5.3 Gestione Permessi e Proprietà dei file

Introduction

Being a multi-user system, Linux needs some way to track who owns each file and whether or not a user is allowed to perform actions on that file. This is to ensure the privacy of users who might want to keep the content of their files confidential, as well as to ensure collaboration by making certain files accessible to multiple users.

This is done through a three-level permissions system: every file on disk is owned by a user and a user group and has three sets of permissions: one for its owner, one the group who owns the file and one for everyone else. In this lesson, you will learn how to query the permissions for a file and how to manipulate them.

Querying Information about Files and Directories

The command ls is used to get a listing of the contents of any directory. In this basic form, all you get are the filenames:

$ ls
Another_Directory  picture.jpg  text.txt

But there is much more information available for each file, including type, size, ownership and more. To see this information you must ask ls for a “long form” listing, using the -l parameter:

$ ls -l
total 536
drwxrwxr-x 2 carol carol   4096 Dec 10 15:57 Another_Directory
-rw------- 1 carol carol 539663 Dec 10 10:43 picture.jpg
-rw-rw-r-- 1 carol carol   1881 Dec 10 15:57 text.txt

Each column on the output above has a meaning:

  • The first column on the listing shows the file type and permissions.For example, on drwxrwxr-x:
    • The first character, d, indicates the file type.
    • The next three characters, rwx, indicate the permissions for the owner of the file, also referred to as user or u.
    • The next three characters, rwx, indicate the permissions of the group owning the file, also referred to as g.
    • The last three characters, r-x, indicate the permissions for anyone else, also known as others or o.
  • The second column indicates the number of hard links pointing to that file. For a directory, this means the number of subdirectories, plus a link to itself (.) and the parent directory (..).
  • The third and fourth columns show ownership information: respectively the user and group that own the file.
  • The fifth column shows the filesize, in bytes.
  • The sixth column shows the precise date and time, or timestamp, when the file was last modified.
  • The seventh and last column shows the file name.

If you wish to see the filesizes in “human readable” format, add the -h parameter to ls. Files less than one kilobyte in size will have the size shown in bytes. Files with more than one kilobyte and less than one megabyte will have a K added after the size, indicating the size is in kilobytes. The same follows for filesizes in the megabyte (M) and gigabyte (G) ranges:

$ ls -lh
total 1,2G
drwxrwxr-x 2 carol carol 4,0K Dec 10 17:59 Another_Directory
----r--r-- 1 carol carol    0 Dec 11 10:55 foo.bar
-rw-rw-r-- 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip
-rw------- 1 carol carol 528K Dec 10 10:43 picture.jpg
---xr-xr-x 1 carol carol   33 Dec 11 10:36 test.sh
-rwxr--r-- 1 carol carol 1,9K Dec 20 18:13 text.txt
-rw-rw-r-- 1 carol carol 2,6M Dec 11 22:14 Zipped.zip

To only show information on a specific set of files, add the names of these files to ls:

$ ls -lh HugeFile.zip test.sh
total 1,2G
-rw-rw-r-- 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip
---xr-xr-x 1 carol carol   33 Dec 11 10:36 test.sh

What about Directories?

If you try to query information about a directory using ls -l, it will show you a listing of the directory contents instead:

$ ls -l Another_Directory/
total 0
-rw-r--r-- 1 carol carol 0 Dec 10 17:59 another_file.txt

To avoid this and query information about the directory itself, add the -d parameter to ls:

$ ls -l -d Another_Directory/
drwxrwxr-x 2 carol carol 4096 Dec 10 17:59 Another_Directory/

Seeing Hidden Files

The directory listing we have retrieved using ls -l before is incomplete:

$ ls -l
total 544
drwxrwxr-x 2 carol carol   4096 Dec 10 17:59 Another_Directory
-rw------- 1 carol carol 539663 Dec 10 10:43 picture.jpg
-rw-rw-r-- 1 carol carol   1881 Dec 10 15:57 text.txt

There are three other files in that directory, but they are hidden. On Linux, files whose name starts with a period (.) are automatically hidden. To see them we need to add the -a parameter to ls:

$ ls -l -a
total 544
drwxrwxr-x 3 carol carol   4096 Dec 10 16:01 .
drwxrwxr-x 4 carol carol   4096 Dec 10 15:56 ..
drwxrwxr-x 2 carol carol   4096 Dec 10 17:59 Another_Directory
-rw------- 1 carol carol 539663 Dec 10 10:43 picture.jpg
-rw-rw-r-- 1 carol carol   1881 Dec 10 15:57 text.txt
-rw-r--r-- 1 carol carol      0 Dec 10 16:01 .thisIsHidden

The file .thisIsHidden is simply hidden because its name starts with ..

