Lecture 11 (File Permissions)

  • 8/6/2019 Lecture 11 (File Permissions)

    28/10/10 Punjab University College of Information Technology (PUCIT) 1

    Instructor: Arif Butt. TA: Dilawer Hussain.

    Lecture # 10

    File Permissions

    Course: Intro to Computing

    Instructor: Arif Butt

    TA: Dilawer Hussain

    Punjab University College of Information Technology (PUCIT)

    University of the Punjab

    Today's Agenda

    Introduction to Permissions

    Changing Permissions

    Symbolic Method

    Binary Method

    Special Access Bit

    Permissions Lab

    Introduction to Permissions

    Permission Types Diagram

    Introduction

    Users

    Every user of a system is assigned a unique UID. User names and UIDs are stored in the /etc/passwd file. Users cannot read, write or execute each other's files without permission.

    Groups

    Users are assigned to groups, each with a unique GID. GIDs are stored in /etc/group. In Red Hat, each user is given his own private group by default (the primary group). He/she can belong to other groups (secondary groups) to gain additional access. All users in a group can share files that belong to that group.

    Levels of Permission

    There are three levels of permissions to files and directories in Linux. These levels correspond to the following three categories:

    User/owner (u): The owner is the user who created the file. Any file you create, you own.

    Group (g): A user/owner of a file can grant access to the file to the members of a designated group.

    Others (o): A user/owner of a file can also open up access to the file to all other users on the system.

    Categories of Permission (Files)

    Each level, or category, has associated privileges. These privileges come in the form of three permissions.

    For files the permissions have the following meanings:

    READ (r): Enables users to open a file and read its contents using less, more, head, tail, cat, grep, sort, view.

    WRITE (w): Enables users to open a file and change its contents using vi, vim.

    EXECUTE (x): Enables users to execute files as commands.

    Displaying Permissions

    Examining the following long listing of the /etc/passwd file gives:

    (File access Permission) (Number of links) (User) (Group) (File Size) (Last Modification Date) (LM Time)

    Displaying Permissions (cont..)

    Displaying Permissions (cont..)

    When a user accesses a file, the user is compared with the permission set of the file:

    If the user matches, the user permissions apply.

    If the group matches, but the user does not, the group permissions apply.

    If neither matches, the other permissions apply.
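
    The three-way comparison above, written out as an added example (not part of the original slides). All UIDs, GIDs and modes are constructed, and the function names are hypothetical; it also shows that only the first matching category is consulted.

```sh
#!/bin/sh
# Added example (not from the slides). All IDs and modes are constructed.

# perm_class UID "GID GID ..." FILE_UID FILE_GID
# Prints the single category whose permissions apply: user, group or other.
perm_class() {
    if [ "$1" -eq "$3" ]; then echo user; return 0; fi
    for g in $2; do
        if [ "$g" -eq "$4" ]; then echo group; return 0; fi
    done
    echo other
}

# allowed MODE CATEGORY WANT
# MODE is three octal digits; WANT is r, w or x. Exit status 0 means granted.
allowed() {
    case $2 in
        user)  digit=$(( (0$1 >> 6) & 7 )) ;;
        group) digit=$(( (0$1 >> 3) & 7 )) ;;
        *)     digit=$(( 0$1 & 7 )) ;;
    esac
    case $3 in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
    [ $(( digit & bit )) -ne 0 ]
}

# check UID "GIDS" FILE_UID FILE_GID MODE WANT -> "category:granted|denied"
check() {
    c=$(perm_class "$1" "$2" "$3" "$4")
    if allowed "$5" "$c" "$6"; then echo "$c:granted"; else echo "$c:denied"; fi
}

# Constructed file: owner uid 1001, group gid 2001, mode 640 (rw- r-- ---).
check 1001 "1001" 1001 2001 640 w   # the owner writes
check 1002 "2001" 1001 2001 640 w   # a group member tries to write
check 1003 "2002" 1001 2001 640 r   # everyone else tries to read
# Only the first matching category is consulted: with mode 047 the owner is
# denied read even though the "other" category has it.
check 1001 "1001 2001" 1001 2001 047 r
```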

    Categories of Permission (Directories)

    READ: Users can view filenames in the directory.

    WRITE: Users can create and delete files in the directory.

    EXECUTE: Users can search in the directory and change to it using the cd command.

    Examples

    --x permissions on a directory will not let the user view the directory contents or create or delete files in that directory. However, the user can run an executable file located in that directory.

    r-x permissions on a directory are OK; ls can be done.

    -wx permissions on a directory are OK; a file can be created in this directory, however ls cannot be done.

    rw-, r-- or -w- permissions on a directory have no effect if the execute bit is not set.

    chmod Command

    chmod is used to change file access permission

    SYNOPSIS

    Description

    chmod takes two lists as its arguments: permission changes and filenames.

    Changing Permissions

    Symbols for Level

    The table below lists the level options that can be used with the chmod command.

    Symbols for Permission

    + Add the following permissions (does not affect other permissions)

    - Remove the following permissions (does not affect other permissions)

    = Assigns entire set of permissions

    Adding Rights to a File

    Adding write privileges for the group can be done by running chmod as follows:

    Examining the permissions of the /etc/passwd file after the modifications shows the following:

    Write bit added

    Removing Rights from a File

    Removing the write bit from the group can be done by running chmod as follows:

    Examining the permissions of the /etc/passwd file after the modifications shows the following:

    Write bit removed

    Settings

    Here are some common examples of settings that can be used with chmod:

    Examples

    Add the execute permission and remove the write permission for the mydata file for all categories (i.e. user, group and other). The read permission is not changed.

    Set the permissions for the group to read and write.

    Set permissions for other users to read.

    Set the read permission for other users, but the write and execute permissions are removed.

    Examples (cont..)

    Another permission character exists, a, which represents all the categories. The a character is the default. In the next example, the two commands are equivalent. The read permission is explicitly set with the a character denoting all types of users: other, group, and user.

    By adding the -R option, we can change permissions for entire directory trees. To allow everyone read and write access to the mylinux directory in our login directory, we just type:
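
    The symbolic operators +, - and = and the -R option, run on a temporary scratch tree (an added example, not the commands from the original slides). The names mydata and mylinux follow the slides; the helper functions and the other file names are hypothetical, and every category is written explicitly.

```sh
#!/bin/sh
# Added example (not from the slides): symbolic chmod on a scratch copy of
# "mydata". The tree lives in a temporary directory and is removed at the end.

# perms PATH -> the 10-character permission field of a long listing
perms() { ls -ld "$1" | cut -c1-10; }

# symbolic_demo -> the permission field after each step, space separated
symbolic_demo() {
    d=$(mktemp -d) || return 1
    f=$d/mydata
    : > "$f"
    chmod u=rw,go=r "$f";  out=$(perms "$f")          # known starting point
    chmod g+w "$f";        out="$out $(perms "$f")"   # add group write
    chmod g-w "$f";        out="$out $(perms "$f")"   # remove it again
    chmod a+x,a-w "$f";    out="$out $(perms "$f")"   # +x, -w for all; r kept
    chmod g=rw "$f";       out="$out $(perms "$f")"   # group is exactly rw
    chmod o=r "$f";        out="$out $(perms "$f")"   # other is exactly r

    # -R walks the whole tree: directories and every file below them get
    # read and write for user, group and other.
    mkdir -p "$d/mylinux/sub"
    : > "$d/mylinux/sub/note"
    chmod u=rw,go=r "$d/mylinux/sub/note"
    chmod -R a+rw "$d/mylinux"
    out="$out $(perms "$d/mylinux/sub/note")"

    rm -rf "$d"
    echo "$out"
}

symbolic_demo
```

    With = the category ends up with exactly the listed permissions, while + and - leave the unlisted ones alone, which is why the read bits survive the a+x,a-w step.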

    Changing Permissions: Binary Method

    The absolute method changes all the permissions at once, instead of specifying one or the other.

    The three access levels, each with three permissions, conform to an octal binary format.

    Three octal digits in a number translate into three sets of three binary digits, which is nine altogether and the exact number of permissions for a file.

    The first octal digit applies to the owner category, the second to the group, and the third to the others category.

    The actual octal digit you choose determines the read, write, and execute permissions for each category.

    Owner   Group   Other
    6       4       2

    Numbers to change a file's mode

    The chmod utility can also use numbers to change a file's mode. The numbers range from 0-7 (octal).

    Changing Permissions with Numbers

    Each permission is assigned a number:

    Read = 4, write = 2, execute = 1

    Add these numbers for each user category:

    Owner   Group   Other
    rw-     r--     r--
    4+2     4       4
    6       4       4

    Use with chmod:

    Permission changed
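
    The read = 4, write = 2, execute = 1 arithmetic in both directions, as an added example (not from the original slides). The function names are hypothetical; the inputs are the rw-r--r-- and 6 4 2 values used on the slides.

```sh
#!/bin/sh
# Added example (not from the slides): the arithmetic of the numeric method.

# sym_to_octal PERMS -> three octal digits.
# PERMS is rwx notation: 9 characters, or 10 with the leading file-type
# character of a long listing (e.g. -rw-r--r--).
sym_to_octal() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi
    [ ${#s} -eq 9 ] || return 1
    out=
    while [ -n "$s" ]; do
        rest=${s#???}            # everything after the first triplet
        trip=${s%"$rest"}        # the first triplet itself
        s=$rest
        d=0
        case $trip in r??) d=$((d + 4)) ;; esac   # read    = 4
        case $trip in ?w?) d=$((d + 2)) ;; esac   # write   = 2
        case $trip in ??x) d=$((d + 1)) ;; esac   # execute = 1
        out=$out$d
    done
    echo "$out"
}

# octal_to_sym MODE -> nine characters of rwx notation (owner, group, other)
octal_to_sym() {
    out=
    for n in 6 3 0; do
        d=$(( (0$1 >> $n) & 7 ))
        case $(( $d & 4 )) in 0) r=- ;; *) r=r ;; esac
        case $(( $d & 2 )) in 0) w=- ;; *) w=w ;; esac
        case $(( $d & 1 )) in 0) x=- ;; *) x=x ;; esac
        out=$out$r$w$x
    done
    echo "$out"
}

sym_to_octal rw-r--r--
octal_to_sym 642
```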

    Fun with Numbers and chmod

    Here's a list of some common settings, numerical values and their meanings:

    Fun with Numbers (cont)

    Example

    File created

    Default permission

    Permission changed

    Permission implemented

    Permission Defaults: umask

    To display the current default permissions, use the umask command with no arguments. The -S option uses the symbolic format.

    You can set a new default set of permissions for the files that you create. The following example specifies read, write and execute permissions to owner and gives no permissions to group or others.

    Permission Defaults: umask (cont..)

    Note: For files subtract the umask from 666, and for directories from 777.

    A umask of 022 means that files will have permissions of 644 while directories will have permissions of 755.

    Example: 666 - 022 = 644, 777 - 022 = 755

    If you trust no one use the following mask
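
    How a umask turns into default modes, as an added example (not from the original slides). The function names are hypothetical. The kernel clears the bits named in the mask rather than subtracting digits; the two agree for 022 and 077 but not for a mask such as 033.

```sh
#!/bin/sh
# Added example (not from the slides): how a umask shapes default modes.

# default_mode BASE UMASK -> BASE with every bit named in UMASK cleared
default_mode() { printf '%03o\n' $(( 0$1 & ~0$2 & 0777 )); }

# subtract_mode BASE UMASK -> plain octal subtraction, for comparison
subtract_mode() { printf '%03o\n' $(( 0$1 - 0$2 )); }

# observed UMASK -> permission fields of a file and a directory that the
# shell really creates under that mask. Runs in a subshell, so the caller's
# own umask is left untouched.
observed() (
    d=$(mktemp -d) || exit 1
    chmod g-s "$d"     # a setgid parent would otherwise mark new directories
    umask "$1"
    : > "$d/file"      # files are requested with 666
    mkdir "$d/dir"     # directories are requested with 777
    echo "$(ls -ld "$d/file" | cut -c1-10) $(ls -ld "$d/dir" | cut -c1-10)"
    rm -rf "$d"
)

default_mode 666 022      # files under umask 022
default_mode 777 022      # directories under umask 022
observed 022
observed 077              # rwx for the owner only, nothing for group or other
# Where the two calculations part ways: mask 033 on a new file.
default_mode 666 033
subtract_mode 666 033
```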

    Special Access Bits

    When a user starts a process it runs with the permissions of that user. If you run vi and try to edit /etc/shadow, the operation will fail. Or if you try to edit your personal information in the file /etc/passwd, again the operation will fail.

    Although /etc/passwd is a file that cannot be changed by a regular user, a regular user can use the /usr/bin/chfn program to change his personal information contained in it. Similarly, a regular user can use the /usr/bin/passwd and /usr/bin/chage programs to change his password-related information in the /etc/shadow file. This is because these programs have their SUID permissions set.

    Three special types of permissions are available for executable files and public directories: setuid, setgid, and sticky bit. When these permissions are set, any user who runs that executable file assumes the ID of the owner (or group) of the executable file.

    Special Access Bits (cont..)

    setuid Permission: When setuid permission is set on an executable file, a process that runs this file is granted access on the basis of the owner of the file. The access is not based on the user who is running the executable file. This special permission allows a user to access files and directories that are normally available only to the owner.

    setgid Permission: The setgid permission is similar to the setuid permission. The process's effective group ID (GID) is changed to the group that owns the file, and a user is granted access based on the permissions that are granted to that group. The /usr/bin/mail command has setgid permissions.

    Sticky Bit: The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted only by the file owner, the directory owner, or by a privileged user. The root user and the Primary Administrator role are examples of privileged users.
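
    Recognising the three special bits in a long listing and inventorying them under a directory, as an added example (not from the original slides). The function names, the scratch tree and the sample listings are constructed; the octal values 4000, 2000 and 1000 are the standard setuid, setgid and sticky bits.

```sh
#!/bin/sh
# Added example (not from the slides): spotting special access bits.

# special_bits FIELD -> names of the special bits in a 10-character permission
# field: s/S in the execute slot of user or group, t/T in that of other.
special_bits() {
    out=
    case $1 in ???[sS]??????) out="$out setuid" ;; esac
    case $1 in ??????[sS]???) out="$out setgid" ;; esac
    case $1 in ?????????[tT]) out="$out sticky" ;; esac
    echo "${out# }"
}

# audit_special DIR -> one "relative/path: bits" line for every entry under
# DIR that carries a special bit (octal 4000, 2000 or 1000).
audit_special() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -print | sort |
    while IFS= read -r p; do
        rel=${p#"$1"/}
        echo "$rel: $(special_bits "$(ls -ld "$p" | cut -c1-10)")"
    done
}

# make_scratch -> path of a temporary tree holding one setuid file, one
# sticky directory and one ordinary file (all empty, owned by the caller).
make_scratch() {
    d=$(mktemp -d) || return 1
    chmod g-s "$d"                 # drop setgid inherited from the parent
    : > "$d/tool";  chmod 4755 "$d/tool"
    : > "$d/plain"; chmod 644 "$d/plain"
    mkdir "$d/drop"; chmod g-s "$d/drop"; chmod 1777 "$d/drop"
    echo "$d"
}

# Constructed listings in the three shapes the slide describes.
special_bits -rwsr-xr-x    # setuid executable
special_bits -rwxr-sr-x    # setgid executable
special_bits drwxrwxrwt    # sticky public directory
```

    Run audit_special over a real directory to see which entries there carry these bits.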

    Permissions Lab

    1. Login as root and create three users tariq, khan and jamil and assign them passwords.

    2. Login as khan and create a directory ~/dir1 and a file ~/dir1/file1 and check its permissions.

    3. Login as tariq or jamil and try to access the home directory of khan. What happens?

    4. Login as khan and create a directory /tmp/dir1 and a file /tmp/dir1/file1 and check its permissions.

    5. Login as tariq or jamil and try to access the dir1 just created by khan. See what happens?

    6. Login as root and create two groups sales and mkt. Make tariq's primary group sales. Make khan's primary group sales and khan's secondary group mkt. Make jamil's primary group mkt. Confirm using the id command.

    7. Login as khan and change permissions on /tmp/dir1/file1 so that the owner can read and write the file, group members can only read the file and others can do nothing. (Remember only root or the owner of a file can change a file's permissions.)

    8. Login as tariq or jamil and try to access /tmp/dir1/file1. What happens? Check the ownership of /tmp/dir1/file1; it is owned by user khan and the group khan. So it can be accessed only by user khan and users who are members of group khan.

    9. Login as root or khan and change the group ownership of /tmp/dir1/file1. Let its owner be khan and change the group to sales using the chmod command.

    10. Login as tariq and try changing the contents of /tmp/dir1/file1. Since group permissions apply to tariq, he can now read as well as write to /tmp/dir1/file1.

    11. Login as jamil and try changing the contents of /tmp/dir1/file1. Since others permissions apply to jamil, he cannot read or write to /tmp/dir1/file1.

    12. Login as root and make sales a secondary group of jamil. Then login as jamil and again try accessing /tmp/dir1/file1. Success.

    Things to do!

    For a complete understanding perform the questions in sequence given in the slides (Permissions Lab).

    You are required to submit the solution of these lab questions hand written. Execute all the commands on the console before writing the solution down. Good Luck

    If you have problems visit me in counseling hours.