Displaying File Information

· How to Display File Information

Display information about all the files in a directory by using the ls command.

$ ls -la

In this command,

-l	Displays the long format.
-a	Displays all files, including files that begin with a dot (.).

Each line in the display has the following information about a file:

• Type of file and its permissions
• Number of hard links
• Owner of the file
• Group of the file
• Size of the file, in bytes
• Date the file was created or the last date it was changed
• Name of the file

Example--Displaying File Information

The following example displays the partial list of the files in the /sbin directory.

$ cd /sbin $ ls -la total 7504 drwxrwxr-x 2 root sys 512 Mar 6 1994 . drwxr-xr-x 24 root root 1024 May 15 19:41 .. -r-xr-xr-x 1 bin bin 111632 Sep 27 1993 autopush -rwxr-xr-x 1 root other 258452 May 26 1993 bpgetfile -r-xr-xr-x 1 bin bin 305424 Sep 27 1993 hostconfig -r-xr-xr-x 1 bin bin 484464 Sep 27 1993 ifconfig -r-xr-xr-x 1 root sys 565204 Sep 27 1993 init -r-xr-xr-x 2 bin root 180264 Sep 27 1993 jsh -r-xr-xr-x 1 bin bin 137732 Sep 27 1993 mount -r-xr-xr-x 1 root sys 7140 Jan 1 1970 mountall

Changing File Ownership

· How to Change the Owner of a File

1. If you are not the owner of the file or directory, become root.

   Only the current owner or root can use the chown command to change the owner of a file or directory.

2. Change the owner of a file by using the chown command.

$ chown newowner filename

In this command,

newowner	Is the name of the new owner of the file or directory.
filename	Is the file or directory.

Verification--Changing the Owner of a File

$ ls -l

Example--Changing the Owner of a File

The following example sets the ownership on myfile to the user rimmer.

$ chown rimmer myfile $ ls -l myfile -rw-r--r-- 1 rimmer scifi 112640 May 5 1994 myfile.doc

· How to Change a Group Ownership of a File

1. If you are not the owner of the file or directory, become root.

   Only the current owner or root can use the chgrp command to change the group of a file or directory.

2. Change the group owner of a file by using the chgrp command.

$ chgrp group filename

In this command,

group	Is the name of the new group of the file or directory.
filename	Is the file or directory.

Verification--Changing a Group Ownership of a File

$ ls -g

Example--Changing a Group Ownership of a File

The following example sets the group ownership on myfile to the group scifi.

$ chgrp scifi myfile $ ls -lg myfile -rwxrw-rw- 1 rimmer scifi 12985 Nov 12 16:28 myfile

Changing File Permissions

The chmod command enables you to change the permissions on a file. You must be root or the owner of a file or directory to change its permissions.

You can use the chmod command to set permissions in either of two modes:

• Absolute Mode - Use numbers to represent file permissions and is the method most commonly used to set permissions. When you change permissions by using the absolute mode, represent permissions for each triplet by an octal mode number.
• Symbolic Mode - Use combinations of letters and symbols to add or remove permissions.

Table 58-1 lists the octal values for setting file permissions in absolute mode.

Table 58-1

Octal Value	File Permissions Set	Permissions Description
0	---	No permissions
1	--x	Execute permission only
2	-w-	Write permission only
3	-wx	Write and execute permissions
4	r--	Read permission only
5	r-x	Read and execute permissions
6	rw-	Read and write permissions
7	rwx	Read, write, and execute permissions

Table 58-2 lists the symbols for setting file permissions in symbolic mode. Symbols can specify whose permissions are to be set or changed, the operation to be performed, or the permissions being assigned or changed.

Table 58-2

Symbol	Function	Description
u	Who	User (owner)
g	Who	Group
o	Who	Others
a	Who	All
=	Operation	Assign
+	Operation	Add
-	Operation	Remove
r	Permission	Read
w	Permission	Write
x	Permission	Execute
l	Permission	Mandatory locking, setgid bit is on, group execution bit is off
s	Permission	setuid or setgid bit is on
S	Permission	suid bit is on, user execution bit is off
t	Permission	Sticky bit is on, execution bit for others is on
T	Permission	Sticky bit is on, execution bit for others is off

· How to Change Permissions in Absolute Mode

1. If you are not the owner of the file or directory, become root.

   Only the current owner or root can use the chmod command to change file permissions on a file or directory.

