- How to manage Linux permissions for users, groups, and others
- Linux security
- Setting up a playground
- How do I create directories and files?
- How do I manage ownership and groups?
- How do I manage permissions?
- How do I use absolute mode?
- More Linux resources
- How do I use symbolic mode?
- Special permissions and Access Control Lists
- Wrap up
- Understanding Basic File Permissions and ownership in Linux
- Viewing Permissions
- Permission Groups
- Permission Set
- File Ownership
- Default Group Ownership
- File and Directory Permissions
- Changing File Permissions
How to manage Linux permissions for users, groups, and others
Photo by Min An from Pexels
Managing access to resources is a fundamental task for sysadmins. This responsibility consists of three components: identities, resources, and permissions. This article covers several user, group, and file management commands to control access to resources. The article uses a «How do I…?» format, and it assumes you have a few resources to work with. Specifically, I cover the following topics:
- Creating directories and files
- Managing ownership and associated groups
- Setting permissions with absolute and symbolic modes
Linux security
Setting up a playground
I’ve been in IT for about 25 years, and most of that time was spent as a technical trainer. That means that the things that I write are usually structured as some sort of lab or other hands-on opportunity. It’s just how I cover material. With that in mind, I’ll assume you have a couple of identities and resources to experiment with as you read the rest of the article. You can use the following commands to set up a playground. It’s best to do this on a virtual machine rather than your personal Linux box, but these tasks are relatively harmless.
Create two new users and two new groups to work with. Note that you do not need to configure passwords for the users in this exercise, as you won’t log on with those accounts.
Note: You would use the passwd user01 command to set the user’s password.
In your home directory, create a new directory named playground :
Change into the
/playground directory by using the cd command. You are ready to work with the commands and concepts below.
When you’ve completed the article and learned the techniques I’ve covered, delete the two user accounts, the groups, and the playground directory. Use rm -fR /playground , userdel user01 , and groupdel groupA to remove the resources.
How do I create directories and files?
Use the mkdir command to create directories. The touch command is one of many ways to create files.
How do I create a directory named Resources ?
How do I create a directory path (a series of directories that don’t yet exist)?
Note: The goal here is to create the 2020data directory, but the given path’s data directory does not yet exist. The -p option creates parent directories as needed to complete the path.
How do I create a file named file1 ?
How do I create several files at once?
How do I manage ownership and groups?
In the playground directory, display the current owner and group associated with the Resources directory and the files.
How do I display permission, owners, and groups?
The ls -l command displays directory contents in long format. The long format contains both permissions and ownership. You can see that the user account that created the resources also owns those resources. The group association is also that user’s primary group.
How do I change the user/owner associated with file1 ?
How do I change the group associated with file1 ?
How do I change the owner and group at the same time for file2 ?
There is a specific chgrp command, but I prefer only to memorize one command ( chown ) and apply it to both functions (user and group associations) rather than chown for the user and then have to recall chgrp for the group.
So how do I use chgrp ?
How do I change the user/group for a directory and all of its contents?
The above task provides a recursive configuration. Technically, recursive commands are repeated on each specified object. Effectively, recursive means «this and everything in it.» In the above example, you are configuring the related user/group for the Resources directory and everything in it. Without the -R option, you would only affect the Resources directory itself, but not its contents.
How do I manage permissions?
The change mode or chmod command sets permissions. The syntax is straight-forward:
Here are two examples of manipulating permissions for file2 :
But wait! Those appear to be radically different examples (they’re not, actually). What are all those letters and numbers?
We need to discuss absolute mode and symbolic mode.
How do I use absolute mode?
Absolute mode is one of two ways of specifying permissions. I’ve seen this mode referred to as octal or numeric mode, but the term I learned was absolute. That term also makes the most sense to me because it’s an absolute statement of the desired permissions. I always told my students that this seemed like the most complex of the two modes but is actually the simplest. Usually, they agreed.
