e. --w--wxr-x)

chmod 777 MyText (i.e. -rwxrwxrwx)

This is a quick method for assigning permissions. The mode actually consists of 4 digits; a
leading zero is automatically placed on the left, so 517 is interpreted as 0517. The first
digit defines special types of permission which I am not going to discuss here, so
always use three digits instead of four. It must be noted that each digit must be in the
range 0-7, as 0 is the minimum and 7 is the maximum sum of permissions.

File Permissions

A file may have the following basic permissions:

1. Read (the contents can be viewed but cannot be altered)
2. Write (the contents can be written/altered)
3. Execute (the file can be run as an executable)

The combined effect of the file permissions can be seen in this table:

Permissions   Read   Write   Execute
---           No     No      No
--x           No     No      Yes
-wx           No     Yes     Yes
rwx           Yes    Yes     Yes
rw-           Yes    Yes     No
r--           Yes    No      No
-w-           No     Yes     No

Directory Permissions

Directory permissions are somewhat different from file permissions:

1. Read (the contents of the directory can be listed)
2. Write (files/sub-directories can be created/deleted/modified inside it)
3. Execute (the user can move into the directory)

The combined effect of the directory permissions can be seen in this table:

Permissions   List contents   Create/delete/modify contents   Move into directory
---           No              No                              No
--x           No              No                              Yes
-wx           No              Yes                             Yes
rwx           Yes             Yes                             Yes
rw-           Yes             Yes                             No
r--           Yes             No                              No
-w-           No              Yes                             No

Quick and Dirty Guide to Linux File Permissions


Written by bulliver - 2003-07-12 23:36

One of the most confusing issues for Windows defectors is that of file permissions. Home-
user Windows systems have no concept of file ownership, which depending on your
situation, can be a good or bad thing. You need to keep in mind that Linux is at heart a
Unix system, and Unix is built to support multiple users. Even on a home computer
permissions are a useful feature which allow you to block sensitive files from being
edited, or even read, by non-authorized people.

To further illustrate this point, consider your old Windows box. You might have spent
hours or days getting your preferences and settings just right, only to find that the next
time you sit down at the computer somebody has changed the widget colours to an
ungodly lemon yellow, and changed the system time to GMT when you live in New
York. Another example: You spend all weekend putting the finishing touches on a report
for your boss, but unfortunately it is lost forever because your child has just discovered
the joy of "delete". Oops.

These examples may be a bit extreme, but suffice it to say that ensuring your files don't
get 'accidentally' deleted, or viewed by the wrong eyes, provides a great deal of comfort.

overview

In a nutshell, there are three types of permissions, and three entities that receive these
permissions. As a quick example type 'ls -l' in a directory. Any directory. You should see
something like this:

-rwxr-xr-x 1 bulliver web 664 Feb 9 02:28 ip2name.pl
-rw-r--r-- 1 bulliver web 1704 Feb 1 07:29 letter.dvi
-rw-r--r-- 1 bulliver web 1185 Feb 5 19:16 letter.latex
-rwxrwxrwx 1 bulliver web 192 Feb 14:55 darren_says

What we are interested in is the cryptic 'r's 'w's and 'x's on the left side. You may already
know that these are the permissions of the respective files. So what do they mean?

'r'
'read' permission. This allows you to read, view, or otherwise open the file depending on
context.

'w'
'write' permission. This allows you to edit or delete the file.

'x'
'execute' permission. This allows you to run the file as a program.

So who receives these permissions? We have three entities: owner, group, and other.

owner
Typically the owner is the person who creates the file. The majority of system files are
owned by root, ensuring that mortal users cannot erase or edit important system settings.

group
Groups create a way to share files between users, for example, a team of designers who
are working together on a project. Groups may also be used to allow access to certain
devices, such as CDROMs or printers to regular users.

other
As the name implies, this permission applies to everybody else. We need to pay particular
attention to this permission because if it is set to read or write then anybody can view,
edit, or delete the file.

Looking back to our 'ls -l' example you can see that there are 10 slots in the listing. The
first slot is usually just a dash (-) which tells us it is a regular file. Sometimes it is a 'd' for
directory, 'l' for link, or 'c' for character device. We don't need to worry about that right
now. The other 9 slots are our three permissions for our three entities. The first three are
for the owner, then group, then other. Perhaps an example:

-rwxrw-r-- 1 bulliver web 192 Feb 6 14:55 darren_says

In this example we can see that the first three are 'rwx' which means the owner of the file
can read, write or execute it. The group can read and write (rw-), and everybody else is
limited to viewing the file (r--). In this particular example we can see that the file's owner
is 'bulliver', and the file's group is 'web'.

ownership and groups :: chown and chgrp

To change the owner of a file, we use the chown command. The format is 'chown [new
owner] file'. To change the file's group, we use the chgrp command. The format is the
same 'chgrp [new group] file'. To save some typing we can change both in one shot using
the dot notation: 'chown [new owner].[new group] file'. Let's have some examples:

[root@localhost]$ ls -l anyfile
-rw-rw-r-- 1 bulliver web 192 Feb 6 14:55 anyfile
[root@localhost]$ chown root anyfile
[root@localhost]$ ls -l anyfile
-rw-rw-r-- 1 root web 192 Feb 6 14:55 anyfile
[root@localhost]$ chgrp bozo anyfile
[root@localhost]$ ls -l anyfile
-rw-rw-r-- 1 root bozo 192 Feb 6 14:55 anyfile
[root@localhost]$ chown bulliver.web anyfile
[root@localhost]$ ls -l anyfile
-rw-rw-r-- 1 bulliver web 192 Feb 6 14:55 anyfile

Not much to this, right? Let's move on to something complicated.

permissions and chmod

A file's permissions are also known as its 'mode' to gurus and Linux geeks, so to change
them we use the 'chmod' command (change mode). There are two ways of specifying the
new permissions using chmod: symbolic and absolute.

absolute mode
Because you are dying with suspense, I will just tell you that absolute mode is the one
with the numbers. You can use simple arithmetic to arrive at the permission you are
looking for. Consider:
----------------------------------------------------------------------------
|         owner          |         group          |        everyone        |
----------------------------------------------------------------------------
| read | write | execute | read | write | execute | read | write | execute |
----------------------------------------------------------------------------
| 400  | 200   | 100     | 40   | 20    | 10      | 4    | 2     | 1       |
----------------------------------------------------------------------------

So you just add the appropriate mode numbers to arrive at your desired permission. It
may be easier to consider each entity as a single digit, in the usual order (owner, group,
other). As always, this theory is best understood with some examples. Let's imagine a
hypothetical file named 'myscript'. 'myscript' is a shell script that we are writing that
performs a useful function. When we first create it we don't want others to mess around
with it, so we set some restrictive permissions while writing it:

[joe@localhost]$ chmod 600 myscript
[joe@localhost]$ ls -l myscript
-rw------- 1 joe user 192 Feb 6 14:55 myscript

Now let us imagine that we need some help with our script, so we make it available to
our programmer friend, who just happens to belong to a group called 'web'. We need to
change the group, and change the group permissions:

[joe@localhost]$ chgrp web myscript
[joe@localhost]$ chmod 660 myscript
[joe@localhost]$ ls -l myscript
-rw-rw---- 1 joe web 192 Feb 6 14:55 myscript

Our script is now almost done, and we want to test it. We need it to be executable:

[joe@localhost]$ chmod 770 myscript
[joe@localhost]$ ls -l myscript
-rwxrwx--- 1 joe web 192 Feb 6 14:55 myscript

Our script is now perfect. We are going to make the script available for all users to run,
and we want them to be able to see our handiwork, so we'll let everybody read and
execute it. We don't want users changing it, however, so they don't get write permission:

[joe@localhost]$ chmod 775 myscript
[joe@localhost]$ ls -l myscript
-rwxrwxr-x 1 joe web 192 Feb 6 14:55 myscript

This should give you a good working knowledge of absolute mode. Just remember that to
get your permission, add the appropriate mode numbers.

SETUID

Normally, when a program is run it inherits all the rights and restrictions of the user that
executed it: if a user can't read /var/log/messages, then neither can any program or script
executed by that user. There is a way around this; we again use the chmod command but
add a '4' at the beginning of the permission string, for example:

chmod 4755 myscript

This would execute 'myscript' with the permissions of the file's owner (such as root, if the
file is owned by root), and not those of the normal user executing 'myscript'. As you can imagine,
this should be used sparingly if at all, as it defeats the normal permission structure and
can lead to security issues. Note also that the Linux kernel ignores the setuid bit on
interpreted scripts such as shell scripts; it only takes effect on binary executables, so the
example above would have no effect on a shell script.

SETGID

The setgid bit works the same way, except that instead of applying to the file's owner, it is
applied to the file's group setting. The chmod command is used again, prefixing a '2' as the
first digit:

chmod 2755 myscript

relative mode

As the name implies, relative mode only changes permissions relative to the current
permissions. That is, you can add or remove permissions from the existing ones. The
format is pretty much the same as absolute mode: 'chmod [new_mode] file'. It is only the
mode that is different.

We have three parts, which for lack of better terms, are '[entity][operator][permissions]'.
The entities describe who gets the permissions. They are:

• 'u': user, the file's owner
• 'g': group, the file's group
• 'o': other, everybody else
• 'a': all, all three together

The operators decide whether we add, remove, or emulate absolute mode (ie: describe
permissions from scratch). They are:

• '+': add permissions
• '-': remove permissions
• '=': emulate absolute mode

The permissions we have seen already, they are nothing new:

• 'r': read permission
• 'w': write permission
• 'x': execute permission

There are actually quite a few more options available, but they should not be necessary
for casual use. If you are really curious I direct you to 'man chmod'. Perhaps some more
examples are in order.

chmod a+x filename   # adds execute permission for all
chmod u+x filename   # adds execute permission for the file's owner
chmod ug+w filename  # adds write permission for the file's owner and group
chmod o-rwx filename # removes read, write, and execute permissions from other
chmod a=rx filename  # creates a 555 permission from scratch

As you can see pretty much any combination is valid as long as you follow the '[entity]
[operator][permissions]' formula.

THE STICKY BIT

Linux directory access permissions say that if a user has write permission on a directory,
they can rename or remove files there, even if the files don't belong to them.
When the owner of the directory sets the sticky bit, renames/removals are only allowed
by the file's owner, the directory's owner and the root user.

chmod +t /tmp    # sets the sticky bit
chmod -t /tmp    # removes the sticky bit

or

chmod 1755 /tmp  # prefix a '1' to set the sticky bit

Setting the sticky bit on files was once used to force a copy of the file to stay in swap
space, in an attempt to speed execution the next time the file was used. This hasn't been
used in quite some time, due to advances in memory management. You can still set the
sticky bit on a file, but the kernel will just ignore it.
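As an added example (not code from either article above or from LinuxQuestions.org), the following Python models what both tutorials describe: converting between the ten-character ls -l mode field and the octal mode, and applying symbolic chmod clauses such as u+r, a-w, g=x, o+wrx or +t, including the setuid, setgid and sticky bits. The function names are my own, and '=' is simplified to replace only the rwx bits of the named entities.

```python
import stat

# Per-entity bit masks, matching the absolute-mode table: owner 400/200/100,
# group 40/20/10, other 4/2/1. The special bit listed with each entity is
# setuid (4000) for the owner, setgid (2000) for the group, sticky (1000) for other.
_ENTITY = {
    "u": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID),
    "g": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID),
    "o": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX),
}


def string_to_mode(field: str) -> int:
    """Parse the 10-character mode field of an ls -l line, e.g. '-rwsr-xr-x' -> 0o4755."""
    if len(field) != 10 or field[0] not in "-dlcbps":
        raise ValueError(f"not an ls -l mode field: {field!r}")
    mode = 0
    for offset, (r, w, x, special) in zip((1, 4, 7), _ENTITY.values()):
        r_ch, w_ch, x_ch = field[offset:offset + 3]
        if r_ch == "r":
            mode |= r
        if w_ch == "w":
            mode |= w
        if x_ch in "xst":        # lower case letter: the execute bit is set
            mode |= x
        if x_ch in "sStT":       # s/S = setuid or setgid, t/T = sticky; upper case = no execute
            mode |= special
    return mode


def mode_to_string(mode: int, is_dir: bool = False) -> str:
    """Render a numeric mode the way ls -l shows it, e.g. 0o1755 on a dir -> 'drwxr-xr-t'."""
    out = "d" if is_dir else "-"
    for who, (r, w, x, special) in _ENTITY.items():
        out += "r" if mode & r else "-"
        out += "w" if mode & w else "-"
        letter = "t" if who == "o" else "s"
        if mode & special:
            out += letter if mode & x else letter.upper()
        else:
            out += "x" if mode & x else "-"
    return out


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply comma-separated [entity][operator][permissions] clauses to a mode.
    Entities: u g o a (none given means 'a'); operators: + - =; permissions: r w x s t."""
    for clause in spec.split(","):
        i = 0
        who = set()
        while i < len(clause) and clause[i] in "ugoa":
            who.add(clause[i])
            i += 1
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad symbolic mode: {clause!r}")
        op, perms = clause[i], clause[i + 1:]
        if not perms or any(p not in "rwxst" for p in perms):
            raise ValueError(f"bad permission letters in: {clause!r}")
        if not who or "a" in who:
            who = {"u", "g", "o"}
        bits = 0
        for w in who:
            r, wr, x, special = _ENTITY[w]
            for p in perms:
                if p == "t":                    # sticky bit, whichever entity was named
                    bits |= stat.S_ISVTX
                elif p == "s":                  # setuid for u, setgid for g, nothing for o
                    bits |= special if w in "ug" else 0
                else:
                    bits |= {"r": r, "w": wr, "x": x}[p]
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:  # '=': replace the rwx bits of the named entities, leave the others untouched
            clear = 0
            for w in who:
                r, wr, x, _ = _ENTITY[w]
                clear |= r | wr | x
            mode = (mode & ~clear) | bits
    return mode


if __name__ == "__main__":
    # Walk the first article's symbolic examples, each applied to its -rw-r--r-- file.
    base = string_to_mode("-rw-r--r--")
    for step in ("u+r", "a-w", "g=x", "o+wrx", "+t"):
        new = apply_symbolic(base, step)
        print(f"chmod {step:<6} -> {mode_to_string(new)}  ({new:04o})")
```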

Well, I hope this has helped you get a handle on Linux file permissions. It's really not as
hard as it might seem. That's all for now, happy chmoding to you!

By Azmeen on Wed, 2003-08-20 20:40


This article can be improved by touching on the chattr command as well :)
reply
By mlp68 on Wed, 2003-09-17 00:13
I see that the comments have dried up some time ago...

One suggestion, one comment: You could add some sentences about umask and what it
does.

The comment is about this suid- "myscript" thing. I know it's just to show the recipe, but
it suggests that it's ok to have such a script, while it's not. ("'myscript' is a shell script that
we are writing that performs a useful function.") The target here are people new to Linux,
and they may not know better. Fundamentally, such a script cannot be made
unexploitable (path issues. temp file issues. IFS issues. Remaining race conditions that
cannot be fixed. And so on and so on.) Because of that, the Linux kernel will not honor
the suid bit for scripts, so on linux one is safe. But Solaris has no such inhibitions, for
example.

Just my 5cts on this peripheral issue. Nice article!

mlp
reply

By king_nothingzzz on Fri, 2004-01-16 01:48

Quote:

Originally posted by mlp68

The comment is about this suid- "myscript" thing. I know it's just to show the recipe,
but it suggests that it's ok to have such a script, while it's not. ("'myscript' is a shell
script that we are writing that performs a useful function.") The target here are
people new to Linux, and they may not know better. Fundamentally, such a script
cannot be made unexploitable (path issues. temp file issues. IFS issues. Remaining
race conditions that cannot be fixed. And so on and so on.) Because of that, the Linux
kernel will not honor the suid bit for scripts, so on linux one is safe.
Firstly, I think that this is a very informative article. I really appreciate the author's help
towards people who are new to Linux. This covers up pretty much everything that one
needs to know about file permissions for basic usage.

Secondly, I think all that bashing from mlp68 was totally unwanted. As far as I know, no
newbie will even think about 'myscript', they will concentrate on how to go ahead setting
file permissions. I'm saying this from a newbie's point of view. I'm not a Linux 'Guru', but
certainly not a newbie.

I know how a newbie (with considerable IQ) will think while reading the article and what
he/she concludes from it.

I mean, how many newbies do you know who know anything about path issues, temp file
issues, IFS issues etc??

Once again, I say that this is a very good article.

Cheers

King Nothing
reply

By mlp68 on Fri, 2004-01-16 18:14


I wouldn't call my comment "bashing" - it's just a friendly comment.

M.
reply

By king_nothingzzz on Sat, 2004-01-17 01:25


Maybe *Bashing* was an inappropriate word, but it did look like that to me.
No offense, but still all those things that you said were not necessary

King Nothing
reply

By bulliver on Fri, 2004-04-30 01:22


I didn't consider it bashing, in fact I'm still trying to figure out what the hell mlp68 is
talking about. It was just a random example, and i used the 'myscript' thing because I
wanted to fit chmod + x into the example. Wouldn't work with an image or mp3 in the
example would it :).

BTW I just wanted to say that I did not add the parts about suid or the sticky bit, they
were added by whoever proofread the article prior to posting it here.

Cheers folks....
reply

By mlp68 on Fri, 2004-04-30 13:55


Hi Bulliver,

first off, sorry if others perceived my comment as bashing. It's a great and well-written
article. I was just referring to that paragraph

Quote:

SETUID
Normally, when a program is run it inherits all the rights/restrictions of the user that
executed it. if a user can't read /var/log/messages, then neither can any program/script
executed by that user. There is a way around this, we again use the chmod command but
add a '4' at the beginning of the permission string, example:

code:chmod 4755 myscript

this would execute 'myscript' with the permissions of the files owner(such as root, if the
file is own by root),and not the normal user executing 'myscript'. As you can imagine, this
should be used sparingly if at all, as it defeats the normal permission structure,and can
lead to security issues.

You say the right warning words, but since the linux kernel doesn't honor the SUID bit
for scripts at all (because of the security flaws I listed, and some more), this wouldn't
work. But worse, other flavors of Unix don't have those inhibitions about suid scripts, and
that's where it could become dangerous (that's why I said a novice could take away from
here that it is ok, while it's not). You can have a suid (or guid) executable, but not a
script.

Have a look at http://www.phrack.org/phrack/47/P47-05 (question 10) which I just
googled. It has a nice summary and explanation of the 4 easiest exploits. (There are
more.)

Again, I didn't mean to diminish your great article, just point out this thing. Sorry if it
came across the wrong way.

mlp
reply

By thrice on Fri, 2004-05-14 00:46


I think it's a great article. I've never really understood how absolute modes worked
because the explanations I've read ramble on about bits and such, but your illustration
made it very simple. Thanks again.
reply

By bulliver on Fri, 2004-05-14 01:38


Thanks man, means a lot...
reply

MySQL root password recovery


Written by Boby - 2004-11-15 16:40

This tutorial is written in two ways: one for a MySQL you compiled yourself, and one for a
MySQL installed from RPM [tested only in Fedora]. It's not a big deal, but I hope it is
accessible also to newbies, because the directories differ between the two examples.

--------------------
If you compiled MySQL by yourself, go this way:

Maybe you have to change the directory where you installed MySQL (here it's
/usr/local/mysql/ ).

1. Gain root access to your Linux system:

[boby@space boby]$ su -
Password:
[root@space root]#

2. First you have to stop the daemon:

[root@space root]# /etc/init.d/mysql.server stop
[root@space root]#

3. You will now start MySQL in safe mode without reading the grant tables (which hold all
MySQL database passwords), and also with networking disabled, so that nobody can connect
to the server while it is running without password checks. The "safe_mysqld" command will
do this trick for you.

[root@space root]# /usr/local/mysql/bin/safe_mysqld --user=mysql --skip-grant-tables --skip-networking &
[root@space root]#

4. The "mysqladmin" command can now reset the root password. In this case we are
setting it to "newpassword".

[root@space root]# /usr/local/mysql/bin/mysqladmin -u root flush-privileges password "newpassword"
[root@space root]#

5. And finally restart the daemon:

[root@space root]# /etc/init.d/mysql.server restart
[root@space root]#

6. You can now use your new root password:

[root@space root]# /usr/local/mysql/bin/mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 4.0.20-standard

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>

--------------------
If you installed MySQL by RPM or use the package that comes with the distribution, go
this way:

1. Gain root access to your Linux system:

[boby@space boby]$ su -
Password:
[root@space root]#

2. First you have to stop the daemon:

[root@space root]# /etc/init.d/mysqld stop
[root@space root]#

3. You will now start MySQL in safe mode without reading the grant tables (which hold all
MySQL database passwords), and also with networking disabled, so that nobody can connect
to the server while it is running without password checks. The "safe_mysqld" command will
do this trick for you.

[root@space root]# /usr/bin/safe_mysqld --user=mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --datadir=/var/lib/mysql --skip-grant-tables --skip-networking &
[root@space root]#

4. The "mysqladmin" command will now reset the root password. In this case
we are setting it to "newpassword".

[root@space root]# mysqladmin -u root flush-privileges password "newpassword"
[root@space root]#

5. Stop the running daemon:

[root@space root]# kill `cat /var/run/mysqld/mysqld.pid`

6. And finally restart it:

[root@space root]# /etc/init.d/mysqld start
[root@space root]#

7. You can now use your new root password:

[root@space root]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 4.0.20-standard

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>
--------------------

Hope this helped you!


Please post any mistakes or if I forgot something.

Boby
Breaking/RESETTING grub password


Written by gnukish - 2005-06-18 08:23

Courtesy: ThinkDigit Forums

This guide illustrates three methods to break the grub password


===================================================
METHOD 1
===================================================
HOW TO RESET YOUR ROOT PASSWORD IF YOU FORGET IT

While booting (Red Hat), just press "e" in GRUB.

You will find 3 lines of code.
Go to the 2nd line, press "e" again and type "1" at the end,
then press ENTER.
Then press "b" and it will boot you into your shell.
Just type "passwd" and change your root password;
you don't need to know the old one.
===================================================
METHOD 2
===================================================
"I, uh, forgot the root password"

Let's look at recovering the root password from the boot loader. If you're using GRUB,
then, as GRUB loads up, highlight the Red Hat Linux entry on the GRUB menu and then
press [E] to edit the boot configuration. Locate the following line, something that looks
like this:

kernel /boot/vmlinuz-2.4.20-0.70 root=LABEL=/ hdc=ide-scsi

Type the number '1' at the end. Doing so boots the PC into run level 1-single user mode,
where you're automatically logged in as root. This done, type 'passwd' at the prompt. You
can enter a new password here.
===================================================
METHOD 3
===================================================
Question.
I am doing a project on Linux platform. Someone has added the GRUB password to the
computer on which I am working and has also changed the root password. I can crack the
root password, if there is no Grub password, from the initial screen (i.e. from the init 1);
but with the GRUB password. While reading LinuxForYou, I saw your section and
thought you may be able to help.

Answer.
To break the GRUB start-up password, follow the steps given below:

1. Boot the system with the first Linux CD. At the boot prompt, type linux rescue to
switch to rescue mode. In rescue mode you will be asked some of the same questions as
during the installation; answer them. Once you get the # prompt, type the following command,
which makes the installed system's root filesystem (mounted under /mnt/sysimage) your
working root:

# chroot /mnt/sysimage

2. Edit the grub.conf file and remove the passwd line from the file. Save the file and exit.
3. Once your machine reboots, you will be able to start your Linux OS in the usual
manner.
===================================================


By linuxprosun on Sat, 2005-09-03 04:17


hi,

after using the 1st CD in rescue mode, once it finds the Linux image you have to use

# chroot /mnt/sysimage --> currently, the Linux is virtual, and chroot changes the / to the
original filesystem which is currently mounted on /mnt/sysimage

whereas chmod is used to change the file permissions

bye

prosun
reply