3.4. File security
The Linux security model is based on the one used on UNIX systems, and is as rigid as the UNIX security model (and sometimes even more), which is already quite robust. On a Linux system, every file is owned by a user and a group user. There is also a third category of users, those that are not the user owner and don’t belong to the group owning the file. For each category of users, read, write and execute permissions can be granted or denied.
We already used the long option to list files using the ls -l command, though for other reasons. This command also displays file permissions for these three user categories; they are indicated by the nine characters that follow the first character, which is the file type indicator at the beginning of the file properties line. As seen in the examples below, the first three characters in this series of nine display access rights for the actual user that owns the file. The next three are for the group owner of the file, the last three for other users. The permissions are always in the same order: read, write, execute for the user, the group and the others. Some examples:
marise:~> ls -l To_Do -rw-rw-r-- 1 marise users 5 Jan 15 12:39 To_Do marise:~> ls -l /bin/ls -rwxr-xr-x 1 root root 45948 Aug 9 15:01 /bin/ls*
The first file is a regular file (first dash). Users with user name marise or users belonging to the group users can read and write (change/move/delete) the file, but they can’t execute it (second and third dash). All other users are only allowed to read this file, but they can’t write or execute it (fourth and fifth dash).
The second example is an executable file, the difference: everybody can run this program, but you need to be root to change it.
The Info pages explain how the ls command handles display of access rights in detail, see the section What information is listed.
For easy use with commands, both access rights or modes and user groups have a code. See the tables below.
|0 or –||The access right that is supposed to be on this place is not granted.|
|4 or r||read access is granted to the user category defined in this place|
|2 or w||write permission is granted to the user category defined in this place|
|1 or x||execute permission is granted to the user category defined in this place|
|o||permissions for others|
This straight forward scheme is applied very strictly, which allows a high level of security even without network security. Among other functions, the security scheme takes care of user access to programs, it can serve files on a need-to-know basis and protect sensitive data such as home directories and system configuration files.
You should know what your user name is. If you don’t, it can be displayed using the id command, which also displays the default group you belong to and eventually other groups of which you are a member:
tilly:~> id uid=504(tilly) gid=504(tilly) groups=504(tilly),100(users),2051(org)
Your user name is also stored in the environment variable USER:
tilly:~> echo $USER tilly
3.4.2. The tools
18.104.22.168. The chmod command
A normal consequence of applying strict file permissions, and sometimes a nuisance, is that access rights will need to be changed for all kinds of reasons. We use the chmod command to do this, and eventuallyto chmod has become an almost acceptable English verb, meaning the changing of the access mode of a file. The chmod command can be used with alphanumeric or numeric options, whatever you like best.
The example below uses alphanumeric options in order to solve a problem that commonly occurs with new users:
asim:~>./hello bash: ./hello: bad interpreter: Permission denied asim:~>cat hello #!/bin/bash echo "Hello, World" asim:~>ls -l hello -rw-rw-r-- 1 asim asim 32 Jan 15 16:29 hello asim:~>chmod u+x helloasim:~>./hello Hello, World asim:~>ls -l hello -rwxrw-r-- 1 asim asim 32 Jan 15 16:29 hello*
The + and – operators are used to grant or deny a given right to a given group. Combinations separated by commas are allowed. The Info and man pages contain useful examples. Here’s another one, which makes the file from the previous example a private file to user asim:
asim:~>chmod u+rwx,go-rwx helloasim:~>ls -l hello -rwx------ 1 asim asim 32 Jan 15 16:29 hello*
The kind of problem resulting in an error message saying that permission is denied somewhere is usually a problem with access rights in most cases. Also, comments like, “It worked yesterday,” and “When I run this as root it works,” are most likely caused by the wrong file permissions.
