soup4you2
March 3rd, 2003, 23:07
File Permissions

*nix file permissions are a way for a user to restrict access to a file or directory on the file system. For files, a user can specify who can read the file, who can write to the file and who can execute the file. For directories, a user can specify who can read the directory, who can write to the directory and who can execute programs located in the directory.

Files
Let's look at a simple example of a file.

[code:1:9ec0b4d447]
($:~)=> [b]ls -l note.txt[/b]
-rw-rw-r-- 1 soup4you2 users 852 Feb 22 00:26 note.txt
[/code:1:9ec0b4d447]


Here we execute ls -l. The ls command lists the contents of the directory, or in this case only the file note.txt; the -l option lists the file in long form, which displays quite a bit of information about the file. The output lists the following info:

[code:1:9ec0b4d447]
-rw-rw-r-- 1 soup4you2 users 852 Feb 22 00:26 note.txt
|          | |         |     |   |            |-Name
|          | |         |     |   |-Date Last Modified
|          | |         |     |-Number Of Bytes
|          | |         |-Group
|          | |-Owner
|          |-Number Of Links
|-Permissions
[/code:1:9ec0b4d447]

Notice that this file has one owner (soup4you2) and belongs to one group (users). The owner and group are important when we discuss file permissions.

The file permissions are as follows:

-rw-rw-r--



The information is divided into four parts:

[code:1:9ec0b4d447]
- rw- rw- r--
| |   |   |-World Permissions
| |   |-Group Permissions
| |-Owner Permissions
|-File Type
[/code:1:9ec0b4d447]


The first part of the output is the file type. Common file types are as follows:

[code:1:9ec0b4d447]
- A Normal File
d A Directory
l A Symbolic link
s A Socket
[/code:1:9ec0b4d447]


Following the file type are three groups of three characters representing the permissions for the owner, group and world. The three characters indicate whether or not permission is granted to read the file (r), write to the file (w) or execute the file (x). If permission is granted the letter is present. If permission is denied the letter is, well, you guessed it sparky, not there, and a (-) is in its place. Here's another example:

rwxr-x--x



The first three characters are the permissions for the owner. The permissions rwx indicate that the owner can read the file, write to the file and execute the file. The next three characters are the permissions for the group associated with the file. The permissions r-x indicate that members of the group can read the file and execute the file but cannot write to the file. The last three characters are the permissions for the rest of the world. The permissions --x indicate that they cannot read the file and cannot write to the file but can execute it. Getting this yet? It only gets more fun from here.

Take notice that the three permissions are either granted or denied, either on or off (I've got to get specific; you might be a slobbering drunk who needs all the help they can get). Since the permissions can be considered either on or off, they can be thought of as a collection of 0s and 1s. For instance, "rwx" has read, write and execute permissions on. Therefore we can write these permissions as "111", and in octal format the value is 7. Similarly, "r-x" has read and execute permissions on and write off. Therefore we can write these permissions as 101, and in octal format the value is 5.

If we put this idea into practice for owner/group/world permissions, then the permissions rwxr-x--x in binary format are 111101001, and if we treat this as a series of three octal digits the value is 751.

Changing File Permissions

The chmod command changes file permissions. You would use it like so:

chmod mode file [file ...]



To see how to use chmod, let's look at a file lying around.

[code:1:9ec0b4d447]
($:~)=> ls -l a.txt
-rw-rw-r-- 1 soupx users 10 Mar 03 06:50 a.txt
[/code:1:9ec0b4d447]


To change the permissions to an explicit mode, use the octal method:

[code:1:9ec0b4d447]
($:~)=> chmod 751 a.txt
($:~)=> ls -l a.txt
-rwxr-x--x 1 soupx users 10 Mar 03 06:50 a.txt
[/code:1:9ec0b4d447]


Do you see how the permissions 751 translated into rwxr-x--x? And look at this if you're feeling saucy enough.

[code:1:9ec0b4d447]
($:~)=> chmod 640 a.txt
($:~)=> ls -l a.txt
-rw-r----- 1 soupx users 10 Mar 03 06:50 a.txt
[/code:1:9ec0b4d447]


Here 640 translates to rw-r-----. You can also use the chmod command in symbolic mode as follows, even though I don't care too much for this way.

[code:1:9ec0b4d447]
($:~)=> chmod +x a.txt
($:~)=> ls -l a.txt
-rwxr-x--x 1 soupx users 10 Mar 03 06:50 a.txt
[/code:1:9ec0b4d447]


Here chmod is used with +x, which means to add executable permission. The + character means to add the permission, whereas the - character means to remove it. Here +x means to add executable permission for the owner, group and world. The chmod command can also be used to change permissions for a specific group:

[code:1:9ec0b4d447]
($:~)=> chmod g-r a.txt
($:~)=> ls -l a.txt
-rwx--x--x 1 soupx users 10 Mar 03 06:50 a.txt
[/code:1:9ec0b4d447]


This shows chmod being executed with g-r, which means "remove group executable permissions". Are you getting tired of my bad spelling yet, or have you drunk enough that you just don't care anymore?

Sticky Bits

If a user has write permission to a directory, that user can delete files and directories within it, even if those files are not owned by the user and their permissions are set so that the user cannot read or write the file:

[code:1:9ec0b4d447]
($:~)=> ls -ld temp
drwxrwxrwx 2 soupx users 512 Mar 03 06:50 temp
[/code:1:9ec0b4d447]


We see here that the temp directory is owned by soupx yet writeable by the world. This is bad because somebody else, neither the owner nor in the group, can delete the file even though they cannot see it. Well, I'm a few beers into this, so I'm going to skip right along to our next topic.

Default Permissions and Umask

When a user creates a file or directory, that file or directory is given default permissions:

[code:1:9ec0b4d447]
($:~)=> touch a.txt
($:~)=> mkdir testdir
($:~)=> ls -l
total 1
-rw-rw-r-- 1 soupx users 10 Mar 03 06:50 a.txt
drwxrwxr-x 1 soupx users 10 Mar 03 06:50 testdir
[/code:1:9ec0b4d447]


Notice that the default permissions for the user soupx are 664 for files and 775 for directories. Default file and directory permissions are set according to the value of the user's umask. The umask value is used to mask off bits from the most permissive default values, 666 for files and 777 for directories. To display your umask, just type umask:

[code:1:9ec0b4d447]
($:~)=> umask
002
[/code:1:9ec0b4d447]


The user soupx has a umask value of 002. A simple way to determine the value of soupx's default permissions when soupx creates a file or directory is to simply subtract the value of the umask from the system default permission values.

[code:1:9ec0b4d447]
Files:   Directories:
  666      777
 -002     -002
  ---      ---
  664      775
[/code:1:9ec0b4d447]


To change your default permissions, change your umask value. To create the most restrictive permissions, use a value of 777, which would give out the equivalent of 000 permissions. Of course this is too restrictive, since soupx would not have read and write permissions for new files (pretty shitty, eh?). To create files and directories with the most practical restrictive permissions, use a umask value of 077, which will grant read/write/execute for the owner but nothing for the group or world, so it would retain file permission values of 700. If you wish to change your umask value permanently, add it to your user's login profile.
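The chmod and umask steps from the post above, replayed as an added example (not part of the original post, and not the poster's own code) in a throwaway directory by a POSIX shell script that reads every result back from ls -l, so the sequence can be checked on your own box without a second user. It assumes a chmod that follows POSIX for a bare +x (GNU and BSD both do): with no "who" letter, the bits set in the umask are left alone. It also adds the one thing the Sticky Bits section names but never shows: chmod 1777 on the directory, which appears as t in the world execute slot and limits deleting or renaming entries in that directory to the file's owner, the directory's owner and root.

```shell
#!/bin/sh
# Added example, not from the original post: replays the chmod/umask steps
# in a fresh temporary directory and reads each result back from ls -l.
set -eu

# mode_of PATH: print the type-plus-permission field of ls -l, e.g. -rwxr-x--x
# (cut to 10 characters so an ACL/xattr marker in column 11 does not leak in).
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# step LABEL PATH: print "LABEL MODE" for PATH, one line per step.
step() { printf '%s %s\n' "$1" "$(mode_of "$2")"; }

# walkthrough: run every step inside a throwaway directory (assumed writable
# $TMPDIR via mktemp). Each comment states the mode that step should print.
walkthrough() {
  work=$(mktemp -d)
  (
    cd "$work"
    umask 002                                # the umask the post shows
    touch a.txt; mkdir testdir
    step touch a.txt                         # -rw-rw-r--  666 & ~002 = 664
    step mkdir testdir                       # drwxrwxr-x  777 & ~002 = 775
    chmod 751 a.txt;    step 751 a.txt       # -rwxr-x--x
    chmod 640 a.txt;    step 640 a.txt       # -rw-r-----
    chmod +x a.txt;     step +x a.txt        # -rwxr-x--x  no "who": all three, minus umask bits
    chmod g-r a.txt;    step g-r a.txt       # -rwx--x--x  g-r clears the group read bit
    chmod 1777 testdir; step sticky testdir  # drwxrwxrwt  sticky bit shows as t in the world x slot
    umask 077                                # the restrictive umask the post recommends
    touch b.txt; mkdir private
    step umask077-file b.txt                 # -rw-------  666 & ~077 = 600: files get no x bit
    step umask077-dir private                # drwx------  777 & ~077 = 700
    chmod 640 b.txt; chmod +x b.txt
    step +x-under-077 b.txt                  # -rwxr-----  bare +x skips the x bits the umask masks
  )
  rm -rf "$work"
}

walkthrough
```

Two things worth noticing in the output: under umask 077 a new file comes out 600, not 700, because the file base of 666 has no execute bits to begin with, and a bare `chmod +x` under that same umask only gives the owner execute. If you want the bit added regardless of the umask, say who you mean: `chmod a+x`.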

v902
March 3rd, 2003, 23:55
You talked about sticky but what about SUID and SGID? For those *cough* occasions *cough* :P

elmore
March 4th, 2003, 00:25
nice soup, covers most things, thanks for the effort!

soup4you2
March 4th, 2003, 09:18
I was soooo drunk when I wrote that... it does need to talk about suid and sgid, and also chflags. Plus I don't like the way I talked about how permissions are figured out.

Read permission: give it a value of 4
Write permission: give it a value of 2
Execute permission: give it a value of 1

So if you want read+execute permission you add 4 + 1 and get 5.
You do this for each of the 3 parts: user/group/other.

[code:1:e784b7fc4f]
U = User   G = Group   O = Other (not U or G)

Triplet for u: rwx => 4 + 2 + 1 = 7
Triplet for g: r-x => 4 + 0 + 1 = 5
Triplet for o: r-x => 4 + 0 + 1 = 5
Which makes : 755

 UUUGGGOOO
-rwxr-xr-x 1 nick users  382 Jan 19 11:49
drwxr-xr-x 3 nick users 1024 Jan 19 11:19 lib/
-rwxr-xr-x 1 nick users 1874 Jan 19 10:23 socktest.pl

all goes by 4 2 1
[/code:1:e784b7fc4f]

BSDjunkie did a good job of explaining how to get a value for a umask:


The easiest way to figure out what umask to use, is to take the octal number and subtract it from 777.

So, if you wanted all new files to be created in your directory as 754, subtract that from 777: 777-754=023.

A default mode of 755 would be 777-755 = 022. This is the default umask on most systems as far as I know.
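The 4/2/1 arithmetic and the umask calculation from the two posts above, written out as an added example (not from the original thread, and not BSDjunkie's or the poster's code) in POSIX shell. perm_to_octal is a small parser for the ls permission field that goes a bit beyond the posts: it also recognises the s/S and t/T letters that mark setuid, setgid and the sticky bit and folds them into the leading digit. default_mode and umask_for do the umask arithmetic the way the kernel does it, a bitwise AND with the complement, and subtract_mode keeps the "just subtract" shortcut alongside so you can see where it breaks. All function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: the 4/2/1 arithmetic as a
# converter, plus umask arithmetic done bitwise rather than by subtraction.
set -eu

# perm_to_octal PERMS: PERMS is the 9-character permission field (rwxr-x--x)
# or the 10-character ls field with the type in front (-rwxr-x--x). Prints the
# 4-digit mode: rwxr-x--x -> 0751, rwsr-xr-x -> 4755, rwxrwxrwt -> 1777.
perm_to_octal() {
  p=$1
  case ${#p} in
    10) p=${p#?} ;;      # drop the leading file-type character
    9)  ;;
    *)  echo "perm_to_octal: need 9 or 10 characters, got '$1'" >&2; return 1 ;;
  esac
  digits="" special=0 who=4        # special bit for the current triplet: 4=setuid, 2=setgid, 1=sticky
  while [ -n "$p" ]; do
    t=${p%"${p#???}"}; p=${p#???}  # peel off the next triplet
    r=${t%??}; w=${t#?}; w=${w%?}; x=${t#??}
    v=0
    case $r in r) v=$((v + 4)) ;; -) ;; *) echo "bad read flag '$r'" >&2; return 1 ;; esac
    case $w in w) v=$((v + 2)) ;; -) ;; *) echo "bad write flag '$w'" >&2; return 1 ;; esac
    case $x in
      x)   v=$((v + 1)) ;;
      s|t) v=$((v + 1)); special=$((special + who)) ;;   # s/t: execute plus the special bit
      S|T) special=$((special + who)) ;;                  # S/T: special bit without execute
      -)   ;;
      *)   echo "bad execute flag '$x'" >&2; return 1 ;;
    esac
    digits="$digits$v"
    who=$((who / 2))               # 4 for the owner triplet, 2 for group, 1 for world
  done
  printf '%d%s\n' "$special" "$digits"
}

# default_mode BASE UMASK: what a new file (BASE 666) or directory (BASE 777)
# gets under UMASK. The kernel clears every bit set in the umask: BASE & ~UMASK.
default_mode() { printf '%03o\n' $(( 0$1 & ~0$2 )); }

# umask_for MODE: the umask that makes new directories come out as MODE.
# Every octal digit d satisfies 7 - d == ~d, so for a 777 base this agrees
# with the subtraction shortcut.
umask_for() { printf '%03o\n' $(( 0777 & ~0$1 )); }

# subtract_mode BASE UMASK: the "just subtract" shortcut, kept for comparison.
# It is only right when every umask bit is also set in BASE. For files (666)
# and a umask with execute bits it goes wrong: 666 - 033 = 633 by subtraction,
# but a new file really gets 644 because there was no x bit to remove.
subtract_mode() { printf '%03o\n' $(( 0$1 - 0$2 )); }

perm_to_octal rwxr-x--x
default_mode 666 033
subtract_mode 666 033
```

The subtraction shortcut is fine for the common umasks (022, 002, 077) because none of them has a bit that the file base lacks; the moment someone sets a umask like 033 or 027 and applies it to files, only the bitwise version gives the mode the kernel will actually use.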

v902
March 4th, 2003, 20:17
Being drunk/being tired/being high/having the shit beaten out of you + writing is always a bad idea, I have found :shock:

|MiNi0n|
March 5th, 2003, 15:09
I don't know what the big deal is with all this permissions talk... just do a
chmod -R 777 /

:twisted:

World writeable just makes for less headaches :lol:

Of course I jest. For anyone just getting into the nitty gritty of things like perms and umask and various other Admin type functions, I strongly recommend Essential System Administration by O'Reilly (http://www.oreilly.com/catalog/esa2/)

v902
March 7th, 2003, 22:06
Oh, and say something in there about the huge vuln in using -R because of symlinks; a lot of cron jobs actually run chmod -R, so they are screwed :) :twisted: