Difference between pages "Package:Bash" and "File permissions"
m |
(Started to talk about setuid, setgid and sticky bits.) |
||
| Line 1: | Line 1: | ||
== File permissions == | |||
=== Common permissions === | |||
With Linux, the most common way to handle user rights provides three distinct rights on files. The meaning of these rights for directories (which '''are''' files in Linux) is slightly different. | |||
{|class="table table-striped" | {|class="table table-striped" | ||
|| | ! Subject || Right (Oct. repr.) || Description || Typical granted commands | ||
|- | |- | ||
|| <code> | |rowspan=3| '''File''' || <code>r (4)</code> || Read || cat ''f'', less ''f'', grep ''f'', file ''f'' | ||
|- | |- | ||
|| <code> | || <code>w (2)</code> || Write || sed -i ''f'', shred ''f'', truncate ''f'', vi ''f'' | ||
|- | |- | ||
|| <code> | || <code>x (1)</code> || Execution || /absolute/path/to/''f'', relative/path/to/''f'' | ||
|- | |- | ||
|| <code> | |rowspan=3| '''Directory''' || <code>r (4)</code> || List contents || ls ''d'' | ||
|- | |- | ||
|| <code> | || <code>w (2)</code> || Create/Remove files || touch ''d''/a_file, mkdir ''d''/a_dir, rm ''d''/a_file, rmdir ''d''/a_dir, chmod ''d''/a_file, chown ''d''/a_dir | ||
|- | |- | ||
|| <code> | || <code>x (1)</code> || Browse hierarchy || cd ''d'', pushd ''d'' | ||
|} | |||
You would notice that rights octal representation is coded with powers of 2. This is a common way to represent bunch two-states settings that can be independently toggled. Indeed, a file does not properly ''have'' a list of permissions set, you should see this rather as a a bit string (where a '''1''' at the position '''i''' means '''ON''' and a '''0''' means '''OFF''' for the right coded '''2<sup>i</sup>'''). | |||
An example is worth 1000 words: | |||
<pre> | |||
rwx Octal Permissions | |||
000 0 None | |||
001 1 Execution only | |||
010 2 Read only | |||
100 4 Write only | |||
111 7 All (ie. Read and Write and Execution) | |||
110 6 All but Execution (ie. Read and Write) | |||
</pre> | |||
File permissions are split into three categories of users: | |||
; The owner of the file (<code>u</code> as user): Typically the creator of the file | |||
; The group of the file (<code>g</code> as group): Typically the main group of the owner | |||
; The others (<code>o</code> as others): Anybody else | |||
File permissions are thus represented with nine bits. The three most significant representing the owner rights and the three least significant representing others rights. For instance, a typical file permission is <code>640</code> which means <q style="font-style:italic">The owner can read an write, the group have a read-only access, and other can't even read it</q>. | |||
=== Alter permissions meaning === | |||
There is actually three more bits that allow you to alter the meaning of other permissions | |||
{|class="table table-striped" | |||
! Subject || Right (Oct. repr.) || Name || Description | |||
|- | |||
|rowspan=3| '''File''' || <code>s/S (4)</code> || Setuid bit || - | |||
|- | |- | ||
|| <code> | || <code>s/S (2)</code> || Setgid bit || - | ||
|- | |- | ||
||<code> | || <code>t/T (1)</code> || Sticky bit || - | ||
|- | |- | ||
|| <code> | |rowspan=3| '''Directory''' || <code>s/S (4)</code> || Setuid bit || - | ||
|- | |- | ||
|| <code> | || <code>s/S (2)</code> || Setgid bit || - | ||
|- | |- | ||
|| <code> | || <code>t/T (1)</code> || Sticky bit || - | ||
|} | |||
=== Going further === | |||
As you would have notice, this does not provide a fine-grained way to manage permissions, but this is quite light, simple, and sufficient for most usages. However, if you think you need a really fine-grained level, you should consider looking at [[SELinux]]. | |||
== Manage user and groups == | |||
Users, and Groups are named, and numbered. the lower the number the more permissions the account has. For example root user has the number 0, and root group has the number 0. To display this information: | |||
<console>###i## cat /etc/passwd | |||
###i## cat /etc/group</console> | |||
=== Add user === | |||
You can add user with useradd. | |||
<console> | |||
###i## useradd -g users -G wheel,portage,audio,video,usb,cdrom,tty -m <username> | |||
</console> | |||
=== Delete user === | |||
You can delete user with userdel. | |||
