Unix comes with excellent security features , customizable file permissions are one of them. Unix file permissions allow you to define who can read, write, and execute each file on your system. If you have a WordPress site or use a Linux server with another type of site you will find this tutorial useful. Web hosts usually allow users to change Unix file permissions from their cPanel so that they can achieve extra security by protecting vulnerable files and directories at the root level.
The most important thing you need to know is that Unix treats everything as a file. Not only files but directories and devices are also files on a Unix system. Unix assigns three types of owners to each file: U ser, Group , and Other.
To configure your file permissions, you need to decide which rights you want to grant to each of those owners. The User is the person who created the given file. Anyone who creates a new file in a Unix system will automatically be granted User rights over that file. Group usually contains more than one users. Everyone who belongs to the same user group as User will be automatically the member of Group. You can use Group if you want to assign group permissions to a certain file. For instance, you can allow or forbid to the whole group to read, write, or execute a file with just one command.
Finally, Other means everyone else who can access the file. Unix treats them as the third kind of owners, and you can set separate permissions for them. Essentially, members of the Other group are users who neither created the file nor belong to the same user group as the person who created the file. Every file on a Unix system comes with three kinds of permissions: Read , Write , and Execute. You can set each kind separately. With the help of these permissions, you can grant or deny reading , writing , and executing rights to the three aforementioned owner types User , Group , Other.
The Read permission grants users the right to open or read a file. The user can only see the contents of the file but cannot modify it. When the Read permission belongs to a directory, the user can only list its contents but cannot modify or delete it. Write allows users to edit the contents of a file.
When the Write permission is set on a directory, users can add, rename, and remove all the files residing in the directory. The Execute permission means that a user can run the file as a program. Execute makes sense when you work with an executable file, for instance a script. Unix has a great way to let you know which permissions are set for each file in a directory.
You only need to open your terminal and navigate into the folder you are interested in. You can do that by using the cd Unix command. For instance, if you want to navigate into the directory called etc you need to enter the following command:. As you can see on the screenshot below, this command shows all the files inside the directory, together with their Unix file permissions:.
Inside my terminal, directories are blue and files are white your terminal may use different colors, however. You can see the file permissions in the first column. For instance, drwxr-xr-x is a file permission.
For a single laptop system, we might provide protection by locking the computer in a desk drawer or file cabinet. For multi-user systems, different mechanisms are used for the protection. Types of Access : The files which have direct access of the any user have the need of protection. The mechanism of the protection provide the facility of the controlled access by just limiting the types of access to the file. Access can be given or not given to any user depends on several factors, one of which is the type of access required.
Several different types of operations can be controlled: Attention reader! Read — Reading from a file. Write — Writing or rewriting the file. Execute — Loading the file and after loading the execution process starts. Append — Writing the new information to the already existing file, editing must be end at the end of the existing file. Delete — Deleting the file which is of no use and using its space for the another data. You must be extremely careful when you set special permissions, because special permissions constitute a security risk.
Also, all users can set special permissions for files that they own, which constitutes another security concern. You should monitor your system for any unauthorized use of the setuid permission and the setgid permission to gain superuser capabilities. A suspicious permission grants ownership of an administrative program to a user rather than to root or bin. When setuid permission is set on an executable file, a process that runs this file is granted access on the basis of the owner of the file.
The access is not based on the user who is running the executable file. This special permission allows a user to access files and directories that are normally available only to the owner. For example, the setuid permission on the passwd command makes it possible for users to change passwords. A passwd command with setuid permission would resemble the following:. This special permission presents a security risk. Some determined users can find a way to maintain the permissions that are granted to them by the setuid process even after the process has finished executing.
Use a shell script, or avoid using the reserved UIDs with setuid permissions. The setgid permission is similar to the setuid permission. The process's effective group ID GID is changed to the group that owns the file, and a user is granted access based on the permissions that are granted to that group. When the setgid permission is applied to a directory, files that were created in this directory belong to the group to which the directory belongs.
The files do not belong to the group to which the creating process belongs. Any user who has write and execute permissions in the directory can create a file there.
However, the file belongs to the group that owns the directory, not to the group that the user belongs to. You should monitor your system for any unauthorized use of the setgid permission to gain superuser capabilities. A suspicious permission grants group access to such a program to an unusual group rather than to root or bin. The sticky bit is a permission bit that protects the files within a directory.
If the directory has the sticky bit set, a file can be deleted only by the file owner, the directory owner, or by a privileged user. The root user and the Primary Administrator role are examples of privileged users. For instructions, see Example When you create a file or directory, you create it with a default set of permissions. The system defaults are open.
A text file has permissions, which grants read and write permission to everyone. A directory and an executable file have permissions, which grants read, write, and execute permission to everyone.
The value assigned by the umask command is subtracted from the default. This process has the effect of denying permissions in the same way that the chmod command grants them. For example, the chmod command grants write permission to group and others. The umask command denies write permission to group and others.
The following table shows some typical umask settings and their effect on an executable file. For more information on setting the umask value, see the umask 1 man page. The chmod command enables you to change the permissions on a file. You must be superuser or the owner of a file or directory to change its permissions. Absolute Mode — Use numbers to represent file permissions.
When you change permissions by using the absolute mode, you represent permissions for each triplet by an octal mode number. Absolute mode is the method most commonly used to set permissions.
Symbolic Mode — Use combinations of letters and symbols to add permissions or remove permissions.
0コメント