e023856b-a59e-4dbb-940d-86c57313e0d1
/
dcd9fedd-5509-4f32-8754-e48177608f7d
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dcd9fedd-5509-4f32-8754-e48.../docs/05_permissions.md

266 lines
7.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Step 5 — Permissions & Ownership (Ubuntu 24)
> **Type along** exactly as shown. This step is written for absolute beginners and assumes no prior Linux experience.
> **Estimated time:** ~1015 minutes
---
## What youll learn
- How to **read** Linux permissions and ownership
- How to **change** permissions with `chmod` (symbolic & octal)
- How to change **owner** and **group** with `chown` / `chgrp`
- How **directory** permissions differ from **file** permissions
- How **umask** affects default permissions
- (Optional) What **setuid**, **setgid**, and **sticky** bits do
- (Optional) How to use **ACLs** for finegrained access
> **Setup:** Continue using your practice area (recommended):
> ```bash
> mkdir -p ~/playground && cd ~/playground
> ```
---
## 0) Primer: Users, Groups, and the `rwx` model
Linux tracks access for three classes:
- **u** (user/owner) — typically who created the file
- **g** (group) — collaborators who share a group
- **o** (others) — everyone else
Each class can have:
- **r** (read)
- **w** (write)
- **x** (execute for files / *enter* for directories)
**Example:**
```
-rw-r----- 1 alice devs 42 Sep 8 12:00 notes.txt
```
- Leading `-` = regular **file** (use `d` for directory)
- `rw-` (user), `r--` (group), `---` (others)
- Owner = `alice`, Group = `devs`
> **Tip:** For **directories**, `x` means you can *enter* the directory and access filenames inside. Without `x`, even if you have `r`, you can list names but may not open files.
---
## 1) View permissions & ownership
Create a couple of files and a directory:
```bash
printf 'hello\n' > hello.txt
printf '#!/usr/bin/env bash\necho hi\n' > hello.sh
mkdir project
```
Show long listing:
```bash
ls -l hello.txt hello.sh project
```
Show numeric (octal) permissions and type:
```bash
stat -c '%A %a %U:%G %n' hello.txt hello.sh project
```
See your user and groups:
```bash
id
# or
groups
```
**Expected:** Youll see owner = your username, group = your primary group, and default perms (e.g., `644` for files, `755` for new directories on many systems).
---
## 2) Change permissions with `chmod`
`chmod` can use **symbolic** or **octal** modes.
### A) Symbolic mode
Add **execute** for owner on the script, remove execute for others:
```bash
chmod u+x,o-x hello.sh
ls -l hello.sh
```
Set **exact** bits (owner `rw`, group `r`, others `-`):
```bash
chmod u=rw,g=r,o= hello.txt
ls -l hello.txt
```
Give **group** write on directory for collaboration:
```bash
chmod g+w project
ls -ld project
```
### B) Octal mode
- `r=4`, `w=2`, `x=1` → Sum them per class: `u g o`
Make a common script mode `755` (rwx r-x r-x):
```bash
chmod 755 hello.sh
stat -c '%A %a %n' hello.sh
```
Set a private file `600` (rw- --- ---):
```bash
chmod 600 hello.txt
stat -c '%A %a %n' hello.txt
```
### C) Recurse (be careful!)
Apply to all items beneath a directory:
```bash
mkdir -p project/sub
touch project/sub/todo.txt
chmod -R g+rw project
```
> **Warning:** Recursive changes can break apps. Prefer targeted changes.
---
## 3) Ownership: `chown` and `chgrp`
Ownership is stored as **user:group**.
Change owner (requires privileges if not your own):
```bash
# Example only; may require sudo depending on target user
sudo chown $USER:$USER hello.txt
```
Change **group** when collaborating:
```bash
# switch group ownership to e.g. `devs` (must be a group youre in)
sudo chgrp devs project || echo "Try a group you belong to"
ls -ld project
```
Change owner:group recursively (careful):
```bash
# Example change group across a tree
sudo chown -R :devs project
```
> **Rule of thumb:** Use `chgrp` to hand a folder to a **team group**, then use directory permissions to control access.
---
## 4) Executable scripts: shebang & run
Make sure the script starts with a **shebang** line and is executable:
```bash
head -n1 hello.sh
chmod u+x hello.sh
./hello.sh
```
If you see `Permission denied`, check `ls -l hello.sh` and ensure the containing directory has `x`.
---
## 5) Defaults with `umask`
`umask` subtracts permissions from new files/directories.
Show current umask:
```bash
umask
```
Make a new file/dir and check modes:
```bash
printf 'tmp\n' > new.txt
mkdir newdir
stat -c '%a %n' new.txt newdir
```
Temporarily set a stricter umask for this shell (e.g., disallow “others”):
```bash
umask 007
printf 'secret\n' > secret.txt
stat -c '%a %n' secret.txt
```
> **Typical defaults:** Files start from `666` (rw rw rw) and directories from `777` (rwx rwx rwx), then your `umask` removes bits.
---
## 6) Special bits (advanced)
### setuid (`4xxx` on files)
- Executed with the file **owners** privileges.
- Common on system tools like `passwd`.
> **Dont set setuid on your own scripts**; its risky and often ignored for scripts.
### setgid (`2xxx` on files/dirs)
- On **directories**, new files inherit the directorys **group**, improving collaboration.
Enable setgid on a shared project folder:
```bash
sudo chgrp devs project
sudo chmod g+ws project # the 's' shows setgid on the group bit
ls -ld project
```
New files in `project/` will have group `devs` automatically.
### sticky bit (`1xxx` on dirs)
- On directories like `/tmp`, users can only delete **their own** files even if the dir is world-writable.
Add sticky to a shared drop folder:
```bash
mkdir -p shared_drop
chmod 1777 shared_drop
ls -ld shared_drop
```
---
## 7) ACLs (Access Control Lists) — optional
ACLs allow peruser or pergroup overrides beyond the basic `u/g/o` model.
Inspect ACLs:
```bash
getfacl hello.txt || echo "Install acl package if missing"
```
Grant **alice** read/write:
```bash
setfacl -m u:alice:rw hello.txt
getfacl hello.txt | sed -n '1,20p'
```
Set a **default ACL** on a directory (applies to new files):
```bash
setfacl -m d:u:alice:rwx project
getfacl project | sed -n '1,50p'
```
Remove an entry or clear all:
```bash
setfacl -x u:alice hello.txt
setfacl -b hello.txt # wipe all ACLs
```
> **Note:** On Ubuntu, ACL support is usually enabled by default. If commands are missing: `sudo apt update && sudo apt install -y acl`.
---
## 8) Practice tasks (do these now)
1) Make `hello.sh` executable for **owner only**, and run it.
*Hint:* `chmod 700 hello.sh`
2) Make `hello.txt` readable by **group**, but **no access** for others. Verify with `stat`.
3) Create `project/docs/` and ensure the **group** keeps inheriting on new files.
*Hint:* `chmod g+ws project` and set group ownership.
4) Create a shared `shared_drop/` so **anyone** can write but only delete their own files.
*Hint:* `chmod 1777 shared_drop`
5) (Optional) Give a specific teammate **rw** on `hello.txt` using **ACLs**, then remove it.
---
## Troubleshooting
- **Permission denied**: Check both the **file** and its **directory** for execute (`x`) where needed.
- **Operation not permitted**: Ownership changes or privileged bits may require `sudo`.
- **Script wont run**: Ensure `#!/usr/bin/env bash` shebang and `chmod +x`. Also check the mount isnt `noexec`.
- **Group changes dont “stick”**: Use **setgid** on the directory and correct group ownership.
- **ACLs ignored?** Ensure filesystem supports ACLs and the tools are installed.
---
## Quick Quiz (1 minute)
- What does the **x** bit mean on a **directory**?
- Translate `-rwxr-x---` to octal.
- Which command changes just the **group** of a file?
- What does **setgid** on a directory do?
- How does `umask` affect new files?
**Answers:** enter/traverse; `750`; `chgrp`; new files inherit the directorys group; it subtracts bits from default perms.
---
## Next Step
Continue to **Step 6 — System Info & Monitoring** to learn how to inspect CPU, memory, disk, and logs effectively.
Reference in New Issue View Git Blame Copy Permalink