Basics: Mode, User and Group Ownership¶
Owner and Permissions¶
Types of permissions
Read (
r)Write (
w)Execute (
x)
Separate permissions for …
User (
u): the owning user of the entryGroup (
g): the owning group of the entryOthers (
o): all others
A Simple Example¶
The typical ls -l output:
$ ls -l tasks.csv
-rw-rw-r-- 1 jfasch team 396 Jun 8 14:49 tasks.csv
Three groups of “bits”: rw-, rw-, r--
Bits |
Meaning |
|---|---|
|
Read- and writable for owning user ( |
|
Read- and writable for owning group ( |
|
Readable for all others: those who are neither user
|
First column (-) is irrelevant (type: regular file)
Permission Check: User¶
Can user ``jfasch`` write the file?
Which triplet to check?
jfaschis the owner of the file⟶ The first triplet:
rw-
⟶ yes,
jfaschcan write(likewise,
jfaschwill be able to read)
Permission Check: Group¶
Can user ``teammember42`` write the file?
Which triplet to check?
teammember42is notjfasch⟶ not the first tripletIs
teammember42a member of groupteam?$ id teammember42 uid=1001(teammember42) gid=1002(teammember42) groups=1002(teammember42),1001(team)
Answer: yes
⟶ second triplet,
rw-
⟶ yes,
teammember42can write(likewise,
teammember42will be able to read)
Permission Check: Others¶
Can user ``manfromthestreet`` read the file?
Which triplet to check?
manfromthestreetis notjfasch⟶ not the first tripletIs
manfromthestreeta member of groupteam?$ id manfromthestreet uid=1002(manfromthestreet) gid=1003(manfromthestreet) groups=1003(manfromthestreet)
Answer: no
⟶ not the second triplet
⟶
manfromthestreetis among the othersThird triplet,
r--⟶ no,
manfromthestreetcannot write(
manfromthestreetcan read though)
Execute Permissions¶
$ ls -l /bin/ls
-rwxr-xr-x ... /bin/ls
Facts …
An executable file does not have to end with
.exeto be executable… it simply is executable
Directory Permissions¶
$ ls -ld /etc
drwxr-xr-x ... 07:54 /etc
Read permissions: content (list of names) is readable
Execute permissions: to access a file (e.g. for reading), one has to have execute permissions on the parent directory and all directories along the path
The right to
cdinto the directory
Permission Bits, octal¶
|
Binary |
Shell command |
|---|---|---|
|
|
|
|
|
|
|
|
|
Default Permissions - umask¶
The U-Mask …
Bit field
Subtracted from default permissions at file/directory creation
Process attribute ⟶ inherited
umask in action¶$ umask
0022
$ touch /tmp/file
$ ls -l /tmp/file
umask: How Does it Work?¶
umasksubtracted from default permissionsumaskis an (inherited) process attributeDefault permissions at file creation:
rw-rw-rw-
Default permissions |
|
|
|
|
|
|
|
Outcome |
|
|
|
Shell Commands¶
Permission modification (set to octal value)
$ chmod 755 /bin/script.sh
Permission modification (differential symbolic)
$ chmod u+x,g-wx,o-rwx /bin/script.shGroup ownership modification (only root and members of the group can do this)
$ chgrp team /tmp/fileOwnership modification (only root)
# chown jfasch /tmp/filechmod,chown, andchgrpunderstand-Rfor “recursive”.
Set-UID Bit¶
Set-UID Bit: motivation
Ugly hack!
Encrypted passwords in
/etc/passwd(or/etc/shadow, nowadays)Only
rootcan modifyI (
jfasch) want to change my passwordHave to ask
rootto edit/etc/passwdor/etc/shadowfor merootis annoyed by me
$ ls -l /bin/passwd
-rws--x--x 1 root root ... /bin/passwd
Sticky Bit¶
Sticky bit: motivation
Ugly hack!
Everyone has write permissions in
/tmp⟶ everyone can create files
⟶ everyone can remove files
Chaos: everyone can remove each other’s files
$ ls -ld /tmp
drwxrwxrwt ... /tmp