Difference between revisions of "OPS102 - Permissions"
Chris Tyler (talk | contribs) (→Viewing Permissions) |
Chris Tyler (talk | contribs) |
||
Line 1: | Line 1: | ||
In multi-user operating systems it is important to be able to control access to information. This is usually done at the file and directory levels. | In multi-user operating systems it is important to be able to control access to information. This is usually done at the file and directory levels. | ||
+ | |||
+ | == Discretionary versus Mandatory Access Controls == | ||
+ | |||
+ | There are two broad categories of access controls applied to files and directories: | ||
+ | * Discretionary Access Controls (DACs) - these are access controls that can be set to any value at the discretion of the users or administrators of the computer system. | ||
+ | * Mandatory Access Controls (MACs) - these are access controls that are applied across the entire system in a uniform way, and cannot be individually overridden by the users or administrators. An example of a Mandatory Access Control system is SELinux (security-enhanced Linux), a system originally developed by the National Security Agency of the US Federal Government and now part of the Linux Kernel (via KSM - Kernel Security Models). SELinux uses type enforcement and labelling of both resources (files, network connections) and processes to determine whether a specific process should have access to a specific resource, and to deny access when it does not. SELinux is used in several operating systems, including Fedora, CentOS, Red Hat Enterprise Linux, and Android. | ||
+ | |||
+ | In this OPS102 course, we will be looking only at DACs. | ||
== Linux File Permissions == | == Linux File Permissions == | ||
− | Unix-like operating systems, such as Linux, provide a simple model for maintaining file and directory permissions. There is a more advanced model available, called File Access Control Lists (File ACLs or FACLs), but it is more complicated to manage, and experience has shown that the simpler model is more likely to be used. | + | Unix-like operating systems, such as Linux, provide a simple model for maintaining file and directory permissions. There is a more advanced model available, called File Access Control Lists (File ACLs or FACLs - see below), but it is more complicated to manage, and experience has shown that the simpler model is more likely to be used. |
+ | |||
+ | Linux systems also provide | ||
=== Permission Communities === | === Permission Communities === | ||
Line 9: | Line 19: | ||
There are three '''communities''' of users for each file: | There are three '''communities''' of users for each file: | ||
− | * '' | + | * ''User'' -- the one user that owns the file |
* ''Group'' -- the group of users that is the group-owner of the file | * ''Group'' -- the group of users that is the group-owner of the file | ||
* ''Other'' -- every other user of the computer system | * ''Other'' -- every other user of the computer system | ||
+ | |||
+ | These communitities are presented in this order, so remember the sequence!: User - Group - Other (u g o) | ||
=== Permissions === | === Permissions === | ||
Line 19: | Line 31: | ||
* '''Read''' -- the ability to read a file. | * '''Read''' -- the ability to read a file. | ||
* '''Write''' -- the ability to write to the file, including permission to add to, change, or truncate (shorten) the file. | * '''Write''' -- the ability to write to the file, including permission to add to, change, or truncate (shorten) the file. | ||
− | * ''' | + | * '''eXecute''' -- the ability to run (execute) a file. |
+ | |||
+ | Remember this sequence also!: Read - Write - eXecute (r w x) | ||
When applied to directories, these permissions are interpreted differently: | When applied to directories, these permissions are interpreted differently: | ||
Line 25: | Line 39: | ||
* '''Read''' -- the ability to ''see'' the names of the files and subdirectories within the directory. This is also called "search" permission. | * '''Read''' -- the ability to ''see'' the names of the files and subdirectories within the directory. This is also called "search" permission. | ||
* '''Write''' -- the ability to create/delete files and subdirectories within the directory. | * '''Write''' -- the ability to create/delete files and subdirectories within the directory. | ||
− | * ''' | + | * '''eXecute''' -- the ability to access files with the directory. If turned off, the files cannot be accessed, and metadata about each file (such as the owner, group owner, file length, permissions, and timestamps) cannot be accessed either. This is sometimes called ''passthrough'' permission. |
