thiussat

So you installed a Linux distro and have entered computer culture shock. Things work a little differently, as you can see, from Windows. One of the biggest questions I see is about what Linux files are executable and what determines if they can be executed. If you want to learn, read on.

There are no file extensions with Linux, so one of the first things you need to get used to is that ".foo" or ".bar" means absolutely nothing to a Unix/Linux OS -- the extensions are only there to help humans determine what a file might be. On Windows, file extensions are everything and the machine doesn't know what to do with a file if the extension is not there (try to delete the ".exe" extension from a file and see if it lets you execute it). This is not the case with Unix/Linux. With Linux, what determines if a file is executable is not the file extension, but rather the -x bit in the file's permissions. All files and directories in Linux have a set of permissions. This is known as "Discretionary Access Controls" and this model is built into all Unix like OS's (and works the same way on BSD, Solaris, HP-UX, AIX, Linux and Mac OS X). This is in fact one of the main reasons why Unix has better security.

So, here's how this DAC works. Every file and directory has a set of permissions that are dependent on three things: the user, the group, and others. The "user" is the person who "owns" the file. The "group" means special users in a group that the owner has specified. And the "other users" means all other users. (Let me add that the "root" user will have full access to every file, regardless of permissions, which is why it's important that you protect the root account).

Now, permissions are outlined like so:

To translate the above:

U = User (also known as the Owner)
G = Group
O = Others

r = read
w = write
x = execute

NOTE: There are other bits that are sometimes seen like "s" or even "T" but that isn't something to worry about right now and is beyond the scope here.

Often you will see files defined like so:

The "d" means the file is a directory. The other possible bits that describe file types are:

So "lrwxrwxrwx" means the file is a symbolic link. prwxrwxrwx means the file is a named pipe. And so on.


You might ask, how do you see permissions? Well, you simply do:

or:

Most files are not going to look like "rwxrwxrwx" (if they do, you got problems). Instead you might see something like this:
What does this mean? Well, it shows that the user/owner of the file has read, write, and execute permissions on the file. The "group" only has read and execute permissions. And the "other" users only have read access. If a permission is not set, you will see the "-" which denotes the r/w/x bit is not set at all.

So, now that you understand what file permissions are and how they work, you might ask how to change them. Well that is done with a command known as "chmod." So, let's say that you have a file (or directory) that looks like "rwxr-xrwx" and you don't like the fact that people in the "other" group have full access to the file (read, write and execute). If you wanted to get rid of the "write" bit, then you would do:

What does this command mean? Well the "o-w" means you want to take the write bit away from "others" who are not in any group. If you wanted to give the permission back, you would do

So, to take away permissions you use the minus sign and to give permissions you use the + sign. If you wanted to take permissions away from the owner (user) of the file, you do:
Or if you wanted to take them away from the "group" you would do:

If you wanted to take away the -x bit from everyone, then you would do
The "a" stands for "all" and means the execute permissions will be taken from everyone except the root user, of course.

You can also take away or add more than one permission. Let's say you wanted to take away read, write, and execute from the "others." Thus you would do:
You can also use "=" to erase all permissions on a file and then specify what specific permissions you want. For instance:

Means that the permissions on this file will be exactly "read" for everyone (r--r--r--). The "=" takes away all permissions that were previously assigned to the file and assigns it the permissions you specify.

Now, let's say you have a directory and you want to change the permissions for all files within it. All you have to do is add the -R flag. For instance, if you had a directory and wanted to take away write permissions from the "other" group for all files in the directory. You would do:

Where: "-R" stands for recursive.

In case you haven't figured it out: a = all, u = user, g = group, and o = others. Just remember that "u" denotes "user" which is the same thing as the owner of the file.

Chown and Chgrp

You can also change who owns the file and what group the file is in. To change the owner of the file, you use the "chown" command. For instance:

will change the the owner of the file to John.

Similarly, you can change the group of the file by using the "chgrp" command. If you want to see a list of all groups on your machine, you can type:

So, lets say you want to put the file "foobar" into the "root" group. You would type:


Advanced:

Sometimes it is cumbersome to change permissions with the a, o, u, g +-rwx bits. This is especially true if you are wanting to set permissions to all the files in a directory or all files on a partition. For this purpose, there is a shortcut that takes some getting used to. This notation is numerical (octal to be precise) and the logic is this:

Where:

read bits = 4
write bits = 2
execute bits = 1

You may ask, how does one combine these permissions (like rw or rx or wx). That is done by simply adding the digits. If you want "rx" you add 4 (read) + 1 (execute) = 5.

