
Chapter 6. Controlling Access to Files with Linux File System Permissions

Abstract

Goal: To set Linux file system permissions on files and interpret the security effects of different permission settings.

Objectives

  • Explain how the Linux file permissions model works.

  • Change the permissions and ownership of files using command-line tools.

  • Configure a directory in which newly created files are automatically writable by members of the group which owns the directory, using special permissions and default umask settings.

Sections
  • Linux File System Permissions (and Practice)

  • Managing File System Permissions from the Command Line (and Practice)

  • Managing Default Permissions and File Access (and Practice)

Lab
  • Controlling Access to Files with Linux File System Permissions

Linux File System Permissions

Interpret file and directory permissions as displayed with the ls command.

Objectives

After completing this section, students should be able to explain how the Linux file permissions model works.

Linux file system permissions

Access to files by users is controlled by file permissions. The Linux file permissions system is simple but flexible, which makes it easy to understand and apply, yet able to handle most common permission cases.

Files have just three categories of user to which permissions apply. The file is owned by a user, normally the one who created the file. The file is also owned by a single group, usually the primary group of the user who created the file, but this can be changed. Different permissions can be set for the owning user, the owning group, and for all other users on the system that are not the user or a member of the owning group.

Only the most specific category applies. If the user is the file's owner, the user permissions are used and the group and other permissions are ignored; otherwise, if the user is a member of the owning group, the group permissions are used; otherwise, the other permissions are used. Permissions from a less specific category never add to those of a more specific one, so an owner whose user permissions lack write cannot write the file even if the group or other permissions would allow it.

In the graphic that follows, joshua is a member of the groups joshua and web, while allison is a member of allison, wheel, and web. When joshua and allison have the need to collaborate, the files should be associated with the group web and the group permissions should allow the desired access.

Figure 6.1: Group membership illustration

There are also just three categories of permissions which apply: read, write, and execute. These permissions affect access to files and directories as follows:

Table 6.1. Effects of permissions on files and directories

    r (read)
        On a file:       Contents of the file can be read.
        On a directory:  Contents of the directory (file names) can be listed.

    w (write)
        On a file:       Contents of the file can be changed.
        On a directory:  Any file in the directory may be created or deleted.

    x (exec)
        On a file:       The file can be executed as a command.
        On a directory:  Contents of the directory can be accessed (dependent on the permissions of the files in the directory).

Note that users normally have both read and exec on read-only directories, so that they can list the directory and access its contents. If a user only has read access on a directory, the names of the files in it can be listed, but no other information, including permissions or time stamps, is available, nor can the files be accessed. If a user only has exec access on a directory, they cannot list the names of the files in the directory, but if they already know the name of a file which they have permission to read, then they can access the contents of that file by explicitly specifying the file name. Write permission on a directory is likewise only useful together with exec, since creating or deleting an entry requires the directory to be searched first.

A file may be removed by anyone who has write permission to the directory in which the file resides, regardless of the ownership or permissions on the file itself. (This can be overridden with a special permission, the sticky bit, which will be discussed at the end of the unit.)

Viewing file/directory permissions and ownership

The -l option of the ls command will expand the file listing to include both the permissions of a file and the ownership:

[student@desktopX ~]$ ls -l test
-rw-rw-r--. 1 student student 0 Feb  8 17:36 test

The command ls -l directoryname will show the expanded listing of all of the files that reside inside the directory. To prevent the descent into the directory and see the expanded listing of the directory itself, add the -d option to ls:

[student@desktopX ~]$ ls -ld /home
drwxr-xr-x. 5 root root 4096 Jan 31 22:00 /home
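The mode column above is easy to read by eye but awkward to audit across many files. The following is an added example, not part of the course text: a POSIX shell script that converts the mode field of an ls -l line into the equivalent four-digit octal mode and flags entries whose other class has write permission, distinguishing a world-writable directory that has the sticky bit (the /tmp pattern) from one that does not, which is the case the text warns about: anyone with write on such a directory can delete any file in it. The parser drops the "." or "+" that ls appends after the ten mode characters when an entry carries an SELinux context or an ACL, and it recognises the s/S and t/T characters ls shows in the execute slots for the setuid, setgid and sticky bits, since a parser that stops at rwx would misread /tmp. The listing in SAMPLE_LISTING is constructed for this example (its first two lines are the ones shown above); the other names are hypothetical.

```shell
#!/bin/sh
# Added example, not course code: turn the mode field of ls -l lines into
# octal and flag entries that the "other" class can write. The listing in
# SAMPLE_LISTING is constructed for this example; the names are hypothetical.

# class_to_digit RWX -> octal digit for one three-character class.
# The execute slot may show s/t (special bit set, plus execute) or S/T
# (special bit set, no execute), so only x, s and t count as 1.
class_to_digit() {
    d=0
    case "$1" in r??)     d=$((d + 4)) ;; esac
    case "$1" in ?w?)     d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# mode_to_octal MODE -> four-digit octal (special bits, user, group, other).
# ls appends "." when the entry has an SELinux context and "+" when it has
# an ACL; both are dropped, since only the first ten characters are mode.
mode_to_octal() {
    m=$(printf '%s' "$1" | cut -c1-10)
    u=$(printf '%s' "$m" | cut -c2-4)
    g=$(printf '%s' "$m" | cut -c5-7)
    o=$(printf '%s' "$m" | cut -c8-10)
    s=0
    case "$u" in ??[sS]) s=$((s + 4)) ;; esac   # setuid
    case "$g" in ??[sS]) s=$((s + 2)) ;; esac   # setgid
    case "$o" in ??[tT]) s=$((s + 1)) ;; esac   # sticky
    printf '%d%d%d%d\n' "$s" "$(class_to_digit "$u")" \
        "$(class_to_digit "$g")" "$(class_to_digit "$o")"
}

# classify_entry MODE -> one-word finding. A world-writable directory
# without the sticky bit lets any user delete any file in it, whatever
# that file's own owner and mode, so it is reported separately.
classify_entry() {
    m=$(printf '%s' "$1" | cut -c1-10)
    ftype=$(printf '%s' "$m" | cut -c1)
    o=$(printf '%s' "$m" | cut -c8-10)
    case "$ftype$o" in
        d?w[tT]) echo "world-writable-dir-sticky" ;;
        d?w?)    echo "world-writable-dir-no-sticky" ;;
        -?w?)    echo "world-writable-file" ;;
        *)       echo "ok" ;;
    esac
}

# audit_listing: read ls -l lines on stdin, print "OCTAL FINDING NAME".
# The name is taken as the last field, so names with spaces are not handled.
audit_listing() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        mode=${line%% *}
        name=${line##* }
        printf '%s %s %s\n' "$(mode_to_octal "$mode")" \
            "$(classify_entry "$mode")" "$name"
    done
}

# Constructed sample listing (first two lines match the ones shown above).
SAMPLE_LISTING='-rw-rw-r--. 1 student student 0 Feb  8 17:36 test
drwxr-xr-x. 5 root root 4096 Jan 31 22:00 /home
drwxrwxrwt. 20 root root 4096 Feb  8 17:40 /tmp
drwxrwxrwx. 2 student student 4096 Feb  8 17:41 shared
-rw-rw-rw-. 1 student student 12 Feb  8 17:42 notes.txt'

printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```

Run as a script it prints one line per entry, for example "0777 world-writable-dir-no-sticky shared"; feeding it real output with ls -l /some/dir | audit_listing works the same way, as long as the names contain no spaces.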

Note

Unlike NTFS permissions, Linux permissions only apply to the directory or file that they are set on. Permissions on a directory are not inherited automatically by the subdirectories and files within it. (The permissions on a directory may effectively block access to its contents, however.) All permissions in Linux are set directly on each file or directory.

The read permission on a directory in Linux is roughly equivalent to List folder contents in Windows.

The write permission on a directory in Linux is equivalent to Modify in Windows; it implies the ability to delete files and subdirectories. In Linux, if write and the sticky bit are both set on a directory, then only the user that owns a file or subdirectory in the directory may delete it, which is close to the behavior of the Windows Write permission.

Root has the equivalent of the Windows Full Control permission on all files in Linux. However, root may still have access restricted by the system's SELinux policy and the security context of the process and files in question. SELinux will be discussed in a later course.

Examples: Linux user, group, other concepts

Users and their groups:

    lucy     lucy,ricardo
    ricky    ricky,ricardo
    ethel    ethel,mertz
    fred     fred,mertz

File attributes (permissions, user & group ownership, name):

    drwxrwxr-x   ricky   ricardo   dir (which contains the following files)
      -rw-rw-r--   lucy    lucy      lfile1
      -rw-r--rw-   lucy    ricardo   lfile2
      -rw-rw-r--   ricky   ricardo   rfile1
      -rw-r-----   ricky   ricardo   rfile2
Allowed/denied behavior, with the permissions that control it:

lucy is the only person who can change the contents of lfile1.
    lucy has write permission on lfile1 as its owner. lucy is the only member of the group lucy, so the group permissions apply to no one else, and the permissions for other do not include write.

ricky can view the contents of lfile2, but cannot modify the contents of lfile2.
    ricky is a member of the group ricardo, and that group has read-only permissions on lfile2. Even though other has write permission, the group permissions are the ones that apply to ricky and the other permissions are not consulted.

ricky can delete lfile1 and lfile2.
    ricky has write permission on the directory containing both files, and as such he can delete any file in that directory, whatever the ownership or permissions of the file itself.

ethel can change the contents of lfile2.
    Since ethel is not lucy and is not a member of the ricardo group, the other permissions apply to her, and those include write permission.

lucy can change the contents of rfile1.
    lucy is a member of the ricardo group, and that group has both read and write permissions on rfile1.

ricky can view and modify the contents of rfile2. lucy can view but not modify the contents of rfile2. ethel and fred do not have any access to the contents of rfile2.
    ricky owns the file and has both read and write access to rfile2. lucy is a member of the ricardo group, and that group has read-only access to rfile2. The other permissions apply to ethel and fred, and those do not include read or write permission.
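As an added example (not course code), the following POSIX shell script models the access decision described at the start of the section and applies it to the users and files of this example, so that every verdict above can be reproduced mechanically. It picks exactly one permission class per user and file, the most specific one, and never consults the others, which is why ricky cannot write lfile2 even though other can. It also models the two directory rules from earlier in the section: reaching a file requires exec on the directory that holds it, and deleting a file requires write and exec on the directory regardless of the file's own mode or owner (the sticky bit, not set on dir here, would be the exception). One extra file, odd, is constructed for the example to show that an owner whose user class lacks write cannot write even though group and other can. The users, groups and file attributes are data tables inside the script; nothing touches the real file system.

```shell
#!/bin/sh
# Added example, not course code: a model of the Linux permission check for
# the lucy/ricky/ethel/fred example. The tables below copy the example's
# data plus one constructed file ("odd"); nothing here reads or changes the
# real file system.

# groups_of USER -> the groups USER belongs to (from the example's user list)
groups_of() {
    case "$1" in
        lucy)  echo "lucy ricardo" ;;
        ricky) echo "ricky ricardo" ;;
        ethel) echo "ethel mertz" ;;
        fred)  echo "fred mertz" ;;
        *)     echo "" ;;
    esac
}

# file_attrs NAME -> "MODE OWNER GROUP". Every plain file lives in "dir".
# "odd" is constructed: its owner has fewer rights than group and other.
file_attrs() {
    case "$1" in
        dir)    echo "drwxrwxr-x ricky ricardo" ;;
        lfile1) echo "-rw-rw-r-- lucy lucy" ;;
        lfile2) echo "-rw-r--rw- lucy ricardo" ;;
        rfile1) echo "-rw-rw-r-- ricky ricardo" ;;
        rfile2) echo "-rw-r----- ricky ricardo" ;;
        odd)    echo "-r--rw-rw- lucy ricardo" ;;
        *)      return 1 ;;
    esac
}

# in_group USER GROUP -> success if USER is a member of GROUP
in_group() {
    for g in $(groups_of "$1"); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# class_bits USER MODE OWNER GROUP -> the three characters of the one class
# that applies to USER. Owner wins over group, group over other, and the
# classes not chosen are never consulted, so an owner with "r--" stays
# read-only even when group or other have "rw-".
class_bits() {
    if [ "$1" = "$3" ]; then
        printf '%s' "$2" | cut -c2-4
    elif in_group "$1" "$4"; then
        printf '%s' "$2" | cut -c5-7
    else
        printf '%s' "$2" | cut -c8-10
    fi
}

# has USER FILE r|w|x -> success if USER's class on FILE grants that bit
has() {
    attrs=$(file_attrs "$2") || return 1
    set -- "$1" "$2" "$3" $attrs     # now $4=mode $5=owner $6=group
    bits=$(class_bits "$1" "$4" "$5" "$6")
    case "$3$bits" in
        rr??|w?w?|x??x) return 0 ;;
    esac
    return 1
}

# Reaching a file at all requires exec on the directory that holds it.
can_read()  { has "$1" dir x && has "$1" "$2" r; }
can_write() { has "$1" dir x && has "$1" "$2" w; }
# Deleting needs write and exec on the directory only; the file's own mode
# and owner are irrelevant (the sticky bit, not set on dir, is the exception).
can_delete() { has "$1" dir w && has "$1" dir x; }

# Stand-alone run: print what each user may do with each file.
for u in lucy ricky ethel fred; do
    for f in lfile1 lfile2 rfile1 rfile2 odd; do
        line="$u $f:"
        if can_read   "$u" "$f"; then line="$line read";   fi
        if can_write  "$u" "$f"; then line="$line write";  fi
        if can_delete "$u" "$f"; then line="$line delete"; fi
        echo "$line"
    done
done
```

The output line "lucy odd: read delete" alongside "ethel odd: read write" is the point of the constructed file: the owner is held to her own class, while ethel, matched by other, can write. Deletion shows up for lucy and ricky only, because they are the only two with write on dir (ricky as owner, lucy via ricardo).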

References

ls(1) man page

info coreutils (GNU Coreutils)

  • Section 13: Changing file attributes

Revision: rh124-7-1b00421