Welcome to post 23 of my 100 day challenge. Check out my introduction for some background.
This is post eight of my LFCS series. This post is the fourth part of file system and storage. In it I will be discussing file permissions and attributes. For the first three parts see post 5, post 6 and post 7.
You can go back to the overview post for a brief introduction or take a look at post one for instructions on setting up the exam practice system which I will be using throughout this series. For the posts regarding the Linux Command Line see posts 2, 3 and 4.
This post is quite long, so you might want to set aside some time to go through it properly.
LFCS filesystem & storage part 4
Basic Permissions for files
|(R)ead||Provides ability to open files and view contents.|
|(W)rite||Provides ability to overwrite or modify the file.|
|e(X)ecute||To run the file. E.g. a script or application.|
Basic permissions for directories
|(R)ead||Provides ability to view directory contents.|
|(W)rite||Provides ability to delete or create files and directories inside directory.|
|e(X)ecute||Provides ability to go into (cd) the directory.|
Setting or viewing the default permissions of a file/directory
You can view or set the default permissions of a file or folder with the umask command. The umask command is a utility that determines how file permissions are set for new files.
You can discover the default umask of our vm by issuing the umask command on the terminal:
[root@centospractice ~]# umask
0022
|umask Octal Value||File Permissions||Directory Permissions|
|7||--- (none)||--- (none)|
In this case, with a mask of 0022, the default permissions would be rw-r--r-- (644) for files and rwxr-xr-x (755) for directories.
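To see how a mask turns into real permissions, the following added example (not part of the original post) creates a file and a directory under several umask values and reads back their modes. The function name and the masks other than 0022 are constructed for illustration, and GNU stat is assumed, as found on CentOS.

```shell
#!/bin/sh
# Create a file and a directory under the given umask and print their
# resulting octal modes as "<file> <dir>". Runs in a subshell so the
# caller's own umask is left unchanged. Assumes GNU stat.
modes_under_umask() {
    (
        work=$(mktemp -d) || exit 1
        umask "$1"
        : > "$work/newfile"      # new files start from 666, never executable
        mkdir "$work/newdir"     # new directories start from 777
        printf '%s %s\n' "$(stat -c '%a' "$work/newfile")" \
                         "$(stat -c '%a' "$work/newdir")"
        chmod -R u+rwx "$work" && rm -rf "$work"
    )
}

# Constructed sample masks: the page's 0022 plus tighter and looser ones.
for mask in 0022 0002 0027 0077; do
    set -- $(modes_under_umask "$mask")
    printf 'umask %s -> files %s, directories %s\n' "$mask" "$1" "$2"
done
```

A mask of 0027 or 0077 removes all access for others on newly created files, which is why those values are common on multi-user servers.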
To change permissions for files or directories we can use the following commands:
|chown*||Change the owner of a file/directory.|
|chgrp||Change group ownership of a file/directory.|
|chmod||Change access rights to a file/directory.|
|chmod +rx <filename>||Adds Read and Execute permissions for Owner, Group and Others.|
|chmod g+w filename||Adds write permissions to Group.|
|chmod go-w||Removes write permissions for Group and Others.|
|* Denotes a command that must be run as the root user.|
Change the permissions on test.txt to let both the User and Group have read access whilst others have no access.
[root@centospractice ~]# ll | grep test.txt
-rw-r--r--. 1 root root 0 Apr 27 23:51 test.txt
[root@centospractice ~]# chmod u+r-w,g+r,o-rwx test.txt
[root@centospractice ~]# ll | grep test.txt
-r--r-----. 1 root root 0 Apr 27 23:51 test.txt
Numeric (octal) representations of permissions:
You can use numbers instead of letters, although I find the letter representation more obvious.
If we had used numbers in the above example, it would look like this:
[root@centospractice ~]# chmod 440 test.txt
[root@centospractice ~]# ll | grep test.txt
-r--r-----. 1 root root 0 Apr 27 23:51 test.txt
Special permission bits
Linux provides items known as “Special Bits” that can be applied to files and directories in order to change their default behaviour. These special bits are useful if the basic file and directory permissions are not enough for the situation. An example is when several users have different default groups but are all members of another group, and you need them to have write access to certain files. The three special bits are the setuid bit, the setgid bit and the sticky bit.
The setuid bit allows us to set which user a program can be executed as. This enables us to run a script as another user, e.g. root.
An example of this is being able to run a script with root privileges whilst being logged in as a user who wouldn’t normally have them.
[root@centospractice ~]# chown root /opt/test.sh
[root@centospractice ~]# chmod +x /opt/test.sh
[root@centospractice ~]# chmod +s /opt/test.sh
Create a user called testuser who has a password of testuser to test this out:
[root@centospractice ~]# passwd testuser
Changing password for user testuser.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
Login as testuser and run the script:
[testuser@centospractice ~]$ /opt/test.sh
Hiya Matey
[testuser@centospractice ~]$ ls -l /opt/test.sh
-rwsr-sr-x. 1 root root 18 Apr 28 00:45 /opt/test.sh
When we ran the script test.sh we ran it with all the rights of the root user even though we were logged in as testuser and testuser was the owner of the process test.sh was running in. Using s in the user section of the permission sets the setuid bit.
The setgid bit allows us to stipulate what group ownership a directory plus all of its subdirectories and files has. For example, if we set the setgid bit on the directory /opt/testfiles with the group testgroup, then any files or subdirectories created in it will also have testgroup as their group owner. This is useful if the files and directories are on a shared network drive, as it allows us to set group membership on these files and add individual users to those groups to grant them effective permissions.
[root@centospractice ~]# chgrp testgroup /opt/testfiles
[root@centospractice ~]# chmod g+s /opt/testfiles
[root@centospractice ~]# ls -l | grep /opt/testfiles
drwxr-sr-x 2 testuser testgroup 4096 Apr 28 00:58 testfiles
[testuser@centospractice ~]$ whoami
testuser
[testuser@centospractice ~]$ echo "Test file info" > /opt/testfiles/test.txt
[testuser@centospractice ~]$ ls -l /opt/testfiles/
total 1
-rw-r--r-- 1 testuser testgroup 28 Apr 01:00 test.txt
Can you see above that the new file has the group testgroup?
The sticky bit, also known as the Save Text Attribute bit, can only be set at the directory level. It enforces that only a file owner can delete their own file within the specified directory, regardless of any other permissions. In the example below, /opt/testfiles has the group testgroup and contains a file that testuser has created; with the sticky bit set, it is only testuser that can delete the file, even if there are other members of that group.
[root@centospractice ~]# chmod +t /opt/testfiles
[root@centospractice ~]# ls -l | grep ^d
drwxr-sr-t 2 testuser testgroup 4096 Apr 28 01:04 /opt/morefiles
Now we can see that the sticky bit flag is set by the t in the permissions in the last line of the output above.
Numeric (octal) values of special bits
|0||There is no special bit set.|
|1||Sticky bit is set.|
|2||Setgid bit is set.|
|4||Setuid bit is set.|
Finding files on the file system
There are several methods you can use to find files in Linux. The first one is find. You run find by giving it a starting location, and it searches the file system from that point downwards.
[root@centospractice ~]# find / -name test.sh -print
/opt/test.sh
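find can also search by permission bits, which ties it back to the special bits described earlier. The following added example (not part of the original post) lists files carrying setuid or setgid and world-writable directories that lack the sticky bit. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Files carrying setuid (4000) or setgid (2000). Each one runs with its
# owner's or group's identity, so the list should be short and expected.
find_setid_files() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) | sort )
}

# World-writable directories without the sticky bit (1000): any user can
# delete or replace another user's files there.
find_unsticky_world_writable() {
    ( cd "$1" && find . -type d -perm -0002 ! -perm -1000 | sort )
}

# Constructed sample tree covering each special bit from the table above.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    touch "$root/plain.txt" "$root/suid_tool" "$root/sgid_tool"
    mkdir "$root/shared_ok" "$root/shared_bad" "$root/team"
    chmod 0644 "$root/plain.txt"
    chmod 4755 "$root/suid_tool"    # setuid file
    chmod 2755 "$root/sgid_tool"    # setgid file
    chmod 1777 "$root/shared_ok"    # world-writable, sticky bit set
    chmod 0777 "$root/shared_bad"   # world-writable, no sticky bit
    chmod 2775 "$root/team"         # setgid directory, not world-writable
    printf '%s\n' "$root"
}

tree=$(make_sample_tree)
echo "setuid/setgid files:"
find_setid_files "$tree"
echo "world-writable directories without the sticky bit:"
find_unsticky_world_writable "$tree"
rm -rf "$tree"
```

On a real system, pass a directory such as /opt or /usr to the two functions and compare the output against a known-good baseline.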
An alternative is to use the locate utility. Locate uses a database of filenames in the system. Assuming this database is up to date, searches made with locate are much faster than searching the actual filesystem. On your Linux system there should be a cron job running on a daily basis that executes the updatedb utility and keeps this database up to date. Of course, if you have done some work on a day where it has already run, then the changes you have made will not be available to locate until it runs again. In order to pull in recent changes you can run the updatedb command manually from the shell.
[root@centospractice ~]# updatedb
[root@centospractice ~]# locate test.sh
/opt/test.sh
My personal favourite when searching for files and folders and in some cases the contents within is to use the grep utility. You can see my introduction to the grep command in LFCS command line part 2.
[testuser@centospractice ~]$ grep -irl "Hiya" /opt
/opt/test.sh
[testuser@centospractice ~]$ grep -irH "Hiya" /opt
/opt/test.sh:echo "Hiya Matey"
Tune in tomorrow for the fifth part of my revision article on LFCS Filesystem & storage where we will discuss creating partitions and mounting file systems at boot time with fstab.
Can you improve on any of the tips I’ve discussed here? If you can, let me know in the comments.