When using chmod with numeric arguments, the values for each granted access right have to be counted together per group. Thus we get a 3-digit number, which is the symbolic value for the settings chmodhas to make. The following table lists the most common combinations:
|chmod 400 file||To protect a file against accidental overwriting.|
|chmod 500 directory||To protect yourself from accidentally removing, renaming or moving files from this directory.|
|chmod 600 file||A private file only changeable by the user who entered this command.|
|chmod 644 file||A publicly readable file that can only be changed by the issuing user.|
|chmod 660 file||Users belonging to your group can change this file, others don’t have any access to it at all.|
|chmod 700 file||Protects a file against any access from other users, while the issuing user still has full access.|
|chmod 755 directory||For files that should be readable and executable by others, but only changeable by the issuing user.|
|chmod 775 file||Standard file sharing mode for a group.|
|chmod 777 file||Everybody can do everything to this file.|
If you enter a number with less than three digits as an argument to chmod, omitted characters are replaced with zeros starting from the left. There is actually a fourth digit on Linux systems, that precedes the first three and sets special access modes. Everything about these and many more are located in the Info pages.
22.214.171.124. Logging on to another group
When you type id on the command line, you get a list of all the groups that you can possibly belong to, preceded by your user name and ID and the group name and ID that you are currently connected with. However, on many Linux systems you can only be actively logged in to one group at the time. By default, this active or primary group is the one that you get assigned from the /etc/passwd file. The fourth field of this file holds users’ primary group ID, which is looked up in the /etc/group file. An example:
asim:~>id uid=501(asim) gid=501(asim) groups=100(users),501(asim),3400(web) asim:~>grep asim /etc/passwd asim:x:501:501:Asim El Baraka:/home/asim:/bin/bash asim:~>grep 501 /etc/group asim:x:501:
The fourth field in the line from /etc/passwd contains the value “501”, which represents the group asim in the above example. From /etc/group we can get the name matching this group ID. When initially connecting to the system, this is the group that asim will belong to.
|User private group scheme|
|In order to allow more flexibility, most Linux systems follow the so-called user private group scheme, that assigns each user primarily to his or her own group. This group is a group that only contains this particular user, hence the name “private group”. Usually this group has the same name as the user login name, which can be a bit confusing.|
Apart from his own private group, user asim can also be in the groups users and web. Because these are secondary groups to this user, he will need to use the newgrp to log into any of these groups (usegpasswd for setting the group password first). In the example, asim needs to create files that are owned by the group web.
asim:/var/www/html>newgrp webasim:/var/www/html>id uid=501(asim) gid=3400(web) groups=100(users),501(asim),3400(web)
When asim creates new files now, they will be in group ownership of the group web instead of being owned by the group asim:
asim:/var/www/html>touch testasim:/var/www/html>ls -l test -rw-rw-r-- 1 asim web 0 Jun 10 15:38 test
Logging in to a new group prevents you from having to use chown (see Section 126.96.36.199) or calling your system administrator to change ownerships for you.
See the manpage for newgrp for more information.
188.8.131.52. The file mask
When a new file is saved somewhere, it is first subjected to the standard security procedure. Files without permissions don’t exist on Linux. The standard file permission is determined by the mask for new file creation. The value of this mask can be displayed using the umask command:
Instead of adding the symbolic values to each other, as with chmod, for calculating the permission on a new file they need to be subtracted from the total possible access rights. In the example above, however, we see 4 values displayed, yet there are only 3 permission categories: user, group and other. The first zero is part of the special file attributes settings, which we will discuss in Section 184.108.40.206 and Section 4.1.6. It might just as well be that this first zero is not displayed on your system when entering the umask command, and that you only see 3 numbers representing the default file creation mask.
Each UNIX-like system has a system function for creating new files, which is called each time a user uses a program that creates new files, for instance, when downloading a file from the Internet, when saving a new text document and so on. This function creates both new files and new directories. Full read, write and execute permission is granted to everybody when creating a new directory. When creating a new file, this function will grant read and write permissions for everybody, but set execute permissions to none for all user categories. This, before the mask is applied, a directory has permissions 777 orrwxrwxrwx, a plain file 666 or rw-rw-rw-.
