Last Update: Sep 04, 2024 | Published: Jul 10, 2014
Using the Linux LS command to list files in a directory. (Image: Stuart Burns)
Looking at the output of the command, moving from left to right, you see the following characters: r, w, x or –. These are the security attributes for the file. The initial character is either a – or d. The d refers to a directory, which underneath it all is a special file. After that, there are nine characters that appear to have a lot of repetition of the rights mentioned above. The apparent repetition comes from the fact that this field contains the rights for not only the user who created the file, but also the user's group and lastly, everyone else, also known as “other.”
Following on with the next two text fields, “stuart stuart” refers to the owner and the group owner of the file, which is usually the same as the creator. The second instance is the group the file belongs to. You may be thinking “They are the same!” Well, they are, kind of. The last two items on the screenshot, going from left to right, perhaps stating the obvious, are the creation date and lastly the file name.
If we look at a Windows server box, we can see that the rights, although not identical, are very similar in nature to those offered by Linux. (See below.)
System file permissions settings in Windows Server 2008. (Image: Stuart Burns)
chmod 664 myfile.txt
This gives the user read and write permissions (remember: read is 4, write is 2) and everyone else just read permissions. This can be modified to give different access to different users.
It is also possible to set up default rights on newly created files, both locally on a per-user and a per-group basis. This is done with what is known as a umask. This is usually set to 002 and is in effect subtracted from the initial rights that a file has. It provides a way to control the rights on newly created files. You can set the umask quite easily by issuing the command umask 002. You would use this command to prevent files from being made executable by default, as an example. Each column maps to the User, Group and Other.
groups stuart
For a more involved example, let’s say we want to run a fictitious accounts department. We want our group of accountants to be able to edit and update the files, and the files to be owned by the group rather than individuals. The following steps describe how to do this:
1. Create a new group and give it a name. I am creating a shared folder in the root directory, imaginatively called “shared”, using the command mkdir /shared. (Note: I realise that in a production environment the server should not be on, and I recommend giving it its own partition.)
2. Next, add a new group. To add the group, use the command as shown below:
groupadd testers
A user can be a member of several groups. An example would be “id stuart”, as shown in the graphic below.
3. Next, it’s a good idea to remove the “Other” rights from /shared. As you know from previous installments in this article series, the command we need is chmod, so type:
chmod 770 /shared
Notice in the screenshot that we have an entry in the /etc/group file.
Adding users to group using the Linux CHMOD command. (Image: Stuart Burns)
4. Now we need to add users to the new group. Use the usermod command to do this. The -a is important. If you leave it out, then you’ll end up changing the user's primary group!
usermod -a -G testers stuart
5. You can add several users in one command, chaining one user after the next.
If we let a user create files, that would mean that the file owner would be the individual owner in both the UID and GID. Fixing that problem is quite straightforward. Again, we fall back to using the chmod command:
chmod g+s /shared
This is known as a Set Group ID (SGID). This lets us create files in the folder, and the file inherits the group rights. Lastly, the following command prevents deletion of files by anyone except the owner.
chmod o+t /shared
Output from the LS -L command. (Image: Stuart Burns)
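An added check for the shared folder built in the steps above (example code written for this page, not the author's own): it reads the permission field printed by ls -ld, as described at the top of the article, and reports a missing SGID bit, a missing sticky bit, or any rights left for "other". The function name audit_shared_dir is hypothetical.

```shell
#!/bin/sh
# Added example: audit a group-shared directory such as /shared.
# audit_shared_dir DIR prints one finding per line.
# Returns 0 if the directory is clean, 1 if there are findings, 2 on bad input.
audit_shared_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }

    # First field of `ls -ld`, e.g. drwxrws--T:
    # 1 type character, then the user, group and other triplets.
    mode=$(ls -ld -- "$dir" | awk '{print $1}')
    mode=$(printf '%s' "$mode" | cut -c1-10)   # drop a trailing ACL/SELinux marker (+ or .)

    grp_x=$(printf '%s' "$mode" | cut -c7)     # group execute slot: s or S means SGID
    other=$(printf '%s' "$mode" | cut -c8-10)  # the "other" triplet
    oth_x=$(printf '%s' "$mode" | cut -c10)    # other execute slot: t or T means sticky

    rc=0
    case $grp_x in
        s|S) ;;
        *) echo "SGID not set: new files get the creator's group, not the directory's"; rc=1 ;;
    esac
    case $oth_x in
        t|T) ;;
        *) echo "sticky bit not set: group members can delete each other's files"; rc=1 ;;
    esac
    case $other in
        ---|--T) ;;   # --T is the sticky bit with no execute right for other
        *) echo "other has rights on the directory: $other"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone use: sh audit.sh /shared
if [ "$#" -gt 0 ]; then
    audit_shared_dir "$1"
fi
```

After the commands in steps 3 to 5, ls -ld /shared shows drwxrws--T and the function prints nothing and returns 0.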
You may be wondering about the chmod commands that we used. Now that you understand how the rights work, there is a shortcut you can use. If you want to do simple modifications, for example adding the execute right to the group, you can use the command:
chmod g+x myfile
You can vary the use of it to use u for owner, g for group and o for other. Then you can add or remove the rights using a + or a – symbol. Lastly add the rights (r, w or x if you had forgotten) and the filename.
In summary, this is a basic introduction to managing files and users in Linux. There are additional things that you can do to make the control more fine grained, but they are beyond the scope of this basic file system intro. I would also suggest that you take your time and make sure you get the rights correct, as frequently virtual break-ins are related to lax file rights.