Linux administration

Use File Permissions to Control Access to Files

Nguyen Hai Chau
Vietnam National University

Basic Concepts: Permissions on Files

  • Three types of permissions on files, each denoted by a letter
  • A permission represents an action that can be done on the file:
Permission  Letter  Description
Read        r       Permission to read the data stored in the file
Write       w       Permission to write new data to the file, to truncate the file, or to overwrite existing data
Execute     x       Permission to attempt to execute the contents of the file as a program
  • Occasionally referred to as 'permission bits'
  • Note that for scripts, you need both execute permission and read permission
    • The script interpreter (which runs with your permissions) needs to be able to read the script from the file

Basic Concepts: Permissions on Directories

  • The r, w, x permissions also have a meaning for directories
  • The meanings for directories are slightly different:
Permission  Letter  Description
Read        r       Permission to get a listing of the directory
Write       w       Permission to create, delete, or rename files (or subdirectories) within the directory
Execute     x       Permission to change to the directory, or to use the directory as an intermediate part of a path to a file
  • The difference between read and execute on directories is subtle; having one but not the other is almost never what you want

Basic Concepts: Permissions for Different Groups of People

  • As well as having different types of permission, we can apply different sets of permissions to different sets of people
  • A file (or directory) has an owner and a group owner
  • The r, w, x permissions are specified separately for the owner, for the group owner, and for everyone else (the 'world')

Examining Permissions: ls -l

  • The ls -l command allows you to look at the permissions on a file:
$ ls -l
drwxr-x---  9 aaronc staff 4096 Oct 12 12:57 accounts
-rw-rw-r--  1 aaronc staff 11170 Dec 9 14:11 report.txt
  • The third and fourth columns are the owner and group-owner
  • The first column is the permissions:

    • One character for the file type: d for directories, - for plain files
    • Three characters of rwx permissions for the owner (or a dash if the permission isn't available)
    • Three characters of rwx permissions for the group owner
    • Three characters of rwx permissions for everyone else

Preserving Permissions When Copying Files

  • By default, the cp command makes no attempt to preserve permissions (and other attributes like timestamps)
  • You can use the -p option to preserve permissions and timestamps:
$ cp -p important.txt important.txt.orig
  • Alternatively, the -a option preserves all information possible, including permissions and timestamps

How Permissions are Applied

  • If you own a file, the per-owner permissions apply to you
  • Otherwise, if you are in the group that group-owns the file, the per-group permissions apply to you
  • If neither of those is the case, the for-everyone-else permissions apply to you
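
The three rules above select exactly one class; they are not combined. The following sketch is an added example, not part of the original slides: the function name applicable_perms and the uid/gid numbers are constructed, and the superuser is not modelled.

```shell
# applicable_perms MODE FILE_UID FILE_GID USER_UID "USER_GIDS"
# Prints the rwx triplet that applies to the user: owner first,
# otherwise group, otherwise everyone else. Only one class is used.
applicable_perms() {
    mode=$((0$1))                      # read MODE as octal, e.g. 604
    file_uid=$2; file_gid=$3; user_uid=$4; user_gids=$5

    if [ "$user_uid" -eq "$file_uid" ]; then
        bits=$(( (mode >> 6) & 7 ))    # per-owner permissions
    else
        bits=$(( mode & 7 ))           # for-everyone-else, unless a group matches
        for g in $user_gids; do
            if [ "$g" -eq "$file_gid" ]; then
                bits=$(( (mode >> 3) & 7 ))   # per-group permissions
                break
            fi
        done
    fi

    out=""
    [ $((bits & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((bits & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    [ $((bits & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    printf '%s\n' "$out"
}

# Constructed case: a file with mode 604 owned by uid 1000, group 50.
applicable_perms 604 1000 50 1000 "1000"      # the owner: rw-
applicable_perms 604 1000 50 1001 "1001 50"   # a member of group 50: ---
applicable_perms 604 1000 50 1002 "1002"      # anyone else: r--
```

The group member is denied even though everyone else may read, because the group class matched first.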

Changing File and Directory Permissions: chmod

  • The chmod command changes the permissions of a file or directory
    • A file's permissions may be changed only by its owner or by the superuser
  • chmod takes an argument describing the new permissions
    • Can be specified in many flexible (but correspondingly complex) ways
  • Simple example:
$ chmod a+x new-program

adds (+) executable permission (x) for all users (a) on the file new-program

Specifying Permissions for chmod

  • Permissions can be set using letters in the following format: [ugoa][+=-][rwxX]
  • The first letters indicate who to set permissions for:
    • u for the file's owner, g for the group owner, o for other users, or a for all users
  • = sets permissions exactly as given, + adds permissions to those already set, and - removes permissions
  • The final letters indicate which of the r, w, x permissions to set
    • Or use capital X to set the x permission, but only for directories and already-executable files

Changing the Permissions of a Directory and Its Contents

  • A common requirement is to change the permissions of a directory and its contents
  • chmod accepts a -R option:
$ chmod -R g+rwX,o+rX public-directory
  • Mnemonic: 'recursive'
  • Adds rwx permissions on public-directory for the group owner, and adds rx permissions on it for everyone else
    • And any subdirectories, recursively
    • And any contained executable files
    • Contained non-executable files have rw permissions added for the group owner, and r permission for everyone else

Special Directory Permissions: 'Sticky'

  • The /tmp directory must be world-writable, so that anyone may create temporary files within it
  • But that would normally mean that anyone may delete any files within it — obviously a security hole

  • A directory may have 'sticky' permission:

    • Only a file's owner may delete it from a sticky directory
  • Expressed with a t (mnemonic: temporary directory) in a listing:

$ ls -l -d /tmp
drwxrwxrwt  30 root root    11264 Dec 21 09:35 /tmp
  • Enable 'sticky' permission with:
# chmod +t /data/tmp

Special Directory Permissions: Setgid

  • If a directory is setgid ('set group-id'), files created within it acquire the group ownership of the directory
    • And directories created within it acquire both the group ownership and setgid permission
  • Useful for a shared directory where all users working on its files are in a given group
  • Expressed with an s in 'group' position in a listing:
$ ls -l -d /data/projects
drwxrwsr-x  16 root staff 4096 Oct 19 13:14 /data/projects
  • Enable setgid with:
# chmod g+s /data/projects

Special File Permissions: Setgid

  • Setgid permission may also be applied to executable files
  • A process run from a setgid file acquires the group id of the file
  • Note: Linux doesn't directly allow scripts to be setgid — only compiled programs
  • Useful if you want a program to be able to (for example) edit some files that have a given group owner

    • Without letting individual users access those files directly

Special File Permissions: Setuid

  • Files may also have a setuid ('set user-id') permission
  • Equivalent to setgid: a process run from a setuid file acquires the user id of the file
  • As with setgid, Linux doesn't allow scripts to be setuid
  • Expressed with an s in 'user' position in a listing:
$ ls -l /usr/bin/passwd
-r-s--x--x  1 root root 12244 Feb 7 2000 /usr/bin/passwd
  • Enable setuid with:
# chmod u+s /usr/local/bin/program
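
An audit pass for the special permissions described in the last four sections, as an added example that is not part of the original slides. The function names audit_perms and demo_audit and the file names in the test tree are constructed.

```shell
# audit_perms DIR: list entries under DIR that deserve a review.
audit_perms() {
    dir=$1
    # Setuid and setgid files: processes run from them acquire the
    # user id or group id of the file.
    find "$dir" -type f -perm -4000 | sed 's/^/setuid /'
    find "$dir" -type f -perm -2000 | sed 's/^/setgid /'
    # World-writable directories without the sticky bit: anyone may
    # delete any file inside them.
    find "$dir" -type d -perm -0002 ! -perm -1000 |
        sed 's/^/world-writable-no-sticky /'
}

# Build a small constructed tree in a temporary directory and audit it.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir "$tmp/scratch" "$tmp/shared-tmp"
    chmod 0777 "$tmp/scratch"        # world-writable, no sticky bit
    chmod 1777 "$tmp/shared-tmp"     # world-writable with sticky bit, like /tmp
    : > "$tmp/helper"; chmod 4755 "$tmp/helper"   # setuid file
    : > "$tmp/plain";  chmod 0644 "$tmp/plain"    # ordinary file
    audit_perms "$tmp" | sed "s|$tmp/||" | LC_ALL=C sort
    rm -rf "$tmp"
}

demo_audit
```

Only helper and scratch are reported; shared-tmp passes because its sticky bit is set.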

Displaying Unusual Permissions

  • Use ls -l to display file permissions
    • Setuid and Setgid permissions are shown by an s in the user and group execute positions
    • The sticky bit is shown by a t in the 'other' execute position
  • The letters s and t cover up the execute bits
    • But you can still tell whether the execute bits are set
    • Lowercase s or t indicates that execute is enabled (i.e., there is an x behind the letter)
    • Uppercase S or T indicates that execute is disabled (there is a - behind the letter)

Permissions as Numbers

  • Sometimes you will find numbers referring to sets of permissions
  • Calculate the number by adding one or more of the following together:
Value  Meaning              Value  Meaning
4000   Setuid               40     Readable by group owner
2000   Setgid               20     Writable by group owner
1000   'Sticky'             10     Executable by group owner
400    Readable by owner    4      Readable by anyone
200    Writable by owner    2      Writable by anyone
100    Executable by owner  1      Executable by anyone

Permissions as Numbers

  • You may use numerical permissions with chmod:
$ chmod 664 *.txt

is equivalent to:

$ chmod ug=rw,o=r *.txt
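
A decoder from the numeric form to the nine permission characters of ls -l, including the s/S and t/T rules from 'Displaying Unusual Permissions'. This is an added example, not part of the original slides, and the function name mode_to_string is constructed.

```shell
# mode_to_string MODE: print the nine permission characters for an
# octal mode, e.g. 4755 -> rwsr-xr-x.
mode_to_string() {
    mode=$((0$1))                      # read MODE as octal
    out=""
    for pos in 6 3 0; do               # owner, group owner, everyone else
        bits=$(( (mode >> pos) & 7 ))
        case $pos in
            6) special=$(( mode & 04000 )); on=s; off=S ;;   # setuid
            3) special=$(( mode & 02000 )); on=s; off=S ;;   # setgid
            0) special=$(( mode & 01000 )); on=t; off=T ;;   # sticky
        esac
        [ $((bits & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((bits & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        if [ "$special" -ne 0 ]; then
            # The special letter covers the execute position: lowercase
            # when execute is set, uppercase when it is not.
            [ $((bits & 1)) -ne 0 ] && out="${out}$on" || out="${out}$off"
        else
            [ $((bits & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
        fi
    done
    printf '%s\n' "$out"
}

mode_to_string 664     # the chmod 664 example: rw-rw-r--
mode_to_string 1777    # the /tmp listing: rwxrwxrwt
mode_to_string 2775    # the /data/projects listing: rwxrwsr-x
mode_to_string 4511    # the /usr/bin/passwd listing: r-s--x--x
mode_to_string 4644    # setuid without owner execute: rwSr--r--
```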

Default Permissions: umask

  • The umask command allows you to affect the default permissions on files and directories you create:
$ umask 002
  • The argument is calculated by adding together the numeric values for the rwx permissions you don't want on new files and directories
    • This example has just 2 — avoid world-writable, but turn everything else on
  • Other common umask values:
    • 022 — avoid world- and group-writable, allow everything else
    • 027 — avoid group-writable, and allow no permissions for anyone else
  • You normally want to put a call to umask in your shell's startup file
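
The effect of the umask values above on a newly created file and directory, as an added example that is not part of the original slides; the function name perms_under_umask is constructed. The shell requests rw for everyone (666) on a new file and mkdir requests rwx for everyone (777) on a new directory, and the umask removes bits from that request, so a new file does not become executable whatever the umask.

```shell
# perms_under_umask MASK: create one file and one directory under MASK
# and print the first column of ls -l for each.
# The body runs in a subshell, so the caller's umask is left unchanged.
perms_under_umask() (
    tmp=$(mktemp -d)
    umask "$1"
    : > "$tmp/file"                    # shell redirection requests mode 666
    mkdir "$tmp/dir"                   # mkdir requests mode 777
    f=$(ls -ld "$tmp/file" | cut -c1-10)
    d=$(ls -ld "$tmp/dir" | cut -c1-10)
    rm -rf "$tmp"
    printf '%s %s\n' "$f" "$d"
)

for mask in 002 022 027; do
    printf '%s: %s\n' "$mask" "$(perms_under_umask "$mask")"
done
```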

Exercise

  • a. Find out what permissions are set on your home directory (as a normal user). Can other users access files inside it?
  • b. If your home directory is only accessible to you, then change the permissions to allow other people to read files inside it, otherwise change it so that they can't.
  • c. Check the permissions on /bin and /bin/ls and satisfy yourself that they are reasonable.
  • d. Check the permissions available on /etc/passwd and /etc/shadow.
  • e. Write one command which would allow people to browse through your home directory and any subdirectories inside it and read all the files.