The directories . and .. however are special. . is a pointer to the current directory, while .. is a pointer to the parent directory (the directory which contains the current directory). In Linux, every directory contains at least these two special directories.

TipYou can combine multiple parameters for ls (and many other Linux commands). ls -l -a can, for example, be written as ls -la.

Understanding Filetypes

We have already mentioned that the first letter in each output of ls -l describes the type of the file. The three most common file types are:- (normal file)

A file can contain data of any kind. Files can be modified, moved, copied and deleted.d (directory)

A directory contains other files or directories and helps to organize the file system. Technically, directories are a special kind of file.l (soft link)

This “file” is a pointer to another file or directory elsewhere in the filesystem.

In addition to those, there are three other file types that you should at least know about, but are out of scope for this lesson:b (block device)

This file stands for a virtual or physical device, usually disks or other kinds of storage devices. For example, the first hard disk in the system might be represented by /dev/sda.c (character device)

This file stands for a virtual or physical device. Terminals (like the main terminal on /dev/ttyS0) and serial ports are common examples of character devices.s (socket)

Sockets serve as “conduits” passing information between two programs.

WarningDo not alter any of the permissions on block devices, character devices or sockets, unless you know what you’re doing. This may prevent your system from working!

Understanding Permissions

In the output of ls -l the file permissions are shown right after the filetype, as three groups of three characters each, in the order rw and x. Here is what they mean. Keep in mind that a dash - represents the lack of a particular permission.

Permissions on Files

r

Stands for read and has an octal value of 4 (don’t worry, we will discuss octals shortly). This means permission to open a file and read its contents.w

Stands for write and has an octal value of 2. This means permission to edit or delete a file.x

Stands for execute and has an octal value of 1. This means that the file can be run as an executable or script.

So, for example, a file with permissions rw- can be read and written to, but cannot be executed.

Permissions on Directories

r

Stands for read and has an octal value of 4. This means permission to read the directory’s contents, like filenames. But it does not imply permission to read the files themselves.w

Stands for write and has an octal value of 2. This means permission to create or delete files in a directory, or change their names, permissions and owners. If a user has the write permission on a directory, the user can change permissions of any file in the directory, even if the user has no permissions on the file or if the file is owned by another user.x

Stands for execute and has an octal value of 1. This means permission to enter a directory, but not to list its files (for that, the r permission is needed).

The last bit about directories may sound a bit confusing. Let’s imagine, for example, that you have a directory named Another_Directory, with the following permissions:

$ ls -ld Another_Directory/
d--xr-xr-x 2 carol carol 4,0K Dec 20 18:46 Another_Directory

Also imagine that inside this directory you have a shell script called hello.sh with the following permissions:

-rwxr-xr-x 1 carol carol 33 Dec 20 18:46 hello.sh

If you are the user carol and try to list the contents of Another_Directory, you will get an error message, as your user lacks read permission for that directory:

$ ls -l Another_Directory/
ls: cannot open directory 'Another_Directory/': Permission denied

However, the user carol does have execute permissions, which means that she can enter the directory. Therefore, the user carol can access files inside the directory, as long as she has the correct permissions for the respective file. In this example, the user has full permissions for the script hello.sh, so she can run the script, even if she can’t read the contents of the directory containing it. All that is needed is the complete filename.

$ sh Another_Directory/hello.sh
Hello LPI World!

As we said before, permissions are specified in sequence: first for the owner of the file, then for the owning group, and then for other users. Whenever someone tries to perform an action on the file, the permissions are checked in the same fashion. First the system checks if the current user owns the file, and if this is true it applies the first set of permissions only. Otherwise, it checks if the current user belongs to the group owning the file. In that case, it applies the second set of permissions only. In any other case, the system will apply the third set of permissions. This means that if the current user is the owner of the file, only the owner permissions are effective, even if the group or other permissions are more permissive than the owner’s permissions.

