Managing Permissions and Ownership

UGO format (symbolic):
User/Owner
Group
Other

Permissions of read, write, execute
4 2 1
r w x

1 0 0 = 4 (read)
1 0 1 = 5 (read and execute)
1 1 0 = 6 (read and write)
1 1 1 = 7 (read, write, and execute)

User/Owner		Group			Other
421			421			421
rwx			rwx			rwx

User/Owner		Group			Other
421			421			421
rwx			rwx			rwx

111000000 = 700 (User/Owner has all rights)
111101000 = 750 (User/Owner has all rights, Group can read and execute)
111110100 = 764 (User/Owner has all rights, Group and read/write, Other can read)

Read only filesystem allows execute - this is independent of UGO

-rwxrw-r--
- = regular file

drwxr-xr-x
d = directory

lrwxr-xr-x
l = link

prwxr-xr-x
p = pipe

chmod : Modify file/directory permissions

chmod <perm> object
chmod 700 object (Assign full permissions for the owner)
chmod -x object (Removes execute for everyone)
chmod UG+x object (Assigns execute to user and group but not other)
chmod g=rwx object (Assign full permissions for the group)

These changes will not take place recursively (on files in a directory)

• -R will apply changes recursively
• chmod -R +rx /directory (Apply read/execute recursively)

Default Permissions

Files created by root: 644
Files created by user: 664
Directories created by root: 755
Directories created by user: 775
Root Umask: 022
User Umask: 002

To change umask: umask 007
Set system-wide or user based umask in /etc/bashrc or /.bashrc

Ownership

chown

• chown user file/dir
• chown user:group file/dir
• chown :group file/dir
• chown -R (apply recursively)

chgrp
Kind of useless. chown can do everything.

Special Permissions

suid (special user id)

• Ignored on directories
• Executes file as the file owner, not executor (Intended for binaries)
• Modern shells ignore suid on scripts
• chmod 4xxx

passwd command (/bin/passwd):

• Owned by root
• SUID is on
• -rwsr-xr-x (the s identifies the suid)
• Without execute permissions, the suid is a capital S

sgid (special group id)

• Executes with permissions of the group
• In directory, all future files in the directory are owned by the group
• chmod g+s
• chmod 2xxx

sticky

• On directory, files can only be deleted by owner
• chmod 1xxx
• Will be displayed with a t

File Attributes

lsattr = List attributeslsattr
chattr = Change attributes

• chattr +i (immutable file)
• chattr -i (remove immutable)
• Immutable files are read only and defined by an i

ACLs

getfacl

• retrieve ACLs of files/directories

setfacl

• set ACLs on files/directories

Troubleshooting

Verify Permissions:
ls -al

Group Membership Troubleshooting:
groups <group>
/etc/groups

LAB : Managing Permissions and Ownership

Configuring .bashrc to apply non-standard umask:
vim /home/user/.bashrc
umask 022 (<-- put on a new line at bottom of file)

Configuring SGID Permissions and Sticky Bit:
chmod g+s /Dir (Set the SGID on Directory)

• To test, login as user and create file in directory. View permissions. Group should now be changed.

Configure Sticky bit to protect files from deletion by non-owners:
chmod +t /Dir (Set sticky bit on Directory)

• To test, login as user and try to delete a file owned by someone else in Directory.

Configuring the Immutable flag:
chattr +i /Dir/File (Set immutable flag on file in directory)
lsattr /Dir/File (Veryify immutable flag is set)

Configure an ACL
getfacl /Dir (View current ACLs)
setfacl -R -m g:GroupName:r /Directory (Recursively set read only ACL on Directory for the users in group GroupName)

• To verify, getfacl /Dir

setfacl -m u:user1:rwx /file/path