LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/intro-linux/html/sect_03_04.html

1595 lines
29 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>File security</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Introduction to Linux"
HREF="index.html"><LINK
REL="UP"
TITLE="About files and the file system"
HREF="chap_03.html"><LINK
REL="PREVIOUS"
TITLE="Manipulating files"
HREF="sect_03_03.html"><LINK
REL="NEXT"
TITLE="Summary"
HREF="sect_03_05.html"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Introduction to Linux: </TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="sect_03_03.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 3. About files and the file system</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="sect_03_05.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="sect_03_04"
></A
>3.4. File security</H1
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="sect_03_04_01"
></A
>3.4.1. Access rights: Linux's first line of defense</H2
><P
>The Linux security model is based on the one used on UNIX systems, and is as rigid as the UNIX security model (and sometimes even more), which is already quite robust. On a Linux system, every file is owned by a user and a group user. There is also a third category of users, those that are not the user owner and don't belong to the group owning the file. For each category of users, read, write and execute permissions can be granted or denied.</P
><P
>We already used the <EM
>long</EM
> option to list files using the <B
CLASS="command"
>ls <TT
CLASS="option"
>-l</TT
></B
> command, though for other reasons. This command also displays file permissions for these three user categories; they are indicated by the nine characters that follow the first character, which is the file type indicator at the beginning of the file properties line. As seen in the examples below, the first three characters in this series of nine display access rights for the actual user that owns the file. The next three are for the group owner of the file, the last three for other users. The permissions are always in the same order: read, write, execute for the user, the group and the others. Some examples:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>marise:~&#62;</TT
> <B
CLASS="command"
>ls -l To_Do</B
>
-rw-rw-r-- 1 marise users 5 Jan 15 12:39 To_Do
<TT
CLASS="prompt"
>marise:~&#62;</TT
> <B
CLASS="command"
>ls -l /bin/ls</B
>
-rwxr-xr-x 1 root root 45948 Aug 9 15:01 /bin/ls*
</PRE
></FONT
></TD
></TR
></TABLE
><P
>The first file is a regular file (first dash). Users with user name <EM
>marise</EM
> or users belonging to the group <EM
>users</EM
> can read and write (change/move/delete) the file, but they can't execute it (second and third dash). All other users are only allowed to read this file, but they can't write or execute it (fourth and fifth dash).</P
><P
>The second example is an executable file, the difference: everybody can run this program, but you need to be <EM
>root</EM
> to change it.</P
><P
>The Info pages explain how the <B
CLASS="command"
>ls</B
> command handles display of access rights in detail, see the section <EM
>What information is listed</EM
>.</P
><P
>For easy use with commands, both access rights or modes and user groups have a code. See the tables below.</P
><DIV
CLASS="table"
><A
NAME="AEN3805"
></A
><P
><B
>Table 3-7. Access mode codes</B
></P
><TABLE
BORDER="1"
CLASS="CALSTABLE"
><THEAD
><TR
><TH
ALIGN="LEFT"
VALIGN="MIDDLE"
>Code</TH
><TH
ALIGN="LEFT"
VALIGN="MIDDLE"
>Meaning</TH
></TR
></THEAD
><TBODY
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>0 or -</TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>The access right that is supposed to be on this place is not granted.</TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>4 or r</TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>read access is granted to the user category defined in this place</TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>2 or w</TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>write permission is granted to the user category defined in this place</TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>1 or x</TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>execute permission is granted to the user category defined in this place</TD
></TR
></TBODY
></TABLE
></DIV
><DIV
CLASS="table"
><A
NAME="AEN3825"
></A
><P
><B
>Table 3-8. User group codes</B
></P
><TABLE
BORDER="1"
CLASS="CALSTABLE"
><THEAD
><TR
><TH
ALIGN="LEFT"
VALIGN="MIDDLE"
>Code</TH
><TH
ALIGN="LEFT"
VALIGN="MIDDLE"
>Meaning</TH
></TR
></THEAD
><TBODY
