Day 14 - Who has permission?
INTRO
Files on a Linux system always have associated “permissions” - controlling who has access and what sort of access. You’ll have bumped into this in various ways already - as an example, yesterday while logged in as your “ordinary” user, you could not upload files directly into /var/www or create a new folder at /.
The Linux permission system is quite simple, but it does have some quirky and subtle aspects, so today is simply an introduction to some of the basic concepts.
This time you really do need to work your way through the material in the RESOURCES section!
YOUR TASKS TODAY
- Change the ownership of a file to root
- Change file permissions
OWNERSHIP
First let’s look at “ownership”. All files are tagged with both the name of the user and the group that owns them, so if we type ls -l and see a file listing like this:
-rw------- 1 steve staff 4478979 6 Feb 2011 private.txt
-rw-rw-r-- 1 steve staff 4478979 6 Feb 2011 press.txt
-rwxr-xr-x 1 steve staff 4478979 6 Feb 2011 upload.bin
Then these files are owned by user “steve”, and the group “staff”. Anyone that is not “steve” or is not part of the group “staff” is considered “other”. Others may still have permissions to handle these files, but they do not have any ownership.
If you want to change the ownership of a file, use the chown utility. This will change the user owner of a file to a new user:
sudo chown user file
You can also change user and group at the same time:
sudo chown user:group file
If you only need to change the group owner, you can use the chgrp command instead:
sudo chgrp group file
Since you created new users in the previous lesson, switch logins and create a few files in their home directories for testing. See how they show with ls -l.
PERMISSIONS (SYMBOLIC NOTATION)
Look at the -rw-r--r-- at the start of a directory listing line (ignore the first “-” for now), and see these as potentially three groups of “rwx”: the permission granted to the “user” who owns the file, the “group”, and “other people” - we like to call that UGO.
For the example list above:
- private.txt - Steve has rw (i.e. Read and Write) permission, but neither the group “staff” nor “other people” have any permission at all
- press.txt - Steve can Read and Write to this file too, but so can any member of the group “staff” and anyone, i.e. “other people”, can read it
- upload.bin - Steve has rwx, he can read, write and execute - i.e. run this program - but the group and others can only read and execute it
You can change the permissions on any file with the chmod utility. Create a simple text file in your home directory with vim (e.g. tuesday.txt) and check that you can list its contents by typing: cat tuesday.txt or less tuesday.txt.
Now look at its permissions by doing: ls -ltr tuesday.txt
-rw-rw-r-- 1 ubuntu ubuntu 12 Nov 19 14:48 tuesday.txt
So, the file is owned by the user “ubuntu”, and group “ubuntu”, who are the only ones that can write to the file - but any other user can only read it.
CHANGING PERMISSIONS
Now let’s remove the permission of the user and “ubuntu” group to write their own file:
chmod u-w tuesday.txt
chmod g-w tuesday.txt
…and remove the permission for “others” to read the file:
chmod o-r tuesday.txt
Do a listing to check the result:
-r--r----- 1 ubuntu ubuntu 12 Nov 19 14:48 tuesday.txt
…and confirm by trying to edit the file with nano or vim. You’ll find that you appear to be able to edit it - but can’t save any changes. (In this case, as the owner, you have “permission to override permissions”, so you can write with :w!). You can of course easily give yourself back the permission to write to the file by:
chmod u+w tuesday.txt
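The steps above can be replayed as a script. This is an added example, not part of the original lesson: it recreates tuesday.txt in a temporary directory, applies the same chmod commands, and prints the mode string split into its user/group/other triplets after each one. The function names mode_of, ugo and walkthrough are made up for illustration, and the starting mode is forced with chmod u=rw,g=rw,o=r so the result does not depend on your umask.

```shell
#!/bin/sh
# Added example: replay the lesson's chmod steps on a scratch copy of tuesday.txt.

# Print the 10-character mode string (e.g. -rw-rw-r--) that ls -l shows.
# cut drops anything after it, such as the "+" or "." some systems append.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# Split a mode string into its user / group / other triplets (UGO).
# Character 1 is the file type, 2-4 user, 5-7 group, 8-10 other.
ugo() {
    m=$1
    printf 'user=%s group=%s other=%s\n' \
        "$(printf '%s' "$m" | cut -c2-4)" \
        "$(printf '%s' "$m" | cut -c5-7)" \
        "$(printf '%s' "$m" | cut -c8-10)"
}

# Run the walkthrough in a temporary directory.
# Prints one mode string per line, one line per step.
walkthrough() {
    dir=$(mktemp -d) || return 1
    f="$dir/tuesday.txt"
    echo "hello world" > "$f"
    # Assumption: force the starting mode from the lesson's listing.
    chmod u=rw,g=rw,o=r "$f"; mode_of "$f"
    chmod u-w "$f";           mode_of "$f"   # owner loses write
    chmod g-w "$f";           mode_of "$f"   # group loses write
    chmod o-r "$f";           mode_of "$f"   # others lose read
    chmod u+w "$f";           mode_of "$f"   # owner gets write back
    rm -rf -- "$dir"
}

# Show each step's mode next to its UGO breakdown.
walkthrough | while read -r m; do
    printf '%s  %s\n' "$m" "$(ugo "$m")"
done
```

The fourth line of output matches the -r--r----- listing shown above, and the last line shows that chmod u+w restores write access for the owner only.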
POSTING YOUR PROGRESS
Just for fun, create a file: secret.txt in your home folder, take away all permissions from it for the user, group and others - and see what happens when you try to edit it with vim.
EXTENSION
If all of this is old news to you, you may want to look into Linux ACLs:
Also, SELinux and AppArmor:
- SELinux man page
- SELinux User’s and Administrator’s Guide
- SELinux For Mere Mortals
- Securing Ubuntu 18 04 with Apparmor
RESOURCES
- How to Use the chown Command to Change the Owner of a File in Linux
- If chown can change groups, why was chgrp created?
- Linux file permissions explained
- File permissions and attributes
- File Security
- chmod Tutorial
- File and Directory Permissions
- What is “umask” and how does it work?