Working with Permissions
Under Linux (and UNIX), everything in the file system, including directories and devices, is a file. And every file on your system has an accompanying set of permissions based on ownership. These permissions provide data security by giving specific permission settings to every single item denoting who may read, write, and/or execute the file. These permissions are set individually for the file’s owner, for members of the group the file belongs to, and for all others on the system.
You can examine the default permissions for a file you create by using the umask command, which lists default permissions using the number system explained next, or by using the touch command and then the ls command’s long-format listing like this:
matthew@seymour:~$ touch file matthew@seymour:~$ ls -l file -rw-r--r-- 1 matthew matthew 0 2010-06-30 13:06 file
In this example, the touch command is used to quickly create a file. The ls command then reports on the file, displaying the following (from left to right):
- The type of file created—Common indicators of the type of file are in the leading letter in the output. A blank (which is represented by a dash, as in the preceding example) designates a plain file, d designates a directory, c designates a character device (such as /dev/ttyS0), and b is used for a block device (such as /dev/sda).
- Permissions—Read, write, and execute permissions for the owner, group, and all others on the system. (You learn more about these permissions later in this section.)
- Number of links to the file—The number one (1) designates that there is only one file, whereas any other number indicates that there might be one or more hard-linked files. Links are created with the ln command. A hard-linked file is an exact copy of the file, but it might be located elsewhere on the system. Symbolic links of directories can also be created, but only the root operator can create a hard link of a directory.
- The owner—The account that owns the file; this is originally the file creator, but you can change this designation using the chown command.
- The group—The group of users allowed to access the file; this is originally the file creator’s main group, but you can change this designation using the chgrp command.
- File size and creation/modification date—The last two elements indicate the size of the file in bytes and the date the file was created or last modified.
Assigning Permissions
Under Linux, permissions are grouped by owner, group, and others, with read, write, and execute permission assigned to each, like so:
Owner Group Others rwx rwx rxw
Permissions can be indicated by mnemonic or octal characters. Mnemonic characters are
- r indicates permission for an owner, member of the owner’s group, or others to open and read the file.
- w indicates permission for an owner, member of the owner’s group, or others to open and write to the file.
- x indicates permission for an owner, member of the owner’s group, or others to execute the file (or read a directory).
In the previous example for the file named file, the owner, matthew, has read and write permission. Any member of the group named matthew may only read the file. All other users may only read the file. Also note that default permissions for files created by the root operator (while using sudo or a root account) will be different because of umask settings assigned by the shell.
Many users prefer to use numeric codes, based on octal (base 8) values, to represent permissions. Here’s what these values mean:
- 4 indicates read permission.
- 2 indicates write permission.
- 1 indicates execute permission.
In octal notation, the previous example file has a permission setting of 664 (read + write or 4 + 2, read + write or 4 + 2, read-only or 4). Although you can use either form of permissions notation, octal is easy to use quickly after you visualize and understand how permissions are numbered.
Directory Permissions
Directories are also files under Linux. For example, again use the ls command to show permissions like this:
matthew@seymour:~$ mkdir directory matthew@seymour:~$ ls -ld directory drwxr-xr-x 2 matthew matthew 4096 2010-06-30 13:23 directory
In this example, the mkdir command is used to create a directory. The ls command and its -ld option is used to show the permissions and other information about the directory (not its contents). Here you can see that the directory has permission values of 755 (read + write + execute or 4 + 2 + 1, read + execute or 4 + 1, and read + execute or 4 + 1).
This shows that the owner can read and write to the directory and, because of execute permission, also list the directory’s contents. Group members and all other users can list only the directory contents. Note that directories require execute permission for anyone to be able to view their contents.
You should also notice that the ls command’s output shows a leading d in the permissions field. This letter specifies that this file is a directory; normal files have a blank field in its place. Other files, such as those specifying a block or character device, have a different letter.