If execute permission is enabled for a directory but read permission has not been enabled, the affected community cannot view a directory listing to determine filenames, but if they know the name of a file within that directory, they may still access it. | If execute permission is enabled for a directory but read permission has not been enabled, the affected community cannot view a directory listing to determine filenames, but if they know the name of a file within that directory, they may still access it. | ||
Line 33: | Line 47: | ||
Permissions may be viewed with the <code>ls -l</code> command (the <code>ls</code> command with the <code>-l</code> "long detailed listing" option). For example: | Permissions may be viewed with the <code>ls -l</code> command (the <code>ls</code> command with the <code>-l</code> "long detailed listing" option). For example: | ||
− | $ ls -l /etc/hosts | + | $ '''ls -l /etc/hosts''' |
-rw-r--r--. 1 root root 386 Nov 27 2022 /etc/hosts | -rw-r--r--. 1 root root 386 Nov 27 2022 /etc/hosts | ||
Line 43: | Line 57: | ||
r-- the group has read permission | r-- the group has read permission | ||
r-- others have read permission | r-- others have read permission | ||
+ | |||
+ | To view the permisions on a directory, you may need to specify the <code>-d</code> option to the <code>ls</code> command, which causes it to display the specified directory instead of the ''contents'' of that directory. For example: | ||
+ | |||
+ | $ '''ls -l /''' # displays the contents of the root directory | ||
+ | total 68 | ||
+ | dr-xr-xr-x. 2 root root 4096 Jan 18 2023 afs | ||
+ | lrwxrwxrwx. 1 root root 7 Jan 18 2023 bin -> usr/bin | ||
+ | dr-xr-xr-x. 6 root root 4096 Sep 15 22:56 boot | ||
+ | drwxr-xr-x. 23 root root 4860 Sep 26 10:41 dev | ||
+ | drwxr-xr-x. 178 root root 12288 Sep 26 09:42 etc | ||
+ | drwxr-xr-x. 5 root root 4096 May 30 14:27 home | ||
+ | lrwxrwxrwx. 1 root root 7 Jan 18 2023 lib -> usr/lib | ||
+ | lrwxrwxrwx. 1 root root 9 Jan 18 2023 lib64 -> usr/lib64 | ||
+ | drwx------. 2 root root 16384 Apr 13 17:42 lost+found | ||
+ | drwxr-xr-x. 2 root root 4096 Jan 18 2023 media | ||
+ | drwxr-xr-x. 5 root root 4096 Jun 14 10:45 mnt | ||
+ | drwxr-xr-x. 5 root root 4096 Sep 6 10:09 opt | ||
+ | dr-xr-xr-x. 489 root root 0 Sep 26 06:26 proc | ||
+ | dr-xr-x---. 10 root root 4096 Sep 25 05:31 root | ||
+ | drwxr-xr-x. 56 root root 1480 Sep 26 10:28 run | ||
+ | lrwxrwxrwx. 1 root root 8 Jan 18 2023 sbin -> usr/sbin | ||
+ | drwxr-xr-x. 2 root root 4096 Jan 18 2023 srv | ||
+ | dr-xr-xr-x. 13 root root 0 Sep 26 10:26 sys | ||
+ | drwxrwxrwt. 25 root root 580 Sep 26 10:51 tmp | ||
+ | drwxr-xr-x. 13 root root 4096 May 30 09:33 usr | ||
+ | drwxr-xr-x. 21 root root 4096 May 30 12:46 var | ||
+ | |||
+ | $ '''ls -l -d /''' # displays the root directory itself | ||
+ | dr-xr-xr-x. 19 root root 4096 Sep 4 15:05 / | ||
+ | |||
+ | === Setting Permissions === | ||
+ | |||
+ | The permissions on a file are also called the permission ''mode'' of the file, so the command to change the permissions is called <code>chmod</code> ("change mode"). | ||
+ | |||
+ | The <code>chmod</code> command can be used in either of two ways: with symbolic or numeric permissions. | ||
+ | |||
+ | In either case, the command accepts the mode as the first positional argument, and the filename(s) (or patterns) as the remaining positional arguments: | ||
+ | |||
+ | chmod ''mode'' ''filename'' <nowiki>[...]</nowiki> | ||
+ | |||
+ | ==== Using Symbolic Mode ==== | ||
+ | |||
+ | Symbolic mode represents permissions as a list of one or more communities, represented by a letter: | ||
+ | |||
+ | u (user) | ||
+ | g (group) | ||
+ | o (other) | ||
+ | a (all - a short form to specify ugo) | ||
+ | |||
+ | This is followed by an action symbol: | ||
+ | |||
+ | + (add permissions) | ||
+ | - (remove permissions) | ||
+ | = (set permissions) | ||
+ | |||
+ | The difference between +/- and = is that +/- will add or remove the specified permissions while leaving other permissions unchanged, while = will explicitly set the permissions to exactly the value specified. | ||
+ | |||
+ | This is followed zero or more of these letters, representing permissions: | ||
+ | |||
+ | r (read) | ||
+ | w (write) | ||
+ | x (execute - note that this is lowercase) | ||
+ | X (execute if applied to a directory, or nothing if applied to a file -- note that this is UPPERCASE) | ||
+ | |||
+ | Here is an example: | ||
+ | |||
+ | $ '''touch test001''' # create a file for testing | ||
+ | $ '''ls -l test001''' # show the current permissions | ||
+ | -rw-r--r--. 1 chris chris 0 Sep 26 11:20 test001 | ||
+ | |||
+ | $ '''chmod g+w test001''' # to '''g'''roup, add ('''+''') '''w'''rite permission | ||
+ | $ '''ls -l test001''' | ||
