DEV Community

fitriamalia05

Controlling Access to Files

1. Chmod

chmod – This command changes the permission bits (the mode) of a file or directory.

The command ls -l shows the permissions on a file together with its owner. For example, ls -l file1.txt displays:

-rwxr--rw- 1 user user 0 Sep 24 12:59 file1.txt

On each line, the first character identifies the type of entry being listed: a dash (-) is a regular file, d is a directory and l is a symbolic link.

-rwxr--rw- 1 user user 0 Sep 24 12:59 file1.txt
|[-][-][-] | [--] [--] | [----------] [-------]
| |  |  |  |  |    |   |      |           |
| |  |  |  |  |    |   |      |           +--> 10. Name
| |  |  |  |  |    |   |      +--------------> 9. Last modification time
| |  |  |  |  |    |   +---------------------> 8. Size in bytes
| |  |  |  |  |    +-------------------------> 7. Group owner
| |  |  |  |  +------------------------------> 6. Owner
| |  |  |  +---------------------------------> 5. Hard link count
| |  |  +------------------------------------> 4. Others permissions
| |  +---------------------------------------> 3. Group permissions
| +------------------------------------------> 2. Owner permissions
+--------------------------------------------> 1. File type

Some systems print an eleventh character directly after the permissions: a dot (.) means the file carries an SELinux security context, and a plus (+) means it has an access control list (ACL), so its effective permissions are wider than the nine bits show and should be checked with getfacl.

The next nine characters represent the settings for the three sets of permissions.

  1. The first three characters show the permissions for the user who owns the file (user permissions).

  2. The middle three characters show the permissions for members of the file's group (group permissions).

  3. The last three characters show the permissions for anyone not in the first two categories (other permissions).

Only one of the three sets applies to a given process: the kernel uses the owner bits if you own the file, otherwise the group bits if you are a member of its group, otherwise the other bits. It does not fall through to a wider set, so a file with mode ----rwxrwx is unreadable by its own owner.

There are three characters in each set of permissions. Each character indicates the presence or absence of one permission: it is either a dash (-) or a letter. A dash means that permission is not granted; an r, w, or x means it has been granted.

The letters represent:

  • r: Read permission. The file can be opened and its content viewed. On a directory, r allows listing the names inside it.

  • w: Write permission. The file's contents can be modified or truncated. Deleting, renaming or creating a file is governed by w on the directory that contains it, not by w on the file itself.

  • x: Execute permission. If the file is a script or a program, it can be run (executed). On a directory, x allows entering it and reaching its entries by name, even when r is missing.

For example:

  1. --- means no permissions have been granted at all.
  2. rwx means full permissions have been granted. The read, write, and execute indicators are all present.

The remaining fields of the ls -l line are:

  • -rwxr--rw- – The file type and the permissions, as described above.

  • 1 – Number of hard links. A hard link is an additional name for the same file; for a directory this count also includes its subdirectories.

  • user user – The owner and the group owner of the file.

  • 0 – The file size in bytes.

  • Sep 24 12:59 – The last time the file was modified.

  • file1.txt – The name of the file or directory.

Changing Permissions with the Symbolic Method

To use chmod to set permissions, we need to tell it:

  • Who: Who we are setting permissions for.

  • What: What change are we making? Are we adding or removing the permission?

  • Which: Which of the permissions are we setting?

We use indicators to represent these values, and form short permissions statements such as u+x, where u means user (who), + means add (what), and x means the execute permission (which).

  • Who is u, g, o, a (for user, group, other, all)

  • What is +, -, = (for add, remove, set exactly)

  • Which is r, w, x (for read, write, execute)

Examples

  • Remove read and write permission for group and other on file1.txt:

chmod go-rw file1.txt

  • Add execute permission for everyone on file2.txt:

chmod a+x file2.txt

Several statements can be combined in one command by separating them with commas, for example u=rwx,go=rx; they are applied from left to right.

Changing Permissions with the Numeric Method

You may have seen chmod being used with numbers, rather than letters. The numbers ultimately follow the same convention as above, but are much simpler to write out. Each user permission in rwx is given a certain value:

  • r is given a value of 4
  • w is given a value of 2
  • x is given a value of 1

That means a total value of 7 means 4 + 2 + 1, or rwx. A value of 5 would mean 4 + 1, or r-x. We can assign the owner, group, and other users a number each. So given a permission set like this:

rwx  r-x  --x
^    ^    ^
|    |    |
|    |    └ - -  the permissions of "others", i.e. anyone who is neither the owner nor a member of the group
|    └ - - the group's permissions
└ - - the owner's permissions

The owner has a permission value of 7, the group has 5, and any other users have a permission of 1. So we can write this as 751.
To apply these permissions to our file, file.txt, then, we can write the following:

chmod 751 file.txt

A fourth, leading digit sets the special bits, added together the same way: 4 for setuid, 2 for setgid and 1 for the sticky bit. The sticky bit matters on directories: in a world-writable directory such as /tmp (mode 1777) it lets users delete or rename only the files they own. setuid and setgid on an executable make it run with the privileges of the file's owner or group instead of the caller's, so chmod 4755 program gives every user who runs program the owner's rights. ls -l shows the bit as an s in the owner's (or group's) execute slot, -rwsr-xr-x, or as an uppercase S when the execute bit itself is missing. Unexpected setuid binaries are a standard privilege-escalation target, so they are worth auditing.
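As an added example (not code from the original post), the following shell script parses the permission string that ls -l prints into the four-digit octal form, uses that to confirm that a symbolic chmod and a numeric chmod produce identical bits, and finishes with the setuid audit mentioned above. All function names are mine; it assumes a POSIX shell with ls, chmod, find and mktemp, and every file it touches is created in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX shell plus
# ls, chmod, find and mktemp. All paths are scratch files created here.

# Value of one rwx triplet. $1 is the triplet, $2 is the weight of the special
# bit that may appear in its execute slot (4 setuid, 2 setgid, 1 sticky).
# Prints "<rwx value> <special value>", e.g. "rws" 4 -> "7 4".
triplet_value() {
    v=0 s=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac   # lowercase s/t: execute bit set too
    case $1 in ??[sStT]) s=$2 ;; esac           # s/S or t/T: special bit present
    printf '%d %d\n' "$v" "$s"
}

# Convert an ls -l mode string to four octal digits: "-rwsr-xr-x" -> 4755.
# Accepts 9 characters (no type), 10 (with type) or 11 (with the trailing
# "." or "+" that marks an SELinux context or an ACL).
mode_to_octal() {
    m=$1
    case ${#m} in
        10|11) m=$(printf '%s' "$m" | cut -c2-10) ;;   # drop the type character
        9) ;;
        *) printf 'mode_to_octal: expected 9-11 characters, got "%s"\n' "$1" >&2; return 1 ;;
    esac
    # s/S are only legal in the owner and group slots, t/T only in the other slot
    case $m in
        [r-][w-][xsS-][r-][w-][xsS-][r-][w-][xtT-]) ;;
        *) printf 'mode_to_octal: not a permission string: "%s"\n' "$m" >&2; return 1 ;;
    esac
    set -- $(triplet_value "$(printf '%s' "$m" | cut -c1-3)" 4); uv=$1 us=$2
    set -- $(triplet_value "$(printf '%s' "$m" | cut -c4-6)" 2); gv=$1 gs=$2
    set -- $(triplet_value "$(printf '%s' "$m" | cut -c7-9)" 1); ov=$1 os=$2
    printf '%d%d%d%d\n' $((us + gs + os)) "$uv" "$gv" "$ov"
}

# The first ten characters of ls -ld for a path: type plus nine permission bits.
ls_mode() {
    ls -ld "$1" | cut -c1-10
}

# Apply a symbolic mode to one scratch file and a numeric mode to another and
# print both results in octal, so the caller can see whether they are the same.
compare_symbolic_numeric() {   # $1 = symbolic mode, $2 = numeric mode
    d=$(mktemp -d) || return 1
    : > "$d/sym" && : > "$d/num" &&
        chmod "$1" "$d/sym" && chmod "$2" "$d/num" || { rm -rf "$d"; return 1; }
    a=$(mode_to_octal "$(ls_mode "$d/sym")")
    b=$(mode_to_octal "$(ls_mode "$d/num")")
    rm -rf "$d"
    printf '%s %s\n' "$a" "$b"
}

# Regular files under $1 that carry setuid or setgid. Anything listed runs with
# the file owner's or group's privileges, so unexpected entries deserve a look.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Build a scratch tree with one setuid executable, one sticky directory and one
# plain file, then print "<setuid file mode> <sticky dir mode> <audit hits>".
special_bits_demo() {
    d=$(mktemp -d) || return 1
    : > "$d/suid_tool" && chmod 4755 "$d/suid_tool" &&
        mkdir "$d/shared" && chmod 1777 "$d/shared" &&
        : > "$d/plain" && chmod 644 "$d/plain" || { rm -rf "$d"; return 1; }
    f=$(mode_to_octal "$(ls_mode "$d/suid_tool")")
    s=$(mode_to_octal "$(ls_mode "$d/shared")")
    n=$(find_setid_files "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    printf '%s %s %s\n' "$f" "$s" "$n"
}

# Stand-alone run: the string from the text, then the two checks.
mode_to_octal -rwxr--rw-                    # 0746
compare_symbolic_numeric u=rwx,g=rx,o=x 751 # 0751 0751
special_bits_demo                           # 4755 1777 1
```

The parser validates the whole nine-character string before converting, so a stray t in the owner slot or an s in the other slot is rejected rather than silently mapped to a number. find_setid_files is the same check you would run against / on a host you suspect has been tampered with; on a clean system the list should match the distribution's known setuid set.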

2. Chown

chown – This command changes the owner and/or the group owner of a file or directory. The basic form is:

chown [owner][:group] file

For example, if we have a file named file.txt and we want to make xitjkt2 its owner and clients its group owner, the command is:

chown xitjkt2:clients file.txt

So, as you can see, we separated the owner and group owner with the symbol : (colon). If we only want to change the file owner, we can use:

chown xitjkt2 file.txt

We omit the group owner and type only the new owner; the group owner remains unchanged. Similarly, to change only the group owner of a file:

chown :clients file.txt

Here only the group owner changes to clients; the owner remains unchanged.

Two things a practitioner should keep in mind. First, only root can change a file's owner; an ordinary user may change the group of a file they own, but only to a group they belong to. Second, on Linux, changing the owner or group of an executable clears its setuid and setgid bits, so a setuid program that has been chowned must have its mode reapplied with chmod, deliberately. Add -R to apply a change to a whole directory tree (chown -R owner:group directory).

3. Umask

The user file-creation mode mask (umask) determines the permissions of newly created files and directories. Each bit set in the umask is removed from the permissions the creating program asks for, which is normally 666 for a file and 777 for a directory; the shell displays it as a four-digit octal number, the leading digit being for the special bits. A newly created regular file is therefore never executable whatever the umask, which is why new files and new directories end up with different modes under the same umask. A umask can be set or expressed using:

  • Symbolic values

  • Octal values

Use the umask command to set default file permissions on Linux and Unix-like machines.

The umask command without any arguments will display the current value of the shell’s umask. Example:

[user@host ~]$ umask
0002

  1. A umask of 022 allows only you to write data, but anyone can read it (new files get 644, new directories 755).

  2. A umask of 077 is good for a completely private system: no other user can read or write your data (files 600, directories 700).

  3. A umask of 002 is good when you share data with other users in the same group. Members of your group can create and modify data files; those outside your group can read data files but cannot modify them (files 664, directories 775). Set your umask to 007 to completely exclude users who are not group members (files 660, directories 770).

umask Example

The following example shows how the umask affects the permissions of files and directories. Look at the default umask permissions for both files and directories in the current shell. The owner and group both have read and write permission on files, and other has read. The owner and group both have read, write, and execute permission on directories; other has read and execute.

[user@host ~]$ umask
0002
[user@host ~]$ touch default.txt
[user@host ~]$ ls -l default.txt
-rw-rw-r--. 1 user user 0 May  9 01:54 default.txt
[user@host ~]$ mkdir default
[user@host ~]$ ls -ld default
drwxrwxr-x. 2 user user 0 May  9 01:54 default

By setting the umask value to 0, the file permissions for other change from read to read and write, and the directory permissions for other change from read and execute to read, write, and execute. Everything created under this umask is world-writable: any local account, or any compromised service on the host, can modify the files, so a umask of 0 is a misconfiguration to look for rather than a setting to use.

[user@host ~]$ umask 0
[user@host ~]$ touch zero.txt
[user@host ~]$ ls -l zero.txt
-rw-rw-rw-. 1 user user 0 May  9 01:54 zero.txt
[user@host ~]$ mkdir zero
[user@host ~]$ ls -ld zero
drwxrwxrwx. 2 user user 0 May  9 01:54 zero 

To mask all file and directory permissions for other, set the umask value to 007.

[user@host ~]$ umask 007
[user@host ~]$ touch seven.txt
[user@host ~]$ ls -l seven.txt
-rw-rw----. 1 user user 0 May  9 01:55 seven.txt
[user@host ~]$ mkdir seven
[user@host ~]$ ls -ld seven
drwxrwx---. 2 user user 0 May  9 01:54 seven

A umask of 027 ensures that new files have read and write permission for user, read permission for group, and no permissions for other. New directories have read, write, and execute for user, read and execute for group, and no permissions for other.

[user@host ~]$ umask 027
[user@host ~]$ touch two-seven.txt
[user@host ~]$ ls -l two-seven.txt
-rw-r-----. 1 user user 0 May  9 01:55 two-seven.txt
[user@host ~]$ mkdir two-seven
[user@host ~]$ ls -ld two-seven
drwxr-x---. 2 user user 0 May  9 01:54 two-seven 
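As an added example (not code from the original post), the following shell script computes the mode a new file or directory will receive under a given umask by masking the bits the way the kernel does, then creates real files under that umask in a scratch directory and checks the prediction against what ls -l reports, covering the 002, 022, 077, 007, 027 and 0 cases from the text. All function names are mine; it assumes a POSIX shell with ls, mkdir and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX shell plus ls,
# mkdir and mktemp; everything it creates lives in a scratch directory.

# umask is a mask, not a subtraction: every bit set in it is cleared from the
# mode the creating call asks for (0666 for touch, creat or a shell redirection,
# 0777 for mkdir). Prints the resulting mode as three octal digits.
predict_mode() {   # $1 = umask in octal (027 or 0027), $2 = file | dir
    case $2 in
        file) base=438 ;;   # 0666
        dir)  base=511 ;;   # 0777
        *) printf 'predict_mode: type must be file or dir, got "%s"\n' "$2" >&2; return 1 ;;
    esac
    case $1 in
        [0-7]|[0-7][0-7]|[0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
        *) printf 'predict_mode: "%s" is not an octal umask\n' "$1" >&2; return 1 ;;
    esac
    mask=$((0$1))               # the leading 0 makes the shell read it as octal
    printf '%03o\n' $((base & ~mask))
}

# Expand three octal digits into the nine rwx characters ls prints: 640 -> rw-r-----
octal_to_symbolic() {
    v=$((0$1)) s=""
    for bit in 256 128 64 32 16 8 4 2 1; do
        if [ $((v & bit)) -ne 0 ]; then
            case $bit in
                256|32|4) s="${s}r" ;;
                128|16|2) s="${s}w" ;;
                *)        s="${s}x" ;;
            esac
        else
            s="${s}-"
        fi
    done
    printf '%s\n' "$s"
}

# Create a file or directory under the given umask (in a subshell, so the
# caller's umask is untouched) and print the nine permission characters
# ls -ld reports for it.
observed_mode() {   # $1 = umask, $2 = file | dir
    d=$(mktemp -d) || return 1
    (
        umask "$1" || exit 1
        if [ "$2" = dir ]; then mkdir "$d/new"; else : > "$d/new"; fi
    ) || { rm -rf "$d"; return 1; }
    ls -ld "$d/new" | cut -c2-10
    rm -rf "$d"
}

# Prediction and reality for one umask; prints "umask file dir ok|MISMATCH".
check_umask() {
    pf=$(predict_mode "$1" file) && pd=$(predict_mode "$1" dir) || return 1
    status=ok
    [ "$(observed_mode "$1" file)" = "$(octal_to_symbolic "$pf")" ] || status=MISMATCH
    [ "$(observed_mode "$1" dir)"  = "$(octal_to_symbolic "$pd")" ] || status=MISMATCH
    printf '%s %s %s %s\n' "$1" "$pf" "$pd" "$status"
}

# Stand-alone run over the umasks discussed in the text.
for u in 0002 022 077 007 027 0; do
    check_umask "$u"
done
```

predict_mode starts from 0666 for files, so it reproduces the fact that a new file never gets an execute bit no matter how permissive the umask; the observed_mode check is what you would run on a host where files keep appearing with unexpected modes, to separate a wrong umask from a default ACL or a setgid directory on the path.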

The default umask for users is set by the shell startup scripts. On Red Hat Enterprise Linux and its derivatives, /etc/profile and /etc/bashrc assign a umask of 002 if your account's UID is 200 or more and your username and primary group name are the same; otherwise your umask is 022. Other distributions ship different defaults, so check with umask rather than assuming.

As root, you can change this by adding a shell startup script named /etc/profile.d/local-umask.sh that looks something like the output in this example:

[root@host ~]# cat /etc/profile.d/local-umask.sh
# Overrides default umask configuration
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 007
else
    umask 022
fi

The preceding example will set the umask to 007 for users with a UID greater than 199 and with a username and primary group name that match, and to 022 for everyone else. If you just wanted to set the umask for everyone to 022, you could create that file with just the following content:

# Overrides default umask configuration
umask 022

To ensure that global umask changes take effect you must log out of the shell and log back in; until then the umask configured in the current shell is still in effect. Note also that these scripts are read only by login shells: a daemon started by systemd, a cron job or a container entrypoint never sources /etc/profile.d, so its umask comes from its own configuration (for a systemd unit, the UMask= directive, which defaults to 0022) and must be set there.

chmod and umask deal with the same permission bits, but at different times. umask determines the permissions that new files and directories receive when they are created, while chmod sets the permissions of files and directories that already exist.
