LPI Linux Certification in a Nutshell

Authors: Adam Haeder; Stephen Addison Schneiter; Bruno Gomes Pessanha; James Stanger

Setting Access Modes

New files are created with a default access mode to automatically set the permission levels. Regardless of your default umask, access modes on existing files can be changed or modified at will.

New files

When new files are created, the protection bits are set according to the user's default setting. That default is established using the umask command, probably in a startup script. This command accepts only one argument, which is a three-digit octal string that masks the user, group, and other permission bits for newly created files and directories. Without a value, umask reports the current value:

$ umask
0022

When provided with an integer, umask sets the value for the current shell:

$ umask 2
$ umask
0002

A umask of 22 can be rewritten as 022, or as 000010010 in binary.

The process of creating the initial mode for newly created files begins with a raw initial mode string, as defined in Table 7-4.

Table 7-4. Initial access modes

Form        For files    For directories
Symbolic    rw-rw-rw-    rwxrwxrwx
Binary      110110110    111111111
Octal       6 6 6        7 7 7

The special bits are always turned off and are not masked by the umask. When a file is created, the umask is subtracted from 666; for directories, it is subtracted from 777. This calculation yields the effective protection mode for the file or directory. For example, a umask of 22 (022) is applied to a new file, masking the write permission for group and other user classes:

  110 110 110
- 000 010 010
-------------
  110 100 100

This is the same as mode 644, or rw-r--r--.

Using the same mask on a directory yields a similar result:

  111 111 111
- 000 010 010
-------------
  111 101 101

This is the same as mode 755, or rwxr-xr-x, which is appropriate for directories. A umask of 002 or 022 is typical, although if you wish to ensure maximum privacy, a umask of 077 blocks all access except for the superuser. To set a custom umask, enter the umask command in a startup script, such as ~/.bash_profile. Here's an example of the umask in action:

$ umask 27
$ touch afile
$ mkdir adir
$ ls -ld adir afile
drwxr-x--- 2 jdean jdean 1024 Jan 2 20:31 adir
-rw-r----- 1 jdean jdean 0 Jan 2 20:31 afile

In this case, the umask of 27 makes the file afile read-only to members of the group and disallows access to the file to all others.
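The calculation above, as an added shell example that is not from the book: effective_mode clears the umask bits from the base mode (666 for files, 777 for directories) with a bitwise AND, which is what the kernel does and which agrees with the book's column-wise subtraction for the usual masks; observed_modes then creates a real file and directory under a given umask in a scratch directory and reads the resulting modes back. The function names, the scratch directory from mktemp and the use of stat -c are the example's own assumptions; it needs GNU coreutils and no privileges.

```shell
#!/bin/sh
# Added example, not from the book. Assumes GNU coreutils (stat -c, mktemp -d).

# effective_mode BASE UMASK
#   Prints BASE (octal, e.g. 666 or 777) with the UMASK bits cleared.
#   The kernel computes BASE & ~UMASK; for the usual masks (002, 022, 027)
#   this equals the book's column-wise subtraction, but it never borrows:
#   666 with umask 077 yields 600, not an arithmetic 666 - 077.
effective_mode() {
    base=$((0$1))            # leading 0 forces octal interpretation
    mask=$((0$2))
    printf '%03o\n' $((base & ~mask))
}

# observed_modes UMASK
#   Creates a file and a directory under UMASK in a throwaway directory and
#   prints their actual modes as "FILE DIR", e.g. "640 750" for umask 027.
observed_modes() {
    scratch=$(mktemp -d)
    # umask applies to the current shell only, so set it in a subshell to
    # leave the caller's mask untouched.
    ( umask "$1"; touch "$scratch/afile"; mkdir "$scratch/adir" )
    f=$(stat -c %a "$scratch/afile")
    d=$(stat -c %a "$scratch/adir")
    rm -rf "$scratch"
    printf '%s %s\n' "$f" "$d"
}

# Stand-alone run: compare predicted and observed modes for common masks.
for m in 002 022 027 077; do
    echo "umask $m: predicted $(effective_mode 666 "$m") $(effective_mode 777 "$m"), observed $(observed_modes "$m")"
done
```

The predicted and observed columns agree for every mask, including 077, where the arithmetic reading of "subtract" would give a wrong answer.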

As you can see in the output of the previous example, ls adds an extra letter at the beginning of the mode string for the adir directory. This symbol indicates the type of file being listed and is not part of the access mode. The letter d indicates a directory, a - indicates a regular file, the letter l indicates a symbolic link, a b indicates a block device (such as a disk), and a c indicates a character device (such as a terminal).

Changing access modes

Access modes can be changed with the chmod command, which accepts either octal or symbolic access mode specifications. Octal bits, as shown in the previous section, are specified explicitly. However, some people prefer to use symbolic forms because they usually modify an existing mode instead of completely replacing it. Symbolic mode specifications have three parts, made up of individual characters, as shown in Table 7-5.

Table 7-5. Symbolic modes for the chmod command

Category      Mode   Description
User class    u      User
              g      Group
              o      Other
              a      All classes
Operation     -      Take away permission
              +      Add permission
              =      Set permission exactly
Permissions   r      Read permission
              w      Write permission
              x      Execute permission
              X      Execute permission for directories and files with another execute permission, but not plain files
              s      SUID or SGID permissions
              t      Sticky bit

The individual user class characters and permissions characters may be grouped to form compound expressions, such as ug for user and group combined or rw for read and write. Here are some examples of symbolic mode specifications:

u+x
    Add execute permission for the user.

go-w
    Remove write permission from group and other classes.

o+t
    Set the sticky bit.

a=rw
    Set read and write, but not execute, permissions for everyone.

a+X
    Give everyone execute permission for directories and for those files with any existing execute permission.

The chmod command is used to modify the mode.

Setting Up a Workgroup Directory

The steps you may use to create a useful workgroup directory for a small team of people are briefly described here. The goals of the directory are as follows:

  • The workgroup is to be called sales and has members jdoe, bsmith, and jbrown.

  • The directory is /home/sales.

  • Only the creators of files in /home/sales should be able to delete them.

  • Members shouldn't worry about file ownership, and all group members require full access to files.

  • Nonmembers should have no access to any of the files.

The following steps will satisfy the goals:

  1. Create the new group:

     # groupadd sales

  2. Add the existing users to the group:

     # usermod -a -G sales jdoe
     # usermod -a -G sales bsmith
     # usermod -a -G sales jbrown

  3. Create a directory for the group:

     # mkdir /home/sales

  4. Set the ownership of the new directory:

     # chgrp sales /home/sales

  5. Protect the directory from others:

     # chmod 770 /home/sales

  6. Set the SGID bit to ensure that the sales group will own all new files. Also set the sticky bit to protect files from deletion by nonowners:

     # chmod g+s,o+t /home/sales

  7. Test it:

     # su - jdoe
     $ cd /home/sales
     $ touch afile
     $ ls -l afile
     -rw-rw-r-- 1 jdoe sales 0 Jan 3 02:44 afile
     $ exit
     # su - bsmith
     $ cd /home/sales
     $ rm afile
     rm: cannot unlink 'afile': Operation not permitted

After the ls command, we see that the group ownership is correctly set to sales. After the rm command, we see that bsmith cannot delete afile, which was created by jdoe. We also note that although afile has mode 664, the directory containing it has mode 770, preventing other users from reading the file.

On the Exam

For the exam, you should be prepared to answer questions on file and directory permissions in both symbolic and numeric (octal) forms. You should also be able to translate between the two forms given an example.
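Steps 5 and 6 of the recipe, carried out as an added shell example that is not the book's own code: setup_workgroup_dir applies chmod 770 and g+s,o+t to a directory and returns the resulting mode bits, verify_workgroup_dir checks the symbolic mode string for exactly the shape the goals require (rwxrws--T: full access for owner and group, SGID, sticky, nothing for others), and new_file_inherits_group confirms that a file created inside picks up the directory's group, which is what the SGID bit provides. The group creation and chgrp steps need root and are left out, so the directory keeps the caller's primary group rather than sales; a scratch directory from mktemp stands in for /home/sales, and stat -c is a GNU coreutils assumption.

```shell
#!/bin/sh
# Added example, not from the book. Assumes GNU coreutils (stat -c, mktemp -d)
# and no privileges: groupadd/usermod/chgrp are omitted, so the directory keeps
# the caller's primary group instead of "sales".

# setup_workgroup_dir DIR
#   Steps 5 and 6 of the recipe; prints the resulting mode, expected 3770
#   (2000 SGID + 1000 sticky + 770).
setup_workgroup_dir() {
    chmod 770 "$1"
    chmod g+s,o+t "$1"
    stat -c %a "$1"
}

# verify_workgroup_dir DIR
#   Prints "ok" when DIR is a directory showing rwxrws--T (or --t), i.e.
#   owner and group have full access, SGID and sticky are set, and others
#   have nothing. Otherwise prints the mode that was found, which makes this
#   a quick check that a later chmod has not silently opened the directory.
verify_workgroup_dir() {
    sym=$(stat -c %A "$1")
    case "$sym" in
        drwxrws--[Tt]) echo ok ;;
        *) echo "unexpected mode: $sym ($(stat -c %a "$1"))" ;;
    esac
}

# new_file_inherits_group DIR
#   Creates a file in DIR and prints "yes" if its group id equals DIR's
#   group id, which SGID on the directory guarantees regardless of the
#   creating user's primary group. The file is removed afterwards.
new_file_inherits_group() {
    f="$1/afile"
    touch "$f"
    dir_gid=$(stat -c %g "$1")
    file_gid=$(stat -c %g "$f")
    rm -f "$f"
    if [ "$dir_gid" = "$file_gid" ]; then echo yes; else echo no; fi
}

# Stand-alone run against a scratch directory.
scratch=$(mktemp -d)
echo "mode after setup: $(setup_workgroup_dir "$scratch")"
echo "check: $(verify_workgroup_dir "$scratch")"
echo "new file inherits group: $(new_file_inherits_group "$scratch")"
rm -rf "$scratch"
```

The deletion test from step 7 (bsmith failing to remove jdoe's file) needs two accounts and is not reproduced here; the mode check is the part that can be run by any user and is the one to rerun after any recursive chmod touches the tree.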

Name

chmod

Syntax

chmod [options] symbolic_mode[,symbolic_mode]... files
chmod [options] octal_mode files
chmod [options] --reference=rfile files

Description

Modify the access mode on files. In the first form, use one or more comma-separated symbolic_mode specifications to modify files. In the second form, use an octal_mode to modify files. In the third form, use the mode of rfile as a template to be applied to files.

Frequently used options

-c
    Like verbose mode, but report only changes.

-R
    Use recursive mode, descending through directory hierarchies under files and making modifications throughout.

-v
    Use verbose behavior, reporting actions for all files.

Example 1

Set the mode for a file to rw-r--r--, using an octal specification:

$ chmod 644 afile
$ ls -l afile
-rw-r--r-- 1 jdean jdean 0 Jan 2 20:31 afile

Example 2

Set the same permission using a symbolic specification, using the verbose option:

$ chmod -v u=rw,go=r afile
mode of afile retained as 0644 (rw-r--r--)

Example 3

Recursively remove all permissions for other on a directory:

$ chmod -R -v o-rwx adir
mode of adir retained as 0770 (rwxrwx---)
mode of adir/file1 changed to 0660 (rw-rw----)
mode of adir/file2 changed to 0660 (rw-rw----)
mode of adir/file3 changed to 0660 (rw-rw----)
mode of adir/file4 changed to 0660 (rw-rw----)
mode of adir/dir1 changed to 0770 (rwxrwx---)
mode of adir/dir1/file6 changed to 0660 (rw-rw----)
mode of adir/dir1/file5 changed to 0660 (rw-rw----)
mode of adir/dir2 changed to 0770 (rwxrwx---)

Example 4

Set the sticky bit on a directory:

$ chmod -v +t adir
mode of adir changed to 1770 (rwxrwx--T)

Modification of ownership parameters may become necessary when moving files, setting up workgroups, or working in a user's directory as root. This is accomplished using the chown command, which can change user and group ownership, and the chgrp command for modifying group ownership.

Name

chown

Syntax

chown [options] user-owner files
chown [options] user-owner. files
chown [options] user-owner.group-owner files
chown [options] .group-owner files
chown [options] --reference=rfile files

Description

Used to change the owner and/or group of files to user-owner and/or group-owner. In the first form, user-owner is made the owner of files and the group is not affected. In the second form (note the trailing dot on user-owner), the user-owner is made the owner of files, and the group of the files is changed to user-owner's default group. In the third form, both user-owner and group-owner are assigned to files. In the fourth form, only the group-owner is assigned to files, and the user is not affected. In the fifth form, the owner and group of rfile is used as a template and applied to files. Only the superuser may change file ownership, but group ownership may be set by anyone belonging to the target group-owner.

Note

Note that historically BSD systems have used the user.group syntax, but SysV-based systems have used user:group (: instead of .). Older versions of GNU chown accepted only the BSD syntax, but recent versions support both.

Frequently used options

-c
    Like verbose mode, but report only changes.

-R
    Use recursive mode, descending through directory hierarchies under files and making modifications throughout.

-v
    Use verbose behavior, reporting actions for all files.

Example 1

As root, set the user owner of a file:

# chown -v jdoe afile
owner of afile changed to jdoe

Example 2

As root, set the user and group owner of a file:

# chown -v jdoe.sales afile
owner of afile changed to jdoe.sales
