Access Permissions   «Prev  Next»
Lesson 9

Unix File Ownership Conclusion

Because access to practically every resource on the system is managed through the access permissions, this knowledge is crucial to your success as a UNIX system administrator. You are now able to:
  1. Describe the central role that files play in the UNIX environment
  2. List the principles of file and directory ownership
  3. Set user and group ownership
  4. Explain how UNIX grants access to files and directories
  5. Set file and directory access permissions

What are access control primitives of a UNIX system?

If you are a UNIX system administrator or just interested in computer security, you might have heard about access control primitives. But what are they exactly? In this module, we explored the basics of access control primitives of a UNIX system, including their definition, types, and examples.

Access control primitives (ACPs) are the building blocks of access control mechanisms in UNIX systems. They define how users and processes are granted or denied access to resources such as files, directories, devices, and network services. ACPs are implemented by the operating system's kernel and are used by higher-level security systems such as access control lists (ACLs) and security policies.

Types of Access Control Primitives

There are three types of access control primitives in a UNIX system: ownership, permissions, and capabilities.
  1. Ownership: Ownership is the simplest form of access control. It refers to the user and group who own a file or directory. Every file and directory in a UNIX system has an owner and a group. The owner is the user who created the file or directory, while the group is a set of users who share the same access rights. Owners can change the permissions and ownership of their files, while only the root user can change the ownership of system files.
  2. Permissions: Permissions are a more granular form of access control. They define what actions can be performed on a file or directory by its owner, group, and others. There are three types of permissions: read, write, and execute. Read permission allows a user to view the contents of a file, write permission allows a user to modify or delete the file, and execute permission allows a user to run the file as a program or script. Permissions can be set using octal or symbolic notation, and can be modified using the chmod command.
  3. Capabilities: Capabilities are a more advanced form of access control. They allow processes to perform privileged operations without having root privileges. Capabilities can be assigned to individual executables or shared libraries, and can be viewed and modified using the getcap and setcap commands. Capabilities include privileges such as opening raw sockets, binding to privileged ports, and loading kernel modules.

Example 1: File Ownership and Permissions
Suppose we have a file called "secret.txt" that contains sensitive information. We want to restrict access to this file to only the user "alice" and members of the group "finance". We can set the ownership and permissions of the file as follows: 
$ chown alice:finance secret.txt
$ chmod 640 secret.txt

This sets the owner to "alice" and the group to "finance", and gives the owner read and write permission, the group read permission, and others no permission.

Example 2: Capabilities
Suppose we have a program called "packet-sniffer" that needs to capture network packets. However, capturing packets requires root privileges, which we don't want to give to the program. We can assign the "CAP_NET_RAW" capability to the program as follows: 
$ setcap cap_net_raw+ep packet-sniffer

This allows the program to capture network packets without having root privileges.
Access control primitives are essential for ensuring the security and integrity of a UNIX system. By understanding how ownership, permissions, and capabilities work, you can control who has access to your system's resources and what they can do with them. Remember to always use the principle of least privilege, and only give users and processes the access

Unix Operating System

Key terms

In this module, we used the following terms:
  1. access mode: The access mode is the first column of an ls -l listing. The access mode is composed of a file type followed by the user permissions, group permissions, and other permissions.
  2. access permission bits: Access permission bits are a series of 9 bits that describe various file permissions. The first 3 access permission bits describe the read, write, and execute permissions for the file's user. The second 3 bits describe the read, write, and execute permissions for the file's group. The final 3 bits describe the read, write, and execute permissions for others.
  3. group: A group allows an arbitrary set of users to share files. When a user is a member of the file's group, the user will have that file's group permissions.
  4. group permission: Group permissions are the second set of read/write/execute permissions in an access mode. Group permissions apply to users that are members of the file's group.
  5. other permission: Other permissions are the third set of read/write/execute permissions in an access mode. Other permissions apply to everyone besides the file owner and the group members.
  6. owner: The file owner is typically the user who created the file. You can change permissions only on files you own.
  7. Permission type: A permission type grants users a particular type of access. The three basic permission types are r (read), w (write), and x (execute).
  8. save text permission: Setting the save text permission bit (indicated by t) on an executable file is supposed to tell the kernel to leave a program in memory after it terminates. This use is now largely obsolete. The save text permission on a directory means something slightly different. When this permission bit is set on a directory, a user may delete a file only if he or she has write permission (w) for that file, even if he or she has write permission on the directory.
  9. SGID permission: The SGID permission sets a process's group ID on execution.
  10. SUID permission: The SUID permission sets a process of a user ID on execution.
  11. user permission: User permissions are the first set of read/write/execute permissions in an access mode. User permissions apply to the file owner.

Commands

In this module, we discussed the following commands:
Command Purpose
ls Lists file or directory. With no arguments, ls lists the current directory.
chgrp Changes the group of a file.
chown Changes the owner of a file.
umask Sets the default permission for a new file.
chmod Changes the access mode of a file.

File Ownership Access Permissions- Quiz

Click the Quiz link below to take a multiple-choice quiz covering what you learned in this module.
File Ownership Access Permissions- Quiz