Overview
In this article, we learn how to control file access through the correct use of file and directory permissions and ownership. You will learn to:
● Manage access permissions on regular and special files and directories
● Use access modes such as suid, sgid, and the sticky bit to maintain security
● Change the file creation mask (umask)
● Grant access permissions to group members
Unless otherwise specified, the examples in this article use Fedora 13 with a 2.6.34 kernel. The results you get on other systems may differ.
This article helps you prepare for Objective 104.4 in Topic 104 of the Linux Professional Institute's Junior Level Administration (LPIC-1) exam 101. The objective has a weight of 3.
The previous article, "Setting and checking Linux disk quotas", introduced some of the file and group ownership concepts covered here. This article will help you understand these concepts more fully.
Prerequisites
To make the most effective use of the articles in this series, you should have basic Linux knowledge and a working Linux system on which to practice the commands described here. Output formats sometimes differ between program versions, so your results may not always match the listings and figures shown here exactly.
Users and groups
By now you know that Linux is a multi-user system, and that each user belongs to a primary group and possibly to one or more supplementary groups. You can log in as one user and then switch to another with the su command or with sudo -s. Linux file ownership and access permissions are closely tied to user ids and group ids, so we first review some basic user and group information.
Who am I?
Unless you switch to another user, your user id is the one you logged in with. Most examples in this article show the user id in the prompt, so you can tell which user is running a command. If your prompt does not include the user id, use the whoami command to check your current effective user id. Listing 1 shows some examples; note that its prompt string (set by the PS1 environment variable) differs from the one in the other examples in this article. Including your user id in the prompt string is a useful feature.
Listing 1. Determining the effective user id
/home/ian$ whoami
tom
/home/ian$ exit
exit
$ whoami
ian
In what group do I belong?
Similarly, you can use the groups command to find out which groups you belong to, and the id command to display information about both the user and the groups. Give the groups or id command a user id as a parameter to see information about that user instead of the current user. See the examples in Listing 2. Note that when run without a user id, the id command also displays the SELinux context along with the basic id information.
Listing 2. Determining group membership
[ian@echidna ~]$ id
uid=1000(ian) gid=1000(ian) groups=1000(ian),505(development),8093(editor) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[ian@echidna ~]$ id ian
uid=1000(ian) gid=1000(ian) groups=1000(ian),8093(editor),505(development)
[ian@echidna ~]$ groups
ian development editor
[ian@echidna ~]$ id tom
uid=1012(tom) gid=1012(tom) groups=1012(tom),505(development)
[ian@echidna ~]$ groups tom
tom : tom development
[ian@echidna ~]$ su tom
Password:
[tom@echidna ian]$ groups
tom development
[tom@echidna ian]$ groups ian
ian : ian editor development
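The following shell script is an added example, not part of the original article. It builds on the whoami, id, and groups commands shown in Listings 1 and 2: one function reports the effective user and flags when it differs from the real user (as happens under su, sudo, or a setuid program), one checks whether a given user belongs to a given group using id -nG, and one extracts group names from a line in the format that id prints, so that captured output (for example from a log) can be checked even when the account does not exist on the local machine. The function names and the use of id -nG and id -ru are this example's own choices; the sample id line is the one for user tom in Listing 2.

```shell
#!/bin/sh
# Added example (not from the article): small helpers built on id(1) and whoami(1).

# effective_identity: print the effective user name and uid, and also show the
# real uid when it differs. A mismatch means the process is running under an
# identity other than the one that logged in (su, sudo, setuid), which is worth
# knowing before changing file ownership or permissions.
effective_identity() {
    euid=$(id -u)
    ruid=$(id -ru)
    if [ "$euid" -eq "$ruid" ]; then
        printf '%s (uid %s)\n' "$(id -un)" "$euid"
    else
        printf '%s (effective uid %s, real uid %s)\n' "$(id -un)" "$euid" "$ruid"
    fi
}

# in_group USER GROUP: return 0 if USER is a member of GROUP (primary or
# supplementary), 1 otherwise. "id -nG USER" prints all of USER's group names
# on one line, separated by spaces, which is easier to test than the
# "uid=...(...) gid=...(...) groups=..." form.
in_group() {
    user=$1
    group=$2
    for g in $(id -nG "$user" 2>/dev/null); do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# parse_id_groups LINE: given a line in the format id(1) prints, output the
# group names only, space separated. Stops at the first space after "groups=",
# so a trailing SELinux "context=..." field (as in Listing 2) is ignored.
parse_id_groups() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=\([^ ]*\).*/\1/p' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# Demo: the id line for tom from Listing 2, then the identity of the shell
# running this script.
SAMPLE_ID_LINE='uid=1012(tom) gid=1012(tom) groups=1012(tom),505(development)'
echo "groups of tom from captured id output: $(parse_id_groups "$SAMPLE_ID_LINE")"
effective_identity
```

Run it as an ordinary user, then again under su or sudo -s, and compare the effective_identity output: the second run shows the switched identity, which is exactly what the prompt-string convention in this article is meant to keep visible.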