Time: 8 hours 30 minutes
Difficulty: Beginner
CEU/CPE: 10

Video Transcription

00:00
Hello and welcome to 104.5.
00:05
We're talking about file permissions and ownership.
00:10
We see a list of commands here, but we're gonna go into a few other commands as well, just because they're related to
00:17
this topic.
00:20
Now when the administrator of a UNIX system or Linux system wants to
00:25
enforce policies about
00:28
file access,
00:30
directory access,
00:33
running commands as root or preventing people from deleting files, they've got quite a few options
00:40
that are built in.
00:42
And so we need to understand how this works.
00:45
We'll also look at the parameter umask,
00:50
which lets you define the default permissions when files and directories are created.
00:58
And we'll look at some of the advantages of dealing with
01:00
users at the group level instead of at the individual level.
01:07
So, the permission string for a file.
01:11
If I run the ls command with -l for a long listing,
01:15
you're probably familiar with this type of format.
01:19
And what this shows us is the current permissions string,
01:25
and this could be specified in two different ways: in octal format or in character format.
01:33
I usually prefer to use octal mode just because I have been
01:38
using that from when I first learned,
01:40
back in,
01:42
you know, the late eighties.
01:46
But some people prefer to use the letters because it's less confusing. They don't wanna have to do octal math in their head, so it's totally understandable
01:53
if you want, if you like one way versus the other.
01:59
So we've got the three characters here
02:01
Right now these permissions would be read as 664,
02:07
four for the read bit, two for the write bit.
02:10
Uh, the execute bit is here. This one's not set.
02:15
Same thing for the second grouping and the third grouping,
02:19
this first grouping is the owner,
02:21
So the owner of the file currently has read write permissions. The group also has read, write permissions
02:27
and everyone else or other
02:30
has read permissions.
02:32
This leading
02:35
dash here is
02:37
present because this is a file. If it was a directory, there would be a letter d there
02:42
that shows us
02:44
at a glance whether we're looking at a file or a directory.
02:49
The next item is the
02:53
number of links, and we see that here.
02:55
This file only has one link. It's a single file. Well, we'll look at links in a later section. If I create soft links or hard links, this number will update accordingly.
03:07
The next field is the owner of the file. It's owned by user1 in this case, followed by the group: user1 belongs to the users group.
03:21
The next field is the size, so this file is currently 1099 bytes,
03:25
and then I have a date and time stamp.
03:30
So January 1st at 3 30 in the afternoon, this file was created. Finally, the last item is the name,
03:38
whether it's the name of a file or directory,
03:39
that's what we'll see there.
03:44
So the two main commands are change mode and change owner,
03:50
and I've got some examples here showing
03:52
how this could be done.
03:54
These are examples using the letters, using character mode.
03:59
So in this case, chmod u-x
04:02
would remove the executable bit
04:05
from the user,
04:08
so we can think of it as user minus the executable bit,
04:12
and the second example I've got
04:14
other.
04:15
So we've got user group and other other means everybody else
04:19
in this case I'm adding the read bit to the other
04:25
section of the permissions for this particular file.
04:29
If I run this third example, chmod +w,
04:33
this implies the user, group and other all at the same time. So I would be adding
04:41
the write bit to all three of those parameters, or permission settings.
04:47
Both the
04:49
chmod and chown commands also support recursion. That's what the capital R is here,
04:57
so I can recursively
04:59
add the read bit to the group for everything that's in this particular directory.
05:04
That's really powerful when
05:06
when you've got a need to change large numbers of files in a directory structure and you don't want to go in independently
05:16
individually, rather, and change these things separately.
05:21
Then we move on to the change owner command.
05:26
Most people pronounce these chmod or chown.
05:29
That's up to you, how you like to say that. People should know what you're talking about
05:33
when you mention chmod or chown.
05:38
Now the ownership
05:40
We have several different modes here. I can run chown with the user name and the file name;
05:46
that just changes the owner of that file.
05:49
There's also a shortcut where I can specify the user name and the group name together, as we see in the second example. So here I'm changing the user
05:58
of myfile to user1 and the group to users.
06:02
And just like chmod, I can run that chown command recursively,
06:08
so I can set the user and the group
06:11
recursively on a particular directory tree.
