
Introduction to Unix file permissions

Talk presented by Kim Oldfield to the Linux Users of Victoria Inc. on Tuesday, December 2, 2003.

Basic attributes of a file

Users

To find out your current username and uid, primary group and gid, and the additional groups you are a member of, run id.

bash> id
uid=1006(kim) gid=1006(kim) groups=1006(kim),4(adm),29(audio)
Commands
chown user file Change the owner of file to user
chown user.group file Change file's owner to user and group to group.

chown can only be used by root.

Groups

Commands
chgrp group file Change file's group to group.

Adding users or groups

All of these commands require that you are root. To become root from an ordinary user run su and enter the root password when prompted.

Commands
adduser Adds a user. You will be prompted for the username, password, full name, and other details.
vipw Edit /etc/passwd. This locks the file, and does some sanity checking on your changes before making them permanent. /etc/shadow can be edited with vipw -s
addgroup Create a new group. You will be prompted for the name.
adduser username groupname Adds username to the group groupname
vigr Edit /etc/group. This locks the file, and does some sanity checking on your changes before making them permanent. /etc/gshadow can be edited with vigr -s

Changes to group membership take place the next time you login.

Permission bits - an example

bash> ls -l /etc/shadow
-rw-r-----  1 root shadow  680 Nov  2 18:49 shadow

Each of these characters corresponds to the file type, or to the permissions for the user, group, and others.

The first '-' indicates that this is a regular file.

'rw-' indicates that the owner of the file (root) is able to read and write to the file. The '-' indicates that root is not allowed to run the file.

'r--' indicates that anyone who is a member of the group 'shadow' is able to read the file.

'---' indicates that anyone who is neither root nor a member of the group 'shadow' (i.e. 'others') is not able to read or write to the file.

Permissions

ls shows permissions as a 10 character string, for example -rw-r--r--. The characters can be interpreted as TUUUGGGOOO where:
T Type
UUU Rights for the owner of the file
GGG Rights for users in the group
OOO Rights for others, not listed above

T is one of:
- file
d directory
c character device
b block device
l symbolic link

Character and block devices are usually in /dev.

The permissions on a symbolic link are always lrwxrwxrwx. This means that anyone can see where the link points. Who can read, write, or execute the file (or directory or device) the link points to is determined by the permissions on that file, not the link.

Each of the permission triplets, UUU, GGG, and OOO, can consist of:
File permissions:
r allows reading
w allows writing
x allows execution (*)

Directory permissions:
r allows reading of files, size, etc
w allows creating and deleting of files (see also t below)
x allows access to files and directories below; taking away x stops access to the directory, its files, and all subdirectories
Commands
chmod g+r file Allow group to read
chmod u+w file Allow user to write
chmod a+x file Allow everyone (user, group, and other) to execute
chmod o-r file Disallow others to read
chmod ug+r file Allow user and group to read
chmod g+w,o-r file Allow group write, disallow other read
chmod u=rw file Set user permissions to read and write.

Octal numerical representation

Add up the values for the rights required.

r 4
w 2
x 1

For example: converting rwxr-x--- to octal:
7 = 4+2+1 = r + w + x
5 = 4+1 = r + x (not write)
0 = no rights
So rwxr-x--- is 750 in octal.

Octal values can be given to chmod, so chmod 750 file sets rwxr-x--- on file.
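As an added example (not part of the original talk), a small shell script that converts between the permission string ls prints and the octal mode chmod takes, in both directions; it goes beyond the rwxr-x--- example above by also handling the s and t characters that the set uid, set gid and sticky bit sections below describe.

```shell
# Convert between the permission string ls prints (UUUGGGOOO, optionally with the
# leading type character) and the octal mode chmod accepts. Besides r, w and x it
# understands s/S (set uid, set gid) and t/T (sticky), shown in place of the x.

# triplet_value "r-x" s S -> 5; $2/$3 are the special letters allowed in this triplet
triplet_value() {
  v=0
  case $1 in r??) v=4 ;; -??) ;; *) return 1 ;; esac
  case $1 in ?w?) v=$((v + 2)) ;; ?-?) ;; *) return 1 ;; esac
  case $1 in ??x|??$2) v=$((v + 1)) ;; ??-|??$3) ;; *) return 1 ;; esac
  echo "$v"
}

# perm_to_octal rwxr-x--- -> 750; -rwsr-xr-x -> 4755; drwxrwxrwt -> 1777
perm_to_octal() {
  p=$1
  [ ${#p} -eq 10 ] && p=${p#?}                   # drop the type character if present
  [ ${#p} -eq 9 ] || return 1
  u=${p%??????} o=${p#??????} g=${p#???}; g=${g%???}
  uv=$(triplet_value "$u" s S) && gv=$(triplet_value "$g" s S) &&
    ov=$(triplet_value "$o" t T) || return 1
  s=0                                            # set uid = 4, set gid = 2, sticky = 1
  case $u in ??[sS]) s=$((s + 4)) ;; esac
  case $g in ??[sS]) s=$((s + 2)) ;; esac
  case $o in ??[tT]) s=$((s + 1)) ;; esac
  if [ "$s" -ne 0 ]; then echo "$s$uv$gv$ov"; else echo "$uv$gv$ov"; fi
}

# octal_to_perm 750 -> rwxr-x---; 4755 -> rwsr-xr-x; 1777 -> rwxrwxrwt; 4644 -> rwSr--r--
octal_to_perm() {
  case $1 in *[!0-7]*|"") return 1 ;; esac       # octal digits only
  m=$((0$1)) out=""
  [ "$m" -le 4095 ] || return 1                  # at most 07777
  for pos in 6 3 0; do                           # owner, group, other triplets
    t=$(( (m >> pos) & 7 ))
    [ $((t & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((t & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    sp=$(( (m >> (9 + pos / 3)) & 1 ))           # set uid, set gid or sticky for this triplet
    [ "$pos" -eq 0 ] && l=t || l=s
    if [ "$sp" -eq 0 ]; then
      [ $((t & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    elif [ $((t & 1)) -ne 0 ]; then
      out="$out$l"                               # special bit plus execute: lower case
    else
      out="$out$(printf '%s' "$l" | tr st ST)"   # special bit without execute: upper case
    fi
  done
  echo "$out"
}
```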

Set uid and set gid on files

When run, Unix executables can use the effective rights of a different user or group. This is shown by an 's' in place of the 'x'. For example:

bash> ls -l /bin/su
-rwsr-xr-x  1 root   root    22904 Apr 27  2003 /bin/su

When su is run it runs with the same rights as the user root.

Any program which is suid or sgid must be written very carefully to make sure that it can not be abused by malicious users to do things they shouldn't.

Commands
chmod u+s file Set the suid bit
chmod u-s file Clear the suid bit
chmod g+s file Set the sgid bit
chmod g-s file Clear the sgid bit

Set uid and set gid on directories

Set gid on a directory means that all new files and directories created in that directory will have the same group as that directory.

When set gid is not set on a directory then the group used for new files and directories is the default group for that user.

Does anyone know what suid on a directory does?

The sticky bit - /tmp directory

Normally (without 't') any user who has write permission to a directory can delete any files in the directory regardless of who owns it, even if they can't read or write to the file.

With 't' set, only the owner of a file can delete it.

This is used on /tmp:

bash> ls -ld /tmp
drwxrwxrwt  8 root   root    4096 Nov  2 19:27 /tmp
Commands
chmod +t directory Set the sticky bit on a directory
chmod -t directory Remove the sticky bit from a directory

umask - default permissions

The logical not of your umask is used as the default permission for files or directories created by you.

A typical umask is 002; not(002) = 775 (in octal). 775 corresponds to rwxrwxr-x: the owner and group can read, write, and execute, while others can only read and execute, not write. Where the file isn't executable, rw-rw-r-- will be used.

Most Linux distributions will configure a group for every user, e.g. my username is kim, and there is also a group kim, of which I am the only member. The default mask is 0002, so by default all files I create are group writable, but this isn't a problem as I'm the only person in the group.

If you have a group of people (e.g. staff) who you would like to be able to write to a directory tree, then change the base directory group to staff, and chmod g+s. Assuming each user has a umask of 0002, then all files and directories created will be writable by everyone in the group.

Commands
umask display current umask
umask 002 set umask to 002
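The umask arithmetic above, worked through as an added shell example that is not part of the original talk: default_mode computes the mode a new file or directory gets, and observed_mode creates one under the given umask in a temporary directory and reads its mode back with stat (GNU stat -c is assumed, with BSD stat -f as the fallback) so the calculation can be checked against the system.

```shell
# The mode a newly created file or directory gets under a given umask: the program
# asks for 0666 (ordinary file) or 0777 (directory) and the kernel clears every bit
# that is set in the umask, i.e. mode = requested & ~umask.

# default_mode 002 file -> 664; default_mode 002 dir -> 775; default_mode 077 dir -> 700
default_mode() {
  case $1 in *[!0-7]*|"") return 1 ;; esac        # umask must be octal digits
  if [ "$2" = dir ]; then base=0777; else base=0666; fi
  printf '%03o\n' $(( base & ~0$1 ))
}

# observed_mode 002 file -> create a scratch file (or directory) under that umask in
# a temporary directory and read its mode back with stat, to compare the arithmetic
# above with what the kernel actually does. Tries GNU stat -c, then BSD stat -f.
observed_mode() {
  d=$(mktemp -d) || return 1
  ( umask "$1"; if [ "$2" = dir ]; then mkdir "$d/new"; else : > "$d/new"; fi ) || return 1
  mode=$(stat -c %a "$d/new" 2>/dev/null || stat -f %Lp "$d/new") || { rm -rf "$d"; return 1; }
  rm -rf "$d"
  printf '%03o\n' "0$mode"                        # normalise to at least three digits
}
```

With the shared staff directory described above (chmod g+s on the base directory, every member using umask 002) this gives 775 for new directories and 664 for new files.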

More information

For more information about any of the commands or files mentioned earlier see the appropriate man page. Note that most commands are in section 1 of the manual, while section 5 details file formats.

Commands
man 1 passwd View the man page for the passwd(1) command.
man 5 passwd View the man page for the passwd(5) file.
man -a passwd View all the man pages for passwd.
man chmod View the man page for the chmod(1) command.

This presentation is available from http://oldfield.wattle.id.au/luv/permissions.html