Doug Vitale Tech Blog - 17 Feb 2013
When you view files and directories on Linux hosts, how can you tell which users have access, and how do you determine the extent of that access? Before approaching the sizable (but very important) subject of Linux (and Unix) file permissions, it is helpful to define clearly the key terms that IT professionals need to be familiar with.
Common across all operating system (OS) platforms, files are the objects or things that OSes and user applications work with. More specifically, a file is a distinct collection of data that has a name and properties, or characteristics. Files can take the form of text documents, graphics, music, scripts, etc. If you prefer the geeky definition, Wikipedia states that a computer file is “a block of arbitrary information, or resource for storing information, which is available to a computer program and is usually based on some kind of durable storage.”
Computer files can be created, edited, deleted, moved, and stored. The orderly arranging of files is accomplished by means of directories, which are simply containers for files and other directories. On the Windows operating system, directories are often called “folders” because they are visually represented by icons resembling the paper folders which you would find in filing cabinets. This method of depicting directories as paper folders has also been adopted by Linux desktop environments, such as KDE and GNOME.
Directories are arranged in a hierarchical model. Users and software use these directories to navigate the file system and find particular files. Files are often logically co-located based on type and usage.

(Figure: A simple example of a file system hierarchy)

Displaying file permissions
When you open a shell on a Linux host, you acquire the ability to interact with the files that host is storing. So let’s return to the original question of how you would view and configure file permissions on Linux. Say you open a bash shell and are presented with the shell prompt, also known as the command line interface. You then issue the ls -l command to tell bash to display the contents of your current working directory (for example, your home folder, located at /home/your_account_name). You will see output similar to this example (I entered ls -l on my Windows home folder using Cygwin):
drwxr--r-- 1 doug Domain Users 0 Nov 19 16:13 AppData
drwx------ 1 doug Domain Users 0 Jan 10 12:39 Desktop
drwx------ 1 doug Domain Users 0 Jan 22 10:49 Documents
drwx------ 1 doug Domain Users 0 Jan 9 11:08 Favorites
-rwx------ 1 doug Domain Users 12 Jan 22 10:49 key.txt
-rwx------ 1 doug Domain Users 130048 Jan 9 10:59 metadata.db
drwx------ 1 doug Domain Users 0 Nov 19 16:13 Music
lrwxrwxrwx 1 SYSTEM SYSTEM 35 Nov 19 16:13 My Documents -> /cygdrive/c/Users/doug/Documents
-rwx------ 1 doug Domain Users 3670016 Feb 14 15:01 NTUSER.DAT
-rwx------ 1 SYSTEM SYSTEM 20 Nov 19 16:13 ntuser.ini
drwx------ 1 doug Domain Users 0 Dec 27 14:25 Pictures
lrwxrwxrwx 1 SYSTEM SYSTEM 66 Nov 19 16:13 Recent -> /cygdrive/c/Users/doug/AppData/Roaming/Microsoft/Windows/Recent
drwx------ 1 doug Domain Users 0 Nov 19 16:41 Searches
lrwxrwxrwx 1 SYSTEM SYSTEM 66 Nov 19 16:13 SendTo -> /cygdrive/c/Users/doug/AppData/Roaming/Microsoft/Windows/SendTo
drwx------ 1 doug Domain Users 0 Dec 28 13:13 Software
lrwxrwxrwx 1 SYSTEM SYSTEM 70 Nov 19 16:13 Start Menu -> /cygdrive/c/Users/doug/AppData/Roaming/Microsoft/Windows/Start Menu
drwx------ 1 doug Domain Users 0 Feb 14 13:47 Temp
drwx------ 1 doug Domain Users 0 Nov 27 15:46 Videos

Users, groups, and access rights
In the Linux OS, each file and directory is assigned access rights based on three classes of user: the owner of the file, the members of the file’s group (possibly including the owner), and everybody else (others). By default, the user who creates a file becomes its owner. All members of a file’s group have the same permissions on the file. Every user belongs to at least one group. From a security perspective, you should pay particular attention to the permissions set for ‘others’, i.e. all users who are neither the owner nor members of the group associated with the file or directory in question.
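The listing above shows the mode column as a string such as drwxr--r--. The script below, an added example that is not part of the original post, decodes that string into the octal form that chmod and stat use and then applies the warning about ‘others’ by flagging every entry whose world-writable bit is set. The sample listing is constructed for the example (single-word group and file names, unlike Cygwin’s "Domain Users" above, so awk can split the columns on whitespace); it also handles the setuid, setgid and sticky markers (s, S, t, T) that ls shows in the execute slots, which go beyond the read/write/execute bits the post covers.

```shell
#!/bin/sh
# Added example, not from the original post: decode the mode column of `ls -l`
# output and list entries that grant write access to "others".
# SAMPLE_LS is a constructed listing; names are single words so awk's $NF is the name.

SAMPLE_LS='-rw-r--r-- 1 doug users     12 Jan 22 10:49 notes.txt
-rw-rw-rw- 1 doug users    130 Jan  9 10:59 shared.db
drwxrwxrwt 2 root root    4096 Feb 14 15:01 tmp
-rwsr-xr-x 1 root root   59976 Nov 19 16:13 setuid_helper'

# triple_value rwx -> 7 : numeric value of one three-character permission group.
# 's' and 't' in the execute slot mean the execute bit is set (plus a special bit);
# 'S' and 'T' mean the special bit is set but execute is not.
triple_value() {
    v=0
    case $1 in r??) v=$((v+4)) ;; esac
    case $1 in ?w?) v=$((v+2)) ;; esac
    case $1 in ??[xst]) v=$((v+1)) ;; esac
    echo "$v"
}

# mode_to_octal MODESTRING -> octal mode as `stat -c %a` prints it,
# e.g. "drwxr--r--" -> 744, "-rwsr-xr-x" -> 4755.
mode_to_octal() {
    perms=${1#?}                                  # drop the type character (d, -, l, ...)
    case $perms in *[.+]) perms=${perms%?} ;; esac # drop the ACL (+) / SELinux (.) marker
    u=${perms%??????}; rest=${perms#???}
    g=${rest%???};     o=${rest#???}
    special=0
    case $u in ??[sS]) special=$((special+4)) ;; esac   # setuid
    case $g in ??[sS]) special=$((special+2)) ;; esac   # setgid
    case $o in ??[tT]) special=$((special+1)) ;; esac   # sticky
    bits="$(triple_value "$u")$(triple_value "$g")$(triple_value "$o")"
    if [ "$special" -ne 0 ]; then echo "$special$bits"; else echo "$bits"; fi
}

# world_writable: read `ls -l` lines on stdin and print the names of entries
# whose "others" class has the write bit (character 9 of the mode column).
world_writable() {
    awk 'substr($1, 9, 1) == "w" { print $NF }'
}

# Decode every sample line: mode string, octal value, name.
printf '%s\n' "$SAMPLE_LS" | while read -r mode rest; do
    printf '%-10s %5s  %s\n' "$mode" "$(mode_to_octal "$mode")" "${rest##* }"
done

echo "entries writable by others:"
printf '%s\n' "$SAMPLE_LS" | world_writable
```

Piping a real listing through world_writable (ls -l /some/dir | world_writable) gives a quick audit of what anyone on the host may modify; a sticky world-writable directory such as /tmp will show up too, since the sticky bit restricts deletion but not writing.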
The types of rights are read, write, and execute.

Read means the ability to view a file; to read a directory is to view a listing of its contents.

Write means the ability to change or delete a file, or to create, change, or delete the contents of a directory. A user with write access to a directory can delete files in that directory even if he does not have write permission on the files being deleted.

Execute means the ability to run or launch a file, or to enter or search a directory and access any subdirectories (but not to view the directory’s contents unless the read permission is also granted; however, files inside can still be accessed directly if you can provide the full path).
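The two directory caveats above (write on the directory governs deletion, and execute without read allows traversal but not listing) are easy to misread, so here is an added example, not from the original post, that exercises them in a throwaway directory created with mktemp. Function names and the file names inside are assumptions made for the example. Run it as an ordinary user: root carries CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH and is exempt from these permission checks, so the denials do not appear for root.

```shell
#!/bin/sh
# Added example, not from the original post: exercise the directory permission
# rules in a scratch directory. Each function returns or prints what happened.
# Root is exempt from DAC checks, so run as an ordinary user to see the denials.

WORK=$(mktemp -d)
trap 'chmod -R u+rwx "$WORK" 2>/dev/null; rm -rf "$WORK"' EXIT

# Rule 1: removing a file needs write (and execute) on the DIRECTORY, not on the file.
# Returns 0 if the read-only file could be removed.
delete_readonly_file() {
    d=$WORK/deldemo
    mkdir -p "$d" && echo data > "$d/locked.txt"
    chmod 444 "$d/locked.txt"   # the file itself: read-only for everyone, owner included
    chmod 755 "$d"              # the directory: owner may add and remove entries
    rm -f "$d/locked.txt"       # -f only suppresses rm's "write-protected file" prompt
    [ ! -e "$d/locked.txt" ]
}

# Rule 2: execute without read on a directory allows traversal but not listing.
# Prints "listed=<count> content=<data>"; an ordinary user gets listed=0.
traverse_only() {
    d=$WORK/xonly
    mkdir -p "$d" && echo secret > "$d/known.txt"
    chmod 111 "$d"
    listed=$(ls "$d" 2>/dev/null | wc -l | tr -d ' ')
    content=$(cat "$d/known.txt" 2>/dev/null)   # works because the full path is known
    chmod 755 "$d"
    echo "listed=$listed content=$content"
}

# Rule 3: read without execute allows listing names, but nothing inside can be opened.
# Prints "opened=yes" or "opened=no"; an ordinary user gets opened=no.
list_only() {
    d=$WORK/ronly
    mkdir -p "$d" && echo secret > "$d/known.txt"
    chmod 444 "$d"
    if cat "$d/known.txt" >/dev/null 2>&1; then opened=yes; else opened=no; fi
    chmod 755 "$d"
    echo "opened=$opened"
}

if delete_readonly_file; then
    echo "read-only file removed: deletion was governed by the directory's write bit"
fi
echo "execute-only directory: $(traverse_only)"
echo "read-only directory:    $(list_only)"
```

The practical consequence for hardening is that protecting a file with chmod 444 does nothing against deletion or replacement if the containing directory is writable by the same users, and that hiding a directory’s contents by removing its read bit does not stop anyone who already knows (or can guess) a file name inside it.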