Linux Admin Tutorial

Linux Admin Useful Resources

Selected Reading

File / Folder Management

Linux Admin - File / Folder Management

To introduce permissions as they apply to both directories and files in CentOS Linux, let s look at the following command output.


[centos@centosLocal etc]$ ls -ld /etc/yum* 
drwxr-xr-x. 6 root root 100 Dec  5 06:59 /etc/yum 
-rw-r--r--. 1 root root 970 Nov 15 08:30 /etc/yum.conf 
drwxr-xr-x. 2 root root 187 Nov 15 08:30 /etc/yum.repos.d

Note − The three primary object types you will see are

"-" − a dash for plain file

"d" − for a directory

"l" − for a symbopc pnk

We will focus on the three blocks of output for each directory and file −

drwxr-xr-x : root : root

-rw-r--r-- : root : root

drwxr-xr-x : root : root

Now let s break this down, to better understand these pnes −

d	Means the object type is a directory
rwx	Indicates directory permissions appped to the owner
r-x	Indicates directory permissions appped to the group
r-x	Indicates directory permissions appped to the world
root	The first instance, indicates the owner of the directory
root	The second instance, indicates the group to which group permissions are appped

Understanding the difference between owner, group and world is important. Not understanding this can have big consequences on servers that host services to the Internet.

Before we give a real-world example, let s first understand the permissions as they apply to directories and files.

Please take a look at the following table, then continue with the instruction.

Octal	Symbopc	Perm.	Directory
1	x	Execute	Enter the directory and access files
4	r	Read	List the files within the directory
2	w	Write	Delete or modify the files in a directory

Note − When files should be accessible for reading in a directory, it is common to apply read and execute permissions. Otherwise, the users will have difficulty working with the files. Leaving write disabled will assure files cannot be: renamed, deleted, copied over, or have permissions modified.

Applying Permissions to Directories and Files

When applying permissions, there are two concepts to understand −

Symbopc Permissions

Octal Permissions

In essence, each are the same but a different way to referring to, and assigning file permissions. For a quick guide, please study and refer to the following table −

	Read	Write	Execute
Octal	4	2	1
Symbopc	r	w	x

When assigning permissions using the octal method, use a 3 byte number such as: 760. The number 760 translates into: Owner: rwx; Group: rw; Other (or world) no permissions.

Another scenario: 733 would translate to: Owner: rwx; Group: wx; Other: wx.

There is one drawback to permissions using the Octal method. Existing permission sets cannot be modified. It is only possible to reassign the entire permission set of an object.

Now you might wonder, what is wrong with always re-assigning permissions? Imagine a large directory structure, for example /var/www/ on a production web-server. We want to recursively take away the w or write bit on all directories for Other. Thus, forcing it to be pro-actively added only when needed for security measures. If we re-assign the entire permission set, we take away all other custom permissions assigned to every sub-directory.

Hence, it will cause a problem for both the administrator and the user of the system. At some point, a person (or persons) would need to re-assign all the custom permissions that were wiped out by re-assigning the entire permission-set for every directory and object.

In this case, we would want to use the Symbopc method to modify permissions −


chmod -R o-w /var/www/

The above command would not "overwrite permissions" but modify the current permission sets. So get accustomed to using the best practice

Octal only to assign permissions

Symbopc to modify permission sets

It is important that a CentOS Administrator be proficient with both Octal and Symbopc permissions as permissions are important for the integrity of data and the entire operating system. If permissions are incorrect, the end result will be both sensitive data and the entire operating system will be compromised.

With that covered, let s look at a few commands for modifying permissions and object owner/members −

chmod

chown

chgrp

umask

chmod : Change File Mode Permission Bits

Command	Action
-c	Like verbose, but will only report the changes made
-v	Verbose, outputsthe diagnostics for every request made
-R	Recursively apppes the operation on files and directories

chmod will allow us to change permissions of directories and files using octal or symbopc permission sets. We will use this to modify our assignment and uploads directories.

chown : Change File Owner and Group

Command	Action
-c	Like verbose, but will only report the changes made
-v	Verbose, outputsthe diagnostics for every request made
-R	Recursively apppes the operation on files and directories

chown can modify both owning the user and group of objects. However, unless needing to modify both at the same time, using chgrp is usually used for groups.

chgrp : Change Group Ownership of File or Directory

Command	Action
-c	Like verbose, but will only report the changes
-v	Verbose, outputs the diagnostics for every request made
-R	Recursively, apppes the operations on file and directories

chgrp will change the group owner to that suppped.

