CSE203 Linux Programming

Understanding Linux File

Permissions

Dr S.Rajarajan
SoC
 Linux Security
• The Linux system follows the Unix method of file
permissions, allowing individual users and groups access to
files based on a set of security settings for each file and
directory.
• The core of the Linux security system is the user account.
• Each individual who accesses a Linux system should have a
unique user account assigned.
• The users’ permissions to objects on the system depend on
the user account they log in with
 UID
• User permissions are tracked using a user ID (often called a
UID), which is assigned to an account when it’s created.
• The UID is a numerical value, unique for each user.
• However, you don’t log in to a Linux system using your UID.
• Instead, you use a login name.
• The login name is an alphanumeric text string of eight
characters or fewer that the user uses to log in to the system
(along with an associated password).
• The Linux system uses special files and utilities to track and
manage user accounts on the system
• The root user acc is the administrator for the Linux system
and is always assigned UID 0.
• To find a user's UID or GID in Unix, use the id command
• $ id -u username

• To find a user's GID, at the Unix prompt, enter:

• $ id -g username
• If you want to find out all the groups a user belongs to,
instead enter:
• $ id -G username
 The /etc/passwd file
• The Linux system uses a special file to match the login
name to a corresponding UID value.
• This file is the /etc/passwd file. The /etc/passwd file
contains several pieces of information about the user.
• The /etc/passwd file contains information, such as:
– User name
– Encrypted password
– user's ID (UID)
– User's group ID number (GID)
– Full name of the user (GECOS)
– User home directory
– Login shell
 System accounts
• The Linux system creates lots of user accounts for various
functions that aren’t actual users.
• These are called system accounts.
• A system account is a special account that services running
on the system use to gain access to resources on the system.
• All services that run in background mode need to be logged
in to the Linux system under a system user account.
 Need for System accounts
• Before security became a big issue, these services often just
logged in using the root user account.
• Unfortunately, if an unauthorized person broke into one of
these services, he instantly gained access to the system as
the root user.
• To prevent this, now just about every service that runs in
background on a Linux server has its own user account to
log in with.
• This way, if a troublemaker compromises a service, he still
can’t necessarily get access to the whole system
 UID range
• Linux reserves UIDs below 500 for system accounts.
• Some services even require specific UIDs to work properly
• When you create accounts for normal users, most Linux
systems assign the first available UID starting at 500
• The Linux Standard Base Core Specification defines
the following ranges for user IDs (UIDs):
– 0–99: System users, which are statically allocated and
don't have a login shell
– 100–999: Application users, which are dynamically
allocated by application programs
– 1000 and above: Regular users, with an upper limit
that depends on several factors
 Passwords
• The password field in the /etc/passwd file is set to an x.