Modifying File Permissions

The command chmod is used to modify the permissions for a file, and takes at least two parameters: the first one describes which permissions to change, and the second one points to the file or directory where the change will be made. However, the permissions to change can be described in two different ways, or “modes”.

The first one, called symbolic mode offers fine grained control, allowing you to add or revoke a single permission without modifying others on the set. The other mode, called numeric mode, is easier to remember and quicker to use if you wish to set all permission values at once.

Both modes will lead to the same end result. So, for example, the commands:

$ chmod ug+rw-x,o-rwx text.txt

and

$ chmod 660 text.txt

will produce exactly the same output, a file with the permissions set:

-rw-rw---- 1 carol carol  765 Dec 20 21:25 text.txt

Now, let’s understand how each mode works.

Symbolic Mode

When describing which permissions to change in symbolic mode the first character(s) indicate(s) whose permissions you will alter: the ones for the user (u), for the group (g), for others (o) and/or for all the three together (a).

Then you need to tell the command what to do: you can grant a permission (+), revoke a permission (-), or set it to a specific value (=).

Lastly, you specify which permission you wish to affect: read (r), write (w), or execute (x).

For example, imagine we have a file called text.txt with the following permission set:

$ ls -l text.txt
-rw-r--r-- 1 carol carol 765 Dec 20 21:25 text.txt

If you wish to grant write permissions to members of the group owning the file, you would use the g+w parameter. It is easier if you think about it this way: “For the group (g), grant (+) write permissions (w)”. So, the command would be:

$ chmod g+w text.txt

Let’s check the result with ls:

$ ls -l text.txt
-rw-rw-r-- 1 carol carol 765 Dec 20 21:25 text.txt

If you want to remove read permissions for the owner of the same file, think about it as: “For the user (u) revoke (-), read permissions (r)”. So the parameter is u-r, like so:

$ chmod u-r text.txt
$ ls -l text.txt
--w-rw-r-- 1 carol carol 765 Dec 20 21:25 text.txt

What if we want to set the permissions exactly as rw- for everyone? Then think of it as: “For all (a), set exactly (=), read (r), write (w), and no execute (-)”. So:

$ chmod a=rw- text.txt
$ ls -l text.txt
-rw-rw-rw- 1 carol carol 765 Dec 20 21:25 text.txt

Of course, it is possible to modify multiple permissions at the same time. In this case, separate them with a comma (,):

$ chmod u+rwx,g-x text.txt
$ ls -lh text.txt
-rwxrw-rw- 1 carol carol 765 Dec 20 21:25 text.txt

The example above can be read as: “For the user (u), grant (+) read, write and execute (rwx) permissions, for the group (g) revoke (-), execute permissions (x)”.

When run on a directory, chmod modifies only the directory’s permissions. chmod has a recursive mode, useful when you want to change the permissions for “all files inside a directory and its subdirectories”. To use this, add the parameter -R after the command name and before the permissions to change, like so:

$ chmod -R u+rwx Another_Directory/

This command can be read as: “Recursively (-R), for the user (u), grant (+) read, write and execute (rwx) permissions”.

WarningBe careful and think twice before using the -R switch, as it is easy to change permissions on files and directories which you do not want to change, especially on directories with a large number of files and sub-directories.

Numeric Mode

In numeric mode, the permissions are specified in a different way: as a three-digit numeric value on octal notation, a base-8 numeric system.

Each permission has a corresponding value, and they are specified in the following order: first comes read (r), which is 4, then write (w), which is 2 and last is execute (x), represented by 1. If there is no permission, use the value zero (0). So, a permission of rwx would be 7 (4+2+1) and r-x would be 5 (4+0+1).

The first of the three digits on the permission set represents the permissions for the user (u), the second for the group (g) and the third for the owner (o). If we wanted to set the permissions for a file to rw-rw----, the octal value would be 660:

$ chmod 660 text.txt
$ ls -l text.txt
-rw-rw---- 1 carol carol 765 Dec 20 21:25 text.txt

Besides this, the syntax in numeric mode is the same as in symbolic mode, the first parameter represents the permissions you wish to change, and the second one points to the file or directory where the change will be made.

TipIf a permission value is odd, the file surely is executable!

Which syntax to use? The numeric mode is recommended if you want to change the permissions to a specific value, for example 640 (rw- r-- ---).

