[Explained] Files & Permissions - Security & Cryptography

Loki123
Members
General
To stop unwanted users from accessing your files, you can set permission bits on them and on your directories. It is also possible to set what permissions a file gets when it is created. This is just a small part of system security. We won't concern ourselves with the big security picture, only the files and directories part. Directories are a bit different, but not much, as will be covered in a short text at the bottom.

When a file is created it is owned by the user who created it and the user group that user belongs to. The user alone can specify who can read, write and execute that file, but root or the system administrator can override anything that a mere mortal user does.

A file can be accessed in three ways.
  1. Reading, so you can display the file.
  2. Writing, so you can edit or delete it.
  3. Executing, if the file contains a script or it is a program.
Permissions of a file are grouped into three different types.
  1. Owner. Who owns the file.
  2. Group. Any user that belongs to that group
  3. Other. Someone outside the group.

Files
When you create a file the system stores all the information you could ever want to know about it. Including:
  • The location of the file
  • File Type
  • File size
  • Who owns it and can access it
  • The inode
  • Time last modified
  • The permission bits of the file

Now when all that has been explained, let's take a look at a typical file listing using the ls (-)l command. But take away the (). I get blocked when posting the command without having the ().
root@Teddi:/home/Teddi/permissions # ls -l
total 0
-rwxr-xr-x  1 root  wheel  0 Dec 21 10:04 1
-r-xr-xr-x  1 root  wheel  0 Dec 21 10:04 2
-rwxr-xr-x  1 root  wheel  0 Dec 21 10:04 3
... 

Total 0 : Tells us how much space the files have taken up in the directory.
-rwxr-xr-x : These are the permission bits on the file. By counting all the characters excluding the first '-', you'll see that there are nine of them. Remember from earlier that you can specify who can access the files: Owner, Group and Others.
rwx : The owner. These are the first three bits.
r-x : Group. These are the second three bits.
r-x : Others. These are the last three bits.
1 : This is the number of hard links the file has.
root : This is who owns the actual file.
wheel : This is the default group that the owner belongs to.
0 : This is the file's size in bytes, not kilobytes.
Dec 21 10:04 : This is the date of the last time the file was modified.
1 : The file name.

Types of files
I know you are wondering why I told you to exclude the first dash when looking at the permission bits. Now I am going to explain what the first dash means. A file can have seven types, designated by the first character when you run the ls -(l) command. (Note: Remove the () )
The types are: (image)
[Image: n6ywcEE.png]

Permissions
Let's create a file using the touch command
$ touch myfile
Now let's do an ls -(l) (Note: Take away the () )
-rw-r--r--  1 Teddi  Teddi  0 Dec 21 11:06 myfile 
Now you have created an empty file, and as expected the first '-' tells us that this is an ordinary file.
[Image: gSfLOZf.png]
Now after the first bit there are three bits (rw-); those are your permissions as the owner of the file. The following (r--) are the permissions of the group that you belong to, in this case the group Teddi. The last three (r--) are others, or the rest of the world. Now we should take a closer look at the permissions to see what they mean.
[Image: i1lV8qu.png]

So each set of three characters excluding the first defines:
  1. Permissions for the owner of the file
  2. Permissions for the default group you belong to. (A user can belong to many groups)
  3. Permissions for anybody else on the system
For each of these sets we have the following set permissions:
r : Can read the file
w : Can write/amend this file
x : Can eXecute this file.

You might have noticed that the file myfile was not created with the execute permission for the owner. The system will not allow you to create a file with this permission bit set. This is because of the security enforced by the system; you will have to change this manually. You can also set the execute permission bit on directories, but that has a slightly different meaning.

Changing the permission bits
You can change the permission bits of a file to whatever you would like. The only thing you have to think about is whom you would like to give access to your files and what kind of access. This also includes directories you own. To change the permission bits you use the chmod command. The chmod command can be used the short way, using absolute mode, or the long way, using symbolic mode.

-Symbolic mode
The general format of the chmod command is
chmod [who] operator [Permissions] filename

Who means
u : User permissions
g : The group permissions
o : The Other permissions
a : Means all (User, Group and other)

Operator means:
+ : Add a permission
- : Take away a permission
= : Set permissions

Permissions means:
r : Read permission
w : Write permission
x : Execute permission
s : User or Group set-ID
t : Sticky bit*
l : Lock the file, other users cannot access it
u,g,o : Take away from the user, group or other

* You might see the t when you do a listing on a file or directory. The t stands for Sticky bit. If you see a t on a directory it means only the owner of the files contained in that directory can delete them, even if a member of a group has the same rights as the owner.
If you see a t on a file listing, it means that once the script or a program has been run it is to be kept in SWAP (Virtual memory).

Examples:
Let's assume that we have a file with the following permissions: rwx rwx rwx
[Image: BXUG2g3.png]

-Absolute mode
The general format for the absolute mode is
chmod [mode] file
Where mode is an octal number.
The permission part takes a new meaning in the absolute mode. Each permission bit is an octal number representation. Like this :
[Image: L99w2BI.png]

To specify the permissions, all we have to do is look at the table for the required permissions for the user, group and other. Now add up the octal numbers for each corresponding permission set. If you look at the table you can see that the maximum for the Owner, Group and Other is 7.
[Image: D6jQx1G.png]

Directories
You might remember that I said that directories are a little bit different. I am going to keep this short and only explain it in this little text about directories so try to keep up, this is almost over.
The 'read' bit means being able to list the contents of the files. The 'write' bit means you can create files in this directory and the last bit, the 'execute' bit means that you have the privilege to search or access that directory.

setuid & setgid
Setuid and setgid can be useful but really dangerous too; some vendors do not allow implementation of this bit or ignore it because of the security risk that follows it. The idea behind setuid is that if the owner has the setuid bit set on a script or an executable, the user that runs the script gets the owner's permissions. So let's say that root owns the script and has the setuid bit set; the user that runs the script then assumes root privileges for the script's run-time. The same principle goes for setgid, but with setgid the user that runs the script assumes the group's permissions instead. (Set User ID upon execution and Set Group ID upon execution)

If you noticed in the tables above we always seem to have a 0 (zero) in front of the permission bits for Owner, group, others. Finally you will see what that part does.
Instead of that 0 you can set 2 for suid and 4 for guid. Add them together to set both, thus becoming 6.

example of the absolute way:
[Image: ITMh6o2.png]

Example of the symbolic way:
[Image: vaN66Iv.png]

You might sometimes see an uppercase S when looking at the permissions. What it means is that the execute bit has not been set under the S. That is a useless suid permission state and you can ignore it.

Change the ownership of a file/directory
When you create a file it is owned by the creator. Once you own a file you should be free to change the ownership and give it away to another user. That can be in the format of the user's login name or the ID of the user, which is a number. For security reasons, when the ownership of the file is changed the suid bit is cleared. There are two users that are allowed to give a file away to another user: the owner and the system administrator. On some systems only the system administrator is allowed to give the file away.
The general format to change the ownership is:
    chown -R -h owner file

-R means you can do a recursive change on the files and all its sub-directories.
-h means if the file is a symbolic link then change the owner of that as well.

Change the group
Once a file is created, the group it belongs to is the user's default group. This we can change with the chgrp command.
The general format to change the group is:
    chgrp -R -h group file

-R means you can do a recursive change on the files and all its sub-directories.
-h means if the file is a symbolic link then change the group of that as well.


Now that was that. We have covered the most important parts at least. I did not cover umask which is the opposite of chmod so you might want to take time learning about umask. Please leave a reply for something I could add or do better if I should decide to create another tutorial or information thread. hehe..

I hope it helped some of you!

~Loki123
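As an added example (not from the original post), the following script exercises the symbolic and absolute chmod modes described above on scratch files, shows the directory execute bit and the uppercase S case, and then does the check a defender actually wants these bits for: finding setuid/setgid and world-writable entries under a directory. It assumes a POSIX shell with ls, chmod, find and mktemp, and uses the octal values chmod(1) itself accepts for the special bits.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Creates a private
# scratch directory, sets modes with chmod in both styles and audits the
# result with find. Assumes POSIX ls/chmod/find plus mktemp.

# First 10 characters of ls -ld: the type flag plus the nine permission bits.
perms() {
    ls -ld "$1" | cut -c1-10
}

# Scratch directory (mode 0700 from mktemp), so nothing else is touched.
SANDBOX=$(mktemp -d)

# Absolute mode: 0755 = rwx for owner, r-x for group, r-x for others.
touch "$SANDBOX/abs"
chmod 0755 "$SANDBOX/abs"

# Symbolic mode reaching the same bits; '=' replaces the current bits
# instead of adding to them like '+' would.
touch "$SANDBOX/sym"
chmod u=rwx,g=rx,o=rx "$SANDBOX/sym"

# Directory: taking 'x' away from others keeps the listing bit (r) but
# removes their ability to traverse into the directory.
mkdir "$SANDBOX/dir"
chmod 0755 "$SANDBOX/dir"
chmod o-x "$SANDBOX/dir"

# Setuid (04000) on a file with no owner execute bit: ls shows the
# uppercase S the tutorial mentions, i.e. a setuid bit that does nothing.
touch "$SANDBOX/dead_suid"
chmod 4644 "$SANDBOX/dead_suid"

# Audit: regular files carrying setuid (04000) or setgid (02000), and any
# entry that is world-writable without the sticky bit (01000) protecting it.
audit() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
    find "$1" -perm -0002 ! -perm -1000 -print
}

# Number of findings under a directory, for a quick pass/fail check.
audit_count() {
    audit "$1" | wc -l | tr -d ' '
}

# Remove the scratch directory once done.
cleanup() {
    rm -rf "$SANDBOX"
}
```

Run audit on a real tree (for example /usr/local) to list the setuid, setgid and world-writable entries an attacker would look at first; only dead_suid is reported in the sandbox because mktemp makes the directory 0700.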
venam
Administrators
Knowing about file permissions is one of the most basic skills of *nix users. This might not be new for most of the users of this forum; however, it will help beginners.
Loki123
Members
(22-12-2013, 04:03 AM)venam Wrote: Knowing about file permissions is one of the most basic skills of *nix users. This might not be new for most of the users of this forum; however, it will help beginners.

You are right, but permissions are also probably one of the most important things that a *nix user has to know about.
Gen
Long time nixers
Ooo, I learned most of the stuff from the FreeBSD Documents, one of the first things I've actually learned about Unix in fact. Nevertheless, HF community is a bit wasteful, only a few users are passionate about learning.
Loki123
Members
The FreeBSD Documents and the handbook are today one of the first places where I look when I don't know something. It is amazing.

Yeah, the HF community is a bit wasteful. Don't know how I can stay there. Addictive.

I added setuid and setguid with how to change the ownership and group of a file/directory.