LPI 010-160 – Managing File Ownership and Permission part 1
- Setting Ownership
Linux is a multiuser operating system like we’ve talked about before now, because of this we have lots of users accessing the same system so how does a user secure their files against unwanted access by those other users? Well. Linux handles these tasks through two types of features. When you’re dealing with files and directories, this is known as ownership and permission. Every file has an associate, owner or account with that file or directory it’s linked to. It as well as its associated group. Now, in addition to that ownership, we have permissions. And these sets of permissions will define what the files owner, the members of the files group and the other users can do with that file. So there’s three sets of permissions. We have ownership permissions for the user, for the group, and then for all other users.
These are all intertwined, but when we’re dealing with the text mode commands, we’re going to be able to manipulate them separately, both ownership and permissions. Linux’s security model assumes the presence of multiple users on this computer because it grew up as a server based multi user operating system and therefore it’s going to provide the means to associate individual files with a single user who created them. This means every single file is going to have an owner. Ownership also applies to running programs and processes because everything is treated as a file inside. Of Linux most programs that are run are going to be tied to the user account that launch that program.
This identity, together with the file’s ownerships and permissions determines exactly what that program can do and which files it. Can modify. As we talked about before, every file has an owner or an account that’s associated with it. This association occurs because of that user account user ID number. Every file is also associated with a group using its group ID number. Access to the file is then controlled by means of permissions that can be set independently of the file’s owner, the files group and all other users on this computer. Now, the root user can change the owner and group of any file at once. So if we have a computer that has a file that I’ve created and you’ve created, our root user can actually take our files and change their permissions whenever they feel like.
It. Now, as the file owner, you can also change the files group, but only to a group that you also belong into. So if we both work in the instructor group, you can give me permission to your files. And I can give you permission to mine, but you can’t add the students to that file because you’re not a member of that group. Now, the same principles of ownership apply equally to files like we’ve been talking about. Also to the directories, because directories are going to have owners and groups as well. These can be changed by root or they can be changed by the directory’s owner. So how do we change the ownership of a file inside the terminal? Well, we’re going to use a command known as Chone.
This is change ownership or chown. Now the Chone command is going to stand for change owner like I said and in its most basic form you’re going to pass a username to it followed by the file name. So for example I might say change own Jason Dion file and that would change the file owner to Jason Dion. Now if you want to look at all the different options of using Change Own, you can do that using the man page by typing manspace change own from your command prompt. Now if we wanted to change a group we’re going to use the change group command which is chgrp. It works the exact same way. We’re going to put change group, the group name and then the file or directory you want to change.
Now one thing to note here is if you want to change the ownership of a file or a directory you have to do that as the root user. The reason is you can only give ownership if you have permissions over that file both as the owner of it and the person who’s going to own it. And since a user account can’t have permissions over both, you have to do this as root. Now in a group situation you can do this as an ordinary user if you own the file and you belong to both groups. So if happen to be a part of the student group and the instructor group, I can change this folder and I can give permissions from instructors to students because I’m in both groups. So I bridge that gap. If I wasn’t in both groups then I would need to use root access to do it as well.
- Setting Ownership in the Shell
In this lesson, we’re going to work on changing ownership of files and directories. You can see here on the screen I’ve created a folder named Ownership within my home directory underneath my documents directory. Now in here I have three things. I have two text files named foo one and foo two, and one directory named fodder. Now if I do an LS la, we can see who owns these files and who owns these directories. And as you can see here, it’s owned by Dion Training. But what if I don’t want to own these files anymore? What if I need to change this so that Tim, that user we created recently, can now take ownership of foo one? Well, we can do that using a command known as change own, which is change ownership.
Let’s take a look at change own here. If we look at change own, it’s going to change the file owner and the group. If you go through this, it’ll give you all the details of how to do it. So if we want to change the ownership of foo one text from Deontrain to Tim, we need to find the right option that will allow us to do that. If we go ahead and page down here a couple of times, we’re going to start seeing examples. Under the examples, the first one shows us change ownership root u. This says we’re going to change the ownership of U, which in this case is a directory to root. So if I want to change the foo one txt to the user Tim, I would just use change owntim, foo one txt.
Now before I go back to the command line and give that one a try, let’s look at the second example. Notice it says change own root staff u. This is going to change that file or directory not only the user, which is now going to become brute, but also it’s going to change the group into staff. And so if I want to give Tim access to this and my staff group access to this, I can do that both at the same time by using that command. Let’s go ahead and give this a shot. All right, so here we are back at the command line, and I want to go ahead and take foo one and change that ownership. If I want to do that, I’m going to use change own Tim, and then the file name, in this case, foo one txt.
