Friday, September 27, 2024

Linux Admin - File / Folder Management

 To introduce permissions as they apply to both directories and files in CentOS Linux, let's look at the following command output.


[centos@centosLocal etc]$ ls -ld /etc/yum* 
drwxr-xr-x. 6 root root 100 Dec  5 06:59 /etc/yum 
-rw-r--r--. 1 root root 970 Nov 15 08:30 /etc/yum.conf 
drwxr-xr-x. 2 root root 187 Nov 15 08:30 /etc/yum.repos.d

Note − The three primary object types you will see are

  • "-" − a dash for plain file

  • "d" − for a directory

  • "l" − for a symbolic link

We will focus on the three blocks of output for each directory and file −

  • drwxr-xr-x : root : root
  • -rw-r--r-- : root : root
  • drwxr-xr-x : root : root

Now let's break this down, to better understand these lines −

dMeans the object type is a directory
rwxIndicates directory permissions applied to the owner
r-xIndicates directory permissions applied to the group
r-xIndicates directory permissions applied to the world
rootThe first instance, indicates the owner of the directory
rootThe second instance, indicates the group to which group permissions are applied

Understanding the difference between ownergroup and world is important. Not understanding this can have big consequences on servers that host services to the Internet.

Before we give a real-world example, let's first understand the permissions as they apply to directories and files.

Please take a look at the following table, then continue with the instruction.

OctalSymbolicPerm.Directory
1xExecuteEnter the directory and access files
4rReadList the files within the directory
2wWriteDelete or modify the files in a directory

Note − When files should be accessible for reading in a directory, it is common to apply read and execute permissions. Otherwise, the users will have difficulty working with the files. Leaving write disabled will assure files cannot be: renamed, deleted, copied over, or have permissions modified.

Applying Permissions to Directories and Files

When applying permissions, there are two concepts to understand −

  • Symbolic Permissions
  • Octal Permissions

In essence, each are the same but a different way to referring to, and assigning file permissions. For a quick guide, please study and refer to the following table −

ReadWriteExecute
Octal421
Symbolicrwx

When assigning permissions using the octal method, use a 3 byte number such as: 760. The number 760 translates into: Owner: rwx; Group: rw; Other (or world) no permissions.

Another scenario: 733 would translate to: Owner: rwx; Group: wx; Other: wx.

There is one drawback to permissions using the Octal method. Existing permission sets cannot be modified. It is only possible to reassign the entire permission set of an object.

Now you might wonder, what is wrong with always re-assigning permissions? Imagine a large directory structure, for example /var/www/ on a production web-server. We want to recursively take away the w or write bit on all directories for Other. Thus, forcing it to be pro-actively added only when needed for security measures. If we re-assign the entire permission set, we take away all other custom permissions assigned to every sub-directory.

Hence, it will cause a problem for both the administrator and the user of the system. At some point, a person (or persons) would need to re-assign all the custom permissions that were wiped out by re-assigning the entire permission-set for every directory and object.

In this case, we would want to use the Symbolic method to modify permissions −

chmod -R o-w /var/www/

The above command would not "overwrite permissions" but modify the current permission sets. So get accustomed to using the best practice

  • Octal only to assign permissions
  • Symbolic to modify permission sets

It is important that a CentOS Administrator be proficient with both Octal and Symbolic permissions as permissions are important for the integrity of data and the entire operating system. If permissions are incorrect, the end result will be both sensitive data and the entire operating system will be compromised.

With that covered, let's look at a few commands for modifying permissions and object owner/members −

  • chmod
  • chown
  • chgrp
  • umask

chmod : Change File Mode Permission Bits

CommandAction
-cLike verbose, but will only report the changes made
-vVerbose, outputsthe diagnostics for every request made
-RRecursively applies the operation on files and directories

chmod will allow us to change permissions of directories and files using octal or symbolic permission sets. We will use this to modify our assignment and uploads directories.

chown : Change File Owner and Group

CommandAction
-cLike verbose, but will only report the changes made
-vVerbose, outputsthe diagnostics for every request made
-RRecursively applies the operation on files and directories

chown can modify both owning the user and group of objects. However, unless needing to modify both at the same time, using chgrp is usually used for groups.

chgrp : Change Group Ownership of File or Directory

CommandAction
-cLike verbose, but will only report the changes
-vVerbose, outputs the diagnostics for every request made
-RRecursively, applies the operations on file and directories

chgrp will change the group owner to that supplied.