For example, if you examine the device file for a Linux serial port, you will see:
matthew@seymour:~$ ls -l /dev/ttyS0 crw-rw---- 1 root dialout 4, 64 2010-06-30 08:13 /dev/ttyS0
Here, /dev/ttyS0 is a character device (such as a serial communications port and designated by a c) owned by root and available to anyone in the dialout group. The device has permissions of 660 (read + write, read + write, no permission).
On the other hand, if you examine the device file for an IDE hard drive, you see:
matthew@seymour:~$ ls -l /dev/sda brw-rw-- -- 1 root disk 8, 0 2010-06-30 08:13 /dev/sda
In this example, b designates a block device (a device that transfers and caches data in blocks) with similar permissions. Other device entries you will run across on your Linux system include symbolic links, designated by s.
Altering File Permissions with chmod
You can use the chmod command to alter a file’s permissions. This command uses various forms of command syntax, including octal or a mnemonic form (such as u, g, o, or a and rwx, and so on) to specify a desired change. The chmod command can be used to add, remove, or modify file or directory permissions to protect, hide, or open up access to a file by other users (except for the root account or a user with super-user permission and using sudo, either of which can access any file or directory on a Linux system).
The mnemonic forms of chmod’s options are (when used with a plus character, +, to add, or a minus sign, -, to remove):
- u—Adds or removes user (owner) read, write, or execute permission
- g—Adds or removes group read, write, or execute permission
- o—Adds or removes read, write, or execute permission for others not in a file’s group
- a—Adds or removes read, write, or execute permission for all users
- r—Adds or removes read permission
- w—Adds or removes write permission
- x—Adds or removes execution permission
For example, if you create a file, such as a readme.txt, the file will have default permissions (set by the umask setting in /etc/bashrc) of
-rw-r--r-- 1 matthew matthew 0 2010-06-30 13:33 readme.txt
As you can see, you can read and write the file. Anyone else can only read the file (and only if it is outside your home directory, which will have read, write, and execute permission set only for you, the owner). You can remove all write permission for anyone by using chmod, the minus sign, and aw like so:
matthew@seymour:~$ chmod a-w readme.txt matthew@seymour:~$ ls -l readme.txt -r--r--r-- 1 matthew matthew 0 2010-06-30 13:33 readme.txt
Now, no one can write to the file (except you, if the file is in your home or /tmp directory because of directory permissions). To restore read and write permission for only you as the owner, use the plus sign and the u and rw options like so:
matthew@seymour:~$ chmod u+rw readme.txt matthew@seymour:~$ ls -l readme.txt -rw-r--r-- 1 matthew matthew 0 2010-06-30 13:33 readme.txt
You can also use the octal form of the chmod command, for example, to modify a file’s permissions so that only you, the owner, can read and write a file. Use the chmod command and a file permission of 600, like this:
matthew@seymour:~$ chmod 600 readme.txt matthew@seymour:~$ ls -l readme.txt -rw------- 1 matthew matthew 0 2010-06-30 13:33 readme.txt
If you take away execution permission for a directory, files might be hidden inside and may not be listed or accessed by anyone else (except the root operator, of course, who has access to any file on your system). By using various combinations of permission settings, you can quickly and easily set up a more secure environment, even as a normal user in your home directory.
File Permissions with chgrp
You can use the chgrp command to change the group to which a file belongs.
matthew@seymour:~$ chgrp wheel filename
Changing File Permissions with chown
You can use the chown command to change the owner of a file.
matthew@seymour:~$ chown matthew filename
You can also use the chown command to change the group of a file at the same time.
matthew@seymour:~$ chown matthew:wheel filename
Understanding Set User ID and Set Group ID Permissions
Two more types of permission are “set user ID”, known as suid, and “set group ID,” or sgid, permissions. These settings, when used in a program, enable any user running that program to have program owner or group owner permissions for that program. These settings enable the program to be run effectively by anyone, without requiring that each user’s permissions be altered to include specific permissions for that program.
