File & folder security is a big part of any operating system and Linux is no exception!
These permissions allow you to choose exactly who
can access your files and folders, providing an overall enhanced security
system. This is one of the major weaknesses in the older Windows operating
systems where, by default, all users can see each other's files (Windows 95,
98, Me).
For the more superior versions of the Windows
operating system such as NT, 2000, XP and 2003 things look a lot safer as they
fully support file & folder permissions, just as Linux has since the
beginning.
Together, we'll now examine a directory listing
from our Linux lab server, to help us understand the information provided.
While a simple 'ls' will give you the file and directory listing within a given
directory, adding the flag '-l' will reveal a number of new fields that we are
about to take a look at:
It's possible that most Linux users have seen
similar information regarding their files and folders and therefore should feel
pretty comfortable with it. If on the other hand you happen to fall in to the
group of people who haven't seen such information before, then you either work
too much in the GUI interface of Linux, or simply haven't had much experience
with the operating system :)
Whatever the case, don't disappear - it's easier
than you think!!
So what does all this output mean ? Especially all those 'rwx' lines?!
Let's start from scratch, analysing the
information in the previous screenshot.
Note that the date and time column will not
always display in the format shown. If the file or directory it refers to was
created in a year different from the current one, it will then show only the
date, month and year, discarding the time of creation.
For example, if the file 'dirlist.txt' was
created on the 27th of July, 2004, then the system would show:
Jun 27 2004 dirlist.txt
instead of
Jun 27 11:28 dirlist.txt
A small but important note when examining files
and folders! Lastly, the date will change when modifying the file. As such, if
we edited a file created last year, then the next time we typed 'ls -l', the
file's date information would change to today's date. This is a way you can
check to see if files have been modified or tampered with.
The next column (purple) contains the file size in bytes - again nothing
special here.
The owner might belong to a particular group, in
which case this file is also associated with the user's group. In our example,
the left column labeled 'User' refers to the actual user that owns the file,
while the right column labeled 'group' refers to the group the file belongs to.
Looking at the file named 'dirlist.txt', we can
now understand that it belongs to the user named 'root' and group named 'sys'.
Following the permissions is the column with the cyan
border in the listing.
The system identifies files by their inode
number, which is the unique file system identifier for the file. A directory is
actually a listing of inode numbers with their corresponding filenames. Each
filename in a directory is a link to a particular inode.
Links let you give a single file more than one name. Therefore, the numbers
indicated in the cyan column specifies the number of links to
the file.
As it turns out, a directory is actually just a
file containing information about link-to-inode associations.
Next up is a very important column, that's the first one on the left
containing the '-rwx----w-' characters. These are the actual permissions set
for the particular file or directory we are examining.
To make things easier, we've split the
permissions section into a further 4 columns as shown above. The first column
indicates whether we are talking about a directory (d), file (-) or link (l).
In the newer Linux distributions, the system will
usually present the directory name in colour, helping it to stand out from the
rest of the files. In the case of a file, a dash (-) or the letter 'f' is used,
while links make the use of the letter 'l' (l). For those unfamiliar with
links, consider them something similar to the Windows shortcuts.
Column 2 refers to the user rights. This is the
owner of the file, directory or link and these three characters determine what
the owner can do with it.
The 3 characters on column 2 are the permissions for the owner (user
rights) of the file or directory. The next 3 are permissions for the group
that the file is owned by and the final 3 characters define the access
permissions for the others group, that is, everyone else not
part of the group.
So, there are 3 possible attributes that make up
file access permissions:
r - Read permission. Whether the file may be read. In the
case of a directory, this would mean the ability to list the contents of the
directory. w - Write permission. Whether the file may be written to or modified. For a directory, this defines whether you can make any changes to the contents of the directory. If write permission is not set then you will not be able to delete, rename or create a file.
x - Execute permission.
Whether the file may be executed. In the case of a directory, this attribute
decides whether you have permission to enter, run a search through that
directory or execute some program from that directory.
|
Let's take a look at another example:
The group permissions are r-x. Notice there is no write permission given here so while members of the group sys can look at the directory and list its contents, they cannot create new files or sub-directories. They also cannot delete any files or make changes to the directory content in any way.
Lastly, no one else has any access because the access attributes for others are ---.
