filesystem permissions

permission systems

there are two common permission systems, with the second available as an extension of the first

three-value permissions

permission information is an association of three values to a file

value-uid, value-gid, value-other -> file

a file can have one user (uid) and one group (gid) related permission.

in regard to the quantity of users the permissions can be valid for

one-user, some-users, all-users

the individual values are themselves composed of three other values

(read write execute)
value-uid:one-user:(read:yes write:yes execute:no)
value-group:some-users:(read:yes write:yes execute:no)
value-other:all-users:(read:yes write:no execute:no)

this system is available on practically all unix filesystems. when a file is created, the permissions requested by the creating program are restricted by the kernel using the "umask" of the creating process.

access control lists

(path (uid/gid/other/default value) ...)

instead of being limited to one permission value for each of the three classes of a file, it is possible to assign permission values to specific additional users and groups, to other users, and as default permissions for new entries in a directory. the effective permissions are still capped by the three-value permissions, which remain active. this system is activated at filesystem mount with a mount option



from the user's perspective, retrieving the effective permissions of a file for a process can be seen as a function with the following signature

path current-process-uid current-process-gid -> file-permissions-for-process


directories are files that contain entries which associate file names with file inodes. to read a directory means to read only the file names of its entries. access means translating a file name into a file inode, and it is controlled by the execute permission. because of this, the "execute" permission on directories can be called "access"



r w x
read write execute

usually written like this with "-" for omitted places

rwx r-x r-x


100 010 001
4 2 1
read write execute

each permission is one bit, so the bits are usually summed for each position

(+ 4 2 1) (+ 4 1) (+ 4 1)
111 101 101
7 5 5

needs fewer characters than the letter notation

example patterns

files not shared with other users

permissions for non-directories

owner: rw-
group: ---
other: ---

permissions for directories

owner: rwx
group: ---
other: ---

in octal notation this would be 600 and 700

files shared with a group

permissions for non-directories

owner: rw-
group: r--
other: ---

permissions for directories

owner: rwx
group: r-x
other: ---

in octal base: 640 and 750

ensuring permissions

create a script that executes the commands to set up the file permissions and run the script at appropriate times, maybe regularly. without a script, changes to permissions could stay undiscovered and become a security risk or cause other problems, or they have to be reset manually
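a script in this spirit, added here as an example and not part of the original notes, that applies the 600/700 and 640/750 patterns from above to a directory tree with find and chmod and then lists anything that still deviates. it assumes posix find, chmod and chgrp; the function names are made up for the example.

```shell
# list every file or directory under $1 whose mode is not exactly the expected
# one ($2 for files, $3 for directories). prints nothing when the tree
# matches, so the output doubles as a check.
check_perms() {
    find "$1" -type f ! -perm "$2"
    find "$1" -type d ! -perm "$3"
}

# apply the expected modes to the whole tree. "-exec ... {} +" passes many
# paths per chmod call and copes with spaces and newlines in file names.
set_perms() {
    find "$1" -type f -exec chmod "$2" {} +
    find "$1" -type d -exec chmod "$3" {} +
}

# files not shared with other users: 600 for files, 700 for directories
ensure_private() {
    set_perms "$1" 600 700
    check_perms "$1" 600 700
}

# files shared with a group: 640 and 750, and optionally the group owner ($2)
ensure_group_shared() {
    set_perms "$1" 640 750
    if [ -n "$2" ]; then chgrp -R "$2" "$1"; fi
    check_perms "$1" 640 750
}
```

run it from cron or a timer and treat any output of the check functions as drift to investigate.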

ls

can display permissions of files in directories (the current directory if unspecified). example: ls -l
chmod

"change mode" - changes permissions of files. example: chmod 600 /tmp
chown

"change owner" - changes owner and group of files. example: chown username:groupname /tmp

for security, only the root user can change the owner

on some systems like gnu/linux, symlinks can have an owner and group. chown -h username:groupname mysymlink
getfacl

displays access control list permissions, acl. example: getfacl *
setfacl

sets acl permissions. example: setfacl -m u:username:rw path
find

filters and displays files in directory trees. can be used to set permissions selectively. example: find . -type f -print0 | xargs -0 chmod 600
umask

sets the umask of the current process; sub-processes usually inherit it. it is specified as the set of permission bits to clear from the full permission (777). example: umask 133