2. Change permissions in absolute mode by using the chmod command.

$ chmod nnn filename

In this command,

nnn	Specifies the octal values that change permissions on the file or directory. See Table 58-1 on page 1204 for the list of valid octal values.
filename	Is the file or directory.

Verification--Changing Permissions in Absolute Mode

$ ls -l

Example--Changing Permissions in Absolute Mode

The following example sets rwxr-xr-x permissions on myfile.

$ chmod 755 myfile

· How to Change Permissions in Symbolic Mode

1. If you are not the owner of the file or directory, become root.

   Only the current owner or root can use the chmod command to change file permissions on a file or directory.

2. Change permissions in symbolic mode by using the chmod command.

$ chmod who operator perms filename

In this command,

who operator perms Specifies the symbols that change the permissions on the

file or directory. who specifies whose permissions are changed, operator specifies the operation to perform, and perms specifies what permissions are changed.

See Table 58-2 on page 1205 for the list of valid symbols.

filename....Is the file or directory.

Verification--Changing Permissions in Symbolic Mode

$ ls -l

Examples--Changing Permissions in Symbolic Mode

The following example takes away read permission from others.

$ chmod o-r filea

The following example adds read and execute permissions for user, group, and others.

$ chmod a+rx fileb

The following example assigns read, write, and execute permissions to group.

$ chmod g=rwx filec

Setting and Searching for Special Permissions

You can set special permissions on a file in absolute or symbolic modes. In absolute mode, you set special permissions by adding a new octal value to the left of the permission triplet. Table 58-3 lists the octal values to set special permissions on a file.

Table 58-3

Octal Value	Special Permissions Set
1	Sticky bit
2	setguid
4	setuid

Table 58-2 on page 1205 lists the symbols to change the special permissions in symbolic mode.

· How to Set Special Permissions in Absolute Mode

1. If you are not the owner of the file or directory, become root.

   Only the current owner or root can use the chmod command to change the special permissions on a file or directory.

2. Change special permissions in absolute mode by using the chmod command.

$ chmod nnnn filename

In this command,

nnnn	Specifies the octal values that change the permissions on the file or directory. The first octal value on the left sets the special permissions on the file. See Table 58-3 on page 1208 for the list of valid octal values for the special permissions.
filename	Is the file or directory.

Verification--Setting Special Permissions in Absolute Mode

$ ls -l

Examples--Setting Special Permissions in Absolute Mode

The following example sets setuid permission on the dbprog file.

$ chmod 4555 dbprog $ ls -l dbprog -r-sr-xr-x 1 db staff 12095 May 6 09:29 dbprog

The following example sets setgid permission on the dbprog2 file.

$ chmod 2551 dbprog2 $ ls -l dbprog2 -r-xr-s--x 1 db dbstaff 24576 May 6 09:30 dbprog

The following example sets sticky bit permission on the pubdir directory.

$ chmod 1777 pubdir

· How to Find Files With setuid Permissions Set

1. Become root.

2. Find files with setuid permissions set by using the find command.

# find directory -user root -perm -4000 -exec ls -ldb {}\; >/tmp/filename

In this command,

find directory	Checks all mounted paths starting at the specified directory, which can be root (/), /sys, /bin, or /mail.
-user root	Displays files only owned by root.
-perm -4000	Displays files only with permissions set to 4000.
-exec ls -ldb	Displays the output of the find command in
>/tmp/filename	Writes results to this file.

3. Display the results in /tmp/filename.

   If you need background information about setuid, see "setuid Permission" on page 1162.

Example--Finding Files With setuid Permissions Set

# find / -user root -perm -4000 -exec ls -ldb { }\; > /tmp/ckprm # cat /tmp/ckprm -r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at -r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab ---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct -r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir -r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin -r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched (1) ---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh -r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df -rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp -r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd -r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su #

(1) An unauthorized user (rar) has made a personal copy of /usr/bin/sh, and has set the permissions as setuid to root. This means that rar can execute /usr/rar/bin/sh and become the privileged user.If you want to save this output for future reference, move the file out of the /tmp directory.

