File and directory permissions in the Linux world look very simple at first, but once the sticky bit and tools like chattr come into play, things get complicated. Every administrator should have these concepts clear; otherwise the system turns into Swiss cheese within two days. This guide goes from the basics to the most complex cases.
BASIC PERMISSIONS:
The permissions of a file are divided into three triplets: the first three correspond to the owner, the next three to the group the file belongs to, and the last three to everyone else (others).
An example in which the .profile file belongs to the root user and the root group: the owner has read and write permissions, the group has read permission, and others have read permission.
-rw-r--r-- 1 root root 140 nov 19 2007 .profile
To assign permissions to files, the easiest way is to learn the numeric correspondence:
R: 4 --> Read
W: 2 --> Write
X: 1 --> Execute
Therefore, if we want to assign RW permissions for the owner (4+2=6), WX for the group (2+1=3), and R for others (4), it is done as follows: chmod 634 FILE
To be able to cd into a directory, execute permission on the directory is needed: this is the "traverse" (pass-through) permission.
To reach a subdirectory that belongs to us but hangs from another directory, execute permission is needed on every intermediate directory in order to pass through it.
If read permission is granted without execute and an ls -la of the directory is done, the names are listed but nothing about them can be read:
ls: no se puede acceder a aaa/.: Permiso denegado
ls: no se puede acceder a aaa/..: Permiso denegado
ls: no se puede acceder a aaa/ff.sh: Permiso denegado
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
-????????? ? ? ? ? ? ff.sh
UMASK:
This refers to the default permissions that files and directories adopt when created. To work out a umask value you have to think in reverse: the umask lists the permission bits that are removed, not the ones that are granted. An example makes it clear: umask 007 is equivalent to chmod 770.
It is also important to note that directories start from 777 while files start from 666, that is, with the execute permission removed, and the umask bits are then taken away from that base. If I assign a umask of 522, they are created with the following permissions:
- Directories: 255
- Files: 244
Another aspect to consider is that the umask value is tied to the user. To define a global umask, edit the file /etc/profile; to do it for a single user, edit ~/.bashrc. The changes will not take effect until the user logs out and logs back in.
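The following is an added example, not code from the original article: it shows the umask arithmetic for the chmod 634 and umask 522 cases above, first computed as the kernel does (base mode AND NOT umask) and then observed on a real scratch directory. It goes one step beyond the text by showing that umask 033 and umask 022 give a file the same 644 mode, because umask clears bits rather than subtracting. It assumes GNU stat (stat -c %a) and mktemp.

```shell
#!/bin/sh
# Added example (not from the original article): what umask really does.
# umask is not subtracted from 777/666; each umask bit CLEARS that permission
# bit, so umask 033 and umask 022 both leave a new file with mode 644.

# Octal mode a new file or directory gets under a given umask, computed the
# way the kernel does it: base & ~umask.  Pure arithmetic, no filesystem.
expected_mode() {  # $1 = umask (octal digits), $2 = "file" | "dir"
  base=0777
  [ "$2" = "file" ] && base=0666              # files never get x by default
  printf '%03o\n' "$(( base & ~0$1 ))"
}

# The same thing observed on disk: create a directory and a file in a
# scratch directory under the requested umask and report their modes.
observed_modes() {  # $1 = umask; prints "<dir mode> <file mode>"
  scratch=$(mktemp -d) || return 1
  (
    umask "$1"                                # only affects this subshell
    mkdir "$scratch/d" && : > "$scratch/f"
  )
  printf '%s %s\n' "$(stat -c %a "$scratch/d")" "$(stat -c %a "$scratch/f")"
  rm -rf "$scratch"
}

expected_mode 522 dir     # 255, as in the article
expected_mode 522 file    # 244
observed_modes 522        # 255 244
```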
STICKY BIT:
We can tell whether the sticky bit is set by looking at the execute position of each triplet. For the owner and group it is shown as an s, and for others as a t. If the execute bit underneath is also set, the s or t appears in lowercase; otherwise it appears in uppercase.
- Example where the execution permission is NOT enabled and the Sticky bit is enabled: rwSr-Sr-T.
- Example where the execution permission is enabled and the Sticky bit is enabled: rwsr-sr-t.
This bit will behave differently depending on whether it is defined in a directory or a file.
File:
4000 --> If the file is executable, it runs with the owner's permissions
2000 --> If the file is executable, it runs with the group's permissions
1000 --> Used to make the OS keep the file in swap; nowadays it is ignored
Directory:
4000 --> Not used for anything
2000 --> Files or directories created inside will belong to the group that owns the directory.
1000 --> Files or directories inside can only be renamed or deleted by the item's owner, the directory's owner, or the root user, even if other users have write permission.
NOTE: The files can still be edited by anyone with the appropriate write permission on them; this bit only protects against deletion and renaming.
To remove the sticky bit it is not enough to run a numeric mode such as chmod 0799, for example; you have to clear it explicitly with:
- chmod -s
- chmod -t
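An added example, not code from the original article, for the section above: mode_string renders an octal mode the way ls does, including the s/S and t/T uppercase rule (the article's rwSr-Sr-T and rwsr-sr-t strings are modes 7644 and 7755), and two find wrappers audit a tree for the two cases a defender cares about: setuid/setgid files, and world-writable directories that lack the sticky bit. It assumes a find that accepts octal -perm arguments (GNU find does).

```shell
#!/bin/sh
# Added example (not from the original article).  Part 1 renders an octal
# mode like ls does, with the s/S and t/T rule; part 2 audits a tree for
# setuid/setgid files and world-writable directories without the sticky bit.

mode_string() {  # $1 = octal mode, e.g. 7644 -> rwSr-Sr-T, 4755 -> rwsr-xr-x
  m=$(( 0$1 )); out=""; i=0
  while [ $i -lt 3 ]; do                       # i=0 owner, 1 group, 2 others
    bits=$(( (m >> ((2 - i) * 3)) & 7 ))       # this triplet's rwx bits
    special=$(( (m >> (11 - i)) & 1 ))         # the 4000, 2000 or 1000 bit
    r=-; w=-; x=-
    [ $(( bits & 4 )) -ne 0 ] && r=r
    [ $(( bits & 2 )) -ne 0 ] && w=w
    [ $(( bits & 1 )) -ne 0 ] && x=x
    if [ "$special" -ne 0 ]; then
      letter=s; [ $i -eq 2 ] && letter=t
      # uppercase means the special bit is set but execute underneath is not
      [ "$x" != x ] && letter=$(printf '%s' "$letter" | tr a-z A-Z)
      x=$letter
    fi
    out="$out$r$w$x"; i=$(( i + 1 ))
  done
  printf '%s\n' "$out"
}

# Directories anyone may write to but without the sticky bit: any user can
# delete or rename other users' files in them (the 1000 case above).
find_unsafe_dirs() {  # $1 = tree to scan
  find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Files that run with the owner's or group's identity (the 4000/2000 cases).
find_setid_files() {  # $1 = tree to scan
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

mode_string 7644          # rwSr-Sr-T
mode_string 7755          # rwsr-sr-t
find_unsafe_dirs /tmp     # /tmp itself is normally 1777, so it is not listed
```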
CHATTR:
NOTE:
- The c, s, and u options are not natively implemented in ext2 and ext3
- The j option only works on ext3
- The D option requires a kernel >= 2.5.19
+A --> The file's access time is not updated, but its modification time is.
+a --> The file can only be appended to; only ROOT can set this attribute.
+c --> Compresses the file transparently
+D --> If applied to a directory, changes made in it are written to disk immediately.
+d --> The file will be ignored by the dump program (backups)
E --> Indicates a compression error on the file; it cannot be modified, only viewed with lsattr
e --> Indicates the file uses "extents" to record which disk blocks hold its data; do not modify it.
I --> Indicates the directory is indexed using a hashed tree; do not touch
h --> Indicates the file's size is reported in blocks rather than sectors; do not touch.
+i --> The file cannot be deleted, renamed, or linked to.
+j --> The file's data is written to the journal first if the partition is mounted with the "data=ordered" or "data=writeback" options.
+s --> When the file is deleted, its blocks are overwritten with zeros ;)
+S --> Data is written to disk immediately.
+T --> Disables the Orlov on-disk data distribution algorithm for this directory; the allocator will try to place the data as close together as possible.
+t --> Disables "tail-merging" (using spare space in other files' blocks to store this file's data) for the file; this option is needed by LILO (direct disk access).
+u --> Allows the file to be "undeleted"
X --> Indicates the contents of a compressed file can be accessed "raw"; cannot be changed
Z --> Indicates the contents of a compressed file are "dirty"; cannot be changed
We can see the attributes of a file with the lsattr command.
To check the effect of options like +A, we can use the stat tool.
stat FILE: Displays the file's mode, ownership and its access, modification and change times.
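An added example, not from the original article, for the chattr section: attributes such as +i, +a and +s are invisible to ls -l, so the only way to audit them is lsattr. The script parses lsattr's "flags path" lines (a constructed sample is embedded) and tags files that are immutable, append-only or secure-delete, with a helper that runs the real lsattr over a tree. The sample paths and the protect_log helper (chattr +a on a log, root only) are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): auditing chattr attributes.
# lsattr prints a flags field followed by the path; the letters are the
# same ones chattr uses (i immutable, a append-only, s secure delete ...).

# Constructed sample of lsattr output; the paths are made up for this demo.
SAMPLE_LSATTR='----i---------e------- /etc/ld.so.preload
-----a--------e------- /var/log/secure
--------------e------- /home/alice/notes.txt
s-------------e------- /home/alice/secrets.db'

# stdin: lsattr lines.  stdout: one "<tag> <path>" line per flagged file.
# A file with both i and a is reported as immutable (first match wins).
classify_lsattr() {
  while read -r flags path; do
    [ -n "$path" ] || continue
    case $flags in
      *i*) printf 'immutable %s\n' "$path" ;;
      *a*) printf 'append-only %s\n' "$path" ;;
      *s*) printf 'secure-delete %s\n' "$path" ;;
      *) ;;   # nothing special; 'e' (extents) is normal on ext4
    esac
  done
}

# Number of entries carrying a given tag in a classified listing.
count_tag() {  # $1 = tag; stdin: classify_lsattr output
  grep -c "^$1 " || true                     # grep exits 1 on zero matches
}

# Live audit of a real ext2/3/4 tree; lsattr needs no root for readable files.
scan_tree() {  # $1 = directory
  command -v lsattr >/dev/null 2>&1 || { echo "lsattr not installed" >&2; return 1; }
  lsattr -R "$1" 2>/dev/null | classify_lsattr
}

# Defensive use of +a (root only): writes still append, but nothing can
# truncate, rename or delete the log until root runs chattr -a.
protect_log() {  # $1 = log file
  chattr +a "$1" && lsattr "$1"
}

printf '%s\n' "$SAMPLE_LSATTR" | classify_lsattr
```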
I hope you find this article useful as in my opinion it is quite comprehensive ;)
UPDATE: There are also ACLs that can be very helpful.