Learn Linux, 302 (Mixed environments): Linux file system and share/service permissions

Understand file permissions in a Linux file system

In preparation for taking the Linux Professional Institute Certification exam LPI-302 for systems administrators, learn how Samba interacts with the Linux file system and how to manage permissions.


Sean A. Walberg, Senior Network Engineer

Sean Walberg is a network engineer and the author of two books on networking. He has worked in several industries, including health care and media.



06 December 2011

Also available in Chinese Russian Japanese

About this series

This series of articles helps you learn Linux systems administration tasks. You can also use the material in these articles to prepare for the Linux Professional Institute Certification level 3 (LPIC-3) exams.

See our developerWorks roadmap for LPIC-3 for a description of and link to each article in this series. The roadmap is in progress and reflects the current objectives (November 2010) for the LPIC-3 exams. As each article is completed, it is added to the roadmap.

In this article, learn about these concepts:

  • Effective use of file and directory permission control
  • Samba interaction with Linux file system permissions

This article helps you prepare for Objective 315.1 in Topic 315 of the Linux Professional Institute's (LPI) Mixed Environment Specialty exam (302). The objective has a weight of 3.

Prerequisites

To get the most from the articles in this series, you should have an advanced knowledge of Linux and a working Linux system on which you can practice the commands covered in this article.


Reviewing Linux file permissions

Samba's integration with the Linux file system relies heavily on the concept of Linux file permissions.

About the elective LPI-302 exam

Linux Professional Institute Certification (LPIC) is like many other certifications in that different levels are offered, with each level requiring more knowledge and experience than the previous one. The LPI-302 exam is an elective specialty exam in the third level of the LPIC hierarchy and requires an advanced level of Linux systems administration knowledge.

To get your LPIC-3 certification, you must pass the two first-level exams (101 and 102), the two second-level exams (201 and 202), and the LPIC-3 core exam (301). After you have achieved this level, you can take the elective specialty exams, such as LPI-302.

The basic operations

Linux has a fairly simple way of controlling access to a file. A file has two owners: The first is a user, the second is a group. Permissions are specified for the user, the group, and other (everyone else).

File permissions control three basic operations: Read, Write, and Execute. Read controls viewing the contents of a file or listing the entries of a directory. Write on a file allows the holder to change its contents; Write on a directory allows the holder to create, rename, and delete entries in it (so whether you can delete a file depends on the directory's permissions, not the file's). Execute access is required to run a binary or shell script or, in the context of a directory, to enter the directory and reach the files inside it.

Shell scripts are an interesting case in file permissions. A normal binary can have Execute permission but no Read permission, and a user can run the program but not see inside it, because the kernel loads it directly. A shell script is not executed the same way: The kernel starts the interpreter named on the #! line, and that interpreter, running as the user, must open and read the script. So a script with Execute but no Read permission fails to run, while a script with Read but no Execute permission can still be run by handing it to the interpreter explicitly, as in sh myscript.sh. With both Read and Execute permission, a user can run the script directly with a command such as ./myscript.sh. (root bypasses the Read check, so test this as an ordinary user.)

A Linux file permission is written as a series of octal (base 8) digits called the mode of the file. Each digit encodes the Read/Write/Execute permissions for a single class of users. The first digit applies to the user who owns the file; the second digit is for the group that owns the file; the final digit is the permissions for everyone else (other). Sometimes, you will see permissions written in four digits. In this case, the first digit encodes the special bits of the file (setuid, setgid, and sticky), and the last three digits refer to user, group, and other, as before.

To understand the encoded permissions, you must resort to binary. An octal digit can be represented by three binary bits:

  • 001. The Execute bit
  • 010. The Write bit
  • 100. The Read bit

By adding the bits together, you end up with a combined permission. A file that is readable and executable has both bits set and will have a binary permission of 101, or 5 in octal. All three bits set would be 111, which is 7 in octal. Conversely, 6 octal is 110 in binary, which is Read and Write but not Execute.

Applied to all three classes, a file mode of 644 is Read/Write for the owning user and Read-only for both the group and everyone else. The kernel checks the classes in order, owner, then group, then other, and applies only the first class that matches the caller; it never falls through to a more permissive class. The group permission therefore takes precedence over the other permission, so a file mode of 604 would prevent members of the owning group from reading the file while letting everyone else read it. Mode 640 would let the owner read and write and the owning group read, but everyone else would be shut out.
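The following is an added example, not part of the original article: a small POSIX sh script that decodes an octal mode into ls-style rwx text and then applies the owner-then-group-then-other precedence rule to decide which triplet a given caller gets. The uids, gid, and mode in the scenario at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: decode an octal mode into
# ls-style rwx text and apply the owner/group/other precedence rule to
# decide which permission class a given caller gets.  POSIX sh only.

# mode_to_rwx MODE: print MODE (3 or 4 octal digits, e.g. 644 or 0644) as
# nine characters, e.g. rw-r--r--.  A leading special-bits digit (setuid,
# setgid, sticky) is ignored here; only the three rwx triplets are rendered.
mode_to_rwx() {
    m=$(( 0${1#0} ))           # leading 0 makes the shell parse it as octal
    out=""
    for s in 6 3 0; do         # user, group, other triplets, high bits first
        t=$(( (m >> s) & 7 ))
        if [ $(( t & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( t & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( t & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# effective_class MODE FILE_UID FILE_GID CALLER_UID "CALLER_GIDS": print the
# single rwx triplet the kernel would apply to the caller.  Only the first
# matching class counts: owner beats group, group beats other, which is why
# mode 604 locks the owning group out while everyone else can read.
# (root's CAP_DAC_OVERRIDE bypass is deliberately not modelled.)
effective_class() {
    mode=$1 fuid=$2 fgid=$3 uid=$4 gids=$5
    rwx=$(mode_to_rwx "$mode")
    if [ "$uid" = "$fuid" ]; then
        printf '%s\n' "$rwx" | cut -c1-3
        return
    fi
    for g in $gids; do
        if [ "$g" = "$fgid" ]; then
            printf '%s\n' "$rwx" | cut -c4-6
            return
        fi
    done
    printf '%s\n' "$rwx" | cut -c7-9
}

# Constructed scenario: a file owned by uid 1000 / gid 100 with mode 604.
mode_to_rwx 604                          # rw----r--
effective_class 604 1000 100 1000 "100"  # rw-  (the owner)
effective_class 604 1000 100 1001 "100"  # ---  (a group member: blocked)
effective_class 604 1000 100 1002 "300"  # r--  (everyone else)
```

The third call is the case the text describes: uid 1001 belongs to gid 100, so the group triplet applies and the more permissive other triplet is never consulted.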

Manipulating file permissions on the command line


The chmod command changes the file's mode. So, the command chmod 700 foo would change the permissions of foo to 700, regardless of what it was before.

You can also set or clear individual permissions on the command line. Instead of providing an octal mode, you can specify a symbolic change in the form [ugoa][+-=][rwx]. The first character is one of u, g, o, or a, meaning user, group, other, or all, respectively. Then, you choose whether to add (+), remove (-), or set exactly (=) the Read/Write/Execute bits that follow. Several such clauses can be combined in one command by separating them with commas, as in chmod u+x,g-w foo.

For example, chmod u+x foo sets the Execute bit on foo and leaves all other bits untouched. chmod g-rw something removes Read and Write permissions for the group.

Another way to use chmod is with the --reference parameter. Entering chmod --reference=file1 file2 makes file2's permissions the same as file1's.

To change the file's ownership, use the chown command. For example, chown sean foo changes the owner of foo to sean, and chown sean:projecta foo changes the owner and the group in one step. Only root can change the owner of a file.

The chgrp command changes the group of a file. A normal user must own the file and must belong to the new group.
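As an added example (not from the original article), the following script walks a scratch file through the absolute, symbolic, and --reference forms of chmod, then uses chgrp with the caller's own primary group, reading each result back with stat. It assumes GNU coreutils (stat -c, chmod --reference) as found on Linux; chown is left out because changing an owner needs root.

```shell
#!/bin/sh
# Added example, not from the original article: exercise the absolute,
# symbolic and --reference forms of chmod, plus chgrp to a group the caller
# belongs to, on scratch files, and read each resulting mode back.
# Assumes GNU coreutils (stat -c, chmod --reference) as found on Linux.
set -eu

# mode_of FILE: print FILE's permission bits in octal, e.g. 644.
mode_of() { stat -c '%a' "$1"; }

# gid_of FILE: print the numeric gid of FILE's owning group.
gid_of() { stat -c '%g' "$1"; }

# demo_chmod: walk a scratch file through several chmod forms and print the
# mode after each step, space separated.
demo_chmod() {
    tmp=$(mktemp -d)
    f="$tmp/foo"; ref="$tmp/ref"
    : > "$f"; : > "$ref"
    chmod 640 "$ref"

    chmod 700 "$f";                m1=$(mode_of "$f")  # absolute: 700 whatever it was
    chmod u-x,g+r "$f";            m2=$(mode_of "$f")  # clear owner x, add group r: 640
    chmod o=rx "$f";               m3=$(mode_of "$f")  # '=' sets other to exactly r-x: 645
    chmod --reference="$ref" "$f"; m4=$(mode_of "$f")  # copy ref's mode: 640

    rm -rf "$tmp"
    printf '%s %s %s %s\n' "$m1" "$m2" "$m3" "$m4"
}

# demo_chgrp: chgrp succeeds only for a group the caller belongs to (or for
# root); the caller's own primary group always qualifies.  Prints the
# resulting numeric gid, which should match `id -g`.
demo_chgrp() {
    tmp=$(mktemp -d)
    f="$tmp/foo"
    : > "$f"
    chgrp "$(id -g)" "$f"
    g=$(gid_of "$f")
    rm -rf "$tmp"
    printf '%s\n' "$g"
}

demo_chmod   # 700 640 645 640
demo_chgrp   # the caller's primary gid
```

Each step's comment gives the mode you should see; the '=' form is the one to reach for when you want a class set to a known state regardless of what it held before.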

Masking

Because the file permissions are binary in nature, you can apply some binary math to them to set or clear bits. The two binary operations applicable here are called OR and AND. Binary operations can be shown in truth tables such as the one provided in Figure 1.

Figure 1. Truth tables for OR and AND

  A  B | A OR B | A AND B
  0  0 |   0    |    0
  0  1 |   1    |    0
  1  0 |   1    |    0
  1  1 |   1    |    1

The result of an OR operation is true (1) if either of the operands is 1. The only way to get a false (0) result is for both inputs to be false. The AND operator is the opposite: Both bits must be true for the result to be true; otherwise, the answer is false. It is important to note that the order of the operands does not matter: A OR B is the same as B OR A.

When more than one binary digit is involved, each bit is calculated separately. That is, 01 AND 11 is 01. The first digit is 0, because 0 AND 1 is 0. The second digit is 1, because 1 AND 1 is 1. To further simplify the use of binary masks in file permissions, you use the OR operator to force bits to be set and the AND operator to clear bits.

Moving back into octal, if you OR any file mode with 600, you set the Read and Write bits for the owning user regardless of what the current permission was. If you AND a mode with 775, you clear the Write bit for other and leave everything else alone, because the binary representation of the 5 is 101 and the Write bit is 010.


How Samba interacts with file permissions

Samba's smbd forks a child process for each client connection, and that child switches its effective user and group IDs to those of the authenticated user before it touches the file system. The Samba process is therefore limited to the same file permissions as if the user were logged in directly to the server. It follows that when the user creates a file or directory through Samba, that file or directory is owned by the user (unless force user or force group, described below, say otherwise). When the user changes permissions through Windows® Explorer, those permissions are translated into a file mode, as if the user had used the chmod command.

Samba has a series of parameters that control how permissions are assigned in various situations. For parameters dealing with file permissions, you will see that there is one parameter that acts to set bits and one that clears bits. All of these parameters can be used at the share level or at the global level to affect all shares. As with other global parameters, the global behavior can be overridden at the share level.

Creating files and directories

A newly created file must have a set of permissions. Similarly, a directory created through the New Folder command in Windows Explorer must be given an initial mode. These two situations are handled by different Samba parameters.

Samba first derives a proposed UNIX mode from the client's request. With the default map archive = yes, the DOS archive attribute that new files from Windows carry becomes the owner's Execute bit, which is why files created from Windows often show up as rwxr--r--. Samba then performs an AND operation between that proposed mode and the create mask parameter, which clears bits. The default mask is 0744, which removes Write and Execute access from the group and from other people. Following that, the force create mode parameter is OR-ed with the result to set the desired bits. The default for force create mode is 0000, which changes nothing.

Creating a directory follows the same process, except that the proposed mode is AND-ed with the directory mask parameter (default 0755) and then OR-ed with the force directory mode parameter (default 0000). Listing 1 provides some sample configurations that change how files and directories are created.

Listing 1. Using parameters to change the permission of new files and directories
[global]
create mask = 770
force create mode = 600
directory mask = 777
force directory mode = 711

[public]
create mask = 777
force create mode = 666

The parameters in Listing 1 are split into two sections. The [global] section has parameters for both files and directories. Files will have the other bits cleared because of the final 0 in the create mask, while all the other bits will pass through because of the corresponding 7. The result will be OR-ed with 600, which ensures that people get Read and Write permissions for their own files.

Directories have their modes AND-ed with 777, which passes through all the permission bits, and then OR-ed with 711, which gives the owner Read, Write, and Execute and everyone else at least Execute. The share public has more lenient restrictions. Everyone gets at least Read and Write to the files in this share.
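The following is an added example, not from the original article, that reproduces the clear-then-set rule from the Masking section as a POSIX sh function and runs it over Samba's documented defaults and the values in Listing 1. The same function describes the security mask / force security mode pairs used when a client edits permissions, since they apply the same AND-then-OR sequence. The proposed modes (0766 for a new file with the archive bit mapped onto the owner's Execute bit, 0777 for a new directory) are constructed inputs that stand in for what smbd computes before masking.

```shell
#!/bin/sh
# Added example, not from the original article: reproduce the AND-then-OR
# rule Samba applies to a new file's or directory's mode, using the values
# from Listing 1 and Samba's documented defaults.  POSIX sh only.

# samba_new_mode PROPOSED MASK FORCE: print the mode Samba stores, as four
# octal digits, after clearing bits with MASK (AND) and then setting bits
# with FORCE (OR).  Arguments are octal strings, with or without a leading 0.
samba_new_mode() {
    p=$(( 0${1#0} )); mask=$(( 0${2#0} )); force=$(( 0${3#0} ))
    printf '%04o\n' $(( (p & mask) | force ))
}

# Constructed inputs.  With the default "map archive = yes", a file created
# from Windows carries the DOS archive bit, which Samba maps onto the owner's
# Execute bit, so the proposed mode for a plain new file is taken as 0766;
# a new directory proposes 0777.  Documented defaults: create mask 0744 /
# force create mode 0000, directory mask 0755 / force directory mode 0000.
samba_new_mode 0766 0744 0000   # 0744 : default share, the familiar rwxr--r--
samba_new_mode 0777 0755 0000   # 0755 : default directory
samba_new_mode 0766 0770 0600   # 0760 : Listing 1 [global]: other cleared, owner rw forced
samba_new_mode 0777 0777 0711   # 0777 : Listing 1 [global] directory: nothing cleared
samba_new_mode 0766 0777 0666   # 0766 : Listing 1 [public]: everyone gets rw
samba_new_mode 0777 0775 0000   # 0775 : AND with 775 clears only other's Write bit
```

To compare these paper calculations against a running server, list the effective values with testparm -v -s | grep -Ei 'create mask|create mode|directory mask|directory mode', which prints the per-share values after global defaults and overrides have been resolved.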

Modifying file and directory permissions

If you've looked at the security properties of a file inside Windows Explorer, you might have seen that you can change who has access to your files. By default, you will see entries for the owner, the owning group, and Everyone that represent the Linux permissions mapped into the Microsoft® Windows NT® access-control model. If you change the permissions, they are remapped into Linux file permissions. Another set of parameters governs setting and clearing bits when the file permissions are changed rather than when the file is created.

The parameters used when a file's permissions change are:

  • security mask: AND-ed with the file permission
  • force security mode: OR-ed with the file permission
  • directory security mask: AND-ed with the directory permission
  • force directory security mode: OR-ed with the directory permission

Note that some later Samba releases no longer honour these four parameters; confirm against the smb.conf manual page for the version you run, and check with testparm -v -s which parameters it actually recognises.

Summary of mode-related parameters

Table 1 summarizes the parameters related to forcing or masking mode bits for easy identification. Remember that the bits are cleared with the mask before they are forced.

Table 1. Samba parameters for manipulating file modes
Situation                                  | Set bits (OR)                 | Clear bits (AND)
-------------------------------------------|-------------------------------|------------------------
File created                               | force create mode             | create mask
Directory created                          | force directory mode          | directory mask
Client changes permissions on a file       | force security mode           | security mask
Client changes permissions on a directory  | force directory security mode | directory security mask

Forcing user and group ownership

All of the parameters previously discussed modify the mode of the file and therefore the Read, Write, and Execute permissions of the owning user, the owning group, and everyone else. By default, the files will be owned by the creating user and the user's group. It may be desirable to have files owned by another user or group, such as a project group or a generic user. This would be most helpful in shares used by groups of people.

Samba offers two parameters, force user and force group, that force the file's owner and owning group to whatever you want. You can use these parameters globally, but they are much more practical at the share level. For example, you could configure your share with force group = projecta to make all the files belong to the projecta group. Because force group applies to every file written through the share regardless of who wrote it, pair it with valid users (or another access restriction) so that only the intended members can connect. force user is stronger still: every file operation on the share then runs with that account's rights, so point it at a dedicated low-privilege account and never at root.

Another form of the force group parameter prepends a plus sign (+) to the name of the group, such as force group = +admins. The plus sign is not taken literally: It tells Samba to force the group to admins only if the connecting user already belongs to that group, for example as a secondary group. Users who are not in the admins group continue to use their primary group for newly created files.
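The following smb.conf fragment is an added example, not part of the original article or of any Samba documentation; the share names, paths, and group and account names (projecta, admins, dropowner) are assumed. It shows force group combined with a group-writable mask and a valid users restriction, the +group form, and force user pointed at a dedicated account rather than root.

```ini
; Added example (not from the original article); names and paths are assumed.
; smb.conf does not support trailing comments, so each note is on its own line.

[projecta]
    path = /srv/samba/projecta
    ; Only members of the projecta group may connect; without this line,
    ; force group would hand the group's rights to any authenticated user.
    valid users = @projecta
    writeable = yes
    ; Every new file and directory belongs to projecta, whoever wrote it.
    force group = projecta
    ; Mask out other entirely and force owner/group rw so teammates can
    ; edit each other's files (files: rw-rw----, directories: rwxrwx---).
    create mask = 0660
    force create mode = 0660
    directory mask = 0770
    force directory mode = 0770

[team]
    path = /srv/samba/team
    writeable = yes
    ; The + form only switches the group for users who are already members
    ; of admins; everyone else keeps their primary group on new files.
    force group = +admins

[dropbox]
    path = /srv/samba/drop
    valid users = @staff
    writeable = yes
    ; Files are owned by a dedicated low-privilege account, not the creator.
    ; Do not use force user = root: every operation on the share would then
    ; run with root's rights over the file system.
    force user = dropowner
    create mask = 0600
    directory mask = 0700
```

After editing, run testparm to syntax-check the file and testparm -v -s to see the resolved per-share values, then create a file from a Windows client and inspect it with ls -l on the server to confirm the owner, group, and mode are what the masks predict.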


Summary of Samba file and directory permissions

Samba offers several parameters that affect how file permissions are calculated. These parameters take the form of an octal mask, which is AND-ed with the proposed permission to clear undesirable bits, followed by a mode that is OR-ed to set bits. You set the bits separately for files and directories, and then again for new files and permission changes, for a total of eight different parameters. Finally, you can force the user and group of a file for a given share.

Even though Samba gives you a great deal of flexibility, you should be careful about using these features, because they may run contrary to what your users are expecting to happen.
