<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>33dots &#187; access rights</title>
	<atom:link href="http://www.33dots.com/index.php/tag/access-rights/feed" rel="self" type="application/rss+xml" />
	<link>http://www.33dots.com</link>
	<description></description>
	<lastBuildDate>Wed, 12 Oct 2011 17:07:54 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.3</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Revisiting File Access Modes in Linux</title>
		<link>http://www.33dots.com/index.php/linux/revisiting-file-access-modes-in-linux.html</link>
		<comments>http://www.33dots.com/index.php/linux/revisiting-file-access-modes-in-linux.html#comments</comments>
		<pubDate>Tue, 04 Aug 2009 14:26:36 +0000</pubDate>
		<dc:creator>tony</dc:creator>
				<category><![CDATA[Cent OS]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[access rights]]></category>
		<category><![CDATA[chmod]]></category>
		<category><![CDATA[file access modes]]></category>
		<category><![CDATA[file permissions]]></category>
		<category><![CDATA[sticky bit]]></category>

		<guid isPermaLink="false">http://www.33dots.com/?p=106</guid>
		<description><![CDATA[I recently found out that I have a messed-up understanding of Linux file access modes [or file permissions].
Like, I thought it was possible to rename/delete a file if we have write permission on that file. Also I thought it was not possible to delete/rename a file if we [or our groups] don't own it, or can't [...]]]></description>
			<content:encoded><![CDATA[<p>I recently found out that I have a messed-up understanding of Linux file access modes [or file permissions] <img src='http://www.33dots.com/blog/wp-includes/images/smilies/icon_sad.gif' alt=':(' class='wp-smiley' /><br />
Like, I thought it was possible to rename/delete a file if we have write permission on that file. Also I thought it was not possible to delete/rename a file if we [or our groups] don't own it, or can't read or write it. Both of them seem to be false... pretty bad, right?</p>
<p>Back to learning the basics,<br />
A file or directory (folder) is owned by a <strong>User (u)</strong> and a <strong>Group (g)</strong>. There are three permissions, <strong>read (r)</strong>, <strong>write (w)</strong> and <strong>execute (x)</strong>, which have different meanings for files and directories. Each of these permissions can be set for the user (u), the group (g) and others (o). Only one of those classes is consulted for a given access: the kernel uses the user bits if you own the file, otherwise the group bits if you belong to its group, otherwise the other bits. The classes are never combined, so an owner with fewer rights than "others" really does get fewer rights.<br />
The root user, the one with UID 0, bypasses these read/write/search checks whatever the mode bits say. The one exception is execution: even root cannot execute a regular file on which no execute bit is set at all.</p>
<p><strong>Let's take the case of files,</strong><br />
<strong>r (read)</strong>: read the file, and therefore also copy it (the copy additionally needs write permission on the destination directory).<br />
See the shell examples; comments begin with a #.</p>
<pre>[john@localhost test]$ ls -l
total 4
-r-------- 1 john john 9 Jul 29 12:18 testfile		#we only have read permission
[john@localhost test]$ cat testfile			#we read it
abcde...
[john@localhost test]$ cp testfile testfile2		#we copy it
[john@localhost test]$ ls -l
total 8
-r-------- 1 john john 9 Jul 29 12:18 testfile
-r-------- 1 john john 9 Jul 29 12:20 testfile2</pre>
<p><strong>w (write)</strong>: write to the file, that is, add, change, append or truncate its content.</p>
<pre>[john@localhost test]$ ls -l
total 8
--w-r-xr-x 1 john john 9 Jul 29 12:18 testfile	 #we have only write set on these files
--w-r-xr-x 1 john john 9 Jul 29 12:20 testfile2
[john@localhost ~]$ echo "abcde" &gt; testfile
[john@localhost ~]$ echo "abcdef" &gt;&gt; testfile
[john@localhost ~]$ cat testfile		#we can write to the file
abcde
abcdef</pre>
<p>Note that with a mode like the <code>--w-r-xr-x</code> above the owner cannot read the file back, even though group and others can: only the owner class applies to the owner, so reading it as john needs <code>u+r</code>. More importantly, write permission on a file does not give the right to rename, move or delete it. Those operations change the directory's entries, not the file's content, so they are controlled by the write (together with execute) permission on the directory in which the file resides.</p>
<pre>[john@localhost test]$ chmod u-w .	#we remove the write on the current directory
[john@localhost test]$ ls -l
total 8
-rwxr-xr-x 1 john john 9 Jul 29 12:18 testfile    #we have write access on these files
-rwxr-xr-x 1 john john 9 Jul 29 12:20 testfile2
[john@localhost test]$ mv testfile testfile3
mv: cannot move `testfile' to `testfile3': Permission denied
[john@localhost test]$ rm testfile
rm: remove write-protected regular file `testfile'? y
rm: cannot remove `testfile': Permission denied   #we cant rename/delete the file</pre>
<p><strong>x (execute)</strong>: run the script or program.</p>
<pre>[john@localhost ~]$ touch script	#we create a file and try to run it, but it fails
[john@localhost ~]$ ./script
-bash: ./script: Permission denied
[john@localhost ~]$ chmod u+x script	#we set execute and it runs fine
[john@localhost ~]$ ./script
[john@localhost ~]$</pre>
<p>Note that for a script, read permission is also required, because the interpreter (here bash) has to open and read the file as an ordinary file. A native binary does not need r: the kernel loads it directly, so x alone is enough.</p>
<pre>[john@localhost ~]$ chmod u-r script	#we remove the read
[john@localhost ~]$ ./script
bash: ./script: Permission denied	#not allowed</pre>
<p><strong>Now, the case of directories,</strong></p>
<p><strong>r (read)</strong>: list the contents (the entry names) of the directory. This is also what TAB completion relies on.</p>
<pre>[john@localhost ~]$ chmod u=r test/	#we set only read access to directory test/
[john@localhost ~]$ ls  test/
testfile  testfile2			#listing works fine</pre>
<p>Being able to list does not mean we can read or access the files inside, nor can we cd into the directory. Those are controlled by the execute (search) permission of the directory.</p>
<pre>[john@localhost ~]$ cat test/testfile
cat: test/testfile: Permission denied
[john@localhost ~]$ cd test/
-bash: cd: test/: Permission denied
[john@localhost ~]$ find test/
test/
find: test/: Permission denied		#as you can see find/cat/cd etc not allowed.
[john@localhost ~]$ ls -l test/
total 0					#ls -l can read the names but not stat the
?--------- ? ? ? ?            ? testfile	#entries, so it shows no details</pre>
<p>This read permission only affects the directory on which it is set, not its subdirectories: an unreadable directory can have readable subdirectories. The execute permission must still be set on the parent, otherwise the path to the subdirectory cannot be traversed.</p>
<pre>[john@localhost ~]$ chmod u-r test/	#remove read on directory test/
[john@localhost ~]$ ls test/		#we cant list test/
ls: test/: Permission denied
[john@localhost ~]$ ls test/sub/	#but we can list test/sub/
sub  subfile  subfile2</pre>
<p><strong>w (write)</strong>: create, rename, move and delete entries (files and directories) in it. Execute must also be set for any of these to work, because the kernel has to look the entry up in the directory first.</p>
<pre>[john@localhost ~]$ chmod u=wx test/	#we enable both write and execute for test/
[john@localhost ~]$ touch test/testfile4
[john@localhost ~]$ mv test/testfile4 test/testfile5	#we are able to create and rename files</pre>
<p>It is possible to delete, move or rename files and directories that we [or our groups] don't own and can't read or write, as long as we have write and execute permission on the directory containing them. The entry's own mode bits are never consulted for unlink or rename.</p>
<pre>[john@localhost ~]$ su
Password:
[root@localhost john]# touch test/testfile6	#we create a file as root user
[root@localhost john]# chmod a= test/testfile6	#we remove all the permission on this file
[root@localhost john]# ls -l test/testfile6
---------- 1 root root 0 Jul 30 13:00 test/testfile6
[root@localhost john]# exit
exit
[john@localhost ~]$ rm test/testfile6
rm: remove write-protected regular empty file `test/testfile6'? y
[john@localhost ~]$		#as you can see we were able to delete it as john.</pre>
<p>A user can remove an empty directory created by anyone, if he has write and execute permission on its parent directory. A non-empty directory cannot be removed this way: rmdir only works on empty directories, and deleting the contents first requires write and execute on that directory itself, which below belongs to root.</p>
<pre>[john@localhost test]$ ls -ld .		#we see that user john has write and execute
drwxr-xr-x 3 john john 4096 Jul 30 13:20 .
[john@localhost test]$ su
Password:
[root@localhost test]# mkdir test1 test2	#we make an empty and
[root@localhost test]# touch test1/testfile	#a non empty directory as root
[root@localhost test]# ls -l
total 20
drwxr-xr-x 2 root root 4096 Jul 30 17:17 test2
drwxr-xr-x 2 root root 4096 Jul 30 17:17 test1
[root@localhost test]# exit
exit
[john@localhost test]$ rm -R test2
rm: remove write-protected directory `test2'? y		#delete success as normal user
[john@localhost test]$ rm -R test1
rm: descend into write-protected directory `test1'? y
rm: remove write-protected regular empty file `test1/testfile'? y
rm: cannot remove `test1/testfile': Permission denied	#we cant delete the one with contents</pre>
<p>The write permission likewise only affects the directory on which it is set, not its subdirectories: an unwritable directory can have writable subdirectories, provided execute is set on the parent so the subdirectory can be reached.</p>
<pre>[john@localhost ~]$ chmod u=x test1/		#we enable only execute for the directory 'test1/'
[john@localhost ~]$ touch test1/subfile3	#cant write to test1/
touch: cannot touch `test1/subfile3': Permission denied
[john@localhost ~]$ touch test1/sub/subfile	#still we are able to create files in test1/sub/
[john@localhost ~]$ mkdir test1/sub/sub
[john@localhost ~]$ ls -l test1/sub
total 8
drwxrwxr-x 2 john john 4096 Aug  3 12:09 sub
-rw-rw-r-- 1 john john    0 Aug  3 12:39 subfile
-rw-rw-r-- 1 john john    0 Aug  3 12:04 subfile2</pre>
<p><strong>x (execute)</strong>: access the entries in the directory by name, for reading, writing and so on (this is why it is also called search permission). It also allows cd into the directory.</p>
<pre>[john@localhost ~]$ chmod u=x test/		#we set execute on the directory
[john@localhost ~]$ cd test
[john@localhost test]$ cat testfile
abcde...
[john@localhost test]$ ls -l testfile		#cd/reading files  are possible
-rwxr-xr-x 1 john john 9 Jul 29 12:18 testfile
[john@localhost test]$ ls
ls: .: Permission denied		#listing not possible as we dont have read set</pre>
<p>Together with w, it also enables write operations in the directory.</p>
<pre>[john@localhost test]$ chmod u=wx .	# we set write and create items
[john@localhost test]$ mkdir test
[john@localhost test]$</pre>
<p>Directory execute permission only governs the directory on which it is set, but the kernel needs search permission on every component of a path it resolves. So removing x from one directory blocks access to everything reachable through it, whatever the subdirectories' own modes allow: in that sense execute permission falls through to all child directories at any depth. The check is done per lookup, though. A process whose current directory is already inside the subtree, or one that already holds an open file descriptor, is not affected when an ancestor loses x, because its relative paths are resolved from where it already is.</p>
<pre>[john@localhost ~]$ ls -ld test1/
drwxrwxr-x 3 john john 4096 Aug  3 12:04 test1/
[john@localhost ~]$ ls -ld test1/sub/
drwxrwxr-x 4 john john 4096 Aug  3 12:41 test1/sub/
[john@localhost ~]$ ls -ld test1/sub/sub/
drwxrwxr-x 2 john john 4096 Aug  3 12:09 test1/sub/sub/
[john@localhost ~]$ chmod u-x test1/		#we remove execute on test1/
[john@localhost ~]$ touch test1/testfile
touch: cannot touch `test1/testfile': Permission denied
[john@localhost ~]$ touch test1/sub/testfile
touch: cannot touch `test1/sub/testfile': Permission denied
[john@localhost ~]$ touch test1/sub/sub/testfile
touch: cannot touch `test1/sub/sub/testfile': Permission denied
[john@localhost ~]$ ls test1/sub/
ls: test1/sub/: Permission denied
[john@localhost ~]$ mkdir test1/sub/sub2
mkdir: cannot create directory `test1/sub/sub2': Permission denied
[john@localhost ~]$	#as you can see we cant do anything in its child directories</pre>
<p>By default, read and execute permission is granted to everyone on most directories, except /root, users' home directories and a few others (the exact defaults depend on the distribution and its umask). With read permission we can list the entries, and with execute permission we can cd into them and access the entries.<br />
Without the execute bit set on / and /home we could not create any files or folders in our home directory ~/, even with full permissions on ~/ itself, because the path to it could not be traversed.</p>
<p>A directory with only execute set lets us open entries whose names we already know, but not list them or create new ones. This is the usual setup for ~/public_html/: give the webserver's class execute only, so it can serve files by name without enumerating the directory. Bear in mind it only hides the names; anyone who knows or guesses a name can still open the file, so the files themselves still need appropriate modes.</p>
<pre>[john@localhost ~]$ chmod u=x test1/
[john@localhost ~]$ ls test1/
ls: test1/: Permission denied
[john@localhost ~]$ cat test1/testfile
abcde...
[john@localhost ~]$ ls -l test1/testfile	#ls -l works because ls can access the
-rw-rw-r-- 1 john john 0 Aug  3 11:54 test1/testfile	#file by name to get its details</pre>
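<p>The rules from the file and directory sections above, the execute-only directory just shown, and the sticky bit covered next can all be checked against a small model. The Python below is an added example written for this page, not code from the original post: it builds a constructed in-memory tree with hypothetical uids (john=1000, tony=1001, root=0) and reproduces the kernel's decisions, namely that only one permission class is consulted, that every path component needs search (x), that create/unlink/rename look at the parent directory's w+x and never at the entry's own bits, that the sticky bit turns a non-owner's unlink into EPERM, and that root bypasses everything except executing a file with no x bit. check() takes a start directory, so it also shows that a process already inside a subtree is unaffected when an ancestor loses x.</p>

```python
"""Added example: in-memory model of the DAC checks described in this post.
Constructed tree and hypothetical uids (john=1000, tony=1001); not kernel code."""
import stat
from dataclasses import dataclass, field

R, W, X = 4, 2, 1          # bits within one permission class
ROOT_UID = 0


@dataclass
class Inode:
    mode: int              # stat.S_IFDIR or stat.S_IFREG | permission bits
    uid: int
    gid: int
    children: dict = field(default_factory=dict)
    script: bool = False   # run through an interpreter (#!), so exec also needs r


@dataclass(frozen=True)
class Cred:
    uid: int
    groups: frozenset


def _class_bits(inode, cred):
    """Exactly one class applies: owner, else group, else other. They never add up."""
    if cred.uid == inode.uid:
        return (inode.mode >> 6) & 7
    if inode.gid in cred.groups:
        return (inode.mode >> 3) & 7
    return inode.mode & 7


def permitted(inode, cred, want):
    """Root bypasses r/w/search; executing a regular file still needs some x bit."""
    if cred.uid == ROOT_UID:
        return stat.S_ISDIR(inode.mode) or not (want & X) or bool(inode.mode & 0o111)
    return (_class_bits(inode, cred) & want) == want


def _resolve(start, cred, path):
    """Walk path from start (the process cwd); every directory crossed needs x.
    Returns (parent, name, node); node is None if the last entry does not exist."""
    parts = [p for p in path.split("/") if p]
    node, parent, name = start, None, ""
    for i, part in enumerate(parts):
        if not stat.S_ISDIR(node.mode):
            raise NotADirectoryError(part)
        if not permitted(node, cred, X):        # the "fall through" effect
            raise PermissionError(part)
        parent, name = node, part
        node = node.children.get(part)
        if node is None and i + 1 != len(parts):
            raise FileNotFoundError(part)
    return parent, name, node


def check(start, cred, path, op):
    """Return "OK" or the errno name for op on path.
    op: read | list | write | exec | create | unlink | rename (same directory)."""
    try:
        parent, _name, node = _resolve(start, cred, path)
    except PermissionError:
        return "EACCES"
    except FileNotFoundError:
        return "ENOENT"
    except NotADirectoryError:
        return "ENOTDIR"
    if op == "create":
        if node is not None:
            return "EEXIST"
        return "OK" if permitted(parent, cred, W | X) else "EACCES"
    if node is None:
        return "ENOENT"
    if op in ("read", "list"):                  # listing a directory is reading it
        return "OK" if permitted(node, cred, R) else "EACCES"
    if op == "write":
        return "OK" if permitted(node, cred, W) else "EACCES"
    if op == "exec":
        if not permitted(node, cred, X):
            return "EACCES"
        return "OK" if not node.script or permitted(node, cred, R) else "EACCES"
    if op in ("unlink", "rename"):
        if parent is None:
            return "EBUSY"                      # the start directory itself
        if not permitted(parent, cred, W | X):  # the entry's own mode is irrelevant
            return "EACCES"
        if op == "unlink" and stat.S_ISDIR(node.mode) and node.children:
            return "ENOTEMPTY"
        if parent.mode & stat.S_ISVTX and cred.uid not in (ROOT_UID, node.uid, parent.uid):
            return "EPERM"                      # sticky bit: "Operation not permitted"
        return "OK"
    raise ValueError(op)


def build_tree():
    """Constructed tree mirroring the post's scenarios: john=1000, tony=1001, root=0."""
    def d(mode, uid=0, gid=0, **kids):
        return Inode(stat.S_IFDIR | mode, uid, gid, dict(kids))

    def f(mode, uid=0, gid=0, script=False):
        return Inode(stat.S_IFREG | mode, uid, gid, script=script)

    J, T = 1000, 1001
    return d(0o755,
             tmp=d(0o1777, test=f(0o666, J, J), test1=f(0o644, T, T)),
             home=d(0o755, john=d(0o711, J, J,
                 test=d(0o755, J, J, testfile=f(0o255, J, J), testfile6=f(0o000),
                        test1=d(0o755, testfile=f(0o644)), test2=d(0o755)),
                 ro=d(0o500, J, J, keep=f(0o700, J, J)),
                 test1=d(0o600, J, J, sub=d(0o775, J, J, subfile=f(0o664, J, J))),
                 script=f(0o100, J, J, script=True),
                 bin=f(0o000, J, J))))
```

<p>For instance <code>check(build_tree(), Cred(1000, frozenset({1000})), "/home/john/test/testfile", "read")</code> returns EACCES for the <code>--w-r-xr-x</code> file even though group and others could read it, while <code>"unlink"</code> on root's mode-000 <code>testfile6</code> returns OK because only the parent directory's w+x matter. Calling check() with <code>test1/sub</code> as the start directory shows the relative lookup succeeding after <code>test1</code> has lost its x bit.</p>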
<p><strong>Sticky bit</strong><br />
The sticky bit overrides the default delete/rename behaviour for the entries inside a directory. When it is set (<code>chmod +t</code>, or the leading 1 in a mode like 1777), entries in the directory can be renamed or deleted only by the entry's owner, the directory's owner, or the superuser. Without the sticky bit, as we've seen earlier, any user with write and execute permission on the directory can rename or delete contained files regardless of who owns them.<br />
The sticky bit is set on /tmp to prevent ordinary users from deleting or moving other users' files. It says nothing about reading or writing those files: a world-writable file in /tmp can still be modified by anyone, so the files' own modes still matter. In <code>ls -l</code> the bit shows as a <code>t</code> in the others' execute position (a capital <code>T</code> if others lack x). Note too that a refused delete gives "Operation not permitted" (EPERM) rather than the "Permission denied" (EACCES) seen earlier when directory write was missing, which tells the two causes apart.</p>
<pre>[john@localhost ~]$ ls -ld /tmp			#/tmp has full permission for everyone
drwxrwxrwt 32 root root 4096 Jul 30 13:18 /tmp	#the last t shows that sticky bit is set
[john@localhost ~]$ touch /tmp/test		#we create files with two users
[john@localhost ~]$ su tony
Password:
[tony@localhost john]$ touch /tmp/test1
[tony@localhost john]$ exit
exit
[john@localhost ~]$ rm /tmp/test	#john is able to remove the file created by him
[john@localhost ~]$ rm /tmp/test1	#but not the one created by tony
rm: remove write-protected regular empty file `/tmp/test1'? y
rm: cannot remove `/tmp/test1': Operation not permitted
[john@localhost ~]$</pre>
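<p>Since the sticky bit only restricts unlink and rename, the practical check on a host is for directories that are world-writable without it. The Python below is an added example, not from the original post: it walks a tree looking for such directories (the same test as <code>find TOP -type d -perm -0002 ! -perm -1000</code>) and evaluates the sticky rule on real stat() results for the directory owner and a hypothetical second uid (owner+1). demo() builds a constructed temporary tree owned by the current user to exercise both checks.</p>

```python
"""Added example: audit for world-writable directories lacking the sticky bit,
and the sticky-bit unlink rule evaluated on stat() results. Not from the post."""
import os
import shutil
import stat
import tempfile


def sticky_unlink_allowed(dir_st, file_st, uid):
    """Assuming uid already has w+x on the directory, may it unlink or rename the
    entry? With S_ISVTX set, the kernel also requires uid to own the entry or the
    directory, or to be root; otherwise the call fails with EPERM."""
    if not dir_st.st_mode & stat.S_ISVTX:
        return True
    return uid in (0, file_st.st_uid, dir_st.st_uid)


def unprotected_world_writable_dirs(top):
    """Directories under top that anyone can write to (o+w) but that lack the
    sticky bit, so any user can delete or rename any other user's entries there.
    Equivalent to: find TOP -type d -perm -0002 ! -perm -1000"""
    hits = []
    for dirpath, _dirs, _files in os.walk(top):
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            hits.append(dirpath)
    return sorted(hits)


def demo():
    """Build a constructed tree in a temp dir and run both checks for the owner
    and a hypothetical second uid (owner+1). Returns a dict of results."""
    top = tempfile.mkdtemp()            # mkdtemp creates it 0700, so top itself is never a hit
    me, other = os.getuid(), os.getuid() + 1
    try:
        for name, mode in (("shared", 0o777), ("tmp", 0o1777), ("private", 0o700)):
            os.mkdir(os.path.join(top, name))
            os.chmod(os.path.join(top, name), mode)
        for name in ("shared", "tmp"):
            open(os.path.join(top, name, "note"), "w").close()
        shared, tmp = os.path.join(top, "shared"), os.path.join(top, "tmp")
        shared_note, tmp_note = os.stat(os.path.join(shared, "note")), os.stat(os.path.join(tmp, "note"))
        return {
            "unprotected": [os.path.relpath(p, top) for p in unprotected_world_writable_dirs(top)],
            "other_can_rm_in_shared": sticky_unlink_allowed(os.stat(shared), shared_note, other),
            "other_can_rm_in_tmp": sticky_unlink_allowed(os.stat(tmp), tmp_note, other),
            "owner_can_rm_in_tmp": sticky_unlink_allowed(os.stat(tmp), tmp_note, me),
        }
    finally:
        shutil.rmtree(top)
```

<p>On a real host, run <code>unprotected_world_writable_dirs("/")</code> as root and compare the result with the directories you expect to be shared; anything world-writable and not sticky is a place where one local user can delete or rename another user's files, and where a service dropping files under a predictable name can have them swapped out from under it.</p>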
<p>Thanks to,<br />
<a title="Introduction to Linux by Machtelt Garrels at tldp.org" href="http://tldp.org/LDP/intro-linux/html/sect_03_04.html" target="_self">Introduction to Linux</a> by Machtelt Garrels<br />
<a title="An article on linux-noob.com" href="http://www.linux-noob.com/forums/index.php?showtopic=1766" target="_self">Understanding Access Permissions</a> by znx<br />
And the Linux info pages</p>
]]></content:encoded>
			<wfw:commentRss>http://www.33dots.com/index.php/linux/revisiting-file-access-modes-in-linux.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

