Chapter 10. Permissions and Ownership
If you create a file when the umask is set to 022, the file's permissions is as follows:
-rw-r--r-- 1 root root 881 Feb 17 09:11 file1
chown owner:group
Changes both the user owner and group owner
chomd -h
Changes symbolic links, not the original file
chown owner:
Changes the user owner and sets the group owner to the primary group of the current user
The default permissions with no umask value set are
For files: rw-rw-rw- (or 666) For directories: rwxrwxrwx (or 777)
umask value changes the default permissions of a created object based on the following formula:
Maximum default value - umask value = create value
Having problems with users abusing the wall command? Take away the SGID access:
chmod 0555 /usr/bin/wall
If you know a file exists but don't know the permissions and you are told to make sure it's executable by all permission trios
chmod a+x file1 Alternatively, you can leave the "a" off and get all the trios by default: chmod +x file1
Use the symbolic values to set permissions, you can change them all at once:
chmod a=rwx file
Run the same find command and then compare the results to the original with the diff command
diff /root/latestfindperm /mnt/usb/findperm.orig
If you create a directory with the same umask set, the directory's permissions are as follows:
drwxr-xr-x 2 root root 4096 Feb 17 14:47 dir1
Ensure that users in a shared directory can't delete anyone else's files
drwxrwxrwt 29 root 4096 Jun 2 17:27 /tmp The t in place of the others execute permission indicates this is a sticky bit directory. The /tmp directory is a location where all users must be able to create files. Unfortunately, the permission that allows users to create files also allows them to delete files—all files—in that directory.
Consider the following output of the ls -l command: -rw-rwxr-x 2 fred users 0 Jan 26 13:08 22 test.mp3 Which of the following statements is true? a. The user fred has only read permission on test.mp3. b. The user fred has only read and write permission on test.mp3. c. The user fred has read, write and execute permission on test.mp3. d. The user fred has no permission on test.mp3.
B. The user fred is the owner of the file, so only the owner permission set (rw-) applies. The "r" stands for read and the "w" stands for write.
Which of the following is the equivalent to the command chmod 644 file.txt? a. chmod a+r,ug+w file.txt b. chmod u+rw,g+r,o+r file.txt c. chmod u=rw,go=r file.txt d. chmod ugo+r,u+w file.txt
C. Answer C is correct because it sets all the permissions equal to 644. The other answers only change some permissions, so it is possible that the execute permission could be still set for user owner, group owner, or others, and the write permissions could still be set for group owner and others.
Which command adds execute permission to all permission sets (owner, group, and others)? a. chmod u+x file b. chmod u=x file c. chmod a+x file d. chmod g+x file
C. C is correct because the letter "a" in a+x stands for "all," the "+" character adds the permission, and the "x" stands for the execute permission.
Special permissions can be set either of two ways
numeric or symbolic, just like setting other permissions with the chmod command.
For example, say a user named fred is the user owner of the file object /home/fred/22AcaciaAvenue.mp3 and is also a member of the group owner of that object. The file's listing has the following permissions set:
-rw-r-xr-x 2 fred users 0 Jan 26 13:08 22 AcaciaAvenue.mp3 The fred user's permissions might seem to span the various trios, but because fred is the user owner, he matches the first trio and stops there. In other words, the user fred has read and write permission, but not execute, even though fred is a member of the users group and members of that group do have execute permission on this file.
As a regural user change login shell
-rws--x-- 1 root root 15432 Apr 29 2013 /usr/bin/chsh The s in place of the user owner's execute permission indicates this is an SUID command. When this command executes, it modifies the contents of the /etc/passwd file. The /etc/passwd file is not normally something that can be modified by non-root users;
The first bit of the 10 shown is the type of object:
.—Indicates that this is a normal file l—Indicates that this is a symlink (symbolic link), which is a file that points to another object b—Indicates that this is a block device file c—Indicates that this is a character device file d—Indicates that this is a directory
These permissions have similar, but slightly different, meanings for directories:
4—Read, which is the ability to view the directory's contents (using the ls command). However, to see file attributes (such as with the -l option to the ls command), execute permission on the directory is also required. 2—Write, which is the ability to add and delete files in the directory. This is a powerful permission for directories as a user can delete every file in a directory, even files that she doesn't own, if she has the write permission on the directory. Caveat: For write permission to be valid, the user also must have execute permission. 1—Execute; the user can use the cd command to get into the directory or use the directory in a pathname. For example, if the user attempts to execute cd /home/bob, the user needs execute permission on the / directory, the home directory, and the bob directory.
