Skip to content

Latest commit

 

History

History
279 lines (171 loc) · 8.22 KB

02.Understanding_file_permissions.md

File metadata and controls

279 lines (171 loc) · 8.22 KB
Raw

File permissions

Since Linux is a multi-user operating system, it is necessary to provide security to prevent people from accessing each other’s confidential files. So Linux divides authorization into 2 levels,

  1. Ownership: Each file or directory has assigned with 3 types of owners i. User: Owner of the file who created it. ii. Group: Group of users with the same access permissions to the file or directory. iii. Other: Applies to all other users on the system

  2. Permissions: Each file or directory has following permissions for the above 3 types of owners.

    i. Read: Give you the authority to open and read a file and lists its content for a directory.

    ii. Write: Give you the authority to modify the contents of a file and add, remove and rename files stored in the directory.

    iii. Execute: Give you the authority to run the program in Unix/Linux.

    The permissions are indicated with below characters,

      r = read permission

  w = write permission

  x = execute permission

  \- = no permission

    The above authorization levels represented in a diagram

There is a need to restrict own file/directory access to others.

Change access: The chmod command is used to change the access mode of a file. This command is used to set permissions (read, write, execute) on a file/directory for the owner, group and the others group.

chmod [reference][operator][mode] file...

Example
chmod ugo-rwx test.txt

There are 2 ways to use this command,

  1. Absolute mode: The file permissions will be represented in a three-digit octal number.

    The possible permissions types represented in a number format as below.

    Permission Type Number Symbol
    No Permission 0 ---
    Execute 1 --x
    Write 2 -w-
    Execute + Write 3 -wx
    Read 4 r--
    Read + Execute 5 r-x
    Read + Write 6 rw-
    Read + Write + Execute 7 rwx

Let's update the permissions in absolute mode with an example as below,

 chmode 764 test.txt

  1. Symbolic mode: In the symbolic mode, you can modify permissions of a specific owner unlike absolute mode.

    The owners are represented as below,

    Owner Description
    u user/owner
    g group
    o other
    a all

    and the list of mathematical symbols to modify the file permissions as follows,

    Operator Description
    + Adds permission
    - Removes the permission
    = Assign the permission

Changing Ownership and Group: It is possible to change the the ownership and group of a file/directory using chown command.

chown user filename
chown user:group filename

Example:
chown John test.txt
chown John:Admin test.txt

Change group-owner only: Sometimes you may need to change group owner only. In this case, chgrp command need to be used


Modifying permissions

To set or change permissions, use the chmod (short for change mode) command (see the manpages for more details).

When using this command, we specify the following:

  • Whom to change permissions for: u for the user(owner), g for the group and o for all other users.
  • How to change permission: + (plus sign) to add permissions, — (minus sign) to remove permissions or =(equal sign) to leave as is.
  • What permission to change: r for read, w for write, x for execute.
  • Using the information above, let’s take away the read permission for users outside the group and add write and execute permissions to the group as follows:

$ sudo chmod g+wx,o-r leads.txt

$ sudo chmod g+wx,o-r developers.txt

$ sudo chmod g+wx,o-r sre.txt

Run the ls -l command to view the modified permissions. The output should be: -rw-rwx--- 1 adminuser leads 0 Aug 15 19:42 leads.txt -rw-rwx--- 1 adminuser developers 0 Aug 15 19:42 developers.txt -rw-rwx--- 1 adminuser sre 0 Aug 15 19:42 sre.txt To demonstrate that files belonging to one group cannot be accessed by another group, login as a different user; for example, user5(who belongs to the developers group), using the following command:

$ sudo su user5

Now, let’s attempt to read a file that does not belong to the developers group. Run the following command to view the leads.txt file:

$ cat leads.txt

You should get a warning that says:

cat: leads.txt: Permission denied

This is expected because user5 does not have the permission to read the contents of the leads.txt file since the file belongs to the leads group, and not the developers group.


Create users

We will need admin privileges to create users — however, using the root user context is generally avoided, for security reasons.

First, create a regular user using the useradd command following this syntax:

$ useradd -m <name-of-user>

And then, assign admin privileges to this user as follows:

$usermod -aG sudo <username>

Now, this admin user has superuser privileges and will not need to type in a password with the sudo command.

Let’s switch to the admin superuser using the following command:

$ sudo su <adminuser>

And then create more users with the useradd command:

$ sudo useradd -m <name of user>

Do this for the number of users you need to create — 15 users in this case.

chgrp group_name filename

View users

All users in the system are stored in the /etc/passwd directory. To view all users, run the following command:

$ getent passwd

This should output something similar to the following:

root:x:0:0:root:/root:/bin/bash ... user1:x:1002:1002::/home/user1:/bin/sh user2:x:1003:1002::/home/user2:/bin/sh user3:x:1004:1002::/home/user3:/bin/sh user4:x:1006:1003::/home/user4:/bin/sh user5:x:1007:1003::/home/user5:/bin/sh ... Each entry has the following features:

  • the username: user1
  • the encrypted password: x
  • the unique identifier (UID) for the user: 100x
  • the user group ID (GID): 100x
  • the General Electric Comprehensive Operating Supervisor (GECOS) field — which is empty in this case. (This field contains general information as a string of comma-delimited attributes, for example, full name; phone number; etc)
  • the user home directory: /home/user1
  • the default login shell for the user: /bin/sh

Example:

sudo chgrp Administrator test.txt


Delete users

To delete a user, run the command:

$ sudo userdel -f <user> This removes all related user data, along with all the files in the user’s home directory -f, --force.


Add users to a group

To add the 15 users to groups, let’s create three different groups — a group for team leads leads, one for developers developers and another for the site reliability engineering team sre — and then add the users to the groups.

Use the groupadd command to create a group with the following syntax:

$ sudo groupadd <groupname>

So for our case, we will create three different groups like so:

$ sudo groupadd leads $ sudo groupadd developers $ sudo groupadd sre Next, add the already created users to each group assuming each user fits the group role, using the gpasswd command with the following syntax:

$ sudo gpasswd -A <user> -M <user,user,user> <groupname>

The gpasswd command allows you to manage the creation of groups and members of groups — the -A flag defines group administrators and the -M flag defines the members of the group as a comma-separated list (see the man pages for more details).


View groups

All groups in the system are stored in the /etc/groups directory. To view all groups, run the following command:

$ getent group

This should give an output similar to:

leads:x:1002:user1,user2,user15 developers:x:1003:user3,user4,user5,user6,user7,user8,user9 sre:x:1004:user10,user11,user12,user13,user14 Next, let’s define the level of access allowed for each group.


Next | Variables and Data Types