
Default File Permissions on Creation - Umask

With the umask command you set which permissions a file or directory gets when it is first created. The rule is simpler than it looks: the umask lists the permission bits to remove. A new file is requested with 666 (rw-rw-rw-) and a new directory with 777 (rwxrwxrwx), and the kernel clears every bit that is set in the umask, i.e. mode = requested & ~umask. It is not an XOR and not a subtraction: both happen to give the right answer for umask 022, but umask 077 on 666 gives 600, whereas 666 XOR 077 would give the nonsense value 611. (See man umask for more.)

umask on its own prints the current mask in octal; umask -S prints it in symbolic form as the permissions that remain (u=rwx,g=rx,o=rx for 022). The default in Ubuntu is umask 022, which means that files will be -rw-r--r-- and directories drwxr-xr-x by default. umask 026 removes read and write for "other"s (everyone who is neither the owner nor a member of the group): files become -rw-r----- (640), but directories become drwxr-x--x (751), so others can still traverse them and open any file inside whose name they know. To keep others out of new directories as well, use umask 027, which gives -rw-r----- for files and drwxr-x--- for directories.

You can also use symbolic notation as with chmod, with one difference: for umask the symbols name the permissions to keep, not the ones to remove. umask u=rwx,g=rx,o= is the same as umask 027; umask u=rwx on its own changes only the owner part of the mask and leaves group and others as they were.
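The arithmetic above, as an added shell example that is not part of the original post: effective_mode applies the real rule (requested & ~umask), xor_mode shows what a literal XOR would give so the difference is visible, umask_for works backwards from the mode you want, and observed_modes creates a file and a directory under a given umask and reads back what the kernel actually set. It assumes a POSIX sh whose arithmetic accepts C-style octal constants (dash, bash and busybox ash do), mktemp, and either GNU stat (-c) or BSD stat (-f); the scratch directory is constructed by the script itself.

```sh
#!/bin/sh
# Added example (not from the original post): how the umask is applied.
#     mode = requested & ~umask
# The umask names bits to clear; it is neither an XOR nor a subtraction.
# Assumptions: POSIX sh with octal constants in $(( )), mktemp, GNU or BSD stat.

# effective_mode REQUESTED UMASK -> octal mode the kernel will set.
# REQUESTED is 666 for open()/creat() and 777 for mkdir().
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# xor_mode REQUESTED UMASK -> what a literal "XOR" would give; only here to
# show where that description breaks (compare umask 077).
xor_mode() {
    printf '%03o\n' $(( (0$1 ^ 0$2) & 0777 ))
}

# umask_for REQUESTED WANTED -> the umask that turns REQUESTED into WANTED,
# i.e. the bits of REQUESTED that have to be cleared.
umask_for() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# octal_of PATH -> permission bits of PATH in octal (GNU stat, then BSD stat).
octal_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# observed_modes UMASK -> "FILEMODE DIRMODE" for a file and a directory
# actually created under that umask in a scratch directory (constructed here).
observed_modes() {
    scratch=$(mktemp -d)
    ( umask "$1"; touch "$scratch/f"; mkdir "$scratch/d" )
    printf '%s %s\n' "$(octal_of "$scratch/f")" "$(octal_of "$scratch/d")"
    rm -rf "$scratch"
}

# Walk through the masks discussed in the post.
for m in 022 026 027 077; do
    printf 'umask %s: file %s (xor would say %s), dir %s, observed: %s\n' \
        "$m" "$(effective_mode 666 "$m")" "$(xor_mode 666 "$m")" \
        "$(effective_mode 777 "$m")" "$(observed_modes "$m")"
done
```

The observed column matches effective_mode for every mask, including 077, where xor_mode is wrong; umask_for 666 640 prints 026 and umask_for 777 750 prints 027, which is the quick way to turn a desired mode into the mask to put in your shell profile.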

Understanding Directory Rights in Linux

Directory rights in Linux can be pretty confusing, and many chmod howtos don't explain them properly. So here is a really quick guide. You should first know how to use chmod (man chmod) and what the rwx flags normally mean for files: read, write, execute. For directories they have slightly different meanings, which I will now explain.

ls -l displays, for example, drwx--srwt 2 someuser somegroup (...).
The first character of the permission string is d and marks a directory. Then come three characters each for the user (rwx), the group (--s) and others (rwt), meaning everyone who is neither the owner nor a member of the group.

If you have only read permission (chmod a+r-wx mydir), you can list the names of the entries with a plain ls, and that is all: ls -l fails because it cannot stat the entries, you cannot cd into the directory, and you cannot open any file in it, even one whose name you know. This applies to the owner as much as to anyone else with r.

If you have read and execute permission (chmod a-w+rx mydir), you can cd into the directory, list its files with all their details and open them (subject to each file's own permissions). But you cannot create, delete or rename anything in it.

If you have only write permission (chmod a-rx+w mydir), you cannot do anything with it: write on a directory is useless without execute.

If you have write and execute permission (chmod a-r+wx mydir), you can create, delete and rename entries, but not list the directory's contents. You can still open files if you know their names and have permission on the files themselves. This is how drop-box style directories work.

rws (with x) or rwS (without x)
If the setgid bit is set on the directory (chmod g+s), new files and subdirectories are created with the directory's group instead of the creating user's primary group, and new subdirectories inherit the setgid bit. This is what makes a shared project directory keep its group.

rwt (with x) or rwT (without x)
If the sticky bit is set (chmod o+t), an entry in the directory can only be deleted or renamed by the file's owner, the directory's owner or root, even when the directory is group- or world-writable; /tmp (drwxrwxrwt) is the classic example. It says nothing about the file's content: a file in a sticky directory can still be overwritten or truncated if the file's own permissions allow it. So it protects against deletion by other users, not against tampering.

This means that there is usually little sense in a directory that is r-- or -w-, as that lets you do hardly anything. You should usually set the directory to r-x, -wx or rwx.

Important: A user needs to have at least execute (x) rights to all directories above the directory in order to be able to do anything in it.

Be aware that the check is not "the most permissive class wins": the kernel picks one class, in the order owner, group, others, and uses only its bits. So if you are the owner and the owner permissions are --- but the group's permissions are rwx and you are in the group as well, you still cannot access the file or directory, because the owner bits are the ones that apply to you. (Root bypasses this, and POSIX ACLs, if set, add further entries to the check.)

Also notice that in the example commands, e.g. chmod a+r-wx, I set the permissions for a, which stands for all and means user, group and others. This is just to make sure you can reproduce what I have written here. Of course you should carefully select what the rights for the owner (u), the group (g) and others (o) should be, with the clauses separated by commas: e.g. chmod u=rwx,g=rx,o-rwx mydir.

Also check out Wikipedia on file permissions as well as these articles by LinuxExposed for files and directories.
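The combinations described above, tried out against a scratch directory, as an added shell example that is not part of the original post: probe_dir sets one permission combination on a directory containing a file of known name and reports whether listing, entering, reading that file, creating and removing succeed; special_bits shows how the setgid and sticky bits (s/S, t/T) render and that a subdirectory inherits setgid. It assumes a POSIX sh, mktemp, GNU or BSD stat, Linux setgid inheritance, and an unprivileged caller: root has CAP_DAC_OVERRIDE and passes every one of these checks, so the probes only tell you something when run as a normal user. The sticky bit needs two users to demonstrate, so it is only displayed, not exercised.

```sh
#!/bin/sh
# Added example (not from the original post): probe what directory permission
# bits really allow, by attempting the operations as the current user.
# Assumptions: POSIX sh, mktemp, GNU or BSD stat, non-root caller (root passes
# every check), Linux semantics for setgid inheritance on mkdir.

# probe_dir MODE -> "mode=MODE list=.. enter=.. read=.. create=.. remove=.."
# read/remove act on a file inside the directory whose name is known beforehand.
probe_dir() {
    base=$(mktemp -d)                 # scratch tree, constructed here
    dir="$base/d"
    mkdir "$dir"
    touch "$dir/known.txt"
    chmod 644 "$dir/known.txt"        # the file itself is always readable/writable
    chmod "$1" "$dir"                 # only the directory's bits vary
    if ls "$dir" >/dev/null 2>&1;             then list=yes;   else list=no;   fi
    if (cd "$dir") 2>/dev/null;               then enter=yes;  else enter=no;  fi
    if cat "$dir/known.txt" >/dev/null 2>&1;  then read=yes;   else read=no;   fi
    if touch "$dir/new.txt" 2>/dev/null;      then create=yes; else create=no; fi
    if rm -f "$dir/known.txt" 2>/dev/null;    then remove=yes; else remove=no; fi
    chmod 700 "$dir"                  # so the scratch tree can be removed again
    rm -rf "$base"
    printf 'mode=%s list=%s enter=%s read=%s create=%s remove=%s\n' \
        "$1" "$list" "$enter" "$read" "$create" "$remove"
}

# symmode PATH -> symbolic mode string as ls -l shows it (GNU stat, then BSD).
symmode() {
    stat -c '%A' "$1" 2>/dev/null || stat -f '%Sp' "$1"
}

# special_bits -> modes of: a setgid group-writable dir, a subdirectory
# created in it (inherits setgid), a sticky dir with x for others (t) and
# a sticky dir without x for others (T).
special_bits() {
    base=$(mktemp -d)
    mkdir "$base/shared" "$base/drop" "$base/drop_nox"
    chmod 2770 "$base/shared"         # same as chmod g+s on a rwxrwx--- directory
    ( umask 022; mkdir "$base/shared/sub" )
    chmod 1777 "$base/drop"           # same as chmod o+t on rwxrwxrwx, like /tmp
    chmod 1776 "$base/drop_nox"       # sticky set but others lack x -> T
    printf '%s %s %s %s\n' "$(symmode "$base/shared")" "$(symmode "$base/shared/sub")" \
        "$(symmode "$base/drop")" "$(symmode "$base/drop_nox")"
    rm -rf "$base"
}

for m in 700 500 400 300 200; do
    probe_dir "$m"
done
special_bits
```

Run as a normal user, the loop prints list=yes for 400 but enter/read/create/remove=no, the opposite for 300 (no listing, but everything else works on a known name), and nothing at all for 200; special_bits prints drwxrws--- drwxr-sr-x drwxrwxrwt drwxrwxrwT.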

Protect Files

If you want to make sure a file cannot be modified, deleted or renamed by anyone, not even root, until the flag is removed again, the immutable attribute helps (replace the path with your own):

sudo chattr +i /path/to/file

The flag does not recurse: on a directory alone it only blocks creating, deleting and renaming entries in it, so use sudo chattr -R +i for a whole directory structure. Check it with lsattr (lsattr -d for a directory itself) and remove it with sudo chattr -i. Setting or clearing the flag needs CAP_LINUX_IMMUTABLE, which root has, so this stops accidents and unprivileged tampering, not an attacker who already has root. It only works on filesystems that support the attribute (ext2/3/4, XFS, btrfs and a few others; tmpfs and overlayfs usually do not).
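A small check around that command, as an added shell example that is not part of the original post: has_immutable_flag parses an lsattr output line, is_immutable runs lsattr -d on a path, make_immutable sets the flag and reports failure cleanly, and demo shows which operations the flag blocks on a temporary file and that only chattr -i lifts it. It assumes e2fsprogs (chattr/lsattr), root or CAP_LINUX_IMMUTABLE, and that /tmp is on a filesystem that supports the flag; where that is not the case the live demo is skipped and only the parsing helpers do anything. The lsattr lines in the usage are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): set, verify and exercise the
# immutable attribute.  Assumptions: chattr/lsattr from e2fsprogs, root or
# CAP_LINUX_IMMUTABLE, and a filesystem that supports the flag
# (ext2/3/4, XFS, btrfs; overlayfs and tmpfs usually refuse it).

# has_immutable_flag LSATTR_LINE -> 0 if the attribute field contains 'i'.
# lsattr prints e.g. "----i---------e------- /etc/hosts"; only the immutable
# flag is rendered as a lowercase i (indexed directory is uppercase I).
has_immutable_flag() {
    case "${1%% *}" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# is_immutable PATH -> 0 if lsattr reports the flag on PATH itself.
is_immutable() {
    has_immutable_flag "$(lsattr -d "$1" 2>/dev/null)"
}

# make_immutable PATH -> sets +i, returns 1 with a message if that is not
# possible (no privilege, unsupported filesystem, chattr missing).
make_immutable() {
    if ! chattr +i "$1" 2>/dev/null; then
        echo "chattr +i failed on $1: need root and a supporting filesystem" >&2
        return 1
    fi
}

# demo -> live demonstration on a temporary file (constructed here).
demo() {
    f=$(mktemp)                       # assumption: /tmp supports the flag
    echo hello > "$f"
    if make_immutable "$f"; then
        is_immutable "$f" && echo "lsattr confirms the flag on $f"
        echo more 2>/dev/null >> "$f"   || echo "append blocked"
        rm -f "$f" 2>/dev/null          || echo "delete blocked"
        mv "$f" "$f.moved" 2>/dev/null  || echo "rename blocked"
        chmod 600 "$f" 2>/dev/null      || echo "chmod blocked"
        chattr -i "$f"                # only root/CAP_LINUX_IMMUTABLE can do this
        echo "flag cleared, file can be removed again"
    else
        echo "skipping the live demo"
    fi
    rm -f "$f"
}

demo
```

Note that rm -f does not help against the flag: -f only suppresses prompts and missing-file errors, and the unlink itself still fails with EPERM until chattr -i has been run.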