• In the old days of Linux, the /etc/passwd file contained an

encrypted version of the user’s password.
• However, because lots of programs need to access the
/etc/passwd file for user information, this became a security
problem.
• With the advent of software that could easily decrypt
encrypted passwords, the bad guys had a field day trying to
break user passwords stored in the /etc/passwd file.
 Shadow file
• Now, most Linux systems hold user passwords in a separate file
(called the shadow file, located at /etc/shadow).
• The shadow file stores the hashed passphrase (or “hash”)
format for Linux user account
• This shadow file is directly accessible only to the root user and
special programs (such as the login program)
• The /etc/passwd file is a standard text file.
• You can use any text editor to manually perform user
management functions (such as adding, modifying, or
removing user accounts) directly in the /etc/passwd file.
• However, this is an extremely dangerous practice.
• If the /etc/passwd file becomes corrupt, the system can’t
read it, and it prevents anyone (even the root user) from
logging in.
• Instead, it’s safer to use the standard Linux user
management utilities to perform all user management
functions.
 The /etc/shadow file
• The /etc/shadow file provides more control over how the
Linux system manages passwords.
• Only the root user has access to the /etc/shadow file,
making it more secure than the /etc/passwd file.
• The /etc/shadow file contains one record for each user
account on the system.
• A record looks like this:
1. Username : A valid account name, which exist on the system.
2. Password : Your encrypted password is in hash format. The
password should be minimum 15-20 characters long including
special characters, digits, lower case alphabetic and more.
Usually password format is set to $id$salt$hashed, The $id is the
algorithm prefix used On GNU/Linux as follows
– $1$ is MD5
– $2a$ is Blowfish
– $2y$ is Blowfish
– $5$ is SHA-256
– $6$ is SHA-512
– $y$ is yescrypt
3. Last password change (lastchanged) : The date of the last password
change, expressed as the number of days since Jan 1, 1970 (Unix
time). The value 0 has a special meaning, which is that the user should
change her password the next time she will log in the system. An
empty field means that password aging features are disabled.
4. Minimum : The minimum number of days required between
password changes i.e. the number of days left before the user is
allowed to change her password again. An empty field and value 0
mean that there are no minimum password age.
5. Maximum : The maximum number of days the password is valid,
after that user is forced to change her password again.
6. Warn : The number of days before password is to expire that user is
warned that his/her password must be changed
7. Inactive : The number of days after password expires that account is
disabled.
8. Expire : The date of expiration of the account, expressed as the
number of days since Jan 1, 1970.
• Using the shadow password system, the Linux system has
much finer control over user passwords.
• It can control how often a user must change his or her
password and when to disable the account if the
password hasn’t been changed.
 useradd - Adding a new user
• The primary tool used to add new users to your Linux system
is useradd
• This command provides an easy way to create a new user
account and set up the user’s HOME directory structure all at
once.
• The useradd command uses a combination of system default
values and command line parameters to define a user
account.
• The new user account will be entered into the system files as
needed, the home directory will be created, and initial files
copied, depending on the command line options.
• The system defaults are set in the /etc/default/useradd
• To see the system default values used on your Linux distribution,
enter the useradd command with the -D parameter:
• $ /usr/sbin/useradd -D
• GROUP=100
• HOME=/home
• INACTIVE=-1
• EXPIRE=
• SHELL=/bin/bash
• SKEL=/etc/skel
• CREATE_MAIL_SPOOL=yes
• #
• When invoked with the -D option, useradd will either
display the current default values, or, with appropriate
