Cisco ASA and PIX Firewall Handbook
In Chapter 7, "Understanding File Properties," you learned the basics of file ownership and permissions in Linux. You also learned to use the chmod command at the command line to change file permissions using the symbols (letters) r, w, and x for read, write, and execute. The basic set of read, write, and execute permissions and the basic file ownership behavior work well for most situations. However, Linux does provide a way for administrators to change the ownerships of existing files, as well as an additional set of permissions properties for more unique situations, which can provide finer-grained control over the ways in which files and directories behave.

Changing File Ownership

The chown command can be used to change the user and/or group ownership of an existing file. This capability can be useful if, for example, you want to make a file you created readable to other members of a group of which you are a member. By changing the file's group ownership and permissions, you can make the file readable by members of the group while remaining secure with regard to other users of the system.

To use the chown command to change ownership for an existing file or directory, call chown as follows:

chown user.group file

Replace user with the name of the user who should be given ownership of the file and group with the name of the group that should be given ownership of the file. Replace file with the name of the file whose ownership is to be changed. For example, to change the group ownership of a file called myfile.txt to the programmers group, you issue the following command:

[you@workstation20 ~]$ chown you.programmers myfile.txt
[you@workstation20 ~]$
Using chmod in Numeric Mode
In Chapter 7, you learned that each file or directory in a Linux system is governed by three sets of read, write, and execute switches. When considered from left to right as they are usually written, these sets of switches belong to the file's owning user, the file's owning group, and everyone else, in that order. For example, the following permissions string represents a normal file that is readable, writable, and executable by everyone:

-rwxrwxrwx

In the symbolic mode of the chmod command, you use symbols such as u, g, o, r, w, and x arranged in various patterns as arguments to change these permissions. The numeric mode of chmod works somewhat differently. To call chmod in numeric mode, you use the following format:

chmod NNN file
Each N must be a numeric digit. The first N represents the permissions for the owning user of the file; the second N, for the owning group; and the third N, for everyone else. Each N has a value of zero (0) for no permissions or a single-digit sum created from the values in Table 31.1 to indicate the absolute permissions that are to be assigned.
For example, to assign full read, write, and execute permissions for all users to a file called myfile.txt, you enter the following:

[you@workstation20 ~]$ chmod 777 myfile.txt
[you@workstation20 ~]$
Table 30.2 shows a number of additional examples for numeric strings, which can be provided to chmod, and their symbolic meanings.
Although the symbolic mode of chmod is typically preferred by beginners, most longtime Linux or Unix users prefer to use the numeric mode for its simplicity and brevity.

Understanding Special Permissions
As you use Linux, you will from time to time encounter several additional types of permissions values in the output of long directory listings. Understanding these special permissions is important because they significantly alter the way in which programs or directories behave:
The SUID and SGID bits are rarely used; the sticky bit is used more often, usually to create a public storage area in which users can create and remove their own files. You can assign the SUID, SGID, and sticky bits to file or directory permissions using chmod's numeric mode by including an extra digit at the beginning of the numeric permissions code supplied to chmod as an argument. The values used in this optional first digit are shown in Table 30.3.
Table 30.4 provides some sample numeric codes for chmod that use special permissions, along with resulting descriptions.
To assign the SUID or SGID properties to an executable file, you must be either the owner of the file or a member of the file's owning group, respectively, or the root user. The SUID and SGID properties are rarely used.
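
The numeric-mode rules above, including the optional leading digit for the SUID, SGID, and sticky bits, worked through as an added shell example (not from the book; the function names triplet, mode_to_symbolic, and check_against_chmod are hypothetical). It uses the standard values read=4, write=2, execute=1 and SUID=4, SGID=2, sticky=1, and also shows the capital S or T that ls -l prints when a special bit is set without the matching execute bit.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the book.

# triplet DIGIT SPECIAL CHAR -> three characters for one permission set.
# DIGIT is the sum of read=4, write=2, execute=1. If SPECIAL is non-zero,
# the execute slot shows CHAR (s or t) when execute is also set, or its
# capital (S or T) when the special bit is set without execute.
triplet() {
    d=$1; special=$2; ch=$3
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    if [ "$special" -ne 0 ]; then
        if [ "$x" = x ]; then x=$ch; else x=$(printf %s "$ch" | tr st ST); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_symbolic MODE -> nine-character string as printed by ls -l.
# MODE is NNN, or SNNN where S sums SUID=4, SGID=2, sticky=1.
mode_to_symbolic() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) mode=0$mode ;;          # no special digit given
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $mode" >&2; return 1 ;;
    esac
    s=${mode%???}; rest=${mode#?}
    u=${rest%??}; g=${rest#?}; g=${g%?}; o=${rest#??}
    printf '%s%s%s\n' "$(triplet "$u" $((s & 4)) s)" \
        "$(triplet "$g" $((s & 2)) s)" "$(triplet "$o" $((s & 1)) t)"
}

# check_against_chmod MODE: apply MODE to a scratch file with the real
# chmod and compare the decoder with what ls -l reports for that file.
check_against_chmod() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    actual=$(ls -l "$f" | cut -c2-10)
    rm -f "$f"
    [ "$actual" = "$(mode_to_symbolic "$1")" ]
}
```

For instance, mode_to_symbolic 1777 prints rwxrwxrwt, the mode of a public storage directory with the sticky bit, and mode_to_symbolic 4644 prints rwSr--r--, where the capital S flags SUID on a file its owner cannot execute.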