+ | -rw-rw-r--. 1 chris chris 0 Sep 26 11:20 test001 | ||
+ | |||
+ | $ '''chmod o-r test001''' # to '''o'''ther, remove ('''-''') '''r'''ead permission | ||
+ | $ '''ls -l test001''' | ||
+ | -rw-rw----. 1 chris chris 0 Sep 26 11:20 test001 | ||
+ | |||
+ | $ '''chmod u=rw,go= test001''' # set '''u'''ser to have only '''r'''ead and '''w'''rite, '''g'''roup and '''o'''ther to have nothing | ||
+ | $ '''ls -l test001''' | ||
+ | -rw-------. 1 chris chris 0 Sep 26 11:20 test001 | ||
+ | |||
+ | And another example using a directory: | ||
+ | |||
+ | $ '''mkdir apple''' # create a directory for testing | ||
+ | $ '''touch apple/honeycrisp''' # create some files in that directory | ||
+ | $ '''touch apple/gala''' | ||
+ | $ '''touch apple/ambrosia''' | ||
+ | $ '''ls -l -d apple''' # see the permissions on the directory | ||
+ | drwxr-xr-x. 2 chris chris 100 Sep 26 11:26 apple | ||
+ | $ '''ls -l apple''' # see the files | ||
+ | total 0 | ||
+ | -rw-r--r--. 1 chris chris 0 Sep 26 11:26 ambrosia | ||
+ | -rw-r--r--. 1 chris chris 0 Sep 26 11:25 gala | ||
+ | -rw-r--r--. 1 chris chris 0 Sep 26 11:25 honeycrisp | ||
+ | |||
+ | $ '''chmod a=rx apple''' # set permission (for all) to read and execute only | ||
+ | $ '''ls -l -d apple''' | ||
+ | dr-xr-xr-x. 2 chris chris 100 Sep 26 11:26 apple | ||
+ | $ '''ls -l apple''' # note that we can still see inside the directory | ||
+ | total 0 | ||
+ | -rw-r--r--. 1 chris chris 0 Sep 26 11:26 ambrosia | ||
+ | -rw-r--r--. 1 chris chris 0 Sep 26 11:25 gala | ||
+ | -rw-r--r--. 1 chris chris 0 Sep 26 11:25 honeycrisp | ||
+ | $ '''touch apple/macintosh''' # we cannot create a file in the directory | ||
+ | touch: cannot touch 'apple/macintosh': Permission denied | ||
+ | $ '''mv apple/gala apple/fuji''' # we cannot rename a file | ||
+ | mv: cannot move 'apple/gala' to 'apple/fuji': Permission denied | ||
+ | $ '''rm apple/gala''' # we cannot remove a file | ||
+ | rm: cannot remove 'apple/gala': Permission denied | ||
+ | |||
+ | $ '''chmod a=r apple''' # set permission to read only | ||
+ | $ '''ls -l -d apple''' | ||
+ | dr--r--r--. 2 chris chris 100 Sep 26 11:26 apple | ||
+ | $ '''ls -l apple''' # we can see the filenames (r) but not the details (x) | ||
+ | ls: cannot access 'apple/ambrosia': Permission denied | ||
+ | ls: cannot access 'apple/gala': Permission denied | ||
+ | ls: cannot access 'apple/honeycrisp': Permission denied | ||
+ | total 0 | ||
+ | -????????? ? ? ? ? ? ambrosia | ||
+ | -????????? ? ? ? ? ? gala | ||
+ | -????????? ? ? ? ? ? honeycrisp | ||
+ | $ '''cat apple/ambrosia''' # we cannot access any files in that directory (x) | ||
+ | cat: apple/ambrosia: Permission denied | ||
+ | |||
+ | $ '''chmod a=x apple''' # set permission to execute (passthrough) only | ||
+ | $ '''ls -l -d apple''' | ||
+ | d--x--x--x. 2 chris chris 100 Sep 26 11:26 apple | ||
+ | $ '''ls -l apple''' # we cannot see the list of files in that directory | ||
+ | ls: cannot open directory 'apple': Permission denied | ||
+ | $ '''ls -l apple/gala''' # however, if we know the exact name of the file, we can view it | ||
+ | -rw-r--r--. 1 chris chris 0 Sep 26 11:25 apple/gala | ||
+ | |||
+ | ==== Using Numeric Mode ==== | ||
+ | |||
+ | You can also specify a mode using a number. Each digit has a range of 0 to 7, so these are known as ''octal'' (base eight) numbers. An extra zero is often written in front of the number to indicate that the number is in octal. | ||
+ | |||
+ | When a numeric value is used to specify the permission mode, all of the permissions for all of the communities must be set at the same time. You cannot add or remove some permissions, or set permission for just some of the communities, as you can with symbolic mode. | ||
+ | |||
+ | The digits are written from left-to-right in the order of the communities (u g o), with each digit being the sum of the granted permission according to these values: | ||
+ | |||
+ | '''4''' read | ||
+ | '''2''' write | ||
+ | '''1''' execute | ||
+ | |||
+ | Examples: | ||
+ | * '''rwx''' would have a value of 7 (4+2+1) | ||
+ | * '''rw-''' would have a value of 6 (4+2) | ||
+ | * '''r--''' would have a value of 4 (4) | ||
+ | |||
+ | Therefore these permissions are equivalent: | ||
+ | |||
+ | rwxrw-r-- 0764 | ||
+ | rwxrwxrwx 0777 | ||
+ | rw-r--r-- 0744 | ||
+ | rwx--x--x 0711 | ||
+ | |||
+ | Here are some examples of <code>chmod</code> commands with numeric modes: | ||
+ | |||
+ | $ '''touch example001''' | ||
+ | $ '''ls -l example001''' | ||
+ | -rw-r--r--. 1 chris chris 0 Sep 26 11:45 example001 | ||
+ | |||
+ | $ '''chmod 0111 example001''' | ||
+ | $ '''ls -l example001''' | ||
+ | ---x--x--x. 1 chris chris 0 Sep 26 11:45 example001 | ||
