Sponsored Content
Full Discussion: Unix File Permissions
Top Forums UNIX for Beginners Questions & Answers Answers to Frequently Asked Questions Tips and Tutorials Unix File Permissions Post 302137556 by Perderabo on Tuesday 25th of September 2007 06:42:39 PM
Old 09-25-2007
Changing The Inode of a File

We have discussed how write permission controls the ability to change the data in a file. But how about changing the permission bits, the owner, the group, and even the timestamps? No one can change anything on a CD and an NFS server can overrule an NFS client. In the following discussion, I will assume a local read-write filesystem and that the user called "root" has appropriate special administrative privileges for the file system in question.

chmod -- Changing The File Permissions

To change the file permissions at all, you must be the owner of the file or you must be the root user. The root user can change any permission bit. This may not be true of the owner. The one bit that the owner may not be able to switch on is the SGID bit.

To turn on that bit, the owner must be a member of the group that the file is in. If this restriction was not in place, a user could simply create an SGID program to give himself access to files controlled by groups other than those to which he belongs. Remember that, as we mentioned above, the SGID bit has been often overloaded into also being used for file locking. A version of Unix may or may not allow a file owner to switch on the SGID bit of a file in a different group if no execute bit is set.

Simply turning on an execute bit may result in the SUID and SGID bits being cleared (even for root). This is a security feature to ensure that the user intends for the SUID and SGID bits to be set. The user can switch them back on explicitly. Or the user can simply explicitly set all the bit at once. Also be aware that writing to a file may, on some versions of Unix, clear the SUID and SGID bits. See below for the effect of changing the owner or group of a file.

chown -- Changing The File Owner

Originally, Unix allowed a file owner to give away a file. A file's owner could change the owner to someone else. There was no way for a non-root user to undo this operation. When Unix split into a Berkeley/AT&T versions, the USG (Unix Support Group, part of AT&T) versions of Unix tended to inherit this behavior. Meanwhile BSD (Berkeley Software Distribution, part of University of California, Berkeley) removed chown from non-root users. BSD had implemented disk quotas which could limit how much disk space a user could have in a filesystem. Naughty users could give away large files to sneek past the quotas.

Today, it is not easy to say if a non-root can chown a file. Many versions of Unix allow both behaviors. HP-UX has a setprivgroup facility that can control whether or not members of a particular group can invoke chown. Solaris has a global paramter rstchown which can be set to allow global chown. Setting this parameter also disables a change-group limitation described below (without affecting the SGID limitations described above). Recent Linux version have a CAP_CHOWN capability to control this feature. You will need to consult your documentation for other versions of Unix. And you will need to consult your System Administrator to see how your particular system is configured.

The default with most OS's is for chown to be restricted to root only. And there is a consensus that it should stay this way for security considerations. If a non-root user does change the owner of a file and any execute bit is on, the SUID and SGID bits must be cleared. This may or may not happen with root.

chown, chgrp -- Changing The File Group

The chown command can (with any modern, Posix compliant version of Unix) also attempt a group change. And there is a chgrp command. Both of these invoke the chown() system call to change a group. The fact that a common system call is involved helps explain why some OS versions jointly enforce or relax restrictions on non-root users for both owner and group changes.

A non-root user can change the group of file he owns to a group of which he is a member. Posix prohibits a non-root user from changing a files group to a group of which he is not a member. But some OS's lift this restriction if the restriction against changing a file's owner has been lifted.

If the group is changed by a non-root user and one or execute bits are set, the SUID and SGID bits are cleared.

touch -- Changing The File Timestamps

When the touch command is used to change the timestamps of an existing file, it invokes either the old utime() or the new utimes() system call. To change the timestamp on an existing file, you must own the file or be root. Also, you must have write permission on the file or be root.
These 4 Users Gave Thanks to Perderabo For This Post:
 

8 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Unix permissions

I am currently running jsp pages on unix server. At the top of my page is the import statement: <%@ page import="survey.*"%>. This imports the survey folder which i have placed in the same directory as my jsp page- jsp-servlet. However, when i try to run the page, its gives me an error saying that... (2 Replies)
Discussion started by: moukoko
2 Replies

2. UNIX for Advanced & Expert Users

UNIX File Permissions

Hello, What does the following mean in terms of file permissions. -rw-rwSrw- 1 owner group 999 May 25 2004 file_name What does the "S" stand for. Thanks in advance for your input. :) (3 Replies)
Discussion started by: jerardfjay
3 Replies

3. Solaris

Unix permissions

Is anyone aware of a tool that would produce a report or an extract file of all users, the files thry are allowed to access and their associated rights permitted (Read,Write etc.) (0 Replies)
Discussion started by: mobershaw
0 Replies

4. UNIX for Dummies Questions & Answers

Unix permissions for a newbie

Okay, this may turn out to be something quite simple, but I haven't found the answer so far: 1) Is it possible to retrieve a list of user(ID) file permissions? and then... 2) What is the most efficient way to create an alert/error message when/if those file permissions are denied? ... (2 Replies)
Discussion started by: hades1013
2 Replies

5. Shell Programming and Scripting

Unix File Permissions

I want to change one of my Dir permissions to drwx--S--- Can you tell me which number i have to use. Thanks in Advance (4 Replies)
Discussion started by: veeru
4 Replies

6. UNIX for Dummies Questions & Answers

Unix Permissions

We have a user group ‘norkgrp’ which is having 2 users ‘norkadm’ and ‘oracle’. Further we have a directory ‘fstf_blobs’ where ‘norkadm’ is the owner and ‘norkgrp’ is the group owner. The permission is set as 770. $ ls -lrt drwxrwx--- 2 norkadm norkgrp 1024 Jun 24 05:03 fstf_blobs We... (5 Replies)
Discussion started by: varunrbs
5 Replies

7. Solaris

Unix file, folder permissions, security auditing tools.

I want to periodically check if ASCII password/config files on Unix have 400 or 600 access. Folders and files are owned by designated group and user. Folders and Files do not have world write access. Are there any tools/scripts available for this kind of auditing that I can use on Solaris? (7 Replies)
Discussion started by: kchinnam
7 Replies

8. Shell Programming and Scripting

ksh; Change file permissions, update file, change permissions back?

Hi, I am creating a ksh script to search for a string of text inside files within a directory tree. Some of these file are going to be read/execute only. I know to use chmod to change the permissions of the file, but I want to preserve the original permissions after writing to the file. How can I... (3 Replies)
Discussion started by: right_coaster
3 Replies
All times are GMT -4. The time now is 03:27 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy