Unix rights reminder
id : o1456j77sv
category : computer
blog : unixlinux
created : 02/27/10 - 19:41:36

Flags : read, write, execute


  • read (r) (4)
    • file : read the file's contents.
    • directory : list the directory's entries (names only; opening or stat'ing them also needs x).
  • write (w) (2)
    • file : modify or truncate the file. Deleting a file is a right on the directory, not on the file (see below).
    • directory : create, delete, or rename entries in the directory (x is needed as well).
  • execute (x) (1)
    • file : execute the file (it must also be a valid binary or script).
    • directory : traverse the directory: enter it and reach entries by name, even without r.

Type : user, group, others


  • user (u) : rights of the file's owner
  • group (g) : rights of the members of the file's group
  • others (o) : rights of everyone else (neither the owner nor a member of the group)
  • Only the first matching class applies: if you own a file with mode ----rwx---, you cannot read it even if you are in its group, because the owner triplet is the one checked for you.

Type file


  • d : directory
  • l : symbolic link
  • c : character device
  • b : block device
  • p : named pipe (fifo)
  • s : socket
  • - : regular file

Example


karl@sanctuary# ls -l
drwxrwxr-x 2 karl karl     4096 dec  4 11:06 trash
-rw-rw-r-- 1 karl karl 52106601 feb 12 23:03 VirtualBox-3.1-3.1.4_57640_rhel5-1.x86.rpm

- --- --- ---
| | | |
| | | |
| | | |
| | | |__ others rights (o)
| | |__ group rights (g)
| |__ user rights (u)
|__ type of file

  • 'trash' is a directory owned by karl. karl can list it, create, delete and rename files in it, and enter it; members of group karl can do the same; everyone else can only list it and enter it.
  • 'VirtualBox-3.1-3.1.4_57640_rhel5-1.x86.rpm' is a regular file owned by karl. karl can read and modify it, members of group karl too; everyone else can only read it. Nobody can execute it (no x bit), and whether it can be deleted depends on the rights of the containing directory, not on these.

Special rights


  • Special rights have no column of their own: they are displayed in place of the x flag of the corresponding triplet (user for setuid, group for setgid, others for the sticky bit). A lowercase letter means the underlying x is also set, an uppercase letter means it is not.

Suid

  • Suid (s,S on user)
    • s : user execution is set and Suid is set.
    • S : user execution is not set and Suid is set (the owner cannot run the file, so the bit does nothing; usually a mistake).
    • file :
      • This special right is only meaningful on an executable file.
      • It allows any user who may execute the file to run it with the effective user ID of the file's owner, i.e. with the owner's privileges (root, if the owner is root).
      • The classic example is passwd: /usr/bin/passwd is owned by root, and every user can change their own password because the command runs with root permissions and can write /etc/shadow.
      • Every setuid root binary is therefore a privilege boundary: a bug in it, or a setuid binary that should not exist, is a direct path to root. Keep the list short and mount user-writable filesystems nosuid. Linux ignores the setuid bit on interpreted scripts (#! files); only native executables gain privileges.
    • directory :
      • Linux ignores the setuid bit on directories. Some BSD systems can optionally honour it so that new files inherit the directory's owner; do not rely on that behaviour.

karl@sanctuary# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 20704  1 août   2009 /usr/bin/passwd
karl@sanctuary# ls -l /bin/mount
-rwsr-xr-x 1 root root 80748 22 janv. 11:52 /bin/mount


Sgid

  • Sgid (s,S on group)
    • s : group execution is set and Sgid is set.
    • S : group execution is not set and Sgid is set.
    • file :
      • While executing a program with this bit set, the process runs with the effective group ID of the group owning the program, and so with that group's privileges.
    • directory :
      • Files created in the directory inherit the directory's group instead of the creator's primary group, and new subdirectories inherit the Sgid bit as well. This is how a shared directory (a web root owned by group lighttpd, below) keeps a consistent group whoever writes into it.

karl@sanctuary# ls -l chaosisme.com/
total 8
drwxr-sr-x 2 karl lighttpd 4096 Jan 23 00:47 http
drwxr-sr-x 2 karl lighttpd 4096 Jan 15 22:47 logs


Sticky bit

  • Sticky bit (t,T on others)
    • t : others execution is set and Sticky bit is set.
    • T : others execution is not set and Sticky bit is set.
    • file :
      • Linux ignores the sticky bit on regular files (historically it kept the program text in swap). Do not use it.
    • directory :
      • When the sticky bit is set, only the file's owner, the directory's owner, or the superuser can rename or delete entries. Without it, any user with write and execute permission on the directory can rename or delete any contained file, regardless of who owns it (deleting is a directory operation; write permission on the file itself is not needed). It is set on world-writable directories such as /tmp and /var/tmp so ordinary users cannot delete or move each other's files; a world-writable directory without it is a finding in any audit.

root@sanctuary# ls -l / | grep tmp
drwxrwxrwt  5 root root   4096 27 feb. 17:04 tmp
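The mode strings in the listings above (rwx triplets plus s/S and t/T in the x columns) map to the octal modes that chmod and find expect. The converter below is an added example for this page, not code from the original post: it turns the 10-character field from `ls -l` into a 4-digit octal mode in pure POSIX sh, and strips the trailing `.` or `+` that ls appends when a file carries a SELinux context or an ACL.

```shell
#!/bin/sh
# mode_to_octal: turn the 10-character mode field printed by `ls -l`
# (type + three rwx triplets, e.g. "-rwsr-xr-x") into the 4-digit octal
# mode that chmod accepts (4755).  Pure POSIX sh, no external commands.
# Example code added for this page, not part of the original post.
mode_to_octal() {
    m=$1
    # ls shows an 11th character ("." SELinux context, "+" ACL); drop it
    case $m in ??????????[+.]) m=${m%?} ;; esac
    [ "${#m}" -eq 10 ] || { printf 'bad mode string: %s\n' "$m" >&2; return 1; }
    rest=${m#?}              # drop the file-type character (d, l, c, b, p, s, -)
    special=0 perms='' cur=0 pos=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first remaining character
        rest=${rest#?}
        pos=$((pos + 1))
        # value of this column; s/S and t/T are only legal in the x columns
        case "$pos:$c" in
            *:r) v=4 ;;
            *:w) v=2 ;;
            *:x) v=1 ;;
            *:-) v=0 ;;
            3:s) v=1; special=$((special + 4)) ;;   # setuid, owner x set
            3:S) v=0; special=$((special + 4)) ;;   # setuid, owner x not set
            6:s) v=1; special=$((special + 2)) ;;   # setgid, group x set
            6:S) v=0; special=$((special + 2)) ;;   # setgid, group x not set
            9:t) v=1; special=$((special + 1)) ;;   # sticky, others x set
            9:T) v=0; special=$((special + 1)) ;;   # sticky, others x not set
            *) printf 'bad character %s at column %d\n' "$c" "$((pos + 1))" >&2; return 1 ;;
        esac
        cur=$((cur + v))
        case $pos in
            3|6|9) perms="$perms$cur"; cur=0 ;;    # end of a triplet
        esac
    done
    printf '%d%s\n' "$special" "$perms"
}

# The lines from the listings above, run through the converter
for s in drwxrwxr-x -rw-rw-r-- -rwsr-xr-x drwxr-sr-x drwxrwxrwt; do
    printf '%s -> %s\n' "$s" "$(mode_to_octal "$s")"
done
```

A capital S or T in the output of `ls -l` is worth a second look: the special bit is set but the matching x is not, which is almost always a typo in a chmod command rather than an intended configuration.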


  • Find all Sgid, Suid files
root@sanctuary# find / -type f \( -perm /4000 -a -user root \) -ls -o \( -perm /2000 -a -group root \) -ls

    • -perm /4000 is GNU find syntax (match if any of the listed bits is set); the portable form is -perm -4000. The two -ls actions print each match, and -o is only reached for files that did not match the first group, so nothing is printed twice. Run it as root and compare the output with a list taken from a clean install: a setuid root file that is not in the distribution's list deserves an explanation.
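The one-liner above answers "what is setuid right now"; what an operator usually needs is "what changed since the last time I looked". The script below is an added example for this page (not from the original post): it lists setuid/setgid files with their mode, owner and group, and diffs that list against a saved baseline so a newly appeared setuid binary stands out. It assumes GNU find and stat (Linux); the portable -perm -4000 / -perm -2000 tests replace the GNU-only -perm /4000.

```shell
#!/bin/sh
# Example code added for this page, not part of the original post.
# special_bits_list ROOT: every regular file under ROOT with setuid or setgid
# set, one line each: "<octal mode> <owner> <group> <path>".
# special_bits_diff BASELINE ROOT: entries that appeared (+) or vanished (-)
# since BASELINE was written by special_bits_list; a new
# "+ 4755 root root /usr/local/bin/foo" is exactly the line to investigate.
# Assumes GNU find and stat (Linux).

special_bits_list() {
    root=${1:-/}
    # -xdev: stay on one filesystem (skips /proc, /sys, network mounts);
    # errors from unreadable directories are not interesting here
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort |
        while IFS= read -r f; do
            stat -c '%a %U %G %n' -- "$f"     # %a includes the special bits
        done
}

special_bits_diff() {
    baseline=$1 root=${2:-/}
    now=$(mktemp) old=$(mktemp)
    special_bits_list "$root" | LC_ALL=C sort > "$now"
    LC_ALL=C sort "$baseline" > "$old"          # comm needs sorted input
    comm -13 "$old" "$now" | sed 's/^/+ /'      # only in the current scan
    comm -23 "$old" "$now" | sed 's/^/- /'      # only in the baseline
    rm -f "$now" "$old"
}

# Usage (as root, after a known-good install):
#   special_bits_list / > /var/lib/setuid-baseline.txt
# and later, from cron or after an incident:
#   special_bits_diff /var/lib/setuid-baseline.txt /
if [ "$#" -gt 0 ]; then
    special_bits_list "$1"
fi
```

Because the mode, owner and group are part of each line, a chmod or chown on an existing setuid binary shows up as one "-" line and one "+" line, which is what you want: a binary that silently changed from 0755 to 4755 is as interesting as a new one.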

Change rights


  • Use the chmod command to change rights, you can use :
    • Numerical notation : 777 (r w x r w x r w x), 644 ( r w _ r _ _ r _ _), 750 (r w x r _ x _ _ _), 720 (r w x _ w _ _ _ _), etc ... A fourth leading digit carries the special bits (4 suid, 2 sgid, 1 sticky): 4755, 2755, 1777.
    • Alpha notation :
      • u : owner ( u+x will set execute for the owner )
      • g : group ( g+r will set read for the group )
      • o : others ( o-rwx will revoke read, write and execute for others )
      • a : all (owner, group and others)
      • + : add a right
      • - : revoke a right
      • = : set exactly these rights and revoke the rest ( g=r leaves the group with read only )
      • X : execute only for directories and for files that already have an execute bit, which is what you want when applying x recursively

  • examples :
karl@sanctuary# chmod g+rw /tmp/filea
karl@sanctuary# chmod a-r /tmp/fileb
karl@sanctuary# chmod -R 750 /tmp/karlsfile

  • Be careful when using -R (recursive chmod) not to type -r: chmod interprets -r as a mode and revokes read permission from everybody. Also note that a recursive numeric mode such as 750 makes every file in the tree executable; use the symbolic form with X (chmod -R u=rwX,g=rX,o= dir) to give x to directories only.
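The difference between a recursive numeric mode and the symbolic form with X is easy to state and easy to get wrong, so here it is run on a small tree. This is an added example for this page, not code from the original post; the tree (a config file and a script) is constructed inline and the modes are read back with GNU `stat -c %a`, which is assumed to be available.

```shell
#!/bin/sh
# Example code added for this page, not part of the original post.
# The trap with `chmod -R 750`: every *file* in the tree becomes executable,
# including a config file that was only meant to be readable.  The symbolic
# form with a capital X applies x only to directories and to files that
# already had an execute bit, which is what "750 on a tree" usually means.
# Assumes GNU stat for `stat -c %a`.

# sample_tree: build a small tree with one config file (sloppy 666) and one
# script (755), print the tree's path
sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/conf"
    printf 'db_password=hunter2\n' > "$t/conf/app.cfg"   # constructed sample
    printf '#!/bin/sh\necho running\n' > "$t/run.sh"
    chmod 666 "$t/conf/app.cfg"
    chmod 755 "$t/run.sh"
    printf '%s\n' "$t"
}

# modes TREE: "dir=<mode> cfg=<mode> script=<mode>"
modes() {
    printf 'dir=%s cfg=%s script=%s\n' \
        "$(stat -c %a "$1/conf")" "$(stat -c %a "$1/conf/app.cfg")" "$(stat -c %a "$1/run.sh")"
}

fix_numeric()  { chmod -R 750 "$1"; modes "$1"; }            # cfg becomes 750: executable
fix_symbolic() { chmod -R u=rwX,g=rX,o= "$1"; modes "$1"; }  # cfg 640, script and dir 750

t1=$(sample_tree); printf 'chmod -R 750          : %s\n' "$(fix_numeric "$t1")";  rm -rf "$t1"
t2=$(sample_tree); printf 'chmod -R u=rwX,g=rX,o=: %s\n' "$(fix_symbolic "$t2")"; rm -rf "$t2"
```

Both forms remove the world-writable bit from the config file, which is the point of the exercise; only the symbolic form leaves it non-executable. Note also that the mktemp directory itself goes from 700 to 750: chmod -R applies to the directory you name, not only to what is inside it.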

Umask


  • The umask is a mask of permission bits that are removed from the mode a program asks for when it creates a file or directory. It is inherited by every process started from your shell and is initially set by the login process.
  • Programs normally create files with mode 0666 and directories with 0777 (compilers, cp and install use 0777 for executables), so under the same umask a directory gets the x bits and an ordinary file does not; x has to be added to a file by hand afterwards. The read and write parts behave the same for both.
  • The kernel computes the final mode as requested_mode AND NOT umask: every bit set in the umask is a permission newly created files will not get. A umask can only remove rights, never add them.

  • Remember :
    • 4 -> read (r)
    • 2 -> write (w)
    • 1 -> execute (x)

  • What each umask digit leaves (digit = 7 minus the rights kept) :
    • 7 : nothing : 7 = 7 - 0
    • 6 : execute (x) : 6 = 7 - 1
    • 5 : write (w) : 5 = 7 - 2
    • 4 : write (w), execute (x) : 4 = 7 - 2 - 1
    • 3 : read (r) : 3 = 7 - 4
    • 2 : read (r), execute (x) : 2 = 7 - 4 - 1
    • 1 : read (r), write (w) : 1 = 7 - 4 - 2
    • 0 : read (r), write (w), execute (x) : 0 = 7 - 4 - 2 - 1

  • examples (directories / files) :
    • 0000 : directories rwxrwxrwx (777), files rw-rw-rw- (666) : everything world-writable, never use it
    • 0022 : directories rwxr-xr-x (755), files rw-r--r-- (644) : the usual default
    • 0027 : directories rwxr-x--- (750), files rw-r----- (640) : nothing for others
    • 0077 : directories rwx------ (700), files rw------- (600) : private, a sensible default for service accounts

  • if you are a user : you can set your umask with the umask command :

user@sanctuary# umask 0033

    • This will set the default rights of your files and directories to :
      • owner : read (r), write (w), and execute (x) on directories.
      • group : read (r).
      • others : read (r).
      • so directories are created 744 and files 644; no suid, sgid or sticky bit.
    • To make it permanent, add the "umask xxxx" line at the bottom of your ~/.bashrc or ~/.profile. Note that 0033 still leaves every new file world-readable; 0027 or 0077 is the usual hardening choice.

  • if you are a system administrator : you can set your users' default umask by adding or modifying the umask line in /etc/profile (on most Linux distributions the login default also comes from the UMASK setting in /etc/login.defs; a umask line in the shell startup files overrides it once the shell starts). Daemons do not read these files: a service's umask comes from its init script or service manager configuration.
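To tie the digit table, the examples and the umask command together, the script below computes the mode a creation call ends up with under a given umask and then creates a real file and directory under that umask to confirm the arithmetic against the kernel. It is an added example for this page, not code from the original post; it assumes GNU `stat -c %a` and that no default ACL is in force on the scratch directory.

```shell
#!/bin/sh
# Example code added for this page, not part of the original post.
# umask_result BASE MASK: the mode a creation call with base mode BASE ends up
# with under umask MASK (octal text in, 4-digit octal out).  Programs create
# files with base 0666 and directories with base 0777, which is why files
# come out without x whatever the umask.
# creation_modes MASK: creates a file and a directory under MASK in a scratch
# directory and reports their modes, so the arithmetic can be checked against
# what the kernel actually does.  Assumes GNU stat for `stat -c %a`.

umask_result() {
    base=$((0$1)) mask=$((0$2))            # leading 0 forces octal in $(( ))
    printf '%04o\n' $(( base & ~mask ))    # keep only the bits NOT in the mask
}

creation_modes() {
    scratch=$(mktemp -d)
    (
        umask "$1"                         # only this subshell is affected
        : > "$scratch/f"                   # open(2) with mode 0666
        mkdir "$scratch/d"                 # mkdir(2) with mode 0777
    )
    printf 'file=%s dir=%s\n' "$(stat -c %a "$scratch/f")" "$(stat -c %a "$scratch/d")"
    rm -rf "$scratch"
}

# Table for the common values, computed and then confirmed on disk
for mask in 000 022 027 033 077; do
    printf 'umask %s: file %s dir %s (on disk: %s)\n' "$mask" \
        "$(umask_result 666 "$mask")" "$(umask_result 777 "$mask")" "$(creation_modes "$mask")"
done
```

The on-disk column is the one to trust when they disagree: a default ACL on the parent directory, or a program that passes a stricter mode than 0666 to open(2) (ssh-keygen, for instance), changes the result without any change to the umask.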