Each access level (read, write, execute) has an octal value:
| Access level | Octal value |
| Read | 4 |
| Write | 2 |
| Execute | 1 |
Each identity (user, group, others) has a position:
| Identity | Position |
| User | First or left-most |
| Group | Middle |
| Others | Last or right-most |
More Linux resources
The absolute mode syntax states the desired permissions from left to right.
How do I grant the user (owner) read, write, and execute, the group read-only, and all others no access to file2 by using absolute mode?
The three permissions values are associated with identities:
ugo
740
- The 7 is assigned to the user and is the sum of 4+2+1 or read+write+execute (full access)
- The 4 is assigned to the group and is the sum of 4+0+0 (read-only)
- The 0 is assigned to others and is the sum of 0+0+0 (no access)
In this example, the user has rwx, the group has r only, and all others have no access to file2 .
Let’s look at one more example.
How do I grant the user (owner) read and write, the group read-only, and all others read-only to file2 ?
- The user has 6 (read and write)
- The group has 4 (read-only)
- All others have 4 (read-only)
I find this easier because there are no calculations involved. I’m not concerned with adding or subtracting specific permissions based on the current settings. Instead, I say, «set the permissions to be this,» and that’s the end result I get. It’s an absolute statement.
How do I set permissions for the Resources directory and all of its contents by using absolute mode?
How do I use symbolic mode?
Symbolic mode uses more symbols, but the symbols are simpler to understand. That’s attractive to sysadmins that are new to standard Linux permissions.
Each access level has a symbol:
| Access level | Symbol |
| Read | r |
| Write | w |
| Execute | x |
Each identity has a symbol:
| Identity | Symbol |
| User | u |
| Group | g |
| Others | o |
There are also operators to manipulate the permissions:
| Task | Operator |
| Grant a level of access | + |
| Remove a level of access | — |
| Set a level of access | = |
The general chmod command syntax is the same:
Here is an example:
How do I remove the read permissions from others for file2 by using symbolic mode?
This example removes ( — ) the read ( r ) permission from others ( o ) for file2 .
Here’s another simple example:
How do I grant the read and write permissions to the group for file2 ?
This one gives ( + ) read and write ( rw ) to the group ( g ) for file2 .
How do I set permissions for a directory and all of its contents by using symbolic mode?
Special permissions and Access Control Lists
The above discussion covers standard Linux permissions—applying rwx to the user, group, and all others. Linux has far more flexibility, however. Special permissions permit users to run applications with other credentials, control the inheritance of group associations, and keep files from being changed accidentally. Check out this great article on special permissions.
Linux also has a way of enforcing different permissions for different users and groups. Access Control Lists (ACLs) permit sysadmins to define permissions for more than just one user and one group, which adds a great deal more flexibility to standard permissions. For example, user01 can be granted rw- to file1 , while user02 can be granted r— to file1 . Here is a great article on ACLs.
Wrap up
Creating resources, managing users, and setting permissions are fundamental tasks for Linux users. My goal was to provide a quick and easy guide based on common questions or tasks that we must all accomplish regularly. If you’re new to Linux, having a solid grasp of the eight commands discussed above will make your sysadmin life much easier.
Источник
Understanding Basic File Permissions and ownership in Linux
All files and directories in Linux have a standard set of access permissions. These access permissions control who can access what files, and provides a fundamental level of security to the files and directories in a system.
Viewing Permissions
To view the permissions for files and directories, use the ls -l or ls –n commands.
The first field of information displayed by the ls -l command is the file type. The file type typically specifies whether it is a file or a directory. A file is represented by a hyphen (-). A directory is represented by the letter d.
The remaining fields represent the permission groups: owner, group, and other.
Permission Groups
There are three permissions groups:
The table describes the permission groups and their scope:
| Permission | Description |
|---|---|
| Owner | Permissions used by the assigned owner of the file or directory |
| Group | Permissions used by members of the group that owns the file or directory |
| Other | Permissions used by all users other than the file owner, and members of the group that owns the file or the directory |
Permission Set
– Each permission group has three permissions, called a permission set.
