8 hours 30 minutes
Hello and welcome to 104.5.
We're talking about file permissions and ownership.
We see a list of commands here, but we're gonna go into a few other commands as well just because they're related to this.
Now when the administrator of a UNIX system or Linux system wants to
enforce policies about
running commands as root or preventing people from deleting files, they've got quite a few options
that are built in.
And so we need to understand how this works.
We'll also look at the parameter umask,
which lets you define the default permissions when files and directories are created.
And we'll look at some of the advantages of dealing with
users at the group level instead of at the individual level.
So the permission string for a file.
If I run the ls command, -l for long listing,
you're probably familiar with this type of format.
And what this shows us is the current permissions string,
and this could be specified in two different ways: in octal format or in character format.
I usually prefer to use octal mode just because I have been
using that from when I first learned,
you know, in the late eighties.
But some people prefer to use the letters because it's less confusing. They don't wanna have to do octal math in their head, so it's totally understandable
if you like one way versus the other.
So we've got the three characters here
right now. These permissions would be read as 664:
four for the read bit, two for the write bit.
The execute bit is here. This one's not set.
Same thing for the second grouping and the third grouping,
this first grouping is the owner,
So the owner of the file currently has read write permissions. The group also has read, write permissions
and everyone else or other
has read permissions.
This leading
dash here is
present because this is a file. If it was a directory, there would be a letter d there.
That shows us
at a glance whether we're looking at a file or directory.
The next item is
the number of links, and we see that here.
This file only has one link. It's a single file. We'll look at links in a later section. If I create soft links or hard links, this number will update accordingly.
The next field is the owner of the file. It's owned by user1 in this case, followed by the group. user1 belongs to the users group.
The next field is the size, so this file is currently 1099 bytes,
and then I have a date and time stamp.
So January 1st at 3:30 in the afternoon, this file was created. Finally, the last item is the name,
whether it's the name of a file or directory,
that's that's what we'll see there.
So the two main commands are change mode and change owner,
and I've got some examples here showing
how this could be done.
These are examples using the letters using character mode.
So in this case, change mode u-x
would remove the executable bit
from the user,
so we can think of it as user minus the executable bit.
And the second example I've got:
so we've got user, group and other; other means everybody else.
In this case I'm adding the read bit to the other
section of the permissions for this particular file.
If I run this third example, change mode +w,
this implies the user, group and other all at the same time. So I would be adding
the write bit to all three of those parameters, or permission settings.
Both the
change mode and change owner commands also support recursion. That's what the capital R is here,
so I can recursively
add the read bit to the group for everything that's in this particular directory.
That's really powerful
when you've got a need to change large numbers of files in a directory structure and you don't want to go in independently,
individually, rather, and change these things separately.
Then we move on to the change owner command.
Most people pronounce this chmod or chown.
That's up to you how you like to say that. People should know what you're talking about
when you mention chmod or chown.
Now the ownership.
We have several different modes here. I can run chown with the user name and the file name;
that just changes the owner of that file.
There's also a shortcut where I can specify the user name and the group name together, as we see in the second example. So here I'm changing the user
of myfile to user1 and the group to users.
And just like chmod, I can run that chown command recursively,
so I can set the user and the group
recursively on a particular directory tree.
This is very handy for dealing with large numbers of files and directories, as I mentioned earlier.
Our next topic is the set UID and set group ID.
When we need a regular user to be able to run a command with the privileges of root,
we can set this bit in order to
facilitate that. That means that a regular user can run the file or run the program, run the script, whatever it might be,
with the permissions of root.
This could be done at the user level with SUID and at the group level with SGID. So set the user ID, set the group ID.
It's very handy when you need to give users the privilege to run certain commands, but you don't want to give them full root privilege,
and that can obviously become difficult to manage.
So using these features
lets us
effectively give that capability on a limited basis.
It's a little bit more rigid than using something like sudo, where I could specify a particular command that I want someone to be able to run.
Here I'm defining at the file level instead of at a system config file level.
Now two other commands
that are related to this kind of feature are change attributes and list attributes,
or chattr and lsattr. That's how I normally say it. You can pick your own method, of course.
So I can change the attributes of a file.
There's several different attributes to choose from. One of them is the immutable bit. That's why I have the -i or +i here.
If I
make a file immutable, that means that it cannot be changed, and I'll demonstrate that here in just a little bit.
I could also use -i to remove that immutable bit.
Once I set immutable,
I can't remove the file, I can't edit it, I can't append any data.
There's another attribute:
using the a character, I can make the file appendable
or non-appendable,
and we'll see how that works here in just a moment.
Okay, so let me clear my screen.
All right. First,
let's create a file. We'll just call it myfile,
and I'm going to
do a long listing on just myfile, and we see that I have 644 permissions; that's related to my umask, which we'll talk about here in a moment.
What I can do is, let's say I want to add
the executable bit just for the owner.
Right now the owner is root
and the group is root because that's who I'm logged in as when I created the file.
So I'm gonna type change mode, or chmod,
and this will be for the
And I'm gonna do a +x command for myfile.
Now I'll hit up arrow, list that again,
and you'll notice that the user now has the executable bit set.
So I did this using the characters.
I could also do something similar. I could
run change mode
+w, as I talked about on the slide, for myfile.
I didn't specify user group or other, so it'll change it for everybody.
It'll change for all three areas.
All right, that didn't work as I expected. Let's try that again.
I will this time specify it specifically: user, group and other, +w.
And if I look at the file
now, I've got those bits set.
I thought this, I thought this would work as is, but maybe I made a mistake with that. No problem.
Learning Linux is like learning anything else. We have a little bit of trial and error once in a while. It's not anything to be worried about.
So now I could say that the owner has read, write and execute permissions. The group has read and write,
and other, or everybody else, has read and write.
I can remove these by just changing the plus sign to a minus sign.
So if I wanted to get rid of that write permission,
I run this command,
changing +w to -w.
And now you'll notice that the write bit is removed from the user, group and other.
very, very interesting
and easy to do.
I prefer using the octal method. So if I wanted to make this file back to, um,
755, right, that means
read, write, execute for the owner, read and execute for the group, and read and execute for everybody else. I can run the change mode command, 755.
And if I look at myfile,
there's my seven:
four for the read, two for the write, one for the execute. That's four plus two plus one, which is seven,
and then five gives me four plus one, which is read and execute, and five again for read and execute for other.
This is really up to you,
what's your preference.
A lot of people like the letters just because it seems more straightforward. But
that's really up to what you like to do. Now,
in order to show
the recursive nature, what I can do is I'll make a series of directories. I'll use the -p option
and we'll call this mydir1,
mydir2, mydir3.
And if I run the tree command on mydir1,
it shows me those directories.
If I run a long listing on mydir1,
it only shows me the top level directory. If I do this again with a wildcard,
I can see
mydir2 and mydir3 as well.
Right now they have 755 permissions and I can see who the owners are.
So let's demonstrate some recursive techniques here.
Let's say I don't want 755, I want to have 644. I want to restrict these
directories a little bit, so I can run the change mode command
recursively with the dash capital R,
and I'll use 644 because that's my preference, to use
the octal format.
And then I specify
Now if I run,
I don't want that.
So now I can see, I did a long listing on mydir star,
and I can see mydir2 is 644,
and I could also
run that on the third directory down below.
I just added another slash for the next directory and a wildcard. That's a shortcut,
and I can see that I've got 644 permissions on mydir3 as well.
Now maybe I want to change some ownership. Everything is owned by route.
do this recursively as well.
I could change the ownership of myfile to user1 for the owner and user1 for the group.
Now we see that that just happened. There's my owner and group,
but maybe I've got a bunch of files in the directory tree like this mydir1, mydir2 and mydir3. So it would be easier then
with a capital R for recursion,
and I could do the same thing, user1 for the owner, user1 for the group,
and just specify mydir with a wildcard.
So now I can see that mydir3 is user1.
look inside mydir1, I see mydir2, which is also user1, user1.
So we see that the recursion works. It goes down as many levels as the directory structure contains.
Very, very useful.
All right, so now let's look at the change attributes and list attributes commands.
I already explained a little bit about the immutable bit and
the append bit. But we'll actually demonstrate here that this really does work the way that we expect it to.
So there's myfile. myfile is currently empty. It's owned by user1.
Now if I run the list attributes command
for myfile, right now
all the attributes are empty. There's nothing special set.
Let's first demonstrate the immutable bit, so I can run the change attributes command,
+i because I'm adding the bit.
So I've added the bit and I list it again,
and we can see now the immutable bit is set.
I can also run the change attributes command, or chattr,
adding the append bit.
Now I've got the a there.
I'm gonna remove the append bit really quick.
So go back up to that command
and change this back to a -a, which removes that.
So when the file is in immutable mode,
I cannot remove it. I can try to run the remove force command.
Forced to remove:
operation is not permitted.
If I try to send data to this file,
so redirect the echo command,
also permission denied.
I'll add the append bit back in.
Still doesn't let me do it because
the file still has the immutable bit set.
So I can't append data until I remove that, so I can run chattr
-i to remove.
I still can't do it. Let's figure out why.
It's only the a bit that's set.
Oh, the reason why is because I'm not using the append character. I'm actually using,
I was using a creation character.
Here we go.
Remember, a double greater-than sign appends; a single greater-than creates a file or touches a file.
So now if I look at myfile,
we can see that it does have
five bytes of data:
four bytes for the word and probably a newline character.
So that shows me that
I can control whether a file could be written to or not. I can control whether it can be deleted or not.
And like the chown and chmod commands, I can also run these
so I could change attributes.
I'll add the immutable, whoops, I add the immutable bit.
I want to run this recursively,
so here I ran
chattr +i with recursion
on anything called mydir.
Now I can list the attributes.
not only showed me the two levels down from where I was, mydir1 and mydir2.
lsattr also has a -a option which lets me
list all the files, even the ones that look like they're directories. So obviously mydir2 underneath mydir also had the immutable bit set.
That's what recursion does. It goes down the directory tree
and changes everything underneath it.
Okay, so let's talk a little bit about the sticky bit
and the SUID and GUID.
The sticky bit's a nice feature of Linux or UNIX that allows us to specify that only the owner of a file can delete or rename that file.
You should be able to see very easily why this is a useful feature.
In fact, if I set this
sticky bit for a directory like temp,
this is a really good example why we'd want to do this.
If I have multiple users on my system,
all of them are probably gonna be using the temp directory at some point
for its intended purpose, which is to temporarily store things that you're working on.
Maybe you don't want to clutter up other folders, so you dump things in temp. Log files sometimes go there when you're testing software, and so on.
All those files, I want to be able to enforce the fact that only the user
who owns the file can rename it or delete it.
So I can do that at the directory level or the file level, and we'll see what that looks like here in just a moment.
Then we have SUID and GUID, sorry, SGID.
This is controlled with the chmod command as well. I just add the s flag or remove it
at the user level and at the group level.
And what this allows me to do is
designate certain programs that I want
users or groups of users to run with the privileges of root.
You have to be very careful with this, very selective.
But there might be something like kicking off a backup script or
running a script that adds a printer to your workstation. Things like this that normally would require root privilege. But we want to be able to let users do them on their own.
It's a little bit different than using sudo, of course, because it's controlled at the file level or at the group,
uh, sorry, at the user level or at the group level,
which I can do also with sudo. But
I have to specify the exact command I want someone to be able to run with sudo. Here I control it at the file level, which is a nice little bit of extra flexibility.
So let's pretend we're creating a binary program. We'll call it my prog, myprogram,
and we can look and see what its current permissions are. It's at 644, which is the default.
When we talk about umask in a little bit, this will make more sense
as far as default permissions go.
So if I want to set the sticky bit, I run chmod
+t. Let's run that again.
And if I look at the program now,
I can see that the sticky bit is set.
So now only the owner or root can rename or delete this file.
It's a nice little bit of extra protection
we can add to our programs.
I can remove the sticky bit just as easily by
using -t.
Now it's gone.
Now let's say I want to
allow regular users or a group of users to run my program.
What I can do is run the change mode command, chmod,
so I need to specify the user. Here we go,
and we can see now that the shell changes the color of the file.
That's a nice feature of Bash,
that it will color code directories, files and files with the set UID or set GID bit.
And there it is. The owner
has the set
UID bit.
I could do this for the group as well.
Change mode g+s for myprogram.
Trouble typing today.
Now I've got my owner with set UID and the group with set GID.
So whatever owner and group are assigned to this file,
they will have the privileges of root when they run the program.
That's a very powerful feature, so we have to make sure we're very careful about how it's used and under what circumstances.
Maybe I want to allow people to run a script to launch a backup of their personal files
or add a printer.
Anything like that is a good candidate for this.
Sometimes certain system utilities are allowed,
or maybe are preferred, for the set UID or set GID bit as well.
It just depends on the preferences of the administrator.
All right, so
let's have a look at umask.
Now umask is a kind of confusing concept. When people first see this,
they often have a hard time
understanding exactly why we need this.
But the function, basically, is to define the default permissions for new files and new directories.
You could do this with digits, the octal mode, or we can do it with characters.
In the case of umask, I actually prefer characters, versus setting permissions for files with the octal mode.
Essentially, if I set a bit with umask, it removes that bit or prevents it from being
added to new files and new directories.
So in the octal mode,
if I've got a zero, that means that no bits will be set. If I have a two,
that means that the write bit will not be set. If I have a one,
that means the execute bit will not be set. If it's a four, it's the read bit that won't be set.
Again, this sounds very confusing. So what I'll do is show examples using
the character mode instead, because that's a little bit simpler to deal with.
All right, let's create myfile2,
and we can see that my
actually I was playing with the umask earlier, so it's actually wrong right now.
I'm going to set my umask
for the user.
I'll say, I want it to be
for the group, I would like it to be read;
other, I will also make it read.
Now if I run the umask command,
I get 0133.
Let's break this down for a second.
If you think about the octal mode, read, write, execute: r is worth four, w is worth two, x is worth one.
So because I have a one here, that means execute for users will not be set when I create new files and directories,
and then I have three for the group.
That means that only
the four, if I had,
if I create a new file or directory, only the read
bit will be set
because I'm not using the two for the write bit and I'm not using the one for the execute bit.
So if I add those two up together, that gives me a three,
which means that those two bits, because it's rwx in that order,
are not set. Same thing for other.
Looking at it with the numbers is a little bit confusing. So luckily, we have the dash capital S option.
This shows it more clearly.
Read, write will be set by default for the group. Read will be set, and for the owner,
read will be set.
Now, if I touch a new file
and do a listing,
we can see that my 644 permissions are there by default.
I'll change the umask again
just to show that this really doesn't work. Let's say I want to make
all my new files readable by everybody, but only readable, so
I could do, I could write ugo, oops.
That's a shortcut. I don't have to specify
u equals, g equals, o equals.
If I run umask -S again,
I see all my attributes are set to read only,
so I'll create a new file.
If I overwrite my old file,
now you'll notice that I've still got the original permissions here.
It's because that file already existed. So if I create a new one,
that one gets the new umask setting.
So typically the umask is defined in the user's login profile. It could be also a global setting,
but it could be changed on a per user basis if that makes more sense for your administrative tasks.
And earlier we saw how the chown command and change group command, actually, we didn't look at change group. We saw that the chown command could be used.
I can specify the owner
as a user
or the user with the group.
If I leave the user off and I just use colon
users, that's the equivalent of just saying change group users, so I could use the chown command to deal with user and group permissions
as just a neater way to have more flexibility.
Otherwise, if I run change group to users, then it just changes the group only.
chown lets me change the owner and group; change group, only the group.
And like many of the other commands we saw already, I can use the dash capital R for recursion.
All right, so we've seen a bunch of good commands in this.
We learned how to run
commands to change the mode of the file and the permissions,
how to change the ownership and also the group.
We also saw how to list the attributes of a file and change the attributes of a file, which is pretty important
when we want to do things like make a file immutable,
make a file append only.
We also looked at the set UID and set GID bits and the sticky bit.
So a bunch of different features there to think about
during your administrative tasks.
Next, we're gonna talk about
symbolic links and hard links, otherwise known as soft and hard links.
And we'll see why that's such a useful feature of the shell.
All right, thanks. See you then.
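
The umask behaviour walked through in the lesson, as an added shell example that is not part of the original video. `new_mode` and `show_umask` are hypothetical helper names; the code assumes GNU `stat` (`stat -c`) and works only inside throwaway temp directories.

```shell
#!/bin/sh
# Added example (not from the lesson): what a given umask does to the
# permissions of newly created files and directories.
# Assumption: GNU coreutils stat (stat -c '%a'). new_mode and show_umask
# are hypothetical helper names; all paths are throwaway temp directories.

# new_mode MASK file|dir
# Prints the octal mode a new file or directory receives under MASK.
# The body is a subshell, so the caller's own umask is never changed.
new_mode() (
    d=$(mktemp -d) || exit 1      # created before the umask change
    umask "$1"                    # octal (0133) or symbolic (u=rw,g=r,o=r)
    if [ "$2" = dir ]; then
        mkdir "$d/new"            # directories start from 777, minus the mask
    else
        : > "$d/new"              # regular files start from 666, minus the mask
    fi
    stat -c '%a' "$d/new"
    rm -rf "$d"
)

# show_umask MASK
# Prints MASK in symbolic form, the way `umask -S` reports it.
show_umask() (
    umask "$1"
    umask -S
)

# Walk through the masks used in the lesson plus the common 0022 default.
for m in 0022 0133 u=rw,g=r,o=r u=r,g=r,o=r; do
    printf '%-14s allows %-16s file=%s dir=%s\n' \
        "$m" "$(show_umask "$m")" "$(new_mode "$m" file)" "$(new_mode "$m" dir)"
done
```

Under 0133 a new directory also comes out as 644, with no execute (search) bit, so non-root users cannot enter it. The same thing happens when 644 is applied recursively to a tree that contains directories.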