One commonly used program with suid permissions is the passwd command:
matthew@seymour:~$ ls -l /usr/bin/passwd -rwsr-xr-x 1 root root 42856 2010-01-26 10:09 /usr/bin/passwd
This setting allows normal users to execute the command (as root) to make changes to a root-only accessible file, /etc/passwd.
You also can assign similar permission with the chfn command. This command allows users to update or change finger information in /etc/passwd. You accomplish this permission modification by using a leading 4 (or the mnemonic s) in front of the three octal values.
Files or programs that have suid or guid permissions can sometimes present security holes because they bypass normal permissions. This problem is compounded if the permission extends to an executable binary (a command) with an inherent security flaw because it could lead to any system user or intruder gaining root access. In past exploits, this typically happened when a user fed a vulnerable command with unexpected input (such as a long pathname or option); the command would fail, and the user would be presented a root prompt. Although Linux developers are constantly on the lookout for poor programming practices, new exploits are found all the time, and can crop up unexpectedly, especially in newer software packages that haven’t had the benefit of peer developer review.
Savvy Linux system administrators keep the number of suid or guid files present on a system to a minimum. The find command can be used to display all such files on your system:
matthew@seymour:~$ sudo find / -type f -perm /6000 -exec ls -l {} \;
Note that the programs do not necessarily have to be removed from your system. If your users really do not need to use the program, you can remove the programs execute permission for anyone. You have to decide, as the root operator, whether your users are allowed, for example, to mount and unmount CD-ROMs or other media on your system. Although Linux-based operating systems can be set up to accommodate ease of use and convenience, allowing programs such as mount to be suid might not be the best security policy. Other candidates for suid permission change could include the chsh, at, or chage commands.Working with Files
Managing files in your home directory involves using one or more easily remembered commands.
Creating a File with touch
To create an empty file called filename within your current directory:
matthew@seymour:~$ touch filename
To edit this file, you will need to use a text editor. Several are discussed in Chapter 11. However, it is sometimes useful to create an empty file as this creates an access record because of the time and date information that is connected to the file. You can also use touch to update this information, called a timestamp, without otherwise accessing or modifying a file.
You can create a file in a different location by changing what is after touch. To create a new file in /home/matthew/randomdirectory, if I was already in my home directory, I could use:
matthew@seymour:~$ touch randomdirectory/newfile
or from anywhere using an absolute path:
matthew@seymour:~$ touch /home/matthew/randomdirectory/newfile
or from anywhere using a path shortcut:
matthew@seymour:~$ touch ~/randomdirectory/newfile
Creating a Directory with mkdir
To create an empty directory called newdirectory within your current directory:
matthew@seymour:~$ mkdir newdirectory
You can create a directory in a different location by changing what is after mkdir. To create a new directory in /home/matthew/music, if I was already in my home directory, I could use:
matthew@seymour:~$ mkdir music/newdirectory
or from anywhere using an absolute path:
matthew@seymour:~$ mkdir /home/matthew/music/newdirectory
or from anywhere using a path shortcut:
matthew@seymour:~$ mkdir ~/music/newdirectory
Deleting a Directory with rmdir
To delete an empty directory named directoryname:
matthew@seymour:~$ rmdir directoryname
You can remove a directory in a different location by changing what is after rmdir. To remove a directory in /home/matthew/music, if I was already in my home directory, I could use:
matthew@seymour:~$ rmdir music/directoryname
or from anywhere using an absolute path:
matthew@seymour:~$ rmdir /home/matthew/music/directoryname
or from anywhere using a path shortcut:
matthew@seymour:~$ rmdir ~/music/directoryname
The directory must be empty to be removed using rmdir. However, there is a way to remove a directory with its contents using rm.
