Ownership & Permissions

In Linux there are two types of ownership.

1. User Ownership
2. Group Ownership

Whenever a file or directory is created, the user who creates it becomes its user owner and that user's primary group becomes its group owner.


In the listing above, the first "test" indicates the user owner and the second shows the group owner.
The user and group ownership of a file or directory can be changed with the chown and chgrp commands: chgrp is used to change the group ownership and chown is used to change the user ownership of a file or directory.

In the above example we changed the group ownership of the myproject directory; user ownership can be changed in the same way. If a user's primary group is changed, the files and directories that user creates afterwards will have the new group as their group owner.
As shown below, first create a group, then change the user's primary group, then log in with the username and password, create a directory or file and check its group ownership.


chown can be used with the -R option, which also changes the ownership of the subdirectories and files:
        [test1@CENTOS ~]# chown -R user:group directory
For more options see the documentation:
        [test1@CENTOS ~]# man chown

PERMISSIONS

 Permission    Numeric Value
 read          4
 write         2
 execute       1

These permissions are applied separately for the user, the group and others. To set them we use either a numeric value or a text value.

-rwxrwxrwx. 1 root root 23224 Jul 18 2016 crclient

Sometimes you will see a "." or a "+" after the permissions for others:
    .  =  an SELinux security context is set on the file, so SELinux control can be specified for it

    +  =  an SELinux policy is applied on this file

When permissions are applied to a file or directory in numeric form, the existing permissions are overwritten. In text form, permissions are added to or removed from the existing ones.

Applying permissions in numeric form:
        [test1@CENTOS ~]# chmod 754 file1

 7 = read, write and execute permission for the user
 5 = read and execute permission for the group
 4 = read permission for other users

Applying permissions in text form:
    [test1@CENTOS ~]# chmod u+r,g+w,o-w file1

In the above example we added read permission for the user, added write permission for the group and removed write permission from others. To apply the permissions to the files and subdirectories of a directory as well, use:
    [test1@CENTOS ~]# chmod -R u+r,g+w,o-w dir1

Understanding Advanced Permissions:
There are three advanced permissions.

    1. Set user ID (SUID) permission
    2. Set group ID (SGID) permission
    3. Sticky bit

1. Set user ID (SUID) permission: This permission is used when users need root permission to execute a file or to carry out a certain task of that file. Example: when a user changes his password, the new password is written to the /etc/shadow file, which is accessible only by root. To allow users to write their password to /etc/shadow we use SUID: the /usr/bin/passwd utility has this permission by default, which gives users temporary root permission to write to this file. SUID has the numeric value 4.
You can see the SUID permission with ls -l as an s at the position where normally you would expect to see the x for the user permissions:
    [root@test ~]# chmod 4755 /opt/dir1            // To apply SUID.//
    [root@test ~]# chmod u+s /opt/dir1
    [root@test ~]# ls -l /usr/bin/passwd
    -rwsr-xr-x. 1 root root 32680 Jan 28 2010 /usr/bin/passwd


2. Set group ID (SGID) permission: This permission works more or less like SUID, but its main use is the following case. Two users are each members of their own primary group and are also members of the secondary group sales. If we create a shared directory /opt/sales for the group sales, a file or directory created there by one user cannot be used by the other user, because it is owned by the creator's primary group and the other user is only a member of the secondary group. To solve this, set the SGID permission on /opt/sales. Now files and directories created in /opt/sales get the sales group and can be accessed by the other users. SGID has the numeric value 2.

    [root@test ~]# chmod 2755 /opt/dir1             // To apply SGID.//
    [root@test ~]# chmod g+s /opt/dir1
    [root@test opt]# ls -ld sales
     drwxr-sr-x. 2 root sales 4096 Mar 15 21:28 sales

3. Sticky bit: This permission is useful to protect files against accidental deletion in an environment where multiple users have write permission in the same directory.
Example: in a shared directory where multiple users have write permission, a user can delete a file or directory created by another user. After applying the sticky bit, a user can delete a file only if one of the following is true:

■ The user is the owner of the file.
■ The user is the owner of the directory in which the file exists.

The sticky bit has the numeric value 1. When using ll, you can see the sticky bit as a "t" at the position where you normally see the execute permission for others:
    [root@test ~]# chmod 1755 /opt/dir1         // To apply sticky bit.//
    [root@test ~]# chmod +t /opt/dir1
    [root@test opt]# ll /
    drwxrwxrwt. 39 root root 4096 Mar 16 10:30 tmp
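As an added example (not part of the original post), the following Python script decodes the mode column that ls -l prints into the 4-digit number chmod takes, so that the "s" and "t" characters from the SUID, SGID and sticky-bit listings above map back onto the values 4, 2 and 1, and then walks a directory tree to report every entry that carries one of these special bits, which is the audit an administrator runs after setting them. The directory /usr/bin used at the bottom is only a demonstration path.

```python
import os
import stat

def ls_mode_to_octal(ls_field: str) -> str:
    """Decode the mode column of ls -l into the 4-digit form chmod takes.

    '-rwsr-xr-x.' -> '4755', 'drwxr-sr-x.' -> '2755', 'drwxrwxrwt.' -> '1777'.
    The first character is the file type; a trailing '.' or '+' is ignored.
    Lowercase s/t means the special bit and execute are both set; uppercase
    S/T means the special bit is set but the execute bit is not.
    """
    bits = ls_field[1:10]
    if len(bits) != 9 or any(c not in "rwxsStT-" for c in bits):
        raise ValueError(f"not an ls -l mode field: {ls_field!r}")
    special = 0          # SUID = 4, SGID = 2, sticky = 1, as in the post
    perms = 0
    for i, (r, w, x) in enumerate((bits[0:3], bits[3:6], bits[6:9])):
        value = (4 if r == "r" else 0) + (2 if w == "w" else 0)
        if x in "sStT":
            special |= 4 >> i        # user -> 4, group -> 2, other -> 1
        if x in "xst":
            value += 1               # lowercase letters include execute
        perms = perms * 8 + value
    return f"{special}{perms:03o}"

def find_special_bits(root: str):
    """Walk a tree and list entries carrying SUID, SGID or the sticky bit.

    Returns sorted (path, mode) pairs with mode in the same 4-digit form as
    above; every entry returned grants something beyond plain rwx and should
    be one the administrator expects to find.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX):
                found.append((path, f"{stat.S_IMODE(st.st_mode):04o}"))
    return sorted(found)

if __name__ == "__main__":
    # Mode strings copied from the ls output shown in the post.
    for field in ("-rwsr-xr-x.", "drwxr-sr-x.", "drwxrwxrwt."):
        print(field, "->", ls_mode_to_octal(field))
    for path, mode in find_special_bits("/usr/bin"):   # demonstration path
        print(mode, path)
```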