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>u</TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>user permissions</TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>g</TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>group permissions</TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>o</TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>permissions for others</TD
></TR
></TBODY
></TABLE
></DIV
><P
>This straight forward scheme is applied very strictly, which allows a high level of security even without network security. Among other functions, the security scheme takes care of user access to programs, it can serve files on a need-to-know basis and protect sensitive data such as home directories and system configuration files.</P
><P
>You should know what your user name is. If you don't, it can be displayed using the <B
CLASS="command"
>id</B
> command, which also displays the default group you belong to and eventually other groups of which you are a member:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>tilly:~&#62;</TT
> <B
CLASS="command"
>id</B
>
uid=504(tilly) gid=504(tilly) groups=504(tilly),100(users),2051(org)
</PRE
></FONT
></TD
></TR
></TABLE
><P
>Your user name is also stored in the environment variable <TT
CLASS="varname"
>USER</TT
>:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>tilly:~&#62;</TT
> <B
CLASS="command"
>echo $USER</B
>
tilly
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="sect_03_04_02"
></A
>3.4.2. The tools</H2
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="sect_03_04_02_01"
></A
>3.4.2.1. The chmod command</H3
><P
>A normal consequence of applying strict file permissions, and sometimes a nuisance, is that access rights will need to be changed for all kinds of reasons. We use the <B
CLASS="command"
>chmod</B
> command to do this, and eventually <EM
>to chmod</EM
> has become an almost acceptable English verb, meaning the changing of the access mode of a file. The <B
CLASS="command"
>chmod</B
> command can be used with alphanumeric or numeric options, whatever you like best.</P
><P
>The example below uses alphanumeric options in order to solve a problem that commonly occurs with new users:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>asim:~&#62;</TT
> <B
CLASS="command"
>./hello</B
>
bash: ./hello: bad interpreter: Permission denied
<TT
CLASS="prompt"
>asim:~&#62;</TT
> <B
CLASS="command"
>cat hello</B
>
#!/bin/bash
echo "Hello, World"
<TT
CLASS="prompt"
>asim:~&#62;</TT
> <B
CLASS="command"
>ls -l hello</B
>
-rw-rw-r-- 1 asim asim 32 Jan 15 16:29 hello
<TT
CLASS="prompt"
>asim:~&#62;</TT
> <B
CLASS="command"
>chmod u+x hello</B
>
<TT
CLASS="prompt"
>asim:~&#62;</TT
> <B
CLASS="command"
>./hello</B
>
Hello, World
<TT
CLASS="prompt"
>asim:~&#62;</TT
> <B
CLASS="command"
>ls -l hello</B
>
-rwxrw-r-- 1 asim asim 32 Jan 15 16:29 hello*
</PRE
></FONT
></TD
></TR
></TABLE
><P
>The <B
CLASS="command"
>+</B
> and <B
CLASS="command"
>-</B
> operators are used to grant or deny a given right to a given group. Combinations separated by commas are allowed. The Info and man pages contain useful examples. Here's another one, which makes the file from the previous example a private file to user <EM
>asim</EM
>:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>asim:~&#62;</TT
> <B
CLASS="command"
>chmod u+rwx,go-rwx hello</B
>
<TT
CLASS="prompt"
>asim:~&#62;</TT
> <B
CLASS="command"
>ls -l hello</B
>
-rwx------ 1 asim asim 32 Jan 15 16:29 hello*
</PRE
></FONT
></TD
></TR
></TABLE
><P
>The kind of problem resulting in an error message saying that permission is denied somewhere is usually a problem with access rights in most cases. Also, comments like, <SPAN
CLASS="QUOTE"
>"It worked yesterday,"</SPAN
> and <SPAN
CLASS="QUOTE"
>"When I run this as root it works,"</SPAN
> are most likely caused by the wrong file permissions.</P
><P
>When using <B
CLASS="command"
>chmod</B
> with numeric arguments, the values for each granted access right have to be counted together per group. Thus we get a 3-digit number, which is the symbolic value for the settings <B
CLASS="command"
>chmod</B
> has to make. The following table lists the most common combinations:</P
><DIV
CLASS="table"
><A
NAME="AEN3908"
></A
><P
><B
>Table 3-9. File protection with chmod</B
></P
><TABLE
BORDER="1"
CLASS="CALSTABLE"
><THEAD
><TR
><TH
ALIGN="LEFT"
VALIGN="MIDDLE"
>Command</TH
><TH
ALIGN="LEFT"
VALIGN="MIDDLE"
>Meaning</TH
></TR
></THEAD
><TBODY
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
><B
CLASS="command"
>chmod <TT
CLASS="parameter"
><I
>400</I
></TT
> <TT
CLASS="filename"
>file</TT
></B
></TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>To protect a file against accidental overwriting.</TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
><B
CLASS="command"
>chmod <TT
CLASS="parameter"
><I
>500</I
></TT
> <TT
CLASS="filename"
>directory</TT
></B
></TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>To protect yourself from accidentally removing, renaming or moving files from this directory.</TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
><B
CLASS="command"
>chmod <TT
CLASS="parameter"
><I
>600</I
></TT
> <TT
CLASS="filename"
>file</TT
></B
></TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>A private file only changeable by the user who entered this command.</TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
><B
CLASS="command"
>chmod <TT
CLASS="parameter"
><I
>644</I
></TT
> <TT
CLASS="filename"
>file</TT
></B
></TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>A publicly readable file that can only be changed by the issuing user.</TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
><B
CLASS="command"
>chmod <TT
CLASS="parameter"
><I
>660</I
></TT
> <TT
CLASS="filename"
>file</TT
></B
></TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>Users belonging to your group can change this file, others don't have any access to it at all.</TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
><B
CLASS="command"
>chmod <TT
CLASS="parameter"
><I
>700</I
></TT
> <TT
CLASS="filename"
>file</TT
></B
></TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>Protects a file against any access from other users, while the issuing user still has full access.</TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
><B
CLASS="command"
>chmod <TT
CLASS="parameter"
><I
>755</I
></TT
> <TT
CLASS="filename"
>directory</TT
></B
></TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>For files that should be readable and executable by others, but only changeable by the issuing user.</TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
><B
CLASS="command"
>chmod <TT
CLASS="parameter"
><I
>775</I
></TT
> <TT
CLASS="filename"
>file</TT
></B
></TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>Standard file sharing mode for a group.</TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
><B
CLASS="command"
>chmod <TT
CLASS="parameter"
><I
>777</I
></TT
> <TT
CLASS="filename"
>file</TT
></B
></TD
><TD
ALIGN="LEFT"
VALIGN="MIDDLE"
>Everybody can do everything to this file.</TD
></TR
></TBODY
></TABLE
></DIV
><P
>If you enter a number with less than three digits as an argument to <B
CLASS="command"
>chmod</B
>, omitted characters are replaced with zeros starting from the left. There is actually a fourth digit on Linux systems, that precedes the first three and sets special access modes. Everything about these and many more are located in the Info pages.</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="sect_03_04_02_02"
></A
>3.4.2.2. Logging on to another group</H3
><P
>When you type <B
CLASS="command"
>id</B
> on the command line, you get a list of all the groups that you can possibly belong to, preceded by your user name and ID and the group name and ID that you are currently connected with. However, on many Linux systems you can only be actively logged in to one group at the time. By default, this active or <EM
>primary group</EM
> is the one that you get assigned from the <TT
CLASS="filename"
>/etc/passwd</TT
> file. The fourth field of this file holds users' primary group ID, which is looked up in the <TT
CLASS="filename"
>/etc/group</TT
> file. An example:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>asim:~&#62;</TT
> <B
CLASS="command"
>id</B
>
uid=501(asim) gid=501(asim) groups=100(users),501(asim),3400(web)
<TT
CLASS="prompt"
>asim:~&#62;</TT
> <B
CLASS="command"
>grep <TT
CLASS="parameter"
><I
>asim</I
></TT
> <TT
CLASS="filename"
>/etc/passwd</TT
></B
>
asim:x:501:501:Asim El Baraka:/home/asim:/bin/bash
<TT
CLASS="prompt"
>asim:~&#62;</TT
> <B
CLASS="command"
>grep <TT
CLASS="parameter"
><I
>501</I
></TT
> <TT
CLASS="filename"
>/etc/group</TT
></B
>
asim:x:501:
</PRE
></FONT
></TD
></TR
></TABLE
><P
>The fourth field in the line from <TT
CLASS="filename"
>/etc/passwd</TT
> contains the value <SPAN
CLASS="QUOTE"
>"501"</SPAN
>, which represents the group <EM
>asim</EM
> in the above example. From <TT
CLASS="filename"
>/etc/group</TT
> we can get the name matching this group ID. When initially connecting to the system, this is the group that <EM
>asim</EM
> will belong to.</P
><DIV
CLASS="note"
><P
></P
><TABLE
CLASS="note"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TH
ALIGN="LEFT"
VALIGN="CENTER"
