Linux and UNIX File Security

Linux file security is quite simplistic in design, yet quite effective in controlling access to files and directories.

Directories and the files which are stored in them are arranged in a hierarchical tree structure. Access can be controlled for both the files and the directories allowing a very flexible level of access.

File Security Model

In Linux, every file and every directory is owned by a single user on that system. Each file and directory also has a security group associated with it that has access rights to the file or directory. If a user is neither the owner of the file or directory nor a member of its security group, that user is classified as other and may still have certain rights to access the file.

Each of the three file access categories, owner, group, and other, has a set of three access permissions associated with it. The access permissions are read, write, and execute.

A user may belong to more than one group. Regardless of how many groups a user belongs to, if permissions are granted on a file or directory to any one of the user’s groups, the user will have the granted level of access. You can check what groups a user belongs to with the groups command.

$ groups tclark
tclark : authors users

The groups command is called with one argument, the username you want to investigate. As you can see above, the output lists the username followed by all the groups that user belongs to. In this output tclark belongs to the groups authors and users.

From the information previously presented about file and directory commands, using the -l option with the ls command will display the file and directory permissions as well as the owner and group as demonstrated below:

[Figure: Viewing permissions, owner and group]

The ls -l command is the best way to view file and directory ownership and permissions. Now let’s look at what each of these permissions do.

File Permissions

File permissions are represented by positions two through ten of the ls -l display. The nine character positions consist of three groups of three characters. Each three character group indicates read (r), write (w), and execute (x) permissions.

The three groups indicate permissions for the owner, group, and other users respectively.

[Figure: Breakdown of the permissions listing]

In the example above, both the owner and the group have read (r) and write (w) permissions for the file, while other users have only read (r) permission.

The example below indicates read, write, and execute (rwx) permissions for the owner, read and execute (r-x) permissions for the group, and no permissions for other users (---).

[Figure: Another permission listing breakdown]

The alphabetic permission indicators are commonly assigned numeric values according to the scheme shown in the table below:

Alpha   Numeric   Permission
-       0         No permission granted
x       1         Execute permission granted
w       2         Write permission granted
r       4         Read permission granted

Then, each three character permission group can be assigned a number from zero to seven calculated by adding together the three individual numeric permissions granted. For example, if the owner has read, write, and execute permissions, the owner’s permissions can be represented by the single digit 7 (4+2+1). If the group has read and execute permissions, that can be represented by the single digit 5 (4+0+1). If other users have no permissions, that can be represented by the single digit 0 (0+0+0). These three numbers would then be listed in the order of owner, group, other, in this case 750 as a way to definitively describe the permissions on this file.
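The conversion just described, carried a step further as an added example (this is not code from the original post): it turns the nine permission characters of an ls -l line into the three-digit number and back, and then applies the owner / group / other classification from the start of the post to decide whether a given user, with the group memberships reported by the groups command, gets the access a file's mode grants. The user, owner and group names are constructed sample values.

```python
# Numeric weights from the table above: r=4, w=2, x=1; '-' contributes 0.
WEIGHTS = {"r": 4, "w": 2, "x": 1}

def triplet_to_digit(triplet):
    """Convert one three-character group such as 'r-x' to its digit (5)."""
    if len(triplet) != 3:
        raise ValueError("permission group must be 3 characters: %r" % triplet)
    total = 0
    for ch, expected in zip(triplet, "rwx"):
        if ch == expected:
            total += WEIGHTS[ch]
        elif ch != "-":
            raise ValueError("unexpected %r in %r" % (ch, triplet))
    return total

def strip_type(mode):
    """Accept the full 10-character ls -l field or just the 9 permission characters."""
    perms = mode[1:] if len(mode) == 10 else mode
    if len(perms) != 9:
        raise ValueError("expected 9 permission characters: %r" % mode)
    return perms

def mode_to_octal(mode):
    """'-rwxr-x---' -> '750' (owner, group, other)."""
    perms = strip_type(mode)
    return "".join(str(triplet_to_digit(perms[i:i + 3])) for i in (0, 3, 6))

def octal_to_mode(octal):
    """'664' -> 'rw-rw-r--', the inverse mapping."""
    out = []
    for digit in octal:
        n = int(digit)
        if not 0 <= n <= 7:
            raise ValueError("octal digit out of range: %r" % digit)
        out.append(("r" if n & 4 else "-") + ("w" if n & 2 else "-") + ("x" if n & 1 else "-"))
    return "".join(out)

def access_class(user, user_groups, owner, group):
    """Owner wins, then group membership, else 'other'. Exactly one class applies:
    an owner whose owner bits are '---' gets nothing even if 'other' has 'r'."""
    if user == owner:
        return "owner"
    if group in user_groups:
        return "group"
    return "other"

def can_access(user, user_groups, owner, group, mode, wanted):
    """True if every bit in `wanted` (a subset of 'rwx') is set for the user's class."""
    perms = strip_type(mode)
    start = {"owner": 0, "group": 3, "other": 6}[access_class(user, user_groups, owner, group)]
    triplet = perms[start:start + 3]
    return all(bit in triplet for bit in wanted)

# Constructed sample: tclark is in groups 'authors' and 'users', as in the groups output above.
TCLARK_GROUPS = {"authors", "users"}
```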

There are some additional abbreviations that can be used with commands that manipulate permissions. These abbreviations are:

  • u: user owner’s permissions
  • g: group’s permissions
  • o: other’s permissions

These abbreviations can also be used to change permissions on files. As we will see later, they will allow you to manipulate one level of the permissions (perhaps just the permissions granted to group) without changing the others.

Of course just being able to read these permissions isn’t enough… we want to be able to manipulate them. Stay tuned for more on that in the near future.

For more tips like this check out my book Easy Linux Commands, only $19.95 from Rampant TechPress.


Hidden config files in Linux and UNIX

There are some files within the home directory that are ordinarily hidden. Hidden files have names that begin with a period; hence, they have been given the nickname of dot files. Hidden files are not displayed by the ls command unless the -a option is used (ls -a).

The table below lists some of the more common dot files that users should know about. This is by no means a totally comprehensive list. Additional dot files can be found in the user’s home directory; conversely, a given home directory may not contain all of the files listed here. The files found depend upon the applications installed on the server, the utilities that are in use and the command shell that is being used. Since the default shell for Linux is the bash shell, the home directory typically contains the bash related scripts indicated below.

.bash_history
    For users of the bash shell, a file containing up to 500 of the most recent commands, available for recall using the up and down arrow keys.

.bash_logout
    Script that is run by the bash shell when the user logs out of the system.

.bash_profile
    Initialization script that is run by the bash shell upon login in order to set up variables and aliases. When bash is started as the default login shell, it looks for the .bash_profile file in the user’s home directory; if that is not found, it looks for .bash_login. If there is no .bash_login file, it then looks for a .profile file.

.bashrc
    Initialization script executed whenever the bash shell is started in some way other than as a login shell. It is better to put system-wide functions and aliases in /etc/bashrc, which will be presented later in the book.

.gtkrc
    GTK initialization file. GTK+ is a multi-platform toolkit for creating graphical user interfaces, used by a large number of applications. It is the toolkit used by the GNU project’s GNOME desktop.

.login
    The initialization script that is run whenever a user login occurs.

.logout
    The script that is automatically run whenever a user logout occurs.

.profile
    Put default system-wide environment variables in /etc/profile.

.viminfo
    Initialization file for the Vim text editor, which is compatible with vi.

.wm_style
    Specifies the default window manager if one is not specified in startx.

.Xdefaults and .Xresources
    Initialization files for Xterm resources for the user. Application program behavior can be changed by modifying these files.

.xinitrc
    The initialization file used when running startx, which can be used to activate applications and run a particular window manager.

.xsession
    This file is executed when a user logs in to an X-terminal and is used to automatically load the window manager and applications.
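As an added example (not code from the original post), the following walks the .bash_profile, .bash_login, .profile lookup order given for the login shell above, and then applies the permission model from the first post to the dot files in a home directory: a startup script that group or other can write to will run with the owner's rights at the next login, so the owner should be the only writer. The home directory and its files are constructed in a temporary directory for the demonstration.

```python
import os
import stat
import tempfile

# Lookup order the post gives for bash started as the login shell.
LOGIN_CANDIDATES = (".bash_profile", ".bash_login", ".profile")

def login_startup_file(home):
    """Return the name of the first startup file bash would read in `home`, or None."""
    for name in LOGIN_CANDIDATES:
        if os.path.isfile(os.path.join(home, name)):
            return name
    return None

def loose_dotfiles(home):
    """Hidden files in `home` whose group or other write bit is set.

    Returns {name: octal mode}; an empty dict means every dot file is
    writable only by its owner (modes such as 644 or 600)."""
    loose = {}
    for name in sorted(os.listdir(home)):      # like ls -a: dot files are included
        if not name.startswith("."):
            continue
        st = os.lstat(os.path.join(home, name))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            loose[name] = oct(stat.S_IMODE(st.st_mode))[2:]
    return loose

def demo():
    """Constructed home: no .bash_profile, a group-writable .bash_login, a safe .bashrc."""
    home = tempfile.mkdtemp()
    with open(os.path.join(home, ".bash_login"), "w") as f:
        f.write("export EDITOR=vim\n")
    os.chmod(os.path.join(home, ".bash_login"), 0o664)   # group can edit: flagged
    with open(os.path.join(home, ".bashrc"), "w") as f:
        f.write("alias ll='ls -l'\n")
    os.chmod(os.path.join(home, ".bashrc"), 0o644)       # owner-only write: fine
    return login_startup_file(home), loose_dotfiles(home)

if __name__ == "__main__":
    chosen, loose = demo()
    print("login shell reads:", chosen)
    print("dot files writable by group/other:", loose)
```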
