
Ch17 Ownership and Permissions

The document discusses file ownership and permissions in Linux. It covers topics such as file ownership, changing ownership and groups, permissions, permission types, changing permissions with symbolic and numeric notation, and setting default permissions with umask. File ownership determines which user and group can access a file while permissions control read, write, and execute access for the file owner, group owner, and others.

Uploaded by

hasbikizkl
Module 17

Ownership and Permissions


Exam Objective
5.3 Managing File Permissions and Ownership

Objective Description
Understanding and manipulating file permissions and ownership
settings.
Ownership
File Ownership
● File ownership is critical for security.

● By default, users own the files they create. Ownership can be changed
by an administrator.

● Every file also has a group owner. By default, the primary group of the user who
creates a file becomes the group owner of that file.

● Remember: UIDs and GIDs are associated with a username and a group name.

● The id command can be used to view a user's UID, GID, username, and group
name(s).
● When a user creates a file with the touch command it will belong to the
current user and their primary group.

● File ownership can be confirmed using the long listing -l option of the ls
command.
sysadmin@localhost:~$ touch /tmp/filetest1

sysadmin@localhost:~$ ls -l /tmp/filetest1

-rw-rw-r--. 1 sysadmin sysadmin 0 Oct 21 10:18 /tmp/filetest1


Changing Groups
● To create a file under a different group, use the newgrp command to change your current
primary group.

● Use the groups command to view user group information.

● Verify new primary group using the id command:


sysadmin@localhost:~$ id

uid=502(sysadmin) gid=503(sysadmin)
groups=503(sysadmin),10001(research),10002(development)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

sysadmin@localhost:~$ newgrp research


sysadmin@localhost:~$ id

uid=502(sysadmin) gid=10001(research)
groups=503(sysadmin),10001(research),10002(development)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The newgrp command opens a new shell; as long as the user stays in that shell, the primary group won't change. To
switch the primary group back to the original, the user can leave the new shell by running the exit command.
Changing Group Ownership
● To change the group owner of an existing file, use the chgrp command.

● The root user can use the chgrp command to change the group owner of any file. A
regular user can change the group owner of a file they own to a group they are a
member of:
sysadmin@localhost:~$ touch sample

sysadmin@localhost:~$ ls -l sample

-rw-rw-r-- 1 sysadmin sysadmin 0 Dec 10 00:44 sample

sysadmin@localhost:~$ chgrp research sample

sysadmin@localhost:~$ ls -l sample

-rw-rw-r--. 1 sysadmin research 0 Oct 23 22:12 sample


Permissions
● To display the file type and permissions of a file, use the ls -l command:
root@localhost:~# ls -l /etc/passwd

-rw-r--r--. 1 root root 4135 May 27 21:08 /etc/passwd

● File Type:
-rw-r--r--. 1 root root 4135 May 27 21:08 /etc/passwd

The first character of each line indicates the type of file. Possible values for file types:
-  regular file
d  directory
l  symbolic link
b  block file
c  character file
p  pipe file
s  socket file
● Permission Groups
-rw-r--r--. 1 root root 4135 May 27 21:08 /etc/passwd

The next nine characters show the permissions of the file. These determine the level of access a user will
have on the file.

○ User Owner:
-rw-r--r--. 1 root root 4135 May 27 21:08 /etc/passwd

Characters 2-4 indicate the permissions for the user that owns the file.

○ Group Owner:
-rw-r--r--. 1 root root 4135 May 27 21:08 /etc/passwd

Characters 5-7 indicate permissions for the group that owns the file.

○ Other Permissions:
-rw-r--r--. 1 root root 4135 May 27 21:08 /etc/passwd

Characters 8-10 indicate the permissions for others or what is sometimes referred to as the world's permissions.
Permission Types
● Each group is attributed three types of permissions: read, write, and
execute:

● Read:
○ File - allows process to read contents of the file, which means contents can be viewed and
copied.
○ Directory - The names of the files in the directory can be listed, but no other details are available.
● Write:
○ File - Can be written to by the process. The w permission requires r permission to work.

○ Directory - Files can be added to or removed from the directory. The w permission requires the x permission
to work.

● Execute:
○ File - a file can be executed or run as a process.
○ Directory - User can use the cd command to get into directory and use pathname to access files in
directory.
Example Scenario
Based on the following information, what access would the user bob have
on the file abc.txt?

drwxr-xr-x. 17 root root 4096 23:38 /

drwxr-xr--. 10 root root 128 03:38 /data

-rwxr-xr--. 1 bob bob 100 21:08 /data/abc.txt

Answer: None.
In order to do anything with the file, the user must first "get into" the /data directory. The permissions
for bob for the /data directory are the permissions for "others" (r--), which means bob can't even use
the cd command to get into the directory. If the execute permission (--x) was set for the directory, then the
user bob would be able to "get into" the directory, meaning the permissions of the file itself would apply.

drwxr-xr--. 10 root root 128 03:38 /data
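
The scenario above, as an added example that is not part of the original slides: a POSIX shell check that reads character 10 of `ls -ld` (the execute slot for others) on each directory leading to a file. The function names and the temporary directory layout are assumptions; the check covers only the "others" class and only directories from the given root down.

```shell
#!/bin/sh
# Added example: find the first directory that blocks a user in the
# "others" class from reaching a file.

# Print the 10th character of `ls -ld` output: the execute slot for others.
others_x() {
    ls -ld "$1" | cut -c10
}

# reach_as_other ROOT RELPATH
# Checks the execute (search) bit for others on ROOT and on every directory
# between ROOT and the final component of RELPATH.
# Prints "ok" or "blocked:<dir>"; returns 0 or 1.
reach_as_other() {
    dir=$1
    rest=$2
    while :; do
        case $(others_x "$dir") in
            x|t) ;;                       # t = execute plus sticky bit
            *) echo "blocked:$dir"; return 1 ;;
        esac
        case $rest in
            */*) dir=$dir/${rest%%/*}; rest=${rest#*/} ;;
            *) break ;;                   # only the file name is left
        esac
    done
    echo "ok"
}

# Constructed sandbox mirroring the slide: data/ and abc.txt are rwxr-xr--.
demo_scenario() {
    top=$(mktemp -d) || return 1
    chmod 755 "$top"
    mkdir "$top/data"
    touch "$top/data/abc.txt"
    chmod 754 "$top/data/abc.txt"
    chmod 754 "$top/data"                 # others: r--, no x
    before=$(reach_as_other "$top" data/abc.txt) || true
    chmod o+x "$top/data"                 # others: r-x
    after=$(reach_as_other "$top" data/abc.txt) || true
    rm -rf "$top"
    before=${before#"blocked:$top/"}      # keep only the blocking directory
    echo "$before $after"
}
```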


Changing Permissions
● The chmod (change mode) command changes permissions. Two techniques can be used with it: symbolic
and numeric.

● Symbolic Method
○ The chmod (change mode) command is used to change permissions on a file or directory.
○ Characters indicate which permission group (user, group, others) to apply the changes to:
○ Next, choose an indicator to indicate how to modify permissions:

○ Lastly, use the following characters to specify the permission type to change:

○ To give the user owner read permission on a file named abc.txt, you could use the
following command:
root@localhost:~# chmod u+r abc.txt
● Numeric Method
○ Based on the octal numbering system where each permission type is assigned a numeric
value.
○ Numeric values: 4 = Read, 2 = Write, 1 = Execute

○ By using a combination of numbers from 0 to 7, any possible combination of read, write and
execute permissions can be specified for a single permission group set:
7 = rwx 3 = -wx
6 = rw- 2 = -w-
5 = r-x 1 = --x
4 = r-- 0 = ---

○ To set the permissions of a file named abc.txt to be rwxr-xr-- you could use the
following command:
root@localhost:~# chmod 754 abc.txt
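
An added example, not part of the original slides, that puts the two notations side by side: numeric chmod replaces all nine permission bits, while symbolic chmod edits only the bits it names. The helper names `to_octal` and `mode_after` are assumptions; `u`, `g`, `o`, `+`, `-` and `=` are standard chmod symbolic syntax.

```shell
#!/bin/sh
# Added example: numeric chmod sets all nine bits; symbolic chmod edits some.

# to_octal PERMS -> octal mode for the nine rwx characters of an `ls -l`
# string such as -rwxr-xr-- (character 1, the file type, is skipped).
# Special bits (s, t) are outside this sketch and count as 0.
to_octal() {
    out=
    for start in 2 5 8; do
        triplet=$(printf '%s' "$1" | cut -c"$start"-"$((start + 2))")
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; esac
        out=$out$digit
    done
    echo "$out"
}

# mode_after CHMOD_ARG... -> octal mode of a scratch file after applying
# each chmod argument in order, starting from 000.
mode_after() {
    f=$(mktemp) || return 1
    chmod 000 "$f"
    for arg in "$@"; do
        chmod "$arg" "$f"
    done
    to_octal "$(ls -l "$f" | cut -c1-10)"
    rm -f "$f"
}

mode_after 754                  # 754
mode_after u=rwx,g=rx,o=r       # 754, the same mode spelled symbolically
mode_after 754 g+w,o-r          # 770, a relative edit keeps the other bits
mode_after 754 u+r              # 754, u+r changes nothing when r is already set
```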
Default Permissions
● The umask command is used to determine default permissions that are set when a file or
directory is created.
● The umask value is subtracted from the maximum allowable default permissions.
● Maximum default values for files and directories:

○ File = rw-rw-rw-

○ Directory = rwxrwxrwx
● The umask command can be used to display the current umask value:

sysadmin@localhost:~$ umask

0002

- First 0 means the umask is given as an octal number.
- Second 0 indicates which permissions to subtract from the default user owner's permissions.
- Third 0 indicates which permissions to subtract from the default group owner's permissions.
- Last 2 indicates which permissions to subtract from the default others' permissions.
● How does umask work?
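● Assume that the umask is set to 027:
File default 666
Umask -027
Result 640

● The subtraction is applied per permission, digit by digit, and a permission that is not in the default has nothing to remove: for others, rw- minus rwx leaves ---, so the last digit is 0.

● The 027 umask means that, by default, new files would receive 640 or rw-r----- permissions: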

sysadmin@localhost:~$ umask 027

sysadmin@localhost:~$ touch sample

sysadmin@localhost:~$ ls -l sample

-rw-r-----. 1 sysadmin sysadmin 0 Oct 28 20:14 sample
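
An added example, not part of the original slides, that computes the result of a umask as a bit mask and confirms it against a file and a directory actually created under that umask. The function names are assumptions; it also covers masks such as 033, where plain subtraction would give a wrong answer.

```shell
#!/bin/sh
# Added example: the umask clears permission bits; it is not decimal subtraction.

# apply_umask DEFAULT MASK -> resulting mode as three octal digits.
# DEFAULT is 666 for files and 777 for directories (the slide's maximums).
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# perms_of PATH -> the ten type/permission characters from `ls -ld`.
perms_of() {
    ls -ld "$1" | cut -c1-10
}

# created_with MASK -> permissions a new file and directory really receive.
# Runs in a subshell so the caller's umask is left untouched.
created_with() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        touch "$tmp/file"
        mkdir "$tmp/dir"
        echo "$(perms_of "$tmp/file") $(perms_of "$tmp/dir")"
        rm -rf "$tmp"
    )
}

apply_umask 666 027     # 640, the slide's example
apply_umask 777 027     # 750, the same mask applied to a new directory
apply_umask 666 033     # 644: the x bit in the mask has nothing to clear
created_with 027        # -rw-r----- drwxr-x---
```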
