Using Linux: Managing Users and Groups
When you combine these values, you get three numbers that make up the file's permissions. Common permission combinations are:
| Permission | Value | Meaning |
|---|---|---|
| -rw------- | 600 | The owner has read and write permissions. This is what you want set on most of your files. |
| -rw-r--r-- | 644 | The owner has read and write permissions. The group and world have read-only permissions. Be sure you want to let other people read this file. |
| -rw-rw-rw- | 666 | Everybody has read and write permissions on the file. This is bad. You don't want other people to be able to change your files. |
| -rwx------ | 700 | The owner has read, write, and execute permissions. This is what you want for programs that you wish to run. |
| -rwxr-xr-x | 755 | The owner has read, write, and execute permissions. The rest of the world has read and execute permissions. |
| -rwxrwxrwx | 777 | Everyone has read, write, and execute privileges. Like the 666 setting, this is bad. Allowing others to edit your files is a cookbook formula for disaster. |
| -rwx--x--x | 711 | The owner has read, write, and execute privileges. The rest of the world has execute-only permissions. This is useful for programs that you want to let others run, but not copy. |
| drwx------ | 700 | This is a directory created with the mkdir command. Only the owner can read and write into this directory. Note that all the directories must have the executable bit set. |
| drwxr-xr-x | 755 | This directory can be changed only by the owner, but everyone else can view its contents. |
| drwx--x--x | 711 | A handy trick to use when you need to keep a directory world readable, but you don't want people to be able to see a directory listing via the ls command. Only if the person knows the filename they wish to retrieve will they be allowed to read it. |
Now that you're fluent with permissions, learning chmod is easy. To change the permissions on a file, log in as the root user and enter the following command:
[root@insoc /root]# chmod permissions file
where permissions is the three-digit numeric value discussed above, and file is the name of the file you want to change.
For example, to set the index.html file to be changeable by the owner, but only readable by the file's group and the world, the command would be:
[root@insoc /root]# chmod 644 index.html
To recursively change the permissions on all the files in a specific directory, use the -R option in chmod. For example, to set all the files in /usr/bin to the permissions 755, you would use:
[root@insoc /root]# chmod -R 755 /usr/bin
Advanced Concepts: Password Authentication Module
The Password Authentication Module (PAM) is for those who want to modify the security model that comes with Red Hat. By default, the model is reasonably strict about who may enter the system and in most instances, does not need to be adjusted. Like the password and group configuration files, though, understanding this subsystem will better prepare you for troubleshooting problems.
What are SetUID programs
SetUID is a special permission applied to programs. Remember how everything in Linux has an owner? This concept of ownership applies to programs in execution (processes) as well. Each process is owned by the person who invoked it. For example, if you log in as yourself, start the program xtetris, and then list the running processes using the ps command, you'll see that you are the owner of the xtetris process. But if you do a directory listing on the xtetris program using ls -l, you'll see that the file itself is owned by the root user.
Under normal circumstances, this is good. You want to make programs available to your users to run without giving away the privilege to change them. However, you occasionally run across a need for the program to run not as the user who invokes it, but as the user the file is owned by. The ping command is a common instance of this. For ping to work, it must be run as the root user. To allow normal users of the system to use ping, you can make it SetUID.
To make a file SetUID, prefix the permissions with the number 4. For example:
[root@insoc /root]# chmod 4755 /bin/ping
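The script below is an added example, not part of the original chapter. It lists the files under a directory that carry the world-write bit (the 666 and 777 settings described above as bad) or the SetUID bit, printing each one with the mode string that ls -l shows. The function names audit_perms, report and demo, and the sample file names, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original chapter): list files under a directory
# that are world-writable or SetUID, using the same notation as `ls -l`.

# report KIND: read paths on stdin, print "KIND <ls mode string> <path>".
report() {
    kind=$1
    while IFS= read -r path; do
        # First 10 characters of `ls -ld` are the type and permission bits.
        mode=$(ls -ld -- "$path" | cut -c1-10)
        printf '%s %s %s\n' "$kind" "$mode" "$path"
    done
}

# audit_perms DIR: hypothetical helper name. -xdev stays on one filesystem.
audit_perms() {
    dir=$1
    # -perm -0002 matches any mode with the world-write bit (666, 777, ...).
    find "$dir" -xdev -type f -perm -0002 -print | report WORLD-WRITABLE
    # -perm -4000 matches any mode with the SetUID bit (4755, 4711, ...).
    find "$dir" -xdev -type f -perm -4000 -print | report SETUID
}

# demo: build a constructed sample tree in a temp directory and audit it.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/notes.txt";  chmod 600  "$tmp/notes.txt"
    : > "$tmp/index.html"; chmod 644  "$tmp/index.html"
    : > "$tmp/shared.txt"; chmod 666  "$tmp/shared.txt"
    : > "$tmp/tool";       chmod 4755 "$tmp/tool"
    (cd "$tmp" && audit_perms .)
    rm -rf "$tmp"
}

demo
```

In the output, a SetUID file shows an s in place of the owner's x, so a 4755 file is listed as -rwsr-xr-x.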