The symbolic mode is more useful if you want to flip just a specific value, regardless of the current permissions for the file. For example, I can add execute permissions for the user using just chmod u+x script.sh without regard to, or even touching, the current permissions for the group and others.

Modifying File Ownership

The command chown is used to modify the ownership of a file or directory. The syntax is quite simple:

chown username:groupname filename

For example, let’s check a file called text.txt:

$ ls -l text.txt
-rw-rw---- 1 carol carol 1881 Dec 10 15:57 text.txt

The user who owns the file is carol, and the group is also carol. Now, let’s modify the group owning the file to some other group, like students:

$ chown carol:students text.txt
$ ls -l text.txt
-rw-rw---- 1 carol students 1881 Dec 10 15:57 text.txt

Keep in mind that the user who owns a file does not need to belong to the group who owns a file. In the example above, the user carol does not need to be a member of the students group. However, she does have to member of the group in order to transfer the file’s group ownership to that group.

User or group can be omitted if you do not wish to change them. So, to change just the group owning a file you would use chown :students text.txt. To change just the user, the command would be chown carol: text.txt or just chown carol text.txt. Alternatively, you could use the command chgrp students text.txt to change only the group.

Unless you are the system administrator (root), you cannot change ownership of a file owned by another user or a group that you don’t belong to. If you try to do this, you will get the error message Operation not permitted.

Querying Groups

Before changing the ownership of a file, it might be useful to know which groups exist on the system, which users are members of a group and to which groups a user belongs. Those tasks can be accomplished with two commands, groups and groupmems.

To see which groups exist on your system, simply type groups:

$ groups
carol students cdrom sudo dip plugdev lpadmin sambashare

And if you want to know to which groups a user belongs, add the username as a parameter:

$ groups carol
carol : carol students cdrom sudo dip plugdev lpadmin sambashare

To do the reverse, displaying which users belong to a group, use groupmems. The parameter -g specifies the group, and -l will list all of its members:

$ groupmems -g cdrom -l
carol
Tipgroupmems can only be run as root, the system administrator. If you are not currently logged in as root, add sudo before the command.

Special Permissions

Besides the read, write and execute permissions for user, group and others, each file can have three other special permissions which can alter the way a directory works or how a program runs. They can be specified either in symbolic or numeric mode, and are as follows:

Sticky Bit

The sticky bit, also called the restricted deletion flag, has the octal value 1 and in symbolic mode is represented by a t within the other’s permissions. This applies only to directories, and on Linux it prevents users from removing or renaming a file in a directory unless they own that file or directory.

Directories with the sticky bit set show a t replacing the x on the permissions for others on the output of ls -l:

$ ls -ld Sample_Directory/
drwxr-xr-t 2 carol carol 4096 Dec 20 18:46 Sample_Directory/

In numeric mode, the special permissions are specified using a “4-digit notation”, with the first digit representing the special permission to act upon. For example, to set the sticky bit (value 1) for the directory Another_Directory in numeric mode, with permissions 755, the command would be:

$ chmod 1755 Another_Directory
$ ls -ld Another_Directory
drwxr-xr-t 2 carol carol 4,0K Dec 20 18:46 Another_Directory

Set GID

Set GID, also known as SGID or Set Group ID bit, has the octal value 2 and in symbolic mode is represented by an s on the group permissions. This can be applied to executable files or directories. On executable files, it will grant the process resulting from executing the file access to the privileges of the group who owns the file. When applied to directories, it will make every file or directory created under it inherit the group from the parent directory.

Files and directories with SGID bit show an s replacing the x on the permissions for the group on the output of ls -l:

$ ls -l test.sh
-rwxr-sr-x 1 carol carol 33 Dec 11 10:36 test.sh

To add SGID permissions to a file in symbolic mode, the command would be:

$ chmod g+s test.sh
$ ls -l test.sh
-rwxr-sr-x 1 carol root     33 Dec 11 10:36 test.sh

The following example will make you better understand the effects of SGID on a directory. Suppose we have a directory called Sample_Directory, owned by the user carol and the group users, with the following permission structure:

$ ls -ldh Sample_Directory/
drwxr-xr-x 2 carol users 4,0K Jan 18 17:06 Sample_Directory/

Now, let’s change to this directory and, using the command touch, create an empty file inside it. The result would be:

