3.4.1. Access rights: Linux’s first line of defense
The Linux security model is based on the one used on UNIX systems, and is as rigid as the UNIX security model (and sometimes even more), which is already quite robust. On a Linux system, every file is owned by a user and a group user. There is also a third category of users, those that are not the user owner and don’t belong to the group owning the file. For each category of users, read, write and execute permissions can be granted or denied.
We already used the long option to list files using the ls -l command, though for other reasons. This command also displays file permissions for these three user categories; they are indicated by the nine characters that follow the first character, which is the file type indicator at the beginning of the file properties line. As seen in the examples below, the first three characters in this series of nine display access rights for the actual user that owns the file. The next three are for the group owner of the file, the last three for other users. The permissions are always in the same order: read, write, execute for the user, the group and the others. Some examples:
marise:~> ls -l To_Do
-rw-rw-r– 1 marise users 5 Jan 15 12:39 To_Do
marise:~> ls -l /bin/ls
-rwxr-xr-x 1 root root 45948 Aug 9 15:01 /bin/ls*
The first file is a regular file (first dash). Users with user name marise or users belonging to the group users can read and write (change/move/delete) the file, but they can’t execute it (second and third dash). All other users are only allowed to read this file, but they can’t write or execute it (fourth and fifth dash).
The second example is an executable file, the difference: everybody can run this program, but you need to be root to change it.
The Info pages explain how the ls command handles display of access rights in detail, see the section What information is listed.
For easy use with commands, both access rights or modes and user groups have a code. See the tables below.
Table 3-7. Access mode codes
0 or – The access right that is supposed to be on this place is not granted.
4 or r read access is granted to the user category defined in this place
2 or w write permission is granted to the user category defined in this place
1 or x execute permission is granted to the user category defined in this place
Table 3-8. User group codes
u user permissions
g group permissions
o permissions for others
This straight forward scheme is applied very strictly, which allows a high level of security even without network security. Among other functions, the security scheme takes care of user access to programs, it can serve files on a need-to-know basis and protect sensitive data such as home directories and system configuration files.
You should know what your user name is. If you don’t, it can be displayed using the id command, which also displays the default group you belong to and eventually other groups of which you are a member:
uid=504(tilly) gid=504(tilly) groups=504(tilly),100(users),2051(org)
Your user name is also stored in the environment variable USER:
tilly:~> echo $USER
3.4.2. The tools
184.108.40.206. The chmod command
A normal consequence of applying strict file permissions, and sometimes a nuisance, is that access rights will need to be changed for all kinds of reasons. We use the chmod command to do this, and eventually to chmod has become an almost acceptable English verb, meaning the changing of the access mode of a file. The chmod command can be used with alphanumeric or numeric options, whatever you like best.
The example below uses alphanumeric options in order to solve a problem that commonly occurs with new users:
bash: ./hello: bad interpreter: Permission denied
asim:~> cat hello
echo “Hello, World”
asim:~> ls -l hello
-rw-rw-r– 1 asim asim 32 Jan 15 16:29 hello
asim:~> chmod u+x hello
asim:~> ls -l hello
-rwxrw-r– 1 asim asim 32 Jan 15 16:29 hello*
The + and – operators are used to grant or deny a given right to a given group. Combinations separated by commas are allowed. The Info and man pages contain useful examples. Here’s another one, which makes the file from the previous example a private file to user asim:
asim:~> chmod u+rwx,go-rwx hello
asim:~> ls -l hello
-rwx—— 1 asim asim 32 Jan 15 16:29 hello*
The kind of problem resulting in an error message saying that permission is denied somewhere is usually a problem with access rights in most cases. Also, comments like, “It worked yesterday,” and “When I run this as root it works,” are most likely caused by the wrong file permissions.
When using chmod with numeric arguments, the values for each granted access right have to be counted together per group. Thus we get a 3-digit number, which is the symbolic value for the settings chmod has to make. The following table lists the most common combinations:
Table 3-9. File protection with chmod
chmod 400 file To protect a file against accidental overwriting.
chmod 500 directory To protect yourself from accidentally removing, renaming or moving files from this directory.
chmod 600 file A private file only changeable by the user who entered this command.
chmod 644 file A publicly readable file that can only be changed by the issuing user.
chmod 660 file Users belonging to your group can change this file, others don’t have any access to it at all.
chmod 700 file Protects a file against any access from other users, while the issuing user still has full access.
chmod 755 directory For files that should be readable and executable by others, but only changeable by the issuing user.
chmod 775 file Standard file sharing mode for a group.
chmod 777 file Everybody can do everything to this file.
If you enter a number with less than three digits as an argument to chmod, omitted characters are replaced with zeros starting from the left. There is actually a fourth digit on Linux systems, that precedes the first three and sets special access modes. Everything about these and many more are located in the Info pages.
220.127.116.11. Logging on to another group
When you type id on the command line, you get a list of all the groups that you can possibly belong to, preceded by your user name and ID and the group name and ID that you are currently connected with. However, on many Linux systems you can only be actively logged in to one group at the time. By default, this active or primary group is the one that you get assigned from the /etc/passwd file. The fourth field of this file holds users’ primary group ID, which is looked up in the /etc/group file. An example:
uid=501(asim) gid=501(asim) groups=100(users),501(asim),3400(web)
asim:~> grep asim /etc/passwd
asim:x:501:501:Asim El Baraka:/home/asim:/bin/bash
asim:~> grep 501 /etc/group
The fourth field in the line from /etc/passwd contains the value “501”, which represents the group asim in the above example. From /etc/group we can get the name matching this group ID. When initially connecting to the system, this is the group that asim will belong to.
