File Access

• Welcome to linuxzoo
  • Essential Linux
    • Unix Security
      • File Access

Access to Unix files are governed by ownership and permissions. If you create a file, you are automatically the owner of that file, and can set the permissions for that file to give or deny access to other users of the system.

There are three different levels of permission:

1. r - read permission: allows users to read the contents of a file
2. w - write permission: allows users to change the contents of a file
3. x - execute permission: signifies a program or script file and allows users to execute (run) the file.

File permissions can be set for three different levels of ownership:

1. u - user - The user who created the file its its owner.
2. g - group - A group to which you are assigned, usually made up of those users engaged in similar activities, and who need to share files among themselves.
3. o - others - All other users on the system.

Thus you can set read, write, and execute permissions for the three classes of ownership:

-rxwrwxrwx.
  |   \  \ \___________
  |    \  \__          \
  |     |    \          \
owner  group  other    alternative access method indicator

For example, to see the permissions, owner name, and group name on 'myfile' type the following:

% ls -l myfile
-rwxrw-r--.      1     john    staff   567   Nov 18 12:26  myfile
    |            |       |       |      |       |           |
(permissions) (links) (owner) (group) (bytes) (date)      (filename)

The first dash on the left indicates the type of data that this entry represents. In this case 'myfile' is described as a simple file since the leading character is a '-' (if 'myfile' was a directory you would see a 'd' rather than a '-'). The next nine positions indicate read, write, and execute permissions for owner, group, and other. If a permission is not allowed, a '-' appears in the place of the letter.

In the example (-rwxrw-r--), owner (john) has read, write, and execute permissions (rwx); the group (staff) has read and write permissions (rw-); while other has only read permission (r--).

The trailing "." after the permissions in the example "-rwxrw-r--." indicates that an alternative access method exists. This character can be

1. " " (space) This indicates no alternative access method exists.
2. "." (dot) This indicates that a SELinux security context exists.
3. "+" (plus) This indicates that more than one alternative access method exists.

> touch test
> setfacl .m user:root:rwx test
> ls -l test
-rw-rw-r--+ 1 gordon gordon 0 Aug 30 15:25 test
> getfacl test
	user::rw-
	user:root:rwx
	group::rw-
	mask::rw-
	other::r--

Here the file "test" has been given an additional File Access Control List which gives the user "root" "rwx" access to the file. This additional access method is flagged up with a "+" in the "ls" command.

Another access method which is common in Linux flavours like RedHat and Fedora is SELinux. This secures processes by restricting what they can do using pre-defined rules. For instance, the web server is configured in Fedora to only publish files to the web which are in the context "httpd_user_context_t". You can see the context using "-Z" in the "ls" command:

touch test
> ls -Z test
-rw-rw-r--. gordon users  unconfined_u:object_r:httpd_user_content_t:s0 test

Additional access methods is a complex subject in itself, and will be discussed later on in the material. For now, just ignore the trailing "." in the permissions.

File types

% ls -l myfile
-rwxrw-r--.      1     john    staff   567   Nov 18 12:26  myfile
    |            |       |       |      |       |           |
(permissions) (links) (owner) (group) (bytes) (date)      (filename)

As the leading character in the example was a "-" this indicates that "myfile" is a simple file. Some possibilities include:

• - means a normal file
• d means directory
• c means a character device (mouse, keyboard)
• b means a block device (ide disk, scsi disk)

Linuxzoo created by Gordon Russell.
@ Copyright 2004-2023 Edinburgh Napier University