File and Directory Permissions - Part II
Difficulty: Intermediate
Duration: 1h 13m
Students: 245
Ratings: 4.5/5

Description
Description

This course covers the security features that you can use in order to secure your files and directories on Linux. We look at permissions, data sharing, special modes, file attributes, ACLs, and rootkits. You will also have the chance to follow along with guided demonstrations which will give you a practical understanding of the concepts covered.

Learning Objectives

  • Learn how Linux file and directory permissions work and how to apply the proper permissions to files and directories
  • Learn how to share data securely with groups and multiple users on a Linux system
  • Understand how special modes add extra security to file systems
  • Learn how to make files unchangeable even by the root user and how to secure the log files on a Linux system by making them append-only
  • Learn how to secure files and directories using ACLs
  • Learn about rootkits and how to discover and remove them

Intended Audience

This course is intended for anyone who wants to understand how to secure their Linux systems.

Prerequisites

To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.

Transcript

When you create a file, its group is set to your primary group. So if you're a member of multiple groups, for example, the sales and training groups, and sales is your primary or first group, then when you create a new file it will be in the sales group. If you wanna change the group of a file, use the chgrp command. You can see that when I created the sales.data file, it was put in my primary group, which is jason. I'm also a member of the sales group, so let's change the group to sales for this file. Now we can see that the group is sales, and let's give permissions so that other people in the sales group can edit the file. There we go. So, instead of keeping files in different people's home directories, maybe you could have a common place to store these. So on this system there's a user local sales directory and you can see that the sales group has read, write and execute permissions for that. So I'm gonna put this shared file in that shared location. Now, anyone that is a member of the sales group can edit that file.

Let's look at directory permissions again. Permissions on a directory can affect the files in that directory. The common problem is having proper permissions set on a file within a directory, only to have the incorrect permissions set on the directory itself. Not having the correct permissions on a directory can prevent the execution of the file, for example. If you are sure that a file's permission is correct, start looking at the directory it's in. And then look at that directory's parent directory and work your way all the way towards the root of the file system. The permissions are set to 755 on this directory. And if I look in the directory I see one file. And that is an executable file and it currently works. So let's change the directory permissions on my cat to 400. And now I only have read permission; I don't have write or execute permission on that directory. You can see that the only information I get from ls is the file name that is in that directory, because of the read permission. Since the permissions are set improperly on the directory, I can't even execute the file that's in that directory. Let's change the permissions to give me execute permissions on that directory. And now we see that it works. And you can also see that ls -l works.

The file creation mask is what determines the permissions a file will receive when it's created. If no mask were used, then the default permissions would be 777 for directories and 666 for files. The file creation mask is typically set by system administrators to some sane default. However, it can be overridden on a per-user basis by using the umask command. The umask command sets the file creation mask to the mode that you pass to it. If you use a -S, that means umask will display and accept symbolic notation. The mode supplied to umask works in the opposite way as the mode given to chmod. So when you give chmod seven, that's interpreted to mean read, write and execute permission, or all permissions. However, when you supply seven to umask, that is interpreted to mean no permission, or all permissions off. So you can think of chmod as turning on or adding and giving permissions, while umask turns off, subtracts or takes away permissions. A quick way to estimate what a umask mode will do to the default permissions is to subtract the octal umask mode from 777 in the case of directories and from 666 in the case of files. For example, let's take a umask of 022. If we subtract that from 777, we are left with a default file creation mode of 755 for directories, and 666 minus 022 is 644. So for files the default file creation mode is 644. If we use a umask of 002, then we'll have the default permissions for directories of 775 and 664 for files. Using a umask of 002 is ideal for working with members of your group, since the permissions allow members of the group to manipulate those files and directories that you create.

Again, this method of subtracting these permissions is an estimation, so here's an example of using a umask where this breaks down a little bit. So the umask is 007; if you subtract that from 777, you're left with 770 for directory permissions, which is fine. However, 666 minus 007 would leave you with six, six, negative one. So, there is no negative one permission, there's just no permission. So, it breaks down a little bit, but it gives you a good idea of what to expect. Here are some fairly common umasks: 022, 002, 077 and 007. This table contains all the resulting permissions created by each and every one of the eight umask permutations.

If you were to run umask without any arguments, it will display the umask in four characters instead of the three that we've been working with. The three characters we've been working with represent user, group and other. However, there is one other class, and this class is considered special modes. And these special modes are setuid, setgid and sticky. Just know that the special modes are declared by prepending a character to the octal mode that you normally use with umask or chmod. So the important point here is to know that umask 0022 is exactly the same as umask 022. Or chmod 0644 is the same as chmod 644. We're not gonna cover these special modes in this course, but I wanted you to be aware that, one, they exist and, two, they're the reason why umask is displayed in four characters instead of three.

You can see that our umask is set to 0022. Using a capital S we can get symbolic mode. Let's see what the default permissions are. The touch command either creates a file if it doesn't exist or it updates the timestamp of a file. So we see the directory was created with 755 permissions and the file 644. Let's set umask to use 007. Oops! And umask 0007 is the same as 007. And in this case we can see that directories are created with 770 permissions and files are created with 660 permissions.

Permissions can be represented by symbols or numbers. The effect permissions have on directories is slightly different than they have on files. We talked about how to change permissions with the chmod command. We talked about some strategies of working with members of your group, and finally we covered the file creation mask and the umask command.
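The umask estimate from the transcript, as an added example that is not part of the course material: the script compares digit-by-digit subtraction with the bitwise rule the kernel applies (default AND NOT mask) and then creates a real directory and file under each mask to confirm the result. It goes one step beyond the transcript by including the mask 033, where subtraction yields a plausible but wrong answer; the function names are illustrative and `stat -c %a` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: subtraction estimate vs. the real umask rule.
# Assumes GNU stat (stat -c %a); function names are illustrative.

# Real rule: created mode = default mode AND NOT umask.
predict_mode() {   # $1 = default (777 dirs, 666 files), $2 = 3-digit umask
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Transcript's quick estimate: subtract each octal digit (3-digit inputs).
estimate_mode() {  # same arguments; can print a negative digit
    d=$1 m=$2 out=
    for i in 1 2 3; do
        out="$out$(( ${d%"${d#?}"} - ${m%"${m#?}"} ))"
        d=${d#?} m=${m#?}
    done
    printf '%s\n' "$out"
}

# Ground truth: create a directory and a file under the mask and read
# their modes back. Runs in a subshell so the caller's umask is untouched.
actual_modes() {   # $1 = umask; prints "<dir mode> <file mode>"
    (
        umask "$1"
        t=$(mktemp -d) || exit 1
        mkdir "$t/d" && : > "$t/f"
        echo "$(stat -c %a "$t/d") $(stat -c %a "$t/f")"
        rm -rf "$t"
    )
}

for mask in 022 002 077 007 033; do
    printf 'umask %s  file estimate=%-5s file rule=%s  created(dir file)=%s\n' \
        "$mask" "$(estimate_mode 666 "$mask")" \
        "$(predict_mode 666 "$mask")" "$(actual_modes "$mask")"
done
```

For 007 the estimate shows the negative digit the transcript mentions, while for 033 it prints 633 even though files are actually created as 644, because a mask bit that is not set in the default mode has nothing to remove.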
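The troubleshooting walk described in the transcript (check the file's directory, then each parent up to the root), as an added example that is not part of the course material. It reports every directory on the path whose owner lacks execute (search) permission; the directory name `mycat`, the script name and the owner-only check are assumptions made for the demonstration, and `stat -c %a` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: walk from a file's directory up to / and list every
# directory whose owner has no execute (search) bit. Owner-only check and
# all names below are assumptions for the demo; assumes GNU stat.

blocking_dirs() {  # $1 = path to a file; prints "<mode> <dir>" per finding
    case $1 in /*) p=$1 ;; *) p=$PWD/$1 ;; esac   # make the path absolute
    dir=$(dirname -- "$p")
    while :; do
        mode=$(stat -c %a -- "$dir") || return 1
        # 0100 is the owner's execute bit; on a directory it means "search".
        [ $(( 0$mode & 0100 )) -ne 0 ] || printf '%s %s\n' "$mode" "$dir"
        [ "$dir" = "/" ] && break
        dir=$(dirname -- "$dir")
    done
}

# Constructed reproduction of the demo: an executable inside a directory
# that is switched from 755 to 400 and then given its execute bit back.
demo() {           # prints "<findings at 400> <findings at 500>"
    t=$(mktemp -d) || return 1
    mkdir "$t/mycat"
    printf '#!/bin/sh\necho ok\n' > "$t/mycat/run.sh"
    chmod 755 "$t/mycat/run.sh"

    chmod 400 "$t/mycat"      # read only: names are listable, nothing more
    broken=$(blocking_dirs "$t/mycat/run.sh" | wc -l | tr -d ' ')

    chmod 500 "$t/mycat"      # read + search: the file is reachable again
    fixed=$(blocking_dirs "$t/mycat/run.sh" | wc -l | tr -d ' ')

    chmod 700 "$t/mycat" && rm -rf "$t"
    echo "$broken $fixed"
}

demo
```

The check reads mode bits rather than attempting access, so it gives the same answer when run as root, which would otherwise pass through the directory regardless of its mode.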

About the Author
Students: 21254
Courses: 61
Learning Paths: 18

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Amazon.com. Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.