$ cd Sample_Directory/
$ touch newfile
$ ls -lh newfile
-rw-r--r-- 1 carol carol 0 Jan 18 17:11 newfile

As we can see, the file is owned by the user carol and group carol. But, if the directory had the SGID permission set, the result would be different. First, let’s add the SGID bit to the Sample_Directory and check the results:

$ sudo chmod g+s Sample_Directory/
$ ls -ldh Sample_Directory/
drwxr-sr-x 2 carol users 4,0K Jan 18 17:17 Sample_Directory/

The s on the group permissions indicates that the SGID bit is set. Now, let’s change to this directory and, again, create an empty file with the touch command:

$ cd Sample_Directory/
$ touch emptyfile
$ ls -lh emptyfile
 -rw-r--r-- 1 carol users 0 Jan 18 17:20 emptyfile

As we can see, the group who owns the file is users. This is because the SGID bit made the file inherit the group owner of its parent directory, which is users.

Set UID

SUID, also known as Set User ID, has the octal value 4 and is represented by an s on the user permissions in symbolic mode. It only applies to files and its behavior is similar to the SGID bit, but the process will run with the privileges of the user who owns the file. Files with the SUID bit show a s replacing the x on the permissions for the user on the output of ls -l:

$ ls -ld test.sh
-rwsr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh

You can combine multiple special permissions in one parameter by adding them together. So, to set SGID (value 2) and SUID (value 4) in numeric mode for the script test.sh with permissions 755, you would type:

$ chmod 6755 test.sh

And the result would be:

$ ls -lh test.sh
-rwsr-sr-x 1 carol carol 66 Jan 18 17:29 test.sh
TipIf your terminal supports color, and these days most of them do, you can quickly see if these special permissions are set by glancing at the output of ls -l. For the sticky bit, the directory name might be shown in a black font with blue background. The same applies for files with the SGID (yellow background) and SUID (red background) bits. Colors may be different depending on which Linux distribution and terminal settings you use.

Guided Exercises

  1. Create a directory named emptydir using the command mkdir emptydir. Now, using ls, list the permissions for the directory emptydir.
  2. Create an empty file named emptyfile with the command touch emptyfile. Now, using chmod with symbolic notation, add execute permissions for the owner of the file emptyfile, and remove write and execute permissions for everyone else. Do this using only one chmod command.
  3. What will be the permissions for a file called text.txt after you use the command chmod 754 text.txt?
  4. Let’s assume a file named test.sh is a shell script with the following permissions and ownership:-rwxr-sr-x 1 carol root 33 Dec 11 10:36 test.sh
    • What are the permissions for the owner of the file?
    • If the user john runs this script, under which user’s privileges will it be run?
    • Using the numeric notation, which should be the syntax of chmod to “unset” the special permission granted to this file?
  5. Consider this file:$ ls -l /dev/sdb1 brw-rw—- 1 root disk 8, 17 Dec 21 18:51 /dev/sdb1Which kind of file is sdb1? And who can write to it?
  6. Consider the following 4 files:drwxr-xr-t 2 carol carol 4,0K Dec 20 18:46 Another_Directory —-r–r– 1 carol carol 0 Dec 11 10:55 foo.bar -rw-rw-r– 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip drwxr-sr-x 2 carol users 4,0K Jan 18 17:26 Sample_DirectoryWrite down the corresponding permissions for each file and directory using numeric 4-digit notation.Another_Directoryfoo.barHugeFile.zipSample_Directory

Explorational Exercises

  1. Try this on a terminal: create an empty file called emptyfile with the command touch emptyfile. Now “zero out” the permissions for the file with chmod 000 emptyfile. What will happen if you change the permissions for emptyfile by passing only one value for chmod in numeric mode, such as chmod 4 emptyfile? What if we use two, such as chmod 44 emptyfile? What can we learn about the way chmod reads the numerical value?
  2. Can you execute a file for which you have execute, but not read permissions (--x)? Why or why not?
  3. Consider the permissions for the temporary directory on a Linux system, /tmp:$ ls -l /tmp drwxrwxrwt 19 root root 16K Dec 21 18:58 tmpUser, group and others have full permissions. But can a regular user delete any files inside this directory? Why is this?
  4. A file called test.sh has the following permissions: -rwsr-xr-x, meaning the SUID bit is set. Now, run the following commands:$ chmod u-x test.sh $ ls -l test.sh -rwSr-xr-x 1 carol carol 33 Dec 11 10:36 test.shWhat did we do? What does the uppercase S mean?
  5. How would you create a directory named Box where all the files are automatically owned by the group users, and can only be deleted by the user who created them?

