Module 17

Ownership and Permissions

Exam Objective
5.3 Managing File Permissions and Ownership

Objective Description
Understanding and manipulating file permissions and
ownership settings.
Ownership
File Ownership
● File ownership is critical for security.

● By default, users will own the files they create. Ownership can be
changed by admin.

● Every file also has a group owner. By default, primary group of user
who creates file will be group owner of any new files.

● Remember: UIDs and GIDs are associated with username and

group name.

● The id command can be used to view user UID, GID, username, and
group name(s).
File Ownership
● When a user creates a file with the touch command it will belong to
the current user and their primary group.

● File ownership can be confirmed using the long listing -l option of

the ls command.
sysadmin@localhost:~$ touch /tmp/filetest1
sysadmin@localhost:~$ ls -l /tmp/filetest1
-rw-rw-r--. 1 sysadmin sysadmin 0 Oct 21 10:18 /tmp/filetest1
Changing Groups
● To create a file under a different group, use the newgrp command to change your
current primary group.

● Use the groups command to view user group information.

● Verify new primary group using the id command:

sysadmin@localhost:~$ id
uid=502(sysadmin) gid=503(sysadmin)
groups=503(sysadmin),10001(research),10002(development)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sysadmin@localhost:~$ newgrp research
sysadmin@localhost:~$ id
uid=502(sysadmin) gid=10001(research)
groups=503(sysadmin),10001(research),10002(development)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The newgrp command opens a new shell; as long as the user stays in that shell, the primary group
won't change. To switch the primary group back to the original, the user can leave the new shell by
running the exit command.
Changing Group Ownership
● To change the group owner of existing file, use the chgrp command.

● The root user can use chgrp command to change group owner of
any file. A regular user can change group owner of the file to a
group they are a member of:
sysadmin@localhost:~$ touch sample
sysadmin@localhost:~$ ls -l sample
-rw-rw-r-- 1 sysadmin sysadmin 0 Dec 10 00:44 sample
sysadmin@localhost:~$ chgrp research sample
sysadmin@localhost:~$ ls -l sample
-rw-rw-r--. 1 sysadmin research 0 Oct 23 22:12 sample‌​
Permissions
Permissions
● To display the file type and permissions of a file, use the ls -l
command:
root@localhost:~# ls -l /etc/passwd
-rw-r--r--. 1 root root 4135 May 27 21:08 /etc/passwd

● File Type:
-rw-r--r--. 1 root root 4135 May 27 21:08 /etc/passwd

The first character of each line indicates the type of file. Possible values for file types:
- regular file c character file
d directory p pipe file
l symbolic link s socket file
b block file
Permissions
● Permission Groups
-rw-r--r--. 1 root root 4135 May 27 21:08 /etc/passwd

The next nine characters demonstrate the permissions of the file. These determine the level of access
a user will have on the file.

○ User Owner:

-rw-r--r--. 1 root root 4135 May 27 21:08 /etc/passwd

Characters 2-4 indicate the permissions for the user that owns the file.

○ Group Owner:

-rw-r--r--. 1 root root 4135 May 27 21:08 /etc/passwd

Characters 5-7 indicate permissions for the group that owns the file.
 Permissions
○ Other Permissions:

-rw-r--r--. 1 root root 4135 May 27 21:08 /etc/passwd

Characters 8-10 indicate the permissions for others or what is sometimes referred to as the world's
permissions.
Permission Types
● Each group is attributed three types of permissions: read, write, and
execute:

● Read:
○ File - allows process to read contents of the file, which means contents can be
viewed and copied.
○ Directory - Names of directory are listed, but no other details are available.
Permission Types
● Write:
○ File - Can be written to by the process. The w permission requires r permission to work.
○ Directory - Files can be added to or removed from the directory. The w permission requires the x
permission to work.

● Execute:
○ File - a file can be executed or run as a process.
○ Directory - User can use the cd command to get into directory and use pathname to access files
in directory.
Example Scenario
Based on the following information, what access would the user bob
have on the file abc.txt?

drwxr-xr-x. 17 root root 4096 23:38 /

drwxr-xr--. 10 root root 128 03:38 /data
-rwxr-xr--. 1 bob bob 100 21:08 /data/abc.txt

Answer: None.

In order to do anything with the file, the user must first "get into" the /data directory. The permissions
for bob for the /data directory are the permissions for "others" (r--), which means bob can't even use
the cd command to get into the directory. If the execute permission (--x) was set for the directory,
then the user bob would be able to "get into" the directory, meaning the permissions of the file itself
would apply.
drwxr-xr--. 10 root root 128 03:38 /data

Lesson Learned: The permissions of all parent directories must be considered before considering the
permissions on a specific file. (Important Note: Read another five scenarios on netacad.com)
Changing Permissions
● There are two techniques that can be used with this command:
symbolic and numeric.

● Symbolic Method
○ The chmod (change mode) command is used to change permissions on a directory.
○ Characters indicate which permission group (user, group, others) to apply the
changes to:
Changing Permissions
○ Next, choose an indicator to indicate how to modify permissions:

○ Lastly, use the following characters to specify the permission type to change:

○ Example: To give the user owner read permission on a file named abc.txt, you
could use the following command:

root@localhost:~# chmod u+r abc.txt

Changing Permissions
● Numeric Method
○ Based on the octal numbering system where each permission type is assigned a
numeric value.
○ Numeric values: 4 = Read (100), 2 = Write (010), 1 = Execute (001)

○ By using a combination of numbers from 0 to 7, any possible combination of read,

write and execute permissions can be specified for a single permission group set:
7 = rwx (111) 3 = -wx (011)
6 = rw- (110) 2 = -w- (010)
5 = r-x (101) 1 = --x (001)
4 = r-- (100) 0 = --- (000)

○ Example: To set the permissions of a file named abc.txt to be rwxr-xr-- you

could use the following command:
root@localhost:~]# chmod 754 abc.txt
Default Permissions
● The umask command is used to determine default permissions that are set when a file
or directory is created.
● The umask value is subtracted from the maximum allowable default permissions.
● Maximum default values for files and directories:

○ File = rw-rw-rw-

○ Directory = rwxrwxrwx
● The umask command can be used to display the current umask value:

sysadmin@localhost:~$ umask
0002

- First 0 means umask is given as octal number.

- Second 0 indicates which permission to subtract from default user owner permissions.
- Third 0 indicates which permission to subtract from default group owner’s permissions.
- Last 2 indicates which permission to subtract from default other’s permissions.
Default Permissions
● How does umask work?
● Assume that the umask is set to 027:
File default 667
Umask -027
Result 640

● The 027 umask means that, by default new files would receive 640 or rw-
r----- permissions:

sysadmin@localhost:~$ umask 027

sysadmin@localhost:~$ touch sample
sysadmin@localhost:~$ ls -l sample
-rw-r-----. 1 sysadmin sysadmin 0 Oct 28 20:14 sample