[2024-feb-29] Sad news: Eric Layton aka Nocturnal Slacker aka vtel57 passed away on Feb 26th, shortly after hospitalization. He was one of our Wiki's most prominent admins. He will be missed.
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
slackbook:filesystem_permissions [2012/09/09 15:10 (UTC)] – [Permissions Overview] update document with original text and formatting mfillpot | slackbook:filesystem_permissions [2012/10/15 22:28 (UTC)] (current) – [SUID, SGID, and the Sticky Bit] gerardo.zamudio | ||
---|---|---|---|
Line 23: | Line 23: | ||
case, the permissions are rwxr-xr-x, the user is root and the group is | case, the permissions are rwxr-xr-x, the user is root and the group is | ||
also root. The permissions section, while grouped together, is really | also root. The permissions section, while grouped together, is really | ||
- | three seperate | + | three separate |
permissions granted to the user that owns the file. The second set of | permissions granted to the user that owns the file. The second set of | ||
three are those granted to the group owner, and the final three are | three are those granted to the group owner, and the final three are | ||
Line 36: | Line 36: | ||
|Others |r-x |Everyone else may read and execute| | |Others |r-x |Everyone else may read and execute| | ||
- | he permissions are pretty self explainatory | + | The permissions are pretty self explanatory |
files. Read, write, and execute allow you to read a file, write to it, | files. Read, write, and execute allow you to read a file, write to it, | ||
or execute it. But what do these permissions mean for directories? | or execute it. But what do these permissions mean for directories? | ||
Line 63: | Line 63: | ||
===== chmod, chown, and chgrp ===== | ===== chmod, chown, and chgrp ===== | ||
- | So now that we know what permissions are, how do we change them? And for that matter, how do we assign user and group ownership? The answer is right here in this section. | + | So now that we know what permissions are, how do we change them? And |
+ | for that matter, how do we assign user and group ownership? The answer | ||
+ | is right here in this section. | ||
+ | |||
+ | |||
+ | The first tool we'll discuss is the useful | ||
+ | **// | ||
+ | (1) command. Using **// | ||
+ | it), change the ownership of a file or | ||
+ | directory. | ||
+ | to change the user ownership, but can change the group ownership as well. | ||
- | The first tool we'll discuss is the useful chown (1) command. Using chown, we can (you guessed it), change the ownership of a file or directory. chown is historically used only to change the user ownership, but can change the group ownership as well. | ||
< | < | ||
Line 79: | Line 88: | ||
</ | </ | ||
- | By using a colon after the user account, you may also specify a new group account. | + | |
+ | By using a colon after the user account, you may also specify a new | ||
+ | group account. | ||
< | < | ||
Line 89: | Line 101: | ||
</ | </ | ||
- | chown can also be used recursively to change the ownership of all files and directories below a target directory. The following command would change all the files under the directory | + | |
+ | **//chown//** can also be used recursively to change | ||
+ | the ownership of all files and directories below a target directory. | ||
+ | The following command would change all the files under the directory | ||
+ | '' | ||
< | < | ||
- | darkstar:~# chown -R root:root /tmp/foo/b | + | darkstar:~# chown -R root:root / |
- | </ | + | |
+ | |||
+ | Specifying a colon and a group name without a user name will simply | ||
+ | change the group for a file and leave the user ownership intact. | ||
- | Specifying a colon and a group name without a user name will simply change the group for a file and leave the user ownership intact. | ||
< | < | ||
Line 106: | Line 125: | ||
</ | </ | ||
- | The younger brother of chown is the slightly less useful chgrp(1). This command works just like chown, except it can only change the group ownership of a file. Since chown can already do this, why bother with chgrp? The answer is simple. Many other operating systems use a different version of chown that cannot change the group ownership, so if you ever come across one of those, now you know how. | ||
- | There' | + | The younger brother of **// |
+ | slightly less useful **// | ||
+ | command works just like **// | ||
+ | it can only change the group | ||
