📜Day 6: File Permissions🔒 and Access Control Lists📚📰
Rhythm Mishra
Today is more on Reading, Learning and Implementing File permissions
File Permissions and Ownership in Linux
In the Linux operating system, understanding file permissions and ownership is crucial for managing and securing your files and directories. These concepts are fundamental to controlling access and protecting sensitive data. Let's delve into file permissions, ownership, and how they work in Linux.
File Permissions:
File permissions define who can perform various operations on a file or directory, such as reading, writing, and executing. In Linux, each file has three sets of permissions, associated with three categories of users:
Owner: The user who owns the file. This user can control permissions, including changing them.
Group: The group associated with the file. All users in this group share the same permissions.
Others: Everyone else, or "world," who doesn't belong to the owner's group.
File permissions are represented using a combination of three characters for each category, which are:
Read (r): The ability to view the content of the file or directory.
Write (w): The ability to modify the file or directory.
Execute (x): The ability to run a file or access contents within a directory.
Using numeric values, these permissions are represented as:
- Read (4), Write (2), Execute (1)
You can use these values to set permission bits in a numerical format, such as 644 or 755, to quickly assign permissions to owner, group, and others.
Changing Permissions:
To change file permissions, you can use the chmod command. For example, to give the owner of a file read and write permissions, you'd use:
EX:- chmod u+rw devops.txt
Write an article about File Permissions based on your understanding from the notes.
File permissions in Linux are a cornerstone of security and access control. They enable you to define who can do what with your files and directories, whether it's reading, writing, or executing. The system distinguishes between owners, groups, and others, and assigns permissions accordingly.
inux provides another layer of file and directory permissions through Access Control Lists (ACLs). ACLs allow fine-grained control over who can access files and directories. They are more flexible than the traditional owner, group, and other permissions.
getfacl: This command is used to view ACL information for a file or directory.setfacl: This command allows you to set or modify ACLs. You can specify permissions for specific users and groups.
Using ACLs, you can grant or restrict access for specific users or groups beyond the standard owner, group, and others. It's a valuable tool for complex access control scenarios.
File System Hierarchy
In Linux, everything is represented as a file including a hardware program. The files are stored in a directory and every directory stores their respective files. This in Linux is called the File System Hierarchy (FSH).
The root directory is "/" (forward slash) and it is the base directory.
Understanding the Directories:
"/" : This is the root directory or the base directory.
"/root" : It is the home directory of the root user and it stores information about the root user i.e. super user.
"/home" : It is the home directory for the Local Users. It stores information about the user like personal information, user information, files, login scripts etc.
"/bin" : User Binaries . These directories include executable files or programs for commands that are run on the terminal for all users. When you run a command in the terminal, its corresponding executable file is located in the /bin directory which helps in executing the command.
"/sbin" : System Binaries . It also contains binary executable or programs for system administrative commands. These are used for system administration and system maintenance. You need administrative privileges to run these commands. for e.g.: reboot, iptables etc.
"/etc" : This contains Configuration files of the system, application or the server. It also contains subdirectories essential for proper functioning of the system and application.
"/usr" : Unix System Resources or User Binaries or User Programs. It is a directory where most of your installed software and resources reside. It helps keep the system files separate from user-installed files, making it easier to manage and maintain the system.
"/opt" : Optional Application. This directory is used for installing software from a third party vendor. This helps keep these applications separate from the system's default software and prevents conflicts with system files. The software code is stored in the /opt directory and the binary executables are linked to /bin directory so that all users can run the software.
"/lib" : This directory in contains essential library files that are crucial for the operating system and applications to function.
"/boot" : This directory contains the boot executable files that are essential for secured boot of the system. For example: GRUB's boot loader file and Linux Kernels are stored here.
"/var" : Variable files. This directory stores the variable files such as log files. In short the content which grows with time, are stored in /var directory. For example: /var/log, /var/lib, /var/mail etc.
"/mnt" : This directory is used to manually mount a filesystem or a device temporarily. It is a standard location where external storage devices, such as USB drives, external hard disks, or network shares, can be temporarily mounted.
"/media" : Removable Media Devices. This directory is used to automatically mount removable media devices temporarily. It is the standard location where removable media devices such as USB drives, external hard disks, CD-ROMs, and other storage devices can be mounted.
"/temp" : Contains temporary files created by the system and the users. These files get deleted when the system is rebooted.
