There are many claims about Linux. Is it more secure than Windows? Or is it just more complicated? Although they are widespread in the server area, open source systems haven’t really made their way to PCs. What actually lies behind the cost-effective alternative? Is using a Linux operating system right for you? We’ve got the answers to these questions and more.
Introduction to Linux directory rights
Linux is one of the most popular choices for web server operators. One feature that all Unix derivatives share is that files and directories are assigned certain access rights. With Linux, users have the ability to change such settings by activating the command line program, ‘chmod’.
What is chmod?
Short for ‘change mode’, chmod was developed in the early 1970s at the same time as AT&T’s first version of Unix. In Unix-like multi-user operating systems, chmod is responsible for assigning and changing access rights in file systems that are supported by Unix rights management. This also applies to all standard file systems in conventional Linux derivatives intended for server operation support. Chmod supports two different systems: the symbolic notation by means of letters as well as allocation of data rights through digit-based octal codes. Changing access rights with this command can only be carried out by the file owner or the root user. Executing the following procedures should always conform to the following syntax:
|$ chmod options mode file|
The command chmod can be followed by options. This element allows further options of the chmod command to be defined. The element mode represents the so-called umask that is applied to the file (which can also be a directory). This mask contains the information responsible for determining whether or not a user class should receive new access rights or be removed of the rights that they currently own.
According to the Unix file system, each file on a given Linux server has individual access rights; the same also applies to directories. Managing such access rights is supported through three user classes:
- User: Generally, any user that creates a file in a Unix data system is automatically defined as that file’s ‘user’. Ownership can also be retroactively changed by entering the command ‘chown’. Regarding the symbolic notation, the user class ‘user’ then receives the letter ‘u’.
- Group: The user class ‘group’ combines different user accounts on the server. In Unix-like systems, every users’ account is automatically assigned to a group. Assigning users to additional groups still remains possible, however. Group assignment can be configured by both the owner as well as the root user by using the command, ‘chgrp’.
- Others: The user class ‘others’ encompasses all users that are neither file owners nor members of a group with access rights. The user class ‘others’ is denoted by the shorthand symbolic notation ‘o’.
Commands relating to all user classes (i.e., user, group, and other) are represented in symbolic notation with ‘a’.
The Unix file system is able to process three basic access rights. Each of the user classes mentioned above can be assigned different rights by the file owner:
- Read: The access right ‘read’ gives users reading rights to a file. When dealing with a directory, its content can then be read. It is not possible, however, to view file rights with ‘read’. The symbolic notation for the command is represented with the letter ‘r’, and for this reason is referred to as ‘r bit’.
- Write: Users with the access right ‘write’ are able to change the content of single files. If ‘write’ has been assigned to a directory, the user is then able to create files and subdirectories. Following the pattern as seen above, write permission is represented with ‘w’. This is why it is also called a ‘w bit’.
- Execute: Users that have been assigned the access right ‘execute’ are authorized to run files as programs or move these into a directory in order to change subdirectories or other files. The execute right is assigned the letter ‘x’ in symbolic notation. It’s also known as ‘x bit’.
When assigning access rights, it’s important to make sure that authorizations in the Unix file system are not further transmitted. Access rights that were defined to the directory are not automatically passed on to files that are created in a directory. Instead, individual data rights are derived from the program’s umask through which the respective file was generated.
Access display in the terminal
user@computer:~$ ls -l
drwxrw-r-- 0 exampleuser examplegroup 0000 2016-01-01 examplefolder
The following character block may be of particular interest for aspects related to data rights:
This encodes the file type as well as the access rights for the three user classes. The first character displays the type of file that is in question. The string as seen above begins with a d. This is because it deals with the file type ‘directory’. What follows is three blocks of code, each with three characters. Each of these three slots stands for a user class and is sequenced per default (owner, group, others). The letters are abbreviations for the symbolic notation of the various access rights:
|Meaning:||d = directory||owner||group||other|
|r = read||r = read||r = read|
|w = write||w = write||-|
|x = execute||-||-|
The file rights for the directory ‘example folder’ are thus defined as follows: the file owner is able to move inside the directory (r), has writing rights (w), and the execution right (x), allowing files in the directory to be listed. Members of the group, ‘example group’, have reading and writing privileges. All other users are only able to open files found in the directory and subdirectory, (r), provided that they know the exact file name. At this point, it is important to take into account that the defined access rights only apply to the folder – not the subfolders or the data therein. Access rights for files within this folder can look much different:
-rw------- 0 exampleuser examplegroup 0000 2016-01-01 example.txt
The initial hyphen (-) in this block of code is indicative of an ordinary file and not one related to a directory or a link. Owners are provided both reading and writing rights with the notation rw-. Given that this command deals with a text file and not a program, the execution right would be useless and is represented with a hyphen (-). Hyphens are also found in the blocks representing the user classes ‘group’ and ‘others’; this categorization prohibits any access to the example file.
