To introduce permissions as they apply to both directories and files in CentOS Linux, let’s look at the following command output.
[centos@centosLocal etc]$ ls -ld /etc/yum*
drwxr-xr-x. 6 root root 100 Dec 5 06:59 /etc/yum
-rw-r--r--. 1 root root 970 Nov 15 08:30 /etc/yum.conf
drwxr-xr-x. 2 root root 187 Nov 15 08:30 /etc/yum.repos.d
Note − The three primary object types you will see are
- “-“ − a dash for plain file
- “d” − for a directory
- “l” − for a symbolic link
We will focus on the three blocks of output for each directory and file −
- drwxr-xr-x : root : root
- -rw-r–r– : root : root
- drwxr-xr-x : root : root
Now let’s break this down, to better understand these lines −
d | This means the object type is a directory |
rwx | Indicates directory permissions applied to the owner |
r-x | Indicates directory permissions applied to the group |
r-x | Indicates directory permissions applied to the world |
root | The first instance indicates the owner of the directory |
root | The second instance indicates the group to which group permissions are applied |
Understanding the difference between owner, group and world are important. Not understanding this can have big consequences on servers that host services to the Internet.
Before we give a real-world example, let’s first understand the permissions as they apply to directories and files.
Please take a look at the following table, then continue with the instruction.
Octal | Symbolic | Perm. | Directory |
1 | x | Execute | Enter the directory and access files |
4 | r | Read | List the files within the directory |
2 | w | Write | Delete or modify the files in a directory |
Note − When files should be accessible for reading in a directory, it is common to apply read and execute permissions. Otherwise, the users will have difficulty working with the files. Leaving write disabled will assure files cannot be: renamed, deleted, copied over, or have permissions modified.
Applying Permissions to Directories and Files
When applying for permissions, there are two concepts to understand −
- Symbolic Permissions
- Octal Permissions
In essence, each is the same but a different way of referring to and assigning file permissions. For a quick guide, please study and refer to the following table −
Read | Write | Execute | |
Octal | 4 | 2 | 1 |
Symbolic | r | w | x |
When assigning permissions using the octal method, use a 3-byte number such as 760. The number 760 translates into Owner: rwx; Group: rw; Other (or world) no permissions.
Another scenario: 733 would translate to Owner: rwx; Group: wx; Other: wx.
There is one drawback to permissions using the Octal method. Existing permission sets cannot be modified. It is only possible to reassign the entire permission set of an object.
Now you might wonder, what is wrong with always re-assigning permissions? Imagine a large directory structure, for example /var/www/ on a production web-server. We want to recursively take away the w or write a bit on all directories for Other. Thus, forcing it to be pro-actively added only when needed for security measures. If we re-assign the entire permission set, we take away all other custom permissions assigned to every sub-directory.
Hence, it will cause a problem for both the administrator and the user of the system. At some point, a person (or persons) would need to re-assign all the custom permissions that were wiped out by re-assigning the entire permission set for every directory and object.
In this case, we would want to use the Symbolic method to modify permissions −
chmod -R o-w /var/www/
The above command would not “overwrite permissions” but modify the current permission sets. So get accustomed to using the best practice
- Octal only to assign permissions
- Symbolic to modify permission sets
It is important that a CentOS Administrator be proficient with both Octal and Symbolic permissions as permissions are important for the integrity of data and the entire operating system. If permissions are incorrect, the end result will be both sensitive data and the entire operating system will be compromised.
With that covered, let’s look at a few commands for modifying permissions and object owner/members −
- chmod
- chown
- chgrp
- umask
chmod : Change File Mode Permission Bits
Command | Action |
-c | Like verbose, but will only report the changes made |
-v | Verbose, outputs the diagnostics for every request made |
-R | Recursively applies the operation on files and directories |
chmod will allow us to change permissions of directories and files using octal or symbolic permission sets. We will use this to modify our assignment and uploads directories.
chown : Change File Owner and Group
Command | Action |
-c | Like verbose, but will only report the changes made |
-v | Verbose, outputs the diagnostics for every request made |
-R | Recursively applies the operation on files and directories |
chown can modify both owning the user and group of objects. However, unless needing to modify both at the same time, using chgrp is usually used for groups.
chgrp : Change Group Ownership of File or Directory
Command | Action |
-c | Like verbose, but will only report the changes |
-v | Verbose, outputs the diagnostics for every request made |
-R | Recursively, applies the operations on file and directories |
chgrp will change the group owner to that supplied.
