Advanced File Permission in Linux
7/29/2019
Advanced File Permissions in Linux - ( STICKY BIT )
Successful People in life seem to like LINUX
Basic User Administration in Linux
To create a new user account on any Linux distribution, use the useradd command (adduser on Debian-based systems is a friendlier wrapper around it). Supplying just the user name is enough. Only the superuser (root) can create accounts. User account information is stored in /etc/passwd (account data, world-readable), /etc/shadow (password hashes and ageing, readable by root only) and /etc/group (group membership).
The usermod command modifies an existing account, for example to add the user to a group. There are two kinds of group membership: the primary group (-g) and secondary, or supplementary, groups (-G).
When a user account is created, some default values are applied to it. To view these defaults, use useradd -D:
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no
Creating a new user without specifying a group
# useradd sam
$ mkdir testdir
$ touch file1
$ ls -ld file1 testdir
-rw-rw-r-- 1 sam sam 640 Jan 15 06:21 file1
drwxrwxr-x 2 sam sam 4096 Jan 15 06:18 testdir
On Linux, when a user is created without a group being specified, a group with the same name as the user is created and the user becomes its (only) member (see user sam above). This is the "user private group" scheme.
Password in Linux
A user account created without a password is locked (its password field in /etc/shadow is "!!"), so nobody can log in with it until root sets a password with the passwd command.
Setting a password for user sam
# passwd sam
Changing password for user sam.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Directly supplying the encrypted password
Whatever password we give a user account is hashed before it is stored. With the useradd -p option we can supply the hash directly; it is produced by the crypt(3) function (for example with openssl passwd). This option is not recommended: the hash appears on the command line, where any user listing processes (ps) can read it, and it is also written to the shell history.
Creating a user account with an expiry date
# useradd -e 2013-04-30 user1
From 30/4/2013 the user1 account is disabled [-e EXPIRE_DATE]. To keep an account usable for a grace period after its password expires, use the [-f INACTIVE] option.
Setting the account inactive period
# useradd -e 2013-04-30 -f 3 user2
-f sets the number of days after a password expires before the account is disabled. During that window (3 days here) the user may still log in but is forced to change the password. -f 0 disables the account as soon as the password expires; -f -1 (the default) never disables it for that reason.
Adding a new user [user1] with home directory /home/oracle
Normally an ordinary user has no rights on /home/oracle. If user1 must read files inside /home/oracle, user1 has to belong to the directory's group (oinstall) and that group must be granted the needed permission: read and execute to list and enter the directory (write as well would let group members create and delete files there).
Add user1 with primary group oinstall (-g) and home directory /home/oracle (-d)
# useradd -g oinstall -d /home/oracle user1
Granting the group read and execute permission
# chmod g=rx /home/oracle/
Listing /home/oracle permissions
# ls -ld /home/oracle/
drwxr-x--- 29 oracle oinstall 4096 Jan 15 00:02 /home/oracle/
Logged in as user1 and checking user1's home path
$ whoami
user1
$ pwd
/home/oracle
Caveat: sharing the oracle user's home directory gives user1 read access to everything in it, including dotfiles such as .bash_history and any keys or wallet files kept there. A separate home directory plus a shared, group-owned project directory is the safer design.
USERDEL
To remove a user from the system, use the userdel command. With the -r option the user's home directory and mail spool are removed as well.
# userdel username
# userdel user1
Deletes the user1 account. The home directory is left in place, now owned by an orphaned UID.
# userdel -r username
# userdel -r user1
Deletes the user1 account together with its home directory and all files inside it.
# userdel -f username
# userdel -f user1
Deletes the account even if the user is still logged in, and removes the home directory even if another account shares it or the files are not owned by the user. This option is dangerous; use with caution.
GROUPADD and GROUPDEL
The groupadd command creates a new group. If we do not specify a group ID (-g), Linux assigns the next free value above GID_MIN from /etc/login.defs, larger than every existing group ID. GID_MIN is 500 on older Red Hat based systems and 1000 on most current distributions; values below it are reserved for system groups.
Group account information is kept in /etc/group, and the secure part (group passwords and administrators) in /etc/gshadow. Use useradd or usermod to add a user to a group.
# groupadd groupname [creates a new group]
Creating a group with a specific group ID
# groupadd -g 9090 apache
# grep 9090 /etc/group
apache:x:9090:
# groupdel groupname
The groupdel command deletes (removes) a group. It is an administrative command and takes no options; give it the group name directly. It refuses to remove the primary group of an existing user.
GROUPMOD
System administration command that modifies group information.
Rename a group. The new name comes first, then the current name.
# groupmod -n new_name old_name
# groupmod -n apache1 apache
# grep 9090 /etc/group
apache1:x:9090:
Change the group ID from 9090 to 9095
# groupmod -g new_id groupname
# groupmod -g 9095 apache1
# grep 9095 /etc/group
apache1:x:9095:
-g specifies a new group identification number (GID). The GID must be a non-negative decimal integer and must be unique unless -o is also given. Files that carry the old GID are not updated; fix them with chgrp or chown afterwards.
USERMOD
The usermod command modifies an existing user account.
Set a new home directory for user1
# usermod -d /home/oracle user1
user1's old home path was /home/user1; now /home/oracle/ is the home (-d) path. Without -m the contents of the old home directory are not moved.
Setting a password expiry date and a 1-day inactive period
# usermod -e 2013-01-16 user1
# usermod -f 1 user1
-e : the date on which the account is disabled.
-f : the number of days after the password expires during which the user can still log in (and is forced to change the password) before the account is disabled.
Set a new primary group: oinstall
# usermod -g oinstall user1
To lock the user's password
# usermod -L user1
To unlock the user's password
# usermod -U user1
-L only prefixes the hash in /etc/shadow with "!", which blocks password logins. Methods that do not check the password, such as SSH public keys, still work. To disable an account completely, also set an expiry date in the past, e.g. chage -E 0 user1.
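The locked, expired and shared-home states produced by the useradd/usermod options above can be audited straight from the account files. The following shell script is an added example, not code from the original page. It embeds constructed /etc/passwd and /etc/shadow records (all names, UIDs, hashes and dates are made up) so it runs offline and without root; to audit a live host, replace the two variables with the real file contents as root.

```sh
#!/bin/sh
# Added example, not from the original page: audit account state the way the
# useradd/usermod options above leave it in /etc/passwd and /etc/shadow.
# PASSWD_DATA and SHADOW_DATA are constructed sample records (made-up names,
# UIDs, hashes and dates) so the script runs offline; to audit a live host
# replace them with  $(cat /etc/passwd)  and  $(cat /etc/shadow)  as root.
set -eu

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
oracle:x:501:501::/home/oracle:/bin/bash
sam:x:502:501::/home/oracle:/bin/bash
user1:x:503:501::/home/user1:/bin/bash
backdoor:x:0:0::/tmp:/bin/bash
svc:x:504:504::/var/lib/svc:/sbin/nologin'

# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# A hash beginning with "!" or "*" is locked (useradd without passwd, usermod -L).
# "expire" is days since 1970-01-01, as written by useradd/usermod -e.
SHADOW_DATA='root:$6$abc:15700:0:99999:7:::
oracle:$6$def:15700:0:99999:7:::
sam:!!:15700:0:99999:7:::
user1:$6$ghi:15700:0:99999:7:1:15721:
backdoor:$6$jkl:15700:0:99999:7:::
svc:*:15700:0:99999:7:::'

# Accounts whose password is locked or unusable (one name per line).
locked_accounts() {
  printf '%s\n' "$SHADOW_DATA" | awk -F: '$2 ~ /^[!*]/ { print $1 }'
}

# Accounts with UID 0 other than root: a common persistence trick, since the
# kernel only looks at the UID, never at the name.
extra_uid0_accounts() {
  printf '%s\n' "$PASSWD_DATA" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose expiry date (field 8) is on or before the given day number.
# $1 = "today" as days since the epoch, e.g. $(( $(date +%s) / 86400 )).
expired_accounts() {
  printf '%s\n' "$SHADOW_DATA" |
    awk -F: -v today="$1" '$8 != "" && $8 <= today { print $1 }'
}

# Home directories shared by more than one account (as in the /home/oracle
# example above): the extra user can read everything there and, with group
# write, plant dotfiles that the other account's shell will execute.
shared_homes() {
  printf '%s\n' "$PASSWD_DATA" | awk -F: '
    { count[$6]++; users[$6] = users[$6] " " $1 }
    END { for (h in count) if (count[h] > 1) print h ":" users[h] }'
}

# Usage (after sourcing or pasting the functions):
#   locked_accounts; extra_uid0_accounts
#   expired_accounts "$(( $(date +%s) / 86400 ))"; shared_homes
```

On a real host, feed the functions the live files and compare the UID 0 and shared-home lists against what the build documentation says should exist; any difference is a finding.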
LAST and LASTB
last displays the most recent logins and the system's last reboot times and dates.
$ last reboot
reboot system boot 2.6.9-42.0.0.0.1 Sun Jan 13 04:34 (2+21:33)
reboot system boot 2.6.9-42.0.0.0.1 Sat Jan 12 04:14 (3+21:53)
The last command searches back through /var/log/wtmp and displays a list of all users logged in (and out) since that file was created.
$ last oracle
List all entries for the user oracle.
$ last -6
List only the last 6 entries.
$ last
List all entries.
$ last -x | grep shutdown | head -1
shutdown system down 2.6.9-42.0.0.0.1 Wed Jan 16 02:14 - 02:21 (00:07)
-x : also display system shutdown entries and run level changes.
$ lastb
Display a list of recent bad login attempts (from /var/log/btmp).
Both wtmp and btmp are binary files on the host itself, and clearing them is one of the first things an intruder does; ship them (or the authentication log) to a remote collector if they are to be relied on.
HISTORY
The history command displays the command number and the command line for each previous command; it is a convenient way to review what was run and a useful, if easily edited, audit trail.
$ history
255 cd $ORACLE_HOME
256 cd dbs/
257 orapwd file=orapwtestdb password=welcome entries=3
258 exit
259 cd $ORACLE_HOME
260 cd dbs/
Note entry 257: the SYS password passed to orapwd on the command line is now stored in clear text in ~/.bash_history, and was visible to every user in ps while the command ran. Let the tool prompt for the password instead, or at least keep such commands out of the history (a leading space with HISTCONTROL=ignorespace).
CHMOD, CHGRP and CHOWN in LINUX
All three commands manage file and directory access in Linux. Every file and directory has an owner and a group. The ls -l command (ls -ld to show a directory itself rather than its contents) displays both together with the permission bits.
drwxr-xr-x 2 oracle oinstall 4096 Jan 16 03:43 script
-rw-r--r-- 1 oracle oinstall 670 Jan 16 03:43 script.sql
chown vs chgrp
The chown command changes the owner of files and directories and can change the group at the same time. On Linux only root can change the owner of a file: an ordinary user cannot "give away" a file, which would defeat disk quotas and let users plant files that appear to belong to someone else. Owner and group are separated by ":"; the older "." separator also works in GNU chown but is deprecated, so use ":" in scripts.
chown stands for CHange file OWNership (and group).
Checking /home/oracle permissions
# ls -ld /home/oracle/
drwxr-x--- 32 oracle oinstall 4096 Jan 16 06:04 /home/oracle/
Only the owner and oinstall group members can access /home/oracle/, because the "others" permission bits (the last three characters, ---) are all off.
Creating user sam with oinstall as primary group
# useradd -g oinstall sam
# su - sam
$ groups
oinstall
Listing permissions of the script directory in /home/oracle
# pwd
/home/oracle
# ls -ld script
drwxr-xr-x 2 oracle oinstall 4096 Jan 16 03:43 script
Change ownership to user sam (the group stays oinstall)
# chown sam:oinstall script [or] # chown sam.oinstall script
# ls -ld script
drwxr-xr-x 2 sam oinstall 4096 Jan 16 03:43 script
Change the owner and the group of the directory (to sam and dba)
# ls -ld script
drwxr-xr-x 2 oracle oinstall 4096 Jan 16 03:43 script
# chown sam:dba script
# ls -ld script
drwxr-xr-x 2 sam dba 4096 Jan 16 03:43 script
Change both owner and group
# ls -ld script
drwxr-xr-x 2 oracle oinstall 4096 Jan 16 03:43 script
We can change both owner and group in a single command.
Now the script directory is owned by sam with group apache.
# chown sam:apache script
# ls -ld script
drwxr-xr-x 2 sam apache 4096 Jan 16 03:43 script
Changing ownership of multiple files to user sam
# pwd
/home/oracle/script
# ls -al
-rw-r--r-- 1 root root 248 Jan 16 06:02 file1
-rw-r--r-- 1 root root 254 Jan 16 06:02 file2
-rw-r--r-- 1 root root 465 Jan 16 06:02 file3
-rw-r--r-- 1 root root 640 Jan 16 06:02 file4
Changing ownership of the files from root to sam (brace expansion or an explicit list)
# chown sam /home/oracle/script/{file1,file2,file3} [or]
# chown sam /home/oracle/script/file1 /home/oracle/script/file2 /home/oracle/script/file3
-rw-r--r-- 1 sam root 248 Jan 16 06:02 file1
-rw-r--r-- 1 sam root 254 Jan 16 06:02 file2
-rw-r--r-- 1 sam root 465 Jan 16 06:02 file3
-rw-r--r-- 1 root root 640 Jan 16 06:02 file4
With -R, chown changes the ownership of a directory and all of its contents recursively, i.e. every file underneath it.
Changing ownership with -R (recursively)
# pwd
/home/oracle/script
# ls -al
-rw-r--r-- 1 sam root 248 Jan 16 06:02 file1
-rw-r--r-- 1 sam root 254 Jan 16 06:02 file2
-rw-r--r-- 1 sam root 465 Jan 16 06:02 file3
-rw-r--r-- 1 root root 640 Jan 16 06:02 file4
Changing ownership back from sam to root for the whole directory
# chown -R root /home/oracle/script
# chown -R -f root /home/oracle/script
# pwd
/home/oracle/script
# ls -al
-rw-r--r-- 1 root root 248 Jan 16 06:02 file1
-rw-r--r-- 1 root root 254 Jan 16 06:02 file2
-rw-r--r-- 1 root root 465 Jan 16 06:02 file3
-rw-r--r-- 1 root root 640 Jan 16 06:02 file4
-f : suppress most error messages (quiet). It does not force anything: a change that chown is not allowed to make still fails, just silently, so check the listing afterwards.
Note that chown on a symbolic link changes the link's target by default. Inside a directory that other users can write to, use -h so the link itself is changed rather than whatever file the user pointed the link at.
Change the owner of a file: root to sam
-rwxrwx--- 1 root root 1304 Nov 2 09:56 space.sh
# chown user filename
# chown sam space.sh
-rwxrwx--- 1 sam root 1304 Nov 2 09:56 space.sh
Points to REMEMBER
-R means include all subdirectories.
ls -l shows the ownership of a file or directory.
The chown command changes the ownership of a file/folder; several files/folders can be changed at once to a specified user/group.
CHGRP
chgrp - Change group ownership
The chgrp command changes the group of a file or directory. Root can set any group; the file's owner can change the group too, but only to a group the owner is a member of (check with groups or id). In simple terms, it changes the group of one or more files/directories to a new group.
Changing group ownership recursively
# chgrp -R group /path/
# chgrp -R root /home/sam/
Changing the group of a single file
/home/sam/sample
$ ls -l
-rw-r--r-- 1 sam oinstall 260 Jan 16 11:15 f1
-rw-r--r-- 1 sam oinstall 340 Jan 16 11:15 f2
-rw-r--r-- 1 sam oinstall 468 Jan 16 11:15 f3
-rw-r--r-- 1 sam oinstall 568 Jan 16 11:15 f4
-rw-r--r-- 1 sam oinstall 862 Jan 16 11:15 f5
drwxr-xr-x 2 sam oinstall 4096 Jan 16 11:15 lsn
Changing the group from oinstall to root for f1 and f2 (three equivalent ways)
# chgrp root /home/sam/sample/f1
# chgrp root /home/sam/sample/f2
# chgrp root /home/sam/sample/{f1,f2}
# chgrp root /home/sam/sample/f1 /home/sam/sample/f2
/home/sam/sample
$ ls -l
-rw-r--r-- 1 sam root 260 Jan 16 11:15 f1
-rw-r--r-- 1 sam root 340 Jan 16 11:15 f2
-rw-r--r-- 1 sam oinstall 468 Jan 16 11:15 f3
-rw-r--r-- 1 sam oinstall 568 Jan 16 11:15 f4
-rw-r--r-- 1 sam oinstall 862 Jan 16 11:15 f5
drwxr-xr-x 2 sam oinstall 4096 Jan 16 11:15 lsn
Changing file f5 from oinstall to apache
chgrp -c
prints a report (verbose output) only when a change is actually made.
# chgrp -c apache /home/sam/sample/f5
changed group of `/home/sam/sample/f5' to apache
# ls -l
-rw-r--r-- 1 sam apache 862 Jan 16 11:15 f5
If -c is not specified, nothing is printed when changes are made.
FILES and DIRECTORIES Permission in LINUX
FILE BASE PERMISSION : 666
DIR BASE PERMISSION : 777
(The base permission is what a new file or directory would get before the umask is applied.)
777 (rwxrwxrwx)
No restrictions. Anybody may do anything: list files, create new files in the directory and delete files in the directory. Never appropriate for a shared directory without the sticky bit (see below), since any user can then delete or replace another user's files.
755 (rwxr-xr-x)
The owner may read, write, and execute. All others may read and execute (list and enter a directory) but cannot create files or directories and cannot delete anything. This setting is common for directories we wish to share read-only with others.
700 (rwx------)
The owner has full access: read, write, and execute. Nobody else has any rights.
666 (rw-rw-rw-)
All users may read and write the file.
644 (rw-r--r--)
The owner can read and write the file, and all others may only read it. This is the setting for files that everyone may read but only the owner may change.
600 (rw-------)
The owner may read and write the file. All others have no rights.
CHMOD
chmod stands for CHange MODe.
The chmod command changes the access permissions of files and directories.
TYPES of FILE Permission
read : permitted to open and read the contents of the file.
write : permitted to write to (overwrite) or modify the file.
execute : permitted to execute the file as a program/script.
Types of DIRECTORY Permission
read : permitted to list the names in the directory (view files & sub-directories). Without execute, the names are visible but their attributes are not.
write : permitted to create, delete and rename entries in the directory (execute is needed as well). Note that deleting a file needs write permission on the directory, not on the file itself.
execute : permitted to enter the directory ("Change Directory", cd) and to reach entries inside it by name.
Numeric values for read (r), write (w) and execute (x)
read : 4
write : 2
execute : 1
So 7 comes from read + write + execute (4+2+1=7).
Operators
+ : add permission
- : remove permission
= : assign exactly this permission (bits not listed are cleared)
The ls -l command shows the permissions of a file or directory.
Symbolic representation of the three roles
u is for user (the owner)
g is for group
o is for others
a is for all of the above (an abbreviation for ugo)
Example of how a file/dir is listed (ls -l)
drwxr-xr-x 2 oracle oinstall 4096 Jan 16 07:14 script
-rw-r--r-- 1 oracle oinstall 690 Jan 16 20:50 script.sql
If the first character is d, it is a directory.
If the first character is -, it is a regular file. Other type characters: l symbolic link, b block device, c character device, p named pipe, s socket.
The next 9 characters are broken down into 3 groups of 3 characters.
The first three are the permissions of the owner.
The middle three are the permissions of the group.
The last three are the permissions for everyone else.
Sample permission settings for a FILE/DIRECTORY (ugo)
Position 1 : file type
Positions 2-4 : user (owner) read, write, execute
Positions 5-7 : group read, write, execute
Positions 8-10 : other read, write, execute
drwxrwxrwx = a directory; read, write and execute for owner, group and all others
-rwxrwx--- = read, write and execute for owner and group only
-rw-rw-rw- = read and write for owner, group and all others
-rwx------ = read, write and execute for owner only
Adding a single permission to a file/dir
$ chmod u+x filename
$ chmod u+r sample.sh
$ ls -ld sample.sh
-r-------- 1 oracle oinstall 640 Jan 17 00:05 sample.sh
Adding multiple permissions to a file/dir
$ chmod u=rw,g=rx,o+r sample.sh
$ ls -ld sample.sh
-rw-r-xr-- 1 oracle oinstall 640 Jan 17 00:05 sample.sh
Removing permissions from a file/dir
$ chmod g-rx,o-r sample.sh
$ ls -ld sample.sh
-rw------- 1 oracle oinstall 640 Jan 17 00:05 sample.sh
Changing permissions for all roles on a file/dir
$ chmod a+rwx sample.sh
$ ls -ld sample.sh
-rwxrwxrwx 1 oracle oinstall 640 Jan 17 00:05 sample.sh
(A world-writable script is a privilege-escalation path: anyone can edit what its owner will later run, so avoid this outside a throwaway test.)
Making a file's permissions the same as another file's (using --reference)
$ ls -ld sample*
-rw-r--r-- 1 oracle oinstall 640 Jan 17 01:08 sample1.sh
-rwxrwxrwx 1 oracle oinstall 640 Jan 17 00:05 sample.sh
To give a file the same permissions as another file, use the --reference option. In this example sample1.sh is set exactly like sample.sh.
$ chmod --reference=sample.sh sample1.sh
$ ls -ld sample*
-rwxrwxrwx 1 oracle oinstall 640 Jan 17 01:08 sample1.sh
-rwxrwxrwx 1 oracle oinstall 640 Jan 17 00:05 sample.sh
Here sample1.sh has exactly the same permissions as sample.sh.
Applying permissions to all files/sub-directories (recursively)
-R : change the permissions recursively.
/home/oracle
# tree test/
test/
|-- f1
|-- f2
`-- test1
    |-- f1
    |-- f2
    `-- test2
        |-- f1
        |-- f2
        `-- test3
            |-- f1
            `-- f2
3 directories, 8 files (all will get 755 permission)
# chmod -R 755 /home/oracle/test/
# chmod -R u=rwx,g=rx,o=rx /home/oracle/test/
Caveat: chmod -R 755 marks every regular file as executable, not only the directories. In symbolic mode the capital X (u=rwX,go=rX) grants execute only to directories and to files that are already executable, which is what is almost always wanted.
POINTS TO REMEMBER
chown : change the ownership of a file/dir (root only on Linux).
chgrp : change the "group ownership" of a file or directory.
chmod : change the "access rights" of a file or directory.
Directory base permission is 777; the default for a new directory is 755 with the usual umask of 022 (777 - 022 = 755).
File base permission is 666; the default for a new file is 644 with umask 022 (666 - 022 = 644).
Strictly, the umask is a bit mask (base AND NOT umask), not a subtraction. The two agree for 022 and 027, but umask 033 on base 666 gives 644, not 633. A stricter umask of 027 or 077 (set in /etc/profile or /etc/login.defs) keeps new files from being world-readable by default.
read=4; write=2; execute=1;
Octal representation for permissions
Setting (rw) for the user and (r) for group and others.
$ chmod 644 sample.sql
$ chmod u=rw,g=r,o=r sample.sql
Setting (rx) for the user, nothing (0) for the group, and r (4) for others.
$ chmod 504 script.sh
$ chmod u=rx,g=,o=r script.sh
Setting (rw) for the user, (r) for the group, and nothing (0) for others.
$ chmod 604 samp.sql
$ chmod u=rw,g=r,o= samp.sql
Each octal command is followed by its equivalent symbolic form (an empty value after = clears that role's bits).
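The umask arithmetic and the octal-to-symbolic mapping used throughout these pages (including the s/S and t/T forms of the SUID, SGID and sticky bits that ls prints) are small enough to check by hand, but a script makes the rules explicit. The block below is an added example, not code from the original page; the function names are my own, and the last function creates a throwaway file under a temporary directory so the arithmetic can be compared with what the kernel actually does.

```sh
#!/bin/sh
# Added example, not from the original page: the umask arithmetic and the
# octal -> symbolic mapping used throughout these notes, including the s/S and
# t/T forms of the SUID, SGID and sticky bits. Function names are my own.
set -eu

# umask is a bit mask, not a subtraction: effective = base AND NOT umask.
# The leading 0 makes the shell read the arguments as octal.
# apply_umask BASE UMASK  ->  e.g. apply_umask 666 022 prints 644
apply_umask() {
  printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Render one rwx triplet for digit $1. $2 is 1 when the special bit that maps
# onto this triplet's x slot is set, and $3 is its letter (s for user/group,
# t for others). Execute on -> lowercase letter; execute off -> uppercase.
triplet() {
  d=$1; special=$2; letter=$3; out=''
  [ $(( d & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
  [ $(( d & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
  if [ "$special" -eq 1 ]; then
    if [ $(( d & 1 )) -ne 0 ]; then out="${out}${letter}"
    elif [ "$letter" = s ]; then out="${out}S"
    else out="${out}T"; fi
  else
    [ $(( d & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
  fi
  printf '%s' "$out"
}

# octal_to_symbolic MODE  ->  e.g. 4755 -> rwsr-xr-x, 1750 -> rwxr-x--T
octal_to_symbolic() {
  m=$(printf '%04o' $(( 0$1 )))     # normalise to four octal digits
  sp=$(( ${m%???} ))                # special digit: 4=SUID 2=SGID 1=sticky
  u=${m#?}; g=${u#?}; o=${g#?}      # peel off user, group and other digits
  u=${u%??}; g=${g%?}
  printf '%s%s%s\n' \
    "$(triplet "$u" $(( (sp & 4) != 0 )) s)" \
    "$(triplet "$g" $(( (sp & 2) != 0 )) s)" \
    "$(triplet "$o" $(( (sp & 1) != 0 )) t)"
}

# Create a file under a given umask and report the mode ls -l shows for it
# (characters 2-10 of the listing), so the arithmetic above can be checked
# against what the kernel actually does.
# mode_under_umask UMASK  ->  e.g. mode_under_umask 077 prints rw-------
mode_under_umask() {
  tmp=$(mktemp -d)
  ( umask "$1" && : > "$tmp/f" )
  m=$(ls -ld "$tmp/f" | cut -c2-10)
  rm -rf "$tmp"
  printf '%s\n' "$m"
}
```

Compare octal_to_symbolic "$(apply_umask 666 077)" with mode_under_umask 077: both give rw-------, which is the check to run before trusting a umask setting in a login script.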
STICKY BIT
The sticky bit is used on shared, world-writable directories to stop users from renaming or deleting each other's files. In a sticky directory an entry may be deleted or renamed only by the entry's owner, by the directory's owner, or by root; write permission on the directory alone is no longer enough.
The sticky bit is shown as the letter t in the last (others' execute) position of the permission string.
Identifying sticky permissions
$ ls -ld /var/tmp
drwxrwxrwt 3 root root 4096 Dec 24 03:40 /var/tmp
The "t" tells us that the sticky bit is set.
"t" means the others' execute permission is also ON.
"T" means the sticky bit is set but the others' execute permission is OFF.
/tmp must be publicly writable, but users must not be able to delete or rename each other's files in it. Without the sticky bit any user could remove another user's temporary file and replace it with their own, a classic local attack.
Sticky bit setup
Use chmod to set the sticky bit. With octal numbers, prefix the three permission digits with 1.
i.e. $ chmod 1757 .
Here in 1757, 1 indicates the sticky bit, 7 full permissions for the owner, 5 (r-x) permissions for the group, and 7 full permissions for others. (1777 is the usual value for a shared directory such as /tmp.)
Setting the sticky bit on a directory (Option 1)
/home/rose$ mkdir shell_scripts shell_samples
$ ls -l
drwxr-xr-x 2 rose oragroup 4096 Jan 17 10:45 shell_scripts
drwxr-xr-x 2 rose oragroup 4096 Jan 17 10:45 shell_samples
Difference between t and T
$ chmod 1757 shell_scripts
$ chmod 1750 shell_samples
$ ls -ld shell_scripts shell_samples
drwxr-xrwt 2 rose oragroup 4096 Jan 17 10:45 shell_scripts
drwxr-x--T 2 rose oragroup 4096 Jan 17 10:45 shell_samples
With 1757 others have rwx, so the bit shows as t; with 1750 others have no permission at all, so it shows as T (set, but with no execute bit underneath).
Setting the sticky bit on a directory (Option 2)
/home/rose
$ tree
.
|-- sample_scripts
|-- shell_scripts
|-- shell_samples
`-- test_dir
    |-- file1
    |-- file2
    `-- file3
4 directories, 3 files
Enable the sticky bit on test_dir
$ mkdir test_dir
$ chmod 757 test_dir/
$ chmod +t test_dir/
$ ls -l
drwxr-xrwt 2 rose oragroup 4096 Jan 17 11:37 test_dir
Creating files under test_dir [as rose]
$ cd test_dir/
$ touch file1 file2 file3
$ ls -l
-rw-r--r-- 1 rose oragroup 128 Jan 18 00:40 file1
-rw-r--r-- 1 rose oragroup 264 Jan 18 00:40 file2
-rw-r--r-- 1 rose oragroup 187 Jan 18 00:00 file3
Connecting as the oracle user to access /home/rose/test_dir
/home/oracle
[oracle@localhost ~]$ ls -ld /home/rose/test_dir/
drwxr-xrwt 2 rose oragroup 4096 Jan 18 01:07 /home/rose/test_dir/
$ cd /home/rose/test_dir/
$ ls -l
-rw-r--r-- 1 rose oragroup 128 Jan 18 00:40 file1
-rw-r--r-- 1 rose oragroup 264 Jan 18 00:40 file2
-rw-r--r-- 1 rose oragroup 187 Jan 18 00:00 file3
Now the oracle user can access test_dir and its contents. Let's check how the sticky bit works here.
User oracle tries to remove all files under test_dir
[oracle@testorcl test_dir]$ rm -rf fi*
rm: cannot remove `file1': Operation not permitted
rm: cannot remove `file2': Operation not permitted
rm: cannot remove `file3': Operation not permitted
User oracle tries to move all files under test_dir to /home/rose
[oracle@testorcl test_dir]$ mv file* /home/rose/
mv: cannot move `file1' to `/home/rose/file1': Operation not permitted
mv: cannot move `file2' to `/home/rose/file2': Operation not permitted
mv: cannot move `file3' to `/home/rose/file3': Operation not permitted
User oracle tries to remove test_dir itself
$ cd ..
[oracle@testorcl rose]$ rm -rf test_dir/
rm: cannot remove `test_dir//file3': Operation not permitted
rm: cannot remove `test_dir//file2': Operation not permitted
rm: cannot remove `test_dir//file1': Operation not permitted
All three operations fail because the sticky bit is enabled on test_dir: oracle has write permission on the directory (others = rwx) but is neither the owner of the files nor the owner of the directory. The error is "Operation not permitted" (EPERM) rather than "Permission denied" (EACCES); that is the sticky bit at work, not a missing permission bit. oracle can still create new files in test_dir and delete or rename the ones it created. This is the typical use of the sticky bit: a directory others may write into, without letting them delete or move each other's files.
As noted above, the owner and the superuser (root) can delete or rename the files or directories even with the sticky bit enabled. Let's check.
The superuser (root, # prompt) deletes the test_dir contents
# rm -rf /home/rose/test_dir/f*
# cd /home/rose/test_dir/
# ls -l
total 0
The directory owner (rose) removes test_dir
/home/rose
$ rm -rf test_dir/
$ ls -ld test_dir
ls: test_dir: No such file or directory
POINTS TO NOTE :
Can the sticky bit be set on files?
Yes, but on Linux it has no effect on regular files: the kernel ignores it (historically it kept a program's text segment in swap, hence the name). It is only meaningful on directories.
To remove the sticky bit from a file/directory use the -t operator: $ chmod -t name (equivalently chmod o-t name).
There are three special bits in addition to the common r/w/x:
drwxrwxrwt - sticky bit - chmod 1777
-rwsrwxrwx - SUID set - chmod 4777
drwxrwsrwx - SGID set - chmod 2777
SUID is meaningful on executables; on a directory Linux ignores it. SGID is meaningful on both: on an executable it changes the effective group at run time, on a directory it makes new entries inherit the directory's group.
Advanced File Permission in Linux
SUID OR SETUID :
suid and sgid on FILES
Set-user-ID on execution.
The program runs with the effective user ID of the file's owner instead of the user who started it. If the owner is root, an ordinary user runs that program with root privileges. Every SUID-root binary is therefore a potential privilege-escalation target, and an audit of the set-user-ID files on a host should find only the expected ones (passwd, su, sudo and a handful of others).
SGID OR SETGID :
Set-group-ID on execution (files) or group inheritance (directories).
On an executable, the program runs with the effective group ID of the file's group. If that group carries elevated rights (for example the file's group is root or disk), anyone who can execute the program obtains those rights for the duration of the run.
Simple example
SUID : When we run a program, whatever files or directories it tries to access are checked against our own user and group IDs; if we do not have access to a file, the program does not have it either. However, if SUID is set on the executable, the owner's user ID is used while the program runs. The same applies to the group with SGID. Linux ignores SUID/SGID on interpreted scripts (#!); only compiled executables honour them, and a filesystem mounted with nosuid disables them for everything on it.
SGID : sgid on DIRECTORIES; when we create a file or directory it normally gets our user ID and primary group ID. If the directory we create it in has SGID set, the new file or directory instead inherits the group ID of that directory, and new sub-directories inherit the SGID bit as well. This is how a shared project directory (for example group oinstall) keeps every file in the same group no matter who created it.
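To tie the sticky-bit discussion and the SUID/SGID section together, here is an added shell example (not code from the original page) that encodes the kernel's deletion rule for sticky directories and runs the find(1) checks an auditor would use: world-writable directories that lack the sticky bit, and files carrying set-user-ID or set-group-ID. It builds its own sample tree in a temporary directory (all names are constructed), so it runs without root; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original page: the kernel's deletion rule for
# sticky directories, plus the find(1) checks an auditor runs for the special
# bits discussed above. A sample tree is constructed in a temporary directory
# (all names made up) so the script runs without root; on a real host run the
# find functions against / (or each mount point with -xdev).
set -eu

# In a directory with the sticky bit, unlink/rename of an entry is allowed only
# to root, the directory owner or the entry's owner, regardless of write
# permission on the directory. sticky_allows UID DIR_OWNER_UID FILE_OWNER_UID
sticky_allows() {
  uid=$1; dir_owner=$2; file_owner=$3
  if [ "$uid" -eq 0 ] || [ "$uid" -eq "$dir_owner" ] || [ "$uid" -eq "$file_owner" ]; then
    echo yes
  else
    echo no
  fi
}

# True if the path has the sticky bit (test -k), e.g. before a script trusts a
# shared scratch directory.
is_sticky() {
  [ -k "$1" ]
}

# Build a sample tree exercising the bits from the page; prints its root.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir "$root/shared_ok" "$root/shared_bad" "$root/plain"
  chmod 1777 "$root/shared_ok"    # world-writable with sticky bit, like /tmp
  chmod 777  "$root/shared_bad"   # world-writable without it: anyone can delete anything
  : > "$root/plain/setuid_tool"; chmod 4755 "$root/plain/setuid_tool"
  : > "$root/plain/setgid_tool"; chmod 2755 "$root/plain/setgid_tool"
  : > "$root/plain/normal";      chmod 644  "$root/plain/normal"
  printf '%s\n' "$root"
}

# World-writable directories without the sticky bit under $1 (relative paths).
# -perm -002 = others have write; ! -perm -1000 = sticky bit not set.
unsafe_shared_dirs() {
  ( cd "$1" && find . -type d -perm -002 ! -perm -1000 | sort )
}

# Files under $1 with set-user-ID or set-group-ID. On a real system every hit
# should be a known binary (passwd, su, sudo, ...); anything else is a finding.
setid_files() {
  ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) | sort )
}

# Usage: r=$(make_sample_tree); unsafe_shared_dirs "$r"; setid_files "$r"; rm -rf "$r"
```

On a production host, record the output of setid_files / at build time and diff against it on a schedule; a new set-user-ID file appearing under /tmp or a home directory is a high-confidence indicator of a local privilege-escalation attempt.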