Upload: zahirhussian

Post on 18-Nov-2014


Setting File and Directory Permission in Unix/Linux

Written by munawer_hassan - 2005-08-14 04:21

Before setting permissions on files and directories you have to check the current permissions, so that you can verify the changes afterwards. To view the permissions of a file or directory, issue the following command:

ls -l

This shows files in long format, i.e.:

-rw-r--r-- 1 root adm 4096 May 15 16:20 MyText

The first character (-) shows the file type; here it means a regular file. The other common value is d (directory).

The next three characters (rw-) are the permissions of the owner/creator of the file/directory.

The next three characters (r--) are the permissions of the group the file/directory belongs to, and the last three characters (r--) are the permissions of everyone else.

The next field (1) shows the number of links in the case of a file, or the number of subdirectories and files in the case of a directory.

root is the user name of the owner/creator of the file.

adm is the group the file belongs to.

4096 is the size of the file in bytes.

May 15 16:20 is the date and time the file/directory was last accessed/created/modified.

Finally, MyText is the name of the file.

A file/directory may have the following permissions:

1. r (Read)
2. w (Write)
3. x (Execute)

There are other file permissions in Unix/Linux, but they are beyond the scope of this document.

Permissions can be defined for:

1. u (user: the owner/creator of the file/directory)
2. g (group: members of the group the file/directory belongs to)
3. o (others: users who are neither the owner nor members of the file's group)
4. a (all)

Permission assignment can be made using:

1. (+) to grant a permission
2. (-) to revoke a permission
3. (=) to assign the given permissions as the only permissions

Permissions can be defined in two fashions:

1. Symbolically
2. Numerically

Symbolic Method

In this method each permission and user type is specified using the special characters discussed above.

Syntax: chmod [who][operator][permissions] file. The examples below start from this listing of MyText:

--w-r--r-- 1 root adm 4096 May 15 16:20 MyText

chmod u+r MyText (the owner now has read permission, i.e. -rw-r--r--)

chmod a-w MyText (write permission is taken back from all users: -rw-rw-rw-)

chmod g=x MyText (all group permissions are taken back and execute is assigned as the only permission for the group, i.e. -rw---xr--)

chmod o+wrx MyText (others get rwx, i.e. -rw---xrwx)

Numeric Method

The numeric method can be understood from the following table:

Permission         User       Group      Other
Read (r) = 4       Yes        No         Yes
Write (w) = 2      No         No         Yes
Execute (x) = 1    Yes        Yes        Yes
Sum                4+0+1=5    0+0+1=1    4+2+1=7

--w-r--r-- 1 root adm 4096 May 15 16:20 MyText

chmod 517 MyText (i.e. -r-x--xrwx)

chmod 235 MyText (i.e. --w--wxr-x)

chmod 777 MyText (i.e. -rwxrwxrwx)

This is a quick method for assigning permissions. The mode consists of four digits; a leading zero is automatically placed on the left, i.e. 517 is interpreted as 0517. The first digit defines special types of permission which are not discussed here, so always use three digits instead of four. Note that each digit must be in the range 0-7, as 0 is the minimum and 7 is the maximum sum of permissions.

File Permissions

A file may have the following basic permissions:

1. Read (the contents can only be viewed, not altered)
2. Write (the contents can be written/altered)
3. Execute (the file can be run as an executable)

The combined effect of the file permissions can be seen in this table:

Permissions   Read   Write   Execute
---           No     No      No
--x           No     No      Yes
-wx           No     Yes     Yes
rwx           Yes    Yes     Yes
rw-           Yes    Yes     No
r--           Yes    No      No
-w-           No     Yes     No

Directory Permissions

Directory permissions are somewhat different from file permissions:

1. Read (the contents can be listed)
2. Write (files/sub-directories can be created/deleted/modified)
3. Execute (the user can move into the directory)

The combined effect of the directory permissions can be seen in this table:

Permissions   List contents   Create/delete/modify contents   Move into directory
---           No              No                              No
--x           No              No                              Yes
-wx           No              Yes                             Yes
rwx           Yes             Yes                             Yes
rw-           Yes             Yes                             No
r--           Yes             No                              No
-w-           No              Yes                             No

Quick and Dirty Guide to Linux File Permissions

Written by bulliver - 2003-07-12 23:36

One of the most confusing issues for Windows defectors is that of file permissions. Home-user Windows systems have no concept of file ownership, which depending on your situation, can be a good or bad thing. You need to keep in mind that Linux is at heart a Unix system, and Unix is built to support multiple users. Even on a home computer permissions are a useful feature which allow you to block sensitive files from being edited, or even read by non-authorized people.

To further illustrate this point, consider your old Windows box. You might have spent hours or days getting your preferences and settings just right, only to find that the next time you sit down at the computer somebody has changed the widget colours to an ungodly lemon yellow, and changed the system time to GMT when you live in New York. Another example: You spend all weekend putting the finishing touches on a report for your boss, but unfortunately it is lost forever because your child has just discovered the joy of "delete". Oops.

These examples may be a bit extreme, but suffice it to say that ensuring your files don't get 'accidentally' deleted, or viewed by the wrong eyes, provides a great deal of comfort.

overview

In a nutshell, there are three types of permissions, and three entities that receive these permissions. As a quick example type 'ls -l' in a directory. Any directory. You should see something like this:

-rwxr-xr-x 1 bulliver web 664 Feb 9 02:28 ip2name.pl
-rw-r--r-- 1 bulliver web 1704 Feb 1 07:29 letter.dvi
-rw-r--r-- 1 bulliver web 1185 Feb 5 19:16 letter.latex
-rwxrwxrwx 1 bulliver web 192 Feb 14:55 darren_says

What we are interested in is the cryptic 'r's 'w's and 'x's on the left side. You may already know that these are the permissions of the respective files. So what do they mean?

'r' : 'read' permission. This allows you to read, view, or otherwise open the file depending on context.

'w' : 'write' permission. This allows you to edit or delete the file.

'x' : 'execute' permission. This allows you to run the file as a program.

So who receives these permissions? We have three entities: owner, group, and other.

owner: Typically the owner is the person who creates the file. The majority of system files are owned by root, ensuring that mortal users cannot erase or edit important system settings.

group: Groups create a way to share files between users, for example, a team of designers who are working together on a project. Groups may also be used to allow access to certain devices, such as CDROMs or printers, to regular users.

other: As the name implies, this permission applies to everybody else. We need to pay particular attention to this permission because if it is set to read or write then anybody can view, edit, or delete the file.

Looking back to our 'ls -l' example you can see that there are 10 slots in the listing. The first slot is usually just a dash (-) which tells us it is a regular file. Sometimes it is a 'd' for directory, 'l' for link, or 'c' for character device. We don't need to worry about that right now. The other 9 slots are our three permissions for our three entities. The first three are for the owner, then group, then other. Perhaps an example:

-rwxrw-r-- 1 bulliver web 192 Feb 6 14:55 darren_says

In this example we can see that the first three are 'rwx' which means the owner of the file can read, write or execute it. The group can read and write (rw-), and everybody else is limited to viewing the file (r--). In this particular example we can see that the file's owner is 'bulliver', and the file's group is 'web'.

ownership and groups :: chown and chgrp

To change the owner of a file, we use the chown command. The format is 'chown [new owner] file'. To change the file's group, we use the chgrp command. The format is the same 'chgrp [new group] file'. To save some typing we can change both in one shot using the dot notation: 'chown [new owner].[new group] file'. Let's have some examples:

[root@localhost]$ ls -l anyfile
-rw-rw-r-- 1 bulliver web 192 Feb 6 14:55 anyfile
[root@localhost]$ chown root anyfile
[root@localhost]$ ls -l anyfile
-rw-rw-r-- 1 root web 192 Feb 6 14:55 anyfile
[root@localhost]$ chgrp bozo anyfile
[root@localhost]$ ls -l anyfile
-rw-rw-r-- 1 root bozo 192 Feb 6 14:55 anyfile
[root@localhost]$ chown bulliver.web anyfile
[root@localhost]$ ls -l anyfile
-rw-rw-r-- 1 bulliver web 192 Feb 6 14:55 anyfile

Not much to this, right? Let's move on to something complicated.

permissions and chmod

A file's permissions are also known as its 'mode' to gurus and Linux geeks, so to change them we use the 'chmod' command (change mode). There are two ways of specifying the new permissions using chmod: symbolic and absolute.

absolute mode: Because you are dying with suspense, I will just tell you that absolute mode is the one with the numbers. You can use simple arithmetic to arrive at the permission you are looking for. Consider:

|         owner          |         group          |        everyone        |
| read | write | execute | read | write | execute | read | write | execute |
| 400  | 200   | 100     | 40   | 20    | 10      | 4    | 2     | 1       |

So you just add the appropriate mode numbers to arrive at your desired permission. It may be easier to consider each entity as a single digit, in the usual order (owner group other). As always, this theory is best understood with some examples. Let's imagine a hypothetical file named 'myscript'. 'myscript' is a shell script that we are writing that performs a useful function. When we first create it we don't want others to mess around with it, so we set some restrictive permissions while writing it:

[joe@localhost]$ chmod 600 myscript
[joe@localhost]$ ls -l myscript
-rw------- 1 joe user 192 Feb 6 14:55 myscript

Now let us imagine that we need some help with our script, so we make it available to our programmer friend, who just happens to belong to a group called 'web'. We need to change the group, and change the group permissions:

[joe@localhost]$ chgrp web myscript
[joe@localhost]$ chmod 660 myscript
[joe@localhost]$ ls -l myscript
-rw-rw---- 1 joe web 192 Feb 6 14:55 myscript

Our script is now almost done, and we want to test it. We need it to be executable:

[joe@localhost]$ chmod 770 myscript
[joe@localhost]$ ls -l myscript
-rwxrwx--- 1 joe web 192 Feb 6 14:55 myscript

Our script is now perfect. We are going to make the script available for all users to run, and we want them to be able to see our handiwork, so we'll let everybody read and execute it. We don't want users changing it, however, so they don't get write permission:

[joe@localhost]$ chmod 775 myscript
[joe@localhost]$ ls -l myscript
-rwxrwxr-x 1 joe web 192 Feb 6 14:55 myscript

This should give you a good working knowledge of absolute mode. Just remember that to get your permission, add the appropriate mode numbers.

SETUID

Normally, when a program is run it inherits all the rights/restrictions of the user that executed it. If a user can't read /var/log/messages, then neither can any program/script executed by that user. There is a way around this: we again use the chmod command but add a '4' at the beginning of the permission string, for example:

chmod 4755 myscript

This would execute 'myscript' with the permissions of the file's owner (such as root, if the file is owned by root), and not those of the normal user executing 'myscript'. As you can imagine, this should be used sparingly if at all, as it defeats the normal permission structure and can lead to security issues.

SETGID

The setgid bit works the same way, except that instead of applying to the file's owner, it applies to the file's group setting. The chmod command is used again, prefixing a '2' as the first digit.

chmod 2755 myscript

relative mode

As the name implies, relative mode only changes permissions relative to the current permissions. That is, you can add or remove permissions from the existing ones. The format is pretty much the same as absolute mode: 'chmod [new_mode] file'. It is only the mode that is different.

We have three parts, which for lack of better terms, are '[entity][operator][permissions]'. The entities describe who gets the permissions. They are:

'u': user, the file's owner
'g': group, the file's group
'o': other, everybody else
'a': all, all three together

The operators decide whether we add, remove, or emulate absolute mode (ie: describe permissions from scratch). They are:

'+': add permissions
'-': remove permissions
'=': emulate absolute mode

The permissions we have seen already, they are nothing new:

'r': read permission
'w': write permission
'x': execute permission

There are actually quite a few more options available, but they should not be necessary for casual use. If you are really curious I direct you to 'man chmod'. Perhaps some more examples are in order.

chmod a+x filename    # adds execute permission for all
chmod u+x filename    # adds execute permission for the file's owner
chmod ug+w filename   # adds write permission for the file's owner and group
chmod o-rwx filename  # removes read, write, and execute permissions from other
chmod a=rx filename   # creates a 555 permission from scratch

As you can see pretty much any combination is valid as long as you follow the '[entity][operator][permissions]' formula.

THE STICKY BIT

Linux directory access permissions say that if a user has write permission on a directory, they can rename or remove files there, even if the files don't belong to them. When the owner of the directory sets the sticky bit, renames/removals are only allowed by the file's owner, the directory's owner and the root user.

chmod +t /tmp      to set the sticky bit
chmod -t /tmp      to remove the sticky bit
or
chmod 1755 /tmp    prefix a '1' to set the sticky bit

Setting the sticky bit on files was once used to force a copy of the file to stay in swap space, in an attempt to speed execution the next time the file was used. This hasn't been used in quite some time, due to advances in memory management. You can still set the sticky bit on a file, but the kernel will just ignore it.
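The mode arithmetic that both file-permission articles describe (the symbolic [who][operator][permission] clauses and the numeric modes, including the 4/2/1 prefixes for setuid, setgid and the sticky bit), implemented as a small calculator that renders its results the way 'ls -l' shows them. This is an added example, not code from either article; it treats an empty 'who' as 'a' and ignores chmod's umask handling and GNU chmod's special treatment of setgid on directories for numeric modes (assumed simplifications).

```python
"""chmod mode calculator for the symbolic [ugoa][+-=][rwxst] and numeric (3- or
4-digit octal) forms described above, rendered as 'ls -l' shows them.  Added
example, not code from either article.  Simplification: an empty 'who' is taken
as 'a' (real chmod also leaves bits that are set in the umask untouched)."""
import re
import stat

# Permission bits per entity, in ls order: owner (u), group (g), other (o).
RWX = {
    "u": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "g": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "o": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}
# Special bits: 's' is setuid in the owner slot and setgid in the group slot;
# 't' (the sticky bit) lives in the 'other' slot, so 'u+t' is a no-op.
SPECIAL = {
    "u": {"s": stat.S_ISUID},
    "g": {"s": stat.S_ISGID},
    "o": {"t": stat.S_ISVTX},
}


def parse_ls_mode(text):
    """Turn an 'ls -l' permission string such as '-rw-r--r--' into mode bits."""
    if len(text) != 10:
        raise ValueError("expected a 10-character ls mode string")
    mode = 0
    for who, chunk in zip("ugo", (text[1:4], text[4:7], text[7:10])):
        for ch in chunk:
            if ch in "rwx":
                mode |= RWX[who][ch]
            elif ch != "-":                      # s/S or t/T
                mode |= SPECIAL[who][ch.lower()]
                if ch.islower():                 # lowercase: the x bit is set too
                    mode |= RWX[who]["x"]
    return mode


def parse_octal(text):
    """Numeric mode: 1-4 octal digits; '517' is read as '0517'."""
    if not 1 <= len(text) <= 4 or set(text) - set("01234567"):
        raise ValueError("octal mode must be 1-4 digits in the range 0-7")
    return int(text, 8)


def apply_clause(mode, clause):
    """Apply one symbolic clause such as 'u+r', 'g=x', 'o+wrx', 'a-w' or '+t'."""
    m = re.fullmatch(r"([ugoa]*)([-+=])([rwxst]+)", clause)
    if not m:
        raise ValueError(f"malformed clause {clause!r}")
    who, op, perms = m.groups()
    who = "ugo" if not who or "a" in who else who
    affected = value = 0          # '=' clears every bit of the named entities
    for w in who:
        affected |= sum(RWX[w].values()) | sum(SPECIAL[w].values())
        for p in perms:
            value |= RWX[w].get(p, 0) | SPECIAL[w].get(p, 0)
    if op == "+":
        return mode | value
    if op == "-":
        return mode & ~value
    return (mode & ~affected) | value


def chmod(mode, spec):
    """Apply a chmod mode spec: numeric, or comma-separated symbolic clauses."""
    if spec.isdigit():
        return parse_octal(spec)
    for clause in spec.split(","):
        mode = apply_clause(mode, clause)
    return mode


def render(mode, is_dir=False):
    """Show a mode the way 'ls -l' does, e.g. 0o4755 -> '-rwsr-xr-x'."""
    kind = stat.S_IFDIR if is_dir else stat.S_IFREG
    return stat.filemode(kind | (mode & 0o7777))


if __name__ == "__main__":
    mode = parse_ls_mode("--w-r--r--")   # the first article's listing of MyText
    for spec in ["u+r", "g=x", "o+wrx", "517", "235", "777", "a=rx", "4755", "2755"]:
        mode = chmod(mode, spec)
        print(f"chmod {spec:<5} MyText -> {render(mode)}")
    print(f"chmod 1755  /tmp   -> {render(chmod(0, '1755'), is_dir=True)}")
```

Running it prints the MyText sequence from the first article followed by this article's a=rx, 4755 and 2755 examples in ls -l form; note that 'u=rw' on a 4755 file also clears the setuid bit, because '=' replaces every bit of the named entity.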

Well, I hope this has helped you get a handle on Linux file permissions. It's really not as hard as it might seem. That's all for now, happy chmoding to you!

By Azmeen on Wed, 2003-08-20 20:40

This article can be improved by touching on the chattr command as well :)

By mlp68 on Wed, 2003-09-17 00:13

I see that the comments have dried up some time ago...

One suggestion, one comment: You could add some sentences about umask and what it does.

The comment is about this suid- "myscript" thing. I know it's just to show the recipe, but it suggests that it's ok to have such a script, while it's not. ("'myscript' is a shell script that we are writing that performs a useful function.") The target here are people new to Linux, and they may not know better. Fundamentally, such a script cannot be made unexploitable (path issues. temp file issues. IFS issues. Remaining race conditions that cannot be fixed. And so on and so on.) Because of that, the Linux kernel will not honor the suid bit for scripts, so on linux one is safe. But Solaris has no such inhibitions, for example.

Just my 5cts on this peripheral issue. Nice article!

mlp

By king_nothingzzz on Fri, 2004-01-16 01:48

Quote:

Originally posted by mlp68

The comment is about this suid- "myscript" thing. I know it's just to show the recipe, but it suggests that it's ok to have such a script, while it's not. ("'myscript' is a shell script that we are writing that performs a useful function.") The target here are people new to Linux, and they may not know better. Fundamentally, such a script cannot be made unexploitable (path issues. temp file issues. IFS issues. Remaining race conditions that cannot be fixed. And so on and so on.) Because of that, the Linux kernel will not honor the suid bit for scripts, so on linux one is safe.

Firstly, I think that this is a very informative article. I really appreciate the author's help towards people who are new to Linux. This covers pretty much everything that one needs to know about file permissions for basic usage.

Secondly, I think all that bashing from mlp68 was totally unwanted. As far as I know, no newbie will even think about 'myscript'; they will concentrate on how to go ahead setting file permissions. I'm saying this from a newbie's point of view. I'm not a Linux 'Guru', but certainly not a newbie.

I know how a newbie (with considerable IQ) will think while reading the article and what he/she concludes from it.

I mean, how many newbies do you know who know anything about path issues, temp file issues, IFS issues etc.?

Once again, I say that this is a very good article.

Cheers

King Nothing

By mlp68 on Fri, 2004-01-16 18:14

I wouldn't call my comment "bashing" - it's just a friendly comment.

M.

By king_nothingzzz on Sat, 2004-01-17 01:25

Maybe *bashing* was an inappropriate word, but it did look like that to me.

No offense, but still all those things that you said were not necessary.

King Nothing

By bulliver on Fri, 2004-04-30 01:22

I didn't consider it bashing; in fact I'm still trying to figure out what the hell mlp68 is talking about. It was just a random example, and I used the 'myscript' thing because I wanted to fit chmod +x into the example. Wouldn't work with an image or mp3 in the example, would it :).

BTW I just wanted to say that I did not add the parts about suid or the sticky bit; they were added by whoever proofread the article prior to posting it here.

Cheers folks....

By mlp68 on Fri, 2004-04-30 13:55

Hi Bulliver,

first off, sorry if others perceived my comment as bashing. It's a great and well-written article. I was just referring to that paragraph:

Quote:

SETUID

Normally, when a program is run it inherits all the rights/restrictions of the user that executed it. If a user can't read /var/log/messages, then neither can any program/script executed by that user. There is a way around this: we again use the chmod command but add a '4' at the beginning of the permission string, for example:

code: chmod 4755 myscript

This would execute 'myscript' with the permissions of the file's owner (such as root, if the file is owned by root), and not those of the normal user executing 'myscript'. As you can imagine, this should be used sparingly if at all, as it defeats the normal permission structure and can lead to security issues.

You say the right warning words, but since the Linux kernel doesn't honor the SUID bit for scripts at all (because of the security flaws I listed, and some more), this wouldn't work. But worse, other flavors of Unix don't have those inhibitions about suid scripts, and that's where it could become dangerous (that's why I said a novice could take away from here that it is ok, while it's not). You can have a suid (or guid) executable, but not a script.

Have a look at http://www.phrack.org/phrack/47/P47-05 (question 10) which I just googled. It has a nice summary and explanation of the 4 easiest exploits. (There are more.)

Again, I didn't mean to diminish your great article, just point out this thing. Sorry if it came across the wrong way.

mlp

By thrice on Fri, 2004-05-14 00:46

I think it's a great article. I've never really understood how absolute modes worked because the explanations I've read ramble on about bits and such, but your illustration made it very simple. Thanks again.

By bulliver on Fri, 2004-05-14 01:38

Thanks man, means a lot...

MySQL root password recovery

Written by Boby - 2004-11-15 16:40

This tutorial is written in two ways: one for MySQL compiled from source and one for MySQL installed from an RPM [tested only in Fedora]. It's not a big deal, but I hope it is accessible also to newbies, because the directories change between the two examples.

--------------------
If you compiled MySQL by yourself, go this way:

Maybe you have to change the directory where you installed MySQL (here it's /usr/local/mysql/).

1. Gain root access to your Linux system

[boby@space boby]$ su -
Password:
[root@space root]#

2. First you have to stop the daemon

[root@space root]# /etc/init.d/mysql.server stop
[root@space root]#

3. You will now start MySQL in safe mode without reading the grant tables (which hold all MySQL database passwords), and you will also disable networking. The "safe_mysqld" command does this trick for you.

[root@space root]# /usr/local/mysql/bin/safe_mysqld --user=mysql --skip-grant-tables --skip-networking &
[root@space root]#

4. The "mysqladmin" command can now reset the root password. In this case we are setting it to "newpassword".

[root@space root]# /usr/local/mysql/bin/mysqladmin -u root flush-privileges password "newpassword"
[root@space root]#

5. And finally restart the daemon

[root@space root]# /etc/init.d/mysql.server restart
[root@space root]#

6. You can now use your new root password

[root@space root]# /usr/local/mysql/bin/mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 4.0.20-standard

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

--------------------
If you installed MySQL by RPM or use the package that comes with the distribution, go this way:

1. Gain root access to your Linux system

[boby@space boby]$ su -
Password:
[root@space root]#

2. First you have to stop the daemon

[root@space root]# /etc/init.d/mysqld stop
[root@space root]#

3. You will now start MySQL in safe mode without reading the grant tables (which hold all MySQL database passwords), and you will also disable networking. The "safe_mysqld" command does this trick for you.

[root@space root]# /usr/bin/safe_mysqld --user=mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --datadir=/var/lib/mysql --skip-grant-tables --skip-networking &
[root@space root]#

4. The "mysqladmin" command will now reset the root password. In this case we are setting it to "newpassword".

[root@space root]# mysqladmin -u root flush-privileges password "newpassword"
[root@space root]#

5. Stop the running daemon

[root@space root]# kill `cat /var/run/mysqld/mysqld.pid`

6. And finally restart it

[root@space root]# /etc/init.d/mysqld start
[root@space root]#

7. You can now use your new root password

[root@space root]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 4.0.20-standard

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

--------------------

Hope this helped you! Please post any mistakes or if I forgot something.

Boby

Breaking/RESETTING grub password

Written by gnukish - 2005-06-18 08:23

Courtesy: ThinkDigit Forums

This guide illustrates three methods to break the GRUB password.

===================================================
METHOD 1
===================================================

HOW TO RESET YOUR ROOT PASSWORD IF YOU FORGET IT

While booting (Red Hat), just press "e" in GRUB. You will find 3 lines of code. Go to the 2nd line, press "e" again and type "1" at the end, then press ENTER. Then press "b" and it will boot you into your shell. Just type "passwd" and change your ROOT password... you don't need to know the old one.

===================================================
METHOD 2
===================================================

"I, uh, forgot the root password"

Let's look at recovering the root password from the boot loader. If you're using GRUB, then, as GRUB loads up, highlight the Red Hat Linux entry on the GRUB menu and then press [E] to edit the boot configuration. Locate the following line, something that looks like this:

kernel /boot/vmlinuz-2.4.20-0.70 root=LABEL=/hdc=ide-scsi

Type the number '1' at the end. Doing so boots the PC into run level 1 (single user mode), where you're automatically logged in as root. This done, type 'passwd' at the prompt. You can enter a new password here.

===================================================
METHOD 3
===================================================

Question. I am doing a project on the Linux platform. Someone has added the GRUB password to the computer on which I am working and has also changed the root password. I can crack the root password, if there is no GRUB password, from the initial screen (i.e. from init 1); but not with the GRUB password set. While reading LinuxForYou, I saw your section and thought you may be able to help.

Answer. To break the GRUB start-up password, follow the steps given below:

1. Boot the system with the first Linux CD. At the boot prompt, type linux rescue to switch to rescue mode. In rescue mode you will be asked to follow steps similar to those of the installation. Once you get the # prompt, type the following command:

# chmod /mnt/sysImage

2. Edit the grub.conf file and remove the passwd line from the file. Save the file and exit.

3. Once your machine reboots, you will be able to start your Linux OS in the usual manner.

===================================================

By linuxprosun on Sat, 2005-09-03 04:17

hi,

after using the 1st CD in rescue mode, once it finds the Linux image you have to use

# chroot /mnt/sysimage --> currently, the Linux is virtual, and chroot changes the / to the original filesystem which is currently mounted on /mnt/sysimage

whereas chmod is used to change the file permissions

bye

prosun