permissions for file access
chmod
chmod -R 755 * (does a recursive change)
unanswered question: why does the command chmod -g file not remove the suid and instead revoke read privileges for all those with a dib on the file?
unanswered question: how to stop the world from copying a file if they have read permission on it
- chmod a+x
- adds execute for "all": user, group and other
- chmod g=
- zeroes out field 2
- chmod o=r
- changes third field to read-only
- chmod u+x
- chmod g+x
- chmod +ax-w
- chmod a+x
- sets the execute bit (the third bit of each field) in all three fields
- chmod go+wt smtpauth.conf
setgid, setuid, etc.
- setuid, also called "suid"
seen as an "s" in the last position of the "owner" section of the permission listing under the "ls" command. That is, the owner, instead of having "x" permission, has "s" permission.
the file's executable permission is set so that it runs as the file's owner rather than as the invoking user
"This describes set-user-id permissions on the file. When the set user ID access mode is set in the owner permissions, and the file is executable, processes which run it are granted access to system resources based on user who owns the file, as opposed to the user who created the process. This is the cause of many "buffer overflow" exploits." (source: here)
- setgid
seen as an "s" in the slot where the group's "executable" permission is listed, after running the "ls" command
the file's executable permission is set so that it runs with the file's group rather than the invoking user's group
- sticky bit
the executable slot of the "other" (whole world) field is listed as a "t" instead of an "x"
all the files in the directory are affected by the sticky bit when it is set on the directory
"The "sticky bit" also has a different meaning when applied to directories than when applied to files. If the sticky bit is set on a directory, then a user may only delete files that he owns or for which he has explicit write permission granted, even when he has write access to the directory." (source: here)
when it is set on a directory, only the owner (of the directory or of the file) or the superuser can remove or rename a file in that directory
To set these, run the chmod command with 4 numbers instead of the usual three, that is:
chmod 4### filename (suid)
chmod 2### filename (sgid)
chmod 1### filename (t)
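The 4/2/1 mapping and the s/S/t/T display, as an added example that is not part of these notes: a POSIX sh script that renders a four-digit octal mode the way "ls -l" shows it and, where GNU coreutils "stat -c" is available, checks the rendering against a scratch file it chmods itself (mktemp, chmod, stat and the function names are the example's own assumptions).

```shell
#!/bin/sh
# Added example (not from the original notes): render a 4-digit octal mode
# the way `ls -l` shows it, including the s/S/t/T special-bit letters.
# rwx triplet for one octal digit (0-7)
rwx_triplet() {
    r='-'; w='-'; x='-'
    [ $(($1 & 4)) -ne 0 ] && r='r'
    [ $(($1 & 2)) -ne 0 ] && w='w'
    [ $(($1 & 1)) -ne 0 ] && x='x'
    printf '%s%s%s' "$r" "$w" "$x"
}
# Replace the execute slot of a triplet with the special-bit letter:
# lower-case when x is also set, upper-case (S/T) when it is not.
special_slot() {
    base=$(printf '%s' "$1" | cut -c1-2)
    case "$1" in
        *x) printf '%s%s' "$base" "$2" ;;
        *)  printf '%s%s' "$base" "$(printf '%s' "$2" | tr 'a-z' 'A-Z')" ;;
    esac
}
# mode_to_ls 4755 -> rwsr-xr-x ; mode_to_ls 1777 -> rwxrwxrwt
mode_to_ls() {
    sp=$(printf '%s' "$1" | cut -c1)
    u=$(rwx_triplet "$(printf '%s' "$1" | cut -c2)")
    g=$(rwx_triplet "$(printf '%s' "$1" | cut -c3)")
    o=$(rwx_triplet "$(printf '%s' "$1" | cut -c4)")
    if [ $((sp & 4)) -ne 0 ]; then u=$(special_slot "$u" s); fi   # 4 = setuid
    if [ $((sp & 2)) -ne 0 ]; then g=$(special_slot "$g" s); fi   # 2 = setgid
    if [ $((sp & 1)) -ne 0 ]; then o=$(special_slot "$o" t); fi   # 1 = sticky
    printf '%s%s%s' "$u" "$g" "$o"
}
# Live check (assumes GNU coreutils `stat -c %A`): apply the mode to a
# scratch file and compare what the kernel reports with the rendering.
check_live() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    actual=$(stat -c %A "$f" | cut -c2-10)   # drop the leading file-type char
    rm -f "$f"
    [ "$actual" = "$(mode_to_ls "$1")" ]
}
for m in 4755 2755 1777 4644; do
    printf '%s -> %s\n' "$m" "$(mode_to_ls "$m")"
    if stat -c %A . >/dev/null 2>&1; then
        if check_live "$m"; then echo "  matches stat"; else echo "  differs from stat"; fi
    fi
done
```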
file permissions for activities
- need +x on a directory to access (traverse) it
[root@www root]# ls -la /usr/lib/perl5/5.8.0/athlon-linux-thread-multi/DB_File.pm
-r-xr-xr-x 1 root root 63373 Mar 9 07:05 /usr/lib/perl5/5.8.0/athlon-linux-thread-multi/DB_File.pm
[root@www root]#
in the above, I can still write as root if I use vi and w!
- the following is the problem one has when trying to change a file's group to a group one is not a member of; example:
ls -lah
drwxrwxrwx 5 joe joe 4096 Mar 3 00:16 sent-mail
[joe@www Mail]$ chgrp mail sent-mail/
chgrp: changing group of `sent-mail/': Operation not permitted
[joe@www Mail]$ chgrp mail sent-mail/ -R
chgrp: changing group of `sent-mail/': Operation not permitted
chgrp: changing group of `sent-mail//new': Operation not permitted
chgrp: changing group of `sent-mail//cur': Operation not permitted
chgrp: changing group of `sent-mail//tmp': Operation not permitted
[joe@www Mail]$ sudo chgrp mail sent-mail/ -R
[joe@www Mail]$