
Permissions

1. Benefits of file permissions
2. Definition of file permissions
3. Reading file permissions
4. Formulations of file permissions
5. Changing file permissions
6. Extra file permissions
7. User Mask (Umask)

Version 1.0 linuxslides.blogspot.com


1.0 Benefits of file permissions

- Restricting a user so that he can only read certain files
- Restricting a user so that he cannot modify certain files
- Restricting a user so that he cannot execute certain files
- Restricting a user so that he cannot enter and see certain directories
- Restricting a user so that he cannot remove certain files



2.0 Definition of file permissions

Rights given by root to a certain user to use certain objects. In other
words, file permissions consist of three basic concepts: who,
permissions (rights), and objects.



3.0 Reading file permissions
$ ls -l
drwxr-xr-x 2 john scientists 4096 2009-09-24 11:50 projects/


permissions?     who?               what objects?

d rwx r-x ---    john scientists    projects/

d:   directory
rwx: user john (owner) has rights rwx
r-x: group scientists has rights rx
---: other (besides user john and group scientists) has no rights at all
3.1 Reading directory permission

d rwx r-x --- john scientists projects/

d: directory
user john (owner) has rights rwx:
  (r) read directory content
  (w) write/add/erase directory content
  (x) execute/enter directory
group scientists has rights rx:
  (r) read directory content
  (x) execute/enter directory
other (besides user john and group scientists) has no rights at all
3.2 Reading file permission

- rwx r-x --- john scientists robot.c

-: file
user john (owner) has rights rwx:
  (r) read file content
  (w) write/add/erase file content
  (x) execute a file
group scientists has rights rx:
  (r) read file content
  (x) execute a file
other (besides user john and group scientists) has no rights at all
3.3 File and directory permissions

              Directory                       File

read (r)      see directory contents:         see file contents:
              ls, ls -l                       cat, vi, grep

write (w)     add/erase directory content:    add/erase file content:
              mkdir, rmdir, rm                vi, gedit

execute (x)   enter a directory:              execute a file
              cd



3.4 QUIZ

Explain the file permissions below:

$ ls -l /etc/shadow
-rw- r-- --- 1 root shadow 1118 2009-09-24 11:48 /etc/shadow

Answers:
What rights does user root have?
What rights does group shadow have?
What rights do those besides user root and group shadow have?



3.5 QUIZ

Adjust the permissions (rwx):

I want a file named secret.doc (under the projects directory) that can
only be read and modified by user john, while group scientists can only
read the file. Others have no rights at all.

Answers:
What rights does user john have?
What rights does group scientists have?
What rights do those besides user and group have?



3.6 QUIZ

Adjust the permissions (rwx):

I want a file named secret.doc (under the projects directory) that can
only be removed by user john. What rights should be added, and where?

Answers:
Which part is responsible for deleting a file?
File permissions or directory permissions?
What permissions should be added? Where? User, group or other?



4.0 Formulations of permissions
There are two types of formulations:
1. Symbolic (rwx r-x ---)
2. Octal (750, 644, etc)
Octal numeration:
read (r) = 4    write (w) = 2    execute (x) = 1
Example:
-rwx r-x ---
rwx = 4+2+1 = 7
r-x = 4+0+1 = 5
--- = 0+0+0 = 0
rwx r-x --- = 750



4.1 QUIZ

Change from symbolic to octal, or vice versa:


1. rw- r-- ---
2. rwx --x --x
3. 544
4. 755



5.0 Changing file permissions
There are two ways to change permissions:
1. Change permissions    2. Change ownership

rwx r-x ---    john      scientists    projects/
   chmod       chown     chgrp
rw- r-- r--    jack      officeboy
               (user)    (group)

REQUIREMENT: Only the owner can change the permissions



5.1 Chmod
Adding rights, from existing:
$ chmod u+rw,g+r,o+w secret.doc
(adding rights rw to user, r to group, w to others )
Removing rights, from existing:
$ chmod u-x,g-rw,o-r secret.doc
(removing rights x from user, rw from group, r from others)
Setting new rights and overwriting the existing ones:
$ chmod u=rw,g=r,o= secret.doc
(setting new rights rw to user, r to group, --- to others)
Setting new rights using octal:
$ chmod 640 secret.doc
(setting new rights rw to user, r to group, --- to others)



5.2 Lab

1. Go to your home directory ($ cd)
2. Create an empty file “lab” ($ touch lab)
3. Check the permissions of the file
4. Change the file permissions to rwx r-x r-x
5. Change again to 644
6. Change again so the file is executable for all
7. Learn and check the chmod manual ($ man chmod)



5.3 Chown
Change user ownership, from john to jack:
$ chown jack secret.doc
(file secret.doc now belongs to user jack)
Change group ownership, from scientists to officeboy:
$ chgrp officeboy secret.doc
(file secret.doc now belongs to group officeboy)
Change user and group ownership at the same time:
$ chown jack.officeboy secret.doc
or
$ chown jack:officeboy secret.doc
(file secret.doc now belongs to user jack & group officeboy)



5.4 Lab

1. Go to your home directory ($ cd)
2. Create an empty file “lab2” ($ touch lab2)
3. Check the ownership of the file
4. Change the ownership to another user
5. Change the ownership to another group
6. Change back to the previous ownership (with a single command)
7. Learn and check the chgrp manual ($ man chgrp)



6.0 Extra file permissions
SUID (Set User ID)
An executable file with SUID, when executed, changes the user ID of the
executor to the owner of the file/application (even though the executor's
original role is only other). After the execution is finished, the user ID
changes back to the original.

SGID (Set Group ID)
An executable file with SGID, when executed, changes the user ID of the
executor to the group of the file/application (even though the executor's
original role is only other). After the execution is finished, the user ID
changes back to the original.

Sticky Bit
An executable file with the sticky bit remains in memory after execution,
so file access is faster when other users want to execute the same file.



6.1 Positions of extra file permissions

attribute              position       chmod symbolic     chmod octal

suid (set user id)     --s --- ---    chmod u+s file     chmod 4xxx file
sgid (set group id)    --- --s ---    chmod g+s file     chmod 2xxx file
sticky bit             --- --- --T    chmod +t file      chmod 1xxx file



6.2 Case Example: SUID/SGID
1. User john wants to change his login password.
2. So he executes the command:
$ /usr/bin/passwd john
3. The passwd command above will change the password stored
in /etc/shadow.
4. But wait! User john can't modify /etc/shadow;
take a look at the permissions:
$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1118 2009-09-24 11:48 /etc/shadow
5. john, in the position of other, has no rights at all, let alone to modify the file.
Only user root can do that.
6. So in order to change his password, john (and others) has to
become root.
7. This is accomplished by giving the SUID right to the executable
file passwd:
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 29104 2008-04-03 08:08 /usr/bin/passwd
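
Sections 4.0 and 6.1 together describe a four-digit octal mode. As an added example (not part of the original slides), this shell function converts the permission field printed by ls -l into that form, including the s/S and t/T markers, and runs it on fields shown on this page. The function name ls_to_octal is made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original slides). ls_to_octal is a made-up name.
# Converts the permission field printed by `ls -l` to four octal digits:
# special bits (suid=4, sgid=2, sticky=1), then user, group, other.
ls_to_octal() {
    # Keep the first 10 characters; ls may append "." or "+" after them.
    perms=$(printf '%s' "$1" | cut -c1-10)
    # Accept only a type character followed by three well-formed triplets.
    case $perms in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) echo "not an ls -l permission field: $1" >&2; return 1 ;;
    esac
    special=0
    digits=""
    pos=2                                   # position 1 is the file type
    for weight in 4 2 1; do                 # suid, sgid, sticky sit in the x slots
        r=$(printf '%s' "$perms" | cut -c"$pos")
        w=$(printf '%s' "$perms" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$perms" | cut -c"$((pos + 2))")
        d=0
        if [ "$r" = r ]; then d=$((d + 4)); fi
        if [ "$w" = w ]; then d=$((d + 2)); fi
        case $x in
            x)   d=$((d + 1)) ;;
            s|t) d=$((d + 1)); special=$((special + weight)) ;;  # special bit plus x
            S|T) special=$((special + weight)) ;;                # special bit, no x
        esac
        digits="$digits$d"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# Permission fields taken from this page
ls_to_octal "-rwsr-xr-x"    # /usr/bin/passwd
ls_to_octal "-rw-r-----"    # /etc/shadow
ls_to_octal "drwxr-xr-x"    # default directory
```

A lowercase s or t means the execute bit is set underneath the special bit; an uppercase S or T means it is not.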
6.3 Lab

1. Go to your home directory ($ cd)
2. Create an empty file “lab3” ($ touch lab3)
3. Check the permissions of the file
4. Add the SUID right to the file
5. Add the SGID right to the file
6. Remove the SUID and SGID rights from the file
7. Add the Sticky Bit permission to the file



7.0 User Mask (Umask)
Create three files with touch, and check the permissions:
$ touch file1 file2 file3
$ ls -l file1 file2 file3
-rw-r--r-- 1 john scientists 0 2009-09-27 21:38 file1
-rw-r--r-- 1 john scientists 0 2009-09-27 21:38 file2
-rw-r--r-- 1 john scientists 0 2009-09-27 21:38 file3

Create three directories with mkdir, and check the permissions:


$ mkdir dir1 dir2 dir3
$ ls -ld dir1 dir2 dir3
drwxr-xr-x 2 john scientists 4096 2009-09-27 21:43 dir1
drwxr-xr-x 2 john scientists 4096 2009-09-27 21:43 dir2
drwxr-xr-x 2 john scientists 4096 2009-09-27 21:43 dir3

From the above we can see that the default permission for a file is 644, and
for a directory is 755.
7.1 Change Umask

The default permission is determined by the value of user mask (umask):


$ umask
0022
For file: 666 - 22 = 644 For directory: 777 - 22 = 755

Change the value of user mask (umask):


$ umask 33
For file: 666 - 33 = 633 For directory: 777 - 33 = 744

The change above is temporary; when the computer restarts it will change back to
0022. If we want to change it permanently, define the umask value inside
/etc/profile.
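
Added example, not part of the original slides: the kernel applies the umask by clearing its bits from the base mode (base AND NOT umask), which equals the subtraction above only when every masked bit is set in the base, so this sketch computes the mode that way and compares it with a file or directory actually created under that umask. The function names predicted_mode and observed_perms are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original slides); function names are made up.

# predicted_mode BASE UMASK: BASE with every bit of UMASK cleared (octal in, octal out).
predicted_mode() {
    printf '%03o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

# observed_perms UMASK file|dir: create a probe under UMASK in a scratch
# directory and print the permission field that ls -l reports for it.
observed_perms() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        cd "$scratch" || exit 1
        if [ "$2" = dir ]; then mkdir probe; else touch probe; fi
        ls -ld probe | cut -c1-10
    )
    status=$?
    rm -rf "$scratch"
    return "$status"
}

# umask values used on this page: the default 0022, the 33 example, the lab's 54
for mask in 0022 33 54; do
    echo "umask $mask: file $(predicted_mode 666 "$mask") $(observed_perms "$mask" file)," \
         "dir $(predicted_mode 777 "$mask") $(observed_perms "$mask" dir)"
done
```

The umask is changed only inside a subshell, so the calling shell keeps its own value.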



7.2 Lab

1. Go to your home directory ($ cd)
2. Check the current umask value
3. Change the umask value to 54
4. Create some files and check the permissions
5. Create some directories and check the permissions
6. Change the umask value back to 22
7. Find the umask setting inside /etc/profile