06:15
This is very handy for dealing with large numbers of files in directories, as I mentioned earlier.
06:26
Our next topic is the set user ID and set group ID.
06:31
When we need a regular user to be able to run a command with the privileges of root,
06:38
we can set this bit in order to
06:42
facilitate that. That means that a regular user can run the file, or run the program, run the script, whatever it might be,
06:49
with the permissions of root.
06:54
This could be done at the user level with SUID and at the group level with SGID. So set the user ID, set the group ID.
07:03
It's very handy when you need to give users the privilege to run certain commands, but you don't want to give them full root privilege,
07:11
and that can obviously become difficult to manage.
07:16
So using these features
07:19
lets us
07:20
effectively
07:21
give that capability on a limited basis.
07:27
It's a little bit more rigid than using something like sudo, where I could specify a particular command that I want someone to be able to run;
07:34
here. I'm defining at the file level instead of at a system config file level.
07:43
Now two other commands
07:46
that are related to this kind of feature are change attributes and list attributes,
07:51
or chattr and lsattr. That's how I normally say it. You can pick your own method, of course,
07:59
so I can change the attributes of a file.
08:03
There are several different attributes to choose from. One of them is the immutable bit. That's why I have the -i or +i here.
08:13
If I
08:15
make a file immutable, that means that it cannot be changed, and I'll demonstrate that here in just a little bit.
08:22
I could also use -i to remove that immutable bit.
08:26
Once I set immutable,
08:28
I can't remove the file, I can't edit it, I can't append any data.
08:35
There's another attribute,
08:39
using the a character, where I can make the file appendable
08:43
or non-appendable,
08:46
and we'll see how that works here in just a moment.
08:56
Okay, so let me clear my screen.
09:00
Oops.
09:03
All right. First,
09:05
let's create a file. We'll just call it myfile,
09:11
and I'm going to
09:13
do a long listing on just myfile, and we see that I have 644 permissions. That's related to my umask, which we'll talk about here in a moment.
09:24
Now,
09:26
what I can do is, let's say I want to add
09:30
the executable bit just for the owner.
09:33
Right now the owner is root
09:35
and the group is root, because that's who I'm logged in as when I created the file.
09:39
So I'm gonna type change mode, or chmod,
09:45
and this will be for the
09:48
the user.
09:50
And I'm gonna do a +x command for myfile.
09:54
Now I'll hit up arrow, list that again,
09:58
and you'll notice that the user now has the executable bit set.
10:03
So I did this using the characters.
10:07
I could also do something similar. I could
10:11
run change mode
10:13
+w, as I talked about on the slide, for myfile.
10:18
I didn't specify user group or other, so it'll change it for everybody.
10:24
It'll change for all three areas.
10:31
All right, that didn't work as I expected. Let's try that again.
10:35
This time I'll specifically specify user, group and other, ugo+w.
10:45
And if I look at the file
10:46
now, I've got those bits set.
10:48
I thought this would work as is, but maybe I made a mistake with that. No problem.
10:54
Learning Linux is like learning anything else. We have a little bit of trial and error once in a while. It's not anything to be worried about.
11:03
So now I could say that the owner has read, write and execute permissions, the group has read and write,
11:09
and other, or everybody else, has read, write.
11:13
I can remove these by just changing the plus sign to a minus sign.
11:18
So if I wanted to get rid of that write permission,
11:20
I run this command,
11:22
changing +w to -w.
11:26
And now you'll notice that the write bit is removed from the user, group and other.
11:35
very, very interesting
11:37
and easy to do.
11:39
I prefer using the octal method. So if I wanted to make this file back to
11:46
755, right, that means
11:48
read, write, execute for the owner, read and execute for the group and read and execute for everybody else. I can run the chmod command, 755,
11:58
myfile.
12:01
And if I look at myfile,
12:05
there's my seven,
12:07
four for the read, two for the write, one for the execute. That's four plus two plus one, which is seven,
12:13
and then five gives me four plus one, which is read and execute, and five again for read and execute for other.
12:20
This is really up to you.
12:22
What's your preference?
12:24
A lot of people like the letters just because it seems more straightforward, but
12:28
that's really up to what you like to do now,
12:33
Now,
12:33
in order to show the
12:35
recursive nature, what I can do is I'll make a series of directories. I'll use the -p option
12:43
and we'll call this mydir1,
12:46
mydir2, mydir3.
