{"id":2798,"date":"2022-02-19T22:16:34","date_gmt":"2022-02-19T22:16:34","guid":{"rendered":"https:\/\/dft.wiki\/?p=2798"},"modified":"2022-05-19T03:58:39","modified_gmt":"2022-05-19T03:58:39","slug":"file-permissions-and-proprieties-in-linux","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=2798","title":{"rendered":"File Permissions and Properties in Linux"},"content":{"rendered":"<p>File (and directory) <strong>permissions<\/strong> in Linux and Unix-based systems define what the owner, the group and everyone else can or cannot do with the object.<\/p>\n<p>Run the following command in any directory that contains files and\/or directories (the command <code>stat<\/code> gives even more detail about a single object):<\/p>\n<pre>ls -l<\/pre>\n<p>It prints output that resembles the following:<\/p>\n<pre><strong>-rw-r--r--<\/strong> 1 owner owner  310  Oct 31 16:32 fileName\r\n<strong>drwxr-xr-x<\/strong> 2 owner group 4096  Apr 26 2021  directoryName<\/pre>\n<p>Each line starts with a series of 10 characters.<\/p>\n<p><strong>Except for the first character<\/strong>, each position is one of:<\/p>\n<ul>\n<li><strong>r<\/strong>\n<ul>\n<li>Read access (for a directory: list its entries)<\/li>\n<\/ul>\n<\/li>\n<li><strong>w<\/strong>\n<ul>\n<li>Write access (for a directory: create, delete and rename entries)<\/li>\n<\/ul>\n<\/li>\n<li><strong>x<\/strong>\n<ul>\n<li>Execute access (for a directory: enter it and reach entries by name)<\/li>\n<\/ul>\n<\/li>\n<li><strong>-<\/strong>\n<ul>\n<li>No access<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Positions 2 to 10 form three triplets:<\/p>\n<ul>\n<li>-uuu------\n<ul>\n<li>Permissions of the user that owns the file<\/li>\n<\/ul>\n<\/li>\n<li>----ggg---\n<ul>\n<li>Permissions of the group that owns the file<\/li>\n<\/ul>\n<\/li>\n<li>-------ooo\n<ul>\n<li>Permissions of every other user<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The kernel applies exactly one triplet to a given process: the owner&#8217;s if the process runs as the file&#8217;s owner, otherwise the group&#8217;s if it belongs to the file&#8217;s group, otherwise the one for others. The triplets are not combined, so a mode such as <code>----rwxrwx<\/code> locks the owner out while everyone else has full access.<\/p>\n<p>Example:<\/p>\n<ul>\n<li>-rwx--xr--\n<ul>\n<li>The owner can read, write and execute<\/li>\n<li>The group can only execute<\/li>\n<li>Others can only read<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Only the <strong>first 
character<\/strong> can be:<\/p>\n<ul>\n<li><strong>-<\/strong>\n<ul>\n<li>Regular file.<\/li>\n<\/ul>\n<\/li>\n<li><strong>b<\/strong>\n<ul>\n<li>Block special file (a block device such as a disk).<\/li>\n<\/ul>\n<\/li>\n<li><strong>c<\/strong>\n<ul>\n<li>Character special file (a character device such as a terminal).<\/li>\n<\/ul>\n<\/li>\n<li><strong>d<\/strong>\n<ul>\n<li>Directory.<\/li>\n<\/ul>\n<\/li>\n<li><strong>l<\/strong>\n<ul>\n<li>Symbolic link.<\/li>\n<\/ul>\n<\/li>\n<li><strong>p<\/strong>\n<ul>\n<li>FIFO (named pipe).<\/li>\n<\/ul>\n<\/li>\n<li><strong>s<\/strong>\n<ul>\n<li>Socket.<\/li>\n<\/ul>\n<\/li>\n<li><strong>w<\/strong>\n<ul>\n<li>Whiteout (BSD systems only).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The type is fixed when the object is created and cannot be changed with <code>chmod<\/code>. In everyday work the two to recognise are directories (<strong>d<\/strong>) and symbolic links (<strong>l<\/strong>); all the others are special files. Note that on Linux the permissions shown on a symbolic link are never consulted: access is governed by the permissions of the target.<\/p>\n<hr \/>\n<p>Another notation for file permissions uses three octal digits, one per class (owner, group, others), where:<\/p>\n<ul>\n<li>4 = Read<\/li>\n<li>2 = Write<\/li>\n<li>1 = Execute<\/li>\n<\/ul>\n<p>They are added together to combine permissions:<\/p>\n<ul>\n<li>0 = No access<\/li>\n<li>3 = Write + Execute<\/li>\n<li>5 = Read + Execute<\/li>\n<li>6 = Read + Write<\/li>\n<li>7 = Read + Write + Execute<\/li>\n<\/ul>\n<p>Example:<\/p>\n<ul>\n<li>750 (the same as <code>rwxr-x---<\/code>)\n<ul>\n<li>The owner can read, write and execute.<\/li>\n<li>The group can read and execute.<\/li>\n<li>Others have no access at all.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p>System administrators use the command <code>chmod<\/code> to change the permissions of files and directories, either with an octal mode (<code>chmod 750 fileName<\/code>) or with symbolic changes:<\/p>\n<ul>\n<li>chmod +x fileName\n<ul>\n<li>Allow owner, group and others to execute (when no class is given, bits that are set in the umask are left unchanged).<\/li>\n<\/ul>\n<\/li>\n<li>chmod -w fileName\n<ul>\n<li>Remove write access from owner, group and others.<\/li>\n<\/ul>\n<\/li>\n<li>chmod g=r fileName\n<ul>\n<li>Give the group read access only, removing any other access it already had.<\/li>\n<\/ul>\n<\/li>\n<li>chmod -R o+x fileName\n<ul>\n<li>Add execute access for others, keeping every other bit already set, and apply this to the named directory and everything inside it 
recursively. Prefer a capital <strong>X<\/strong> (<code>chmod -R o+X directoryName<\/code>) when the goal is to let others traverse a tree: it adds execute only to directories and to files that are already executable, whereas <code>+x<\/code> would mark every regular file in the tree executable.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Hint: use <code>-v<\/code> for verbose output that reports every change made.<\/p>\n<hr \/>\n<p>Attributes define what can be done with the file, not by whom; unlike permissions, some of them bind even root.<\/p>\n<p>List the attributes of the files and directories in the current directory:<\/p>\n<pre>lsattr<\/pre>\n<p>Each line starts with a field of dashes such as <code>----------------------<\/code>, one position per attribute (the width depends on the e2fsprogs version); a letter in a position means that attribute is set.<\/p>\n<p>The seven most important attributes are:<\/p>\n<ul>\n<li><strong>A<\/strong>\n<ul>\n<li>Do not update the access timestamp (<code>atime<\/code>).<\/li>\n<\/ul>\n<\/li>\n<li><strong>S<\/strong>\n<ul>\n<li>Changes are written synchronously to disk.<\/li>\n<\/ul>\n<\/li>\n<li><strong>a<\/strong>\n<ul>\n<li>The file can only be opened in append mode: existing content cannot be modified or truncated. Useful for log files.<\/li>\n<\/ul>\n<\/li>\n<li><strong>i<\/strong>\n<ul>\n<li>The file is immutable: it cannot be modified, deleted, renamed or hard-linked, even by root, until the attribute is cleared.<\/li>\n<\/ul>\n<\/li>\n<li><strong>j<\/strong>\n<ul>\n<li>File data is written to the ext3\/ext4 journal before it is written to the file itself.<\/li>\n<\/ul>\n<\/li>\n<li><strong>t<\/strong>\n<ul>\n<li>Do not allow tail-merging (on filesystems that support it).<\/li>\n<\/ul>\n<\/li>\n<li><strong>u<\/strong>\n<ul>\n<li>When the file is deleted its contents are kept, allowing undeletion (not honoured by mainline ext2\/3\/4).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Use the <code>chattr<\/code> command to change attributes. Setting or clearing <strong>a<\/strong> and <strong>i<\/strong> requires the <code>CAP_LINUX_IMMUTABLE<\/code> capability, which is why the examples use <code>sudo<\/code>:<\/p>\n<ul>\n<li>sudo chattr +a fileName\n<ul>\n<li>Set the attribute that only allows appending content.<\/li>\n<\/ul>\n<\/li>\n<li>sudo chattr -R -i fileName\n<ul>\n<li>Clear the immutable attribute, if set, <strong>recursively<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<li>sudo chattr =ua fileName\n<ul>\n<li>Activate <strong>only<\/strong> the listed attributes. 
All the others will be deactivated.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>SUID (Set-user ID) &amp; SGID (Set-group ID)<\/strong><\/p>\n<p>When SUID is set on an executable file, the program runs with the effective user ID of the file&#8217;s owner rather than that of the user who started it; SGID does the same for the effective group ID and the file&#8217;s group. In other words, if a regular user is allowed to execute a binary owned by root with SUID set, it runs with root privileges. Two caveats: Linux ignores SUID and SGID on interpreted scripts (files started through a <code>#!<\/code> line), so the bit only matters on native executables, and SGID on a <strong>directory<\/strong> means something else entirely: new files created inside it inherit the directory&#8217;s group, which is the normal setup for shared project directories.<\/p>\n<p>In octal notation the special bits are a fourth digit in front of the usual three:<\/p>\n<ul>\n<li>2000\n<ul>\n<li>SGID is set.<\/li>\n<\/ul>\n<\/li>\n<li>4000\n<ul>\n<li>SUID is set.<\/li>\n<\/ul>\n<\/li>\n<li>6000\n<ul>\n<li>SGID + SUID are set (for example <code>6755<\/code>).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>In <code>ls -l<\/code> output an <strong>s<\/strong> replaces the <strong>x<\/strong> of the owner or group triplet:<\/p>\n<ul>\n<li>---<strong>s<\/strong>------\n<ul>\n<li>SUID is set.<\/li>\n<\/ul>\n<\/li>\n<li>------<strong>s<\/strong>---\n<ul>\n<li>SGID is set.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>A capital <strong>S<\/strong> means the bit is set but the corresponding execute bit is not, so it has no effect (for example <code>-rwSr--r--<\/code> for mode 4644).<\/p>\n<p>Command to set SUID:<\/p>\n<pre>chmod u+s fileName<\/pre>\n<p>Command to unset SGID:<\/p>\n<pre>chmod g-s fileName<\/pre>\n<hr \/>\n<p><strong>STICKY BIT<\/strong><\/p>\n<p>It is used on shared, world-writable directories such as <code>\/tmp<\/code> (mode 1777): everyone can create files there, but a file can only be deleted or renamed by its owner, the directory&#8217;s owner, or root, even though the directory itself is writable by all. On Linux the sticky bit has no effect on regular files.<\/p>\n<ul>\n<li>1000\n<ul>\n<li>Sticky bit set.<\/li>\n<\/ul>\n<\/li>\n<li>---------<strong>t<\/strong>\n<ul>\n<li>The <strong>x<\/strong> of the others triplet is replaced by a <strong>t<\/strong> when the bit is set (a capital <strong>T<\/strong> if others lack execute).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Command to set the sticky bit on a directory:<\/p>\n<pre>chmod +t directoryName<\/pre>\n<hr \/>\n<p><strong>BONUS<\/strong><\/p>\n<p>For security reasons it is highly recommended to inventory every SUID and SGID file on the system and remove the bit from any that do not need it. 
A setuid-root program is an obvious target: any flaw in it, or a writable copy of it, is a local privilege escalation. Do not strip the bits blindly, though: system binaries such as <code>passwd<\/code>, <code>su<\/code>, <code>sudo<\/code> and <code>mount<\/code> need SUID to work at all, so compare the list against a known-good baseline first.<\/p>\n<p>Searching (run as root for full coverage; <code>-xdev<\/code> keeps the search on one filesystem and <code>-type f<\/code> skips directories, where SGID is harmless):<\/p>\n<pre>find \/ -xdev -type f -perm \/2000\r\nfind \/ -xdev -type f -perm \/4000\r\nfind \/ -xdev -type f -user root -perm \/6000<\/pre>\n<p>OR, with symbolic modes:<\/p>\n<pre>find \/ -xdev -type f -perm \/g+s\r\nfind \/ -xdev -type f -perm \/u+s\r\nfind \/ -xdev -type f -user root -perm \/u+s,g+s<\/pre>\n<p>To search and unset on the fly, once the list has been reviewed (the old <code>-perm +2000<\/code> form is no longer accepted by current GNU find, and <code>-exec<\/code> avoids the word-splitting problems of a <code>for<\/code> loop over a command substitution):<\/p>\n<pre>find \/ -xdev -type f -perm \/2000 -exec chmod g-s {} +<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>File (and directory) permissions in Linux and Unix-based systems define what the owner, the group [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,6],"tags":[],"class_list":["post-2798","post","type-post","status-publish","format-standard","hentry","category-linux","category-raspberry-pi"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2798","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2798"}],"version-history":[{"count":5,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2798\/revisions"}],"predecessor-version":[{"id":2885,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2798\/revisions\/2885"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2798"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2798"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2798"}],"curies":[{"name":"wp","href":"https:\/\/api.w
.org\/{rel}","templated":true}]}}
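The two notations described in the post above (the rwx triplets of `ls -l` and the octal digits, together with the s/S and t/T forms the SUID, SGID and sticky bits take) can be checked against the kernel by applying a mode to a scratch object and reading it back. This is an added example, not code from the original post; it assumes Linux with GNU coreutils (`stat -c`), and the scratch file and directory names it creates are its own.

```shell
#!/bin/sh
# Added example (not from the post): apply a mode to a scratch object and
# read it back, so the symbolic (ls -l) and octal notations, including the
# SUID/SGID/sticky bits, can be compared side by side.
# Assumes Linux with GNU coreutils (stat -c).  The scratch paths are
# constructed here and removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# show_mode OCTAL KIND
#   KIND is f (regular file) or d (directory).  Creates the scratch object
#   if needed, applies OCTAL with chmod and prints the 10-character mode
#   string exactly as ls -l would show it.
show_mode() {
    octal=$1
    kind=$2
    target="$WORK/${kind}_${octal}"
    if [ "$kind" = d ]; then
        mkdir -p "$target"
    else
        : > "$target"
    fi
    chmod "$octal" "$target"
    stat -c '%A' "$target"
}

# octal_of PATH
#   The numeric mode as stat reports it; the special bits appear as a
#   leading fourth digit (4 = SUID, 2 = SGID, 1 = sticky).
octal_of() {
    stat -c '%a' "$1"
}

# Representative modes: the post's 750 plus the special-bit cases a reader
# should recognise on sight.
#   4755 -> -rwsr-xr-x  SUID with owner-execute: lowercase s
#   4644 -> -rwSr--r--  SUID without owner-execute: capital S, bit is inert
#   2775 -> drwxrwsr-x  SGID directory: new files inherit the group
#   1777 -> drwxrwxrwt  sticky on a world-writable directory (like /tmp)
#   1776 -> drwxrwxrwT  sticky without others-execute: capital T
for spec in "750 f" "4755 f" "4644 f" "2775 d" "1777 d" "1776 d"; do
    set -- $spec
    printf '%s  %-5s %s\n' "$(show_mode "$1" "$2")" "$1" "$2"
done
```

Setting SUID or SGID on a file you own needs no privilege, so the script runs as an ordinary user; the kernel only refuses SGID when the caller is not a member of the file's group, which is why the scratch objects are created fresh rather than borrowed from the system.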
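For the BONUS section above, an added example (not from the original post) of the safer form of the SUID/SGID sweep: list the special files, compare them against an approved baseline, and strip the bits only from what is left. It assumes GNU find (`-printf`) and a POSIX shell; the directory tree, the planted files and the baseline file are constructed here for illustration and stand in for a real root filesystem and a real baseline.

```shell
#!/bin/sh
# Added example (not from the post): inventory setuid/setgid files under a
# root directory and flag only those missing from an approved baseline,
# instead of stripping the bits from everything find returns.
# Assumes Linux with GNU find (-printf).  The tree, the planted files and
# the baseline below are constructed sample data.
set -eu

# list_special ROOT
#   Regular files under ROOT with SUID and/or SGID set, as paths relative
#   to ROOT, one per line, sorted.  -xdev stays on one filesystem; -type f
#   excludes directories, where SGID only controls group inheritance.
list_special() {
    find "$1" -xdev -type f -perm /6000 -printf '%P\n' | LC_ALL=C sort
}

# unexpected_special ROOT BASELINE
#   Entries from list_special that do not appear in BASELINE, a file with
#   one approved relative path per line (e.g. usr/bin/passwd).
unexpected_special() {
    list_special "$1" | grep -vxF -f "$2" || true
}

# strip_unexpected ROOT BASELINE
#   Remove SUID and SGID from every unexpected file.  Run only after the
#   output of unexpected_special has been reviewed by a human.
strip_unexpected() {
    unexpected_special "$1" "$2" | while IFS= read -r rel; do
        chmod u-s,g-s "$1/$rel"
    done
}

# Constructed sample tree standing in for a real root filesystem.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mkdir -p "$WORK/usr/bin" "$WORK/tmp" "$WORK/srv/shared"
: > "$WORK/usr/bin/passwd"; chmod 4755 "$WORK/usr/bin/passwd"   # legitimate SUID
: > "$WORK/usr/bin/wall";   chmod 2755 "$WORK/usr/bin/wall"     # legitimate SGID
: > "$WORK/usr/bin/vi";     chmod 755  "$WORK/usr/bin/vi"       # ordinary binary
: > "$WORK/tmp/.cache";     chmod 4755 "$WORK/tmp/.cache"       # planted SUID file
chmod 2775 "$WORK/srv/shared"                                   # SGID dir: not a finding
printf '%s\n' usr/bin/passwd usr/bin/wall > "$WORK/baseline.txt"

echo "SUID/SGID files under $WORK:"
list_special "$WORK"
echo "Not on baseline (review, then run strip_unexpected):"
unexpected_special "$WORK" "$WORK/baseline.txt"
```

Against a real system, call `list_special /` as root and build the baseline from a freshly installed machine of the same distribution and package set; the `find` in `list_special` also skips directories on purpose, because SGID on a shared directory is configuration, not a finding.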