*nix Commands: 102 - Part 2: Tha Perms
Results 1 to 8 of 8

Thread: *nix Commands: 102 - Part 2: Tha Perms

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324

    Post *nix Commands: 102 - Part 2: Tha Perms

    *nix Commands: Tha' Perms

    Ok. For this section we are going to cover an introduction to files and navigation. As a reminder who think I should add something more, please send it to me as a PM. There are many tutorials envisioned for the *nix commands and everything shall be done step-by-step rather than to throw everything out at once.

    Let's begin with the concept of permissions. As many of you know and realize *nix is an excellent server based OS and was developed as such right from the beginning. As such, users had to be kept from getting into each other's files and stuff. File names and directory names can be up to 256 characters in length. Any combination of numbers and letters are allowed but it is recommended not to use special characters as they have meaning to the OS. Some special characters like . are used to hide files or identify system files. These can be seen through the usage of ls -a. If you think someone has been into your *nix box, always check for these kinds of hidden files or directories.

    I created a dumdumfile for this section. (Editor's Note:you'll see me reference these a lot. I might actually post some labs for the tutorials, perhaps here or on my website when I update it this month (yes, I will update it!)). The example I will use is from my RH box:

    -rw-rw-r-- 1 mittens mittens 0 Dec 13 10:46 dumdumfile

    This is further divided down into the following areas:

    - = column 0 represents whether this is a file, directory or link; - means file, d means directory, l means link

    rw-rw-r-- = is divided into 3 sections: columns 1-3 (rw-) represents permissions for owner/user, columns 4-6 (rw-) represents permissions for group and columns 7-9 represents permissions for everyone else or other.

    1 = number of absolute links to the location. Files have 1 while directories have at least 2, one for the directory and one for it's parent directory

    mittens = name of the owner/user of the file/directory

    mittens = name of the group that has permission to the file

    0 = size of the file/directory in bytes

    Dec 13 10:46 = date of creation/modification/access

    dumdumfile = name of file or directory

    Now what is important to us is really the permissions for owner, group and others (everyone else). You'll notice that they are in groups of three. Permissions are assigned by a combination of r (read), w (write) and x (execute). To assign or alter permissions you would use:

    chmod permissions <file/directory name>: prounounced as ch-mod and basically, to my understanding, means change mode. The permissions can either be added in the octal (numeric) method or the character (alphabetical) method. Now, the combination of permissions has an affect as to how one can use the file or directory.

    For files:
    r only = allows you to read the files contents
    rw = allows you to read and modify the files contents
    rx = allows you to read and execute (assuming its a program or a script)

    For directories:
    r only = allows you to see what is in the directory (files and subdirectories) using ls
    rx = allows you to get a long listing (ls -l) of the directory as well as navigate into it
    wx = allows you to create and delete directory contents
    x = allows you to move into a directory

    Remember that directory permissions affect the contents of the directory while file permissions affect the contents of the file. You'll notice that both are very similar in their concept. That is because *nix views everything that is on it -- you as a user, the files, the directories, the components, etc. -- as a series of files. Everything to *nix kernel and OS is a file.

    Now that said, if I wanted to change the permissions of my dumdumfile to ensure that no one but me has access I can use either method:

    chmod u+rwx,go-rwx dumdumfile

    This would result as such:

    -rwx------ 1 mittens mittens 0 Dec 13 10:46 dumdumfile

    This would be the character method. The character method identifies the various permissions by their starting letter -- r, w and/or x -- and the users/groups by the starting letter: u = user/owner, g = users group, o = others/everyone else. By simply adding a permission or subtracting a permission you can alter the permissions. You need not add or subtract them all at once. I may decide that others should be allowed to read the file:

    chmod o+r dumdumfile

    results in perms as:

    -rw----r-- 1 mittens mittens 0 Dec 13 10:46 dumdumfile

    Simple. Easy enough. But what about octal method? Well, much like any computer system, *nix likes it's binary. You can find my tutorial on Binary here: http://www.antionline.com/showthread...hreadid=124423 . Remember that there are only 3 permissions. Which results in the following:

    rwx **decimal **perm
    0011x
    0102w
    0113wx
    1004r
    1015rx
    1106rw
    1117rwx

