When working with Linux you sometimes get a message like ‘Permission denied’ and you will often go online to try to fix it or use something like ‘sudo chmod -R 777’ or ‘chmod 777’ to solve it. decisively, but did you really understand the above sentences? This article will help you understand those commands. To better understand the article you should recall or learn some knowledge such as
- Convert decimal to binary or vice versa
- Addition of a binary number
- Operations & between two binary numbers
1. Introduction of access rights
Permissions are attributes of files and directories. It shows what rights each user object (owner – owner, group – group, other user – other) has (read – read, write – write, execute – execute) on files and directories. Linux uses 9 bits for this, the first 3 bits indicate the read, write, and execute permissions of the owner, the next 3 bits indicate the permissions of the group, the last 3 bits indicate the rights of the other. For example, 111110100 or rwxrw-r– indicates that the owner has all three permissions, the group can read and write but is not enforced, the other is read only. In instructions, 3 bits determine the right for a user object to be represented by an integer (values 0 through 7), the right is represented by three consecutive integers. For example, 764 is a representation of rwxrw-r– above.
2. Permissions for newly created files and folders
With the newly created files and folders, permissions are determined based on base permission and user mask .
Base permission is set, cannot be changed
- For regular files the BS value is 666 (111 111 110) (rw-rw-rw-)
- For directories (special files) the BS value is 777 (111 111 111) (rwxrwxrwx)
The user mask will obscure some bits in Base Permission to create official access to the file (similar to the mechanism of the subnet mask). Specifically, access rights are calculated using “Base permission” & “complementary representation of a user mask”. For example, Base Permission is 666 (110110110 when converting to binary), so if the user mask value is 022 (the binary form is 000010010 => its 1’s complement type, then change 1-> 0, 0-> 1 should be 111101101) then the official access rights of the file will be:
110 110 110 & 111 101 101 = 110 100 100 = 644 (rw-r–r–)
You can quickly access files and folders with the following formulas:
1 2 3 | Permit of file = 666 - umask Permit of directory = 777 - umask |
The default user mask value for regular users is 002
With this mask, the default permissions for the folder are 775 and the file is 664
The default mask value for root is 022
With this mask, the default permissions for the folder are 755 and the file is 644
Use the umask program to change the user mask. Files and directories created after the umask command will be affected by the new mask value.
3. Change the permissions of files and directories that already exist
You can use the umask program to change the user mask, then use the touch program to update the file’s rights to the new user mask. Below is an example illustrating how the user mask value determines the permissions on file.txt.
1 2 3 4 5 6 | umask 077 touch test_file.txt ls -l test_file.txt > -rw——- 1 uit uit 0 2020-02-01 11:10 test_file.txt |
Note: The umask mechanism makes it impossible to create files with execute rights. Since the Base permission of the file is always 666, the bits corresponding to the execute permission are equal to 0, so regardless of the mask value, the file’s permissions are not executed.
Another way to change the permissions of an existing file and directory is to use chmod. Using chmod can add executable rights to files and directories.
chmod [OPTION] MODE FILE
Inside:
- The most common OPTION is -R or –recursive (recursive) when you want to apply permissions to all files and subfolders.
- MODE indicates what user rights (u: user owned; g: group; o: other, a: all) are granted / revoked / assigned (+ – =) what permissions (rwxXst or [0-7] + )
- File is the file or folder you want to change permissions
Now we can understand why we need to use chmod when there is a ‘File deny permission’ error, and why is -R. Let’s find out a few more examples:
- Add files1.txt file write permissions for existing users:
chmod u+w file1.txt - Add sufficient permissions for all user objects:
chmod a+rwx file1.txtorchmod +777 file1.txt - Obtain all three rights of the other user:
chmod 770 file1.tx - Obtain user rights to the group:
chmod gx file1.txt
4. Change the owner of the file and directory
The person who created the file or directory is the default owner of the file or directory. Ownership of files or directories also belongs to owning group. The owner or root can change the owner of files and directories using the chown program.
chown [OPTION] [OWNER][:[GROUP]] FILE
For example:
- Replace owner of / lab for root:
chown root /lab - Replace owner of / lab for root, and transfer ownership to staff group:
chown root:staff /lab - Replace owner of / lab with files and subdirectories for root:
chown -hR root /lab
5. SUID, SGID, Sticky bit
In addition to the 9 basic bits that define owner, group, and other rwx rights, Linux uses 3 other bits to define permissions on files and directories. These bits are SUID, SGID and Sticky respectively. In commands, an additional integer between 0 and 7 is used to identify these three rights. For example, in the command
1 2 | chmod 6750 file1.txt |
number 6 (binary is 110) in the SUID determination right, SGID is enabled, sticky is not enabled.