+ | |||
+ | $ '''chmod 0764 example001''' | ||
+ | $ '''ls -l example001''' | ||
+ | -rwxrw-r--. 1 chris chris 0 Sep 26 11:45 example001 | ||
+ | |||
+ | $ '''chmod 0640 example001''' | ||
+ | $ '''ls -l example001''' | ||
+ | -rw-r-----. 1 chris chris 0 Sep 26 11:45 example001 | ||
+ | |||
+ | === Controlling Permissions on New Files and Directories === | ||
+ | |||
+ | There is a setting known as <code>umask</code> which controls the permissions assigned to new files and directories. The umask value is a numeric mode which represents the permissions which are '''not''' permitted on new files. | ||
+ | |||
+ | The actual permission which is given to new files is a combination of two values: | ||
+ | # The mode requested by the software creating the file (using the <code>open</code>, <code>openat</code>, or <code>creat</code> system calls), except for | ||
+ | # The modes prohibited by the umask value. | ||
+ | |||
+ | For example, a umask value of 0022 represents the permissions ----w--w- (write permission for group and other). Therefore, any new files or directories will be created ''without'' these permissions. | ||
+ | |||
+ | The umask value can be viewed or set with the <code>umask</code> command. Here are some examples: | ||
+ | |||
+ | $ '''umask''' # view the current umask | ||
+ | 0022 | ||
+ | |||
+ | $ '''touch testfile0022''' # umask of 0022 will deny write for group and other | ||
+ | $ '''ls -l testfile0022''' | ||
+ | -rw-r--r--. 1 chris chris 0 Sep 26 11:54 testfile0022 | ||
+ | |||
+ | $ '''umask 0000''' # umask of 0000 will not deny any permissions | ||
+ | $ '''touch testfile0000''' | ||
+ | $ '''ls -l testfile0000''' | ||
+ | -rw-rw-rw-. 1 chris chris 0 Sep 26 11:54 testfile0000 | ||
+ | |||
+ | $ '''umask 0027''' # umask of 0027 will deny group write, plus all permissions for other | ||
+ | $ '''touch testfile0027''' | ||
+ | $ '''ls -l testfile0027''' | ||
+ | -rw-r-----. 1 chris chris 0 Sep 26 11:55 testfile0027 | ||
+ | |||
+ | Note that the umask value is specific to the process that is currently running, and it inherited by child processes. That means that if you're using multiple shells (perhaps in multiple windows), each shell's umask value is specific to that shell, and changing it will not affect the other active shells. However, any command or program that you run from that shell will inherit the umask value. In a future topic in this course, we'll look at how to set up a umask value so that it is applied to every new shell. | ||
+ | |||
+ | === Special Permissions === | ||
+ | |||
+ | (Note that this is an advanced topic - these permissions are not used on the majority of files). | ||
+ | |||
+ | There are three additional, "special" permissions: | ||
+ | |||
+ | * Set User ID (SUID) - when applied to an executable program file, this permission changes the effective user ID from the user executing the file to the owner of the file for the duration of the process. For example, if a user <code>jdoe</code> executes the <code>passwd</code> command (which is owned by the <code>root</code> user and has the Set User ID permission enabled), the effective user ID is temporarily changed to <code>root</code> while that command is executing. This enables the <code>passwd</code> command to change the user's password in the <code>/etc/shadow</code> file, which they otherwise do not have access to. | ||
+ | * Set Group ID (SGID) - when applied to an executable program file, this permission is similar to SUID, but it changes the effective group ID instead of the effective user ID. When applied to a directory, this causes all newly-created files and directories with that directory to be owned by the same group that owns the directory. For example, if the directory <code>/var/www/html/</code> is owned by the group <code>website</code>, then any file or directory created within <code>/var/www/html/</code> will automatically be owned by the group <code>website</code> instead of the group of the person creating the file. | ||
+ | * Sticky bit (t) - when applied to a directory, any file within that directory may be renamed or deleted only by the owner of the file, by the owner of the directory, or by a privileged process (for example, <code>root</code>, the master system administrator), regardless of any other permissions that might be set. The system's temporary directoriers (<code>/tmp</code> and <code>/var/tmp</code>) have this turned on. | ||
+ | |||
+ | These permissions are represented in the <code>ls -l</code> output as modifications of the 'x' character: | ||
+ | * SUID changes the user's x character to an s (or S if eXecute is not turned on) | ||
+ | * SGID changes the group's x character to an s (or S if eXecute is not turned on) | ||