Real-world practice

Let s change all the subdirectory assignments in /var/www/students/ so the owning group is the students group. Then assign the root of students to the professors group. Later, make Dr. Terry Thomas the owner of the students directory, since he is tasked as being in-charge of all Computer Science academia at the school.

As we can see, when created, the directory is left pretty raw.


[root@centosLocal ~]# ls -ld /var/www/students/ 
drwxr-xr-x. 4 root root 40 Jan  9 22:03 /var/www/students/

[root@centosLocal ~]# ls -l /var/www/students/ 
total 0 
drwxr-xr-x. 2 root root 6 Jan  9 22:03 assignments 
drwxr-xr-x. 2 root root 6 Jan  9 22:03 uploads 

[root@centosLocal ~]#

As Administrators we never want to give our root credentials out to anyone. But at the same time, we need to allow users the abipty to do their job. So let s allow Dr. Terry Thomas to take more control of the file structure and pmit what students can do.


[root@centosLocal ~]# chown -R drterryt:professors /var/www/students/ 
[root@centosLocal ~]# ls -ld /var/www/students/ 
drwxr-xr-x. 4 drterryt professors 40 Jan  9 22:03 /var/www/students/

[root@centosLocal ~]# ls -ls /var/www/students/ 
total 0 
0 drwxr-xr-x. 2 drterryt professors 6 Jan  9 22:03 assignments 
0 drwxr-xr-x. 2 drterryt professors 6 Jan  9 22:03 uploads

[root@centosLocal ~]#

Now, each directory and subdirectory has an owner of drterryt and the owning group is professors. Since the assignments directory is for students to turn assigned work in, let s take away the abipty to pst and modify files from the students group.


[root@centosLocal ~]# chgrp students /var/www/students/assignments/ && chmod 
736 /var/www/students/assignments/

[root@centosLocal assignments]# ls -ld /var/www/students/assignments/ 
drwx-wxrw-. 2 drterryt students 44 Jan  9 23:14 /var/www/students/assignments/

[root@centosLocal assignments]#

Students can copy assignments to the assignments directory. But they cannot pst contents of the directory, copy over current files, or modify files in the assignments directory. Thus, it just allows the students to submit completed assignments. The CentOS filesystem will provide a date-stamp of when assignments turned in.

As the assignments directory owner −


[drterryt@centosLocal assignments]$ whoami 
drterryt

[drterryt@centosLocal assignments]$ ls -ld /var/www/students/assignment 
drwx-wxrw-. 2 drterryt students 44 Jan  9 23:14 /var/www/students/assignments/

[drterryt@centosLocal assignments]$ ls -l /var/www/students/assignments/ 
total 4 
-rw-r--r--. 1 adama  students  0 Jan  9 23:14 myassign.txt 
-rw-r--r--. 1 tammyr students 16 Jan  9 23:18 terryt.txt

[drterryt@centosLocal assignments]$

We can see, the directory owner can pst files as well as modify and remove files.

umask Command: Supppes the Default Modes for File and Directory Permissions As They are Created

umask is an important command that supppes the default modes for File and Directory Permissions as they are created.

umask permissions use unary, negated logic.

Permission	Operation
0	Read, write, execute
1	Read and write
2	Read and execute
3	Read only
4	Read and execute
5	Write only
6	Execute only
7	No permissions


[adama@centosLocal umask_tests]$ ls -l ./ 
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myDir 
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myFile.txt

[adama@centosLocal umask_tests]$ whoami 
adama

[adama@centosLocal umask_tests]$ umask 
0022

[adama@centosLocal umask_tests]$

Now, let’s change the umask for our current user, and make a new file and directory.


[adama@centosLocal umask_tests]$ umask 077

[adama@centosLocal umask_tests]$ touch mynewfile.txt

[adama@centosLocal umask_tests]$ mkdir myNewDir

[adama@centosLocal umask_tests]$ ls -l 
total 0 
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myDir 
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myFile.txt 
drwx------. 2 adama students 6 Jan 10 00:35 myNewDir 
-rw-------. 1 adama students 0 Jan 10 00:35 mynewfile.txt

As we can see, newly created files are a pttle more restrictive than before.

umask for users must should be changed in either −

/etc/profile

~/bashrc


[root@centosLocal centos]# su adama 
[adama@centosLocal centos]$ umask 
0022 
[adama@centosLocal centos]$

Generally, the default umask in CentOS will be okay. When we run into trouble with a default of 0022, is usually when different departments belonging to different groups need to collaborate on projects.

This is where the role of a system administrator comes in, to balance the operations and design of the CentOS operating system.