
Sharing Files On Linux Security Setting

Sharing Files

As you’ve probably already figured out, creating groups is the way to share access to files on the Linux system. However, for a complete file-sharing environment, things are more complicated.


As you’ve already seen in the “Decoding File Permissions” section, when you create a new file, Linux assigns the file permissions of the new file using your default UID and GID. To allow others access to the file, you need to either change the security permissions for the everyone security group or assign the file a different default group that contains other users.

This can be a pain in a large environment if you want to create and share documents among several people. Fortunately, there’s a simple solution to this problem.

There are three additional bits of information that Linux stores for each file and directory:

  • The set user id (SUID): When a file is executed by a user, the program runs under the permissions of the file owner.
  • The set group id (SGID): For a file, the program runs under the permissions of the file group. For a directory, new files created in the directory use the directory group as the default group.
  • The sticky bit: The file remains (sticks) in memory after the process ends.

The SGID bit is important for sharing files. By enabling the SGID bit, you can force all new files created in a shared directory to be owned by the directory’s group and not the individual user’s group.

The SGID is set using the chmod command. It’s added to the beginning of the standard three-digit octal value (making a four-digit octal value), or you can use the symbol s in symbolic mode.

If you’re using octal mode, you’ll need to know the arrangement of the bits, shown in the table below.

The chmod SUID, SGID, and Sticky Bit Octal Values


So, to create a shared directory that always sets the directory group for all new files, all you need to do is set the SGID bit for the directory:

$ mkdir testdir
$ ls -l
drwxrwxr-x 2 rich rich 4096 Sep 20 23:12 testdir/
$ chgrp shared testdir
$ chmod g+s testdir
$ ls -l
drwxrwsr-x 2 rich shared 4096 Sep 20 23:12 testdir/
$ umask 002
$ cd testdir
$ touch testfile
$ ls -l
total 0
-rw-rw-r-- 1 rich shared 0 Sep 20 23:13 testfile
$

The first step is to create a directory that you want to share using the mkdir command. Next, use the chgrp command to change the default group for the directory to a group that contains the members who need to share files (you must be a member of that group for this to work). Finally, set the SGID bit for the directory to ensure that any files created in the directory use the shared group name as the default group.

For this environment to work properly, all the group members must have their umask values set to make files writable by group members. In the preceding example, the umask is changed to 002 so the files are writable by the group.

After all that’s done, any member of the group can go to the shared directory and create a new file. As expected, the new file uses the default group of the directory, not the user account’s default group. Now any user in the shared group can access this file.
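As an added example (not part of the original chapter), the shell function below audits an existing shared directory for the conditions described above: the SGID bit on the directory, the directory's group on every file, and the group write permission that a umask of 002 would have produced. The name audit_shared_dir, the finding labels, and the temporary demo paths are assumptions made for this example; it relies on GNU stat -c as found on Linux.

```shell
#!/bin/sh
# audit_shared_dir DIR  (hypothetical helper, added for illustration)
# Prints one finding per line; returns 0 when DIR works as a shared directory.
audit_shared_dir() {
    dir=$1
    rc=0
    dgid=$(stat -c '%g' "$dir") || return 2   # numeric group of the directory
    dmode=$(stat -c '%a' "$dir")              # octal mode, e.g. 2775

    # Without SGID, new files get each creator's own default group.
    [ -g "$dir" ] || { echo "NO_SGID $dir mode=$dmode"; rc=1; }
    # Group members need write access to the directory to create files.
    [ $(( 0$dmode & 020 )) -ne 0 ] || { echo "DIR_NOT_GROUP_WRITABLE $dir mode=$dmode"; rc=1; }

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fgid=$(stat -c '%g' "$f")
        fmode=$(stat -c '%a' "$f")
        # Files created before SGID was set keep their creator's group.
        [ "$fgid" = "$dgid" ] || { echo "WRONG_GROUP $f gid=$fgid want=$dgid"; rc=1; }
        # A creator with umask 022 instead of 002 leaves the file read-only for the group.
        [ $(( 0$fmode & 020 )) -ne 0 ] || { echo "NOT_GROUP_WRITABLE $f mode=$fmode"; rc=1; }
    done
    return $rc
}

# Constructed demo: a throwaway directory using the caller's own group.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/share"
    chmod 2775 "$d/share"                  # octal form: leading 2 = SGID, then rwxrwxr-x
    ( umask 002; : > "$d/share/good.txt" ) # group-writable, as the chapter requires
    ( umask 022; : > "$d/share/bad.txt" )  # group cannot write to this one
    audit_shared_dir "$d/share"
    status=$?
    rm -rf "$d"
    return $status
}
demo || echo "audit reported findings"
```
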

Summary

This chapter discussed the command line commands you need to know to manage the Linux security on your system. Linux uses a system of user IDs and group IDs to protect access to files, directories, and devices. Linux stores information about user accounts in the /etc/passwd file and information about groups in the /etc/group file. Each user is assigned a unique numeric user ID, along with a text login name to identify the user in the system. Groups are also assigned unique numerical group IDs and text group names. A group can contain one or more users to allow shared access to system resources.

Several commands are available for managing user accounts and groups. The useradd command allows you to create new user accounts, and the groupadd command allows you to create new group accounts. To modify an existing user account, use the usermod command. Similarly, use the groupmod command to modify group account information.

Linux uses a complicated system of bits to determine access permissions for files and directories. Each file contains three security levels of protection: the file’s owner, a default group that has access to the file, and a level for everyone else on the system. Each security level is defined by three access bits: read, write, and execute. The combination of three bits is often referred to by the symbols rwx, for read, write, and execute. If a permission is denied, its symbol is replaced with a dash (such as r-- for read-only permission).

The symbolic permissions are often referred to as octal values, with the three bits combined into one octal value and three octal values representing the three security levels.

Use the umask command to set the default security settings for files and directories created on the system. The system administrator normally sets a default umask value in the /etc/profile file, but you can use the umask command to change your umask value at any time.

Use the chmod command to change security settings for files and directories. Only the file’s owner can change permissions for a file or directory. However, the root user can change the security settings for any file or directory on the system. You can use the chown and chgrp commands to change the default owner and group of the file.

The chapter closed with a discussion on how to use the set GID bit to create a shared directory. The SGID bit forces any new files or directories created in a directory to use the default group name of the parent directory, not that of the user who created them. This provides an easy way to share files between users on the system.

Now that you’re up to speed with file permissions, it’s time to take a closer look at how to work with the actual filesystem in Linux. The next chapter shows you how to create new partitions in Linux from the command line and then how to format the new partitions so that they can be used in the Linux virtual directory.