+ | * The sticky bit changes other's x character to a t (or T if the eXecute is not turned on) | ||
+ | |||
+ | When using symbolic modes with <code>chmod</code>, the permissions are requested as follows: | ||
+ | * SUID is "s" permission in the "u" community | ||
+ | * SGID is "s" permission in the "g" community | ||
+ | * Sticky is "t" permission in the "o" community | ||
+ | |||
+ | When using numeric modes with <code>chmod</code>, these special permissions are represented as an additional octal digit to the left of the three basic octal permission digits. The value of these special permissions is: | ||
+ | * '''4''' SUID | ||
+ | * '''2''' SGID | ||
+ | * '''1''' Sticky | ||
+ | |||
+ | Examples: | ||
+ | $ '''cp /usr/bin/cp mycp''' # make a private copy of the 'cp' command | ||
+ | $ '''ls -l mycp''' # view the original permissions | ||
+ | -rwxr-xr-x. 1 chris chris 145488 Sep 26 12:21 mycp | ||
+ | $ '''chmod u+s mycp''' # add SUID | ||
+ | $ '''ls -l mycp''' # view the new permissions | ||
+ | -rwsr-xr-x. 1 chris chris 145488 Sep 26 12:2$ ls -l -d /usr/bin/passwd /tmp | ||
+ | drwxrwxrwt. 26 root root 600 Sep 26 12:21 /tmp | ||
+ | -rwsr-xr-x. 1 root root 32760 Jan 18 2023 /usr/bin/passwd | ||
+ | 1 mycp | ||
+ | |||
+ | $ '''cp /usr/bin/mv mymv''' # make a private copy of the 'mv' command | ||
+ | $ '''ls -l mymv''' # view the original permissions | ||
+ | -rwxr-xr-x. 1 chris chris 137280 Sep 26 12:21 mymv | ||
+ | $ '''chmod 06755 mymv''' # turn on SUID and SGID and set permissions to rwxr-xr-x | ||
+ | $ '''ls -l mymv''' # view the new permissions | ||
+ | -rwsr-sr-x. 1 chris chris 137280 Sep 26 12:21 mymv | ||
+ | |||
+ | $ '''ls -l -d /usr/bin/passwd /tmp''' # view some existing files with special permissions | ||
+ | drwxrwxrwt. 26 root root 600 Sep 26 12:21 /tmp | ||
+ | -rwsr-xr-x. 1 root root 32760 Jan 18 2023 /usr/bin/passwd | ||
+ | |||
+ | == Access Control Lists == | ||
+ | |||
+ | Windows and Linux both offer File Access Control Lists (FACLs or ACLs) to provide fine-grained control of file access. ACLs allow individual file permissions to be granted or denied to individual users and groups. However, the management of ACLs can be a complicated subject, and even experienced users sometimes misconfigure ACLs! | ||
+ | |||
+ | Due to this complexity, we will not be covering ACLs in this introductory course. | ||
+ | |||
+ | However, on a Windows system, basic manipulation of ACLs can be performed using the Windows Explorer file manager. Select a file which is stored on an NTFS filesystem (most internal hard disks or solid state disks, but not external drives) and right-click on it to view the file's Properties. Select the Security tab on the dialog that is displayed to view the users for which ACLs have been created, and the basic permissions that have been allowed or denied for that user on the selected file. Note that the effective permission will be a combination of the permissions allowed/denied on the file as well as on the parent directories. |
Revision as of 12:50, 26 September 2023
In multi-user operating systems it is important to be able to control access to information. This is usually done at the file and directory levels.
Contents
Discretionary versus Mandatory Access Controls
There are two broad categories of access controls applied to files and directories:
- Discretionary Access Controls (DACs) - these are access controls that can be set to any value at the discretion of the users or administrators of the computer system.
- Mandatory Access Controls (MACs) - these are access controls that are applied across the entire system in a uniform way, and cannot be individually overridden by the users or administrators. An example of a Mandatory Access Control system is SELinux (security-enhanced Linux), a system originally developed by the National Security Agency of the US Federal Government and now part of the Linux Kernel (via KSM - Kernel Security Models). SELinux uses type enforcement and labelling of both resources (files, network connections) and processes to determine whether a specific process should have access to a specific resource, and to deny access when it does not. SELinux is used in several operating systems, including Fedora, CentOS, Red Hat Enterprise Linux, and Android.
In this OPS102 course, we will be looking only at DACs.
Linux File Permissions
Unix-like operating systems, such as Linux, provide a simple model for maintaining file and directory permissions. There is a more advanced model available, called File Access Control Lists (File ACLs or FACLs - see below), but it is more complicated to manage, and experience has shown that the simpler model is more likely to be used.
