Tuesday, January 20, 2009

Linux Permissions

I was describing to a new coworker how to set up secure shell (ssh) to use private key authentication instead of password authentication. As I was showing him, I mentioned that it was important to make sure that the user’s key file had the right permissions on it. He responded that he had trouble wrapping his head around Linux permissions, so I thought I would post something here.

File permissions in Linux hinge on the ownership of a file. Every file is owned by exactly one user and one group. Permissions are then assigned in three sets: what the owning user can do, what members of the owning group can do, and what everyone else can do.

If you look at the properties of any file in Linux, you can see all of this information. The quickest way is a long listing with ‘ls -l’, which shows the permissions, owner and group of each file:

[ls -l output]

What you can see is that each file has an owner and a group. In this case all of these files are owned by the scrosby user and assigned to the scrosby group.

The permissions for the file are laid out from left to right in one ten-character string shown in the first column of the output. The first character is the file type (‘-’ for a regular file, ‘d’ for a directory, ‘l’ for a symbolic link). The next three characters are the permissions that apply to the file’s owner, the three after that are the permissions that apply to the group assigned to the file, and the last three are the permissions that apply to everyone else. A ‘-’ in any of those nine positions means that permission is not granted.

The next part is the actual permissions. The basic permissions are Read (shown by the letter r), Write (shown by the letter w) and eXecute (shown by the letter x).

When only the read flag is set for the owner, that means the owner can read the file and nobody (including the owner) can do anything else with it. This would be shown as:

-r--------

A file that looks like this is read-only for the owner. If I wanted a file to be read/write for the owner, it would have:

-rw-------

If I wanted a file to be read/write for the owner and the group, it would look like:

-rw-rw----

If I wanted a file to be read/write for owner and group and read only for everyone else, it would look like:

-rw-rw-r--

Scripts and directories also will sometimes have the x flag set. For a script or program, x means it can be run; for a directory, x means you can enter it and reach the files inside (you need r as well to list them). If I want a file to be read/write for user and group, and additionally executable by the group, it would look like:

-rw-rwx---

These permissions are set using the chmod command, or in today’s world there is usually a dialog box with check boxes to set them. If you are a dinosaur like me though, the command line is a bit quicker and more reliable for this type of thing. chmod takes the permissions as a number with one digit each for owner, group and others. Each digit is really three bits, one per flag (read, write, execute), and if you are familiar with binary you will know that 111 is 7, 010 is 2, 011 is 3, and so on. If you want all three flags set (read, write and execute) you set all three bits to 1 (machine talk for ‘on’) and convert to decimal, giving 7. If you only want read and execute, you set the first and third bits, 101, which is 5. The same thing without the binary: read is worth 4, write 2 and execute 1, and the digit is just the sum of the flags you want. You work out one digit for each of the three categories (user, group, others) and put them together. chmod also accepts a symbolic form when you only want to flip one flag: chmod g+x somefile adds execute for the group, chmod o-r somefile takes read away from everyone else.

For example, if I want a file to be read/write/execute for the owner, read/execute for the group and no access at all for everyone else, the digits are 7, 5 and 0, so the mode is 750. This number is passed to the chmod command to set the permissions:

chmod 750 somefile

For the ssh private key that started this conversation, the mode you want is 600 (read/write for the owner, nothing for anyone else): ssh refuses to use a private key that group or others can read, and the ~/.ssh directory itself should be 700.
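Here is an added example (my own script, not part of the original post) that ties the two halves together: it converts the rwx string that ‘ls -l’ prints into the octal number chmod takes, applies it, and then checks a file the way ssh and sshd do before trusting it. It assumes GNU or busybox stat (the ‘stat -c’ flags); on BSD or macOS you would substitute ‘stat -f %Lp’ and ‘stat -f %Sp’. The temp directory, the empty stand-in id_rsa file and the starting modes are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU/busybox stat
# (`stat -c`); on BSD/macOS use `stat -f %Lp` (octal) and `stat -f %Sp` (symbolic).

# One rwx triplet -> its octal digit: r=4, w=2, x=1 (s and t also mean x is set).
triplet_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4));; esac
    case $1 in ?w?) d=$((d + 2));; esac
    case $1 in ??[xst]) d=$((d + 1));; esac
    echo "$d"
}

# Whole string -> three octal digits. Accepts the 9-character permission part
# ('rwxr-x---' -> 750) or the full 10-character ls -l field ('-rwxr-x---'),
# whose first character is the file type and is dropped.
rwx_to_octal() {
    p=$1
    [ ${#p} -eq 10 ] && p=$(printf '%s' "$p" | cut -c2-)
    if [ ${#p} -ne 9 ]; then
        echo "rwx_to_octal: bad permission string '$1'" >&2
        return 1
    fi
    printf '%s%s%s\n' \
        "$(triplet_to_digit "$(printf '%s' "$p" | cut -c1-3)")" \
        "$(triplet_to_digit "$(printf '%s' "$p" | cut -c4-6)")" \
        "$(triplet_to_digit "$(printf '%s' "$p" | cut -c7-9)")"
}

# Mode of a file as octal digits (e.g. 600) and as the ls -l style string.
file_mode()          { stat -c '%a' "$1"; }
file_mode_symbolic() { stat -c '%A' "$1"; }

# ssh refuses a private key that group or others can read ("UNPROTECTED
# PRIVATE KEY FILE"): no bit in the group or others digits may be set.
# The leading 0 makes the shell read stat's digits as octal.
key_is_private() {
    m=$(stat -c '%a' "$1") || return 1
    [ $(( 0$m & 077 )) -eq 0 ]
}

# sshd (StrictModes, the default) ignores authorized_keys if that file, ~/.ssh
# or the home directory is writable by group or others: no w bit there.
not_group_world_writable() {
    m=$(stat -c '%a' "$1") || return 1
    [ $(( 0$m & 022 )) -eq 0 ]
}

demo() {
    tmp=$(mktemp -d)                    # throwaway home directory for the demo
    mkdir "$tmp/.ssh"
    : > "$tmp/.ssh/id_rsa"              # empty stand-in for a private key
    chmod 644 "$tmp/.ssh/id_rsa"        # the common mistake: world-readable key
    chmod 775 "$tmp/.ssh"               # and a group-writable key directory
    for f in "$tmp/.ssh" "$tmp/.ssh/id_rsa"; do
        printf '%s %s %s\n' "$(file_mode_symbolic "$f")" "$(file_mode "$f")" "$f"
    done
    key_is_private "$tmp/.ssh/id_rsa" || echo "id_rsa: ssh would refuse this key"
    not_group_world_writable "$tmp/.ssh" || echo ".ssh: sshd would ignore authorized_keys in here"

    # The fix, written as the ls -l strings from the post and converted for chmod.
    chmod "$(rwx_to_octal 'rwx------')" "$tmp/.ssh"            # 700
    chmod "$(rwx_to_octal '-rw-------')" "$tmp/.ssh/id_rsa"    # 600
    key_is_private "$tmp/.ssh/id_rsa" && not_group_world_writable "$tmp/.ssh" \
        && echo "fixed: .ssh is $(file_mode "$tmp/.ssh"), id_rsa is $(file_mode "$tmp/.ssh/id_rsa")"
    rm -rf "$tmp"
}

demo
```

Run it with ‘sh perms.sh’. The two checks are deliberately different: a private key must not be readable by group or others (mask 077), while the directory and authorized_keys only need to be unwritable by them (mask 022), which is exactly what sshd’s StrictModes enforces. Feeding the output of ‘stat -c %A’ into rwx_to_octal should always give you back what ‘stat -c %a’ prints, which is a handy way to convince yourself the digit arithmetic in the post is right.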
