I saw:
chmod o-rwx somefile
This will remove read/write/execute permissions from other users (doesn't include users within your group).
How can I remove write permission only for current user?
Permissions in linux are given for user (who is the owner of the file), group (which is the group of the owner of file by default (though youcan change using chgrp command)) and others. Every file has 3 permissions for each of these categories (Read, Write and Execute), which are represented by setting or unsetting of corresponding bits. So, permissions range from 0 to 7, where 0 is no permission, 1 is x, 2 is w, 3 is wx, 4 is r, 5 is rx, 6 is rw and 7 is rwx.
So, use chmod abc filename where a/b/c are numbers in range 0-7 for user, group and others respectively.
Related
Scenario 1:
I have 2 users, each has a different primary group.
For user1, the primary group is group1 with GID 501.
For user2, the primary group is group2 with GID 502.
I edited /etc/passwd so that user1 now has GID 600.
However, I forgot to create a new group with GID 600 (and I did not edit /etc/group either).
What's surprising me is that even though I never created a group with GID 600 (and thus there's no such group in /etc/group)- everything works as if such a group exists:
Examples:
1) After user1 creates a new file- test.txt, User2 can't r/w that file.
2) When running ls -l I can see that test.txt belongs to GID 600.
What am I missing? Why does it work even though there's inconsistency between /etc/passwd and /etc/group?
Scenario 2:
Say I have a group with GID 1000.
When running useradd -c "name" test2 -g 1000, and then groups test2, I can see that test2's primary group is 1000.
However, in /etc/group all I see is test_group:x:1000:, meaning test2 isn't a member of test_group.
Moreover, after running useradd -c "name" test3, I do have test3:x:8093: in /etc/group.
Can you explain why it's happening?
Thanks.
Non programming question, expect downvotes... you should ask on superuser or unix.se
That said, there is no mapping of UID numbers to GID numbers that require them to have the same values. Think about what happens when you add a few users, then create a group or two for them to share, then add a few more users. The "next available" GID/UID pair don't match in value, but that doesn't matter.
When you are looking at a user's primary group, they aren't listed in the groups file as being a member because their primary group info is in the passwd file.
Remember to find files/directories that have no owning user or group if you manually change a UID number or GID number, and fix as appropriate.
Also, when it comes to UID numbers and GID numbers there is 0 (root) and everything else - no special meaning to them. By consensus, "system user" type accounts are low, and most distributions start creating "normal" users with a UID/GID of 1000
I know that permission are set using Chmod but I am having a hard time understating how to convert an octal number into a permission.
for example
640 does this mean that the user has rw-r----x
permission? Becuase 4+2=6 and 4 = w and 0 = - ?
I understand that 777 is wide open because the user has full control fo the file 4+2+1 = 7 rwx
permission the group has rwx and the second group has rwx permission
If I were to answer this question my answer would be. rw-r----x What am I doing wrong?
There are 3 digits. The first digit is the user permissions, the second digit is the group permissions, the third digit is everyone else's permissions.
Every digit is formed by adding a subset of of 4 (read), 2 (write), 1 (execute).
Thus 6 4 0 means the user (6) is allowed to read and write (4 + 2), the group (4) is allowed to read (4), and everyone else (0) has no permissions.
x is 1, therefore the third triad is read as "1". 0 would have the third triad be ---.
Maybe a picture would be easier:
Linux File Permissions
..I would post it here but I don't have the rep
Some Examples:
We want the User to be able to read, write and execute the file, the group to have read access and no access for everyone else:
chmod 740 test_dir
We want the everyone to have full access to read, write and execute:
chmod 777 test_dir
I know there's 0,1,5,6 and 7 for each category of user
e.g. 755, 644, 600 etc
how many combinations can we have?
also, there's this u+755... what is this about really?
There are 4 user-manipulable permissions locations (special permissions [setuid, setgid, sticky], user owner, group owner, other), and each can have one of 8 values.
8 ** 4 = 4096
The 3 numbers denote owner/group/world
Each of them has read/write/execute bits. You are setting these when it comes to the 3 numbers.
So, 000 becomes
owner group world
rwx rwx rwx
000 000 000
777 (which allows everyone to read, write and execute the file) becomes
owner group world
rwx rwx rwx
111 111 111
644 allows owner to read/write. Group and world to only read.
owner group world
rwx rwx rwx
110 100 100
And so on..
