
Thread: How to Manage File Permission in Unix

  1. #1
    Join Date
    Feb 2010

    How to Manage File Permission in Unix

    Managing Unix file permissions

    1. File permission principles in Unix: generic rights
    1.1. Rationale

    Unix file permissions are managed along three axes: the read right (Read), the write right (Write) and the execute right (execute).
    - The read right allows the contents of a file to be read.
    - The write right allows a file to be modified or deleted.
    - The execute right, on binaries or shell scripts, allows the program to be launched.

    In numeric form:
    Read = 4
    Write = 2
    execute = 1

    Applied to a directory, these definitions differ somewhat.
    r - Read - The file can be read - The directory can be listed (example: get the files in this directory with the ls command)

    w - Write - The contents of the file can be modified or its attributes changed - In the directory, you can delete, create or edit a file

    x - execute - The file can be executed - You can enter this directory, which becomes your current directory

    Each of these rights is assigned to three categories of people: the owner (owner or UID), the group (GID) and the rest of the world (other).

    1.2. Implementation with an example

    So, I have a file, test.xml, containing my recipes.
    These are the permissions of the file:

    ls -l test.xml
    -rwxr-xr-- 1 sl friends 200 Sep 23 16:44 test.xml

    Look at the above output carefully.
    The first "-" does not concern us; it is the type of file (e.g. d = directory).

    Then there are three sets of three letters, starting from the first r:
    rwx: rights of the owner, sl => the user sl has the rights to read, write and execute the file.
    r-x: rights of the group, friends => everyone in this group has the read and execute rights.
    r--: rights of the rest of the world => the others have just the read right.

    If you want to change the file permissions, the chmod command is there for that.
    It is used as:
    chmod XYZ myfile
    Note: When you change the permissions of a directory and you want all the files it contains to have the same rights, use the -R option (for recursive).

    Here X, Y and Z are respectively the rights (digital) of the owner, group and the rest.

    How to calculate X? By summing up the rights you want to grant.
    rwx = 4 + 2 + 1 = 7
    rw- = 4 + 2 = 6
    r-x = 4 + 1 = 5
    --- = 0
    (Y and Z are calculated in the same way)

    For setting the permissions "rwxr-----", here is the command:
    chmod 740 MyFile
    If the arithmetic does not seem very meaningful, there is a literal way to give the rights:
    chmod u+rw MyFile
    This adds read and write for the owner.

    As the first letter, you give the type of person to change. Then, with + or -, you describe respectively an addition of rights or a withdrawal of rights. It only remains to give the rights concerned, with the letters r, w, x.
    The owner of the file - u
    The group of the file - g
    The rest of the world - o
    Everyone - a
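    The arithmetic and the letter notation from the post above, as an added example that is not part of the original post. It converts between ls-style triplets and octal modes, applies chmod-style expressions such as u+rw or go-w (handling the u/g/o/a classes and comma-separated clauses, which is more general than the single case the post shows), and then checks the result on a real temporary file with os.chmod and os.stat. All function names are my own choices, not commands from the post.

```python
import os
import stat
import tempfile

# Numeric value of each letter, as the post lists them (r = 4, w = 2, x = 1).
BITS = {"r": 4, "w": 2, "x": 1}
# Bit offset of each class of person inside the nine-bit mode: owner, group, others.
WHO = {"u": 6, "g": 3, "o": 0}


def triplet_value(triplet):
    """Sum one three-letter group: 'rwx' -> 7, 'rw-' -> 6, 'r-x' -> 5, '---' -> 0."""
    if len(triplet) != 3:
        raise ValueError("a permission triplet has exactly three characters")
    total = 0
    for letter, expected in zip(triplet, "rwx"):
        if letter == expected:
            total += BITS[letter]
        elif letter != "-":
            raise ValueError(f"unexpected character {letter!r} in {triplet!r}")
    return total


def symbolic_to_mode(text):
    """'rwxr-x---' -> 0o750: the three triplets are owner, group and others."""
    if len(text) != 9:
        raise ValueError("expected nine characters, e.g. rwxr-x---")
    return (triplet_value(text[0:3]) << 6) | (triplet_value(text[3:6]) << 3) | triplet_value(text[6:9])


def mode_to_symbolic(mode):
    """0o740 -> 'rwxr-----': the nine letters ls -l prints after the file type."""
    letters = []
    for shift in (6, 3, 0):
        value = (mode >> shift) & 0o7
        for letter, bit in BITS.items():
            letters.append(letter if value & bit else "-")
    return "".join(letters)


def apply_symbolic(mode, spec):
    """Apply a chmod-style expression ('u+rw', 'go-w', 'a=r', 'u+x,g-r') to a mode.

    Handles the u/g/o/a classes and the r/w/x letters the post describes; comma-
    separated clauses are applied left to right, as chmod does. No class means 'a'.
    """
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        classes = clause[:i] or "a"
        if "a" in classes:
            classes = "ugo"
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError(f"expected +, - or = in {clause!r}")
        op, rights = clause[i], clause[i + 1:]
        bits = 0
        for letter in rights:
            if letter not in BITS:
                raise ValueError(f"unknown right {letter!r} in {clause!r}")
            bits |= BITS[letter]
        for who in set(classes):
            shift = WHO[who]
            current = (mode >> shift) & 0o7
            if op == "+":
                new = current | bits
            elif op == "-":
                new = current & ~bits
            else:
                new = bits
            mode = (mode & ~(0o7 << shift)) | ((new & 0o7) << shift)
    return mode & 0o777


def chmod_round_trip(mode):
    """Create a temporary file, chmod it, and read the bits back with os.stat.

    Shows that os.chmod sets exactly the requested bits (the umask does not apply here).
    """
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return stat.S_IMODE(os.stat(path).st_mode) & 0o777
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # The post's example: owner rwx, group r--, others nothing -> chmod 740
    print(oct(symbolic_to_mode("rwxr-----")))                # 0o740
    print(mode_to_symbolic(chmod_round_trip(0o740)))         # rwxr-----
    # "chmod u+rw MyFile" applied to a file that was r-x------
    print(mode_to_symbolic(apply_symbolic(0o500, "u+rw")))   # rwx------
```

    The round trip through os.chmod is the useful check: what you computed on paper is what the kernel stores, and mode_to_symbolic shows it the way ls -l would.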

  2. #2
    Join Date
    Feb 2010

    Re: How to Manage File Permission in Unix

    1.3. Special case: setuid and setgid
    setuid and setgid are two attributes that modify the rights of the process created by executing the file. If setuid is enabled, then when the file is executed by a user, the process has the same rights as the owner of the file for the duration of the execution. For setgid, as you have guessed, it is the rights of the group that are inherited, not those of the owner of the file.

    To activate them, you simply add or remove the flag "s" on the owner or the group.
    Adding setuid
    chmod u+s myfile
    We observe:
    ls -l myfile
    -rwsrw-r-- 1 sl friends 200 Sep 23 16:44 myfile
    Adding setgid
    chmod g+s myfile2
    We observe:
    ls -l myfile2
    -rwxrwsr-- 1 sl friends 200 Sep 23 16:44 myfile2
    1.4. Limits of the system
    This simple and effective solution has one major limitation: the management of rights per user or per group.

    2. ACLs on Linux (POSIX)
    2.1. Contribution

    To illustrate, let's take a case that is hard to solve with the generic rights system:
    Suppose I have a file example.txt, which contains gift ideas for birthdays.
    Here are its permissions:
    ls -l example.txt
    -rwxrw---- 1 sl friends 120 Sep 23 17:44 example.txt
    Unfortunately, it belongs to the group "friends". I cannot afford to remove him from the group just for one file; that would mainly impact other files. Create another group without him? What complications! The solution lies in adding users and/or groups with the basic rights (rwx). Thus, I can specify an ACL that will remove the read right for this user, even if he belongs to friends.

    2.2. Prerequisites
    There are two prerequisites:
    - The kernel supports ACLs.
    - The file system is mounted with the acl option:
    from /etc/fstab:
    /dev/hda6 /home ext3 defaults,acl 0 2

    2.3. Attributing ACLs
    There are two basic commands to manage ACLs: setfacl and getfacl.
    For all the examples, we start from the following file:
    sl@testuser:/home/TEST$ ls -lrt
    total 4
    -rwxr-x--- 1 sl sl 209 2009-11-30 16:59 test.xml
    setfacl allows you to edit the list of rights. You can remove as well as add. First and foremost, you must initialise a "mask". If the mask does not exist, you cannot add ACL rules. Only the operations allowed in this mask will be active. So if you set a mask of rw-, nobody can execute, even if you allow it. Conversely, if the mask is rwx and you want to prevent all the persons granted the write right from performing a write operation, you simply change the mask to r-x.

    Adding a full mask
    setfacl -m m::rwx myfile
    Let's use this command to examine the syntax of setfacl. The -m argument adds an ACL entry, unlike -x, which removes one.
    'type of person':'someperson':'rights rwx'
    Moreover, the second argument has that structure; there are 2 types of person (besides the mask "m"): "u" for a user and "g" for a group. So, to give the user pm the read and write rights on a file:

    Mask part
    setfacl -m u:pm:rw myfile
    When you change the permissions of a directory and you want all the files it contains to have the same rights, use the -R option (for recursive). When I do an ls -l of my file, I notice a small change:
    sl@testuser:/home/TEST$ ls -lrt
    total 4
    -rwxr-x---+ 1 sl sl 209 2009-11-30 16:59 test.xml
    The small + indicates that the file has ACL rights. To view the ACL in human-readable form, use the getfacl command.

    The getfacl command
    sl@testuser:/home/Test$ getfacl test.xml
    # file: test.xml
    # owner: sl
    # group: sl
    user::rwx
    user:pm:rw-
    group::r-x
    mask::rwx
    other::---
    The lines user::rwx, group::r-x and other::--- correspond to the usual Unix rights.
    You also find your mask, mask::rwx, and the user entry user:pm:rw-.

    Let's see the point of the mask. I want to remove the write right from all users (besides me, the owner). I remove the write permission from the mask.
    Changing the mask
    sl@testuser:/home/Test$ setfacl -m m::rx test.xml
    sl@testuser:/home/Test$ getfacl test.xml
    # file: test.xml
    # owner: sl
    # group: sl
    user::rwx
    user:pm:rw-			#effective:r--
    group::r-x
    mask::r-x
    other::---
    Note the #effective line, which tells us that after applying the mask, the real rights of pm are just the read right. Without the mask, I would have had to remove the write right from each user. If I now want to remove pm's ACL entry on this file:

    Deleting a user
    sl@testuser:/home/TEST$ setfacl -x u:pm test.xml
    sl@testuser:/home/TEST$ getfacl test.xml
    # file: test.xml
    # owner: sl
    # group: sl
    user::rwx
    group::r-x
    mask::r-x
    other::---
    And pm becomes a regular user again, subject to the classic rules. You can also delete all the ACL entries of a file.

    No more ACL
    sl@usr:/home/TEST$ setfacl -b test.xml
    sl@usr:/home/TEST$ getfacl test.xml
    # file: test.xml
    # owner: sl
    # group: sl
    user::rwx
    group::r-x
    other::---
    3. Conclusion
    Generic Unix rights management should be well known to all, first for security reasons but also for privacy, and because it is fundamental to handling and using files. Today ACLs are used on Linux and even on other Unixes; they are simple to put in place and quite within reach of any administrator or user. I strongly advise you to set them up, at least initially, on /home, where this kind of rights is often appreciated by users.
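    A model of the mask behaviour the post above walks through, as an added example that is not part of the original post. It parses getfacl-style text, reproduces the #effective: annotation (the mask limits named users, the owning group and named groups, but neither the owner nor other), models setfacl -m, -x and -b on the entry list, and implements the POSIX ACL access check so you can see which entry decides for a given user. The ACL text is constructed to match the post's state after setfacl -m u:pm:rw test.xml; the user and group names are the post's, and the function names are mine.

```python
# Constructed getfacl-style ACL text matching the post's file after "setfacl -m u:pm:rw".
ACL_AFTER_ADDING_PM = """\
# file: test.xml
# owner: sl
# group: sl
user::rwx
user:pm:rw-
group::r-x
mask::rwx
other::---
"""

# Order in which getfacl prints entries: owner, named users, owning group, named groups, mask, other.
TAG_ORDER = ("user", "group", "mask", "other")
LETTERS = (("r", 4), ("w", 2), ("x", 1))


def rights_to_bits(text):
    """'rw-' -> 6; accepts getfacl's three-letter form and short forms such as 'rx'."""
    bits = 0
    for ch in text:
        if ch == "-":
            continue
        if ch not in "rwx":
            raise ValueError(f"unknown right {ch!r} in {text!r}")
        bits |= dict(LETTERS)[ch]
    return bits


def bits_to_rights(bits):
    return "".join(letter if bits & value else "-" for letter, value in LETTERS)


def parse_acl(text):
    """getfacl output -> list of (tag, qualifier, bits); '# file:' headers and '#effective:' notes are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, rights_to_bits(perms)))
    return entries


def mask_bits(entries):
    """The mask entry's bits, or None when the ACL has no mask (then nothing is limited)."""
    return next((bits for tag, _, bits in entries if tag == "mask"), None)


def is_masked(tag, qualifier):
    """The mask applies to named users, the owning group and named groups; never to owner or other."""
    return (tag == "user" and qualifier != "") or tag == "group"


def effective_entries(entries):
    """(tag, qualifier, bits, effective_bits) the way getfacl computes '#effective:'."""
    mask = mask_bits(entries)
    return [(t, q, b, b & mask if (mask is not None and is_masked(t, q)) else b) for t, q, b in entries]


def render_acl(entries):
    """getfacl-like text; entries cut down by the mask get an '#effective:' note."""
    lines = []
    for tag, qualifier, bits, eff in effective_entries(entries):
        line = f"{tag}:{qualifier}:{bits_to_rights(bits)}"
        if eff != bits:
            line += f"\t#effective:{bits_to_rights(eff)}"
        lines.append(line)
    return "\n".join(lines)


def set_entry(entries, tag, qualifier, rights):
    """Model of 'setfacl -m tag:qualifier:rights': replace or add one entry, keeping getfacl's order."""
    kept = [e for e in entries if (e[0], e[1]) != (tag, qualifier)]
    kept.append((tag, qualifier, rights_to_bits(rights)))
    return sorted(kept, key=lambda e: (TAG_ORDER.index(e[0]), e[1] != "", e[1]))


def remove_entry(entries, tag, qualifier):
    """Model of 'setfacl -x tag:qualifier'."""
    return [e for e in entries if (e[0], e[1]) != (tag, qualifier)]


def remove_all_extended(entries):
    """Model of 'setfacl -b': keep only the owner, owning group and other entries."""
    return [e for e in entries if e[1] == "" and e[0] != "mask"]


def check_access(entries, owner, owning_group, user, user_groups, want):
    """POSIX ACL access check (simplified): is 'user' granted every right in 'want'?"""
    want_bits = rights_to_bits(want)
    mask = mask_bits(entries)
    by_key = {(tag, qualifier): bits for tag, qualifier, bits in entries}
    limited = lambda bits: bits & mask if mask is not None else bits
    if user == owner:                                   # owner: user:: entry, the mask does not apply
        return by_key[("user", "")] & want_bits == want_bits
    if ("user", user) in by_key:                        # named user: entry limited by the mask
        return limited(by_key[("user", user)]) & want_bits == want_bits
    matched = False                                     # owning group and named groups
    for (tag, qualifier), bits in by_key.items():
        if tag == "group" and ((qualifier == "" and owning_group in user_groups) or qualifier in user_groups):
            matched = True
            if limited(bits) & want_bits == want_bits:  # any one matching group entry that grants wins
                return True
    if matched:
        return False
    return by_key[("other", "")] & want_bits == want_bits   # no match at all: other, not masked


if __name__ == "__main__":
    acl = set_entry(parse_acl(ACL_AFTER_ADDING_PM), "mask", "", "r-x")   # setfacl -m m::rx test.xml
    print(render_acl(acl))                                               # user:pm:rw-  #effective:r--
    print(check_access(acl, "sl", "sl", "pm", ["friends"], "w"))         # False
```

    Run it and compare the rendered text with the getfacl output in the post: the write bit is still recorded in pm's entry but no longer effective, which is exactly why a mask change is cheaper than editing every named entry. check_access with the owner as the caller shows the other side of the rule: the mask never limits the owner.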
