Learn Linux 09: Permissions

Published Jan 10, 2022

Contents


Introduction

Operating systems in the Unix tradition differ from those in the MS-DOS tradition in that they are not only multitasking systems but also multiuser systems. This chapter will introduce the following commands:

  • id - Display user identity
  • chmod - Change a file’s mode
  • umask - Set the default file permissions
  • su - Run a shell as another user
  • sudo - Execute a command as another user
  • chown - Change a file’s owner
  • chgrp - Change a file’s group ownership
  • passwd - Change a user’s password

Owners, Group Members, And Everybody Else

If we try to examine the /etc/shadow file we will get an error.

[user@linux ~]$ file /etc/shadow
/etc/shadow: regular file, no read permission
[user@linux ~]$ less /etc/shadow
/etc/shadow: Permission denied

The reason for this error message is that, as regular users, we do not have permission to read this file. In the Unix security model, a user may own files and directories. When a user owns a file or directory, the user has control over its access. Users can, in turn, belong to a group consisting of one or more users who are given access to files and directories by their owners. In addition to granting access to a group, an owner may also grant some set of access rights to everybody, which in Unix terms is referred to as the world. To find out information about your identity, use the id command.

[user@fedora ~]$ id
uid=500(user) gid=500(user) groups=500(user)

Let’s look at the output. When user accounts are created, users are assigned a number called a user ID (uid), which is then, for the sake of the humans, mapped to a username. The user is assigned a group ID (gid) and may belong to additional groups. The preceding example is from a Fedora system. On other systems, such as Ubuntu, the output may look a little different.

[user@ubuntu ~]$ id
uid=1000(user) gid=1000(user) groups=4(adm),20(dialout),24(cdrom),25(floppy),
29(audio),30(dip),44(video),46(plugdev),108(lpadmin),114(admin),1000(user)

As we can see, the uid and gid numbers are different in Ubuntu. This is simply because Fedora starts its numbering of regular user accounts at 500, while Ubuntu starts at 1,000. We can also see that the Ubuntu user belongs to a lot more groups. This has to do with the way Ubuntu manages privileges for system devices and services.

So, where does this information come from? Like so many things in Linux, it comes from a couple of text files. User accounts are defined in the /etc/passwd file, and groups are defined in the /etc/group file. When user accounts and groups are created, these files are modified along with /etc/shadow, which holds information about the user’s password. For each user account, the /etc/passwd file defines the user (login) name, uid, gid, account’s real name, home directory, and login shell. If we examine the contents of /etc/passwd and /etc/group, we notice that besides the regular user accounts, there are accounts for the superuser (uid 0) and various other system users.

Reading, Writing, And Executing

Access rights to files and directories are defined in terms of read access, write access, and execution access. If we look at the output of the ls command, we can get some clue as to how this is implemented.

[user@linux ~]$ > foo.txt
[user@linux ~]$ ls -l foo.txt
-rw-rw-r-- 1 user user 0 2017-05-09 12:00 foo.txt

The first 10 characters of the listing are the file attributes. The first of these characters is the file type.

Here is a list of file types you are most likely to see (there are other, less common types too):

  • - - A regular file.
  • d - A directory.
  • l - A symbolic link. Notice that with symbolic links, the remaining file attributes are always rwxrwxrwx and are dummy values. The real file attributes are those of the file the symbolic link points to.
  • c - A character special file. This file type refers to a device that handles data as a stream of bytes, such as a terminal or /dev/null.
  • b - A block special file. This file type refers to a device that handles data in blocks, such as a hard drive or DVD drive.

The remaining nine characters of the file attributes, called the file mode, represent the read, write, and execute permissions for the file’s owner, the file’s group owner, and everybody else.