+ | ownership of a file. Since **// | ||
+ | already do this, why bother with | ||
+ | **// | ||
+ | operating systems use a | ||
+ | different version of **// | ||
+ | change the group ownership, so | ||
+ | if you ever come across one of those, now you know how. | ||
+ | |||
+ | |||
+ | There' | ||
+ | permissions. The first is a much easier concept to grasp. The tool for | ||
+ | changing permissions on a file or directory is | ||
+ | **//chmod//**(1). The syntax for it | ||
+ | is nearly identical to that for **//chown//**, but | ||
+ | rather than | ||
+ | specify a user or group, the administrator must specify either a set of | ||
+ | octal permissions or a set of alphabetic permissions. Neither one is | ||
+ | especially easy to grasp the first time. We'll begin with the less | ||
+ | complicated octal permissions. | ||
+ | |||
+ | |||
+ | Octal permissions derive their name from being assigned by one of eight | ||
+ | digits, namely the numbers 0 through 7. Each permissions is assigned a | ||
+ | number that is a power of 2, and those numbers are added together to | ||
+ | get the final permissions for one of the permission sets. If this | ||
+ | sounds confusing, maybe this table will help. | ||
- | Octal permissions derive their name from being assigned by one of eight digits, namely the numbers 0 through 7. Each permissions is assigned a number that is a power of 2, and those numbers are added together to get the final permissions for one of the permission sets. If this sounds confusing, maybe this table will help. | ||
**Table 10.2. Octal Permissions** | **Table 10.2. Octal Permissions** | ||
Line 118: | Line 164: | ||
|Execute |1| | |Execute |1| | ||
- | By adding these values together, we can reach any number between 0 and 7 and specify all possible permission combinations. For example, to grant both read and write privilages | + | By adding these values together, we can reach any number between 0 and |
+ | 7 and specify all possible permission combinations. For example, to | ||
+ | grant both read and write privileges | ||
+ | use the number 6. The number 3 would grant write and execute | ||
+ | permissions, | ||
+ | number for each of the three sets when using octal permissions. It's | ||
+ | not possible to specify only a set of user or group permissions this | ||
+ | way for example. | ||
< | < | ||
Line 128: | Line 182: | ||
</ | </ | ||
- | chmod can also use letter values along with + or - to grant or deny permissions. While this may be easier to remember, it's often easier to use the octal permissions. | + | |
+ | **//chmod//** can also use letter values along with | ||
+ | < | ||
+ | While this may be easier to | ||
+ | remember, it's often easier to use the octal permissions. | ||
**Table 10.3. Alphabetic Permissions** | **Table 10.3. Alphabetic Permissions** | ||
Line 142: | Line 201: | ||
|Others/ | |Others/ | ||
- | To use the letter values with chmod, you must specify which set to use them with, either " | + | To use the letter values with **//chmod//**, you |
+ | must specify which set to use them with, either | ||
+ | group, and //" | ||
+ | adding or removing permissions with the //" | ||
+ | sets can be changed at once by separating | ||
< | < | ||
Line 162: | Line 226: | ||
</ | </ | ||
- | Which you prefer to use is entirely up to you. There are places where one is better than the other, so a real Slacker will know both inside out. | ||
+ | Which you prefer to use is entirely up to you. There are places where | ||
+ | one is better than the other, so a real Slacker will know both inside | ||
+ | out. | ||
===== SUID, SGID, and the " | ===== SUID, SGID, and the " | ||
- | We're not quite done with permissions just yet. There are three other " | + | We're not quite done with permissions just yet. There are three other |
+ | //" | ||
+ | SUID, SGID, and the sticky bit. When a file has one or more of these | ||
+ | permissions set, it behaves in special ways. The SUID and SGID | ||
+ | permissions change the way an application is run, while the sticky bit | ||
+ | restricts deletion of files. These permissions are applied with | ||
+ | **//chmod//** | ||
+ | like read, write, and execute, but with a twist. | ||
+ | |||
+ | |||
+ | SUID and SGID stand for //"Set User ID"// and //"Set Group ID"// respectively. | ||
+ | When an application with one of these bits is set, the application runs | ||
+ | with the user or group ownership permissions of that application | ||
