Access

Links;

• Role-based access control
• Linux file and directory permissions
• Unix Access Control Lists (ACL)
• Slightly Skeptical View on Unix Access Control Lists (ACLs)

In Linux systems file access is controlled as follows.

Access is defined by three permissions;

• read permission (r)
• write permission (w)
• execute permission (x)

A set of permissions may be designated by a string such as r-- meaning read only or rw- meaning read and write or --x meaning execute only. These permissions can also be represented as octal and would be 4,6,1 consecutively. These are binary 100, 110 and 001.

Every file belongs to a user and a group and must have permissions set for;

• the user
• the group
• the others

In a Linux commands this is done with a string such as

• ---rwxr-xr-x or 755 in three-digit octal.
• ---rw-rw-r-- or 664 in three-digit octal.
• ---r-x------ or 500 in three-digit octal.

The first --- is for the "setuid bit","setgid bit" and the "sticky bit" ugo rather than rwx the --- can be ommitted. ugo is described below.

When a person tries to access a file

• if they are a user then the user access permissions will apply irrespective of the group or other permissions
• else if they are a member of the file's group then the group access permissions will apply irrespective of the other permissions.
• else the other access permissions will apply.

Thus one could create a group called "jerks" and use it to deny some people access to a file that was accessible to anybody who was not a member of the group. Of course this is of limited value because it would require the file to belong to the group jerks! Also on most systems a user can remove themselves from a group.

Directory Access

Directories are controlled in the same way but;

• read permission - means you can see a list of the files in the directory with the ls command.
• write permission - means you can create, delete and rename files in the directory
• execute permission allows the user to make the directory the current directory with a cd command.
• only execute permission allows a user to access the files in a directory as long as the user knows the names of the files in the directory, and the user is allowed to read the files.

Directories also have some other access controls the "setuid bit","setgid bit" and the "sticky bit" ugo;

• When the setuid bit is 1, then when an executable is run, it does not run with the privileges of the user who ran it, but with those of the file owner instead.
• A file which has the setgid bit 1, when executed, instead of running with the privileges of the group of the user who started it, runs with those of the group which owns the file: in other words, the group ID of the process will be the same as that of the file. A directory which has the setgid bit set, forces the group of the files created inside it, to be that of the directory rather than the user that created them.
• By setting the "sticky bit" to 1 only the user (or root user) of a file or directory can delete or rename it.

Access Commands

chmod

Add Execute by User permission;

chmod u+x file descriptor

Assign Read Write Execute permission to User, Read Execute permission to Group, Execute permission to Others;

chmod 751 file descriptor chmod u=rwx,g=rx,o=x file descriptor

Assign Read only permission to file for All that means User Group and Others;

chmod =r file descriptor chmod a-wx,a+r file descriptor chmod 444 file descriptor

chown

Change the owner of file or files to "root";

chown root file descriptor

Likewise, but also change its group to "staff";

chown root:staff file descriptor

Change the owner of file or files and subfiles to "root";

chown -hR root file descriptor

chgrp

Change the group of file or files to "staff";

chgrp staff file descriptor

Change the group of file or files and subfiles to "staff";

chgrp -hR staff file descriptor

© Tom de Havas 2011. The information under this section is my own work it may be reproduced without modification but must include this notice.