Basic Symbols
Some more basic symbols
| S:NO | Symbol | Explanation | Examples | |
| 1 | / | The forward slash (/) represents the "root" of the filesystem. (Every directory/file in the Linux filesystem is nested under the root / directory.) / also use for directoty separation and path separation | / is a root directory | |
| /home/user/samle/test.txt | ||||
| 2 | ~ | is equal to the current user's home directlry. E.g: /home/someone/ | cd ~ | |
| ls ~ | ||||
| 3 | * | A symbol which stands for "everything". Let's say you want to remove all the .jpg files from your Downloads folder which have their name starting with the "E" character, then you can use this symbol to represent all the other letters except E. See the example. | rm ~/Downloads/E*.jpg | |
| ls /etc/*c | ||||
| nano /var/log/nginx/* | ||||
| 4 | & | Run a command in the background. It will return the PID of the newly running process to you and won't show you the output. | sudo apt update & | |
| 5 | && | These symbols written together stand for "and". So if you want to run 2 commands together, you can use it. | sudo apt update && sudo apt upgrade | |
| 6 | \ | Allows you to continue writing commands/Bash syntax in new line. | sudo \ | |
| apt \ | ||||
| update | ||||
| 7 | .. | In many cases, especially in navigation, the two dots stand for the parent folder. | cd .. | |
| 8 | . | In navigation or referring to files/folders, the dot stands for the current folder. | ls . | |
| 9 | # | Everything after this symbol in the same line is considered to be a comment, so it won't be processed by the shell. | cd # This commands moves you somewhere. | |
| 10 | This is called "Piping", which is the process of redirecting the output of one command to the input of another command. Very useful and common in Linux/Unix-like systems. | |||
| 11 | \> | Take the output of a command and redirect it into a file (will overwrite the whole file). | ls ~ > output.txt | |
| 12 | < | Read the contents of a file into the input of a command. | grep bash < /etc/profile | |
| 13 | \>> | Append a text or a command output into the last line of a file. | echo "First Line" > output.txt | |
| echo "See this is the last line" >> output.txt |
File Permissions
File type:
The file type is determined by the first character of the permission sequence. These are the symbols and their meaning
| Symbol | Meaning |
| - | Regular file |
| d | Directory |
| c | Character Device |
| b | Block Device |
| s | Local Socket file |
| p | Named Pipe |
| l | Symbolic link |
File Permission:
The Read, Write and execute have been assigned certain values. These values can be used to In order to set permissions for a given file.
| Permission | Value |
| Read (r) | 4 |
| Write (w) | 2 |
| Execute (x) | 1 |
We can use these values to set file permissions. For example suppose we have a file file.txt and we have to give all the permissions to that file for the User, Group and Others.
since we have to give all the permission, we will sum up the values i.e. 4+2+1 = 7. So the Value 7 resembles all the permissions are granted.
chmod 777 file.txt
#Output
-rwxrwxrwx 1 root root Date Time file.txt
Similarly if we need to remove write and execute permission for Group and Others from file.txt, we will subtract their respective values from the total i.e. 7 .
Read+Write = 2+1 = 3, so we will subtract 3 from the Group and Other section of the file .
chmod 744 file.txt
#Output
-rwxr--r-- 1 root root Date Time file.txt
And similarly we can modify the user permission according to our need.
Read More about File permission Click Here.
Access Control Lists
Access Control Lists (ACLs) provide a more flexible way of controlling access to files and directories than the traditional Unix file permissions. While standard file permissions (read, write, execute) in Unix are limited to the owner, group, and others, ACLs allow you to define permissions for specific users and groups beyond these basic categories.
some basic commands:
"chown" : This command is used to change the Owner of file. A Owner is the entity that created that files and owns it. This command will help in tweaking the file and changing its Ownership.
chown file.txt"chgrp" : This command is used to change the Group of the file. A Group is a collection of users and it provides a way to assign permissions to multiple users simultaneously. This command helps in modifying/changing the group that owns the file.
chgrp file.txt"chmod" : This command is used to change/modify the file permissions of a file or directory.
chmod 777 file.txt
ACL commands:
"setfacl" : This is used to set ACLs. For e.g. to grant read and write access to a file for a specific user:
setfacl -m u:username:rw file.txt-moption insetfaclstands for "modify," and it is used to modify the ACL of a file or directory by adding or changing ACL entries.rw: Read and Write Permissionu: To specify the username"gefacl" : This command is used to view access control lists of a file or directory.
getfacl file.txtRemoving ACLs:
To remove ACLs from a file or directory, you can use the
setfaclcommand with the-boption:setfacl -b file.txt
Read More about ACLs, Click Here .
Scenario Based Practice
Scenario:
Scenario: You are a system administrator for a company that hosts sensitive financial data on a Linux server. There are three user accounts: Alice, Bob, and Charlie. The financial data files are stored in a directory called "financials," and you want to ensure proper file permissions and access control lists (ACLs) are set up to maintain security and restrict access appropriately.
Initial Setup:
Alice is the owner of the "financials" directory.
Bob is a member of the "finance" group, and Charlie is not a member of any special group.
Tasks:
File Permissions:
Task 1: Set the appropriate file permissions on the "financials" directory to ensure that only Alice can create, delete, and modify files within it.
Task 2: Grant read and execute permissions on the "financials" directory to members of the "finance" group without allowing them to modify or delete files.
Access Control Lists (ACLs):
Task 3: Use ACLs to grant Bob read and write access to a specific file1 and file2 within the "financials" directory without affecting other files.
Task 4: Use ACLs to ensure that Charlie has no access to any file within the "financials" directory, even if the directory permissions would allow it.
Verification and Troubleshooting:
- Task 5: Check the current file permissions and ACLs for the "financials" directory to ensure they match the desired configuration.
