File security

Because of its multiuser nature, it is expected that many different people will store their files on the same computer. It is understood that some files may be shared while others are private, and the operating system has a mechanism to prevent others from reading your private files.

Users and groups

The standard security paradigm on unix filesystems is based on two ideas. The first idea is that there is a single administrative user, called root, that is all-powerful. The root user can arbitrarily create and destroy files (even files owned by others). Root can read every file on a unix system.

The second idea of unix file security is group membership. Every user account is a member of one or more groups, which can be displayed by typing the groups command. Each file on a unix system has an associated owner and group, and these are used to determine how different users can access the file.

Example 3-5. Displaying an account's group memberships

$ groups
faculty

File types

The specific mechanism that provides file security (in the context of group membership) is called "file permissions." Sometimes this is also referred to as the "mode" of the file. The ls command reports the current permissions on a file when passed the -l (minus ell) option. The first column of the output contains a set of letters that give the type of file along with three classes of permissions: the permissions for the owner of the file, for the members of the group that the file belongs to, and for anyone.

Example 3-6. Long listing with permissions

$ ls -l
total 8
drwxr-xr-x    2 dbindner faculty      4096 Jul  8 20:38 stuff
-rw-r-----    1 dbindner faculty       186 Jul  8 20:38 test.pl

The example ls -l command above shows one directory named stuff and one regular file named test.pl. The owner of both is the dbindner account, and both belong to the group faculty.

Notice that the first letter on each output line shows the type of file, 'd' for directories and '-' for regular files. Other, less common designations include:

Table 3-1. File type designations

l a symbolic link (something like the shortcuts in Windows)
b block device (like a hard drive partition)
c a character device (like a sound card)
p a pipe
s a socket

It is not necessary to understand all of the file types immediately. A beginner can expect to encounter mostly regular files, directories, and (sometimes) symbolic links.

Permissions for regular files

Immediately following the file type designator are the permissions for owner, group, and anyone. Each set of permissions is marked by three consecutive letters: r for read, w for write, and x for execute. The permission is granted if the letter is listed, and it is denied if the letter is missing. For test.pl the owner permissions are 'rw-', which indicate that the owner, dbindner, can read and write (or delete) the file. The group permissions are 'r--', which mean that any member of the group faculty can read (but not change or delete) the file. The permissions for anyone else are '---': no one else can read or modify the file in any way.

Notice that no one can execute the file as a program. This mechanism differs from the way an operating system like Windows would behave. In Windows, whether a file can be executed or not depends on its filename extension. Under unix, the form of the filename is irrelevant. It is the permissions that differentiate executable files (programs) from other files.

The permissions of a file may be changed by the file's owner (or the system administrator) using the chmod (change mode) command. The simplest syntax accepts a number representing the new permissions/mode, followed by a list of files to apply the mode to. The mode is most commonly a three-digit number. The first digit specifies the owner permissions, the second digit specifies the group permissions, and the third digit specifies the anyone permissions (this is the same order as in the listing).

Each individual permission has a value associated with it. Execute permission, x, is given the value 1. Write permission, w, is 2. Read permission, r, is 4. Notice how the values double as they read from right to left in the long file listing. Using these values, the current mode of the test.pl file could be correctly described as 640 (6=4+2 because the owner has rw-, 4 because the group has r--, and 0 because anyone has ---). To mark this file as an executable program available to everyone, the owner could type:

Example 3-7. Using chmod to change the mode of a file

$ chmod 755 test.pl
$ ls -l test.pl
-rwxr-xr-x    1 dbindner faculty       186 Jul  8 20:38 test.pl
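The arithmetic described above (r = 4, w = 2, x = 1, one digit per class) can be checked mechanically. The following is an added example and not part of the original text: two small POSIX shell functions, perm_to_octal and octal_to_perm (names chosen for this example), that convert between the nine permission letters printed by ls -l and the three-digit mode accepted by chmod. The first accepts either the full ten-character field, type letter included, or just the nine permission letters; the second also tolerates a four-digit mode with a leading 0.

```shell
#!/bin/sh
# Added example (not from the original text): convert between the symbolic
# permission string shown by `ls -l` and the numeric mode used by chmod.
# Each class (owner, group, anyone) becomes one octal digit: r=4, w=2, x=1.

# perm_to_octal "-rw-r-----"  ->  640
perm_to_octal() {
    p=$1
    if [ ${#p} -eq 10 ]; then
        p=${p#?}                      # drop the file type designator
    fi
    if [ ${#p} -ne 9 ]; then
        echo "perm_to_octal: expected 9 permission letters" >&2
        return 1
    fi
    mode=""
    i=1
    while [ $i -le 7 ]; do            # i = 1, 4, 7: start of each class
        triple=$(printf '%s' "$p" | cut -c "$i-$((i + 2))")
        d=0
        case $triple in r??) d=$((d + 4)) ;; esac
        case $triple in ?w?) d=$((d + 2)) ;; esac
        case $triple in ??x) d=$((d + 1)) ;; esac
        mode="$mode$d"
        i=$((i + 3))
    done
    printf '%s\n' "$mode"
}

# octal_to_perm 755  ->  rwxr-xr-x
octal_to_perm() {
    m=$1
    if [ ${#m} -eq 4 ]; then
        m=${m#?}                      # ignore a leading digit such as 0755
    fi
    case $m in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_perm: expected three octal digits" >&2; return 1 ;;
    esac
    perm=""
    i=1
    while [ $i -le 3 ]; do
        d=$(printf '%s' "$m" | cut -c "$i")
        if [ $((d & 4)) -ne 0 ]; then perm="${perm}r"; else perm="${perm}-"; fi
        if [ $((d & 2)) -ne 0 ]; then perm="${perm}w"; else perm="${perm}-"; fi
        if [ $((d & 1)) -ne 0 ]; then perm="${perm}x"; else perm="${perm}-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$perm"
}

# Stand-alone demonstration using the listing from Example 3-6.
perm_to_octal "-rw-r-----"        # 640
perm_to_octal "drwxr-xr-x"        # 755
octal_to_perm 700                 # rwx------
```

The functions are inverses of each other, so a quick sanity check is that perm_to_octal applied to the output of octal_to_perm returns the mode you started with.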

Permissions for directories

The read, write, and execute permissions take on slightly different meanings for directories. The most intuitive is write permission, which allows you to create new files and delete existing files. The only nonintuitive part of write permission on directories is that it allows you to delete files you do not own (or have write permission for) since you are effectively removing them from the directory and not actually modifying the files themselves.

The read and execute permissions on a directory limit how you can list and use a directory, and are generally granted together. You need execute permission to cd to a directory, to use files in it, and (ironically) to produce a proper listing of its contents. You need read permission to get any listing at all of the directory's contents. Generally, if you wish someone to be able to use a directory, you give them read and execute permission. If you wish to restrict access, you remove both.

Example 3-8. Using chmod to change the mode of a directory

$ chmod 700 stuff
$ ls -ld stuff
drwx------    2 dbindner faculty      4096 Jul  8 20:38 stuff
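The two points above, that deleting a file is governed by write permission on the directory rather than on the file, and that execute and read permission on a directory control different things, can be observed in a scratch directory. The following is an added example and not part of the original text; it must be run as an ordinary user, since, as noted earlier, root is not subject to these checks. The function names delete_needs_dir_write and dir_access are this example's own.

```shell
#!/bin/sh
# Added example (not from the original text): what directory permissions
# actually control. Run as an ordinary user; root bypasses these checks.

# Deleting a file requires write permission on the DIRECTORY, not on the
# file. Prints "denied" or "removed".
delete_needs_dir_write() {
    dir=$(mktemp -d) || return 1
    : > "$dir/victim"
    chmod 644 "$dir/victim"       # the file itself is writable by its owner
    chmod 500 "$dir"              # directory is r-x------: no write
    if rm -f "$dir/victim" 2>/dev/null; then
        verdict=removed
    else
        verdict=denied
    fi
    chmod 700 "$dir"              # restore write so cleanup can succeed
    rm -rf "$dir"
    printf '%s\n' "$verdict"
}

# Execute permission lets you reach a file inside the directory by name;
# read permission lets you list the names. Argument: the directory mode
# to try (for example 100 or 400). Prints "list-<ok|denied> open-<ok|denied>".
dir_access() {
    dir=$(mktemp -d) || return 1
    echo hello > "$dir/note"
    chmod 644 "$dir/note"
    chmod "$1" "$dir"
    if ls "$dir" >/dev/null 2>&1; then l=ok; else l=denied; fi
    if cat "$dir/note" >/dev/null 2>&1; then o=ok; else o=denied; fi
    chmod 700 "$dir"              # the owner may always chmod, so cleanup works
    rm -rf "$dir"
    printf 'list-%s open-%s\n' "$l" "$o"
}

# Stand-alone demonstration.
echo "rm with r-x on the directory: $(delete_needs_dir_write)"
echo "directory mode 100 (execute only): $(dir_access 100)"
echo "directory mode 400 (read only):    $(dir_access 400)"
```

With execute but no read (mode 100) the listing is refused while a file whose name you already know can still be opened; with read but no execute (mode 400) the file cannot be opened at all, which is why the two permissions are normally granted together.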

Default permissions

The permissions that a newly created file has are a combination of default settings that can be customized by the user and settings of the program that creates the file. Mail programs, for example, universally create files with mode 600 (read and write for the owner only) because there is an assumption that email is private. A user's default preference is called their umask. The current umask setting is applied whenever any program creates a new file, although both the user and programs can modify the umask.

The umask setting, like a mode, is a number with one digit each for the owner, group, and anyone masks. Sometimes it will contain four digits, but you may ignore the first digit, which is usually a leading 0. Only the last three digits are important to the discussion here. Although one might expect the umask to contain the default permissions allowed, the umask value actually indicates the permissions that are disallowed by default. Common umask values are 022 (writing for group and anyone is disallowed), 002 (writing for anyone is disallowed), and 077 (all permissions are disallowed for both group and anyone). The current umask value can be displayed and modified via the umask command.

Example 3-9. Using umask to set the file creation mask

$ umask
0022
$ touch file1.txt
$ ls -l file1.txt
-rw-r--r--    1 dbindner faculty         0 Jul  9 11:49 file1.txt
$ umask 0077
$ touch file2.txt
$ ls -l file2.txt
-rw-------    1 dbindner faculty         0 Jul  9 11:50 file2.txt

Here the touch command, which is commonly used to update the timestamp of a file, is used to create two new (empty) files, the second of which is private to the owner.
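The relationship between the umask and the resulting mode is a bitwise one: the program asks for a base mode (666 for an ordinary new file such as the one touch creates, 777 for a new directory) and every bit set in the umask is cleared from it. The following is an added example and not part of the original text: mode_after_umask does that arithmetic, and create_with_umask repeats Example 3-9 inside a subshell and reports the permission field of the file it created. Both function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original text): the arithmetic behind the
# umask, checked against a real file created by touch.

# mode_after_umask BASE UMASK -> resulting mode, e.g. 666 022 -> 644.
# The shell's arithmetic treats a leading 0 as octal, so "0$base" and
# "0$mask" are read as octal numbers; the mask bits are cleared from base.
mode_after_umask() {
    base=$1
    mask=$2
    printf '%03o\n' $(( 0$base & ~0$mask ))
}

# create_with_umask UMASK -> permission field of a file created by touch
# under that umask, e.g. 077 -> -rw-------. Runs in a subshell so the
# caller's own umask is left unchanged; the file is removed afterwards.
create_with_umask() {
    (
        umask "$1"
        dir=$(mktemp -d) || exit 1
        touch "$dir/new.txt"
        ls -l "$dir/new.txt" | cut -c 1-10   # first ten characters only
        rm -rf "$dir"
    )
}

# Stand-alone demonstration.
mode_after_umask 666 022          # 644
mode_after_umask 666 077          # 600
mode_after_umask 777 022          # 755 (what mkdir would produce)
create_with_umask 022             # -rw-r--r--
create_with_umask 077             # -rw-------
```

Note that the umask can only take permissions away: a program that asks for 600, as the mail programs mentioned above do, gets 600 regardless of how permissive the umask is.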

The current umask setting is remembered as long as your session is active. If you exit the shell or log out, it is forgotten. To customize the umask setting for every login, place a umask command in your startup scripts. If you use the bash shell, this would be the ~/.bashrc file.