Lecture
In this lecture we focus on the properties of objects that control access to those objects. Remember that Linux is a multi-user, multitasking operating system, so separating the privileges of different users is one of its most important concerns. Every Linux object has an owner. When you run ls -l, the owner's name appears in the third column of the output:
igor@adm-ubuntu:~/linux$ ls -l
total 4
-rw-r--r-- 1 igor igor    0 2009-10-12 17:55 atrrib.txt
-rw-r--r-- 1 root root    0 2009-10-13 12:26 file.txt
lrwxrwxrwx 1 igor igor   10 2009-10-13 12:27 link1 -> atrrib.txt
drwxr-xr-x 3 igor igor 4096 2009-10-08 17:08 temp
From this output we see that file.txt is owned by the root user, while all the other objects are owned by the user igor. Notice also the first column: it shows the access rights to the object together with the type of the object itself. The very first character gives the type. A dash means the object is either a regular file or a hard link to one. The remaining type characters are:
d - directory;
l - symbolic link;
b - block device file;
c - character device file (buffered);
u - character device file (unbuffered);
p - named pipe (FIFO).
Now look at the remaining 9 positions of the first column. They are read in groups of three: the first triple, the second and the third. The first triple sets the access rights of the object's owner, the second the rights of the file's owning group, and the third the rights of all other users. Within each triple the characters always come in the same order, rwx (r - read, w - write, x - execute). A dash in place of a letter means that right is not set, so the corresponding action cannot be performed on the object. Consider the rights -rw-r--r--. The first character (a dash) tells us this is a regular file. Then comes the first triple, rw-: the r bit says the owner can read the file, the w bit says the owner can change it, and the dash in place of x says the file is not executable. The second triple tells us the owning group may only view the contents of the file, and the third triple gives other users the right to view the file as well.
For a directory these rights (rwx) are interpreted a little differently. If w is set on a directory, objects can be created inside it. If r is set, you can find out what is inside the directory (list it with ls). If x is set, you can enter the directory (make it the current directory with cd). Figure 1 shows this as a small graphical memo.
Figure 1
There are three more properties of an object: the setuid, setgid and sticky bits. Newcomers often get confused by these bits; a little patience and hands-on practice are needed to work out which is which. Of practical interest are the setuid bit on executable files and the setgid bit on directories. The sticky bit only makes sense for a directory.
If the setuid bit is set on an executable file, the resulting process does not run with the rights of the user who started it but with the rights of the file's owner. A good example is the passwd command and the passwd file. Running ls -l /usr/bin/passwd gives the following result:
igor@adm-ubuntu:~/linux/dir$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 41292 2009-07-31 16:55 /usr/bin/passwd
In the first triple of rights we see not rwx but rws; the s means the setuid bit is set. Now run ls -l /etc/passwd and look at the rights on the text file passwd:
igor@adm-ubuntu:~/linux/dir$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1785 2009-10-16 09:01 /etc/passwd
We see that only the root user has the right to write to this file; everyone else may only read it. If the setuid bit were not set on the passwd program, a regular user could not change their own password, because passwd would run with the rights of the user who started it. With the setuid bit set, the program runs with the rights of its owner rather than of the user who runs it. The owner of the passwd program is root, so a regular user who runs passwd is able to change their password, that is, to modify the /etc/passwd file.
The setgid bit on a directory means that every object created inside the directory receives the directory's owning group as its group, rather than the primary group of the user who creates it. This bit is used to organize shared directories for users.
The sticky bit on a directory allows only the owner of a file (and the root user) to delete or rename that file in the directory, even when write permission on the directory is granted to other users.
Now consider two commands that let you change the owner of an object and change its basic properties (objects have other properties as well, but we will talk about them later).
You can change the owner of an object with the chown command. Only the superuser, root, can run it. The syntax is simple: chown newuser:newgroup file. If chown is run on a directory with the -R key, the change is applied to every object inside that directory. For the rest of the chown options, see man chown.
To change the properties of objects there is the chmod command. In simplified form its syntax is chmod expression file, where the expression consists of three parts: for whom, the action, and the properties. See Figure 2:
Figure 2
Consider a few examples.
chmod ug+wx file1 - add write and execute permissions for the owner and the group.
chmod o-rwx file1 - take away all rights (rwx) from other users.
chmod a-wx file1 - take away the write and execute rights from all users. ugo is the same as a, so one could write ugo-wx; it is equivalent to a-wx.
chmod ug=rw file1 - set the permissions exactly. We do not add rights as with +, we assign them. That is, if the rights were --xr-xr--, after this command they will be rw-rw-r--.
chmod u+s file1 - set the setuid bit.
chmod g+s file1 - set the setgid bit.
I recommend practicing setting rights, especially the setuid and setgid bits, and observing the results of setting one or another right. For this experiment create one or two test users with the adduser command.
There is another way to set permissions: numerically. Each bit has a numeric weight: r is 4, w is 2, x is 1. The weights are summed, so if you want to set the rights rw, that is 4 plus 2, which equals 6. See the example below.
chmod 644 file1 - sets read and write permission for the owner and read-only permission for the group and for other users. The digits are given in the same order in which ls -l displays the rights: the first digit for the owner, the second for the group, the third for all other users. The disadvantage of this method is that you must set the permissions for all three groups every time. The same method can set the additional bits setuid, setgid and sticky: add one more digit in front, 1 for the sticky bit, 2 for setgid, 4 for setuid. For example, chmod 4666 file1 sets the setuid bit in addition to the other rights.
I also want to note that chmod does not change the rights of a symbolic link. If you run chmod on a symbolic link, the rights of the file the link points to are changed. Try changing the rights through a hard link as well, and answer for yourself the question of what the rights are attached to: the file name or the data?
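As an added example (not part of the lecture), the following POSIX shell script decodes the first column of ls -l into the object type and the numeric mode: it applies the rwx triples described earlier, treats the s/S and t/T letters as the setuid, setgid and sticky bits, and produces the four-digit number that chmod accepts. The sample ls -l lines at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: decode the ls -l mode field (e.g. "-rwsr-xr-x") into the
# numeric mode chmod accepts (e.g. 4755) and into the object type.

# triplet_value: numeric weight of one rwx triple (r=4, w=2, x=1).
# A special bit in the x position appears as s/t (x also set) or S/T (x not set).
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# mode_to_octal: "-rwsr-xr-x" -> 4755, "drwxrwxrwt" -> 1777, "-rw-r--r--" -> 0644
mode_to_octal() {
    m="$1"
    u=$(triplet_value "$(printf %s "$m" | cut -c2-4)")    # owner triple
    g=$(triplet_value "$(printf %s "$m" | cut -c5-7)")    # group triple
    o=$(triplet_value "$(printf %s "$m" | cut -c8-10)")   # others triple
    special=0
    case "$m" in ???[sS]??????) special=$((special + 4)) ;; esac   # setuid
    case "$m" in ??????[sS]???) special=$((special + 2)) ;; esac   # setgid
    case "$m" in ?????????[tT]) special=$((special + 1)) ;; esac   # sticky
    echo "$special$u$g$o"
}

# object_type: the first character of the mode field, as listed in the lecture
object_type() {
    case "$1" in
        -*) echo "regular file" ;;
        d*) echo "directory" ;;
        l*) echo "symbolic link" ;;
        b*) echo "block device" ;;
        c*) echo "character device" ;;
        p*) echo "named pipe" ;;
        *)  echo "unknown" ;;
    esac
}

# Constructed sample lines in ls -l format (mode field first)
for line in "-rwsr-xr-x 1 root root 41292 /usr/bin/passwd" \
            "drwxrwxrwt 2 root root  4096 /tmp"; do
    mode=${line%% *}
    echo "$mode -> $(mode_to_octal "$mode") ($(object_type "$mode"))"
done
```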
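The experiment described in the last paragraph, as an added example that is not part of the lecture: a POSIX shell script that creates a file, a symbolic link and a hard link in a scratch directory, runs chmod through each link, and reads the resulting mode fields back with ls -ld. It assumes a Linux system, where ls -ld shows a symbolic link as lrwxrwxrwx, and uses only touch, ln, chmod, ls, cut and mktemp.

```shell
#!/bin/sh
# Added example: what chmod does through a symbolic link and through a hard link.
# Everything happens in a temporary directory that is removed at the end.

# perm_of: print the 10-character mode field of ls -ld for one path.
# ls -ld reports the link object itself for a symbolic link.
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# link_perm_demo: prints the observations and returns 0 when all of them hold.
link_perm_demo() {
    work=$(mktemp -d) || return 1
    touch "$work/atrrib.txt"
    chmod 644 "$work/atrrib.txt"          # start from -rw-r--r--
    ln -s atrrib.txt "$work/link1"        # symbolic link: a separate object
    ln "$work/atrrib.txt" "$work/hard1"   # hard link: a second name for the same data

    # 1. chmod on the symbolic link: the link stays lrwxrwxrwx, the target changes
    chmod 600 "$work/link1"
    sym=$(perm_of "$work/link1")
    target=$(perm_of "$work/atrrib.txt")

    # 2. chmod through the hard link: the original name shows the new mode too,
    #    because the rights are stored with the data (the inode), not with a name
    chmod 640 "$work/hard1"
    orig=$(perm_of "$work/atrrib.txt")
    hard=$(perm_of "$work/hard1")

    rm -rf "$work"
    echo "symlink: $sym   target after chmod via symlink: $target"
    echo "original name: $orig   hard link: $hard"
    [ "$sym" = "lrwxrwxrwx" ] && [ "$target" = "-rw-------" ] &&
    [ "$orig" = "-rw-r-----" ] && [ "$hard" = "-rw-r-----" ]
}

link_perm_demo
```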