<console> | |||
###i## userdel <username> | |||
</console> | |||
{{fancynote|If you want to remove user files as well (home directory and mail spool, use the <code>-r</code> option: | |||
<console> | |||
###i## userdel -r <username> | |||
</console> | |||
}} | |||
=== List groups === | |||
You can list groups with group. | |||
<console> | |||
$##i## groups | |||
$##i## groups <username> | |||
</console> | |||
=== Add or remove user from group === | |||
You can add or remove user from group with gpasswd. | |||
<console> | |||
###i## gpasswd -a <user> <group> | |||
###i## gpasswd -d <user> <group> | |||
</console> | |||
=== Create or delete groups === | |||
You can create or delete groups with groupadd. | |||
<console> | |||
###i## groupadd <group> | |||
###i## groupdel <group> | |||
</console> | |||
== Manage rights on files == | |||
=== Change file permissions === | |||
You can change file permissions with <code>chmod</code>. | |||
<console> | |||
$##i## chmod <u><g><o> <file> | |||
</console> | |||
Where <nowiki><u>, <g> and <o></nowiki> are respectively the octal representation of the rights you want to set for the owner, the group and others. | |||
<pre>7 = 4+2+1 (read/write/execute) | |||
6 = 4+2 (read/write) | |||
5 = 4+1 (read/execute) | |||
4 = 4 (read) | |||
3 = 2+1 (write/execute) | |||
2 = 2 (write) | |||
1 = 1 (execute)</pre> | |||
=== Change owner and group of file === | |||
You can change owner and group of a file with <code>chown</code>. | |||
<console> | |||
###i## chown <user>:<group> <file> | |||
</console> | |||
You can change owner of a directory and children recursively with: | |||
<console> | |||
###i## chown -R <user>:<group> <folder> | |||
</console> | |||
=== Security === | |||
Generally you will want to have restrictive yet functional permissions. 777 on everything is a bad idea, especially files containing plain text passwords. 600 is common for files like this, with a high level user. mediawiki's LocalSettings.php has database passwords. A good method to lock this down is to change its permissions to 600, and set the file owner as the webserver's user. | |||
=== Can I have write permission on a file while not being allowed to read it? === | |||
Yes, you can! Example: | |||
<console> | |||
##i### echo "$USER: You can't read! >:)" > /tmp/test | |||
##i### ls -l /tmp/test | |||
-rw-r--r-- 1 root root 6 Oct 2 07:30 /tmp/test | |||
##i### chmod o-r+w /tmp/test | |||
##i### ls -l /tmp/test | |||
-rw-r---w- 1 root root 6 Oct 2 07:30 /tmp/test | |||
##i### cat /tmp/test | |||
root: You can't read! >:) | |||
##i### su anyuser | |||
##i##$ cat /tmp/test/ | |||
cat: /tmp/test: Permission denied | |||
##i##$ vi /tmp/test/ | |||
---[Permission Denied]--- | |||
##i##$ echo "$USER: But I can write! :)" >> /tmp/test | |||
##i##$ exit | |||
##i### cat /tmp/test | |||
root: You can't read! >:) | |||
anyuser: But I can write! :) | |||
</console> | |||
I don't know if this has an actual application though. Maybe if you need to allow some users to write (and truncate) logs in the same file but you don't want them to be able read what others wrote... | |||
[[Category:HOWTO]] | |||
[[Category:First Steps]] | |||
Revision as of 06:18, October 2, 2014
File permissions
Common permissions
With Linux, the most common way to handle user rights provides three distinct rights on files. The meaning of these rights for directories (which are files in Linux) is slightly different.
| Subject | Right (Oct. repr.) | Description | Typical granted commands |
|---|---|---|---|
| File | r (4) |
Read | cat f, less f, grep f, file f |
w (2) |
Write | sed -i f, shred f, truncate f, vi f | |
x (1) |
Execution | /absolute/path/to/f, relative/path/to/f | |
| Directory | r (4) |
List contents | ls d |
w (2) |
Create/Remove files | touch d/a_file, mkdir d/a_dir, rm d/a_file, rmdir d/a_dir, chmod d/a_file, chown d/a_dir | |
x (1) |
Browse hierarchy | cd d, pushd d |
You would notice that rights octal representation is coded with powers of 2. This is a common way to represent bunch two-states settings that can be independently toggled. Indeed, a file does not properly have a list of permissions set, you should see this rather as a a bit string (where a 1 at the position i means ON and a 0 means OFF for the right coded 2i).
