File and Directory Security
Linux Tips by Burleson Consulting
Linux file security is quite simplistic in design, yet
quite effective in controlling access to files and directories.
Directories and the files which are stored in them are
arranged in a hierarchical tree structure. Access can be controlled for both
the files and the directories allowing a very flexible level of access.
This chapter will introduce Linux file and directory
access permissions and show how those permissions can be manipulated to suit the
system requirements.
File Security Model
In Linux, every file and every directory is owned by a
single user on that system. Each file and directory also has a security group
associated with it that has access rights to the file or directory. If a user
is neither the owner of the directory or file nor a member of its security
group, that user is classified as other and may still have certain rights to
access the file.
Each of the three file access categories, owner, group,
and other, has a set of three access permissions associated with it. The access
permissions are read, write, and execute.
A user may belong to more than one group. Regardless of
how many groups a user belongs to, if permissions are granted on a file or
directory to one of the user's groups, they will have the granted level of
access. You can check what groups a user belongs to with the groups command.
$ groups tclark
tclark : authors users
The groups command is called with one argument, the
username you want to investigate. As you can see above, the output
lists the username and all the groups they belong to. In this output tclark
belongs to the groups authors and users.
From the information previously presented about file and
directory commands, using the -l option with the ls command will display the
file and directory permissions as well as the owner and group as demonstrated
below:
File Permissions, Owner, & Group
$ ls -l
total 12
-rw-rw-r-- 1 tclark authors 2229 Jan 13 21:35 declaration.txt
-rw-rw-r-- 1 tclark authors 1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r-- 1 tclark authors  360 Jan 13 17:48 preamble.txt
The ls -l command is the best way to view file and
directory ownership and permissions. Now let's look at what each of these
permissions does.
File Permissions
File permissions are represented by positions two
through ten of the ls -l display. The nine character positions consist of three
groups of three characters. Each three character group indicates read (r),
write (w), and execute (x) permissions.
The three groups indicate permissions for the owner,
group, and other users respectively.
In the example above, both the owner and the group have
read (r) and write (w) permissions for the file, while other users have only
read (r) permission.
The example below indicates read, write, and execute (rwx)
permissions for the owner, read and execute (r-x) permissions for the group, and
no permissions for other users (---).
The alphabetic permission indicators are commonly
assigned numeric values according to the scheme shown in Table 6.1 below:
Alpha   Numeric   Permission
-       0         No permission granted
x       1         Execute permission granted
w       2         Write permission granted
r       4         Read permission granted
Table 6.1: Alphabetic permission indicators and their common values
Then, each three character permission group can be
assigned a number from zero to seven calculated by adding together the three
individual numeric permissions granted. For example, if the owner has read,
write, and execute permissions, the owner's permissions can be represented by
the single digit 7 (4+2+1). If the group has read and execute permissions, that
can be represented by the single digit 5 (4+0+1). If other users have no
permissions, that can be represented by the single digit 0 (0+0+0). These three
numbers would then be listed in the order of owner, group, other, in this case
750 as a way to definitively describe the permissions on this file.
Here are some examples of typical file permissions and
their appropriate numeric equivalent:
Alpha       Numeric   Permissions
rwxr-xr--   754       Owner has read, write, and execute. Group has read and execute. Others have read only.
rw-rw-r--   664       Owner has read and write. Group has read and write. Others have read only.
rwxr-xr-x   755       Owner has read, write, and execute. Group has read and execute. Others have read and execute.
rw-r-----   640       Owner has read and write. Group has read only. Others have no access.
r--------   400       Owner has read only. Group has no access. Others have no access.
Table 6.2: Alpha and numeric representations of file permissions
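The arithmetic behind Table 6.1 and Table 6.2 is easy to get wrong by hand, so here is an added example (not code from the book) that converts between the nine-character string shown by ls -l and the three octal digits, in both directions, and reads the mode of a real file from positions two through ten of ls -ld exactly as the chapter describes. The function names perm_to_octal, octal_to_perm and file_mode_octal are this example's own, and the scratch file at the end is constructed so the script runs as-is.

```shell
#!/bin/sh
# Added example, not from the book: convert between the nine-character
# permission string shown by ls -l and the octal number built from the
# values in Table 6.1 (r=4, w=2, x=1), then apply that to a real file.

# Reject anything that is not exactly nine characters drawn from r, w, x and -.
valid_perm_string() {
    case $1 in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) return 0 ;;
        *) return 1 ;;
    esac
}

# perm_to_octal rwxr-x---  ->  750
perm_to_octal() {
    perms=$1
    valid_perm_string "$perms" || { echo "bad permission string: $perms" >&2; return 1; }
    result=""
    # Walk the string three characters at a time: owner, group, other.
    for triplet in "$(printf '%s' "$perms" | cut -c1-3)" \
                   "$(printf '%s' "$perms" | cut -c4-6)" \
                   "$(printf '%s' "$perms" | cut -c7-9)"; do
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac   # read    = 4
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac   # write   = 2
        case $triplet in ??x) digit=$((digit + 1)) ;; esac   # execute = 1
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# octal_to_perm 640  ->  rw-r-----
octal_to_perm() {
    octal=$1
    case $octal in
        [0-7][0-7][0-7]) ;;
        *) echo "bad octal mode: $octal" >&2; return 1 ;;
    esac
    result=""
    for digit in "$(printf '%s' "$octal" | cut -c1)" \
                 "$(printf '%s' "$octal" | cut -c2)" \
                 "$(printf '%s' "$octal" | cut -c3)"; do
        bits=""
        if [ $((digit & 4)) -ne 0 ]; then bits="${bits}r"; else bits="${bits}-"; fi
        if [ $((digit & 2)) -ne 0 ]; then bits="${bits}w"; else bits="${bits}-"; fi
        if [ $((digit & 1)) -ne 0 ]; then bits="${bits}x"; else bits="${bits}-"; fi
        result="$result$bits"
    done
    printf '%s\n' "$result"
}

# file_mode_octal PATH  ->  octal mode of an existing file, taken from
# positions two through ten of ls -ld (the nine permission characters).
file_mode_octal() {
    perm_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# Demonstration on a constructed scratch file so the script runs stand-alone.
scratch=$(mktemp)
chmod 640 "$scratch"
echo "$scratch: $(ls -ld "$scratch" | cut -c2-10) = $(file_mode_octal "$scratch")"
rm -f "$scratch"
```

The validation step matters: a ten-character string such as rwxr-x-r-x is rejected rather than silently truncated, which is the kind of slip that turns an intended 755 into something else when the value is later fed to a permission-changing command.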
Later in this chapter we will learn how to change file
permissions using numbers like these, but first we have to cover a little more
background on permissions.
There are some additional abbreviations that can be used
with commands that manipulate permissions. These abbreviations are:
* u: user owner's permissions
* g: group's permissions
* o: other's permissions
These abbreviations can also be used to change
permissions on files. As we will see later, they will allow you to manipulate
one level of the permissions (perhaps just the permissions granted to group)
without changing the others.
First we'll look a little closer at manipulating the
owner and group information of files and directories, then we'll get back to the
permissions.
Change File Ownership
As stated earlier in this chapter every file and
directory in Linux has an owner and a group associated with it. The need
commonly arises where the user or group ownership for files or directories needs
to be changed. For example, if the user sally, in group finance, is responsible
for a number of files and Sally gets transferred to the purchasing group, the
ownership of the files might need to be changed to Marge because Marge is the
user who is taking Sally's place in finance. The chown command is used to
change file or directory ownership.
As another example if a number of files that are
currently accessed by the test group are ready for production and need to be
changed to the prod group, the chgrp command can be used to give access to the
prod group.
Actually the chown command can be used to change both
user and group ownership, while the chgrp command can only be used to change
group ownership. The chown command will be covered later in this chapter. When
using either the chown or chgrp command, the system will first check the
permissions of the user issuing the command to make certain they have
sufficient permissions to make the change.
Now we'll look at some examples of how to use the chown
and chgrp commands. We'll start with the chgrp command, then look at chown and
then finally see how chown can be used to do the work of both!
Change Group Ownership
The chgrp command is used to change the group with which
a file is associated. The first thing you will need to provide this command is
the group which you want to change the file or directory to. After that you can
list a single file or directory to be changed or list several entities
separated by spaces. The chgrp command will not have any effect on the access
granted to the group (the rw- in the middle of the three permission sets) but
will change who can use those permissions.
Using the chgrp Command on a File
# ls -l
total 12
-rw-rw-r-- 1 tclark authors 2229 Jan 13 21:35 declaration.txt
-rw-rw-r-- 1 tclark authors 1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r-- 1 tclark authors  360 Jan 13 17:48 preamble.txt
# chgrp presidents gettysburg.txt
# ls -l
total 12
-rw-rw-r-- 1 tclark authors    2229 Jan 13 21:35 declaration.txt
-rw-rw-r-- 1 tclark presidents 1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r-- 1 tclark authors     360 Jan 13 17:48 preamble.txt
The chgrp command works the same for directories as it
does for files. In the following example, the group ownership of the directory
called examples will be changed. Directories are identified by the letter d in
the first column of the ls -l display.
Using the chgrp Command on a Directory
# ls -l
total 4
-rw-rw-r-- 1 tclark tclark    0 Jan 13 21:13 example1.fil
-rw-rw-r-- 1 tclark tclark    0 Jan 13 21:13 example2.xxx
drwxrwxr-x 2 tclark tclark 4096 Jan 13 21:35 examples
# chgrp authors examples
# ls -l
total 4
-rw-rw-r-- 1 tclark tclark     0 Jan 13 21:13 example1.fil
-rw-rw-r-- 1 tclark tclark     0 Jan 13 21:13 example2.xxx
drwxrwxr-x 2 tclark authors 4096 Jan 13 21:35 examples
You can change the group for multiple files and/or
directories by using the -R (recursive) option for the chgrp command. This is
one of the few commands (we'll see two of the others shortly) which use an
upper-case R for the recursive option. When applied to a directory the -R
option will apply the chgrp command to the directory and all its subdirectories
and files. Care should be taken when using the -R option.
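To make the two listings above repeatable, and to show the check worth running before a recursive chgrp -R, here is an added example that is not from the book. It builds a small constructed directory tree in a temporary location, changes the group of one file, then audits which entries are outside the target group before applying -R to the whole tree. The group is taken from the current user's primary group so the script works on any account; the chapter's groups "authors" and "presidents" exist only on the author's system. The function names group_of, entries_not_in_group, count_not_in_group, build_tree and verify_recursive_chgrp are this example's own.

```shell
#!/bin/sh
# Added example, not from the book: exercise chgrp on a scratch directory
# tree and show the audit step worth running before a recursive chgrp -R.
# The group comes from the current user's primary group so that the script
# runs on any account (the chapter's "authors"/"presidents" are not assumed).

# group_of PATH -> the group column of ls -ld, which is how the chapter reads it
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# entries_not_in_group DIR GROUP -> every entry under DIR (DIR included)
# whose group is not GROUP. Run this before chgrp -R so you know exactly
# what the recursive change is going to touch.
entries_not_in_group() {
    find "$1" ! -group "$2" -print
}

# count_not_in_group DIR GROUP -> number of entries the audit lists
count_not_in_group() {
    entries_not_in_group "$1" "$2" | wc -l | tr -d ' '
}

# build_tree -> path of a freshly created scratch tree (constructed sample data)
build_tree() {
    top=$(mktemp -d)
    mkdir -p "$top/examples/sub"
    : > "$top/examples/example1.fil"
    : > "$top/examples/sub/example2.xxx"
    printf '%s\n' "$top"
}

# verify_recursive_chgrp GROUP -> number of entries still outside GROUP after
# chgrp -R on the scratch tree; 0 means the recursion reached everything.
verify_recursive_chgrp() {
    tree=$(build_tree)
    chgrp -R "$1" "$tree/examples"
    count_not_in_group "$tree/examples" "$1"
    rm -rf "$tree"
}

# Walk-through mirroring the chapter's two listings: one file, then a directory.
demo() {
    grp=$(id -gn)
    tree=$(build_tree)

    ls -l "$tree/examples"
    chgrp "$grp" "$tree/examples/example1.fil"      # one file; mode bits untouched
    echo "example1.fil now in group: $(group_of "$tree/examples/example1.fil")"

    echo "audit before -R (entries not in $grp):"
    entries_not_in_group "$tree/examples" "$grp"
    chgrp -R "$grp" "$tree/examples"                 # directory, subdirectory, files
    echo "entries not in $grp after -R: $(count_not_in_group "$tree/examples" "$grp")"

    rm -rf "$tree"
}

demo
```

The find-based audit is the practical answer to the chapter's "care should be taken" warning: it lists exactly what -R will change, so a wrong path or an unexpectedly deep tree is caught before any group ownership moves.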
Next we'll look at changing the ownership of files.
This is an excerpt from "Easy Linux Commands" by Linux guru Jon Emmons. You can purchase it for only $19.95 (30%-off) at this link.