The meaning of the three bits SUID, SGID, Sticky is explained in turn as follows.
SUID ( S et owner U ser ID up on execution)
Typically, when a program / file / command runs, it uses the permissions of the current user, or the user that runs it. If SUID is set, the program will use owner rights, not current user rights. For example, the owner of / etc / passwd, / etc / shadow is root. Ordinary users do not have permission to write these files. If these files do not have SUID permission set, the user will run an error with the passwd command, because they cannot open and write to / etc / shadow. Conversely, when these files are set to SUID permission, ordinary users can also run the passwd command.
For example
- Set the file’s SUID permission for the current user:
chmod u+s file1.txtorchmod 4750 file1.txt - Remove the SUID permission from the file for the current user:
chmod us file1.txt - To find files with SUID rights, run:
find / -perm +4000 - Check the SUID bit is enabled by running:
ls -l files.txt
When SUID is enabled, the owner’s x bit is displayed as s if the owner has execution rights. If the owner does not have permission to execute, the owner’s x is displayed as S. For example, -rwSrw-r– means that the SUID bit is enabled but the owner’s x is not, -rwsrw-r– This means that the SUID bit is enabled and that the owner’s x is turned on, rwxrw-r– means that the SUID bit is not enabled and the owner has permission to execute it.
SGID (Set Group ID up on execution)
Similar to SUID, but replace owner as group. If SGID is set, the program will use the permissions of the group, not the current user.
Use chmod to set SGID permissions for the file as the following examples: chmod g+s file1.txt or chmod 2750 file1.txt
Remove SGID permission, as in the following example: chmod gs file1.txt
To find files with SGID rights, run the command: find / -perm +2000
Check if the SGID bit is enabled by running: ls -l files.txt
When SGID is enabled, the x bit of the group is displayed as s if the group has executable rights. If the group does not have permission to execute, the group’s x bit is displayed as S. For example, -rwxrwSr– means that the SGID bit is enabled but the group’s x bit is not enabled, -rwxrwsr– means the bit The SGID is enabled and the group’s x bit is enabled, rwxrwxr– meaning the SGID bit is not enabled and the owner has permission to execute it.
Sticky bit
Sticky bits apply to directories. If this bit is enabled, only the owner and root can delete the contents of the directory. Use this bit to configure a setting that prevents users from deleting other people’s data.
For example:
- Turn on sticky bit on / important:
chmod o+t /importantorchmod +t /importantorchmod 1757 /important - Turn off sticky bit on / lab:
chmod ot /importantfolder - To find files with sticky permissions, run the command:
find / -perm +1000
Check whether the sticky bit is enabled by running: ls -l files.txt
When sticky is turned on, the x bit of other is displayed as t if other people have permission to execute. If other doesn’t have execution rights, the other’s x bit is displayed as T. For example, -rwxrw-rT means that sticky has been turned on but the other’s x is not enabled.
6. Access Control List
ACLs are another way of determining permissions on files and directories. They allow assigning rights to any user or group, not even corresponding to owner or owning group. ACLs support the ReiserFS, Ext2, Ext3, JFS, XFS file systems. A file or directory may have multiple ACLs.
Use ls -dl to check permissions:
1 2 3 4 | $ <span class="token function">ls</span> -dl mydir/ <span class="token operator">></span> drwxr-xr-x 2 quanta quanta 4096 2007-12-29 22:53 mydir/ |
Check the starting status of the ACL:
1 2 3 4 5 6 7 8 | $ getfacl mydir/ <span class="token comment"># file: mydir</span> <span class="token comment"># owner: quanta</span> <span class="token comment"># group: quanta</span> user::rwx group::r-x other::--- |
Assign read, write, enforce permissions to user kitty and group friends:
1 2 | $ setfacl -m user:kitty:rwx,group:friends:rwx mydir/ |
The -m option will prompt setfacl to edit an existing ACL.
