File and Directory Security

Linux Tips by Burleson Consulting

Linux file security is simple in design, yet effective in controlling access to files and directories.

Directories, and the files stored in them, are arranged in a hierarchical tree structure.  Access can be controlled separately for files and for directories, which allows a flexible level of control.

This chapter will introduce Linux file and directory access permissions and show how those permissions can be manipulated to suit the system requirements.

File Security Model

In Linux, every file and every directory is owned by a single user on that system.  Each file and directory also has a group associated with it, and that group has its own set of access rights to the file or directory.  A user who is neither the owner nor a member of the file's group falls into the third category, other, and may still have certain rights to the file.

Each of the three file access categories, owner, group, and other, has a set of three access permissions associated with it.  The access permissions are read, write, and execute. 

A user may belong to more than one group.  If permissions are granted on a file or directory to any one of the user's groups, the user gets that level of access, no matter how many other groups they belong to.  One caveat: the three categories are checked in order and only the first match applies, so if the user is the file's owner the owner permissions are used, even when the group or other permissions would be more generous.  You can check what groups a user belongs to with the groups command.

$ groups tclark
tclark : authors users

The groups command takes one argument, the username you want to investigate, and prints that username followed by every group it belongs to.  In this output tclark belongs to the groups authors and users.

As covered earlier in the discussion of file and directory commands, the -l option of the ls command displays the permissions of each file and directory along with its owner and group, as demonstrated below:

File Permissions, Owner, & Group

$ ls -l
total 12
-rw-rw-r--    1 tclark   authors      2229 Jan 13 21:35 declaration.txt
-rw-rw-r--    1 tclark   authors      1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r--    1 tclark   authors       360 Jan 13 17:48 preamble.txt

The ls -l command is the best way to view file and directory ownership and permissions.  Now let's look at what each of these permissions does.

File Permissions

File permissions are represented by positions two through ten of the ls -l display (position one is the file type: - for a regular file, d for a directory).  The nine character positions consist of three groups of three characters.  Each three character group indicates read (r), write (w), and execute (x) permissions, with a - in place of any permission that is not granted.

The three groups indicate permissions for the owner, group, and other users respectively.

In the example above, both the owner and the group have read (r) and write (w) permissions for the file, while other users have only read (r) permission.

A file whose permissions display as rwxr-x--- grants read, write, and execute (rwx) to the owner, read and execute (r-x) to the group, and no permissions at all (---) to other users.

The alphabetic permission indicators are commonly assigned numeric values according to the scheme shown in Table 6.1 below:

Alpha   Numeric   Permission
-       0         No permission granted
x       1         Execute permission granted
w       2         Write permission granted
r       4         Read permission granted

Table 6.1: Alphabetic permission indicators and their common values

Then, each three character permission group can be assigned a number from zero to seven, calculated by adding together the numeric values of the individual permissions granted.  For example, if the owner has read, write, and execute permissions, the owner's permissions can be represented by the single digit 7 (4+2+1).  If the group has read and execute permissions, that can be represented by the single digit 5 (4+0+1).  If other users have no permissions, that can be represented by the single digit 0 (0+0+0).  These three numbers are then listed in the order owner, group, other, in this case 750, as a way to definitively describe the permissions on this file.

Here are some examples of typical file permissions and their appropriate numeric equivalent:

Alpha        Numeric   Permissions
rwxr-xr--    754       Owner has read, write, and execute.  Group has read and execute.  Others have read only.
rw-rw-r--    664       Owner has read and write.  Group has read and write.  Others have read only.
rwxr-xr-x    755       Owner has read, write, and execute.  Group has read and execute.  Others have read and execute.
rw-r-----    640       Owner has read and write.  Group has read only.  Others have no access.
r--------    400       Owner has read only.  Group has no access.  Others have no access.

Table 6.2: Alpha and numeric representations of file permissions

Later in this chapter we will learn how to change file permissions using numbers like these, but first we have to cover a little more background on permissions.
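Here is an added example, not from the book, that carries out the arithmetic above in shell: it converts a nine-character permission string to its octal form and back, and scans ls -l output for entries whose other category has write permission, which is the case a security review looks for first.  The function names and the sample listing are my own; the listing is constructed to resemble the ls -l output shown earlier.  The indicators for setuid, setgid and the sticky bit (s, t) are not covered in this chapter and are rejected by the converter.

```shell
#!/bin/sh
# Added example (not from "Easy Linux Commands"): symbolic <-> octal
# permission conversion and a world-writable scan of ls -l output.
# Function names and SAMPLE_LISTING are assumptions made for this example.

# sym_to_octal SYMBOLIC: print the three-digit octal value of a
# nine-character string such as rwxr-x--- (prints 750).
# Each triplet is scored r=4, w=2, x=1 and the three sums are joined in
# owner, group, other order.
sym_to_octal() {
    sym=$1
    case $sym in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "sym_to_octal: expected nine characters from r, w, x, -; got '$sym'" >&2
           return 1 ;;
    esac
    result=""
    rest=$sym
    while [ -n "$rest" ]; do
        triplet=${rest%"${rest#???}"}   # first three characters
        rest=${rest#???}                # and the remainder
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; esac
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# octal_to_sym OCTAL: the reverse mapping, 640 -> rw-r-----.
octal_to_sym() {
    oct=$1
    case $oct in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_sym: expected three octal digits; got '$oct'" >&2
           return 1 ;;
    esac
    out=""
    rest=$oct
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}           # first digit
        rest=${rest#?}
        case $d in 4|5|6|7) out="${out}r" ;; *) out="${out}-" ;; esac
        case $d in 2|3|6|7) out="${out}w" ;; *) out="${out}-" ;; esac
        case $d in 1|3|5|7) out="${out}x" ;; *) out="${out}-" ;; esac
    done
    printf '%s\n' "$out"
}

# world_writable_entries: read ls -l lines on stdin and print "name mode"
# for every entry whose "other" triplet contains w (character 9 of the
# mode column). The "total N" line never matches the pattern.
world_writable_entries() {
    while read -r mode links owner group size mon day time name; do
        case $mode in
            ????????w?) printf '%s %s\n' "$name" "$mode" ;;
        esac
    done
}

# Constructed sample listing in the style of the ls -l output above; two
# entries are deliberately world-writable.
SAMPLE_LISTING='total 12
-rw-rw-r--    1 tclark   authors      2229 Jan 13 21:35 declaration.txt
-rw-rw-rw-    1 tclark   authors      1310 Jan 13 17:48 gettysburg.txt
-rw-r-----    1 tclark   authors       360 Jan 13 17:48 preamble.txt
drwxrwxrwx    2 tclark   authors      4096 Jan 13 21:35 examples'

sym_to_octal rwxr-x---                  # 750
octal_to_sym 640                        # rw-r-----
printf '%s\n' "$SAMPLE_LISTING" | world_writable_entries
```

The scan is deliberately built on the mode column alone, so it works on saved ls -l output from another machine as well as on a live listing; piping ls -l through world_writable_entries is a quick first pass over a directory you have just been handed.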

There are some additional abbreviations that can be used with commands that manipulate permissions.  These abbreviations are:

* u: user (owner) permissions

* g: group permissions

* o: other permissions

These abbreviations can also be used to change permissions on files.  As we will see later, they will allow you to manipulate one level of the permissions (perhaps just the permissions granted to group) without changing the others.

First we'll look a little closer at manipulating the owner and group information of files and directories, then we'll get back to the permissions.

Change File Ownership

As stated earlier in this chapter, every file and directory in Linux has an owner and a group associated with it.  The need commonly arises for the user or group ownership of files or directories to be changed.  For example, if the user sally, in group finance, is responsible for a number of files and sally is transferred to the purchasing group, the ownership of those files might need to be changed to marge, the user who is taking sally's place in finance.  The chown command is used to change file or directory ownership.

As another example if a number of files that are currently accessed by the test group are ready for production and need to be changed to the prod group, the chgrp command can be used to give access to the prod group.

Actually, the chown command can be used to change both user and group ownership, while the chgrp command can only change group ownership; chown will be covered later in this chapter.  When either command is used, the system first checks that the user issuing it is allowed to make the change.  On Linux only root can give a file to another user, and an ordinary user can change the group of a file only if they own the file and are a member of the new group.  The examples in this section are therefore run as root (the # prompt).

Now we'll look at some examples of how to use the chown and chgrp commands.  We'll start with the chgrp command, then look at chown and then finally see how chown can be used to do the work of both!

Change Group Ownership

The chgrp command is used to change the group with which a file is associated.  The first argument is the group to which you want the file or directory to belong.  After that you can list a single file or directory, or several separated by spaces.  The chgrp command has no effect on the access granted to the group (the rw- in the middle of the three permission sets); it only changes who can use those permissions.

Using the chgrp Command on a File

# ls -l
total 12
-rw-rw-r--    1 tclark   authors      2229 Jan 13 21:35 declaration.txt
-rw-rw-r--    1 tclark   authors      1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r--    1 tclark   authors       360 Jan 13 17:48 preamble.txt
# chgrp presidents gettysburg.txt
# ls -l
total 12
-rw-rw-r--    1 tclark   authors      2229 Jan 13 21:35 declaration.txt
-rw-rw-r--    1 tclark   presidents     1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r--    1 tclark   authors       360 Jan 13 17:48 preamble.txt

The chgrp command works the same for directories as it does for files.  In the following example, the group ownership of the directory called examples will be changed.  Directories are identified by the letter d in the first column of the ls -l display.

Using the chgrp Command on a Directory

# ls -l
total 4
-rw-rw-r--    1 tclark   tclark          0 Jan 13 21:13 example1.fil
-rw-rw-r--    1 tclark   tclark          0 Jan 13 21:13 example2.xxx
drwxrwxr-x    2 tclark   tclark       4096 Jan 13 21:35 examples
# chgrp authors examples
# ls -l
total 4
-rw-rw-r--    1 tclark   tclark          0 Jan 13 21:13 example1.fil
-rw-rw-r--    1 tclark   tclark          0 Jan 13 21:13 example2.xxx
drwxrwxr-x    2 tclark   authors      4096 Jan 13 21:35 examples

You can change the group for multiple files and/or directories by using the -R (recursive) option for the chgrp command.  This is one of the few commands (we'll see two of the others shortly) which use an upper-case R for the recursive option.  When applied to a directory, the -R option applies the chgrp command to the directory and all of its subdirectories and files.  Care should be taken when using the -R option: it changes every entry beneath the directory, including any you did not have in mind, so it is worth listing what will be affected before running it.
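The following is an added example, not from the book, of the workflow a careful administrator follows before and after a group change: preview what chgrp -R would touch, apply the change, then confirm from ls -ld that only the group column moved and the permission bits are as they were.  It relies on the behaviour described above (chgrp leaves the permission bits alone) and on standard find, ls and awk; the function names and the demo tree are my own.  Run it with the argument demo to see it build and check a temporary tree; the demo targets the caller's own primary group, since that is the one change any unprivileged user is allowed to make.

```shell
#!/bin/sh
# Added example (not from "Easy Linux Commands"): preview, apply and verify
# a group ownership change. Function names and the demo tree are
# assumptions made for this example.

# mode_of FILE: the permission string from 'ls -ld', trimmed to ten
# characters so a trailing + (ACL) or . (security label) does not upset
# comparisons.
mode_of() {
    ls -ld -- "$1" | awk '{ print substr($1, 1, 10) }'
}

# group_of FILE: the group column (field 4) from 'ls -ld'.
group_of() {
    ls -ld -- "$1" | awk '{ print $4 }'
}

# preview_chgrp GROUP DIR: list every entry under DIR not already owned by
# GROUP. This is precisely the set 'chgrp -R GROUP DIR' would modify, so
# read it before reaching for -R.
preview_chgrp() {
    find "$2" ! -group "$1" -print
}

# chgrp_checked GROUP FILE: change FILE's group to GROUP and verify that
# the permission bits are unchanged and the group column now reads GROUP.
# Returns 1 on any failure (chgrp itself fails if GROUP does not exist or
# the caller is not allowed to assign it).
chgrp_checked() {
    before=$(mode_of "$2") || return 1
    chgrp -- "$1" "$2" || return 1
    after=$(mode_of "$2") || return 1
    if [ "$before" != "$after" ]; then
        echo "chgrp_checked: mode changed from $before to $after" >&2
        return 1
    fi
    [ "$(group_of "$2")" = "$1" ]
}

# demo: build a small tree in a temporary directory, preview, change the
# group of one file and then of the whole tree, and show the result.
demo() {
    target=$(id -gn)                   # the caller's primary group
    tree=$(mktemp -d) || return 1
    mkdir "$tree/examples"
    touch "$tree/gettysburg.txt" "$tree/examples/example1.fil"
    chmod 640 "$tree/gettysburg.txt"

    echo "Entries chgrp -R would change:"
    preview_chgrp "$target" "$tree"
    chgrp_checked "$target" "$tree/gettysburg.txt" && echo "single file: ok"
    chgrp -R -- "$target" "$tree" && echo "recursive: ok"
    ls -lR "$tree"
    rm -rf "$tree"
}

case ${1:-} in
    demo) demo ;;
esac
```

Because find's -group test fails outright when the group name is unknown, preview_chgrp doubles as a check that you have spelled the target group correctly before any file is touched.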

Next we'll look at changing the ownership of files.

This is an excerpt from "Easy Linux Commands" by Linux guru Jon Emmons.  You can purchase it for only $19.95 (30%-off) at this link.


 

 

Copyright © 1996 -  2017

All rights reserved by Burleson
