This section describes file security concepts and terminology needed to understand file security.
For each file, there are three classes of users:

- The file or directory owner, usually the user who created the file. The owner of a file can decide who has the right to read it, to write to it (make changes to it), or, if it is a command, to execute it.
- Members of a group.
- All others who are not the file or group owner.
Only the owner of the file or root can assign or modify file permissions.
Table 51-1 lists and describes the file permissions.
Table 51-1 File Permissions

| Symbol | Permission | Means Designated Users Can ... |
|---|---|---|
| r | Read | Can open and read the contents of a file. |
| w | Write | Can write to the file (modify its contents), add to it, or delete it. |
| x | Execute | Can execute the file (if it is a program or shell script), or run it with one of the exec(1) system calls. |
| - | Denied | Cannot read, write, or execute the file. |
These file permissions apply to special files such as devices, sockets, and named pipes (FIFOs), as they do to regular files.
For a symbolic link, the permissions that apply are those of the file the link points to.
Table 51-2 lists and describes the directory permissions.
Table 51-2 Directory Permissions

| Symbol | Permission | Means Designated Users Can ... |
|---|---|---|
| r | Read | List files in the directory. |
| w | Write | Add or remove files or links in the directory. |
| x | Execute | Open or execute files in the directory. Also can make the directory and the directories beneath it current. |
You can protect the files in a directory (and in its subdirectories) by disallowing access to that directory. Note, however, that the superuser has access to all files and directories on the system.
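The split between the directory r bit (listing names) and the x bit (opening a file whose name you already know) is easy to misread, so here is an added example, not part of the original guide, that demonstrates it. The script creates a scratch directory holding one world-readable file, applies a directory mode, and reports whether names can be enumerated and whether the known file can be opened. Run it as an ordinary user: as the text notes, the superuser passes every check regardless of mode.

```shell
#!/bin/sh
# Added example (not from the original guide): what the directory r and x
# bits each control. Uses only a scratch directory created with mktemp.

# can_list DIR -> prints yes if the directory's entries can be enumerated.
# Pathname expansion only needs readdir(), i.e. the r bit on the directory;
# when the directory cannot be read, the pattern is left unexpanded.
can_list() {
  for match in "$1"/*; do break; done
  if [ "$match" != "$1/*" ]; then echo yes; else echo no; fi
}

# can_open PATH -> prints yes if a file whose name is already known can be
# read; this needs the x (search) bit on every directory in the path.
can_open() {
  if cat -- "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# probe_dir MODE -> creates DIR/note (mode 644), sets MODE on DIR, prints
# "list=<yes|no> open=<yes|no>", then restores 700 and removes the scratch dir.
probe_dir() {
  mode=$1
  dir=$(mktemp -d) || return 1
  echo "constructed sample content" > "$dir/note"
  chmod 644 "$dir/note"
  chmod "$mode" "$dir"
  printf 'list=%s open=%s\n' "$(can_list "$dir")" "$(can_open "$dir/note")"
  chmod 700 "$dir"
  rm -rf -- "$dir"
}

# Walk the four combinations of the r and x bits (w is irrelevant here).
demo() {
  for m in 700 500 400 100 000; do
    printf 'directory mode %s: %s\n' "$m" "$(probe_dir "$m")"
  done
}

demo
```

For a non-root user the expected results are: 500 lists and opens, 400 lists but cannot open (names are visible, contents are not), 100 cannot list but does open a file whose name is known, and 000 does neither. This is why "hiding" a file by removing the directory's r bit alone is not protection: anyone who knows or guesses the name still reaches it through the x bit.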
When you create a file or directory, it has a default set of permissions. These default permissions are determined by the value of umask in the system file /etc/profile, or in your .cshrc or .login file. By default, the system sets the permissions on a text file to 666, granting read and write permission to user, group, and others, and to 777 on a directory or executable file.
The value assigned by umask is masked out of the default: every permission bit that is set in the umask is cleared from the mode of the new file or directory (for the usual values this works out the same as subtracting). This has the effect of denying permissions in the same way that chmod grants them. For example, while the command chmod 022 grants write permission to group and others, umask 022 denies write permission for group and others.
Table 51-3 shows some typical umask settings, and the effect on an executable file.
Table 51-3 umask Settings for Different Security Levels

| Level of Security | umask | Disallows |
|---|---|---|
| Permissive (744) | 022 | w for group and others |
| Moderate (740) | 027 | w for group, rwx for others |
| Moderate (741) | 026 | w for group, rw for others |
| Severe (700) | 077 | rwx for group and others |
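The following shell script is an added example, not part of the original guide. It applies the rule given above (bits set in the umask are cleared from the 666 or 777 default) to any umask value, then creates a real file and a real directory under each umask from Table 51-3 in a scratch directory and reads back the mode the system actually assigned, so the arithmetic can be checked against observed behaviour. The `mode_of` helper parses `ls -ld` rather than relying on a platform-specific `stat` option; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): effective permissions under umask.

# effective_mode DEFAULT UMASK -> octal mode a new object receives.
# DEFAULT is 666 for a plain file, 777 for a directory or executable;
# every bit set in UMASK is cleared from it. A leading 0 makes the shell
# read both values as octal.
effective_mode() {
  printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# mode_of PATH -> permission bits (e.g. 750) parsed from the symbolic
# field of ls -ld, which is the same on every Unix.
mode_of() {
  perm=$(ls -ld -- "$1" | cut -c2-10)        # e.g. rwxr-x---
  out=""
  for start in 1 4 7; do                      # user, group, others
    triple=$(printf '%s' "$perm" | cut -c"$start"-$((start + 2)))
    v=0
    case $triple in r??) v=$((v + 4)) ;; esac
    case $triple in ?w?) v=$((v + 2)) ;; esac
    case $triple in ??[xst]) v=$((v + 1)) ;; esac   # s/t: setuid/setgid/sticky plus x
    out="$out$v"
  done
  printf '%s\n' "$out"
}

# created_mode UMASK file|dir -> mode actually assigned to a new file or
# directory created under UMASK inside a scratch directory (removed after).
created_mode() {
  mask=$1
  kind=$2
  dir=$(mktemp -d) || return 1
  target=$dir/sample
  if [ "$kind" = dir ]; then
    (umask "$mask" && mkdir -- "$target")     # mkdir asks for 777
  else
    (umask "$mask" && : > "$target")          # creat() asks for 666
  fi
  mode_of "$target"
  rm -rf -- "$dir"
}

# Walk the umask values from Table 51-3 and compare rule with observation.
demo() {
  for mask in 022 027 026 077; do
    printf 'umask %s: file %s (rule %s), directory %s (rule %s)\n' "$mask" \
      "$(created_mode "$mask" file)" "$(effective_mode 666 "$mask")" \
      "$(created_mode "$mask" dir)"  "$(effective_mode 777 "$mask")"
  done
}

demo
```

The observed and computed values agree because umask is enforced by the kernel at creation time, for root as well as for ordinary users; only a default ACL on the parent directory, where the filesystem supports one, can change the outcome.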
A file can be one of six types. Table 51-4 lists the possible file types.
Table 51-4 File Types

| Symbol | Type |
|---|---|
| - | Text or program |
| d | Directory |
| b | Block special file |
| c | Character special file |
| p | Named pipe (FIFO) |
| l | Symbolic link |