OpenWindows Advanced User's Guide

3.6 File and Directory Security


Note -

Read this section carefully. A clear understanding of file permissions is often important in day-to-day work.


File permissions help to protect files and directories from unauthorized reading and writing. Often you will have files you wish to allow others to read but not change. In other cases, you may have executable files (programs) to share. File permissions allow you to control access to your files.

These are the basic file and directory permission types:

There are three categories of users for which you can set permissions:

3.6.1 Displaying Permissions and Status (ls -l)

You have already used the ls command to list files. The ls command has many options. Use the -l option to display a long format list. Files and directories are listed in alphabetical order. Figure 3-2 illustrates this method for displaying files:

Figure 3-2 Displaying Permissions and Status (figure not reproduced in this text)

The very first character on the line indicates the file type. A dash (-) is an ordinary file; a d indicates a directory, and other characters can indicate other special file types.

The next nine characters indicate the permissions for the file or directory. The nine characters consist of three groups of three, showing the permissions for the owner, the owner's group, and the world, respectively. The permissions for emptyfile are rw-r--r--, indicating that the owner can read and write this file, everyone can read it, and no one can execute it. The permissions for the directory veggies2 are rwxr-xr-x, indicating that everyone has read and execute permissions, but only the owner can write to it.

In addition to file permissions, the display shows the following information:

where dirname is the name of an actual directory within your file system. When you give the name of a directory, the ls -l command prints information on all the files and directories (if any) within that directory.

3.6.2 Listing "Hidden" Files (ls -a)

There are some files that are not listed by the ordinary ls command. These files have names beginning with the character . (called "dot"), such as .cshrc, .login and .profile. Use the ls -a command to list these dot files:

$ ls -a
.
..
.cshrc
.login
.profile
emptyfile

Notice that the files beginning with . are listed before the other files. There are two special files in this listing: the file . is the reference for the current directory, and the file .. is the reference for the parent directory.

Generally speaking, files that begin with . are used by system utilities and are not usually modified by the user. There are a few exceptions to this.

3.6.3 Changing Permissions (chmod)

Use the chmod command to change permissions for a file or directory. You must be the owner of a file or directory, or have root access, to change its permissions. The general form of the chmod command is:

chmod permissions name

where permissions indicates the permissions to be changed and name is the name of the affected file or directory.

The permissions can be specified in several ways. Here is the form that is easiest to use:

  1. Use one or more letters indicating the users involved:

    • u (for the user)

    • g (for group)

    • o (for others)

    • a (for all three of the above categories)

  2. Indicate whether the permissions are to be added (+) or removed (-).

  3. Use one or more letters indicating the permissions involved:

    • r (for read)

    • w (for write)

    • x (for execute)

In the following example, write permission is added to the directory carrots for users belonging to the same group (thus, permissions is g+w and name is carrots):

$ ls -l carrots
drwxr-xr-x  3 user2           1024 Feb 10 11:15 carrots
$ chmod g+w carrots
$ ls -l carrots
drwxrwxr-x  3 user2           1024 Feb 10 11:15 carrots
$

As you can see, the hyphen (-) in the set of characters for group is changed to a w as a result of this command.

To make this same directory unreadable and unexecutable by other users outside your group (permissions is o-rx), you would enter the following:

$ ls -l carrots
drwxrwxr-x  3 user2           1024 Feb 10 11:15 carrots
$ chmod o-rx carrots
$ ls -l carrots
drwxrwx---  3 user2           1024 Feb 10 11:15 carrots
$

Now, the r (for read) and the x (for execute) in the set of characters for other users are both changed to hyphens (-).

When you create a new file or directory, the system automatically assigns permissions.

In general, the default settings for new files are:

-rw-r--r--

and for new directories are:

drwxr-xr-x

So, to make a new file turnip executable by its owner (user2), you would enter the following:

$ ls -l turnip
-rw-r--r--  3 user2           1024 Feb 10 12:27 turnip
$ chmod u+x turnip
$ ls -l turnip
-rwxr--r--  3 user2           1024 Feb 10 12:27 turnip
$

If you want to affect all three categories of users at once, use the letter a (for all) in place of u, g or o. To make a new file garlic executable by everyone, you would enter the following:

$ ls -l garlic
-rw-r--r--  3 user2           1024 Feb 10 11:31 garlic
$ chmod a+x garlic
$ ls -l garlic
-rwxr-xr-x  3 user2           1024 Feb 10 11:31 garlic
$

As a result, the x indicator appears in all three categories.

You can also change permissions for groups of files and directories using the * wildcard character. For example, you would enter the following to change the permissions for all the files in the current directory veggies so that the files can be written by you alone:

$ pwd
/home/user2/veggies
$ ls -l
-rwxrwxrwx  3 user2          21032 Feb 12 10:31 beats
-rwxrwxrwx  2 user2             68 Feb 10 11:09 corn
-rwxrwxrwx  3 user2          12675 Feb 08 09:31 garlic
-rwxrwxrwx  1 user2           1024 Feb 14 16:38 onions
$ chmod go-w *
$ ls -l
-rwxr-xr-x  3 user2          21032 Feb 12 10:31 beats
-rwxr-xr-x  2 user2             68 Feb 10 11:09 corn
-rwxr-xr-x  3 user2          12675 Feb 08 09:31 garlic
-rwxr-xr-x  1 user2           1024 Feb 14 16:38 onions
$

The pwd command is included in this example to illustrate that the directory on which you perform this chmod operation must be the current directory.

3.6.4 Setting Absolute Permissions

Up to this point, the discussion on permissions has only included using the chmod command to change permissions relative to their current settings. Using a different form of the chmod command, which applies numeric codes to specify permissions, you can set the permissions for a file or directory absolutely.

The syntax for this usage of the chmod command is:

chmod numcode name

where numcode is the numeric code and name is the name of the file or directory for which you are changing permissions.

The complete numeric code consists of three numbers. One number is used for each of the three categories: user, group, and others. For example the following command sets absolute read, write, and execute permissions for the user and the group, and execute permissions only for others:

$ chmod 771 garlic

Table 3-1 illustrates how the permissions described for garlic are represented by the code 771.

Table 3-1 Permissions for garlic

Permission   User   Group   Others
Read         4      4       -
Write        2      2       -
Execute      1      1       1
Total        7      7       1

Each of the columns in Table 3-1 represents one of the categories: user, group, and others. To set read permissions, you add 4 to the appropriate column. To set write permissions, you add 2. To set execute permissions, you add 1. The totals of the three columns in the last row of the table, read left to right, form the complete numeric code.

The following is another example of this method for setting absolute permissions, with the ls -l command included to demonstrate the results:

$ ls -l onion
-rw-r--r--  3 user2           1024 Feb 10 11:46 onion
$ chmod 755 onion
$ ls -l onion
-rwxr-xr-x  3 user2           1024 Feb 10 11:48 onion
$

The permissions for the file onion are set so that the user can read, write, and execute; group members can read and execute; and others can also read and execute. Table 3-2 provides the breakdown of the numeric code used to set the permissions for onion.

Table 3-2 Permissions for onion

Permission   User   Group   Others
Read         4      4       4
Write        2      -       -
Execute      1      1       1
Total        7      5       5

Of course, to provide read, write, and execute permissions for the file cabbage to yourself, your group, and all other users, you would enter the following:

$ ls -l cabbage
-rw-r--r--  3 user2           1024 Feb 10 11:51 cabbage
$ chmod 777 cabbage
$ ls -l cabbage
-rwxrwxrwx  3 user2           1024 Feb 10 11:53 cabbage
$

Table 3-3 provides the breakdown for this example.

Table 3-3 Permissions for cabbage

Permission   User   Group   Others
Read         4      4       4
Write        2      2       2
Execute      1      1       1
Total        7      7       7

The numeric code 777 represents the maximum level of permissions you can provide.

Similar to changing relative permissions, you can also use the wildcard character * to set absolute permissions for all the files in the current directory. For example, to set absolute permissions for all files in the current directory veggies so that you have read, write, and execute permissions; your group has read and execute permissions; and all other users have execute permissions only, you would enter the following:

$ pwd
/home/user2/veggies
$ ls -l
-rwxrwxrwx  3 user2          21032 Feb 12 10:31 beats
-rwxrwxrwx  2 user2             68 Feb 10 11:09 corn
-rwxrwxrwx  3 user2          12675 Feb 08 09:31 garlic
-rwxrwxrwx  1 user2           1024 Feb 14 16:38 onions
$ chmod 751 *
$ ls -l
-rwxr-x--x  3 user2          21032 Feb 12 10:31 beats
-rwxr-x--x  2 user2             68 Feb 10 11:09 corn
-rwxr-x--x  3 user2          12675 Feb 08 09:31 garlic
-rwxr-x--x  1 user2           1024 Feb 14 16:38 onions
$

The pwd command is included in this example to illustrate that the directory on which you perform this operation must be the current directory. The ls -l command is shown only to illustrate the changes in permissions. When setting absolute permissions, it is not necessary to know what the permissions are currently.
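The following POSIX shell script is an added example, not part of the OpenWindows guide: it converts between the nine permission characters that ls -l prints (Section 3.6.1) and the three-digit numeric code taken by chmod (Section 3.6.4), and then applies the absolute form followed by the relative g/o form from Section 3.6.3 to a file created in a temporary directory. The function names and the temporary file are assumptions of this demonstration.

```shell
# Added example (not from the OpenWindows guide): convert between the nine
# permission characters printed by ls -l and the numeric code taken by
# "chmod numcode name", and apply both chmod forms to a constructed file.

# perm_to_octal rwxr-x--x -> 751  (read adds 4, write 2, execute 1 per column)
perm_to_octal() {
    p=$1
    [ "${#p}" -eq 9 ] || { echo "need nine characters, e.g. rwxr-xr-x" >&2; return 1; }
    out=""
    for i in 1 4 7; do                       # owner, group, others
        trip=$(printf '%s' "$p" | cut -c "$i-$((i + 2))")
        n=0
        case $trip in r??) n=$((n + 4)) ;; esac
        case $trip in ?w?) n=$((n + 2)) ;; esac
        case $trip in ??x) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# octal_to_perm 755 -> rwxr-xr-x  (each digit is tested bit by bit)
octal_to_perm() {
    code=$1
    case $code in [0-7][0-7][0-7]) ;; *) echo "need three digits 0-7" >&2; return 1 ;; esac
    out=""
    for i in 1 2 3; do
        d=$(printf '%s' "$code" | cut -c "$i")
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# mode_of FILE -> the nine permission characters from ls -ld (type column dropped)
mode_of() { ls -ld "$1" | cut -c 2-10; }

# Set absolute permissions first, then remove write from group and others
# with the relative form, and report the mode after each step.
chmod_demo() {
    dir=$(mktemp -d)
    : > "$dir/garlic"                        # constructed file, like the guide's garlic
    chmod 771 "$dir/garlic"                  # absolute: user rwx, group rwx, others x
    before=$(mode_of "$dir/garlic")
    chmod go-w "$dir/garlic"                 # relative: g-w and o-w in one step
    after=$(mode_of "$dir/garlic")
    rm -rf "$dir"
    printf '%s %s\n' "$before" "$after"      # rwxrwx--x rwxr-x--x
}
```

Calling chmod_demo prints the mode after the absolute step and after the relative step, so the two forms can be compared on the same file.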

For more information on the chmod(1) command, refer to the man Pages(1): User Commands.