OwnerGroupWorld
rwxrwxrwx

Here is a list that documents the effect that r, w, and x mode attributes have when set on files and directories:

  • r - Allows a file to be opened and read. Allows a directory’s contents to be listed if the execute attribute is also set.
  • w - Allows a file to be written to or truncated; however, this attribute does not allow files to be renamed or deleted. The ability to delete or rename files is determined by directory attributes. Allows files within a directory to be created, deleted, and renamed if the execute attribute is also set.
  • x - Allows a file to be treated as a program and executed. Program files written in scripting languages must also be set as readable to be executed. Allows a directory to be entered, e.g., cd directory.

chmod

To change the mode (permissions) of a file or directory, use the chmod command. Be aware that only the file’s owner or the superuser can change the mode of a file or directory. chmod supports two distinct ways of specifying mode changes.

  • Octal number representation
  • Symbolic representation

Octal Notation

Octal (base 8) and its cousin, hexadecimal (base 16), are number systems often used to express numbers on computers. We humans, owing to the fact that we (or at least most of us) were born with 10 fingers, count using a base 10 number system. Computers, on the other hand, were born with only one finger and thus do all their counting in binary (base 2). Their number system has only two numerals, 0 and 1.

With octal notation, we use octal numbers to set the pattern of desired permissions. Because each digit in an octal number represents three binary digits, this maps nicely to the scheme used to store the file mode.

Here is a list of file modes in binary and octal (Octal - Binary - File mode):

  • 0 - 000 - ---
  • 1 - 001 - --x
  • 2 - 010 - -w-
  • 3 - 011 - -wx
  • 4 - 100 - r--
  • 5 - 101 - r-x
  • 6 - 110 - rw-
  • 7 - 111 - rwx

Symbolic Notation

chmod also supports a symbolic notation for specifying file modes. Symbolic notation is divided into three parts.

Here is a list of file modes in symbolic notation:

  • u - Short for "user" but means the file or directory owner.
  • g - Group owner.
  • o - Short for "others" but means world.
  • a - Short for "all." This is a combination of u, g, and o.

umask

The umask command controls the default permissions given to a file when it is created. It uses octal notation to express a mask of bits to be removed from a file’s mode attributes. If we run the umask command without an argument to see the current value tt respondes with the value 0002 (the value 0022 is another common default value), which is the octal representation of our mask.

[user@linux ~]$ umask
0002
[user@linux ~]$ > file1
[user@linux ~]$ ls -l file1
-rw-rw-r-- 1 user user 0 2017-05-09 12:00 foo.txt
[user@linux ~]$ umask 0000
[user@linux ~]$ > file2
[user@linux ~]$ ls -l file2
-rw-rw-rw- 1 user user 0 2017-05-09 12:00 file2

When we set the mask to 0000 (effectively turning it off), we see that the file is now world writable. To understand how this works, we have to look at octal numbers again. If we take the mask, expand it into binary, and then compare it to the attributes, we can see what happens.

Description
Original file mode--- rw- rw- rw-
Mask000 000 000 010
Result--- rw- rw- r--

Most of the time we won’t have to change the mask; the default provided by your distribution will be fine. In some high-security situations, however, we will want to control it.

Some Special Permissions

Though we usually see an octal permission mask expressed as a threedigit number, it is more technically correct to express it in four digits. Why? Because, in addition to read, write, and execute permissions, there are some other, less used, permissions settings.

The first of these is the setuid bit (octal 4000). When applied to an executable file, it changes the effective user ID from that of the real user (the user actually running the program) to that of the program’s owner. Most often this is given to a few programs owned by the superuser. When an ordinary user runs a program that is setuid root, the program runs with the effective privileges of the superuser. This allows the program to access files and directories that an ordinary user would normally be prohibited from accessing. Clearly, because this raises security concerns, the number of setuid programs must be held to an absolute minimum.

The second less-used setting is the setgid bit (octal 2000), which, like the setuid bit, changes the effective group ID from the real group ID of the real user to that of the file owner. If the setgid bit is set on a directory, newly created files in the directory will be given the group ownership of the directory rather the group ownership of the file’s creator. This is useful in a shared directory when members of a common group need access to all the files in the directory, regardless of the file owner’s primary group.

