Full Discussion: Unix File Permissions
Post 73792 by Perderabo on Saturday 4th of June 2005 11:41:46 AM
A Closer Look at the Permission Bits on Symbolic Links

Symbolic links have evolved over the years. At first, a symbolic link was followed only when opening a file. So:
Code:
touch datafile
ln -s datafile slink
chmod 700 slink

did not protect the file called "datafile". This was a security problem. Today that "chmod 700 slink" will change the permissions on datafile. "chown fred datafile" will also change datafile and leave slink alone.

Symbolic Links Must Have an Owner

There is a way to change the owner of a symbolic link. It is "chown -h fred slink". This will change slink and leave datafile alone. The original reason why symbolic links need an owner is a feature called "quotas". Quotas allow the system administrator to limit the disk space used by a user. A symbolic link consumes a small amount of disk resources, so it must be charged to the appropriate user. We now have a second reason: sticky directories. We need to know who can remove a symbolic link from a sticky directory.

In addition to an owner, Posix requires that a symbolic link have a size. That is all that you can depend on. Symbolic links may not even have any permission bits.

Permission Bits Are Required by Posix to be Ignored

On Solaris and Linux, newly created symbolic links are 777 and this is not affected by umask. I could not find any way to turn the bits off. On HP-UX, symbolic links are also created with 777, but umask does affect this. So:
Code:
umask 777
ln -s datafile slink

creates a symbolic link with all of the bits turned off. This had no effect at all on what I could do with datafile. And symbolic links (with a mode of 0) to directories also worked fine.

BSD Has a Way to Change the Permission Bits on a Symbolic Link

The various BSD distros all have a "chmod -h" which is like the required "chown -h". Using this command I tested symbolic links on FreeBSD and found that they ignore permission bits as well. The "chmod -h" command is implemented using an lchmod() system call. (BSD even has a lutimes() system call and a "touch -h" command to invoke it.) So far, so good. Nothing here is violating the Posix standard.

NetBSD May be Violating the Posix Standard

According to the NetBSD symlink man page: "The readlink(2) system call requires read permissions on the symbolic link." readlink() is the system call used by ls to display the target of a symbolic link. So with something like this:
Code:
lrwxrwxrwx   1 fred       users            8 May 24 11:15 slink -> datafile

that datafile was obtained with readlink(). I don't have access to a NetBSD system for testing so I could not verify this.

HP-UX Transition Links

When HP rewrote HP-UX to conform to System V Release 4, the location of lots of files changed. As one example, my favorite shell moved from /bin/ksh to /usr/bin/ksh. Some people still use /bin/ksh and that will work (for now) because of a symbolic link:
Code:
$ ls -lds /bin
   0 lr-xr-xr-t   1 root       sys              8 Oct  1  2003 /bin -> /usr/bin

How is HP turning on that sticky bit? The lchmod() system call has been borrowed from BSD. This is an undocumented feature of HP-UX. HP's idea is that they can be sure that a sticky symlink was not created by any users because users do not know about lchmod. Using lchmod() to turn on the sticky bit does not change the properties of the symlink in any way. The only difference is that HP's tl tools will be willing to operate on the symlink.

But here is what the HP-UX faq has to say: "Transition links are a bit faster, because the linked-to filename is stored in the inode itself, instead of using an allocation unit to store the link." While that statement is not exactly false, it is terribly misleading. HP-UX simply supports fast symlinks. If the referenced file name is short enough, it is stored directly in the inode. The transition links happen to be short enough. I have seen some people use lchmod() to turn on the sticky bit of a symlink in an effort to speed things up. It does not work like that.

Transition links are starting to disappear. People who have not switched from /bin/ksh to /usr/bin/ksh may one day get a rude surprise. Below are some links to HP's website.

Maintaining Transition Links
Transition Links Commands (Deprecated)
Transition Links (Deprecated)

Last edited by Perderabo; 06-04-2005 at 04:43 PM..
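
The three observations from the post above (chmod through a link changes the target, umask may or may not shape the link's own bits, and the link's bits never gate access to the target) can be checked on any system with this added shell example. It is not part of the original post; datafile, slink and slink0 are names constructed for the demo, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example: probe how the local system treats symlink permission bits.
# datafile, slink and slink0 are names constructed for this demo.

mode_of() {                       # file type + permission bits, via lstat
    ls -ld "$1" | cut -c1-10
}

in_scratch() {                    # run "$@" inside a throwaway directory
    d=$(mktemp -d) || return 1
    ( cd "$d" && "$@" )           # subshell keeps cd and umask contained
    rc=$?
    rm -rf "$d"
    return $rc
}

_chmod_case() {                   # chmod on a link operand follows the link
    umask 022; touch datafile; ln -s datafile slink
    chmod 700 slink
    mode_of datafile
}

_umask_case() {                   # does umask shape the link's own bits?
    touch datafile; umask 777; ln -s datafile slink0
    mode_of slink0
}

_read_case() {                    # link bits never gate access to the target
    echo "constructed sample" > datafile; umask 777
    ln -s datafile slink0
    cat slink0
}

chmod_through_link()        { in_scratch _chmod_case; }
link_mode_under_umask_777() { in_scratch _umask_case; }
read_through_link()         { in_scratch _read_case; }

echo "target after 'chmod 700 slink': $(chmod_through_link)"
echo "link created under umask 777:   $(link_mode_under_umask_777)"
echo "read through that link:         $(read_through_link)"
```

The second line is the platform-dependent one: the post reports all bits on for Linux and Solaris and all bits off for HP-UX, while the third line should succeed either way.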