Making changes to the access rights with the terminal
Chmod is used to change these rights in Linux. Access rights to directories or files in the Unix file system can be fitted to one or all user classes. The root user or file owner just needs to enter the corresponding command, including the umask and file name, into the terminal as follows:
$ chmod options mode file
The umask can either be created in symbolic or octal notation.
umasks created according to symbolic notation make use of the following operands. These are responsible for connecting user classes to file rights:
|+||The operand ‘+’ assigns user classes new file rights. Only affected data rights are overwritten.|
|-||The operand ‘-’ removes file rights from a user class.|
|=||Should the file rights of a user class be reset, then the operand ‘=‘ is used.|
The following chmod command modifies the mock file, ‘example.txt’, so that the owner as well other users (group, other) also receive writing and reading rights:
$ chmod ugo+rw example.txt
Referencing all the user classes is a possible alternative:
$ chmod a+rw example.txt
When called in the terminal, the file ‘example.txt’ would display the following rights instead of its original rights:
|Access rights prior to change:||chmod command:||Access rights after change:|
|user: read, write||a = all||user: read, write|
|group: no rights||+ = add access rights||group: read, write|
|other: no rights||r = read||other: read, write|
|w = write|
While easy for users to read, symbolic notation can be cumbersome when regularly used. For this reason, many administrators rely on octal notation for allocating access rights. This method employs a three-figure digit sequence in which each digit represents one of the server’s user classes. Octal notation also follows the standard sequence as laid out per defaul:
|Digit 1||Corresponds to the user class ‘user’.|
|Digit 2||Corresponds to the user class ‘group’.|
|Digit 3||Corresponds to the user class ‘others’.|
Which access rights are assigned to the individual user classes is determined by the value of each digit. This is calculated by the sum of the individual values that the corresponding rights are assigned to:
The following value combinations also result from this allocation:
|all access rights||7|
Octal notation can also be visualized with the quoted file ‘example.txt’. Prior to changing the access with the command ‘chmod’ the directory listing reads as follows:
-rw------- 0 exampleuser examplegroup 0000 2016-01-01 example.txt
Only the owner (user) is granted the access rights ‘read’ (r) and write (w). All other users have no rights enabling access to the file. The following line is used assuming it is the owner’s intention to also give the group ‘examplegroup’ reading rights:
$ chmod 640 example.txt
With the value ‘6’ placed at the first position of the umask, the owner receives the same access rights as before: 4 (read) + 2 (write). The umask’s second value gives the access rights to the group: 4 (read). Other users are not provided with any rights, which corresponds to the value ‘0’.
In case the user class ‘others’ is also to be equipped with reading rights, the following code is run:
$ chmod 644 example.txt
The value ‘4’ placed in the third position of the octal code defines the reading rights for the other users on the server.
Options of chmod commands
Whether users opt for numeric or symbolic notation, there are always many options for allocating access rights. These alternatives are added in the command line between the command and the umask:
|-R||recursive||Access rights changes refer to all files and sub directories within a given folder.|
|-v||verbose||A diagnosis for all the processed files is issued after the shell command.|
|-c||changes||A diagnosis for all the changed files is issued after the shell command.|
|-f||silent||Error reports are supressed|
The following example command changes access rights recursively for all subdirectories and files as well as for the folder itself:
$ chmod -R 744 examplefolder
The following applies to all files and subfolders in the directory ‘examplefolder’: the owner receives full access rights (7); group members and other users only have reading access (4).
The advantage of the Unix file system lies in its simple structures. By using multi-user operating systems, complex problems of daily work are solvable with minimal effort. Additionally, this approach is intuitive to use and is easy for computer systems to process. Those who do not feel comfortable with their abilities to allocate access rights in the terminal can alternatively rely on file managers. Common FTP programs generally offer a graphic user interface.