Skip to main content

Linux File System Permissions

Access to files by users are controlled by file permissions. The Linux file permissions system is simple but flexible, which makes it easy to understand and apply, yet able to handle most normal permission cases easily.
Files have just three categories of user to which permissions apply. The file is owned by a user, normally the one who created the file. The file is also owned by a single group, usually the primary group of the user who created the file, but this can be changed. Different permissions can be set for the owning user, the owning group, and for all other users on the system that are not the user or a member of the owning group.
The most specific permissions apply. So, user permissions override group permissions, which override other permissions.
In the graphic that follows, joshua is a member of the groups joshua and web, while allison is a member of allison, wheel, and web. When joshua and allison have the need to collaborate, the files should be associated with the group web and the group permissions should allow the desired access.
Group membership illustration
There are also just three categories of permissions which apply: read, write, and execute. These permissions affect access to files and directories as follows:
Effects of Permissions on Files and Directories
Permission Effect on files Effect on directories
r (read) Contents of the file can be read. Contents of the directory (file names) can be listed.
w (write) Contents of the file can be changed. Any file in the directory may be created or deleted.
x (exec) Files can be executed as commands. Contents of the directory can be accessed (dependent on the permissions of the files in the directory).

Note that users normally have both read and exec on read-only directories, so that they can list the directory and access its contents. If a user only has read access on a directory, the names of the files in it can be listed, but no other information, including permissions or time stamps, are available, nor can they be accessed. If a user only has exec access on a directory, they cannot list the names of the files in the directory, but if they already know the name of a file which they have permission to read, then they can access the contents of that file by explicitly specifying the file name.
A file may be removed by anyone who has write permission to the directory in which the file resides, regardless of the ownership or permissions on the file itself. (This can be overridden with a special permission, the sticky bit, which will be discussed at the end of the unit.)

Viewing File/Directory Permissions and Ownership

The -l option of the ls command will expand the file listing to include both the permissions of a file and the ownership: 
[student@desktopX ~]$ ls -l test
-rw-rw-r--. 1 student student 0 Feb  8 17:36 test
The command ls -l directoryname will show the expanded listing of all of the files that reside inside the directory. To prevent the descent into the directory and see the expanded listing of the directory itself, add the -d option to ls: 
[student@desktopX ~]$ ls -ld /home
drwxr-xr-x. 5 root root 4096 Jan 31 22:00 /home

Note

Unlike NTFS permissions, Linux permissions only apply to the directory or file that they are set on. Permissions on a directory are not inherited automatically by the subdirectories and files within it. (The permissions on a directory may effectively block access to its contents, however.) All permissions in Linux are set directly on each file or directory.
The read permission on a directory in Linux is roughly equivalent to List folder contents in Windows.
The write permission on a directory in Linux is equivalent to Modify in Windows; it implies the ability to delete files and subdirectories. In Linux, if write and the sticky bit are both set on a directory, then only the user that owns a file or subdirectory in the directory may delete it, which is close to the behavior of the Windows Write permission.
Root has the equivalent of the Windows Full Control permission on all files in Linux. However, root may still have access restricted by the system's SELinux policy and the security context of the process and files in question.

Examples: Linux User, Group, Other Concepts

Users and their groups:

    lucy     lucy,ricardo
    ricky    ricky,ricardo
    ethel    ethel,mertz
    fred     fred,mertz

File attributes (permissions, user & group ownership, name):

    drwxrwxr-x   ricky   ricardo   dir (which contains the following files)
      -rw-rw-r--   lucy    lucy      lfile1
      -rw-r--rw-   lucy    ricardo   lfile2
      -rw-rw-r--   ricky   ricardo   rfile1
      -rw-r-----   ricky   ricardo   rfile2
Allowed/denied behavior Controlling permissions
lucy is the only person who can change the contents of lfile1. lucy has write permissions on the file lfile1 as the owner. No one is listed as a member of the group lucy. The permissions for other do not include write permissions.
ricky can view the contents of lfile2, but cannot modify the contents of lfile2. ricky is a member of the group ricardo, and that group has read-only permissions on lfile2. Even though other has write permissions, group permissions take precedence.
ricky can delete lfile1 and lfile2. ricky has write permissions on the directory containing both files, and as such, he can delete any file in that directory.
ethel can change the contents of lfile2. Since ethel is not lucy, and is not a member of the ricardo group, other permissions apply to her, and those include write permission.
lucy can change the contents of rfile1. lucy is a member of the ricardo group, and that group has both read and write permissions on rfile1.
ricky can view and modify the contents of rfile2.
lucy can view but not modify the contents of rfile2.
ethel and fred do not have any access to the contents of rfile2.		 ricky owns the file and has both read and write access to rfile2.
lucy is a member of the ricardo group, and that group has read-only access to rfile2.
other permissions apply to ethel and fred, and those permissions do not include read or write permission.

Comments

Post a Comment

thank you for visiting :)

Popular posts from this blog

The Seven-Step Model of Migration

Irrespective of the migration approach adopted, the Seven-step Model of Cloud Migration creates a more rational point of view towards the migration process and offers the ability to imbibe several best practices throughout the journey Step 1: Assess Cloud migration assessments are conducted to understand the complexities in the migration process at the code, design and architectural levels. The investment and the recurring costs are also evaluated along with gauging the tools, test cases, functionalities and other features related to the configuration. Step 2: Isolate The applications to be migrated to the cloud from the internal data center are freed of dependencies pertaining to the environment and the existing system. This step cuts a clearer picture about the complexity of the migration process. Step 3: Map Most organisations hold a detailed mapping of their environment with all the systems and applications. This information can be used to distinguish between the
Post a Comment
Read more

Special Permissions in linux

The setuid permission on an executable file means that the command will run as the user owning the file, not as the user that ran the command. One example is the passwd command: [student@desktopX ~]$ ls -l /usr/bin/passwd -rw s r-xr-x. 1 root root 35504 Jul 16 2010 /usr/bin/passwd In a long listing, you can spot the setuid permissions by a lowercase s where you would normally expect the x (owner execute permissions) to be. If the owner does not have execute permissions, this will be replaced by an uppercase S . The special permission setgid on a directory means that files created in the directory will inherit their group ownership from the directory, rather than inheriting it from the creating user. This is commonly used on group collaborative directories to automatically change a file from the default private group to the shared group, or if files in a directory should be
Post a Comment
Read more

RequestsDependencyWarning: urllib3 (1.24.1) or chardet (3.0.4) doesn't match a supported version

import tweepy /usr/lib/python2.7/dist-packages/requests/__init__.py:80: RequestsDependencyWarning: urllib3 (1.24.1) or chardet (3.0.4) doesn't match a supported version!   RequestsDependencyWarning) Traceback (most recent call last):   File "<stdin>", line 1, in <module>   File "/usr/local/lib/python2.7/dist-packages/tweepy/__init__.py", line 14, in <module>     from tweepy.api import API   File "/usr/local/lib/python2.7/dist-packages/tweepy/api.py", line 12, in <module>     from tweepy.binder import bind_api   File "/usr/local/lib/python2.7/dist-packages/tweepy/binder.py", line 11, in <module>     import requests   File "/usr/lib/python2.7/dist-packages/requests/__init__.py", line 97, in <module>     from . import utils   File "/usr/lib/python2.7/dist-packages/requests/utils.py", line 26, in <module>     from ._internal_utils import to_native_string   File "/usr/lib/python2.
Post a Comment
Read more

tag