File Security
The Unix workgroups system provides
flexible file security. Workgroups allow you to specify the level of access
different types of users have to your files and directories. In other words, who
can use your files and how.
Introduction to Workgroups
The basic idea of the workgroups system is to organize users who work together into groups. For example, at a university users might be divided into faculty, staff and student groups. At a business users might be grouped by job categories such as management, sales and secretarial. Users in the same workgroup can give each other special privileges to access files. For example, all the users in the managers group can edit the EmployeeEval file while all the users in the sales group can edit the NovSales file. Every user is a member of at least one group and users can be members of multiple groups.
Execute the groups command to display the groups that you belong to. For example,
$ groups
managers sales
shows that this user is a member of both the managers and sales groups. The first group shown is considered the primary group. In the above example, the primary group is managers.
Workgroups and Files
Every Unix file or directory is associated with exactly one user (also called the file's owner) and one group. A newly created file or directory is associated with the username and primary group of the person who created it. For example, suppose Kathy, whose username is kathyr and primary group is sales, starts a text editor and creates the file NovSales. The NovSales file will be associated with the user kathyr and group sales. To see what user and group a file belongs to, use the long file list option, -l, with the ls command.
$ ls -l
-rw-r--r-- 1 kathyr sales 0 Oct 08 OctSales
-rw-r--r-- 1 kathyr sales 0 Nov 08 NovSales
-rw-r--r-- 1 kathyr sales 0 Dec 17 EmployeeEvals
You can associate any file that you own with any group you are a member of using the chgrp command. For example, kathyr could associate the file EmployeeEvals with the managers group instead of the sales group.
$ chgrp managers EmployeeEvals
$ ls -l
-rw-r--r-- 1 kathyr sales 0 Oct 08 OctSales
-rw-r--r-- 1 kathyr sales 0 Nov 08 NovSales
-rw-r--r-- 1 kathyr managers 0 Dec 17 EmployeeEvals
The -R option to the chgrp command recursively descends through a directory, including all subdirectories, and changes the group associations. For example, if EmployeeEvalDir is a directory with two subdirectories, SalariedDir and HourlyDir, each with several hundred employee evaluations,
$ chgrp -R managers EmployeeEvalDir
will change the group associated with the EmployeeEvalDir, SalariedDir and HourlyDir directories as well as each evaluation within the directories.
Note: If you are a member of more than one group and only have access
privileges to files associated with your primary group then read: Older Unix Systems and Logging in to Groups.
Workgroups and File Permissions
A file's owner can control access to the file via the Unix file permission system. The file permission system
allows you to define the level of access to individual files and directories for
three different types of users.
| Abb. | Person | Description |
|------|--------|-------------|
| u | user | The user associated with the file (i.e. the file's owner). |
| g | group | Members of the group associated with the file. |
| o | other | Everyone else. |
There are three kinds of access or permissions each different type of user can be given.
| Abb. | Permission |
|------|------------|
| r | read permission |
| w | write permission |
| x | execute permission |
These permissions have different meanings when applied to a directory versus a regular file. Permissions allow the following access to a regular file.
| Permission | Required To |
|------------|-------------|
| read | Copy and view a file. Access a file with commands such as cat and grep. |
| write | Edit, delete and overwrite a file. |
| execute | Run a program or shell script. |
Permissions allow the following access to a directory.
| Permission | Required To |
|------------|-------------|
| read | List directory contents with ls. Access the directory with commands such as find. |
| write | Create, edit, rename and delete files and subdirectories within the directory. |
| execute | Cd into the directory. List directory contents with ls. Create, edit, rename, access and delete files or subdirectories within the directory. Execute a program or shell script within the directory. |
A permission is said to be turned on if it
is available. If not, it is said to be turned
off. See the read, write and execute permission glossary entries for more detailed
descriptions of these permissions.
File Permission List
The -l (long file listing) option with the ls command shows the permissions associated with files and directories.
$ ls -l
-rwxr--r-- 1 kathyr staff 1024 Oct 15 prog1
-rwxr-xr-x 1 kathyr staff 1024 Nov 05 prog2
-rw-r--r-- 1 kathyr staff 0 Nov 08 file1
-rw------- 1 kathyr staff 16 Nov 07 file2
drwx------ 2 kathyr staff 512 Nov 08 sdir/
The file permissions list is in the first section of ls output. It consists of 10 single character columns. The first column of the file permissions list is d if the listing is for a directory, - for a regular file, and another letter for less common file types (for example l for a symbolic link). The next three columns define the permissions available to the user. They are in the order rwx (read, write, execute) and will have a - if that permission is turned off. If a file is not a program or script, it will not have the execute permission turned on, even for the user. The next three columns define the permissions available to members of the group associated with the file. The final three columns of the file permissions list define the permissions available to others.
Figure 1: File Permissions List (-rwxr--r--)
In Figure 1, the permissions list indicates a regular file because the first
column is a dash, -. The user has read, write and execute permissions.
The group has read permission but not write or execute permission. Likewise
others have only read access to the file.
Changing File Permissions
You can change a file or directory's permissions list using the chmod command.
chmod [who op permission] filename
who can be any combination of
| u | user |
| g | group |
| o | other |
| a | all (i.e. ugo) |
op sets, adds or removes permissions. It is specified as
| = | set permission exactly |
| + | add permission |
| - | remove permission |
permission can be any combination of
| r | read |
| w | write |
| x | execute |
Examples
- $ chmod u=rw,g=,o= file1
Set the permissions on file1 so that only the user has read and write access. The members of the file's group and others have no access to the file. Because the = operator is used, the permissions are set exactly.
- $ chmod u=rwx,g=rx,o= dir1
This sets the permissions on the directory dir1 so that the user has read, write and execute access, the group has read and execute access and others have no access.
- $ chmod ug=rw,o= file1
Set the permissions on file1 so that both the user and members of the file's group have read and write access. Others have no access to the file.
- $ chmod u=,g=rw,o= f1
Set the permissions on f1 so that the group has read and write access while the user and others have no access. Note: The user will not be able to read or edit the file even though the user is a member of its group.
- $ chmod g+w file1
For file1, add write permission for the group. There is no effect on any other permissions.
- $ chmod a-w,a+r readonly
Remove write and add read permission to the file readonly for everyone (user, group and other).
- $ chmod go-wr *
Remove read and write permission for the group and others for all files and subdirectories in the current directory.
- $ chmod go-xwr dir1
Remove all permission for the group and others for the directory dir1. They can no longer list the contents of the directory with the ls command, cd into the directory or use files within the directory.
- $ chmod -R o-rwx ~
The chmod command with the -R option recursively descends through a directory structure setting the permissions of each file and subdirectory as it proceeds. The tilde ~ specifies your home directory. The above example will remove all permissions granted to others from all files and directories belonging to you.
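The following script is an added example and is not part of the original article: it applies several of the chmod settings above to throwaway files in a temporary directory and reads the resulting permission list back with ls -l, so you can confirm what = and + do without touching real files. It assumes a POSIX sh with chmod, ls, cut and mktemp; the names file1, dir1, f1 and readonly are taken from the examples.

```shell
#!/bin/sh
# Added example, not from the original article. Applies the chmod examples
# above to files in a scratch directory and reads the permissions back.
# Assumes a POSIX sh with chmod, ls, cut and mktemp.

# mode_of FILE: print the 10-character permission list ls -l shows for FILE.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# setup_sandbox: create file1, dir1, f1 and readonly in a fresh temporary
# directory, apply the article's chmod examples, and print the directory.
# Every mode is set explicitly, so the result does not depend on umask.
setup_sandbox() {
    d=$(mktemp -d)
    touch "$d/file1" "$d/f1" "$d/readonly"
    mkdir "$d/dir1"
    chmod u=rw,g=,o= "$d/file1"    # only the owner may read and write
    chmod u=rwx,g=rx,o= "$d/dir1"  # owner full; group may enter and list; others nothing
    chmod u=,g=rw,o= "$d/f1"       # group only: even the owner is locked out
    chmod a-w,a+r "$d/readonly"    # readable by everyone, writable by nobody
    printf '%s\n' "$d"
}

# demo_chmod: run the examples and print the five resulting permission lists
# on one line: file1, dir1, f1, readonly, and readonly again after g+w.
demo_chmod() {
    d=$(setup_sandbox)
    m1=$(mode_of "$d/file1")
    m2=$(mode_of "$d/dir1")
    m3=$(mode_of "$d/f1")
    m4=$(mode_of "$d/readonly")
    chmod g+w "$d/readonly"        # + changes only the named bit, nothing else
    m5=$(mode_of "$d/readonly")
    rm -rf "$d"
    printf '%s %s %s %s %s\n' "$m1" "$m2" "$m3" "$m4" "$m5"
}

demo_chmod
```

Run it as an ordinary user. The f1 case shows up as ----rw----: the owner class is checked first, so the owner is refused even though group members are not (root bypasses the permission bits entirely, so the lock-out is only visible to a normal account).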
Related Links
File Security, Part 2
Learn how to search for files based on their permissions and how to set the
default permission for all newly created files and directories.
Prerequisite
Read the Unix 101: File Permissions article if you haven't
already. It will teach you the basics of Unix file permissions including the
workgroup system and using the chmod command to set read (r), write (w) and
execute (x) permissions for the user (u), group (g) and others (o). In this
article, we'll move beyond the basics and learn to specify file permissions
using octal numbers, search for files based on their permission list and how to
set default permissions for all files.
Symbolic vs. Octal Permission Specification
The find command can be used to search for files based on the permission list while the umask command can be used to set the default permissions for new files and directories. In some modern Unix flavors (those which comply with the POSIX.2 standard), the permissions can be specified using symbolic mode. Symbolic mode uses the u,g,o (user, group, other) and r,w,x (read, write, execute) symbols that you learned when using the chmod command. In older flavors of Unix, permission lists for find and umask must be specified using octal numbers. To see if your system supports symbolic mode check the man pages for find and umask or simply try the following commands.
$ find . -perm u=w -print
$ umask -S
If they execute without errors then read the symbolic mode section of this article. If errors occur then skip to the octal numbers section of this article. Virtually any Unix flavor will support octal number specification of file permissions and they are very easy to use. It is worth learning octal number permission specification even if your Unix flavor supports symbolic mode specification.
Symbolic Mode - for users with modern Unix flavors.
Octal Mode - for all users.
Symbolic Mode
Searching for Files Based on the Permission List
The Unix find command can be used to search for files based on their available permissions. For example,
$ find /home/kathyr -perm ugo=r -print
/home/kathyr/readonly
/home/kathyr/temp/readme.txt
recursively descends through the /home/kathyr directory, searching for files that have read permission only for the user, group and others.
If the permission list is preceded by a minus sign (-), the find command will search for files with at least the permissions specified. For example,
$ find /home/kathyr -perm -ugo=r -print
/home/kathyr/readonly
/home/kathyr/writeto
/home/kathyr/temp/readme.txt
...
recursively descends through the /home/kathyr directory searching
for files that have at least read permission for the user, group and others. It
will find files that have read permission only; read and write permission; or
read, write and execute permission. However, it will not find files with write
and execute permission but not read permission.
You do not have to include all classes (u, g and o) when using find. For example,
$ find startdir -perm -o=w -print
recursively descends through the startdir directory searching for
files that have write permission for others. It will list all files and
directories to which others have write access regardless of the status of all
other permissions.
Examples: Using Find with Permission Lists
- $ find ~ -perm u=rw,go=r -print
Recursively descend through the home directory searching for all files that have read
and write permission for the user and read permission only for the group and
others. Print the results to the screen. This example is likely to find files
but not directories or programs since these would have execute permission
available to the user.
- $ find ~ -perm u=rwx,go=rx -print
Starting with the home directory, find all files that have read, write and
execute permission for the user and read and execute permission for the group
and others. This example is likely to find programs and directories since
these generally have execute permission turned on.
- $ find ~ -perm -o=w -print
Starting with the home directory, find all files that have at least write permission for others. This will
find files that have write only; write and read; or write, read and execute
permission for others with any level of permissions available to the user and
group. The only files it will not find are those that do not have write
permission available to others.
- $ find ~ ! -perm -g=r -print
Starting with the home directory, find all files where the group does not have read access. (Note that this uses the not (!) operator with the find command.) This can also be done with the minus operator in the permission list.
$ find ~ -perm -g-r -print
Check the second form on your system before relying on it: GNU find interprets a symbolic mode relative to a starting mode of no permissions, so g-r clears nothing and -perm -g-r matches every file. The ! form above is the portable one.
- $ find ~ -perm -o=rw -print
Starting with the home directory, find all files that have at least write
and read permission for others. This will find files with write and read or
write, read and execute permission for others. It will not find files with
just read or just write permission for others.
- $ find ~ \( -perm -o=w -o -perm -o=r \) -print
Starting with the home directory, find all files that have at least write
permission or at least read permission for others. (Note that this uses the
or (-o) operator with
the find command.) This is different from the above example because it
will find files with just read or just write permission as well as files with
write and read or write, read and execute permission.
- $ find ~ \( -perm -g=w -o -perm -o=w \) -exec chmod go-w \{\} \;
Starting with the home directory, find all files that have at least write
permission available to the group or at least write permission available to
others and use the chmod command to remove those permissions.
Setting Default Permissions with the Umask Command
The default permissions assigned to a newly created file or directory depend on your system and system administrator. The defaults can be changed with the umask command.
umask permission-list
For example,
$ umask a=rx,ug+w
specifies that all users have read and, if relevant, execute permission
for newly created files and directories. Additionally, write privileges are
granted to the user and group.
$ umask a=rwx,g=rx,o=
specifies that the user has all permissions, the group has read and execute permission and others have no permissions.
Type umask -S without specifying a permission list to see
the current permission defaults. For example,
$ umask -S
u=rwx,g=rx,o=rx
indicates that the user has full access to all files and directories
created while the group and others have read and execute permission but are
denied write access.
The umask command changes the default permissions for files and
directories created in the current shell session. (Note that in X Windows this will only affect the current window). To change the default permission for all
shell sessions put the appropriate umask command in your shell startup file. The Unix shell reads a startup file
before it does anything else. The file contains commands that set up your
working environment. The appropriate startup file depends on your shell.
| Shell | Startup File |
|-------|--------------|
| Bourne (sh) | .profile |
| Korn (ksh) | .profile |
| Bash (bash) | .bash_profile, or .profile if .bash_profile is not found |
| Z-Shell (zsh) | .zprofile |
| C-Shell (csh) | .cshrc |
| TC-Shell (tcsh) | .tcshrc, or .cshrc if .tcshrc is not found |
It will be located in your home directory. Note that by default the ls command does not display files whose filenames begin with a dot (.). To display these files use the -a option. For example, to see your startup file use the following command.
$ ls -a ~
Octal Mode
Specifying Permissions with Octal Numbers
The first article on file security covered setting file permissions using the chmod command. For example,
$ chmod u=rw,go=r myfile
sets the permissions on the file myfile so that the user has read and write access and the group and others have only read access. The chmod command also supports specifying permissions using octal numbers. An octal number is a number between 0 and 7 that uniquely defines the permissions available to a single category of user. For example,
$ chmod 644 myfile
is equivalent to the example above. In general
chmod nnn file...
sets the permissions for the files specified by the file list based on three octal numbers. The first specifies the access for the user, the second for the group and the last for others. The octal number, n, is a number between 0 and 7. Each type of permission has an octal number associated with it.
| Permission | Octal Number |
|------------|--------------|
| Execute | 1 |
| Write | 2 |
| Read | 4 |
The file permission is determined by adding the octal numbers of each desired permission. This provides seven unique numbers for every possible combination of read, write and execute permission. If a 0 is used then no access is granted. The following table shows the combination of file permissions for each of the octal numbers.
| Octal Number | Permissions | Description |
|--------------|-------------|-------------|
| 0 | --- | No permission to read, write or execute. |
| 1 | --x | Execute permission only. |
| 2 | -w- | Write permission only. |
| 3 | -wx | Write and execute permission. |
| 4 | r-- | Read permission only. |
| 5 | r-x | Read and execute permission. |
| 6 | rw- | Read and write permission. |
| 7 | rwx | Read, write and execute permission. |
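The following script is an added example (not from the article): it turns the permission list that ls -l prints into the octal number chmod accepts by adding the weights from the table above, and flags entries to which others have write permission, the ones a permission review usually wants to see first. It assumes only a POSIX sh and cut; the listing lines it reads are constructed after the earlier ls -l examples.

```shell
#!/bin/sh
# Added example, not from the original article. Converts the permission list
# printed by ls -l into the octal digits chmod accepts (read=4, write=2,
# execute=1 per class) and flags entries others can write to.
# Assumes a POSIX sh and cut.

# class_digit RWX: octal digit for one three-character class such as "r-x".
class_digit() {
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    # x, s and t all mean the execute bit is set; S and T mean it is not.
    # (The setuid, setgid and sticky bits themselves are not reported here.)
    case $1 in ??[xst]) n=$((n + 1)) ;; esac
    printf '%s' "$n"
}

# mode_to_octal PERMLIST: three octal digits for a list such as "-rwxr-xr--".
mode_to_octal() {
    p=$1
    [ ${#p} -eq 10 ] || { printf 'bad permission list: %s\n' "$p" >&2; return 1; }
    u=$(class_digit "$(printf '%s' "$p" | cut -c2-4)")
    g=$(class_digit "$(printf '%s' "$p" | cut -c5-7)")
    o=$(class_digit "$(printf '%s' "$p" | cut -c8-10)")
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# world_writable PERMLIST: succeed when others have write permission.
world_writable() {
    case $1 in ????????w?) return 0 ;; *) return 1 ;; esac
}

# octal_of_listing: read ls -l lines on stdin and print "octal name" for each,
# marking world-writable entries and skipping the "total N" summary line.
octal_of_listing() {
    while read -r perm rest; do
        case $perm in total) continue ;; esac
        name=${rest##* }
        flag=
        world_writable "$perm" && flag=' (world-writable)'
        printf '%s %s%s\n' "$(mode_to_octal "$perm")" "$name" "$flag"
    done
}

# Constructed listing lines, modelled on the ls -l examples in the article.
printf '%s\n' \
    '-rwxr--r-- 1 kathyr staff 1024 Oct 15 prog1' \
    '-rw------- 1 kathyr staff   16 Nov 07 file2' \
    '-rw-rw-rw- 1 kathyr staff    0 Nov 08 scratch' \
    'drwx------ 2 kathyr staff  512 Nov 08 sdir' | octal_of_listing
```

Pipe a real ls -l into octal_of_listing to get the same report for a directory of your own; the name extraction takes the last word of each line, so file names containing spaces are shown by their final word only.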
Examples: Using Chmod with Octal Numbers
- $ chmod 660 chap1 chap2
For the user and group allow read and write access to the files
chap1 and chap2. The octal number specifying read and write
permission, 6, is determined by adding 4 to give read permission and 2 to give
write permission. Others have no access to the files as specified by the octal
number 0.
- $ chmod 700 dir1
Set permissions on the directory dir1 so that the user has complete access (read + write + execute = 4 + 2 + 1 = 7). The group and others have no access to the directory.
- $ chmod 444 README
Set permissions on the file README so that anyone can read the file
but no one, including the file owner, can edit it (i.e. no write permission).
- $ chmod 640 ourplan
For the file ourplan, grant the user read and write access. Grant
members of the group read access but no write access. Grant all others no
access at all.
- $ chmod 750 ourproject
For the directory ourproject, grant the owner full access. Grant the
group execute and read access so that they can cd into the directory and list the files, but not
delete the directory or create new files within it. Grant all others no access
to the directory.
- $ chmod -R 444 public_html/
Recursively descend through the public_html directory setting the access privileges to read only for all users. Note that this will remove execute privileges for the public_html directory and all subdirectories so that the user cannot cd into the directory or list the files within the directory. You can use the find command with the -type f option to change the permissions for regular files but not directories.
$ find public_html -type f -exec chmod 444 \{\} \;
Searching for Files Based on the Permission List
The Unix find command can be used to search for files based on their available permissions. For example,
$ find /home/kathyr -perm 444 -print
/home/kathyr/readonly
/home/kathyr/temp/readme.txt
recursively descends through the /home/kathyr directory searching for files that have read permission only for the user, group and others. If the permission list is preceded by a minus sign (-), the find command will search for files with at least the permissions specified. For example,
$ find /home/kathyr -perm -444 -print
/home/kathyr/readonly
/home/kathyr/writeto
/home/kathyr/temp/readme.txt
...
recursively descends through the /home/kathyr directory searching for files that have at least read permission for the user, group and others. It will find files that have read permission only; read and write permission; or read, write and execute permission. However it will not find files with write and execute permission but not read permission. Zero (i.e. no permission) can be used as a wild card when using at least permission lists. For example,
$ find startdir -perm -002 -print
recursively descends through the startdir directory searching for files that have write permission for others. It will list all files and directories to which others have write access regardless of the status of all other permissions.
Examples: Using Find with Permission Lists
If you are not familiar with the find command read the Power Commands: Find feature article.
- $ find ~ -perm 644 -print
Recursively descend through the home directory searching for all files that have read
and write permission (read + write = 4 + 2 = 6) for the user and read
permission (read = 4) only for the group and others. Print the results to the
screen. This example is likely to find files but not directories or programs
since these would have execute permission available to the user.
- $ find ~ -perm 755 -print
Starting with the home directory, find all files that have read, write and
execute permission (read + write + execute = 4 + 2 + 1 = 7) for the user and
read and execute permission (read + execute = 4 + 1 = 5) for the group and
others. This example is likely to find programs and directories since these
generally have execute permission turned on.
- $ find ~ -perm -002 -print
Starting with the home directory, find all files that have at least write permission for others. This will
find files that have write only; write and read; or write, read and execute
permission for others with any level of permissions available to the user and
group. The only files it will not find are those that do not have write
permission available to others.
- $ find ~ ! -perm -040 -print
Starting with the home directory, find all files where the group does not
have read access. (Note that this uses the not
(!) operator with the find command.)
- $ find ~ -perm -006 -print
Starting with the home directory, find all files that have at least write
and read permission for others. This will find files with write and read or
write, read and execute permission for others. It will not find files with
just read or just write permission for others.
- $ find ~ \( -perm -002 -o -perm -004 \) -print
Starting with the home directory, find all files that have at least write
permission or at least read permission for others. (Note that this uses the
or (-o) operator with
the find command.) This is different from the above example because it
will find files with just read or just write permission as well as files with
write and read or write, read and execute permission.
- $ find ~ \( -perm -020 -o -perm -002 \) -exec chmod go-w \{\} \;
Starting with the home directory, find all files that have at least write
permission available to the group or at least write permission available to
others and use the chmod command to remove those
permissions.
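The following script is an added example, not part of the original article; it serves the last example of both the symbolic and the octal find sections. It builds a small directory tree with known permissions, lists the regular files the group or others can write to with find -perm, and then removes those write bits with -exec chmod. It assumes a POSIX sh with find, chmod, ls, cut, sort and mktemp; the tree and its modes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a scratch tree with
# known permissions, lists regular files the group or others can write to
# (octal -020 / -002, symbolic -g=w / -o=w), then removes those write bits
# with chmod, as in the last find example of each section above.
# Assumes a POSIX sh with find, chmod, ls, cut, sort and mktemp.

# mode_of FILE: print the 10-character permission list for FILE.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# make_tree: create the scratch tree (constructed data) and print its path.
make_tree() {
    d=$(mktemp -d)
    mkdir "$d/sub"
    touch "$d/private" "$d/shared" "$d/sub/notes" "$d/sub/readme"
    chmod 600 "$d/private"      # owner only
    chmod 664 "$d/shared"       # group may write
    chmod 666 "$d/sub/notes"    # everyone may write
    chmod 644 "$d/sub/readme"   # readable by all, writable by the owner only
    chmod 755 "$d/sub"
    printf '%s\n' "$d"
}

# writable_by_group_or_others DIR: print, sorted and relative to DIR, the
# regular files with at least the group write bit or the other write bit.
# -type f keeps directories out; they normally need x as well and are
# reviewed separately. Symbolic form: \( -perm -g=w -o -perm -o=w \).
writable_by_group_or_others() {
    (cd "$1" && find . -type f \( -perm -020 -o -perm -002 \) -print | sort)
}

# harden DIR: strip group and other write permission from those files.
# "{} +" hands many paths to one chmod; the article's "\{\} \;" runs one
# chmod per file with the same result.
harden() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

demo() {
    d=$(make_tree)
    printf 'before hardening:\n'
    writable_by_group_or_others "$d"
    harden "$d"
    printf 'after hardening: %s matches\n' "$(writable_by_group_or_others "$d" | wc -l)"
    printf 'sub/notes is now %s\n' "$(mode_of "$d/sub/notes")"
    rm -rf "$d"
}

demo
```

Running writable_by_group_or_others against a real directory first, and harden only after reviewing the list, keeps a shared working directory from being locked down by mistake.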
Setting Default Permissions with the Umask Command
The default permissions assigned to a newly created file or directory depend on your system and system administrator. These defaults can be changed with the umask command.
umask nnn
The three octal digits nnn define the permissions NOT granted to the user, group and others (respectively). For example,
$ umask 027
specifies the octal number 0 for the user, 2 for the group and 7 for others.
The octal number 0 indicates that no permissions are denied to the user, i.e.
the user has read, write and execute permissions for all newly created files and
directories. The octal number 2 denies write permission to the group. So members
of the group have read and, if relevant, execute permission for files and
directories created. The octal number 7 denies all permissions to others.
Type umask without specifying a permission list to see the current permission defaults. For example,
$ umask
022
indicates that the user has full access to all files and directories created
and that the group and others are denied write access.
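The following script is an added example, not from the article, and illustrates the umask sections in both symbolic and octal mode. It creates a file and a directory under a given umask and shows the resulting permission lists, and separately computes the expected octal mode from the rule that a file starts at 666 and a directory at 777 before the mask's bits are cleared. It assumes a POSIX sh with mktemp, ls and cut, and that the mask is passed as three octal digits.

```shell
#!/bin/sh
# Added example, not from the original article. Shows the effect of a umask
# on newly created files and directories and checks it against the rule:
# a file starts from 666 and a directory from 777, and every bit set in the
# mask is cleared. Assumes a POSIX sh with mktemp, ls and cut, and that the
# mask is given as three octal digits (e.g. 027).

# mode_of FILE: print the 10-character permission list for FILE.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# created_modes MASK: create a file and a directory under MASK in a scratch
# directory and print their permission lists as "FILE DIR". The subshell
# keeps the umask change from leaking into the calling shell.
created_modes() {
    d=$(mktemp -d)
    (
        umask "$1"
        touch "$d/f"
        mkdir "$d/sd"
    )
    f=$(mode_of "$d/f")
    s=$(mode_of "$d/sd")
    rm -rf "$d"
    printf '%s %s\n' "$f" "$s"
}

# predicted_octal MASK KIND: compute the expected octal mode arithmetically,
# KIND being "file" (base 666) or "dir" (base 777), without touching the disk.
predicted_octal() {
    case $2 in
        file) base=438 ;;   # 0666 in decimal
        dir)  base=511 ;;   # 0777 in decimal
        *) printf 'kind must be file or dir\n' >&2; return 1 ;;
    esac
    d1=$(printf '%s' "$1" | cut -c1)
    d2=$(printf '%s' "$1" | cut -c2)
    d3=$(printf '%s' "$1" | cut -c3)
    mask=$((d1 * 64 + d2 * 8 + d3))
    printf '%o\n' $((base & ~mask))
}

for m in 022 027 077; do
    printf 'umask %s: created %s; predicted file %s, dir %s\n' "$m" \
        "$(created_modes "$m")" "$(predicted_octal "$m" file)" "$(predicted_octal "$m" dir)"
done
```

The created and predicted values agree because umask only ever removes bits: a mask cannot grant execute permission to a new file, which is why files created under 022 come out as 644 rather than 755.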
The umask command changes the default permissions for files and directories created in the current shell session. (Note that in X Windows this will only affect the current window.) To change the default permission for all shell sessions put the appropriate umask command in your shell startup file; the startup file for each shell is listed in the table in the Symbolic Mode section above, it is located in your home directory, and ls -a ~ displays it.
http://unix.about.com/library/weekly/aa090400a.htm