Difference between revisions of "File permissions"

m (What the hell was this "worths" doing here?)
 
(10 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== chmod ==
+
__NOTOC__
You can change file permissions with:
+
 
 +
== File permissions ==
 +
 
 +
With Linux, the most common way to handle user rights provides three distinct rights on files. The meaning of these rights for directories (which '''are''' files in Linux) is slightly different.
 +
 
 +
{|class="table table-striped"
 +
! Subject                  || Right (Oct. repr.) || Description        || Typical granted commands
 +
|-
 +
|rowspan=3| '''File'''      || <code>r (4)</code> || Read                || cat ''f'', less ''f'', grep ''f'', file ''f''
 +
|-
 +
                            || <code>w (2)</code> || Write              || sed -i ''f'', shred ''f'', truncate ''f'', vi ''f''
 +
|-
 +
                            || <code>x (1)</code> || Execution          || /absolute/path/to/''f'', relative/path/to/''f''
 +
|-
 +
|rowspan=3| '''Directory''' || <code>r (4)</code> || List contents      || ls ''d''
 +
|-
 +
                            || <code>w (2)</code> || Create/Remove files || touch ''d''/a_file, mkdir ''d''/a_dir, rm ''d''/a_file, rmdir ''d''/a_dir, chmod ''d''/a_file, chown ''d''/a_dir
 +
|-
 +
                            || <code>x (1)</code> || Browse hierarchy    || cd ''d'', pushd ''d''
 +
|}
 +
 
 +
You would notice that rights octal representation is coded with powers of 2. This is a common way to represent bunch two-states settings that can be independently toggled. Indeed, a file does not properly ''have'' a list of permissions set, you should see this rather as a a bit string (where a '''1''' at the position '''i''' means '''ON''' and a '''0''' means '''OFF''' for the right coded '''2<sup>i</sup>''').
 +
 
 +
An example is worth 1000 words:
 +
 
 +
<pre>
 +
-rwx    Octal    Permissions
 +
0000      0      None
 +
0001      1      Execution only
 +
0010      2      Read only
 +
0100      4      Write only
 +
0111      7      All (ie. Read and Write and Execution)
 +
0110      6      All but Execution (ie. Read and Write)
 +
</pre>
 +
 
 +
File permissions are split into three categories of users:
 +
 
 +
; The owner of the file (<code>u</code> as user): Typically the creator of the file
 +
; The group of the file (<code>g</code> as group): Typically the main group of the owner
 +
; The others (<code>o</code> as others): Anybody else
 +
 
 +
As you would have notice, this does not provide a fine-grained way to manage permissions, but this is quite light, simple, and sufficient for most usages. However, if you think you need a really fine-grained level, you should consider looking at [[SELinux]].
 +
 
 +
== Manage user and groups ==
 +
 
 +
Users, and Groups  are named, and numbered.  the lower the number the more permissions the account has.  For example root user has the number 0, and root group has the number 0.  To display this information:
 +
<console>###i## cat /etc/passwd
 +
###i## cat /etc/group</console>
 +
 
 +
=== Add user ===
 +
 
 +
You can add user with useradd.
 +
 
 
<console>
 
<console>
$##bl## chmod [r][g][u] [file]
+
###i## useradd -g users -G wheel,portage,audio,video,usb,cdrom,tty -m <username>
 
</console>
 
</console>
[r] = number for root permissions, [g] = number for group permissions and [u] = number for user permissions.
 
<pre>7 = 4+2+1 (read/write/execute)
 
6 = 4+2 (read/write)
 
5 = 4+1 (read/execute)
 
4 = 4 (read)
 
3 = 2+1 (write/execute)
 
2 = 2 (write)
 
1 = 1 (execute)</pre>
 
  
== chown ==
+
=== Delete user ===
You can change owner and group of file with:
+
 
 +
You can delete user with userdel.
 +
 
 
<console>
 
<console>
###i## chown [user]:[group] [file]
+
###i## userdel <username>
 
</console>
 
</console>
You can change owner of folder and files inside recursively with:
+
 
 +
{{fancynote|If you want to remove user files as well (home directory and mail spool, use the <code>-r</code> option:
 
<console>
 
<console>
###i## chown -R [user]:[group] [folder]
+
###i## userdel -r <username>
 
</console>
 
</console>
 +
}}
 +
 +
=== List groups ===
 +
 +
You can list groups with group.
  
== gpasswd ==
 
You can add user to group with:
 
 
<console>
 
<console>
###i## gpasswd -a [user] [group]
+
$##i## groups
 +
$##i## groups <username>
 
</console>
 
</console>
You can remove a user from a group with:
+
 
 +
=== Add or remove user from group ===
 +
 
 +
You can add or remove user from group with gpasswd.
 +
 
 
<console>
 
<console>
###i## gpasswd -d [user] [group]
+
###i## gpasswd -a <user> <group>
 +
###i## gpasswd -d <user> <group>
 
</console>
 
</console>
  
== useradd ==
+
=== Create or delete groups ===
You can add a new user with:
+
 
 +
You can create or delete groups with groupadd.
 +
 
 
<console>
 
<console>
###i## useradd -g users -G wheel,audio,portage -m [user]
+
###i## groupadd <group>
###i## passwd [user]
+
###i## groupdel <group>
 
