
Access Rights Management on Linux

Basics

The command “ls -al” lists the file entries and their permission settings:

ls -al /home/
total 28
drwxr-xr-x  5 root       root       4096 Aug 28 14:16 .
drwxr-xr-x 23 root       root       4096 Dec 24 08:57 ..
drwx------  3 custuser   custuser   4096 Dec 24 14:27 custuser
drwx------  3 nttuser    nttuser    4096 Aug 17 10:08 nttuser

[Figure: file permissions (explanation of the columns in the ls -al output)]

Numerical representation:

Number Rights
4 read
2 write
1 execute
0 no permission

chown - change owner

The command chown changes the file group and ownership.

Example

Change the owner of file example.txt to custuser and the group to admin:

chown custuser:admin example.txt

Change the owner recursively of directory exampledir and all its contents to custuser and the group to admin:

chown -R custuser:admin exampledir

chmod - change file permissions

Use the chmod command to change permissions. This example shows how to change the permissions on sneakers.txt with the chmod command. If you are the owner of the file or are logged into the root account, you can change any permissions for the owner, group, and others. Right now, the owner and group can read and write to the file. Anyone outside of the group can only read the file (r--).

:!: Remember that file permissions are a security feature. Whenever you allow anyone else to read, write to, and execute files, you are increasing the risk of files being tampered with, altered, or deleted. As a rule, you should only grant read and write permissions to those who truly need them.

In the following example, you want to allow everyone to write to the file, so they can read it, write notes in it, and save it. That means you will have to change the “others” section of the file permissions.

Take a look at the file first. At the shell prompt, you would type:

ls -l sneakers.txt

The previous command displays this file information:

 -rw-rw-r--    1 sam sam     150 Mar 19 08:08 sneakers.txt

Now, you would type the following:

chmod o+w sneakers.txt

The above command tells the system you want to give others write permission to the file sneakers.txt. To check the results, list the file's details again. Now, the file looks like this:

 -rw-rw-rw-    1 sam sam     150 Mar 19 08:08 sneakers.txt

Now, everyone can read and write to the file.

To remove read and write permissions from sneakers.txt for the group and for others, use the chmod command to take away both permissions at once:

chmod go-rw sneakers.txt

By typing go-rw, you are telling the system to remove read and write permissions for the group and for others from the file sneakers.txt.

The result will look like this:

 -rw-------    1 sam sam    150 Mar 19 08:08 sneakers.txt

Think of these settings as a kind of shorthand when you want to change permissions with chmod, because all you really have to do is remember a few symbols and letters with the chmod command.

Here is a list of what the shorthand represents:

Identities:
  u - the user who owns the file (that is, the owner)
  g - the group to which the user belongs
  o - others (not the owner or the owner's group)
  a - everyone or all (u, g, and o)

Permissions:
  r - read access
  w - write access
  x - execute access

Actions:
  + - adds the permission
  - - removes the permission
  = - makes it the only permission

Want to test your permissions skills? Remove all permissions from sneakers.txt for everyone:

chmod a-rwx sneakers.txt

Now, see if you can read the file with the command cat sneakers.txt, which should return the following:

 cat: sneakers.txt: Permission denied

Removing all permissions, including your own, successfully locked the file. But since the file belongs to you, you can always change its permissions back with the following command:

chmod u+rw sneakers.txt

Here are some common examples of settings that can be used with chmod:
  g+w  - adds write access for the group
  o-rwx - removes all permissions for others
  u+x  - allows the file owner to execute the file
  a+rw - allows everyone to read and write to the file
  ug+r - allows the owner and group to read the file
  g=rx - allows only the group to read and execute (not write)

By adding the -R option, you can change permissions for entire directory trees.

Because you can not really “execute” a directory as you would an application, when you add or remove execute permission for a directory, you are really allowing (or denying) permission to search through that directory.

If you do not allow others to have execute permission to the directory tigger, it will not matter who has read or write access. No one will be able to get into the directory unless they know the exact file name.

For example:

Create a directory called tigger with the command:

mkdir tigger

Then type:

chmod a-x tigger

to remove everyone's execute permissions on the directory tigger.

Here is what happens now when you try to cd into tigger:

bash: tigger: Permission denied

Next, restore your own and your group's access:

chmod ug+x tigger

Now, if you check your work with ls -l you will see that only others will be denied access to the tigger directory.

There is also a numerical shorthand for chmod. Here is another way to change permissions, although it may seem a little complex at first.

Go back to the original permissions for sneakers.txt:

 -rw-rw-r--    1 sam sam     150 Mar 19 08:08 sneakers.txt

Each permission setting can be represented by a numerical value:

r = 4
w = 2
x = 1
- = 0

When these values are added together, the total is used to set specific permissions. For example, if you want read and write permissions, you would have a value of 6; 4 (read) + 2 (write) = 6.

For sneakers.txt, here are the numerical permissions settings:

  -  (rw-)   (rw-)  (r--)
      |       |      |
    4+2+0   4+2+0  4+0+0

The total for the user is six, the total for the group is six, and the total for others is four. The permissions setting is read as 664.

If you want to change sneakers.txt so those in your group will not have write access, but can still read the file, remove the access by subtracting two (2) from that set of numbers.

The numerical values, then, would become six, four, and four (644).

To implement these new settings, type:

chmod 644 sneakers.txt

Now verify the changes by listing the file.

 ls -l sneakers.txt
 -rw-r--r--    1 sam sam     150 Mar 19 08:08 sneakers.txt

Now, neither the group nor others have write permission to sneakers.txt. To return the group's write access for the file, add the value of w (2) to the second set of permissions.

chmod 664 sneakers.txt
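To tie the symbolic form (u/g/o/a with +, - and =), the numerical form and the directory search bit together, here is an added example that is not part of the original page: a small Python model of chmod's mode arithmetic that converts an ls -l permission column to a mode, applies symbolic operations exactly as the walkthrough above does (o+w, go-rw, a-rwx, u+rw, g=rx), and renders the result both as the three octal digits and as the ls -l string. The function names are this example's own; setuid/setgid/sticky bits and the umask are deliberately left out.

```python
import stat

# From the page's table: r=4, w=2, x=1. u is the high octal digit, g the middle, o the low.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}

def mode_from_ls(perm_string):
    """ls -l column such as '-rw-rw-r--' -> mode int (type char ignored, s/t bits unsupported)."""
    if len(perm_string) != 10:
        raise ValueError("expected a 10-character ls -l permission string")
    mode = 0
    for i, ch in enumerate(perm_string[1:]):
        if ch == "rwx"[i % 3]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {perm_string}")
    return mode

def apply_symbolic(mode, spec):
    """Apply chmod's symbolic form (u/g/o/a, +/-/=, r/w/x); comma-separated clauses allowed.
    A clause with no class letters is treated as 'a' (real chmod also applies the umask there)."""
    for clause in spec.split(","):
        op_index = next(i for i, c in enumerate(clause) if c in "+-=")
        classes = clause[:op_index] or "a"
        op, perms = clause[op_index], clause[op_index + 1:]
        value = sum(PERM_BITS[p] for p in perms)
        for cls in classes.replace("a", "ugo"):
            shift = CLASS_SHIFT[cls]
            if op == "+":    # add the requested bits
                mode |= value << shift
            elif op == "-":  # take the requested bits away
                mode &= ~(value << shift)
            else:            # '=' leaves exactly the requested bits for that class
                mode = (mode & ~(7 << shift)) | (value << shift)
    return mode & 0o777

def to_octal(mode):
    """Three-digit numeric form as used in 'chmod 644'."""
    return format(mode & 0o777, "03o")

def to_ls(mode, directory=False):
    """ls -l style string; a type bit is added so stat.filemode prints '-' or 'd' first."""
    return stat.filemode((stat.S_IFDIR if directory else stat.S_IFREG) | (mode & 0o777))

def can_search(mode, cls):
    """True if class cls holds the execute (search) bit and so may enter a directory."""
    return bool(mode & (1 << CLASS_SHIFT[cls]))
```

Starting from the page's 664 listing, the sequence o+w, go-rw, a-rwx, u+rw yields 666, 600, 000 and 600, and for the tigger directory a-x followed by ug+x leaves others with r-- and therefore unable to enter.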

:!: Setting permissions to 666 will allow everyone to read and write to a file or directory. Setting permissions to 777 allows everyone read, write, and execute permission. These permissions could allow tampering with sensitive files, so in general, it is not a good idea to use these settings.

Here is a list of some common settings, numerical values and their meanings:

 -rw------- (600) - Only the owner has read and write permissions.
 -rw-r--r-- (644) - Only the owner has read and write permissions;
                    the group and others have read only.
 -rwx------ (700) - Only the owner has read, write, and execute permissions.
 -rwxr-xr-x (755) - The owner has read, write, and execute permissions;
                    the group and others have only read and execute.
 -rwx--x--x (711) - The owner has read, write, and execute permissions;
                    the group and others have only execute.
 -rw-rw-rw- (666) - Everyone can read and write to the file.
                    (Be careful with these permissions.)
 -rwxrwxrwx (777) - Everyone can read, write, and execute.
                    (Again, this permissions setting can be hazardous.)

Here are some common settings for directories:

 drwx------ (700) - Only the owner can list, write to, and enter this directory.
 drwxr-xr-x (755) - The owner has read, write, and execute permissions;
                    the group and others can list (read) and enter (execute) the directory, but not write to it.
/srv/wiki.niwos.com/data/pages/linux/sysadmin/access_rights_management.txt · Last modified: 2011/03/21 12:26 (external edit)