Users
● Every user is assigned a unique User ID number (UID ) UID 0 identifies root.
● Users' names and UIDs are stored in /etc/ passwd.
● Users are assigned a home directory and a program that is run when they log in (usually a shell).
● Users cannot read, write or execute each others' files without permission.
Groups
● Users are assigned to groups.
● Each group is assigned a unique Group ID number (gid ).
● GIDs are stored in /etc/group.
● Each user is given their own private group Can be added to other groups for additional access.
● All users in a group can share files that belong to the group.
Linux File Security
● Every file is owned by a UID and a GID.
● Every process runs as a UID and one or more GIDs
Usually determined by who runs the process
● Three access categories:
Processes running with the same UID as the file(user )
Processes running with the same GID as the file(group )
All other processes (other ).
Permissions
Four symbols are used when displaying permissions:
r: permission to read a file or list a directory's contents
w: permission to write to a file or create and remove files from a directory
x: permission to execute program or change into a directory and do a long listing of the directory
- : no permission (in place of the r, w, or x)
Examine Permission
File permissions may be viewed using ls -l
$ ls -l /bin/login
-rwxr-xr-x 1 root root 19080 Apr 1 18:26 /bin/login
-rwxr-x--- 1 andersen trusted 2948 Oct 11 14:07 myscript
● Read, Write and Execute for the owner, andersen.
● Read and Execute for members of the trusted group.
● No access for all others.
Changing File Ownership
● Only root can change a file's owner
● Only root or the owner can change a file's group
● Ownership is changed with chown: chown [-R] user_name file|directory
● Group-Ownership is changed with chgrp: chgrp [-R] group_name file|directory
How to set file permissions - symbolic mode ? The symbolic mode is pretty easy to remember. First, you decide if you set permissions for the user (u), the group (g), others (o), or all of the three (a). Then, you either add a permission (+), remove it (-), or wipe out the previous permissions and add a new one (=). Next, you decide if you set the read permission (r), write permission (w), or execute permission (x). Last, you'll tell chmod which file's permissions you want to change.
Let's have a couple of examples. Suppose we have a regular file called testfile, and the file has full access permissions for all the groups (long directory listing would show -rwxrwxrwx as the file's permissions).
Wipe out all the permissions but add read permission for everybody: $chmod a=r testfile After the command, the file's permissions would be -r--r--r--
Add execute permissions for group: $ chmod g+x testfile Now, the file's permissions would be -r--r-xr--
Add both write and execute permissions for the file's owner. Note how you can set more than one permission at the same time: $ chmod u+wx testfile After this, the file permissions will be -rwxr-xr--
Remove the execute permission from both the file's owner and group. Note, again, how you can set them both at once: $ chmod ug-x testfileNow, the permissions are -rw-r--r--
As a summary, have a look at this quick reference for setting file permissions in symbolic mode:
Which user?
|
u
|
user/owner
|
g
|
group
|
o
|
other
|
a
|
all
|
What to do?
|
+
|
add this permission
|
-
|
remove this permission
|
=
|
set exactly this permission
|
Which permissions?
|
r
|
read
|
w
|
write
|
x
|
execute
|
How to set file permissions - numeric mode ?
The other mode in which chmod can be used is the numeric mode. In the numeric mode, the file permissions aren't represented by characters. Instead, they are represented by a three-digit octal number. 4 = read (r) 2 = write (w)1 = execute (x) 0 = no permission (-)
To get the permission bits you want, you add up the numbers accordingly. For example, the rwx permissions would be 4+2+1=7, rx would be 4+1=5, and rw would be 4+2=6. Because you set separate permissions for the owner, group, and others, you'll need a three-digit number representing the permissions of all these groups.
Let's have an example. $ chmod 755 testfile This would change thetestfile's permissions to -rwxr-xr-x. The owner would have full read, write, and execute permissions (7=4+2+1), the group would have read and execute permissions (5=4+1), and the world would have the read and execute permissions as well.
Let's have another example: $ chmod 640 testfile In this case, testfile's permissions would be -rw-r-----. The owner would have read and write permissions (6=4+2), the group would have read permissions only (4), and the others wouldn't have any access permissions (0).
The numeric mode may not be as straightforward as the symbolic mode, but with the numeric mode, you can more quickly and efficiently set the file permissions. This quick reference for setting file permissions in numeric mode might help:
Which number?
|
0
|
---
|
1
|
--x
|
2
|
-w-
|
3
|
-wx
|
4
|
r--
|
5
|
r-x
|
6
|
rw-
|
7
|
rwx
|
/