File Attributes & Permissions


Module 8
More File Operations & File Permissions

"Distrust and caution are the parents of security" - Benjamin Franklin

Learning Objectives

By the end of this module, you should be able to:

  • Get an overview of users and groups
  • Understand file permissions and directory permissions
  • Modify file and directory permissions
  • Change the owner and group of a file
  • Modify the default permissions for files and directories

1. Introduction

In the previous module we discussed the Linux file system structure and some basic operations performed on files and directories. In this module we continue our discussion of files and their attributes, such as security permissions, owners and date of modification. Because Linux is a server operating system, file permissions provide a way to secure the data of one user from other users and user groups by means of access control. In this module we will discuss the permissions provided by the OS, ways to modify them, and some other file attributes. Let us begin our discussion with the security of a Linux system.

2. Overview of Users and Groups

Linux is a network operating system; file security is the first level of security provided by the operating system. Let us first understand the concept of users and groups in a Linux system. In Linux, everyone who can log in is considered a user. Let us imagine that each student is provided a log-in account. Linux identifies each user by a unique user-id (UID). A special user called the super-user is considered the administrator of the operating system. The super-user has more privileges than any normal user. Users can be combined to form a group. We can also imagine that a class of students belongs to a common group. There can be different groups like staff, faculty, and students. Each group can contain one or more users. The advantage of grouping users is that we can enforce a common security rule applicable to all the users within a group.
For example, we can easily disable all the users of the students group when the semester is over. Each group is uniquely identified by a group-id (GID). A user may belong to multiple groups at a time. If a user is not assigned to any group then the system creates a group with the same name as user-id. We will explore the commands to create users and groups in future modules. A schematic diagram illustrating the relationship between users and groups is shown in Figure 1.

Figure 1: Linux Users and Groups

In Linux, the groups command displays the group of a specified user. Similarly, the id command displays the user-id and group-id of the user.

Usage: groups <user_name>

The above snapshot illustrates that a user Demo belongs to Group1.

Note:
1) The details of all users existing in the system are stored in the file /etc/passwd. To see the details, type the command more /etc/passwd. The format of the file is:
   Username:Encrypted Password:UID:GID:User Info:Home Directory:Default Shell
2) The details of all groups existing in the system are stored in the file /etc/group.

3. File and Directory Security

Linux provides three levels of security to all the users. The permissions required by a user are:

  • Login permission, by providing username and password
  • Directory access permissions, to enter his default working directory
  • File permissions, to perform various operations on a file such as reading a file, appending to a file or executing a file

There are 3 basic permissions required to perform any operation on a file or a directory. The permissions are read, write and execute, which can be enforced on individual users (owners of the file/directory), groups of users and all other users. We can give read/write/execute permission, or a combination of these permissions, to a file or a directory. Figure 2 illustrates the permissions triplet.

Figure 2: Users and Permissions

The system uses specific symbolic codes to denote permissions, operations and on whom the permissions are applied.
The list of symbolic codes is illustrated in Table 1.

Symbol  Purpose           Description
r       Permission        Read permission
w       Permission        Write permission
x       Permission        Execute permission
u       User              Apply permissions to user/owner
g       Group             Apply permissions to group
o       Others            Apply permissions to others
a       All               Apply permissions to users (u), groups (g) and others (o)
+       Add operation     Add permissions
-       Remove operation  Remove permissions
=       Assign operation  Assign permissions

Table 1: Symbolic Codes

In Linux, a long directory listing shows 10 characters for each entry. The first character shows the file type. The next 9 characters are permissions, consisting of three groups: owner, group, others. Each group consists of three symbols, rwx (in that order); if a permission is denied, a dash "-" is used instead.

Example:
-rwxr-xr-x
0123456789

The system maintains a data structure called the file access control list (FACL) to identify the permissions of files and directories. Nine bits are reserved to indicate the "rwx" permissions for any file or directory. In Linux, the getfacl command displays the access permissions of any file.

Usage: getfacl <file_name>

The above snapshot illustrates the use of the getfacl command. The access control list is used to determine the access permissions of any object such as a file or a directory. When a user makes a request to perform some operation on a file or a directory, the system internally checks the FACL; if the request made by the user is valid, the user is given permission to perform the corresponding operation.

File Permissions:

File permissions can be granted to the owner, the group and all others. The three basic permissions of a file are read, write and execute. The r (read) permission means we can see the contents of that file, including opening the file with an application such as the vi editor. It also allows copying a file. The w (write) permission means that we can make changes to the file.
If we do not have the write permission to a file when opening it in vi, the file will be opened as read-only. If we make changes to it, we will have to save the file using a new name. A file with write permissions can be deleted. If we have write permission to a file but do not have read permission, we will not be able to open that file with a text editor such as vi. Instead, we will get an access denied error message. The x (execute) permission means we can run (execute) that file by typing its name at a command prompt. In most cases, programs, utilities and scripts have execute permission. If we try to execute a text file, we will get an error message. The absence of any permission is represented by a '-'. Table 2 summarizes the file access permissions.

Symbol  Description
r       Open and read a file
w       Add contents to a file, modify the contents of the file
x       Execute/run a file if it is a program
-       Permission is not granted

Table 2: File Permissions and Related Operations

The snapshot shown below illustrates file permissions. There are 5 text files in the directory "MyDir". file1.txt is granted all permissions to owner, group and others, whereas file2.txt is granted all permissions to owner and group. file5.txt is granted all the permissions to the owner but only read and execute permissions to group.

Directory Permissions:

Directory permissions are similar to file permissions except that they are applied to directories rather than files. The r (read) permission allows listing the files in a given directory, that is, seeing the contents of the directory. If we do not want someone else to see the contents of a directory, we can remove the read permission from that directory. The w (write) permission allows adding or deleting entries in a directory. This allows us to create, delete or copy a file in that directory. We can also create or delete sub-directories within that directory.
The x (execute) permission makes it permissible to navigate into that directory. The cd command will allow us to move to a directory with execute permission. Table 3 summarizes the directory access permissions.

Symbol  Description
r       Browse the directory and list the files of a directory
w       Create or delete directories, files or links in a directory
x       Navigate into the directory
-       Permission is not granted

Table 3: Directory Permissions and Related Operations

4. Modifying File Permissions (chmod)

In the previous sections we discussed the permissions associated with files and directories. Users can change these permissions. The system creates files and directories with some default permissions; if a user wants to modify the permissions, it can be done using the chmod command. There are two ways to use the chmod command:

1) Symbolic Codes (generally used to modify existing permissions)
2) Octal Notations (generally used to assign new permissions by removing the previous)

chmod using Symbolic Codes:

The symbolic codes are listed in Table 1; operators are used to modify the permissions. The assignment operator (=) is used to set any permission, the plus sign (+) is used to add permissions, and the minus sign (-) is used to remove permissions. When the +/- operators are used, the previous permissions are preserved. The syntax of the chmod command is:

Usage: chmod -options modes <file/directory>

Some of the widely used options are as follows:

-f  Do not display a diagnostic message if chmod could not modify the mode for a file or directory.
-R  Recursively change the permissions of directories and their contents.
-v  Cause chmod to be verbose, showing filenames as the mode is modified.
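
The difference between the +, - and = operators described above, shown on a scratch file. This is an added example, not part of the original module; the helper name mode_after is hypothetical, and GNU stat with its -c option is assumed.

```shell
#!/bin/sh
# Added example: apply one symbolic chmod to a scratch file and report
# the resulting mode, so the effect of +, - and = can be compared.

# mode_after START SYMBOLIC
#   START    - starting permissions in octal notation (e.g. 644)
#   SYMBOLIC - symbolic change built from Table 1 codes (e.g. g+w)
# Prints "<octal> <10-character listing string>", e.g. "664 -rw-rw-r--".
mode_after() {
    start=$1
    symbolic=$2
    f=$(mktemp) || return 1
    chmod "$start" "$f"                 # known starting point
    chmod "$symbolic" "$f"              # the change under test
    result=$(stat -c '%a %A' "$f")      # GNU stat: octal and rwx string
    rm -f "$f"
    printf '%s\n' "$result"
}

# "+" adds only the named bit; all previous permissions are preserved.
mode_after 644 g+w              # 664 -rw-rw-r--

# "-" removes only the named bits; owner and group keep what they had.
mode_after 777 o-rwx            # 770 -rwxrwx---

# "=" assigns exactly the listed bits to the named classes, so group and
# others lose w and x here even though they had them before.
mode_after 777 go=r             # 744 -rwxr--r--

# Several clauses can be combined with commas. An empty right-hand side
# ("o=") clears every bit for that class. The result matches what the
# octal notation 750 would assign.
mode_after 666 u=rwx,g=rx,o=    # 750 -rwxr-x---
```

Reading the second column against the first ties the octal notation to the nine permission characters of a long listing: each octal digit is one rwx triplet for owner, group and others.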