The umask value is subtracted from these default permissions after the function has created the new file or directory. Thus, a directory will have permissions of 775 by default, a file 664, if the mask value is(0)002. This is demonstrated in the example below:
bert:~>mkdir newdirbert:~>ls -ld newdir drwxrwxr-x 2 bert bert 4096 Feb 28 13:45 newdir/ bert:~>touch newfilebert:~>ls -l newfile -rw-rw-r-- 1 bert bert 0 Feb 28 13:52 newfile
|Files versus directories|
|A directory gets more permissions by default: it always has the execute permission. If it wouldn’t have that, it would not be accessible. Try this out by chmodding a directory 644!|
If you log in to another group using the newgrp command, the mask remains unchanged. Thus, if it is set to 002, files and directories that you create while being in the new group will also be accessible to the other members of that group; you don’t have to use chmod.
The root user usually has stricter default file creation permissions:
[root@estoban root]# umask 022
These defaults are set system-wide in the shell resource configuration files, for instance /etc/bashrc or /etc/profile. You can change them in your own shell configuration file, see Chapter 7 on customizing your shell environment.
220.127.116.11. Changing user and group ownership
When a file is owned by the wrong user or group, the error can be repaired with the chown (change owner) and chgrp (change group) commands. Changing file ownership is a frequent system administrative task in environments where files need to be shared in a group. Both commands are very flexible, as you can find out by using the --help option.
The chown command can be applied to change both user and group ownership of a file, while chgrp only changes group ownership. Of course the system will check if the user issuing one of these commands has sufficient permissions on the file(s) she wants to change.
In order to only change the user ownership of a file, use this syntax:
chown newuser file
If you use a colon after the user name (see the Info pages), group ownership will be changed as well, to the primary group of the user issuing the command. On a Linux system, each user has his own group, so this form can be used to make files private:
jacky:~>id uid=1304(jacky) gid=(1304) groups=1304(jacky),2034(pproject) jacky:~>ls -l my_report -rw-rw-r-- 1 jacky project 29387 Jan 15 09:34 my_report jacky:~>chown jacky: my_reportjacky:~>chmod o-r my_reportjacky:~>ls -l my_report -rw-rw---- 1 jacky jacky 29387 Jan 15 09:34 my_report
If jacky would like to share this file, without having to give everybody permission to write it, he can use the chgrp command:
jacky:~>ls -l report-20020115.xls -rw-rw---- 1 jacky jacky 45635 Jan 15 09:35 report-20020115.xls jacky:~>chgrp project report-20020115.xlsjacky:~>chmod o= report-20020115.xlsjacky:~>ls -l report-20020115.xls -rw-rw---- 1 jacky project 45635 Jan 15 09:35 report-20020115.xls
This way, users in the group project will be able to work on this file. Users not in this group have no business with it at all.
Both chown and chgrp can be used to change ownership recursively, using the -R option. In that case, all underlying files and subdirectories of a given directory will belong to the given user and/or group.
|On most systems, the use of the chown and chgrp commands is restricted for non-privileged users. If you are not the administrator of the system, you can not change user nor group ownerships for security reasons. If the usage of these commands would not be restricted, malicious users could assign ownership of files to other users and/or groups and change behavior of those users’ environments and even cause damage to other users’ files.|
18.104.22.168. Special modes
For the system admin to not be bothered solving permission problems all the time, special access rights can be given to entire directories, or to separate programs. There are three special modes:
- Sticky bit mode: After execution of a job, the command is kept in the system memory. Originally this was a feature used a lot to save memory: big jobs are loaded into memory only once. But these days memory is inexpensive and there are better techniques to manage it, so it is not used anymore for its optimizing capabilities on single files. When applied to an entire directory, however, the sticky bit has a different meaning. In that case, a user can only change files in this directory when she is the user owner of the file or when the file has appropriate permissions. This feature is used on directories like/var/tmp, that have to be accessible for everyone, but where it is not appropriate for users to change or delete each other’s data. The sticky bit is indicated by a t at the end of the file permission field:
mark:~>ls -ld /var/tmp drwxrwxrwt 19 root root 8192 Jan 16 10:37 /var/tmp/
The sticky bit is set using the command chmod o+t directory. The historic origin of the “t” is in UNIX’ save Text access feature.
