Module 8

More Operations & File Permissions

"Distrust and caution are the parents of security" - Benjamin Franklin

Learning Objectives

By the end of this module, you should be able to:

- Get an overview of users and groups
- Understand file permissions and directory permissions
- Modify file and directory permissions
- Change the owner and group of a file
- Modify the default permissions for files and directories

1. Introduction

In the previous module we discussed the Linux file system structure and some basic operations performed on files and directories. In this module we continue the discussion of files and their attributes: security permissions, owner and group, time of modification, and so on. Linux is a multi-user operating system, and file permissions are the mechanism by which one user's data is protected from other users and groups; they are the basic form of access control the OS provides. We will discuss the permissions the OS offers, the ways to modify them, and some other file attributes. Let us begin with the security of a Linux system.

2. Overview of Users and Groups

Linux is a network operating system, and file security is the first level of security provided by the OS. Let us first understand the concept of users and groups in a Linux system.

In Linux, everyone who can log in is considered a user. Imagine that each student is provided a log-in account. Linux identifies each user by a unique numeric user-id (UID). A special user called the super-user (root, UID 0) is the administrator of the operating system and has more privileges than any normal user. Users can be combined into a group; we can imagine that a class of students belongs to a common group. There can be different groups such as staff, faculty and students, and each group can contain one or more users. The advantage of grouping users is that a common security rule can be enforced on all the users within a group. For example, we can easily disable all the users of the students group when the semester is over. Each group is uniquely identified by a numeric group-id (GID). A user may belong to multiple groups: one primary group (the GID recorded in the user's own account entry) and any number of supplementary groups. On most distributions, if no group is specified when a user is created, the system creates a private group with the same name as the user and makes it the primary group. We will explore the commands to create users and groups in future modules. A schematic diagram illustrating the relationship between users and groups is shown in Figure 1.

Figure 1: Linux Users and Groups

In Linux, the groups command lists the groups a user belongs to, and the id command displays the user-id, the group-ids and the group names of a user. Both take an optional user name; without it they report on the current user.

Usage: groups [username]
       id [username]

The above snapshot illustrates that the user Demo belongs to Group1.


Note: 1) The details of all users existing in the system are stored in the file /etc/passwd. To see them, use the command more /etc/passwd. Each line has the format:
Username:Password:UID:GID:User Info (GECOS):Home Directory:Default Shell
On modern systems the Password field holds only an "x"; the password hashes themselves are kept in /etc/shadow, which only root can read, so that ordinary users cannot copy the hashes and attack them offline. A real hash in /etc/passwd, which is world-readable, is a misconfiguration worth looking for.

2) The details of all groups existing in the system are stored in the file /etc/group, one group per line:
Group Name:Password:GID:Comma-separated list of members
A user's primary group is the GID in the user's /etc/passwd entry; the member lists in /etc/group record the supplementary memberships.
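As an added example (not code from the module), the following script parses the two file formats just described and derives what the groups command reports for a user: the primary group from the passwd GID field plus the supplementary groups from /etc/group. The passwd and group contents are constructed for illustration; the user names demo, temp, toor and legacy and the groups wheel, group1 and students are assumptions, not data from any real system. It also runs two checks an administrator routinely makes on /etc/passwd: extra UID-0 accounts and password hashes stored in passwd instead of shadow.

```python
from collections import namedtuple

# Added example, not part of the module. The two samples below are
# constructed; a real /etc/passwd and /etc/group have many more lines.

PasswdEntry = namedtuple("PasswdEntry", "name pw uid gid gecos home shell")
GroupEntry = namedtuple("GroupEntry", "name pw gid members")

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
demo:x:1001:1001:Demo User:/home/demo:/bin/bash
temp:x:1002:1001:Temp User:/home/temp:/bin/sh
toor:x:0:0:second uid-0 account:/root:/bin/bash
legacy:$6$salt$notarealhash:1003:1003:Old Box:/home/legacy:/bin/sh
"""

SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:demo
group1:x:1001:
students:x:2000:demo,temp
"""

def parse_passwd(text):
    """Return {username: PasswdEntry} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[f[0]] = PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])
    return users

def parse_group(text):
    """Return a list of GroupEntry, in file order, from group-format text."""
    groups = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        members = [m for m in f[3].split(",") if m]
        groups.append(GroupEntry(f[0], f[1], int(f[2]), members))
    return groups

def groups_of(username, users, groups):
    """Group names for a user in the order the `groups` command prints them:
    the primary group (GID field of passwd) first, then the supplementary
    groups whose member list names the user, in /etc/group order."""
    user = users[username]
    primary = [g.name for g in groups if g.gid == user.gid]
    extra = [g.name for g in groups
             if username in g.members and g.gid != user.gid]
    return primary + extra

def audit(users):
    """Two checks on /etc/passwd: accounts other than root with UID 0 (each
    of them is root in all but name) and password hashes kept in the
    world-readable passwd file instead of /etc/shadow."""
    uid0 = sorted(u.name for u in users.values() if u.uid == 0 and u.name != "root")
    # "x", "*", "!" and "!!" are placeholder or locked markers, not hashes
    hashed = sorted(u.name for u in users.values() if u.pw not in ("x", "*", "!", "!!"))
    return {"extra_uid0": uid0, "hash_in_passwd": hashed}

if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    groups = parse_group(SAMPLE_GROUP)
    for name in ("demo", "temp"):
        print(name, ":", " ".join(groups_of(name, users, groups)))
    print(audit(users))
```

To run the same logic against a live system, pass the contents of the real /etc/passwd and /etc/group to parse_passwd and parse_group; both files are world-readable, which is exactly why hashes must not live in them.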

3 File and Directory Security

Linux provides three levels of security to all users. A user needs:
- Login permission, granted by providing a username and password
- Directory access permission, to enter his or her home (default working) directory
- File permissions, to perform operations on a file such as reading it, appending to it or executing it

There are 3 basic permissions that govern any operation on a file or a directory: read, write and execute. Each can be granted separately to the owner of the file/directory, to the group of the file/directory, and to all other users, so every file carries three permission triplets. Figure 2 illustrates the permission triplets.

Figure 2: Users and Permissions

The system uses symbolic codes to denote the permissions, the operations, and the class of users to which a permission applies. The codes are listed in Table 1.

Symbol   Purpose            Description
r        Permission         Read permission
w        Permission         Write permission
x        Permission         Execute permission
u        User               Apply permissions to the user (owner)
g        Group              Apply permissions to the group
o        Others             Apply permissions to others
a        All                Apply permissions to user (u), group (g) and others (o)
+        Add operation      Add permissions
-        Remove operation   Remove permissions
=        Assign operation   Assign permissions, replacing the current ones

Table 1: Symbolic Codes

In a long directory listing (ls -l) the first field is 10 characters wide. The first character shows the file type: "-" for a regular file, "d" for a directory, "l" for a symbolic link. The next 9 characters are the permissions, in three groups of three: owner, group, others. Each group lists r, w and x in that order; a permission that is not granted is shown as a dash "-" in its position. Example, with the character positions numbered beneath:

-rwxr-xr-x
0123456789

Position 0 is the file type, positions 1-3 are the owner's permissions (rwx), 4-6 the group's (r-x) and 7-9 everyone else's (r-x).

The nine "rwx" bits are stored by the kernel as part of the file's inode (its mode), not in the file's contents. Systems that support POSIX access control lists (the getfacl and setfacl commands) present these same bits as the user::, group:: and other:: entries of the file's access control list, next to any extended entries that grant rights to additional named users or groups. The getfacl command displays the access permissions of any file or directory.

Usage: getfacl [options] file...

The above snapshot illustrates the use of the getfacl command. When a user requests an operation on a file or directory, the kernel compares the request with the permissions recorded for that object and refuses the operation unless it is permitted. The check consults exactly one of the three triplets: if the requesting process's user-id matches the file's owner, only the owner bits are used; otherwise, if the file's group is one of the process's groups, only the group bits are used; otherwise the "others" bits are used. A more permissive triplet further down the order is never consulted, so a file with mode ----rwxrwx cannot be read by its own owner while everybody else can read it. The super-user is exempt from these checks.
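The following is an added example, not code from the module, that models the two things just described: converting the ten-character ls -l field into the nine mode bits and back, and the owner-then-group-then-others class selection the kernel performs before it looks at any bit. The user-ids and group-ids in the usage section are made up; only the r/w/x bits are handled, since setuid, setgid and sticky are outside this section.

```python
# Added example, not code from the module: the nine permission bits as
# Linux stores them, and the class-selection rule applied before the
# bits are consulted. Special bits (setuid/setgid/sticky) are not modelled.

PERM_CHARS = "rwxrwxrwx"   # owner, group, others, in ls -l order
R, W, X = 4, 2, 1          # the octal weights of each permission

def parse_ls_mode(field):
    """Convert the 10-character mode field printed by `ls -l`
    (e.g. '-rwxr-xr-x') into (file_type_char, mode_int)."""
    if len(field) != 10:
        raise ValueError("expected 10 characters such as '-rwxr-xr-x'")
    ftype, perms = field[0], field[1:]
    mode = 0
    for pos, ch in enumerate(perms):
        if ch == PERM_CHARS[pos]:
            mode |= 1 << (8 - pos)      # bit 8 is owner r, bit 0 is others x
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {pos + 1}")
    return ftype, mode

def format_mode(mode):
    """Inverse of parse_ls_mode for the nine bits: 0o754 -> 'rwxr-xr--'."""
    return "".join(c if mode & (1 << (8 - pos)) else "-"
                   for pos, c in enumerate(PERM_CHARS))

def dac_allows(mode, file_uid, file_gid, uid, gids, want):
    """Discretionary access check for one file.

    `want` is a combination of R, W and X. Exactly one triplet is consulted:
    the owner bits if uid is the file's owner, else the group bits if
    file_gid is among the caller's groups, else the others bits. A more
    permissive triplet later in that order never helps a caller who matched
    an earlier one. Root's CAP_DAC_OVERRIDE bypass is not modelled."""
    if uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

if __name__ == "__main__":
    # constructed ids: file owned by uid 1000 / gid 100
    ftype, mode = parse_ls_mode("-rwxr-xr-x")
    print(ftype, oct(mode), format_mode(mode))
    # owner uid 1000 is refused although group and others have everything
    print("owner can read ----rwxrwx:", dac_allows(0o077, 1000, 100, 1000, [100], R))
    print("other user can read it:  ", dac_allows(0o077, 1000, 100, 1001, [100], R))
```

The 077 case is the one to remember when auditing: a group or world-readable mode does not help the owner, and, conversely, restricting the group triplet does nothing for a user who is not the owner and not in the group.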

File Permissions:

File permissions can be granted to the owner, the group and all others. The three basic permissions of a file are read, write and execute. The r (read) permission means we can see the contents of the file, including opening it with an application such as an editor; it is also what allows the file to be copied, since a copy is made by reading it. The w (write) permission means we can change the contents of the file. If we open a file in vi without write permission, it opens read-only, and any changes have to be saved under a new name. If we have write permission but not read permission, we cannot open the file in a text editor such as vi; we get a permission denied error instead, because the editor must read the file before it can rewrite it. Note that deleting a file does not depend on the file's own permissions at all: it depends on write and execute permission on the directory that contains it (see Directory Permissions below). The x (execute) permission means we can run the file by typing its name at a command prompt. Programs, utilities and scripts normally carry execute permission. If we try to execute a file that lacks it, the shell reports a permission denied error. A script additionally needs read permission, because the interpreter has to read its text; a compiled binary needs only x. The absence of a permission is represented by a "-". Table 2 summarizes the file access permissions.

Symbol   Description
r        Open and read the file (also required to copy it)
w        Add to or modify the contents of the file
x        Execute/run the file if it is a program or script
-        Permission is not granted

Table 2: File Permissions and Related Operations

The snapshot shown below illustrates file permissions. There are 5 text files in the directory "MyDir": file1.txt grants all permissions to owner, group and others, whereas file2.txt grants all permissions to owner and group only. file5.txt grants all permissions to the owner but only read and execute to the group.

Directory Permissions:

Directory permissions use the same three bits as file permissions but with different meanings, because a directory is a list of names. The r (read) permission allows listing the names in the directory. If we do not want someone else to see what a directory contains, we remove read permission from it. The w (write) permission allows adding and removing entries in the directory: creating, deleting, renaming or copying files into it, and creating or deleting sub-directories. This is why deleting a file is governed by the directory's permissions and not by the file's own. The x (execute) permission, often called "search" permission on a directory, allows the directory to be entered and its entries to be accessed; the cd command only works on a directory with execute permission, and w is useless without x, since the kernel must look up an entry before it can change it. The two halves are independent: with r but not x a user can list names but cannot open, stat or cd into anything in the directory, while with x but not r a user can use files whose names are already known but cannot discover them with ls. Table 3 summarizes the directory access permissions.

Symbol   Description
r        List the names of the entries in the directory
w        Create, delete or rename files, links and sub-directories in the directory (needs x as well)
x        Enter the directory and access its entries by name
-        Permission is not granted

Table 3: Directory Permissions and Related Operations


4 Modifying File Permissions (chmod)

In the previous sections we discussed the permissions associated with files and directories. The system creates files and directories with some default permissions (see section 7 on umask); a user who wants to change them uses the chmod command, which only the file's owner and the super-user may apply to a given file. There are two ways to specify the new mode:
1) Symbolic codes, generally used to modify existing permissions
2) Octal notation, generally used to assign a complete new set of permissions, discarding the previous one

chmod using Symbolic Codes: The symbolic codes are those of Table 1. The assignment operator (=) sets a class's permissions to exactly what is listed, the plus sign (+) adds permissions and the minus sign (-) removes them; with + and - the permissions not mentioned are preserved. The syntax of the chmod command is:

Usage: chmod [options] mode file...

Some of the widely used options are as follows:
-f   Do not display a diagnostic message if chmod could not modify the mode of a file or directory
-R   Recursively change the permissions of directories and their contents
-v   Be verbose, showing each file name as its mode is modified
The mode can be given in octal digits or as symbolic codes, and specifies the permissions to apply to the named files or directories.

Illustration: In the following snapshot, execute (x) permission is added on file1.txt for the user/owner (u) and the group (g) with the mode ug+x, that is, chmod ug+x file1.txt.

The assignment operator (=) discards the class's previous permissions and grants exactly the new ones; this is called absolute permission assignment. The + and - operators make relative changes to the original permissions and are called relative permission assignment. Let us see another example that shows the difference between = and +.


Illustration: In the following snapshot, file1.txt has write (w) permission for others. Issuing chmod o=x removes the write permission and assigns execute (x) in its place, whereas issuing chmod o+w keeps the previous permissions and adds write (w) for others. Note that changing the permissions for others does not affect the owner's or the group's permissions.

Table 4 summarizes few operations with chmod command and symbolic codes.

Command                  Description
chmod u=rwx file1.txt    Sets read, write and execute permissions on file1.txt for the user/owner
chmod ugo+x file1.txt    Adds execute permission on file1.txt for user, group and others
chmod o-x file1.txt      Removes execute permission on file1.txt for others
chmod a+r file1.txt      Adds read permission on file1.txt for all (ugo)
chmod +r file1.txt       Adds read permission for all classes except for bits masked by the umask; with the usual umask of 022 this equals a+r

Table 4: Few operations with chmod command

When no class letter is given, chmod applies the operation to all three classes but leaves alone any bit that is set in the current umask (section 7). With umask 022, +r behaves like a+r because the mask does not cover the read bits, but chmod +w file1.txt would add write permission for the owner only, not for group and others. Write a+w when that is what is intended.

chmod using Octal Notation:

Linux and Unix are programmer-friendly operating systems, and there is a more compact way to use the chmod command: administrators use octal notation more often than symbolic codes. Each class's permissions are written as one octal digit from 0 to 7. The digit 4 indicates read (r), 2 indicates write (w), 1 indicates execute (x) and 0 indicates no permission; permissions are combined by adding the numbers, so 7 (4+2+1) indicates read, write and execute, and 5 (4+1) indicates read and execute. Three digits give the owner, group and others permissions in that order. Note that octal notation always replaces all the previous permissions with the new ones. Table 5 lists the permissions in octal notation.

Octal digit   Text equivalent   Binary value   Meaning
0             ---               000            All types of access are denied
1             --x               001            Only execute permission is enabled
2             -w-               010            Only write permission is enabled
3             -wx               011            Write and execute permissions are enabled (3=2+1)
4             r--               100            Only read permission is enabled
5             r-x               101            Read and execute permissions are enabled (5=4+1)
6             rw-               110            Read and write permissions are enabled (6=4+2)
7             rwx               111            Everything is allowed (7=4+2+1)

Table 5: Permissions in octal notation

Illustration: In the following snapshot, chmod 000 removes all permissions from file1.txt; afterwards we assign mode 763 to file1.txt. Here 763 means 7 (rwx) for the owner, 6 (rw-) for the group and 3 (-wx) for others.

Table 6 summarizes a few operations using chmod with octal modes.

Command                Description
chmod 700 file1.txt    Sets read, write and execute permissions on file1.txt for the user/owner and none for group and others
chmod 111 file1.txt    Sets execute permission only on file1.txt for user, group and others
chmod 642 file1.txt    Sets read and write for the owner, read for the group and write for others on file1.txt
chmod 000 file1.txt    Removes all permissions on file1.txt

Table 6: Few operations with chmod command
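As an added example covering both the symbolic and the octal forms above (it is not the module's own code and not GNU chmod itself), here is a small implementation of the mode grammar used in Tables 4 and 6, including the difference between = and +, and the umask rule for clauses without a class letter. The second function applies a sequence of modes to a real temporary file with os.chmod and reads back what the kernel stored, so the symbolic-versus-octal illustrations above can be replayed and checked. The starting mode 644 and the sequence in the usage section are assumptions for the demonstration.

```python
import os
import stat
import tempfile

# Added example, not the module's own code: the chmod mode grammar of
# Tables 1, 4 and 6 (octal, or comma-separated clauses of the form
# [ugoa]*[+-=][rwx]*), applied with os.chmod to a scratch file so the
# result can be read back with stat. Only the r/w/x bits are handled.

BITS = {"r": 4, "w": 2, "x": 1}
SHIFT = {"u": 6, "g": 3, "o": 0}

def apply_mode(spec, current, umask=0o022):
    """Return the mode that `chmod spec` would produce on a file whose mode
    is `current`. As in GNU chmod, a clause without class letters acts on
    all classes but leaves alone every bit that is set in the umask."""
    if spec.isdigit():
        return int(spec, 8) & 0o777            # octal: replaces everything
    mode = current & 0o777
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause {clause!r}")
        classes, op, perms = clause[:i], clause[i], clause[i + 1:]
        pbits = 0
        for p in perms:
            if p not in BITS:
                raise ValueError(f"unknown permission {p!r} in {clause!r}")
            pbits |= BITS[p]
        targets = "ugo" if (classes == "" or "a" in classes) else classes
        for cls in targets:
            cls_mask = 7 << SHIFT[cls]
            change = pbits << SHIFT[cls]
            if classes == "":                  # bare +/-/= honours the umask
                cls_mask &= ~umask
                change &= ~umask
            if op == "+":
                mode |= change                 # relative: keep what is there
            elif op == "-":
                mode &= ~change
            else:                              # '=' is absolute for the class
                mode = (mode & ~cls_mask) | change
    return mode

def chmod_sequence(specs, start=0o644):
    """Apply each spec in turn to a fresh temporary file with os.chmod and
    return the modes the kernel recorded, as octal strings."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    recorded = []
    try:
        os.chmod(path, start)
        for spec in specs:
            current = stat.S_IMODE(os.stat(path).st_mode)
            os.chmod(path, apply_mode(spec, current))
            recorded.append(oct(stat.S_IMODE(os.stat(path).st_mode)))
    finally:
        os.unlink(path)
    return recorded

if __name__ == "__main__":
    # the illustrations above: ug+x, then o=x versus o+w, then the octal forms
    print(chmod_sequence(["ug+x", "o=x", "o+w", "000", "763"]))
```

Replaying the sequence shows 644 becoming 754 after ug+x, 751 after o=x (the others triplet is replaced, not extended), 753 after o+w, 0 after 000 and 763 at the end. The umask rule is the one people trip over: apply_mode("+w", 0o444) returns 0o644 under the default mask, while "a+w" returns 0o666.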

Note: The same change can be applied to a whole tree with the -R option, which makes chmod descend into directories. For example, the following commands give others execute permission on everything under the current directory:

$chmod -R 001 *
OR
$chmod -R o+x *

The two are not equivalent: the octal form sets every file and directory to exactly ---------x, wiping the owner's and group's permissions, while o+x only adds the one bit. Be careful with recursive x in general, since ordinary files rarely need it. To make directories traversable without marking data files executable, GNU chmod offers the capital X, as in chmod -R o+X *, which adds execute only to directories and to files that already have execute permission for some class.

5 Changing the Owner (chown)

Every file has an owner; by default the creator of a file is its owner. The system stores the owner as one of the file's attributes. At times it becomes necessary to change the owner of a file, for instance when a file is copied from one user's account to another user's account. The chown command changes the owner of a file, and can set the group at the same time with the owner:group form. On Linux only the super-user can change a file's owner; an ordinary user cannot give a file away.

Usage: chown [options] newowner[:newgroup] file...

The above snapshot illustrates the use of the chown command: earlier file .txt was owned by the user Demo belonging to the group Group1, and after issuing the chown command the owner of the file is Temp, who belongs to the group Group1. The chown command can be applied recursively to all files in a directory tree with the -R option.

6 Changing the Group (chgrp)

The chgrp command is similar to chown; it changes the group of a file without changing the owner. The owner of a file may change its group only to a group the owner is a member of; the super-user may set any group. The snapshot below illustrates the use of chgrp, where the group of the file test.txt is changed from Group1 to wheel. Note that the root user belongs to the wheel group.

Usage: chgrp [options] newgroup file...


7 Changing Default Permissions (umask)

Each user has a default set of permissions for newly created files, given by the administrator or generated by the operating system. When we create a file or a directory, for instance with vi or mkdir, it appears with these default permissions; you may experiment by creating a file and viewing its permissions with ls -l. The umask command shows the mask that produces them, in the octal notation we studied earlier (umask -S shows it in symbolic form), and umask followed by a value, for example umask 027, sets a new mask for the current shell and the programs it starts. In most cases umask shows 022. The mask is called the user's file creation mask (umask), is set in the default settings for a particular user, and lists the permission bits that are to be taken away from the requested mode whenever the user creates a file or a directory. The requested mode is 777 for a directory and 666 for a file (a newly created file is never given execute permission by this mechanism; that is added later with chmod). Table 7 lists, for each mask digit, the resulting digit for a directory and for a file.

Mask   Directory Permission (777 default)   File Permission (666 default)
0      7 (rwx)                              6 (rw-)
1      6 (rw-)                              6 (rw-)
2      5 (r-x)                              4 (r--)
3      4 (r--)                              4 (r--)
4      3 (-wx)                              2 (-w-)
5      2 (-w-)                              2 (-w-)
6      1 (--x)                              0 (---)
7      0 (---)                              0 (---)

Table 7: Default mask value for directories and files

Hence a umask of 022 means that for a new file the owner has read and write permission whereas group and others have read permission only: new files get 644 and new directories get 755. This is often written as 666 - 022 = 644 and 777 - 022 = 755, and the subtraction happens to work for 022, but the mask is really applied bit by bit (each bit set in the mask is cleared from the requested mode), which is what Table 7 tabulates. For a mask such as 033 the subtraction gives the wrong answer (666 - 033 = 633, but the file is created with 644), so read the table, or the bits, rather than subtracting. A stricter mask such as 077 gives new files 600 and new directories 700, so that nothing a user creates is readable by anyone else by default.
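The following added example (not code from the module) computes the default modes bitwise, compares them with the subtraction shorthand, and then sets the process umask and creates a real file and directory in a scratch location to show that the kernel agrees with the bitwise result. The masks tried in the usage section are assumptions; the point generalises to any mask value.

```python
import os
import shutil
import stat
import tempfile

# Added example, not from the module: the umask is applied bit by bit
# (requested mode AND NOT mask), which is what Table 7 tabulates; the
# subtraction shorthand used for 022 is not a general rule.

FILE_REQUEST = 0o666   # what open()/creat() ask for when creating a file
DIR_REQUEST = 0o777    # what mkdir asks for by default

def default_modes(umask):
    """(file_mode, dir_mode) the kernel records under this umask."""
    return FILE_REQUEST & ~umask & 0o777, DIR_REQUEST & ~umask & 0o777

def subtraction_guess(umask):
    """The '666 - umask' shorthand, for comparison with default_modes."""
    return FILE_REQUEST - umask, DIR_REQUEST - umask

def create_under_umask(umask):
    """Set the process umask, create one file and one directory in a scratch
    directory, and return the modes actually stored. The umask is process-wide,
    so the previous value is restored before returning."""
    base = tempfile.mkdtemp()                 # mkdtemp always uses 0700
    fpath = os.path.join(base, "newfile")
    dpath = os.path.join(base, "newdir")
    old = os.umask(umask)
    try:
        with open(fpath, "w"):                # open(2) with O_CREAT: 0666 & ~umask
            pass
        os.mkdir(dpath)                       # mkdir(2): 0777 & ~umask
        return (stat.S_IMODE(os.stat(fpath).st_mode),
                stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(old)
        if os.path.isdir(dpath):
            os.chmod(dpath, 0o700)            # so the scratch tree can be removed
        shutil.rmtree(base)

if __name__ == "__main__":
    for mask in (0o022, 0o027, 0o033, 0o077):
        bitwise = tuple(oct(m) for m in default_modes(mask))
        guess = tuple(oct(m) for m in subtraction_guess(mask))
        real = tuple(oct(m) for m in create_under_umask(mask))
        print(f"umask {mask:03o}: bitwise {bitwise}  subtraction {guess}  kernel {real}")
```

Running it shows the three columns agreeing for 022, 027 and 077 and the subtraction column going wrong for 033, where the kernel records 644 for the file, not 633.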


8 Changing Time-stamps of a File (touch)

The filesystem keeps three time stamps for each file: the last access time (atime), the last modification time of the contents (mtime) and the last change time of the inode (ctime), which the kernel updates whenever the file's contents, permissions, owner or time stamps change. (Some modern filesystems also record a creation time, but the classic tools do not display it.) From the earlier sections you will have noticed that ls -l shows the modification time. We can change the time stamps of a file with the touch command, which sets the modification time or the access time (or both) of any file to the current system time by default, or to a time of your choosing with the -t, -d or -r options. If the named file does not exist, touch creates it empty, which is its most common use. Note that touch cannot set ctime: changing the time stamps is itself a change to the inode, so the kernel records the real current time in ctime. This is why a forensic examiner compares all three stamps; a file whose mtime is years older than its ctime has had its time stamps reset after the fact. The following snapshot illustrates the use of touch, where the file's time stamp is changed to the current system time.
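As an added example (not code from the module), the script below does what touch does underneath, through the utime system call: it creates an empty file, sets its access and modification times to a date in the year 2000, and then reads all three stamps back to show that ctime still records the real time of the change. The chosen date is an assumption for the demonstration.

```python
import os
import tempfile
import time

# Added example, not part of the module: os.utime() is the system call
# behind touch -t/-d/-r. atime and mtime can be set to any value, while
# ctime is stamped by the kernel with the real current time.

Y2K = 946684800   # 2000-01-01T00:00:00Z, an obviously backdated value

def backdate(path, when):
    """Set atime and mtime of `path` to `when` (seconds since the epoch),
    as `touch -d @when path` would, and return the stored time stamps."""
    os.utime(path, (when, when))
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}

def demo():
    """Create an empty file (what `touch newfile` does), backdate it, and
    report whether ctime still points at the real time of the change."""
    fd, path = tempfile.mkstemp()   # creates the file, like touch on a new name
    os.close(fd)
    try:
        before = time.time()
        stamps = backdate(path, Y2K)
        ctime_is_now = stamps["ctime"] >= before - 1   # one second of slack
        return stamps, ctime_is_now
    finally:
        os.unlink(path)

if __name__ == "__main__":
    stamps, honest_ctime = demo()
    for name, value in stamps.items():
        print(f"{name}: {time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(value))}")
    print("ctime reflects the real change time:", honest_ctime)
```

On a live system the same comparison is available with stat filename, which prints Access, Modify and Change on separate lines; a large gap between Modify and Change is the tell-tale sign of a reset time stamp.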

Keywords Octal notation, symbolic notation, sticky bit, mask

Commands: chmod, chgrp, chown, getfacl, id, groups, setgid, setuid, touch, umask

Summary

Let us summarize the key concepts covered in this module

- Linux provides access privileges using the notion of users and groups.
- Files and directories have read, write and execute permissions.
- Permissions of files and directories can be modified using the chmod command.
- The owner and the group of a file can be changed using the chown and chgrp commands.
- Default permissions for new files and directories are set using the umask command.
