LPI 101-500 – 104.5: Manage file access rights and ownership
July 20, 2023

1. Permissions, chmod

Now we come to the permissions. Every file and every directory has permissions that say who the file belongs to, who can read it, who can write to it and who can execute it. With ls and the option -l we can display the permissions of the individual files and folders. So here in my test directory I use ll, which is an alias for ls -la. On the far left I can see the permissions. The first character is a d for some entries and a minus for others. The d only says that the entry is a directory; all directories have a d. Where there is no d in the first position, it is not a directory but a file.

The permissions begin with the second character and are expressed in nine characters, which are split into three segments of three characters each. Let's take a closer look at the file file4711. Its first character is a minus, so it is a file and not a directory. I will now copy the following nine characters that describe the permissions, divided into three blocks so that it is easier to understand. The first block always describes the permissions of the owner of the file. We see the owner in the third column: the owner of file4711 is manuel. That is manuel, of course, because the file is stored in the home directory of manuel.

So every file in the home directory of manuel should have the owner manuel. The second block always describes the owner group; we see the owner group in the fourth column, and for file4711 it is manuel. By default, each user is also assigned a group with the same name as the username. This is the user's primary group. In this case the user manuel has the primary group manuel. The third block describes the permissions of all other users, that is, all users who are not manuel and do not belong to the group manuel. To summarize again: the first three characters are the permissions for the owner manuel. In this case these permissions are rw-.

r stands for read, so read permission; w stands for write, so write permission to the file; and the third permission is a minus, which means no further permission has been granted here. If it had been granted, there would be an x in place of the minus, which stands for execute, so the right to execute a file. In this case that would make no sense, because it is just a text file and you cannot execute a text file; but if this were a bash script, for example, you would need the execute permission to run the script. So the owner manuel can read the file and write to the file, and write permission is necessary to save this file.

The second block says r--. So members of the group manuel only have read access. They cannot write to the file because no w, so no write access, has been set. Let's try that out. I created a user thomas and added him to the group manuel. I will switch to thomas now with sudo su -. I am root now, and now I switch to thomas. Now I am logged in as thomas, you see it here, and with id I can see my group memberships. We see that thomas is in two groups, in group thomas and in group manuel. So everything is correct.

So let's see if we can look at the file: cat /home/test/file4711. It works fine: we can see the content of the file because we have read permission. Now we try to edit the file with vi /home/test/file4711, and here you can see Read only. Let's add a new line anyway, "changing a read only file test, new test" and so on. Now I want to save it with :wq and we get the warning that the 'readonly' option is set and that the file can't be opened for writing. So it is not possible for us to save this file. We can only leave the file without saving it, so I quit with :q!, and now we are out of the file. How do we proceed to assign write rights to the group manuel and thus also to the user thomas? Here we use the chmod command, which stands for change file mode.

With this we can set or change the permissions. chmod can be used both with the numeric (bit) notation and with the symbolic notation. We will first concentrate on the bit notation, because it is probably the most common. So I exit thomas and root here and am logged in as manuel again. We only have to remember the numbers for the corresponding permissions. Focusing just on the first block, the owner permissions: the first character that appears is always r. The read permission r always has the number four, so r equals four. After the r follows the w for write; w has the number two.

So w equals two. In the third position, when the permission is granted, we have the x, and x always has the value one. With these numbers we can express which permissions are set: one digit is formed from each of the three permission groups. An example, the first three characters of file4711: r, w and minus. r stands for read and has the number four, w stands for write and has the number two, and minus stands for zero. So we have four plus two, which is six. The second permission group is r--: r is four, minus and minus are zero, so we have four. So six, four. And the same for all other users.

r stands for four, minus for zero and minus for zero, so four. In bit notation the entire permissions would be expressed as six four four. You have to know that and keep it in mind for the exam, because it is a very important topic. Please practise this, just try it out a few times so that you remember: r stands for four, w for two and x, execute, for one. With that you can always calculate your bit notation permission. So let's try it again with another example. Here we have rwx, so r is four, w is two and x is one; the first part of the bit permission is seven, because four plus two plus one is seven. Then we have r-x: r is four, minus is zero and x is one, so four plus one is five.

And the same here: four plus one is five. So in bit notation this would be seven five five. Please practise this for the exam. Okay, now we have to ensure that the owner group also has write access to the file. The owner group is the second permission group. At the moment there is only an r for read; the w for write is missing, and w has the number two. So we add two to the second digit: here we have four, we add the write permission, which is two, and then it is six. So we would have six six four. I hope that is understandable. Accordingly, the bit notation for the desired state is six six four and no longer six four four.

With chmod and the bit value you can now change the permission: chmod 664 file4711. And you see here, now we have six six four, where before we had six four four. Now we should try it again with thomas, because the group manuel now also has write permission. So let me log in as thomas again, and I try again vi /home/test/file4711, add the new test line, and it worked. I check with cat /home/test/file4711, and here we see the new test line. So the saving was successful. We set the w for the group by making six six four out of six four four, and thomas now has the permission to save this file.

2. Sticky Bit, SETUID, SETGID

How does it all work with directories? Actually exactly the same, because directories are only files, and in Linux everything is a file. There are also r, w and x for directories, with the bit values four, two and one. Only the meanings of r, w and x are different for directories. The read permission on a directory means that you can look into the folder and see the names of the files and subdirectories, but no further data such as owner or permissions. The write permission on a directory means that files and subdirectories can be created in it and also deleted again, and properties of files and directories can also be changed.

The execute permission on a directory means that you can change into this directory and also view the owner and permissions of its contents. In the home directory the owner has all permissions on all directories. So let's have a look at the Pictures directory. Here we see the first three permissions; these are the permissions for the owner of the directory, so for me in this case, and we have basically all permissions: rwx. How does it look in / for us? The last three characters of each permission entry are interesting, because they apply to all other users, so everyone except the owner and owner group. Owner and group are only root here.

Accordingly, we fall into the last three permission characters. At first glance the lost+found directory looks like we don't have any rights there. So let's try to switch to this folder: cd lost+found, and we get Permission denied. It doesn't work and we can't get in. I go back to my home directory. Instead of using the bit notation, we can also change the permissions with the symbolic notation. Suppose we want to assign the chmod value seven five five to file4711, to make it a little bit clearer. This file is currently using the chmod value six six four. We can do that with the command chmod 755 file4711, as I showed you in the last lesson.

The other possibility would be chmod u=rwx,g=rx,o=rx file4711. The u here stands for user and means in this context the owner of the file, the g stands for group, so the owner group, and the o stands for others, so for everyone else. And now you can see we have the new chmod value rwx r-x r-x, exactly what we wanted. In contrast to the permissions that we see with ls -l, here we do not write a minus for a missing permission but simply leave it out. If, as in this case, group and others are the same, we can also use an abbreviated notation.

It would look like chmod u=rw,go=rx file4711. This also works, and you can see here rw- r-x r-x. It is also possible to add missing permissions with a plus sign. For example, we would like to give the group write permission. In this case we would use chmod g+w file4711, and you can see now we have group write permission. Okay, let's get back to the bit notation. We have now seen numbers like six four four, seven five five or seven seven seven. Correctly, we should actually write these as 0644, 0755 or 0777, because there are three more special permissions that are assigned using this first number.

Since these permissions are not used as often as the others, the first number is omitted by many. What are these three special permissions? First we have the so-called sticky bit, which can be found on the /tmp directory: ls -l / | grep tmp. If you look at the permissions here, I'll give you a few seconds, you should immediately notice something, namely the very last character. Here, in the area that stands for all other users, we find a small t, which is the symbol for the sticky bit. It also means that the last x, the right to execute, is set underneath. If the execute right was not originally set and we had a minus instead of the x, then the sticky bit would appear as a capital letter.

So a capital T. Because the t is a small letter, we know that normally there would be an x here. The sticky bit ensures that in the folder on which it is applied, to which everyone has full access, each user can only delete his own data and not that of others. With the /tmp directory this makes sense, of course, since this folder is often used to copy files back and forth to edit or test them, and if everybody could erase everything here, there would often be problems. How is the sticky bit set? The sticky bit is the number one in the first digit. So we would, for example, use chmod 1755 test, and here you can see that the previous x has become a t.

The sticky bit has now been set successfully, which means again, as a reminder, that from now on each user can only delete his own files and no others. Let's take a look at another example. I would now like to edit the tar directory twice, to make the difference between a small and a capital T clear again. First I withdraw the execute right for others from the directory with chmod o-x tar, and here we can see that there is no right to execute for others anymore. Now we set the sticky bit without changing the other permissions. The current permissions are seven seven four, so we set the sticky bit as follows: chmod 1774 tar.

And we see that the sticky bit is now capitalized, because the directory has no execute right set for others. Of course, it could also be added in the other notation, for example with chmod o+t tar; that would also work. We come to the next special right, the so-called SETUID bit, so set user ID bit. If the SETUID bit is set on an executable file, the corresponding program is always started with the rights of the file owner. This is done, for example, if a user without root rights is to be enabled to start a program that needs root rights; instead of assigning root rights to the user, even though he is not an administrator, the SETUID bit can be set. The SETUID bit has the number four.

So if I want to give the file test.sh the SETUID bit, I use the command chmod 4775 test.sh, because at the moment we have seven seven five here. The SETUID bit can now be recognized by the lower-case s in the owner permissions. As with the sticky bit's t, the s is placed in the last position instead of the x, and if the x was not previously set, the s is displayed in upper case. A capital S means that the SETUID bit is ignored even though it is set. The SETUID bit should only be set with great caution, because especially if the owner is root and a normal user receives root rights for the corresponding program, a bug in the software could result in a huge security gap.

The last special right is the SETGID bit, so set group ID. Similar to SETUID, the SETGID bit applied to a file causes a user to execute the program with the permissions of the owner group. In contrast to the sticky bit and the SETUID bit, the SETGID bit can also be used on a directory. When used on a directory, the SETGID bit has the effect that the group of the directory is inherited by newly added folders and files. The SETGID bit has the number two and is set accordingly with, for example, chmod 2777 test.sh. In the case of the SETGID bit, the bit is also displayed as an s in the permissions, but this time in the group permissions.
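A small converter for the notation drilled in sections 1 and 2, as an added example that is not part of the course material: it turns the nine permission characters shown by ls -l, including s/S and t/T, into chmod's four-digit value and back, and checks the result against what the kernel reports for a scratch directory. The function names are my own.

```python
"""Convert between ls -l permission characters and chmod's four-digit value.

Added example, not from the course: it implements the rule from sections 1 and 2
(r=4, w=2, x=1 per block; setuid=4, setgid=2, sticky=1 in the leading digit;
a lower-case s/t hides an x that is set, an upper-case S/T one that is not)
and checks the result against what the kernel reports for a scratch directory.
"""
import os
import stat
import tempfile

WEIGHTS = {"r": 4, "w": 2, "x": 1}
# For each block (owner, group, others): the letter shown in the x position
# when the special bit is set, and the value of that bit in the leading digit.
SPECIAL = (("s", 4), ("s", 2), ("t", 1))


def mode_to_octal(perm):
    """'rw-r--r--' -> '0644', 'rwsrwxr-x' -> '4775', 'rwxrwxr-T' -> '1774'."""
    if len(perm) != 9:
        raise ValueError("expected the nine permission characters, e.g. rw-r--r--")
    leading = 0
    digits = []
    for i, (letter, bit) in enumerate(SPECIAL):
        r, w, x = perm[3 * i:3 * i + 3]
        if x.lower() == letter:
            leading |= bit                    # special bit is set in this block
            x = "x" if x.islower() else "-"   # lower case: x underneath, upper: no x
        value = 0
        for ch, expected in ((r, "r"), (w, "w"), (x, "x")):
            if ch == expected:
                value += WEIGHTS[expected]    # r=4, w=2, x=1, as in the lesson
            elif ch != "-":
                raise ValueError(f"unexpected character {ch!r} in {perm!r}")
        digits.append(value)
    return f"{leading}{digits[0]}{digits[1]}{digits[2]}"


def octal_to_mode(octal):
    """'0755' -> 'rwxr-xr-x', '1774' -> 'rwxrwxr-T', '2777' -> 'rwxrwsrwx'."""
    value = int(octal, 8)
    out = []
    for i, (letter, bit) in enumerate(SPECIAL):
        triple = (value >> (6 - 3 * i)) & 0o7
        r = "r" if triple & 4 else "-"
        w = "w" if triple & 2 else "-"
        x = "x" if triple & 1 else "-"
        if value & (bit << 9):                # 4000 / 2000 / 1000 in octal
            x = letter if triple & 1 else letter.upper()
        out.extend((r, w, x))
    return "".join(out)


def kernel_mode(octal):
    """Apply the value with chmod to a scratch directory and read back ls -l's view."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "test")
        os.mkdir(target)
        os.chmod(target, int(octal, 8))
        return stat.filemode(os.stat(target).st_mode)[1:]   # drop the leading 'd'


if __name__ == "__main__":
    for perm in ("rw-r--r--", "rw-rw-r--", "rwxr-xr-x", "rwsrwxr-x", "rwxrwxr-T"):
        print(perm, "->", mode_to_octal(perm))
    for octal in ("0755", "1777"):
        print(octal, "->", octal_to_mode(octal), "kernel:", kernel_mode(octal))
```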

3. chown, chgrp

Turning to ownership: we've talked a lot about what the permissions of the owner and owner group of a file or directory look like. Who the owner and the owner group are can be easily identified with ls -l, or ll in my case. Here the first name is always the owner and the second name is always the owner group. How can we change the owner or owner group of a file? With the command chown, which stands for change owner. This command can change both the owner and the owner group. So let's change the owner of file4711 to the user thomas. chown has to be executed with sudo rights: sudo chown thomas:thomas file4711. Now file4711 has a new owner, thomas, and a new owner group, also thomas.

Of course, you can also change only one of the two. For example, sudo chown :manuel file4711, and now we see that the file still has the owner thomas but the owner group manuel. Owner and owner group are always separated from each other with a colon after chown, so owner colon owner group. If, as now, only the owner group should be changed, you write nothing in front of the colon; the owner is missing here because it should not be changed, and after the colon you put the appropriate group. If you only want to change the owner and not the group, you write it as follows: sudo chown manuel file4711.

Now we see that we have the ownership from before again: manuel is the owner and manuel is the owner group. Okay, let's try another thing. We have the regex folder here, and if we apply chown to a directory, say that thomas and the group thomas should own the directory regex, we can do it with sudo chown thomas:thomas regex. It worked the way we wanted it to: here, thomas thomas. Now we switch into the regex folder, and in the output we notice that the directory regex itself now has a new owner and a new owner group, thomas and thomas, but the files within the directory do not.

For this we would have to use the -R option, which stands for recursive. So let's try it again with sudo chown -R thomas:thomas regex. Now you can see we have only one file here, and this file now has the owner thomas and the owner group thomas; before it was manuel and manuel. Just for explanation: the single period here means the current directory, so the directory regex, and the two periods mean the parent directory of regex, so the directory manuel in this case, and of course the directory manuel still has the owner manuel and the owner group manuel. Instead of chown you can also use the chgrp command, which stands for change group, to change the owner group and only the owner group.

With this command you can only change the group and nothing else. An example: sudo chgrp -R manuel regex. We see here that the group of regex has now changed, so it is manuel again, but the owner was not changed. It is important to know that chgrp can only change the owner group and not the owner. Let's switch into the regex folder, and here you can see it on the file: the owner has remained the same, it is still thomas, and only the group has changed to manuel. To repeat: if we want to change an owner or an owner group we can use chown, which can change both, and there is also the chgrp command, which can only be used to change the owner group.

4. umask

Last but not least, the umask is missing. It is a mask or stencil that is used to modify the standard permissions. Normally, newly created files would be given the permissions six six six, in other words read and write permissions for the owner, for the owner group and for everyone else. By default, directories would have the permission 777, so full control. This can be changed with the help of the umask. With umask -p we can display the current umask value; in this case the umask value is 0022. I just said that files would be created with the permissions six six six, or 0666. From this value we subtract the umask value.

So we mentally put these values below one another and subtract the individual digits. Just to show it here: six six six and zero two two, and now we subtract every single digit from the one above it. In this case it would be six four four. This means that when a new file is created, it automatically receives the permission six four four. Let's check whether this is correct. I will first create a new folder so that it is clearer, and then we create a file with touch testfile and look at the permissions. We have six four four here: the r stands for four, the w for two, so six, and then six four four. What about directories? The standard would be 0777, so let's do our math again.

Zero seven seven seven, and our umask 0022. We subtract again: zero minus zero is zero, seven minus zero is seven, seven minus two is five, seven minus two is five. Okay, let's create a directory with mkdir test, and here too we have the permissions seven five five. Of course, we can also change the umask value. Let's for example use the value 026, so just the command umask 026. We check that with umask -p, and now we have the umask value 0026. And we start calculating again. How about a file? 0666 is the default value, and our new umask value is 0026. Six minus zero is six, six minus two is four, and six minus six is zero.

So this means that if we create a file now, it has to be given the permission six four zero. Let's try it out with touch testfile2, and you can see here that the read permission for all others is gone. What about directories at this value? The standard value for directories is 777 and our new umask value is 0026; we do all the math again, and we have seven five one. Let's create a directory again with mkdir test2, and we have the permissions seven five one here. I think that's clear now. But what happens if we use the umask value 027 instead of 026? Let's try it out: umask 027, umask -p. In the case of a directory the calculation would look like this: 0777 minus 0027 is 0750.

That means the x permission for others would be lost. So with the umask value 0026 we had the x permission for others, and with umask 027 we don't have the x permission anymore. Okay, what about files? Let's look again at files: six six six and the new umask value 0027, and we do our math again: zero, six, four, minus one. The last digit, six minus seven, would theoretically result in minus one. Since there is no minus one in permissions, the system simply treats it as zero. So the actual result here would be 0640: while the permissions change for directories, they remain unchanged for files, because it is the same permission value as with umask 026.

We can now test that. I've already set the umask, as you saw before. Let's make a directory with mkdir test3 and a file with touch testfile3. Okay, we have the file here, see the permissions; we can confirm that it has the same permissions as testfile2. And we can also confirm that the directory test3 was created with the permissions seven five zero. So everything is as we wanted it. You can also look at the current umask value with umask -S; these are then the values that will be applied to directories. If you omit the x here, that would be the value for files. If we have set our own umask value, it is not valid for all time, but only until we restart the terminal.

So we check with umask -p, and we currently have a umask value of 0027. Now I close the terminal and open it again: umask -p, and now we are back to the umask value 0002. So this is the standard setting in my case. I know I showed you the examples before starting with umask 022, because I thought it would be easier to understand, but the standard umask value in my case is 0002. If the value is to be changed permanently, this must be done in the file /etc/login.defs. So let's look at login.defs and find the umask value. Here we find the umask value 022, which we would have to change here.

Then it would always be changed by default. Important: if the value USERGROUPS_ENAB is set to yes, then this modifies the umask default value for private user groups, that is, where the UID is the same as the GID and the username is the same as the primary group name. For these, the user permissions will be used as group permissions. For example, 022 here will become 002. So that is just a short explanation of why you can see 022 here while my standard umask value with umask -p is 0002, but I think that is not important for the exam, just for explanation.
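The umask arithmetic from this section as an added example, my own code and not part of the course: it carries out the lecturer's digit-by-digit subtraction with the "minus one counts as zero" rule, compares it with the rule the kernel actually applies (the default mode with every bit that is set in the umask cleared), and verifies both by creating a file and a directory under the given umask. It goes one step beyond the lesson: for a umask such as 033 the subtraction no longer matches, because subtracting digits is not the same as clearing bits. Function names and the sample umask values are mine.

```python
"""umask arithmetic from section 4 (added example, my own code, not the course's).

subtract_digits() is the lecturer's mental method, including the rule that
6 - 7 counts as 0; apply_umask() is what the kernel really does (clear every
bit of the default mode that is set in the umask); created_modes() checks both
against a real file and directory created under that umask.
"""
import os
import stat
import tempfile

FILE_DEFAULT = "0666"   # new files start from rw-rw-rw-
DIR_DEFAULT = "0777"    # new directories start from rwxrwxrwx


def subtract_digits(default, umask):
    """Digit-by-digit subtraction as in the lesson; negative results become 0."""
    return "".join(str(max(int(d) - int(m), 0)) for d, m in zip(default, umask))


def apply_umask(default, umask):
    """The kernel's rule: default & ~umask, printed as four octal digits."""
    return format(int(default, 8) & ~int(umask, 8) & 0o7777, "04o")


def created_modes(umask):
    """Create a file and a directory under `umask`; return their octal modes."""
    old = os.umask(int(umask, 8))
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path_file = os.path.join(tmp, "testfile")
            path_dir = os.path.join(tmp, "test")
            with open(path_file, "w"):      # open() asks for 0666, like touch
                pass
            os.mkdir(path_dir)              # mkdir asks for 0777
            return (format(stat.S_IMODE(os.stat(path_file).st_mode), "04o"),
                    format(stat.S_IMODE(os.stat(path_dir).st_mode), "04o"))
    finally:
        os.umask(old)                       # restore, like closing the terminal


def methods_agree(umask):
    """True when the lesson's subtraction gives the same answer as the kernel."""
    return (subtract_digits(FILE_DEFAULT, umask) == apply_umask(FILE_DEFAULT, umask)
            and subtract_digits(DIR_DEFAULT, umask) == apply_umask(DIR_DEFAULT, umask))


if __name__ == "__main__":
    # 0022, 0026 and 0027 are the values from the lesson; 0033 is a constructed
    # case where a umask digit has a bit the default does not have.
    for umask in ("0022", "0026", "0027", "0033"):
        print(umask,
              "subtraction:", subtract_digits(FILE_DEFAULT, umask), subtract_digits(DIR_DEFAULT, umask),
              "kernel:", apply_umask(FILE_DEFAULT, umask), apply_umask(DIR_DEFAULT, umask),
              "actual:", *created_modes(umask),
              "agree:", methods_agree(umask))
```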