- SUID (set user ID) and SGID (set group ID): represented by the character s in the user or group permission field. When this mode is set on an executable file, it will run with the user and group permissions on the file instead of with those of the user issuing the command, thus giving access to system resources. We will discuss this further in Chapter 4.
- SGID (set group ID) on a directory: in this special case every file created in the directory will have the same group owner as the directory itself (while normal behavior would be that new files are owned by the users who create them). This way, users don’t need to worry about file ownership when sharing directories:
mimi:~>ls -ld /opt/docs drwxrws--- 4 root users 4096 Jul 25 2001 docs/ mimi:~>ls -l /opt/docs -rw-rw---- 1 mimi users 345672 Aug 30 2001-Council.doc
This is the standard way of sharing files in UNIX.
Linux and Unix chmod command
On Linux and other Unix-like operating systems, there is a set of rules for each file which defines who can access that file, and how they can access it. These rules are called file permissions or file modes. The command name chmod stands for “change mode”, and it is used to define the way a file can be accessed.
Before continuing, you should read the section What Are File Permissions, And How Do They Work? in our documentation of the umask command. It contains a comprehensive description of how to define and express file permissions.
In general, chmod commands take the form:
If no options are specified, chmod modifies the permissions of the file specified byfilename to the permissions specified by permissions.
permissions defines the permissions for the owner of the file (the “user”), members of the group who owns the file (the “group”), and anyone else (“others”). There are two ways to represent these permissions: with symbols (alphanumericcharacters), or withoctal numbers (the digits 0 through 7).
Let’s say you are the owner of a file named myfile, and you want to set its permissions so that:
- the user can read, write, and execute it;
- members of your group can read and execute it; and
- others may only read it.
This command will do the trick:
chmod u=rwx,g=rx,o=r myfile
This is an example of using symbolic permissions notation. The letters u, g, and ostand for “user“, “group“, and “other“. The equals sign (“=“) means “set the permissions exactly like this,” and the letters “r“, “w“, and “x” stand for “read”, “write”, and “execute”, respectively. The commas separate the different classes of permissions, and there are no spaces in between them.
Here is the equivalent command using octal permissions notation:
chmod 754 myfile
Here the digits 7, 5, and 4 each individually represent the permissions for the user, group, and others, in that order. Each digit is a combination of the numbers 4, 2, 1, and 0:
- 4 stands for “read”,
- 2 stands for “write”,
- 1 stands for “execute”, and
- 0 stands for “no permission.”
So 7 is the combination of permissions 4+2+1 (read, write, and execute), 5 is 4+0+1(read, no write, and execute), and 4 is 4+0+0 (read, no write, and no execute).
See below for more examples of both types of notation.
chmod [OPTION]... MODE[,MODE]... FILE... chmod [OPTION]... OCTAL-MODEFILE... chmod [OPTION]... --reference=RFILE FILE...
|-c, –changes||Like –verbose, but gives verbose output only when a change is actually made.|
|-f, –silent, –quiet||Quiet mode; suppress most error messages.|
|-v, –verbose||Verbose mode; output a diagnostic mesage for every file processed.|
|–no-preserve-root||do not treat ‘/‘ (the root directory) in any special way. This is the default.|
|–preserve-root||Do not operate recursively on ‘/‘.|
|–reference=RFILE||Set permissions to match those of file RFILE, ignoring any specifiedMODE.|
|-R, –recursive||change files and directories recursively.|
|–help||Display a help message and exit.|
|–version||Output version information and exit.|
chmod changes the file mode of each specified FILE according to MODE, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.