In total, there are 8 bits, which can be turned on/off, giving you 8^3. In addition, there are the special modes Sticky bit, SUID and SGID, and their various combinations, further giving you 8 possibilities.
the unix privileges on directories is categorised by [User][Group][Other] each of these have the options of [Read][Write][Execute]
so the form is [User]{RWX},[Group]{RWX},[Other]{RWX}
so the permissions are [U]RWX [G]RWX [O]RWX so if you are familiar with the binary representation of decimal numbers you can understand that
755 would be decoded to [U]111 [G]101 [O]101 so this means [U]RWX [G]R-X [O]R-X
600 would be decoded to [U]110 [G]000 [O]000 so this means [U]RW- [G]--- [O]---
644 would be decoded to [U]110 [G]100 [O]100 so this means [U]RW- [G]R-- [O]R--
and about the available combinations are 2^9= 512 available permissions
where 2 is the number of available choices (0,1) that could be placed in one of the 9 available places
[U]123 [G]456 [O]789 in the general form.
you can check this link for further details and tutorial.
Every file and directory has their certial set of permissions on User (who owns the files), Group (Group is to which that user belongs and all the users belongs to this group will fall in this category) and Others ( rest of the users and group present inside the system).
Now each of these categories (User/Group/Others) can have combination of Read, Write or Execute permissions.
Read - 4
Write -2
Execute - 1
So if a file has [read,write, execute] permissions for User and [read,execute] permission for Group and Others both then it is denoted as
chmod 755 filename
also, chmod u+rwx, g+rx, o+rx filename
Now if you just want to give USER (the first category) permissions on the file as [read,write] then it will be like :-
chmod u+rw filename.
I don't think the command (chmod u+755 filename) you have written is correct.
I'm trying to create a log file at the start of my program.
I need to check if a /log directory exists if it doesn't create the directory then move on to creating the log file.
Well I tried to use os.Mkdir (as well as os.MkdirAll), but no matter what value I put into the second parameter I get a locked out folder with no permissions. What value should this be in order to get a read / write for user folder? I thought it would be 0x700 but it doesn't seem to work.
Thanks!
You can use octal notation directly:
os.Mkdir("dirname", 0700)
Permission Bits
+-----+---+--------------------------+
| rwx | 7 | Read, write and execute |
| rw- | 6 | Read, write |
| r-x | 5 | Read, and execute |
| r-- | 4 | Read, |
| -wx | 3 | Write and execute |
| -w- | 2 | Write |
| --x | 1 | Execute |
| --- | 0 | no permissions |
+------------------------------------+
+------------+------+-------+
| Permission | Octal| Field |
+------------+------+-------+
| rwx------ | 0700 | User |
| ---rwx--- | 0070 | Group |
| ------rwx | 0007 | Other |
+------------+------+-------+
A Unix Permission Primer
Common Permission Usages
0755 Commonly used on web servers. The owner can read, write, execute. Everyone else can read and execute but not modify the file.
0777 Everyone can read write and execute. On a web server, it is not advisable to use ‘777’ permission for your files and folders, as it allows anyone to add malicious code to your server.
0644 Only the owner can read and write. Everyone else can only read. No one can execute the file.
0655 Only the owner can read and write, but not execute the file. Everyone else can read and execute, but cannot modify the file.
www.maketecheasier.com/file-permissions-what-does-chmod-777-means/
Directory Permissions on Linux
When applying permissions to directories on Linux, the permission bits have different meanings than on regular files. (source)
Read bit The user can read the file names contained in the directory.
Write bit The user can {add,rename,delete} files names IF the execute bit is set too.
Execute bit The user can enter the directory and access the files inside.
https://unix.stackexchange.com/a/21252
Permissions Calculator
A handy permissions calculator.
#Daniel's statement in his answer is not really correct, and also it talks about a decimal number and then uses an octal one, as #SashaCrofter correctly pointed out in his comment.
In reality, it doesn't matter what form your permission value is in as long as it represents sensible Unix permissions.
Since permission bits on POSIX file systems come in triples of bits — three bits for owner, group and others access, plus three bits of modifiers (such as sticky bits), — it's customary to use octal numbers to represent permissions as each digit in an octal number represents a three-bit value.
Hence, when you use 0700 in Go code, the leading 0 is stripped and is only there to tell the parser it sees an octal number literal, and the following three letters stand for the owner, group and others permissions, in this order. Should you, say, want to also set the group sticky bit as well as making the file system object group-readable and executable, you'd specify 02750 and so on.
Note that the actual permissions the file system object acquires is further modulated by the active umask of the process which creates the object.
To get more grip on these topics, it's best to read the chmod manual pages and general literature on Unix-like operating systems.
