<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>File Permissions</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="GNU/Linux Command-Line Tools Summary"
HREF="index.html"><LINK
REL="UP"
TITLE="Security"
HREF="security.html"><LINK
REL="PREVIOUS"
TITLE="Some basic Security Tools"
HREF="some-basic-security-tools.html"><LINK
REL="NEXT"
TITLE="Archiving Files"
HREF="backing-up-files.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>GNU/Linux Command-Line Tools Summary</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="some-basic-security-tools.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 14. Security</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="backing-up-files.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="FILE-PERMISSIONS"
></A
>14.2. File Permissions</H1
><P
>Use <EM
> ls -l </EM
>to see the permissions of files (list-long). They will appear like this; note that I have added spaces between the permission groups to make them easier to read:</P
><P
>Where: r = read, w = write, x = execute </P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> - rwx rw- r-- 1 <A
NAME="LINKS"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
> newuser newuser
type<A
NAME="TYPE"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
>owner<A
NAME="OWNER"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
>group<A
NAME="GROUP"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
>others<A
NAME="OTHERS"
><IMG
SRC="../images/callouts/5.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(5)"></A
></PRE
></FONT
></TD
></TR
></TABLE
><DIV
CLASS="CALLOUTLIST"
><DL
COMPACT="COMPACT"
><DT
><A
HREF="file-permissions.html#LINKS"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
></DT
><DD
>
This number is the number of hard links (pointers) to this file. You can use <EM
>ln </EM
>to create another hard-link to the file.
</DD
><DT
><A
HREF="file-permissions.html#TYPE"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
></DT
><DD
> This is the type of file. '-' means a regular file, 'd' would mean a directory, 'l' would mean a link. There are also other types such as 'c' for character device and 'b' for block device (found in the /dev/ directory).
</DD
><DT
><A
HREF="file-permissions.html#OWNER"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
></DT
><DD
> These are the permissions for the owner of the file (the user who created the file).
</DD
><DT
><A
HREF="file-permissions.html#GROUP"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
></DT
><DD
> These are the permissions for the group: any user who belongs to the same group as the user who created the file will have these permissions.
</DD
><DT
><A
HREF="file-permissions.html#OTHERS"
><IMG
SRC="../images/callouts/5.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(5)"></A
></DT
><DD
> These are the permissions for everyone else. Any user who is outside the group will have these permissions on the file.
</DD
></DL
></DIV
><P
>The two names at the end are the username and group respectively.</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>chmod</DT
><DD
><P
>Change the access permissions of one or more files.</P
><P
>There are two methods to change permissions using <EM
>chmod</EM
>: letters or numbers.</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>Letters Method:</DT
><DD
><P
>Use a + or - (plus or minus sign) to add or remove permissions for a file respectively. Use an equals sign (=) to specify new permissions and remove the old ones for the particular type of user(s). </P
><P
>You can use<EM
> chmod letter</EM
> where the letters are:</P
><P
><EM
>a</EM
> (all (everyone))<EM
>, u</EM
> (user)<EM
>,</EM
> <EM
>g</EM
> (group) and <EM
>o</EM
> (other).</P
></DD
></DL
></DIV
><P
>Examples:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>chmod u+rw somefile</PRE
></FONT
></TD
></TR
></TABLE
><P
>This would give the user read and write permission.</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>chmod o-rwx somefile</PRE
></FONT
></TD
></TR
></TABLE
><P
>This will remove read/write/execute permissions from other users (doesn't include users within your group).</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>chmod a+r<EM
> </EM
>somefile</PRE
></FONT
></TD
></TR
></TABLE
><P
>This will give everyone read permission for the file.</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>chmod a=rx somefile</PRE
></FONT
></TD
></TR
></TABLE
><P
>This would give everyone execute and read permission to the file, if anyone had write permission it would be removed.</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>Numbers Method:</DT
><DD
><P
>You can also use numbers (instead of letters) to change file permissions, where:</P
><P
>r (read) = 4, w (write) = 2, x (execute) = 1 </P
></DD
></DL
></DIV
><P
>Numbers can be added together so you can specify read/write/execute permissions; read+write = 6, read+execute = 5, read+write+execute = 7</P
><P
>Examples:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>chmod 777 somefile</PRE
></FONT
></TD
></TR
></TABLE
><P
>This would give everyone read/write/execute permission on &#8220;somefile&#8221;. The first number is user, second is group and third is everyone else (other).</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>chmod 521 somefile</PRE
></FONT
></TD
></TR
></TABLE
><P
>This would give the user read and execute permission, and the group write permission (but not read permission!) and everyone else execute permission. (Note that it's just an example, settings like that don't really make sense...).</P
></DD
><DT
>chown</DT
><DD
><P
>Changes the ownership rights of a file (hence the name 'chown' - change owner). This program can only be used by root. </P
><P
>Use the<EM
> -R </EM
> option to change things recursively, in other words, all matching files including those in subdirectories.</P
><P
>Command syntax:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>chown owner:group the_file_name</PRE
></FONT
></TD
></TR
></TABLE
></DD
><DT
>sticky bit</DT
><DD
><P
>Only the person who created the file within a directory may delete it, even if other people have write permission. You can turn it on by typing: </P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>chmod 1700<EM
> </EM
>somedirectory (where 1 = sticky bit)</PRE
></FONT
></TD
></TR
></TABLE
><P
>or (where <EM
>t</EM
> represents the sticky bit)</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>chmod +t somedirectory</PRE
></FONT
></TD
></TR
></TABLE
><P
>To turn it off you would need to type:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>chmod 0700 somefile (where the zero would mean no sticky bit)</PRE
></FONT
></TD
></TR
></TABLE
><P
>or (where <EM
>t </EM
> represents the sticky bit)</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>chmod -t somefile</PRE
></FONT
></TD
></TR
></TABLE
><P
>Note that in the numeric examples the last three digits are not what matters here; only the first digit controls the sticky bit (1 = on, 0 = off).</P
><P
>An example of a sticky directory is usually /tmp.</P
></DD
><DT
>suid</DT
><DD
><P
>Allow SUID/SGID (switch user ID/switch group ID) access. You would normally use <EM
>chmod</EM
> to turn this on or off for a particular file. suid is generally considered a security hazard, so be careful when using it. </P
><P
>Example:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>chmod u+s file_name</PRE
></FONT
></TD
></TR
></TABLE
><P
>This will give everyone permission to execute the file with the permissions of the user who set the +s switch. </P
><DIV
CLASS="CAUTION"
><P
></P
><TABLE
CLASS="CAUTION"
WIDTH="90%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/caution.gif"
HSPACE="5"
ALT="Caution"></TD
><TH
ALIGN="LEFT"
VALIGN="CENTER"
><B
>Security Hazard</B
></TH
></TR
><TR
><TD
>&nbsp;</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>This is obviously a security hazard. You should avoid using the suid flag unless necessary.</P
></TD
></TR
></TABLE
></DIV
></DD
></DL
></DIV
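<P>The permission string shown at the top of this section and the numbers method describe the same nine bits two ways, and the leading digit used in the sticky-bit and suid examples sits in front of them. The following shell script is an added example, not code from this guide: it converts an ls -l mode string (including the s, S, t and T markers) to the four-digit octal number chmod accepts, going beyond the page in treating the leading digit as 4 = setuid, 2 = setgid, 1 = sticky, and then reports the settings this chapter calls hazards. The function names and the sample lines are my own.</P>

```sh
#!/bin/sh
# Added example (not from the guide): convert the mode string printed by
# "ls -l" to the four-digit octal form chmod accepts, then report the
# settings this chapter treats as hazards. Function names are my own.

# Digit 0-7 for one rwx triple; the third slot may be x, s, S, t or T.
triple_digit() {
    n=0
    case $1 in r??) n=$((n+4));; esac
    case $1 in ?w?) n=$((n+2));; esac
    case $1 in ??[xst]) n=$((n+1));; esac   # capital S/T mean "no execute"
    echo "$n"
}

# mode_to_octal '-rwxrw-r--' -> 0764   mode_to_octal 'rwsr-xr-x' -> 4755
mode_to_octal() {
    m=$1
    [ ${#m} -eq 10 ] && m=${m#?}        # drop the file-type character
    [ ${#m} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    u=${m%??????}; rest=${m#???}; g=${rest%???}; o=${m#??????}
    special=0                           # leading digit: 4 setuid, 2 setgid, 1 sticky
    case $u in ??[sS]) special=$((special+4));; esac
    case $g in ??[sS]) special=$((special+2));; esac
    case $o in ??[tT]) special=$((special+1));; esac
    printf '%d%d%d%d\n' "$special" "$(triple_digit "$u")" \
        "$(triple_digit "$g")" "$(triple_digit "$o")"
}

# Print the findings for a mode string, e.g. "setuid world-writable";
# prints an empty line when nothing stands out.
mode_flags() {
    oct=$(mode_to_octal "$1") || return 1
    sp=${oct%???}; rest=${oct#?}; o=${rest#??}
    flags=""
    [ $((sp & 4)) -ne 0 ] && flags="$flags setuid"
    [ $((sp & 2)) -ne 0 ] && flags="$flags setgid"
    [ $((sp & 1)) -ne 0 ] && flags="$flags sticky"
    [ $((o & 2)) -ne 0 ] && flags="$flags world-writable"
    echo "${flags# }"
}

# Constructed sample lines in ls -l layout (not real files).
for line in '-rwxrw-r-- 1 newuser newuser somefile' \
            '-rwsr-xr-x 1 root    root    someprogram' \
            'drwxrwxrwt 9 root    root    /tmp'; do
    set -- $line
    printf '%s %s %s\n' "$(mode_to_octal "$1")" "$1" "$5"
    printf '  flags: %s\n' "$(mode_flags "$1")"
done
```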
><P
></P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>chattr</DT
><DD
><P
>Change file system attributes (works on ext2fs and possibly others...). Use the <EM
>-R</EM
> option to change files recursively. <EM
>chattr</EM
> has a large number of attributes which can be set on a file; read the manual page for further information.</P
><P
>Example:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>chattr +i /sbin/lilo.conf<A
NAME="AEN9835"
HREF="#FTN.AEN9835"
><SPAN
CLASS="footnote"
>[1]</SPAN
></A
></PRE
></FONT
></TD
></TR
></TABLE
><P
>This sets the 'immutable' flag on a file. Use a '+' to add attributes and a '-' to take them away. The +i will prevent any changes (accidental or otherwise) to the &#8220;lilo.conf&#8221; file. If you wish to modify the lilo.conf file you will need to unset the immutable flag:<EM
> chattr -i</EM
>. Note some flags can only be used by root; <EM
>-i</EM
>, <EM
>-a</EM
> and probably many others.</P
><P
>Note that there are many different attributes that chattr can change; here are a few more which may be useful:</P
><P
></P
><UL
><LI
><P
>A (no Access time) --- if a file or directory has this attribute set, whenever it is accessed, either for reading or for writing, its last access time will not be updated. This can be useful, for example, on files or directories which are very often accessed for reading, especially since this parameter is the only one which changes on an inode when it is opened.</P
></LI
><LI
><P
>a (append only) --- if a file has this attribute set and is open for writing, the only operation possible will be to append data to its previous contents. For a directory, this means that you can only add files to it, but not rename or delete any existing file. Only root can set or clear this attribute.</P
></LI
><LI
><P
>s (secure deletion) --- when a file or directory with this attribute set is deleted, the blocks it was occupying on disk are written back with zeroes (similar to using <EM
>shred</EM
>). Note that this does work on the ext2 and ext3 filesystems but is unlikely to work on others (please see the documentation for the filesystem you are using). You may also like to see <EM
>shred</EM
>; please see <A
HREF="working-with-the-file-system.html"
>Chapter 7</A
>.</P
></LI
></UL
></DD
><DT
>lsattr</DT
><DD
><P
>(list attributes). This will list whether a file has any special attributes (as set by chattr). Use the <EM
>-R</EM
> option to list recursively and try using the <EM
>-d</EM
> option to list directories like other files rather than listing their contents.</P
><P
>Command syntax:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>lsattr</PRE
></FONT
></TD
></TR
></TABLE
><P
>This will list files in the current directory; you may also like to specify a directory or a file:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>lsattr /directory/or/file</PRE
></FONT
></TD
></TR
></TABLE
></DD
></DL
></DIV
></DIV
><H3
CLASS="FOOTNOTES"
>Notes</H3
><TABLE
BORDER="0"
CLASS="FOOTNOTES"
WIDTH="100%"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="5%"
><A
NAME="FTN.AEN9835"
HREF="file-permissions.html#AEN9835"
><SPAN
CLASS="footnote"
>[1]</SPAN
></A
></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="95%"
><P
>This example and tiny parts of the explanation have been taken from the <SPAN
CLASS="PRODUCTNAME"
>Linux</SPAN
> Online Classroom, see [4] in the <A
HREF="references.html"
><I
>Bibliography</I
></A
> for further information. </P
></TD
></TR
></TABLE
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="some-basic-security-tools.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="backing-up-files.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Some basic Security Tools</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="security.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Archiving Files</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>