Skip to content

Latest commit

 

History

History
117 lines (64 loc) · 5.42 KB

13.md

File metadata and controls

117 lines (64 loc) · 5.42 KB

Day 13 - Who has permission?

INTRO

Files on a Linux system always have associated "permissions" - controlling who has access and what sort of access. You'll have bumped into this in various ways already - as an example, yesterday while logged in as your "ordinary" user, you could not upload files directly into /var/www or create a new folder at /.

The Linux permission system is quite simple, but it does have some quirky and subtle aspects, so today is simply an introduction to some of the basic concepts.

This time you really do need to work your way through the material in the RESOURCES section!

OWNERSHIP

First let's look at "ownership". All files are tagged with both the name of the user and the group that owns them, so if we type "ls -l" and see a file listing like this:

-rw------- 	1 steve  staff  	4478979  6 Feb  2011 private.txt
-rw-rw-r-- 	1 steve  staff  	4478979  6 Feb  2011 press.txt
-rwxr-xr-x 	1 steve  staff  	4478979  6 Feb  2011 upload.bin

Then these files are owned by user "steve", and the group "staff".

PERMISSIONS

Looking at the '-rw-r--r--" at the start of a directory listing line, (ignore the first "-" for now), and see these as potentially three groups of "rwx": the permission granted to the user who owns the file, the "group", and "other people".

For the example list above:

  • private.txt - Steve has "rw" (ie Read and Write) permission, but neither the group "staff" nor "other people" have any permission at all
  • press.txt - Steve can Read and Write to this file too, but so can any member of the group "staff" - and anyone can read it
  • upload.bin - Steve can write to the file, all others can read it. Additionally all can "execute" the file - ie run this program

You can change the permissions on any file with the chmod utility. Create a simple text file in your home directory with vim (e.g. tuesday.txt) and check that you can list its contents by typing: cat tuesday.txt or less tuesday.txt.

Now look at its permissions by doing: ls -ltr tuesday.txt

-rw-rw-r-- 1 ubuntu ubuntu   12 Nov 19 14:48 tuesday.txt

So, the file is owned by the user "ubuntu", and group "ubuntu", who are the only ones that can write to the file - but any other user can read it.

Now let’s remove the permission of the user and "ubuntu" group to write their own file:

chmod u-w tuesday.txt

chmod g-w tuesday.txt

...and remove the permission for "others" to read the file:

chmod o-r tuesday.txt

Do a listing to check the result:

-r--r----- 1 ubuntu ubuntu   12 Nov 19 14:48 tuesday.txt

...and confirm by trying to edit the file with nano or vim. You'll find that you appear to be able to edit it - but can't save any changes. (In this case, as the owner, you have "permission to override permissions", so can can write with :w!). You can of course easily give yourself back the permission to write to the file by:

chmod u+w tuesday.txt

GROUPS

On most modern Linux systems there is a group created for each user, so user "ubuntu" is a member of the group "ubuntu". However, groups can be added as required, and users added to several groups.

To see what groups you're a member of, simply type: groups

On an Ubuntu system the first user created (in your case ubuntu), should be a member of the groups: ubuntu, sudo and adm - and if you list the /var/log folder you'll see your membership of the adm group is why you can use less to read and view the contents of /var/log/auth.log

The "root" user can add a user to an existing group with the command:

usermod -a -G group user

so your ubuntu user can do the same simply by prefixing the command with sudo. For example, you could add a new user fred like this:

adduser fred

Because this user is not the first user created, they don't have the power to run sudo - which your user has by being a member of the group sudo.

So, to check which groups fred is a member of, first "become fred" - like this:

sudo su fred

Then:

groups

Now type "exit" to return to your normal user, and you can add fred to this group with:

sudo usermod -a -G sudo fred

And of course, you should then check by "becoming fred" again and running the groups command.

POSTING YOUR PROGRESS

Just for fun, create a file: secret.txt in your home folder, take away all permissions from it for the user, group and others - and see what happens when you try to edit it with vim.

EXTENSION

Research:

  • umask and test to see how it's setup on your server
  • the classic octal mode of describing and setting file permissions. (e.g. chmod 664 myfile)

Look into Linux ACLs:

Also, SELinux and AppArmour:

RESOURCES

Copyright 2012-2021 @snori74 (Steve Brorens). Can be reused under the terms of the Creative Commons Attribution 4.0 International Licence (CC BY 4.0).