privilege, update the default values from the command
line.
• The previous example shows the following default values:
• ■ The new user is added to a common group with group ID
100.
• ■ The new user has a HOME account created in the
directory /home/loginname.
• ■ The account can’t be disabled when the password
expires.
• ■ The new account uses the bash shell as the default shell.
• ■ The system copies the contents of the /etc/skel directory
to the user’s HOME directory.
• ■ The system creates a file in the mail directory for the
user account to receive mail.
 User account template to copy default files
• The useradd command allows an administrator to create a
default HOME directory configuration and then uses that as
a template to create the new user’s HOME directory.
• This allows you to place default files for the system in every
new user’s HOME directory automatically.
• Directory /etc/skel/ (skel is derived from the “skeleton”) is
used to initiate home directory when a user is first created.
• Below is a sample /etc/default/useradd file which defines
the skel directory.
# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
• The /etc/skel directory has the following files:
• $ ls -al /etc/skel
• total 32
• drwxr-xr-x 2 root root 4096 2010-04-29 08:26 .
• drwxr-xr-x 135 root root 12288 2010-09-23 18:49 ..
• -rw-r--r-- 1 root root 220 2010-04-18 21:51 .bash_logout
• -rw-r--r-- 1 root root 3103 2010-04-18 21:51 .bashrc
• -rw-r--r-- 1 root root 179 2010-03-26 08:31
examples.desktop
• -rw-r--r-- 1 root root 675 2010-04-18 21:51 .profile
• $
• These are the standard startup files for the bash shell
environment.
• The system automatically copies these default files into
every user’s HOME directory you create.
• You can test this by creating a new user account using the
default system parameters and then looking at the HOME
directory for the new user
 How to Create a User with a different Home
directory
• By default, the ‘useradd‘ command creates a user’s home
directory under the ‘/home‘ directory with the username
• However, this behavior can be changed by using the '-
d' option along with the location of the new home
directory
• To give a home directory path for new users, we use the
following command in Linux.
• $ sudo useradd -d /home/test_user test_user
• By default, the useradd command doesn’t create a HOME
directory, but the –m command line option tells it to
create the HOME directory.
• $ useradd -m test
• As you can see in the example, the useradd command
created the new HOME directory, using the files contained
in the /etc/skel directory.
• If you want to override a default value or behavior when
creating a new user, you can do that with command line
parameters.
• # useradd -m –d /var/www/raj test
• # ls -al /home/test
• total 24
• drwxr-xr-x 2 test test 4096 2010-09-23 19:01 .
• drwxr-xr-x 4 root root 4096 2010-09-23 19:01 ..
• -rw-r--r-- 1 test test 220 2010-04-18 21:51 .bash_logout
• -rw-r--r-- 1 test test 3103 2010-04-18 21:51 .bashrc
• -rw-r--r-- 1 test test 179 2010-03-26 08:31 examples.desktop
• -rw-r--r-- 1 test test 675 2010-04-18 21:51 .profile
• #
1. -c, –comment: This option allows you to add a comment or
description for the user account. It is typically used to
provide additional information about the user.
Example: useradd -c "John Doe" john
2. -m, –create-home: This option creates a home directory
for the user. The home directory is a central location where
the user can store their files and personalize their
environment.
Example: useradd -m john
3. -g, –gid: This option specifies the primary group for the
user. The primary group is a group that the user is a
member of by default.
Example: useradd -g developers john
4. -s, –shell: This option sets the default shell for the user.
The shell is the command interpreter that allows the
user to interact with the system.
Example: useradd -s /bin/bash john
5. -u, –uid: This option assigns a specific user ID (UID) to
the user. The UID is a unique numerical identifier that
distinguishes one user from another on the system.
Example: useradd -u 1001 john
• You can change the system default new user values by