12:52
And if I run the tree command on mydir1,
12:56
it shows me those directories.
13:00
Now,
13:01
if I run a long listing on mydir1,
13:07
it only shows me the top level directory. If I do this again with a wild card,
13:13
I can see,
13:15
now,
13:16
mydir2 and mydir3 as well.
13:20
Right now they have 755 permissions and I can see who the owners are.
13:24
So let's demonstrate some recursive techniques here.
13:28
Let's say I don't want 755, I want to have 644 to restrict these
13:33
directories a little bit, so I can run the chmod command
13:37
recursively with the -R,
13:39
and I'll use 644 because that's my preference, to use the
13:46
the octal format.
13:48
And then I specify
13:52
my directory.
13:54
Now if I run,
13:54
I don't want that.
14:05
So now I can see I did a long listing on mydir*
14:09
and I can see mydir2 is 644,
14:16
and I could also
14:18
run that on the third directory down below.
14:22
I just added another slash for the next directory and a wildcard. That's a shortcut,
14:26
and I can see that I've got 644 permissions on mydir3 as well.
14:33
Now maybe I want to change some ownership. Everything is owned by root.
14:35
So
14:37
I could
14:37
do this recursively as well.
14:41
I could change the ownership of myfile to user1 for the owner and user1 for the group.
14:54
Now we see that that just happened. There's my owner and group,
14:58
but maybe I've got a bunch of files in a directory tree like this mydir1, mydir2 and mydir3. So it would be easier then
15:05
to chown
15:07
with a capital R for recursion,
15:09
and I could do the same thing, user1 for the owner, user1 for the group,
15:18
and just specify mydir with a wildcard.
15:31
So now I can see that mydir3 is user1.
15:35
If I
15:37
look inside mydir1, I see mydir2, which is also user1 user1.
15:45
So we see that the recursion works. It goes down as many levels as the directory structure contains.
15:52
Very, very useful.
16:02
All right, so now let's look at the change attributes and list attributes commands.
16:08
I already explained a little bit about the immutable bit and
16:14
the append bit, but we'll actually demonstrate here that this really does work the way that we expect it to.
16:25
So there's myfile. myfile is currently empty. It's owned by user1.
16:30
Now, if I run the lsattr command
16:36
for my file. Right now
16:38
all the attributes are empty. There's nothing special set.
16:44
Let's first demonstrate the immutable bit, so I can run the chattr command
16:49
+i because I'm adding the bit.
16:57
So I've added the bit and I listed again
17:00
and we can see now the immutable bit is set.
17:04
I can also run the change attributes command, or chattr,
17:11
adding the append bit.
17:19
Now I've got the A there.
17:23
I'm gonna remove the append bit really quick.
17:26
So go back up to that command
17:30
and change this to -a, which removes that.
17:36
So when the file is an immutable mode,
17:38
I cannot remove it. I can try to run the rm -f command.
17:44
Force remove:
17:45
operation is not permitted.
17:48
if I try to send data to this file,
17:52
so redirect the echo command,
17:56
Also permission denied.
18:03
I'll add the append bit back in.
18:11
It still doesn't let me do it because
18:14
the file still has the immutable bit set.
18:17
So I can't append data until I remove that, so I can run chattr
18:22
-i to remove.
18:30
I still can't do it. Let's figure out why.
18:36
It's only the a bit that's set.
18:40
Oh, the reason why is because I'm not using the append character.
18:45
I was using a creation character.
18:49
Here we go.
18:51
Remember, a double greater-than sign appends, a single greater-than creates a file or touches a file.
18:57
So now if I look at my file,
19:00
we can see that it does have,
19:03
five bytes of data,
19:06
four bytes for the word and probably a newline character
19:11
is there.
19:14
So that shows me that
19:15
I can control whether a file can be written to or not. I can control whether it can be deleted or not.
19:21
And like the chown and chmod commands, I can also run these
19:26
commands
19:27
recursively,
19:30
so I could change attributes.
19:33
I'll add the immutable, whoops, I'll add the immutable bit
19:37
for,
19:40
I want to run this recursively,
19:45
so here I ran
19:48
chattr +i with recursion
19:51
on anything called mydir.
