Access Granted!
The shell comes with some simple commands for managing access to files and directories.
The shell comes with some simple commands for managing access to files and directories.
Granular access privileges for files and directories make Linux a safe operating system. A precise definition of who is permitted to read, modify, or execute data provides excellent protection against prying eyes and intentional misconfiguration. The root user is subject to no restrictions, and this includes assigning read, write, and execute permissions to other users throughout the system.
If you are the owner of a file or directory, you can grant access to these resources to other accounts. If you are also a member of a specific group, you can modify the group ownership of files and folders for more granular permission assignments to files.
For every file (and thus for directories, device files, etc.), Linux defines who may read, write, and execute that file. Also, every file belongs to an owner and to a group. The following three permissions are assigned separately for owners, groups, and other users:
To discover the permissions for a file at the command line, you can simply set the -l flag with the ls command (Figure 1).
Permissions are indicated by the letters r (for "read"), w (for "write"), and x (for "execute"). In the ls output, note the three sets of r, w, and x (or -) at the beginning of the file name entry.
The first block shows the permissions for the owner, the second block refers to the group, and the third block refers to all users. Folders are indicated by a d (for "directory") at the start of the list, regular files by a single dash (-), symlinks by an l (for "link"), block devices like /dev/sda1 by a b, and character devices (e.g., /dev/tty1) by a c.
Your file manager (e.g., Dolphin, Nautilus) also can show file permissions if you reset the default view (Figure 2) from the View menu.
Linux has two special permissions: the s bit (also known as the setuid/setgid bit) and the t bit (also known as the sticky bit). Both replace the x in the rwx block of three. The s is commonly seen with executable files, whereas the t bit is more common with directories.
The setuid/setgid bit (set user ID and set group ID) executes a program with the permissions of the user or group, no matter who runs the program. In this way, nonprivileged users can access resources they would not normally be able to access. Although this is a potential security risk, the s bit has its uses. Many programs, including su, sudo, mount, or passwd rely on the s bit (Listing 1).
Listing 1
Programs that use the setuid/setgid bit
01 -rwsr-xr-x 1 root root 31124 Jul 31 15:55 /bin/su 02 -rwsr-xr-x 1 root root 123448 Jun 22 18:14 /usr/bin/sudo 03 -rwsr-xr-x 1 root root 72188 Oct 22 23:54 /bin/mount 04 -rwsr-xr-x 1 root root 41292 Jul 31 15:55 /usr/bin/passwd
Permissions and Priorities
Permissions for the user, group, and all others have different priorities. If you are the owner of a file, permissions for the owner apply (the first block of the three letters). If you're not the owner, but belong to the group, the second block applies. If you're neither the owner nor a group member, the third set of permissions apply.
The passwd program, for example, modifies passwords, accessing the /etc/shadow file in the process of entering the new password.
By default, the file is protected against write access by nonprivileged users and reserved for use by the administrator to prevent just anybody from being able to manipulate the passwords. The s bit executes the passwd program as the root user and enters the new password in /etc/shadow "on behalf" of root.
The other special permission, the t bit, commonly occurs in shared directories (read, write, and execute permissions for all) in place of the execute flag to ensure that users are only allowed to modify – and therefore delete – their own data. The sticky bit is typically set for /tmp (Figure 1). This stores temporary files for multiple users.
If everybody had the right to read, write, and execute these files, in theory, everybody would be able to clean up the system and delete arbitrary data. The t bit ensures that users can delete only their own files (or those files for which they have write permission). The exception to this rule is that the owner of the folder with the sticky bit is allowed to delete within that folder.
Pages: 4
Price $15.99
(incl. VAT)