using the -D parameter, along with a parameter
representing the value you need to change
 Changing the default values
• useradd when invoked without the -D option, creates a
new user account using the values specified on the
command line and the default values from the system.
• When invoked with the -D option, useradd will update the
default values from the command line.
• # useradd -D -s /bin/tsch
• # useradd -D
• GROUP=100
• HOME=/home
• INACTIVE=-1
• EXPIRE=.
• EXPIRE=
• SHELL=/bin/tsch
• SKEL=/etc/skel
• CREATE_MAIL_SPOOL=yes
• Now, the useradd command uses the tsch shell as the
default login shell for all new user accounts you create.
 Removing a user
• If you want to remove a user from the system, the userdel
command is what you need.
• By default, the userdel command removes only the user
information from the /etc/passwd file.
• If you use the -r parameter, userdel removes the user’s
HOME directory, along with the user’s mail directory.
• However, other files owned by the deleted user account
may still be on the system.
• This can be a problem in some environments
• Here’s an example of using the userdel command to
remove an existing user account:
• $/usr/sbin/userdel -r test
• $ ls -al /home/test
• ls: cannot access /home/test: No such file or directory
• $
• After using the -r parameter, the user’s old /home/test
directory no longer exists.
 Modifying a user
• Linux provides a few different utilities for modifying the
information for existing user accounts.
• Each of these utilities provides a specific function for changing
information about user accounts.
 usermod
• The usermod command is the most robust of the user account
modification utilities
• It provides options for changing most of the fields in the
/etc/passwd file
• To do that, you just need to use the command line parameter
that corresponds to the value you want to change.
• The parameters are mostly the same as the useradd parameters
(such as -c to change the comment field, -e to change the
expiration date, and -g to change the default login group)
• However, a couple of additional parameters come in handy
• ■ -l changes the login name of the user account.
• ■ -L locks the account so the user can’t log in.
• ■ -p changes the password for the account.
• ■ -U unlocks the account so the user can log in
 Change password
• passwd and chpasswd
• A quick way to change just the password for a user is the
passwd command:
• $ passwd test
• Changing password for user test.
• New UNIX password:
• Retype new UNIX password:
• passwd: all authentication tokens updated successfully.
• $
• If you just use the passwd command by itself, it changes
your own password.
• Any user in the system can change his or her own
password, but only the root user can change someone
else’s password
• The -e option is a handy way to force a user to change the
password on the next log in.
• If you ever need to do a mass password change for lots of
users on the system, the chpasswd command can be a
lifesaver.
• The chpasswd command reads a list of login name and
password pairs (separated by a colon) from the standard
input, automatically encrypts the password, and sets it
for the user account.
• You can also use the redirection command to redirect a
file of userid:password pairs into the command
• $ chpasswd < users.txt #
 chsh, chfn, and chage
• The chsh, chfn, and chage utilities are specialized for specific
account modification functions.
• The chsh command allows you to quickly change the default
login shell for a user.
• The chfn command provides a standard method for storing
information in the comments field in the /etc/passwd file.
• The chage date values can be expressed using one of two
methods: ■ A date in YYYY-MM-DD format ■ A numerical value
representing the number of days since January 1, 1970
 Using Linux Groups
• User accounts are great for controlling security for
individual users, but they aren’t so good at allowing groups
of users to share resources.
• To accomplish this, the Linux system uses another security
concept, called groups.
• Group permissions allow multiple users to share a common
