Day 13 - Who has permission?
Files on a Linux system always have associated “permissions” - controlling who has access and what sort of access. You’ll have bumped into this in various ways already - as an example, yesterday while logged in as your “ordinary” user, you could not upload files directly into /var/www or create a new folder at /.
The Linux permission system is quite simple, but it does have some quirky and subtle aspects, so today is simply an introduction to some of the basic concepts.
This time you really do need to work your way through the material in the RESOURCES section!
First let’s look at “ownership”. All files are tagged with both the name of the user and the group that owns them, so if we type “ls -l” and see a file listing like this:
-rw------- 1 steve staff 4478979 6 Feb 2011 private.txt -rw-rw-r-- 1 steve staff 4478979 6 Feb 2011 press.txt -rwxr-xr-x 1 steve staff 4478979 6 Feb 2011 upload.bin
Then these files are owned by user “steve”, and the group “staff”.
Looking at the ‘-rw-r–r–” at the start of a directory listing line, (ignore the first “-” for now), and see these as potentially three groups of “rwx”: the permission granted to the user who owns the file, the “group”, and “other people”.
For the example list above:
- private.txt - Steve has “rw” (ie Read and Write) permission, but neither the group “staff” nor “other people” have any permission at all
- press.txt - Steve can Read and Write to this file too, but so can any member of the group “staff” - and anyone can read it
- upload.bin - Steve can write to the file, all others can read it. Additionally all can “execute” the file - ie run this program
You can change the permissions on any file with the
chmod utility. Create a simple text file in your home directory with
vim (e.g. tuesday.txt) and check that you can list its contents by typing:
cat tuesday.txt or
Now look at its permissions by doing:
ls -ltr tuesday.txt
-rw-rw-r-- 1 ubuntu ubuntu 12 Nov 19 14:48 tuesday.txt
So, the file is owned by the user “ubuntu”, and group “ubuntu”, who are the only ones that can write to the file - but any other user can read it.
Now let’s remove the permission of the user and “ubuntu” group to write their own file:
chmod u-w tuesday.txt
chmod g-w tuesday.txt
…and remove the permission for “others” to read the file:
chmod o-r tuesday.txt
Do a listing to check the result:
-r--r----- 1 ubuntu ubuntu 12 Nov 19 14:48 tuesday.txt
…and confirm by trying to edit the file with
vim. You’ll find that you appear to be able to edit it - but can’t save any changes. (In this case, as the owner, you have “permission to override permissions”, so can can write with
:w!). You can of course easily give yourself back the permission to write to the file by:
chmod u+w tuesday.txt
On most modern Linux systems there is a group created for each user, so user “ubuntu” is a member of the group “ubuntu”. However, groups can be added as required, and users added to several groups.
To see what groups you’re a member of, simply type:
On an Ubuntu system the first user created (in your case
ubuntu), should be a member of the groups:
adm - and if you list the
/var/log folder you’ll see your membership of the
adm group is why you can use
less to read and view the contents of
The “root” user can add a user to an existing group with the command:
usermod -a -G group user
ubuntu user can do the same simply by prefixing the command with
sudo. For example, you could add a new user
fred like this:
Because this user is not the first user created, they don’t have the power to run
sudo - which your user has by being a member of the group
So, to check which groups
fred is a member of, first “become fred” - like this:
sudo su fred
Now type “exit” to return to your normal user, and you can add
fred to this group with:
sudo usermod -a -G sudo fred
And of course, you should then check by “becoming fred” again and running the
POSTING YOUR PROGRESS
Just for fun, create a file: secret.txt in your home folder, take away all permissions from it for the user, group and others - and see what happens when you try to edit it with
umaskand test to see how it’s setup on your server
- the classic octal mode of describing and setting file permissions. (e.g.
chmod 664 myfile)
Look into Linux ACLs:
Also, SELinux and AppArmour:
- SELinux man page
- SELinux User’s and Administrator’s Guide
- SELinux For Mere Mortals
- Securing Ubuntu 18 04 with Apparmor
Some rights reserved. Check the license terms here