If we assume the permissions are drw-r--r-- you see that the owner of the directory (david) can list and make changes to its contents (Read and Write access) but, because there is no execute (x) permission, the user is unable to enter it! You must have read and execute (r-x) in order to enter a directory and list its contents. Members of the group sys have a similar problem, where they seem to be able to read (list) the directory's contents but can't enter it because there is no execute (x) permission given!
Lastly, everyone else can also read (list) the directory but is unable to enter it because of the absence of the execute (x) permission.
Here are some more examples focusing on the
permissions:
-r--r--r-- :This means that owner, group
and everyone else has only read permissions to the file
(remember, if there's no 'd' or 'l', then we
are talking about a file).Modifying Ownership & Permissions
So how do you change permissions or change the
owner of a file?
Changing the owner or group owner of a file is very simple, you just type 'chown
user:group filename.ext', where 'user' and 'group' are those to whom
you want to give ownership of the file. The 'group' parameter is optional, so
if you type 'chown david file.txt', you will give
ownership of file.txt to the user named david.In the case of a directory, nothing much changes as the same command is used. However, because directories usually contain files that also need to be assigned to the new user or group, we use the '-R' flag, which stands for 'recursive' - in other words all subdirectories and their files: 'chown -R user:group dirname'.
To change permissions you use the 'chmod'
command. The possible options here are 'u' for the user,
'g' for the group, 'o' for other,
and 'a' for all three. If you don't specify
one of these letters it will change to all by default. After this you specify
the permissions to add or remove using '+' or '-'
. Let's take a look at an example to make it easier to understand:
If we wanted to add read, write and execute to the user of a particular
file, we would type the following 'chmod u+rwx file.txt'.
If on the other hand you typed 'chmod g-rw file.txt' you will
take away read and write permissions of that file for the group .
While it's not terribly difficult to modify the
permissions of a file or directory, remembering all the flags can be hard.
Thankfully there's another way, which is less complicated and much faster. By
replacing the permissions with numbers, we are able to calculate the required
permissions and simply enter the correct sum of various numbers instead of the
actual rights.
The way this works is simple. We are aware of
three different permissions, Read (r), Write
(w) and Execute (x). Each of
these permissions is assigned a number as follows:
r (read) - 4w (write) - 2
x (execute) - 1
Now, to correctly assign a permission, all you need to do is add up the level you want, so if you want someone to have read and write, you get 4+2=6, if you want someone to have just execute, it's just 1.. zero means no permissions. You work out the number for each of the three sections (owner, group and everyone else).
r, w, x Permissions
|
Calculated Number
|
---
|
0
|
--x
|
1
|
-w-
|
2
|
-wx
|
3 (2+1)
|
r--
|
4
|
r-x
|
5 (4+1)
|
rw-
|
6 (4+2)
|
rwx
|
7 (4+2+1)
|
If you want to give full access to the owner, only read and execute to the group, and only execute to everyone else, you'd work it out like this :
group: r-x = 4 + 0 + 1 = 5
everyone: --x = 0 + 0 + 1 = 1
So your number will be 751, 7 for owner, 5 for group, and 1 for everyone. The command will be 'chmod 751 file.txt'. It's simple isn't it ?
If you want to give full control to everyone
using all possible combinations, you'd give them all 'rwx' which equals to the
number '7', so the final three digit number would be '777':
For more details on the 'chmod' command, please
take a look at the man pages.
As we will see soon, the correct combination of
user and group permissions will allow us to perform our work while keeping our
data safe from the rest of the world.
For example in order for a user or group to enter a directory, they must
have at least read (r) and execute
(x) permissions on the directory, otherwise access to it is
denied:Now, what we did is alter the permission so 'everyone' has at least read and execute permissions so they are able to enter the folder - let's check it out:
The world of Linux permissions is pretty user
friendly as long as you see from the right perspective :) Practice and
reviewing the theory will certainly help you remember the most important
information so you can perform your work without much trouble.
If you happen to forget something, you can always
re-visit us - any time of the day!
Continuing on to our last page, we will provide
you with a few links to some of the world's greatest Linux resources, covering
Windows to Linux migration, various troubleshooting techniques, forums and much
more that will surely be of help.