set of permissions for an object on the system, such as a
file, directory, or device
• Linux distributions differ somewhat on how they handle
default group memberships.
• Some Linux distributions create just one group that
contains all the user accounts as members.
• You need to be careful if your Linux distribution does this,
because your files may be readable by all other users on
the system.
• Other distributions create a separate group account for
each user to provide a little more security.
• Each group has a unique GID, which, like UIDs, is a unique
numerical value on the system.
• Along with the GID, each group has a unique group name.
You can use some group utilities to create and manage your
own groups on the Linux system
• The /etc/group file
• Just like user accounts, group information is stored in a file
on the system.
• The /etc/ group file contains information about each group
used on the system.
• These are examples from a typical /etc/group file on a Linux
system:
• root:x:0:root
• bin:x:1:root,bin,daemon
• daemon:x:2:root,bin,daemon
• sys:x:3:root,bin,adm
• adm:x:4:root,adm,daemon
• rich:x:500:
• mama:x:501:
• katie:x:502:
• jessica:x:503:
• mysql:x:27:
• test:x:504:
• Like UIDs, GIDs are assigned using a special format.
• Groups used for system accounts are assigned GIDs below 500,
and user groups are assigned GIDs starting at 500.
• The /etc/ group file uses four fields:
• ■ The group name
• ■ The group password
• ■ The GID
• ■ The list of user accounts that belong to the group
• The group password allows a non-group member to temporarily
become a member of the group by using the password.
• This feature is not used all that commonly, but it does exist
• You should never add users to groups by editing the
/etc/group file.
• Instead, use the usermod command to add a user account
to a group
• Before you can add users to different groups, you must
create the groups.
 Creating new groups
• The groupadd command allows you to create new groups on your
system:
• $/usr/sbin/groupadd shared
• $ tail /etc/group //display the last ten lines of one or more files
– haldaemon:x:68:
– xfs:x:43:
– gdm:x:42:
– rich:x:500:
– mama:x:501:
– shared:x:505:
– $
• When you create a new group, no users are assigned to it by
default.
• To add new users, use the usermod command
• # /usr/sbin/usermod -G shared rich
• # /usr/sbin/usermod -G shared test
• # tail /etc/group
• haldaemon:x:68:
• test:x:504:
• shared:x:505:rich, test
• The shared group now has two members, test and rich.
• The -G parameter in usermod appends the new group to
the list of groups for the user account
• If you change the user groups for an account that is
currently logged into the system, the user must log out and
then log back in for the group changes to take effect.
• Be careful when assigning groups for user accounts.
• If you use the -g parameter, the group name you specify
replaces the default group for the user account.
• The -G parameter adds the group to the list of groups the
user belongs to, keeping the default group intact.
 Modifying groups
• The groupmod command allows you to change the GID (using
the -g parameter) or the group name (using the -n parameter)
of an existing group:
• $ /usr/sbin/groupmod -n sharing shared
• $ tail /etc/group
• mysql:x:27:
• test:x:504:
• sharing:x:505:test,rich
• $
• When changing the name of a group, the GID and group
members remain the same, only the group name changes
 Decoding File Permissions
• This section describes how to decipher the permissions and
where they come from.
Using file permission symbols
• the ls command allows you to see the file permissions for files,
directories, and devices on the Linux system:
• $ ls -l
• total 68
• -rw-rw-r-- 1 rich rich 50 2010-09-13 07:49 file1.gz
• -rw-rw-r-- 1 rich rich 23 2010-09-13 07:50 file2
• The first field in the output listing is a code that describes
the permissions for the files and directories.
• The first character in the field defines the type of the object:
– - for files
– d for directories
– l for links
– c for character devices
– b for block devices
– n for network devices
• After that, you see three sets of three characters.

