Thursday, 15 May 2014

Basic - File Permissions


  Access control on a Unix file system is built on ownership and permissions. Every file and directory has an owner, a group and a set of permission bits that say who may read, write or execute it. The purpose is to keep users away from data and programs they have not been granted access to. Permissions are the first line of defence on a shared system, and most of the checks that follow come down to spotting files and directories that grant more than they should.

Permissions on Unix-like operating systems are managed in three distinct classes. These classes are known as user, group, and others.

Permission Classes:
User (u) - The owner of the file.
Group (g) - Users who are members of the file's group. The owner may also be a member of that group, but the kernel checks only the first class that matches, so for the owner it is always the user bits that count.
Others (o) - Everyone who is neither the owner nor a member of the file's group.


Permission Types:
Read (r) - On a file, read grants the ability to read its contents. On a directory, it grants the ability to list the names of the entries in it (but not to find out anything further about them, such as contents, file type, size, ownership or permissions; that needs execute as well).
Write (w) - On a file, write grants the ability to modify its contents. On a directory, it grants the ability to change the entries in the directory: creating, deleting and renaming files. Note that deleting or renaming a file is governed by write on the directory, not by the permissions of the file itself, so a read-only file in a writable directory can still be removed. Write on a directory is only usable together with execute.
Execute (x) - On a file, execute grants the ability to run it. This bit must be set on executable binaries (e.g. a compiled C program) and shell scripts for the operating system to run them. On a directory, execute (also called search) grants the ability to enter the directory and to access the contents and metadata of an entry whose name is already known, but not to list the entries (unless read is also set).

How to check permissions?
Run ls -l on a file (or ls -ld on a directory); the first field of the output is the permission string.

# ls -l test.txt
-rwxr-xr-x. 1 subrat sysadmin 2225 May  7 14:32 test.txt

Look at the first field of the output. This is the permission string of the file or directory. Split it up as below and it becomes easy to read. (The trailing dot that GNU ls prints after the permissions means the file carries an SELinux security context; a + in that position means the file has an ACL, which can grant access that the nine bits do not show.)

-rwxr-xr-x
 -          rwx          r-x          r-x
 File Type  User (u)     Group (g)    Others (o)

File Types -
-  Regular file
d  Directory
l  Symbolic link
c  Character device
b  Block device
p  Named pipe (FIFO)
s  Socket

For a directory, use ls -ld in the same way; without -d, ls would list the directory's contents instead of describing the directory itself.
# ls -ld test
drwxr-xr-x. 2 subrat sysadmin 12288 May 12 11:44 test
 

In the above example, for user, there is read, write & execute permission, for group, there is read & execute permission, and for others, there is read & execute permission.

Octal representation of Permissions -
Each permission bit has a fixed octal value:
r -- 4
w -- 2
x -- 1

For e.g. You want to set permission as follows,
  For user as rwx (read, write, execute)
    User --- 4+2+1 --- 7
  For group as r-x (read, execute)
    Group --- 4+0+1 --- 5
  For others as r-- (read)
    Others --- 4+0+0 --- 4
So, the effective permission in octal will be 754.
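The conversion above is mechanical, so here it is as a small POSIX sh script that can be sourced from an audit script. This is an added example and not code from the original post; it handles only the nine rwx bits and the file-type column described above (no setuid, setgid or sticky bits), and the helper names mode_to_octal, octal_to_mode, file_type and world_writable are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: translate between the
# symbolic permission string that `ls -l` prints and the octal form used
# by chmod. Only the nine rwx bits are handled; setuid/setgid/sticky are
# out of scope for this page. POSIX sh, no external tools except cut.

# mode_to_octal MODE
#   MODE is 9 chars ("rwxr-xr--") or 10 chars with the file-type column
#   ("-rwxr-xr--", "drwxr-x---"). Prints the three octal digits.
mode_to_octal() {
    m=$1
    case $m in
        [-dlcbps]?????????) m=${m#?} ;;   # drop the type column
        ?????????) ;;
        *) echo "mode_to_octal: bad mode string '$1'" >&2; return 1 ;;
    esac
    out=""
    while [ -n "$m" ]; do
        t=$(printf '%s' "$m" | cut -c1-3)   # next rwx triplet
        m=${m#???}
        n=0
        case $t in r??) n=$((n + 4)) ;; esac
        case $t in ?w?) n=$((n + 2)) ;; esac
        case $t in ??x) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# octal_to_mode OCTAL  ->  "rwxr-xr--"
octal_to_mode() {
    o=$1
    case $o in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_mode: expected three octal digits, got '$1'" >&2; return 1 ;;
    esac
    out=""
    while [ -n "$o" ]; do
        d=$(printf '%s' "$o" | cut -c1)
        o=${o#?}
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# file_type MODE -> one word naming the type from the first column of ls -l
file_type() {
    case $1 in
        -*) echo regular ;;
        d*) echo directory ;;
        l*) echo symlink ;;
        c*) echo chardev ;;
        b*) echo blockdev ;;
        p*) echo fifo ;;
        s*) echo socket ;;
        *) echo unknown; return 1 ;;
    esac
}

# world_writable MODE -> exit 0 if the "others" class has write.
# This is the first thing to look for when auditing ls -l output.
world_writable() {
    case $1 in
        ??????????) m=${1#?} ;;
        *) m=$1 ;;
    esac
    case $m in ???????w?) return 0 ;; *) return 1 ;; esac
}

if [ "${1-}" = --demo ]; then
    for s in -rwxr-xr-x drwxr-xr-x -rw-r--r-- -rw-rw-rw-; do
        printf '%-11s type=%-9s octal=%s\n' "$s" "$(file_type "$s")" "$(mode_to_octal "$s")"
    done
    octal_to_mode 754
fi
```

Run it with --demo to see a few conversions; world_writable is the check to run over ls -l output when hunting for files that anyone on the system can modify.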

Now we will learn how to change the permissions, ownership, group of a file or directory.

chmod

The chmod command changes the access permissions of a file or directory. Only the owner of the file or root can do this.

Permissions can be given in two ways, symbolic mode and numeric (octal) mode.
In symbolic mode, the classes are written as:
     u=user, g=group, o=others, a=all three (the default when no class is given)
In Numeric way, we will use the octal representation for effective permission.
       r=4, w=2, x=1
       e.g.  rwx = 4+2+1 = 7
        rw- = 4+2+0 = 6
        r-x = 4+0+1 = 5
        -wx = 0+2+1 = 3
        r-- = 4+0+0 = 4
        -w- = 0+2+0 = 2
        --x = 0+0+1 = 1
        --- = 0+0+0 = 0

Note: Combinations such as -wx (write and execute without read) look odd for a file, because a user who cannot read a file usually has little use for writing to or running it. For a directory, though, -wx is a deliberate pattern: users can create files in it and reach entries whose names they know, but cannot list what is there (a "drop box" directory). Do not dismiss such a mode as a mistake when you see it in an audit; ask what it is for.

Also we need to use the following symbols for adding & revoking access permission,
     + means add permission
  - means remove permission
  = means assign permission and remove the permission of unspecified fields


Here we go...

- Adding permissions for user/owner to file or directory.
# chmod u+r file.txt
# chmod u+w,u+x file.txt
# chmod u+r,u+w,u+x dir1

- Adding permissions for group and others to a file or directory.
# chmod g+r,o+r file.txt
# chmod g+w,o+x dir1

- Adding multiple permissions in a single line.
# chmod u+rwx,g+rx,o+x file.txt
# chmod a+r,u+wx,g+x dir1
# chmod u+rwx,go+r dir2
# chmod ug+rwx,o+rx dir3
# chmod ugo+rwx dir4

- Revoking permissions from user, group & others.
# chmod u-w,g-x file.txt
# chmod a-x,o-rw file.txt
# chmod g-w,o-rwx dir1
# chmod go-wx file.txt

All of the examples above add or remove the read, write and execute bits relative to the existing permissions of the file or directory: only the bits you name change, and everything else is left as it is.

The = operator works differently: it does not look at the existing permissions but replaces them, for the classes you name, with exactly the bits you list.

# chmod ug=rwx,o=rx file1
# ls -l file1
-rwxrwxr-x. 1 subrat sysadmin 73740 Apr  9 06:42 file1

# chmod a=rwx file1
# ls -l file1
-rwxrwxrwx. 1 subrat sysadmin 73740 Apr  9 06:42 file1


This also can be done using the numeric way as follows,

# chmod 777 file2
# ls -l file2
-rwxrwxrwx. 1 subrat subrat 3324 Apr  9 06:43 file2

# chmod 755 scripts/
# ls -ld scripts/
drwxr-xr-x. 2 root root 4096 May 12 12:54 scripts/


Note: A directory needs the execute (search) bit for anyone who should enter it or open files in it; read alone is only enough to list the names.

- Apply permission to multiple files or directory in a single line.
# chmod 751 file1 file2 file3
# ls -l file1 file2 file3
-rwxr-x--x. 1 subrat sysadmin 73740 Apr  9 06:42 file1
-rwxr-x--x. 1 subrat sysadmin  3324 Apr  9 06:43 file2
-rwxr-x--x. 1 root   root      3744 Apr 10 09:40 file3
 

- To apply permissions recursively to a directory, its sub-directories and all the files in them.
# chmod -R 755 scripts/

Be careful with this form: 755 is applied to every regular file as well, so data files such as configuration files (which should usually be 644 or 600) end up executable. When the intent is "directories searchable, files as they were", use the capital X symbol in symbolic mode, which grants execute only to directories and to files that already have an execute bit.
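To see what chmod -R 755 actually does to the files in a tree, and what the symbolic form with the X symbol does instead, here is an added example (not from the original post). It builds a throw-away scripts/ tree, applies each chmod and prints the resulting modes, then looks for anything group- or world-writable. It assumes GNU coreutils (chmod with X, stat -c %a) and a find that understands -perm /MODE; the file names, the make_tree, mode_of, apply_numeric, apply_symbolic and find_writable helpers, and the sample file contents are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: why `chmod -R 755` is a
# blunt instrument, and the symbolic form that does what people usually
# mean. Needs GNU coreutils (chmod with the X symbol, stat -c) and GNU or
# busybox find (-perm /MODE). Everything happens in a scratch directory.

# make_tree: build a small "scripts" tree with a data file and a script,
# print the scratch root. Modes are set explicitly so the demo does not
# depend on the caller's umask.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/scripts/lib"
    printf 'db_password=changeme\n' > "$root/scripts/lib/config.txt"
    printf '#!/bin/sh\necho hello\n' > "$root/scripts/run.sh"
    chmod 755 "$root/scripts" "$root/scripts/lib"
    chmod 600 "$root/scripts/lib/config.txt"
    chmod 700 "$root/scripts/run.sh"
    printf '%s\n' "$root"
}

# mode_of ROOT RELPATH -> octal mode of that entry (e.g. 644)
mode_of() { stat -c '%a' "$1/$2"; }

# show_modes ROOT: one "path mode" line per entry, sorted
show_modes() {
    ( cd "$1" && find scripts | sort | while IFS= read -r p; do
          printf '%s %s\n' "$p" "$(stat -c '%a' "$p")"
      done )
}

# The post's recursive command: every entry, files included, becomes 755.
apply_numeric() { chmod -R 755 "$1/scripts"; }

# Targeted form: X grants execute only to directories and to files that
# already have an execute bit, so config.txt ends up 644 and run.sh 755.
apply_symbolic() { chmod -R u=rwX,go=rX "$1/scripts"; }

# Audit check: list entries writable by group or others (-perm /022 means
# "any of these bits set"). Empty output is the result you want.
find_writable() { ( cd "$1" && find scripts -perm /022 | sort ); }

demo() {
    t=$(make_tree)
    echo "== after chmod -R 755 (the data file is now executable)"
    apply_numeric "$t"; show_modes "$t"
    t2=$(make_tree)
    echo "== after chmod -R u=rwX,go=rX"
    apply_symbolic "$t2"; show_modes "$t2"
    echo "== group/world-writable entries after chmod 666 on the config"
    chmod 666 "$t2/scripts/lib/config.txt"
    find_writable "$t2"
    rm -rf "$t" "$t2"
}

if [ "${1-}" = --demo ]; then demo; fi
```

Run it with --demo. The find_writable check is worth running on its own over any directory that other users can reach; a writable file in a search path or a writable configuration file is the usual route from "user" to "root".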



Friday, 2 May 2014

Basic - User Information & Activities on Server.

finger

The finger command displays information about system users. Given a login name it shows the user's full name, home directory, shell, current sessions, mail status and plan.

- To view details about a particular user.

# finger subrat
Login: subrat                         Name: Subrat Nayak
Directory: /home/subrat               Shell: /bin/bash
On since Mon Apr  1 18:45 (IST) on :0 (messages off)
On since Mon Apr  1 18:46 (IST) on pts/0 from :0.0
New mail received Fri May  1 10:33 2014 (IST)
Unread since Sat Apr  19 12:59 2014 (IST)
No Plan.


- To view login details and idle status of a user in short format.
# finger -s root
Login     Name  Tty   Idle  Login Time   Office     Office Phone
root      root  *1    2d    Mon 13:45
root      root  *2    1d    Wed 19:53
root      root  *3          Thu 08:20
root      root  *ta   2     Fri 21:43
root      root  *tb   2     Sat 05:44


who

The who command shows who is currently logged on to the system. It is useful for checking how many users are logged in, who they are, which terminal they are on and where they connected from (what each session is running is shown by w, below).

[root@subrat ~]# who
root    pts/0        2014-05-02 06:22 (subrat.com)
subrat  pts/1        2014-05-02 07:29 (subrat.com)
dinesh  pts/2        2014-04-30 19:17 (subrat.com)


- To view the date & time of last system boot.
[root@subrat ~]# who -b
         system boot  2014-04-19 15:12

- To view the system's current runlevel.
[root@subrat ~]# who -r
         run-level 3  2014-04-19 15:12


- To list logged-in users with idle time. After the login time, who prints the hours and minutes for which the user has been idle, followed by the PID of the login shell.
[root@subrat ~]# who -u
root    pts/0     2014-05-02 06:22    .       17634 (subrat.com)
subrat  pts/1     2014-05-02 07:29  00:11     18109 (subrat.com)
dinesh  pts/2     2014-04-30 19:17   old      13276 (subrat.com)

Note: .   means the user was active in the last minute.
      old means the user has been idle for more than 24 hours.
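The idle column is the part of who -u worth acting on: a shell that has sat idle for a day is a session somebody forgot, which is exactly what an attacker who finds an unlocked terminal or a leftover screen window would use. The script below is an added example, not part of the original post. It parses who -u lines (a constructed sample in the format above, with one extra login from 203.0.113.9, a documentation address, added so that there is something to flag) and reports sessions idle beyond a threshold or coming from a host outside an allow list. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: turn `who -u` output into
# a quick session audit. The sample lines are constructed to match the
# format above (NAME LINE TIME IDLE PID COMMENT); the 203.0.113.9 host
# is a documentation address, not a real one.

who_u_sample() {
    cat <<'EOF'
root    pts/0     2014-05-02 06:22    .       17634 (subrat.com)
subrat  pts/1     2014-05-02 07:29  00:11     18109 (subrat.com)
dinesh  pts/2     2014-04-30 19:17   old      13276 (subrat.com)
kiran   pts/3     2014-05-02 07:40  00:02     18211 (203.0.113.9)
EOF
}

# idle_minutes IDLE -> minutes as an integer; "." -> 0, "old" -> 1440
# (who prints "old" once a session has been idle for more than 24 hours).
idle_minutes() {
    case $1 in
        .) echo 0 ;;
        old) echo 1440 ;;
        [0-9][0-9]:[0-9][0-9])
            h=${1%%:*}; m=${1#*:}
            h=${h#0}; m=${m#0}          # avoid octal parsing of "08", "09"
            echo $(( ${h:-0} * 60 + ${m:-0} )) ;;
        *) echo "idle_minutes: unexpected idle field '$1'" >&2; return 1 ;;
    esac
}

# stale_sessions MAXMIN  (reads who -u lines on stdin)
#   prints "USER LINE HOST idle Nm" for sessions idle at least MAXMIN minutes.
stale_sessions() {
    while read -r user line date time idle pid host; do
        [ -n "$user" ] || continue
        mins=$(idle_minutes "$idle") || continue
        if [ "$mins" -ge "$1" ]; then
            printf '%s %s %s idle %sm\n' "$user" "$line" "$host" "$mins"
        fi
    done
}

# foreign_sessions ALLOWED_HOST...  (reads who -u lines on stdin)
#   prints sessions whose origin host is not in the allow list; the host
#   column is "(host)", so the parentheses are stripped before comparing.
foreign_sessions() {
    while read -r user line date time idle pid host; do
        [ -n "$user" ] || continue
        h=${host#\(}; h=${h%\)}
        ok=0
        for a in "$@"; do [ "$h" = "$a" ] && ok=1; done
        [ "$ok" -eq 1 ] || printf '%s %s from %s\n' "$user" "$line" "$h"
    done
}

if [ "${1-}" = --demo ]; then
    echo "== sessions idle 10 minutes or more"
    who_u_sample | stale_sessions 10
    echo "== sessions not from subrat.com"
    who_u_sample | foreign_sessions subrat.com
fi
```

On a live system replace who_u_sample with who -u itself (who -u | stale_sessions 60). Remember that who reads utmp, so a session that was started without a utmp entry, or whose entry was removed, will not appear; ps and ss remain the cross-check.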


- To view all login names & the number of users logged on.
[root@subrat ~]# who -q
root subrat dinesh
# users=3

- To view only the entry for the terminal attached to standard input. This is the same as running who am i.
[root@subrat ~]# who -m
root    pts/0        2014-05-02 06:22 (subrat.com)


- To list only the login processes (getty) on which the system is waiting for someone to log in. The user name is always LOGIN.
[root@subrat ~]# who -l
LOGIN    tty2         2014-04-19 15:12              1214 id=2
LOGIN    tty1         2014-04-19 15:12              1212 id=1
LOGIN    tty3         2014-04-19 15:12              1216 id=3
LOGIN    tty4         2014-04-19 15:12              1218 id=4
LOGIN    tty5         2014-04-19 15:12              1222 id=5
LOGIN    tty6         2014-04-19 15:12              1224 id=6


w

The w command shows who is logged on to the system and what they are doing. It covers the same sessions as who but gives more detail, including the command each session is currently running. The first line is the same as the output of the uptime command, which is explained in another post.

[root@subrat ~]# w
07:30:21 up 12 days, 16:18, 2 users, load average: 0.03, 0.00, 0.00
USER     TTY      FROM    LOGIN@  IDLE   JCPU   PCPU  WHAT
root     pts/0    subrat  06:22   0.00s  0.26s  0.23s sshd: root
subrat   pts/1    subrat  07:29   28.00s 0.02s  0.02s -bash


- Long format. This is the default, so the output matches plain w.
[root@subrat ~]# w -l
07:45:54 up 12 days, 16:34,  2 users, load average: 0.03, 0.00, 0.00
USER     TTY     FROM  LOGIN@   IDLE   JCPU   PCPU WHAT
root    pts/0   subrat 06:22   0.00s  0.27s  0.23s sshd: root
subrat  pts/1   subrat 07:29   16:01  0.02s  0.02s -bash


- To view login details without the header lines.
[root@subrat ~]# w -h
root   pts/0  subrat 06:22   0.00s  0.27s  0.23s sshd: root
subrat pts/1  subrat 07:29   16:30  0.02s  0.02s -bash

whoami

The whoami command prints the user name that belongs to the effective user ID of the current process. After switching to another user with su, it shows the new user's login name.

[root@subrat ~]# whoami
root

[root@subrat ~]# su - dinesh
[dinesh@subrat ~]$ whoami
dinesh


who am i

The who am i command prints the utmp entry for the current terminal: the name the session was logged in as, the terminal name and the login time. It is terminal dependent. Because it reads the login record rather than the process's user ID, after su it still shows the user who originally logged in, not the switched-to user.

[root@subrat ~]# whoami
root
[root@subrat ~]# who am i
root    pts/0        2014-05-02 06:22 (subrat.com)
[root@subrat ~]# su - dinesh
[dinesh@subrat ~]$ whoami
dinesh
[dinesh@subrat ~]$ who am i
root    pts/0        2014-05-02 06:22 (subrat.com)
 

logname

The logname command displays the login name of the user who logged in on the terminal (it uses getlogin, which reads the login record). It is terminal dependent. After su it still shows the original login name, not the switched-to user.

[root@subrat ~]# logname
root
[root@subrat ~]# su - dinesh
[dinesh@subrat ~]$ logname
root


users

The users command is used to display the user names of users currently logged in to the current host.
[root@subrat ~]# users
dinesh root subrat


id

The id command displays the identity of a user: the UID, the primary GID and all the groups the user belongs to. Without an argument it describes the current process, which is what the permission checks described in the previous post are made against.

- To display the current user's UID, GID and the other groups the user belongs to.

[root@subrat ~]# id
uid=0(root) gid=0(root) groups=0(root),2(daemon),3(sys),4(tty),5(operator),8(procview),12(everyone)


- To display the UID of currently logged in user.
[root@subrat ~]# id -u
0


- To display the GID of currenlty logged in user.
[root@subrat ~]# id -g
0


- To display all the group IDs of the current user (the primary group first, then the supplementary groups).
[root@subrat ~]# id -G
0 2 3 4 5 8 12

- To display the same list as group names instead of IDs.
[root@subrat ~]# id -nG
root daemon sys tty operator procview everyone


- To display the UID, GID & other groups associated of a particular user.
[root@subrat ~]# id subrat
uid=512(subrat) gid=512(subrat) groups=512(subrat),523(unix),531(sysadmin)


- To display the UID of a particular user.
[root@subrat ~]# id -u subrat
512

- To display the username instead of UID of a particular user.
[root@subrat ~]# id -nu subrat
subrat

- To display the GID of a particular user.
[root@subrat ~]# id -g subrat
512

- To display the primary group name of a particular user.

[root@subrat ~]# id -ng subrat
subrat


- To display all the group IDs a particular user belongs to (primary first, then supplementary).
[root@subrat ~]# id -G subrat
512 523 531

- To display the same list as group names instead of IDs.
[root@subrat ~]# id -nG subrat
subrat unix sysadmin


groups

The groups command displays the groups a user is in.

- To display the currently logged in user's groups.
[root@subrat ~]# groups
root : root daemon sys tty operator procview everyone


- To display the groups of a particular user.
[root@subrat ~]# groups subrat
subrat : subrat unix sysadmin


members

The members command lists the user names of the users who belong to a particular group. It is a separate package rather than part of coreutils, so it may not be present on every system.

[root@subrat ~]# members sysadmin
subrat kiran alert operator portaladmin

lid

The lid command (from libuser) lists the user names and UIDs of the users who belong to a particular group.

[root@subrat ~]# lid -g sysadmin
subrat(uid=512)
kiran(uid=534)
alert(uid=567)
operator(uid=900)
portaladmin(uid=902)

last

The last command lists the logins (and reboots) recorded on the server, most recent first. It reads /var/log/wtmp, so the history reaches back only as far as that file: wtmp is normally rotated by logrotate, and the final line of the output ("wtmp begins ...") tells you where the record starts. Like who and w it relies on the utmp/wtmp accounting files, which an intruder with root can truncate or edit, so treat it as a convenience view and corroborate it with the authentication logs when it matters. The list is long, so pipe it into less.
[root@subrat.com ~]# last | less
[root@subrat.com ~]# last
subrat   pts/1        subrat.com       Fri May  2 07:29   still logged in
root     pts/0        subrat.com       Fri May  2 06:22   still logged in
...
...
dinesh   pts/0        subrat.com       Thu Apr 24 10:10 - 11:39  (01:28)
subrat   pts/1        subrat.com       Wed Apr 23 09:27 - 12:05  (02:37)
root     pts/0        subrat.com       Sat Apr 19 15:13 - 15:42  (00:28)
reboot   system boot  2.6.32-431.el6.x Sat Apr 19 15:12 - 11:00 (12+19:48)
...
...
reboot   system boot  2.6.32-358.el6.x Sun Dec 22 17:38 - 12:00  (18:21)


- To display the login details of a particular user.
[root@subrat.com ~]# last subrat
subrat   pts/1      subrat.com  Fri May  2 07:29   still logged in
subrat   pts/1      subrat.com  Mon Apr 14 11:01 - 13:07  (02:05)
subrat   pts/2      subrat.com  Wed Apr  9 14:20 - 14:42  (00:21)
subrat   pts/1      subrat.com  Wed Apr  9 13:54 - 14:22  (00:28)
subrat   pts/0      subrat.com  Wed Apr  9 13:33 - 13:39  (00:06)
...
...


- To hide the hostname field.
[root@subrat ~]# last -R subrat
subrat   pts/1        Fri May  2 07:29   still logged in
subrat   pts/1        Mon Apr 14 11:01 - 13:07  (02:05)
subrat   pts/2        Wed Apr  9 14:20 - 14:42  (00:21)
subrat   pts/1        Wed Apr  9 13:54 - 14:22  (00:28)
...
...


- To display the complete login & logout times.
[root@subrat ~]# last -F
subrat   pts/1    subrat.com Fri May  2 07:29:53 2014   still logged in
root     pts/0    subrat.com Fri May  2 06:22:59 2014   still logged in
dinesh   pts/0    subrat.com Mon Apr 28 12:46:20 2014 - Mon Apr 28 12:54:23 2014  (00:08)
subrat   pts/0    subrat.com Mon Apr 28 08:50:53 2014 - Mon Apr 28 10:45:33 2014  (01:54)
...
...
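When reviewing last output you usually want more than the raw list: logins at odd hours, logins from an unfamiliar host, and how often each user/host pair turns up. The script below is an added example, not part of the original post. It parses last -F lines from a constructed sample in the format above (with one extra 02:13 login from 203.0.113.9, a documentation address, and a console login with an empty host column), skips the reboot pseudo-user and the trailing wtmp begins line, and provides off_hours_logins and login_counts; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: read `last -F` output and
# pick out logins that deserve a second look. Sample lines are constructed
# in the format shown above; 203.0.113.9 is a documentation address.
# Columns: USER TTY HOST DOW MON DAY HH:MM:SS YEAR [- logout ...] (duration)
# Console logins have an empty HOST column, so that case is handled too.

last_f_sample() {
    cat <<'EOF'
subrat   pts/1    subrat.com   Fri May  2 07:29:53 2014   still logged in
root     pts/0    subrat.com   Fri May  2 06:22:59 2014   still logged in
kiran    pts/3    203.0.113.9  Fri May  2 02:13:40 2014 - Fri May  2 02:20:11 2014  (00:06)
dinesh   pts/0    subrat.com   Mon Apr 28 12:46:20 2014 - Mon Apr 28 12:54:23 2014  (00:08)
subrat   pts/0    subrat.com   Mon Apr 28 08:50:53 2014 - Mon Apr 28 10:45:33 2014  (01:54)
root     tty1                  Sun Apr 27 23:05:02 2014 - Sun Apr 27 23:40:10 2014  (00:35)
reboot   system boot  2.6.32-431.el6.x Sat Apr 19 15:12:01 2014 - Fri May  2 11:00:00 2014 (12+19:48)

wtmp begins Sun Dec 22 17:38:01 2013
EOF
}

# parse_last (reads last -F lines on stdin)
#   prints one normalised "USER TTY HOST DOW MON DAY HH:MM:SS YEAR" line per
#   real login; pseudo-users and the "wtmp begins" trailer are dropped.
parse_last() {
    while read -r user tty host dow mon day time year rest; do
        case $user in ""|reboot|shutdown|runlevel|wtmp) continue ;; esac
        case $host in
            Mon|Tue|Wed|Thu|Fri|Sat|Sun)   # no host column: shift fields right
                year=$time; time=$day; day=$mon; mon=$dow; dow=$host; host=-
                ;;
        esac
        printf '%s %s %s %s %s %s %s %s\n' \
            "$user" "$tty" "$host" "$dow" "$mon" "$day" "$time" "$year"
    done
}

# off_hours_logins START END (reads last -F lines on stdin)
#   prints "USER HOST DOW MON DAY HH:MM:SS" for logins whose hour is before
#   START or at/after END on the 24-hour clock.
off_hours_logins() {
    parse_last | while read -r user tty host dow mon day time year; do
        h=${time%%:*}; h=${h#0}; h=${h:-0}     # "07" -> 7, "00" -> 0
        if [ "$h" -lt "$1" ] || [ "$h" -ge "$2" ]; then
            printf '%s %s %s %s %s %s\n' "$user" "$host" "$dow" "$mon" "$day" "$time"
        fi
    done
}

# login_counts (reads last -F lines on stdin)
#   prints "COUNT USER HOST", most frequent pair first; a user/host pair
#   you have never seen before is the one to look at.
login_counts() {
    parse_last | while read -r user tty host rest; do
        printf '%s %s\n' "$user" "$host"
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

if [ "${1-}" = --demo ]; then
    echo "== logins outside 06:00-20:00"
    last_f_sample | off_hours_logins 6 20
    echo "== logins per user/host"
    last_f_sample | login_counts
fi
```

On a real host feed last -F directly (last -F | off_hours_logins 6 20). The hours are local time as last prints them, and the count covers only what is still in wtmp, so compare the "wtmp begins" line against your log rotation before reading too much into a low number.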


- To show the logins recorded up to a given point in time (useful for finding out who was logged in at that moment). The time is given as YYYYMMDDHHMMSS.
Use: last -t YYYYMMDDHHMMSS

[root@subrat ~]# last -t 20140314110100
dinesh   pts/2        subrat.com  Fri Mar  7 10:02 - 11:20  (01:17)
subrat   pts/1        subrat.com  Fri Mar  7 09:36 - 11:45  (02:08)
...
...
root     pts/0        subrat.com  Sun Dec 22 17:41 - 18:35  (00:54)
reboot   system boot  2.6.32-358. Sun Dec 22 17:38 - 12:00  (18:21)


- To display last shutdown time.
[root@subrat.com ~]# last -x shutdown
shutdown system down  2.6.32-431.1.2.e Sat Apr 19 15:12 - 15:12  (00:00)
shutdown system down  2.6.32-431.1.2.e Thu Feb 13 12:00 - 12:01  (00:01)

...
...
shutdown system down  2.6.32-358.el6.x Mon Dec 23 21:09 - 12:00 (51+14:51)