</console>
 
</console>
You can delete a user with:
+
 
 +
== Manage rights on files ==
 +
 
 +
=== Change file permissions ===
 +
 
 +
You can change file permissions with <code>chmod</code>.
 +
 
 
<console>
 
<console>
###i## userdel [user]
+
$##i## chmod <u><g><o> <file>
 
</console>
 
</console>
  
== groupadd ==
+
Where <nowiki><u>, <g> and <o></nowiki> are respectively the octal representation of the rights you want to set for the owner, the group and others.
You can add a new group with:
+
 
 +
<pre>7 = 4+2+1 (read/write/execute)
 +
6 = 4+2 (read/write)
 +
5 = 4+1 (read/execute)
 +
4 = 4 (read)
 +
3 = 2+1 (write/execute)
 +
2 = 2 (write)
 +
1 = 1 (execute)</pre>
 +
 
 +
=== Change owner and group of file ===
 +
 
 +
You can change owner and group of a file with <code>chown</code>.
 +
 
 
<console>
 
<console>
###i## groupadd [group]
+
###i## chown <user>:<group> <file>
 
</console>
 
</console>
You can delete a group with:
+
 
 +
You can change owner of a directory and children recursively with:
 +
 
 
<console>
 
<console>
###i## groupdel [group]
+
###i## chown -R <user>:<group> <folder>
 
</console>
 
</console>
 +
 +
=== Security ===
 +
 +
Generally you will want to have restrictive yet functional permissions.  777 on everything is a bad idea, especially files containing plain text passwords.  600 is common for files like this, with a high level user.  mediawiki's LocalSettings.php has database passwords.  A good method to lock this down is to change its permissions to 600, and set the file owner as the webserver's user.
  
 
[[Category:HOWTO]]
 
[[Category:HOWTO]]
 
[[Category:First Steps]]
 
[[Category:First Steps]]

Latest revision as of 09:03, 28 September 2014


File permissions

With Linux, the most common way to handle user rights provides three distinct rights on files. The meaning of these rights for directories (which are files in Linux) is slightly different.

Subject Right (Oct. repr.) Description Typical granted commands
File r (4) Read cat f, less f, grep f, file f
w (2) Write sed -i f, shred f, truncate f, vi f
x (1) Execution /absolute/path/to/f, relative/path/to/f
Directory r (4) List contents ls d
w (2) Create/Remove files touch d/a_file, mkdir d/a_dir, rm d/a_file, rmdir d/a_dir, chmod d/a_file, chown d/a_dir
x (1) Browse hierarchy cd d, pushd d

You would notice that rights octal representation is coded with powers of 2. This is a common way to represent bunch two-states settings that can be independently toggled. Indeed, a file does not properly have a list of permissions set, you should see this rather as a a bit string (where a 1 at the position i means ON and a 0 means OFF for the right coded 2i).

An example is worth 1000 words:

-rwx    Octal    Permissions
0000      0      None
0001      1      Execution only
0010      2      Read only
0100      4      Write only
0111      7      All (ie. Read and Write and Execution)
0110      6      All but Execution (ie. Read and Write)

File permissions are split into three categories of users:

The owner of the file (u as user)
Typically the creator of the file
The group of the file (g as group)
Typically the main group of the owner
The others (o as others)
Anybody else

As you would have notice, this does not provide a fine-grained way to manage permissions, but this is quite light, simple, and sufficient for most usages. However, if you think you need a really fine-grained level, you should consider looking at SELinux.

Manage user and groups

Users, and Groups are named, and numbered. the lower the number the more permissions the account has. For example root user has the number 0, and root group has the number 0. To display this information:

# cat /etc/passwd
# cat /etc/group

Add user

You can add user with useradd.

# useradd -g users -G wheel,portage,audio,video,usb,cdrom,tty -m <username>

Delete user

You can delete user with userdel.

# userdel <username>

Note

If you want to remove user files as well (home directory and mail spool, use the -r option:

# userdel -r <username>

List groups

You can list groups with group.

$ groups
$ groups <username>

Add or remove user from group

You can add or remove user from group with gpasswd.

# gpasswd -a <user> <group>
# gpasswd -d <user> <group>

Create or delete groups

You can create or delete groups with groupadd.

# groupadd <group>
# groupdel <group>

Manage rights on files

Change file permissions

You can change file permissions with chmod.

$ chmod <u><g><o> <file>

Where <u>, <g> and <o> are respectively the octal representation of the rights you want to set for the owner, the group and others.

7 = 4+2+1 (read/write/execute)
6 = 4+2 (read/write)
5 = 4+1 (read/execute)
4 = 4 (read)
3 = 2+1 (write/execute)
2 = 2 (write)
1 = 1 (execute)

Change owner and group of file

You can change owner and group of a file with chown.

# chown <user>:<group> <file>

You can change owner of a directory and children recursively with:

# chown -R <user>:<group> <folder>

Security

Generally you will want to have restrictive yet functional permissions. 777 on everything is a bad idea, especially files containing plain text passwords. 600 is common for files like this, with a high level user. mediawiki's LocalSettings.php has database passwords. A good method to lock this down is to change its permissions to 600, and set the file owner as the webserver's user.