The bit values equate to the following permissions for files:
4—Read, which is the ability to view the file's contents. 2—Write, which is the ability to change the file's contents. 1—Execute; the file can be executed. (The read is also needed for a script, but binaries can execute with only the execute permission.)
numeric mode
A method using octal numbers for setting object permissions. The two modes of manipulating the permissions for an object are numeric and symbolic. Both modes have their place; the numeric method is better for changing all permissions while the symbolic method is better for changing one or two permissions.
symbolic mode
A method using symbols for setting object permissions.
Which of the following commands sets the SUID permission? (Choose two.) a. chmod u+s file b. chmod g+s file c. chmod 2755 file d. chmod 4755 file
A, D. Answers A and D are correct. The SUID permission can be set symbolically by using u+s or numerically by using 4XXX (with XXX being regular permissions). Answers B and C set the SGID permission, not the SUID permission.
You have been asked to find all the SUID files on the system. Which of the following commands completes this task? a. find / -perm -6000 b. find / -permission -6000 c. find / -mode -6000 d. find / -umask -6000
A. A is correct because the -perm option is used to search for files by permission.
Consider the following ls -l output: What are the permissions for the user fred on the sample.mp3? a. Read, write, and execute b. Read and execute c. Read and write d. Only read
A. A is correct because the user fred is the owner of the file and the owner's permissions are rwx, which stands for read, write, and execute.
Consider the following command: umask 077 Assuming this command was executed in the current shell, which of the following are true? (Choose two.) a. A new directory created in this shell would have the permissions of rw-------. b. A new directory created in this shell would have the permissions of rwx------. c. A new file created in this shell would have the permissions of rw-------. d. A new file created in this shell would have the permissions of rwx------.
B, C. Answers B and C are correct. The umask 077 command "masks out" all permissions for group and others. The maximum permissions of directories is normally rwxrwxrwx, so the resulting new permissions would be rwx------. The maximum permissions of directories is normally rw-rwrw-, so the resulting new permissions would be rw-------.
Consider the following command chown bob:bin file.txt Which of the following statements are true? (Choose two.) a. This changes the user owner of file.txt to bin. b. This changes the user owner of file.txt to bob. c. This changes the group owner of file.txt to bin. d. This changes the group owner of file.txt to bob.
B, C. The chown command can change both user owner and group owner. The user owner is listed first, followed by a ":" character and then the group owner.
Which command sets the sticky bit permission on the /dir directory? a. chown +t /dir b. chmod o+t /dir c. chmod u+t /dir d. chmod g+t /dir
B. B is correct because the chmod command is used to set permissions. The letter "o" in o+t stands for "others," which is where the sticky bit permission is applied in the permission set. The "+" character adds the permission, and the "t" stands for the sticky bit permission.
chown :group
Changes only the group owner and leaves the user owner unaffected
chown owner
Changes only the user owner
chgrp -h
Changes symbolic links, not the original file
Which command lets you alter the default permissions in a shell? a. chmod b. chgrp c. chown d. umask
D. A is not correct as the chmod command changes permission on an existing object. Answer B is not correct as the chgrp command changes group ownership of an existing object. Answer C is not correct as the chown command changes user and/or group ownership of an existing object.
The user nick owns the file.txt file. He is a member of the payroll and sales group, with the payroll group being his primary group. He executes the following command: chgrp sales file.txt Which of the following statements is true? a. This command fails because nobody but the root user can change the group ownership of a file. b. This command fails because a user can only change the group ownership of a file to his primary group. c. This command fails because the order of the arguments is wrong. d. This command works and changes the group owner of the file to sales.
D. A user can change the group ownership of a file owned by that user to any group the user is a member of.
The execute permission for directories provides what access? a. The ability to list file names in a directory b. The ability to add files to the directory c. The ability to remove files from the directory d. The ability to change into the directory
D. Answer A is incorrect because this is the access provided by the read permission. Answers B and C are incorrect because these are the access provided by the write permission.
Other
If the user is neither the user owner nor a member of the group owner, this is the permission trio in effect.
