[For beginners] Simple explanation of permissions
This is Nakagawa from the System Solutions Department.
The other day, I received an inquiry about permissions, so in this article I researched the information myself and summarized it.
What is permission?
On Linux, every directory and file has a defined owner.
Permissions are the rights to manipulate directories and files.
They are also called access rights, but this article uses the term permissions throughout.
A permission is described by the kind of authority, the users it applies to, and its notation, as shown below.
Permission | Symbolic notation | Numeric notation | Target user |
---|---|---|---|
Read permission | r | 4 | Owning user |
Write permission | w | 2 | Users belonging to the owning group |
Execute permission | x | 1 | Other users |
No permission | - | 0 | |
Check permissions
Let's actually check the permissions.
You can check this by running ls -l on the target directory/file.
As an example, let's check the /home/lpic/index.html file.
    ls -l /home/lpic/
    total 8
    -rw------- 1 lpic linux 16 Jan 14 01:16 index.html
    drwx------ 2 lpic linux 4096 Jan 14 01:17 test
Let me explain what the permissions mean.
    ls -l /home/lpic/index.html
    -rw------- 1 lpic linux 16 Jan 14 01:16 /home/lpic/index.html
The leftmost item in the execution results of the ls command corresponds to permissions.
By default it is 10 characters long. The first character is the file type, and the remaining nine show the permissions for each class of user, three characters per class.
Privileges of the owner user (lpic) = rw-
⇒ Can display the file using the cat command, etc., or edit the contents using the vi command.
Owning group (linux) privileges = ---
⇒ Cannot view, edit, or access the file.
Other users' privileges = ---
⇒ Cannot view, edit, or access the file.
Next, let's take a look at the /home/lpic/test directory.
To check a single directory, use the ls command with the -ld option.
    ls -ld /home/lpic/test
    drwx------ 2 lpic linux 4096 Jan 14 01:17 test
Since the target is a directory, the first character of the permission is displayed as "d".
The meaning of the permissions for the test directory is as follows:
Owner user (lpic) privileges = rwx
⇒ Can display a list of files in the directory, create files, and access files in the directory.
Owner group (linux) privileges = ---
⇒ Cannot display a list of files in the directory, create or delete files, or access files.
Other users' privileges = ---
⇒ Cannot display the list of files in the directory, create/delete files, or access files.
Operate as the owner user
Let's try these operations as a user who actually has the privileges.
Cat the index file as the lpic user, who has read permission.
    [lpic@loclhost ~ ]$ cat /home/lpic/index.html
    Thu Jan 18 11:08:57 JST 2018
List the test directory as the lpic user, who has read permissions.
    [lpic@loclhost ~ ]$ ls -ld /home/lpic/test/
    drwx------ 2 lpic linux 4096 Jan 14 01:17 /home/lpic/test/
As the lpic user, who has read permissions, navigate to the test directory.
    [lpic@loclhost ~ ]$ cd /home/lpic/test/
    [lpic@loclhost test ]$
⇒All execution results were successful!
Operate as a non-owner user
Next, let's see what happens when you run it as a user without privileges.
Cat the index file as the lpic2 user who does not have read permissions.
    [lpic2@loclhost ~ ]$ cat /home/lpic/index.html
    cat: /home/lpic/index.html: Permission denied
List the test directory as the lpic2 user without write permissions.
    [lpic2@loclhost ~ ]$ ls -ld /home/lpic/test/
    ls: cannot access /home/lpic/test/: Permission denied
Change to the test directory as the lpic2 user who does not have execution privileges.
    [lpic2@loclhost ~ ]$ cd /home/lpic/test/
    bash: cd: /home/lpic/test/: Permission denied
⇒Since you do not have permission, "Permission denied" will be returned.
To operate as a user other than the owning user and group
There are several ways to enable the lpic2 user to operate on the target directory/file.
- Change the owner of the target directory/file.
- After changing the permissions of the owning group, add the lpic2 user to the owning group.
- Change the permissions of the target directory/file, etc.
When performing such tasks, it is often necessary to change the permissions of the target environment.
Let's actually run it.
First, run the chmod command as a user who can manipulate the index.html file.
Please note that operations cannot be performed unless other users are granted permissions to the upper directory of the target file (in this case /home/lpic).
    [lpic@loclhost ~ ]$ chmod 707 /home/lpic/
    [lpic@loclhost ~ ]$ chmod 706 /home/lpic/index.html
The chmod command changes permissions.
If you add the -R option, the change is also applied to the files under the target directory, but it does not grant execution permission, so this time I changed each one individually.
Let's take a look at the changed permissions.
    [lpic@loclhost ~ ]$ ls -l /home/lpic/
    total 8
    -rw----rw- 1 lpic linux 29 Jan 18 11:08 index.html
    drw----rw- 2 lpic linux 4096 Jan 14 01:17 test
Cat index.html as the lpic2 user.
    [lpic2@loclhost ~ ]$ cat /home/lpic/index.html
    Thu Jan 18 11:08:57 JST 2018
This time I was able to display the contents of the file.
This means that the permissions were changed correctly.
Lastly
If permissions are not granted correctly, one possible impact is that a file published for browsers returns "Forbidden (403 error)" when it is accessed, because it does not have read permission for general (other) users.
However, settings that allow anyone to edit and execute important files such as configuration files are not a good idea from a security perspective.
When operating a server, setting appropriate permissions for each file will help you create a safer and more optimal site.
I would like to deepen my understanding of permissions as a means of providing the site that our customers are aiming for, or stable server operation.
I would like to summarize the contents related to this article.