+ | regardless of what user actually | ||
+ | executed it. Let's take a look at a common SUID application, | ||
+ | **// | ||
- | SUID and SGID stand for "Set User ID" and "Set Group ID" respectively. When an application with one of these bits is set, the application runs with the user or group ownership permissions of that application regardless of what user actually executed it. Let's take a look at a common SUID application, | ||
< | < | ||
Line 179: | Line 259: | ||
</ | </ | ||
- | Notice the permissions on passwd. Instead of an x in the user's execute slot, we have an s. This tells us that passwd is a SUID program, and when we run it, the process will run as the user " | ||
- | So what about the sticky bit? The sticky bit restricts the ability to move or delete files and is only ever set on directories. Non-root users cannot move or delete any files under a directory with the sticky bit set unless they are the owner of that file. Normally anyone with write permission to the file can do this, but the sticky bit prevents it for anyone but the owner (and of course, root). Let's take a look at a common " | + | Notice the permissions on **// |
+ | an < | ||
+ | < | ||
+ | **// | ||
+ | it, the process will run as the user //" | ||
+ | that actually executed it. The reason for this is readily apparent as | ||
+ | soon as you look at the two files it modifies. Neither | ||
+ | ''/ | ||
+ | are writable by anyone other than root. Since users need to change | ||
+ | their personal information, | ||
+ | run as root in order to modify those files. | ||
+ | |||
+ | |||
+ | So what about the sticky bit? The sticky bit restricts the ability to | ||
+ | move or delete files and is only ever set on directories. Non-root | ||
+ | users cannot move or delete any files under a directory with the sticky | ||
+ | bit set unless they are the owner of that file. Normally anyone with | ||
+ | write permission to the file can do this, but the sticky bit prevents | ||
+ | it for anyone but the owner (and of course, root). Let's take a look at | ||
+ | a common | ||
< | < | ||
Line 188: | Line 287: | ||
</ | </ | ||
- | Naturally, being a directory for the storage of temporary files sytem wide, /tmp needs to be readable, | + | |
+ | Naturally, being a directory for the storage of temporary files system | ||
+ | wide, '' | ||
+ | executable by anyone and everyone. Since any user is likely to have a | ||
+ | file or two stored here at any time, it only makes good sense to | ||
+ | prevent other users from deleting those files, so the sticky bit has | ||
+ | been set. You can see it by the presence of the < | ||
+ | place of the < | ||
**Table 10.5. SUID, SGID, and " | **Table 10.5. SUID, SGID, and " | ||
- | ^Permission | + | ^Permission Type ^Octal Value ^Letter Value| |
|SUID |4 |s| | |SUID |4 |s| | ||
|SGID |2 |s| | |SGID |2 |s| | ||
|Sticky |1 |t| | |Sticky |1 |t| | ||
- | When using octal permissions, | + | When using octal permissions, |
+ | octal value. For example, to recreate the permission on | ||
+ | '' | ||
+ | permissions on '' | ||
+ | Essentially, | ||
+ | **//chmod//** assumes its value to be 0. | ||
< | < | ||
Line 203: | Line 316: | ||
</ | </ | ||
- | Using the alphabetic permission values is slightly different. Assuming the two files above have permissions of 0000 (no permissions at all), here is how we would set them. | + | |
+ | Using the alphabetic permission values is slightly different. Assuming | ||
+ | the two files above have permissions of 0000 (no permissions at all), | ||
+ | here is how we would set them. | ||
< | < | ||
Line 210: | Line 327: | ||
</ | </ | ||
+ | ====== Chapter Navigation ====== | ||
+ | |||
+ | **Previous Chapter: [[slackbook: | ||
+ | |||
+ | **Next Chapter: [[slackbook: | ||
====== Sources ====== | ====== Sources ====== | ||
<!-- If you copy information from another source, then specify that source --> | <!-- If you copy information from another source, then specify that source --> | ||
- | * Original source: [[http:// | + | |
<!-- Authors are allowed to give credit to themselves! --> | <!-- Authors are allowed to give credit to themselves! --> | ||
- | < | + | |
- | <!-- * Contrbutions | + | <!-- * Contributions |
<!-- Please do not modify anything below, except adding new tags.--> | <!-- Please do not modify anything below, except adding new tags.--> | ||
<!-- You must also remove the tag-word " | <!-- You must also remove the tag-word " | ||
{{tag> | {{tag> |