Real-world practice

Let's change all the subdirectory assignments in /var/www/students/ so the owning group is the students group. Then assign the root of students to the professors group. Later, make Dr. Terry Thomas the owner of the students directory, since he is tasked as being in-charge of all Computer Science academia at the school.

As we can see, when created, the directory is left pretty raw.

[root@centosLocal ~]# ls -ld /var/www/students/ 
drwxr-xr-x. 4 root root 40 Jan  9 22:03 /var/www/students/

[root@centosLocal ~]# ls -l /var/www/students/ 
total 0 
drwxr-xr-x. 2 root root 6 Jan  9 22:03 assignments 
drwxr-xr-x. 2 root root 6 Jan  9 22:03 uploads 

[root@centosLocal ~]#

As Administrators we never want to give our root credentials out to anyone. But at the same time, we need to allow users the ability to do their job. So let's allow Dr. Terry Thomas to take more control of the file structure and limit what students can do.

[root@centosLocal ~]# chown -R drterryt:professors /var/www/students/ 
[root@centosLocal ~]# ls -ld /var/www/students/ 
drwxr-xr-x. 4 drterryt professors 40 Jan  9 22:03 /var/www/students/

[root@centosLocal ~]# ls -ls /var/www/students/ 
total 0 
0 drwxr-xr-x. 2 drterryt professors 6 Jan  9 22:03 assignments 
0 drwxr-xr-x. 2 drterryt professors 6 Jan  9 22:03 uploads

[root@centosLocal ~]#

Now, each directory and subdirectory has an owner of drterryt and the owning group is professors. Since the assignments directory is for students to turn assigned work in, let's take away the ability to list and modify files from the students group.

[root@centosLocal ~]# chgrp students /var/www/students/assignments/ && chmod 
736 /var/www/students/assignments/

[root@centosLocal assignments]# ls -ld /var/www/students/assignments/ 
drwx-wxrw-. 2 drterryt students 44 Jan  9 23:14 /var/www/students/assignments/

[root@centosLocal assignments]#

Students can copy assignments to the assignments directory. But they cannot list contents of the directory, copy over current files, or modify files in the assignments directory. Thus, it just allows the students to submit completed assignments. The CentOS filesystem will provide a date-stamp of when assignments turned in.

As the assignments directory owner −

[drterryt@centosLocal assignments]$ whoami 
drterryt

[drterryt@centosLocal assignments]$ ls -ld /var/www/students/assignment 
drwx-wxrw-. 2 drterryt students 44 Jan  9 23:14 /var/www/students/assignments/

[drterryt@centosLocal assignments]$ ls -l /var/www/students/assignments/ 
total 4 
-rw-r--r--. 1 adama  students  0 Jan  9 23:14 myassign.txt 
-rw-r--r--. 1 tammyr students 16 Jan  9 23:18 terryt.txt

[drterryt@centosLocal assignments]$

We can see, the directory owner can list files as well as modify and remove files.

umask Command: Supplies the Default Modes for File and Directory Permissions As They are Created

umask is an important command that supplies the default modes for File and Directory Permissions as they are created.

umask permissions use unary, negated logic.

PermissionOperation
0Read, write, execute
1Read and write
2Read and execute
3Read only
4Read and execute
5Write only
6Execute only
7No permissions
[adama@centosLocal umask_tests]$ ls -l ./ 
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myDir 
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myFile.txt

[adama@centosLocal umask_tests]$ whoami 
adama

[adama@centosLocal umask_tests]$ umask 
0022

[adama@centosLocal umask_tests]$

Now, let’s change the umask for our current user, and make a new file and directory.

[adama@centosLocal umask_tests]$ umask 077

[adama@centosLocal umask_tests]$ touch mynewfile.txt

[adama@centosLocal umask_tests]$ mkdir myNewDir

[adama@centosLocal umask_tests]$ ls -l 
total 0 
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myDir 
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myFile.txt 
drwx------. 2 adama students 6 Jan 10 00:35 myNewDir 
-rw-------. 1 adama students 0 Jan 10 00:35 mynewfile.txt

As we can see, newly created files are a little more restrictive than before.

umask for users must should be changed in either −

  • /etc/profile
  • ~/bashrc
[root@centosLocal centos]# su adama 
[adama@centosLocal centos]$ umask 
0022 
[adama@centosLocal centos]$

Generally, the default umask in CentOS will be okay. When we run into trouble with a default of 0022, is usually when different departments belonging to different groups need to collaborate on projects.

This is where the role of a system administrator comes in, to balance the operations and design of the CentOS operating system.

No comments:

Post a Comment