Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Chapter 7. Control Access to Files

Section Interpret Linux File System Permissions

SectionObjectives
SectionLinux File-system Permissions
SectionView File and Directory Permissions and Ownership
SectionExamples of Permission Effects

Quiz: Interpret Linux File System Permissions

Manage File System Permissions from the Command Line

Objectives
Change File and Directory Permissions
Change File and Directory User or Group Ownership

Guided Exercise: Manage File System Permissions from the Command Line

Manage Default Permissions and File Access

Objectives
Special Permissions
Default File Permissions

Guided Exercise: Manage Default Permissions and File Access

Lab: Control Access to Files

Summary

Abstract

Goal	Set Linux file-system permissions on files and interpret the security effects of different permission settings.
Objectives	List file-system permissions on files and directories, and interpret the effects of those permissions on access by users and groups. Change the permissions and ownership of files with command-line tools. Control the default permissions of user-created files, explain the effects of special permissions, and use special and default permissions to set the group owner of files that are created in a directory.
Sections	Interpret Linux File System Permissions (and Quiz) Manage File System Permissions from the Command Line (and Guided Exercise) Manage Default Permissions and File Access (and Guided Exercise)
Lab	Control Access to Files

Interpret Linux File System Permissions

Objectives

List file system permissions on files and directories, and interpret the effect of those permissions on access by users and groups.

Linux File-system Permissions

File permissions control access to files. Linux file permissions are flexible and can handle most normal permission cases.

Files have three user categories that permissions apply to. The file is owned by a user, normally the file creator. The file is also owned by a single group, which is usually the primary group of the user who created the file, but you can change it.

You can set different permissions for the owning user (user permissions), the owning group (group permissions), and for all other users on the system that are not the user or a member of the owning group (other permissions).

The most specific permissions take precedence. User permissions override group permissions, which override other permissions.

As an example of how group membership enables collaboration between users, imagine that your system has two users: alice and bob. alice is a member of the alice and web groups, and bob is a member of the bob, wheel, and web groups. When alice and bob work together, the files should be associated with the web group, and group permissions should allow both users to have access to the files.

Three permission categories apply: read, write, and execute. The following table explains how these permissions affect access to files and directories.

Table 7.1. Effects of Permissions on Files and Directories

Permission	Effect on files	Effect on directories
`r` (read)	File contents can be read.	Contents of the directory (the file names) can be listed.
`w` (write)	File contents can be changed.	Any file in the directory can be created or deleted.
`x` (execute)	Files can be executed as commands.	The directory can become the current working directory. You can run the `cd` command to it, but it also requires read permission to list files there.

Users normally have both read and execute permissions on read-only directories so that they can list the directory and have read-only access to all of its contents. If a user has only read access on a directory, then they can list the names of the files in it. However, the user cannot access other information, such as permissions or time stamps. If a user has only execute access on a directory, then they cannot list file names in the directory. If they know the name of a file that they have permission to read, then they can access the contents of that file from outside the directory by explicitly specifying the relative file name.

Anyone who owns or has both write and execute permissions on a directory can remove files from it, regardless of the ownership or permissions on the file itself. You can override this behavior by using the sticky bit permission, to be discussed later in this chapter.

Note

Linux file permissions work differently from the Microsoft NTFS file-system permissions. On Linux, permissions apply only to the file or directory on which they are set. The subdirectories within a directory do not automatically inherit the parent directory's permissions. However, directory permissions can block access to the directory contents, if they are set restrictively.

The read permission on a Linux directory is similar to List folder contents in Windows. The write permission on a Linux directory is similar to Modify in Windows; it implies the ability to delete files and subdirectories. In Linux, with write permissions and the sticky bit on a directory, then only the user or group owner can delete files, which is similar to the Windows Write behavior.

The Linux root user has the equivalent of the Windows Full Control permission on all files. However, SELinux policy can use process and file security contexts to restrict access even to the root user. SELinux is discussed in the Red Hat System Administration II (RH134) course.

View File and Directory Permissions and Ownership

The ls command -l option shows detailed information about permissions and ownership:

[user@host ~]$ ls -l test
-rw-rw-r--. 1 student student 0 Mar  8 17:36 test

Use the ls command -d option to show detailed information about a directory itself, and not its contents.

[user@host ~]$ ls -ld /home
drwxr-xr-x. 5 root root 4096 Feb 31 22:00 /home

The first character of the long listing is the file type, and is interpreted as follows:

- is a regular file.
d is a directory.
l is a symbolic link.
c is a character device file.
b is a block device file.
p is a named pipe file.
s is a local socket file.

The next nine characters represent the file permissions. These characters are interpreted as three sets of three characters: The first set are permissions that apply to the file owner. The second set are for the file's group owner. The last set applies to all other (world) users. If a set is an rwx string, then that set has all three permissions: read, write, and execute. If a letter is replaced by a - dash character, then that set does not have that permission.

After the second column (the link count), the first name specifies the file owner, and the second name is the file's group owner.

In the first example, the permissions for the student user are the first set of three characters. The student user has read and write permissions on the test file, but not execute permission. The second set of three characters are the permissions for the student group: read and write permissions on test, but not execute permission. The third set of three characters are the permissions for all other users: only read permission on test.

The most specific set of permissions applies. So if the student user has different permissions from the student group, and the student user is also a member of that group, then only the user owner permissions apply. This permission allows setting a more restrictive set of permissions on a user than their group membership provides, when it might not be practical to remove the user from the group.

