LinuxQuestions.org


RobInRockCity 02-17-2015 12:43 PM

File Permissions
 
I am trying to learn how to set up Authentication Keys to log in to my server.

Could someone please explain what the following code does...
Code:

chown -R example_user:example_user .ssh
chmod 700 .ssh
chmod 600 .ssh/authorized_keys

Thanks,


Rob

pingu 02-17-2015 01:11 PM

Two good links:
http://linuxcommand.org/lts0070.php
http://www.linux.com/learn/tutorials...le-permissions

Doc CPU 02-17-2015 01:13 PM

Hi there,

Quote:

Originally Posted by RobInRockCity (Post 5318870)
Could someone please explain what the following code does...

okay, let's have a look.

Code:

chown -R example_user:example_user .ssh
#   change owner and group of all files in ./.ssh and in all directories below
chmod 700 .ssh
#   change permission of directory ./.ssh so that the owner can do anything, other
#   group members or other users have no permission whatsoever
chmod 600 .ssh/authorized_keys
#   change permission of file ./.ssh/authorized_keys so that its owner can read and
#   write it, other users can do nothing

Does that take you anywhere?

[X] Doc CPU

RobInRockCity 02-17-2015 01:13 PM

Quote:

Originally Posted by pingu (Post 5318891)

Thanks for the links.

Care to help me figure out the first line a little quicker?


Rob

Miati 02-17-2015 01:26 PM

Quote:

Originally Posted by RobInRockCity (Post 5318895)
Care to help me figure out the first line a little quicker?

"Quicker" means more to the point, ignoring excess information.
What happens when someone next time says
Code:

chmod 766 .ssh/authorized_keys
would you know what that meant?

Take some time, read through and understand the information in the links. That way you won't have to ask every time something new shows up.

Type into a terminal:
Code:

man chown
man chmod

To gain a more complete understanding of the two commands.

As for the chown question

the syntax goes like this:
Code:

chown -arguments example_user:example_group file1 file2 files

RobInRockCity 02-17-2015 01:37 PM

Thanks for trying to help.

I'm new to all of this, and will read up on things, but am trying to figure out a tutorial I was reading quicker so I can call my web host and know what I'm talking about when they modify things!

Quote:

Originally Posted by Doc CPU (Post 5318894)
okay, let's have a look.

Code:

chown -R example_user:example_user .ssh
#   change owner and group of all files in ./.ssh and in all directories below


What does the -R mean?

When you say "change owner and group of all files" is that a change FROM ____ TO ____?

I don't understand what example_user:example_user .ssh means?

See where I am confused?


Quote:

Originally Posted by Doc CPU (Post 5318894)
Code:

chmod 700 .ssh
#   change permission of directory ./.ssh so that the owner can do anything, other
#   group members or other users have no permission whatsoever


Why typically would you use 700 on a directory, but 600 on a file in the directory?


Quote:

Originally Posted by Doc CPU (Post 5318894)
Code:

chmod 600 .ssh/authorized_keys
#   change permission of file ./.ssh/authorized_keys so that its owner can read and
#   write it, other users can do nothing

How do I know if authorized_keys is a directory or file? (I see lots of tutorials online on this topic and some make it sound like it is a directory whereas others make it sound like a file?!)


Quote:

Originally Posted by Doc CPU (Post 5318894)
Does that take you anywhere?

[X] Doc CPU

A little!


Rob

RobInRockCity 02-17-2015 01:41 PM

Quote:

Originally Posted by Miati (Post 5318906)
"Quicker" means more to the point, ignoring excess information.
What happens when someone next time says
Code:

chmod 766 .ssh/authorized_keys
would you know what that meant?

Take some time, read through and understand the information in the links. That way you won't have to ask every time something new shows up.

Please see my questions above.

My confusion is mostly in the first line. And I will read up more, but first I need to understand Line 1. (I get the permissions stuff mostly.)

Sincerely,


Rob

suicidaleggroll 02-17-2015 01:46 PM

Quote:

Originally Posted by RobInRockCity (Post 5318914)
What does the -R mean?

It does a recursive change, so the changes are applied to the .ssh directory and all of its subdirectories and files

Quote:

Originally Posted by RobInRockCity (Post 5318914)
When you say "change owner and group of all files" is that a change FROM ____ TO ____?

FROM whatever they used to be, TO example_user:example_user

Quote:

Originally Posted by RobInRockCity (Post 5318914)
I don't understand what example_user:example_user .ssh means?

example_user:example_user are the new user:group respectively. .ssh is the directory being changed
So it's changing the owner of the .ssh directory (and all subdirectories/files) to example_user, and also changing the group to example_user. The syntax is:
chown -arguments user:group file

Quote:

Originally Posted by RobInRockCity (Post 5318914)
Why typically would you use 700 on a directory, but 600 on a file in the directory?

The number is octal, it represents the bitwise addition of the permissions you want to set.
1 = execute
2 = write
4 = read

Add up the permissions you want, and you get a number between 0-7. The first number is the permission for the file/dir's owner, the second number is for any members of the file/dir's group, the third number is for everyone else. The difference between "6" and "7" is execute permission. Directories require execute permissions to navigate them, files only need execute permissions in order to execute them (programs, scripts, etc.).


Quote:

Originally Posted by RobInRockCity (Post 5318914)
How do I know if authorized_keys is a directory or file?

It's a file. You can always run "ls -l ~/.ssh/authorized_keys". If the very first character in the output is a "d", eg: "drwx------" then it's a directory, otherwise (eg: "-rw-------") it's not.
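
The checks discussed in this thread collected into one script, as an added example that is not part of any poster's reply: it reads the `ls -ld` listing, uses the first character to tell a directory from a file, adds up 4/2/1 to get the octal mode, and compares against 700 and 600. The function names `perm_to_octal`, `describe` and `check_ssh_dir` are hypothetical.

```shell
#!/bin/sh
# Added example; function names are made up for illustration.

# Convert the 9 permission characters from "ls -l" (e.g. rwx------) to octal
# by adding 4 = read, 2 = write, 1 = execute for owner, group and others.
# Special bits (setuid/setgid/sticky, shown as s or t) are not decoded.
perm_to_octal() {
    perms=$1 out=""
    for start in 1 4 7; do
        triplet=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        case $triplet in ??x) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# Print "<type> <octal> <owner>" for a path, using only "ls -ld".
# <type> is the first character of the listing: d = directory, - = regular file.
describe() {
    line=$(ls -ld -- "$1" 2>/dev/null) || return 1
    mode=$(printf '%s' "$line" | cut -c1-10)
    owner=$(printf '%s' "$line" | awk '{print $3}')
    type=$(printf '%s' "$mode" | cut -c1)
    octal=$(perm_to_octal "$(printf '%s' "$mode" | cut -c2-10)")
    printf '%s %s %s\n' "$type" "$octal" "$owner"
}

# Compare a .ssh directory with the settings from the first post.
# Returns 0 when everything matches, 1 otherwise (missing paths also fail).
check_ssh_dir() {
    dir=$1 user=$2 rc=0
    if [ "$(describe "$dir")" != "d 700 $user" ]; then
        echo "FIX: $dir should be a directory, mode 700, owner $user"
        rc=1
    fi
    if [ "$(describe "$dir/authorized_keys")" != "- 600 $user" ]; then
        echo "FIX: $dir/authorized_keys should be a file, mode 600, owner $user"
        rc=1
    fi
    return $rc
}

# Usage: check_ssh_dir "$HOME/.ssh" "$(id -un)"
```
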

RobInRockCity 02-17-2015 01:58 PM

Quote:

Originally Posted by suicidaleggroll (Post 5318919)
It does a recursive change, so the changes are applied to the .ssh directory and all of its subdirectories and files

Got it.


Quote:

Originally Posted by suicidaleggroll (Post 5318919)
FROM whatever they used to be, TO example_user:example_user

example_user:example_user are the new user:group respectively. .ssh is the directory being changed
So it's changing the owner of the .ssh directory (and all subdirectories/files) to example_user, and also changing the group to example_user. The syntax is:
chown -arguments user:group file

So if I had this...
Code:

chown -R rob:rob .ssh
...then that would make "Rob" the user and "Rob" the group owners of the ".ssh" directory, right?

Does that mean that "Rob" the user has to be in "Rob" the group for this to work? (Could Rob *not* be in the "Rob" group?)

For a single VPS where the only people with access are me and my web host, do I even need to introduce the concept of Groups?



Quote:

Originally Posted by suicidaleggroll (Post 5318919)
The number is octal, it represents the bitwise addition of the permissions you want to set.
1 = execute
2 = write
4 = read

Add up the permissions you want, and you get a number between 0-7. The first number is the permission for the file/dir's owner, the second number is for any members of the file/dir's group, the third number is for everyone else.

Yeah, I knew that part.


Quote:

Originally Posted by suicidaleggroll (Post 5318919)
The difference between "6" and "7" is execute permission. Directories require execute permissions to navigate them, files only need execute permissions in order to execute them (programs, scripts, etc.).

So if a Directory was 700 then you could never enter into it, right?

And if a File was 600, you could read and write to it, but not run it, right? (So why would you want to do that? When would execution be bad?)


Quote:

Originally Posted by suicidaleggroll (Post 5318919)
It's a file. You can always run "ls -l ~/.ssh/authorized_keys". If the very first character in the output is a "d", eg: "drwx------" then it's a directory, otherwise (eg: "-rw-------") it's not.

Can you also tell because there isn't a trailing /

Like this is a directory, right?
Code:

~/.ssh/authorized_keys/

And this would be a file, right?
Code:

~/.ssh/authorized_keys

Thanks,


Rob

Miati 02-17-2015 02:06 PM

Quote:

So if a Directory was 700 then you could never enter into it, right?

And if a File was 600, you could read and write to it, but not run it, right? (So why would you want to do that? When would execution be bad?)

If the directory is 700, and you own the folder then you can enter it and write to it. But members of the folder's group and everyone else cannot.
To navigate a directory, it must have an execute and read bit set. Technically, 733 is valid. This will only permit writing to the directory, but the owner can read and write in the directory.

Execution is bad when the file that you run contains code you don't want run. e.g. spyware.
It's best practice to not have execute bits on pictures, videos, documents, etc because they have no need to be permitted to execute code.

suicidaleggroll 02-17-2015 02:11 PM

Quote:

Originally Posted by RobInRockCity (Post 5318925)
So if I had this...
Code:

chown -R rob:rob .ssh
...then that would make "Rob" the user and "Rob" the group owners of the ".ssh" directory, right?

Yes

Quote:

Originally Posted by RobInRockCity (Post 5318925)
Does that mean that "Rob" the user has to be in "Rob" the group for this to work?

No, you can set them independently. You can also use
chown Rob .ssh
chgrp Rob .ssh
To perform the two steps separately, "chown Rob:Rob .ssh" is just a shortcut.

Quote:

Originally Posted by RobInRockCity (Post 5318925)
For a single VPS where the only people with access are me and my web host, do I even need to introduce the concept of Groups?

Probably not

Quote:

Originally Posted by RobInRockCity (Post 5318925)
So if a Directory was 700 then you could never enter into it, right?

700 means you can enter, read, and write if you're the owner. If it were 600, then you wouldn't be able to work with the directory.

Quote:

Originally Posted by RobInRockCity (Post 5318925)
And if a File was 600, you could read and write to it, but not run it, right?

Yes

Quote:

Originally Posted by RobInRockCity (Post 5318925)
(So why would you want to do that? When would execution be bad?)

You never want a non-executable file to be given execute permissions. It's a security problem and bad form. It's also something that Windows does constantly, and is part of the reason why it's so ridiculously vulnerable to spyware and viruses.

Quote:

Originally Posted by RobInRockCity (Post 5318925)
Can you also tell because there isn't a trailing /

That only works in one direction. ~/.ssh/ can only point to the directory .ssh, but ~/.ssh could point to either a file or a directory. In other words, the trailing slash means "this is a directory", but lack of a trailing slash does not mean it must be a file.

RobInRockCity 02-17-2015 02:22 PM

Quote:

Originally Posted by Miati (Post 5318930)
If the directory is 700, and you own the folder then you can enter it and write to it. But members of the folder's group and everyone else cannot.
To navigate a directory, it must have an execute and read bit set. Technically, 733 is valid. This will only permit writing to the directory, but the owner can read and write in the directory.

I meant to say that if a directory was 600 then even the owner couldn't look inside it, right? (Would everyone be locked out of it forever?!)


Quote:

Originally Posted by Miati (Post 5318930)
Execution is bad when the file that you run contains code you don't want run. e.g. spyware.
It's best practice to not have execute bits on pictures, videos, documents, etc because they have no need to be permitted to execute code.

So you are saying that you "read" a picture or document or video or song, but you don't need to "execute" them?


Rob

suicidaleggroll 02-17-2015 02:24 PM

Quote:

Originally Posted by RobInRockCity (Post 5318943)
I meant to say that if a directory was 600 then even the owner couldn't look inside it, right? (Would everyone be locked out of it forever?!)

Everyone would be locked out until the owner changed the permissions back to 700.

Quote:

Originally Posted by RobInRockCity (Post 5318943)
So you are saying that you "read" a picture or document or video or song, but you don't need to "execute" them?

Correct

RobInRockCity 02-17-2015 02:25 PM

Quote:

Originally Posted by suicidaleggroll (Post 5318934)
That only works in one direction. ~/.ssh/ can only point to the directory .ssh, but ~/.ssh could point to either a file or a directory. In other words, the trailing slash means "this is a directory", but lack of a trailing slash does not mean it must be a file.

Wow, that is interesting! I never realized that is how Linux does things.

Thanks!


Rob

Miati 02-17-2015 04:42 PM

I would suggest reading the following links to get a nice overview of the linux filesystem
http://www.tldp.org/LDP/intro-linux/...ect_03_01.html
http://en.tldp.org/HOWTO/Unix-and-In...WTO/index.html

A basic idea of linux (I think *nix in general) is that everything is a file. For example, you can view information about your cpu by going to /proc/cpuinfo.
More or less, directories are files that reference other files.
While this might seem like an odd idea, in practice it becomes a very efficient method of organizing information and giving useful features.

For example, you can point output to the black hole of /dev/null, fill a file full of binary 0's from /dev/zero, and gain random information from /dev/random and /dev/urandom (the latter not being "true" random)

Quote:

(Would everyone be locked out of it forever?!)

Yes. But, since you (or whomever) owns the directory, they can change permissions of the directory. This would restore (change) the access to whatever it is set as.


All times are GMT -5.