
Command Line: Access Control
LINUXUSER

chmod, chgrp, and chown

ACCESS GRANTED!

A sophisticated system of users and permissions precisely controls who has access to what on Linux. At the command line, you define ownership and permissions with the chmod, chgrp, and chown tools. BY HEIKE JURZIK

WWW.LINUX-MAGAZINE.COM ISSUE 78 MAY 2007

Granular access privileges for files and directories are what make Linux a safe operating system. A precise definition of who is permitted to read or modify data, or to execute specific programs, provides excellent protection against prying eyes and against intentional misconfiguration.

The administrator, root, is subject to no restrictions, and this includes assigning read, write, and execute permissions to other users throughout the system. If you are the owner of a file or directory, you can grant other accounts access to it. If you are also a member of a specific group, you can hand files and folders over to that group for more granular permission assignments.

Rights and Obligations

For every file (and thus for directories, device files, and so on), Linux precisely defines who is permitted to read, write, and execute that file. Additionally, every file belongs to a user and to a group. The three permissions are assigned separately for three categories of user: the owner, the members of the file's group, and everybody else (users who are neither the owner nor a member of the group):

• Read permission: Users can display the content of a file or folder on screen, copy the file, and do a few other things.
• Write permission: Users can change files and directories and store their changes. For a directory, write permission also covers creating and deleting entries in it.
• Execute permission: For programs, execute permission means that the user is permitted to run the program. Execute for a directory means that the user is permitted to change to the directory (the user will additionally need read permission to be able to view the folder content).

Table 1: Permissions Overview

Octal number   Letters
0              ---
1              --x
2              -w-
3 (= 2+1)      -wx
4              r--
5 (= 4+1)      r-x
6 (= 4+2)      rw-
7 (= 4+2+1)    rwx

Discover Permissions

To discover the permissions for a file, you can either switch to a detailed folder view in a graphical file manager like Konqueror or Nautilus, or you can simply set the -l flag for the ls command. In both cases, permissions are indicated by the letters r (for "read"), w (for "write"), and x (for "execute"). The first block of three shows the permissions for the owner, the second block refers to the group, and the third block refers to all other users. Folders are indicated by a d (for "directory") at the start of the list (see Figure 1).

Figure 1: Most file managers provide an option for viewing file permissions.

Special Permissions

Linux also has two special permissions: the s bit (also known as the setuid/setgid bit) and the t bit (also known as the sticky bit). Both replace the x in the rwx block of three. The s is commonly seen with executable files, whereas the t bit is more common with directories.

As the name setuid/setgid bit (set user ID and set group ID, respectively) suggests, this bit executes a program with the permissions of the file's owner or group, no matter who runs the program. In this way, nonprivileged users can access resources they would not normally be able to access.

Although this is a potential security risk (a bug in a setuid root program runs with root's privileges, so keep the set of such programs on a system small and known), the s bit has its uses. Many programs, including su, sudo, mount, or passwd in the following example, rely on the s bit:

$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 27132 Jul 11 20:06 /usr/bin/passwd*

The passwd program modifies passwords, accessing the /etc/shadow file in the process to enter the new password. By default, the file is protected against write access by nonprivileged users and reserved for use by the administrator, to prevent just anybody from manipulating the passwords. The s bit executes the passwd program as the root user, which enters the new password in /etc/shadow on behalf of root.

The other special permission, the t bit, commonly occurs in shared directories (read, write, and execute permissions for all) in place of the execute flag, to ensure that users are only allowed to delete or rename their own entries. The sticky bit is also typically set for /tmp, as seen here:

$ ls -ld /tmp
drwxrwxrwt 16 root root 4096 Jan 28 19:51 /tmp/

The /tmp folder stores temporary files for multiple users. If everybody had the right to read, write, and execute in this directory without further restriction, anybody would be able to "clean up" the system and delete other users' data. The t bit prevents this, ensuring that users can only delete or rename the files they own, regardless of the permissions set on the files themselves. The exceptions to this rule are the owner of the folder with the sticky bit and root, who are also allowed to delete anything within that folder.

Modifying Permissions

The chmod program lets you modify file and directory permissions, assuming you are the owner or the system administrator, and understands two different kinds of command.

In one mode, you use letters to define permissions. In this case, u stands for "user" (owner), g for "group," and o for "others" (all other users); r stands for "read," w for "write," x for "execute," s for the setuid/setgid bit, and t for the sticky bit.

A combination of these letters with plus, minus, and equals signs tells chmod to add, remove, or assign, respectively, precisely these permissions. For example, to give a group read and write permissions for a file, you just type chmod g+rw file.

Removing permissions follows the same pattern: the chmod o-rwx file command removes all permissions for all users who are neither the owner nor members of the owner group.

You are also able to combine these two commands like this:

chmod g+rw,o-rwx file
As mentioned previously, an equals sign lets you assign precisely the permissions specified at the command line. For example, the command:

chmod ugo=rwx directory

gives the owner, group members, and all other users read, write, and execute permissions for the directory in question.

Tip: Instead of ugo, you could simply say a for "all" with chmod.

GLOSSARY

Octal numbers: The octal system uses base 8; that is, it has just eight digits, 0 through 7. The next number after 7 is 10, 20 follows 17, and so on. Every digit in an octal number is represented by three bits; in the case of permissions, the three bits specify what a user class is allowed to do [1].

The chmod program also understands numbers. When you run the tool, you can pass in three- or four-digit octal numbers instead of letters. You calculate the numbers as follows: 4 stands for read permission, 2 for write permission, and 1 for execute permission, and you add up the values for each user class. The first number refers to the owner, the second number to the group, and the third to all others.

On this basis, you can see that, for example, 644 would mean u=rw,go=r (resulting in rw-r--r--), or 777 would be a=rwx (resulting in rwxrwxrwx). The "Permissions Overview" table provides more details.

To set the s or t bit, you add this as a fourth number at the start of the block of three. The number 4 represents the s bit for the owner (setuid), 2 sets the s bit for the group (setgid), and 1 sets the t bit. Listing 1 gives an example.
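The conversion between the letter form that ls -l prints and the octal form that chmod accepts, including the fourth digit for the s and t bits, is easy to get wrong by hand. The following script is an added example, not code from the article: it implements both directions of Table 1 (an uppercase S or T in the ls output means the special bit is set without the underlying execute bit) and, when run with --demo, sets 4755 and 1777 on scratch objects and cross-checks the conversion against what GNU stat reports. The function names and the scratch paths are the example's own; the demo assumes GNU coreutils (stat -c).

```sh
#!/bin/sh
# Added example: convert between ls -l permission strings and octal modes.
# Function names (perm_to_octal, triplet, octal_to_perm) are this example's own.

# perm_to_octal STRING: "rwsr-xr-x", or the full first ls -l field such as
# "-rwsr-xr-x" (a trailing '.' or '+' marker is tolerated) -> e.g. 4755.
perm_to_octal() {
    p=$1
    # Drop the leading file-type character (and any trailing marker) of a full field.
    [ ${#p} -ge 10 ] && p=$(printf '%s' "$p" | cut -c2-10)
    [ ${#p} -eq 9 ] || return 1
    special=0
    digits=""
    i=0
    for who in u g o; do
        tri=$(printf '%s' "$p" | cut -c$((i * 3 + 1))-$((i * 3 + 3)))
        v=0
        case $tri in r??) v=$((v + 4)) ;; esac
        case $tri in ?w?) v=$((v + 2)) ;; esac
        case $tri in ??[xst]) v=$((v + 1)) ;; esac   # lowercase s/t imply x
        # Uppercase S/T: special bit set, execute bit clear.
        case $who$tri in
            u??[sS]) special=$((special + 4)) ;;   # setuid
            g??[sS]) special=$((special + 2)) ;;   # setgid
            o??[tT]) special=$((special + 1)) ;;   # sticky
        esac
        digits="$digits$v"
        i=$((i + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# triplet DIGIT SPECIAL LETTER: one rwx group; SPECIAL != 0 puts LETTER
# (s or t) in the x position, uppercase when the execute bit is clear.
triplet() {
    d=$1
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    if [ "$2" -ne 0 ]; then
        if [ "$x" = x ]; then x=$3; else case $3 in s) x=S ;; t) x=T ;; esac; fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_perm MODE: 644 or 4755 -> "rw-r--r--" or "rwsr-xr-x".
octal_to_perm() {
    m=$1
    [ ${#m} -eq 3 ] && m=0$m
    [ ${#m} -eq 4 ] || return 1
    sp=$(printf '%s' "$m" | cut -c1)
    printf '%s%s%s\n' \
        "$(triplet "$(printf '%s' "$m" | cut -c2)" $((sp & 4)) s)" \
        "$(triplet "$(printf '%s' "$m" | cut -c3)" $((sp & 2)) s)" \
        "$(triplet "$(printf '%s' "$m" | cut -c4)" $((sp & 1)) t)"
}

# Demo: set the modes from the article on scratch objects, read them back with
# ls -ld, convert, and compare with GNU stat (assumes GNU coreutils).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    : > "$tmp/prog";     chmod 4755 "$tmp/prog"     # setuid executable, like passwd
    mkdir "$tmp/shared"; chmod 1777 "$tmp/shared"   # world-writable with sticky bit, like /tmp
    for f in "$tmp/prog" "$tmp/shared"; do
        field=$(ls -ld "$f" | cut -d' ' -f1)
        printf '%-12s -> %s (stat says %s)\n' "$field" \
            "$(perm_to_octal "$field")" "$(stat -c %a "$f")"
    done
    rm -rf "$tmp"
fi
```

Run the file with --demo to see the round trip against real inodes; setting 4755 on your own scratch file as a normal user is allowed, though the setuid bit has no effect there. The same -perm test that find offers is handy for the caveat above: find / -perm -4000 -type f lists every setuid file on the system.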
Changing Group Memberships

As a "normal" user, you are allowed to

Let's imagine you just set up a new account called mike, and you've set up a home directory for Mike and copied critical configuration files from /etc/skel. Your last step would be to give Mike the permissions he needs to set up shop and use his home directory and the subdirectories below it.

The following command hands over the home directory and all the files in it (including the hidden configuration files) to the user mike:

chown -R mike /home/mike

The -R option used here tells chown to act recursively (this will be explained more later). It is also useful to be able to define a new group owner for the data at the same time:

chown -R mike:mike /home/mike

In other words, you just append the group name (some distributions have a default group called users, whereas other distributions use the account name as

If you want to change the permissions of the files in a directory tree but not of the directories themselves (for instance, to remove execute permission from data files while the directories keep it, as they must for you to enter them), the use of find can help:

find directory -type f -exec chmod a-x "{}" ";"

The find command first discovers the regular files (-type f) and then runs chmod against each of them, leaving the directories alone.

From the Beginning

The umask specifies the default permissions assigned to newly created files and directories. Typing the umask command without any parameters reveals the current setting:

$ umask
0022

What you see here is a four-digit octal number that specifies which permission bits to clear from the default values (0666 for files, 0777 for directories). The mask is applied bit by bit rather than subtracted. In other words, with a umask of 0022, new files are assigned 0644 (rw-r--r--) and new folders 0755 (rwxr-xr-x) when they are created.
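Both of the last two sections can be exercised in a scratch directory. The following script is an added example, not code from the article: it builds a small tree, applies the find -type f ... chmod a-x approach and verifies that the data files lost their execute bit while every directory can still be entered; it also computes what a given umask produces (as a bit mask, not a subtraction, which matters for masks such as 027) and creates a file and a directory under that umask so you can compare. The function names and the tree layout are the example's own; created_modes assumes GNU coreutils (stat -c).

```sh
#!/bin/sh
# Added example: per-file chmod via find, and umask arithmetic checked against
# real files. Function names and the tree layout are this example's own.

# mode_after_umask BASE MASK: the mode a new file (BASE 0666) or directory
# (BASE 0777) receives under MASK. The mask clears bits; 0666 under 0027 is
# 0640, not the 0637 that plain subtraction would suggest.
mode_after_umask() {
    printf '%04o\n' $(( $1 & ~$2 ))
}

# created_modes MASK: create a file and a directory under MASK and return the
# modes the kernel actually assigned, e.g. "640 750" (assumes GNU stat).
created_modes() {
    base=$(mktemp -d)
    ( umask "$1"; : > "$base/file"; mkdir "$base/dir" )
    printf '%s %s\n' "$(stat -c %a "$base/file")" "$(stat -c %a "$base/dir")"
    rm -rf "$base"
}

# make_tree DIR: a constructed sample tree with one executable (bin/tool)
# and two data files that mistakenly carry no special role.
make_tree() {
    mkdir -p "$1/bin" "$1/docs/sub"
    printf '#!/bin/sh\necho tool\n' > "$1/bin/tool"
    : > "$1/docs/notes.txt"
    : > "$1/docs/sub/README"
    chmod 755 "$1/bin/tool"                      # the only executable file
    chmod 644 "$1/docs/notes.txt" "$1/docs/sub/README"
    chmod 755 "$1" "$1/bin" "$1/docs" "$1/docs/sub"
}

# strip_exec_from_files DIR: the article's find approach; "{} +" runs one chmod
# for many files instead of one process per file as "{}" ";" does.
strip_exec_from_files() {
    find "$1" -type f -exec chmod a-x {} +
}

# count_exec_files DIR: regular files below DIR with any execute bit set.
count_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | wc -l | tr -d ' '
}

# count_enterable_dirs DIR: directories (DIR included) whose owner can enter them.
count_enterable_dirs() {
    find "$1" -type d -perm -100 | wc -l | tr -d ' '
}

# run_check: returns "EXEC_FILES_BEFORE EXEC_FILES_AFTER ENTERABLE_DIRS_AFTER".
# Expected for the sample tree: "1 0 4" (tree, bin, docs, docs/sub stay enterable).
run_check() {
    base=$(mktemp -d)
    make_tree "$base/tree"
    before=$(count_exec_files "$base/tree")
    strip_exec_from_files "$base/tree"
    printf '%s %s %s\n' "$before" \
        "$(count_exec_files "$base/tree")" "$(count_enterable_dirs "$base/tree")"
    rm -rf "$base"
}

if [ "${1:-}" = "--demo" ]; then
    echo "find/chmod check (before after dirs): $(run_check)"
    for mask in 0022 0027 0077; do
        echo "umask $mask: file $(mode_after_umask 0666 "$mask"), dir $(mode_after_umask 0777 "$mask"), created: $(created_modes "$mask")"
    done
fi
```

A umask of 0027 or 0077 is the usual hardening choice for service accounts, because it keeps new files from being group- or world-readable by default; the script shows that the directory mode under 0027 is 0750, which is exactly the enter-but-not-modify combination from the execute-permission bullet earlier.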