old-www/LDP/GNU-Linux-Tools-Summary/html/x9543.htm

<HTML
><HEAD
><TITLE
>File Permissions</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="GNU/Linux Command-Line Tools Summary"
HREF="book1.htm"><LINK
REL="UP"
TITLE="Security"
HREF="c9295.htm"><LINK
REL="PREVIOUS"
TITLE="Security"
HREF="c9295.htm"><LINK
REL="NEXT"
TITLE="Archiving Files"
HREF="c9978.htm"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>GNU/Linux Command-Line Tools Summary</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="c9295.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 14. Security</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="c9978.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="FILE-PERMISSIONS"
></A
>File Permissions</H1
><P
>Use <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
> ls <A
NAME="AEN9547"
></A
>-l </I
></SPAN
><A
NAME="AEN9549"
></A
>to see the permissions of files (list-long). They will appear like this (note that I have added spaces <A
NAME="AEN9551"
></A
>between the permission groups to make them easier to read):</P
><P
>Where: r <A
NAME="AEN9554"
></A
>= read, w <A
NAME="AEN9556"
></A
>= write,<A
NAME="AEN9558"
></A
> x = execute <A
NAME="AEN9560"
></A
></P
><PRE
CLASS="SCREEN"
> - rwx rw- r-- 1 <A
NAME="LINKS"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
> newuser newuser
type<A
NAME="TYPE"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
>owner<A
NAME="OWNER"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
>group<A
NAME="GROUP"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
>others<A
NAME="OTHERS"
><IMG
SRC="../images/callouts/5.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(5)"></A
></PRE
><DIV
CLASS="CALLOUTLIST"
><DL
COMPACT="COMPACT"
><DT
><A
HREF="x9543.htm#LINKS"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
></DT
><DD
>
This number is the number of hard links (pointers) to this file. You can use <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>ln </I
></SPAN
>to create another hard-link to the file.
</DD
><DT
><A
HREF="x9543.htm#TYPE"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
></DT
><DD
> This is the type of file. '-' means a regular file, 'd' a directory and 'l' a symbolic link. There are also other types, such as 'c' for a character device and 'b' for a block device (found in the /dev/ directory).
</DD
><DT
><A
HREF="x9543.htm#OWNER"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
></DT
><DD
> These are the permissions for the owner of the file (normally the user who created it).
</DD
><DT
><A
HREF="x9543.htm#GROUP"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
></DT
><DD
> These are the permissions for the group: any user who belongs to the same group as the user who created the file will have these permissions.
</DD
><DT
><A
HREF="x9543.htm#OTHERS"
><IMG
SRC="../images/callouts/5.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(5)"></A
></DT
><DD
> These are the permissions for everyone else: any user who is neither the owner nor a member of the group will have these permissions on the file.
</DD
></DL
></DIV
><P
>The two names at the end are the username <A
NAME="AEN9581"
></A
>and group <A
NAME="AEN9583"
></A
>respectively.<A
NAME="AEN9585"
></A
></P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>chmod</DT
><DD
><P
><A
NAME="AEN9592"
></A
>Change <A
NAME="AEN9594"
></A
>file access <A
NAME="AEN9596"
></A
>permissions for one or more files.</P
><P
>There are two methods <A
NAME="AEN9599"
></A
>to change <A
NAME="AEN9601"
></A
>permissions using <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>chmod</I
></SPAN
>; letters <A
NAME="AEN9604"
></A
>or numbers.<A
NAME="AEN9606"
></A
></P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>Letters&nbsp;Method:</DT
><DD
><P
>Use a + or - (plus or minus <A
NAME="AEN9613"
></A
>sign) to add <A
NAME="AEN9615"
></A
>or remove <A
NAME="AEN9617"
></A
>permissions for a file respectively. Use an equals <A
NAME="AEN9619"
></A
>sign (=) to specify <A
NAME="AEN9621"
></A
>new <A
NAME="AEN9623"
></A
>permissions and remove <A
NAME="AEN9625"
></A
>the old <A
NAME="AEN9627"
></A
>ones for the particular <A
NAME="AEN9629"
></A
>type of user(s). </P
><P
>You can use<SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
> chmod <A
NAME="AEN9633"
></A
>letter</I
></SPAN
> where the letters <A
NAME="AEN9635"
></A
>are:</P
><P
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>a</I
></SPAN
> (all (everyone))<SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>, u</I
></SPAN
> (user)<SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>,</I
></SPAN
> <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>g</I
></SPAN
> (group) and <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>o</I
></SPAN
> (other).</P
></DD
></DL
></DIV
><P
>Examples:</P
><PRE
CLASS="SCREEN"
>chmod u+rw somefile</PRE
><P
>This would give the user read and write <A
NAME="AEN9646"
></A
>permission.</P
><PRE
CLASS="SCREEN"
>chmod o-rwx somefile</PRE
><P
>This will remove <A
NAME="AEN9650"
></A
>read/write/execute permissions from other users (doesn't include <A
NAME="AEN9652"
></A
>users within your group).</P
><PRE
CLASS="SCREEN"
>chmod a+r<SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
> </I
></SPAN
>somefile</PRE
><P
>This will give everyone <A
NAME="AEN9657"
></A
>read permission <A
NAME="AEN9659"
></A
>for the file.</P
><PRE
CLASS="SCREEN"
>chmod a=rx somefile</PRE
><P
>This would give everyone read and execute permission on the file; if anyone had write <A
NAME="AEN9663"
></A
>permission it would be removed.</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>Numbers&nbsp;Method:</DT
><DD
><P
>You can also use numbers <A
NAME="AEN9670"
></A
>(instead of letters) to change <A
NAME="AEN9672"
></A
>file permissions. Where:</P
><P
>r <A
NAME="AEN9675"
></A
>(read) = 4, w <A
NAME="AEN9677"
></A
>(write) = 2, x (execute) = 1</P
></DD
></DL
></DIV
><P
>Numbers <A
NAME="AEN9680"
></A
>can be added together to specify combined permissions: read+write = 6, read+execute = 5, read+write+execute = 7.</P
><P
>Examples:</P
><PRE
CLASS="SCREEN"
>chmod 777 somefile</PRE
><P
>This would give everyone read/write/execute permission on &ldquo;somefile&rdquo;. The first number <A
NAME="AEN9685"
></A
>is user, second is group <A
NAME="AEN9687"
></A
>and third is everyone else (other).</P
><PRE
CLASS="SCREEN"
>chmod 521 somefile</PRE
><P
>This would give the user read and execute <A
NAME="AEN9691"
></A
>permission, and the group <A
NAME="AEN9693"
></A
>write<A
NAME="AEN9695"
></A
> permission <A
NAME="AEN9697"
></A
>(but not read permission!) and everyone else execute <A
NAME="AEN9699"
></A
>permission. (Note that this is just an example; settings like that don't really make sense.)</P
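><P
>The relationship between the letters shown by ls -l and the numbers given to chmod can be checked mechanically. The following POSIX sh functions are an added example, not code from the original page: mode_to_octal turns a permission string such as -rwxr-sr-t into chmod's four-digit octal form, and octal_to_mode does the reverse. Both also handle the setuid, setgid and sticky bits (the leading digit), which appear later in this section as s and t.</P
>

```shell
# Added example (not part of the original page): convert between the symbolic
# permission string shown by "ls -l" and the octal form given to chmod, including
# the setuid (4), setgid (2) and sticky (1) bits as chmod's leading fourth digit.

# mode_to_octal MODE  ->  prints e.g. 3755 for "-rwxr-sr-t" (type column optional)
mode_to_octal() {
    mode=$1
    [ ${#mode} -eq 10 ] && mode=${mode#?}     # drop ls -l's type column ('-', 'd', 'l', ...)
    [ ${#mode} -eq 9 ] || { echo "mode_to_octal: need 9 permission chars, got '$1'" >&2; return 1; }
    special=0 digits="" pos=1
    for bit in 4 2 1; do                       # user / group / other columns
        triplet=$(printf '%s' "$mode" | cut -c"$pos-$((pos + 2))")
        case $triplet in [r-][w-][xstST-]) ;;
            *) echo "mode_to_octal: bad triplet '$triplet'" >&2; return 1 ;; esac
        case $triplet in r??) value=4 ;; *) value=0 ;; esac
        case $triplet in ?w?) value=$((value + 2)) ;; esac
        # Third column: x = execute only; s/t = execute plus this column's special
        # bit (setuid, setgid or sticky); S/T = special bit set but no execute.
        case $triplet in
            ??x)    value=$((value + 1)) ;;
            ??[st]) value=$((value + 1)); special=$((special + bit)) ;;
            ??[ST]) special=$((special + bit)) ;;
        esac
        digits="$digits$value"; pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# octal_to_mode OCTAL  ->  prints e.g. "r-x-w---x" for 521 and "rwsr-xr-x" for 4755
octal_to_mode() {
    case $1 in
        [0-7][0-7][0-7])      oct="0$1" ;;     # three digits: no special bits
        [0-7][0-7][0-7][0-7]) oct=$1 ;;
        *) echo "octal_to_mode: bad octal mode '$1'" >&2; return 1 ;;
    esac
    special=${oct%???}; out=""; pos=2
    for bit in 4 2 1; do
        d=$(printf '%s' "$oct" | cut -c"$pos"); pos=$((pos + 1))
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $bit -eq 1 ] && letter=t || letter=s    # sticky shows as t, set-id bits as s
        if [ $((special & bit)) -ne 0 ]; then
            [ $((d & 1)) -ne 0 ] && out="$out$letter" || out="$out$(printf %s "$letter" | tr st ST)"
        else
            [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
        fi
    done
    printf '%s\n' "$out"
}
```

<P
>For instance, octal_to_mode 521 prints r-x-w---x, the odd-looking permission set produced by the chmod 521 example above, and mode_to_octal drwxrwxrwt prints 1777, the mode of a sticky /tmp.</P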
></DD
><DT
>chown</DT
><DD
><P
><A
NAME="AEN9705"
></A
>Changes the ownership <A
NAME="AEN9707"
></A
>rights <A
NAME="AEN9709"
></A
>of a file (hence the name 'chown' - change owner<A
NAME="AEN9711"
></A
>). This program can only be used by root. </P
><P
>Use the<SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
> -R <A
NAME="AEN9715"
></A
></I
></SPAN
> option to change <A
NAME="AEN9717"
></A
>things recursively,<A
NAME="AEN9719"
></A
> in other words, all matching <A
NAME="AEN9721"
></A
>files including <A
NAME="AEN9723"
></A
>those in subdirectories.<A
NAME="AEN9725"
></A
></P
><P
>Command syntax:</P
><PRE
CLASS="SCREEN"
>chown owner:group the_file_name</PRE
></DD
><DT
>sticky&nbsp;bit</DT
><DD
><P
><A
NAME="AEN9733"
></A
>Only the person <A
NAME="AEN9735"
></A
>who <A
NAME="AEN9737"
></A
>created the file within a directory may delete<A
NAME="AEN9739"
></A
> it, even if other people <A
NAME="AEN9741"
></A
>have write <A
NAME="AEN9743"
></A
>permission to the directory. You can turn <A
NAME="AEN9745"
></A
>it on by typing: </P
><PRE
CLASS="SCREEN"
>chmod 1700<SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
> </I
></SPAN
>somedirectory (where 1 = sticky bit)</PRE
><P
>or (where <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>t</I
></SPAN
> represents <A
NAME="AEN9751"
></A
>the sticky <A
NAME="AEN9753"
></A
>bit)</P
><PRE
CLASS="SCREEN"
>chmod +t somedirectory</PRE
><P
>To turn <A
NAME="AEN9757"
></A
>it off <A
NAME="AEN9759"
></A
>you would need to type:</P
><PRE
CLASS="SCREEN"
>chmod 0700 somefile (where the zero would mean no sticky bit)</PRE
><P
>or (where <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>t </I
></SPAN
> represents <A
NAME="AEN9764"
></A
>the sticky <A
NAME="AEN9766"
></A
>bit)</P
><PRE
CLASS="SCREEN"
>chmod -t somefile<A
NAME="AEN9769"
></A
></PRE
><P
>Note that the ordinary permissions <A
NAME="AEN9772"
></A
>aren't relevant <A
NAME="AEN9774"
></A
>in the numbers <A
NAME="AEN9776"
></A
>example; only the first number matters (1 = on, 0 = off).</P
><P
>A typical example of a sticky <A
NAME="AEN9779"
></A
>directory is /tmp.</P
></DD
><DT
>suid</DT
><DD
><P
>Allow SUID/SGID (set user ID/set group <A
NAME="AEN9785"
></A
>ID) access.<A
NAME="AEN9787"
></A
> You would normally use <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>chmod</I
></SPAN
> to turn <A
NAME="AEN9790"
></A
>this on or off <A
NAME="AEN9792"
></A
>for a particular file. SUID <A
NAME="AEN9794"
></A
>is generally considered a security <A
NAME="AEN9796"
></A
>hazard, so be careful <A
NAME="AEN9798"
></A
>when using this. </P
><P
>Example:</P
><PRE
CLASS="SCREEN"
>chmod u+s file_name</PRE
><P
>This will let anyone who can execute <A
NAME="AEN9803"
></A
>the file run it with the permissions of the file's owner (normally the user who set the +s switch).<A
NAME="AEN9805"
></A
></P
><DIV
CLASS="CAUTION"
><P
></P
><TABLE
CLASS="CAUTION"
BORDER="1"
WIDTH="90%"
><TR
><TD
ALIGN="CENTER"
><B
>Security Hazard</B
></TD
></TR
><TR
><TD
ALIGN="LEFT"
><P
>This is obviously a security hazard. You should avoid using the suid flag unless necessary.</P
></TD
></TR
></TABLE
></DIV
></DD
></DL
></DIV
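><P
>Setuid/setgid files and shared directories without the sticky bit are the two permission settings this section flags as hazardous, so an administrator will want to find them. The following shell functions are an added example, not code from the original page: audit_special_bits lists both for a directory tree using GNU find (Linux), and demo_audit runs the check against a constructed tree in a temporary directory so the output can be tried safely; the function names are my own.</P
>

```shell
# Added example (not part of the original page): a defensive audit of the two
# settings this section warns about, written for GNU find on Linux.  Setuid/setgid
# files run with their owner's (or group's) privileges, so each one should be known
# and justified; a world-writable directory without the sticky bit lets any user
# delete or rename files that other users placed there.
audit_special_bits() {
    root=${1:-.}
    # -perm /6000: setuid (4000) or setgid (2000) bit set; %m prints the octal mode.
    find "$root" -xdev -type f -perm /6000 -printf 'SETUID/SETGID %m %p\n' 2>/dev/null | sort
    # -perm -0002: writable by others; ! -perm -1000: sticky bit not set.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 \
        -printf 'WORLD-WRITABLE NO-STICKY %m %p\n' 2>/dev/null | sort
}

# Runs the audit over a constructed tree in a fresh temporary directory, so it can be
# tried without touching real system files; the temporary path is shown as [tmp].
demo_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/shared_ok" "$tmp/shared_bad"
    touch "$tmp/plain" "$tmp/setuid_prog" "$tmp/setgid_prog"
    chmod 0755 "$tmp/plain"          # ordinary executable: not reported
    chmod 4755 "$tmp/setuid_prog"    # same as chmod u+s on a 755 file: reported
    chmod 2755 "$tmp/setgid_prog"    # same as chmod g+s on a 755 file: reported
    chmod 1777 "$tmp/shared_ok"      # world-writable with sticky bit (like /tmp): not reported
    chmod 0777 "$tmp/shared_bad"     # world-writable, no sticky bit: reported
    audit_special_bits "$tmp" | sed "s|$tmp|[tmp]|g"
    rm -rf "$tmp"
}
```

<P
>Run audit_special_bits as root over / to cover the whole system, and compare the setuid/setgid list against what the distribution installs (passwd, su and the like) so that unexpected entries stand out.</P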
><P
></P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>chattr</DT
><DD
><P
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
><A
NAME="AEN9817"
></A
></I
></SPAN
>Change file system attributes (works on ext2fs and possibly others). Use the <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>-R</I
></SPAN
> option to change <A
NAME="AEN9820"
></A
>files recursively.<SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
> chattr </I
></SPAN
>has a large number <A
NAME="AEN9823"
></A
>of attributes <A
NAME="AEN9825"
></A
>which can be set <A
NAME="AEN9827"
></A
>on a file; read the manual<A
NAME="AEN9829"
></A
> page <A
NAME="AEN9831"
></A
>for further information.</P
><P
>Example:</P
><PRE
CLASS="SCREEN"
>chattr +i /sbin/lilo.conf<A
NAME="AEN9835"
HREF="#FTN.AEN9835"
><SPAN
CLASS="footnote"
>[1]</SPAN
></A
></PRE
><P
>This sets <A
NAME="AEN9840"
></A
>the 'immutable' flag <A
NAME="AEN9842"
></A
>on a file. Use a '+' to add <A
NAME="AEN9844"
></A
>attributes <A
NAME="AEN9846"
></A
>and a '-' to take them away. The +i will prevent <A
NAME="AEN9848"
></A
>any changes (accidental or otherwise) to the &ldquo;lilo.conf&rdquo; file. If you wish to modify <A
NAME="AEN9850"
></A
>the lilo.conf file you will need to unset <A
NAME="AEN9852"
></A
>the immutable<A
NAME="AEN9854"
></A
> flag:<A
NAME="AEN9856"
></A
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
> chattr -i</I
></SPAN
>.<A
NAME="AEN9859"
></A
> Note that some flags <A
NAME="AEN9861"
></A
>can only be used by root;<A
NAME="AEN9863"
></A
> <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>-i</I
></SPAN
>, <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>-a</I
></SPAN
> and probably <A
NAME="AEN9867"
></A
>many others.</P
><P
>Note there are many different <A
NAME="AEN9870"
></A
>attributes <A
NAME="AEN9872"
></A
>that chattr can change,<A
NAME="AEN9874"
></A
> here are a few more which may be useful:</P
><P
></P
><UL
><LI
><P
>A<A
NAME="AEN9879"
></A
> (no Access time) --- if a file or directory has this attribute set, whenever it is accessed,<A
NAME="AEN9881"
></A
> either for reading <A
NAME="AEN9883"
></A
>or for writing,<A
NAME="AEN9885"
></A
> its last <A
NAME="AEN9887"
></A
>access time<A
NAME="AEN9889"
></A
> will not be updated.<A
NAME="AEN9891"
></A
> This can be useful, for example, on files or directories <A
NAME="AEN9893"
></A
>which are very often accessed <A
NAME="AEN9895"
></A
>for reading, especially since this parameter is the only one which changes on an inode <A
NAME="AEN9897"
></A
>when it is opened.<A
NAME="AEN9899"
></A
></P
></LI
><LI
><P
>a<A
NAME="AEN9903"
></A
> (append only) --- if a file has this attribute <A
NAME="AEN9905"
></A
>set and is open for writing, the only operation possible will be to append <A
NAME="AEN9907"
></A
>data <A
NAME="AEN9909"
></A
>to its previous contents. For a directory, this means that you can only add <A
NAME="AEN9911"
></A
>files to it, but not rename <A
NAME="AEN9913"
></A
>or delete any existing <A
NAME="AEN9915"
></A
>file. Only root can set or clear this attribute.</P
></LI
><LI
><P
>s<A
NAME="AEN9919"
></A
> (secure deletion) --- when a file or directory with this attribute<A
NAME="AEN9921"
></A
> set is deleted,<A
NAME="AEN9923"
></A
> the blocks <A
NAME="AEN9925"
></A
>it was occupying <A
NAME="AEN9927"
></A
>on disk <A
NAME="AEN9929"
></A
>are written back with zeroes <A
NAME="AEN9931"
></A
>(similar to using <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>shred</I
></SPAN
>). Note that this works on the ext2<A
NAME="AEN9934"
></A
> and ext3 <A
NAME="AEN9936"
></A
>filesystems but is unlikely to work on others (please see the documentation <A
NAME="AEN9938"
></A
>for the filesystem <A
NAME="AEN9940"
></A
>you are using). You may also like to see <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>shred</I
></SPAN
><A
NAME="AEN9943"
></A
> in <A
HREF="c2690.htm"
>Chapter 7</A
>.</P
></LI
></UL
></DD
><DT
>lsattr</DT
><DD
><P
><A
NAME="AEN9950"
></A
>(list attributes). This lists <A
NAME="AEN9952"
></A
>whether a file has any special <A
NAME="AEN9954"
></A
>attributes (as set by chattr). Use the <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>-R</I
></SPAN
> option to list recursively <A
NAME="AEN9957"
></A
>and try using the <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>-d<A
NAME="AEN9960"
></A
></I
></SPAN
> option <A
NAME="AEN9962"
></A
>to list directories <A
NAME="AEN9964"
></A
>like other files rather than listing <A
NAME="AEN9966"
></A
>their contents.<A
NAME="AEN9968"
></A
></P
><P
>Command syntax:</P
><PRE
CLASS="SCREEN"
>lsattr</PRE
><P
>This will list the files in the current <A
NAME="AEN9973"
></A
>directory; you may also specify<A
NAME="AEN9975"
></A
> a directory or a file:</P
><PRE
CLASS="SCREEN"
>lsattr /directory/or/file</PRE
></DD
></DL
></DIV
></DIV
><H3
CLASS="FOOTNOTES"
>Notes</H3
><TABLE
BORDER="0"
CLASS="FOOTNOTES"
WIDTH="100%"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="5%"
><A
NAME="FTN.AEN9835"
HREF="x9543.htm#AEN9835"
><SPAN
CLASS="footnote"
>[1]</SPAN
></A
></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="95%"
><P
>This example and tiny parts of the explanation have been taken from the <SPAN
CLASS="PRODUCTNAME"
>Linux</SPAN
> Online Classroom, see [4] in the <A
HREF="b12722.htm"
><I
>Bibliography</I
></A
> for further information. </P
></TD
></TR
></TABLE
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="c9295.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="book1.htm"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="c9978.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Security</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="c9295.htm"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Archiving Files</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>