Sunday, July 20, 2014

Unix / Linux - File Access Control

File access rights

  • UNIX is a multi-user system. Every file and directory in your account can be protected from or made accessible to other users by changing its access permissions. Every user is responsible for controlling access to their files, which means:
    - Preventing unauthorized
    - Preventing accidental damage
  • Access control is based on the relationship between processes and files:
    - every process is owned by someone and belongs to some group
    - every file is owned by someone and belongs to some group

Applying Access rights

  • When you log in, your shell is owned by you and is stamped with your UID and GID (User ID and Group ID)
  • Almost every command you run and every file you create is stamped with your UID and GID
  • The standard Unix model for access control is based on the relationship between processes and files


  • Permissions for a file may be any or all of:
         r   -   read
         w   -   write
         x   -   execute = running a program
         s   -   setID = change the UID or GID of the process
  • Permissions for a directory may be any or all of:
         r   -   read
         w   -   write
         x   -   search directory(cd)
         s   -   sticky - finer control over write access to directories
  • Each permission (rwx) can be controlled at three levels:
         u   -    user = yourself
         g   -    group = can be people in the same project
         o   -    other = everyone on the system
  • File access permissions are displayed using the ls -l command. The output from the ls -l command shows all permissions for all levels as three groups of three according to the scheme:
         type user group others
          d   rwx   rwx    rwx
          -   rwx   rwx    rwx
    Example output from the ls -l command:
         -rw-------  2 smith  staff 3287 Apr  8 12:10 file1
            - User has read and write permission. Group and
              others have no permissions.
  • Note: a directory must have both r and x permissions if the files it contains are to be accessed. 

Setting Permissions

  • The chmod command is used to change access permissions for files which you own. 
  • Only the owner or the superuser may change permissions
  • The syntax is:
         chmod  [-R]  [permission-mode]   filename
  • The -R option enables recursion through a directory structure.
  • Also:
          who            action          permissions
         u = user        + = add         r = read
         g = group       - = remove      w = write
         o = other                       x = execute
         a = all

    Now let's see some examples.
     chmod   a+r   sample.f
- Adds read permission for all users to the file sample.f. a stands for all, + stands for add and r for read.

     chmod   o-r   sample.f
- Removes read permission for others to the file sample.f.

     chmod   og+rx   prog*
- Adds read and execute permissions for group and others to all files which contain "prog" as the first four characters of their name.

     chmod   +w   *
- Adds write permission for user to all files in current directory.  

Numeric notation

File access permissions can also be changed by a numerical (octal) chmod specification. Read permission is given the value 4, write permission the value 2 and execute permission 1.
     r  w  x
     4  2  1
These values are added together for any one user category:
     0   =   no permissions
     1   =   execute only
     2   =   write only
     3   =   write and execute (1+2)
     4   =   read only
     5   =   read and execute (4+1)
     6   =   read and write (4+2)
     7   =   read and write and execute (4+2+1)
So access permissions can be expressed as three digits. For example:
                           user    group   others
     chmod 640 file1       rw-     r--     ---
     chmod 754 file1       rwx     r-x     r--
     chmod 664 file1       rw-     rw-     r--
So chmod 640 means 6 for user, 4 for group and 0 for others.
Read-only file:
     chmod 400 file.txt
- Changes file.txt to read-only.

Never set write permission for all other users on a file or directory which is in your home directory. If you do, other users will be able to change its content. This can represent a serious security risk.
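One way to check a directory tree for the "write for others" permission warned about above and to remove it. This is an added example, not part of the original post; the function names list_world_writable and strip_world_write and the sample tree are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for "write for others" and remove it.

# list_world_writable DIR -> one "<type+perms> <path>" line per entry whose
# "others" class has w set. Symbolic links are skipped because their own
# mode bits are not used for access checks.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort |
    while IFS= read -r path; do
        printf '%s %s\n' "$(ls -ld "$path" | cut -c1-10)" "$path"
    done
}

# strip_world_write DIR -> clear only the o+w bit; all other bits are kept.
strip_world_write() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# Constructed sample tree (stands in for a home directory).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared"
    : > "$d/notes.txt"; : > "$d/shared/draft.txt"; : > "$d/private.txt"
    chmod 777 "$d/shared";           chmod 666 "$d/notes.txt"
    chmod 664 "$d/shared/draft.txt"; chmod 600 "$d/private.txt"
    echo "world-writable before:"; list_world_writable "$d"
    strip_world_write "$d"
    echo "world-writable after: $(list_world_writable "$d" | wc -l)"
    rm -rf "$d"
}
demo
```

Run list_world_writable "$HOME" first and review the output before calling strip_world_write on a real directory.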

Default Permissions using umask

The umask command is used to set your default file permissions.
Typically, the umask command is included as part of your .profile, .cshrc or .login file.
It applies by default to files and directories created by a process.
It is not applied when files/directories are copied.
The umask command accepts only octal specifications. Note that these are different than those used by the chmod command, and in fact, represent which permissions to "mask out", or remove.
     Octal number             Access permissions given
         0                    rwx     read, write and execute
         1                    rw-     read and write
         2                    r-x     read and execute
         3                    r--     read only
         4                    -wx     write and execute
         5                    -w-     write only
         6                    --x     execute only
         7                    ---     no permissions
Example umask commands:
     umask 077
- Subtracts 077 from the system defaults for files (666) and directories (777). Results in default access permissions for your files of 600 (rw-------) and for directories of 700 (rwx------).

     umask 002
- Subtracts 002 from the system defaults to give a default access permission for your files of 664 (rw-rw-r--) and for your directories of 775 (rwxrwxr-x).

     umask 022
- Subtracts 022 from the system defaults to give a default access permission for your files of 644 (rw-r--r--) and for your directories of 755 (rwxr-xr-x).
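The three umask values above, checked against files and directories that are actually created. This is an added example, not part of the original post, and the function names are made up for illustration. It goes one step beyond the page by also trying 033: the mask clears bits rather than doing arithmetic subtraction, which matches subtraction for 077, 002 and 022 but gives 644 (not 633) for files under 033.

```shell
#!/bin/sh
# Added example: compare predicted and observed default modes for a umask.

# perms PATH -> the nine permission characters from ls -l, e.g. "rw-r--r--"
perms() {
    ls -ld "$1" | cut -c2-10
}

# predicted MASK BASE -> octal mode left after clearing MASK's bits from BASE
# (BASE is 666 for new files, 777 for new directories)
predicted() {
    printf '%03o\n' $(( 0$2 & ~0$1 ))
}

# observed MASK -> "file=<perms> dir=<perms>" for objects created under MASK
observed() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"              # subshell: the caller's umask is untouched
        : > "$tmp/newfile"      # the shell requests mode 666 for new files
        mkdir "$tmp/newdir"     # mkdir requests mode 777
    )
    echo "file=$(perms "$tmp/newfile") dir=$(perms "$tmp/newdir")"
    rm -rf "$tmp"
}

for mask in 077 002 022 033; do
    echo "umask $mask: files $(predicted $mask 666)," \
         "dirs $(predicted $mask 777), $(observed $mask)"
done
```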



