|Purchase "Deploying Suse Linux Enterprise Server"
File & Directory Permissions on Linux
When configuring file sharing on a network, a good understanding of basic file and directory permissions is necessary regardless of the operating system being used. One of the biggest obstacles administrators face is that Linux distributions ship with more restrictive file and directory permissions by default: a new file is writable by its owner only, and a share does not simply hand out write access to everyone. This is different from the "Everyone has read/write access" defaults that Windows shares have traditionally had. Because of these differences, many administrators coming from a Windows background find configuring file sharing on Linux frustrating and confusing. (Also because of this, many Windows servers have very insecure permissions on their shares, as most admins never change them from the defaults.)
With Linux, file and directory permissions are separated into two parts: the basic permission bits and ACLs (Access Control Lists). Every distribution and every application honours the basic permissions, because the kernel enforces them on each file operation. ACLs are enforced by the kernel too, but only on filesystems mounted with ACL support, and not every tool that copies, archives or rewrites files preserves them (cp, tar and rsync each need an explicit option, and an application that saves by writing a new file and renaming it over the old one silently drops the old file's ACL). In most cases, when dealing with Linux clients, it is wise to use basic permissions and reach for ACLs only when they are really needed and you know that every application touching the files will preserve them. This section shows how to use basic permissions for most deployments and touches on ACLs for the special cases you may encounter.
Linux lets you set basic permissions on every file and directory for three classes of user: the "Owner" of the file/directory, members of the group that owns it (its "Group Ownership"), and "Others" (everyone else). The rights you can grant each class are "Read", "Write" and "eXecute", and they mean different things for files and for directories.
For files:
- "Read" means being able to open and view the contents of the file
- "Write" means being able to overwrite or modify the file (deleting or renaming a file is governed by the permissions of the directory it is in, not by the file's own permissions)
- "eXecute" means being able to run the file as a program or script
For directories:
- "Read" means being able to list the names of the entries in the directory
- "Write" means being able to create, delete or rename entries within the directory (it only works together with "eXecute")
- "eXecute" means being able to enter the directory ("cd" into it) and reach the files inside it by name
- Most of the time you set "Read" and "eXecute" together on directories: "Read" alone lets a user see the names but not open anything or get file details, and "eXecute" alone lets a user open files whose names they already know without being able to list the directory
To view the permissions of files and directories, use the command line program "ls" with the "-l" option; add "-d" ("ls -ld") when you want to see a directory's own permissions rather than a listing of its contents.
The output of the "ls -l" command is in the form:
perms      links owner     group   size modified         name
drwxr-xr-x 2     mpetersen company 4096 2007-07-10 13:43 fileperms
-rw-r--r-- 1     mpetersen company 9698 2007-07-10 13:42 fileperms.html
Where "perms" is the permission string of the file/directory as 10 characters: the first character is the file type ("-" for a regular file, "d" for a directory, "l" for a symbolic link) and the remaining nine characters give the rights of each class as three groups of three, "rwx" for read, write and execute, in the order owner, group, others. So a -rw-rw-r-- entry indicates that the owner and group have read-write access while everyone else has read access only. The setuid, setgid and sticky bits, when set, appear in the execute positions as "s" or "t" (uppercase "S" or "T" when the corresponding execute bit is off). The second column is the number of hard links to the entry and is not part of the permissions.
Note: if a plus sign (+) appears immediately after the 10 permission characters (for example -rw-r--r--+), the file carries ACL entries in addition to the basic permissions; "getfacl" displays them.
A few words about groups in Linux: by default, when someone creates a new file, the file's owner is that user and its "Group Ownership" is the user's primary ("default") group. For another user to reach that file through the group permissions, they do not need to have the same primary group; they only need to be a member of the group listed as the file's "Group Owner" (the "id" command shows all of a user's groups).
To change the ownership and permissions of files/directories, these are the commands you use:
- chown - This changes the owner of the file/directory (only root can hand a file to another user); "chown user:group file" sets the group at the same time
- chgrp - This changes the "Group Ownership" of a file or directory (the file's owner may do this too, but only to a group they belong to)
- chmod - This changes the "access rights" to the file or directory, for example:
- chmod +rx filename - adds read and execute permissions for the owner, group and others (see the note below)
- chmod g+w filename - adds write permission for the group
- chmod go-w filename - removes write permission from the group as well as everyone else
Note: a "chmod +w filename" command (no "u", "g", "o" or "a" in front of the "+") normally adds write permission for the owner only, not the group or others, unlike "chmod +rx filename". The reason is that a "+" or "-" with no class letter applies to all classes but skips any bit that is set in the current umask, and the usual umask of 022 masks the group and others write bits while leaving read and execute alone. Spell the classes out ("chmod a+w" or "chmod ugo+w") when you want the umask ignored.
Working with Numeric Permissions
An alternative to the "g+rw" or "o-rx" style options of chmod is to set permissions on files/directories using numeric (octal) modes. This works very well in scripts, because a numeric mode sets every bit explicitly and the result does not depend on what the permissions were before. If you know exactly what permissions you want on a file it is also quicker. For instance:
chmod 660 filename
gives the owner read-write, the group read-write and others nothing, whatever the mode was before. Starting from the usual default of 644 it is the equivalent of issuing:
chmod g+rw filename
chmod o-rw filename
although "chmod u=rw,g=rw,o= filename" is the exact symbolic equivalent from any starting point.
When using numeric permissions, you specify the exact rights for every class (owner, group, others) instead of adding or subtracting rights with "o-rw" and so on. So if you simply want to add group write access to a file, it is easier to do a "chmod g+w filename" than to work out the full numeric mode for the file.
To work out the numeric rights, use the following chart to convert each right to a number:
0 - no access
1 - eXecute
2 - Write
4 - Read
Then, for each class, add up the numbers for the rights you want, and write the three results in the order owner, group, others. For example, if you want read and write privileges, you add 4 and 2 to get 6; so for owner and group read/write access with no access for others you would issue: "chmod 660 filename". Read plus execute is 4 + 1 = 5 and all three rights are 4 + 2 + 1 = 7, so "chmod 755 dirname" gives a directory the common owner-writable, world-readable layout.
Note: Most people find the numeric permissions very confusing, so normally I try to avoid explaining it (unless they are "Power Users"). It is easier for people to grasp the concept of adding/subtracting rights to a file/directory instead of the numeric permissions.
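The following shell script is an added example, not code from the book or from SUSE. It runs the chmod forms discussed in the last two sections against a scratch file and reads the resulting mode back with stat: the explicit symbolic forms, the umask-dependent "+w" case from the note above, and the difference between an absolute numeric mode and a relative symbolic change. It assumes GNU coreutils (stat -c '%a' prints the octal mode), and the file name demo.txt and the helper names mode_of and chmod_result are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the book: drive chmod in each form described
# above and read the resulting mode back with stat.  Assumes GNU coreutils
# (stat -c '%a' prints the octal mode); demo.txt is a made-up name.

# Octal mode of a path, e.g. 644.
mode_of() {
    stat -c '%a' "$1"
}

# Create a scratch file with mode START_MODE, apply one chmod EXPRESSION
# to it under a fixed umask of 022, and print the mode that results.
# The umask only matters for who-less forms such as "+w" (see the note
# above); it is set in a subshell so the caller's umask is untouched.
chmod_result() {
    start_mode=$1
    expression=$2
    scratch=$(mktemp -d)
    : > "$scratch/demo.txt"
    chmod "$start_mode" "$scratch/demo.txt"
    ( umask 022 && chmod "$expression" "$scratch/demo.txt" )
    mode_of "$scratch/demo.txt"
    rm -rf "$scratch"
}

# Symbolic forms with an explicit class letter add or remove bits relative
# to the current mode, independent of the umask.
chmod_result 644 g+w              # -> 664  (group gains write)
chmod_result 664 go-w             # -> 644  (group and others lose write)

# A class-less form is filtered through the umask: 022 masks the group
# and others write bits, so "+w" reaches only the owner, while "+rx"
# reaches all three classes because 022 masks no read or execute bit.
# "a+w" names every class explicitly and ignores the umask.
chmod_result 444 +w               # -> 644
chmod_result 000 +rx              # -> 555
chmod_result 444 a+w              # -> 666

# A numeric mode replaces all nine bits at once, so "660" and the absolute
# symbolic form "u=rw,g=rw,o=" give 660 from any starting mode.  The
# relative form "g+rw,o-rw" only lands on 660 when starting from 644; from
# 755 the owner keeps execute and others keep execute, giving 771.
chmod_result 644 660              # -> 660
chmod_result 755 660              # -> 660
chmod_result 755 u=rw,g=rw,o=     # -> 660
chmod_result 644 g+rw,o-rw        # -> 660
chmod_result 755 g+rw,o-rw        # -> 771
```

Run it as any user: the modes reported by stat do not depend on who runs the script, only on the chmod expression and the umask fixed inside chmod_result.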
Default Permissions on Linux
Most Linux distributions, by default, set the permissions on any newly created file/directory so that it is writable only by the owner, while group members and others get read-only access (plus eXecute on directories). This may not be what you want when you work on a network and collaborate with other people.
These default permissions are controlled by the "umask", a per-process value set with the umask command, which the login scripts run for you (you can re-run it at any time; it affects the current shell and everything started from it). The umask is an octal number of up to four digits (the three digits used here cover owner, group and others) whose set bits are masked out of, that is, cleared from, the permission value Linux would otherwise give a new file or directory. This is often described as "subtracting" the umask, and that gives the same answer as long as every masked bit was set to begin with, but it is a bitwise operation: a umask can only remove rights, never add them.
The "default" permission value that Linux gives a new file (before the umask is applied) is "666", meaning the owner, group and others all have read-write access; files never get the execute bit by default, it has to be added with chmod. With a umask of "022" (the default in most distributions; some that create a private group for every user switch ordinary users to "002"), the default mode for files becomes "644", because the group and others write bits are cleared from "666".
The "default" permission value for a new directory (before the umask) is "777", so that directories get the eXecute bit they need to be entered, and the umask is applied in the same manner: "022" yields "755".
So, when you are working with files over a network, it is probably a good idea to change the umask to either "002", which leaves the owner and group members with write permission and others with read-only access (files 664, directories 775), or "007", which does the same for the owner and group but gives others no permissions at all (files 660, directories 770).
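The following shell script is an added example, not from the book. It computes the mode the kernel gives a new object from the base value (666 or 777) and a umask using the real bit-clearing rule, and compares it with what the system actually creates for the 022, 002 and 007 masks discussed above and for a 027 mask, where the "subtraction" shortcut gives the wrong answer. It assumes GNU coreutils (stat -c '%a') and a shell whose arithmetic accepts leading-zero octal constants (bash and dash both do); the helper names masked_mode and default_modes and the names newfile and newdir are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the book: compute the mode a umask produces with
# the kernel's real rule (bits set in the umask are cleared, not subtracted)
# and check it against what the system actually creates.  Assumes GNU
# coreutils (stat -c '%a') and shell arithmetic that accepts leading-zero
# octal constants (bash and dash do).

# Mode the kernel gives a new object: BASE with every bit of MASK cleared.
# BASE is 666 for files and 777 for directories; both are octal strings.
masked_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# Create a file and a directory under MASK in a scratch directory and print
# their modes as "FILE DIR", e.g. "644 755".  The umask is changed inside a
# subshell, so the caller keeps its own.
default_modes() {
    scratch=$(mktemp -d)
    ( cd "$scratch" && umask "$1" && : > newfile && mkdir newdir )
    printf '%s %s\n' "$(stat -c '%a' "$scratch/newfile")" \
                     "$(stat -c '%a' "$scratch/newdir")"
    rm -rf "$scratch"
}

# The three masks discussed above: private by default, group-writable, and
# group-writable with no access for others.  The computed and the observed
# modes agree.
masked_mode 666 022    # -> 644
masked_mode 777 022    # -> 755
default_modes 022      # -> 644 755
default_modes 002      # -> 664 775
default_modes 007      # -> 660 770

# Where "subtraction" breaks: 666 - 027 would be 637, i.e. others gaining
# execute, which a umask can never grant.  Clearing the bits gives 640 for
# a file and 750 for a directory, and that is what the kernel does.
masked_mode 666 027    # -> 640
masked_mode 777 027    # -> 750
default_modes 027      # -> 640 750
```

masked_mode is the rule to keep in mind when reading a umask: each octal digit of the mask lists the rights that class will not get, so 027 means "group loses write, others lose everything".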
Once you have chosen the umask you want, you set it system-wide in most Linux distributions by editing /etc/profile. With SUSE Linux, however, you should not edit /etc/profile itself (your changes may be lost on a system upgrade); instead create a new file named /etc/profile.local and put a single "umask" line with the value you chose above into it. Users can still override it in their own shell startup files, and the setting only reaches processes started from a login shell.
Note: you only need to worry about the server's umask if users log in to the server itself (locally or over SSH) to create files. For Linux clients that mount the server over NFS, the mode of a new file is decided by the umask of the process on the client, so it is the client's umask that has to be adjusted. Samba (for Windows networking) ignores the umask entirely and has its own smb.conf settings for default permissions: "create mask", "directory mask", "force create mode" and "force directory mode".