Web lists-archives.com

Re: File permission confusion [Debian 9.1 with MATE]




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Richard Owlett wrote:
> [...]
> I need a tutorial. Man pages are unsatisfactory. Sort of like giving 
> someone a dictionary and expecting them to become competent writers.

In brief:
chmod - change "mode" bits (i.e. read / write / execute) based on
whether a user is the owner, part of the owning group, or neither.  Skip
to `CHMOD' for more detail (or scroll down about 6-7 lines)

chattr - change "attribute" bits (i.e. make it immutable, only allow
appends, many other things - see the manpage for all possibilities).
Skip to `CHATTR' for more detail (or scroll down about 65-70  lines)


CHMOD:
The output of ls -l shows these mode bits in the leftmost column.  The
format is [directory flag] [owner permissions] [group permissions]
[other permissions]; for example "-rwxr-xr--" for a non-directory file
that

 - the owner can read from, write to, or execute
 - the owning group can read from, or execute
 - anyone else can read

Note that "write" permissions on a file only really comes into play when
you're messing with a file in an editor (e.g. vim, emacs, nano,
whatever).  It does not necessarily prevent one from doing something
like:

   -rw-r----- [...] somefile.txt
   $ mv anotherfile.txt somefile.txt

Because you're not modifying "the file", but rather its parent
directory.  It's a very, very fine distinction, to be sure.

For directories, it's a little more ... nuanced.  A directory with
"dwrxr-xrw-" for example means

 - the owner can read directory contents ("ls"), write new files to /
   delete old files from the directory, and execute (cd into) it.
 - the group can list the directory contents, cd into it; and (if
   file-level permissions allow) read files; the group CANNOT create new
   files, delete files, etc.
 - Everyone else can do absolutely nothing, since they're not allowed to
   execute any commands on the directory.

Now, there are also some "special" bits for chmod, such as the setuid /
setgid bit, or the sticky bit.

Setting the setuid / setgid bit on a file means that when an executable
file is run, it is run with the user (or group) permissions.  For
example, the ping command:

  -rwsr-xr-x 1 root root [...] /bin/ping

this means that ANYONE running the 'ping' command will invoke it with
the permissions of the owner (i.e. root), rather than whatever
permissions their user may have.  This is required as `ping' needs to
send (and receive) packets on a network interface (and only root can do
that).


The "Sticky Bit" is a file and directory flag that means pretty much the
same thing, but again, there is a fine distinction when set on a
directory.

 - files having the sticky bit can only be renamed / deleted by the
   owning person (user ID)
 - directories having the sticky bit can only be renamed / deleted by
   the owning person (user ID) OR the owner of the directory itself.

Note that root supercedes all of these restrictions - root can cd into
non-executable directories, root can alter files with the sticky bit
set, and so on.


CHATTR:
This one gets fun - and may be more what you're looking for in terms of
making the files "unchangeable by anyone".  

Instead of modes (permissions), attributes on the file are metadata that
tell the filesystem itself what is allowed to happen with a file, and
these supercede modes.

If you're coming from a Windows background, you'll probably recognize
the attributes:

 - Archive -- File was edited since last backup operation.  Include with
   the next backup run.
 - Hidden -- Hidden file, do not show in Windows Explorer / DOS `dir'
   command (unless option set).  Equivalent to a dotfile in Linux
 - System -- "Special" hidden file, do not show in Windows Explorer /
   DOS `dir' command (unless option set).  No real linux equivalent that
   I can think of.
 - Read-Only -- File cannot be altered, unless application *explicitly*
   asks (probably run by Administrator).  Linux equivalent is chattr +i
   (set file to be immutable).
 - Compressed - NTFS filesystem only.  "Compress filesystem to save
   space" or whatever it was.
 - Encrypted - file is encrypted by the file system on save (IIRC,
   NTFS-only)
 - Not Indexed - Tell Windows Search to not index the file / directory.


The chattr manpage lists out everything that it lets you do. There are
quite a number of options (14+ at a quick glance), some of which you'll
find correspond to the Windows / DOS ones above.

> I used "linux tutorial chmod chattr" [w/o quotes] in both DuckDuckGo and 
> Google. Many were as much use as the dictionary.

Nah, most (all) of those so-called tutorials completely fail at being
tutorials.  A dictionary at least always fulfills its stated function
(at least when considering words agreed upon as words, rather than
slang, etc.).

If anything, I'd bet the Arch wiki's page[1], coupled with any external
links (e.g. wikipedia) would be what kind of information you're after
(although, they may be a bit light on the "tutorial" aspect for you --
but I've yet to be led astray by their examples).


[1] https://wiki.archlinux.org/index.php/File_permissions_and_attributes

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJaSnnCAAoJEI4R3fMSeaKBjGgH/iSOsNiGTlGd/WZCDoOuwC2O
wSEVhueHjYvDo/F/lbu02z7H2ppRS7uE9tmnnmTtdkHYRFdEK/IQWoCNH/1DZ3Lm
hhp/J7EP/98k7XCfN8XT/LEimEPNiDYl5HswqEmPHqCF8v4uIBrTa/3Zhv0smM8h
h+zTH1AkDLBq9QD5FcA4t0n5FVn7bluTLxMzzeojqUAzpThDIDhTl6NF63j3gFEC
aa8Vm4QNM1+RmUi+RhEQani7G1+XCrturFxAMsVTyoAHJDGFfDDc2jjnyCCF76EQ
1LdU33Vi59lErSvA+vzzkNqXbRUY+bMz7c+nTtW1AF21/rsm3PM7L41oeJDyeE0=
=32l8
-----END PGP SIGNATURE-----

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281