Tuesday, August 01, 2006

File security

File protection with chmod

chmod 400 file - To protect a file against accidental overwriting.
chmod 500 directory - To protect yourself from accidentally removing, renaming or moving files from this directory.
chmod 600 file - A private file only changeable by the user who entered this command.
chmod 644 file - A publicly readable file that can only be changed by the issuing user.
chmod 660 file - Users belonging to your group can change this file, others don't have any access to it at all.
chmod 700 file - Protects a file against any access from other users, while the issuing user still has full access.
chmod 755 directory - For a directory (or a program) that should be readable and searchable/executable by others, but only changeable by the issuing user.
chmod 775 file - Standard file sharing mode for a group.
chmod 777 file - Everybody can do everything to this file.
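To see what the numeric modes in the table above actually grant, here is an added POSIX shell example (not part of the original post) that decodes any three-digit octal mode into the rwx string ls prints and flags the two properties a reviewer usually checks first: whether the mode is world-writable and whether it gives users outside the owning group no access at all. It generalises the table to every three-digit mode; the four-digit forms with the special bits (setuid, setgid, sticky) are deliberately left out here. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX sh and nothing else.

# Translate one octal digit (0-7) into its r/w/x triplet, e.g. 6 -> rw-
triplet() {
    bits=$1
    s=""
    if [ $((bits & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
    if [ $((bits & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $((bits & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    printf '%s\n' "$s"
}

# Turn a three-digit mode such as 644 into "rw-r--r--" (user, group, others).
mode_to_symbolic() {
    m=$1
    u=${m%??}          # first digit: user
    rest=${m#?}
    g=${rest%?}        # second digit: group
    o=${rest#?}        # third digit: others
    printf '%s%s%s\n' "$(triplet "$u")" "$(triplet "$g")" "$(triplet "$o")"
}

# Succeeds (exit 0) when the 'others' digit carries the write bit,
# i.e. anyone on the system can change the file (chmod 777 in the table).
is_world_writable() {
    o=${1#??}
    [ $((o & 2)) -ne 0 ]
}

# Succeeds when users outside the owner and group get no access at all,
# the 400/500/600/660/700-style private modes in the table.
is_private_from_others() {
    o=${1#??}
    [ "$o" -eq 0 ]
}

# Print a one-line summary for a mode, combining the checks above.
describe_mode() {
    m=$1
    ww=no; priv=no
    is_world_writable "$m" && ww=yes
    is_private_from_others "$m" && priv=yes
    printf '%s %s world-writable=%s hidden-from-others=%s\n' \
        "$m" "$(mode_to_symbolic "$m")" "$ww" "$priv"
}

# Stand-alone run: summarise every mode from the table in the post.
for m in 400 500 600 644 660 700 755 775 777; do
    describe_mode "$m"
done
```

Run it as `sh modes.sh` to get one line per mode; `describe_mode 2> /dev/null` can also be dropped into an audit script that walks `find` output.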

Logging on to another group

When you type id on the command line, you get a list of all the groups you are a member of. When initially connecting to a Gentoo system, a user will normally belong to the users group (the primary group for most users). To create new files that belong to a group other than users, a user can use the newgrp command to log into any of these groups. For example, to create files that are owned by the group audio, type:
$ newgrp audio
without having to use chgrp.

Sticky bit mode

When applied to a directory, it means a user can only change files in this directory when s/he is the user owner of the file or when the file has appropriate permissions. This feature is used on directories like /var/tmp, that have to be accessible for everyone, but where it is not appropriate for users to change or delete each other's data. The sticky bit is indicated by a t at the end of the file permission field:
$ ls -ld /var/tmp
drwxrwxrwt 9 root root 280 Aug 1 16:58 /var/tmp
The sticky bit is set using the command chmod o+t directory.

SGID (set group ID) on a directory

This is the standard way of sharing files in UNIX. Every file created in the directory will have the same group owner as the directory itself (while normal behavior would be that new files are owned by the users who create them). This way, users don't need to worry about file ownership when sharing directories:
$ mkdir ~/music
$ chgrp audio ~/music
$ chmod 775 ~/music
This will enable other users who belong to the audio group to write to the directory. But the files they create will belong to each creator's primary group (users) instead of the audio group. The solution is to set the SGID bit on the directory; all files subsequently placed there will then get the group id of the directory automatically:
$ chmod g+s ~/music
Note: Files that are being moved to an SGID directory but were created elsewhere keep their original user and group owner.
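The sticky-bit and SGID sections above can both be checked on scratch directories. The following is an added POSIX shell example (not from the original post) that builds a /var/tmp-style world-writable sticky directory and an SGID group-shared directory, then reads back the permission field and group owner with ls -ld. To make the SGID effect visible it picks one of your supplementary groups (from `id -G`) that differs from your primary group, the same group list the newgrp section refers to; when you have no such group it falls back to the primary group, in which case the two group names match trivially. Function names and the constructed file name song.ogg are my own; the example assumes ls, awk, mktemp, chgrp and id are available.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh, ls, awk,
# mktemp, chgrp and id; works as an ordinary user.

# The 10-character permission field of a path, e.g. drwxrwxrwt
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# The group owner of a path (fourth field of ls -ld)
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# A supplementary group different from the primary one, if there is any;
# otherwise the primary group itself.
pick_other_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            printf '%s\n' "$g"
            return 0
        fi
    done
    printf '%s\n' "$primary"
}

# Build a world-writable directory with the sticky bit, like /var/tmp,
# and print its permission field (expected: drwxrwxrwt).
make_sticky_dir() {
    d=$(mktemp -d)
    chmod 1777 "$d"            # same as: chmod 777 "$d"; chmod o+t "$d"
    perm_string "$d"
    rm -rf "$d"
}

# Build a group-shared SGID directory, create a file in it, and print
# "<perm field> <directory group> <file group>". With SGID set the file
# inherits the directory's group even when that is not the creator's
# primary group (expected perm field: drwxrwsr-x).
make_sgid_dir() {
    d=$(mktemp -d)
    chgrp "$(pick_other_group)" "$d"
    chmod 2775 "$d"            # same as: chmod 775 "$d"; chmod g+s "$d"
    : > "$d/song.ogg"          # constructed sample file
    printf '%s %s %s\n' "$(perm_string "$d")" "$(group_of "$d")" "$(group_of "$d/song.ogg")"
    rm -rf "$d"
}

# Stand-alone run
make_sticky_dir
make_sgid_dir
```

The note in the post still applies: a file created elsewhere and moved into the SGID directory with mv keeps its original group, so this check only holds for files created (or copied with cp) inside the directory.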

