4.5 manage file permissions and ownership v3
Core Linux for Red Hat and Fedora learning under GNU Free Documentation License - Copyleft (c) Acácio Oliveira 2012. Everyone is permitted to copy and distribute verbatim copies of this license document, changing is allowed.
System Administration
Slide 2: Key Knowledge Areas
Manage access permissions on regular and special files as well as directories. Use access modes such as suid, sgid and the sticky bit to maintain security. Know how to change the file creation mask. Use the group field to grant file access to group members.
Topic: Devices, Linux Filesystems, Filesystem Hierarchy Standard
Objective: Manage file permissions and ownership
Terms and Utilities: chmod, umask, chown, chgrp
Slide 3: Manage file permissions and ownership - Permissions
Permissions are for Superuser, User and Group.
Slide 4: Manage file permissions and ownership - Security levels
Slide 5: Manage file permissions and ownership - Configuring files
• User information is stored in two files: /etc/passwd and /etc/shadow
• Group information is stored in one file: /etc/group

/etc/passwd
List of user records, one per line, with columns separated by colons.
Format: login:x:userid:groupid:gecos:homedir:shell
Ex:
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
Slide 6: Manage file permissions and ownership - Configuring files

/etc/shadow
Similar to passwd: a colon-separated-column list of records.
Format: login:password:password aging fields
The aging fields track dates for password resets, locks, etc.
Ex:
root:pB8msP1fCbCqc:13904:0:99999:7:::
nisburgh:vRoPw6a/jQsp.:14466:0:99999:7:::

/etc/group
Same colon-separated-column list of records format.
Format: groupname:grouppassword:groupid:secondarymembers
Group passwords allow temporary access to a group; rarely used, not set up by default.
Ex:
daemon:x:2:root,bin,daemon
apache:x:48:jack,nisburgh
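As an added example (not part of the original slides), a small POSIX shell script that parses the /etc/passwd and /etc/group formats described on slides 5 and 6 with awk, using constructed sample records rather than the live files. One check lists every login whose uid field is 0 (only root should appear); the other resolves a group's full membership, which comes from two places: the primary gid field of passwd and the secondary-members field of group.

```shell
#!/bin/sh
# Added example, not from the original slides. The records below are
# constructed samples in the passwd/group formats; "toor" is a constructed
# second uid-0 account that the check should flag.

SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
jack:x:1001:48:Jack:/home/jack:/bin/bash
nisburgh:x:1002:1002:Nisburgh:/home/nisburgh:/bin/bash
toor:x:0:0:constructed duplicate uid 0:/root:/bin/bash
EOF
)

SAMPLE_GROUP=$(cat <<'EOF'
daemon:x:2:root,bin,daemon
apache:x:48:jack,nisburgh
nisburgh:x:1002:
EOF
)

# uid0_logins PASSWD: print every login whose numeric uid (field 3) is 0,
# space-separated. Anything other than "root" deserves investigation.
uid0_logins() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# group_members PASSWD GROUP NAME: every user of group NAME, i.e. users whose
# primary gid (passwd field 4) equals the group's gid, plus the group's
# secondary member list (group field 4). Sorted, unique, space-separated.
# Returns 1 when the group does not exist.
group_members() {
    passwd=$1 group=$2 name=$3
    gid=$(printf '%s\n' "$group" | awk -F: -v n="$name" '$1 == n { print $3 }')
    [ -n "$gid" ] || return 1
    {
        printf '%s\n' "$passwd" | awk -F: -v g="$gid" '$4 == g { print $1 }'
        printf '%s\n' "$group" | awk -F: -v n="$name" '$1 == n && $4 != "" { print $4 }' | tr ',' '\n'
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}
```

Note that jack is in apache twice over (primary gid 48 and the secondary list), which is why the two sources are merged with sort -u.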
Slide 7: Manage file permissions and ownership - Manage files with management commands

For /etc/passwd, /etc/shadow and /etc/group: while it is possible to edit the three files directly, it's easier and safer to use the management commands to create, modify and delete users and groups: useradd, usermod, userdel, groupadd, groupmod, groupdel.

useradd
Add a new user to the system. Accepts various arguments to control the settings on the user account. Most common are -g to specify the primary group of the user, and -G to list secondary group memberships.
Ex:
useradd lisa
useradd -g clowns -G trouble,simpson bart

usermod
Modify a user's settings.
Ex: usermod -G detention bart

userdel
Remove a user from the system. Main option is -r, which tells userdel to remove the user's home and spool directories.
Ex: userdel moe
Slide 8: Manage file permissions and ownership - Passwords

passwd
Change login password.
• Root can change the password for any user on the system
• Root can set up password aging, allowing for timed password resets and account disabling
• passwd is the preferred way to lock a user account
Ex: passwd -l mary

Password aging
• To set the maximum lifetime for a user's password: passwd -x days login
• When a user's password has expired, the number of days it can remain expired before the account is disabled completely can be set with: passwd -i days login
Slide 9: Manage file permissions and ownership - Permissions

Linux supports 3 main types of access on a file:
1. read: View the contents
2. write: Modify the contents and metadata
3. execute: Run the contents

Actually, it's different for files and directories:

Permission   Files                          Directories
Read         View the contents              List contents
Write        Change the contents/metadata   Create/delete entries, change metadata
Execute      Run the contents               Operate with directory as CWD

Combining these permissions allows for the most common access levels: read only; read/write; execute; etc.
Slide 10: Manage file permissions and ownership - Ownership and Permissions

All files are associated with one user and one group (ownership). This creates the foundation for the main security infrastructure in Linux (Unix).
When a process attempts an operation on a file, the user and group of the process (every process is associated with one user and one group) are compared with the user and group of the file, which determines what level of permissions is granted or denied on the file.
Every file has 3 levels of permissions:
• User
• Group
• Other
When a process seeks access, the process user is compared to the file user: if they match, the process gets the User permissions. Next the process group is compared to the file group; if they match, the Group permissions apply. If neither matches, Other level access applies.
All permission information is summarized with 9 characters: rwxrwxrwx
The presence of the letter indicates the permission is granted; a hyphen in its place indicates the permission is denied. Read only: r--r--r--
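The access decision described above, as an added shell example (not code from the original slides): pick the User, Group or Other triplet of a 9-character mode string for a given process identity, and convert a mode string to its octal form. The owner, group and process identities (alice, devs, bob, ...) are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original slides: apply the slide's access
# decision to a 9-character mode string such as rwxr-x---.
# Identities used with these functions are constructed sample values.

# triplet_to_octal TRIPLET: "rwx" -> 7, "r-x" -> 5, "---" -> 0
triplet_to_octal() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??x) v=$((v + 1)) ;; esac
    echo "$v"
}

# mode_to_octal MODE: "rwxr-x---" -> 750, "r--r--r--" -> 444
mode_to_octal() {
    u=$(triplet_to_octal "$(printf '%s\n' "$1" | cut -c1-3)")
    g=$(triplet_to_octal "$(printf '%s\n' "$1" | cut -c4-6)")
    o=$(triplet_to_octal "$(printf '%s\n' "$1" | cut -c7-9)")
    echo "$u$g$o"
}

# effective_perms MODE FILE_OWNER FILE_GROUP PROC_USER PROC_GROUPS
# PROC_GROUPS is the process's primary and secondary groups, comma-separated.
# Exactly one triplet applies, checked in order: owner match, then group
# match, else other. The first match is final even when a later triplet
# would be more permissive: an owner with --- is denied although the group
# triplet says rwx.
effective_perms() {
    mode=$1 fowner=$2 fgroup=$3 puser=$4 pgroups=$5
    if [ "$puser" = "$fowner" ]; then
        printf '%s\n' "$mode" | cut -c1-3
    elif printf ',%s,\n' "$pgroups" | grep -qF -- ",$fgroup,"; then
        printf '%s\n' "$mode" | cut -c4-6
    else
        printf '%s\n' "$mode" | cut -c7-9
    fi
}
```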
Slide 11: Manage file permissions and ownership - Directory and File permissions
Slide 12: Manage file permissions and ownership - Groups
Slide 13: Manage file permissions and ownership - chown
Slide 14: Manage file permissions and ownership - chgrp
Slide 15: Manage file permissions and ownership - chmod
Slide 16: Manage file permissions and ownership - chmod
Slide 17: Manage file permissions and ownership - chmod symbolic codes
Slide 18: Manage file permissions and ownership - chmod octal commands
Slide 19: Manage file permissions and ownership - umask
Slide 20: Manage file permissions and ownership - Permissions: /etc/passwd