User owner
If the user is the user owner, this is the permission trio in effect
Group owner
If the user's primary or secondary groups are this group, but only if that user is not the user owner, this is the permission trio in effect.
access control list
In Linux permissions, a system that makes it possible to grant permissions to more than one user and more than one group. Access control lists also allow administrators to set default permissions for specific directories.
chomd -R
Operates recursively through directories
chgrp -R
Recursively affects the target and all children
chomd -v
Reports all files
chgrp -v
Shows a line of output for every object, regardless of the actions performed on the object
chgrp -c
Shows a line of output only for changed objects
chomd -f
Suppresses error messages
SUID
The Set User ID (SUID) permission allows users to run a program as if they were the user owner of the program; in most cases the user owner is the root user. The numeric value of this permission set is 4XXX (where "XXX" is replaced by the numeric values for the trio sets mentioned previously).
permission trios
The permission sets for the object user owner, group owner, and others.
Sticky bit
This permission set is used to keep "nonowners" from deleting files in a common directory (numeric = 1XXX). In a sticky bit directory, only the owner of the file or the owner of the directory can delete the file (root always can delete files as well).
The symbolic mode uses a letter to identify the trios:
User owner = u, group owner = g, other = o, and all = a A qualifier (+ to add, - to remove, or = to assign) The permissions being set (r = read, w = write, and x = execute)
chgrp command
When just the group owner needs to be changed. Syntax of the command is straightforward: chgrp staff file1
SGID
When set on a directory, the Set Group ID (SGID) permission automatically gives group ownership of all new files created in the directory to the group owner of the directory (numeric = 2XXX). When set on a file, the SGID allows users to run a program as if they were the group owner of the file.
wall command
allows users to send messages to the terminal windows of all users logged in. Normally this would be a security issue; you don't want a user to interfere with another user's terminal window. Having a message pop up in a terminal where a user is working can be distracting
Say the user bertrandr has a directory that he wants to set all the files to the permission of 640 to make the files more secure.
chmod -R 640 /home/bertrandr/data/*
Set the SUID permission on the file:
chmod 4XXX /some/program
If you are told that the current permissions for an object are 644 and you are asked to ensure that all users have read and write access to that object
chmod 666 file1 The chmod command works great on groups of files, too: chmod 644 /home/lukec/*.txt
Set both the SUID and SGID bits for the program (which is somewhat rare, but permitted):
chmod 6XXX /some/program
Add SGID permission to the /home/project directory
chmod g+s /home/project As the preceding command changes the group ownership to be the projects group, this means all new files created in the /home/project directory are automatically group owned by the group owner of the directory (which would have to be set to the project group, of course).
Change the group owner's permissions to r-x
chmod g=rx mystuff
Change the other or everyone else's permissions to r
chmod o=r mystuff
Second way to set special permissions is to use the symbolic mode. For example, to add SUID on a file:
chmod u+s /some/program
Set several special bits at once even with the symbolic mode
chmod u+s,g+s /some/program
If you do not want users to change their login shells
chmod u-s /usr/bin/chsh
Change just the user owner's permissions to rwx
chmod u=rwx mystuff
If for some reason you decide that an entire directory tree of files needs to have its ownership changed, you can change them all
chown -R root:accounting /accounting
Let's say that now the file needs to be owned by another user who cuts the checks, fluchre; you can change just the user owner without having to bother with the group owner:
chown fluchre snuffysexpenses.txt
Say the user martha does expenses and needs to have ownership of the file and you, as the administrator, want to change the group ownership of this file to the accounting group. To accomplish this task
chown martha:accounting snuffysexpenses.txt
The chown command accepts both of the following commands as valid
chown snuffy:users file1 chown snuffy.users file1
Search the entire system for all files that have the SUID bit set, regardless of the other permissions.
find / -perm -4000
Install the system and then run a find command that reports any file that has an SUID bit set
find / -perm -4000 -ls
Search for any object in the /usr/bin directory and all subdirectories that has the exact permissions of rwxrwxrwx
find /usr/bin -perm 777
chmod command
is used when modifying or altering an object's permission trio bits. Only the root and object's owner can alter permissions.
Allow the wall program to have write access to the terminal device files group owned by the tty group:
ls -l /dev/tty1
Demonstration of SUID
ls -l /usr/bin/chsh su - student $ chsh /bin/csh exit chmod u-s /usr/bin/chsh su - student chsh /bin/bash
View the umask for your current shell
umask 0022 This just means that of the four possible positions to mask out (special permissions, user owner permissions, group owner permissions, and other permissions), the last two have the write permission masked out or not used.
chomd -c
Reports only which files were changed
chown command
used to set the user owner, group owner, or a combination of the two with one command. The format for the chown command is: chown -options user:group object