Examples of Permission Effects

The following examples illustrate how file permissions interact. For these examples, your system has four users with the following group memberships:

User	Group Memberships
`operator1`	operator1, consultant1
`database1`	database1, consultant1
`database2`	database2, operator2
`contractor1`	contractor1, operator2

Those users work with files in the dir directory. A long listing of the files in that directory is as follows:

[database1@host dir]$ ls -la
total 24
drwxrwxr-x.  2 database1 consultant1   4096 Mar  4 10:23 .
drwxr-xr-x. 10 root      root          4096 Mar  1 17:34 ..
-rw-rw-r--.  1 operator1 operator1     1024 Mar  4 11:02 app1.log
-rw-r--rw-.  1 operator1 consultant1   3144 Mar  4 11:02 app2.log
-rw-rw-r--.  1 database1 consultant1  10234 Mar  4 10:14 db1.conf
-rw-r-----.  1 database1 consultant1   2048 Mar  4 10:18 db2.conf

The ls command -a option shows the permissions of hidden files, including the special files to represent the directory and its parent. In this example, the . special directory reflects the permissions of dir itself, and the .. special directory reflects the permissions of its parent directory.

For the db1.conf file, the user that owns the file (database1) has read and write permissions but not execute permission. The group that owns the file (consultant1) has read and write permissions but not execute permission. All other users have read permission but not write or execute permissions.

The following table explores some effects of this set of permissions for these users:

Effect	Why is this effect true?
The `operator1` user can change the contents of the `db1.conf` file.	The `operator1` user is a member of the `consultant1` group, and that group has both read and write permissions on the `db1.conf` file.
The `database1` user can view and modify the contents of the `db2.conf` file.	The `database1` user owns the `db2.conf` file and has both read and write access.
The `operator1` user can view but not modify the contents of the `db2.conf` file.	The `operator1` user is a member of the `consultant1` group, and that group has only read access to the `db2.conf` file.
The `database2` and `contractor1` users do not have any access to the contents of the `db2.conf` file.	The `other` permissions apply to the `database2` and `contractor1` users, and those permissions do not include the read or write permission.
The `operator1` user is the only user who can change the contents of the `app1.log` file.	The `operator1` user and members of the `operator1` group have write permission on the file, whereas other users do not. However, the only member of the `operator1` group is the `operator1` user.
The `database2` user can change the contents of the `app2.log` file.	The `database2` user is not the owner of the `app2.log` file and is not in the `consultant1` group, and so the `other` permissions apply. The `other` permissions grant write permission to the file.
The `database1` user can view the contents of the `app2.log` file, but cannot modify the contents of the `app2.log` file.	The `database1` user is a member of the `consultant1` group, and that group has only read permissions on the `app2.log` file. Even though the `other` permissions include write permission, the group permissions take precedence.
The `database1` user can delete the `app1.log` and `app2.log` files.	The `database1` user has write permissions on the `dir` directory, which the `.` special directory shows, and therefore can delete any file in that directory. This operation is possible even if the `database1` user does not have write permission on the files directly.

References

ls(1) man page

info coreutils (GNU Coreutils)

Section 13: Changing File Attributes

Discuss Red Hat System Administration I

Go to community

RH124 Chapter 15 Lab 3: Install zsh Package

VictoriaB97

16 sty 2024

Hello,I am trying to finish up Lab 3 of the Chapter 15 Comprehensive Review Labs in RH124, and when I type in sudo dnf install zsh for the 6th specification of the lab, I get an error message basically saying that it failed to download metadata for the repo 'ansible-2.9-for-rhel-9-x86_64-rpms', and that they could not download repomd.xml. It provided a 404 status code.Can someone please let me know what the problem is, and if there is a current workaround? Thanks.

378

Red Hat System Administration I | Guided Exercise: Explain and Investigate RPM Software Pack

AbeHiero

10 lis 2023

I cannot start the lab with command: lab start software-rpm. I get this error:ModuleNotFoundError: No module named 'rhcsa-classroom'Script software-rpm not in course library rhcsa-classroom Anyone else see this?

1183

Red Hat System Administration I (RH124)

Haley_Ruccio

19 lip 2023

The first of two courses covering the core system administration tasks needed to manage Red Hat Enterprise Linux serversRed Hat System Administration I (RH124) is designed for IT professionals without previous Linux system administration experience. The course provides students with Linux administration competence by focusing on core administration tasks. This course also provides a foundation for students who plan to become full-time Linux system administrators by introducing key command-line concepts and enterprise-level tools. This course is the first of a two-course series that takes a computer professional without Linux system administration knowledge to become a fully capable Linux administrator. These concepts are further developed in the follow-on course, Red Hat System Administration II (RH134).This course is based on Red Hat® Enterprise Linux 9.0.Course content summaryIntroduce Linux and the Red Hat Enterprise Linux ecosystem.Run commands and view shell environments.Manage, organize, and secure files.Manage users, groups and user security policies.Control and monitor systemd services.Configure remote access using the web console and SSH.Configure network interfaces and settings.Manage software using DNFAudience for this courseThe primary persona is a technical professional with current or pending responsibilities as a Linux enterprise or cloud system administrator.This course is popular in Red Hat Academy, and is targeted at the student who is planning to become a technical professional using Linux.Prerequisites for this courseBasic technical user skills with computer applications on some operating systems are expected.Take our free assessment to gauge whether this offering is the best fit for your skills.Technology considerationsThere are no special technical requirements for this course.This course is not designed for bring your own device (BYOD).Internet access is not required but is recommended so that students can research and browse Red Hat online resources.

336

Revision: rh124-9.3-770cc61