Tuesday, October 20, 2009

File Access Permissions on Linux

File protection with chmod
chmod 400 file To protect a file against accidental overwriting.
chmod 500 dir To protect yourself from accidentally removing, renaming or moving files from this directory.
chmod 600 file A private file only changeable by the user who entered this command.
chmod 644 file A publicly readable file that can only be changed by the issuing user.
chmod 660 file Users belonging to your group can change this file, others don't have any access to it at all.
chmod 700 file Protects a file against any access from other users, while the issuing user still has full access.
chmod 755 dir For files that should be readable and executable by others, but only changeable by the issuing user.
chmod 775 file Standard file sharing mode for a group.
chmod 777 file Everybody can do everything to this file.

Special modes sticky bit
• sticky bit
– chmod +t
• when set on
– file: if the sticky bit is set, the command is kept in memory after job execution
– directory: files in this directory can only be changed by a user who owns the file or has appropriate permissions (see /tmp)

Special modes set id
• set user id bit SUID
– chmod u+s
• set group id bit (SGID)
– chmod g+s
• when set on
– binary file: when run, it runs with the group and/or user of the file, not the group/user of the person running it.
– directory: (SGID only) every file created in the directory takes the same group as the directory, not the creator's group.
(note: existing and copied files keep their group id)

Special modes numeric (octal) representation
0 setuid, setgid, sticky bits are cleared
1 sticky bit is set
2 setgid bit is set
3 setgid and sticky bits are set
4 setuid bit is set
5 setuid and sticky bits are set
6 setuid and setgid bits are set
7 setuid, setgid, sticky bits are set

Special modes textual representation
• SUID: If set, then replaces "x" in the owner permissions to "s", if owner has execute permissions, or to "S" otherwise. Examples:
-rws------ both owner execute and SUID are set
-r-S------ SUID is set, but owner execute is not set
• SGID: If set, then replaces "x" in the group permissions to "s", if group has execute permissions, or to "S" otherwise. Examples:
-rwxrws--- both group execute and SGID are set
-rwxr-S--- SGID is set, but group execute not set
• Sticky bit: If set, then replaces "x" in the others permissions to "t", if others have execute permissions, or to "T" otherwise. Examples:
-rwxrwxrwt both others execute and sticky bit are set
-rwxrwxr-T sticky bit is set, but others execute is not set
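
The numeric and textual representations above can be tied together in a few lines of POSIX shell. This is an added example, not part of the original post: it decodes a four-digit octal mode into the ls-style string and lists the special bits worth a second look when reviewing permissions. The function names triplet, mode_string and mode_review are hypothetical, and the modes at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example: decode a 4-digit octal mode into the ls-style string.
# triplet, mode_string and mode_review are hypothetical helper names.

# triplet BITS SPECIAL LOWER UPPER -> one rwx group, e.g. "rws" or "r-S".
# SPECIAL is non-zero when the special bit for this group is set;
# LOWER/UPPER replace "x" depending on whether execute is also set.
triplet() {
    r=-; w=-; x=-
    if [ $(( $1 & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then x=x; fi
    if [ "$2" -ne 0 ]; then
        if [ "$x" = x ]; then x=$3; else x=$4; fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_string OCTAL [TYPE] -> e.g. "mode_string 1777 d" prints drwxrwxrwt.
mode_string() {
    case $1 in ''|*[!0-7]*) echo "not an octal mode: $1" >&2; return 2 ;; esac
    mode=$(( 0$1 ))                 # leading 0: read the digits as octal
    sp=$(( (mode >> 9) & 7 ))       # special digit: 4=setuid 2=setgid 1=sticky
    printf '%s' "${2:--}"           # file type character, "-" by default
    triplet $(( (mode >> 6) & 7 )) $(( sp & 4 )) s S
    triplet $(( (mode >> 3) & 7 )) $(( sp & 2 )) s S
    triplet $((  mode       & 7 )) $(( sp & 1 )) t T
    printf '\n'
}

# mode_review OCTAL [TYPE] -> one line per point worth a second look.
mode_review() {
    str=$(mode_string "$1" "${2:--}") || return 2
    case $str in ???[sS]*) echo "setuid: $str" ;; esac
    case $str in ??????[sS]*) echo "setgid: $str" ;; esac
    case $str in *[ST]*) echo "special bit without execute: $str" ;; esac
    case $str in d???????w[-x]) echo "world-writable dir, no sticky bit: $str" ;; esac
    return 0
}

# Constructed sample modes.
mode_review 4755
mode_review 2644
mode_review 1777 d
mode_review 0777 d
```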