Summary

As a multi-user system, Linux needs a way to track who owns and who can access each file. This is done through a three-level permissions system, and in this lesson we learned all about how this system works.

In this lessen you have learned how use ls to get information about file permissions, how to control or change who can create, delete or modify a file with chmod, both in numeric and symbolic notation and how to change the ownership of files with chown and chgrp.

The following commands were discussed in this lesson:ls

List files, optionally including details such as permissions.chmod

Change the permissions of a file or directory.chown

Change the owning user and/or group of a file or directory.chgrp

Change the owning group of a file or directory.

Answers to Guided Exercises

  1. Create a directory named emptydir using the command mkdir emptydir. Now, using ls, list the permissions for the directory emptydir.Add the -d parameter to ls to see the file attributes of a directory, instead of listing its contents. Therefore the answer is:ls -l -d emptydirBonus points if you merged the two parameters in one, as in ls -ld emptydir.
  2. Create an empty file named emptyfile with the command touch emptyfile. Now, using chmod in symbolic notation, add execute permissions for the owner of the file emptyfile, and remove write and execute permissions for everyone else. Do this using only one chmod command.Think about it this way:
    • “For the user who owns the file (u) add (+) execute (x) permissions”, so u+x.
    • “For the group (g) and other users (o), remove (-) write (w) and execute (x) permissions”, so go-wx.To combine these two sets of permissions, we add a comma between them. So the final result is:chmod u+x,go-wx emptyfile
  3. What will be the permissions of a file called text.txt after I use the command chmod 754 text.txt?Remember that in numeric notation each digit represents a set of three permissions, each one with a respective value: read is 4write is 2execute is 1 and no permission is 0. We get the value for a digit by adding the corresponding values for each permission. 7 is 4+2+1, or rwx5 is 5+0+1, so r-x and 4 is just read, or r--. The permissions for text.txt would berwxr-xr–
  4. Let’s assume a file named test.sh is a shell script with the following permissions and ownership:-rwxr-sr-x 1 carol root 33 Dec 11 10:36 test.sh
    • What are the permissions for the owner of the file?The permissions for the owner (2nd to 4th characters in the output of ls -l) are rwx, so the answer is: “to read, to write to and to execute the file”.
    • If the user john runs this script, under which user’s privileges will it be run?Pay attention to the permissions for the group. They are r-s, wich means the SGID bit is set. The group who owns this file is root, so the script, even when started by a regular user, will be run with root privileges.
    • Using the numeric notation, which should be the syntax of chmod to “unset” the special permission granted to this file?We can “unset” the special permissions by passing a 4th digit, 0, to chmod. The current permissions are 755, so the command should be chmod 0755.
  5. Consider this file:$ ls -l /dev/sdb1 brw-rw—- 1 root disk 8, 17 Dec 21 18:51 /dev/sdb1Which kind of file is sdb1? And who can write to it?The first character of the output from ls -l shows the kind of file. b is a block device, usually a disk (internal or external), connected to the machine. The owner (root) and any users of the group disk can write to it.
  6. Consider the following 4 files:drwxr-xr-t 2 carol carol 4,0K Dec 20 18:46 Another_Directory —-r–r– 1 carol carol 0 Dec 11 10:55 foo.bar -rw-rw-r– 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip drwxr-sr-x 2 carol users 4,0K Jan 18 17:26 Sample_DirectoryWrite down the corresponding permissions for each file and directory using 4-digit numeric notation.The corresponding permissions, in numeric notation, are as follows:Another_DirectoryAnswer: 17551 for the sticky bit, 755 for the regular permissions (rwx for the user, r-x for group and others).foo.barAnswer: 0044No special permissions (so the first digit is 0), no permissions for the user (---) and just read (r—​r--) for group and others.HugeFile.zipAnswer: 0664No special permissions, so the first digit is 06 (rw-) for the user and group, 4 (r--) for the others.Sample_DirectoryAnswer: 27552 for the SGID bit, 7 (rwx) for the user, 5 (r-x) for the group and others.