Now, these digits are used on all classes (user, group, other) in the order like I showed in the previous section. For instance, if you want "r-x" on all three classes, you would use 5 5 5 like so:

Thus:

Would set permissions on the file to r-xr-xr-x

Another example:

would set permissions like so:

and would look like:

rwx------

The 7 sets the user's permission to rwx (4+2+1). The 0 means no permissions at all. Thus 700 = rwx for "user/owner" and no permissions for "group" or "others."

One last example. Let's say you wanted the user to have all permissions (7) and the other two classes to have only read permissions, you would do:

Which is equivalent to:

Try some for yourself to become familiar with this. It's easy once you get the hang of it.

__________________

Secure Your Network With Tomato Linux Vs. Windows Security Think You Can Brute Force Long Passwords? Linux File Permissions HOWTO Secure Ubuntu With AppArmor

"I can't bring myself to try Linux Mint because they keep naming the OS after ex-girlfriends or women I've had bad run ins with. Cassandra was a sexual harassing shift manager. And Felicia was a stalker who knew how to turn a good day into a hellish experience in 0-60." -- Anub1s from BBR forums

losttsol

Good info. I remember some of this from Linux class. I ended up using the numbers mostly, seemed easier because you only use a few combos of them normally.

__________________

Trippen Out

Thank you for the time it took to write this and share it with us. I indeed learned a lot.

__________________

drelyn86

why no information on the fourth digit?

__________________
"Linux is everywhere. It is all around us. Even now, in this very room. You can see it when you look out your window or when you turn on your television. You can feel it when you go to work... when you go to church... when you pay your taxes."

thiussat

That was my fault. I had inadvertently put a "-" between each "rwx" bit by mistake. It should indeed look like this:

rwxrwxrwx

with no "-" in between.

It is now fixed in my original post. Thanks.

__________________

Secure Your Network With Tomato Linux Vs. Windows Security Think You Can Brute Force Long Passwords? Linux File Permissions HOWTO Secure Ubuntu With AppArmor

"I can't bring myself to try Linux Mint because they keep naming the OS after ex-girlfriends or women I've had bad run ins with. Cassandra was a sexual harassing shift manager. And Felicia was a stalker who knew how to turn a good day into a hellish experience in 0-60." -- Anub1s from BBR forums

SilentPixel

+rep, I knew most of this but it should help to explain it to others

__________________

drelyn86

What I was talking about was the fourth (optional) digit when you use chmod.

Source: http://en.wikipedia.org/wiki/File_system_permissions

__________________
"Linux is everywhere. It is all around us. Even now, in this very room. You can see it when you look out your window or when you turn on your television. You can feel it when you go to work... when you go to church... when you pay your taxes."

thiussat

Yeah, those are the SUID and SGID bits and I mentioned them in my original post. I said that they were "beyond the scope" because this thread is intened more for people who know nothing about file permissions. It wouldn't make sense to explain SUID and GUID because it isn't wise to go mucking with those bits unless you have a good reason to.

For those wondering WTH this is about, well SUID and GUID bits are used when a user needs to launch a root level program, but instead of giving him full root access, the program has the SUID bit set to it so that the user can start it without having to be root. This is a security issue, though. Any program with a SUID bit that has a security flaw can be used to take over the whole system. Therefore, advanced users should go through and look for all files and directories with the SUID bit set and determine if it is really needed. If not, remove it.

The fact that an attacker can overtake the whole system by exploiting one root process is probably the biggest flaw with the UNIX file permissions system (Discretionary Access Controls). However, this flaw can be overcome with a Mandatory Access Control system as I described in this post.

__________________

Secure Your Network With Tomato Linux Vs. Windows Security Think You Can Brute Force Long Passwords? Linux File Permissions HOWTO Secure Ubuntu With AppArmor

"I can't bring myself to try Linux Mint because they keep naming the OS after ex-girlfriends or women I've had bad run ins with. Cassandra was a sexual harassing shift manager. And Felicia was a stalker who knew how to turn a good day into a hellish experience in 0-60." -- Anub1s from BBR forums

drelyn86

Ah, k... just kind of skimmed through it. My bad.

I don't really use either the SUID or SGID bits... but I do use the Sticky bit on certain folders in my NFS shares.

__________________
"Linux is everywhere. It is all around us. Even now, in this very room. You can see it when you look out your window or when you turn on your television. You can feel it when you go to work... when you go to church... when you pay your taxes."