– Each set consists of read, write, and execute permissions.
– Each file or directory has three permission sets for the three types of permission groups.
– The first permission set represents the owner permissions, the second set represents the group permissions, and the last set represents the other permissions.
– The read, write, and execute permissions are represented by the characters r, w, and x, respectively.
– The presence of any of these characters, such as r, indicates that the particular permission is granted.
– A dash (–) symbol in place of a character in a permission set indicates that a particular permission is denied.
– Linux assigns initial permissions automatically when a new file or directory is created.
| Permission | Access for a file | Access for a directory |
|---|---|---|
| Read (r) | You can display file contents and copy the file. | You can list the directory contents with the ls command. |
| Write (w) | You can modify the file contents. | You can modify the contents of a directory, such as by deleting a file. You must also have the execute permission for this to happen. |
| Execute (x) | You can execute the file if it is an executable. You can execute a shell script if you also have read and execute permissions. | You can use the cd command to access the directory. If you also have read access, you can run the ls -l command on the directory to list contents. If you do not have read access, you can run the ls command as long as you know the file name. |
File Ownership
Every file is owned by a specific user (or UID) and a specific group (or GID). The chown command can be used to change just the user, or the user and group of a file. Here is an example of changing the owner of file test to user and its group to user.
The basic format for the chown command is as follows:
A period (.) can be used in place of the colon (:) separator character. Also, either the user or group name can be omitted. If the username is omitted (but the separator character is present), then the chown command behaves like the chgrp command, and only the group ownership is changed. If the group name is omitted (but the separator character is present, then the group will be set to the login group of the specified user. If both the group name and the separator character are omitted, then only the username is changed. For example, to change only the owner you could run the following:
An alternate command to change only the group of a file is the chgrp command. For example:
The chgrp command is commonly used by normal users to change the group ownership of their files. The chown command is normally used only by the root user.
Default Group Ownership
Each user can be a member of many groups (listed in the /etc/group file under several groups). Only one group will be a user’s primary group (listed in the user’s entry in /etc/password). When a user creates a file, by default the file will be owned by the user’s primary group. If they want the file to be owned by one of their other groups, they must use the chgrp command to modify the group membership. For Example :
As shown above the newly created file (file) automatically gets the group as “user”.
File and Directory Permissions
Below is sample output from ls -l command; you can see from the first character of each line that dir1 and dir2 are directories (indicated by the d) and that file1 and file2 are a regular file (indicated by the –).
The next nine characters show the file’s permissions for user, group, and others (or everyone else) as shown below, with parentheses added for clarity:
Now the owner has read and write permissions (rw-), the group has read and write permissions (rw-), and everyone else has only read permissions (r–). This is called symbolic representation because letters such as r, w, and x, are used to indicate permissions.
Permissions can also be represented numerically:
Add each section so that the permissions of the file meta (from the example above) would be 664. Here is another way to look at how we come to that number:
Adding the numbers in each section results in permissions of 664.
Changing File Permissions
The chmod command is used to alter the permissions of a file. It may be used to add or remove permissions symbolically. For example, to add execute permissions for the owner of a file you would run:
Or, to add read and write permissions for the group that owns the file, you would run:
Instead of adding permissions, the symbolic syntax of chmod can also be used to subtract or set to some absolute value as shown in these examples:
The chmod command can also explicitly set permissions using a numerical representation. For example, to set permissions on a file to rwxrwxr–, you would run:
In addition to the standard read, write, and execute permissions, chmod can also set special permissions. These are the setuid bit, the setgid bit, and the sticky bit. The following examples show setting each of these special permissions along with brief descriptions of the effect of those permissions.
Adds the setuid bit so that, if executable, this file will execute with the permissions of its owner.
Adds the setgid bit so that, if executable, this file will execute with the permissions of its group. When this is set on a directory, all files created in the directory will have the same group as the directory.
Adds the sticky bit so that users can only delete files from this directory that they created.
Источник
