File and Directory Permissions
As I stated in the introduction to this chapter, file and directory permissions are the basics for providing security on a system. These, along with the authentication system, provide the basis for all security. Unfortunately, many people do not know what permissions on directories mean, or they assume that permissions mean the same thing they do on files. The following section describes the permissions on files; after that, the permissions on directories are described.
The permissions for files are split into three sections: the owner of the file, the group associated with the file, and everyone else (the world). Each section has its own set of file permissions, which provide the ability to read, write, and execute (or, of course, to deny the same). These permissions are called a file's filemode. Filemodes are set with the chmod command.
The object's permissions can be specified in two ways—the numeric coding system or the letter coding system. Using the letter coding system, the three sections are referred to as u for user, g for group, o for other, or a for all three. The three basic types of permissions are r for read, w for write, and x for execute. Combinations of r, w, and x with the three groups provide the permissions for files. In the following example, the owner of the file has read, write, and execute permissions, and everyone else has read access only:
$ ls -l test
-rwxr--r-- 1 dpitts users 22 Sep 15 00:49 test
The command ls -l tells the computer to give you a long (-l) listing (ls) of the file (test). The resulting line is shown in the second code line and tells you a number of things about the file. First, it tells you the permissions. Next, it tells you how many links the file has. It then tells you who owns the file (dpitts), what group is associated with the file (users), and the size of the file in bytes (22). Following the ownership and size section, the date and timestamp for the last time the file was modified is given. Finally, the name of the file is listed (test). The permissions are actually made up of four sections. The first section is a single character that identifies the type of object listed. Check Table 23.1 to determine the options for this field.
Table 23.1. Object Type Identifier
| Character | Object type |
|---|---|
| - | Regular file |
| b | Block special file |
| c | Character special file |
| d | Directory |
| l | Symbolic link |
Following the file type identifier are the three sets of permissions: rwx (owner), r-- (group), and r-- (other).
The permissions on a directory are the same as those used by files: read, write, and execute. The actual permissions, however, mean different things. For a directory, read access provides the capability to list the names of the files in the directory but does not allow the other attributes to be seen (owner, group, size, and so on). Write access provides the capability to alter the directory contents. This means the user could create and delete files in the directory. Finally, the execute access enables the user to make the directory the current directory.
Table 23.2 summarizes the differences between the permissions for a file and those for a directory.
Table 23.2. File Permissions Versus Directory Permissions
| Permission | File | Directory |
|---|---|---|
| r | View the contents | Search the contents |
| w | Alter file contents | Alter directory contents |
| x | Run executable file | Make it the current directory |
Combinations of these permissions also allow certain tasks. For example, I previously mentioned that it takes both read and execute permissions to execute a script. This is because the shell must first read the file to see what to do with it. (Remember that #! /local/bin/perl tells the shell to execute the /local/bin/perl executable, passing the rest of the file to the executable.) Other combinations allow certain functionality. Table 23.3 describes the combinations of permissions and what they mean, both for a file and for a directory.
Table 23.3. Comparison of File and Directory Permission Combinations
| Permissions | File | Directory |
|---|---|---|
| --- | Cannot do anything with it. | Cannot access it or any of its subdirectories. |
| r-- | Can see the contents. | Can see the contents. |
| rw- | Can see and alter the contents. | Can see and alter the contents. |
| rwx | Can see and change the contents, as well as execute the file. | Can list the contents, add or remove files, and make the directory the current directory (cd to it). |
| r-x | If a script, can execute it. Otherwise, provides read and execute permission. | Provides the capability to change to the directory and list its contents, but not to delete or add files to the directory. |
| --x | Can execute if a binary. | Users can execute a binary they already know about. |
As stated, the permissions can also be manipulated with a numeric coding system. The basic concept is the same as the letter coding system, and the resulting permissions look exactly alike; the difference is only in the way the permissions are written. The numeric system gives each permission a binary place value and adds the values together to get one number per section. Also, the find command can accept the permissions as an argument, using the -perm option. In that case, the permissions must be given in their numeric form.
With binary, you count from right to left. Therefore, if you look at a file, you can easily come up with its numeric coding system value. The following file has full permissions for the owner and read permissions for the group and the world:
$ ls -la test
-rwxr--r-- 1 dpitts users 22 Sep 15 00:49 test
This would be coded as 744. Table 23.4 explains how this number was achieved.
Table 23.4. Numeric Permissions
| Permission | Value |
|---|---|
| Read (r) | 4 |
| Write (w) | 2 |
| Execute (x) | 1 |
Permissions use an additive process; therefore, a person with read, write, and execute permissions to a file would have a 7 (4+2+1). Read and execute would have a value of 5. Remember, there are three sets of values, so each section would have its own value.
Table 23.5 shows both the numeric system and the character system for the permissions.
Table 23.5. Comparison of Numeric and Character Permissions
| Permission | Numeric | Character |
|---|---|---|
| None | 0 | --- |
| Execute only | 1 | --x |
| Write only | 2 | -w- |
| Write and execute | 3 | -wx |
| Read only | 4 | r-- |
| Read and write | 6 | rw- |
| Read and execute | 5 | r-x |
| Read, write, and execute | 7 | rwx |
Permissions can be changed by using the chmod command. With the numeric system, the chmod command must be given the value for all three fields. Therefore, to change a file to read, write, and execute by everyone, you would issue the following command:
$ chmod 777 filename
To perform the same task with the character system, you would issue the following command:
$ chmod a+rwx filename
Of course, more than one type of permission can be specified at one time. The following command adds write access for the owner of the file and adds read and execute access to the group and everyone else:
$ chmod u+w,og+rx filename
The advantage that the character system provides is that you do not have to know the previous permissions. You can selectively add or remove permissions without worrying about the rest. With the numeric system, each section of users must always be specified. Looking at the preceding example (chmod u+w,og+rx filename), an easier way might have been to use the numeric system and replace all those letters with three numbers: 755. The downside of the character system is apparent when complex changes are being made.
How suid and sgid Fit into This Picture
The special-purpose access modes suid and sgid add an extra character to the picture. Before examining what a file looks like with the special access modes, check Table 23.6 for the identifying characters for each of the modes and for a reminder of what they mean.
Table 23.6. Special-Purpose Access Modes
| Character | Mode | Meaning |
|---|---|---|
| s | suid | Sets process user ID on execution |
| s | sgid | Sets process group ID on execution |
suid and sgid are used on executables; therefore, the s character is placed where the x for the executable would normally go. The following file has suid set (the s replaces the owner's x):
$ ls -la test
-rwsr--r-- 1 dpitts users 22 Sep 15 00:49 test
The difference between setting the suid and setting the sgid is the placement of the character. The same file with sgid active would look like this (the s replaces the group's x):
$ ls -la test
-rwxr-sr-- 1 dpitts users 22 Sep 15 00:49 test
To set the suid with the character system, you execute the following command:
$ chmod u+s filename
To set the sgid with the character system, you execute the following command:
$ chmod g+s filename
To set the suid and the sgid using the numeric system, use these two commands:
$ chmod 2### filename
$ chmod 4### filename
In both instances, you replace ### with the rest of the values for the permissions; the leading 2 sets the sgid and the leading 4 sets the suid. The additive process is used to combine permissions; therefore, the following command adds both suid and sgid (4+2) to a file:
$ chmod 6### filename
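The two coding systems, the additive process, and the placement of the s character for suid and sgid can all be checked by translating between them mechanically. The following Python script is an added worked example written for this page; it is not code from the book. It converts an ls -l mode string such as -rwsr--r-- to its numeric value and back, applies character-system chmod expressions such as u+w,og+rx or g+s to an existing numeric mode, and (in ls_mode) prints the mode column for a real path by reading it with os.stat. The function names are my own, and the chmod model is deliberately simplified to the who letters u/g/o/a, the operators + - =, and the permission letters r/w/x/s.

```python
import os
import re
import stat

# One triad of the ls -l string maps to three bits: r=4, w=2, x=1 (Table 23.4).
_BIT = {"r": 4, "w": 2, "x": 1}
_SHIFT = {"u": 6, "g": 3, "o": 0}  # owner, group, other triads within a 9-bit mode
# Positions in the 9-character string where a special-mode letter may appear.
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def mode_string_to_octal(s):
    """'-rwsr--r--' -> 0o4744.  The leading type character is ignored.
    s/S in the owner slot is suid, in the group slot sgid; t/T in the other
    slot is the sticky bit.  Lowercase means the execute bit is also set."""
    if len(s) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    value = 0
    for i, ch in enumerate(s[1:]):
        shift = 6 - 3 * (i // 3)
        if ch == "-":
            continue
        if i in _SPECIAL and ch in ("sS" if i < 8 else "tT"):
            value |= _SPECIAL[i]
            if ch.islower():
                value |= 1 << shift
            continue
        if ch != "rwx"[i % 3]:
            raise ValueError(f"unexpected {ch!r} at position {i + 2}")
        value |= _BIT[ch] << shift
    return value


def octal_to_mode_string(value, is_dir=False):
    """Inverse: 0o2754 -> '-rwxr-sr--'."""
    out = ["d" if is_dir else "-"]
    for shift, special, letter in ((6, stat.S_ISUID, "s"),
                                   (3, stat.S_ISGID, "s"),
                                   (0, stat.S_ISVTX, "t")):
        bits = (value >> shift) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if value & special:
            out.append(letter if bits & 1 else letter.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def _bits(who, perm):
    """The bit(s) that permission letter `perm` means for user class `who`."""
    if perm == "s":
        # u+s is suid, g+s is sgid; o+s does nothing, as in chmod itself.
        return {"u": stat.S_ISUID, "g": stat.S_ISGID}.get(who, 0)
    return _BIT[perm] << _SHIFT[who]


def apply_symbolic(mode, expr):
    """Apply a character-system expression ('u+w,og+rx', 'g+s', 'o=r') to an
    existing numeric mode and return the new mode (simplified chmod model)."""
    for clause in expr.split(","):
        m = re.fullmatch(r"([ugoa]*)([-+=])([rwxs]*)", clause)
        if not m:
            raise ValueError(f"cannot parse {clause!r}")
        who, op, perms = m.groups()
        targets = "ugo" if (not who or "a" in who) else who
        bits = 0
        for w in targets:
            for p in perms:
                bits |= _bits(w, p)
        if op == "+":
            mode |= bits          # the additive process: just set the bits
        elif op == "-":
            mode &= ~bits
        else:                     # '=' replaces the named classes' bits entirely
            clear = 0
            for w in targets:
                clear |= (7 << _SHIFT[w]) | _bits(w, "s")
            mode = (mode & ~clear) | bits
    return mode


def ls_mode(path):
    """The mode column ls -l would print for a real path."""
    st = os.stat(path)
    return octal_to_mode_string(stat.S_IMODE(st.st_mode), stat.S_ISDIR(st.st_mode))


if __name__ == "__main__":
    # The chapter's examples: 744, then u+w,og+rx on it, then suid and sgid.
    m = mode_string_to_octal("-rwxr--r--")
    print(format(m, "o"), octal_to_mode_string(m))
    m = apply_symbolic(m, "u+w,og+rx")
    print(format(m, "o"), octal_to_mode_string(m))
    print(octal_to_mode_string(apply_symbolic(0o744, "u+s")))
    print(octal_to_mode_string(apply_symbolic(0o744, "g+s")))
    print(ls_mode("/tmp"))
```

Running apply_symbolic(0o744, "u+w,og+rx") returns 0o755, which is why the text can say the numeric form 755 would have done the same job for that file; starting from a different mode the two would not agree, which is the point of the paragraph on knowing the previous permissions. The uppercase S case matters in review: a file showing -rwSr--r-- has suid set without an execute bit, which is almost always a mistake in a chmod invocation rather than an intended state.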
The Default Mode for a File or Directory
The default mode for a file or directory is set with the umask, which uses the numeric system to define its value. To set the umask, you must first determine the value you want the files to have. For example, a common file permission set is 644, with which the owner has read and write permission and the rest of the world has read permission. After the value is determined, you subtract it from 777. Keeping the same example of 644, the value would be 133. This value is the umask value. Typically, this value is placed in a system file that is read when a user first logs on. After the value is set, all files created will set their permissions automatically, using this value.
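The subtraction in the previous paragraph gives the right answer for 644 because the kernel actually applies the umask as a bit mask: each bit set in the umask is cleared from the mode the creating program asks for. Programs normally ask for 666 when creating a regular file and 777 when creating a directory, so one umask produces two different results. The following Python script is an added example for this page, not code from the book; the function names are my own. It computes the umask for a wanted file mode the way the text does, shows what files and directories receive under a given umask, and then creates a real file and directory in a temporary directory to confirm the computed values against the running system.

```python
import os
import shutil
import stat
import tempfile


def resulting_modes(umask):
    """Modes the kernel gives a new file and a new directory under `umask`.
    A regular file is normally requested with 0o666 and a directory with
    0o777; the umask bits are cleared from each request."""
    return 0o666 & ~umask, 0o777 & ~umask


def umask_for_files(file_mode):
    """The chapter's recipe as a mask: the bits of 777 that must be cleared
    so that new files get `file_mode` (644 -> 133)."""
    return 0o777 & ~file_mode


def observe(umask):
    """Create a real file and directory under `umask` and read the modes back."""
    base = tempfile.mkdtemp()  # made before changing the umask so it stays usable
    old = os.umask(umask)
    try:
        fpath, dpath = os.path.join(base, "f"), os.path.join(base, "d")
        open(fpath, "w").close()
        os.mkdir(dpath)
        return (stat.S_IMODE(os.stat(fpath).st_mode),
                stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(old)
        shutil.rmtree(base)


if __name__ == "__main__":
    print("umask for 644 files:", format(umask_for_files(0o644), "03o"))
    for mask in (0o133, 0o022, 0o077):
        f, d = resulting_modes(mask)
        live = [format(x, "03o") for x in observe(mask)]
        print(f"umask {mask:03o}: files {f:03o}, directories {d:03o}, observed {live}")
```

With the chapter's value of 133, files come out 644 as intended, but directories also come out 644, and a directory without execute permission cannot be entered (Table 23.2). The conventional way to get 644 files is umask 022, which leaves directories at 755; a more restrictive 077 gives 600 files and 700 directories.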