Real-world practice
Let’s change all the subdirectory assignments in /var/www/students/ so the owning group is the student’s group. Then assign the root of students to the professor’s group. Later, make Dr. Terry Thomas the owner of the student’s directory, since he is tasked as being in charge of all Computer Science academia at the school.
As we can see, when created, the directory is left pretty raw.
[root@centosLocal ~]# ls -ld /var/www/students/
drwxr-xr-x. 4 root root 40 Jan 9 22:03 /var/www/students/
[root@centosLocal ~]# ls -l /var/www/students/
total 0
drwxr-xr-x. 2 root root 6 Jan 9 22:03 assignments
drwxr-xr-x. 2 root root 6 Jan 9 22:03 uploads
[root@centosLocal ~]#
As Administrators, we never want to give our root credentials out to anyone. But at the same time, we need to allow users the ability to do their job. So let’s allow Dr. Terry Thomas to take more control of the file structure and limit what students can do.
[root@centosLocal ~]# chown -R drterryt:professors /var/www/students/
[root@centosLocal ~]# ls -ld /var/www/students/
drwxr-xr-x. 4 drterryt professors 40 Jan 9 22:03 /var/www/students/
[root@centosLocal ~]# ls -ls /var/www/students/
total 0
0 drwxr-xr-x. 2 drterryt professors 6 Jan 9 22:03 assignments
0 drwxr-xr-x. 2 drterryt professors 6 Jan 9 22:03 uploads
[root@centosLocal ~]#
Now, each directory and subdirectory has an owner of the artery and the owning group is professors. Since the assignments directory is for students to turn assigned work in, let’s take away the ability to list and modify files from the student’s group.
[root@centosLocal ~]# chgrp students /var/www/students/assignments/ && chmod
736 /var/www/students/assignments/
[root@centosLocal assignments]# ls -ld /var/www/students/assignments/
drwx-wxrw-. 2 drterryt students 44 Jan 9 23:14 /var/www/students/assignments/
[root@centosLocal assignments]#
Students can copy assignments to the assignments directory. But they cannot list contents of the directory, copy over current files, or modify files in the assignments directory. Thus, it just allows the students to submit completed assignments. The CentOS filesystem will provide a date-stamp of when assignments are turned in.
As the assignments directory owner −
[drterryt@centosLocal assignments]$ whoami
drterryt
[drterryt@centosLocal assignments]$ ls -ld /var/www/students/assignment
drwx-wxrw-. 2 drterryt students 44 Jan 9 23:14 /var/www/students/assignments/
[drterryt@centosLocal assignments]$ ls -l /var/www/students/assignments/
total 4
-rw-r--r--. 1 adama students 0 Jan 9 23:14 myassign.txt
-rw-r--r--. 1 tammyr students 16 Jan 9 23:18 terryt.txt
[drterryt@centosLocal assignments]$
We can see, the directory owner can list files as well as modify and remove files.
umask Command: Supplies the Default Modes for File and Directory Permissions As They are Created
umask is an important command that supplies the default modes for File and Directory Permissions as they are created.
umask permissions use unary, negated logic.
Permission | Operation |
0 | Read, write, execute |
1 | Read and write |
2 | Read and execute |
3 | Read-only |
4 | Read and execute |
5 | Write only |
6 | Execute only |
7 | No permissions |
[adama@centosLocal umask_tests]$ ls -l ./
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myDir
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myFile.txt
[adama@centosLocal umask_tests]$ whoami
adama
[adama@centosLocal umask_tests]$ umask
0022
[adama@centosLocal umask_tests]$
Now, let’s change the umask for our current user, and make a new file and directory.
[adama@centosLocal umask_tests]$ umask 077
[adama@centosLocal umask_tests]$ touch mynewfile.txt
[adama@centosLocal umask_tests]$ mkdir myNewDir
[adama@centosLocal umask_tests]$ ls -l
total 0
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myDir
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myFile.txt
drwx------. 2 adama students 6 Jan 10 00:35 myNewDir
-rw-------. 1 adama students 0 Jan 10 00:35 mynewfile.txt
As we can see, newly created files are a little more restrictive than before.
umask for users must be changed in either −
- /etc/profile
- ~/bashrc
[root@centosLocal centos]# su adama
[adama@centosLocal centos]$ umask
0022
[adama@centosLocal centos]$
Generally, the default umask in CentOS will be okay. When we run into trouble with a default of 0022, is usually when different departments belonging to different groups need to collaborate on projects.
This is where the role of a system administrator comes in, to balance the operations and design of the CentOS operating system.