How to Manage File Permission in Unix

[blueprats]

Managing Unix file permissions

1. File Principles in Unix: generic
1.1. Rationale

Rights management is done according to Unix file in three directions: the right reading (Read), write access (Write) and law enforcement (execute).
- The right to read can read the content a.
- The right of writing allows modification and deletion of a file.
- The right of execution on binaries or shell can launch the program.

In digital version:
Read = 4
Write = 2
execute = 1


Applied to a directory, these definitions are significantly different.
r - Read - The file can be read - The directory can be listed (example: Get the files in this directory with the ls command)

w - WRITE - The contents of the file can be modified or its attributes changed - In the directory, you can delete, create or edit a file

x - execute - The file can be executed - We can enter this directory, which becomes your current directory

Each of these rights are attributed to three types of people: the owner (owner or UID), group (GID group) and the rest of the world (other).

1.2. Implementation with an example

So, I have a file: test.xml, containing my recipes.
These are the permissions of the file

Code:

test.xml ls-rwxr-xr - 1 sl 200 friends test.xml Sep 23 4:44 p.m

See the above output carefully.
The first "-" does not concern us, it is the type of file. (Eg d = directory)

Then there are three sets of three letters beginning with r:
rwx: Rights of the owner: sl => The user has the rights sl reading, writing and executing the file.
rx: Rights the group: friends => Everyone in this group has rights to friends and reading performance.
r -: The rights of the rest of the world => The others have just the right reading.

If you want to change the file permissions, the command "chmod" is present.
It is used as

Code:

myfile chmod XYZ

Note: When you change the permissions of a directory and you want all the files contained in it has the same rights, use the-R option (for recursive).

Here X, Y and Z are respectively the rights (digital) of the owner, group and the rest.

How to calculate X? In summing up the rights you want granted.

Code:

rwx = 4 +2 +1 = 7 
rw- = 4 + 2 = 6 
r-x   = 4 +1 = 5 
---  = 0

(Y and Z are calculated in the same way)

For setting permission "rwxr", here is the command

Code:

chmod 740 MyFile

If the mathematics do not seem very meaningful, there is a literary means to give the rights:

Code:

chmod u + rw MyFile

This will add read and write to the owner

In the first letter, you insert the type of person to change. Then with the + or - you describe respectively, an add operation of law or a withdrawal operation. It only remains to give the rights impacted by letters r, w, x.

Code:

The owner of the file - u
Group File - g
The rest of the world - o
Everyone - has

[blueprats]

1.3. Special case: setuid and setgid
The setuid and setgid are two attributes that modify the rights of the process created by executing the file. If setuid is enabled when the file is executed by a user, the process has the same rights as the owner of the file during the execution. For the setgid, you have guessed it was a legacy of group rights, not the owner of the file.


To activate, you simply add or remove the flag "s" on the owner or group.
Added setuid

Code:

chmod u + s myfile

We observe:

Code:

ls-l myfile-rwsrw-r - 1 sl 200 friends myfile Sep 23 4:44 p.m.

Added setgid

Code:

chmod g + s myfile2

We observe:

Code:

ls-l-myfile2 rwxrwsr - 1 sl 200 friends myfile2 Sep 23 4:44 p.m.

1.4. Limit System
This simple and effective solution contains a large limit, the management of rights by user or group.

2. ACLs on Linux (POSIX)
2.1. Contribution

Take a hard case with the soluble system generic rights to illustrate:
Suppose I have a file example.txt, which includes gift ideas for birthdays:
Here are the permission

Code:

example.txt ls-sl ---- 1 rwxrw 120 friends example.txt Sep 23 5:44 p.m

Unfortunately, this belongs to the group "friends". I can not afford to remove the group just for a file, it will exist primarily impacts on other files. Create another group without it? What complications! The solution lies in the addition of users and / or groups with basic rights (rwx). Thus, I can specify an ACL that will remove his right to this users reading, even if it belongs to friends

2.1. Prerequisites
There are two prerequisites:
- The kernel supports ACLs.
- The file system is mounted with the acl option:
from / etc / fstab / Dev/hda6 / home ext3 defaults, acl 0 2


2.2. Attributing LCD
There are two basic commands to manage ACL: setfacl and getfacl
For all examples, we start from a following file:

Code:

sl @ testuser: / home / TEST $ ls-lrt total 4-rwxr-x --- 1 sl sl 209 2009-11-30 4:59 p.m. test.xml

setfacl allows you to edit the list of rights monitor. You can withdraw as add. First and foremost, you must initialize a "mask". If the mask does not exist, you can not add ACL rules . Only operations allowed in this mask will be active. So if you put a mask -rw, no person may conduct the execution, even if you allow it. Conversely, if the mask is "rwx" and want to prevent all persons affected by the Write right to perform a write operation, you simply change the mask rx.

Adding a mask total

Code:

setfacl-mm:: rwx myfile

Let this command to examine the syntax of setfacl. The argument-m allows you to add an LCD, unlike x-removal.

Code:

'Type of person': 'someperson': 'right rwx'

Moreover, the second argument holds that structure, there are 2 types of people (outside of the mask "m"): "u" for user and "g" for a group. So to add the user, rights Reading and writing a file:

Mask part

Code:

setfacl-mu: pm:-rw myfile

When you change the permissions of a directory and you want all files in that it has the same rights, use the-R option (for recursive). When I do a ls-l of my file, I realize a small change:

Code:

sl @ testuser: / home / TEST $ ls-lrt total 4-rwxr-x --- + 1 sl sl 209 2009-11-30 4:59 p.m. test.xml

The small + indicates that the file has ACL rights. To view the human ACL, use the command getfacl.

Order getfacl

Code:

sl @ testuser: / home / Test $ getfacl test.xml # file: test.xml # owner: sl # group sl user:: rwx user: pm: rw-group:: rx mask:: rwx other:: - -

Lines user:: rwx, sauf ::--- and group:: rx correspond to the usual Unix rights.
You also find your mask: mask:: rwx user and one pm: rw-

Let's see the interest mask. My desire to delete all users (besides me, the owner), the law in writing. I remove the write permission in the mask.
Changing Mask

Code:

sl @ testuser: / home / Test $ setfacl-mm:: rx test.xml sl @ testuser: / home / Test $ getfacl test.xml # file: test.xml 
# owner: sl # group sl user:: rwx user pm: rw-# effective r - group:: rx mask:: rx Other ::---

Note the actual line #, which tells us that after applying the mask, the real rights of pm are right: reading. Without the mask, I should be removed for each user right in writing. If I want to remove LCD pm straight on this file:

Deleting a user

Code:

sl @ testuser: / home / TEST $ setfacl-xu pm test.xml sl @ testuser: / home / TEST $ getfacl test.xml getfacl test.xml # file: # test.xml owner: sl # group sl user: : rwx group:: rx mask:: rx Other ::---

And it becomes a regular user subjects to classical rules. You can also delete all of the rights of an ACL file.

More ACL

Code:

sl @ usr: / home / TEST $ setfacl-b @ sl test.xml usr: / home / TEST $ getfacl test.xml # file: # test.xml owner: sl # group sl user:: rwx group:: rx Other ::---

3. Conclusion
Rights Management Unix generic form should be well known to all, first for security issues but also privacy, partly because it is fundamental in the handling / using files. Today it is used in Linux and even other UNIX ACLs are yet to implement a simple and quite at hand to bring any administrator or user. I strongly advise you to put in place at least initially at the / home, what kind of rights is often appreciated by users.