Introduction to File Permissions
File permissions in Linux control who can read, write, or execute a file. These permissions are critical for protecting data and ensuring that only authorized users can access or modify files. Each file and directory in a Linux system has an associated set of permissions.
Types of File Permissions
Linux file permissions are divided into three categories:
User (Owner): The user who owns the file.
Group: Users who are part of a group assigned to the file.
Others: All other users who have access to the system.
Each category has three types of permissions:
Read (r): Permission to read the file or list the directory.
Write (w): Permission to modify the file or the directory contents.
Execute (x): Permission to execute the file or access the directory.
Permissions are typically represented in a symbolic or octal notation. For example, rwxr-xr--
or 755
.
Changing File Permissions
To view and modify file permissions, we use commands like ls
, chmod
, chown
, and chgrp
.
Viewing Permissions
Use ls -l
to display file permissions:
$ ls -l
-rw-r--r-- 1 user group 1234 Jan 1 00:00 file.txt
Changing Permissions with chmod
The chmod
command modifies file permissions. It can use symbolic or numeric (octal) notation.
Symbolic Notation:
$ chmod u+x file.txt # Add execute permission for the owner
$ chmod g-w file.txt # Remove write permission for the group
$ chmod o=r file.txt # Set read-only permission for others
Octal Notation:
$ chmod 755 file.txt # rwxr-xr-x
$ chmod 644 file.txt # rw-r--r--
Changing Ownership with chown
The chown
command changes the file's owner and group.
$ chown user:group file.txt
File Permissions
Understanding File Permissions:
Create a simple file and run
ls -ltr
to see the details of the files. Refer to Notes.$ touch myfile.txt $ ls -ltr myfile.txt
Each of the three permissions are assigned to three defined categories of users. The categories are:
Owner: The owner of the file or application.
- Task: Use
chown
to change the ownership permission of a file or directory.
- Task: Use
$ sudo chown newowner myfile.txt
Group: The group that owns the file or application.
- Task: Use
chgrp
to change the group permission of a file or directory.
- Task: Use
$ sudo chgrp newgroup myfile.txt
Others: All users with access to the system (outside the users in a group).
- Task: Use
chmod
to change the other users' permissions of a file or directory.
- Task: Use
$ chmod o+w myfile.txt
Task: Change the user permissions of the file and note the changes after running
ls -ltr
.$ chmod u+x myfile.txt $ ls -ltr myfile.txt
Introduction to Access Control Lists (ACLs)
While traditional file permissions are sufficient for many use cases, they lack flexibility when you need to assign specific permissions to multiple users or groups. This is where Access Control Lists (ACLs) come in.
ACLs provide a more granular permission mechanism. They allow you to define different permissions for different users and groups on a single file or directory.
6. Using ACLs for Advanced Permissions
Viewing ACLs
Use the getfacl
command to view the ACLs of a file or directory:
$ getfacl file.txt
# file: file.txt
# owner: user
# group: group
user::rw-
user:anotheruser:rw-
group::r--
mask::rw-
other::r--
Modifying ACLs
The setfacl
command is used to set ACLs on files and directories.
Adding an ACL Entry:
$ setfacl -m u:anotheruser:rw file.txt # Give read and write permissions to 'anotheruser'
$ setfacl -m g:anothergroup:rx file.txt # Give read and execute permissions to 'anothergroup'
Removing an ACL Entry:
$ setfacl -x u:anotheruser file.txt # Remove ACL entry for 'anotheruser'
Setting Default ACLs: Default ACLs are inherited by all new files and directories created within a directory.
$ setfacl -d -m u:anotheruser:rw /mydir # Set default ACL for 'anotheruser' in 'mydir'
Checking Effective Rights
Use getfacl
to check the effective rights of a file or directory. The effective rights consider both the base permissions and the ACLs.
Access Control Lists (ACLs)
Read about ACL and try out the commands
getfacl
andsetfacl
.Task: Create a directory and set specific ACL permissions for different users and groups. Verify the permissions using
getfacl
.$ mkdir mydir $ setfacl -m u:anotheruser:rwx mydir $ setfacl -m g:anothergroup:rx mydir $ getfacl mydir
Task: Write an article about file permissions based on your understanding from the notes.
Understanding Sticky Bit, SUID, and SGID
Sticky bit, SUID (Set User ID), and SGID (Set Group ID) are special types of permissions that provide additional security and functionality.
Sticky Bit: When set on a directory, it ensures that only the file owner, the directory owner, or the root user can delete or rename files within that directory.
SUID: When set on an executable file, it allows the file to be executed with the permissions of the file owner.
SGID: When set on a directory, files created within the directory inherit the group ownership of the directory.
Tasks: Sticky Bit, SUID, and SGID
Read about sticky bit, SUID, and SGID.
Task: Create examples demonstrating the use of sticky bit, SUID, and SGID, and explain their significance.
# Sticky Bit $ mkdir /tmp/sticky $ chmod +t /tmp/sticky # SUID $ sudo chmod u+s /usr/bin/passwd # SGID $ mkdir /tmp/sgid $ chmod g+s /tmp/sgid
Backup and Restore Permissions
Backing up and restoring file permissions is essential for maintaining system integrity during migrations or major changes.
Tasks: Backup and Restore Permissions
Task: Create a script that backs up the current permissions of files in a directory to a file.
$ getfacl -R /path/to/directory > permissions_backup.txt
Task: Create another script that restores the permissions from the backup file.
$ setfacl --restore=permissions_backup.txt
Best Practices for File Permissions and ACLs
Principle of Least Privilege: Grant the minimum necessary permissions to users and groups.
Regular Audits: Periodically review permissions and ACLs to ensure they are correctly set.
Documentation: Keep a record of permissions and ACLs for critical files and directories.
User Training: Educate users about the importance of proper permission management.