LPI Linux Certification/Manage File Permissions And Ownership

Detailed Objectives
(LPIC-1 Version 5.0)

Weight: 3

Description: Candidates should be able to control file access through the proper use of permissions and ownerships.

Key Knowledge Areas:
 * Manage access permissions on regular and special files as well as directories.
 * Use access modes such as suid, sgid and the sticky bit to maintain security.
 * Know how to change the file creation mask.
 * Use the group field to grant file access to group members.

The following is a partial list of the used files, terms and utilities:

Changing file owner and group
To change the owner of a file or directory, use chown.

chown yann mon_fichier.txt

To change the group of a file or directory, use chgrp.

chgrp dialout caller

The programs gpasswd and yast2 allow you to administrate groups.

gpasswd [-A user,...] [-M user,...] group
 * -A: Add users with group administrator privileges.
 * -M: Add members in group.

Group administrators can add or delete members of the group

gpasswd -d toto users gpasswd -a toto users

Group administrators can set or remove the password for the group.

gpasswd users gpasswd -r users

More privileges
It is possible to give more privileges to an user when it executes a particular script or program by setting the uid or gid bit of the file.

If the bit is set, the process will inherit the permissions of the owner of the file not the permissions of the user. To set the effective uid or gid, use chmod.

chmod 2640 [file] # (2) gid is inheritable for group. chmod 4640 [file] # (4) uid is inheritable for user.

Example of such program is /bin/passwd.

The sticky bit can also be set and can make the program text segment resident in RAM. chmod 1640 [file] (1) The file program stays in RAM.

File and Directory Permissions
The permission of a file or of a directory can be viewed with ls -l.

Examples of file permissions:

ls -l readme -rwxrw 1 toto users 14 Jul 5 10:00 readme

This means read,write, and execution permissions for user toto, read and write permissions for members of group users. No permissions for others. (0760)

ls -l /etc/hosts -rw-r--r-- 1 root root 14 Jul 5 10:00 /etc/hosts

This means read and write permissions for user root, read permissions for members of group root and all others. (0644)

Examples of directory permissions:

ls -ld /bin drwxr-xr-x 2 root root 4096 Jul 5 10:00 /bin

This means read,write, and execution permissions for user root, read and execution permissions for members of group root and others. (0755)

ls -l /home/toto drwxr-xr-x 10 toto users 4096 Jul 5 1:00 /home/toto

This means read, write, and execution permissions for user toto, read and execution permissions for members of group users and others. (0755)

Default permissions
The default permissions when creating a file are 0666 and when creating a directory are 0777. Most of the systems overwrite this at boot time with the program umask. Generally the mask value is 022. It means the write for group and other will be blocked. To check or change the mask value, do:

umask umask 066

Examples for file: default: rw- rw- rw- (0666) umask: 0 2 2 (0022) Block result: rw- r-- r-- (0644)

Examples for directory: default: rwx rwx rwx (0777) umask: 0 2 2 (0022) Block result: rwx r-x r-x (0755)

Calculating umasks
Finding the correct umask is not all that easy of a process, but certainly doable. The final permission of a file is the result of a logical AND operation between the negation of the umask and the default permission. (The same applies to directories)

In order to visualize this, we translate the octal default permissions into binary form first:

octal: 0666 binary: 000 110 110 110

octal: 0777 binary: 000 111 111 111

Then we take the umask. This time we'll use 0027 for our umaks and translate that into binary. Then invert (~) it.

octal: 0027 binary: 000 000 010 111 ~:     111 111 101 000

Now, to get the actual permission for a file, we logically AND it with the default permissions and translate back into octal:

default permission: 000 110 110 110 ~ umask:           111 111 101 000 logical AND:       000 110 100 000 octal representation: 0640

And the same for directories:

default permission: 000 111 111 111 ~ umask:            111 111 101 000 logical AND:       000 111 101 000 octal representation: 0750

Changing file permissions
To change permissions on a file or directory, use chmod. To overwrite the existing permissions, do:

chmod 0755 /tmp #rwx for user, rx for group and others

To change add or cancel some permissions without overwriting all the existing permissions, do:

chmod u+w readme # Add write permission for user chmod +r readme # Add read permission for everybody chmod -r readme # Remove read permission for everybody chmod u+x,g=r readme # Add execution for user and set read for group chmod u=rwx,go=rx readme # Set read write and execution for user, read and execution for group and others

To change in recursive mode, use the -R option.

chmod -R +x /sbin/*

Exercises

 * Exercises results

1) Write the command line by using letters with chmod to set the following permissions:

rwxrwxr-x : rwxr--r-- : r--r- : rwxr-xr-x : rwxr-xr-x : r-x--x--x : -w-rx : -xrwx :

2) Write the command line by using octal numbers with chmod to set the following permissions:

rwxrwxrwx : --x--x--x : r---w---x : -w--- : rw-r- : rwx--x--x :

3) With the following umask values what would be the files and directories creation permissions?

umask = 0027 File permissions: Directory permissions:

umask = 0011 File permissions: Directory permissions:

umask = 0541 File permissions: Directory permissions:

umask = 0777 File permissions: Directory permissions:

4) Create two user accounts

Logging in id: tst1, group users, with bash shell, home directory /home/tst1 Logging in id: tst2, group public, with bash shell, home directory /home/tst2 For the two accounts set a password.

Logging in as tst1 and copy /bin/ls into tst1 home directory as myls. Change the owner of myls to tst1 and the permissions to 0710. What does this permission value mean?

Logging in as tst2 and try to use /home/tst1/myls to list your current directory. Does it work ?

Create in /etc/group and /etc/gshadow a new group labo with tst1 and tst2. Change the owner group of myls to labo.

Try again from tst2 account to execute /home/tst1/myls to list your current directory. Does it work?

Exercises results