But if I hit enter right now, it’s not going to work. And the reason is I don’t have permission to be able to give permission of this file over to Tim because it’s sitting inside my home directory. So instead, I would have to pseudo this. So if I go ahead and do pseudo now, it’s going to allow me to do that. And so if I go ahead and do LSLA, we should see that Tim now owns that file. And you can see he does. Now, if I wanted to take foo two and give that to Tim and put it in the staff group, I could do that as well. Let’s go ahead and try doing that without the pseudo and you’re going to see the error that I’m talking about.
So we’re going to do Timstaff Fo, two txt, and there we go. Operation not permitted. But if I put in that pseudo, I become the root user. I can do whatever I want. And there we go. So now if I do LSLA, you’ll see that Tim owns it and it’s in the group staff now. Now this is kind of a silly example because all of this is inside my own files and folders and they’re not going to actually be able to get access to it because they don’t have access to my home directory. But we could have put this in a different folder that everybody had access to, maybe on a sharedrive or something like that.
The same thing would work inside the directory, for instance, maybe for Fodder, I want to keep ownership of it, but I want to change the group to staff instead of Deon training. Well, I can do that as well. So I’ll do pseudo change own. I will then give it the name of Dion Training as the user and staff as the group and then use Fodder. And there we go. If we do LS La, you’ll see that we were able to change that as well. This again was a very quick overview of setting ownership on files using Change Own. Please go into your system, play around with it a little bit, create some files, create some directories, and change the owners and permissions to some of those users and groups you created in the last couple of lessons.
- Understanding Permissions
It’s now time for us to start discussing how to set permissions. Now, file ownership is really meaningless without some way to specify what a particular user can do with the files or folders that they own and that other people own. So let’s begin with the display created by the LS command, which lists the files in a directory. So as we do this, we might use the Dashl option, which creates the long directory listings, which includes the file permissions. For example, let’s see a long list of files using LF lspest. This line is going to consist of several sections which will provide all sorts of different information for us. First we have the permissions. This first column shows us the file permissions.
Then we have a number of links. This shows us the number of hard links to this file. These are the number of unique file names that may be used to access this particular file. Then we have the username. This identifies the file’s owner. Then we have our group name, which identifies the group that owns it. Then we have the file size. How big is this file? After that we have a timestamp which shows us when the file was last modified and finally we have our file name showing the file name. Now, the string that begins the LS output is the symbolic representation of the permission string broken up into several pieces. Let’s take a closer look at this. First we have a file type code.
The first character is the file type code. It represents what kind of file this is. This type character is sometimes omitted from the description when the file type is not relevant or if it’s identified in some other way. So this one character code can be a lot of different things. If we have a dash that is a normal data file, this may be an executable program, a graphics file, compressed data or just about any other type of data. After that we might have something showing up as a D, which is a directory disk. This means it’s a directory because directories are really files, but they contain file names and pointers to other name files, data structures and so a directory is simply a file that points to other files.
Next we have a pipe which stands for a symbolic link. Now this is the file that’s going to contain the name of another file or directory. When Linux accesses that symbolic link, it tries to read the link to file instead. If we have a P shown here, that’s a name pipe. A pipe enables two running Linux programs to communicate with each other in a one way fashion. If we have an S, that stands for a socket. A socket is similar to a name pipe but it allows network and bi directional links. If we have a B, that stands for a block device. This is a file that corresponds to a hardware device and allows us to read and write data over this in blocks of more than one byte at a time.
Disk devices such as hard drives and USB drives are common types of block devices. C would stand for a character device. This is a file that corresponds to a hardware device, and it allows us to send things out one byte or one character at a time. For example, if I have a connection that’s a parallel connection or a serial connection through a port that might be using one of these. All right, so that was a lot of file type codes that we just went through. And that was only the first of the four pieces of the permission string. So let’s look at the second piece of the permission string. Now, the second piece of the permission string we’re going to deal with is going to be the owner’s permission. These permissions determine what the file owner can actually do with the file.
Next, we’re going to have the group permissions, and these are permissions to determine what the members of the file group who are not an owner can do with that file. And the last portion is the world or other permissions. These permissions are going to tell you you what users who aren’t the file’s owner or a member of the groups can do with that file. So if I own the file and I am a teacher, but you’re a student well, I own the file, so I’m the owner. My group is the teachers. They can do something with it. And then you as somebody who is not me or my teachers, you can do something else with it. And that’s what that last thing is. Now we’ll talk more about what those things are in another lesson.