The third is called the sticky bit (octal 1000). This is a holdover from ancient Unix, where it was possible to mark an executable file as "not swappable." On files, Linux ignores the sticky bit, but if applied to a directory, it prevents users from deleting or renaming files unless the user is either the owner of the directory, the owner of the file, or the superuser. This is often used to control access to a shared directory, such as /tmp.

Changing Identities

At various times, we may find it necessary to take on the identity of another user. There are three ways to take on an alternate identity.

  • Log out and log back in as the alternate user.
  • Use the su command.
  • Use the sudo command.

We will skip the first technique because we know how to do it and it lacks the convenience of the other two. From within our own shell session, the su command allows you to assume the identity of another user and either start a new shell session with that user’s ID or issue a single command as that user. The sudo command allows an administrator to set up a configuration file called /etc/sudoers and define specific commands that particular users are permitted to execute under an assumed identity.

su

The su command is used to start a shell as another user.

If the -l option is included, the resulting shell session is a login shell for the specified user. This means the user’s environment is loaded and the working directory is changed to the user’s home directory. This is usually what we want. If the user is not specified, the superuser is assumed. Notice that (strangely) the -l may be abbreviated as -, which is how it is most often used.

[user@linux ~]$ su -
Password:
[root@linux ~]#

After entering the command, we are prompted for the superuser’s password. If it is successfully entered, a new shell prompt appears indicating that this shell has superuser privileges (the trailing # rather than a $), and the current working directory is now the home directory for the superuser (normally /root). Once in the new shell, we can carry out commands as the superuser. When finished, enter exit to return to the previous shell.

[root@linux ~]# exit
[user@linux ~]$

It is also possible to execute a single command rather than starting a new interactive command by using su this way.

[user@linux ~]$ su -c 'ls -l /root/*'

sudo

The sudo command is like su in many ways but has some important additional capabilities. The administrator can configure sudo to allow an ordinary user to execute commands as a different user (usually the superuser) in a controlled way. In particular, a user may be restricted to one or more specific commands and no others. Another important difference is that the use of sudo does not require access to the superuser’s password. Authenticating using sudo requires the user’s own password. Let’s say, for example, that sudo has been configured to allow us to run a fictitious backup program called backup_script, which requires superuser privileges.

[user@linux ~]$ sudo backup_script
Password:
System Backup Starting...

To see what privileges are granted by sudo, use the -l option to list them.

[user@linux ~]$ sudo -l
User user may run the following commands on this host:
    (ALL) ALL

chown

The chown command is used to change the owner and group owner of a file or directory. Superuser privileges are required to use this command. The syntax looks like this.

chown [owner][:[group]] file...

Here is an example.

[janet@linux ~]$ sudo cp myfile.txt ~tony
Password:
[janet@linux ~]$ sudo ls -l ~tony/myfile.txt
-rw-r--r-- 1 root root root 2017-05-09 12:00 /home/tony/myfile.txt
[janet@linux ~]$ sudo chown tony: ~tony/myfile.txt
[janet@linux ~]$ sudo ls -l ~tony/myfile.txt
-rw-r--r-- 1 tony  tony  tony 2017-05-09 12:00 /home/tony/myfile.txt

chgrp

In older versions of Unix, the chown command changed only file ownership, not group ownership. For that purpose, a separate command, chgrp, was used. It works much the same way as chown, except for being more limited.

Changing Your Password

To change your password, just enter the passwd command. You will be prompted for your old password and your new password.

[user@linux ~]$ passwd
(current) UNIX password:
New UNIX password:

If you have superuser privileges, you can specify a username as an argument to the passwd command to set the password for another user. Other options are available to the superuser to allow account locking, password expiration, and so on. See the passwd man page for details.

Summary

In this chapter, we saw how Unix-like systems such as Linux manage user permissions to allow the read, write, and execution access to files and directories. The basic ideas of this system of permissions date back to the early days of Unix and have stood up pretty well to the test of time. But the native permissions mechanism in Unix-like systems lacks the fine granularity of more modern systems.