An example is worth 1000 words:
rwx Octal Permissions 000 0 None 001 1 Execution only 010 2 Read only 100 4 Write only 111 7 All (ie. Read and Write and Execution) 110 6 All but Execution (ie. Read and Write)
File permissions are split into three categories of users:
- The owner of the file (
uas user) - Typically the creator of the file
- The group of the file (
gas group) - Typically the main group of the owner
- The others (
oas others) - Anybody else
File permissions are thus represented with nine bits. The three most significant representing the owner rights and the three least significant representing others rights. For instance, a typical file permission is 640 which means The owner can read an write, the group have a read-only access, and other can't even read it
.
Alter permissions meaning
There is actually three more bits that allow you to alter the meaning of other permissions
| Subject | Right (Oct. repr.) | Name | Description |
|---|---|---|---|
| File | s/S (4) |
Setuid bit | - |
s/S (2) |
Setgid bit | - | |
t/T (1) |
Sticky bit | - | |
| Directory | s/S (4) |
Setuid bit | - |
s/S (2) |
Setgid bit | - | |
t/T (1) |
Sticky bit | - |
Going further
As you would have notice, this does not provide a fine-grained way to manage permissions, but this is quite light, simple, and sufficient for most usages. However, if you think you need a really fine-grained level, you should consider looking at SELinux.
Manage user and groups
Users, and Groups are named, and numbered. the lower the number the more permissions the account has. For example root user has the number 0, and root group has the number 0. To display this information:
root # cat /etc/passwd root # cat /etc/group
Add user
You can add user with useradd.
root # useradd -g users -G wheel,portage,audio,video,usb,cdrom,tty -m <username>
Delete user
You can delete user with userdel.
root # userdel <username>
If you want to remove user files as well (home directory and mail spool, use the -r option:
root # userdel -r <username>
List groups
You can list groups with group.
user $ groups user $ groups <username>
Add or remove user from group
You can add or remove user from group with gpasswd.
root # gpasswd -a <user> <group> root # gpasswd -d <user> <group>
Create or delete groups
You can create or delete groups with groupadd.
root # groupadd <group> root # groupdel <group>
Manage rights on files
Change file permissions
You can change file permissions with chmod.
user $ chmod <u><g><o> <file>
Where <u>, <g> and <o> are respectively the octal representation of the rights you want to set for the owner, the group and others.
7 = 4+2+1 (read/write/execute) 6 = 4+2 (read/write) 5 = 4+1 (read/execute) 4 = 4 (read) 3 = 2+1 (write/execute) 2 = 2 (write) 1 = 1 (execute)
Change owner and group of file
You can change owner and group of a file with chown.
root # chown <user>:<group> <file>
You can change owner of a directory and children recursively with:
root # chown -R <user>:<group> <folder>
Security
Generally you will want to have restrictive yet functional permissions. 777 on everything is a bad idea, especially files containing plain text passwords. 600 is common for files like this, with a high level user. mediawiki's LocalSettings.php has database passwords. A good method to lock this down is to change its permissions to 600, and set the file owner as the webserver's user.
Can I have write permission on a file while not being allowed to read it?
Yes, you can! Example:
root ##i### echo "$USER: You can't read! >:)" > /tmp/test root ##i### ls -l /tmp/test -rw-r--r-- 1 root root 6 Oct 2 07:30 /tmp/test root ##i### chmod o-r+w /tmp/test root ##i### ls -l /tmp/test -rw-r---w- 1 root root 6 Oct 2 07:30 /tmp/test root ##i### cat /tmp/test root: You can't read! >:) root ##i### su anyuser root ##i##$ cat /tmp/test/ cat: /tmp/test: Permission denied root ##i##$ vi /tmp/test/ ---[Permission Denied]--- root ##i##$ echo "$USER: But I can write! :)" >> /tmp/test root ##i##$ exit root ##i### cat /tmp/test root: You can't read! >:) anyuser: But I can write! :)
I don't know if this has an actual application though. Maybe if you need to allow some users to write (and truncate) logs in the same file but you don't want them to be able read what others wrote...