Paranoid Penguin - Linux Filesystem Security, Part I
Listing 4. Changing a File's Permissions with chmod
bash-$ ls -l baton_dealers.txt -rw-rw-r-- 1 maestro conductors 35414 Mar 25 01:38 baton_dealers.txt bash-$ chmod go-rw baton_dealers.txt bash-$ ls -l baton_dealers.txt -rw------- 1 maestro conductors 35414 Mar 25 01:38 baton_dealers.txt
In Listing 4's sample chmod command (chmod go-rw), go tells chmod to change the group permissions and other permissions; -rw says to remove read and write permissions for those two categories of permissions, group and other. Thus, a chmod command has three parts: a permission category, some combination of u, g and o or a for all; an operator, - to remove, + to add; and a list of permissions to add or remove, usually r, w or x.
We now know how to change basic permissions on regular files, but what about directories? Directory permissions work slightly differently from permissions on regular files. Read and write are similar; for directories these permissions translate to list the directory's contents and create or delete files within the directory, respectively.
Execute is a little less intuitive on directories, however. Here, execute translates to use anything within or change working directory to this directory. That is, if a user or group has execute permissions on a given directory, the user or group can list that directory's contents, read that directory's files (assuming those individual files' own permissions include this) and change the working directory to that directory with the command cd. If a user or group does not have execute permission on a given directory, the user or group is unable to list or read anything in it, regardless of the permissions set on the things inside. If you lack execute permission on a directory but do have read permission and you try to list its contents with ls, you receive an error message that, in fact, lists the directory's contents. But this doesn't work if you have neither read nor execute permissions on the directory.
Suppose our example system has a user named biff who belongs to the group drummers. Also suppose that his home directory contains a directory called extreme_casseroles that he wishes to share with his fellow percussionists. Listing 5 shows how biff might set that directory's permissions.
Listing 5. A Group-Readable Directory
bash-$ chmod g+rx extreme_casseroles bash-$ ls -l extreme_casseroles drwxr-x--- 8 biff drummers 288 Mar 25 01:38 extreme_casseroles
Per Listing 5, only biff has the ability to create, change or delete files inside extreme_casseroles. Other members of the group drummers can list its contents and cd to it. Everyone else on the system, however, is blocked from listing, reading, cd-ing or doing anything else with the directory.
Those are the most basic concepts and practical uses of Linux filesystem security. In Part II, we'll go further in depth and discuss (among other things) setuid, setgid and numeric permission modes. Until then, be safe!
Mick Bauer, CISSP, is Linux Journal's security editor and an IS security consultant in Minneapolis, Minnesota. He's the author of Building Secure Servers With Linux (O'Reilly & Associates, 2002).
- Readers' Choice Awards 2013
- Mars Needs Women
- Linux Kernel News - November 2013
- Sublime Text: One Editor to Rule Them All?
- RSS Feeds
- Raspberry Pi: the Perfect Home Server
- December 2013 Issue of Linux Journal: Readers' Choice
- Tech Tip: Really Simple HTTP Server with Python
- IBM Will Minimize Impact of Future Disasters
- Linux Systems Administrator
- The kernel doesn't really
38 min 48 sec ago
1 hour 9 min ago
1 hour 9 min ago
3 hours 14 min ago
- This should be very helpful
4 hours 28 min ago
- As much as I share your point
6 hours 48 min ago
- So girls had it better ?
10 hours 20 min ago
- Reply to comment | Linux Journal
10 hours 40 min ago
- why is GNOME 3 in the fifth position at 14.1 %?
16 hours 12 min ago
- Sublime Is Brilliant!
21 hours 15 min ago