Saturday, December 28, 2013

Unix - File Access Rights and Ownerships

File Attributes

#/$ ls -l /tmp
drwxr-xr-x  4 vijay  wheel           10 Apr 16  2010 testFolder
-rw-r--r--  2 vijay  wheel       368884 Feb 13  2012 news.txt
-rwx------  2 vijay  wheel         2687 Feb 13  2012 secret.txt
-rwxr-xr-x  2 vijay  wheel        11762 Nov 10  2011 code.c

Symbolic permissions


Option   Letter   Represents
(who)   u   User
(who)   g   Group owner
(who)   o   Other
(who)   a   All (“world”)
(action)   +   Adding permissions
(action)   -   Removing permissions
(action)   =   Explicitly set permissions
(permissions)   r   Read
(permissions)   w   Write
(permissions)   x   Execute
(permissions)   t   Sticky bit
(permissions)   s   Set UID or GID

To modify the access rights, modify the file attributes.
# chmod 777 testfile   Allows full access by the file owner, group members, and all other users.
# chmod -R 755 /tmp/test/   -R applies the access rights to all the files and sub-folders in /tmp/test/
# chmod go= testfile   Symbolic permission (who) (action) (permissions)
# chmod go-w,a+x testfile

Extended file attributes

# getfacl testfile
# setfacl -k testfile
# setfacl -m u:trhodes:rwx,group:web:r--,o::--- testfile

setuid (4), setgid (2), and sticky (1) permissions

# chmod 4755 testfile
=> The file always runs with the permissions and user ID of the user who owns it
-rwsr-xr-x (x of owner is replaced with s)

# chmod 2755 testfile
=> The file always runs with the permissions of the group that owns it
-rwxr-sr-x (x of group is replaced with s)

# chmod 1777 testdir
=> Allows file deletion only by the owner (makes sense for directories)
drwxrwxrwt (x of all-users is replaced with t)
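
The script below is an added example, not part of the original post: it decodes `ls -l` mode strings into the four-digit octal form used above and flags setuid/setgid entries and world-writable directories that lack the sticky bit. The function names and the sample listing are constructed for illustration, and it assumes the plain `ls -l` column layout shown earlier (not `ls -lo`).

```shell
#!/bin/sh
# Added example: decode `ls -l` mode strings and flag special bits.

# Convert a mode string such as -rwsr-xr-x to four-digit octal (4755).
mode_to_octal() {
    m=$1 special=0 digits=""
    for i in 0 1 2; do
        # Triads occupy characters 2-4 (owner), 5-7 (group), 8-10 (other).
        triad=$(printf '%s' "$m" | cut -c"$((2 + i * 3))-$((4 + i * 3))")
        v=0
        case $triad in r??) v=$((v + 4)) ;; esac
        case $triad in ?w?) v=$((v + 2)) ;; esac
        case $triad in ??[xst]) v=$((v + 1)) ;; esac  # lowercase s/t implies x
        # s/S or t/T in the third slot means the special bit is set:
        # setuid=4 on the owner triad, setgid=2 on group, sticky=1 on other.
        case $triad in ??[sStT]) special=$((special + (4 >> i))) ;; esac
        digits="$digits$v"
    done
    printf '%s%s\n' "$special" "$digits"
}

# Read `ls -l` lines on stdin and report entries worth reviewing.
audit_listing() {
    while read -r mode links owner group size mon day yr name; do
        oct=$(mode_to_octal "$mode")
        case $mode in ???[sS]*) echo "setuid $oct $owner $name" ;; esac
        case $mode in ??????[sS]*) echo "setgid $oct $group $name" ;; esac
        case $mode in d???????w[!tT]*)
            echo "world-writable-no-sticky $oct $owner $name" ;;
        esac
    done
}

# Constructed sample listing (names and owners are made up for illustration).
sample_listing() {
    cat <<'EOF'
-rwsr-xr-x  1 root   wheel   2687 Feb 13  2012 helper
-rwxr-sr-x  1 root   web     2687 Feb 13  2012 report
drwxrwxrwt  4 root   wheel     10 Apr 16  2010 scratch
drwxrwxrwx  4 vijay  wheel     10 Apr 16  2010 dropbox
-rw-r--r--  2 vijay  wheel 368884 Feb 13  2012 news.txt
EOF
}

sample_listing | audit_listing
```

An uppercase `S` or `T` in a listing means the special bit is set without the matching execute bit, which `mode_to_octal` reports as, for example, 4644 rather than 4755.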


File flags (FreeBSD specific)

In FreeBSD, file flags are used to prevent accidental editing or removal of files (non-directory) by root and/or the file owners.

To view them:
# ls -lo /etc | grep rc.conf
-rw-r--r--  1 root  wheel  schg 1897 Mar  1 2012  rc.conf

In the above case, the 'schg' flag makes the file rc.conf unmodifiable, even by the superuser (root), until the flag is removed. This feature provides one additional level of protection for important files against accidental modification by the system administrator(s).

Super user (root) only assignable flags

  • sappnd, sappend : sets the system append-only flag (by super-user only)
  • sunlnk, sunlink : sets the system undeletable flag (by super-user only)
  • schg, schange, simmutable : sets the system immutable flag (by super-user only)

Normal user assignable flags

  • uappnd, uappend : sets the user append-only flag (by owner or super-user only)
  • uunlnk, uunlink : sets the user undeletable flag (by owner or super-user only)
  • uchg, uchange, uimmutable : sets the user immutable flag (by owner or super-user only)

To edit these flags, use the chflags command. For example:
# chflags sunlink testfile   => Undeletable
# chflags nosunlink testfile

# chflags schg httpd.conf  => System immutable (no change) flag
# chflags noschg httpd.conf

File Ownership

To change the file ownership:
# chown -R vijay:wheel *

Note: Unix commands and file locations used here have been tested on FreeBSD systems.