- Permission Strings and Setting the umask
Previously, we covered the basics of file permissions and we discussed the four parts of the permission string that’s displayed by the LS L A command. Now, after the file type code, each of the last three sets of permission strings identifies the presence or absence of three types of access read, write, and execute. Now, read and write permissions are fairly self explanatory. If the execute permission is set, though, this means the file can also be run as a program. The absence of this permission is denoted by a dash inside that permission string. Now, if you have that permission and it’s indicated by the letter R for read, W for right, or X for execute, you’ll see that within that permission string. So in this example, you can see Rwxrxrx.
And this means the file is a normal data file and its owner, the members of the file group and all of the other users can read and execute this particular file. Now, only the file’s owner has write permission to the file, though, so they’re the only ones who can modify it and overwrite this file. There is also another way of representing these permissions. Instead of having all of those R’s and W’s and XS, we can take a shortcut by giving each of these three groups of permissions a certain number that represents their permission string. This will convert them into a number from zero to seven. This result is a three digit Octal code. Each number is constructed by starting with a value of zero, and then we’re going to add a certain number to it based on the permissions.
So if we have zero, that means we have no permissions. There’s no read, no write, no execute. If I have a four, that means I have read permissions. If I have a two, that means I have write permissions. If I have a one, that means I have execute permissions. And if I’m going to have multiple things like read, write, and execute, I’ll add four for read, two for write, and one for execute, giving me a seven as my digit. This resulting three digit code is going to represent the permissions for the owner, the group, and everybody else in the world. So this table will show you a few examples of the permission string and the corresponding three digit code and what it means.
So for example, if you see seven seven seven, this will give you Rwx Rwxrwx, which means you can read, write, and execute for all users, all groups, and everybody else in the world. Now, if I have Rwxrx, this would be seven 50. Now, with seven 50, this gives me read, write and execute that first digit seven for the owner of this file. But I only have five, which is read and execute for all the other people inside my group. And anybody who’s not in my group gets no permissions whatsoever. That’s why we have that zero there. Now another one we have would be something like six four four. Well, if we have six, that means we have read and write permission, but we can’t execute.
Now, if I have four, that means I can read. And so in six four four, this says that the owner of the file can read it and write it, but they can’t execute it. Now, because I have four and four, that means all other people in my group and all other people in the world can read the file, but they can’t write to it and they can’t execute. Now, if I have something like 400, this would mean that it’s a readable file by myself, who owns it. But nobody else can read it, write it or execute it, as long as they’re in the world or in the group for myself, because I have a four there.That means I can read it, but I can’t write it and I can’t execute it. This becomes a read only text file, essentially. Now, that’s the basics of permissions, but there are a couple of special cases that you should be aware of.
Now, one of these is what’s known as the directory execute bits. This is a special bit that gets turned on or off. And if it’s on, it says that the directory is going to be able to grant permission to search within that directory. Now, the next thing we have to think about is what’s known as a directory write permission. When you give write permission to a directory, it means that these directories, which are really just special files, are able to allow a user to write to that directory. They can create, delete and rename files within that directory. And even if the user isn’t the owner of these files and doesn’t have permission to write to those files, if the directory permission is set, that’s going to allow them to do that. So it’s not based on the file, but it’s based on the directory.
So this is something you have to be aware of. Now, when you’re talking about symbolic links, this is another thing you might see. And usually when you have a symbolic link, they’re always going to have the permission of seven seven seven. This means that access applies only to the link file itself, though not the file being linked to. So if I have a symbolic link pointing to a directory with a bunch of my files in it, those files can still be protected with read, write and execute access based on whatever octic code you want to use. For example, I might use something like six four four, which is going to give me read and write permissions but not execute. And four four giving me read only. But if I have a symbolic link, that symbolic link is going to have permissions of seven seven seven.
That means the symbolic link itself can be read, written and executed. But the files it’s pointing to are still going to maintain six, four four that read and write access only. Now, many of these permission rules do not apply to the root user. Remember, the root user is a super user. They can do pretty much whatever they want. They can read and write any file on the computer, including files that have permission set as. Remember, zero zero means there’s no read, no right and no execute permission. But as a root user, you get to bypass that because root is super special and super powerful. Now, another thing we need to talk about is what’s known as the user mask or umask. The Umask is going to determine the default permissions for new files that are created.
The Umask is the value that is removed from the six six six, which is read, write, readwrite, read, write. Now, when you’re creating a new file, this is normally the typical way things are made. It’s going to be done with six six six, but you can change this and make it seven seven seven if you want. Now, when you create a new directory by default, it is going to use seven seven seven. But when you create a new file, it’s going to use six six six. So remember, when you create a directory, it is going to be readable, writable and executable by default. Now, if you want to adjust the UMass setting, you can use the UMass command. Typically, this command appears in a system or a user configuration file. I’ll show you how to use this in a future lesson.