Talk presented by Kim Oldfield to the Linux Users of Victoria Inc. on Tuesday, December 2, 2003.
/home/username, but can be anywhere.
To find out your current username and uid, primary group an gid, and
additional groups you are a member of run
bash> id uid=1006(kim) gid=1006(kim) groups=1006(kim),4(adm),29(audio)
|Change the owner of file to user|
|Change file's owner to user and group to group.|
chown can only be used by root.
|Change file's group to group.|
All of these commands require that you are root. To become root from an
ordinary user run
su and enter the root password when
|Adds a users. You will be prompted for the username, password, full name, and other details.|
||Edit /etc/password. This locks the file, and does some sanity checking
on your changes before making them permanent. /etc/shadow can be edited with
||Create a new group. You will be prompted for the name.|
|Adds username to the group groupname|
||Edit /etc/group. This locks
the file, and does some sanity checking on your changes before making them
permanent. /etc/gshadow can be edited with |
Changes to group membership take place the next time you login.
bash> ls -l /etc/shadow -rw-r----- 1 root shadow 680 Nov 2 18:49 shadow
Each of these characters correspond to type, and permissions for the user, group, and others.
The first '-' indicates that this is a regular file.
'rw-' indicates that the owner of the file (root), is able to read an write to the file. The '-' indicates that root is not allowed to run the file.
'r--' indicates that anyone who is a member of the group 'shadow' is able to read to the file.
'---' indicates that anyone who is not root and not a member of the group 'shadow' (ie 'others') are not able to read or write to the file.
ls shows permissions as a 10 character string, for example
-rw-r--r--. The characters can be interpreted as
|UUU||Rights for the owner of the file|
|GGG||Rights for users in the group|
|OOO||Rights for others, not listed above|
T is one of:
Character and block devices are usually in /dev
The permissions on a symbolic link are always lrwxrwxrwx. This means that anyone can see where the links points. Who can read, write, or execute the file (or directory or device) the link points to is determined by the permissions on that file, not the link.
Each of the permission triplets, UUU, GGG, and OOO, can consist of:
|x||allows execution (*)|
|r||allows reading of files, size, etc|
|w||allows creating and deleting of files (see also t below)|
|x||allows access to files and directories below if you take away x that stops access to the directory, files, and all sub directories|
|Allow group to read|
|Allow user to write|
|Allow everyone (user, group, and other) to execute|
|Disallow others to read|
|Disallow others to read|
|Allow group write, disallow other read|
|Set user permissions to read and write.|
Add up the values for the rights required.
For example: converting rwxr-x--- to octal:
7 = 4+2+1 = r + w + x
5 = 4+1 = r + x (not write)
0 = no rights
So rwxr-x--- is 750 in octal.
Octal values can be given to
chmod 750 file
When run Unix executables can use the effective rights of a different user or group. This is shown by having an 's' rather than 'x'. For example:
bash> ls -l /bin/su -rw
sr-xr-x 1 root root 22904 Apr 27 2003 /bin/su
su is run it runs with the same rights as the user
Any program which is suid or sgid must be written very carefully to make sure that it can not be abused by malicious users to do things they shouldn't.
|Set the suid bit|
|Clear the suid bit|
|Set the sgid bit|
|Clear the sgid bit|
Set gid on a directory means that all new files and directories created in that directory will have the same group as that directory.
When set gid is not set on a directory then the group used for new files and directories is the default group for that user.
Does anyone know what suid on a directory does?
Normally (without 't') any user who has write permission to a directory can delete any files in the directory regardless of who owns it, even if they can't read or write to the file.
With 't' set, only the owner of a file can delete it.
This is used on /tmp
bash> ls -ld /tmp drwxrwxrw
t8 root root 4096 Nov 2 19:27 /tmp
|Set the sticky bit on a directory|
|Remove the sticky bit from a directory|
The logical not of your
umask is used as the default
permission for files or directories created by you.
A typical umask is 002, not(002) = 775 (in octal). 775 corresponds to rwxrwxr-x, or the owner and group can read, write, and execute, while others can only read or execute, but not run. Where the file isn't executable rw-rw-r-- will be used.
Most Linux distributions will configure a group for every user, eg my username is kim, and there is also a group kim, of which I am the only member. The default mask is 0002 so by default all files I create are group writable, but this isn't a problem as I'm the only person in the group.
If you have a group of people (eg staff) who you would like to be able to
write to a directory tree then change the base directory group to staff, and
chmod g+s. Assuming each user has a umask of 0002 then all
files and directories created will be writable by everyone in group.
|display current umask|
|set umask to 002|
For more information about any of the commands or files mentioned earlier see the appropriate man page. Note that most commands are in section 1 of the manual, while section 5 details file formats.
|View the man page for the passwd(1) command.|
|View the man page for the passwd(5) file.|
|View the all man pages for passwd.|
|View the man page for the chmod(1) command.|
This presentation is available from http://oldfield.wattle.id.au/luv/permissions.html