Using ACLs

ACL entries are the way to define an ACL on a file, and they are set through the ACL commands. ACL entries consist of the following fields separated by colons:

entry_type:[uid|gid]:perms

In an ACL entry,

entry_type	Is a type of ACL entry on which to set file permissions. For example, entry_type can be user (the owner of a file) or mask (the ACL mask).
uid	Is the user name or identification number.
gid	Is the group name or identification number.
perms	Represents the permissions that are set on entry_type. perms can be indicated by the symbolic characters rwx or a number (the same permissions numbers used with the chmod command).

The following example shows an ACL entry that sets read/write permissions for the user nathan.

user:nathan:rw-

ACL Entries for Files

Table 58-4 lists the valid ACL entries. The first three ACL entries provide the basic UNIX file protection.

Table 58-4

ACL Entry	Meaning
u[ser]::perms	The owner's permissions.
g[roup]::perms	Permissions for the owner's group.
o[ther]:perms	Permissions for users other than the owner or members of the owner's group.
m[ask]:perms	The ACL mask. The mask entry indicates the maximum permissions allowed for users (other than the owner) and for groups. The mask is a quick way to change permissions on all the users and groups. For example, the mask:r-- mask entry indicates that users and groups cannot have more than read permissions, even though they may have write/execute permissions.
u[ser]:uid:perms	Permissions for a specific user.
g[roup]:gid:perms	Permissions for a specific group.

ACL Entries for Directories

In addition to the ACL entries described in Table 58-4, you can set default ACL entries on a directory that will apply to files created within the directory. Files created in a directory that has default ACL entries will have the same ACL entries as the default ACL entries. Table 58-5 lists the default ACL entries for directories.

When you set default ACL entries for specific users and groups on a directory for the first time, you must also set default ACL entries for the owner, owner's group, others, and the mask (these are required and are the first four default ACL entries in Table 58-5).

Table 58-5

Default ACL Entry	Meaning
d[efault]:u[ser]::perms	Default owner's permissions.
d[efault]:g[roup]::perms	Default permissions for the owner's group.
d[efault]:o[ther]:perms	Default permissions for users other than the owner or members of the owner's group.
d[efault]:m[ask]:perms	Default ACL mask.
d[efault]:u[ser]:uid:perms	Default permissions for a specific user.
d[efault]:g[roup]:gid:perms	Default permissions for a specific group.

· How to Set ACL Entries on a File

Set ACL entries on a file by using the setfacl command.

$ setfacl -s user::perms,group::perms,other:perms,mask:perms,acl_entry_list filename1 [filename2...]

In this command,

-s	Replaces the entire ACL with the new ACL entries, if an ACL already exists on the file.
user::perms	Specifies the owner's permissions.
group::perms	Specifies the permissions for the owner's group.
other:perms	Specifies the permissions for users other than the owner or members of the owner's group.
mask:perms	Specifies the permissions for the ACL mask. The mask indicates the maximum permissions allowed for users (other than the owner) and for groups.
acl_entry_list	Is the list of one or more ACL entries to set for specific users and groups on the file or directory. You can also set default ACL entries on a directory. Table 58-4 and Table 58-5 show the valid ACL entries.
filename	Is the file or directory on which to set the ACL entries.

Verification--Setting ACL Entries on a File

To verify that an ACL was set on the file, see "How to Check If a File Has an ACL" on page 1217. To verify which ACL entries were set on the file, use the getfacl command.

$ getfacl filename

Examples--Setting ACL Entries on a File

The following example sets the user permissions to read/write, group permissions to read only, and other permissions to none on the ch1.doc file. In addition, the user george is given read/write permissions on the file, and the ACL mask permissions is set to read/write, which means no user or group can have execute permissions.

$ setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:george:rw- ch1.doc $ ls -l total 124 -rw-r-----+ 1 nathan sysadmin 34816 Nov 11 14:16 ch1.doc -rw-r--r-- 1 nathan sysadmin 20167 Nov 11 14:16 ch2.doc -rw-r--r-- 1 nathan sysadmin 8192 Nov 11 14:16 notes $ getfacl ch1.doc # file: ch1.doc # owner: nathan # group: sysadmin user::rw- user:george:rw- #effective:rw- group::r-- #effective:r-- mask:rw- other:---

The following example sets the user permissions to read/write/execute, group permissions to read only, and other permissions to none on the ch2.doc file. In addition, users in the sysadmin group are given read/write permissions on the file, and the ACL mask permissions is set to read/write.

$ setfacl -s u::7,g::4,o:0,g:sysadmin:6,m:6 ch2.doc

· How to Check If a File Has an ACL

Check if a file has an ACL by using the ls command.

$ ls -l filename

In this command,

filename.....Is the file or directory that you want to check.

A '+' to the right of the mode field indicates the file has an ACL.

Example--Checking If a File Has an ACL

The following example shows that ch1.doc has an ACL.

$ ls -l ch1.doc -rwxr-----+ 1 nathan sysadmin 167 Nov 11 11:13 ch1.doc

· How to Add or Modify ACL Entries on a File

Add or modify ACL entries on a file by using the setfacl command.

$ setfacl -m acl_entry_list filename1 [filename2...]

In this command,

acl_entry_list	Is the list of one or more ACL entries to add or modify on the file or directory. You can also add or modify default ACL entries on a directory. Table 58-4 and Table 58-5 show the valid ACL entries.
filename	Is the file or directory on which to add or modify ACL entries.

Verification--Adding or Modifying ACL Entries on a File

To verify that the ACL entries were added or modified on the file, use the getfacl command.

$ getfacl filename

Examples--Adding or Modifying ACL Entries on a File

The following example adds read/write permissions for the user george on the ch3.doc file.

$ setfacl -m user:george:6 ch3.doc

The following example adds default ACL entries for the book directory, which already has a default entry specified for the owner of the directory, for the group owner of the directory, and for others. The users in the staff group are given read permissions and the required default mask is set to read/write.

$ setfacl -m default:group:staff:4,default:mask:6 book

· How to Delete ACL Entries From a File

Delete ACL entries from a file by using the setfacl command.

$ setfacl -d acl_entry_list filename1 [filename2...]

In this command,

acl_entry_list	Is the list of ACL entries (without specifying the permissions) to delete from the file or directory. You can only delete ACL entries and default ACL entries for specific users and groups. Table 58-4 and Table 58-5 show the valid ACL entries.
filename	Is the file or directory from which to delete the ACL entries.

Alternately, you can use the -s option of setfacl to delete all the ACL entries on a file and replace them with the new ACL entries specified.

Verification--Deleting ACL Entries From a File

To verify that the ACL entries were deleted from the file, use the getfacl command.

$ getfacl filename

Example--Deleting ACL Entries From a File

The following example deletes the ACL entry for the user george from the ch3.doc file.

$ setfacl -d user:george ch3.doc

· How to Display ACL Entries for a File

Display ACL entries for a file by using the getfacl command.

$ getfacl [-a | -d] filename1 [filename2...]

In this command,

-a	Displays the file name, owner, group, and ACL entries for the specified file or directory.
-d	Displays the file name, owner, group, and default ACL entries for the specified directory.
filename	Is the file or directory for which to display the ACL entries.

If you specify multiple file names on the command line, the ACL entries are separated by a blank line.

Examples--Displaying ACL Entries for a File

The following example shows all the ACL entries for the ch1.doc file. The #effective: note beside the user and group entries indicates what the permissions are after being modified by the ACL mask.

$ getfacl ch1.doc # file: ch1.doc # owner: nathan # group: sysadmin user::rw- user:george:rw- #effective:rw- group::r-- #effective:r-- mask:rw- other:---

The following example shows the default ACL entries for the book directory.

$ getfacl -d book # file: book # owner: nathan # group: sysadmin default:user::rw- default:user:george:r-- default:group::rw- default:mask:rw- default:other:r--