LPI 010-160 – Managing File Ownership and Permission part 2
- Using Sticky Bits
When investigating the Linux directory tree, there are certain file types that require special attention from you. Sometimes you just need to be aware that these special cases exist and how they're handled, because they deviate from what you'd expect based on what we covered in the previous videos. For example, a user can delete a file without having write permission to that file. This may seem like a bug: if a user can't write to a file, we might think they shouldn't be able to delete it either. But you have to remember that a directory is itself a special type of file, one that holds the names of other files and pointers to their lower-level data structures.
Therefore, modifying a file's contents requires write access to the file, but creating or deleting a file only requires write access to the directory in which the file resides, because the name is an entry in the directory, so it's the directory you're modifying, not the file. The result isn't a bug, it's just a counterintuitive feature. Although Linux file systems were designed to work this way, this behavior isn't always desirable; think of a shared, world-writable directory like /tmp, where everyone needs to create files but nobody should be removing anyone else's. That's why there's a special file system flag known as the sticky bit. With the sticky bit set on a directory, Linux will permit a user to delete or rename a file in it only if that user owns the file or owns the containing directory (root, as always, can still remove anything).
This way not just anyone can delete your files: write permission on the containing directory is no longer enough once the sticky bit is set. You set the sticky bit with the chmod command in one of two ways. The first is the octal code: prefix the three-digit octal mode described in the last video with a fourth, leading digit. That leading digit sets any of three special permission bits, and the value for the sticky bit is 1. So a mode of 1755 means the sticky bit is set (the 1), the owner of the directory can read, write and search it (the 7), and the group and everyone else can read and search it but not write to it (the 5 and the 5).
Specifying a leading 0, such as 0755, clears the sticky bit (along with the other special bits), so you turn it on with a 1 and off with a 0. The second way is a symbolic code: the letter t applied to the world (other) permissions. So chmod o+t subdir sets the sticky bit on that subdirectory, and chmod o-t subdir removes it. In a long listing the bit shows up in place of the x in the last permission triplet, as a lowercase t when others have execute/search permission and as a capital T when they don't.
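Here is an added example, not code from the original lesson, that walks through both ways of setting the sticky bit on a scratch directory and verifies the result with GNU stat. It cannot show the deletion rule itself, since that needs two separate user accounts; what it shows is how the bit appears in the octal and symbolic modes, including the capital T when others lack search permission. The directory name is constructed for the demo.

```bash
#!/bin/bash
# Added example: set and clear the sticky bit, then verify with stat(1).
# Uses GNU stat: %A is the symbolic mode string, %a the octal mode.
set -e

# has_sticky PATH: exit 0 if the sticky bit is set, 1 otherwise.
# In the symbolic mode the bit replaces the last "x": t when others have
# execute/search permission, T when they do not.
has_sticky() {
    case "$(stat -c %A "$1")" in
        *t|*T) return 0 ;;
        *)     return 1 ;;
    esac
}

# octal_mode PATH: print the mode as four octal digits, e.g. 1755 or 0755.
octal_mode() {
    printf '%04o\n' "0$(stat -c %a "$1")"
}

# sticky_demo: apply the octal and symbolic forms to a constructed
# directory and print "ok" if every step produced the expected mode.
sticky_demo() {
    local work shared
    work=$(mktemp -d)
    shared="$work/shared"          # constructed directory for the demo
    mkdir "$shared"

    # Octal form: a leading 1 sets the sticky bit, a leading 0 clears it.
    chmod 1755 "$shared"
    has_sticky "$shared"                        || return 1
    [ "$(octal_mode "$shared")" = 1755 ]        || return 1
    [ "$(stat -c %A "$shared")" = drwxr-xr-t ]  || return 1

    chmod 0755 "$shared"
    ! has_sticky "$shared"                      || return 1
    [ "$(octal_mode "$shared")" = 0755 ]        || return 1

    # Symbolic form: o+t and o-t do exactly the same thing.
    chmod o+t "$shared"
    [ "$(octal_mode "$shared")" = 1755 ]        || return 1
    chmod o-t "$shared"
    [ "$(octal_mode "$shared")" = 0755 ]        || return 1

    # Sticky bit without search permission for others shows as capital T.
    chmod 1754 "$shared"
    [ "$(stat -c %A "$shared")" = drwxr-xr-T ]  || return 1

    rm -rf "$work"
    echo ok
}

sticky_demo
```

On a real system, stat -c %A /tmp normally prints drwxrwxrwt: world-writable, with the sticky bit protecting each user's files from the others.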
- Using Special Execute Permissions
So we've already talked about the fact that the execute permission bit identifies programs as such: when you see an x in the output of ls -la, you know that file can be run as a program. Normally a program runs with your own credentials, which is usually a good thing, because Linux's security model wants each process to run as a specific user. So if you run a file, it runs with your normal user permissions. Occasionally, though, a program needs to run with elevated permissions, as the superuser, root. For example, the passwd program has to run as root because it needs to write a system file that only root can modify.
So if users are going to change their own passwords, passwd must run with root privileges even when an ordinary user launches it. To accomplish this, two special permission bits exist, similar to the sticky bit we just talked about: set user ID and set group ID. The set user ID bit, also known as SUID, tells Linux to run the program with the permissions of whoever owns the file rather than the permissions of the user who runs it. For instance, if a file is owned by root and has the SUID bit set, the program runs with root permissions and can therefore read any file on the computer. Some servers and other system programs run this way, and they're commonly called SUID root programs.
SUID programs are indicated by an s in the owner's execute position of the permission string, so if you see rws instead of rwx, the SUID bit is set. The second bit is set group ID, or SGID. SGID is similar to SUID, but it sets the group of the running program to the group of the file. It's indicated by an s in the group's execute position. So if the second set of three characters is r-s, the group has read access, doesn't have write access, and because of the s in the execute position the file is executable with the SGID bit in effect. A capital S in either position means the special bit is set but the corresponding execute bit is not, which is almost always a mistake.
You set these bits with chmod as well. With octal codes, you use the leading digit of a four-digit octal mode: instead of 755, for instance, you add a digit to the front. That digit is 4 to set the SUID bit, 2 to set the SGID bit, or 6 to set both (and, combining with the last section, adding 1 sets the sticky bit too, so 7 sets all three). For example, chmod 4755 sets the SUID bit but not the SGID bit on an executable file. The other way is the symbolic code s in conjunction with u or g. With u it sets the SUID bit,
and with g it sets the SGID bit, and you can set both at once. So for example, chmod u+s myprogram sets the SUID bit on myprogram, whereas chmod ug-s myprogram removes both the SUID and SGID bits from it. Ordinarily you don't need to set or remove these bits yourself; your package manager sets them correctly when it installs or upgrades a program. But if you're doing in-depth work as an administrator you may need to set them once in a while, and that's why we're presenting it here. Keep in mind that a SUID root binary runs with root's privileges for anyone allowed to execute it, so a bug in such a program is a path to privilege escalation; knowing which files on a system carry these bits is a routine security check.
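As an added example (not part of the original lesson), the script below does the audit a practitioner would do after this section: it finds every regular file under a tree with the SUID or SGID bit set, and it reads the bits back out of a permission string the way ls -l prints it. It builds a constructed scratch tree with one file per combination, so the file names and contents are made up for the demo.

```bash
#!/bin/bash
# Added example: find SUID/SGID files and read the bits from a mode string.
set -e

# special_exec_files ROOT: print regular files under ROOT carrying SUID or
# SGID. "-perm -4000" means "all of these bits are set"; -xdev keeps find
# on the starting filesystem so a scan of / doesn't wander into /proc or
# network mounts.
special_exec_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# special_from_string MODE: given a 10-character mode string such as
# "-rwsr-xr-x" (as shown by ls -l or stat -c %A), print suid, sgid,
# suid,sgid or none. Position 4 is the owner's execute slot, position 7
# the group's. Uppercase S means the special bit is set without execute,
# which is almost always a configuration mistake, so it is still reported.
special_from_string() {
    local owner_x group_x out=""
    owner_x=$(printf %s "$1" | cut -c4)
    group_x=$(printf %s "$1" | cut -c7)
    case $owner_x in s|S) out=suid ;; esac
    case $group_x in s|S) out="${out:+$out,}sgid" ;; esac
    echo "${out:-none}"
}

# audit_demo: build a constructed scratch tree with one file per
# combination and print how many files the scan flags (expected: 3 of 4).
audit_demo() {
    local work f
    work=$(mktemp -d)
    for f in suid sgid both plain; do
        printf '#!/bin/sh\necho %s\n' "$f" > "$work/$f.sh"
    done
    chmod 4755 "$work/suid.sh"      # octal form:    -rwsr-xr-x
    chmod 2755 "$work/sgid.sh"      # octal form:    -rwxr-sr-x
    chmod 0755 "$work/both.sh"
    chmod ug+s "$work/both.sh"      # symbolic form: -rwsr-sr-x
    chmod 0755 "$work/plain.sh"     # no special bits
    [ "$(stat -c %A "$work/both.sh")" = -rwsr-sr-x ] || return 1
    special_exec_files "$work" | wc -l | tr -d ' '
    rm -rf "$work"
}

audit_demo
```

To audit a real host, run special_exec_files / as root (as an ordinary user you'll get permission-denied noise on stderr for directories you can't read) and repeat it for each separately mounted filesystem, since -xdev stops at mount boundaries. Compare the result against what your distribution's packages are expected to ship; an unexplained SUID root file is something to investigate.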
- Hiding Files and Directories
If you're a Windows user, you may be familiar with the concept of a hidden attribute. It hides a file from view in file managers and, by default, from the Windows dir command, and most programs won't show it. Linux has something analogous, but it isn't a dedicated file system feature. Instead, Linux uses a file naming convention: any file whose name begins with a dot is hidden from view. So if I use the ls command to list a directory and I have a file named myfile.txt, it shows up; but a file named .myfile.txt does not. Most file managers and file dialog boxes also hide such files, which are commonly referred to as dot files.
This practice isn't universal, though. Many user programs take advantage of it to keep their configuration files from cluttering up your display; they simply name them .whatever. Dot files can be viewed in several different ways depending on the program you're using. Some graphical tools have a checkbox that tells them to display dot files. At the command line you use the -a option with the list command, so ls -a shows the hidden files and directories too.
When you do this, you'll notice two hidden directories right off the bat: . and .. The . directory refers to the current directory you're in, and .. refers to the parent directory, the one right above where you are. Note that if you rename a file so that it begins with a dot, that hides it, but it may also make the file inaccessible to programs that reference it by the original name, because now instead of asking for myfile they need to ask for .myfile. Speaking of the ls command, there's another option you should be familiar with: -d.
When you're working in a directory that holds a lot of subdirectories and you run ls with a wildcard, the pattern may match one or more of those subdirectories. That can give you unexpected output: ls shows the files inside the matched subdirectories rather than information about the subdirectories themselves. If you want the directories listed as entries instead of having their contents listed, add the -d option, which tells ls to report the directory itself. Hopefully this is helpful to you as you move forward in your Linux studies.
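The following added example, not from the original lesson, builds a constructed scratch directory and demonstrates the three behaviors above: what ls hides versus what ls -a shows, how to enumerate the dot entries directly (the command shape an investigator uses when looking for files someone tucked out of casual view), and the difference between ls sub1 and ls -d sub1. All names in it are made up for the demo.

```bash
#!/bin/bash
# Added example: dot files vs ls -a, and ls -d on a directory argument.
set -e

# hidden_entries DIR: names of the dot entries directly inside DIR, without
# the . and .. that ls -a would also show, one per line, sorted.
hidden_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' -exec basename {} \; | sort
}

# count_lines CMD...: run a command and count its output lines.
count_lines() { "$@" | wc -l | tr -d ' '; }

# listing_demo: build a constructed directory tree and print one line:
#   <ls count> <ls -a count> <hidden names> <ls sub1> <ls -d sub1>
# Expected: "2 6 .bashrc,.cache inner.txt sub1"
#   ls        sees notes.txt and sub1 only (2 entries)
#   ls -a     adds ., .., .bashrc and .cache (6 entries)
#   ls sub1   descends and lists the contents (inner.txt)
#   ls -d sub1 reports the directory entry itself (sub1)
listing_demo() {
    local work
    work=$(mktemp -d)
    ( cd "$work" &&
      mkdir sub1 .cache &&
      touch notes.txt .bashrc sub1/inner.txt &&
      printf '%s %s %s %s %s\n' \
          "$(count_lines ls)" \
          "$(count_lines ls -a)" \
          "$(hidden_entries . | paste -sd, -)" \
          "$(ls sub1)" \
          "$(ls -d sub1)" )
    rm -rf "$work"
}

listing_demo
```

hidden_entries works on any directory you can read, so hidden_entries ~ or hidden_entries /var/www is a quick way to see every dot file or dot directory that a plain ls in that location is silently skipping.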
- Setting Permissions
In the last video, I showed you how we could change the ownership to different users and groups using the chown command. In this lesson, we're going to take it a step further and start setting permissions on those files. So if you notice here, I have foo1.txt, foo2.txt and the foodir directory. On foo1.txt, tim owns the file but the group diontraining has access to it. On the next one, tim is the owner and staff is the group. And on foodir, diontraining is the owner and staff is the group. Now if we look at the permissions on the far left side, you're going to see those r's, w's and x's.
Based on those, certain people have access to these files and can do certain things with them. Before we get started, I want to take ownership of that first file, foo1.txt, back to diontraining. So I'll type chown diontraining foo1.txt and hit Enter. Now I'll do the same thing for foo2.txt. If I do ls -la, you'll see that diontraining owns all of these files once more, but the last two, foo2.txt and foodir, still have staff as their group. That's okay for right now. As we look at these permissions, remember the r's, w's and x's. Any time we have an r, I want you to think of that as a 4.
Any time we have a w, think of that as a 2, and any time we have an execute, x, that's a 1. Add these up in different combinations and you get the different permission values. For example, with foo1.txt, if we look at the first three characters we have an r, a w and a dash. That's 4 plus 2 plus the dash, which is 0, so we get a 6 for the first digit. Then the group has read but no write and no execute, so that's a 4. Then everybody else on the system can read the file but can't write or execute it, so that's another 4. That gives us 644.
Now if I wanted someone to be able to read, write and execute it, that would be a 7, and if I wanted all three to be able to do that, myself as the owner, the group, and everybody else on the system, I'd use 777. To do that, I use the chmod command. Let's take a look at the chmod man page real quick. Here you can see that chmod takes an octal mode, those numbers like 777 or 644, followed by a file name. You can also give chmod a symbolic mode, where you spell out the r's, w's and x's.
It's a little easier to remember by typing out the letters, but there are nine of them, three for the owner, three for the group and three for everybody else, so that gets to be a lot, which is why we use the numbers instead. As you go through this man page, it gives you lots of information, telling you all about setuid and setgid and everything we talked about in our lessons. So let's go back and use chmod. First I'll clear my screen, then do my listing, and I'll work with foo1.txt first. I want to make it so everybody has access to read it, write it and execute it.
That would be what? 777. Then I tell it foo1.txt is the file and hit Enter. Now if I list it again, we should see rwxrwxrwx, and we do. That looks good. The funny thing here is that it's now an executable file, but it's just a text document, so we really don't want that, do we? So we want to take away everyone's ability to execute it. What if I wanted the owner to be able to read and write it, the group to read and write it, and everybody else just to read it? I can do that with chmod as well, using the symbolic mode: u=rw,g=rw,o=r.
Typing that out is a lot of typing, though, so I can replace it with numbers. Let's chmod foo1.txt to something close to what foo2.txt has: read and write but no execute for me, which is a 6 because reading and writing is 4 plus 2; read for the group, which is a 4; and let's say just write for everybody else, which is a 2. So in this case I can use 642: read and write but not execute for the owner,
read for the group, and write only for everybody else. Then I give it foo1.txt. Now if we do ls -la, what do we get? Exactly what we asked for: rw- for the owner, r-- for the group and -w- for everybody else. But that's kind of silly, because we wouldn't want everybody else to write a file they can't read, right? So let's change it to match foo2.txt with chmod 644 foo1.txt, because that's the permission set foo2.txt has, and now the two match. The other thing we need to talk about here is the sticky bit, which we covered in the lesson as well.
If you want to set the sticky bit, you put a 1 in front of whatever mode you're setting with chmod. So if I wanted to add the sticky bit to foo1.txt, I'd use chmod 1644 foo1.txt. If I do ls -la after that, what do you see? There's a T all the way on the right side of the permission string; that T is the sticky bit, which we just turned on with the leading 1. It's a capital T because everybody else has no execute permission on this file; if they did, it would show as a lowercase t. Now if I want to turn it off, I go back and put a 0 in front instead, chmod 0644 foo1.txt, and if I do ls -la the T is gone; the sticky bit is no longer there. That's how you turn the sticky bit on and off like we discussed in the lesson. One caveat: on Linux the sticky bit only has an effect on directories, so setting it on a regular file like this changes the listing but not how the file behaves.
There's a lot more to permissions, and I do recommend taking a little time to look through the chmod man page. What we did here covers the highlights of how you can set these permissions, but by going through the man page and learning more about it, you're going to become a much better system administrator. I recommend setting up some files and folders and playing with chmod and chown to see what you can do. The more you type these commands, the more fluent you're going to get, and the more these numbers, 755, 777, 644, are going to make sense, as opposed to just memorizing them. It's going to make a lot more sense as you play with it and get used to it.
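The 4/2/1 arithmetic above is exactly what a small converter does, so here is an added example (not from the original lesson) that turns a permission string as printed by ls -l into its four-digit octal mode, covering the s, S, t and T special positions from the earlier sections as well as r, w and x. It then replays the chmod sequence from this demo (777, 642, 644, 1644, 0644) on a constructed foo1.txt in a scratch directory and checks, at each step, that the string in the listing converts to the mode GNU stat reports. The file name and directory are made up for the demo.

```bash
#!/bin/bash
# Added example: turn an ls -l permission string into its octal mode,
# then replay the chmod sequence from the demo and check each step.
set -e

# rwx_to_octal MODE: convert a 9-character permission string, or the
# 10-character form with a leading type character (-, d, l, ...), into a
# four-digit octal mode. r=4, w=2, x=1 in each triplet. In the execute slot
# a lowercase s or t means "special bit plus execute", an uppercase S or T
# means "special bit without execute". The leading digit is
# suid 4 + sgid 2 + sticky 1, taken from the owner, group and other slots.
rwx_to_octal() {
    local s special digits pos weight r w x v
    s=$1; special=0; digits=""; pos=1
    case ${#s} in
        10) s=${s#?} ;;                  # drop the file-type character
        9)  ;;
        *)  echo "bad mode string: $s" >&2; return 1 ;;
    esac
    for weight in 4 2 1; do             # special-bit weight for this triplet
        r=$(printf %s "$s" | cut -c"$pos")
        w=$(printf %s "$s" | cut -c"$((pos + 1))")
        x=$(printf %s "$s" | cut -c"$((pos + 2))")
        v=0
        [ "$r" = r ] && v=$((v + 4))
        [ "$w" = w ] && v=$((v + 2))
        case $x in
            x)   v=$((v + 1)) ;;
            s|t) v=$((v + 1)); special=$((special + weight)) ;;
            S|T) special=$((special + weight)) ;;
        esac
        digits="$digits$v"
        pos=$((pos + 3))
    done
    echo "$special$digits"
}

# mode_of PATH: the kernel's view of the mode, as four octal digits.
mode_of() { printf '%04o\n' "0$(stat -c %a "$1")"; }

# demo: apply the modes from the lesson to a constructed foo1.txt and
# confirm that converting the listed string gives the mode stat reports.
demo() {
    local work f m
    work=$(mktemp -d)
    f="$work/foo1.txt"
    : > "$f"
    for m in 0777 0642 0644 1644 0644; do
        chmod "$m" "$f"
        [ "$(mode_of "$f")" = "$m" ]                         || return 1
        [ "$(rwx_to_octal "$(stat -c %A "$f")")" = "$m" ]    || return 1
    done
    rm -rf "$work"
    echo ok
}

demo
```

When you feed rwx_to_octal a string copied from ls -l on a system with SELinux labels or ACLs, strip the eleventh character (the trailing . or +) first; the function deliberately rejects anything that isn't 9 or 10 characters rather than guessing.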