Ubuntu Advanced file permissions in 10 minutes

At a Glance


→In Ubuntu / Linux, the 9 permission bits on a file or directory (three each for the owner, the group and everyone else) are weighted as follows:

4 = Read, 2 = Write, 1 = Execute

When we create a new file or directory, Linux derives its default permissions from a variable called the umask. You can print the current umask value with: $ umask

and set a new umask with: $ umask 022

The new file or directory created by the user gets (777 – umask permission) REGARDLESS of the parent directory's permissions. So a umask of 022 allows a permission of 755, which is the most common setting. (Strictly, the umask is a set of bits to clear rather than a number to subtract, and for regular files the starting point is 666 rather than 777, because the execute bit is never set on a new file by default; so with umask 022 a new directory gets 755 while a new file gets 644.)

→The three most important commands for dealing with file and directory permissions are chmod, chgrp and chown.

→The strangest permissions are those on a directory, because the x permission is always needed alongside read or write for either to be useful. Common sense says that write permission on a directory means you can write into that directory, but you cannot unless you grant the x permission as well. So in short, on a directory with permissions:

w : cannot do anything

r: cannot do anything

rx: can read the contents of the directory, i.e. list its files (ls).

wx: can add new files but cannot list them.

rwx: can add and list files.

→You cannot cd to a path if you lack permission on any of the directories along it (contrary to MS Windows).
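The rules above are easy to verify by hand. The script below is an added example (not part of the original post): it creates throw-away files and directories with a given umask and reports the resulting modes, then checks what a directory with a given mode lets the caller do (list, add a file, enter it), and finally whether a child directory can be entered when its parent lacks permissions. It assumes a Linux box with GNU coreutils (for stat -c) and a non-root caller for the permission checks, since root bypasses them; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: make the umask and directory
# permission rules observable. Assumes GNU coreutils (stat -c) and, for the
# permission checks, a non-root caller, because root bypasses rwx checks.
set -eu

# Create one file and one directory under a throw-away parent with the given
# umask and print their resulting octal modes as "FILE DIR", e.g. "644 755".
modes_with_umask() {
    tmp=$(mktemp -d)
    (   # subshell: the umask change must not leak into the caller
        umask "$1"
        touch "$tmp/f"
        mkdir "$tmp/d"
    )
    printf '%s %s\n' "$(stat -c '%a' "$tmp/f")" "$(stat -c '%a' "$tmp/d")"
    rm -rf "$tmp"
}

# Report what a directory with octal mode $1 allows the caller to do:
# list its entries, add a new file, and enter (cd into) it.
dir_ops_with_mode() {
    tmp=$(mktemp -d)
    mkdir "$tmp/d"
    touch "$tmp/d/existing"
    chmod "$1" "$tmp/d"
    list=no add=no enter=no
    ls "$tmp/d" >/dev/null 2>&1 && list=yes
    touch "$tmp/d/new" 2>/dev/null && add=yes
    (cd "$tmp/d") 2>/dev/null && enter=yes
    chmod 700 "$tmp/d"          # make the tree deletable again
    rm -rf "$tmp"
    printf 'list=%s add=%s enter=%s\n' "$list" "$add" "$enter"
}

# Answer yes/no: can the caller cd into parent/child when the parent
# directory has octal mode $1? (The child itself stays at 755.)
can_enter_subdir_with_parent_mode() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/parent/child"
    chmod 755 "$tmp/parent/child"
    chmod "$1" "$tmp/parent"
    result=no
    (cd "$tmp/parent/child") 2>/dev/null && result=yes
    chmod 700 "$tmp/parent"
    rm -rf "$tmp"
    printf '%s\n' "$result"
}

# Stand-alone run: print the rules in action.
printf 'umask 022 -> file dir: %s\n' "$(modes_with_umask 022)"
printf 'umask 077 -> file dir: %s\n' "$(modes_with_umask 077)"
for m in 200 300 500 700; do
    printf 'dir mode %s: %s\n' "$m" "$(dir_ops_with_mode "$m")"
done
printf 'parent 644, cd parent/child: %s\n' "$(can_enter_subdir_with_parent_mode 644)"
printf 'parent 711, cd parent/child: %s\n' "$(can_enter_subdir_with_parent_mode 711)"
```

Run as an ordinary user, the output shows a new file landing at 644 next to a directory at 755 under umask 022, a wx (300) directory accepting new files that cannot be listed, an rx (500) directory that can be listed and entered but not written, and a parent at 644 blocking cd into its child while 711 (no read, but execute) allows it: the x bit is what lets you pass through a directory.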

A Scenario

→Let's say we want to make a directory called 'base' and want several users (the world) on the system to be able to (1) add their own content to this directory, (2) READ the content others have added, but (3) NOT DELETE it.

$ mkdir base        (as root)

$ chmod 777 base    (this lets everyone read and write in this directory; its parent directory must have 755 permissions so that users cannot delete the 'base' directory itself.)

Problem: now that everyone has read and write permissions on base, user1 is able to delete user2's files.

Solution: we need to set the sticky bit on the base directory. The sticky bit prevents users from deleting files they do not own, even though they have full permissions on the base directory.

$ chmod 1777 base


Sticky bit: if a user has write permission on a directory, he can rename and remove files in that directory even if those files do not belong to him. How can we prevent this? The owner of a directory can set the directory's "sticky bit", octal value 1000, which restricts renaming and removing any file in that directory to the file's owner, the directory's owner, and the superuser.

SETUID: the bit with octal value 4000 is the setuid bit. When you execute a program with the setuid bit set, you run it with the permissions of the program's owner until you are finished with it. $ chmod 4755 program    or    $ chmod u+s program

SETGID: the bit with octal value 2000 is the setgid bit. When you execute a program with the setgid bit set, you run it with the permissions of the program's group until the program finishes. $ chmod 2755 program    or    $ chmod g+s program. When you set the setgid bit on a directory, any file created by any user inside this directory inherits the group of the directory instead of the creator's group.
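The scenario and the three special bits, worked through as an added example that is not part of the original post: the script builds the shared 'base' directory under a 755 parent and shows the sticky bit in its mode string, demonstrates setgid group inheritance on a directory, and audits a constructed tree for setuid/setgid executables, which is the check an administrator runs to know which programs on a system execute with someone else's privileges. It assumes Linux with GNU coreutils (stat -c, chgrp) and find; the function names and the sample tool files are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils (stat -c,
# chgrp) and find on Linux. All files and directories are constructed in a
# temporary location and removed again.
set -eu

# Build the shared directory from the scenario and print its mode as
# "octal symbolic", e.g. "1777 drwxrwxrwt": the trailing t is the sticky bit.
shared_base_mode() {
    tmp=$(mktemp -d)
    chmod 755 "$tmp"            # parent at 755: others cannot remove base itself
    mkdir "$tmp/base"
    chmod 1777 "$tmp/base"
    printf '%s %s\n' "$(stat -c '%a' "$tmp/base")" "$(stat -c '%A' "$tmp/base")"
    rm -rf "$tmp"
}

# Print "setgid:yes|no plain:yes|no": whether a file created inside a
# directory received the directory's group. If the caller belongs to a second
# group, both directories are assigned to it so the difference is visible;
# otherwise both answers are yes simply because there is only one group.
setgid_group_inheritance() {
    tmp=$(mktemp -d)
    mkdir "$tmp/sg" "$tmp/plain"
    for g in $(id -G); do
        if [ "$g" != "$(id -g)" ]; then
            if chgrp "$g" "$tmp/sg" "$tmp/plain" 2>/dev/null; then break; fi
        fi
    done
    chmod 2775 "$tmp/sg"        # setgid directory
    chmod 775 "$tmp/plain"      # same permissions, no setgid
    touch "$tmp/sg/f" "$tmp/plain/f"
    sg=no plain=no
    [ "$(stat -c '%g' "$tmp/sg/f")" = "$(stat -c '%g' "$tmp/sg")" ] && sg=yes
    [ "$(stat -c '%g' "$tmp/plain/f")" = "$(stat -c '%g' "$tmp/plain")" ] && plain=yes
    rm -rf "$tmp"
    printf 'setgid:%s plain:%s\n' "$sg" "$plain"
}

# Audit a tree for regular files carrying the setuid or setgid bit and print
# "mode name" per hit, sorted. The tree is constructed here: two marked tools
# and an ordinary 755 one that must not show up.
audit_special_bits() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    for f in suid_tool sgid_tool normal_tool; do
        printf '#!/bin/sh\necho hello\n' > "$tmp/bin/$f"
    done
    chmod 4755 "$tmp/bin/suid_tool"
    chmod 2755 "$tmp/bin/sgid_tool"
    chmod 755 "$tmp/bin/normal_tool"
    find "$tmp/bin" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %n' {} + | sed "s|$tmp/bin/||" | sort
    rm -rf "$tmp"
}

# Stand-alone run.
printf 'base: %s\n' "$(shared_base_mode)"
printf 'group inheritance: %s\n' "$(setgid_group_inheritance)"
printf 'special-bit audit:\n%s\n' "$(audit_special_bits)"
```

The same find expression, pointed at / with -xdev, is the usual way to inventory setuid and setgid programs on a real host; every entry it lists runs with its owner's or group's privileges for any user who can execute it, so the list should be short and every item on it explainable.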