You can reset the umask to 0. I would call this as the first thing in my main file
syscall.Umask(0)
Example
_ = os.MkdirAll("/tmp/dirs/1", 0664)
syscall.Umask(0)
_ = os.MkdirAll("/tmp/dirs/2", 0664)
Result
/tmp/dirs$ stat -c '%A %a %n' *
drw-r--r-- 644 1
drw-rw-r-- 664 2
Besides the other answers, remember that on Unix and Linux style operating systems, all programs run with a umask setting. The umask, which in many cases defaults to 022 or sometimes 002, is the set of permissions that the system will automatically remove from file and directory creation requests.
What this means is that most programs–there are several exceptions to this rule—should use mode 0666 for creating files and mode 0777 for creating directories. The user's configuration, recorded in the running process, says which of these permissions to take away. If the user's setting is 022, and we create a file with mode 0666, the actual setting we get is rw-r--r--: read and write for the user, read-only for the group, and read-only for others.
If a user wishes to extend writability to their group, they need only set their umask to 2: now they take away write permission for others, but leave it for their group. New files are now created with mode rw-rw-r--. The program does not change: it still uses 0666 for its mode. But the files are created with mode 0664.
Similarly, if you call os.Mkdir or os.MkdirAll with 0777, the umask will take away the unwanted permissions, leaving you with the right permissions.
But I mentioned that there are exceptions. These include programs that make copies of sensitive information meant only for the user: these should generally use mode 0700 for directories and 0600 for files. They may include long-running servers that act as a system user rather than any one individual ... although those servers could be run with a correct umask, in which case, 0777 or 0666 is fine.
You must apply some judgment here. Programs that are especially security-conscious, such as ssh or similar, may wish to use limited permissions, and may even want to check (with os.Lstat or similar) that permissions are appropriately tight on important directories.
(Note that the umask does not apply to os.Chmod calls. Here you choose the mode directly.)
One way to make sure that you're setting the kind of permissions you want, without figuring out the complex calculations in octal, is to use the very convenient FileMode constants in package os:
https://golang.org/pkg/os/#FileMode
I usually use os.ModePerm (which is actually coded as 0777) for fully permissive directories, such as those required for caches or temporary files, but your mileage may vary. To set the additional bits (sticky, etc.), which, as #kostix has noted, has to deal with the issue of octal representation of flags in Go, you can always use something like:
if err := os.MkdirAll("my/tmp/dir", os.ModeSticky|os.ModePerm); err != nil {
... handle error ...
}
Go playground
As always, it's worth mentioning again that these permissions are 'filtered' by whatever umask has been set.
Hi I'm working in a Linux environment and I'm trying to write a command that will take a path as input and output a list of all users with read access to that file/directory.
For example, if file /a/b/c is owned by userid, u, and groupid, g, with some permissions, I want this command to identify the permissions of /a and /a/b and then calculate all the users who can read c. In particular, I'm having trouble when groups get involved.
I am trying to separate identifying read access based off group into cases:
1) g matches the gid of c's parent's gid, gp, (or grandparent, etc..), in which case, any member of g can read c if gp has permission: 040, or less restrictive.
2) g is different than c's parent's gid, gp. Two subcases:
...a) userid m is a member of g (for all m in g (m does not own c)) and owns c's parent, p. Then m can read c if p has permission: 400, or less restrictive.
...b) userid m is a member of g (for all m in c's gid (m does not own c)) and does not own c's parent, p. Then m can read c if p has permission: 004 or less restrictive.
3) u owns p, in which case p needs permissions 400 or less restrictive.
By the way, I have root access on this system. I imagine I'll have to make a series of cats to /etc/group and /etc/passwd and grep for relevant info, which is fine. Also, we can consider 'stat's free in this environment (it's part of a bigger project where we already have this info).
I guess what I'm looking for is an existing solution, pseudo code, or someone to help me brainstorm an algorithm and other considerations that I'm missing. Feel free to ask clarifying questions if necessary - I know this pseudo logic here isn't the easiest to read. Thanks guys.
I think your best solution is the following:
1.) Determine permission of c.
if(b does not have a minimum of world execute bit settings) i.e. 711
return error; ( or owner && root)
// you can easily extend this check to recursively work back to /
if (c has global read permissions)
return everyone;
else if (c has group read permissions)
determine group name && return all members of said group
else (return owner && root)
2.) determining the members of said group can be done using getent. for instance:
getent group - returns all groups on the system
getent passwd - returns all users
3.) permissions can be determined with 'stat c' or something similar.
cating is flawed; use getent instead. Don't forget to check ACLs.