LPI Linux Certification in a Nutshell
Authors: Adam Haeder; Stephen Addison Schneiter; Bruno Gomes Pessanha; James Stanger
Tags: #Reference:Computers
New files are created with a default access mode that sets their initial permission bits. Regardless of your default umask, the access mode of an existing file can be changed at will.

When a new file is created, its protection bits are set according to the user's default. That default is established with the umask command, usually in a startup script. The command takes a single optional argument, an octal mode whose set bits are the user, group, and other permission bits to be cleared (masked) on newly created files and directories. Without an argument, umask reports the current value:

$ umask
0022

Given an octal value, umask sets the mask for the current shell and for every process that shell subsequently starts, since the umask is inherited across fork and exec:

$ umask 2
$ umask
0002

The value is read as octal, so leading zeros are optional: a umask of 22 is the same as 022, which is 000 010 010 in binary. The bash umask builtin also accepts a symbolic form (for example, umask u=rwx,g=rx,o= is the same as umask 027) and prints the current mask symbolically with umask -S, but the octal form is what the exam expects.
The process of creating the initial mode for a newly created file begins with a raw initial mode, as defined in Table 7-4: regular files are requested with 666 (no execute bits), directories with 777.

Table 7-4. Initial access modes

Form | For files | For directories
---|---|---
Symbolic | rw-rw-rw- | rwxrwxrwx
Binary | 110110110 | 111111111
Octal | 666 | 777
The special bits (SUID, SGID, and sticky) are never set on a newly created file, whatever the umask says. When a file is created, every bit that is set in the umask is cleared from 666; for a directory, it is cleared from 777. Strictly, the kernel computes mode & ~umask, a bitwise AND with the complement of the mask. The familiar "subtract the umask" shorthand gives the same answer only while every masked bit is present in the base mode; that holds for 666 and 777 against masks such as 022 or 027, but 666 minus 077 is 567, whereas 666 & ~077 is 600, which is what you actually get. The result is the effective protection mode of the file or directory. For example, a umask of 22 (022) applied to a new file clears the write bit for the group and other classes:

110 110 110
- 000 010 010
-------------
110 100 100

This is the same as mode 644, or rw-r--r--.
Using the same mask on a directory yields a similar result:

111 111 111
- 000 010 010
-------------
111 101 101

This is the same as mode 755, or rwxr-xr-x, which is appropriate for directories. A umask of 002 or 022 is typical. If you want maximum privacy, a umask of 077 clears every group and other bit, so new files (600) and directories (700) are accessible only to their owner; root is unaffected, because the superuser bypasses permission checks anyway. To set a custom umask, put the umask command in a startup script such as ~/.bash_profile. Here is the umask in action:

$ umask 27
$ touch afile
$ mkdir adir
$ ls -ld adir afile
drwxr-x--- 2 jdean jdean 1024 Jan 2 20:31 adir
-rw-r----- 1 jdean jdean 0 Jan 2 20:31 afile

In this case, the umask of 27 (027) leaves afile readable but not writable by members of the group and denies all access to everyone else; adir is likewise searchable but not writable by the group and closed to others.
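The umask arithmetic above, as an added example that is not part of the book: a short POSIX shell script that computes the effective mode the way the kernel does (mode & ~umask), shows where the "subtract the umask" shorthand breaks, renders an octal mode as the rwx string ls prints (including the s/S and t/T forms of the special bits), and finally creates a real file and directory under a given umask to confirm the prediction against ls. The function names (effective_mode, subtract_mode, mode_to_symbolic, observed_modes) are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): predict and verify the effect of a umask.

# effective_mode BASE UMASK -> four-digit octal mode, as the kernel computes it.
# The leading 0 makes the shell read both arguments as octal; & 0777 drops the
# special bits, which are never set on a freshly created file.
effective_mode() {
    printf '%04o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

# subtract_mode BASE UMASK -> what the "subtract the umask" shorthand gives.
# It agrees with effective_mode only when every masked bit is set in BASE.
subtract_mode() {
    printf '%04o\n' "$(( 0$1 - 0$2 ))"
}

# mode_to_symbolic OCTAL -> the nine-character rwx string ls prints for it.
mode_to_symbolic() {
    m=$(( 0$1 ))
    out=""
    for pos in 6 3 0; do                      # user, group, other
        bits=$(( (m >> pos) & 7 ))
        case $pos in
            6) special=$(( m & 04000 )); lc=s; uc=S ;;   # SUID lives in the user triplet
            3) special=$(( m & 02000 )); lc=s; uc=S ;;   # SGID in the group triplet
            0) special=$(( m & 01000 )); lc=t; uc=T ;;   # sticky in the other triplet
        esac
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ "$special" -ne 0 ]; then
            # ls shows s/t when the execute bit is also set, S/T when it is not
            if [ $(( bits & 1 )) -ne 0 ]; then out="${out}${lc}"; else out="${out}${uc}"; fi
        elif [ $(( bits & 1 )) -ne 0 ]; then
            out="${out}x"
        else
            out="${out}-"
        fi
    done
    printf '%s\n' "$out"
}

# observed_modes UMASK -> "FILEMODE DIRMODE" as ls prints them for a file and a
# directory created in a scratch directory under UMASK. The umask is changed
# only inside a subshell, so the caller's own mask is untouched.
observed_modes() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$tmp/afile"
        mkdir "$tmp/adir"
    )
    f=$(ls -ld "$tmp/afile" | cut -c2-10)
    d=$(ls -ld "$tmp/adir" | cut -c2-10)
    rm -rf "$tmp"
    printf '%s %s\n' "$f" "$d"
}

# Demonstration: predicted modes for common masks, the shorthand's failure
# case, and an on-disk check of the book's umask 027 example.
for mask in 022 002 027 077; do
    fm=$(effective_mode 666 "$mask"); dm=$(effective_mode 777 "$mask")
    printf 'umask %s: file %s (%s)  dir %s (%s)\n' "$mask" \
        "$fm" "$(mode_to_symbolic "$fm")" "$dm" "$(mode_to_symbolic "$dm")"
done
printf 'umask 077 on a file: subtraction gives %s, mode & ~umask gives %s\n' \
    "$(subtract_mode 666 077)" "$(effective_mode 666 077)"
printf 'ls reports under umask 027: %s\n' "$(observed_modes 027)"
```

observed_modes is the check worth keeping around: if a hardened system ships a restrictive umask in a profile script, creating a file and reading back its mode from ls is the only way to be sure the setting actually reached the shell you are in.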
As you can see in the output of the previous example, ls adds an extra character at the beginning of the mode string for the adir directory. This character indicates the type of file being listed and is not part of the access mode. The letter d indicates a directory, a - indicates a regular file, the letter l indicates a symbolic link, a b indicates a block device (such as a disk), and a c indicates a character device (such as a terminal). You may also see p for a named pipe (FIFO) and s for a socket.
Access modes are changed with the chmod command, which accepts either octal or symbolic access mode specifications. Octal modes, as shown in the previous section, replace the whole mode explicitly. Many people prefer the symbolic form because it modifies an existing mode instead of replacing it outright. A symbolic mode specification has three parts, each made up of individual characters, as shown in Table 7-5.

Table 7-5. Symbolic modes for the chmod command

Category | Mode | Description
---|---|---
User class | u | User (owner)
| g | Group
| o | Other
| a | All classes (same as ugo)
Operation | - | Take away permission
| + | Add permission
| = | Set permission exactly, clearing the named class's other bits
Permissions | r | Read permission
| w | Write permission
| x | Execute permission
| X | Execute permission, but only if the file is a directory or already has execute permission for some class
| s | SUID (with u) or SGID (with g)
| t | Sticky bit
The user class characters and the permission characters may each be grouped into compound expressions, such as ug for user and group combined or rw for read and write, and several specifications may be joined with commas (u+x,go-w). Here are some examples of symbolic mode specifications:

u+x
Add execute permission for the user.

go-w
Remove write permission from the group and other classes.

o+t
Set the sticky bit.

a=rw
Set read and write, but not execute, permission for everyone.

a+X
Give everyone execute permission on directories and on those files that already have execute permission for some class. Plain files without any execute bit are left alone, which is what makes a+X safe to use with -R where a+x would turn every data file into an executable.

The chmod command is the tool used to make these modifications.
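Symbolic modes are easy to misjudge when several clauses, X, or the special bits are involved, so here is an added example, not taken from the book or from coreutils, that applies a chmod-style symbolic specification to an octal mode in plain POSIX shell and prints the resulting mode. It follows the GNU chmod rules: an empty class list means a, X adds execute only to directories or files that already have an execute bit, s is gated to the u and g classes and t to o, and = clears the named classes' bits but keeps SUID/SGID on a directory unless s is named explicitly. The umask-limiting that real chmod applies to class-less clauses such as +w is deliberately not modelled (umask 0 is assumed). The function names apply_clause and chmod_sym are this example's own.

```shell
#!/bin/sh
# Added example (not from the book or coreutils): evaluate chmod symbolic
# modes against an octal mode, e.g. chmod_sym 0644 "u+x,go-w" 0 -> 0744.

# apply_clause MODE CLAUSE IS_DIR -> new mode, 4 octal digits.
# CLAUSE is one "[ugoa]*[-+=][rwxXst]*" item, e.g. go-w, a=rw, g+s, +t.
apply_clause() {
    mode=$(( 0$1 ))
    clause=$2
    is_dir=${3:-0}

    who=${clause%%[-+=]*}          # class letters before the operator
    rest=${clause#"$who"}
    op=${rest%"${rest#?}"}         # first character of rest: -, + or =
    perms=${rest#?}                # permission letters after the operator
    [ -z "$who" ] && who=a         # no class given means all classes

    # Bits owned by the named classes: rwx plus that class's special bit
    # (GNU treats SUID as part of u, SGID as part of g, sticky as part of o).
    affected=0; rwx_mask=0
    case $who in *u*|*a*) affected=$(( affected | 04700 )); rwx_mask=$(( rwx_mask | 0700 )) ;; esac
    case $who in *g*|*a*) affected=$(( affected | 02070 )); rwx_mask=$(( rwx_mask | 0070 )) ;; esac
    case $who in *o*|*a*) affected=$(( affected | 01007 )); rwx_mask=$(( rwx_mask | 0007 )) ;; esac

    # Bits the clause asks for, limited to the named classes.
    value=0
    case $perms in *r*) value=$(( value | (0444 & rwx_mask) )) ;; esac
    case $perms in *w*) value=$(( value | (0222 & rwx_mask) )) ;; esac
    case $perms in *x*) value=$(( value | (0111 & rwx_mask) )) ;; esac
    case $perms in *X*)            # execute only for directories or already-executable files
        if [ "$is_dir" -ne 0 ] || [ $(( mode & 0111 )) -ne 0 ]; then
            value=$(( value | (0111 & rwx_mask) ))
        fi ;;
    esac
    case $perms in *s*) value=$(( value | (06000 & affected) )) ;; esac
    case $perms in *t*) value=$(( value | (01000 & affected) )) ;; esac

    case $op in
        +) mode=$(( mode | value )) ;;
        -) mode=$(( mode & ~value )) ;;
        =)
            # On a directory, = leaves SUID/SGID alone unless s is named explicitly.
            if [ "$is_dir" -ne 0 ]; then
                case $perms in *s*) ;; *) affected=$(( affected & ~06000 )) ;; esac
            fi
            mode=$(( (mode & ~affected) | value )) ;;
        *) printf 'bad clause: %s\n' "$clause" >&2; return 1 ;;
    esac
    printf '%04o\n' "$(( mode & 07777 ))"
}

# chmod_sym MODE SPEC [IS_DIR] -> mode after applying the comma-separated SPEC.
chmod_sym() {
    mode=$1; is_dir=${3:-0}
    oldifs=$IFS; IFS=,
    set -- $2                      # split SPEC on commas
    IFS=$oldifs
    for clause in "$@"; do
        mode=$(apply_clause "$mode" "$clause" "$is_dir") || return 1
    done
    printf '%s\n' "$mode"
}

# Demonstration with the book's examples (0 = regular file, 1 = directory).
for case_ in "0644 u+x 0" "0666 go-w 0" "0755 a=rw 0" "0644 a+X 0" "0644 a+X 1" \
             "0770 g+s,o+t 1" "4755 u=rw 0" "2770 g=rwx 1" "2770 g=rwx 0"; do
    set -- $case_
    printf 'chmod %-10s on %s (%s) -> %s\n' "$2" "$1" \
        "$([ "$3" -ne 0 ] && echo dir || echo file)" "$(chmod_sym "$1" "$2" "$3")"
done
```

The two g=rwx lines at the end are the case worth remembering from a hardening point of view: the same symbolic clause strips SGID from a file but leaves it on a directory, so a recursive chmod that is meant to remove setgid from executables will not touch the setgid directories it walks through.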
The steps you might use to create a useful workgroup directory for a small team are described briefly here. The goals for the directory are as follows:

- The workgroup is called sales and has members jdoe, bsmith, and jbrown.
- The directory is /home/sales.
- Only the creator of a file in /home/sales should be able to delete it.
- Members shouldn't have to worry about file ownership, and all group members need full access to the files.
- Nonmembers should have no access to any of the files.

The following steps satisfy these goals:

1. Create the new group:
# groupadd sales

2. Add the existing users to the group (-a appends sales to each user's supplementary groups instead of replacing them):
# usermod -a -G sales jdoe
# usermod -a -G sales bsmith
# usermod -a -G sales jbrown

3. Create a directory for the group:
# mkdir /home/sales

4. Set the group ownership of the new directory:
# chgrp sales /home/sales

5. Protect the directory from others:
# chmod 770 /home/sales

6. Set the SGID bit so that every new file created in the directory belongs to the sales group. Also set the sticky bit so that a file can be deleted or renamed only by its owner (or by the directory's owner, or root):
# chmod g+s,o+t /home/sales

7. Test it:
# su - jdoe
$ cd /home/sales
$ touch afile
$ ls -l afile
-rw-rw-r-- 1 jdoe sales 0 Jan 3 02:44 afile
$ exit
# su - bsmith
$ cd /home/sales
$ rm afile
rm: cannot unlink 'afile': Operation not permitted

After the ls command, we see that the group ownership is correctly set to sales. After the rm command, we see that bsmith cannot delete afile, which was created by jdoe. Note also that although afile has mode 664, the directory containing it has mode 770 (3770 once the SGID and sticky bits are added), so users outside the group cannot reach the file at all, let alone read it. Two practical points: group membership added with usermod is picked up only at the next login, which is why the test uses su - rather than an already running shell; and afile came out 664 because jdoe's umask is 002. With the more common 022 the file would be 644 and other members could not write to it, so workgroup members should use a umask of 002 or 007.
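The recipe above as a script, added here rather than taken from the book, with the checks a practitioner would run afterwards: that ls shows drwxrws--T (the rendering of mode 3770), that the directory belongs to the right group, and that a file created inside it inherits that group. The group and user names are the ones from the steps; the function names are this example's own. The account steps need root and are wrapped in setup_sales_workgroup for the reader to call; what runs by default is a dry run of the directory part on a scratch directory owned by the caller's primary group, so it works as an ordinary user and leaves no trace.

```shell
#!/bin/sh
# Added example (not the book's listing): workgroup directory setup plus checks.

# ensure_group NAME: create the group if it does not exist (root only).
ensure_group() {
    getent group "$1" >/dev/null 2>&1 || groupadd "$1"
}

# add_members GROUP USER...: append each user to GROUP (-a keeps existing groups).
add_members() {
    g=$1; shift
    for u in "$@"; do usermod -a -G "$g" "$u"; done
}

# make_shared_dir DIR GROUP: create DIR, hand it to GROUP, and set mode 3770:
# rwx for owner and group, nothing for others, SGID so new files inherit GROUP,
# sticky so only a file's owner can delete it.
make_shared_dir() {
    mkdir -p "$1" &&
    chgrp "$2" "$1" &&
    chmod 770 "$1" &&
    chmod g+s,o+t "$1"
}

# dir_mode_string PATH -> the ten-character type+mode field from ls -ld,
# e.g. "drwxrws--T" for a 3770 directory (capital T: sticky set, o+x not set).
dir_mode_string() {
    ls -ld "$1" | cut -c1-10
}

# file_group PATH -> the group name (or numeric gid) shown by ls -ld.
file_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# check_shared_dir DIR GROUP: verify mode, group, and group inheritance by
# creating and removing a probe file. Prints "ok" on success.
check_shared_dir() {
    [ "$(dir_mode_string "$1")" = "drwxrws--T" ] || { echo "bad mode on $1"; return 1; }
    [ "$(file_group "$1")" = "$2" ] || { echo "bad group on $1"; return 1; }
    probe="$1/.probe.$$"
    : > "$probe" || return 1
    g=$(file_group "$probe"); rm -f "$probe"
    [ "$g" = "$2" ] || { echo "new file got group $g, not $2"; return 1; }
    echo ok
}

# setup_sales_workgroup: the real thing, to be run as root on the target host.
setup_sales_workgroup() {
    ensure_group sales &&
    add_members sales jdoe bsmith jbrown &&
    make_shared_dir /home/sales sales &&
    check_shared_dir /home/sales sales
}

# Default action: unprivileged dry run of the directory recipe on a scratch
# directory owned by the caller's primary group (id -gn).
scratch=$(mktemp -d)
make_shared_dir "$scratch/sales" "$(id -gn)"
printf '%s  group=%s  check=%s\n' "$(dir_mode_string "$scratch/sales")" \
    "$(file_group "$scratch/sales")" "$(check_shared_dir "$scratch/sales" "$(id -gn)")"
rm -rf "$scratch"
```

check_shared_dir is the part to keep in a configuration audit: a shared directory that has lost its SGID bit (for example after a restore from backup) silently starts producing files in the creator's primary group, which is exactly the "nonmembers have no access" guarantee quietly failing.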
On the Exam
For the exam, you should be prepared to answer questions on file
and directory permissions in both
symbolic and numeric (octal) forms. You should also be
able to translate between the two forms given an example.
chmod

chmod [options] symbolic_mode[,symbolic_mode]... files
chmod [options] octal_mode files
chmod [options] --reference=rfile files

Modify the access mode on files. In the first form, use one or more comma-separated symbolic_mode specifications to modify files. In the second form, use an octal_mode to modify files. In the third form, use the mode of rfile as a template to be applied to files.

-c, --changes
Like verbose mode, but report only the files whose mode actually changed.

-R, --recursive
Use recursive mode, descending through directory hierarchies under files and making modifications throughout.

-v, --verbose
Use verbose behavior, reporting actions for all files.

Set the mode for a file to rw-r--r--, using an octal specification:

$ chmod 644 afile
$ ls -l afile
-rw-r--r-- 1 jdean jdean 0 Jan 2 20:31 afile

Set the same permission using a symbolic specification, with the verbose option (the mode was already 644, so chmod reports it as retained):

$ chmod -v u=rw,go=r afile
mode of afile retained as 0644 (rw-r--r--)

Recursively remove all permissions for other on a directory:

$ chmod -R -v o-rwx adir
mode of adir retained as 0770 (rwxrwx---)
mode of adir/file1 changed to 0660 (rw-rw----)
mode of adir/file2 changed to 0660 (rw-rw----)
mode of adir/file3 changed to 0660 (rw-rw----)
mode of adir/file4 changed to 0660 (rw-rw----)
mode of adir/dir1 changed to 0770 (rwxrwx---)
mode of adir/dir1/file6 changed to 0660 (rw-rw----)
mode of adir/dir1/file5 changed to 0660 (rw-rw----)
mode of adir/dir2 changed to 0770 (rwxrwx---)

Set the sticky bit on a directory:

$ chmod -v +t adir
mode of adir changed to 1770 (rwxrwx--T)

The capital T in the last column means the sticky bit is set but other has no execute permission; a lowercase t (and likewise s versus S for SUID and SGID) means both bits are set.
Modification of ownership parameters may become necessary when moving files, setting up workgroups, or working in a user's directory as root. This is accomplished with the chown command, which can change user and group ownership, and the chgrp command, which modifies group ownership only.
chown

chown [options] user-owner files
chown [options] user-owner. files
chown [options] user-owner.group-owner files
chown [options] .group-owner files
chown [options] --reference=rfile files

Used to change the owner and/or group of files to user-owner and/or group-owner. In the first form, user-owner is made the owner of files and the group is not affected. In the second form (note the trailing dot on user-owner), user-owner is made the owner of files, and the group of the files is changed to user-owner's login (primary) group. In the third form, both user-owner and group-owner are assigned to files. In the fourth form, only group-owner is assigned to files, and the user is not affected. In the fifth form, the owner and group of rfile are used as a template and applied to files. Only the superuser may change the user ownership of a file (a user who could give files away could, for example, evade disk quotas); an unprivileged user may change the group of a file they own, but only to a group they are a member of.

Note that historically BSD systems have used the user.group syntax, whereas SysV-based systems have used user:group (: instead of .). Older versions of GNU chown accepted only the BSD syntax; current versions accept both, but the colon form is preferred, because a username may itself contain a dot, which makes the dot form ambiguous.
-c, --changes
Like verbose mode, but report only the files whose ownership actually changed.

-R, --recursive
Use recursive mode, descending through directory hierarchies under files and making modifications throughout.

-v, --verbose
Use verbose behavior, reporting actions for all files.

As root, set the user owner of a file:

# chown -v jdoe afile
owner of afile changed to jdoe

As root, set the user and group owner of a file (chown -v jdoe:sales afile is the equivalent colon form):

# chown -v jdoe.sales afile
owner of afile changed to jdoe.sales