Administration Guide Draft/Permissions

Introduction
Managing user permissions is an important administrative task. Several command line tools are available for this. Permissions can be altered in either of two modes: symbolic and numeric. The symbolic method uses symbols to represent owners, groups, and permissions; the numeric method uses an octal numbering scheme.

Each file and directory has permissions for the owner (UID), group (GID), and everyone else (WORLD). The permissions for each of these consist of three (binary) bits, ten bits in total (the 10th bit is the setuid or sticky bit, described later). The first three bits alter permissions for the owner, the next three alter permissions for the group, and the last three alter permissions for everyone else.

Use the ls -l command to view file and directory permissions:

ls -l file1
-rw-rw-r-- 1 user1 group1 0 Oct 22 17:51 file1

The above example shows the following permissions for the file1 file:
 * user1: read and write
 * group1: read and write
 * everyone else: read

The three main symbols used to represent permissions are r, w, and x. These represent read, write, and execute permissions respectively. File permissions are as follows:
 * read: the file can be opened and viewed
 * write: edit, save, and delete files
 * execute: allows you to execute the file (a file is not executable unless you also have read permission on it)

Permissions for directories are as follows:
 * read: list the contents using the ls command
 * write: edit, save, and delete files within said directory
 * execute: allows you to change into said directory using the cd command. Execute permission is also required to perform a long listing with the ls -l command. Without execute permission, the ls -l command returns output similar to the following:

ls -l test1/
ls: cannot access test1/file1: Permission denied
ls: cannot access test1/file2: Permission denied
total 0
-????????? ? ? ? ?               ? file1
-????????? ? ? ? ?               ? file2

The Concept Of umask
The User File Creation Mask, or umask, value is a shell built-in that defines the default mode for newly created files and directories. The umask value is the amount subtracted from the full file permissions to give the effective permissions of new files. On Linux systems, full file permissions are:


 * 777 - for directories
 * 666 - for files

The default umask values on Fedora are set system-wide. The default umask for user root is 0022; for regular users (users whose UID is identical to their primary group's GID) it is 0002. For practical purposes the first 0 is ignored: it denotes that the value is an octal number. To calculate the default creation mode (effective permissions) of files and directories created by the root user, subtract 022 from the full access mode of 777 for directories or 666 for files. This means that:


 * new files created by root have permissions set to 644 (666 - 022), or rw-r--r-- in symbolic notation
 * new directories created by root have permissions set to 755 (777 - 022), or rwxr-xr-x in symbolic notation

Using the same technique, default permissions for files and directories created by normal users are:


 * 664 (666 - 002) or rw-rw-r-- for files
 * 775 (777 - 002) or rwxrwxr-x for directories

A user can change this behavior by running the umask command with the desired mode as an argument:

umask 0022

This causes all new files created by the user to have permissions set to 644 and all new directories to have permissions set to 755. The change is in effect until the shell environment is re-initialized. To make the change permanent, add the umask command to the user's shell startup file. For example, a user may wish to have all new files and directories accessible only by themselves. In other words, the effective permissions on new files should be 600 or rw-------, and on new directories 700 or rwx------. To achieve this, add the line:

umask 0077

to the end of the user's shell startup file, located under the user's home directory.
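An added example, not part of the original guide, that creates a file and a directory under each umask discussed above and reads back the resulting modes, and that compares the guide's subtraction shorthand with the kernel's actual bit-clearing rule. It assumes Linux with GNU or BusyBox coreutils (stat -c) and a writable temporary directory; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: create a file and a directory
# under a chosen umask in a scratch directory and read back their octal modes.
# Assumes Linux with GNU or BusyBox coreutils (stat -c).

# Octal permission bits of a path, e.g. 644 (stat's %a omits the special
# bits when they are zero).
mode_of() {
    stat -c '%a' "$1"
}

# Create one file and one directory under the umask given as $1 and print
# "FILE DIR". The umask is set in a subshell so the caller's shell is unchanged.
modes_under_umask() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$scratch/newfile"
        mkdir "$scratch/newdir"
    )
    printf '%s %s\n' "$(mode_of "$scratch/newfile")" "$(mode_of "$scratch/newdir")"
    rm -rf "$scratch"
}

# The subtraction shorthand (666 - 022 = 644) matches the kernel's real rule,
# which clears the mask bits: 0666 & ~0022. The two differ when a mask digit
# is larger than the full-mode digit: umask 033 on a file gives 644 (bits
# cleared), not 633. $1 = full mode (666 or 777), $2 = umask, both octal.
mask_result() {
    printf '%o\n' "$(( 0$1 & ~0$2 ))"
}

modes_under_umask 022   # 644 755  (root's default)
modes_under_umask 002   # 664 775  (regular user's default)
modes_under_umask 077   # 600 700  (owner-only)
mask_result 666 033     # 644
```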

Symbolic Method
The following table describes the symbols used to change permissions using the symbolic method. Familiarize yourself with this table before proceeding to the next section:

To add a permission for a user, group, or everyone else, use the + symbol. The following example adds execute permission for the owner of file1:

chmod u+x file1

To add execute permissions to the owner, and the group, use the following command:

chmod u+x,g+x file1

Note that there is no space after the comma. Permissions do not have to be specified separately: the following has the same result as running the chmod u+x,g+x file1 command:

chmod ug+x file1

You must list all required permissions when you assign permissions using the = symbol. For example, if the owner of the file1 file has read, write, and execute permissions, the following command removes all but the owner's read permission:

chmod u=r file1

Note that if the group and everyone else had permissions, the previous command would not remove them. When using the = symbol, you need only list all the permissions for whichever of the owner, group, or everyone else you specify.

Use the - symbol to remove permissions. For example, if the owner of the file1 file had execute permission, the following command would remove it:

chmod u-x file1

Numeric Method
The following table describes the numbering scheme used when changing permissions using the numeric method:

Use the chmod command to change permissions regardless of whether you are using the symbolic or numeric method.

To set permissions using the numeric method, run the chmod command with a three-digit mode, where each digit is a value between 0 and 7. The table above describes the permissions each value (0-7) applies. The first digit is the permission for the owner, the second is for the group, and the third is for everyone else.

Use the following command to assign the owner read, write, and execute permissions, and remove all permissions for the group and everyone else:

chmod 700 file1

View the permissions using the ls -l command:

ls -l
-rwx------ 1 user1 user1 0 Oct 27 16:02 file1

Use the following command to add read and write permissions on the file1 file for the owner, group, and everyone else:

chmod 666 file1

To change permissions on a folder, and on all files and sub-directories within that folder, use the -R option:

chmod -R 700 folder1

This applies mode 700 permissions to the folder1 folder, and recursively changes the permissions of all files and sub-directories within it.
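An added example, not part of the original guide, that applies the symbolic and numeric chmod forms from the two sections above to a scratch file and reads back each resulting mode, so the effect of +, =, - and -R can be checked rather than inferred. It assumes Linux with GNU or BusyBox coreutils (stat -c); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the chmod forms shown in
# the symbolic and numeric sections to a scratch file and print the resulting
# octal mode. Assumes Linux with GNU or BusyBox coreutils (stat -c).

# Print the octal mode of a path (e.g. 644).
mode_of() { stat -c '%a' "$1"; }

# Create a scratch file at starting mode $1, apply chmod argument $2 and
# print the resulting octal mode.
chmod_result() {
    scratch=$(mktemp -d) || return 1
    : > "$scratch/file1"
    chmod "$1" "$scratch/file1"
    chmod "$2" "$scratch/file1"
    mode_of "$scratch/file1"
    rm -rf "$scratch"
}

# Recursive change: build folder1/sub/file1, run chmod -R with mode $1 on
# folder1 and print "DIR SUBDIR FILE".
recursive_result() {
    scratch=$(mktemp -d) || return 1
    mkdir -p "$scratch/folder1/sub"
    : > "$scratch/folder1/sub/file1"
    chmod -R "$1" "$scratch/folder1"
    printf '%s %s %s\n' "$(mode_of "$scratch/folder1")" \
        "$(mode_of "$scratch/folder1/sub")" "$(mode_of "$scratch/folder1/sub/file1")"
    rm -rf "$scratch"
}

chmod_result 644 u+x      # 744: execute added for the owner only
chmod_result 644 ug+x     # 754: same result as u+x,g+x
chmod_result 775 u=r      # 475: '=' resets only the owner's bits; g and o untouched
chmod_result 755 u-x      # 655: execute removed from the owner
chmod_result 644 666      # 666: a numeric mode replaces all nine bits at once
recursive_result 700      # 700 700 700
```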

Permissions on Directories
Execute permission on a directory does not allow files within that directory to be executed. Rather, it allows users to change into that directory using the cd command. It also allows users to perform a long listing using the ls -l command. However, files within a directory can be executed if those files themselves have execute permission.

Managing Permissions Using The Graphical User Interface
Follow these steps to access a graphical user interface (GUI) for managing permissions on files and folders:


 * Right-click on the file or folder.
 * On the menu that appears, click the Properties menu item.
 * Click the Permissions tab.

Folder Permissions
The following table describes the Folder Access permissions. Changes to Folder Access permissions take immediate effect:

The following table describes File Access permissions. This allows finer-grained control of files within directories. Changes to File Access permissions take effect only after clicking the Apply permissions to enclosed files button.

When the File Access is set to ---, clicking Apply permissions to enclosed files keeps the current file permissions without changing them.

If the Execute: Allow executing file as program box is ticked, execute permissions are applied for everyone to files within that directory. If the Execute: Allow executing file as program box is not ticked, and you click the Apply permissions to enclosed files button, execute permissions are not removed from files within that directory.

If you are a member of a Secondary Group, change the group owner using the Group drop-down menu.

File Permissions
The following table describes the Access permissions for files. Changes to Access permissions take immediate effect:

Ticking the Execute: Allow executing file as program box applies execute permissions for everyone to the file.

If you are a member of a Secondary Group you can change the group owner using the Group drop-down menu.

Special Permissions
There are two special permissions that can be set on executable files: Set User ID (setuid) and Set Group ID (setgid). They cause the file, when executed, to run with the privileges of its owner or its group respectively. For example, if a file is owned by the root user and has the setuid bit set, it always runs with root privileges no matter who executes it.

Set User ID (setuid)
You must be the owner of the file or the root user to set the setuid bit. Run the following command to set the setuid bit:

chmod u+s file1

View the permissions using the ls -l command:

ls -l file1
-rwSrw-r-- 1 user1 user1 0 2007-10-29 21:41 file1

Note the capital S. This means there is no execute permission. Run the following command to add execute permission to the file1 file, noting the lower case s in the output:

chmod u+x file1

ls -l file1
-rwsrw-r-- 1 user1 user1 0 2007-10-29 21:41 file1

Note the lower case s. This means there is execute permission.

Alternatively, you can set the setuid bit using the numeric method by prepending a 4 to the mode. For example, to set the setuid bit together with read, write, and execute permissions for the owner of the file1 file, run the following command:

chmod 4700 file1

Set Group ID (setgid)
When the Set Group ID bit is set, the executable runs with the authority of the file's group. For example, if a file is owned by a given group, no matter who executes that file it always runs with the authority of that group. Run the following command to set the setgid bit on the file1 file:

chmod g+s file1

Note that both the setuid and setgid bits are set using the s symbol. Alternatively, prepend a 2 to the mode. For example, run the following command as root to set the setgid bit together with read, write, and execute permissions for the owner of the file1 file:

chmod 2700 file1

The setgid bit is represented the same way as the setuid bit, except that it appears in the group section of the permissions:

ls -l file1
-rwx--S--- 1 user1 user1 0 2007-10-30 21:40 file1

Use the chmod u+s command to set the setuid bit and the chmod g+s command to set the setgid bit.

Special Permissions for Directories
There are two special permissions for directories: the sticky bit and the setgid bit. When the sticky bit is set on a directory, only the root user, the owner of the directory, and the owner of a file can remove files within said directory.

Sticky Bit
An example of the sticky bit is the /tmp directory. Use the ls -ld command to view its permissions:

ls -ld /tmp
drwxrwxrwt 24 root root 4096 2007-10-30 22:00 tmp

The t at the end indicates that the sticky bit is set. A file created in the /tmp directory can only be removed by its owner or the root user. For example, run the following command to set the sticky bit on the folder1 folder:

chmod a+t folder1

Alternatively, prepend a 1 to the mode of a directory to set the sticky bit:

chmod 1777 folder1

Directories with the sticky bit set should have read, write, and execute permissions for the owner, group, and everyone else. This allows anyone to cd into the directory and create files.

Set Group ID
When the setgid bit is set on a directory, all files created within said directory inherit the group ownership of that directory. For example, the folder1 folder is owned by the user user1 and the group group1:

ls -ld folder1
drwxrwxr-x 2 user1 group1 4096 2007-10-30 22:25 folder1

Files created in the folder1 folder will inherit the group1 group membership:

touch folder1/file1

ls -l folder1/file1
-rw-rw-r-- 1 user1 group1 0 2007-10-30 22:29 folder1/file1

To set the setgid bit on a directory, use the chmod g+s command:

chmod g+s folder1

View the permissions using the ls -ld command, noting the s in the group permissions:

ls -ld folder1
drwxrwsr-x 2 user1 group1 4096 2007-10-30 22:32 folder1

Alternatively, prepend a 2 to the directory's mode:

chmod 2770 folder1
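An added example, not part of the original guide, covering the Special Permissions sections above: it sets the setuid, setgid and sticky bits on scratch files and directories and reads back the symbolic modes (the capital S, lower-case s and t characters described in the text) and their octal values, then runs the find check an administrator uses to inventory setuid and setgid files. It assumes Linux with GNU or BusyBox coreutils (stat -c, find -perm); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: set the setuid, setgid and
# sticky bits on scratch files and directories, read back the symbolic and
# octal modes (the S/s and t characters described above), then run the find
# check an administrator uses to inventory setuid/setgid files.
# Assumes Linux with GNU or BusyBox coreutils (stat -c, find -perm).

# Print "SYMBOLIC OCTAL" for a path, e.g. "-rwSrw-r-- 4664".
show_mode() { printf '%s %s\n' "$(stat -c '%A' "$1")" "$(stat -c '%a' "$1")"; }

# Create a file ($1 = f) or directory ($1 = d) at mode $2, apply the chmod
# argument $3 and print the resulting "SYMBOLIC OCTAL".
special_bits() {
    scratch=$(mktemp -d) || return 1
    if [ "$1" = d ]; then mkdir "$scratch/x"; else : > "$scratch/x"; fi
    chmod "$2" "$scratch/x"
    chmod "$3" "$scratch/x"
    show_mode "$scratch/x"
    rm -rf "$scratch"
}

# Count regular files under a tree with setuid or setgid set. Run against /
# by root, the same find expression lists the privileged executables on a
# system, which is the list worth reviewing after any package change.
count_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Constructed tree: one plain file, one setuid file, one setgid file.
audit_demo() {
    scratch=$(mktemp -d) || return 1
    : > "$scratch/plain"; : > "$scratch/suid"; : > "$scratch/sgid"
    chmod 4755 "$scratch/suid"
    chmod 2755 "$scratch/sgid"
    count_suid_sgid "$scratch"
    rm -rf "$scratch"
}

special_bits f 664 u+s    # -rwSrw-r-- 4664  capital S: setuid, no execute bit
special_bits f 4664 u+x   # -rwsrw-r-- 4764  lower-case s: setuid and execute
special_bits f 700 g+s    # -rwx--S--- 2700  setgid shown in the group section
special_bits d 777 a+t    # drwxrwxrwt 1777  sticky bit
special_bits d 770 g+s    # drwxrws--- 2770  setgid directory
audit_demo                # 2
```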