How to Protect Files and Directories in Linux
One important aspect of securing the host is protecting important system files and the
directories on your Linux system that contain them. In Linux, you can protect the
files through file ownership and the permission settings that control who can read, write,
or (in the case of executable programs) execute the file.
The default Linux file security is controlled through the following settings for each file or directory:
• User ownership
• Group ownership
• Read, write, execute permissions for the owner
• Read, write, execute permissions for the group
• Read, write, execute permissions for others (everyone else)
How to view ownerships and permissions in Linux
You can see settings related to ownership and permissions for a file when you look at a detailed
listing with the ls -l command. For example, in Ubuntu, type the following command to see
the detailed listing of the /etc/inittab file:
ls -l /etc/inittab
The resulting listing looks something like this:
-rw-r--r-- 1 root root 1666 Feb 16 07:57 /etc/inittab
The first set of characters describes the file permissions for user, group, and others. The third
and fourth fields show the user and group that own this file. In this case, user and group names are the same: root.
How to change file ownerships in Linux
You can set the user and group ownerships with the chown command. If the file /dev/hda
should be owned by the user root and the group disk, you type the following command as
root to set up this ownership:
chown root:disk /dev/hda
To change the group ownership alone, use the chgrp command. Here's how you can change the
group ownership of a file from whatever it was earlier to the group named accounting:
chgrp accounting ledger.out
How to change file permissions in Linux
Use the chmod command to set the file permissions. To use chmod effectively, you have
to specify the permission settings. One way is to concatenate one or more letters from each column of
the table below, in the order shown in the table (Who/Action/Permission).
File Permission Codes
| Who | Action | Permission |
|-----|--------|------------|
| a (all) | | s (set user ID) |
To give everyone read and write access to all files in a directory, type chmod a+rw *.
To permit everyone to execute a specific file, type chmod a+x filename.
Another way to specify a permission setting is to use a three-digit sequence of numbers. In a detailed
listing, the read, write, and execute permission settings for the user, group, and others appear as the sequence
rwxrwxrwx, with dashes in place of letters for disallowed operations. Think of rwxrwxrwx as being three occurrences
of the string rwx. Now assign the values r=4, w=2, and x=1. To get the value of the sequence rwx, simply add
the values of r, w, and x. Thus, rwx = 7.
With this formula, you can assign a three-digit value to any permission setting. If the user can read and
write the file but everyone else can only read the file, for example, the permission setting is rw-r--r--,
and the value is 644. Thus, if you want all files in a directory to be readable by everyone but writable only
by the user, use the following command:
chmod 644 *
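The r=4, w=2, x=1 arithmetic above, as an added shell example that is not part of the original article: perm_to_octal converts the nine permission characters from an ls -l listing into the numeric value, and others_writable uses it to list the entries in a directory that anyone can write to. Both function names are made up for this example, and handling of the s and t characters (set user ID, set group ID, sticky), which add a leading fourth digit, goes beyond the three-digit case in the text.

```sh
#!/bin/sh
# Added example; function names are illustrative, not standard commands.

# perm_to_octal "rw-r--r--" prints 644 (r=4, w=2, x=1 per triplet).
# s/t mean execute plus a special bit, S/T the special bit without execute;
# special bits (setuid=4, setgid=2, sticky=1) become a leading fourth digit.
perm_to_octal() {
    perms=$1 octal="" special=0 weight=4
    [ "${#perms}" -eq 9 ] || return 1
    while [ -n "$perms" ]; do
        rest=${perms#???}
        triplet=${perms%"$rest"}       # first three characters
        perms=$rest
        digit=0
        case $triplet in r??) digit=4 ;; -??) ;; *) return 1 ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; ?-?) ;; *) return 1 ;; esac
        case $triplet in
            ??x) digit=$((digit + 1)) ;;
            ??-) ;;
            ??[st]) digit=$((digit + 1)); special=$((special + weight)) ;;
            ??[ST]) special=$((special + weight)) ;;
            *) return 1 ;;
        esac
        octal=$octal$digit
        weight=$((weight / 2))
    done
    [ "$special" -eq 0 ] || octal=$special$octal
    echo "$octal"
}

# Print "MODE PATH" for each entry in directory $1 that others can write.
others_writable() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        [ -L "$f" ] && continue        # symlink modes are not meaningful
        line=$(ls -ld -- "$f")
        field=${line%% *}              # e.g. -rw-r--r-- (may end in . or +)
        p=${field#?}                   # drop the file-type character
        p=${p%"${p#?????????}"}        # keep the nine permission characters
        mode=$(perm_to_octal "$p") || continue
        case $mode in *[2367]) echo "$mode $f" ;; esac
    done
}

perm_to_octal "rw-r--r--"   # the /etc/inittab listing above: prints 644
```

Running others_writable on a directory after chmod a+rw * lists every file there with mode 666; after chmod 644 * it prints nothing.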