Linux: File Manager

Captions
In this lesson we're going to talk about permissions. Now, understand that managing ownership of files and directories only represents a part of what you have to do in order to control access to the Linux file system. Basically, ownership only specifies who owns what. Ownership does not say what that person can or can't do with those files or directories that they own. In order to do this, you have to set up and manage permissions. So in this lesson we're going to talk about how permissions work, and we're going to talk about how to manage permissions from the command line.

So let's begin by discussing how permissions function. Permissions basically specify what a particular user may do with the files and directories in the file system. For example, these permissions may allow a user to view a file but not modify it. They could allow a user to open and also modify that file and save the changes. Permissions may even allow a user to run an executable file. In fact, permissions can even be configured to prevent a user from even seeing a file within a directory in the file system. Understand that each file and directory in your Linux file system stores the specific permissions that have been assigned to it in the mode of the file. So if you hear someone refer to a file's or directory's mode, we're talking about the permissions that have been assigned to that file or directory.

A list of the possible permissions that can be assigned to either a file or to a directory is listed here. The first one is the read permission. You'll see the read permission represented by the r symbol. If you assign the read permission to a user to a file, it will allow that user to open and view the file, but it does not allow that user to actually modify and save changes to that file. On the other hand, if we were to assign the read permission for a user to a directory instead of a file, then it allows the user to actually list the contents of that directory. Essentially, it allows them to see what files and subdirectories exist within a given directory.

You can also assign the write permission, which uses a symbol of w. If you grant a user write permission to a file, it allows that user to open, modify, and save changes to that file. Whereas the read permission allowed them to look at the contents of the file, the write permission allows them to modify the contents of a file. On the other hand, if you grant the write permission to a user to a particular directory in the Linux file system, then that user is allowed to either add or remove files from that directory.

The last permission you need to be familiar with is the execute permission, and it's represented by the letter x. If you grant a user the execute permission to a file, then that user is allowed to execute or run that file. On the other hand, if you grant a user execute permission to a directory, something totally different happens: it just allows the user to actually enter into that directory, say, with the cd command.

So we're pretty good thus far. We have the read permission, the write permission, and the execute permission, and each of these three different permissions can be assigned to either a file or to a directory in the file system. Here's where things get a little bit confusing. Understand that these three permissions, read, write, and execute, can be assigned to three different entities for each and every file and each and every directory in the file system.

The first entity is the owner. The owner is the user account that has been assigned to be either a file's or a directory's owner. So we can assign read, write, or execute permissions to the owner, and those permissions will be applied only to that user account, to no one else.

In addition to owner, you can also assign permissions to group. Now, the group is the group that's been assigned ownership of a particular file or directory. So we can assign group read, write, or execute permissions as well. Any permissions that are assigned to group will be automatically applied to all user accounts that are members of that group.

And then the last one, and the one that folks frequently forget from a security perspective but really shouldn't because it's very important, is others. Now, others refers to all other authenticated users on the Linux system: anyone who is logged in who is not the file's owner or directory's owner and is not a member of the group that owns a file or directory. Someone who falls into this category is considered an other, and you can actually assign read, write, and execute permissions to others as well.

Now remember, I said a minute ago that a lot of times we forget about others from a security perspective, and we should not. That's because you need to be very careful about what permissions you assign to others. Basically, every user on the system in one fashion or another belongs to others. Therefore, any permission you assign to others basically gets assigned to anybody who authenticates to the system. Now, in some situations this can be really useful, but in other cases it creates a security hole and can get you in a lot of trouble. Basically, others should have minimal permissions assigned, only enough to do what they need to do. If every authenticated user on the system does not need access to a particular file or directory, then don't grant the necessary permissions to others.

If you want to view the permissions that have been assigned to a particular file or directory in the file system, you use the ls -l command. When you do, the permissions for each directory or file are displayed, and they're displayed over here on the left. Now, this first column is the mode that we talked about earlier for the particular file or directory. The very first character in the mode identifies whether it is a file, whether it's a directory, or whether it's a symbolic link. If you see a d, as in the case for this entity in the file system, then we know that it's a directory. On the other hand, if we see a dash, then we know that this entity is a file. And if you see an l, the letter l, lowercase l, then it's a symbolic link.

Then after that first character, the next three characters identify the permissions that have been assigned to the owner of that directory or file. So for the newfile file, the owner of that file has been granted r and w but not x. That means that the owner of the file named newfile has read and write permissions to that file, but because there's a dash in the third spot, that means that execute hasn't been assigned. And that's really not a problem, because this is a text file. It contains data; it's not an executable, so it's not needed anyway. But if this file were an executable, then we would want the owner to be able to execute it. An example of that is shown down here for the file named zombie. zombie is an executable, therefore the file owner needs read, write, and execute permissions to this file so that the file owner can not only read it and write to it but can also execute it when necessary.

Now, if you aren't sure who the owner of the file is, you can jump over one column right here that tells us the name of the owning user, and the next column tells us the name of the owning group. In this case, newfile is owned by the rtracy user and is also owned by a group named rtracy. By way of comparison, the project_design.odt file is owned by the rtracy user, but the name of the owning group is users.

This is important because the next three characters in a file's mode are the permissions that are assigned to that owning group. For the newfile file, the owning group, which is the rtracy group, has read and write permissions to that file as well. So with this particular file, the user that owns the file can open the file, access it, modify it, and save changes. In addition, any user that's a member of the owning group can also open the file, modify it, and save the changes. But notice down here, for the project_design.odt file, the owning group only has the r permission assigned. It does not have the w permission assigned, whereas the owning user has both read and write permissions assigned. Therefore, the user that owns project_design.odt can edit the file and save changes, but any user who's a member of the users group will only be able to look at the contents of the file. They will not be allowed to edit it.

Finally, the last three characters in the mode are the permissions that are assigned to others, which is basically any legitimately authenticated user on the system who is not the owner and is not a member of the owning group. So for the newfile file, every user on the system has read access to this file, and the same is true for the project_design.odt file. All authenticated users on the system who are not the owner and not a member of the owning group will be able to look at the contents of this file. Remember, I said earlier that you need to be very careful about managing the permissions that are assigned to others. What if this document is very sensitive? What if we don't want every other user on the system to be able to read its contents? We might want to consider removing the r permission to prevent prying eyes from seeing what's in this file.

Now, before we go any farther, you need to be aware that these permissions for each entity can also be represented numerically. This is done to save space, because as we saw previously, specifying the three different permissions for each of the three different entities takes up a little bit of space. To make things a little more concise, we can represent permissions by a number. The read permission is assigned a value of 4, the write permission is assigned a value of 2, and the execute permission is represented by a value of 1. Now, using these numbers, we can then represent all of the permissions that are assigned to owner, all of the permissions that are assigned to group, and all of the permissions that are assigned to others with a single number. All you have to do is add up the value of each permission that's been assigned.

In this example, the owner of a file has been assigned the read and write permissions. Read has a value of 4, write has a value of 2. We add the two together and we get a value of 6. If you see 6, you know that the entity represented by that permission has read and write permissions. And whenever you see numeric permissions identified in this way, remember that the first digit represents owner, the second digit represents group, and the third digit represents others. In this case, the owning group only has the read permission assigned, therefore we don't have to add anything up; there's just a value of 4. Same for others: others has the read permission assigned, so it has a value of 4 as well. So the mode of the file with these permissions assigned to it can be represented more concisely by just the number 644. If we were looking at this mode in the output of the ls -l command, we would see it represented in this way: rw, r, and r for user, group, and others.

So what do you do if the permissions that have been assigned to a file or directory aren't correct? Well, you can modify them using this utility right here, chmod, which stands for change mode. Now, be aware that in order to do this, you must either already be the owner of a file or directory or you must be logged in as the root user. Any other user will not be allowed to change the mode of a file. That just stands to reason. Imagine the havoc you would cause if any user could go into any file and change its mode. That would be a security nightmare.

Now, there are different syntaxes that can be used with the chmod command. The first one is shown here, where we enter chmod, and then we enter the entity we want to assign permissions to, and then an equal sign, and then the permissions that we want to assign to that entity, followed by the name of the file or directory whose mode we want to change. An example is shown down here. We run chmod and we say u=rw, which grants the owner of the directory read/write permissions. Now, because we used an equal sign, whatever we specify here overwrites what already may be in the mode for user. So if the user had, say, rwx permissions to this file for some reason, then by using u=rw the owner would then only have read/write permissions and the execute permission would be removed. We also specify that the owning group gets read/write permissions, and then o over here refers to others, and others get the read permission. Now, this is a point of confusion right here, because o makes us think of owner, right? Well, owner is not o. Owner is u; others is o. Don't get tripped up by that. And then we specify the name of the file whose mode we want to modify.

Now, you can also use the chmod command to simply toggle one particular permission off or on, using either the plus or the minus sign for a particular entity. For example, let's suppose that I want to turn off the write permission that we just gave to the owning group for the project_design.odt file in the previous example. To do this, I would enter chmod g-w and then the name of the file. That will turn off the write permission. If I decided later that that was the wrong thing to do and I need to turn the write permission back on for group, I would enter the same command again, but this time I would use a plus sign between g and w to tell the chmod command that we want to turn on the write permission for the owning group. Now, if I wanted to toggle a permission for the owner of the file, I would have used u instead of g. If, on the other hand, I wanted to toggle permission for others, I would have used an o instead of g in the command. And of course, if I wanted to add the read permission instead of write, I would have added r. If I wanted to manipulate the execute permission, I would have used an x instead of w.

There's a third syntax that you can use with the chmod command, and this is one where we represent the entire mode that we want to assign to a particular file or directory numerically. To do this, we enter chmod followed by a numeric representation of the mode that we want to assign to either the file or directory in question. For example, here we enter chmod, and then we enter the numeric mode 660, and then the name of the file, project_design. So 660: what permissions are being assigned to the three entities? Well, the first number is user. If we have 6, we know that that's 4 plus 2. That means we have read, 4, and write, 2. The second digit applies to group. Again we have 6; we know that that is read, 4, write, 2. And then others gets 0. That means others gets nada, no permissions at all.

Now, before we end, I want to make you aware that you can use the -R option with the chmod command, and that is extremely useful. In the examples we've been working with here, we've been assigning a particular mode to one file at a time. There may be situations where you need to change the mode of many files within a directory structure all at once, and if you had to go through and manually assign the mode to every single file and directory, it would take you a very long time. If you want to do an entire directory structure all at once, add the -R option to the command, and then it will recursively apply the permissions you specify to every file in every subdirectory within the directory that you specify. Basically, it takes care of it all at once. But use it with caution. You need to make sure that every file and directory within the directory structure you specified will have exactly the same mode. If there are files that don't have that mode, you're going to have problems, because they're going to get assigned to it anyway if you use the -R option.

That's it for this lesson. In this lesson we reviewed how permissions are used to control access to files and directories in the Linux file system. We also reviewed how you can use the chmod utility in order to manage permission assignments.
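
The three chmod syntaxes from the lesson and its caution about the recursive option, as an added example that is not part of the original video or its captions. The throwaway directory and empty files are constructed here, GNU stat and find are assumed, and mode_of and demo are hypothetical helper names.

```shell
#!/bin/sh
# Added example; the directory and files below are constructed for illustration.
# Assumes GNU coreutils/findutils (stat -c, find -perm /mode).

mode_of() { stat -c '%a' "$1"; }    # hypothetical helper: print the octal mode

demo() {                            # hypothetical driver function
    d=$(mktemp -d) || return 1
    mkdir "$d/docs"
    : > "$d/docs/project_design.odt"
    : > "$d/docs/newfile"
    f="$d/docs/project_design.odt"

    # Syntax 1: "=" overwrites whatever each entity had before.
    chmod u=rw,g=rw,o=r "$f"
    m1=$(mode_of "$f")

    # Syntax 2: "-" / "+" toggles a single permission for one entity.
    chmod g-w "$f"
    m2=$(mode_of "$f")

    # Syntax 3: numeric mode; 6 = 4 (read) + 2 (write), 0 = nothing for others.
    chmod 660 "$f"
    m3=$(mode_of "$f")

    # Recursive caution: "chmod -R 660 docs" would put 660 on the docs
    # directory as well, removing the execute bit needed to enter it.
    # Give directories and files their own modes instead.
    find "$d/docs" -type d -exec chmod 770 {} +
    find "$d/docs" -type f -exec chmod 660 {} +
    m4=$(mode_of "$d/docs")
    m5=$(mode_of "$d/docs/newfile")

    # Audit: count entries that still grant any permission to others.
    others=$(( $(find "$d/docs" -perm /o=rwx | wc -l) ))

    rm -rf "$d"
    echo "$m1 $m2 $m3 $m4 $m5 $others"
}

demo    # prints: 664 644 660 770 660 0
```

The final find with -perm /o=rwx is the check to keep: run against a real tree, it lists everything that any authenticated user outside the owner and owning group can still touch.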
Info
Channel: The Linux Man
Views: 5,724
Rating: 5 out of 5
Keywords: Linux
Id: DCp4h-GVsEo
Length: 16min 59sec (1019 seconds)
Published: Mon Jan 15 2018