19:56
Now I can list the attributes
20:00
for mydir,
20:04
and it only showed me the two levels down from where I was, mydir1 and mydir2.
20:11
lsattr also has a -a option which lets me
20:19
list all the files, even the ones that look like they're directories. So obviously mydir2 underneath mydir1 also had the immutable bit set.
20:30
That's what recursion does. It goes down the directory tree
20:33
and changes everything underneath it.
20:40
Okay, so let's talk a little bit about the sticky bit
20:42
and the SUID and SGID.
20:47
The sticky bit is a nice feature of Linux or UNIX that allows us to specify that only the owner of a file can delete or rename that file.
20:57
You should be able to see very easily why this is a useful feature.
21:02
In fact, if I set this
21:06
sticky bit for a directory like /tmp,
21:07
this is a really good example of why I would want to do this.
21:11
If I have multiple users on my system,
21:15
all of them are probably gonna be using the /tmp directory at some point for
21:18
its intended purpose, which is to temporarily store things that you're working on.
21:23
Maybe you don't want to clutter up other folders, so you dump things in /tmp. Log files sometimes go there when you're testing software, and so on.
21:32
For all those files, I want to be able to enforce the fact that only the user
21:37
who owns the file can rename it or delete it.
21:40
So I can do that at the directory level or the file level, and we'll see what that looks like here in just a moment.
21:47
Then we have SUID and GUID, sorry, SGID.
21:52
This is controlled with the chmod command as well. I just add the s flag or remove it
21:57
at the user level and at the group level.
22:00
And what this allows me to do is,
22:04
designate certain programs that I want
22:08
users or groups of users to run with the privileges of root.
22:14
You have to be very careful with this, very selective.
22:17
But there might be something like kicking off a backup script or
22:21
running a script that adds a printer to your workstation. Things like this that normally would require root privilege. But we want to be able to let users do them on their own.
22:30
It's a little bit different than using sudo, of course, because it's controlled at the file level or at the group,
22:37
sorry, at the user level or at the group level,
22:40
which I can do also with sudo, but
22:42
I have to specify the exact command I want someone to be able to run with sudo; here I control it at the file level, which is a nice little bit of extra flexibility.
22:52
Okay,
22:53
so let's pretend we're creating a binary program. We'll call it myprog, my program,
23:03
and we can look and see what its current permissions are. It's at 644, which is the default.
23:07
When we talk about umask in a little bit, this will make more sense
23:12
as far as default permissions go.
23:15
So if I want to set the sticky bit, I run chmod
23:19
+t on that program again.
23:25
And if I look at the program now,
23:27
I can see that the sticky bit is set.
23:30
So now only the owner or root can rename or delete this file.
23:36
It's a nice little bit of extra protection
23:38
we can add to our programs.
23:41
I can remove the sticky bit just as easily by
23:47
using -t.
23:51
Now it's gone.
23:52
Now let's see. I want to
23:56
allow regular users or a group of users to run my program
24:02
as root.
24:03
What I can do is run the change mode command, chmod,
24:11
so I need to specify the user. Here we go
24:18
and we can see now that the shell changes the color of the file.
24:22
That's a nice feature of Bash
24:25
that it will color code directories, files and files with the SUID or SGID bit.
24:30
And there it is. The owner
24:33
has the
24:36
SUID bit.
24:37
I could do this for the group as well.
24:40
chmod g+s for myprog.
24:45
Trouble typing today.
24:49
Now I've got my owner with SUID and the group with SGID.
24:56
So whatever owner and group are assigned to this file,
25:02
they will have the privileges of root when they run the program.
25:04
That's a very powerful feature, so we have to make sure we're very careful about how it's used and under what circumstances.
25:11
Maybe I want to allow people to run a script to launch a backup of their personal files
25:18
or add a printer.
25:19
Anything like that is a good candidate for this.
25:23
Sometimes certain system utilities are allowed,
25:27
or maybe are preferred, for the SUID or SGID bit as well.
25:33
It just depends on the preferences of the administrator.
25:40
All right, so
25:41
let's have a look at umask.
25:45
Now umask is a confusing concept. When people first see this,
25:48
they often have a hard time
25:52
understanding exactly why we need this.
