Understanding Permissions Under GNU/Linux Systems
“Permission plays a vital role in everyday life, without permission we cannot achieve work in a swift manner. Thus understanding permission is a crucial task and one should be well adept with the rules of the permission. Today we unravel various aspects of the permission that has been implemented in the *Unix subsystem”.
Every operating system handle files and directories uniquely. The security of the system depends on many factors however the most important aspect is the way how an OS handles file. Window or NT based OS treats all files equally, which may lead to security holes and unwanted vulnerabilities for hackers to exploit. Due to which Windows has always been a hackers delight. Contrary to Windows, Unix based system or Linux handles files in a much sophisticated manner, special set of rules has been defined for better and efficient file handling.
- Are you a blogger? Now you can make money from Muktware....check it out: Muktware's Bloggers Network
Unlike Windows, Linux has varied log-in scenario and many users can log-in and use the system at once. Thus it is very necessary for everyone to bypass the security by entering the valid login id and password so that they can access the bread of their share. So it is very necessary for the system to preserve the space and share so that users don’t goof up with other users data. To ensure a smooth functionality, every user has been provided with his her home folder under /home/<user_name>/. A place where system provides permission so that only the user can access and share files and others cannot mess around.
Permission setup might be time consuming and perpetual. But its one of the most efficient way to manage data. You must be thinking about why get into so much trouble of setting permission. But through efficient permission scenario one can make sharing easy and lucid. With multiple users you can easily assign a common access point for file sharing thus taking away the hectic job of making files available through any other sharing program or the likes.
So in order to understand the permission scenario and to develop a common permission set of rule one must understand how things work in linux. Linux permission is usually segregated into three categories.
1. File Owner
2. Group Member
3. Access Permission.
Every file has an owner. Once you create a file it is assigned an owner. Generally the user that creates the file is the default owner of the file, however this can be changed using permission and user scenario in linux. A file can have only one owner, not more than one owner is allowed. A bunch of users form a group. So similar or known users can be clubbed together under a group.
The next and the most crucial part of the permission scenario is the access permission. Access permission is further segregated into three part.
Read means a user can read the file, read here means only read or viewing and no other operations can be performed on that particular file. Write on the other hand means we can only write to that file. With only write permission applicable a user can only “write” to the file and cannot even see the content. Sounds weird ain’t it ? We will look into this part later down the article.
Execute means run a file with execute permission. Each file has some predefined sets of permission, and these can be viewed by ‘ls -l’ command. The ls or List command simply displays the data in a directory. Since Linux treat directory as a file it also displays the directories. A simple ls -l (long listing) under a directory will show up lots of boggling data. But its very easy to make out once you get permission thing under your belt.
[shashwat@localhost ~]$ ls -l
-rw-rw-r-- 1 shashwat shashwat 273089 Dec 23 17:12 AMD_fusion_Whitepaper.pdf
drwxrwxr-x. 4 shashwat shashwat 4096 Dec 24 19:53 Code
From the above example the first field denoted by ‘–’ represents the file type indicator. A file can be of many types say a normal file, a directory file, link file and many more. Depending on the type of file the notation changes in the first field. A simple – or s represents a normal file, while d stands for directory.
Taking the first line in consideration, the next three field after file type field i.e. rw- indicates the access control for the owner of the file. The next three i.e. rw- indicates the access control for the group. The last three field indicates access permission for other users that are not even owner nor a part of the group.
The next in the output shows the number of links associated with a file. The 1 in the first lines shows that the file has only one accessible link. The 4 in the second line represents that there are 4 links associated with it. Generally a blank directory has 2 link. One is the link for the current directory and the other for the parent directory. The number of link increase as you increase the content of a directory.
The next two field indicates owner and group of the file. In case of the output both are shashwat. This means shashwat is the owner and the group owner/member of the file. The rest syntax indicates file size in bytes. The next is the time stamp, note that time stamp changes the instance you make any change with the file, it includes reading, writing or modifying. However ls -l will only list time stamp of modifying. More time stamp details can be seen by using stat command.
The Last field indicate the name of the file.
That sums the basic terminology associated with the ls -l command. Once we got the basic terminology under our belt its time for us to play with the permission in linux. There are many ways to play with the permission i.e. the GUI and the CLI mode.
Changing Permission via GUI: Changing permission in GUI is almost the same in various desktop environment be it the KDE , Gnome or XFCE. To change the permission open the file manager i.e. Dolphin/Konqueror in KDE, Nautilus in Gnome and Thunar in XFCE. Once done navigate to the file that you want to have different sets of permission, right click the file and then select properties. Under Permission Tab change the permission as you want to.
Note: Before changing permission you must have the desired previlidges to write the permission. Else you cannot make changes. In-order to change permission you can open the desired file manger through superuser mode via kdesu or gksu command followed by the file manager name.
Changing Permission via CLI : CLI has always been the usability turf. If you know your way around CLI is the best bet, same goes for changing permission. Changing permission in linux can be achieved perfectly through CLI or in fact CLI should be the preferred way to change a file/directory permission.
To change permission in linux through command line is by using ‘chmod’ command. To change permission through chmod simply run the command over a directory or a file with requisite parameters to get the desired result. The general way to put a chmod command is like
chmod <parameters> <directory/file path>
Changing permission in chmod can be achieved through ways, by passing alphabetical parameters or through numerical parameters. We will look them one by one.