• The three sets relate the three levels of security for the object:
• ■ The owner of the object
• ■ The group that owns the object
• ■ All others on the system
• Each set of three characters defines an access permission
triplet:
• ■ r for read permission for the object
• ■ w for write permission for the object
• ■ x for execute permission for the object
• If a permission is denied, a dash appears in the location.
• -rwxrwxr-x 1 rich rich 4882 2010-09-18 13:58 myprog
• The file myprog has the following sets of permissions:
• ■ read, write and execute for the file owner (set to the
login name rich)
• ■ read, write and execute for the file group owner (set to
the group name rich)
• ■ read and execute for everyone else on the system
 Default file permissions
• You may be wondering about where these file permissions
come from.
• The answer is umask
• The umask command sets the default permissions for any
file or directory you create:
• $ touch newfile
• $ ls -al newfile
• -rw-r--r-- 1 rich rich 0 Sep 20 19:16 newfile
• $
• The touch command created the file using the default
permissions assigned to my user account.
• The umask command shows and sets the default permissions:
• $ umask
• 0022
• $
• The first digit represents a special security feature called the
sticky bit.
• The next three digits represent the octal values of the umask
for a file or directory
• The umask value is just that, a mask.
• It masks out the permissions you don’t want to give to the
security level
• You can specify a different default umask setting using the
umask command:
• $ umask 026
• By setting the umask value to 026, the default file
permissions become 640, so the new file now is restricted to
read-only for the group members, and everyone else on the
system has no permissions to the file.
 Changing Security Settings
• Changing permissions
• The chmod command allows you to change the security
settings for files and directories.
• The format of the chmod command is:
• chmod options mode file
• $ chmod 760 newfile
• $ ls -l newfile
• -rwxrw---- 1 rich rich
 umask
• On Unix-like operating systems, the umask command
returns, or sets, the value of the system's file mode creation
mask.
• On Linux and other Unix-like operating systems, new files are
created with a default set of permissions.
• Specifically, a new file's permissions may be restricted in a
specific way by applying a permissions "mask" called
the umask.
• The umask command is used to set this mask, or to show
you its current value.
• Syntax
• umask [-S] [mask]
• Options
• -S Accept a symbolic representation of a mask, or return
one.
• mask If a valid mask is specified, the umask is set to this
value.
• If no mask is specified, the current umask value is returned.
 Classes of users
• As you may know, each file on your system has associated
with it a set of permissions used to protect files: a file's
permissions determine which users may access that file, and
what type of access they have to it.
• There are three general classes of users:
• The user who owns the file ("User").
• Users belonging to the file's defined ownership group
("Group").
• Everyone else ("Other").
• In turn, for each of these classes of user, there are three
types of file access:
• The ability to look at the contents of the file ("Read").
• The ability to change the contents of the file ("Write").
• The ability to run the contents of the file as a program on
the system ("Execute").
• So, for each of the three classes of user, there are three
types of access.
• Taken together, this information makes up the
file's permissions.
 How are permissions represented?
• There are two ways to represent a file's permissions:
symbolically (using symbols like "r" for read, "w" for write,
and "x" for execute) or with an octal numeric value.
• For example, when you list the contents of a directory at
the command line using the ls command as follows:
• ls –l
• you will see (among other information) the file permission
information for each file.
• Here, it is represented symbolically, which looks like the
following example:
• -rwxr-xr--
 - rwx r-x r--
• There are ten symbols here.
• The first dash ("-") means that this is a regular file, in other
words, not a directory (or a device, or any other special kind
of file).
• The remaining nine symbols represent the permissions: rwxr-
xr--.
• These nine symbols are actually three sets with three
symbols each, and represent the respective specific
permissions, from left to right
 Specifying the file creation mask using
symbols
• The general symbolic form of a mask is as follows:
• [user class symbol(s)][permissions operator][permission
symbol(s)][,]...
• user class symbol may be one or more of the following:
• u – user, g – group, o – other(anyone else), a- all
• permission symbol is any combination
of r (read), w (write), or x (execute), as described above.
• Permissions operator
• + allow the specified file permissions to be enabled for the
specified user classes (permissions that are not specified
are unchanged in the mask).
• - prohibit the specified file permissions from being
enabled for the specified user classes (permissions that
are not specified are unchanged in the mask).
• =allow the specified file permissions to be enabled for the
specified user classes (permissions not specified will be
prohibited by the mask during file creation).
• So, for example, the following umask command:
• umask u+w
• sets the mask so that when files are created, they have
permissions which allow write permission for the user (file
owner).
• The rest of the file's permissions would be unchanged from
the operating system default.
• Multiple changes can be specified by separating multiple
sets of symbolic notation with commas (but not spaces!).
• For example: umask u-x, g=r, o+w
• This command sets the mask so that when subsequent
files are created, they have permissions that:
• 1. prohibit the execute permission from being set for the
file's owner (user), while leaving the rest of the owner
permissions unchanged;
• 2. enable read permission for the group, while prohibiting
write and execute permission for the group;
• 3. enable write permission for others, while leaving the rest
of the other permissions unchanged.
• Note that if you use the equals operator ("="), any
permissions not specified will be specifically prohibited.
• For example, the command:
• umask a=
• Sets the file creation mask so that new files are inaccessible
to everyone.
 Specifying the file creation mask using
numeric representation
• The file creation mask can also be represented numerically,
using octal values (the digits from 0 to 7).
• When using octal numeric representation, certain numbers
represent certain permissions, and these numbers are added
or subtracted from each other to represent the final,
combined permissions value.
• Specifically, the numbers 1, 2, and 4 represent the following
permissions:
• These numbers are used because any combination of
these three numbers will be unique.
• The following table illustrates their unique combinations:

