LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 07-01-2012, 10:40 AM   #1
emanresu
Member
 
Registered: Apr 2004
Distribution: Gentoo
Posts: 76

Rep: Reputation: 15
Unhappy question on higher-level directory permission settings


if I want to share a directory with some other user who do not share any group with me, do all directories above it have o+rx?

for example, if I want to share /home/my/trade-secret/publisized/declassifed.txt with all other users, it appears the directory trade-secret must also have o+rw permission set or other wise even if publisized/ has 777, users won't be able to access it.

but a more important question is, if I want to protect stuff from a certain directory and downwards, e.g.

/home/my/grandmas_recipes

is it good enough (and safe enough) to set permission o-rwx on the directory grandma_recipes/, and I dont' have to recursively set the permission on all subdirectories

I know this is a very newbie question, but strange enough, I never knew the exact answers. Thanks!
 
Old 07-01-2012, 12:36 PM   #2
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065
Perhaps an example may be of use.

I have a directory named /spares -- the name is not relevant, it could be anything. The permission mask for this directory is
Code:
drwxrwxr-x  25 root  users    4096 Feb 14 12:55 spares/
That's 775. Root owns it, any member of the users group write in that directory and any other user can read from that directory.

The entire directory looks like this:
Code:
ls -al /spares
total 164
drwxrwxr-x 25 root  users  4096 Feb 14 12:55 ./
drwxr-xr-x 24 root  root   4096 Jul  1 09:32 ../
drwxr-xr-x  2 root  root   4096 Jun 23  2008 AdvLinProg/
drwxr-xr-x  2 trona users  4096 Nov 26  2005 Album/
drwxr-xr-x  5 trona users  4096 Jun  4 19:38 Collections/
drwxr-xr-x  2 trona users  4096 Oct  2  2006 Dighton/
drwxr-xr-x  2 trona users  4096 Nov 26  2005 ThomasRonan/
drwxr-xr-x  3 trona users  4096 Sep 26  2011 backup/
drwxr-xr-x  2 trona users 12288 Jun 25  2011 book/
drwxr-xr-x  2 root  root   4096 Nov 26  2005 canhwy/
drwxr-xr-x  2 trona users  4096 Nov 26  2005 cottage/
drwxr-xr-x  2 root  root   4096 Dec  2  2007 county/
drwxr-xr-x 80 root  root   4096 May  3  2011 etc/
dr-xr-xr-x  2 root  root  12288 Dec  3  2007 gnis/
drwxr-xr-x  2 root  root   4096 Jan 15  2010 grid/
drwx------  2 root  root  16384 Mar 13  2011 lost+found/
drwxr-xr-x  2 root  root   4096 Nov 26  2005 mexhwy/
drwxr-xr-x  3 trona users 20480 Jun 29 09:58 movies/
drwxr-xr-x  2 trona users 12288 Feb  8 10:00 patches-13.0/
drwxr-xr-x 13 trona users  4096 Apr  5  2011 photo/
drwxr-xr-x  2 root  root  16384 Jun 24  2006 srtm30/
dr-xr-xr-x  2 root  root   4096 Dec 19  2009 topo/
drwxr-xr-x  2 root  root   4096 Dec  1  2007 usanhpn/
drwxr-xr-x  2 root  root   4096 Jan 13  2010 wdb/
drwxr-xr-x  6 root  root   4096 Sep  2  2011 www/
Almost all the directories have read-write for owner, read for group, read for public. The "special" directories are lost+found (the /spares directory is a mounted file system, mounted to a partition, and lost+found is automatically created, at least by ext4 file systems) and gnis, which contains geographic information, lots of it, and it doesn't need write for any user, including root just because I want it that way to protect the content from accidental overwrite (no big deal).

The owner, trona just happens to be me, so I can write in those directories; the permission mask for those directories is a good default of 755.

Why is 755 a good default? It means read-write for owner, read for group, read for public; i.e., nobody can write in it but me but everybody else can read the content.

If I wanted to keep public from reading, I'd use a mask of 750.

If I wanted to keep the group and the public from reading, I'd use a mask of 700.

