Information Technology College of HoChiMinh city
Faculty of Information Technology
Course: Fundamentals of Linux OS
Unit 4
File Security
Lecturer: Võ Tấn Dũng
Objectives
Upon completion of this module, you should be able to:
• Display file permissions
• Define permission types (read, write, and execute)
• Set and change file permissions using symbolic and
octal notation
• Display the umask value of a file or directory
VÕ TẤN DŨNG
Linux security overview
Security Overview
• The primary function of a system’s security feature is to deny
access to unauthorized users.
• Keeping computer information secure is important to the user
and the system administrator. By protecting their files and
accounts from unauthorized use, users are also protecting their
job and reputation.
• Standard Linux environment security features include user
passwords, which restrict access to the system; file and
directory protection with permissions; files that control remote
logins and commands on individual workstations; and other
features that enable system administrators to check for security
breaches.
Two default levels of security
The Linux operating system has two default levels of
security:
• First, users must supply a login ID and password in
order to access a Linux workstation.
• Second, files and directories are automatically
protected by permissions when they are created.
Super user
• Linux provides a special user account called root that has total
access to the system. This account’s user is also called the
superuser.
• All permissions placed on files and directories can be
overridden by the root user.
• The superuser account is used to run system administration
commands and to edit important system files such as the
password file.
Permission Categories
The ls -l command displays the following permissions:
• File type – This includes directories and ordinary files.
• User (owner) – The user who created the file or directory
• Group – Class of users defined by the system administrator
• Others (public) – All other users
How file and directory access is determined
UID and GID
• All files and directories have a user identifier (UID) and group
identifier (GID) number associated with them.
• The kernel uses these numbers to identify ownership of files,
rather than the user or group name familiar to the user.
$ ls -an
drwxr-xr-x 2 101 10 512 May 24 17:25 mickey
-rw-r--r-- 1 101 10 0 May 24 17:25 .profile
Permissions and corresponding symbols
Changing Permissions
Using chmod command
- with symbolic mode
- with octal (absolute) mode
Using umask filter
Symbolic mode and octal mode
The chmod command is used by a file’s owner (or superuser) to
change file permissions.
The two modes of operation with the chmod command are
symbolic and octal.
• Symbolic mode uses combinations of letters and symbols
to add or remove permissions from various categories of
users.
• Octal mode uses octal numbers to represent file
permissions. Octal mode is also referred to as absolute or
numeric mode.
Symbolic Mode
Command Format
chmod mode filename
Changing permissions with symbolic mode
• Remove group read permission
$ ls -l dante
-rw-r--r-- 1 user2 staff 2 Jun 11 1:44 dante
$ chmod g-r dante
$ ls -l dante
-rw----r-- 1 user2 staff 2 Jun 11 1:44 dante
• Deny read permission to others
$ chmod o-r dante
$ ls -l dante
-rw------- 1 user2 staff 2 Jun 11 1:44 dante
Changing permissions with symbolic mode (cont.)
• Add execute permission for owner, and read permission for
group and others
$ chmod u+x,go+r dante
$ ls -l dante
-rwxr--r-- 1 user2 staff 2 Jun 11 1:44 dante
Attention: There is no space after u+x and before go+r, although
there is a comma between them.
• Set permissions to read and write for everyone
$ chmod a=rw dante
$ ls -l dante
-rw-rw-rw- 1 user2 staff 2 Jun 11 1:44 dante
Octal (Absolute) Mode
• Octal mode is based on the base eight numbering system
(0–7 are the available numerals).
Octal values for permission sets
Combined values and permissions
Default permissions: 644 and 755
• The first position defines the user (owner) permissions, the
second position defines the group, and the last position defines
others.
• Default permissions on files are 644, and default permissions
on directories are 755.
Changing permission with octal mode
Command Format
chmod octal_mode filename
• Example:
Give user, group, and others read and execute access:
$ ls -l dante
-rw-rw-rw- 1 user2 staff 2 Jun 11 11:54 dante
$ chmod 555 dante
$ ls -l dante
-r-xr-xr-x 1 user2 staff 2 Jun 11 11:54 dante
Changing permission with octal mode (cont.)
Example:
• Change user and group permissions to include write access:
$ chmod 775 dante
$ ls -l dante
-rwxrwxr-x 1 user2 staff 2 Jun 11 11:54 dante
• Change group permission to read and execute:
$ chmod 755 dante
$ ls -l dante
-rwxr-xr-x 1 user2 staff 2 Jun 11 11:54 dante
The umask filter
The umask filter determines the default permissions for files and
directories. The permissions are assigned during the creation of
new files and directories.
Example: Displaying Your umask
$ umask
022
• Depending on the shell, the umask value is displayed as
0022, 022, or 22.
Default Permissions by umask
• The default permissions which will be assigned to a newly
created file or directory are determined by the application of the
umask filter against the maximum system assignable file (666)
and directory (777) permissions.
For files, the octal value 666 means:
42-42-42-
rw-rw-rw-
For directories, the octal value 777 means:
421421421
rwxrwxrwx
Calculate the default permission of a new file from umask
• Given a default umask value, how does the system determine
the default permissions when creating new files?
Calculate the default permission of a new directory from umask
• Given a default umask value, how does the system determine
the default permissions when creating new directories?
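The calculation asked for on these two slides, as an added example that is not part of the original slides: the umask bits are cleared from the base mode (666 for files, 777 for directories), which is a bitwise AND with the inverted mask rather than a digit subtraction. The function names are hypothetical, `stat -c` assumes GNU coreutils, and the mask 033 is a constructed case where the two methods disagree.

```shell
#!/bin/sh
# Added example: how a umask filters the base modes 666 (files) and 777 (dirs).
# Function names are hypothetical; stat -c is the GNU coreutils form.

# default_mode BASE UMASK: bits set in the mask are cleared, BASE AND (NOT UMASK).
default_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# naive_subtract BASE UMASK: the digit-subtraction shortcut, for comparison only.
naive_subtract() {
    m=$(printf '%s' "$2" | sed 's/^0*//')
    printf '%03d\n' $(( $1 - ${m:-0} ))
}

# observed_mode KIND UMASK: create a real file (f) or directory (d) under the
# given umask in a scratch directory and print the mode the system assigned.
observed_mode() {
    (
        scratch=$(mktemp -d) || exit 1
        umask "$2"                       # changes only this subshell
        if [ "$1" = d ]; then mkdir "$scratch/new"; else : > "$scratch/new"; fi
        mode=$(stat -c %a "$scratch/new")
        rm -rf "$scratch"
        printf '%03o\n' $(( 0$mode & 0777 ))
    )
}

# 022 and 027 are the values used on the slides; 033 is a constructed case
# where subtraction gives 633 but the system assigns 644.
for mask in 022 027 033; do
    printf 'umask %s  file: computed %s observed %s subtraction %s  dir: computed %s observed %s\n' \
        "$mask" \
        "$(default_mode 666 "$mask")" "$(observed_mode f "$mask")" \
        "$(naive_subtract 666 "$mask")" \
        "$(default_mode 777 "$mask")" "$(observed_mode d "$mask")"
done
```

With umask 027, new files come out as 640 and new directories as 750, so others get no access at all.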
Changing the umask value
• The umask value can be changed at the command line by
the umask command.
Example: Verify the current umask.
$ umask
022
Example: Change the umask value to 027 and verify.
$ umask 027
$ umask
027
• The umask value is set in the kernel but an alternate value
can be placed in /etc/profile by the system administrator.
• The new umask value will be lost when you log out of the
system unless the umask command is placed in the .profile
file.