LINUX-10 SPECIAL ATTRIBUTES & UMASK
· Special file attributes
· umask
SPECIAL FILE ATTRIBUTES
What we have learned so far about file permissions is rwx for u, g and o.
Beyond "rwx" there is another set of permissions, the file attributes:
"lsattr" views the attributes and "chattr" changes them.
[root@rhel7-server user1]# su - user1
Last login: Sun Jan 1 15:57:52 IST 2017 from 192.168.234.1 on pts/0
[user1@rhel7-server ~]$ pwd
/home/user1
[user1@rhel7-server ~]$ ls -ltr
total 0
[user1@rhel7-server ~]$ touch file1 file2 file3
[user1@rhel7-server ~]$ ls -ltr
total 0
-rw-rw-r--. 1 user1 user1 0 Jan 1 16:29 file3
-rw-rw-r--. 1 user1 user1 0 Jan 1 16:29 file2
-rw-rw-r--. 1 user1 user1 0 Jan 1 16:29 file1
[user1@rhel7-server ~]$ lsattr file1 file2 file3
---------------- file1
---------------- file2
---------------- file3
[user1@rhel7-server ~]$ rm file1
The user can delete his/her own file, nothing strange here.
[user1@rhel7-server ~]$ lsattr file1 file2 file3 file4
lsattr: No such file or directory while trying to stat file1
---------------- file2
---------------- file3
---------------- file4
[user1@rhel7-server ~]$ vi file4
[user1@rhel7-server ~]$ cat file4
hello
hello
hello
hello
The user can edit his own file, nothing strange.
[user1@rhel7-server ~]$ xfsdump -l 0 -f /bkp/user1.dump /dev/sda3
The user can take a dump of his file, nothing strange.
[user1@rhel7-server ~]$ chattr +i file3
chattr: Operation not permitted while setting flags on file3
So a regular user is not allowed to set this flag with "chattr" (the immutable and append-only flags need the CAP_LINUX_IMMUTABLE capability, which only root has).
Hence it is done by root:
[root@rhel7-server user1]# chattr +i file3
[root@rhel7-server user1]# chattr +d file2
[root@rhel7-server user1]# chattr +a file4
[user1@rhel7-server ~]$ lsattr file1 file2 file3 file4
lsattr: No such file or directory while trying to stat file1
------d--------- file2
----i----------- file3
-----a---------- file4
Now let's see what happens with these settings.
We had seen some things a user could do:
1. User can delete his/her file
[user1@rhel7-server ~]$ rm file3
rm: remove write-protected regular empty file ‘file3’? y
rm: cannot remove ‘file3’: Operation not permitted
2. User can edit his file
[user1@rhel7-server ~]$ vi file4
"file4"
"file4" E212: Can't open file for writing
Press ENTER or type command to continue
Now check this with user “root”
[root@rhel7-server user1]# rm file3
rm: remove regular empty file ‘file3’? y
rm: cannot remove ‘file3’: Operation not permitted
[root@rhel7-server user1]# vi file4
"file4"
"file4" E212: Can't open file for writing
Press ENTER or type command to continue
What's going on?
Not even root?
Let's try to add something to file4 by other means.
[root@rhel7-server user1]# echo "hi hi hi" >file4
-bash: file4: Operation not permitted
No luck…
[root@rhel7-server user1]# echo "hi hi hi" >>file4
Bingo!
Can the same be done by user1?
[user1@rhel7-server ~]$ echo "hello hi hello" >>file4
[user1@rhel7-server ~]$ cat file4
hello
hello
hello
hello
hi hi hi
hello hi hello
[user1@rhel7-server ~]$
Yes, user1 can also append to that file.
+a  append-only: editing in place is prevented, only appending is allowed
+i  immutable: even root cannot delete it (or write to it)
+d  no-dump: the file is skipped by dump-style backups
These attributes can be revoked only by root:
[root@rhel7-server user1]# lsattr file1 file2 file3 file4
lsattr: No such file or directory while trying to stat file1
------d--------- file2
----i----------- file3
-----a---------- file4
[root@rhel7-server user1]#
[root@rhel7-server user1]# chattr -a file4
[root@rhel7-server user1]# chattr -i file3
[root@rhel7-server user1]# chattr -d file2
[root@rhel7-server user1]#
[root@rhel7-server user1]# lsattr file2 file3 file4
---------------- file2
---------------- file3
---------------- file4
[root@rhel7-server user1]#
Now they are normal files with regular “rwx” permissions.
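Added example (not from the original page, written in POSIX sh): a small audit filter that decodes the positional flag field lsattr prints, as shown in the listings above, and reports files carrying the immutable, append-only or no-dump attribute, which is what an administrator checks when a file unexpectedly refuses deletion or a backup silently skips it. The sample lines are constructed to mirror the page's listing; in practice the input would be the output of lsattr -R on the directory of interest.

```shell
#!/bin/sh
# Added example: decode the flag field printed by lsattr and report the
# files that carry i (immutable), a (append-only) or d (no-dump).
# The field is positional: column 5 is i, column 6 is a, column 7 is d,
# which is why "----i-----------" and "-----a----------" differ by a column.

flag_names() {
    # $1 = the flag field exactly as lsattr prints it; prints a comma list
    names=""
    [ "$(printf '%s' "$1" | cut -c5)" = i ] && names="${names}immutable,"
    [ "$(printf '%s' "$1" | cut -c6)" = a ] && names="${names}append-only,"
    [ "$(printf '%s' "$1" | cut -c7)" = d ] && names="${names}no-dump,"
    printf '%s' "${names%,}"
}

audit_attrs() {
    # Reads "<flags> <path>" lines on stdin (the lsattr output format) and
    # prints "<path> <names>" only for files with at least one flag set.
    while read -r flags path; do
        names=$(flag_names "$flags")
        [ -n "$names" ] && printf '%s %s\n' "$path" "$names"
    done
    return 0
}

# Constructed sample, mirroring the listing in the text (not captured output).
SAMPLE='------d--------- file2
----i----------- file3
-----a---------- file4
---------------- file5
----ia---------- file6'

printf '%s\n' "$SAMPLE" | audit_attrs
```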
UMASK
Have you ever wondered why, whenever we create a file or a directory, it is
created with a predefined set of permissions? These are not the default permissions,
because we know that the defaults are
777 for a DIR
666 for a FILE
Great, let's check it.
[root@rhel7-server ~]# touch testfile1
[root@rhel7-server ~]# ls -ltr testfile1
-rw-r--r--. 1 root root 0 Jan 2 11:04 testfile1
[root@rhel7-server ~]# mkdir testdir1
[root@rhel7-server ~]# ls -ld testdir1
drwxr-xr-x. 2 root root 6 Jan 2 11:05 testdir1
Ohhh, the actual permissions are not the default values.
Why?
It is because of "umask", which controls the effective
permissions of files and directories whenever they are created.
How?
Through /etc/profile and /etc/bashrc:
[root@rhel7-server ~]# grep umask /etc/profile
# By default, we want umask to get set. This sets it for login shell
umask 002
umask 022
[root@rhel7-server ~]# grep umask /etc/bashrc
# By default, we want umask to get set. This sets it for non-login shell.
umask 002
umask 022
Oops, two umask lines?
What does that mean?
Maybe they are different for the regular user and for root?
Let's see.
FOR ROOT
[root@rhel7-server ~]# touch testfile1
[root@rhel7-server ~]# ls -ltr testfile1
-rw-r--r--. 1 root root 0 Jan 2 11:04 testfile1
[root@rhel7-server ~]# mkdir testdir1
[root@rhel7-server ~]# ls -ld testdir1
drwxr-xr-x. 2 root root 6 Jan 2 11:05 testdir1
[root@rhel7-server ~]# umask
0022
FOR REGULAR USER
[root@rhel7-server ~]# su - raman
Last login: Sun Jan 1 15:20:47 IST 2017 on pts/1
[raman@rhel7-server ~]$ touch testfile1
[raman@rhel7-server ~]$ mkdir testdir1
[raman@rhel7-server ~]$ ls -ltr testfile1
-rw-rw-r--. 1 raman raman 0 Jan 2 11:10 testfile1
[raman@rhel7-server ~]$ ls -ld testdir1
drwxrwxr-x. 2 raman raman 6 Jan 2 11:10 testdir1
[raman@rhel7-server ~]$ umask
0002
Yes, they are different for the regular user and for root: the if/else around the two umask lines in /etc/profile and /etc/bashrc picks 002 for users whose UID is above 199 and whose primary group has the same name as the user, and 022 for everyone else, including root.
Now, what do they mean?
0022 / 0002
Umask digit : Permissions still granted
0 : read, write and execute
1 : read and write
2 : read and execute
3 : read only
4 : write and execute
5 : write only
6 : execute only
7 : no permissions
The four digits are:
0 - Special permission (Sticky Bit, SUID or SGID)
0 - User Owner Permission
2 - Group Owner Permission
2 - Other User's Permission
How do they affect the effective permissions?
The default directory permission is 777 and the umask is 0022 for root and 0002 for a
regular user.
The effective permission would be
777-022=755 (drwxr-xr-x) for root
777-002=775 (drwxrwxr-x) for a regular user
The default file permission is 666 and the umask is 0022 for root and 0002
for a regular user.
The effective permission would be
666-022=644 (-rw-r--r--) for root
666-002=664 (-rw-rw-r--) for a regular user
(Strictly, the umask is a bit mask, not a number to subtract: every bit set in the umask is cleared from the default mode, which only looks like subtraction when each umask bit is also present in the default. A file created under umask 011 stays 666, not 655, because a file's default has no execute bits to clear.)
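Added example (not from the original page, written in POSIX sh): a helper that creates a file and a directory under a chosen umask inside a scratch directory and returns their symbolic modes, so the arithmetic above can be checked against what the kernel actually applies, including a umask such as 011 where subtraction and masking disagree. It assumes mktemp and an ls whose long listing starts with the ten-character mode string.

```shell
#!/bin/sh
# Added example: create a file and a directory under a given umask inside a
# scratch directory and return their symbolic modes, so the arithmetic in
# the text can be checked against what the kernel actually applies.

modes_under_umask() {
    mask=$1                           # umask to test, e.g. 022, 002, 077
    scratch=$(mktemp -d) || return 1
    # A subshell keeps the umask change as temporary as "umask 077" typed
    # at the prompt: it does not leak into the caller's shell.
    (
        umask "$mask"
        : > "$scratch/testfile"       # files start from 666, then masked
        mkdir "$scratch/testdir"      # directories start from 777, then masked
    ) || return 1
    fmode=$(ls -ld "$scratch/testfile" | cut -c1-10)
    dmode=$(ls -ld "$scratch/testdir" | cut -c1-10)
    rm -rf "$scratch"
    printf '%s %s\n' "$fmode" "$dmode"
}

# The umask is a bit mask, not a subtrahend: a set bit clears that bit from
# the default mode, and a bit the default never had (execute on a file) is
# simply ignored. 666 under umask 011 is therefore still 666, not 655.
for m in 022 002 077 033 044 011; do
    set -- $(modes_under_umask "$m")
    printf 'umask %s -> file %s, dir %s\n' "$m" "$1" "$2"
done
```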
How to change it temporarily?
[raman@rhel7-server ~]$ umask 077
[raman@rhel7-server ~]$ touch testfile1
[raman@rhel7-server ~]$ mkdir testdir1
[raman@rhel7-server ~]$ ls -ltr testfile1
-rw-------. 1 raman raman 0 Jan 2 11:28 testfile1
[raman@rhel7-server ~]$ ls -ld testdir1
drwx------. 2 raman raman 6 Jan 2 11:28 testdir1
[raman@rhel7-server ~]$ grep umask /etc/bashrc
# By default, we want umask to get set. This sets it for non-login shell.
umask 002
umask 022
[raman@rhel7-server ~]$ grep umask /etc/profile
# By default, we want umask to get set. This sets it for login shell
umask 002
umask 022
Now the new permissions are 700 for directories and 600 for files, applicable
only to that session; we can see that there is no effect on the "umask" value in
/etc/profile and /etc/bashrc.
Let's log out and log in again to check the umask.
[raman@rhel7-server ~]$ exit
Logout
[root@rhel7-server ~]# su - raman
Last login: Mon Jan 2 11:17:18 IST 2017 on pts/0
[raman@rhel7-server ~]$ touch testfile2
[raman@rhel7-server ~]$ ls -ltr testfile2
-rw-rw-r--. 1 raman raman 0 Jan 2 11:34 testfile2
[raman@rhel7-server ~]$
It is restored to its global value.
If we want a permanent change then we need to edit the values in
/etc/profile and /etc/bashrc:
[root@rhel7-server ~]# vi /etc/profile
umask set to 077
[raman@rhel7-server ~]$ touch test2
[raman@rhel7-server ~]$ ls -ltr test2
-rw-------. 1 raman raman 0 Jan 2 11:50 test2
[raman@rhel7-server ~]$ mkdir test3
[raman@rhel7-server ~]$ ls -ld test3
drwx------. 2 raman raman 6 Jan 2 11:51 test3
Let's check it with another value and with different users.
[root@rhel7-server ~]# vi /etc/profile
umask 033
[root@rhel7-server ~]# . /etc/profile
[raman@rhel7-server ~]$ mkdir test4
[raman@rhel7-server ~]$ touch test5
[raman@rhel7-server ~]$ ls -ld test4
drwxr--r--. 2 raman raman 6 Jan 2 11:53 test4
[raman@rhel7-server ~]$ ls -ltr test5
-rw-r--r--. 1 raman raman 0 Jan 2 11:53 test5
[root@rhel7-server ~]# su - user1
Last login: Sun Jan 1 16:29:12 IST 2017 on pts/2
[user1@rhel7-server ~]$ mkdir test4
[user1@rhel7-server ~]$ touch test5
[user1@rhel7-server ~]$ ls -ld test4
drwxr--r--. 2 user1 user1 6 Jan 2 11:54 test4
[user1@rhel7-server ~]$ ls -ltr test5
-rw-r--r--. 1 user1 user1 0 Jan 2 11:54 test5
[user1@rhel7-server ~]$
See the differences in permissions.
One more very interesting aspect is the difference between a "login shell" and a "non-login shell".
Let's see their impact on permissions.
The regular user is "user1".
NON-LOGIN SHELL
No change at /etc/bashrc
[root@rhel7-server ~]# su user1
[user1@rhel7-server root]$ touch f1
touch: cannot touch ‘f1’: Permission denied
[user1@rhel7-server root]$ cd /home/user1
[user1@rhel7-server ~]$ touch f1
[user1@rhel7-server ~]$ mkdir f2
[user1@rhel7-server ~]$ ls -lrt f1
-rw-rw-r--. 1 user1 user1 0 Jan 2 12:05 f1
[user1@rhel7-server ~]$ ls -ld f2
drwxrwxr-x. 2 user1 user1 6 Jan 2 12:05 f2
[user1@rhel7-server ~]$ echo $0
bash   <-- see the change in shell: "bash" without a leading "-" is a non-login shell, which reads /etc/bashrc but not /etc/profile
umask set to 044 at /etc/bashrc
[root@rhel7-server ~]# vi /etc/bashrc
umask 044
[root@rhel7-server ~]# . /etc/bashrc
[root@rhel7-server ~]# su user1
[user1@rhel7-server ~]$ touch f3
[user1@rhel7-server ~]$ mkdir f4
[user1@rhel7-server ~]$ ls -lrt f3
-rw--w--w-. 1 user1 user1 0 Jan 2 12:08 f3
[user1@rhel7-server ~]$ ls -ld f4
drwx-wx-wx. 2 user1 user1 6 Jan 2 12:08 f4
[user1@rhel7-server ~]$ echo $0
bash   <-- see the change in shell: still a non-login shell, so the 044 from /etc/bashrc applied
[user1@rhel7-server ~]$ exit
exit
LOGIN SHELL
umask value changed to 033 at /etc/profile
[root@rhel7-server ~]# su - user1
Last login: Mon Jan 2 12:07:51 IST 2017 on pts/0
[user1@rhel7-server ~]$ touch f1
[user1@rhel7-server ~]$ mkdir f2
[user1@rhel7-server ~]$ ls -ltr f1
-rw-r--r--. 1 user1 user1 0 Jan 2 12:09 f1
[user1@rhel7-server ~]$ ls -ld f2
drwxr--r--. 2 user1 user1 6 Jan 2 12:09 f2
[user1@rhel7-server ~]$ grep umask /etc/bashrc
# By default, we want umask
to get set. This sets it for non-login shell.
umask 044
umask 022
[user1@rhel7-server ~]$ grep umask /etc/profile
# By default, we want umask to get set. This sets it for login shell
umask 033
umask 022
[user1@rhel7-server ~]$ echo $0
-bash   <-- see the change in shell: the leading "-" marks a login shell, which reads /etc/profile, so the 033 there wins over the 044 in /etc/bashrc
[user1@rhel7-server ~]$
Please refer to the following links for a better understanding of login
shells vs non-login shells.
Thanks to the authors of both links for the excellent explanations.