File permissions

1,954 bytes added, 7 years ago
Started to talk about setuid, setgid and sticky bits.
__NOTOC__
== File permissions ==
=== Common permissions ===
With Linux, the most common way to handle user rights provides three distinct rights on files: read (<code>r</code>), write (<code>w</code>) and execute (<code>x</code>). The meaning of these rights for directories (which '''are''' files in Linux) is slightly different: read lists the entries, write creates or removes entries, and execute allows traversal, that is, accessing an entry by name.
<pre>
rwx   Octal   Permissions
000   0       None
001   1       Execute only
010   2       Write only
100   4       Read only
101   5       Read and execute
110   6       Read and write (all but execute)
111   7       All (read, write and execute)
</pre>
Each of these rights is granted separately to three subjects:
; The owner of the file (<code>u</code> as user): Typically the user who created it
; The group of the file (<code>g</code> as group): Typically the main group of the owner
; The others (<code>o</code> as others): Anybody else
 
File permissions are thus represented with nine bits, written as three octal digits: the three most significant bits are the owner's rights, the middle three the group's, and the three least significant the others'. For instance, a typical file permission is <code>640</code>, which means <q style="font-style:italic">the owner can read and write, the group has read-only access, and others can't even read it</q>; <code>ls -l</code> shows the same thing symbolically as <code>rw-r-----</code>.
 
=== Alter permissions meaning ===
 
There are actually three more bits that alter the meaning of the other permissions. They live in a fourth, leading octal digit (<code>4755</code> is <code>755</code> plus the setuid bit) and, in <code>ls -l</code> output, take over the execute position of the owner, group and others respectively: lowercase <code>s</code> or <code>t</code> when the execute bit is also set, uppercase <code>S</code> or <code>T</code> when it is not, which usually signals a mistake since setuid without execute does nothing.
 
{|class="table table-striped"
! Subject || Right (Oct. repr.) || Name || Description
|-
|rowspan=3| '''File''' || <code>s/S (4)</code> || Setuid bit || A process that executes the file runs with the effective user ID of the file's owner rather than of the user who started it (<code>/usr/bin/passwd</code> is the classic case). Linux honours it only for binaries, not for interpreted scripts. Every setuid-root binary is a privilege-escalation target, so keep the set small and audited (<code>find / -perm -4000 -type f</code>).
|-
|| <code>s/S (2)</code> || Setgid bit || Same as setuid, but for the effective group ID: the process runs with the file's group.
|-
|| <code>t/T (1)</code> || Sticky bit || No effect on regular files under Linux (it once asked the kernel to keep the program text in swap); it can be set but is ignored.
|-
|rowspan=3| '''Directory''' || <code>s/S (4)</code> || Setuid bit || Ignored by Linux (some BSDs use it to make new entries inherit the directory's owner).
|-
|| <code>s/S (2)</code> || Setgid bit || New files and subdirectories inherit the directory's group instead of the creator's main group, and subdirectories inherit the bit itself; this is how a shared project directory stays owned by one group.
|-
|| <code>t/T (1)</code> || Sticky bit || Entries can be deleted or renamed only by their owner, the directory's owner or root, even if the directory is world-writable; <code>/tmp</code> is the usual example (<code>drwxrwxrwt</code>).
|}
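Putting the nine permission bits and the three special bits together, as an added example that is not part of the original page: a POSIX shell function that renders an octal mode (three or four digits) the way <code>ls -l</code> does, including the <code>s/S</code> and <code>t/T</code> rules above, followed by a constructed demo that applies the three special bits to a temporary file and two temporary directories and lists them. The names <code>mode_to_symbolic</code> and <code>special_bits_demo</code> are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: octal mode -> ls -l style string,
# with setuid/setgid/sticky shown in the execute slot (s/S, s/S, t/T).

# mode_to_symbolic MODE   e.g. 640, 755, 4755, 2775, 1777
# Prints the nine-character rwx string. The special bit of each triple
# replaces its 'x': lowercase when execute is also set, uppercase when not.
mode_to_symbolic() {
    mode=$((0$1))                    # leading 0: parse the digits as octal
    special=$(((mode >> 9) & 7))     # setuid = 4, setgid = 2, sticky = 1
    out=""
    i=2                              # 2 = owner, 1 = group, 0 = others
    while [ "$i" -ge 0 ]; do
        bits=$(((mode >> (i * 3)) & 7))
        r=-; w=-; x=-
        [ $((bits & 4)) -ne 0 ] && r=r
        [ $((bits & 2)) -ne 0 ] && w=w
        [ $((bits & 1)) -ne 0 ] && x=x
        # owner triple carries setuid (4), group setgid (2), others sticky (1)
        if [ $((special & (1 << i))) -ne 0 ]; then
            if [ "$i" -eq 0 ]; then lo=t; up=T; else lo=s; up=S; fi
            if [ "$x" = x ]; then x=$lo; else x=$up; fi
        fi
        out="$out$r$w$x"
        i=$((i - 1))
    done
    printf '%s\n' "$out"
}

# Constructed demo: apply the special bits to throwaway files and look at them.
special_bits_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/shared" "$tmp/dropbox"
    : > "$tmp/tool"
    chmod 4755 "$tmp/tool"        # setuid file: runs as the file's owner
    chmod 2775 "$tmp/shared"      # setgid dir: new entries inherit the group
    chmod 1777 "$tmp/dropbox"     # sticky dir: only an entry's owner may delete it
    ls -ld "$tmp/tool" "$tmp/shared" "$tmp/dropbox"
    echo "setuid files under $tmp:"
    find "$tmp" -type f -perm -4000
    rm -rf "$tmp"
}

for m in 640 755 4755 4644 2775 1777 1776; do
    printf '%5s  %s\n' "$m" "$(mode_to_symbolic "$m")"
done
special_bits_demo
```

The <code>4644</code> and <code>1776</code> rows print <code>rwSr--r--</code> and <code>rwxrwxrwT</code>: the uppercase letter is how <code>ls</code> warns that the special bit is set without the execute bit it depends on.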
 
=== Going further ===
As you may have noticed, this does not provide a fine-grained way to manage permissions, but it is light, simple and sufficient for most usages. If you need exceptions for individual users or groups, POSIX ACLs (<code>setfacl</code> / <code>getfacl</code>) extend this model; if you need a really fine-grained, mandatory policy, you should consider looking at [[SELinux]].
Generally you will want permissions that are restrictive yet functional. <code>777</code> on everything is a bad idea, especially for files containing plain-text passwords; <code>600</code> owned by a privileged user is common for such files. MediaWiki's <code>LocalSettings.php</code> contains the database password. A good way to lock it down is <code>640</code>, owned by root (or the deployment user) with the webserver's group as its group, so the web process can read the file but cannot modify it. <code>600</code> owned by the webserver's user also keeps everyone else out, but then a compromised web process can rewrite its own configuration.
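The lock-down above, as an added example that is not part of the original page or of MediaWiki: a small POSIX shell audit that reports when a secrets file such as <code>LocalSettings.php</code> is group-writable or reachable by others at all, plus a helper that applies the <code>640</code> fix. The function names <code>audit_secret_file</code> and <code>harden_secret_file</code> are this example's own, the file it checks is a constructed stand-in, and it parses <code>ls -ld</code> rather than <code>stat</code> because the latter's flags differ between GNU and BSD.

```shell
#!/bin/sh
# Added example, not from the original page or MediaWiki: audit and fix the
# permissions of a file that holds secrets (database password, API keys).

# audit_secret_file FILE
# Prints one line per problem and returns 1 if the group can write the file or
# "others" have any access; returns 0 for 640, 600 or anything tighter.
audit_secret_file() {
    f=$1
    [ -e "$f" ] || { echo "$f: no such file" >&2; return 2; }
    # The first 10 characters of ls -ld are the type and the nine permission
    # bits (an 11th '+' or '.' marks ACLs or a security label, so cut it off).
    perms=$(ls -ld -- "$f" | cut -c1-10)
    rc=0
    case $perms in ?????w????)    echo "$f: group-writable ($perms)";   rc=1 ;; esac
    case $perms in ???????r??)    echo "$f: world-readable ($perms)";   rc=1 ;; esac
    case $perms in ????????w?)    echo "$f: world-writable ($perms)";   rc=1 ;; esac
    case $perms in ?????????[xtT]) echo "$f: world-executable ($perms)"; rc=1 ;; esac
    return $rc
}

# harden_secret_file FILE [GROUP]
# Owner read/write, group read-only, nothing for others (640). With GROUP
# given, hand the file to that group (e.g. the webserver's) so the web process
# can read it without being able to rewrite it; a config owned by the webserver
# user itself could be modified by a compromised web process.
harden_secret_file() {
    f=$1
    if [ -n "${2:-}" ]; then
        chgrp -- "$2" "$f"
    fi
    chmod u=rw,g=r,o= "$f"
}

# Constructed demo: a throwaway file stands in for LocalSettings.php.
cfg=$(mktemp)
printf '$wgDBpassword = "example";\n' > "$cfg"
chmod 644 "$cfg"                      # a typical, too-open default
audit_secret_file "$cfg" || echo "$cfg: needs fixing"
harden_secret_file "$cfg"
audit_secret_file "$cfg" && echo "$cfg: OK ($(ls -ld -- "$cfg" | cut -c1-10))"
rm -f "$cfg"
```

Run it against the real file with <code>audit_secret_file /path/to/LocalSettings.php</code>; pass the webserver's group as the second argument of <code>harden_secret_file</code> when the file should be owned by root rather than by the web user.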
 
=== Can I have write permission on a file while not being allowed to read it? ===
 
Yes, you can! Example:
 
<console>
##i### echo "$USER: You can't read! >:)" > /tmp/test
##i### ls -l /tmp/test
-rw-r--r-- 1 root root 26 Oct 2 07:30 /tmp/test
##i### chmod o-r+w /tmp/test
##i### ls -l /tmp/test
-rw-r---w- 1 root root 26 Oct 2 07:30 /tmp/test
##i### cat /tmp/test
root: You can't read! >:)
##i### su anyuser
##i##$ cat /tmp/test
cat: /tmp/test: Permission denied
##i##$ vi /tmp/test
"/tmp/test" [Permission Denied]
##i##$ echo "$USER: But I can write! :)" >> /tmp/test
##i##$ exit
##i### cat /tmp/test
root: You can't read! >:)
anyuser: But I can write! :)
</console>
 
I don't know if this has an actual application though. Maybe if you need to allow some users to write (and truncate) logs in the same file but you don't want them to be able to read what others wrote...
[[Category:HOWTO]]
[[Category:First Steps]]
wiki-staff