In this article, learn about these concepts:
- Effective use of file and directory permission control
- Samba interaction with Linux file system permissions
This article helps you prepare for Objective 315.1 in Topic 315 of the Linux Professional Institute's (LPI) Mixed Environment Specialty exam (302). The objective has a weight of 3.
To get the most from the articles in this series, you should have an advanced knowledge of Linux and a working Linux system on which you can practice the commands covered in this article.
Reviewing Linux file permissions
Samba's integration with the Linux file system relies heavily on the concept of Linux file permissions.
The basic operations
Linux has a fairly simple way of controlling access to a file. A file has two owners: The first is a user, the second is a group. Permissions are specified for the user, the group, and other (everyone else).
File permissions control three basic operations: Read, Write, and Execute. Read controls viewing the contents of a file or listing a directory. Write access on a file allows the holder to change its contents; Write access on a directory allows the holder to create, rename, or delete files in that directory (so whether you can delete a file depends on the directory's permissions, not the file's). Execute access is required to run a binary or shell script or, in the context of a directory, to enter the directory.
Shell scripts are an interesting case in file permissions. A normal binary can have Execute permission but no Read permission, and a user can run the program but not see inside it. A shell script is not executed the same way: A user must have Read access to the shell script so that the shell can read the script to execute it. With the Execute permission, a user can run the script using a command such
A Linux file permission is written as a series of octal (base 8) digits called the mode of the file. Each digit encodes the Read/Write/Execute permissions for a single class of people. The first digit applies to the user who owns the file; the second digit is for the group that owns the file; the final digit is the permissions for everyone else (other). Sometimes, you will see permissions written in four digits. In this case, the first digit encodes some special properties of the file (setuid, setgid, and the sticky bit), and the last three digits refer to the user, group, and other, as before.
To understand the encoded permissions, you must resort to binary. An octal digit can be represented by three binary bits:
- 001. The Execute bit
- 010. The Write bit
- 100. The Read bit
By adding the bits together, you end up with a combined permission. A file that is readable and executable has both bits set and will have a binary permission of 101, or 5 in octal. All three bits set would be 111, which is 7 in octal. Conversely, 6 octal is 110 in binary, which is Read and Write but not Execute.
Applied to all three classes, a file mode of 644 is Read/Write for the owning user and Read-only for both the group and everyone else. Linux applies only the first class that matches: the owning user gets the user bits, a member of the owning group gets the group bits, and everyone else gets the other bits. The group permission therefore takes precedence over the other permission, so a file mode of 604 would prevent members of the owning group from reading the file while letting everyone else read it. Mode 640 would let the owner read and write and the owning group read, but everyone else would be shut out.
Manipulating file permissions on the command line
The chmod command changes the file's mode. So, the command chmod 700 foo would change the permissions of foo to 700, regardless of what they were before.
You can also set or clear individual permissions on the command line. Instead of providing an octal permission, you can specify a relative permission in the form [ugoa][+-=][rwx]. The first character is one of u, g, o, or a, which means user, group, other, or all, respectively. Then, you can choose to add (+), remove (-), or set (=) the Read/Write/Execute bits. chmod u+x foo sets the Execute bit for the owner of foo and leaves all other bits untouched. chmod g-rw something removes Read and Write permissions for the group.
Another way to use chmod is with the --reference parameter. Entering chmod --reference file1 file2 makes file2's permissions the same as file1's.
To change the file's owner, use the chown command. For example, chown sean foo changes the owner of foo to sean. Only root can change the owner of a file. The chgrp command changes the group of a file. A normal user can change the group only of files they own, and must belong to the new group.
Because the file permissions are binary in nature, you can apply some binary math to them to set or clear bits. The two binary operations applicable here are OR and AND. Binary operations can be shown in truth tables such as the ones in Figure 1.
Figure 1. Truth tables for OR and AND
|A|B|A OR B|A AND B|
|0|0|0|0|
|0|1|1|0|
|1|0|1|0|
|1|1|1|1|
The result of an OR operation is true (1) if either of the operands is 1. The only way to get a false (0) result is for both inputs to be false. The AND operation is the opposite: Both bits must be true for the result to be true; otherwise, the answer is false. It is important to note that the order of the operands does not matter: A OR B is the same as B OR A.
When more than one binary digit is involved, each bit is calculated separately. That is, 01 AND 11 is 01. The first digit is 0, because 0 AND 1 is 0. The second digit is 1, because 1 AND 1 is 1. To simplify the use of binary masks in file permissions, you use the OR operator to force bits to be set and the AND operator to clear bits.
Moving back into octal, if you were to OR any file mode with 600, you would be setting the Read and Write bits for the owning user regardless of what the current permission was. AND-ing a mode with 775 would clear the Write bit for other, because the binary representation of 5 is 101 and the Write bit is 010.
How Samba interacts with file permissions
Every connection to the Samba server runs as a separate process that is owned by the connecting user. Therefore, the Samba process is limited to the same file permissions as if the user were logged in directly to the server. It follows, then, that when the user creates a file or directory through Samba, the file or directory will be owned by the user. When the user changes file permissions through Windows® Explorer, these permissions are translated into a file mode, as if the user had used the chmod command.
Samba has a series of parameters that control how permissions are assigned in various situations. For parameters dealing with file permissions, you will see that there is one parameter that acts to set bits and one that clears bits. All of these parameters can be used at the share level or at the global level to affect all shares. As with other global parameters, the global behavior can be overridden at the share level.
Creating files and directories
A newly created file must have a set of permissions. Similarly, a directory created through the New Folder command in Windows Explorer must be given an initial mode. These two situations are handled by different Samba parameters.
Samba first translates the request to create a file into a file mode. It then performs an AND operation with the value of the create mask parameter, which clears bits. The default mask is 0744, which effectively removes Write and Execute access from the group and other people. Following that, the force create mode parameter is OR-ed with the resulting mode to set the desired bits. The default for force create mode is 000, which does not change the permissions.
Creating a directory follows the same process, except that the initial permission is AND-ed with the directory mask parameter (default 0755), and then OR-ed with the force directory mode parameter (default 000). Listing 1 provides some sample configurations that change how files and directories are created.
Listing 1. Using parameters to change the permission of new files and directories
    [global]
        create mask = 770
        force create mode = 600
        directory mask = 777
        force directory mode = 711

    [public]
        create mask = 777
        force create mode = 666
The parameters in Listing 1 are split into two sections. The [global] section has parameters for both files and directories. Files will have the bits for other (everyone else) cleared because of the final 0 in the create mask, while all the user and group bits will pass through because of the corresponding 7s. The result will be OR-ed with 600, which ensures that people get Read and Write permissions for their own files. Directories have their modes AND-ed with 777, which passes through all the permission bits, and then OR-ed with 711, which gives the owner Read, Write, and Execute and everyone else at least Execute. The share public has more lenient restrictions: its create mask of 777 clears nothing, and its force create mode of 666 means everyone gets at least Read and Write to the files in this share. Because [public] does not set the directory parameters, new directories in it still follow the [global] values.
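The mask-then-force arithmetic from the binary section, applied to Samba's defaults and to the Listing 1 values above, worked through in code. This is an added example, not code from the article or from Samba. The requested modes (0666 for a file, 0777 or 0755 for a directory) are assumptions standing in for the mode Samba derives from the client's request.

```python
# Added example (not from the article): the mode arithmetic Samba applies when a
# client creates a file or directory:
#
#     effective = (requested AND mask) OR force
#
# Modes are octal strings written the way they appear in smb.conf.

def octal(mode: str) -> int:
    """Parse an smb.conf-style mode; '744' and '0744' are both octal."""
    return int(mode, 8)

def effective_mode(requested: str, mask: str, force: str) -> str:
    """Clear bits with the mask (AND), then set bits with the force value (OR)."""
    return f"{(octal(requested) & octal(mask)) | octal(force):04o}"

def cleared_bits(mask: str) -> str:
    """Bits a mask can never let through: its complement within 0777."""
    return f"{~octal(mask) & 0o777:04o}"

def mode_to_rwx(mode: str) -> str:
    """Render the low nine bits the way ls -l does, e.g. '0660' -> 'rw-rw----'."""
    bits = octal(mode) & 0o777
    out = []
    for shift in (6, 3, 0):                     # user, group, other
        digit = (bits >> shift) & 0o7
        out.append(("r" if digit & 0o4 else "-")
                   + ("w" if digit & 0o2 else "-")
                   + ("x" if digit & 0o1 else "-"))
    return "".join(out)

# Samba's built-in defaults for new files and directories (smb.conf man page).
DEFAULT_FILE = ("0744", "0000")          # create mask, force create mode
DEFAULT_DIR = ("0755", "0000")           # directory mask, force directory mode

# The [global] and [public] values from Listing 1.
GLOBAL_FILE = ("770", "600")
GLOBAL_DIR = ("777", "711")
PUBLIC_FILE = ("777", "666")

def walk_through(requested: str, mask: str, force: str) -> str:
    """One line showing both steps, for the reader following the binary."""
    masked = f"{octal(requested) & octal(mask):04o}"
    final = effective_mode(requested, mask, force)
    return (f"{requested} AND {mask} = {masked}; "
            f"{masked} OR {force} = {final} ({mode_to_rwx(final)})")

if __name__ == "__main__":
    # Requested modes are assumptions: 0666 for a plain file, 0755 for a directory.
    print("default file:  ", walk_through("0666", *DEFAULT_FILE))
    print("[global] file: ", walk_through("0666", *GLOBAL_FILE))
    print("[global] dir:  ", walk_through("0755", *GLOBAL_DIR))
    print("[public] file: ", walk_through("0644", *PUBLIC_FILE))
    print("AND with 775:  ", walk_through("0777", "775", "000"))
    print("default create mask always clears", cleared_bits(DEFAULT_FILE[0]))
```

The same two functions apply unchanged to the permission-change parameters discussed in the next section; only the smb.conf names of the mask and force values differ.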
Modifying file and directory permissions
If you've looked at the security properties of a file inside Windows Explorer, you might have seen that you can change who has access to your files. By default, you will see permissions representative of the Linux permissions but mapped to the Microsoft® Windows NT® groups. If you change the permissions, these permissions will be remapped into Linux file permissions. Another set of parameters govern setting and clearing bits when the file permissions are changed rather than when the file is created.
The parameters used when a client changes a file's or directory's permissions are:
- security mask: AND-ed with the requested file permission
- force security mode: OR-ed with the requested file permission
- directory security mask: AND-ed with the requested directory permission
- force directory security mode: OR-ed with the requested directory permission
Check the smb.conf man page for your Samba version before relying on these four parameters: later Samba 4.x releases removed them, and client permission changes there follow the create mask, force create mode, directory mask, and force directory mode settings instead.
Summary of mode-related parameters
Table 1 summarizes the parameters related to forcing or masking mode bits for easy identification. Remember that the bits are cleared with the mask before they are forced.
Table 1. Samba parameters for manipulating file modes
|Situation|Set bits (OR)|Clear bits (AND)|
|Client creates a file|force create mode|create mask|
|Client creates a directory|force directory mode|directory mask|
|Client changes permissions on a file|force security mode|security mask|
|Client changes permissions on a directory|force directory security mode|directory security mask|
Forcing user and group ownership
All of the parameters previously discussed modify the mode of the file and therefore the Read, Write, and Execute permissions of the owning user, the owning group, and everyone else. By default, the files will be owned by the creating user and the user's group. It may be desirable to have files owned by another user or group, such as a project group or a generic user. This would be most helpful in shares used by groups of people.
Samba offers two parameters, force user and force group, that force the file's owner and owning group to whatever you want. You can use these parameters globally, but they are much more practical at the share level. For example, you could configure your share with force group = projecta to make all the files created in it belong to the projecta group. Be careful with force user: every connecting user then acts with that account's privileges on the share, so point it at an unprivileged account and restrict who may connect to the share.
Another form of the force group parameter prepends a plus sign (+) to the name of the group, such as force group = +admins. This plus sign is not taken literally: Rather, it tells Samba to force the group to admins only if the user already belongs to the group, such as a secondary group. People not in the admins group will continue to use their primary group for newly created files.
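To see how the share-level override of [global] described earlier and the two forms of force group interact, here is an added example (not code from the article or from Samba) that reads a minimal smb.conf, resolves the effective parameters for each share, and reports the mode and group a new file would get. The configuration text, share names, paths, and user and group names are constructed for this example; the parser handles only section headers, key = value lines, and whole-line comments.

```python
# Added example (not from the article): resolve the permission parameters for each
# share in a minimal smb.conf, honouring share-level overrides of [global], and
# apply the "force group" rule, including its "+" prefix. The configuration text,
# share names, paths, and user/group names below are constructed for this example.

DEFAULTS = {                         # Samba's built-in values (smb.conf man page)
    "create mask": "0744", "force create mode": "0000",
    "directory mask": "0755", "force directory mode": "0000",
}

SMB_CONF = """\
[global]
   create mask = 770
   force create mode = 600
   directory mask = 777
   force directory mode = 711

[public]
   path = /srv/samba/public
   create mask = 777
   force create mode = 666

[projecta]
   path = /srv/samba/projecta
   force group = projecta

[admin]
   path = /srv/samba/admin
   force group = +admins
"""

def parse_smb_conf(text: str) -> dict:
    """Minimal parser: [section] headers, 'key = value' lines, whole-line comments
    starting with '#' or ';'. Keys are lower-cased and whitespace-normalised.
    Not a full smb.conf parser (no include, no line continuations, no macros)."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def share_params(conf: dict, share: str) -> dict:
    """Built-in defaults, overridden by [global], overridden by the share itself."""
    params = dict(DEFAULTS)
    params.update(conf.get("global", {}))
    params.update(conf[share])
    return params

def effective_mode(requested: str, mask: str, force: str) -> str:
    """(requested AND mask) OR force, all octal, as described in the article."""
    return f"{(int(requested, 8) & int(mask, 8)) | int(force, 8):04o}"

def new_file_mode(conf: dict, share: str, requested: str = "0666") -> str:
    """Mode of a new file in the share; 0666 is an assumed client request."""
    p = share_params(conf, share)
    return effective_mode(requested, p["create mask"], p["force create mode"])

def new_dir_mode(conf: dict, share: str, requested: str = "0777") -> str:
    """Mode of a new directory in the share; 0777 is an assumed client request."""
    p = share_params(conf, share)
    return effective_mode(requested, p["directory mask"], p["force directory mode"])

def owning_group(conf: dict, share: str, primary_group: str, groups: list) -> str:
    """Group Samba assigns to files the user creates in the share.
    'force group = g' always yields g. 'force group = +g' yields g only if the
    user already belongs to g; otherwise the user's primary group is kept."""
    forced = share_params(conf, share).get("force group")
    if forced is None:
        return primary_group
    if forced.startswith("+"):
        name = forced[1:].strip()
        return name if name in groups or name == primary_group else primary_group
    return forced

CONF = parse_smb_conf(SMB_CONF)

if __name__ == "__main__":
    for share in ("public", "projecta", "admin"):
        print(f"[{share}] new file {new_file_mode(CONF, share)}, "
              f"new directory {new_dir_mode(CONF, share)}")
    # A user whose primary group is 'users' and who is also in 'admins':
    print("admin share, member of admins:", owning_group(CONF, "admin", "users", ["admins"]))
    # A user who is not in admins keeps their primary group:
    print("admin share, not a member:   ", owning_group(CONF, "admin", "users", ["staff"]))
```

Running it shows that [public] inherits the [global] directory settings it does not override, that [projecta] files come out as 0660 owned by projecta regardless of who created them, and that the +admins form only changes the group for users already in admins.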
Summary of Samba file and directory permissions
Samba offers several parameters that affect how file permissions are calculated. These parameters take the form of an octal mask, which is AND-ed with the proposed permission to clear undesirable bits, followed by a mode that is OR-ed to set bits. You set the bits separately for files and directories, and then again for new files and permission changes, for a total of eight different parameters. Finally, you can force the user and group of a file for a given share.
Even though Samba gives you a great deal of flexibility, you should be careful about using these features, because they may run contrary to what your users are expecting to happen.
- The smb.conf man page has more examples and descriptions of the commands shown in this article.
- The Linux umask value is treated much the same as Samba's security mask parameter: both clear bits with an AND. A description of umask will help you with the binary math.
- File, Directory, and Share Access Controls provides more details on how access controls are handled in Samba with respect to what the client is doing.
- At the LPIC Program site, find detailed objectives, task lists, and sample questions for the three levels of the LPI's Linux systems administration certification. In particular, look at the LPI-302 detailed objectives.
- Review the entire LPI exam prep series on developerWorks to learn Linux fundamentals and prepare for systems administrator certification based on LPI exam objectives prior to April 2009.