Use ls -l to see the permissions of files (list-long). They will appear like this, note that I have added spaces between permissions to make it easier to read:
Where: r = read, w = write, x = execute
- rwx rw- r-- 1 newuser newuser typeownergroupothers |
The two names at the end are the username and group respectively.
Change file access permissions for a file(s).
There are two methods to change permissions using chmod; letters or numbers.
use a + or - (plus or minus sign) to add or remove permissions for a file respectively. Use an equals sign =, to specify new permissions and remove the old ones for the particular type of user(s).
You can use chmod letter where the letters are:
a (all (everyone)), u (user), g (group) and o (other).
Examples:
chmod u+rw somefile |
This would give the user read and write permission.
chmod o-rwx somefile |
This will remove read/write/execute permissions from other users (doesn't include users within your group).
chmod a+r somefile |
This will give everyone read permission for the file.
chmod a=rx somefile |
This would give everyone execute and read permission to the file, if anyone had write permission it would be removed.
you can also use numbers (instead of letters) to change file permissions. Where:
r (read) = 4 w (write) = 2 x (execute) = 1
Numbers can be added together so you can specify read/write/execute permissions; read+write = 6, read+execute = 5, read+write+execute = 7
Examples:
chmod 777 somefile |
This would give everyone read/write/execute permission on “this_file”. The first number is user, second is group and third is everyone else (other).
chmod 521 somefile |
This would give the user read and execute permission, and the group write permission (but not read permission!) and everyone else execute permission. (Note that it's just an example, settings like that don't really make sense...).
Changes the ownership rights of a file (hence the name 'chown' - change owner). This program can only be used by root.
Use the -R option to change things recursively, in other words, all matching files including those in subdirectories.
Command syntax:
chown owner:group the_file_name |
Only the person who created the file within a directory may delete it, even if other people have write permission. You can turn it on by typing:
chmod 1700 somedirectory (where 1 = sticky bit) |
or (where t represents the sticky bit)
chmod +t somedirectory |
To turn it off you would need to type:
chmod 0700 somefile (where the zero would mean no sticky bit) |
or (where t represents the sticky bit)
chmod -t somefile |
Note that the permissions aren't relevant in the numbers example, only the first number (1 = on, 0 = off).
An example of a sticky directory is usually /tmp
Allow SUID/SGID (switch user ID/switch group ID) access. You would normally use chmod to turn this on or off for a particular file, suid is generally considered a security hazard so be careful when using this.
Example:
chmod u+s file_name |
This will give everyone permission to execute the file with the permissions of the user who set the +s switch.
Security Hazard | |
---|---|
This is obviously a security hazard. You should avoid using the suid flag unless necessary. |
Change file system attributes (works on ext2fs and possibly others...). Use the -R option to change files recursively, chattr has a large number of attributes which can be set on a file, read the manual page for further information.
Example:
chattr +i /sbin/lilo.conf[1] |
This sets the 'immutable' flag on a file. Use a '+' to add attributes and a '-' to take them away. The +i will prevent any changes (accidental or otherwise) to the “lilo.conf” file. If you wish to modify the lilo.conf file you will need to unset the immutable flag: chattr -i. Note some flags can only be used by root; -i, -a and probably many others.
Note there are many different attributes that chattr can change, here are a few more which may be useful:
A (no Access time) --- if a file or directory has this attribute set, whenever it is accessed, either for reading of for writing, it's last access time will not be updated. This can be useful, for example, on files or directories which are very often accessed for reading, especially since this parameter is the only one which changes on an inode when it's opened.
a (append only) --- if a file has this attribute set and is open for writing, the only operation possible will be to append data to it's previous contents. For a directory, this means that you can only add files to it, but not rename or delete any existing file. Only root can set or clear this attribute.
s (secure deletion) --- when such a file or directory with this attribute set is deleted, the blocks it was occupying on disk are written back with zeroes (similar to using shred). Note that this does work on the ext2, and ext3 filesystems but is unlikely to work on others (please see the documentation for the filesystem you are using). You may also like to see shred, please see Chapter 7
(list attributes). This will list if whether a file has any special attributes (as set by chattr). Use the -R option to list recursively and try using the -d option to list directories like other files rather than listing their contents.
Command syntax:
lsattr |
This will list files in the current directory, you may also like to specify a directory or a file:
lsattr /directory/or/file |
[1] | This example and tiny parts of the explanation have been taken from the Linux Online Classroom, see [4] in the Bibliography for further information. |