On the other hand, if you examine the device file for a hard drive, you see the following:
$ ls -l /dev/sda
brw-r----- 1 root disk 8, 0 2007-10-23 18:11 /dev/sda
In this example, b designates a block device (a device that transfers and caches data in blocks) with similar permissions. Other device entries you will run across on your Linux system include symbolic links, designated by s.
You can use the chmod command to alter a file's permissions. This command uses various forms of command syntax, including octal or a mnemonic form (such as u, g, o, or a and rwx, and so on) to specify a desired change. The chmod command can be used to add, remove, or modify file or directory permissions to protect, hide, or open up access to a file by other users (except for root, which can access any file or directory on a Linux system).
The mnemonic forms of chmod's options (when used with a plus character, +, to add, or a minus sign, -, to take away) designate the following:
> u — Adds or removes user (owner) read, write, or execute permission
> g — Adds or removes group read, write, or execute permission
> o — Adds or removes read, write, or execute permission for others not in a file's group
> a —Adds or removes read, write, or execute permission for all users
> r — Adds or removes read permission
> w — Adds or removes write permission
> x — Adds or removes execution permission
For example, if you create a file, such as a readme.txt, the file will have default permissions (set by the umask setting in /etc/bashrc) of the following:
-rw-rw-r-- 1 andrew andrew 0 2007-10-23 19:08 readme.txt
As you can see, you and members of your group can read and write the file. Anyone else can only read the file (and only if it is outside of your home directory, which will have read, write, and execute permission set only for you, the owner). You can remove all write permission for anyone by using chmod, the minus sign, and aw, as follows:
$ chmod a-w readme.txt
$ ls -l readme.txt
-r--r--r-- 1 andrew andrew 12 Jan 2 16:48 readme.txt
Now, no one can write to the file (except you, if the file is in your home or /tmp directory because of directory permissions). To restore read and write permission for only you as the owner, use the plus sign and the u and rw options, like this:
$ chmod u+rw readme.txt
$ ls -l readme.txt
-rw------- 1 andrew andrew 0 2007-10-23 19:08 readme.txt
You can also use the octal form of the chmod command (for example, to modify a file's permissions so that only you, the owner, can read and write a file). Use the chmod command and a file permission of 600, like this:
$ chmod 600 readme.txt
If you take away execution permission for a directory, files might be hidden inside and may not be listed or accessed by anyone else (except the root operator, of course, who has access to any file on your system). By using various combinations of permission settings, you can quickly and easily set up a more secure environment, even as a normal user in your home directory.
Other useful commands for assigning and managing permissions include the following:
> chgrp — Changes the group ownership of a file or directory
> chown — Changes the owner of a file or directory
These commands, which modify file ownerships and permissions, can be used to model organizational structures and permissions in the real world onto your Fedora system. For example, a human resources department can share health-benefit memos to all company employees by making the files readable (but not writable) by anyone in an accessible directory. On the other hand, programmers in the company's research and development section, although able to access each other's source code files, would not have read or write access to HR payscale or personnel files (and certainly would not want HR or Marketing poking around R&D).
These commands help you easily manage group and file ownerships and permissions from the command line. It is essential that you know these commands because some times you might have only a command-line interface to work with; perhaps some idiot system administrator set incorrect permissions on X11, rendering the system incapable of working with a graphical interface.
Understanding Set User ID and Set Group ID Permissions
Another type of permission is 'set user ID' (
One commonly used program with suid permissions is the passwd command:
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 25604 2007-04-05 09:54 /usr/bin/passwd
This setting allows normal users to execute the command (as root) to make changes to a root-only accessible file, /etc/passwd.
You also can assign similar permission using the chfn command. This command allows users to update or change finger information in /etc/passwd. You accomplish this permission modification by using a leading 4 (or the mnemonic s) in front of the three octal values.
Other files that might have suid or guid permissions include at, rcp, rlogin, rsh, chage, chsh, ssh, crontab, sudo, sendmail, ping, mount, and several UNIX-to-UNIX Copy (UUCP) utilities. Many programs (such as games) might also have this type of permission to access a sound device.
Files or programs that have suid or guid permissions can sometimes present security holes because they bypass normal permissions. This problem is especially compounded if the permission extends to an executable binary (a command) with an inherent security flaw because it could lead to any system user or intruder gaining root access. In past exploits, this typically happened when a user fed a vulnerable command with unexpected input (such as a long pathname or option); the command would bomb out, and the user would be presented a root prompt. Although Linux developers are constantly on the lookout for poor programming practices, new exploits are found all the time, and can crop up unexpectedly, especially in newer software packages that haven't had the benefit of peer developer review.
Savvy Linux system administrators keep the number of suid or guid files present on a system to a minimum. The find command can be used to display all such files on your system:
# find / -type f -perm +6000 -exec ls -l {} ;
