LinuxQuestions.org


emanresu 07-01-2012 09:40 AM

question on higher-level directory permission settings
 
If I want to share a directory with some other user who does not share any group with me, do all directories above it need o+rx?

For example, if I want to share /home/my/trade-secret/publicized/declassified.txt with all other users, it appears the directory trade-secret must also have the o+rw permission set, or otherwise even if publicized/ has 777, users won't be able to access it.

but a more important question is, if I want to protect stuff from a certain directory and downwards, e.g.

/home/my/grandmas_recipes

is it good enough (and safe enough) to set permission o-rwx on the directory grandma_recipes/, so that I don't have to recursively set the permission on all subdirectories?

I know this is a very newbie question, but strange enough, I never knew the exact answers. Thanks!

tronayne 07-01-2012 11:36 AM

Perhaps an example may be of use.

I have a directory named /spares -- the name is not relevant, it could be anything. The permission mask for this directory is
Code:

drwxrwxr-x  25 root  users    4096 Feb 14 12:55 spares/
That's 775. Root owns it, any member of the users group can write in that directory and any other user can read from that directory.

The entire directory looks like this:
Code:

ls -al /spares
total 164
drwxrwxr-x 25 root  users  4096 Feb 14 12:55 ./
drwxr-xr-x 24 root  root  4096 Jul  1 09:32 ../
drwxr-xr-x  2 root  root  4096 Jun 23  2008 AdvLinProg/
drwxr-xr-x  2 trona users  4096 Nov 26  2005 Album/
drwxr-xr-x  5 trona users  4096 Jun  4 19:38 Collections/
drwxr-xr-x  2 trona users  4096 Oct  2  2006 Dighton/
drwxr-xr-x  2 trona users  4096 Nov 26  2005 ThomasRonan/
drwxr-xr-x  3 trona users  4096 Sep 26  2011 backup/
drwxr-xr-x  2 trona users 12288 Jun 25  2011 book/
drwxr-xr-x  2 root  root  4096 Nov 26  2005 canhwy/
drwxr-xr-x  2 trona users  4096 Nov 26  2005 cottage/
drwxr-xr-x  2 root  root  4096 Dec  2  2007 county/
drwxr-xr-x 80 root  root  4096 May  3  2011 etc/
dr-xr-xr-x  2 root  root  12288 Dec  3  2007 gnis/
drwxr-xr-x  2 root  root  4096 Jan 15  2010 grid/
drwx------  2 root  root  16384 Mar 13  2011 lost+found/
drwxr-xr-x  2 root  root  4096 Nov 26  2005 mexhwy/
drwxr-xr-x  3 trona users 20480 Jun 29 09:58 movies/
drwxr-xr-x  2 trona users 12288 Feb  8 10:00 patches-13.0/
drwxr-xr-x 13 trona users  4096 Apr  5  2011 photo/
drwxr-xr-x  2 root  root  16384 Jun 24  2006 srtm30/
dr-xr-xr-x  2 root  root  4096 Dec 19  2009 topo/
drwxr-xr-x  2 root  root  4096 Dec  1  2007 usanhpn/
drwxr-xr-x  2 root  root  4096 Jan 13  2010 wdb/
drwxr-xr-x  6 root  root  4096 Sep  2  2011 www/

Almost all the directories have read-write for owner, read for group, read for public. The "special" directories are lost+found (the /spares directory is a mounted file system, mounted to a partition, and lost+found is automatically created, at least by ext4 file systems) and gnis, which contains geographic information, lots of it, and it doesn't need write for any user, including root, just because I want it that way to protect the content from accidental overwrite (no big deal).

The owner, trona just happens to be me, so I can write in those directories; the permission mask for those directories is a good default of 755.

Why is 755 a good default? It means read-write for owner, read for group, read for public; i.e., nobody can write in it but me but everybody else can read the content.

If I wanted to keep public from reading, I'd use a mask of 750.

If I wanted to keep the group and the public from reading, I'd use a mask of 700.

So, if you wanted to keep everybody but you out of grandma_recipes, you'd do
Code:

chmod 700 grandma_recipes
If you wanted to let the group (say, users) read but not write, you'd do
Code:

chmod 750 grandma_recipes
And if you wanted to let anybody in the group or public read but not write
Code:

chmod 755 grandma_recipes
The numbers are a little easier to remember than the batches of characters, methinks; others will not agree, without doubt.

Now, that's directories. Files are a different story.

You make a file executable with
Code:

chmod 755 file_name
You own it, you can write, group can read, public can read with
Code:

chmod 644 file_name
You own it, you can write, group can write, public can read with
Code:

chmod 660 file_name
You own it, anybody can write
Code:

chmod 666 file_name
That's called Attila the Hun permissions, ravage and pillage.

And, last but not least, you own it and everybody can read only
Code:

chmod 444 file_name
In both cases -- directory and file -- the first digit is owner, the second is group and the third is public.

When you initially create a directory or file, the system-wide umask value sets the permission mask; a pretty standard, widely-used value for umask is displayed with
Code:

umask
0022

Read the manual page for more information about umask (particularly how to determine the value 0022).

That sets newly-created directories to 755 and files to 644 and is a pretty good default for all files and directories you may create. After creating something you can restrict or add permissions as described above, but, generally, a value of 0022 is just about right in most cases.

Hope this helps some.

towheedm 07-01-2012 11:43 AM

These might also help you:
http://mywiki.wooledge.org/Permissions
http://www.grymoire.com/Unix/Permissions.html

emanresu 07-01-2012 02:48 PM

Thank you so much for the long and detailed explanation on file and directory permissions, tronayne. Likewise, I also find the numbers easier to remember than characters in most cases, except when I want to do a batch job of enabling and/or disabling certain permissions but the existing permissions are different on the dirs and files; then the ugoa+/-rwx form is much better since it preserves the existing permissions.

So take the grandma's recipe case as an example again. Say my grandma has a chicken noodle soup recipe worth a million dollars, which resides in the directory:

/home/my/grandmas_recipes/chicken_noodle_soup/ingredients.txt

and chicken_noodle_soup/ has permission 755 by default as well as the file ingredients.txt

if I set grandmas_recipes/ to 700, without setting chicken_noodle_soup/ to 700 (so it remains in 755), will others be able to read the ingredients.txt file and steal the recipe?

tronayne 07-01-2012 03:03 PM

Quote:

Originally Posted by emanresu (Post 4716541)
if I set grandmas_recipes/ to 700, without setting chicken_noodle_soup/ to 700 (so it remains in 755), will others be able to read the ingredients.txt file and steal the recipe?

Nope.

But, to keep it even simpler, setting all the directories to 755 (the default when created) and setting ingredients.txt to 400 (or 600) will accomplish what you want. At 600, the owner (I'm assuming you) will be able to read and write and nobody else will be able to access it; they'll be able to see the file name but will get
Code:

cat ingredients.txt
cat: ingredients.txt: Permission denied

if they try to do anything with it.

Hope this helps some.
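An added example, not from anyone in this thread, that models the rule tronayne's answers rely on: for an unprivileged user, every directory on the path must grant x (search) and the file itself must grant r, so a 700 parent blocks the 755 subdirectory and the 644 file below it, while the "simpler" layout (755 directories, 600 file) is stopped at the file. It also shows how the 0022 umask yields the 755/644 defaults. The tree is constructed metadata that mirrors the paths in the thread, not a real filesystem.

```python
# Constructed sample tree, modelled on the paths in this thread:
# path -> (owner, group, octal mode).  Not a real filesystem.
TREE = {
    "/": ("root", "root", 0o755),
    "/home": ("root", "root", 0o755),
    "/home/my": ("my", "my", 0o755),
    "/home/my/grandmas_recipes": ("my", "my", 0o700),
    "/home/my/grandmas_recipes/chicken_noodle_soup": ("my", "my", 0o755),
    "/home/my/grandmas_recipes/chicken_noodle_soup/ingredients.txt": ("my", "my", 0o644),
    "/home/my/trade-secret": ("my", "my", 0o700),
    "/home/my/trade-secret/publicized": ("my", "my", 0o777),
    "/home/my/trade-secret/publicized/declassified.txt": ("my", "my", 0o644),
}

def class_bits(mode, owner, group, user, groups):
    """Pick the rwx triplet that applies to user: owner first, then group, then other."""
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7

def can_read(tree, path, user, groups):
    """Model of the kernel's rule for an unprivileged user (root bypasses it):
    every ancestor directory must grant x (search) and the target must grant r.
    Returns (True, None) or (False, first_path_that_denies)."""
    parts = [p for p in path.split("/") if p]
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for d in ancestors:
        owner, group, mode = tree[d]
        if not class_bits(mode, owner, group, user, groups) & 1:   # x bit
            return False, d
    owner, group, mode = tree[path]
    if not class_bits(mode, owner, group, user, groups) & 4:       # r bit
        return False, path
    return True, None

def default_modes(umask):
    """Modes a new directory and a new file get under the given umask."""
    return 0o777 & ~umask, 0o666 & ~umask

if __name__ == "__main__":
    f = "/home/my/grandmas_recipes/chicken_noodle_soup/ingredients.txt"
    print(can_read(TREE, f, "my", {"my"}))          # owner: (True, None)
    print(can_read(TREE, f, "bob", {"users"}))      # denied at the 700 parent
    print([oct(m) for m in default_modes(0o022)])   # ['0o755', '0o644']
```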

