Basics: Mode, User and Group Ownership

Owner and Permissions

Types of permissions

  • Read (r)

  • Write (w)

  • Execute (x)

Separate permissions for …

  • User (u): the owning user of the entry

  • Group (g): the owning group of the entry

  • Others (o): all others

A Simple Example

The typical ls -l output:

$ ls -l tasks.csv
-rw-rw-r-- 1 jfasch team 396 Jun  8 14:49 tasks.csv

Three groups of “bits”: rw-, rw-, r--

Bits

Meaning

rw-

Read- and writable for owning user (jfasch)

rw-

Read- and writable for owning group (team)

r--

Readable for all others: those who are neither user jfasch nor belong to group team

First column (-) is irrelevant (type: regular file)

Permission Check: User

Can user ``jfasch`` write the file?

  • Which triplet to check?

    • jfasch is the owner of the file

    • ⟶ The first triplet: rw-

  • ⟶ yes, jfasch can write

  • (likewise, jfasch will be able to read)

Permission Check: Group

Can user ``teammember42`` write the file?

  • Which triplet to check?

    • teammember42 is not jfaschnot the first triplet

    • Is teammember42 a member of group team?

      $ id teammember42
      uid=1001(teammember42) gid=1002(teammember42) groups=1002(teammember42),1001(team)
      
      • Answer: yes

      • ⟶ second triplet, rw-

  • ⟶ yes, teammember42 can write

  • (likewise, teammember42 will be able to read)

Permission Check: Others

Can user ``manfromthestreet`` read the file?

  • Which triplet to check?

    • manfromthestreet is not jfaschnot the first triplet

    • Is manfromthestreet a member of group team?

      $ id manfromthestreet
      uid=1002(manfromthestreet) gid=1003(manfromthestreet) groups=1003(manfromthestreet)
      
      • Answer: no

      • ⟶ not the second triplet

    • manfromthestreet is among the others

      • Third triplet, r--

      • ⟶ no, manfromthestreet cannot write

      • (manfromthestreet can read though)

Execute Permissions

$ ls -l /bin/ls
-rwxr-xr-x ... /bin/ls

Facts …

  • An executable file does not have to end with .exe to be executable

  • … it simply is executable

Directory Permissions

$ ls -ld /etc
drwxr-xr-x ... 07:54 /etc
  • Read permissions: content (list of names) is readable

  • Execute permissions: to access a file (e.g. for reading), one has to have execute permissions on the parent directory and all directories along the path

  • The right to cd into the directory

Permission Bits, octal

ls -l Output

Binary

Shell command

-rw-r--r--

110100100

chmod 0644 <path>

-rw-------

110000000

chmod 0600 <path>

-rwxr-xr-x

111101101

chmod 0755 <path>

Default Permissions - umask

The U-Mask …

  • Bit field

  • Subtracted from default permissions at file/directory creation

  • Process attribute ⟶ inherited

umask in action
$ umask
0022
$ touch /tmp/file
$ ls -l /tmp/file

umask: How Does it Work?

  • umask subtracted from default permissions

  • umask is an (inherited) process attribute

  • Default permissions at file creation: rw-rw-rw-

Default permissions

rw-rw-rw-

110 110 110

0666

  • U-Mask

----w--w-

000 010 010

0022

Outcome

rw-r--r--

110 100 100

0644

Shell Commands

  • Permission modification (set to octal value)

    $ chmod 755 /bin/script.sh
    
  • Permission modification (differential symbolic)

    $ chmod u+x,g-wx,o-rwx /bin/script.sh
    
  • Group ownership modification (only root and members of the group can do this)

    $ chgrp team /tmp/file
    
  • Ownership modification (only root)

    # chown jfasch /tmp/file
    
  • chmod, chown, and chgrp understand

    -R for “recursive”.

Set-UID Bit

Set-UID Bit: motivation

  • Ugly hack!

  • Encrypted passwords in /etc/passwd (or /etc/shadow, nowadays)

  • Only root can modify

  • I (jfasch) want to change my password

  • Have to ask root to edit /etc/passwd or /etc/shadow for me

  • root is annoyed by me

$ ls -l /bin/passwd
-rws--x--x 1 root root ... /bin/passwd

Sticky Bit

Sticky bit: motivation

  • Ugly hack!

  • Everyone has write permissions in /tmp

    • ⟶ everyone can create files

    • ⟶ everyone can remove files

  • Chaos: everyone can remove each other’s files

$ ls -ld /tmp
drwxrwxrwt ... /tmp