Linux systems also provide
Permission Communities
There are three communities of users for each file:
- User -- the one user that owns the file
- Group -- the group of users that is the group-owner of the file
- Other -- every other user of the computer system
These communitities are presented in this order, so remember the sequence!: User - Group - Other (u g o)
Permissions
Each community has three permissions for each file which may be individually turned on or off:
- Read -- the ability to read a file.
- Write -- the ability to write to the file, including permission to add to, change, or truncate (shorten) the file.
- eXecute -- the ability to run (execute) a file.
Remember this sequence also!: Read - Write - eXecute (r w x)
When applied to directories, these permissions are interpreted differently:
- Read -- the ability to see the names of the files and subdirectories within the directory. This is also called "search" permission.
- Write -- the ability to create/delete files and subdirectories within the directory.
- eXecute -- the ability to access files with the directory. If turned off, the files cannot be accessed, and metadata about each file (such as the owner, group owner, file length, permissions, and timestamps) cannot be accessed either. This is sometimes called passthrough permission.
If execute permission is enabled for a directory but read permission has not been enabled, the affected community cannot view a directory listing to determine filenames, but if they know the name of a file within that directory, they may still access it.
Viewing Permissions
Permissions may be viewed with the ls -l
command (the ls
command with the -l
"long detailed listing" option). For example:
$ ls -l /etc/hosts -rw-r--r--. 1 root root 386 Nov 27 2022 /etc/hosts
Notice that the file's owner is "root", and the file's group owner is also "root".
The first character on this line is the file type ("-" meaning a regular file), and the next nine characters represent the three communities, each having three permissions. The permissions are written as a letter -- "r", "w", or "x" -- if the permission is enabled, or a dash "-" if the permission is disabled. Therefore, in the example above:
rw- the owner has read and write permission r-- the group has read permission r-- others have read permission
To view the permisions on a directory, you may need to specify the -d
option to the ls
command, which causes it to display the specified directory instead of the contents of that directory. For example:
$ ls -l / # displays the contents of the root directory total 68 dr-xr-xr-x. 2 root root 4096 Jan 18 2023 afs lrwxrwxrwx. 1 root root 7 Jan 18 2023 bin -> usr/bin dr-xr-xr-x. 6 root root 4096 Sep 15 22:56 boot drwxr-xr-x. 23 root root 4860 Sep 26 10:41 dev drwxr-xr-x. 178 root root 12288 Sep 26 09:42 etc drwxr-xr-x. 5 root root 4096 May 30 14:27 home lrwxrwxrwx. 1 root root 7 Jan 18 2023 lib -> usr/lib lrwxrwxrwx. 1 root root 9 Jan 18 2023 lib64 -> usr/lib64 drwx------. 2 root root 16384 Apr 13 17:42 lost+found drwxr-xr-x. 2 root root 4096 Jan 18 2023 media drwxr-xr-x. 5 root root 4096 Jun 14 10:45 mnt drwxr-xr-x. 5 root root 4096 Sep 6 10:09 opt dr-xr-xr-x. 489 root root 0 Sep 26 06:26 proc dr-xr-x---. 10 root root 4096 Sep 25 05:31 root drwxr-xr-x. 56 root root 1480 Sep 26 10:28 run lrwxrwxrwx. 1 root root 8 Jan 18 2023 sbin -> usr/sbin drwxr-xr-x. 2 root root 4096 Jan 18 2023 srv dr-xr-xr-x. 13 root root 0 Sep 26 10:26 sys drwxrwxrwt. 25 root root 580 Sep 26 10:51 tmp drwxr-xr-x. 13 root root 4096 May 30 09:33 usr drwxr-xr-x. 21 root root 4096 May 30 12:46 var
$ ls -l -d / # displays the root directory itself dr-xr-xr-x. 19 root root 4096 Sep 4 15:05 /
Setting Permissions
The permissions on a file are also called the permission mode of the file, so the command to change the permissions is called chmod
("change mode").
The chmod
command can be used in either of two ways: with symbolic or numeric permissions.
In either case, the command accepts the mode as the first positional argument, and the filename(s) (or patterns) as the remaining positional arguments:
chmod mode filename [...]
Using Symbolic Mode
Symbolic mode represents permissions as a list of one or more communities, represented by a letter:
u (user) g (group) o (other) a (all - a short form to specify ugo)
This is followed by an action symbol:
+ (add permissions) - (remove permissions) = (set permissions)
The difference between +/- and = is that +/- will add or remove the specified permissions while leaving other permissions unchanged, while = will explicitly set the permissions to exactly the value specified.