25:55
But the function, basically is to define the default permissions for new files and new directories.
26:04
You can do this with digits, the octal mode, or we can do it with characters.
26:11
In the case of a umask, I actually prefer characters, versus setting permissions for files with the octal mode.
26:18
Essentially, if I set a bit with umask, it removes that bit or prevents it from being
26:26
added to new files and new directories.
26:29
So in the octal mode,
26:30
if I've got a zero, that means that no bits will be set. If I have a two,
26:36
that means that the write bit will not be set. If I have a one,
26:40
that means the execute bit will not be set. If it's a four, it's the read bit that won't be set.
26:47
Again, this sounds very confusing. So what I'll do is show examples using
26:53
the character mode instead, because that's a little bit simpler to deal with.
27:00
All right, let's create myfile2,
27:07
and we can see that my,
27:10
actually, I was playing with the umask earlier, so it's actually wrong right now.
27:15
I'm going to set my umask
27:18
for the user.
27:19
I'll say I want it to be
27:22
read, write;
27:23
for the group. I would like it to be read
27:26
and for
27:27
other. I will also make it read.
27:33
Now if I run the umask command,
27:34
I get 0133.
27:37
Let's break this down for a second.
27:41
So
27:41
the one
27:44
if you think about the octal mode, read, write, execute: r is worth four, w is worth two, x is worth one.
27:52
So because I have a one here, that means execute for users will not be set when I create new files and directories,
28:03
and then I have three for the group,
28:07
that means that only
28:10
the four, if I
28:14
if I create a new file or directory, only the read
28:17
bit will be set,
28:18
because I'm not using the two for the write bit, and I'm not using the one for the execute bit.
28:26
So if I add those two up together, that gives me a three,
28:29
which means that those two bits, because it's r w x in that order,
28:33
are not set. Same thing for other.
28:37
Looking at it with the numbers is a little bit confusing. So luckily, we have the -S option.
28:45
This shows it more clearly.
28:47
User:
28:48
read, write will be set by default; for the group, read will be set; and for the owner,
28:53
read will be set.
28:56
Now, if I touch a new file
29:02
and do a listing,
29:03
we can see that my 644 permissions are there by default.
29:08
I'll change the umask again
29:11
just to show that this really doesn't work. Let's say I want to make
29:15
all my new files readable by everybody, but only readable, so
29:21
I could write ugo, oops,
29:25
=r.
29:27
That's a shortcut. I don't have to specify
29:32
u=, g=, o=.
29:34
If I run umask -S again,
29:37
I see all my attributes are set to read only
29:41
so I'll create a new file.
29:44
If I overwrite my old file,
29:48
now you'll notice that I've still got the original permissions here.
29:53
It's because that file already existed. So if I create a new one,
30:02
that one gets the new umask setting.
30:04
So typically the umask is defined in the user's login profile. It could also be a global setting,
30:11
but it could be changed on a per user basis if that makes more sense for your administrative tasks.
30:22
And earlier we saw how the chown command and the chgrp command, actually we didn't look at chgrp, we saw that the chown command could be used.
30:30
I can specify the owner
30:33
as a user
30:36
or the user with the group.
30:38
If I leave the user off and I just use colon
30:42
users, that's the equivalent of just saying chgrp users, so I could use the chown command to deal with user and group permissions
30:52
as just a neater way to have more flexibility.
30:56
Otherwise, if I run chgrp users, then it just changes the group only.
31:02
chown lets us change the owner and group; chgrp changes only the group.
31:07
And like many of the other commands we saw already, I can use the -R for recursion.
31:15
All right, so we've seen a bunch of good commands in this
31:18
section.
31:19
we learned how to run
31:22
commands to change the mode of the file, the permissions,
31:25
how to change the ownership and also the group.
31:30
We also saw how to list the attributes of a file and change the attributes of a file, which is pretty important
31:36
when we want to do things like make a file immutable,
31:38
make it append only.
31:44
We also looked at the SUID and SGID bits and the sticky bit.
31:51
So a bunch of different features there to think about
31:53
during your administrative tasks.
31:56
Next, we're gonna talk about
31:57
symbolic links and hard links, otherwise known as soft and hard links.
32:02
And we'll see why that's such a useful feature of the shell.
32:06
All right, thanks. See you then.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor