Connect to your cloud server with SSH for this exercise.
Unix Permissions
This exercise illustrates how you can restrict access to files and directories using Unix permissions.
Legend
Parts of this exercise are annotated with the following icons:
- A task you MUST perform to complete the exercise
- An optional step that you may perform to make sure that everything is working correctly, or to set up additional tools that are not required but can help you
- The end of the exercise
- The architecture of the software you ran or deployed during this exercise.
- Troubleshooting tips: how to fix common problems you might encounter
Setup
Create a new alice user:
$> sudo useradd --create-home --shell /bin/bash alice
You can also use the equivalent short versions of these options:
$> sudo useradd -m -s /bin/bash alice
Make sure other users can access and list the contents of alice's home directory:
$> sudo chmod o+rx /home/alice
The exercise
- Create a file named file.txt in alice's home directory that is readable by alice but not by you.
# Switch to alice.
$> sudo su - alice
# Create the file (it will belong to alice and the alice group).
$> touch file.txt
# Switch back to your user.
$> exit
# Remove read permissions for other users (including yours).
$> sudo chmod o-r /home/alice/file.txt
Another solution
# Create the file as root (it will belong to root and the root group).
$> sudo touch /home/alice/file.txt
# Give the file to alice.
$> sudo chown alice /home/alice/file.txt
# Remove read permissions for other users (including yours).
$> sudo chmod o-r /home/alice/file.txt
Setting the permissions in octal mode
$> sudo chmod 640 /home/alice/file.txt
- Create a directory named for_alice in the system's temporary directory (/tmp). The alice user must be able to traverse this directory, but not list its contents or create new files in it.
# Create the directory.
$> sudo mkdir /tmp/for_alice
# Give the directory to your user and alice's group.
$> sudo chown jde:alice /tmp/for_alice
# Specify that the group can only traverse the directory
# and (optionally) that other users have no permissions.
$> sudo chmod g=x,o-rwx /tmp/for_alice
Setting the permissions in octal mode
$> sudo chmod 710 /tmp/for_alice
- The directory must contain a readable.txt file that alice can read from, but not write to.
Solution with access by other users
# Move into the directory.
$> cd /tmp/for_alice
# Simply create the file. It will be readable by everyone by default.
$> echo "Hello, I'm readable" > readable.txt
Without access by other users
# Give the file to alice's group (which should have read access by default).
$> sudo chown jde:alice readable.txt
# Remove all permissions for other users.
$> sudo chmod o-rwx readable.txt
Setting the permissions in octal mode
$> sudo chmod 640 readable.txt
- The directory must contain a writable.txt file that alice can read from and write to.
Solution with access by other users
$> cd /tmp/for_alice
# Create the file.
$> echo "Hello, I'm writable" > writable.txt
# Add the write permission to other users.
$> sudo chmod o+w writable.txt
Without access by other users
# Give the file to alice's group.
$> sudo chown jde:alice writable.txt
# Add the write permission to the group and (optionally)
# remove all permissions for other users.
$> sudo chmod g+w,o-rwx writable.txt
Setting the permissions in octal mode
$> sudo chmod 660 writable.txt
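To see how the octal modes used above map onto the rwx notation that ls -l prints, here is an added script (it is not part of the exercise itself): it converts an octal mode such as 640, 710 or 660 into its symbolic form, then rebuilds the exercise's layout in a scratch directory with plain chmod and reads the modes back with stat. It assumes GNU coreutils (stat -c) and runs as your own user, so it needs no sudo, no chown and no alice account; ownership is left unchanged.

```shell
#!/bin/sh
# Added example, not part of the exercise page: converts an octal mode such as
# the page's 640/710/660 into the symbolic rwx string that `ls -l` displays,
# and rebuilds the exercise's file layout in a scratch directory to read the
# modes back. Assumes GNU coreutils (`stat -c`); runs as the current user, so
# no `sudo`/`chown` and no alice account are needed (ownership is unchanged).

# rwx triplet for one octal digit: 4 = read, 2 = write, 1 = execute/traverse.
triplet() {
  d=$1; r=-; w=-; x=-
  [ $((d & 4)) -ne 0 ] && r=r
  [ $((d & 2)) -ne 0 ] && w=w
  [ $((d & 1)) -ne 0 ] && x=x
  printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_symbolic 710 -> rwx--x---  (owner, group, others)
octal_to_symbolic() {
  m=$1
  while [ ${#m} -lt 3 ]; do m=0$m; done   # "40" means 040 (group r only)
  u=${m%??}; rest=${m#?}; g=${rest%?}; o=${rest#?}
  printf '%s%s%s\n' "$(triplet "$u")" "$(triplet "$g")" "$(triplet "$o")"
}

# Create the exercise layout with the page's octal modes under a temporary
# directory, print one "relative-path=octal-mode" line per entry, then
# remove the scratch directory again.
build_layout() {
  base=$(mktemp -d) || return 1
  : > "$base/file.txt"                      # alice's file: owner rw, group r
  chmod 640 "$base/file.txt"
  mkdir "$base/for_alice"                   # owner rwx, group traverse only
  chmod 710 "$base/for_alice"
  echo "Hello, I'm readable" > "$base/for_alice/readable.txt"
  chmod 640 "$base/for_alice/readable.txt"  # group may read, not write
  echo "Hello, I'm writable" > "$base/for_alice/writable.txt"
  chmod 660 "$base/for_alice/writable.txt"  # group may read and write
  for f in file.txt for_alice for_alice/readable.txt for_alice/writable.txt; do
    printf '%s=%s\n' "$f" "$(stat -c %a "$base/$f")"
  done
  rm -rf "$base"
}

# Stand-alone run: show each entry's octal mode next to its symbolic form.
build_layout | while IFS== read -r path mode; do
  printf '%-26s %s %s\n' "$path" "$mode" "$(octal_to_symbolic "$mode")"
done
```

Note that the "others" column is all dashes for every entry, which is exactly why your own (non-root, non-alice) user gets "Permission denied" in the checks below.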
Optional: check if it works
You should not be able to read the file in alice's home directory:
$> cat /home/alice/file.txt
cat: /home/alice/file.txt: Permission denied
Temporarily log in as alice (using your administrative privileges and the su command, as in switch user):
$> sudo su --login alice
When you are done, you can go back to being you with the exit command. Your command line prompt should remind you who you are. When in doubt, use the whoami command.
The --login option can also be abbreviated to -l or even simply - (yes,
the people who designed Unix were lazy enough that they did not even want to
type one more letter).
You should be able to read the file in the home directory:
$> cat /home/alice/file.txt
You should not be able to list the for_alice directory:
$> ls /tmp/for_alice
ls: cannot open directory '/tmp/for_alice/': Permission denied
You should not be able to create a file in the for_alice directory:
$> echo Hello > /tmp/for_alice/file.txt
-bash: /tmp/for_alice/file.txt: Permission denied
You should be able to read the readable.txt file in the for_alice directory:
$> cat /tmp/for_alice/readable.txt
You should not be able to modify the readable.txt file in the for_alice directory:
$> echo "Hello, I'm Alice" >> /tmp/for_alice/readable.txt
-bash: /tmp/for_alice/readable.txt: Permission denied
You should be able to write to and read from the writable.txt file in the for_alice directory:
$> echo "Hello, I'm Alice" >> /tmp/for_alice/writable.txt
$> cat /tmp/for_alice/writable.txt
Hello, I'm Alice
As a reminder, in Bash, >> means to redirect the standard output of a command
into a file and to append to the end of that file. If you wanted to overwrite
the whole contents of the file, you could use > instead.
What have I done?
You have learned to open or restrict access to files in a Unix system by judicious use of the chown and chmod commands to change ownership and/or permissions.
You have also practiced using some of the other Unix file-related commands you have learned about so far.