MANAGE FILE OWNERSHIP AND PERMISSIONS
Ownership
- chown
- chgrp
- files and folders
- chmod
- umask
- SUID (Set User ID)
- SGID (Set Group ID) &
- Sticky Bit
=======================================================================
OWNERSHIP:
-rwxr--r-- 1 student admin 4096 Aug 21 10:11 myfile.txt
Here the file named "myfile.txt" was created by user student and its group is admin. If we want to change the owner of this file, we use the chown command.
# chown root myfile.txt
Now check by listing;
# ls -l
-rwxr--r-- 1 root admin 4096 Aug 21 10:11 myfile.txt
Look, user "student" has changed to "root". Similarly, if we want to change the group of this file, we use the chgrp command.
# chgrp spower myfile.txt
Now check by listing;
# ls -l
-rwxr--r-- 1 root spower 4096 Aug 21 10:11 myfile.txt
Here you can see that the owner has changed from user "student" to "root" and the group has changed from "admin" to "spower".
root: For root, the default permission of a directory is 755 and of a file is 644.
normal user: For a normal user, the default permission of a directory is 775 and of a file is 664.
Full permission for everything is 777. So how are these default permissions set? They are derived from the umask value.
Default Permission = Full Permission - Umask Value
(For a new file the starting point is 666 rather than 777, because files are not created executable; that is why root's file default is 644 while its directory default is 755.)
For root the umask value is 0022 and for a normal user it is 0002. If we want to change the default permission, we must change the umask value in the file /etc/bashrc.
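As an added example (not from the original article), the script below shows how the umask produces the default modes quoted above, both by computing the mask and by creating a file and a directory under a given umask and reading back the modes the filesystem assigned. It assumes Linux with GNU coreutils (stat -c) and needs no root; the 027 value is a constructed example of a stricter mask.

```shell
#!/bin/sh
# Added example (not from the original article): how umask turns the base mode into
# the default mode of a new file or directory. Assumes Linux with GNU coreutils
# (stat -c); runs in a temporary directory and needs no root.

# What the kernel does: base mode AND NOT umask. "Full - umask" is only a mnemonic;
# for umask 027 on a new file, 666 - 027 would give 637, the real result is 640.
expected_mode() {
    # $1 = base mode (777 for a directory, 666 for a file), $2 = umask (e.g. 022)
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# Create a file and a directory under the given umask and report the modes the
# filesystem actually assigned, as "<file mode> <directory mode>".
observed_modes() {
    # $1 = umask to test
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" || exit 1
        umask "$1"          # changes only this subshell, not the caller's umask
        touch newfile
        mkdir newdir
        printf '%s %s\n' "$(stat -c %a newfile)" "$(stat -c %a newdir)"
    )
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Root's default (022), a normal user's default (002) and a stricter constructed value (027)
for u in 022 002 027; do
    printf 'umask %s: expected file %s dir %s, observed %s\n' "$u" \
        "$(expected_mode 666 "$u")" "$(expected_mode 777 "$u")" "$(observed_modes "$u")"
done
```

The two functions should agree for every umask. Note that the arithmetic is a bit mask, not a subtraction: each octal digit of the umask removes bits, so a digit can never go below zero, which is where the "Full - Umask" mnemonic breaks down for values like 027.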
chmod: Change File Mode Bits
We use chmod command to change permissions of a file or directory.
For Example;
drwxr-xr-x 1 root root 4096 Aug 21 10:11 mydir
user: rwx: 4+2+1 = 7
group: r-x: 4+0+1 = 5
other: r-x: 4+0+1 = 5
In this example the permission of mydir is 755. If we want to change it so that group members can only read this directory and others cannot do anything (neither read nor write nor execute), we use the chmod command to set permission 740.
user: rwx: 4+2+1 = 7
group: r--: 4+0+0 = 4
other: ---: 0+0+0 = 0
# chmod 740 mydir
# ls -l
drwxr----- 1 root root 4096 Aug 21 10:11 mydir
========================================================================
SPECIAL PERMISSION:
There are three kinds of special permission we can set:
- SUID
- SGID and
- Sticky Bit
1. SUID:
If the SUID bit is set on a file and a user executes it, the process has the same rights as the owner of the file being executed. Users sometimes say it stands for Super User ID, but it is actually Set User ID. We can set this bit on executable files. Some files can normally be executed only by root, but with the permission set by root a normal user can execute them too. This is really very dangerous, because the file then runs with root's rights for a user who does not have root access.
Implementation of SUID on file:
Method 1:
# chmod u+s tecadmin.txt
# ls -l tecadmin.txt
-rwsr-xr-x 1 root root 0 Mar 8 02:06 tecadmin.txt
Method 2 (octal; the leading 4 is the SUID bit):
# chmod 4655 tecadmin.txt
# ls -l tecadmin.txt
-rwSr-xr-x 1 root root 0 Mar 8 02:06 tecadmin.txt
Note the capital S here: the SUID bit is set, but 655 gives the owner no execute permission, so ls shows S instead of s and the bit has no effect until execute is added.
For example, every user can switch to another user because SUID is set on the /bin/su file:
[root@server1] # ll /bin/su
-rwsr-xr-x 1 root root 36440 Jan 14 2010 /bin/su
Here the s shows that SUID is enabled on this file; that is why every user can switch to another. If we remove this bit, no normal user can switch to another user (the root user, of course, still has full access).
[root@server1] # chmod u-s /bin/su
-rwxr-xr-x 1 root root 36440 Jan 14 2010 /bin/su
Now check switching as a normal user:
[student@server1] $ su - user1
Password: <type password of user1 and press enter>
su: incorrect password
========================================================================
2. SGID:
Same as SUID: the process will have the same group rights as the file being executed. If the SGID bit is set on a directory, all subdirectories and files created inside it get the same group ownership as the main directory, no matter who creates them.
Implementation of SGID on directory:
# chmod g+s /test/
# ls -ld /test
drwxrwsrwx 2 root root 4096 Mar 8 03:12 /test
Now switch to another user and create a file in the /test directory.
# su - tecadmin
$ cd /test/
$ touch tecadmin.net.txt
$ ls -l tecadmin.net.txt
-rw-rw-r-- 1 tecadmin root 0 Mar 8 03:13 tecadmin.net.txt
For example, we create a directory /data and also a group grp1, then change the directory's group owner from root to grp1. If we want every file or directory created in it in future to have the group ownership grp1, we set SGID, like;
# mkdir /data //to create /data directory
# ls -l /
drwxr-xr-x. 2 root root 4096 Aug 20 14:18 /data
# groupadd grp1 //to create a group
# chgrp grp1 /data //to change the group of /data to grp1
# ll -d /data
drwxr-xr-x. 2 root grp1 4096 Aug 20 14:18 /data
=> Now we set SGID and full permission for the group grp1
# chmod 2775 /data
drwxr-sr-x. 2 root grp1 4096 Aug 20 14:18 /data
# touch /data/file1.txt
# mkdir /data/newdir
# ll /data
drwxr-sr-x. 2 root g1 4096 Aug 20 14:28 newdir
-rw-r--r--. 1 root g1 0 Aug 20 14:28 file1.txt
========================================================================
Sticky Bit:
The sticky bit is used to indicate special permissions for files and directories. If the sticky bit is enabled on a directory, it restricts deletion of the files inside it: a file can be removed only by root, by the owner of the file or by whoever has write permission on it. This is useful for publicly accessible directories like /tmp.
Implementation of Sticky bit on file:
Method 1:
# chmod o+t tecadmin.txt
# ls -l tecadmin.txt
-rw-r--r-T 1 root root 0 Mar 8 02:06 tecadmin.txt
Method 2:
# chmod 1777 tecadmin.txt
# ls -l tecadmin.txt
-rwxrwxrwt 1 root root 0 Mar 8 02:06 tecadmin.txt
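The chmod section computes octal digits by hand from the rwx columns, and the SUID, SGID and sticky-bit listings above show the special bits as s, S, t or T in the same columns. The POSIX sh script below is an added example, not part of the original article: mode_to_octal turns a mode string from ls -l into the four-digit octal form chmod accepts, and risky_special_bits (a check worth running when auditing SUID/SGID files, since the SUID section calls them dangerous) flags a SUID or SGID file that group or others can write to. The sample mode strings are constructed from this article's listings plus one deliberately weak one.

```shell
#!/bin/sh
# Added example (not from the original article): convert the mode column of ls -l
# into the four-digit octal form chmod accepts, and flag the combination a defender
# looks for when auditing SUID/SGID files. Pure POSIX sh; the sample mode strings
# are constructed from the listings in this article.

# mode_to_octal "-rwsr-xr-x" -> 4755. The first digit holds the special bits:
# 4 = SUID, 2 = SGID, 1 = sticky. A capital S or T in the listing means the special
# bit is set but the matching execute bit is not.
mode_to_octal() {
    # keep only the nine permission characters; drops the type char and any
    # trailing "." or "+" that ls appends for SELinux labels or ACLs
    perms=$(printf '%s' "$1" | cut -c 2-10)
    special=0
    digits=''
    pos=1
    for who in u g o; do
        r=$(printf '%s' "$perms" | cut -c "$pos")
        w=$(printf '%s' "$perms" | cut -c "$((pos + 1))")
        x=$(printf '%s' "$perms" | cut -c "$((pos + 2))")
        v=0
        [ "$r" = r ] && v=$((v + 4))
        [ "$w" = w ] && v=$((v + 2))
        case "$x" in
            x|s|t) v=$((v + 1)) ;;      # lowercase: the execute bit is present
        esac
        case "$who$x" in
            us|uS) special=$((special + 4)) ;;
            gs|gS) special=$((special + 2)) ;;
            ot|oT) special=$((special + 1)) ;;
        esac
        digits="$digits$v"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# risky_special_bits "<mode string>" -> yes|no. A SUID or SGID file that group or
# others can write to lets those users replace the code that runs with the owner's
# (or group's) privileges. Directories are skipped: SGID on a directory only
# controls group inheritance, and a world-writable sticky directory is normal.
risky_special_bits() {
    case "$1" in
        d*) echo no; return 0 ;;
    esac
    oct=$(mode_to_octal "$1")
    special=$(printf '%s' "$oct" | cut -c 1)
    group=$(printf '%s' "$oct" | cut -c 3)
    other=$(printf '%s' "$oct" | cut -c 4)
    if [ $((special & 6)) -ne 0 ] && [ $(( (group | other) & 2 )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample: mode strings taken from the listings in this article, plus one
# deliberately weak one (a SUID file that is group-writable).
for m in -rwsr-xr-x -rwSr-xr-x drwxrwsrwx drwxr-sr-x. -rw-r--r-T drwxrwxrwt drwxr----- -rwsrwxr-x; do
    printf '%-12s %s  risky=%s\n' "$m" "$(mode_to_octal "$m")" "$(risky_special_bits "$m")"
done
```

The numeric forms the script prints are exactly what the corresponding chmod commands in this article used (4655 for -rwSr-xr-x, 1777 for drwxrwxrwt, 740 for drwxr-----), so it doubles as a check on hand calculations; the risky flag is the condition to look for in the output of a find for files with the SUID or SGID bit set.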
For example, there is a directory /data with full permission. Every user, including root, has some files in it. Because the directory has full permission, a normal user can also delete, move or update another user's files. To protect our files from other users we can use the sticky bit.
# mkdir /data
# chmod 777 /data
# touch /data/file{1,2}.txt
# su - student
$ touch /data/file{3,4}.txt
$ exit
# ls -l /data
This shows file1.txt and file2.txt created by user root and file3.txt and file4.txt created by user student. As the directory /data has full access, user student can delete root's file, like;
$ rm /data/file1.txt
rm: remove write-protected regular empty file '/data/file1.txt'? //here type y and press enter
=> To protect our files from other users we have to set the sticky bit
# chmod o+t /data
drwxrwxrwt 2 root root 4096 Mar 8 02:06 /data
Now delete root's file file2.txt as user student,
$ rm /data/file2.txt
rm: remove write-protected regular empty file '/data/file2.txt'? //here type y and press enter
rm: cannot remove '/data/file2.txt' : Operation not permitted
Now the user cannot delete, move or update root's files while the sticky bit is on. Hence your files are safe.
=====================================================================
Thanks for reading this article...