Solution:
Task 1:
Task 2:
Task 3:
Task 4:
Task 5:
NOTE: In case you get an error while using acl commands, try installing the acl package by your default package installer. For ubuntu users:sudo apt install acl is the command.
Create a simple file and dols -ltrto see the details of the files
Each of the three permissions are assigned to three defined categories of users. The categories are:
owner — The owner of the file or application.
chownis used to change the ownership permission of a file or directory.group — The group that owns the file or application.
chgrpis used to change the group permission of a file or directory.others — All users with access to the system. (outside the users are in a group)
chmodis used to change the other users permissions of a file or directory.
As a task, change the user permissions of the file and note the changes afterls -ltr
- In the image above, there's a shell script file named
variables-and-structures.shwith permissions set for user, group, and others. To restrict permissions, only the user can read and write to this file.
chmod 600 variables-and-structures.sh && ls -ltr
- Now, let's change the permissions for the file so that the group can read, write and execute.
chmod 670 variables-and-structures.sh && ls -ltr
- Now, let's change the permissions for the file so that the others can read and execute.
chmod 675 variables-and-structures.sh && ls -ltr
Write an article about File Permissions based on your understanding from the notes
- In Unix- and Linux-based systems, file permissions control who may read, write, and execute a file or directory, ensuring security. The main part of system security is necessary for safeguarding private information and managing user access to system resources.
Permission Categories
1. Owner (User)
- The owner of a file or directory is the user who created it. The owner has the most control over the file and can change its permissions.
2. Group
- A group is a collection of users. Files can belong to a specific group, and all users within that group can access the file according to group permissions.
3. Others
- "Others" represent all users who are neither the owner nor part of the group.
Types of Permissions
1. Read (r)
Files: Allows reading the content of the file.
Directories: Allows viewing the list of files within the directory.
2. Write (w)
Files: Permits modification, editing, and deletion of the file's content.
Directories: Allows adding, removing, or renaming files within the directory.
3. Execute (x)
Files: Enables executing the file as a program or script.
Directories: Allows accessing contents and traversing the directory.
Representing Permissions
Permissions are represented by a 10-character string:
-rw-rwxr-x (or) drwxr-xr-x
The first character (
-ord) denotes the file type (-for regular files,dfor directories).The next nine characters represent the permissions for the owner, group, and others in sets of three.
Modifying Permissions
Symbolic Method
The chmod command uses symbols (+, -, =) to modify permissions.
+adds permissions.-removes permissions.=sets permissions.
Example: chmod u+r file.txt grants the owner read permission.
Octal Method
Using octal numbers (0-7) to represent permissions simplifies permission settings.
4for read (r).2for write (w).1for execute (x).
Example: chmod 675 variables-and-structures.sh && ls -ltr sets permissions to -rw-rwxr-x.
Read about ACL and try out the commandsgetfaclandsetfacl
- Access Control Lists (ACLs) in Linux extend traditional file permissions by allowing more granular control over access rights for files and directories. They provide a way to set permissions for specific users or groups beyond the standard owner, group, and others.
Here's a brief explanation of getfacl and setfacl commands along with an example:
Before that, we need to install sudo apt install acl -y
getfacl Command:
- The
getfaclcommand is used to retrieve the Access Control List (ACL) entries for files and directories. It displays the detailed ACL information, including permissions for users and groups.
getfacl variables-and-structures.sh
setfacl Command
- The
setfaclcommand is used to set or modify ACL entries for files and directories, granting or revoking specific permissions for users or groups.
setfacl -m u:user:<permission> variables-and-structures.sh
-m: Modify ACL entries.u:user: Specify the user for whom you're setting permissions.permissions: Define the permissions (e.g.,rfor read,wfor write,xfor execute).
getfacl variables-and-structures.sh
Conclusion
This blog explored Linux file systems, emphasizing the File System Hierarchy, basic symbols, and commands for efficient terminal use. Key points included file permissions using the "chmod" command and an introduction to Access Control Lists (ACLs) for advanced access management. The hands-on practice offered practical application, providing readers with essential knowledge for effective Linux system administration. I hope this adds value to your learnings.
_________________________________________________________________________________________
Thank you for taking the time to read this blog. I hope you found valuable insights! If you enjoyed the content, please consider giving it a like, sharing it, and following for more insightful posts in the future. Your support means a lot! Looking forward to sharing more knowledge with you! 🚀
🙌A special thanks to Shubham Londhe #TrainWithShubham and the DevOps community for organizing this fantastic initiative. Let's learn, grow, and make a difference through DevOps!
Let's Connect..!
🌐GitHub
:)Happy Learning...
Thank you for reading! 💚
Subscribe to my newsletter
Read articles from Rhythm Mishra directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Rhythm Mishra
Rhythm Mishra
🛠️ DevOps Engineer 🛠️ with a focus on streamlining deployments 🚀 and fostering collaboration 🤝 between development and operations teams. Specializing in automating pipelines ⚙️ and implementing scalable cloud solutions ☁️. Committed to lifelong learning 📚 and sharing practical insights into DevOps challenges and solutions 💡.