><B
>User private group scheme</B
></TH
></TR
><TR
><TD
>&nbsp;</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>In order to allow more flexibility, most Linux systems follow the so-called <EM
>user private group scheme</EM
>, that assigns each user primarily to his or her own group. This group is a group that only contains this particular user, hence the name <SPAN
CLASS="QUOTE"
>"private group"</SPAN
>. Usually this group has the same name as the user login name, which can be a bit confusing.</P
></TD
></TR
></TABLE
></DIV
><P
>Apart from his own private group, user <EM
>asim</EM
> can also be in the groups <EM
>users</EM
> and <EM
>web</EM
>. Because these are secondary groups to this user, he will need to use the <B
CLASS="command"
>newgrp</B
> to log into any of these groups (use <B
CLASS="command"
>gpasswd</B
> for setting the group password first). In the example, <EM
>asim</EM
> needs to create files that are owned by the group <EM
>web</EM
>.</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>asim:/var/www/html&#62;</TT
> <B
CLASS="command"
>newgrp <TT
CLASS="parameter"
><I
>web</I
></TT
></B
>
<TT
CLASS="prompt"
>asim:/var/www/html&#62;</TT
> <B
CLASS="command"
>id</B
>
uid=501(asim) gid=3400(web) groups=100(users),501(asim),3400(web)
</PRE
></FONT
></TD
></TR
></TABLE
><P
>When <EM
>asim</EM
> creates new files now, they will be in group ownership of the group <EM
>web</EM
> instead of being owned by the group <EM
>asim</EM
>:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>asim:/var/www/html&#62;</TT
> <B
CLASS="command"
>touch <TT
CLASS="filename"
>test</TT
></B
>
<TT
CLASS="prompt"
>asim:/var/www/html&#62;</TT
> <B
CLASS="command"
>ls <TT
CLASS="option"
>-l</TT
> <TT
CLASS="filename"
>test</TT
></B
>
-rw-rw-r-- 1 asim web 0 Jun 10 15:38 test
</PRE
></FONT
></TD
></TR
></TABLE
><P
>Logging in to a new group prevents you from having to use <B
CLASS="command"
>chown</B
> (see <A
HREF="sect_03_04.html#sect_03_04_02_04"
>Section 3.4.2.4</A
>) or calling your system administrator to change ownerships for you.</P
><P
>See the manpage for <B
CLASS="command"
>newgrp</B
> for more information.</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="sect_03_04_02_03"
></A
>3.4.2.3. The file mask</H3
><P
>When a new file is saved somewhere, it is first subjected to the standard security procedure. Files without permissions don't exist on Linux. The standard file permission is determined by the <EM
>mask</EM
> for new file creation. The value of this mask can be displayed using the <B
CLASS="command"
>umask</B
> command:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>bert:~&#62;</TT
> <B
CLASS="command"
>umask</B
>
0002
</PRE
></FONT
></TD
></TR
></TABLE
><P
>Instead of adding the symbolic values to each other, as with <B
CLASS="command"
>chmod</B
>, for calculating the permission on a new file they need to be subtracted from the total possible access rights. In the example above, however, we see 4 values displayed, yet there are only 3 permission categories: <EM
>user</EM
>, <EM
>group</EM
> and <EM
>other</EM
>. The first zero is part of the special file attributes settings, which we will discuss in <A
HREF="sect_03_04.html#sect_03_04_02_04"
>Section 3.4.2.4</A
> and <A
HREF="sect_04_01.html#sect_04_01_06"
>Section 4.1.6</A
>. It might just as well be that this first zero is not displayed on your system when entering the <B
CLASS="command"
>umask</B
> command, and that you only see 3 numbers representing the default file creation mask.</P
><P
>Each UNIX-like system has a system function for creating new files, which is called each time a user uses a program that creates new files, for instance, when downloading a file from the Internet, when saving a new text document and so on. This function creates both new files and new directories. Full read, write and execute permission is granted to everybody when creating a new directory. When creating a new file, this function will grant read and write permissions for everybody, but set execute permissions to none for all user categories. This, before the mask is applied, a directory has permissions <EM
>777</EM
> or <EM
>rwxrwxrwx</EM
>, a plain file <EM
>666</EM
> or <EM
>rw-rw-rw-</EM
>.</P
><P
>The <EM
>umask</EM
> value is subtracted from these default permissions after the function has created the new file or directory. Thus, a directory will have permissions of <EM
>775</EM
> by default, a file <EM
>664</EM
>, if the mask value is <EM
>(0)002</EM
>. This is demonstrated in the example below:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>bert:~&#62;</TT
> <B