Deleting a File or Directory with rm
To delete a file named filename:
matthew@seymour:~$ rm filename
You can remove a directory in a different location by changing what is after rm. To remove a directory in /home/matthew/randomdirectory, if I was already in my home directory, I could use:
matthew@seymour:~$ rm randomdirectory/filename
or from anywhere using an absolute path:
matthew@seymour:~$ rm /home/matthew/randomdirectory/filename
or from anywhere using a path shortcut:
matthew@seymour:~$ rm ~/randomdirectory/filename
If you try to use rm to remove an empty directory, you will receive an error message: rm: cannot remove `random/': Is a directory. In this case, you must use rmdir. However, you can remove a directory end its contents using rm.
Moving or Renaming a File with mv
In Linux land, moving and renaming a file are the same thing. It doesn't matter whether you are moving the directory to another or from one filename to another filename in the same directory, there is only one command to remember. To move a file named filename from ~/documents to ~/archive:
matthew@seymour:~$ mv documents/filename archive
Notice that the filename is not included in the destination. The destination here must be an existing directory. If it is not, the file will be renamed to the term used. Some examples will make this clear.
To rename a file that is in my current directory I could use:
matthew@seymour:~$ mv oldfilename newfilename
To rename a file as I move it from ~/documents to ~/archive:
matthew@seymour:~$ mv documents/oldfilename archive/newfilename
or from anywhere using an absolute path:
matthew@seymour:~$ mv /home/matthew/documents/oldfilename /home/matthew/archive/newfilename
or from anywhere using a path shortcut:
matthew@seymour:~$ rm ~/documents/oldfilename ~/archive/newfilename
Copying a File with cp
Copying works similarly to moving, but retains the original in the original location. To copy a file named filename from ~/documents to ~/archive:
matthew@seymour:~$ cp documents/filename archive
Notice that the filename is not included in the destination. The destination here must be an existing directory. If it is not, the file will be renamed to the term used. Some examples will make this clear.
To copy a file that is in my current directory I could use, and it will work exactly the same as mv, except that both files will exist afterward:
matthew@seymour:~$ cp oldfilename newfilename
To rename a file as I copy it from ~/documents to ~/archive:
matthew@seymour:~$ cp documents/oldfilename archive/newfilename
or from anywhere using an absolute path:
matthew@seymour:~$ cp /home/matthew/documents/oldfilename /home/matthew/archive/newfilename
or from anywhere using a path shortcut:
matthew@seymour:~$ cp ~/documents/oldfilename ~/archive/newfilename
Displaying the Contents of a File with cat
To view the contents of a text file named filename on your screen:
matthew@seymour:~$ cat filename
Notice that the text is displayed on your screen, but that you can not edit or work with the text in any way. This command is convenient when you want to know the contents of a file, but don't need to make any changes. Text editors for the terminal are covered in Chapter 11. This command works best with short files because the contents of longer files will scroll off of the screen too quickly to be read.
Displaying the Contents of a File with less
When you need to view the contents of a longer text file from the command line, you can use less. This produces a paged output, meaning that output will stop each time your screen is full. You can then use your up and down arrow keys and page up and page down keys to scroll through the contents of the file. Then, use q to quit and return to the command line.
matthew@seymour:~$ less filename
There was a program that did gave paged output in the early days of UNIX called more. It was the first paged output program, but did not include the ability to scroll up and down. less was written to add that capability and was named as a bit of hacker humor, because “ less is more.” You can also use more, but today it is merely an alias for less.
Using Wildcards and Regular ExpressionsEach of these commands can be used with pattern-matching strings known as wildcards or regular expressions. For example, to delete all files in the current directory beginning with the letters abc, you can use an expression beginning with the first three letters of the desired filenames. An asterisk (*) is then appended to match all these files. Use a command line with the rm command like this:
matthew@seymour:~$ rm abc*
Linux shells recognize many types of file naming wildcards, but this is different from the capabilities of Linux commands supporting the use of more complex expressions. You learn more about using wildcards in in Chapter 11, “Command Line Masterclass,” and in Chapter 13, “Automating Tasks.”