07-08-2019, 12:43 PM
Command line quick tips: Permissions
<div><p>Fedora, like all Linux-based systems, comes with a powerful set of security features. One of the basic features is <em>permissions</em> on files and folders. These permissions allow files and folders to be secured from unauthorized access. This article explains a bit about these permissions, and shows you how to share access to a folder using them.</p>
<h2>Permission basics</h2>
<p>Fedora is by nature a multi-user operating system. It also has <em>groups</em>, which users can be members of. But imagine for a moment a multi-user system with no concept of permissions. Different logged in users could read each other’s content at will. This isn’t very good for privacy or security, as you can imagine.</p>
<p>Any file or folder on Fedora has three sets of permissions assigned. The first set is for the <em>user</em> who owns the file or folder. The second is for the <em>group</em> that owns it. The third set is for everyone else who’s not the user who owns the file, or in the group that owns the file. Sometimes this is called the <em>world</em>.</p>
<h2>What permissions mean</h2>
<p>Each set of permissions comes in three flavors — <em>read</em>, <em>write</em>, and <em>execute</em>. Each of these has an initial that stands for the permission, thus <em>r</em>, <em>w</em>, and <em>x</em>.</p>
<h3>File permissions</h3>
<p>For <em>files</em>, here’s what these permissions mean:</p>
<ul>
<li>Read (r): the file content can be read</li>
<li>Write (w): the file content can be changed</li>
<li>Execute (x): the file can be executed — this is used primarily for programs or scripts that are meant to be run directly</li>
</ul>
<p>You can see the three sets of these permissions when you do a long listing of any file. Try this with the <em>/etc/services</em> file on your system:</p>
<pre class="wp-block-preformatted">$ <strong>ls -l /etc/services</strong><br />-rw-r--r--. 1 root root 692241 Apr 9 03:47 /etc/services</pre>
<p>Notice the groups of permissions at the left side of the listing. These are provided in three sets, as mentioned above — for the user who owns the file, for the group that owns the file, and for everyone else. The user owner is <em>root</em> and the group owner is the <em>root</em> group. The user owner has read and write access to the file. Anyone in the group <em>root</em> can only read the file. And finally, anyone else can also only read the file. (The dash at the far left shows this is a regular file.)</p>
<p>By the way, you’ll commonly find this set of permissions on many (but not all) system configuration files. They are only meant to be changed by the system administrator, not regular users. Often regular users need to read the content as well.</p>
<h3>Folder (directory) permissions</h3>
<p>For folders, the permissions have slightly different meaning:</p>
<ul>
<li>Read (r): the folder contents can be read (such as the <em>ls</em> command)</li>
<li>Write (w): the folder contents can be changed (files can be created or erased in this folder)</li>
<li>Execute (x): the folder can be searched, although its contents cannot be read. (This may sound strange, but the explanation requires more complex details of file systems outside the scope of this article. So just roll with it for now.)</li>
</ul>
<p>Take a look at the <em>/etc/grub.d</em> folder for example:</p>
<pre class="wp-block-preformatted">$ <strong>ls -ld /etc/grub.d</strong><br />drwx------. 2 root root 4096 May 23 16:28 /etc/grub.d</pre>
<p>Note the <em>d</em> at the far left. It shows this is a directory, or folder. The permissions show the user owner (<em>root</em>) can read, change, and <em>cd</em> into this folder. However, no one else can do so — whether they’re a member of the <em>root</em> group or not. Notice you can’t <em>cd</em> into the folder, either:</p>
<pre class="wp-block-preformatted">$ <strong>cd /etc/grub.d</strong><br />bash: cd: /etc/grub.d: Permission denied</pre>
<p>Notice how your own home directory is set up:</p>
<pre class="wp-block-preformatted">$ <strong>ls -ld $HOME</strong><br />drwx------. 221 paul paul 28672 Jul 3 14:03 /home/paul</pre>
<p>Now, notice how no one, other than you as the owner, can access anything in this folder. This is intentional! You wouldn’t want others to be able to read your private content on a shared system.</p>
<h2>Making a shared folder</h2>
<p>You can exploit this permissions capability to easily make a folder to share within a group. Imagine you have a group called <em>finance</em> with several members who need to share documents. Because these are user documents, it’s a good idea to store them within the <em>/home</em> folder hierarchy.</p>
<p>To get started, <a href="https://fedoramagazine.org/howto-use-sudo/">use </a><em><a href="https://fedoramagazine.org/howto-use-sudo/">sudo</a></em> to make a folder for sharing, and set it to be owned by the <em>finance</em> group:</p>
<pre class="wp-block-preformatted">$ sudo mkdir -p /home/shared/finance<br />$ sudo chgrp finance /home/shared/finance<br /></pre>
<p>By default the new folder has these permissions. Notice how it can be read or searched by anyone, even if they can’t create or erase files in it:</p>
<pre class="wp-block-preformatted">drwxr-xr-x. 2 root finance 4096 Jul 6 15:35 finance</pre>
<p>That doesn’t seem like a good idea for financial data. Next, use the <em>chmod</em> command to change the mode (permissions) of the shared folder. Note the use of <em>g</em> to change the owning group’s permissions, and <em>o</em> to change other users’ permissions. Similarly, <em>u</em> would change the user owner’s permissions:</p>
<pre class="wp-block-preformatted">$ sudo chmod g+w,o-rx /home/shared/finance</pre>
<p>The resulting permissions look better. Now, anyone in the <em>finance</em> group (or the user owner <em>root</em>) has total access to the folder and its contents:</p>
<pre class="wp-block-preformatted">drwxrwx---. 2 root finance 4096 Jul 6 15:35 finance</pre>
<p>If any other user tries to access the shared folder, they won’t be able to do so. Great! Now our finance group can put documents in a shared place.</p>
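<p>The same change can be rehearsed and verified without <em>sudo</em>. The script below is an added example, not part of the original article: it applies <em>chmod g+w,o-rx</em> to a scratch directory and audits the result with a hypothetical helper, <em>check_shared_dir</em>. The scratch path and the use of the directory's existing group as a stand-in for <em>finance</em> are assumptions made for the demo; <em>stat -c</em> is the GNU coreutils form found on Fedora.</p>

```shell
#!/bin/sh
# Added example: audit a group-shared folder such as /home/shared/finance.
# check_shared_dir is a hypothetical helper, not a Fedora tool.

# Succeed only if DIR is a directory owned by group WANT, the group has
# rwx, and "other" has no permissions at all. Prints one line per finding.
check_shared_dir() {
    dir=$1; want=$2; rc=0
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    mode=$(stat -c %a "$dir")       # e.g. 755, 770, or 2770 with setgid
    group=$(stat -c %G "$dir")      # name of the owning group
    perm=${mode#"${mode%???}"}      # keep the last three octal digits
    gbits=${perm#?}; gbits=${gbits%?}   # middle digit: group permissions
    obits=${perm#??}                    # last digit: everyone else
    [ "$group" = "$want" ] || { echo "FAIL $dir: group is $group, want $want"; rc=1; }
    [ "$gbits" = 7 ] || { echo "FAIL $dir: group bits are $gbits, want 7 (rwx)"; rc=1; }
    [ "$obits" = 0 ] || { echo "FAIL $dir: other bits are $obits, want 0 (---)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $dir: mode $mode, group $group"
    return "$rc"
}

# Rehearse the article's steps in a scratch directory (constructed path).
demo() {
    tmp=$(mktemp -d) || return 1
    share="$tmp/finance"
    mkdir "$share"
    grp=$(stat -c %G "$share")      # stand-in for the finance group
    chmod 755 "$share"              # the default mode shown in the article
    echo "before chmod g+w,o-rx:"
    check_shared_dir "$share" "$grp" || true
    chmod g+w,o-rx "$share"         # the article's change
    echo "after chmod g+w,o-rx:"
    check_shared_dir "$share" "$grp" || true
    rm -rf "$tmp"
}

demo
```

<p>On a real system, run <em>check_shared_dir /home/shared/finance finance</em> after the <em>chgrp</em> and <em>chmod</em> steps; a non-zero exit status means the folder is not yet locked down to the group.</p>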
<h2>Other notes</h2>
<p>There are additional ways to manipulate these permissions. For example, you may want any files in this folder to be set as owned by the group <em>finance</em>. This requires additional settings not covered in this article, but stay tuned to the Magazine for more on that topic soon.</p>
</div>