
Using Basic File Permissions

Uploaded by

fawom93636

Securing Files and Directories

• One of the important functions of a secure system is to limit access to authorized users
and prevent unauthorized users from accessing the files or directories.
• UNIX and Linux use two basic means to prevent unauthorized access to a system:
– To authenticate both a privileged user account and an unprivileged user account by
verifying that the username and password exist and have been correctly entered
– To protect file and directory access, the UNIX and Linux OSes assign a standard set
of access permissions at the time of file and directory creation. These permissions
are called an Access Control List (ACL).

File and Directory Permissions (ACL)

• All files and directories in UNIX and Linux have a default set of standard access
permissions.
• These access permissions control who can access which files, and provide a
fundamental level of security to the files and directories in a system.
• The standard set of access permissions is established by a user's umask settings. The
umask command is described in more detail later in this lesson.

Viewing Permission Categories

To view the permissions for files and directories, use the ls -l or ls -n commands.

$ ls -l dante
-rw-r--r-- 1 oracle 1319 Mar 15 11:23 dante

-     File type
rw-   User/Owner
r--   Group
r--   Other

r = Readable
w = Writeable
x = Executable
- = No permission

Permission Groups

• There are three permission groups:
– User (Owner) who owns the file or directory
– Group
– Other
• The table describes the permission groups and their scope:

Permission Group   Description
User/Owner (u)     Permissions used by the assigned user/owner of the file or directory
Group (g)          Permissions used by members of the group that owns the file or directory
Other (o)          Permissions used by all users other than the file owner, and members of the group that owns the file or the directory

Interpreting File and Directory Permissions

• Read (r)
– Access for a file: You can display file contents and copy the file.
– Access for a directory: You can list the directory contents with the ls command.
• Write (w)
– Access for a file: You can modify the file contents, but only if you also have read permissions.
– Access for a directory: You can modify the contents of a directory, by deleting (rm) a file. You must also have the execute permission for this to happen.
• Execute (x)
– Access for a file: You can execute the file if it is an executable. You can execute a shell script if you also have read and execute permissions.
– Access for a directory: You can use the cd command to access the directory. If you also have read access, you can run the ls -l command on the directory to list the contents. If you do not have read access, you can run the ls command as long as you know the file name.

Determining File or Directory Access Permissions

• The ls -l and ls -n commands display the ownership of files and directories and their
corresponding permissions.
• All files and directories have an associated username and a user identification number
(UID) and a group name and a group identification number (GID).
• To view the UIDs and GIDs, run the ls -n command on the /var/adm directory.

$ ls -n /var/adm
total 244
drwxrwxr-x 5 4 4 512 Nov 15 14:55 acct
-rw------- 1 5 2 0 Jun 7 12:28 aculog
drwxr-xr-x 2 4 4 512 Jun 7 12:28 exacct
-r--r--r-- 1 0 0 308056 Nov 19 14:35 lastlog
drwxr-xr-x 2 4 4 512 Jun 7 12:28 log
...(output truncated)

Interpreting the ls -n Command

• The ls -n command displays the UID and GID listing of file information.

$ ls -n
drwxrw-r-x 5 1000 10 512 Feb 22 14:51 dir1
-rw-rw-r-- 1 1000 10 0 Feb 22 14:51 file1

• The fields, from left to right, are:
– File type (e.g.: '-' for a regular file or 'd' for a directory)
– Permissions set
– Link count
– UID
– GID
– Size
– Last modification date and time
– File or directory name

r = readable
w = writable
x = executable
- = no permission

Changing Ownership on Files or Directories

• Every file and directory in UNIX and Linux is owned by somebody.
• The ls -l command shows the username and the group that owns the object.
• The ls -n command shows the UID and GID numbers corresponding to who owns the
object.
• There are two commands:
– The chown command can be used to change both username and group ownership.
– The chgrp command changes only group ownership.

Changing Both username and group Ownership

• The syntax for the chown command is:


$ chown [options] [newusername][:newgroup] filename

$ ls -l dante
-rw-r--r-- 1 student class 1319 Mar 15 11:23 dante
$ chown oracle:oracle dante
$ ls -l dante
-rw-r--r-- 1 oracle oracle 1319 Mar 15 11:23 dante

• You can change the ownership only for files and directories that you own. However, the
system administrator can change the ownership of any object.
• For more information about the chown command options, see the chown man pages.
Caution: If you change the username ownership of a file or directory, you have just given
that object away, and you cannot get it back without help from the system administrator.

Changing group Ownership

• The syntax for the chgrp command is:

$ chgrp [options] newgroup filename

• For more information about the chgrp command options, see the chgrp man pages.

Note: If you still own a file or directory, you can always change the group ownership.

Changing Permissions

• You can change the permissions on files and directories by using the chmod command.
• Either the user/owner of the file or directory, or the root user can use the chmod
command to change permissions.
• The chmod command can be used in either symbolic or octal mode.
– Symbolic mode uses a combination of letters and symbols to add or remove
permissions for each permission group.
– Octal mode, also called absolute mode, uses octal numbers to represent each
permission group.

Changing Permissions: Symbolic Mode

$ chmod symbolic_mode filename

The symbolic_mode has three parts: who, op, and permissions.

who:
u   User (Owner) Permissions
g   Group Permissions
o   Other Permissions
a   All Permissions (User, Group, & Other)

op:
+   Add Permissions
-   Remove Permissions
=   Assign Permissions Absolutely

permissions:
r   Read
w   Write
x   Execute

Changing Permissions: Symbolic Mode

• The syntax for the chmod command in symbolic mode is:

$ chmod [options] [symbolic_mode] filename

• The format of the symbolic_mode consists of three parts: [ugoa] [+-=] [rwx]
– The user category [ugoa]: User/owner, group, other, or all
– The function to be performed [+-=]: Add, remove or set equal
– The permissions affected [rwx]: Read, write, and execute, plus special file
permissions and sticky bit [st] (described in the next slide)
• If the option is g+x, the executable permission is added to the group permissions.
• For more information about the chmod command options, see the chmod man pages.
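
The difference between the three operators is easiest to see by applying each one to the same starting mode. The script below is an added example, not part of the original slides; the helper names perms_of and symbolic_result and the scratch file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: apply a symbolic mode to a scratch file and report the result.

# perms_of FILE -> the nine permission characters shown by ls -l (e.g. rw-r--r--)
perms_of() {
    ls -ld "$1" | cut -c2-10
}

# symbolic_result START SYMBOLIC
#   START    octal mode the scratch file begins with (constructed input)
#   SYMBOLIC symbolic mode to apply, in the [ugoa][+-=][rwx] form
symbolic_result() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" && chmod "$2" "$f" && perms_of "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# Each call starts from rw-r--r-- (644).
symbolic_result 644 g+x            # add:    rw-r-xr--
symbolic_result 644 o-r            # remove: rw-r-----
symbolic_result 644 a=r            # assign: r--r--r--
symbolic_result 644 u=rwx,g=rx,o=  # several clauses: rwxr-x---
```

Note that = replaces the whole set for the named group, so a=r also removes the owner's write permission, and o= with nothing after it clears every permission for other.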

Changing Permissions: Octal Mode

• The syntax for the chmod command in octal mode is:

$ chmod [octal_mode] filename

• The octal_mode option, sometimes called the absolute_mode, is built from three octal
numbers, 4, 2, and 1, that are combined (summed) to give the permissions, from 0–7,
for the file or directory.

Octal Value   Permission
4             Read
2             Write
1             Execute

Changing Permissions: Octal Mode

Octal Value   Permission                  Binary
7             rwx                         111 (4+2+1)
6             rw-                         110 (4+2+0)
5             r-x                         101 (4+0+1)
4             r--                         100 (4+0+0)
3             -wx (see the notes page)    011 (0+2+1)
2             -w- (see the notes page)    010 (0+2+0)
1             --x (see the notes page)    001 (0+0+1)
0             ---                         000 (0+0+0)

Changing Permissions: Octal Mode

• You can modify the permissions for each category of users by combining the octal
numbers.
• The first set of octal numbers defines user/owner permissions, the second set defines
group permissions, and the third set defines other permissions.

Octal Mode   Permissions
640          rw-r-----
644          rw-r--r--
750          rwxr-x---
751          rwxr-x--x (see the notes page)
755          rwxr-xr-x
777          rwxrwxrwx

Changing Permissions: Octal Mode

• Set permissions so that the owner, group, and other have read and execute access only.

$ chmod 555 dante
$ ls -l dante
-r-xr-xr-x 1 oracle oracle 1319 Jan 22 14:51 dante

• The chmod command fills in any missing octal digits to the left with zeros.
$ chmod 44 dante
$ ls -l dante
----r--r-- 1 oracle oracle 1319 Jan 22 14:51 dante

Note: chmod 44 dante becomes chmod 044 dante.
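
The 4/2/1 sums and the left zero-fill can be checked mechanically. The script below is an added example, not part of the original slides: it computes the permission string for a one- to three-digit octal mode and compares it with what chmod actually sets on a scratch file. The function names digit_to_rwx, octal_to_symbolic and chmod_result are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: octal mode -> permission string, checked against chmod.

# digit_to_rwx D -> rwx triplet for one octal digit (4=read, 2=write, 1=execute)
digit_to_rwx() {
    r=-; w=-; x=-
    [ $(($1 & 4)) -ne 0 ] && r=r
    [ $(($1 & 2)) -ne 0 ] && w=w
    [ $(($1 & 1)) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_symbolic MODE -> nine permission characters for user, group, other
octal_to_symbolic() {
    case $1 in
        ''|*[!0-7]*) echo "not an octal mode: $1" >&2; return 1 ;;
    esac
    [ ${#1} -le 3 ] || { echo "expected 1 to 3 digits: $1" >&2; return 1; }
    m=$1
    # Missing digits are filled in on the left with zeros (44 -> 044).
    while [ ${#m} -lt 3 ]; do m="0$m"; done
    u=${m%??}; rest=${m#?}; g=${rest%?}; o=${m#??}
    printf '%s%s%s\n' "$(digit_to_rwx "$u")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$o")"
}

# chmod_result MODE -> what ls -l shows after chmod MODE on a scratch file
chmod_result() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" && ls -ld "$f" | cut -c2-10
    rc=$?
    rm -f "$f"
    return $rc
}

# Modes taken from the tables and examples above: computed value, then actual.
for mode in 640 644 750 751 755 777 555 44; do
    printf '%-4s %s %s\n' "$mode" "$(octal_to_symbolic "$mode")" "$(chmod_result "$mode")"
done
```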