Alphabetical Parameter : – Fairly easy to grasp, this way requires a user to understand few things before changing permission. The variable needed to understand are: -
Once we get the basic thing we are all good to go. Now to change permission in a directory or a file via chmod alphabetical parameter we apply the commands in these ways.
chmod a+rwx /grub/menu.lst
The above is a basic example of changing permission through alphabetical parameters. Now ‘a’ stands for all and + stands for addition. So from the above command we can conclude that the owner of the file i.e. root in this case wish to grant access of read (r), write (w) and execute (x) to all the possible users in the system.
Similarly we can reduce the permission using the above method.
chmod og-rw /media/sdb1
The above combines the user level and removes the access of read and write from other and group level. Likewise we can come up with various combination of alphabetical ways to change permission.
- Numerical Parameters : – Though the end result is same , getting numerical way to change the permission comes handy even though it might be not your cup of tea. Since getting through numbers is not human tendency. Anyway since there is a way we had to just look into it. Numerical way works exactly similar to that of alphabetical way..
Since the ls -l output show a total of 9 field for permission minus the file type indicator field. From the nine field each 3 field is for read (r), write (w), and execute (x). So here is a table that shows up what is the numerical equivalent for alphabetical counterpart, for the general 3 fields i.e. rwx.
The above represents value for only 3 bit of the permission field however there are nine bits. So those octal digits can be combined to provide the permission is the following way
chmod 777 /boot/grub.conf
The above is similar to a+rwx that we used in the examples of Alphabetical chomd expression. Some alphabetical representation in numerical are shown in the following table.
Similarly other possible combinations can be made out by carrying out simple octal conversion.
Special Permission: - Apart from normal permission Linux cater to some instances that require special permission. SetUID/GID and Sticky Bit are the other two permission that are available for use. However it is advised not to use these permission on files that you are not sure. Cause undue usage can lead your system to vulnerabilities. Thus avoid these permission on files owned by root.
SetUID/GID bits allow any user to run a file which has been assigned the SetUID/GID bit with the owners privileges. A wrong permission can bring the system down so be careful with the SetUID/GID bit. To attach this special permission to an executable use the following command
chmod a+s filename
A file with a setuid/gid bit set will show different variables in the permission field when viewed by ls -l command.
[shashwat@localhost minitunes]$ ls -l minitunes
-rwsr-xr-x 1 shashwat shashwat 852329 Jul 13 16:03 minitunes
Notice above instead of x (executable) now it shows s, which represent that the following executable file has been assigned a special bit.
Stickybit on the other hand are more worthy than SetUID/GID bits. When applied on a directory/file it ensures that no one can tamper with the data other than the owner of the directory/file. To apply sticky bit permission use the following command :-
chmod +t /home/code
Similar to SetUID/GID bits, ls -l differ when applied on a file or directory.
[shashwat@localhost ~]$ ls -ld Code/
drwxrwxr-t. 4 shashwat shashwat 4096 Dec 24 19:53 Code/
Here t represent that the said directory has sticky bit applied so no other user can tamper with data inside the directory.
Umask: These are special set of rules that restricts the user to apply full permission. Once you create a file umask restrict the system to allow complete permission for the desired file. Umask defines the effective permission of system by deducting 022 value from the permission of the system.
Effective Permission = Applicable Permission – Umask
By default the value of umask is 022 . So if you create a file with 777 permission the aplicable permission will be 755.
Owner / Group : - When you create a file you are the owner of the file, and by default the user has the group similar to its name. So you are the owner and group owner of the file that you create. A user can be a member of many group but can have a owner of only one group. Inorder to assign multiple group we use:-
chmod -G group1,group2
The above adds additional groups to the users group, and makes it a member of other available group. We can change the group owner ship by using -g handler. But in this case there can be only one group. Cause only one user can be an owner of a particular group.
To change the owner ship and group from a file we use chown and chgrp command.
To change ownership of a file / directory we use commands as stated : -
chown <user_name> <file_directory path>
For example chown lfy /opt/abc.txt will change the owner ship of abc.txt file to lfy. In order to change group we use chgrp in similar way we use chown.
chgrp lfy ~/abc.txt
However we can change ownership and group owner ship using the chown command only. Inorder to achieve this simply follow the below syntax.
chown <username>.<group_name> <file_path>
For example chown shashwat.lfy ~/Code will change the owner to shashwat and group owner to lfy for the said file/directory.
Conclusion: Permission plays a vital role in maintaining the security of the system. A sound knowledge of the permission can help you design the security of the system in a better and efficient way. Though permission forms the very basic part of the system, yet these fundamental security blocks can let you create a stupendous system shield that not only lets you secure your data but allow others to manoeuvre them easily. What we have covered in the article is only the tip of ice berg, with advance permission and control lists we can have much enhanced security framework. So inorder to make things more secure keep diggin the resources and create an enhanced permission layout.
About the Author:
Shashwat Pant is a foss/hardware enthusiast who like to review software and tweak his hardware for optimum performance.. Interested in Python and Qt programming and fond of benchmarking latest foss distro…