Review the ACL with the getfacl command:
1 2 3 4 5 6 7 8 9 10 11 | $ getfacl mydir/ <span class="token comment"># file: mydir</span> <span class="token comment"># owner: quanta</span> <span class="token comment"># group: quanta</span> user::rwx user:kitty:rwx group::r-x group:friends:rwx mask::rwx other::--- |
In addition to entries for user kitty and group friends, a mask entry is also created. The mask defines the most effective access for all group entries.
Now try to use chmod to remove the write permission of the group, the output of the ls command shows that the mask bits have been adjusted with chmod:
1 2 3 4 5 6 7 8 9 10 11 12 | $ sudo chmod g-w mydir/ $ getfacl mydir/ # file: mydir # owner: quanta # group: quanta user::rwx user:kitty:rwx #effective:r-x group::r-x group:friends:rwx #effective:r-x mask::r-x other::--- |
Default ACLs Default ACLs affect subfolders as well as files. In other words, subdirectories and files inherit the default ACL of the parent directory.
Consider the following example:
Add a default ACLs to a mydir directory:
1 2 | $ setfacl -d -m group:friends:r-x mydir/ |
The -d option will prompt setfacl to make an “edit” on the default ACLs
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | $ getfacl mydir/ # file: mydir # owner: quanta # group: quanta user::rwx user:kitty:rwx #effective:r-x group::r-x group:friends:rwx #effective:r-x mask::r-x other::--- default:user::rwx default:group::r-x default:group:friends:r-x default:mask::r-x default:other::--- |
getfacl will return both ACL and default ACL access .
If you create a subdirectory in mydir, this subdirectory inherits the default ACL from mydir :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | $ mkdir mydir/mysubdir $ getfacl mydir/mysubdir/ # file: mydir/mysubdir # owner: quanta # group: quanta user::rwx group::r-x group:friends:r-x mask::r-x other::--- default:user::rwx default:group::r-x default:group:friends:r-x default:mask::r-x default:other::--- |
mysubdir ‘s ACL access accurately reflects mydir’s AC efault .
If creating a file in mydir, this file inherits the default ACL from mydir:
1 2 3 4 5 6 7 8 9 10 11 12 13 | $ touch mydir/myfile $ ls -l mydir/myfile -rw-r-----+ 1 quanta quanta 0 2008-01-07 00:59 mydir/myfile $ getfacl mydir/myfile # file: mydir/myfile # owner: quanta # group: quanta user::rw- group::r-x #effective:r-- group:friends:r-x #effective:r-- mask::r-- other::--- |
For example, suppose that / public is a shared folder for everyone in the company, set up so that anyone in any group can read the file and move into this directory, but only Users in the quantri group can write to files in this directory.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | mkdir /public chmod 777 /public groupadd quantri setfacl -d --set u::rx,g::rx,o::rx,g:quantri:rwx,m:rwx /public getfacl /public useradd user1; useradd user2; usermod -G quantri user1 su user2 cd /public touch user2_file.txt echo "Them noi dung" > user2_file.tx exit su user1 cd /public echo "Them noi dung" > user2_file.txt -> permit denie |
As another example, suppose the file mark.doc is in the / data directory with standard access rights set but the administrator needs two more ACL permissions for this file (the dev user has read and write permissions and the group has rights). read). Please set exactly the above two rights for the mark.doc file. If I want to set ACL permissions to be available when I boot on / dev / hda1, what should I do?
1 2 3 4 5 6 7 8 9 10 11 | useradd dev useradd qa setfacl -m u:dev:rw,g:qa:r,m:rwx /public/mark.doc getfacl /public/mark.doc su k50 echo "Them noi dung" > /public/mark.doc exit su k50d cat /public/mark.doc echo "Them noi dung" > /public/mark.doc |
6. Access on the file is made up of several common commands
- Cp command: When copied to a new location, the official access of the file is calculated using the formula shown above with the mask value at the target location. In case the file name is the same and you decide to overwrite, the access rights of the file at the destination location will be reserved. Use the -p option in the cp command to get access to the source file.
- Tar command: When decompressing files, the tar command takes access of each file as the basic access right for that file.