Ownership and Permissions

Earlier in this chapter, when we tried to cd to root's login directory, we received the following friendly message:

[newuser@localhost newuser]$ cd /root
bash: /root: Permission denied
[newuser@localhost newuser]$

That was one demonstration of Linux's security features. Linux, like UNIX, is a multi-user system, and file permissions are one of the ways the system protects against tampering of any kind -- malicious or accidental.

One way to gain entry when we see we're denied permission is to su to root, as we learned earlier. That's because whoever knows the root password has complete access.

[newuser@localhost newuser]$ su
Password: your root password
[root@localhost newuser]# cd /root
[root@localhost /root]#

But switching to superuser isn't always convenient -- or smart, since it's so easy to mistakenly mess up important configuration files.

All files and directories are "owned" by the person who created them. We created the file sneakers.txt in our login directory, so sneakers.txt "belongs" to us.

That means we can specify who's allowed to read the file, write to the file or, if it's an application instead of a text file, execute the file.

Reading, writing and executing are the three main settings in permissions.

Since every user on the system is placed into a group when that user is created, we can also specify whether certain groups can read, write to, or execute our file.

Let's take a closer look at sneakers.txt with the ls command using the -l (long) option (see Figure 15-16).

[newuser@localhost newuser]$ ls -l sneakers.txt
-rw-rw-r--    1 newuser newuser     150 Mar 19 08:08 sneakers.txt

There's quite a bit of detail here. We can see who can read (r) and write to (w) the file, as well as who created the file (newuser) and to which group the owner belongs (newuser).

Tip: Your default group

Remember that, by default, your group was the login name you chose.

Figure 15-16. Permissions for sneakers.txt

Other information to the right of the group includes the file name, date and time of its creation as well as size.

How do all those dashes and letters fit together? It's not as hard to read as it might seem. Let's take a look:

-rw-rw-r--

There are 10 slots in this column. The first slot represents the type of file. The remaining nine slots are actually three sets of permissions for three different categories of users.

Those three sets are: the owner of the file, the group in which the file belongs and "others," meaning users and groups other than the owner of the file (newuser) and those in newuser's group (which is also newuser).

Let's stretch out these file settings a bit:

 -    (rw-)   (rw-)  (r--)    1 newuser newuser
 |      |       |      |
type  owner   group  others

The first item, which specifies the file type, can show one of the following:

Beyond the first item, in the following three sets, we'll see one of the following:

When we see a dash in owner, group or others, it means that particular permission hasn't been granted.

Let's look again at the first column of sneakers.txt and identify its permissions. (See Figure 15-17)

[newuser@localhost newuser]$ ls -l sneakers.txt
-rw-rw-r--    1 newuser newuser     150 Mar 19 08:08 sneakers.txt
[newuser@localhost newuser]$

Figure 15-17. A Closer View of Permissions

The file's owner, newuser, has permission to read and write to the file; it's not a program, so newuser doesn't have permission to execute it. The group, newuser, has permission to read and write to sneakers.txt as well. As with the owner, there's no execute permission for group newuser.

In the last set, we can see that those who aren't either the user newuser or in the group called newuser can read the file, but can't write to it or execute it.

We can use the chmod command to change a file's permissions.

Let's work a bit more on sneakers.txt to change the permissions with the chmod command.

The original file looks like this, with its initial permissions settings:

-rw-rw-r--    1 newuser newuser     150 Mar 19 08:08 sneakers.txt

As long as we're the owner of the file -- or we're logged into the root account -- we can change permissions in any combination of settings for the owner, group and others.

Right now, the owner (that's us) and our group (which is newuser) can read and write to the file.

Anyone outside of our group can only read the file (r--).

Caution: Permissions are necessary

Remember that file permissions are a security feature. Whenever you allow everyone to read, write to and execute files, you may be increasing your risk of tampering. As a rule, then, you should shy away from allowing everyone to read and write to a file.

In this case, however, let's say that we want to allow everyone to write to the file, so they can read it, write notes in it and save it. That means we'll have to change the "others" section of the file permissions.

Since we're the owner of the file, we don't have to su to root to do it. Let's take a look at the file first. At the shell prompt, type:

ls -l sneakers.txt

which gives us this file information:

-rw-rw-r--    1 newuser newuser     150 Mar 19 08:08 sneakers.txt

Now, type the following:

chmod o+w sneakers.txt

To check our results, we can list the file's details again. Now, the file looks like this:

-rw-rw-rw-    1 newuser newuser     150 Mar 19 08:08 sneakers.txt

There's our result: Now, everyone can read and write to the file (Figure 15-18).

Figure 15-18. Changing Permissions for sneakers.txt

When we typed o+w, we were saying, "for others, add write permission to the file sneakers.txt."

If we want to remove read and write permissions from sneakers.txt for the group and others (even though it's only a sketchy shopping list), we could use the chmod command to take away both permissions like so:

chmod go-rw sneakers.txt

and the result will look like this:

-rw-------    1 newuser newuser    150 Mar 19 08:08 sneakers.txt

By typing go-rw, then, we were saying "for the group and others, remove read and write permission to the file sneakers.txt."

You might think of these settings as a kind of shorthand when you want to change permissions with chmod, because all you really have to do is remember a few symbols and letters with the chmod command.

Here is a list of what the shorthand represents:

Identities

u -- the user who owns the file (that is, the owner)

g -- the group to which the user belongs

o -- others (not the owner or the owner's group)

a -- everyone (u, g, and o)

Permissions

r -- read access

w -- write access

x -- execute access

Actions

+ -- adds the permission

- -- removes the permission

= -- makes it the only permission

Want to test it out? Let's remove all permissions from sneakers.txt -- for everyone.

chmod a-rw sneakers.txt

Now, let's see if we can read the file:

[newuser@localhost newuser]$ cat sneakers.txt
cat: sneakers.txt: Permission denied
[newuser@localhost newuser]$

Guess it worked; even we can't get into the file. But since the file belongs to us, we can always change its permissions to allow us read and write access. (See Figure 15-19)

[newuser@localhost newuser]$ chmod u+rw sneakers.txt
[newuser@localhost newuser]$ cat sneakers.txt
buy some sneakers
then go to the coffee shop
then buy some coffee
bring the coffee home
take off shoes
put on sneakers
make some coffee
relax!
[newuser@localhost newuser]$

Figure 15-19. Removing and Restoring Permissions

Here are some common examples of settings that can be used with chmod:

By adding the -R option, we can change permissions for entire directory trees.

There's a slight twist, however, because we can't really "execute" a directory as we would an application. Instead, when we add or remove execute permission for a directory, we're really allowing (or denying) permission to search through that directory.

To allow everyone read and write access to the tigger directory in our login directory, we just type:

chmod -R a+rw tigger

But… if we don't allow others to have execute permission to tigger, it doesn't matter who has read or write access, because no one will be able to get into the directory -- unless they know the exact filename they want.

For example, let's type:

chmod a-x tigger

to remove execute access to all.

Here's what happens now when we try to cd into tigger:

[newuser@localhost newuser]$ cd tigger
bash: tigger: Permission denied
[newuser@localhost newuser]$

Let's restore access for ourselves and our group.

chmod ug+x tigger

Now, if we check our work with ls -dl we'll see that only others will be denied access to tigger.
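The following script is an added example, not part of the original guide: it replays the chmod steps from this section (o+w, go-rw, a-rw, u+rw on sneakers.txt, then -R a+rw, a-x and ug+x on the tigger directory) on throwaway copies in a temporary directory, reporting the ls -l mode column after each step and splitting it into the type/owner/group/others parts of the stretched-out diagram. It assumes GNU coreutils (stat -c '%A'); the mode_of, split_mode, walk_file_modes and walk_dir_modes names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original guide: replays this section's
# chmod steps on throwaway copies of sneakers.txt and tigger and reports the
# ls -l mode column after each step. Assumes GNU coreutils (stat -c '%A').
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The 10-character mode column that ls -l prints, e.g. -rw-rw-r--
mode_of() { stat -c '%A' "$1"; }

# Split a mode column into the four parts of the "stretched out" diagram:
# type, owner, group, others.  -rw-rw-r--  ->  "- rw- rw- r--"
split_mode() {
    printf '%s %s %s %s\n' "$(printf '%s' "$1" | cut -c1)" \
        "$(printf '%s' "$1" | cut -c2-4)" \
        "$(printf '%s' "$1" | cut -c5-7)" \
        "$(printf '%s' "$1" | cut -c8-10)"
}

# Start where the chapter starts: a file we own, explicitly -rw-rw-r--
# (set with chmod so the current umask cannot alter the starting point).
walk_file_modes() {
    f="$WORK/sneakers.txt"
    printf 'buy some sneakers\nthen go to the coffee shop\n' > "$f"
    chmod u=rw,g=rw,o=r "$f"; m0=$(mode_of "$f")
    chmod o+w "$f";           m1=$(mode_of "$f")  # others may now write
    chmod go-rw "$f";         m2=$(mode_of "$f")  # group and others lose r and w
    chmod a-rw "$f";          m3=$(mode_of "$f")  # nobody, not even the owner, may read or write
    chmod u+rw "$f";          m4=$(mode_of "$f")  # the owner can always give it back
    printf '%s %s %s %s %s\n' "$m0" "$m1" "$m2" "$m3" "$m4"
}

# The directory twist: x on a directory is search permission, so after a-x
# nobody can cd into tigger even though everyone still has r and w on it.
walk_dir_modes() {
    d="$WORK/tigger"
    mkdir -p "$d"
    chmod u=rwx,g=rx,o=rx "$d"  # the usual starting mode of a new directory
    chmod -R a+rw "$d"; d1=$(mode_of "$d")  # everyone may read and write
    chmod a-x "$d";     d2=$(mode_of "$d")  # ...but nobody may search it
    chmod ug+x "$d";    d3=$(mode_of "$d")  # owner and group restored; others still locked out
    printf '%s %s %s\n' "$d1" "$d2" "$d3"
}

echo "file:  $(walk_file_modes)"
echo "dir:   $(walk_dir_modes)"
echo "split: $(split_mode "$(mode_of "$WORK/sneakers.txt")")"
```

Note that the mode column is what changes; whether a given user is actually refused is decided at access time, and root is not subject to these permission bits at all, which is why the guide warns against working as root more than necessary.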