001

010

011

100

101

110

111
• For each class of user, one digit can represent their
permissions; using the example above, we could represent
the symbolic permission of rwx r-x r-- using the three-digit
octal number 754.
• The order of the digits is always the
same: User, Group, Other.
 The other permission digit
• In octal representations of file permissions, there are actually
four digits.
• The three important digits we've discussed are the last three
digits.
• The first digit is a special file permission indicator, and for
this discussion can be considered always to be zero.
• So from here on out, when we discuss file permission 777, it
may also be referred to as 0777
 How does the umask actually work?
• The umask masks permissions by restricting them by a
certain value.
• Essentially, each digit of the umask is "subtracted" from the
OS's default value to arrive at the default value you define.
• It's not really subtraction; technically, the mask is negated
(its bitwise compliment is taken) and this value is then
applied to the default permissions using a logical
AND operation.
• The result is that the umask tells the operating system
which permission bits to "turn off" when it creates a file
• In Linux, the default permissions value is 666 for a regular
file, and 777 for a directory.
• When creating a new file or directory, the kernel takes this
default value, "subtracts" the umask value, and gives the
new files the resulting permissions
• So if we set umask value as 022, then any new files will, by
default, have the permission of rw- r-- r– (666-022=644)
• Likewise, any new directories will, by default, be created
with the permissions 755 (777 – 022=733)
• To view your system's current umask value, enter the
command:
• umask
• which returns your system's umask as a four-digit octal
number, for example: 0002
• To view this as a symbolic representation, use the -S flag:
• umask –S
• Which returns the same value symbolically, for example:
• u=rw-,g=rw-,o=r- -? 666-002= 664 = 110 110 100
• mkdir test
• ls –ltrd test
• d rwx rwx r-x
• 777-002 = 775 = 111 111 101
• where u stands for user, g stands for group, and o stands
for other.
• This is telling us that if we create a new file, it has the
default permissions 664, which is 666 (the default
permissions for files) masked by 002 (our umask value).
• touch testfile
• ls -l testfile
• -rw-rw-r-- 1 myusername myusername 0 Jan 7 14:29
testfile
• The owner and group may read or write the file, and others
may only read it - 0
• Now let's change the umask to remove write permission
from group and others
• To set a umask of 022, use the command:
• umask 022
• This is the same as running umask 0022; if you specify only
three digits, the first digit will be assumed to be zero.
• As expected, the new file has permissions -rw-r--r–
• The number "2“(010) permission (write permission) will be
"filtered" from the system’s default permissions of 666 and
777 (hence the name “mask.”)
• umask 022
• From now on, the system will now assign the default
permissions of 644 and 755 on new files and directories.
• Simply put, to calculate the permission bits for a new file or
directory, we just subtract the umask value from the default
value, like so.
• 666 - 022 = 644 (110 100 100)
• 777 - 022 = 755 (111 101 101)
• How to remove the read and write permission from
others and make the files inaccessible to others ?
• umask 026 – 000 010 110
 Odd to even conversion
• When we use the umask value that results in odd digits in
the resultant file permission value, the odd digits are
converted into even by incrementing them by one
• For example, $ umask 15 = 666 – 15 = 651
• The 5 and 1 are changed into 6 and 2 resulting in 662 as the
file permission.
• So the files created will have the permissions as follows:
• Owner: RW, Group: RW, Others: W
• The aim of the modification is to prevent execution
permission
• Only through chmod u+x one can acquire the execute
permission for a particular file
• Note that for directories, no such conversions done, only
for files this is followed
• And now let's create a new file:
• touch testfile2
• And now let's view its directory listing, with the first file we
created, using the asterisk wildcard ("*") to view all files
whose name start with "testfile":
• ls -l testfile*
• -rw-r----- 1 myusername myusername 0 Jan 7 14:29 testfile -
rw-r--r-- 1 myusername myusername 0 Jan 7 14:39 testfile2
• umask 777 or umask 666-> 000 000 000
• Make new files inaccessible to everyone - no one can
read, write, or execute them.
• umask 000->110 110 110
• Make new files completely accessible (read and write) to
absolutely everyone.
• However, this is a bad idea. Don't do this
• A umask of 022 allows only you to write data, but anyone
can read data( 666-22= 644 = 110 100 100).
• A umask of 077 is good for a completely private system. No
other user can read or write your data if umask is set to 077
(666-077= 589 = 110 000 000) .
• A umask of 002 is good when you share data with other
users in the same group(666-002=664=110 110 100).
• Members of your group can create and modify data files;
those outside your group can read data file, but cannot
modify it.
• Set your umask to 007 to completely exclude users who are
not group members(666-007=659= 110 101 000)
• umask 033 ?
• 666 – 33 = 633 = 644 ( odd to even)
• -rw-r--r-- (000 011 011)
• umask 013
• 666-13 = 653 = 664
• -rw-rw-r-- (000 001 011)
#!/bin/bash

# Setting umask
umask 0026

# Creating a directory and file

mkdir my_secure_dir
touch my_secure_dir/my_secure_file

# Displaying the permissions

ls -ld my_secure_dir my_secure_dir/my_secure_file
 Changing ownership
• Sometimes, you need to change the owner of a file, such as
when someone leaves an organization or a developer creates
an application that needs to be owned by a system account
• Linux provides two commands for doing that.
• The chown command makes it easy to change the owner of a
file, and the chgrp command allows you to change the default
group of a file.
• The format of the chown command is:
• $ chown -R [USER][:GROUP] File 0r Directory
• You can specify either the login name or the numeric UID
for the new owner of the file:
• # chown dan newfile
• # ls -l newfile
• -rw-rw-r-- 1 dan rich
• The chown command also allows you to change both the
user and group of a file:
• You can just change the default group for a file:
• $ chown :rich newfile
• $ ls -l newfile
• -rw-rw-r-- 1 dan rich

• For simultaneous change in both of the owner and group of

a file
• $ chown dan:shared newfile
• $ ls -l newfile
• -rw-rw-r-- 1 dan shared
• The chgrp command provides an easy way to change just
the default group for a file or directory:
• $ chgrp shared newfile
• $ ls -l newfile
• -rw-rw-r-- 1 rich shared
 How to Use Recursive Chown
• Recursive chown is useful if you want to change the
permissions for all the sub-directories and files inside a
directory
• $ chown -R [USER][:GROUP] Directory
• $ chown -R newowner /home/TestPermissions/
 Sharing Files
• Creating groups is the way to share access to files on the
Linux system.
• However, for a complete file-sharing environment, things
are more complicated.
• As you’ve already seen, when you create a new file, Linux
assigns the file permissions of the new file using your
default UID and GID.
• To allow others access to the file, you need to either change
the security permissions for the group or assign the file a
different default group that contains other users
• This can be a pain in a large environment if you want to create
and share documents among several people.
• Fortunately, there’s a simple solution for how to solve this
problem.
• There are three additional bits of information that Linux stores
for each file and directory:
• ■ The set user id (SUID): When a file is executed by a user, the
program runs under the permissions of the file owner.
• ■ The set group id (SGID): For a file, the program runs under the
permissions of the file group. For a directory, new files created in
the directory use the directory group as the default group.
• ■ The sticky bit: The file remains (sticks) in memory after the
process ends
• The SGID bit is important for sharing files.
• By enabling the SGID bit, you can force all new files created
in a shared directory to be owned by the directory’s group
and now the individual user’s group.
• The SGID is set using the chmod command.
• It’s added to the beginning of the standard three-digit octal
value (making a four-digit octal value), or you can use the
symbol s in symbolic mode.
• So, to create a shared directory that always sets the
directory group for all new files, all you need to do is set the
SGID bit for the directory:
• $ chgrp shared testdir
• $ chmod g+s testdir
• Use the chgrp command to change the default group for the
directory to a group that contains the members who need to
share files (you must be a member of that group for this to
work).
• Finally, set the SGID bit for the directory to ensure that any
files created in the directory use the shared group name as
the default group.
• After all that’s done, any member of the group can go to the
shared directory and create a new file.
• As expected, the new file uses the default group of the
directory, not the user account’s default group.
• Now any user in the shared group can access this file.