6.3. Red Hat Enterprise Linux-Specific Information
6.3.1. User Accounts, Groups, and Permissions
- r — Indicates that a given category of user can read a file.
- w — Indicates that a given category of user can write to a file.
- x — Indicates that a given category of user can execute the contents of a file.
A fourth symbol (-) indicates that no access is permitted.
- owner — The owner of the file or application.
- group — The group that owns the file or application.
- everyone — All users with access to the system.
Permissions are shown in a long-format directory listing, produced with the command ls -l. For example, if the user juan creates an executable file named foo, the output of the command ls -l foo would appear like this:
-rwxrwxr-x 1 juan juan 0 Sep 26 12:25 foo
The permissions for this file are listed at the start of the line, beginning with rwx. This first set of symbols defines owner access — in this example, the owner juan has full access, and may read, write, and execute the file. The next set of rwx symbols defines group access (again, with full access), while the last set of symbols defines the types of access permitted for all other users. Here, all other users may read and execute the file, but may not modify it in any way.
Every application runs in the context of a specific user: when user juan launches an application, the application runs using user juan's context. However, in some cases the application may need a more privileged level of access in order to accomplish a task. Such applications include those that edit system settings or log in users. For this reason, special permissions have been created.
- setuid — used only for binary files (applications), this permission indicates that the file is to be executed with the permissions of the owner of the file, and not with the permissions of the user executing the file (which is the case without setuid). This is indicated by the character s in the place of the x in the owner category. If the owner of the file does not have execute permissions, a capital S reflects this fact.
- setgid — used primarily for binary files (applications), this permission indicates that the file is executed with the permissions of the group owning the file and not with the permissions of the group of the user executing the file (which is the case without setgid). If applied to a directory, all files created within the directory are owned by the group owning the directory, and not by the group of the user creating the file. The setgid permission is indicated by the character s in place of the x in the group category. If the group owning the file or directory does not have execute permissions, a capital S reflects this fact.
- sticky bit — used primarily on directories, this bit dictates that a file created in the directory can be removed only by the user that created the file. It is indicated by the character t in place of the x in the everyone category. If the everyone category does not have execute permissions, the T is capitalized to reflect this fact. Under Red Hat Enterprise Linux, the sticky bit is set by default on the /tmp/ directory for exactly this reason.
6.3.1.1. Usernames and UIDs, Groups and GIDs
Access controls are enforced on numeric UIDs and GIDs, not on names. If the user and group database files (such as /etc/group) on a file server and a user's workstation differ in the UIDs or GIDs they contain, improper application of permissions can lead to security issues.
For example, if user juan has a UID of 500 on a desktop computer, files juan creates on a file server will be created with owner UID 500. However, if user bob logs in locally to the file server (or even some other computer), and bob's account also has a UID of 500, bob will have full access to juan's files, and vice versa.
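As an added example (not part of the Red Hat document), the following Python renders mode bits the way ls -l does, including the s/S and t/T cases from the special-permission list above, and checks two constructed /etc/passwd files for the UID collision described in the juan/bob scenario. The file contents, account names and the function names are assumptions made for the example.

```python
import stat

# The special bit that ls -l displays in each triad's execute position, and
# the letter it uses: lowercase when the execute bit is also set, uppercase
# (S or T) when it is not.
_SPECIAL = [(stat.S_ISUID, "s"), (stat.S_ISGID, "s"), (stat.S_ISVTX, "t")]


def mode_to_symbolic(mode: int) -> str:
    """Render the nine-character permission field of an st_mode as ls -l does."""
    out = []
    for i, (special, letter) in enumerate(_SPECIAL):
        bits = (mode >> (6 - 3 * i)) & 0o7        # owner, then group, then everyone
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:
            out.append(letter if bits & 1 else letter.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def uid_collisions(*passwd_files):
    """Given the text of several /etc/passwd files (one per host), return
    {uid: sorted names} for every UID that maps to different names on
    different hosts; those are the UIDs through which bob would own juan's files."""
    names_by_uid = {}
    for text in passwd_files:
        for line in text.splitlines():
            fields = line.split(":")
            if len(fields) < 3 or not fields[2].isdigit():
                continue                           # skip blank or malformed lines
            names_by_uid.setdefault(int(fields[2]), set()).add(fields[0])
    return {uid: sorted(n) for uid, n in names_by_uid.items() if len(n) > 1}


# Constructed sample data: the workstation and file server from the text.
WORKSTATION_PASSWD = "root:x:0:0:root:/root:/bin/bash\njuan:x:500:500::/home/juan:/bin/bash\n"
FILESERVER_PASSWD = "root:x:0:0:root:/root:/bin/bash\nbob:x:500:500::/home/bob:/bin/bash\n"

if __name__ == "__main__":
    print(mode_to_symbolic(0o775))   # rwxrwxr-x, the foo example above
    print(mode_to_symbolic(0o4755))  # rwsr-xr-x, setuid with owner execute
    print(mode_to_symbolic(0o4655))  # rwSr-xr-x, setuid without owner execute
    print(mode_to_symbolic(0o1777))  # rwxrwxrwt, the sticky bit on /tmp
    print(uid_collisions(WORKSTATION_PASSWD, FILESERVER_PASSWD))  # {500: ['bob', 'juan']}
```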
The UID and GID of the root user are treated specially by Red Hat Enterprise Linux — all access is automatically granted.