CLASS="command"
>mkdir newdir</B
>
<TT
CLASS="prompt"
>bert:~&#62;</TT
> <B
CLASS="command"
>ls -ld newdir</B
>
drwxrwxr-x 2 bert bert 4096 Feb 28 13:45 newdir/
<TT
CLASS="prompt"
>bert:~&#62;</TT
> <B
CLASS="command"
>touch newfile</B
>
<TT
CLASS="prompt"
>bert:~&#62;</TT
> <B
CLASS="command"
>ls -l newfile</B
>
-rw-rw-r-- 1 bert bert 0 Feb 28 13:52 newfile
</PRE
></FONT
></TD
></TR
></TABLE
><DIV
CLASS="note"
><P
></P
><TABLE
CLASS="note"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TH
ALIGN="LEFT"
VALIGN="CENTER"
><B
>Files versus directories</B
></TH
></TR
><TR
><TD
>&nbsp;</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>A directory gets more permissions by default: it always has the <EM
>execute</EM
> permission. If it wouldn't have that, it would not be accessible. Try this out by chmodding a directory 644!</P
></TD
></TR
></TABLE
></DIV
><P
>If you log in to another group using the <B
CLASS="command"
>newgrp</B
> command, the mask remains unchanged. Thus, if it is set to <EM
>002</EM
>, files and directories that you create while being in the new group will also be accessible to the other members of that group; you don't have to use <B
CLASS="command"
>chmod</B
>.</P
><P
>The <EM
>root</EM
> user usually has stricter default file creation permissions:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;[root@estoban root]# umask
022
</PRE
></FONT
></TD
></TR
></TABLE
><P
>These defaults are set system-wide in the shell resource configuration files, for instance <TT
CLASS="filename"
>/etc/bashrc</TT
> or <TT
CLASS="filename"
>/etc/profile</TT
>. You can change them in your own shell configuration file, see <A
HREF="chap_07.html"
>Chapter 7</A
> on customizing your shell environment.</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="sect_03_04_02_04"
></A
>3.4.2.4. Changing user and group ownership</H3
><P
>When a file is owned by the wrong user or group, the error can be repaired with the <B
CLASS="command"
>chown</B
> (change owner) and <B
CLASS="command"
>chgrp</B
> (change group) commands. Changing file ownership is a frequent system administrative task in environments where files need to be shared in a group. Both commands are very flexible, as you can find out by using the <TT
CLASS="option"
>--help</TT
> option.</P
><P
>The <B
CLASS="command"
>chown</B
> command can be applied to change both user and group ownership of a file, while <B
CLASS="command"
>chgrp</B
> only changes group ownership. Of course the system will check if the user issuing one of these commands has sufficient permissions on the file(s) she wants to change.</P
><P
>In order to only change the user ownership of a file, use this syntax:</P
><P
><B
CLASS="command"
>chown <TT
CLASS="parameter"
><I
>newuser</I
></TT
> <TT
CLASS="filename"
>file</TT
></B
> </P
><P
>If you use a colon after the user name (see the Info pages), group ownership will be changed as well, to the primary group of the user issuing the command. On a Linux system, each user has his own group, so this form can be used to make files private:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>jacky:~&#62;</TT
> <B
CLASS="command"
>id</B
>
uid=1304(jacky) gid=(1304) groups=1304(jacky),2034(pproject)
<TT
CLASS="prompt"
>jacky:~&#62;</TT
> <B
CLASS="command"
>ls -l my_report</B
>
-rw-rw-r-- 1 jacky project 29387 Jan 15 09:34 my_report
<TT
CLASS="prompt"
>jacky:~&#62;</TT
> <B
CLASS="command"
>chown jacky: my_report</B
>
<TT
CLASS="prompt"
>jacky:~&#62;</TT
> <B
CLASS="command"
>chmod o-r my_report</B
>
<TT
CLASS="prompt"
>jacky:~&#62;</TT
> <B
CLASS="command"
>ls -l my_report</B
>
-rw-rw---- 1 jacky jacky 29387 Jan 15 09:34 my_report
</PRE
></FONT
></TD
></TR
></TABLE
><P
>If <EM
>jacky</EM
> would like to share this file, without having to give everybody permission to write it, he can use the <B
CLASS="command"
>chgrp</B
> command:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>jacky:~&#62;</TT
> <B
CLASS="command"
>ls -l report-20020115.xls</B
>
-rw-rw---- 1 jacky jacky 45635 Jan 15 09:35 report-20020115.xls
<TT
CLASS="prompt"
>jacky:~&#62;</TT
> <B
CLASS="command"
>chgrp project report-20020115.xls</B
>
<TT
CLASS="prompt"
>jacky:~&#62;</TT
> <B
CLASS="command"
>chmod o= report-20020115.xls</B
>
<TT
CLASS="prompt"
>jacky:~&#62;</TT
> <B
CLASS="command"
>ls -l report-20020115.xls</B
>
-rw-rw---- 1 jacky project 45635 Jan 15 09:35 report-20020115.xls
</PRE
></FONT
></TD
></TR
></TABLE
><P
>This way, users in the group <EM
>project</EM
> will be able to work on this file. Users not in this group have no business with it at all.</P
><P
>Both <B
CLASS="command"
>chown</B
> and <B