The format of a symbolic mode is:
where perms is either zero or more letters from the set r, w, x, X, s and t, or a single letter from the set u, g, and o. Multiple symbolic modes can be given, separated by commas.
A combination of the letters u, g, o, and a controls which users’ access to the file will be changed: the user who owns it (u), other users in the file’s group (g), other users not in the file’s group (o), or all users (a). If none of these are given, the effect is as if a were given, but bits that are set in the umask are not affected.
The operator + causes the selected file mode bits to be added to the existing file mode bits of each file; – causes them to be removed; and = causes them to be added and causes unmentioned bits to be removed except that a directory’s unmentioned set user and group ID bits are not affected.
The letters r, w, x, X, s and t select file mode bits for the affected users: read (r), write (w), execute (x), execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), restricted deletion flag or sticky bit (t). For directories, the execute options X and X define permission to view the directory’s contents.
Instead of one or more of these letters, you can specify exactly one of the letters u, g, or o: the permissions granted to the user who owns the file (u), the permissions granted to other users who are members of the file’s group (g), and the permissions granted to users that are in neither of the two preceding categories (o).
A numeric mode is from one to four octal digits (0–7), derived by adding up the bits with values 4, 2, and 1. Omitted digits are assumed to be leading zeros. The first digit selects the set user ID (4) and set group ID (2) and restricted deletion or sticky (1) attributes. The second digit selects permissions for the user who owns the read (4), write (2), and execute (1); the third selects permissions for other users in the file’s group, with the same values; and the fourth for other users not in the file’s group, with the same values.
chmod never changes the permissions of symbolic links; the chmod system call cannot change their permissions. This is not a problem since the permissions of symbolic links are never used. However, for each symbolic link listed on the command line, chmod changes the permissions of the pointed-to file. In contrast, chmodignores symbolic links encountered during recursive directory traversals.
Setuid And Setgid Bits
chmod clears the set-group-ID bit of a regular file if the file’s group ID does not match the user’s effective group ID or one of the user’s supplementary group IDs, unless the user has appropriate privileges. Additional restrictions may cause the set-user-ID and set-group-ID bits of MODE or RFILE to be ignored. This behavior depends on the policy and functionality of the underlying chmod system call. When in doubt, check the underlying system behavior.
chmod preserves a directory’s set-user-ID and set-group-ID bits unless you explicitly specify otherwise. You can set or clear the bits with symbolic modes like u+s and g-s, and you can set (but not clear) the bits with a numeric mode.
Restricted Deletion Flag (or “Sticky Bit”)
The restricted deletion flag or sticky bit is a single bit, whose interpretation depends on the file type. For directories, it prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and is commonly found on world-writable directories like /tmp. For regular files on some older systems, the bit saves the program’s text image on the swap device so it will load more quickly when run; this is called the sticky bit.
chmod 644 file.htm
Set the permissions of file.htm to “owner can read and write; group can read only; others can read only”.
chmod u=rw example.jpg
Change the permissions for the owner of example.jpg so that the owner may read and write the file. Do not change the permissions for the group, or for others.
chmod u+s comphope.txt
Set the “Set-User-ID” bit of comphope.txt, so that anyone who attempts to access that file does so as if they are the owner of the file.
chmod u-s comphope.txt
The opposite of the above command; un-sets the SUID bit.
chmod 755 file.cgi
Set the permissions of file.cgi to “read, write, and execute by owner” and “read and execute by the group and everyone else”.
chmod 666 file.txt
Set the permission of file.txt to “read and write by everyone.”.
chmod a=rw file.txt
Accomplishes the same thing as the above command, using symbolic notation.
