CompTIA Linux+ XK0-005 – Unit 04 – System Administration Part 1

  1. Directory Permissions

All right, so default permissions as a review. All new files’ permissions are six, six, six; all new directories, seven, seven, seven. You can change those defaults. You can change the behavior of being open by default by using what we call the umask. So we can control it through this little entity that is kind of a way of subtracting, and that’s what’s important. The mask is going to subtract the permissions you don’t want people to have automatically.

  1. Umask

So let’s say you had a umask that was zero two two. Well, the way a umask works is that you create this and it is a default that is subtracted from the default permissions. So if you think about what a umask does, and I have a umask of zero two two, and you create a new file whose permissions are six six six, you would take this literally. Write six six six across the top. Underneath it, write the umask value 022. Subtract. Your new result would be six four four. It’s as though you literally were doing the subtraction of how you would put this in. Now, you’re not going to have a umask of 0032. I hope I’m making some sense here. The reason I say that is that we don’t have a permission that is equivalent necessarily of a, I guess we do.

I suppose you would have the write and execute. So we could take that off, but the result wouldn’t come out right. So you’ve got to be careful how you apply the mask, I guess, is what I’m trying to say. Because if I subtract 0022 from the default value, I’m left with six four four. And that makes sense to me because six stands for the read and the write column. A four means read, another four means read. But that works out for us because those are the values we have that we’re dealing with. And so, when you apply that umask, you’ve changed the permissions. Now, because the first number was a zero, you actually didn’t change the permissions for the owner of the file, but you did change the permissions by subtracting the value of two.

Think about where that is. The value of two is the write bit. So you subtracted the write bit from the default permissions for the group, and you subtracted the write bit for the permissions of other, so that you left them only with the read. Okay? If it’s a new directory, the defaults are seven, seven, seven. Again, if your umask is 0022, what you’ve done is you’re taking away the write permission. So think of it this way: you construct the umask by actually constructing the mask based on those three columns, those three bits of what you’re trying to subtract or take away.

So if you wanted to take away read, that mask would be a whole lot different than the two, because two represents the write column, four represents the read column. If you wanted to take away the read, write and execute, then you’d have to subtract all seven points, right, three columns in your mask. Anyway, the goal is to turn off that default everybody-has-all-access type of functionality, which most operating systems have. And so you create a umask to help change those default values when the file or the directory has been created.

  1. Demo – Viewing and Changing the Umask

Well, one of the things we look at when we’re dealing with files and looking at their permissions is that when you create a file, it has a certain set of permissions. And we kind of saw that as we made new files, we had default sets of permissions. In fact, let’s just try that real quick. We’re going to do a touch command and we’ll make a third sample file and then we’ll do that same ls command. And when I do that, you see that the third sample comes up with read, write, read, read. So why does it do that? How does it know what those permissions are? Well, one of the things we know is that we start off with all of our permissions looking at this thing called the umask. I’m going to type in umask.

And you can see that umask basically says that we’re going to subtract from the default permissions 0022. Now, we haven’t quite got to what that first zero stands for. We’re going to talk about those special permissions in a bit. So I’m really focusing on just those last three as they correspond with these up here. Now this zero says that I’m going to subtract zero from the default permissions for this first mode. The two says I’m going to subtract two from this one, which means that had it had read, or I’m sorry, write as its base permissions, it’s now going to have just read. And this one as well. In fact, the default permissions for this text file, for something that’s not executable, were supposed to be six, six, six.

Well, now that I’ve got this umask, I’m basically saying subtract zero from the first mode, two and then two from the next two successive modes. And that’s why I came out with the default permissions of read, write, read, read. Now we can change the umask. Let’s change the umask to 077. So I’m going to be actually subtracting all permissions from the group and the other column. Now, I did not put the extra zero that you saw at the existing umask. It assumes the leading zero if you don’t put it in. In fact, if I just type umask again, you can see that the extra zero is there. Now I’m going to use touch again to create, you guessed it, the fourth sample. I’m going to do the ls -lF. And now when we look at the fourth sample up here, you can see that it’s read, write.

But because of the umask, we’ve gotten rid of all permissions that would have gone with that one particular file. So that’s some of the things that are important when you’re dealing with some of the default settings and how you want the files to get their default permissions. While I’m thinking about it, so I don’t cause myself any more hassle, I’m going to put the umask back the way it was. And that’s hopefully kind of straightforward. As long as you understood the idea of the binary and those different columns, this shouldn’t be too difficult to come up with a mask to change the default permissions to a level that is appropriate for your needs.
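The lecture describes the umask as subtraction; the kernel actually clears the masked bits (base AND NOT umask), which gives the same answer for 022 but not for the 0032 case raised above or for 077 on a file. The script below is an added example, not part of the lecture; it assumes GNU `stat -c`, and the function names are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: the umask clears bits (base AND NOT umask); it is not
# arithmetic subtraction. Assumes GNU coreutils `stat -c`.
# Everything is created in a throwaway temp directory.

# effective_mode BASE UMASK -> octal mode after clearing the masked bits
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# naive_subtract BASE UMASK -> what pencil-and-paper subtraction predicts
naive_subtract() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# created_mode UMASK file|dir -> mode a new file or directory really gets
# (runs in a subshell so the caller's umask is never changed)
created_mode() (
    dir=$(mktemp -d) || exit 1
    umask "$1"
    if [ "$2" = dir ]; then mkdir "$dir/new"; else touch "$dir/new"; fi
    stat -c '%a' "$dir/new"
    rm -rf "$dir"
)

# Compare the subtraction shortcut with the real result for three masks.
printf '%-6s %-9s %-9s %-9s %s\n' umask subtract bitmask new-file new-dir
for m in 022 032 077; do
    printf '%-6s %-9s %-9s %-9s %s\n' "$m" \
        "$(naive_subtract 666 "$m")" "$(effective_mode 666 "$m")" \
        "$(created_mode "$m" file)" "$(created_mode "$m" dir)"
done
```

For 022 every column agrees on 644; for 032 and 077 subtraction predicts 634 and 567, while the files actually come out 644 and 600.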

  1. Special Permissions

Now, there are special permissions that you can give and those special permissions can be assigned to different entities. You have the ability, if you want to, to assign special permissions to the system user ID or to the system’s group ID, or to set this thing called a sticky bit. Now, special permissions are just that. They are designed for certain situations that seem to make sense and we’ll get in there and describe each of those as we talk about how to put them in there. Now, the system user ID represents obviously user accounts, groups for groups. The sticky bit is a little different creature. The sticky bit really has very little to do with permissions. It’s not about who can read it, who can write it, but depending on how the sticky bit is applied, can make some decisions such as special folders, like the temp folder, where anybody can put files in.

Well, by setting the sticky bit, I’m going to try to make sure that I can’t have user A do a wildcard delete of every file in the temp folder when some of those may belong to other users. So the sticky bit, by setting it in that directory, says you can only delete those files that you’re the owner of. So it’s kind of not necessarily a permission, but was designed again with the need in mind for some common areas where I don’t want you to go wild and crazy with your permissions. So it’s a way of kind of overriding some of those default actions. And so we’ll get into each of those as we talk about how you would see it, how you would view it, and how you would set up these special permissions. Now, the special permissions are going to fall under the category often of the other. That’s the thing that we haven’t yet talked about.

  1. Special Permissions in the Mode

All right, so let’s talk about these special permissions, how we would see them in the mode and talk about the user ID, the group ID and the sticky bit. So in the user part of the mode, we would set the user ID special permission by specifying the permissions under execute under user. So let me back up a bit. The user ID special permission says that if it’s set, that this program, and almost always, by the way, these special permissions are with the execute permission. Now, if I have the user ID set, then that means that that particular program will run under the user ID of the owner of that file. As an example, if you wanted to change a password, something in the password file, or use that password program to make the change to the password file, it needs to run as the root user account.

So when it runs, it runs as the root. If I set a group ID specifically on a folder as an example, then every time that somebody puts an object, a file in that folder, instead of the person who created it being the owner, it’ll be the primary group of the directory that is the owner of everything put in there. Again, that goes under the execute bit. And the sticky bit, I think I already talked about, that controls not really permissions, but issues of deleting. If I have the sticky bit set on a directory, that means that only the owner of a file may delete a file within that directory, but those permissions show up underneath the execute bit for your permissions. So if you had read, write and execute set for a user, you would normally see in that first column in the mode rwx, the x for the execute. Well, if it says rws, that means you have the execute permission, but it’s a special permission under the user column for the user ID. So that would be the issue I just described of the SUID being set.

Likewise for a group, if under the execute column permissions instead of an x, you see an s, then that means that you’re going to see the special permission for that group, which again would be something we would apply to the directory. And if you see the t being set, the t means that the sticky bit in the other column has been set instead of an x for execute. Now, if for some reason you applied these special permissions, but you really didn’t give them the execute permission, so let me make sure we get this right. You’ve applied special permissions, but you haven’t given them the execute permission. Then when you looked at those permissions under the inode, the S’s would be capitalized, the T would be capitalized. That means the special permission was set, but you don’t have the execute permission.

  1. Setting Special Permissions

All right, so how do you apply those special permissions? Well, you use the same command, the change mode command. Now, a little bit ago we talked about using three numbers for the change mode, the first number being the user’s permissions, the second number being the group, the third being the other. And we said if you changed it to seven seven seven, then you’re giving all permissions to users, all permissions to the group and all permissions to the other. Now technically, you need four digits. So if you only typed in seven seven seven, the assumption was the first digit zero was there by default. The zero, that leading zero, is the special permissions, and the special permissions again are just that: what you want to add on.

So let’s say you use the command chmod and you use the permissions seven five five. The assumption is the leading zero means no special permissions. User gets a seven, group gets a five, other gets a five. If you then typed in chmod, change mode, to 6755. Ah, now you’ve done something. You have special permissions listed as a six. Now what does that mean? Well, we’re going to talk about that in a second, but it doesn’t mean read, write. I know a six in the other positions means read, write. That’s what we talked about. But technically the way this first number breaks down is it still has three columns. The first column is the user ID turned on; the middle column, group ID turned on; the last column, the sticky bit. So if you have a six, you’ve actually said that it goes 110. We haven’t changed the way binary works.

110 means turn on the user ID, turn on the group ID special permissions. Zero means no sticky bit. So you added those special permissions to the user, to the group, none for the sticky bit by adding the command change mode 6755. Now, if you don’t want to use the actual numerical values, you could use the change mode command with a u for user and say plus s. So that would add the user bit. That would be the same as having a four. You could say put in the g for the group, plus s; o for other, plus t for the sticky bit. You could do that as well through an alphabetic representation. It’s your choice of how you want to use the change mode command.

  1. Demo – Viewing and Changing Special Permissions

Well, here I am back at my home directory. We’re going to, believe it or not, do some more work with our permissions. I’m going to start off with the ls -lF so you can remind yourself that we have the user, the group and the other set of permissions. And what we’re going to do is we’re going to add the special permissions. Now at the moment if something’s executable you can tell it because it’s got a little x for its permissions here. As far as the ability to be able to do read, write, execute, you can see the little x. So there we go. I could finally highlight the three ones while I’m talking, show you that I can do two things at once. Now what we’re going to do is we’re going to create a new file.

So I’m going to use the touch command to create one called Special File. So there we go. Special File. And we’re going to take a look at the, well, first we’re going to change the permissions of Special File so it has every single permission for everyone. And then we’ll do the ls -lF and Special File, there, look at that. It’s looking to us like it wants to be an executable. And that’s what the chmod did with all sevens. It gave us the execute on each of those. Now what we’re going to do is we’re going to change the permissions. We’re going to give the group some special permissions.

Now remember that the special permissions actually should show up to us in the column, whichever mode I’m doing this for, user, group or other. And it should show up with the little letters like s or t. Well, if it’s the group that I’m making the changes to, then I’m going to put in g+s. And of course, that was on the file called Special File. Okay, so there it just gave us the little error. Let me hit my up arrow. See, the nice thing about Linux is if you’re not careful with spaces and things like that, you’re going to get in some trouble and it’s easy to do. So I guess it’s okay for me to show you that I too can make those typos. ls -lF. And now we look at Special File and under the group we see that we have that special permission that we were talking about.

Now the stickiness, that was this third column with the other, so we’ll change that for us as well. We’ll do the chmod. In this case it was the o+t and that’s going to be for, actually, we need to do that for folders. So let’s quickly come out here and make a directory and we’ll create a new directory called the shared folder. Now that I’ve got that new directory, we’ll verify that it’s there. Shared folder, there it is; it is type d. So yes, we got the directory. Now I’m going to go ahead and do that chmod there. And I’m going to do the o+t because that’s where the stickiness went to, is with these directories, and I’m going to do that for shared folder. Hit the enter and then take a look at those permissions again.

And now under shared folder you can see I’ve got the t. Of course, if I really wanted to, I could do the chmod for that particular folder to seven seven seven, that was not special but shared folder. And again, look at those permissions, ls -lF, and we still, for shared folder, here we go. Now, by changing the modes, you can see that I’ve taken away the specialness and put it back to read, write, execute. So let me go change that mode back to sticky. And again we’ll do the ls -lF and now I have got my stickiness back. So now again, this is one of the things that people complain sometimes about Linux. I didn’t mean to get rid of the t, but because I said change the mode to seven seven seven, I killed off the t and that was of course my fault.

I shouldn’t have done that. But let’s try that again. Let’s see if I do chmod to seven seven seven and I come up here now and take a look at the permissions for that file. Right, you can see that I killed the t. And the thing I’m trying to share with you is that it just did what I told it to do. But let’s try that chmod with this value 1777. And we’re going to do that again with the shared folder. And now we’ll do the ls -lF and notice I got the t back. That was just kind of a reminder that the other way of handing out the special permissions was using that very first character. When I used chmod seven seven seven, it assumed the first character was a zero.

And remember that this column in the very first digit of the four digits is the ones column. This was the twos, this was the four. And so if I even did the same chmod with four seven seven for the file called Special File and then I looked at those permissions, then you can see that Special File also has now the stickiness that we talked about for the first column. The first column was that four, which was the owner, the user account, that was the owner. And I got the stickiness that I wanted. All right, so that is you’re changing the special permissions for the different directories and files.
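The mode strings from this section (s, capital S, t) and the `chmod 777` slip from the demo, reproduced in a throwaway directory together with two `find` checks for reviewing special permissions. This is an added example, not part of the lecture; the file and function names are constructed, and GNU `stat -c` is assumed.

```bash
#!/usr/bin/env bash
# Added example (constructed sandbox, hypothetical names). Assumes GNU stat.

# mode_of PATH -> symbolic and octal mode, e.g. "-rwsr-sr-x 6755"
mode_of() { stat -c '%A %a' "$1"; }

# build_sandbox -> prints the path of a temp tree set up like the demo
build_sandbox() (
    d=$(mktemp -d) || exit 1
    touch "$d/special_file" "$d/no_exec"
    mkdir "$d/shared_folder" "$d/open_folder"
    chmod 6755 "$d/special_file"    # leading 6 = 110: SUID + SGID, no sticky
    chmod 644 "$d/no_exec"
    chmod u+s "$d/no_exec"          # SUID without execute shows a capital S
    chmod 1777 "$d/shared_folder"   # leading 1: sticky bit, shows as t
    chmod 1777 "$d/open_folder"
    chmod 777 "$d/open_folder"      # implied leading 0 drops the sticky bit
    echo "$d"
)

# audit_setid DIR -> regular files with SUID or SGID set
audit_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# audit_unsticky DIR -> world-writable directories without the sticky bit,
# where any user can delete files that belong to someone else
audit_unsticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

sb=$(build_sandbox) || exit 1
for p in special_file no_exec shared_folder open_folder; do
    printf '%-14s %s\n' "$p" "$(mode_of "$sb/$p")"
done
echo "SUID/SGID files:"
audit_setid "$sb"
echo "World-writable directories without the sticky bit:"
audit_unsticky "$sb"
rm -rf "$sb"
```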