    So if I wanted to alter my permissions on my dumdumfile (say its a script and I want my group and others to be able to use it but not modify it) I would then try:

    chmod 755 dumdumfile

    results in perms as:

    -rwxrw-rw- 1 mittens mittens 0 Dec 13 10:46 dumdumfile

    Now, with the octal method this is an all or nothing. You cannot assign individual permissions but have to assign all the permissions needed. Sort of an all or nothing kind of deal. Play with some dumdum files and directories experimenting with the permissions to see more as to how they work. Ah but we need to know how to create those dumdum files and directories now, don't we?

    Well for that we have two commands we can use:
    touch <filename>: Touch creates an empty file.

    file <filename/directory name>: tells you what kind of "file" something is. i.e., is it an ascii file, executable, script, directory, etc.

    I had to edit this after reading some of the comments thus far. It had occurred to me to put this in but when a tutorial gets long I sometimes forget. By default, when a file is first created or a directory created they each have permissions of 666 and 777 respectively. Files do not have execute enabled by default because not all files will be scripts or programs. Directories, however, do need to be navigated into.

    Now, if I wanted to ensure a secure system where users weren't getting into each other's stuff, I'd have to go and manually change everything, right? Well, nope.

    umask value: refers to user mask. And basically removes the permissions you do not want to apply. The most common permission that we don't want to have is write of course, especially for our group and everyone else. So if I want to make sure that when I create files that permission is removed I would type umask 022. This will remove only the write permission every time I create a file or directory. Note that this applies only to new files. Existing files permissions will not be changed. (Note: there is no DOS command to match this one)

    mkdir -p <directory(ies)>: to create a single directory use, mkdir directory name. To create a directory with subdirectories use the option -p. As an example I could create mkdir -p dir1/dir2/dir3 dir4. (note the space in between dir3 and dir4) This would result in two directories being created in my present location and dir1 would have a subdirectory of dir2 with a subdirectory of dir3.

    I'm going to finish this off with the navigation command, cd. Much like it's DOS child, cd allows you to "change directory". Typing cd by itself results in being taken back to the home directory of the user you are logged in as. You can cd to the parent directory by typing cd ... Note the spaces. Unlike DOS, *nix is not forgiving with this command if you forget the spaces.

    *nix CommandDOS Command
    cdcd
    chmodattrib (this is the closest that exists)
    mkdirmd
    mkdirno true equivilant other than multiple mds
    touchno equivilant in DOS; in Windows you can create empty files by right-clicking on the desktop
    ls -adir /ah

    My next tutorial will probably cover commands that allow us to copy files, remove files and move/rename files. In addition, I will cover the differences between absolute addressing and relative addressing in*nix. As you may have noticed, their ain't no drive letters! Eeep!
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    677
    Good tutorial, It certainly refreshed my memory!

    I usually do file permissions and file manipulation from inside X, well, KDE really, so it's just a case of clicking a box, but thanks for refreshing my memory on the command-line way of doing things, its always useful if the machine refuses to boot up for some reason!
    One Ring to rule them all, One Ring to find them.
    One Ring to bring them all and in the darkness bind them.
    (The Lord Of The Rings)
    http://www.bytekill.net

  3. #3
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,540

    CHMOD

    Some remark while playing with CHMOD:

    Beware 666 and 777. Biblical implications aside, either of these settings will allow everyone to read and write to a file or directory. Such settings as these could allow tampering with sensitive files, so in general, it's not a good idea to allow these settings. (See: RedHat Linux 6.1 Reference Guide )

    (Just some remark cause you were speaking about Dumdum files.)