Note User private group scheme
In order to allow more flexibility, most Linux systems follow the so-called user private group scheme, that assigns each user primarily to his or her own group. This group is a group that only contains this particular user, hence the name “private group”. Usually this group has the same name as the user login name, which can be a bit confusing.
Apart from his own private group, user asim can also be in the groups users and web. Because these are secondary groups to this user, he will need to use the newgrp to log into any of these groups (use gpasswd for setting the group password first). In the example, asim needs to create files that are owned by the group web.
asim:/var/www/html> newgrp web
uid=501(asim) gid=3400(web) groups=100(users),501(asim),3400(web)
When asim creates new files now, they will be in group ownership of the group web instead of being owned by the group asim:
asim:/var/www/html> touch test
asim:/var/www/html> ls -l test
-rw-rw-r– 1 asim web 0 Jun 10 15:38 test
Logging in to a new group prevents you from having to use chown (see Section 18.104.22.168) or calling your system administrator to change ownerships for you.
See the manpage for newgrp for more information.
22.214.171.124. The file mask
When a new file is saved somewhere, it is first subjected to the standard security procedure. Files without permissions don’t exist on Linux. The standard file permission is determined by the mask for new file creation. The value of this mask can be displayed using the umask command:
Instead of adding the symbolic values to each other, as with chmod, for calculating the permission on a new file they need to be subtracted from the total possible access rights. In the example above, however, we see 4 values displayed, yet there are only 3 permission categories: user, group and other. The first zero is part of the special file attributes settings, which we will discuss in Section 126.96.36.199 and Section 4.1.6. It might just as well be that this first zero is not displayed on your system when entering the umask command, and that you only see 3 numbers representing the default file creation mask.
Each UNIX-like system has a system function for creating new files, which is called each time a user uses a program that creates new files, for instance, when downloading a file from the Internet, when saving a new text document and so on. This function creates both new files and new directories. Full read, write and execute permission is granted to everybody when creating a new directory. When creating a new file, this function will grant read and write permissions for everybody, but set execute permissions to none for all user categories. This, before the mask is applied, a directory has permissions 777 or rwxrwxrwx, a plain file 666 or rw-rw-rw-.
The umask value is subtracted from these default permissions after the function has created the new file or directory. Thus, a directory will have permissions of 775 by default, a file 664, if the mask value is (0)002. This is demonstrated in the example below:
bert:~> mkdir newdir
bert:~> ls -ld newdir
drwxrwxr-x 2 bert bert 4096 Feb 28 13:45 newdir/
bert:~> touch newfile
bert:~> ls -l newfile
-rw-rw-r– 1 bert bert 0 Feb 28 13:52 newfile
Note Files versus directories
A directory gets more permissions by default: it always has the execute permission. If it wouldn’t have that, it would not be accessible. Try this out by chmodding a directory 644!
If you log in to another group using the newgrp command, the mask remains unchanged. Thus, if it is set to 002, files and directories that you create while being in the new group will also be accessible to the other members of that group; you don’t have to use chmod.
The root user usually has stricter default file creation permissions:
[[email protected] root]# umask
These defaults are set system-wide in the shell resource configuration files, for instance /etc/bashrc or /etc/profile. You can change them in your own shell configuration file, see Chapter 7 on customizing your shell environment.
188.8.131.52. Changing user and group ownership
When a file is owned by the wrong user or group, the error can be repaired with the chown (change owner) and chgrp (change group) commands. Changing file ownership is a frequent system administrative task in environments where files need to be shared in a group. Both commands are very flexible, as you can find out by using the –help option.
The chown command can be applied to change both user and group ownership of a file, while chgrp only changes group ownership. Of course the system will check if the user issuing one of these commands has sufficient permissions on the file(s) she wants to change.
In order to only change the user ownership of a file, use this syntax:
chown newuser file
If you use a colon after the user name (see the Info pages), group ownership will be changed as well, to the primary group of the user issuing the command. On a Linux system, each user has his own group, so this form can be used to make files private:
uid=1304(jacky) gid=(1304) groups=1304(jacky),2034(pproject)
jacky:~> ls -l my_report
-rw-rw-r– 1 jacky project 29387 Jan 15 09:34 my_report
jacky:~> chown jacky: my_report
jacky:~> chmod o-r my_report
jacky:~> ls -l my_report
-rw-rw—- 1 jacky jacky 29387 Jan 15 09:34 my_report
If jacky would like to share this file, without having to give everybody permission to write it, he can use the chgrp command:
jacky:~> ls -l report-20020115.xls
-rw-rw—- 1 jacky jacky 45635 Jan 15 09:35 report-20020115.xls
jacky:~> chgrp project report-20020115.xls
jacky:~> chmod o= report-20020115.xls
jacky:~> ls -l report-20020115.xls
-rw-rw—- 1 jacky project 45635 Jan 15 09:35 report-20020115.xls
This way, users in the group project will be able to work on this file. Users not in this group have no business with it at all.
Both chown and chgrp can be used to change ownership recursively, using the -R option. In that case, all underlying files and subdirectories of a given directory will belong to the given user and/or group.
On most systems, the use of the chown and chgrp commands is restricted for non-privileged users. If you are not the administrator of the system, you can not change user nor group ownerships for security reasons. If the usage of these commands would not be restricted, malicious users could assign ownership of files to other users and/or groups and change behavior of those users’ environments and even cause damage to other users’ files.