Answers to Explorational Exercises

  1. Try this on a terminal: create an empty file called emptyfile with the command touch emptyfile. Now “zero out” the permissions for the file with chmod 000 emptyfile. What will happen if you change the permissions for emptyfile by passing only one value for chmod in numeric notation, such as chmod 4 emptyfile? What if we use two, such as chmod 44 emptyfile? What can we learn about the way chmod reads the numerical value?Remember that we “zeroed out” the permissions for emptyfile. So, its initial state would be:———- 1 carol carol 0 Dec 11 10:55 emptyfileNow, let’s try the first command, chmod 4 emptyfile:$ chmod 4 emptyfile $ ls -l emptyfile ——-r– 1 carol carol 0 Dec 11 10:55 emptyfileThe permissions for others were changed. And what if we try two digits, such as chmod 44 emptyfile?$ chmod 44 emptyfile $ ls -l emptyfile —-r–r– 1 carol carol 0 Dec 11 10:55 emptyfileNow, the permissions for group and others were affected. From this, we can conclude that in numeric notation chmod reads the value “backwards”, from the least significant digit (others) to the most significant one (user). If you pass one digit, you modify the permissions for others. With two digits you modify group and others, and with three you modify usergroup and others and with four digits you modify usergroupothers and the special permissions.
  2. Can you execute a file for which you have execute, but not read permissions (--x)? Why or why not?At first, the answer seems obvious: if you have execute permission, the file should run. However, without read permission the system cannot open the file and read its contents to execute. Therefore, without read permission you cannot execute a file, even if you have execute permission for it.
  3. Consider the permissions for the temporary directory on a Linux system, /tmp:$ ls -l /tmp drwxrwxrwt 19 root root 16K Dec 21 18:58 tmpUser, group and others have full permissions. But can a regular user delete any files inside this directory? Why is this?/tmp is what we call a world writeable directory, meaning that any user can write to it. But we don’t want one user modifying files created by others, so the sticky bit_ is set (as indicated by the t on the permissions for others). This means that an user can delete files in /tmp, but only if they created that file.
  4. A file called test.sh has the following permissions: -rwsr-xr-x, meaning the SUID bit is set. Now, run the following commands:$ chmod u-x test.sh $ ls -l test.sh -rwSr-xr-x 1 carol carol 33 Dec 11 10:36 test.shWhat did we do? What does the uppercase S mean?We removed execute permissions for the user who owns the file. The s (or t) takes the place of the x on the output of ls -l, so the system needs a way to show if the user has execute permissions or not. It does this by changing the case of the special character.A lowercase s on the first group of permissions means that the user who owns the file has execute permissions and that the SUID bit is set. An uppercase S means that the user who owns the file lacks (-) execute permissions and that the SUID bit is set.The same can be said for SGID. A lowercase s on the second group of permissions means that the group who owns the file has execute permissions and that the SGID bit is set. An uppercase S means that the group who owns the file lacks (-) execute permissions and that the SGID bit is set.This is also true for the sticky bit, represented by the t in the third group of permissions. Lowercase t means the sticky bit is set and that others have execute permissions. Uppercase T means the sticky bit is set and that others do not have execute permissions.
  5. How would you create a directory named Box where all the files are automatically owned by the group users, and can only be deleted by the user who created them?This is a multi-step process. The first step is to create the directory:$ mkdir BoxWe want every file created inside this directory to be automatically assigned to the group users. We can do this by setting this group as the owner of the directory, and then by setting the SGID bit on it. We also need to make sure that any member of the group can write to that directory.Since we do not care about what the other permissions are, and want to “flip” only the special bits, it makes sense to use the symbolic mode:$ chown :users Box/ $ chmod g+wxs Box/Note that if you current user does not belong to the group users, you will have to use the command sudo before the commands above to do the change as root.Now for the last part, making sure that only the user who created a file is allowed to delete it. This is done by setting the sticky bit (represented by a t) on the directory. Remember that it is set on the permissions for others (o).$ chmod o+t Box/The permissions on the directory Box should appear as follows:drwxrwsr-t 2 carol users 4,0K Jan 18 19:09 BoxOf course, you can specify SGID and the sticky bit using only one chmod command:$ chmod g+wxs,o+t Box/Bonus points if you thought of that.