Viewing Permissions in The File Listing
A quick and easy way to list a file’s permissions are with the long listing (-l) option of the ls command. For example, to view the permissions of file.txt, you could use the command:
ls -l file.txt
…which will display output that looks like the following:
-rwxrw-r-- 1 hope hopestaff 123 Feb 03 15:36 file.txt
Here’s what each part of this information means:
|–||The first character represents the file type: “–” for a regular file, “d” for a directory, “l” for a symbolic link.|
|rwx||The next three characters represent the permissions for the file’s owner: in this case, the owner may read from, write to, and/or execute the file.|
|rw-||The next three characters represent the permissions for members of the group that the file belongs to. In this case, any member of the file’s owning group may read from or write to the file. The final dash is a placeholder; group members do not have permission to execute this file.|
|r–||The permissions for “others” (everyone else). Others may only read this file.|
|1||The number of hard links to this file.|
|hope||The file’s owner.|
|hopestaff||The group to whom the file belongs.|
|123||The size of the file in blocks.|
|Feb 03 15:36||The file’s mtime (date and time when the file was last modified).|
|file.txt||The name of the file.|
access — The system function which checks a user’s permissions to access a file.
chown — Change the ownership of files or directories.
getfacl — Display file access control lists.
ls — List the contents of a directory or directories.
The Unix operating system (and likewise, Linux) differs from other computing environments in that it is not only a multitaskingsystem but it is also a multi-user system as well.
What exactly does this mean? It means that more than one user can be operating the computer at the same time. While your computer will only have one keyboard and monitor, it can still be used by more than one user. For example, if your computer is attached to a network, or the Internet, remote users can log in via telnet or ssh (secure shell) and operate the computer. In fact, remote users can execute X applications and have the graphical output displayed on a remote computer. The X Windows system supports this.
The multi-user capability of Unix is not a recent “innovation,” but rather a feature that is deeply ingrained into the design of the operating system. If you remember the environment in which Unix was created, this makes perfect sense. Years ago before computers were “personal,” they were large, expensive, and centralized. A typical university computer system consisted of a large mainframe computer located in some building on campus and terminals were located throughout the campus, each connected to the large central computer. The computer would support many users at the same time.
In order to make this practical, a method had to be devised to protect the users from each other. After all, you could not allow the actions of one user to crash the computer, nor could you allow one user to interfere with the files belonging to another user.
This lesson will cover the following commands:
- chmod – modify file access rights
- su – temporarily become the superuser
- chown – change file ownership
- chgrp – change a file’s group ownership
Linux uses the same permissions scheme as Unix. Each file and directory on your system is assigned access rights for the owner of the file, the members of a group of related users, and everybody else. Rights can be assigned to read a file, to write a file, and to execute a file (i.e., run the file as a program).
To see the permission settings for a file, we can use the ls command as follows:
[me@linuxbox me]$ls -l some_file
-rw-rw-r-- 1 me me 1097374 Sep 26 18:48 some_file
We can determine a lot from examining the results of this command:
- The file “some_file” is owned by user “me”
- User “me” has the right to read and write this file
- The file is owned by the group “me”
- Members of the group “me” can also read and write this file
- Everybody else can read this file
Let’s try another example. We will look at the bash program which is located in the /bin directory:
[me@linuxbox me]$ls -l /bin/bash
-rwxr-xr-x 1 root root 316848 Feb 27 2000 /bin/bash
Here we can see:
- The file “/bin/bash” is owned by user “root”
- The superuser has the right to read, write, and execute this file
- The file is owned by the group “root”
- Members of the group “root” can also read and execute this file
- Everybody else can read and execute this file
In the diagram below, we see how the first portion of the listing is interpreted. It consists of a character indicating the file type, followed by three sets of three characters that convey the reading, writing and execution permission for the owner, group, and everybody else.
The chmod command is used to change the permissions of a file or directory. To use it, you specify the desired permission settings and the file or files that you wish to modify. There are two ways to specify the permissions, but I am only going to teach one way.