So, if you wanted to keep everybody but you out of grandma_recipes, you'd do
Code:
chmod 700 grandma_recipes
If you wanted to let the group (say, users) read but not write, you'd do
Code:
chmod 750 grandma_recipes
And if you wanted to let anybody in the group or public read but not write
Code:
chmod 755 grandma_recipes
The numbers are a little easier to remember than the batches of characters, methinks; others will not agree, without doubt.

Now, that's directories. Files are a different story.

You make a file executable with
Code:
chmod 755 file_name
You own it, you can write, group can read, public can read with
Code:
chmod 644 file_name
You own it, you can write, group can write, public can read with
Code:
chmod 660 file_name
You own it, anybody can write
Code:
chmod 666 file_name
That's called Attila the Hun permissions, ravage and pillage.

And, last but not least, you own it and everybody can read only
Code:
chmod 444 file_name
In both cases -- directory and file -- the first digit is owner, the second is group and the third is public.

When you initially create a directory or file, the system-wide umask value sets the permission mask; a pretty standard, widely-used value for umask is display with
Code:
usmask
0022
Read the manual page for more information about umask (particularly how to determine the value 0022).

That sets newly-created directories 755 and file 644 and is a pretty good default for all files and directories you may create. After creating something you can restrict or add permissions as described above, but, generally, a value of 0022 is just about right in most cases.

Hope this helps some.

Last edited by tronayne; 07-01-2012 at 12:41 PM. Reason: Typo, typo, typo!
 
1 members found this post helpful.
Old 07-01-2012, 12:43 PM   #3
towheedm
Member
 
Registered: Sep 2011
Location: Trinidad & Tobago
Distribution: Debian Stretch
Posts: 612

Rep: Reputation: 125Reputation: 125
These might also help you:
http://mywiki.wooledge.org/Permissions
http://www.grymoire.com/Unix/Permissions.html
 
Old 07-01-2012, 03:48 PM   #4
emanresu
Member
 
Registered: Apr 2004
Distribution: Gentoo
Posts: 76

Original Poster
Rep: Reputation: 15
thank you so much for the long and detailed explanation on file and directory permissions, tronayne. likewise, i also find the numbers easier to remember than characters in most cases, except when I want to do a batch job of enabling and/or disable certain permissions, but the existing permissions are different on the dirs and files, then the ugoa+/-rwx is much better since they preserve the existing permissions.

so take the grandma's recipe case as an example again. say my grandma has a million-dollar worth of chicken noodle soup recipe which resides in the directory:

/home/my/grandmas_recipes/chicken_noodle_soup/ingredients.txt

and chicken_noodle_soup/ has permission 755 by default as well as the file ingredients.txt

if I set grandmas_recipes/ to 700, without setting chicken_noodle_soup/ to 700 (so it remains in 755), will others be able to read the ingredients.txt file and steal the recipe?
 
Old 07-01-2012, 04:03 PM   #5
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065
Quote:
Originally Posted by emanresu View Post
if I set grandmas_recipes/ to 700, without setting chicken_noodle_soup/ to 700 (so it remains in 755), will others be able to read the ingredients.txt file and steal the recipe?
Nope.

But, keep it even simpler, set all the directories to 755 (the default when created) and set ingredients.txt to 400 (or 600) will accomplish what you want. At 600, the owner (I'm assuming you) will be able to read and write and nobody else will be able to access it; they'll be able to see the file name but will get
Code:
cat ingredients.txt
cat: ingredients.txt: Permission denied
if they try to do anything with it.

Hope this helps some.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
What constitutes a level 3 or higher danger level with psad? abefroman Linux - Software 2 04-16-2008 09:18 AM
a good book for a higher level wbsquared Linux - Newbie 3 02-04-2006 05:52 AM
Mandrake 9.2 Security Level 4 (Higher) tumana Linux - Security 4 04-13-2004 04:48 AM
Mandrake 9.2 Security Level 4 (Higher) tumana Linux - Newbie 0 03-15-2004 02:16 AM
higher access level for a user? herc Linux - General 2 12-29-2003 11:50 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 08:48 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration