Skip to main content

Linux File System Permissions

Access to files by users are controlled by file permissions. The Linux file permissions system is simple but flexible, which makes it easy to understand and apply, yet able to handle most normal permission cases easily.
Files have just three categories of user to which permissions apply. The file is owned by a user, normally the one who created the file. The file is also owned by a single group, usually the primary group of the user who created the file, but this can be changed. Different permissions can be set for the owning user, the owning group, and for all other users on the system that are not the user or a member of the owning group.
The most specific permissions apply. So, user permissions override group permissions, which override other permissions.
In the graphic that follows, joshua is a member of the groups joshua and web, while allison is a member of allison, wheel, and web. When joshua and allison have the need to collaborate, the files should be associated with the group web and the group permissions should allow the desired access.
Group membership illustration
There are also just three categories of permissions which apply: read, write, and execute. These permissions affect access to files and directories as follows:
Effects of Permissions on Files and Directories
Permission Effect on files Effect on directories
r (read) Contents of the file can be read. Contents of the directory (file names) can be listed.
w (write) Contents of the file can be changed. Any file in the directory may be created or deleted.
x (exec) Files can be executed as commands. Contents of the directory can be accessed (dependent on the permissions of the files in the directory).

Note that users normally have both read and exec on read-only directories, so that they can list the directory and access its contents. If a user only has read access on a directory, the names of the files in it can be listed, but no other information, including permissions or time stamps, are available, nor can they be accessed. If a user only has exec access on a directory, they cannot list the names of the files in the directory, but if they already know the name of a file which they have permission to read, then they can access the contents of that file by explicitly specifying the file name.
A file may be removed by anyone who has write permission to the directory in which the file resides, regardless of the ownership or permissions on the file itself. (This can be overridden with a special permission, the sticky bit, which will be discussed at the end of the unit.)

Viewing File/Directory Permissions and Ownership

The -l option of the ls command will expand the file listing to include both the permissions of a file and the ownership: 
[student@desktopX ~]$ ls -l test
-rw-rw-r--. 1 student student 0 Feb  8 17:36 test
The command ls -l directoryname will show the expanded listing of all of the files that reside inside the directory. To prevent the descent into the directory and see the expanded listing of the directory itself, add the -d option to ls: 
[student@desktopX ~]$ ls -ld /home
drwxr-xr-x. 5 root root 4096 Jan 31 22:00 /home

Note

Unlike NTFS permissions, Linux permissions only apply to the directory or file that they are set on. Permissions on a directory are not inherited automatically by the subdirectories and files within it. (The permissions on a directory may effectively block access to its contents, however.) All permissions in Linux are set directly on each file or directory.
The read permission on a directory in Linux is roughly equivalent to List folder contents in Windows.
The write permission on a directory in Linux is equivalent to Modify in Windows; it implies the ability to delete files and subdirectories. In Linux, if write and the sticky bit are both set on a directory, then only the user that owns a file or subdirectory in the directory may delete it, which is close to the behavior of the Windows Write permission.
Root has the equivalent of the Windows Full Control permission on all files in Linux. However, root may still have access restricted by the system's SELinux policy and the security context of the process and files in question.

Examples: Linux User, Group, Other Concepts

Users and their groups:

    lucy     lucy,ricardo
    ricky    ricky,ricardo
    ethel    ethel,mertz
    fred     fred,mertz

File attributes (permissions, user & group ownership, name):

    drwxrwxr-x   ricky   ricardo   dir (which contains the following files)
      -rw-rw-r--   lucy    lucy      lfile1
      -rw-r--rw-   lucy    ricardo   lfile2
      -rw-rw-r--   ricky   ricardo   rfile1
      -rw-r-----   ricky   ricardo   rfile2
Allowed/denied behavior Controlling permissions
lucy is the only person who can change the contents of lfile1. lucy has write permissions on the file lfile1 as the owner. No one is listed as a member of the group lucy. The permissions for other do not include write permissions.
ricky can view the contents of lfile2, but cannot modify the contents of lfile2. ricky is a member of the group ricardo, and that group has read-only permissions on lfile2. Even though other has write permissions, group permissions take precedence.
ricky can delete lfile1 and lfile2. ricky has write permissions on the directory containing both files, and as such, he can delete any file in that directory.
ethel can change the contents of lfile2. Since ethel is not lucy, and is not a member of the ricardo group, other permissions apply to her, and those include write permission.
lucy can change the contents of rfile1. lucy is a member of the ricardo group, and that group has both read and write permissions on rfile1.
ricky can view and modify the contents of rfile2.
lucy can view but not modify the contents of rfile2.
ethel and fred do not have any access to the contents of rfile2.		 ricky owns the file and has both read and write access to rfile2.
lucy is a member of the ricardo group, and that group has read-only access to rfile2.
other permissions apply to ethel and fred, and those permissions do not include read or write permission.

Comments

Post a Comment

thank you for visiting :)

Popular posts from this blog

The Seven-Step Model of Migration

Irrespective of the migration approach adopted, the Seven-step Model of Cloud Migration creates a more rational point of view towards the migration process and offers the ability to imbibe several best practices throughout the journey Step 1: Assess Cloud migration assessments are conducted to understand the complexities in the migration process at the code, design and architectural levels. The investment and the recurring costs are also evaluated along with gauging the tools, test cases, functionalities and other features related to the configuration. Step 2: Isolate The applications to be migrated to the cloud from the internal data center are freed of dependencies pertaining to the environment and the existing system. This step cuts a clearer picture about the complexity of the migration process. Step 3: Map Most organisations hold a detailed mapping of their environment with all the systems and applications. This information can be used to distinguish between the ...
Post a Comment
Read more

Cloud Computing architecture

Cloud computing architecture refers to all components and sub-components that together form the structure of the cloud computing system. This architecture can be divided into three parts for better understanding – front end, back end and middleware. Each part of the cloud architecture has its own set of functionalities and protocols that work together to deliver on-demand services to user-facing hardware as well as software. In general, the architecture is evolved out of large distributed network applications over the last two decades. Hence it supports any system where resources can be pooled and partitioned as required. The general cloud architecture is capable of running multiple software applications running on multiple virtual hardware in multiple locations to efficiently render on-demand services to the users. The users could be using these software applications from their desktop or laptop or mobile or tablets. Usually, whatever the user is looking at – through t...
Post a Comment
Read more

connection oriented

connection-oriented:- connection-oriented  describes a means of transmitting data in which the devices at the end points use a preliminary  protocol  to establish an end-to-end connection before any data is sent. Connection-oriented protocol service is sometimes called a "reliable" network service, because it guarantees that data will arrive in the proper sequence. Transmission Control Protocol ( TCP ) is a connection-oriented protocol. For connection-oriented communications, each end point must be able to transmit so that it can communicate. The alternative to connection-oriented transmission is the  connection-less  approach, in which data is sent from one end point to another without prior arrangement. Connection-less protocols are usually described as  stateless  because the end points have no protocol-defined way to remember where they are in a "conversation" of message exchanges. Because they can keep track of a conversation, connection-or...
Post a Comment
Read more

tag