It is easy to think of the permission settings as a series of bits (which is how the computer thinks about them). Here’s how it works:
rwx rwx rwx = 111 111 111 rw- rw- rw- = 110 110 110 rwx --- --- = 111 000 000 and so on... rwx = 111 in binary = 7 rw- = 110 in binary = 6 r-x = 101 in binary = 5 r-- = 100 in binary = 4
Now, if you represent each of the three sets of permissions (owner, group, and other) as a single digit, you have a pretty convenient way of expressing the possible permissions settings. For example, if we wanted to set some_file to have read and write permission for the owner, but wanted to keep the file private from others, we would:
[me@linuxbox me]$chmod 600 some_file
Here is a table of numbers that covers all the common settings. The ones beginning with “7” are used with programs (since they enable execution) and the rest are for other kinds of files.
|777||(rwxrwxrwx) No restrictions on permissions. Anybody may do anything. Generally not a desirable setting.|
|755||(rwxr-xr-x) The file’s owner may read, write, and execute the file. All others may read and execute the file. This setting is common for programs that are used by all users.|
|700||(rwx——) The file’s owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others.|
|666||(rw-rw-rw-) All users may read and write the file.|
|644||(rw-r–r–) The owner may read and write a file, while all others may only read the file. A common setting for data files that everybody may read, but only the owner may change.|
|600||(rw——-) The owner may read and write a file. All others have no rights. A common setting for data files that the owner wants to keep private.|
The chmod command can also be used to control the access permissions for directories. In most ways, the permissions scheme for directories works the same way as they do with files. However, the execution permission is used in a different way. It provides control for access to file listing and other things. Here are some useful settings for directories:
|777||(rwxrwxrwx) No restrictions on permissions. Anybody may list files, create new files in the directory and delete files in the directory. Generally not a good setting.|
|755||(rwxr-xr-x) The directory owner has full access. All others may list the directory, but cannot create files nor delete them. This setting is common for directories that you wish to share with other users.|
|700||(rwx——) The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the owner may use and must be kept private from others.|
Becoming the superuser for a short while
It is often useful to become the superuser to perform important system administration tasks, but as you have been warned (and not just by me!), you should not stay logged on as the superuser. In most distributions, there is a program that can give you temporary access to the superuser’s privileges. This program is called su (short for substitute user) and can be used in those cases when you need to be the superuser for a small number of tasks. To become the superuser, simply type the sucommand. You will be prompted for the superuser’s password:
After executing the su command, you have a new shell session as the superuser. To exit the superuser session, type exitand you will return to your previous session.
In some distributions, most notably Ubuntu, an alternate method is used. Rather than using su, these systems employ thesudo command instead. With sudo, one or more users are granted superuser privileges on an as needed basis. To execute a command as the superuser, the desired command is simply preceeded with the sudo command. After the command is entered, the user is prompted for the user’s password rather than the superuser’s:
[me@linuxbox me]$sudo some_command
Changing file ownership
You can change the owner of a file by using the chown command. Here’s an example: Suppose I wanted to change the owner of some_file from “me” to “you”. I could:
[root@linuxbox me]#chown you some_file
Notice that in order to change the owner of a file, you must be the superuser. To do this, our example employed the sucommand, then we executed chown, and finally we typed exit to return to our previous session.
chown works the same way on directories as it does on files.
Changing group ownership
The group ownership of a file or directory may be changed with chgrp. This command is used like this:
[me@linuxbox me]$chgrp new_group some_file
In the example above, we changed the group ownership of some_file from its previous group to “new_group”. You must be the owner of the file or directory to perform a chgrp.
|-rw-------||(600)||Only the owner has read and write permissions.|
|-rw-r--r--||(644)||Only the owner has read and write permissions; the group and others have read only.|
|-rwx------||(700)||Only the owner has read, write, and execute permissions.|
|-rwxr-xr-x||(755)||The owner has read, write, and execute permissions; the group and others have only read and execute.|
|-rwx--x--x||(711)||The owner has read, write, and execute permissions; the group and others have only execute.|
|-rw-rw-rw-||(666)||Everyone can read and write to the file. (Be careful with these permissions.)|
|-rwxrwxrwx||(777)||Everyone can read, write, and execute. (Again, this permissions setting can be hazardous.)|