This is followed zero or more of these letters, representing permissions:
r (read) w (write) x (execute - note that this is lowercase) X (execute if applied to a directory, or nothing if applied to a file -- note that this is UPPERCASE)
Here is an example:
$ touch test001 # create a file for testing $ ls -l test001 # show the current permissions -rw-r--r--. 1 chris chris 0 Sep 26 11:20 test001 $ chmod g+w test001 # to group, add (+) write permission $ ls -l test001 -rw-rw-r--. 1 chris chris 0 Sep 26 11:20 test001 $ chmod o-r test001 # to other, remove (-) read permission $ ls -l test001 -rw-rw----. 1 chris chris 0 Sep 26 11:20 test001 $ chmod u=rw,go= test001 # set user to have only read and write, group and other to have nothing $ ls -l test001 -rw-------. 1 chris chris 0 Sep 26 11:20 test001
And another example using a directory:
$ mkdir apple # create a directory for testing $ touch apple/honeycrisp # create some files in that directory $ touch apple/gala $ touch apple/ambrosia $ ls -l -d apple # see the permissions on the directory drwxr-xr-x. 2 chris chris 100 Sep 26 11:26 apple $ ls -l apple # see the files total 0 -rw-r--r--. 1 chris chris 0 Sep 26 11:26 ambrosia -rw-r--r--. 1 chris chris 0 Sep 26 11:25 gala -rw-r--r--. 1 chris chris 0 Sep 26 11:25 honeycrisp $ chmod a=rx apple # set permission (for all) to read and execute only $ ls -l -d apple dr-xr-xr-x. 2 chris chris 100 Sep 26 11:26 apple $ ls -l apple # note that we can still see inside the directory total 0 -rw-r--r--. 1 chris chris 0 Sep 26 11:26 ambrosia -rw-r--r--. 1 chris chris 0 Sep 26 11:25 gala -rw-r--r--. 1 chris chris 0 Sep 26 11:25 honeycrisp $ touch apple/macintosh # we cannot create a file in the directory touch: cannot touch 'apple/macintosh': Permission denied $ mv apple/gala apple/fuji # we cannot rename a file mv: cannot move 'apple/gala' to 'apple/fuji': Permission denied $ rm apple/gala # we cannot remove a file rm: cannot remove 'apple/gala': Permission denied $ chmod a=r apple # set permission to read only $ ls -l -d apple dr--r--r--. 2 chris chris 100 Sep 26 11:26 apple $ ls -l apple # we can see the filenames (r) but not the details (x) ls: cannot access 'apple/ambrosia': Permission denied ls: cannot access 'apple/gala': Permission denied ls: cannot access 'apple/honeycrisp': Permission denied total 0 -????????? ? ? ? ? ? ambrosia -????????? ? ? ? ? ? gala -????????? ? ? ? ? ? honeycrisp $ cat apple/ambrosia # we cannot access any files in that directory (x) cat: apple/ambrosia: Permission denied $ chmod a=x apple # set permission to execute (passthrough) only $ ls -l -d apple d--x--x--x. 2 chris chris 100 Sep 26 11:26 apple $ ls -l apple # we cannot see the list of files in that directory ls: cannot open directory 'apple': Permission denied $ ls -l apple/gala # however, if we know the exact name of the file, we can view it -rw-r--r--. 1 chris chris 0 Sep 26 11:25 apple/gala
Using Numeric Mode
You can also specify a mode using a number. Each digit has a range of 0 to 7, so these are known as octal (base eight) numbers. An extra zero is often written in front of the number to indicate that the number is in octal.
When a numeric value is used to specify the permission mode, all of the permissions for all of the communities must be set at the same time. You cannot add or remove some permissions, or set permission for just some of the communities, as you can with symbolic mode.
The digits are written from left-to-right in the order of the communities (u g o), with each digit being the sum of the granted permission according to these values:
4 read 2 write 1 execute
Examples:
- rwx would have a value of 7 (4+2+1)
- rw- would have a value of 6 (4+2)
- r-- would have a value of 4 (4)
Therefore these permissions are equivalent:
rwxrw-r-- 0764 rwxrwxrwx 0777 rw-r--r-- 0744 rwx--x--x 0711
Here are some examples of chmod
commands with numeric modes:
$ touch example001 $ ls -l example001 -rw-r--r--. 1 chris chris 0 Sep 26 11:45 example001 $ chmod 0111 example001 $ ls -l example001 ---x--x--x. 1 chris chris 0 Sep 26 11:45 example001 $ chmod 0764 example001 $ ls -l example001 -rwxrw-r--. 1 chris chris 0 Sep 26 11:45 example001 $ chmod 0640 example001 $ ls -l example001 -rw-r-----. 1 chris chris 0 Sep 26 11:45 example001
Controlling Permissions on New Files and Directories
There is a setting known as umask
which controls the permissions assigned to new files and directories. The umask value is a numeric mode which represents the permissions which are not permitted on new files.
The actual permission which is given to new files is a combination of two values:
- The mode requested by the software creating the file (using the
open
,openat
, orcreat
system calls), except for - The modes prohibited by the umask value.
For example, a umask value of 0022 represents the permissions ----w--w- (write permission for group and other). Therefore, any new files or directories will be created without these permissions.
