Sunday, November 16, 2014

Access Permissions

One of the important features that make a operating system good is Security. Linux is considered One of the secured Operating system. In this article we will see the basics of security in Linux.

Normally in Linux we have 3 types of permissions that change the behavior of 3 entities.
The 3 types of permissions are

'r'(Read ) : This allows you to read, view, or open a file
'w'(Write) : This allows you to edit or delete the file
'x'(execute) : This allows you to run the file as a program if that is executable.

The 3 entities are
Owner: Owner is the person who created the file. Most of the files in linux are owned by root saying that the files are created by root user and not allowing other users to modify of delete the files.

Group: Group is nothing but users who are set under specific group. So when changing permissions to groups, the users that belong to group are only affected leaving other users intact.

Other: As the name implies, the permission applies to everybody. We need to take care of this entity as altering permissions for this without knowledge can lead to the executing things by all users.Permissions on the file can be viewed by using “ls –l” command in linux

Dev:vx2100:jbs002-jag $ ls -alrt
drwxr-xr-x 6 djbs002 jksgrp  4096 Jul   26  2012 syslog-ng
-rw-r--r--  1  djbs002 jksgrp   925  Nov 13 00:00 clean-logs.log

The format for the permissions looks as “ _rwxrwxrwx 1 owner:group “.
In the above line, the first character represents a file or a directory, Others including

 Regular file
Symbolic link
 Character device
 Block special device

The first 3 char (rwx) are the owner permission
The second 3 char (rwx) are group permissions
The last 3 char (rwx) are the user permissions
The next integer value is the number of hard links to that file
The next one is the owner of the file (djbs002)
The next line is the group to while the file exists (jksgrp)

Owner and group Changes
Linux provides us utilities to change Owner and group permissions on a file using “chown” and “chgrp” commands.

Create a file with a different user as
-rw-r--r--  1 oracle oinstall    0 Nov 14 15:01 test_file

Now we have create a file with owner as “oracle”. In order to change the owner of the file to a different user we can use
[root@localhost oracle]# chown root test_file
-rw-r--r--  1 root   oinstall    0 Nov 14 15:01 test_file

The group also can be changed using
[root@localhost oracle]# chgrp root test_file
[root@localhost oracle]# ll
-rw-r--r--  1 root   root        0 Nov 14 15:01 test_file
Now both can be changed at same time using,
[root@localhost oracle]# chown root.root test_file
[root@localhost oracle]# ll
-rw-r--r--  1 root   root        0 Nov 14 15:05 test_file

Mode Changes
There are two ways of specifying the new permissions using chmod: symbolic and absolute.

Absolute mode deal with numbers. Every file permission can be considered as numbers. We can use the below values for setting permissions on the file.

          |         owner                |        group                |    everyone             |
          | read | write | execute  | read | write | execute  | read | write  | execute |
          | 400  |  200  |  100      |  40  |  20   |   10         |  4   |   2    |   1     |

If you have a file names test_file

[root@localhost oracle]# ll
-rw-r--r--  1 root   root        0 Nov 14 15:05 test_file

We can see the file permissions are read & write for owner, read to group and read to others. Now if we want to remove the read permission to the group and other we can do as,

Take owner read and write values as 400+200=600.Since we are disabling the permissions for both group and everyone we don’t add those values.

We can use the “chmod” command for providing the permissions as
 [root@localhost oracle]# chmod -R 600 test_file

Once we check the permissions we can see as
[root@localhost oracle]# ll
-rw-------  1 root   root        0 Nov 14 15:05 test_file

Similarly if we want to add or delete specific permissions we can add values from the above diagram and use them with the chmod command.

Octal mode
We can also use octal representation for add/modify and delete permissions. We can use the table,

Octal number

So if we have to give a user read/write/execute (octal 7 = rwx), group read/execute (octal 5 = r-x), and other read only (octal 4 = r--) for the file test_file we can use

chmod 754 test_file

Relative mode
In this mode we change permissions that are not based on numbers and we have entities , operators and permissions in this. The below diagram tell give us the

user, group, and other access
group access
other access
user access
add specified permissions to the group, other, or user category of the specified files
remove specified permissions from the group, other, or user category of the specified files
set the specified permissions for the group, other, or user category of the specified files
read permission
set userid or groupid when executed
write permission
execute permission

We will use the above options as defined in the diagram. These options can be used in changing the permissions on a file as

[root@localhost oracle]# ll test_file
-rw-r--r-- 1 oracle oinstall 0 Nov 14 15:09 test_file

Add execute permission to all
[root@localhost oracle]# chmod a+x test_file

[root@localhost oracle]# ll test_file
-rwxr-xr-x 1 oracle oinstall 0 Nov 14 15:09 test_file

Remove read and write permission to other on a file
[root@localhost oracle]# chmod o-rw test_file
[root@localhost oracle]# ll test_file
-rwxr-x--x 1 oracle oinstall 0 Nov 14 15:09 test_file

A few other examples include
chmod u+x filename # adds execute permissions to the file's owner
chmod ug+w filename # adds write permissions to the file's owner and group
chmod a=rx filename # creates a 555 permission from scratch

In the next lesion we will see about other access permission like setgid,setuid and sticky bits.

No comments :

Post a Comment