1. What are file permissions
Every file or folder in Linux has access permissions. There are three types of permissions (what is allowed to be done with a file):
- read access
- write access
- execute access
They are defined separately for three classes of users:
- the owner of the file
- the group that the owner belongs to
- other users
Simply put, for each file it can be specified who can read or write from/to the file. For programs or scripts it can also be set whether they are allowed to be executed.
2. File permissions notation
2.1. Textual representation like "-rwxr--r--"
It is used in Linux long directory listings. It consists of 10 characters. The first character shows the file type. The next 9 characters are permissions, consisting of three groups: owner, group, others. Each group consists of three symbols: rwx (in this order); if some permission is denied, then a dash "-" is used instead.
Example:
-rwxr--r--
0123456789
- Symbol in position 0 ("-") is the type of the file. It is "d" if the item is a directory, "l" if it is a link, or "-" if the item is a regular file.
- Symbols in positions 1 to 3 ("rwx") are permissions for the owner of the file.
- Symbols in positions 4 to 6 ("r--") are permissions for the group.
- Symbols in positions 7 to 9 ("r--") are permissions for others.
Symbol | Meaning |
---|---|
r | Read access is allowed |
w | Write access is allowed |
x | Execute access is allowed |
- | Replaces "r", "w" or "x" if the corresponding access type is denied |
2.1.1. Examples
-rwxr-xr-x | File, owner has read, write, execute permissions, group: only read and execute permissions, others: only read and execute permissions. |
dr-x------ | Directory, owner has read and execute access, group and others have no access |
2.2. Numeric (octal) representation like "644"
If a numeric representation is used (like in the chmod command, for example), then it is in octal format (base 8), and the digits involved are 0 to 7. Octal format is used for simplicity of understanding: every octal digit combines read, write and execute permissions together. The respective access rights for owner, group and others (in this order) are the last three digits of the numeric file permissions representation. Example: "0644". Here the second digit ("6" in the example) stands for the rights of the owner, the third digit ("4" in the example) for the rights of the group, and the fourth digit ("4" in the example) for the rights of others. This table shows what the numeric values mean:
Octal digit | Text equivalent | Binary value | Meaning |
---|---|---|---|
0 | --- | 000 | All types of access are denied |
1 | --x | 001 | Execute access is allowed only |
2 | -w- | 010 | Write access is allowed only |
3 | -wx | 011 | Write and execute access are allowed |
4 | r-- | 100 | Read access is allowed only |
5 | r-x | 101 | Read and execute access are allowed |
6 | rw- | 110 | Read and write access are allowed |
7 | rwx | 111 | Everything is allowed |
2.2.1. Examples
Numeric | Meaning |
---|---|
644 | owner: read and write permissions, group: only read permissions, others: only read permissions. |
755 | owner: read, write and execute permissions, group: read and execute permissions, others: read and execute permissions. |
2.2.2. Why is there a leading zero?
In programming, for instance in the C language, a leading zero means that the value is in octal format. Basically, it can be omitted. Owner, group and others rights are the last three digits of the permissions.
2.2.3. Four meaningful digits like "4755"
There are cases when you may come across four non-zero digits. In this case the first meaningful (non-zero) digit combines the following bits (in this order, high to low): SUID, SGID, sticky bit. The last three digits are for owner, group and others, as before.
3. Difference in access permissions for files and folders
Access permissions for files and folders mean different things from the user standpoint. The table below shows the difference.
Access type | File | Folder |
---|---|---|
Read | If the file contents can be read | If the directory listing can be obtained |
Write | If user or process can write to the file (change its contents) | If user or process can change directory contents somehow: create new or delete existing files in the directory or rename files. |
Execute | If the file can be executed | If user or process can access the directory, that is, go to it (make it to be the current working directory) |
4. Permissions required for web server
The web server assigns the rights of a web-server-specific user, typically the user "nobody", to the connected web client, as if "nobody" were connected to the web server. "Nobody" doesn't belong to your group and thus it gets the permissions that "others" have to your files.
- For generic files such as HTML or images you usually need to set 644 permissions. It is because "nobody" needs to read the file, and thus the file should be readable by others, hence 4 (read only) permissions for both group and others. For yourself you need the right to read and write (hence 6) to the file.
- For scripts you need 755 rights. The script should be executable by "nobody". The script file should also be readable by "nobody", as the file is interpreted by an interpreter such as Perl and therefore must be readable. Thus it must combine read and execute permissions for "others", as "nobody" belongs to the "others" class. For yourself you also need write access, giving 755 as a result.
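An added example, not part of the original page, that applies the rule above (the web server's user gets only the "others" rights) together with the file/folder meaning of each bit from section 3 to audit a document root. The script suffix list and the extra world-writable and setuid checks are this example's assumptions, not requirements stated on the page.

```python
import os
import stat

# Added example, not from the original page: "nobody" belongs to "others",
# so only the last octal digit decides what the web server can do. The
# suffix list and the world-writable/setuid checks are assumptions here.

SCRIPT_SUFFIXES = (".cgi", ".pl", ".sh", ".py")

def web_permission_issues(mode, is_dir, is_script=False):
    """Return a list of problems for one path; an empty list means it is fine."""
    issues = []
    others = mode & 0o7                       # last octal digit: what "nobody" gets
    if is_dir:
        if not others & 0o1:                  # x on a folder = may enter it (section 3)
            issues.append("others cannot enter the directory (needs x)")
        if others & 0o2:                      # w on a folder = may create/delete/rename
            issues.append("world-writable directory")
    else:
        if not others & 0o4:                  # html/images must be readable: 644
            issues.append("others cannot read the file (needs r, i.e. 644)")
        if is_script and not others & 0o1:    # scripts must also be executable: 755
            issues.append("script is not executable by others (needs x, i.e. 755)")
        if others & 0o2:
            issues.append("world-writable file")
        if mode & (stat.S_ISUID | stat.S_ISGID):
            issues.append("setuid/setgid bit set on a web-served file")
    return issues

def scan_web_root(root):
    """Walk a document root and return {path: [issues]} for every path with a problem."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            st_mode = os.lstat(path).st_mode
            if stat.S_ISLNK(st_mode):         # a link's own bits are meaningless; skip it
                continue
            found = web_permission_issues(stat.S_IMODE(st_mode), is_dir,
                                          name.lower().endswith(SCRIPT_SUFFIXES))
            if found:
                report[path] = found
    return report

if __name__ == "__main__":
    for path, problems in sorted(scan_web_root(".").items()):
        print(oct(stat.S_IMODE(os.lstat(path).st_mode)), path, "; ".join(problems))
```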
5. Permissions set for FTP-uploaded files
When you upload files to your web hosting account, you become the owner of the files. Usually, by default, files get 644 permissions, but depending on the provider's FTP server configuration they may get different permissions in different situations. You can also change the file permissions with an FTP client or by executing a chmod command in telnet.
6. Set user ID, set group ID, sticky bit
In addition to the basic permissions discussed above, there are also three bits of information defined for files in Linux:
- SUID or setuid: change user ID on execution. If the setuid bit is set, when the file is executed by a user, the process will have the same rights as the owner of the file being executed.
- SGID or setgid: change group ID on execution. Same as above, but the process inherits the rights of the group of the owner of the file on execution. For directories it also may mean that when a new file is created in the directory it will inherit the group of the directory (and not of the user who created the file).
- Sticky bit. It was used to make a process "stick" in memory after it finished; this usage is now obsolete. Currently its use is system dependent, and it is mostly used to prevent deletion of files that belong to other users in a folder where you have "write" access.
6.1. Numeric representation
Octal digit | Binary value | Meaning |
---|---|---|
0 | 000 | setuid, setgid, sticky bits are cleared |
1 | 001 | sticky bit is set |
2 | 010 | setgid bit is set |
3 | 011 | setgid and sticky bits are set |
4 | 100 | setuid bit is set |
5 | 101 | setuid and sticky bits are set |
6 | 110 | setuid and setgid bits are set |
7 | 111 | setuid, setgid, sticky bits are set |
6.2. Textual representation
Bit | Textual representation |
---|---|
SUID | If set, then replaces "x" in the owner permissions with "s" if the owner has execute permissions, or with "S" otherwise. Examples: "-rws------": both owner execute and SUID are set; "-r-S------": SUID is set, but owner execute is not set. |
SGID | If set, then replaces "x" in the group permissions with "s" if the group has execute permissions, or with "S" otherwise. Examples: "-rwxrws---": both group execute and SGID are set; "-rwxr-S---": SGID is set, but group execute is not set. |
Sticky | If set, then replaces "x" in the others permissions with "t" if others have execute permissions, or with "T" otherwise. Examples: "-rwxrwxrwt": both others execute and the sticky bit are set; "-rwxrwxr-T": the sticky bit is set, but others execute is not set. |
Permissions
The purpose of this lesson is to introduce how you can control access to your files.
Concepts
The files in your Unix account are yours to use as you wish (for the most part; the Unix system administrator truly "owns" them). You might want to make sure that someone out exploring the Unix file system doesn't visit your home directory and look at your files' contents. Or perhaps you are working with others and want to share your files. The way to control who gets to see what in your directories is where permissions come in.
Setting File Permissions
Use the Unix chmod command to set the permissions of your files and directories.
Setting Permissions
The chmod command uses as an argument a string which describes the permissions for a file. The permission description can be in the form of a number that is exactly three digits. Each digit of this number is a code for the permissions level of three types of people that might access this file:
- Owner (you)
- Group (a group of other users that you set up)
- World (anyone else browsing around on the file system)
The value of each digit is set according to what rights each of the types of people listed above have to manipulate that file. Permissions are set according to numbers. Read is 4. Write is 2. Execute is 1. The sums of these numbers give combinations of these permissions:
- 0 = no permissions whatsoever; this person cannot read, write, or execute the file
- 1 = execute only
- 2 = write only
- 3 = write and execute (1+2)
- 4 = read only
- 5 = read and execute (4+1)
- 6 = read and write (4+2)
- 7 = read and write and execute (4+2+1)
Permissions are given using these digits in a sequence of three: one for owner, one for group, one for world.
Let's look at how I can make it impossible for anyone else to do anything with my apple.txt file but me:
$ chmod 700 apple.txt
$
If someone else tries to look into apple.txt, they get an error message:
$ cat apple.txt
cat: apple.txt: Permission denied
$
If I want other people to be able to read apple.txt, I would set the file permissions like this:
$ chmod 744 apple.txt
$
Detecting File Permissions
You can use the ls command with the -l option to show the file permissions set. For example, for apple.txt, I can do this:
$ ls -l apple.txt
-rwxr--r-- 1 december december 81 Feb 12 12:45 apple.txt
$
The sequence -rwxr--r-- tells the permissions set for the file apple.txt. The first - tells that apple.txt is a file. The next three letters, rwx, show that the owner has read, write, and execute permissions. Then the next three symbols, r--, show that the group permissions are read only. The final three symbols, r--, show that the world permissions are read only.