The umask value can be viewed or set with the umask
command. Here are some examples:
$ umask # view the current umask 0022 $ touch testfile0022 # umask of 0022 will deny write for group and other $ ls -l testfile0022 -rw-r--r--. 1 chris chris 0 Sep 26 11:54 testfile0022 $ umask 0000 # umask of 0000 will not deny any permissions $ touch testfile0000 $ ls -l testfile0000 -rw-rw-rw-. 1 chris chris 0 Sep 26 11:54 testfile0000 $ umask 0027 # umask of 0027 will deny group write, plus all permissions for other $ touch testfile0027 $ ls -l testfile0027 -rw-r-----. 1 chris chris 0 Sep 26 11:55 testfile0027
Note that the umask value is specific to the process that is currently running, and it inherited by child processes. That means that if you're using multiple shells (perhaps in multiple windows), each shell's umask value is specific to that shell, and changing it will not affect the other active shells. However, any command or program that you run from that shell will inherit the umask value. In a future topic in this course, we'll look at how to set up a umask value so that it is applied to every new shell.
Special Permissions
(Note that this is an advanced topic - these permissions are not used on the majority of files).
There are three additional, "special" permissions:
- Set User ID (SUID) - when applied to an executable program file, this permission changes the effective user ID from the user executing the file to the owner of the file for the duration of the process. For example, if a user
jdoe
executes thepasswd
command (which is owned by theroot
user and has the Set User ID permission enabled), the effective user ID is temporarily changed toroot
while that command is executing. This enables thepasswd
command to change the user's password in the/etc/shadow
file, which they otherwise do not have access to. - Set Group ID (SGID) - when applied to an executable program file, this permission is similar to SUID, but it changes the effective group ID instead of the effective user ID. When applied to a directory, this causes all newly-created files and directories with that directory to be owned by the same group that owns the directory. For example, if the directory
/var/www/html/
is owned by the groupwebsite
, then any file or directory created within/var/www/html/
will automatically be owned by the groupwebsite
instead of the group of the person creating the file. - Sticky bit (t) - when applied to a directory, any file within that directory may be renamed or deleted only by the owner of the file, by the owner of the directory, or by a privileged process (for example,
root
, the master system administrator), regardless of any other permissions that might be set. The system's temporary directoriers (/tmp
and/var/tmp
) have this turned on.
These permissions are represented in the ls -l
output as modifications of the 'x' character:
- SUID changes the user's x character to an s (or S if eXecute is not turned on)
- SGID changes the group's x character to an s (or S if eXecute is not turned on)
- The sticky bit changes other's x character to a t (or T if the eXecute is not turned on)
When using symbolic modes with chmod
, the permissions are requested as follows:
- SUID is "s" permission in the "u" community
- SGID is "s" permission in the "g" community
- Sticky is "t" permission in the "o" community
When using numeric modes with chmod
, these special permissions are represented as an additional octal digit to the left of the three basic octal permission digits. The value of these special permissions is:
- 4 SUID
- 2 SGID
- 1 Sticky
Examples:
$ cp /usr/bin/cp mycp # make a private copy of the 'cp' command $ ls -l mycp # view the original permissions -rwxr-xr-x. 1 chris chris 145488 Sep 26 12:21 mycp $ chmod u+s mycp # add SUID $ ls -l mycp # view the new permissions -rwsr-xr-x. 1 chris chris 145488 Sep 26 12:2$ ls -l -d /usr/bin/passwd /tmp
drwxrwxrwt. 26 root root 600 Sep 26 12:21 /tmp -rwsr-xr-x. 1 root root 32760 Jan 18 2023 /usr/bin/passwd 1 mycp
$ cp /usr/bin/mv mymv # make a private copy of the 'mv' command $ ls -l mymv # view the original permissions -rwxr-xr-x. 1 chris chris 137280 Sep 26 12:21 mymv $ chmod 06755 mymv # turn on SUID and SGID and set permissions to rwxr-xr-x $ ls -l mymv # view the new permissions -rwsr-sr-x. 1 chris chris 137280 Sep 26 12:21 mymv $ ls -l -d /usr/bin/passwd /tmp # view some existing files with special permissions drwxrwxrwt. 26 root root 600 Sep 26 12:21 /tmp -rwsr-xr-x. 1 root root 32760 Jan 18 2023 /usr/bin/passwd
Access Control Lists
Windows and Linux both offer File Access Control Lists (FACLs or ACLs) to provide fine-grained control of file access. ACLs allow individual file permissions to be granted or denied to individual users and groups. However, the management of ACLs can be a complicated subject, and even experienced users sometimes misconfigure ACLs!
Due to this complexity, we will not be covering ACLs in this introductory course.
However, on a Windows system, basic manipulation of ACLs can be performed using the Windows Explorer file manager. Select a file which is stored on an NTFS filesystem (most internal hard disks or solid state disks, but not external drives) and right-click on it to view the file's Properties. Select the Security tab on the dialog that is displayed to view the users for which ACLs have been created, and the basic permissions that have been allowed or denied for that user on the selected file. Note that the effective permission will be a combination of the permissions allowed/denied on the file as well as on the parent directories.