Understanding Linux File Permissions
Although there are already a lot of good security features built into Linux-based systems, one very important potential vulnerability can exist when local access is granted - - that is file permission based issues resulting from a user not assigning the correct permissions to files and directories. So based upon the need for proper permissions, I will go over the ways to assign permissions and show you some examples where modification may be necessary.
Basic File Permissions
Permission Groups
Each file and directory has three user based permission groups:
owner - The Owner permissions apply only the owner of the file or directory, they will not impact the actions of other users.
group - The Group permissions apply only to the group that has been assigned to the file or directory, they will not effect the actions of other users.
all users - The All Users permissions apply to all other users on the system, this is the permission group that you want to watch the most.
Permission Types
Each file or directory has three basic permission types:
read - The Read permission refers to a user's capability to read the contents of the file.
write - The Write permissions refer to a user's capability to write or modify a file or directory.
execute - The Execute permission affects a user's capability to execute a file or view the contents of a directory.
Viewing the Permissions
You can view the permissions by checking the file or directory permissions in your favorite GUI File Manager (which I will not cover here) or by reviewing the output of the "ls -l" command while in the terminal and while working in the directory which contains the file or folder.
The permission in the command line is displayed as: _rwxrwxrwx 1 owner:group
User rights/Permissions
The first character that I marked with an underscore is the special permission flag that can vary.
The following set of three characters (rwx) is for the owner permissions.
The second set of three characters (rwx) is for the Group permissions.
The third set of three characters (rwx) is for the All Users permissions.
Following that grouping since the integer/number displays the number of hardlinks to the file.
The last piece is the Owner and Group assignment formatted as Owner:Group.
Modifying the Permissions
When in the command line, the permissions are edited by using the command chmod. You can assign the permissions explicitly or by using a binary reference as described below.
Explicitly Defining Permissions
To explicity define permissions you will need to reference the Permission Group and Permission Types.
The Permission Groups used are:
u - Owner
g - Group
o - Others
a - All users
The potential Assignment Operators are + (plus) and - (minus); these are used to tell the system whether to add or remove the specific permissions.
The Permission Types that are used are:
r - Read
w - Write
x - Execute
So for an example, lets say I have a file named file1 that currently has the permissions set to _rw_rw_rw, which means that the owner, group and all users have read and write permission. Now we want to remove the read and write permissions from the all users group.
To make this modification you would invoke the command: chmod a-rw file1
To add the permissions above you would invoke the command: chmod a+rw file1
As you can see, if you want to grant those permissions you would change the minus character to a plus to add those permissions.
Using Binary References to Set permissions
Now that you understand the permissions groups and types this one should feel natural. To set the permission using binary references you must first understand that the input is done by entering three integers/numbers.
A sample permission string would be chmod 640 file1, which means that the owner has read and write permissions, the group has read permissions, and all other user have no rights to the file.
The first number represents the Owner permission; the second represents the Group permissions; and the last number represents the permissions for all other users. The numbers are a binary representation of the rwx string.
r = 4
w = 2
x = 1
You add the numbers to get the integer/number representing the permissions you wish to set. You will need to include the binary permissions for each of the three permission groups.
So to set a file to permissions on file1 to read rwxr____, you would enter chmod 740 file1.
Owners and Groups
I have made several references to Owners and Groups above, but have not yet told you how to assign or change the Owner and Group assigned to a file or directory.
You use the chown command to change owner and group assignments, the syntax is simplechown owner:group filename, so to change the owner of file1 to user1 and the group to family you would enter chown user1:family file1.
Advanced Permissions
The special permissions flag can be marked with any of the following:
_ - no special permissions
d - directory
l- The file or directory is a symbolic link
s - This indicated the setuid/setgid permissions. This is not set displayed in the special permission part of the permissions display, but is represented as a s in the read portion of the owner or group permissions.
t - This indicates the sticky bit permissions. This is not set displayed in the special permission part of the permissions display, but is represented as a t in the executable portion of the all users permissions
Setuid/Setgid Special Permissions
The setuid/setguid permissions are used to tell the system to run an executable as the owner with the owner's permissions.
Be careful using setuid/setgid bits in permissions. If you incorrectly assign permissions to a file owned by root with the setuid/setgid bit set, then you can open your system to intrusion.
You can only assign the setuid/setgid bit by explicitly defining permissions. The character for the setuid/setguid bit is s.
So do set the setuid/setguid bit on file2.sh you would issue the command chmod g+s file2.sh.
Sticky Bit Special Permissions
The sticky bit can be very useful in shared environment because when it has been assigned to the permissions on a directory it sets it so only file owner can rename or delete the said file.
You can only assign the sticky bit by explicitly defining permissions. The character for the sticky bit is t.
To set the sticky bit on a directory named dir1 you would issue the command chmod +t dir1.
When Permissions Are Important
To some users of Mac- or Windows-based computers you don't think about permissions, but those environments don't focus so aggressively on user based rights on files unless you are in a corporate environment. But now you are running a Linux-based system and permission based security is simplified and can be easily used to restrict access as you please.
So I will show you some documents and folders that you want to focus on and show you how the optimal permissions should be set.
home directories- The users' home directories are important because you do not want other users to be able to view and modify the files in another user's documents of desktop. To remedy this you will want the directory to have the drwx______ (700) permissions, so lets say we want to enforce the correct permissions on the user user1's home directory that can be done by issuing the command chmod 700 /home/user1.
bootloader configuration files- If you decide to implement password to boot specific operating systems then you will want to remove read and write permissions from the configuration file from all users but root. To do you can change the permissions of the file to 700.
system and daemon configuration files- It is very important to restrict rights to system and daemon configuration files to restrict users from editing the contents, it may not be advisable to restrict read permissions, but restricting write permissions is a must. In these cases it may be best to modify the rights to 644.
firewall scripts - It may not always be necessary to block all users from reading the firewall file, but it is advisable to restrict the users from writing to the file. In this case the firewall script is run by the root user automatically on boot, so all other users need no rights, so you can assign the 700 permissions.
Other examples can be given, but this article is already very lengthy, so if you want to share other examples of needed restrictions please do so in the comments.
Comments Welcome
If you have anything to add or want to make a comment or correction please do so in the comments. I look forward to your feedback and wish you the best in your future with Linux-based systems.
Understanding Linux File Permissions的更多相关文章
- Error of "Please Check for Sufficient Write File Permissions"
The error message “Please check for sufficient write file permissions” is generated by the Web-based ...
- RH033读书笔记(4)-Lab 5 File Permissions
Lab 5 File Permissions Sequence 1: Determining File Permissions 1. What is the symbolic representati ...
- Understanding Linux CPU stats
Your Linux server is running slow, so you follow standard procedure and run top. You see the CPU met ...
- chattr lsattr linux file system attributes - linux 文件系统扩展属性
我们使用 linux 文件系统扩展属性,能够对linux文件系统进行进一步保护:从而给文件 赋予一些额外的限制:在有些情况下,能够对我们的系统提供保护: chattr命令用来改变文件属性.这项指令可改 ...
- Linux— file命令 用于辨识文件类型
Linux file命令用于辨识文件类型. 通过file指令,我们得以辨识该文件的类型. 语法 file [-bcLvz][-f <名称文件>][-m <魔法数字文件>...] ...
- Linux File System Change Monitoring Technology、Notifier Technology
catalog . 为什么要监控文件系统 : hotplug . udev . fanotify(fscking all notification system) . inotify . code e ...
- Linux File System
目录 . Linux文件系统简介 . 通用文件模型 . VFS相关数据结构 . 处理VFS对象 . 标准函数 1. Linux文件系统简介 Linux系统由数以万计的文件组成,其数据存储在硬盘或者其他 ...
- Linux File Recovery Study
Background Today I did stupid things that I went into the ~/Downloads/ and pressed [Alt] + [A] then ...
- 磁盘、分区及Linux文件系统 [Disk, Partition, Linux File System]
1.磁盘基础知识 1.1 物理结构 硬盘的物理结构一般由磁头与碟片.电动机.主控芯片与排线等部件组成:当主电动机带动碟片旋转时,副电动机带动一组(磁头)到相对应的碟片上并确定读取正面还是反面的碟面,磁 ...
随机推荐
- 操作符(运算符)重载 或者叫 二元运算符 operator + 与 转换式操作符 implicit operator explicit operator
static void Main(string[] args) { rational r1 = new rational(5); rational r2 = new rational(51); rat ...
- 浅谈C/C++堆栈指引——C/C++堆栈
C/C++堆栈指引 Binhua Liu 前言 我们经常会讨论这种问题:什么时候数据存储在飞鸽传书堆栈(Stack)中.什么时候数据存储在堆(Heap)中.我们知道.局部变量是存储在堆栈中的.debu ...
- vs 2015 update 3各版本下载地址
微软在06月27日发布了Visual Studio 2015 Update 3 .在MSDN中微软也提供下载,而且MSDN的Visual Studio 2015 Update 3与官方免费下载的文件是 ...
- oracle中提高order by的性能
1.如果order by columnA,那么在where查询条件中添加条件columnA=value,则oracle内部会过滤order by排序,直接用索引(可以通过execution plan查 ...
- bbb u-boot SPI 启动
beagle bone black的u-boot编译时已经为SPI准备好了 MLO.byteswap,这个文件应该直接写入到SPI flash的偏移0位置,根据am335x的手册,SPI内可以保存多份 ...
- 机器学习6—SVM学习笔记
机器学习牛人博客 机器学习实战之SVM 三种SVM的对偶问题 拉格朗日乘子法和KKT条件 支持向量机通俗导论(理解SVM的三层境界) 解密SVM系列(一):关于拉格朗日乘子法和KKT条件 解密SVM系 ...
- Python鸡汤
标准库 很正确 外部库 有一些风险,可能有bug,可能文档不全,可能长时间未更新. ipython 1 pip 这应该是安装Python后第一个需要的命令 pip install -i -i, --i ...
- Android分享图片失败解决方案
前言:在做图片分享到微博或是用彩信分享的时候,会遇到“无法将图片添加到信息中”,其实这个问题的原因是创建的那个图片默认是,只能被当前应用调用,无法被其他应用调用,即分享的时候,无法读取到图片,并提示I ...
- 解决Discuz安装时报错“该函数需要 php.ini 中 allow_url_fopen 选项开启…”
开启php的fsockopen函数 —— 解决DZ论坛安装问题“该函数需要 php.ini 中 allow_url_fopen 选项开启.请联系空间商,确定开启了此项功能 在安装dz论坛时遇到因为fs ...
- Ant自己主动编译打包&公布 android项目
Eclipse用起来尽管方便,可是编译打包android项目还是比較慢,尤其将应用打包公布到各个渠道时,用Eclipse手动打包各种渠道包就有点不切实际了,这时候我们用到Ant帮我们自己主动编译打包了 ...