Linux file permissions

Linux uses the same file permission settings as UNIX: every file and directory on a Linux system has defined rights for the file's owner, for the members of a user group, and for every other user of the system. The rights are the permissions to read a file (Read), to write to a file (Write) and to execute it (Execute).

To check the permissions we run the command:

# ls -l file

Running the command

[me@linuxbox me]$ ls -l some_file

produces:

-rw-rw-r-- 1 me   me   1097374 Sep 26 18:48 some_file

The output can be interpreted as follows:

- The owner of the file "some_file" is the user "me"
- The user "me" has read and write permission on this file
- The file belongs to the group "me"
- Members of the group "me" can also read and write this file
- Everyone can read this file

Type identifier (the first character of the line):

-  regular file
b  block special file
c  character special file
d  directory
l  symbolic link
p  named pipe
s  socket

Basic File Permissions

Permission Groups

Each file and directory has three user-based permission groups:

  • owner — The Owner permissions apply only to the owner of the file or directory; they do not affect the actions of other users.
  • group — The Group permissions apply only to the group that has been assigned to the file or directory; they do not affect the actions of other users.
  • all users — The All Users permissions apply to all other users on the system; this is the permission group you want to watch the most.

Permission Types

Each file or directory has three basic permission types:

  • read — The Read permission refers to a user's capability to read the contents of the file.
  • write — The Write permission refers to a user's capability to write to or modify a file or directory.
  • execute — The Execute permission refers to a user's capability to execute a file or, on a directory, to enter it and reach the entries inside.

Viewing the Permissions

You can view the permissions by checking the file or directory permissions in your favorite GUI File Manager (which I will not cover here) or by reviewing the output of the "ls -l" command in the terminal while working in the directory which contains the file or folder.

The permission in the command line is displayed as: _rwxrwxrwx 1 owner:group

  1. User rights/Permissions
    1. The first character, which I marked with an underscore, is the special permission flag that can vary.
    2. The following set of three characters (rwx) is for the Owner permissions.
    3. The second set of three characters (rwx) is for the Group permissions.
    4. The third set of three characters (rwx) is for the All Users permissions.
  2. Following that grouping, the integer is the number of hard links to the file.
  3. The last piece is the Owner and Group assignment, formatted as Owner:Group.
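An added example (not part of the original article) that decodes the mode string just described into the octal form chmod takes, including the s and t special bits that are introduced further down; the strings fed to it are constructed samples.

```shell
#!/bin/sh
# Turn the 10-character mode string printed by "ls -l" (e.g. "-rwxr-x---")
# into the 4-digit octal number that chmod accepts (e.g. "0750").
# Character 1 is the type flag; characters 2-10 are the owner, group and
# all-users triplets. An "s" in an owner/group execute slot is setuid/setgid
# and a "t" in the last slot is the sticky bit; upper case ("S", "T") means
# the special bit is set while the execute bit itself is not.

# triplet_value "rwx" -> 7 ; triplet_value "r--" -> 4 ; triplet_value "r-S" -> 4
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac   # lower case = execute bit on
    echo "$v"
}

# special_value "-rwsr-sr-t" -> 7 (setuid 4 + setgid 2 + sticky 1)
special_value() {
    s=0
    case "$1" in ???[sS]??????) s=$((s + 4)) ;; esac   # owner execute slot
    case "$1" in ??????[sS]???) s=$((s + 2)) ;; esac   # group execute slot
    case "$1" in ?????????[tT]) s=$((s + 1)) ;; esac   # all-users execute slot
    echo "$s"
}

# mode_to_octal "-rwsr-xr-x" -> 4755 ; returns 1 on a malformed string
mode_to_octal() {
    m="$1"
    if [ "${#m}" -ne 10 ]; then
        echo "mode_to_octal: expected 10 characters, got '$m'" >&2
        return 1
    fi
    u=$(triplet_value "$(printf '%s' "$m" | cut -c2-4)")
    g=$(triplet_value "$(printf '%s' "$m" | cut -c5-7)")
    o=$(triplet_value "$(printf '%s' "$m" | cut -c8-10)")
    printf '%s%s%s%s\n' "$(special_value "$m")" "$u" "$g" "$o"
}

# Applied to the ls -l line shown earlier (constructed input, not a live listing):
mode_to_octal "-rw-rw-r--"   # 0664
mode_to_octal "drwxrwxrwt"   # 1777, a /tmp-style sticky directory
```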

Modifying the Permissions

When in the command line, the permissions are edited by using the command chmod. You can assign the permissions explicitly or by using a binary reference as described below.

Explicitly Defining Permissions

To explicitly define permissions you will need to reference the Permission Group and Permission Types.

The Permission Groups used are:

  • u — Owner
  • g — Group
  • o — All Users (others); a addresses all three groups at once

The potential Assignment Operators are + (plus) and - (minus); these are used to tell the system whether to add or remove the specific permissions.

The Permission Types that are used are:

  • r — Read
  • w — Write
  • x — Execute

So for an example, let's say I have a file named file1 that currently has the permissions set to _rw_rw_rw, which means that the owner, group and all users have read and write permission. Now we want to remove the read and write permissions from the all users group.

To make this modification you would invoke the command: chmod o-rw file1
To add the permissions back you would invoke the command: chmod o+rw file1

As you can see, if you want to grant those permissions you change the minus character to a plus to add those permissions.

Using Binary References to Set permissions

Now that you understand the permission groups and types this one should feel natural. To set the permissions using binary references you must first understand that the input is done by entering three integers/numbers.

A sample permission string would be chmod 640 file1, which means that the owner has read and write permissions, the group has read permissions, and all other users have no rights to the file.

The first number represents the Owner permissions; the second represents the Group permissions; and the last number represents the permissions for all other users. The numbers are a binary representation of the rwx string.

  • r = 4
  • w = 2
  • x = 1

You add the numbers to get the integer/number representing the permissions you wish to set. You will need to include the binary permissions for each of the three permission groups.

So to set the permissions on file1 to _rwxr_____, you would enter chmod 740 file1.

Owners and Groups

I have made several references to Owners and Groups above, but have not yet told you how to assign or change the Owner and Group assigned to a file or directory.

You use the chown command to change owner and group assignments; the syntax is simply chown owner:group filename, so to change the owner of file1 to user1 and the group to family you would enter chown user1:family file1.

Advanced Permissions

The special permissions flag can be marked with any of the following:

  • _ — no special permissions
  • d — directory
  • l — The file or directory is a symbolic link
  • s — This indicates the setuid/setgid permissions. It is not displayed in the special permission part of the permissions display, but is represented as an s in the execute portion of the owner or group permissions.
  • t — This indicates the sticky bit permissions. It is not displayed in the special permission part of the permissions display, but is represented as a t in the execute portion of the all users permissions.

Setuid/Setgid Special Permissions

The setuid/setgid permissions are used to tell the system to run an executable as the owner, with the owner's permissions.

Be careful using setuid/setgid bits in permissions. If you incorrectly assign permissions to a file owned by root with the setuid/setgid bit set, then you can open your system to intrusion.

You can only assign the setuid/setgid bit by explicitly defining permissions. The character for the setuid/setgid bit is s.

So to set the setuid or setgid bit you would issue the command chmod u+s or chmod g+s respectively.

Sticky Bit Special Permissions

The sticky bit can be very useful in a shared environment because, when it has been assigned to the permissions on a directory, only a file's owner can rename or delete that file.

You can only assign the sticky bit by explicitly defining permissions. The character for the sticky bit is t.

To set the sticky bit on a directory named dir1 you would issue the command chmod +t dir1.

When Permissions Are Important

Some users of Mac- or Windows-based computers don't think about permissions, because those environments don't focus as aggressively on user-based file rights unless you are in a corporate environment. But now you are running a Linux-based system, where permission-based security is simplified and can easily be used to restrict access as you please.

So I will show you some documents and folders that you want to focus on, and how the optimal permissions should be set.

  • home directories — The users' home directories are important because you do not want other users to be able to view and modify the files in another user's documents or desktop. To remedy this you will want the directory to have the drwx______ (700) permissions; so let's say we want to enforce the correct permissions on the user user1's home directory, that can be done by issuing the command chmod 700 /home/user1.
  • bootloader configuration files — If you decide to implement a password to boot specific operating systems then you will want to remove read and write permissions on the configuration file from all users but root. To do so you can change the permissions of the file to 700.
  • system and daemon configuration files — It is very important to restrict rights to system and daemon configuration files to keep users from editing the contents; it may not be advisable to restrict read permissions, but restricting write permissions is a must. In these cases it may be best to set the rights to 644.
  • firewall scripts — It may not always be necessary to block all users from reading the firewall file, but it is advisable to restrict the users from writing to the file. In this case the firewall script is run by the root user automatically on boot, so all other users need no rights, so you can assign the 700 permissions.

Other examples can be given, but this article is already very lengthy, so if you want to share other examples of needed restrictions please do so in the comments.
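An added audit script, not from the article, that checks a listing of mode/owner/path lines against the recommendations in the list above: world-writable files, root-owned setuid/setgid binaries worth inventorying, and home directories wider than 700. The listing is a constructed sample with hypothetical paths; on a live system the same lines come from find with -printf.

```shell
#!/bin/sh
# Audit lines of the form "<octal mode> <owner> <path>" against the rules
# above. On a live system the lines would come from
#   find / -xdev -printf '%m %u %p\n'
# but the listing here is a constructed sample with hypothetical paths so
# that the script runs offline.
sample_listing() {
    cat <<'EOF'
700 user1 /home/user1
755 user2 /home/user2
644 root /etc/ssh/sshd_config
666 root /etc/cron.d/backup
4755 root /usr/bin/passwd
2755 root /usr/bin/wall
700 root /etc/firewall.sh
EOF
}

# Reads the listing on stdin and prints one "TAG mode path" line per finding.
audit_modes() {
    while read -r mode owner path; do
        [ -n "$path" ] || continue
        len=${#mode}                                   # 3 digits, or 4 with special bits
        others=$(printf '%s' "$mode" | cut -c"$len")   # last digit = all-users rights
        special=0
        if [ "$len" -eq 4 ]; then special=$(printf '%s' "$mode" | cut -c1); fi
        # write bit (2) in the all-users digit: any local user can change the file
        if [ $((others & 2)) -ne 0 ]; then
            echo "WORLD-WRITABLE $mode $path"
        fi
        # setuid (4) or setgid (2) on a root-owned file runs with root's rights;
        # keep an inventory so unexpected additions stand out
        if [ "$owner" = root ] && [ $((special & 6)) -ne 0 ]; then
            echo "SETUID-OR-SETGID $mode $path"
        fi
        # home directories should be 700: group and all-users digits both zero
        case "$path" in
            /home/*)
                tail2=$(printf '%s' "$mode" | cut -c"$((len - 1))-$len")
                [ "$tail2" = "00" ] || echo "HOME-TOO-OPEN $mode $path" ;;
        esac
    done
}

# count_findings TAG -> number of sample entries flagged with TAG
count_findings() {
    sample_listing | audit_modes | grep -c "^$1 "
}

sample_listing | audit_modes
```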
