Command Line: Access Control
chmod, chgrp, and chown: ACCESS GRANTED!
Photo: Marquis, www.photocase.com
WWW.LINUX-MAGAZINE.COM, ISSUE 78, MAY 2007, LINUXUSER

A sophisticated system of users and permissions precisely controls who has access to what on Linux. At the command line, you can define ownership with the chmod, chgrp, and chown tools. BY HEIKE JURZIK

Granular access privileges for files and directories are what make Linux safe. A precise definition of who is permitted to read, modify data, or execute specific programs provides excellent protection against any prying eyes and intentional misconfiguration.

The administrator, root, is subject to no restrictions, and this includes assigning read, write, and execute permissions to other users throughout the system. If you are the owner of a file or directory, you can grant access to these resources to other accounts. If you are also a member of a specific group, you can modify the group ownership of files and folders for granular permission assignments to files.

Rights and Obligations

For every file (and thus for directories, device files, and so on), Linux precisely defines who is permitted to read, write, and execute that file. Additionally, every file belongs to a user and to a group. The three permissions are assigned separately for the file's owner, for the group, and for all users who belong to neither of these two categories:

• Read permission: Users can display the content of a file or folder on screen, copy the file, and do a few other things.
• Write permission: Users can change files and directories and store their changes. This also includes the ability to delete.
• Execute permission: For programs, execute permission means that the user is permitted to run the program. Execute for a directory means that the user is permitted to change to the directory (the user will additionally need read permission to be able to view the folder content).

Table 1: Permissions Overview

Octal number    Letters
0               ---
1               --x
2               -w-
3 (= 2+1)       -wx
4               r--
5 (= 4+1)       r-x
6 (= 4+2)       rw-
7 (= 4+2+1)     rwx

Discover Permissions

To discover the permissions for a file, you can either switch to a detailed folder view in a graphical file manager like Konqueror or Nautilus, or you can simply set the -l flag for the ls command. In both cases, permissions are indicated by the letters r (for "read"), w (for "write"), and x (for "execute"). The first block of three shows the permissions for the owner, the second block refers to the group, and the third block refers to all other users. Folders are indicated by a d (for "directory") at the start of the list (see Figure 1).

Figure 1: File managers provide an option for viewing file permissions.

Special Permissions

Linux also has two special permissions: the s bit (also known as the setuid/setgid bit) and the t bit (also known as the sticky bit). Both replace the x in the rwx block of three. The s is commonly seen with executable files, whereas the t bit is more common with directories.

As the name setuid/setgid bit (set user ID and set group ID, respectively) would suggest, this bit executes a program with the permissions of a user or group no matter who runs the program. In this way, nonprivileged users can access resources they would not normally be able to access. Although this is a potential security risk, the s bit has its uses. Many programs, including passwd in the following example, rely on the s bit:

$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 27132 Jul 11 20:06 /usr/bin/passwd*

The passwd program modifies passwords, accessing the /etc/shadow file in the process to enter the new password. By default, the file is protected against write access by nonprivileged users and reserved for use by the administrator to prevent just anybody manipulating the passwords. The s bit executes the passwd program as the root user and enters the new password in /etc/shadow on behalf of root.

The other special permission, the t bit, commonly occurs in shared directories (read, write, and execute permissions for all) in place of the execute flag to ensure that users are only allowed to modify – and thus delete – their own data. The sticky bit is also typically set for /tmp, as seen here:

$ ls -ld /tmp
drwxrwxrwt 16 root root 4096 Jan 28 19:51 /tmp/

The /tmp folder stores temporary files for multiple users. If everybody had the right to read, write, and execute these files, in theory, everybody would be able to clean up the system and delete arbitrary data. However, the t bit prevents this from happening, ensuring that users can only delete their own files (or those files for which they have been given write permission). The exception to this rule is that the owner of the folder with the sticky bit is also allowed to delete within that folder.

Modifying Permissions

The chmod program lets you modify file and directory permissions, assuming you are the owner or the system administrator, and understands two different kinds of command.

In one mode, you can use letters to define permissions. In this case, u stands for "user" (owner), g for "group," and o for "others" (all other users); r stands for "read," w for "write," x for "execute," s for the setuid/setgid bit, and t for the sticky bit.

A combination of these letters with plus, minus, and equals signs tells chmod to add, remove, or assign, respectively, precisely these permissions. For example, to give a group read and write permissions for a file, you just type chmod g+rw file.

Removing permissions follows the same pattern: the chmod o-rwx file command removes all permissions for all users who are neither the owner nor members of the owner group.

You are also able to combine these two commands like this:

chmod g+rw,o-rwx datei

As mentioned previously, an equals sign lets you assign precisely the permissions specified at the command line. For example, the command:

chmod ugo=rxw directory

gives the owner, group members, and all other users read, write, and execute permissions for the specific directory in question. Instead of ugo, you could simply say a for "all" with chmod.

GLOSSARY

Octal numbers: The octal system uses base 8; that is, it includes just eight numbers between 0 and 7. The next number after 7 is 10, 20 follows 17, and so on. Every number in an octal number is represented by three bits; in the case of permissions, the three bits specify what a user class is allowed to do [1].
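As an added example that is not part of the article, the two converters below apply the mapping from Table 1 together with the s and t bits just described: one turns the mode string that ls -l prints (such as -rwsr-xr-x) into the octal number chmod accepts, the other goes back the other way. They assume only POSIX sh and tr; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): converts between the mode string
# that "ls -l" prints (e.g. -rwsr-xr-x) and the four-digit octal number
# chmod accepts, following Table 1 (r=4, w=2, x=1) with the special bits
# (4 = setuid, 2 = setgid, 1 = sticky) as the leading digit. POSIX sh + tr.

score_triplet() {  # rwx -> 0..7; a lowercase s or t in third place means x is set
    _d=0
    case "$1" in r??) _d=$((_d + 4)) ;; esac
    case "$1" in ?w?) _d=$((_d + 2)) ;; esac
    case "$1" in ??[xst]) _d=$((_d + 1)) ;; esac
    echo "$_d"
}

perm_to_octal() {  # "-rwsr-xr-x" or "rwsr-xr-x" -> 4755
    mode=$1
    [ ${#mode} -eq 10 ] && mode=${mode#?}   # drop the file-type column (d, -, l)
    [ ${#mode} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    u=${mode%??????}; g=${mode#???}; g=${g%???}; o=${mode#??????}
    sp=0
    case "$u" in ??[sS]) sp=$((sp + 4)) ;; esac   # setuid: s replaces the owner's x
    case "$g" in ??[sS]) sp=$((sp + 2)) ;; esac   # setgid: s replaces the group's x
    case "$o" in ??[tT]) sp=$((sp + 1)) ;; esac   # sticky: t replaces the others' x
    printf '%d%d%d%d\n' "$sp" "$(score_triplet "$u")" "$(score_triplet "$g")" "$(score_triplet "$o")"
}

triplet() {  # $1 = digit 0..7, $2 = special letter (s or t) or empty -> e.g. rws
    r=-; w=-; x=-
    [ $(( $1 / 4 % 2 )) -eq 1 ] && r=r
    [ $(( $1 / 2 % 2 )) -eq 1 ] && w=w
    [ $(( $1 % 2 )) -eq 1 ] && x=x
    if [ -n "$2" ]; then   # ls shows S or T (uppercase) when the bit is set without x
        if [ "$x" = x ]; then x=$2; else x=$(printf '%s' "$2" | tr st ST); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

octal_to_perm() {  # 4755 or 755 -> rwsr-xr-x
    n=$1
    [ ${#n} -eq 3 ] && n="0$n"
    [ ${#n} -eq 4 ] || { echo "bad octal mode: $1" >&2; return 1; }
    sp=${n%???}; u=${n#?}; u=${u%??}; g=${n#??}; g=${g%?}; o=${n#???}
    su=; sg=; so=
    [ $(( sp / 4 % 2 )) -eq 1 ] && su=s
    [ $(( sp / 2 % 2 )) -eq 1 ] && sg=s
    [ $(( sp % 2 )) -eq 1 ] && so=t
    printf '%s%s%s\n' "$(triplet "$u" "$su")" "$(triplet "$g" "$sg")" "$(triplet "$o" "$so")"
}
```

An uppercase S or T in the ls output (a special bit set on an entry without execute permission) round-trips as well, e.g. rwSr--r-- is 4644.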


The chmod program also understands octal numbers. When you run the tool, you can pass in three- or four-digit octal numbers instead of letters.

You can calculate the numbers as follows: 4 stands for read permission, 2 for write permission, and 1 for execute permission. The first number refers to the owner, the second number to the group, and the third to all others.

On this basis, you can see that, for example, 644 would mean u=rw,go=r (resulting in rw-r--r--), or 777 would be a=rwx (resulting in rwxrwxrwx). The "Permissions Overview" table provides more details.

To set the s or t bit, you need to add this as a fourth number at the start of the block of three. The number 4 represents the s bit for the owner (setuid), 2 sets the s bit for the group (setgid), and 1 sets the t bit. Listing 1 gives an example.

Listing 1: Example

$ ls -l script.sh
-rw-r--r-- 1 huhn huhn 3191789 Oct 6 05:01 script.sh
$ chmod 4755 script.sh
$ ls -l script.sh
-rwsr-xr-x 1 huhn huhn 3191789 Oct 6 05:01 script.sh

Changing Group Memberships

As a "normal" user, you are allowed to assign your own files to specific groups; however, this assumes that you are a member of the group in question. The following command tells you your own group memberships:

$ groups
huhn dialout cdrom floppy audio video

To assign a file to the audio group, you just type:

chgrp audio Datei

Changing Owners and Groups

On a Linux system, the system administrator is allowed to assign new owners and new groups to files and directories. Let's imagine you just set up a new account called mike, and you've set up a home directory for Mike and copied critical configuration files from /etc/skel. Your last step would be to give Mike the permissions he needs to set up shop and use his home directory and the subdirectories below it.

The following command hands over the home directory and all the files in it (including the hidden configuration files) to the user mike:

chown -R mike /home/mike

The -R option used here tells chown to act recursively (this will be explained in more detail later). It is also useful to be able to define a new group owner for the data at the same time:

chown -R mike:mike /home/mike

In other words, you just append the group name (some distributions have a default group called users, whereas other distributions use the account name as the default group), with a colon to separate it from the account name.

Across the Board

All three tools – chmod, chgrp, and chown – support an -R parameter for recursive actions. For example, if you want to permit the members of the video group to access a directory and the files it contains, just type:

chgrp -R video directory

The -R option can also save you much typing when used in combination with the chmod command. To remove read, write, and execute permissions from this folder for all users who are not the owner or members of the video group, just type:

chmod -R o-rwx directory

Word of Warning

Be careful when you run recursive commands that remove the execute flag. If you mistakenly type a-x instead of o-x, you will discover that you have locked yourself out: chmod removes execute permissions from the parent directory and with them your ability to change to the directory and modify the files. The use of find can help you avoid this kind of dilemma:

find directory -type f -exec chmod a-x "{}" ";"

The find command first discovers the files (-type f) and then runs chmod against them, ignoring the directory.

From the Beginning

The umask specifies the default permissions assigned to newly created files and directories. Typing the umask command without setting any parameters reveals the current setting:

$ umask
0022

What you see here is a four-digit octal number that specifies what to subtract from the default values (0666 for files, 0777 for directories). In other words, new files are assigned 0644 (rw-r--r--), and new folders are assigned 0755 (rwxr-xr-x) when they are created. To change the umask, enter the command and the new value at the command line:

umask 0077

This entry means that new files and directories are only available to their owner. The umask is valid for the current shell, but you can add an entry to your bash configuration file ~/.bashrc to make the change permanent. Working as root, you also could add a global entry to /etc/profile to modify the umask for the system. ■

INFO

[1] Octal numbers: http://en.wikipedia.org/wiki/Octal

THE AUTHOR

Heike Jurzik studied German, Computer Science and English at the University of Cologne, Germany. She discovered Linux in 1996 and has been fascinated with the scope of the Linux command line ever since. In her leisure time you might find Heike hanging out at Irish folk sessions or visiting Ireland.
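As an added example, not part of the article, the script below reproduces the Word of Warning and its find-based fix, and the umask arithmetic from "From the Beginning", on a throwaway directory tree created with mktemp. It assumes POSIX sh plus find, ls, cut and mktemp; the function names and the tree layout are my own choices.

```shell
#!/bin/sh
# Added example (not from the article): compares the mistaken "chmod -R a-x"
# with the find-based variant from the text, and shows the effect of umask
# on newly created files. Everything happens in a throwaway directory
# created with mktemp; assumes POSIX sh plus find, ls, cut and mktemp.

mode_of() {  # the ten-character mode string that "ls -l" prints for $1
    ls -ld "$1" | cut -c1-10
}

make_tree() {  # tmpdir/ and tmpdir/sub/, each holding one executable script
    top=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXX")
    mkdir "$top/sub"
    printf '#!/bin/sh\necho hi\n' > "$top/run.sh"
    printf '#!/bin/sh\necho hi\n' > "$top/sub/run.sh"
    chmod 755 "$top" "$top/sub" "$top/run.sh" "$top/sub/run.sh"
    chmod g-s "$top" "$top/sub"   # in case the parent directory was setgid
    echo "$top"
}

# The mistake from the "Word of Warning": a-x applied recursively also
# strips x from the directories, so you can no longer enter the tree.
# Prints the mode of the top directory afterwards (drw-r--r--).
strip_x_recursive() {
    chmod -R a-x "$1" 2>/dev/null || true  # errors are expected once x is gone
    mode_of "$1"
}

# The fix from the text: let find pick out regular files (-type f) and run
# chmod only on those. Prints "<dir mode> <file mode>" for the sub tree.
strip_x_files_only() {
    find "$1" -type f -exec chmod a-x "{}" ";"
    echo "$(mode_of "$1/sub") $(mode_of "$1/sub/run.sh")"
}

# Create a file under the given umask and print its mode: 0022 gives
# rw-r--r--, 0077 gives rw-------, matching the article's subtraction.
mode_under_umask() {  # $1 = umask, $2 = directory, $3 = file name
    ( umask "$1"; : > "$2/$3"; mode_of "$2/$3" )
}

cleanup() {  # give ourselves x back first, otherwise rm cannot descend
    chmod -R u+rwx "$1" 2>/dev/null || true
    rm -rf "$1"
}
```

Run make_tree, call the three check functions on the directory it prints, and finish with cleanup; strip_x_recursive should come last because it takes the directory's x bit away.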
