A short course in permissions
From FBSD_tips
DRAFT INCOMPLETE DRAFT INCOMPLETE DRAFT INCOMPLETE
Intro
The FreeBSD filesystem (like other typical Unix filesystems) is structured as a tree with a single root; this is unlike Windows, which has one or more hierarchies identified by drive letters. Any additional hard disks are partitioned and formatted, and their filesystems are mounted, or grafted, onto an existing directory in this single tree. There are two main ways to arbitrate access to the directories and files in the filesystem: 1) setting the mode bits of the files and directories and 2) Access Control Lists.
File modes
Every file and directory in the filesystem has a primary owner ID and a primary group ID (both numbers) associated with it. The system maps these IDs to names using /etc/passwd and /etc/group, respectively.
Each file and directory has three sets of access modes associated with it, corresponding to three groups of rights granted to 1) the owner, 2) the group and 3) all others.
ls can output the values in a human readable format.
    Test (/root) > ls -l xorg.conf.new
    drwxr-xr-x  2 root  wheel   512 May 23 23:25 bin
    -rw-r--r--  1 root  wheel  5115 Jul 25 09:32 xorg.conf.new
    ||  |  |      |     |
    ||  |  |      |     group
    ||  |  |      owner
    ||  |  read, write, execute for others
    ||  read, write, execute for group
    |read, write, execute for user
    mode
The first character of the mode indicates the type of entry in the filesystem: '-' means a regular file and 'd' a directory; the ls man page gives the full list of possibilities. Each triplet of modes is, in order, 1) 'r' for read, 2) 'w' for write and 3) 'x' for execute. A dash '-' means that right is not granted.
Modes are set with the chmod command, using either numeric or symbolic syntax. The symbolic form is easier to understand. For instance, to remove the group read permission you would use this form:
    Test (/root) > chmod g-r xorg.conf.new
    Test (/root) > ls -l xorg.conf.new
    -rw----r--  1 root  wheel  5115 Jul 25 09:32 xorg.conf.new
Note that the 'r' has disappeared from the group triplet.
If you want users to be able to search a directory for executables, you must set both the read and execute bits in the 'other' permissions, as in the following example:
    Test (/root) > chmod o+rx bin
    Test (/root) > ls -ld bin
    drwxr-xr-x  2 root  wheel  512 May 23 23:25 bin
Directories
Directories have the same set of permission bits that files have; however, the 'x' or execute bit means something different for them: search. The execute bit on a directory allows a process to traverse the directory to reach the files and subdirectories below it.
Examples
As root I will create a directory and put something in it; as a user I can see both. You can see that by default directories have the execute bit set.
    Root@(/usr) > mkdir test
    Root@(/usr) > ls -l
    total 2
    drwxr-xr-x  2 root  wheel  512 Oct 29 00:28 test
    Root@(/usr) > uname > test/uname.txt
    Root@(/usr) > ls -l test/
    total 2
    -rw-r--r--  1 root  wheel  8 Oct 29 00:32 uname.txt
Now, as user 'test', note that it doesn't let us delete.
    Test@(/home/test) > ls -l /usr
    total 2
    drwxr-xr-x  2 root  wheel  512 Oct 29 00:32 test
    Test@(/home/test) > ls -l /usr/test/
    total 2
    -rw-r--r--  1 root  wheel  8 Oct 29 00:32 uname.txt
    Test@(/home/test) > rm /usr/test/uname.txt
    override rw-r--r--  root/wheel for /usr/test/uname.txt? y
    rm: /usr/test/uname.txt: Permission denied
I'll put a script there now as root:
    Root@(/usr) > echo "uname" > test/uname.sh
    Root@(/usr) > chmod +x test/uname.sh
As test:
    Test@(/home/test) > export PATH=$PATH:/usr/test/
    Test@(/home/test) > uname.sh
    FreeBSD
    Test@(/home/test) >
Now I will remove the search bit for 'other' from the directory. As root:
    Root@(/usr) > chmod o-x test/
    Root@(/usr) > ls -l
    total 2
    drwxr-xr--  2 root  wheel  512 Oct 29 00:46 test
As test:
    Test@(/home/test) > uname.sh
    bash: /usr/test/uname.sh: Permission denied
Now only root and members of wheel can run executable files in that directory. The user test can also be made a member of a secondary group to gain those privileges; add the user to the wheel line in /etc/group:
    wheel:*:0:root,test
And now you can run the shell script again:
    Test@(/home/test) > uname.sh
    FreeBSD
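The access decision the walkthrough above demonstrates (one triplet chosen by owner, then group including secondary membership, then other; search bit needed on every directory on the path), as an added example that is not from the FBSD_tips page. It assumes /usr itself is drwxr-xr-x root:wheel as on a stock install; the function names are mine.

```python
from typing import Dict, FrozenSet, Set, Tuple

def parse_mode(mode: str) -> Tuple[str, FrozenSet[str], FrozenSet[str], FrozenSet[str]]:
    """Split a 10-char ls -l mode ('drwxr-xr-x') into type and the user/group/
    other right sets.  Lowercase 's'/'t' in the x slot still means x is set."""
    if len(mode) != 10:
        raise ValueError("mode must be 10 characters, e.g. drwxr-xr-x")
    classes = []
    for triplet in (mode[1:4], mode[4:7], mode[7:10]):
        rights = {r for ch, r in zip(triplet, "rwx")
                  if ch == r or (r == "x" and ch in "st")}
        classes.append(frozenset(rights))
    return mode[0], classes[0], classes[1], classes[2]

def rights_for(entry: Tuple[str, str, str], user: str, groups: Set[str]) -> FrozenSet[str]:
    """Exactly one triplet applies, in order: owner, then group (primary or
    secondary membership), then other.  A stricter owner/group triplet can
    therefore grant a member *fewer* rights than everyone else gets."""
    mode, owner, group = entry
    _, u, g, o = parse_mode(mode)
    if user == owner:
        return u
    return g if group in groups else o

def execute_denied_at(fs: Dict[str, Tuple[str, str, str]], user: str,
                      groups: Set[str], path: str):
    """Return the first component that blocks executing `path`, or None.
    Every directory on the way needs 'x' (search); the file itself needs 'x'."""
    parts = path.strip("/").split("/")
    prefix = ""
    for comp in parts[:-1]:
        prefix += "/" + comp
        if "x" not in rights_for(fs[prefix], user, groups):
            return prefix
    return path if "x" not in rights_for(fs[path], user, groups) else None

def page_demo():
    """Replay the walkthrough above for user 'test' running /usr/test/uname.sh:
    before 'chmod o-x test/', after it, and after adding test to wheel.
    The snapshot is constructed from the ls -l output shown on the page."""
    fs = {"/usr": ("drwxr-xr-x", "root", "wheel"),            # assumed stock mode
          "/usr/test": ("drwxr-xr-x", "root", "wheel"),
          "/usr/test/uname.sh": ("-rwxr-xr-x", "root", "wheel")}
    before = execute_denied_at(fs, "test", {"test"}, "/usr/test/uname.sh")
    fs["/usr/test"] = ("drwxr-xr--", "root", "wheel")  # Root: chmod o-x test/
    after = execute_denied_at(fs, "test", {"test"}, "/usr/test/uname.sh")
    in_wheel = execute_denied_at(fs, "test", {"test", "wheel"}, "/usr/test/uname.sh")
    return before, after, in_wheel  # (None, '/usr/test', None)
```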
ACLs
The system of UID/GID association with both the object being accessed and the user accessing it, along with secondary group membership, is quite workable with a small number of users and well-defined roles for group mapping. It doesn't handle exception cases very well, however, and can get quite tedious with large numbers of users, groups and intricate filesystem hierarchies. In such situations Access Control Lists can represent quite an advantage.
ACLs are enabled in GENERIC kernels. ACLs are 'object-centric', that is, they assign any number of arbitrary rights TO THE OBJECT being accessed
