File and Directory Permissions


The objective of this lab is to understand file and directory permissions

Users and Groups

Get existing users and groups

Let us start by looking at users and groups that exist on a Linux system after installation.

Check groups on Linux system

To list groups on your Linux system use (command below shows last three groups):

cat /etc/group | tail -3

Check users on Linux system

To list users on your Linux system use (command below shows last four users):

cat /etc/passwd | tail -4
lightdm:x:116:122:Light Display Manager:/var/lib/lightdm:/bin/false
mark:x:1000:1000:Mark Fernandes,,,:/home/mark:/bin/bash
mfernand-stu:x:1001:1001:MySeneca user:/home/mfernand-stu:/bin/bash

Notice each user:

  • gets their own group

    In the listing above, I have the user mfernand-stu (MySeneca user) and another user, mark; each of them has a group of their own. We can get more details about each user with the id command, like so:

    id mark
    id mfernand-stu
    uid=1000(mark) gid=1000(mark) groups=1000(mark),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(bluetooth),116(scanner)
    uid=1001(mfernand-stu) gid=1001(mfernand-stu) groups=1001(mfernand-stu)
  • gets their own home directory:

    ls -ld /home/*
    drwx------  2 root         root         16384 Sep 14 14:30 /home/lost+found
    drwxr-xr-x 14 mark         mark          4096 Nov  5 17:00 /home/mark
    drwxr-xr-x 27 mfernand-stu mfernand-stu  4096 Nov  9 08:04 /home/mfernand-stu

Add a new group

su -
addgroup developer
Adding group `developer' (GID 1002) ...

Add an existing user to the new group and verify

id mfernand-stu
usermod -g developer mfernand-stu
id mfernand-stu
uid=1001(mfernand-stu) gid=1001(mfernand-stu) groups=1001(mfernand-stu)
uid=1001(mfernand-stu) gid=1002(developer) groups=1002(developer)
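As an added example that is not part of the lab, the following script rebuilds the `id` output above from constructed excerpts of /etc/passwd and /etc/group. It shows where the uid, the primary gid and the supplementary groups come from, and why `usermod -g` left mfernand-stu in the developer group only. The file contents are constructed to match the listings in this section.

```shell
# Constructed /etc/passwd and /etc/group excerpts, modelled on the listings above and
# shown as they look AFTER `addgroup developer` and `usermod -g developer mfernand-stu`.
PASSWD='mark:x:1000:1000:Mark Fernandes,,,:/home/mark:/bin/bash
mfernand-stu:x:1001:1002:MySeneca user:/home/mfernand-stu:/bin/bash'
GROUP='cdrom:x:24:mark
mark:x:1000:
mfernand-stu:x:1001:
developer:x:1002:'

# Resolve a numeric gid to its name: /etc/group field 3 -> field 1.
gid_to_name() {
    printf '%s\n' "$GROUP" | awk -F: -v g="$1" '$3 == g { print $1 }'
}

# Rebuild the `id USER` line from the two files:
#   uid and primary gid are /etc/passwd fields 3 and 4;
#   supplementary groups are the /etc/group lines whose member list (field 4) names the user.
id_from_files() {
    user=$1
    entry=$(printf '%s\n' "$PASSWD" | awk -F: -v u="$user" '$1 == u')
    [ -n "$entry" ] || { echo "id: '$user': no such user" >&2; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    glist="$gid($(gid_to_name "$gid"))"
    for g in $(printf '%s\n' "$GROUP" |
              awk -F: -v u="$user" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $3 }'); do
        glist="$glist,$g($(gid_to_name "$g"))"
    done
    printf 'uid=%s(%s) gid=%s(%s) groups=%s\n' "$uid" "$user" "$gid" "$(gid_to_name "$gid")" "$glist"
}

# usermod -g REPLACED the primary gid (1001 -> 1002), so the private group mfernand-stu
# still exists in /etc/group but the user is no longer in it. usermod -aG developer
# would instead have kept gid 1001 and listed mfernand-stu in developer's member field.
id_from_files mark
id_from_files mfernand-stu
```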

User and Group permissions

The permissions table

Notice how turning r, w and x in rwx on and off corresponds to the bits of the binary values of the numbers between 1 and 7 turning on (1) and off (0): r is the 4 bit, w is the 2 bit and x is the 1 bit, so the octal digit is their sum.

Decimal  Binary  Octal  rwx
      0     000      0  ---
      1     001      1  --x
      2     010      2  -w-
      3     011      3  -wx
      4     100      4  r--
      5     101      5  r-x
      6     110      6  rw-
      7     111      7  rwx
      8   1 000     10  --x ---

A worked out example

  1. Create a directory in /tmp and change pwd into that directory

    cd /tmp
    rm -rf /tmp/rough_work
    mkdir -p rough_work/secrets
    cd /tmp/rough_work/secrets
  2. Recreate /tmp/rough_work/ using root account

    su -
    rm -rf /tmp/rough_work
    mkdir -p /tmp/rough_work/secrets
    ls -ld /tmp/rough_work
    ls -ld /tmp/rough_work/secrets
    drwxr-xr-x 3 root root 4096 Nov  9 14:01 /tmp/rough_work
    drwxr-xr-x 2 root root 4096 Nov  9 14:01 /tmp/rough_work/secrets
  3. Transfer ownership to user and login as that user

    su -
    chown -R mfernand-stu:developer /tmp/rough_work
    ls -ld /tmp/rough_work
    ls -ld /tmp/rough_work/secrets
    su - mfernand-stu
    drwxr-xr-x 2 mfernand-stu developer 4096 Nov  9 14:01 /tmp/rough_work
    drwxr-xr-x 2 mfernand-stu developer 4096 Nov  9 14:01 /tmp/rough_work/secrets
  4. Add two files and check their initial permissions and then change them

    cd /tmp/rough_work
    touch afile secrets/bfile
    ls -l afile secrets/bfile
    cat afile | wc
    -rw-r--r-- 1 mfernand-stu developer 0 Nov  9 14:11 afile
    -rw-r--r-- 1 mfernand-stu developer 0 Nov  9 14:11 secrets/bfile
          0       0       0
    echo 'OPS105 in afile' > afile
    cat afile
    cat afile | wc
    cat secrets/bfile | wc
    OPS105 in afile
          1       3      16
          0       0       0
  5. Initial permissions of afile and bfile are

    ls -l afile secrets/bfile
    -rw-r--r-- 1 mfernand-stu developer 16 Nov  9 14:11 afile
    -rw-r--r-- 1 mfernand-stu developer  0 Nov  9 14:11 secrets/bfile
  6. Take away write permissions from afile and read permission from bfile

    chmod u-w afile
    chmod 244 secrets/bfile
    ls -l afile secrets/bfile
    -r--r--r-- 1 mfernand-stu developer 16 Nov  9 14:11 afile
    --w-r--r-- 1 mfernand-stu developer  0 Nov  9 14:11 secrets/bfile
  7. Consequence of removing read permission on bfile

    cat afile secrets/bfile
    OPS105 in afile
    cat: secrets/bfile: Permission denied
  8. Consequence of removing write permission on afile

    echo 'another line for afile' > afile
    -bash: afile: Permission denied

    It is possible to write to bfile since bfile has write permission enabled but we cannot see the updates made because bfile does not have read permission.

    echo 'first line for bfile' > secrets/bfile
    ls -l afile secrets/bfile
    -r--r--r-- 1 mfernand-stu developer 16 Nov  9 14:11 afile
    --w-r--r-- 1 mfernand-stu developer 21 Nov  9 14:43 secrets/bfile
    cat afile secrets/bfile
    OPS105 in afile
    cat: secrets/bfile: Permission denied
    ls -l afile secrets/bfile
    -r--r--r-- 1 mfernand-stu developer 16 Nov  9 14:11 afile
    --w-r--r-- 1 mfernand-stu developer 21 Nov  9 14:44 secrets/bfile
  9. Set the permissions back to defaults

    chmod 644 afile
    chmod u=rw,go=r secrets/bfile
    ls -l afile secrets/bfile
    -rw-r--r-- 1 mfernand-stu developer 16 Nov  9 14:11 afile
    -rw-r--r-- 1 mfernand-stu developer 21 Nov  9 14:44 secrets/bfile
  10. After permissions are set back to their original values, it is possible to read and write to those same files as when they were initially created.

    echo 'another line for afile' > afile
    echo 'first line for bfile' > secrets/bfile
    cat afile secrets/bfile
    another line for afile
    first line for bfile
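As an added example that is not part of the lab, this script models the check the kernel performs when a user opens a file: it picks the owner, group or other triad from the `ls -l` mode string and tests the requested r/w/x bit. The `ls -l` lines and `id` lines are constructed copies of the afile/bfile listings above; the ID_MARK_DEV line is hypothetical (mark added to developer as a supplementary group). It reproduces the denials in steps 7 and 8 and helps reason about practice question 3 below, where a user outside the group is involved.

```shell
# Constructed sample data, in the shape of the ls -l and id output in this lab.
LS_LINES='-r--r--r-- 1 mfernand-stu developer 16 Nov  9 14:11 afile
--w-r--r-- 1 mfernand-stu developer 21 Nov  9 14:44 secrets/bfile
drwxr-xr-x 2 mfernand-stu developer 4096 Nov  9 14:01 secrets'
ID_STU='uid=1001(mfernand-stu) gid=1002(developer) groups=1002(developer)'
ID_MARK='uid=1000(mark) gid=1000(mark) groups=1000(mark),24(cdrom),29(audio)'
# Hypothetical: mark after being added to developer as a supplementary group.
ID_MARK_DEV='uid=1000(mark) gid=1000(mark) groups=1000(mark),1002(developer)'

# User name from an `id` line: uid=1000(mark) ... -> mark
user_of() { printf '%s\n' "$1" | sed 's/^uid=[0-9]*(\([^)]*\)).*/\1/'; }

# Group names from an `id` line, one per line: groups=1000(mark),24(cdrom) -> mark, cdrom
groups_of() { printf '%s\n' "$1" | sed 's/.*groups=//; s/[0-9]*(\([^)]*\))/\1/g' | tr ',' '\n'; }

# The kernel consults exactly ONE triad: owner if the uid matches, else group if the
# user is a member, else other. There is no fall-through between triads.
effective_triad() {
    mode=$1; owner=$2; group=$3; idline=$4
    if [ "$(user_of "$idline")" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c2-4
    elif groups_of "$idline" | grep -qx "$group"; then
        printf '%s\n' "$mode" | cut -c5-7
    else
        printf '%s\n' "$mode" | cut -c8-10
    fi
}

# can_access NAME OP IDLINE (OP is r, w or x): prints yes or no. This models the
# permission bits only; root (CAP_DAC_OVERRIDE) is not subject to them.
can_access() {
    name=$1; op=$2; idline=$3
    line=$(printf '%s\n' "$LS_LINES" | awk -v n="$name" '$NF == n')
    set -- $line                 # ls -l fields: mode links owner group size ...
    triad=$(effective_triad "$1" "$3" "$4" "$idline")
    case "$op" in r) pos=1 ;; w) pos=2 ;; x) pos=3 ;; *) echo no; return 1 ;; esac
    if [ "$(printf '%s\n' "$triad" | cut -c"$pos")" = "$op" ]; then echo yes; else echo no; fi
}

# Stand-alone run: reproduces the denials seen in steps 7 and 8 for the owner.
for f in afile secrets/bfile; do
    printf 'mfernand-stu %-13s read=%-3s write=%s\n' "$f" \
        "$(can_access "$f" r "$ID_STU")" "$(can_access "$f" w "$ID_STU")"
done
```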

Practice Questions

  1. Fill in the following table, assume aFile for file:

    No  Present    Desired    Octal            Symbolic
     1  rwxr-xr--  ---------  chmod 000 aFile  chmod a= aFile
     2  ---------  rwx------
     3  rwx------  rw-r--r--
     4  rw-r--r--  rwxr-xr-x
     5  rwxr-xr-x  rw-rw-r--
     6  rw-rw-r--  -w--w----
     7  -w--w----  --------x
     8  --------x  rwxr-x--x
     9  rwxr-x--x  r---w---x
    10  r---w---x  -------w-

    So in #1 above we could change the Present permissions of aFile into the Desired permissions by using octal or symbolic methods with either of the following two commands:

    # using octal, we can set the permissions as
    chmod 000 aFile
    # using symbolic, we can set the same permissions in one of several ways, some of them are
    chmod a= aFile
    chmod a-rwx aFile
    chmod u-rwx,g-rwx,o-rwx aFile

    When answering the symbolic part, practice using all three operators, +, - and =, since the present permissions are known before you set them to the desired ones. The octal method does not care what the existing permissions are, so octal is best used when you want to replace the existing permissions with new values, or when you do not know the present permissions before setting them.

  2. How does each permission, when set or unset, affect the following utilities when they access files and directories: cat, nano, ls, cd?

    Object Read Write Execute

    In other words, when the read permission is taken away from a file and from a directory, can cat still be used to see the contents of the file, and can ls still be used to see the contents of the directory?

  3. Create a file and make a directory, then zero out (remove) all permissions from both the file and the directory.
    • Now attempt to move the file into the directory. What are the minimum directory permissions needed to move the file into the directory?
    • After you have moved the file into the directory (the file should still have no permissions), what are the minimum permissions needed to edit the file, and to delete the file?
    • If the same permissions you gave the file so you could update and delete it were also given to group, will a user who isn't in the same group as you be able to delete the file?
    • How can you change the permissions of the file or the directory so that a non-group user could edit the file but not delete it?

  4. What does the execute permission on a directory affect? That is, if execute permission is taken away from a directory, which commands can no longer be used? Suppose you have the following directory structure:

       `-- ops105/
                `-- puzzleDir/
                            `-- secretFile

    What are the minimum permissions you need to give to the directories ops105 and puzzleDir so that anyone (user, group, others) can reach secretFile and see its contents but not change them? Only the user should be allowed to modify secretFile. What would the permissions for the ops105 and puzzleDir directories be? These minimum permissions are called pass-through permissions. What are they, and how would you set them using octal and using symbolic notation?

Last Updated: 2020-Nov-09 Mon 13:12