ops102:permissions

Differences

This shows you the differences between two versions of the page.

Previous revision: ops102:permissions [2024/01/24 04:20] – [Linux File Permissions] chris
Current revision: ops102:permissions [2024/05/28 21:27] (current) – external edit 127.0.0.1
Line 6: Line 6:
 There are two broad categories of access controls applied to files and directories: There are two broad categories of access controls applied to files and directories:
   *  Discretionary Access Controls (DACs) - these are access controls that can be set to any value at the discretion of the users or administrators of the computer system.   *  Discretionary Access Controls (DACs) - these are access controls that can be set to any value at the discretion of the users or administrators of the computer system.
-  *  Mandatory Access Controls (MACs) - these are access controls that are applied across the entire system in a uniform way, and cannot be individually overridden by the users or administrators. An example of a Mandatory Access Control system is SELinux (security-enhanced Linux), a system originally developed by the National Security Agency of the US Federal Government and now part of the Linux Kernel (via KSM - Kernel Security Models). SELinux uses type enforcement and labelling of both resources (filesnetwork connections) and processes to determine whether a specific process should have access to a specific resource, and to deny access when it does not. SELinux is used in several operating systems, including Android, Fedora, CentOS, and Red Hat Enterprise Linux.+  *  Mandatory Access Controls (MACs) - these are access controls that are applied across the entire system in a uniform way, and cannot be individually overridden by the users or administrators. An example of a Mandatory Access Control system is SELinux (security-enhanced Linux), a system originally developed by the National Security Agency of the US Federal Government and now part of the Linux Kernel (via KSM - Kernel Security Modules). SELinux uses //type enforcement// and //labelling// of both resources (such as files and network connections) and processes (running programs) to determine whether a specific process should have access to a specific resource, and to deny access when it does not. SELinux is used in several operating systems, including Android, Fedora, CentOS, and Red Hat Enterprise Linux.
  
 In this OPS102 course, we will be looking only at DACs. In this OPS102 course, we will be looking only at DACs.
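Review bot: the acronym in the MAC bullet is still wrong after this change: the edit corrects "Kernel Security Models" to "Kernel Security Modules" but keeps "KSM", and the kernel framework that SELinux plugs into is LSM, Linux Security Modules, so the parenthetical should read "(via LSM - Linux Security Modules)". The other fixes on the same line (the missing "and" in "files and network connections", the gloss "(running programs)" for processes) are good.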
Line 19: Line 19:
  
   *  **User** -- the one user that owns the file   *  **User** -- the one user that owns the file
-  *  **Group** -- the group of users that is the group-owner of the file+  *  **Group** -- the group of users that owns the file
   *  **Other** -- every other user of the computer system   *  **Other** -- every other user of the computer system
  
 These communitities are presented in this order, so remember the sequence!: User - Group - Other (u g o) These communitities are presented in this order, so remember the sequence!: User - Group - Other (u g o)
 +
 +Note that each file has both an individual user and a group owner. The ''ls -l'' command shows the user and group owner in the third and fourth columns of output.
  
 ====  Permissions  ==== ====  Permissions  ====
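Review bot: typo in the unchanged context line "These communitities are presented in this order": should be "communities". The added sentence about the ''ls -l'' columns is correct (user owner in the third column, group owner in the fourth) and is a useful pointer for the examples that follow.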
Line 37: Line 39:
  
   *  **Read** -- the ability to //see// the names of the files and subdirectories within the directory. This is also called "search" permission.   *  **Read** -- the ability to //see// the names of the files and subdirectories within the directory. This is also called "search" permission.
-  *  **Write** -- the ability to create/delete files and subdirectories within the directory. +  *  **Write** -- the ability to create/delete/rename files and subdirectories within the directory. 
-  *  **eXecute** -- the ability to access files with the directory. If turned off, the files cannot be accessed, and metadata about each file (such as the owner, group owner, file length, permissions, and timestamps) cannot be accessed either. This is sometimes called //passthrough// permission.+  *  **eXecute** (**access**) -- the ability to access files with the directory. If turned off, the files cannot be accessed, and metadata about each file (such as the owner, group owner, file length, permissions, and timestamps) cannot be accessed either. You can think of this as **access** permission when applied to directories. This is sometimes called //passthrough// permission
 + 
 +If execute permission is enabled for a directory but read permission has not been enabled, the affected community cannot view a directory listing to determine filenames, but if they know the name of a file within that directory, they may still access it.  
 + 
 +If read permission is enabled for a directory but execute permission has not been enabled, the affected community can view the names of files in a directory (but only the names, not permissions, file size, ownership, or any other information), but they will have no access to use the files in any way. 
 + 
 +However, read and execute permission are almost always assigned to a directory together.
  
-If execute permission is enabled for directory but read permission has not been enabledthe affected community cannot view a directory listing to determine filenamesbut if they know the name of a file within that directorythey may still access it.+In order to access file, a user must have execute permission on __all__ of the directories from the root directory to the directory containing the file. For exampleon the file ''/home/jdoe/ops102/practice/info.txt''a user must have execute permission on all four directories (home, jdoe, ops102, practice) to access the file.
  
-In order to access a file, a user must have execute permission on __all__ of the directories from the root directory to the directory containing the file. For example, on the file ''/home/jdoe/ops102/practice/info.txt'', the user must have execute permission on all four directories (home, jdoe, ops102, practice) to access the file. 
  
 ====  Viewing Permissions  ==== ====  Viewing Permissions  ====
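Review bot: the Read bullet (unchanged context) says read "is also called search permission", but search permission is the conventional name for execute on a directory, which is exactly what the edited eXecute bullet describes as "access" and "passthrough"; move that phrase to the eXecute bullet. In the same bullet "access files with the directory" should be "within the directory", and the sentence ending "passthrough permission" lost its full stop. In the moved paragraph about ''/home/jdoe/ops102/practice/info.txt'', the count of four directories omits the root directory itself: execute is needed on ''/'' as well, so five directories (/, home, jdoe, ops102, practice); the ''ls -l -d /'' output later on this page (''dr-xr-xr-x'') is why that requirement is normally satisfied without anyone noticing.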
Line 58: Line 65:
 <code> <code>
  rw-   the user who owns the file has read and write permission  rw-   the user who owns the file has read and write permission
- r--   the group has read permission+ r--   the group that owns the file has read permission
  r--   others have read permission</code>  r--   others have read permission</code>
  
Line 91: Line 98:
  $ ls -l -d /      # displays the root directory itself  $ ls -l -d /      # displays the root directory itself
  dr-xr-xr-x. 19 root root 4096 Sep  4 15:05 /</code>  dr-xr-xr-x. 19 root root 4096 Sep  4 15:05 /</code>
 +
 +You can also view permissions as an [[#using_numeric_mode|octal number]] using the ''stat'' command - note the value marked "Access":
 +
 +<code>
 +$ stat /etc/hosts
 +  File: /etc/hosts
 +  Size: 386        Blocks: 8          IO Block: 4096   regular file
 +Device: 253,0 Inode: 4194708     Links: 1
 +Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
 +Context: system_u:object_r:net_conf_t:s0
 +Access: 2024-01-23 16:29:33.807860342 -0500
 +Modify: 2022-11-27 10:26:24.000000000 -0500
 +Change: 2023-05-30 03:00:51.739043061 -0400
 + Birth: 2023-05-30 03:00:51.738043061 -0400</code>
  
 ====  Setting Permissions  ==== ====  Setting Permissions  ====
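Review bot: the lead-in says to note the value marked "Access", but the ''stat'' output has two "Access:" lines; say the first one, where the mode appears in parentheses as ''(0644/-rw-r--r--)'' with the octal and symbolic forms side by side. ''stat -c %a /etc/hosts'' prints just the octal mode and is worth a mention for scripting. The ''Context:'' line (''system_u:object_r:net_conf_t:s0'') is the SELinux label described in the MAC paragraph at the top of the page; one sentence saying so would connect the two, since the page otherwise only says SELinux is out of scope.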
Line 100: Line 121:
 In either case, the command accepts the mode as the first positional argument, and the filename(s) (or patterns) as the remaining positional arguments: In either case, the command accepts the mode as the first positional argument, and the filename(s) (or patterns) as the remaining positional arguments:
  
-<code> +''chmod //mode// //filename// ...''
- chmod //mode// //filename// <nowiki>[[...]]</nowiki></code>+
  
 ===  Using Symbolic Mode  === ===  Using Symbolic Mode  ===
Line 118: Line 138:
  + (add permissions)  + (add permissions)
  - (remove permissions)  - (remove permissions)
-======  (set permissions)</code>+ = (set permissions)</code>
  
 The difference between +/- and = is that +/- will add or remove the specified permissions while leaving other permissions unchanged, while = will explicitly set the permissions to exactly the value specified. The difference between +/- and = is that +/- will add or remove the specified permissions while leaving other permissions unchanged, while = will explicitly set the permissions to exactly the value specified.
  
-This is followed zero or more of these letters, representing permissions:+This is followed by zero or more of these letters, representing permissions:
  
 <code> <code>
Line 129: Line 149:
  x (execute - note that this is lowercase)  x (execute - note that this is lowercase)
  X (execute if applied to a directory, or nothing if applied to a file -- note that this is UPPERCASE)</code>  X (execute if applied to a directory, or nothing if applied to a file -- note that this is UPPERCASE)</code>
 +
 +Therefore the symbolic notation ''g+rx'' instructs chmod to add read and execute permission to the group community, and ''a-w'' instructs chmod to remote write permission from all of the communities (user, group, and other).
  
 Here is an example: Here is an example:
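Review bot: typo in the added sentence: "instructs chmod to remote write permission" should be "remove". The description of ''X'' in the unchanged context, "execute if applied to a directory, or nothing if applied to a file", is incomplete: ''X'' also grants execute on a file that already has execute permission for at least one of user, group or other, which matters for the recursive ''-R'' usage shown later on the page.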
Line 236: Line 258:
  $ ls -l example001  $ ls -l example001
  -rw-r-----. 1 chris chris 0 Sep 26 11:45 example001</code>  -rw-r-----. 1 chris chris 0 Sep 26 11:45 example001</code>
 +
 +=== Recursively Setting Permissions ===
 +
 +It is sometimes useful to use the chmod ''-R'' option to recursively set all the permissions on a directory and all of its contents. However, it is quite common to need to set execute permissions on directories but not on files. You can indicate this to ''chmod'' using a capital X for the execute permission.
 +
 +  # Don't do this! It will set Execute permission on files and directories.
 +  chmod -R go+rx publicdir
 +  
 +  # Instead, do this: it will set Execute permission on directories only, and not on files
 +  # (Notice the capital X in the symbolic permissions)
 +  chmod -R go+rX publicdir
 +
 +=== Other useful chmod Options ===
 +
 +<code>
 +  -v    Verbose: show information about each file processed (whether changed or not)
 +  -c    Changes: show information about each change made (no output for unchanged files)</code>
  
 ====  Controlling Permissions on New Files and Directories  ==== ====  Controlling Permissions on New Files and Directories  ====
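Review bot: the comment "it will set Execute permission on directories only, and not on files" overstates what ''go+rX'' does: files that already carry an execute bit for the owner also receive execute for group and other. That is usually what you want for a shared script, but the text should say so rather than "not on files". The first example is labelled "Don't do this!" without saying why; add that ''go+rx'' would mark every ordinary file as executable, which is not a permission a data file should carry. The ''-v''/''-c'' list is fine, but this section mixes the indented-code syntax (recursive example) with a ''<code>'' block (options); pick one for the section.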
Line 245: Line 284:
   -  The modes prohibited by the umask value.   -  The modes prohibited by the umask value.
  
-For example, a umask value of 0022 represents the permissions ''----w--w-'' (write permission for group and other). Therefore, any new files or directories will be created //without// these permissions.+For example, a umask value of 0022 represents the permissions ''----w--w-'' (write permission for group and other). Therefore, any new files or directories will be created //without// these permissions. This is the default permission on Matrix.
  
 The umask value can be viewed or set with the ''umask'' command.  The umask value can be viewed or set with the ''umask'' command. 
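Review bot: "This is the default permission on Matrix" should say "the default umask value on Matrix": 0022 is a mask, not a permission, and the preceding sentence has just explained that it denotes permissions withheld rather than granted.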
Line 266: Line 305:
  -rw-r-----. 1 chris chris 0 Sep 26 11:55 testfile0027</code>  -rw-r-----. 1 chris chris 0 Sep 26 11:55 testfile0027</code>
  
-Note that the umask value is specific to the process that is currently running, and it inherited by child processes. That means that if you're using multiple shells (perhaps in multiple windows), each shell's umask value is specific to that shell, and changing it will not affect the other active shells. However, any command or program that you run from that shell will inherit the umask value. In a future topic in this course, we'll look at how to set up umask value so that it is applied to every new shell.+To ensure that no one else has __any__ access to new files and directories that you create on Matrix (unless you change the permission mode of the file after it is created), set your umask to 0077: ''umask 0077'' 
 + 
 +Note that the umask value is specific to the process that is currently running, and it inherited by child processes. That means that if you're using multiple shells (perhaps in multiple windows), each shell's umask value is specific to that shell, and changing it will not affect the other active shells. However, any command or program that you run from that shell will inherit the umask value. You can set the default umask value for all future bash sessions by placing a umask command into your ''~/.bashrc'' file. 
 + 
 +**Warning:** be __extremely__ careful editing your ''~/.bashrc'' file, since an error may prevent you from logging in to your Matrix account. Always stay logged in to Matrix on one terminal while using second terminal to confirm that you are able to successfully log in to the system. If you are not able to login, fix the problem using the first terminal and then re-test.
  
 ====  Special Permissions  ==== ====  Special Permissions  ====
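Review bot: both versions of the inheritance paragraph have "and it inherited by child processes"; should be "it is inherited". The new ''~/.bashrc'' advice is sound; it would help to add ''bash -n ~/.bashrc'' as a syntax check before the second-terminal login test, and to say that a umask set in ''~/.bashrc'' only takes effect in bash shells that read that file, so the ''umask 0077'' recommendation above should be verified with ''umask'' in a fresh login shell.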
Line 274: Line 317:
 There are three additional, "special" permissions: There are three additional, "special" permissions:
  
-  *  Set User ID (SUID) - when applied to an executable program file, this permission changes the effective user ID from the user executing the file to the owner of the file for the duration of the process. For example, if a user ''jdoe'' executes the ''passwd'' command (which is owned by the ''root'' user and has the Set User ID permission enabled), the effective user ID is temporarily changed to ''root'' while that command is executing. This enables the ''passwd'' command to change the user's password in the ''/etc/shadow'' file, which they otherwise do not have access to. +  * **Set User ID (SUID)** - when applied to an executable program file, this permission changes the effective user ID from the user executing the file to the owner of the file for the duration of the process. For example, if a user ''jdoe'' executes the ''passwd'' command (which is owned by the ''root'' user and has the Set User ID permission enabled), the effective user ID is temporarily changed to ''root'' while that command is executing. This enables the ''passwd'' command to change the user's password in the ''/etc/shadow'' file, which they otherwise do not have access to. 
-  *  Set Group ID (SGID) - when applied to an executable program file, this permission is similar to SUID, but it changes the effective group ID instead of the effective user ID. When applied to a directory, this causes all newly-created files and directories with that directory to be owned by the same group that owns the directory. For example, if the directory ''/var/www/html/'' is owned by the group ''website'', then any file or directory created within ''/var/www/html/'' will automatically be owned by the group ''website'' instead of the group of the person creating the file. +  * **Set Group ID (SGID)** - when applied to an executable program file, this permission is similar to SUID, but it changes the effective group ID instead of the effective user ID. When applied to a directory, this causes all newly-created files and directories with that directory to be owned by the same group that owns the directory. For example, if the directory ''/var/www/html/'' is owned by the group ''website'', then any file or directory created within ''/var/www/html/'' will automatically be owned by the group ''website'' instead of the group of the person creating the file. 
-  *  Sticky bit (t) - when applied to a directory, any file within that directory may be renamed or deleted only by the owner of the file, by the owner of the directory, or by a privileged process (for example, ''root'', the master system administrator), regardless of any other permissions that might be set. The system's temporary directoriers (''/tmp'' and ''/var/tmp'') have this turned on.+  * **Sticky bit (t)** - when applied to a directory, any file within that directory may be renamed or deleted only by the owner of the file, by the owner of the directory, or by a privileged process (for example, ''root'', the master system administrator), regardless of any other permissions that might be set. The system's temporary directoriers (''/tmp'' and ''/var/tmp'') have this turned on.
  
 These permissions are represented in the ''ls -l'' output as modifications of the 'x' character: These permissions are represented in the ''ls -l'' output as modifications of the 'x' character:
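Review bot: typos in the unchanged text of the SGID and sticky-bit bullets survive this change: "files and directories with that directory" should be "within that directory", and "temporary directoriers" should be "directories". The bolding of the three names is an improvement. One precision point for the SUID bullet: it is the effective user ID that changes, as stated, while the real user ID stays the caller's, which is how ''passwd'' knows whose entry to edit; half a sentence on that would stop readers thinking the process simply becomes root.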
Line 310: Line 353:
  drwxrwxrwt. 26 root root   600 Sep 26 12:21 /tmp  drwxrwxrwt. 26 root root   600 Sep 26 12:21 /tmp
  -rwsr-xr-x.  1 root root 32760 Jan 18  2023 /usr/bin/passwd</code>  -rwsr-xr-x.  1 root root 32760 Jan 18  2023 /usr/bin/passwd</code>
 +
 +==== Securing Your Account ====
 +
 +There are two ways to secure your account on Matrix:
 +
 +1. If you do not want to share //any// of your files with other users, you can disable access to your home directory by turning off all permissions for the group and other communities. The command ''chmod go=  ~'' will set this. Since this turns off access permission to that directory, other users will not be able to access any of the files within your home directory, regardless of the permission on the individual file.
 +
 +2. If you want to share access to //some// of your files with other users, turn on the appropriate permissions for group and/or other users, and use the ''umask'' to limit the permissions on new files and directories.
 +
 +For example, you might:
 +
 +  * Start by turning off all permissions on the files and directories that are currently in your home directory:
 +
 +  chmod -r go= ~/*
 +
 +  * Create a directory of files you wish to share, called ''~/public''. Set the permission on this directory so that group and others can access it:
 +
 +  mkdir ~/public
 +  chmod go=rx ~/public
 +
 +  * Place any files that you want to share in the ''~/public'' directory and set appropriate permissions:
 +
 +  cp anyFilesYouWantToShare ~/public
 +  chmod go=r ~/public
 +
 +  * Set up you umask so that, by default, other users have no access to any new files you create (place this in your ''~/.bashrc'' file to ensure that it is applied to all new bash shells that you start in the future):
 +
 +  umask 0077
 +
 +  * Ensure that users can access your ''~/public'' directory through your home directory:
 +
 +  chmod go=rx ~
 +  
  
 =====  Access Control Lists  ===== =====  Access Control Lists  =====
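Review bot: the first command in the worked example, ''chmod -r go= ~/*'', does not do what the bullet says: the recursive option is capital ''-R'', and GNU chmod reads a leading ''-r'' as the mode "remove read permission", so this would not recurse, would treat ''go='' as a file name, and would strip read permission from the top-level entries instead. It should be ''chmod -R go= ~/*'', with a note that ''~/*'' does not match dotfiles such as ''~/.ssh'' or ''~/.bashrc''. Second, ''chmod go=r ~/public'' after copying files changes the directory, not the files: ''='' replaces the ''rx'' set one step earlier with ''r'' alone, which removes access to the directory; the intended command is ''chmod go=r ~/public/*''. Third, "Set up you umask" should be "your". Finally, the closing ''chmod go=rx ~'' lets every user list your home directory; ''chmod go=x ~'' is enough for them to reach ''~/public'' by name while keeping the listing private, which is the more restrictive choice for a section titled "Securing Your Account".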
ops102/permissions.1706070014.txt.gz · Last modified: 2024/04/16 18:10 (external edit)
