7. Controlling Access to Files

This document discusses controlling access to files in Linux through file permissions. It describes how to view and change file permissions from the command line using the chmod and chown commands. The symbolic and numeric methods for specifying permissions with chmod are explained. Examples are provided to demonstrate how different permission settings affect access for the file owner, group, and other users.

Uploaded by

Jenber

CONTROLLING ACCESS TO FILES
• GOAL
• Set Linux file-system permissions on files and interpret the security effects
of different permission settings.
• OBJECTIVES
• Change the permissions and ownership of files using command-line tools.
• Control the default permissions of new files created by users, explain the
effect of special permissions, and use special permissions and default
permissions to set the group owner of files created in a particular directory.
• SECTIONS
• Managing File System Permissions from the Command Line (and Guided
Exercise)
• Managing Default Permissions and File Access (and Guided Exercise)
• LAB
• Controlling Access to Files
Linux file-system permissions
• File permissions control access to files.
• The Linux file permissions system is simple but flexible, which makes it
easy to understand and apply, yet still able to handle most normal
permission cases easily.
• Files have three categories of user to which permissions apply:
• The file is owned by a user, normally the one who created it.
• The file is also owned by a single group, usually the primary group of the user who
created the file, although this can be changed.
• All other users on the system, that is, users who are neither the owning user nor
members of the owning group.
• Different permissions can be set for each of these three categories.
Effects of Permissions on Files and
Directories
• Three categories of permissions apply: read, write, and execute. Each has a
different effect on a file than on a directory:
• read (r): the contents of the file can be read; the contents (file names) of the
directory can be listed.
• write (w): the contents of the file can be changed; files in the directory can be
created or deleted, regardless of the permissions on those files.
• execute (x): the file can be run as a command; the directory can be entered (cd)
and its entries accessed by name. With r but not x on a directory, names can be
listed but the files themselves cannot be opened.
Viewing file and directory permissions and
ownership
• The -l option of the ls command shows more detailed information
about file permissions and ownership:
[user@host~]$ ls -l /var/log/lastlog
-rw-rw-r-- 1 root utmp 292292 Jul 24 11:16 /var/log/lastlog

• Reading that line left to right: file type (-), user (owner) permissions (rw-),
group permissions (rw-), other users' permissions (r--), link count (1),
owning user (root), owning group (utmp), file size (292292), last modification
date and time (Jul 24 11:16), and the file name.
• Type characters: - file, d directory, l symbolic link, b block device,
c character device.
• The first character of the long listing is the file type. You interpret it
like this:
• - is a regular file.
• d is a directory.
• l is a soft link.
• Other characters represent hardware devices (b and c) or other special-
purpose files (p and s).
• The next nine characters are the file permissions. These are in three
sets of three characters:
• permissions that apply to the user that owns the file,
• the group that owns the file, and
• all other users.
• If the set shows rwx, that category has all three permissions, read,
write, and execute. If a letter has been replaced by -, then that
category does not have that permission.
• You can use the -d option to show detailed information about a
directory itself, and not its contents.
EXAMPLES OF PERMISSION EFFECTS
• Given the four users operator1, database1, database2 and contractor1
(operator1 and database1 are members of group consultant1; database2 and
contractor1 are not) and the following listing of their working directory:

[database1@host dir]$ ls -la
total 24
drwxrwxr-x. 2 database1 consultant1 4096 Apr 4 10:23 .
drwxr-xr-x. 10 root root 4096 Apr 1 17:34 ..
-rw-rw-r--. 1 operator1 operator1 1024 Apr 4 11:02 lfile1
-rw-r--rw-. 1 operator1 consultant1 3144 Apr 4 11:02 lfile2
-rw-rw-r--. 1 database1 consultant1 10234 Apr 4 10:14 rfile1
-rw-r-----. 1 database1 consultant1 2048 Apr 4 10:18 rfile2
EFFECT / WHY IS THIS TRUE?
• Effect: The user operator1 can change the contents of rfile1.
  Why: User operator1 is a member of the consultant1 group, and that group has
  both read and write permissions on rfile1.
• Effect: The user database1 can view and modify the contents of rfile2.
  Why: User database1 owns the file and has both read and write access to rfile2.
• Effect: The user operator1 can view but not modify the contents of rfile2
  (without deleting it and recreating it).
  Why: User operator1 is a member of the consultant1 group, and that group only
  has read access to rfile2.
• Effect: The users database2 and contractor1 do not have any access to the
  contents of rfile2.
  Why: other permissions apply to users database2 and contractor1, and those
  permissions do not include read or write permission.
• Effect: operator1 is the only user who can change the contents of lfile1
  (without deleting it and recreating it).
  Why: User and group operator1 have write permission on the file, other users
  do not. But the only member of group operator1 is user operator1.
• Effect: The user database2 can change the contents of lfile2.
  Why: User database2 is not the user that owns the file and is not in group
  consultant1, so other permissions apply. Those grant write permission.
• Effect: The user database1 can view the contents of lfile2, but cannot modify
  the contents of lfile2 (without deleting it and recreating it).
  Why: User database1 is a member of the group consultant1, and that group only
  has read permission on lfile2. Even though other has write permission, the
  group permissions take precedence: the first matching category (owner, then
  group, then other) is the only one checked.
• Effect: The user database1 can delete lfile1 and lfile2.
  Why: User database1 has write permission on the directory containing both
  files (shown by .), and therefore can delete any file in that directory. This
  is true even if database1 does not have write permission on the file itself.
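The rule behind that table (exactly one category is checked: owner if you own the file, otherwise group if you are in the owning group, otherwise other, with no fall-through) is worth seeing as code. The script below is an added example, not part of the original slides: it encodes the listing above and the group memberships the table states as constructed data, and answers the same questions the table does. Deletion is decided by write and search permission on the directory, not by the file's mode.

```shell
#!/bin/sh
# Added example: simulate the Linux permission check for the listing on
# this slide. All users, groups and files below are constructed data copied
# from the slide; the membership facts are the ones the slide states.

# file_entry NAME -> "mode owner group" (from the ls -la listing)
file_entry() {
  case "$1" in
    .)      echo "drwxrwxr-x database1 consultant1" ;;
    lfile1) echo "-rw-rw-r-- operator1 operator1" ;;
    lfile2) echo "-rw-r--rw- operator1 consultant1" ;;
    rfile1) echo "-rw-rw-r-- database1 consultant1" ;;
    rfile2) echo "-rw-r----- database1 consultant1" ;;
    *)      echo "no such entry: $1" >&2; return 1 ;;
  esac
}

# groups_of USER -> space-separated group names (constructed membership)
groups_of() {
  case "$1" in
    operator1)   echo "operator1 consultant1" ;;
    database1)   echo "database1 consultant1" ;;
    database2)   echo "database2" ;;
    contractor1) echo "contractor1" ;;
    *)           echo "unknown user: $1" >&2; return 1 ;;
  esac
}

# in_group USER GROUP -> 0 if USER is a member of GROUP
in_group() {
  local g
  for g in $(groups_of "$1"); do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

# applicable_triplet USER FILE -> "owner|group|other rwx"
# The first matching category wins; later categories are never consulted,
# which is why group r-- beats other rw- for database1 on lfile2.
applicable_triplet() {
  local user="$1" entry mode owner group
  entry=$(file_entry "$2") || return 2
  set -- $entry
  mode=$1; owner=$2; group=$3
  if [ "$user" = "$owner" ]; then
    echo "owner $(printf '%s' "$mode" | cut -c2-4)"
  elif in_group "$user" "$group"; then
    echo "group $(printf '%s' "$mode" | cut -c5-7)"
  else
    echo "other $(printf '%s' "$mode" | cut -c8-10)"
  fi
}

# can USER PERM FILE -> 0 if USER has PERM (r, w or x) on FILE, else 1
can() {
  local triplet
  triplet=$(applicable_triplet "$1" "$3") || return 2
  case "${triplet#* }" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# can_delete USER FILE -> 0 if USER may unlink FILE from the directory "."
# (write plus search permission on the directory; the file's mode is irrelevant)
can_delete() {
  can "$1" w . && can "$1" x .
}
```

Run it with `. ./perms.sh; can database1 w lfile2; echo $?` and compare against the table: the exit status is 1 even though lfile2 is world-writable, because database1 is matched by the group category first.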
Changing file and directory permissions
• The command used to change permissions from the command line is
chmod, which means "change mode" (permissions are also called the
mode of a file).
• The chmod command takes a permission instruction followed by a list
of files or directories to change.
• The permission instruction can be issued either symbolically (the
symbolic method) or numerically (the numeric method).
Changing Permissions with the Symbolic
Method
• Command syntax is chmod WhoWhatWhich file|directory
• Who is u, g, o, a (for user, group, other, all)
• What is +, -, = (for add, remove, set exactly)
• Which is r, w, x (for read, write, execute)
• The symbolic method of changing file permissions uses letters to
represent the different groups of permissions: u for user, g for group,
o for other, and a for all. If Who is omitted, a is assumed, except that
bits set in the umask are not affected.
Examples
• Remove read and write permission for group and other on file1:
• Add execute permission for everyone on file2:
Changing Permissions with the Numeric
Method
• Command syntax is chmod ### file|directory, where each # character represents a digit.
• Each digit represents permissions for an access level: user, group, other.
• The digit is calculated by adding together numbers for each permission you want to
add, 4 for read, 2 for write, and 1 for execute.
• For example, to set the permissions -rwxr-x---:
• For the user, rwx is calculated as 4+2+1=7.
• For the group, r-x is calculated as 4+0+1=5,
• and for other users, --- is represented with 0.
• Putting these three together, the numeric representation of those permissions is 750.
• This calculation can also be performed in the opposite direction. Look
at the permissions 640.
• For the user permissions, 6 represents read (4) and write (2), which displays
as rw-
• For the group part, 4 only includes read (4) and displays as r--.
• The 0 for other provides no permissions (---)
• Hence the final set of symbolic permissions for this file is -rw-r-----.
Examples
• Set read and write permissions for user, read permission for group
and other, on samplefile:
• Set read, write, and execute permissions for user, read and execute
permissions for group, and no permission for other on sampledir:
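The four examples in this section, plus the difference between + and =, applied to scratch files and read back with stat. This is an added example, not from the original slides; it assumes GNU or BusyBox stat (for the -c '%a' format) and mktemp, and sets each starting mode explicitly so the results do not depend on the caller's umask.

```shell
#!/bin/sh
# Added example: run the symbolic and numeric chmod forms from this section
# on throwaway files and report the resulting octal modes.

# mode_of PATH -> octal permission bits, e.g. 644
mode_of() { stat -c '%a' "$1"; }

# chmod_demo -> "file1 file2 samplefile sampledir file3(+x) file3(=x)"
chmod_demo() {
  local d
  d=$(mktemp -d) || return 1
  touch "$d/file1" "$d/file2" "$d/samplefile" "$d/file3"
  mkdir "$d/sampledir"

  chmod 664 "$d/file1"               # start from rw-rw-r--
  chmod go-rw "$d/file1"             # symbolic: drop r and w for group and other -> 600
  chmod 644 "$d/file2"               # start from rw-r--r--
  chmod a+x "$d/file2"               # symbolic: add x for everyone -> 755
  chmod 644 "$d/samplefile"          # numeric: rw- r-- r--
  chmod u=rw,go=r "$d/samplefile"    # the same mode, stated symbolically with '='
  chmod 750 "$d/sampledir"           # numeric: rwx r-x ---

  chmod 640 "$d/file3"
  chmod g+x "$d/file3"; local plus;  plus=$(mode_of "$d/file3")   # + adds: r-- -> r-x -> 650
  chmod 640 "$d/file3"
  chmod g=x "$d/file3"; local equal; equal=$(mode_of "$d/file3")  # = replaces: r-- -> --x -> 610

  printf '%s %s %s %s %s %s\n' "$(mode_of "$d/file1")" "$(mode_of "$d/file2")" \
    "$(mode_of "$d/samplefile")" "$(mode_of "$d/sampledir")" "$plus" "$equal"
  rm -rf "$d"
}
```

The last two values show the practical difference between What forms: g+x only turns a bit on, while g=x sets the group triplet to exactly --x, silently removing the read permission that was there.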
Changing file and directory user or group
ownership
• A newly created file is owned by the user who creates that file. By
default, new files have a group ownership that is the primary group of
the user creating the file.
• Only root can change the user that owns a file. Group ownership,
however, can be set by root or by the file's owner. root can grant file
ownership to any group, but regular users can make a group the
owner of a file only if they are a member of that group.
• File ownership can be changed with the chown (change owner)
command, which takes the new owner's name followed by the file name.
For example, chown can grant ownership of the test_file file to the
student user.
• chown can be used with the -R option to recursively change the
ownership of an entire directory tree, for example to grant ownership
of test_dir and all files and subdirectories within it to user student.
• The chown command can also be used to change group ownership of
a file by preceding the group name with a colon (:), for example to
change the group of test_dir to admins.
• The chown command can also be used to change both owner and
group at the same time by using the owner:group syntax, for
example to change the owner of test_dir to visitor and the group
to guests.
• Instead of using chown, some users change the group ownership by
using the chgrp command. This command works just like chown,
except that it is only used to change group ownership and the colon
(:) before the group name is not required.
Guided Exercise: Managing File System Permissions from the Command Line
Special permissions
• Special permissions constitute a fourth permission type in addition to
the basic user, group, and other types. As the name implies, these
permissions provide additional access-related features over and
above what the basic permission types allow. The following slides detail
the effect of each of the three special permissions: setuid, setgid, and
the sticky bit.
Special permissions: setuid
• The setuid permission on an executable file means that commands
run as the user owning the file, not as the user that ran the
command. One example is the passwd command, which is owned by root
and setuid so that an ordinary user can update their own entry in
/etc/shadow.
• In a long listing, you can identify the setuid permission by a
lowercase s where you would normally expect the x (owner execute
permission) to be. If the owner does not have execute permission,
this is replaced by an uppercase S: the bit is set but has no effect,
because the file cannot be executed.
Special permissions: setgid
• The special permission setgid on a directory means that files created
in the directory inherit their group ownership from the directory,
rather than inheriting it from the creating user. This is commonly used
on group collaborative directories to automatically change a file from
the default private group to the shared group, or if files in a directory
should always be owned by a specific group. An example of this is
the /run/log/journal directory, whose group is systemd-journal.
• If setgid is set on an executable file, commands run with the group that
owns that file, not the group of the user that ran the command, in a
similar way to setuid. One example is the locate command, which needs
the owning group of its database in order to read it.
• In a long listing, you can identify the setgid permission by a
lowercase s where you would normally expect the x (group execute
permission) to be. If the group does not have execute permission,
this is replaced by an uppercase S.
Special permissions: sticky bit
• Lastly, the sticky bit for a directory sets a special restriction on
deletion of files. Only the owner of the file, the owner of the directory,
and root can delete or rename files within the directory, even though
the directory itself is writable by everyone. An example is /tmp.
• In a long listing, you can identify the sticky permission by a lowercase
t where you would normally expect the x (other execute permission)
to be. If other does not have execute permission, this is replaced by
an uppercase T.
Setting Special Permissions
• Symbolically: setuid = u+s; setgid = g+s; sticky = o+t
• Numerically (fourth preceding digit): setuid = 4; setgid = 2; sticky = 1
• With GNU chmod, a three-digit numeric mode leaves a directory's existing
setuid and setgid bits in place; clear them explicitly with g-s or u-s.
• Examples
• Add the setgid bit on directory:
• Set the setgid bit and add read/write/execute permissions for user
and group, with no access for others, on directory:
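Converting between the ten-character mode string that ls -l prints and the four-digit octal mode that chmod takes, including the s/S and t/T display rule from the preceding slides, is the skill these slides teach; the functions below do it in both directions and then confirm the fourth digit on real scratch directories. This is an added example, not from the original slides; it assumes GNU or BusyBox stat and mktemp, and that the scratch directory is on a filesystem that honours the setuid/setgid bits (tmpfs and ext4 do).

```shell
#!/bin/sh
# Added example: mode string <-> octal, with special bits, plus a check on disk.

# bits_of TRIPLET -> 0..7 for one rwx group; s, S, t, T in the x slot count
# as x (lowercase) or - (uppercase), exactly as ls displays them.
bits_of() {
  local n=0
  case "$1" in r??) n=$((n + 4)) ;; esac
  case "$1" in ?w?) n=$((n + 2)) ;; esac
  case "$1" in ??[xst]) n=$((n + 1)) ;; esac
  echo "$n"
}

# mode_to_octal 'drwxrws---' -> 2770   (leading type character is optional)
mode_to_octal() {
  local m="$1" special=0 u g o
  case "${#m}" in 10) m=$(printf '%s' "$m" | cut -c2-10) ;; esac
  u=$(printf '%s' "$m" | cut -c1-3)
  g=$(printf '%s' "$m" | cut -c4-6)
  o=$(printf '%s' "$m" | cut -c7-9)
  case "$u" in ??[sS]) special=$((special + 4)) ;; esac   # setuid
  case "$g" in ??[sS]) special=$((special + 2)) ;; esac   # setgid
  case "$o" in ??[tT]) special=$((special + 1)) ;; esac   # sticky
  printf '%d%d%d%d\n' "$special" "$(bits_of "$u")" "$(bits_of "$g")" "$(bits_of "$o")"
}

# triplet_of DIGIT LETTER SPECIAL -> e.g. rws / rwS / r-x
# LETTER is s or t; SPECIAL non-zero means the special bit is set for this
# group, shown lowercase if x is set and uppercase (no effect) if it is not.
triplet_of() {
  local d="$1" letter="$2" sp="$3" r=- w=- x=-
  [ $((d & 4)) -ne 0 ] && r=r
  [ $((d & 2)) -ne 0 ] && w=w
  [ $((d & 1)) -ne 0 ] && x=x
  if [ "$sp" -ne 0 ]; then
    if [ "$x" = x ]; then x=$letter; else x=$(printf '%s' "$letter" | tr 'st' 'ST'); fi
  fi
  printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_mode 4755 -> rwsr-xr-x ; a three-digit mode means no special bits
octal_to_mode() {
  local m="$1" sp=0 u g o
  case "${#m}" in 4) sp=$(printf '%s' "$m" | cut -c1); m=$(printf '%s' "$m" | cut -c2-4) ;; esac
  u=$(printf '%s' "$m" | cut -c1); g=$(printf '%s' "$m" | cut -c2); o=$(printf '%s' "$m" | cut -c3)
  printf '%s%s%s\n' "$(triplet_of "$u" s $((sp & 4)))" \
                    "$(triplet_of "$g" s $((sp & 2)))" \
                    "$(triplet_of "$o" t $((sp & 1)))"
}

# special_demo -> "<octal> <string>" for a setgid dir, a sticky dir and a
# setuid file without owner execute, as stat reports them after chmod.
special_demo() {
  local d
  d=$(mktemp -d) || return 1
  mkdir "$d/shared" "$d/drop"; touch "$d/tool"
  chmod 2770 "$d/shared"   # setgid: files created here inherit the directory's group
  chmod 1777 "$d/drop"     # sticky and world-writable, like /tmp
  chmod 4644 "$d/tool"     # setuid with no owner x: displayed as S, no effect
  printf '%s %s %s %s %s %s\n' \
    "$(stat -c '%a' "$d/shared")" "$(stat -c '%A' "$d/shared")" \
    "$(stat -c '%a' "$d/drop")"   "$(stat -c '%A' "$d/drop")" \
    "$(stat -c '%a' "$d/tool")"   "$(stat -c '%A' "$d/tool")"
  rm -rf "$d"
}
```

A quick audit use: `find / -perm -4000 -type f -exec stat -c '%A %U %n' {} +` lists setuid binaries, and mode_to_octal on each %A gives the number to compare against your baseline; an uppercase S in that list is a misconfiguration rather than a privilege, since the file cannot run.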
Default file permissions
• When you create a new file or directory, it is assigned initial
permissions. There are two things that affect these initial permissions.
The first is whether you are creating a regular file or a directory. The
second is the current umask.
• If you create a new directory, the operating system starts by assigning
it octal permissions 0777 (drwxrwxrwx).
• If you create a new regular file, the operating system assigns it octal
permissions 0666 (-rw-rw-rw-). You always have to explicitly add
execute permission to a regular file. This
Default Permissions: umask
• However, the shell session will also set a umask to further restrict the
permissions that are initially set. This is an octal bitmask used to clear
the permissions of new files and directories created by a process. If a bit
is set in the umask, then the corresponding permission is cleared on
new files.
• For example, the umask 0002 clears the write bit for other users. The
leading zeros indicate the special, user, and group permissions are not
cleared. A umask of 0077 clears all the group and other permissions of
newly created files.
• The umask command without arguments will display the current value
of the shell's umask:
umask Example
• The following example explains how the umask affects the
permissions of files and directories, starting from the default umask
of 002 or 022.
• By setting the umask value to 0, the file permissions for other change
from read to read and write. The directory permissions for other
change from read and execute to read, write, and execute.
• To mask all file and directory permissions for other, set the umask
value to 007.
• A umask of 027 ensures that new files have read and write
permissions for user and read permission for group. New directories
have read, write and execute permissions for user, read and execute
permissions for group, and no permissions for other.

• The default umask for users is set by the shell startup scripts. By
default, if your account's UID is 200 or more and your username and
primary group name are the same, you will be assigned a umask of
002. Otherwise, your umask will be 022.
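The umask arithmetic above is a bitwise AND of the base mode (0666 for files, 0777 for directories) with the complement of the mask. The script below is an added example, not from the original slides: it computes the result for any umask, then creates a file and a directory under that umask in a subshell (so the caller's umask is untouched) and reads the real modes back with stat. It assumes GNU or BusyBox stat and mktemp.

```shell
#!/bin/sh
# Added example: predict and observe the permissions of new files and
# directories under a given umask. umask clears bits: result = base & ~umask.

# apply_umask BASE UMASK (both octal, e.g. 666 022) -> octal result, e.g. 644
apply_umask() {
  printf '%03o\n' "$(( 0$1 & ~0$2 ))"
}

# Base modes the kernel starts from before the umask is applied.
new_file_mode() { apply_umask 666 "$1"; }   # regular file, never executable by default
new_dir_mode()  { apply_umask 777 "$1"; }

# umask_demo UMASK -> "<file mode> <dir mode>" actually observed on disk
umask_demo() {
  local d
  d=$(mktemp -d) || return 1
  # The subshell keeps the umask change local to this demo.
  ( umask "$1" && touch "$d/f" && mkdir "$d/d" ) || return 1
  printf '%s %s\n' "$(stat -c '%a' "$d/f")" "$(stat -c '%a' "$d/d")"
  rm -rf "$d"
}
```

Note what a umask cannot do: it only removes bits, so no umask can make a new regular file executable, and it says nothing about files created by a service whose startup script sets its own umask.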
Guided Exercise: Managing Default Permissions and File Access