  4. #4
    larryjs
    Guest
    yes victorkaum thats right...better yet look out for the deadly umask command (esp 666) as it sets your default permissions for file viewing

  5. #5
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,540

    Thumbs up umask

    Indeed: didn't thought about that one
    thnx larrjs

  6. #6
    Senior Member
    Join Date
    Jul 2001
    Posts
    138
    I suggested Ms Mittens mention this for the Linux users. She asked me to say something about it, so I just copied the man file that came with my Mandrake distro. This way I won't forget an important option. This only works on Linux (so far as I know) because it sets bits specific to the ext2 or ext3 file system. This is great for modifying files that you don't want deleted on accident (by intruders) or overwritten with bogus information. An example would be system log files. (as well as system commands) Two important options are:
    +a for append only mode and
    +i for immutable (can't be deleted or modified)
    Enjoy:

    CHATTR(1)

    NAME
    chattr - change file attributes on a Linux second extended
    file system

    SYNOPSIS
    chattr [ -RV ] [ -v version ] [ mode ] files...

    DESCRIPTION
    chattr changes the file attributes on a Linux second
    extended file system.

    The format of a symbolic mode is +-=[ASacdisu].

    The operator `+' causes the selected attributes to be
    added to the existing attributes of the files; `-' causes
    them to be removed; and `=' causes them to be the only
    attributes that the files have.

    The letters `ASacdijsu' select the new attributes for the
    files: don't update atime (A), synchronous updates (S),
    append only (a), compressed (c), no dump (d), immutable
    (i), data journalling (j), secure deletion (s), and
    undeletable (u).

    OPTIONS
    -R Recursively change attributes of directories and
    their contents. Symbolic links encountered during
    recursive directory traversals are ignored.

    -V Be verbose with chattr's output and print the pro*
    gram version.

    -v version
    Set the file's version/generation number.

    ATTRIBUTES
    When a file with the 'A' attribute set is modified, its
    atime record is not modified. This avoids a certain
    amount of disk I/O for laptop systems.

    A file with the `a' attribute set can only be open in
    append mode for writing. Only the superuser can set or
    clear this attribute.

    A file with the `c' attribute set is automatically com*
    pressed on the disk by the kernel. A read from this file
    returns uncompressed data. A write to this file compresses
    data before storing them on the disk.

    A file with the `d' attribute set is not candidate for
    backup when the dump(8) program is run.

    A file with the `i' attribute cannot be modified: it can*
    not be deleted or renamed, no link can be created to this
    file and no data can be written to the file. Only the
    superuser can set or clear this attribute.

    A file with the `j' attribute has all of its data written
    to the ext3 journal before being written to the file
    itself, if the filesystem is mounted with the
    "data=ordered" or "data=writeback" options. When the
    filesystem is mounted with the "data=journalled" option
    all file data is already journalled and this attribute has
    no effect.

    When a file with the `s' attribute set is deleted, its
    blocks are zeroed and written back to the disk.

    When a file with the `S' attribute set is modified, the
    changes are written synchronously on the disk; this is
    equivalent to the `sync' mount option applied to a subset
    of the files.

    When a file with the `u' attribute set is deleted, its
    contents are saved. This allows the user to ask for its
    undeletion.

    AUTHOR
    chattr was written by Remy Card <Remy.Card@linux.org>.

    BUGS AND LIMITATIONS
    As of Linux 2.2, the `c', 's', and `u' attribute are not
    honored by the kernel filesystem code. These attributes
    will be implemented in a future ext2 fs version.

    The `j' option is only useful if the filesystem is mounted
    as ext3.

    AVAILABILITY
    chattr is part of the e2fsprogs package and is available
    from http://e2fsprogs.sourceforge.net.
    -----------------------------------------------------
    Warfare is the Way of deception.
    -Sun Tzu \"The Art of War\"

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    touch***************************no equivilant in DOS; in Windows you can create empty files by right-clicking on the desktop
    Not entirely true. You can achieve the same thing in DOS by using:
    echo "" > filename.

    Also, it might be worth mentioning that chmod +s filename will force a script to execute as its owner. This is useful for creating scripts for applications that don't need root permissions, but will be run by the init process as root.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  8. #8
    thanks for the tut toots. (no offense for all those femiNazis out here.)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides