***************************************************************************
*                       Guide to Unix Permissions                         *
*                            by fugjostle                                 *
*                                                                         *
*                             V.0.1.beta                                  *
***************************************************************************

[root@g0tr00t]# ls -l
drwxr-xr-x  5 fugjostle staff 4096 Apr 12 20:15 programs
-rwxr-xr-x  1 fugjostle staff  505 May 17 21:44 ybc.pl
-rwx------  1 fugjostle staff 3159 Feb 12 16:15 userdb

This guide has been written to help you understand the above and show you
how to change these details. To start off, let's have a quick overview of
what we are looking at, taking the ybc.pl line:

    -rwxr-xr-x    --> file type and file permissions
    1             --> the number of (hard) links to the file
    fugjostle     --> the owner of the file
    staff         --> the group ownership of the file
    505           --> size of the file in bytes
    May 17 21:44  --> the file modification time
    ybc.pl        --> the name of the file

With this basic knowledge we can look at the permissions. Take the first
field of the 'programs' line and break it down into four parts
-> [d] [rwx] [r-x] [r-x]:

[d]   --> Everything in the filesystem is a file, including pipes and
          directories; they can all be written to and read from. This
          first column signifies the type of file:

              -   regular file, such as a text document
              d   directory
              l   symbolic link
              c   character device
              b   block device

          There are a few more possible entries in this column but I'll
          let you figure them out. As you can see from the directory
          listing we have 1 directory and 2 regular files.

[rwx] --> These are the permissions for the 'owner' of the file. The owner
          is normally the user who created the file (root can reassign it
          with chown) and in the example we can see it's mine (fugjostle).
          They state that the owner has Read(r), Write(w) and Execute(x)
          permission on the file. It is also important at this stage to
          differentiate between directories and files:

          r   This allows the owner to open a file and read its contents.
              On a directory it allows the owner to use the 'ls' command
              and get a listing of the names held in the directory.

          w   This allows the owner to modify the file or to overwrite it.
              On a directory this permission allows the owner to add,
              delete and rename the files held in the directory (x on the
              directory is needed as well, see below). Note that deleting
              a file is controlled by w on the directory, not by w on the
              file itself.

          x   This allows the owner to run the file as a program. On a
              directory this permission allows you to enter it and reach
              the files inside by name. Without it you can still list the
              names (if you have r) but cannot open any of them, and
              commands like 'cd' will fail on the directory. The reverse
              also holds: with x but no r you cannot list the directory,
              but you can still open a file inside it if you already know
              its name.

[r-x] --> This set of permissions defines access for the group members.
          The group is 'staff' and its members have Read(r) and Execute(x)
          access but NO Write(w) access. This means that members of the
          staff group can read and run the file/program but cannot modify
          it. Note that the three sets are not added together: the kernel
          uses exactly ONE of them, the first that applies to you (owner
          if you own the file, otherwise group if you are in the group,
          otherwise other). An owner whose own set is --- is denied even
          if 'other' has rwx.

[r-x] --> This is the third and final set of permissions. These apply to
          everybody who is NOT the owner and NOT in the group, i.e. all
          other users on the system. As you can see, here they have the
          same permissions as the group.

And that is basically that for file permissions... but there are three more
that we haven't looked at yet: Sticky, SUID and SGID. These are special
permissions that do some fancy stuff. They are displayed in the Execute(x)
field: lower case if an 'x' was actually there underneath, a capital letter
if no 'x' was set (which usually means somebody made a mistake, since the
bit does nothing useful without x).

  - Set UID uses the 'x' from the 'owner' permissions, e.g., rwsr-xr-x
    (rwSr-xr-x if the owner has no x).
  - Set GID uses the 'x' from the 'group' permissions, e.g., r-xr-sr-x.
  - Sticky bit uses the 'x' from the 'other' permissions, e.g., rwxrwxrwt.

I don't want to go into too much detail, but a SetUID program runs with its
EFFECTIVE UID set to the file owner's UID instead of the UID of whoever ran
it. For example 'passwd' is owned by root and is SetUID (it has to write
the shadow file) but is used by normal users to change their password.
Therefore a user can run 'passwd' and instead of it running with the
permissions of the user, it runs with the effective UID of root. SetGID
does the same but for the group rather than the owner; set on a directory
it instead makes new files created there inherit the directory's group.
Two things to keep in mind: every SetUID root binary is a privilege
boundary, so a bug in one is a root exploit (you can list them all with
'find / -perm -4000 -type f 2>/dev/null'), and the Linux kernel ignores
SUID/SGID on interpreted '#!' scripts such as ybc.pl, honouring it only on
native executables. The Sticky bit has a long history and you can go and
read about it...
but it's basically used on directories that many users share, like /tmp.
With the sticky bit set, a file in the directory can only be deleted or
renamed by its owner (or by the directory's owner, or by root) even though
everybody has w on the directory, so users can share the directory without
being able to remove each other's files. Without it a world-writable /tmp
would let anyone delete anyone's files, because deletion is controlled by
w on the directory, not on the file.

Now... here we go... chmod !!! chmod is your friend!

chmod allows you to change the permissions of a file if you're the owner of
the file (or root). For a complete reference of chmod just type 'man chmod'
at the command line.

With chmod you can use letters to apply permissions, for example:

[root@g0tr00t]# chmod ug=rx ybc.pl

This sets the owner and group permissions of ybc.pl to r-x and leaves the
'other' permissions as they were, so from the listing above ybc.pl becomes
r-xr-xr-x. To get r-xr-x--- you have to clear 'other' as well:

[root@g0tr00t]# chmod ug=rx,o= ybc.pl

You have All(a), Owner(u), Group(g), Other(o) at your disposal and you can
replace(=), add(+) or remove(-) permissions. This is all well and good but
I prefer the Octal method and I'm going to concentrate on this :-)

    chmod [-R] <4 digit code> file

The -R option makes the changes recursive, which can come in handy with
directories (be careful though: 'chmod -R 755' on a tree makes every file
in it executable, not just the directories).

The first digit will stay at 0 for now... we will come back to it later.
The second digit defines the 'owner' permissions, the third digit defines
the 'group' permissions and the last digit defines the 'other' permissions,
for example:

    chmod 0755 ybc.pl

The way to work it out is:

    r = 4
    w = 2
    x = 1

so:

    r--  =  4          =  4
    rw-  =  4 + 2      =  6
    rwx  =  4 + 2 + 1  =  7

so for the permission "rwxr-xr-x":

    rwx  =  7  (4 + 2 + 1)
    r-x  =  5  (4 + 0 + 1)
    r-x  =  5  (4 + 0 + 1)

we get 0755 !!! simple right !!

Going back to the first digit, the mighty '0'. This allows us to set the
special permissions SUID, SGID and the Sticky bit:

    SUID   = 4
    SGID   = 2
    Sticky = 1

Now you can make the following file executable and SUID:

[root@g0tr00t]# ls -l
-rw-r--r--  1 fugjostle staff 505 May 17 21:44 ybc.pl
[root@g0tr00t]# chmod 4755 ybc.pl
[root@g0tr00t]# ls -l
-rwsr-xr-x  1 fugjostle staff 505 May 17 21:44 ybc.pl

4755 is SUID (4) plus rwx (7) for the owner and r-x (5) for group and
other, which is why the 's' replaces the owner's 'x'. Remember that a SUID
Perl script like this does nothing special on Linux; the bit only counts
on a native binary, and on a binary it makes the file a target, so only
set it when you really mean to.

Piece of Pie, Easy as Cake !!!
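The following script is an added example, not part of fugjostle's guide. It
puts the directory r/w/x rules and the octal/special-bit section above into
practice on a throwaway tree created with mktemp (every path and file name
in it is made up for the demo). dir_bit_demo() flips the bits on a directory
with chmod and reports what each one actually allows; mode_to_octal()
converts the ten-character field at the start of an 'ls -l' line into the
four-digit chmod number, applying the s/S and t/T rule, and
roundtrip_check() applies real chmod modes and checks that what ls shows
converts back to the number that was set.

```sh
#!/bin/sh
# Added example, not from the original guide. Everything runs on a temporary
# tree under mktemp; names like d, f and ybc.pl here are made up for the demo.

# Run a command and print ok/denied instead of aborting the script.
try() { if "$@" >/dev/null 2>&1; then echo ok; else echo denied; fi; }
cd_into() { ( cd "$1" ); }            # cd in a subshell so the caller stays put

# First ten characters of 'ls -ld' (GNU ls may append '+' or '.' for ACLs or
# SELinux labels, which is why we cut to exactly ten).
mode_of() { ls -ld "$1" | cut -c1-10; }

# 1. What r, w and x on a DIRECTORY allow. Prints key=value pairs. Root
#    bypasses these checks (CAP_DAC_OVERRIDE), so as uid 0 it says so instead.
dir_bit_demo() {
    if [ "$(id -u)" -eq 0 ]; then echo "root-bypasses-permission-checks"; return 0; fi
    tmp=$(mktemp -d) || return 1
    d="$tmp/d"; mkdir "$d" && echo hello > "$d/f"
    chmod 400 "$d"                        # r--: names only
    r_list=$(try ls "$d"); r_read=$(try cat "$d/f"); r_cd=$(try cd_into "$d")
    chmod 100 "$d"                        # --x: no listing, but known names work
    x_list=$(try ls "$d"); x_read=$(try cat "$d/f")
    chmod 500 "$d"                        # r-x: no w, so no create or delete
    rx_create=$(try touch "$d/new"); rx_delete=$(try rm -f "$d/f")
    chmod 700 "$d"; rm -rf "$tmp"         # restore x so the cleanup can work
    echo "r--_list=$r_list r--_read=$r_read r--_cd=$r_cd --x_list=$x_list --x_read=$x_read r-x_create=$rx_create r-x_delete=$rx_delete"
}

# 2. Octal conversion. Value of one rwx triple: s and t count as x, S and T
#    (special bit without x) do not.
triple_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# "-rwsr-xr-x" -> 4755, "drwxrwxrwt" -> 1777, "-rwSr--r--" -> 4644
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] || { echo "bad mode string: $m" >&2; return 1; }
    u=$(printf '%s\n' "$m" | cut -c2-4)
    g=$(printf '%s\n' "$m" | cut -c5-7)
    o=$(printf '%s\n' "$m" | cut -c8-10)
    sp=0
    case "$u" in ??[sS]) sp=$((sp + 4)) ;; esac   # SUID lives in the owner x slot
    case "$g" in ??[sS]) sp=$((sp + 2)) ;; esac   # SGID in the group x slot
    case "$o" in ??[tT]) sp=$((sp + 1)) ;; esac   # sticky in the other x slot
    echo "$sp$(triple_value "$u")$(triple_value "$g")$(triple_value "$o")"
}

# 3. Apply real chmod modes to a scratch file (and the sticky one to a scratch
#    directory) and check that the ls field converts back to the same number.
#    Returns non-zero if any mode fails the round trip.
roundtrip_check() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/f"; mkdir "$tmp/d"; rc=0
    for want in 0644 0755 4755 4644 2755 1777 0640; do
        case "$want" in 1*) t="$tmp/d" ;; *) t="$tmp/f" ;; esac
        chmod "$want" "$t"; shown=$(mode_of "$t"); back=$(mode_to_octal "$shown")
        echo "$want -> $shown -> $back"
        [ "$back" = "$want" ] || rc=1
    done
    rm -rf "$tmp"; return "$rc"
}

dir_bit_demo
mode_to_octal -rwsr-xr-x      # 4755
roundtrip_check
```

Run it as a normal user; as root the directory part only prints that root
bypasses the checks, which is itself the lesson. The round trip is the quick
way to confirm what 'chmod 4755' really produces on your system (-rwsr-xr-x,
and -rwSr--r-- for 4644 where no x is underneath).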
***************************************************************************
Greetz to: ReDeeMeR, BarnseyBoy, Reeferman, gabbana, Wang, Enstyne, munk,
[502BOP], Muad_Dib, Macster, n0face, palmito, kph, Homicide, Col, Axem,
Booto, _Penguin, think12, nsh, Chawmp, shad and everyone in #CA who are way
too numerous to mention.
***************************************************************************