CLASS="command"
>chgrp</B
> can be used to change ownership recursively, using the <TT
CLASS="option"
>-R</TT
> option. In that case, all underlying files and subdirectories of a given directory will belong to the given user and/or group.</P
><DIV
CLASS="note"
><P
></P
><TABLE
CLASS="note"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TH
ALIGN="LEFT"
VALIGN="CENTER"
><B
>Restrictions</B
></TH
></TR
><TR
><TD
>&nbsp;</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>On most systems, the use of the <B
CLASS="command"
>chown</B
> and <B
CLASS="command"
>chgrp</B
> commands is restricted for non-privileged users. If you are not the administrator of the system, you can not change user nor group ownerships for security reasons. If the usage of these commands would not be restricted, malicious users could assign ownership of files to other users and/or groups and change behavior of those users' environments and even cause damage to other users' files.</P
></TD
></TR
></TABLE
></DIV
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="sect_03_04_02_05"
></A
>3.4.2.5. Special modes</H3
><P
>For the system admin to not be bothered solving permission problems all the time, special access rights can be given to entire directories, or to separate programs. There are three special modes:</P
><P
></P
><UL
><LI
><P
>Sticky bit mode: After execution of a job, the command is kept in the system memory. Originally this was a feature used a lot to save memory: big jobs are loaded into memory only once. But these days memory is inexpensive and there are better techniques to manage it, so it is not used anymore for its optimizing capabilities on single files. When applied to an entire directory, however, the sticky bit has a different meaning. In that case, a user can only change files in this directory when she is the user owner of the file or when the file has appropriate permissions. This feature is used on directories like <TT
CLASS="filename"
>/var/tmp</TT
>, that have to be accessible for everyone, but where it is not appropriate for users to change or delete each other's data. The sticky bit is indicated by a <EM
>t</EM
> at the end of the file permission field:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>mark:~&#62;</TT
> <B
CLASS="command"
>ls -ld /var/tmp</B
>
drwxrwxrwt 19 root root 8192 Jan 16 10:37 /var/tmp/
</PRE
></FONT
></TD
></TR
></TABLE
><P
>The sticky bit is set using the command <B
CLASS="command"
>chmod <TT
CLASS="parameter"
><I
>o+t</I
></TT
> <TT
CLASS="filename"
>directory</TT
></B
>. The historic origin of the <SPAN
CLASS="QUOTE"
>"t"</SPAN
> is in UNIX' <EM
>save Text access</EM
> feature.</P
></LI
><LI
><P
>SUID (set user ID) and SGID (set group ID): represented by the character <EM
>s</EM
> in the user or group permission field. When this mode is set on an executable file, it will run with the user and group permissions on the file instead of with those of the user issuing the command, thus giving access to system resources. We will discuss this further in <A
HREF="chap_04.html"
>Chapter 4</A
>.</P
></LI
><LI
><P
>SGID (set group ID) on a directory: in this special case every file created in the directory will have the same group owner as the directory itself (while normal behavior would be that new files are owned by the users who create them). This way, users don't need to worry about file ownership when sharing directories:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>mimi:~&#62;</TT
> <B
CLASS="command"
>ls -ld /opt/docs</B
>
drwxrws--- 4 root users 4096 Jul 25 2001 docs/
<TT
CLASS="prompt"
>mimi:~&#62;</TT
> <B
CLASS="command"
>ls -l /opt/docs</B
>
-rw-rw---- 1 mimi users 345672 Aug 30 2001-Council.doc
</PRE
></FONT
></TD
></TR
></TABLE
><P
>This is the standard way of sharing files in UNIX.</P
><DIV
CLASS="note"
><P
></P
><TABLE
CLASS="note"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TH
ALIGN="LEFT"
VALIGN="CENTER"
><B
>Existing files are left unchanged!</B
></TH
></TR
><TR
><TD
>&nbsp;</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>Files that are being moved to a SGID directory but were created elsewhere keep their original user and group owner. This may be confusing.</P
></TD
></TR
></TABLE
></DIV
></LI
></UL
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="sect_03_03.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="sect_03_05.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Manipulating files</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="chap_03.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Summary</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink