- File permission execute only
- 4 Answers 4
- File Permissions in Linux / Unix: How to Read, Write & Change?
- Linux File Ownership
- User
- Group
- Other
- Linux File Permissions
- Changing file/directory permissions in Linux Using ‘chmod’ command
- Absolute(Numeric) Mode in Linux
- Symbolic Mode in Linux
- Changing Ownership and Group in Linux
- Tip
- Summary:
File permission execute only
How can I set file to be executable only to other users but not readable/writable, the reason for this I’m executing something with my username but I don’t want to give out the password. I tried :
chmod 777 testfile chmod a=x chmod ugo+x What about when executing it NOT as another user? And is this a script, or a binary program? Scripts must be read by the interpreter.
4 Answers 4
There’s a half truth to the previous statements. You can setup a script so that it’s not readable by the user, but still executable. The process is a little drawn out, but it’s doable by making an exception in /etc/sudoer so that the user can run the script as yourself temporarily without being prompted for a password. Example below:
Some script I want to share with a user:
me@OB1:~/Desktop/script/$ chmod 700 somescript.pl me@OB1:~/Desktop/script/$ ls -l somescript.pl -rwx------ 1 me me 4519 May 16 10:25 somescript.pl Make a shell script that calls ‘somescript.pl’ and save it in /bin/ :
me@OB1:/bin$ sudo cat somescript.sh [sudo] password for me: #!/bin/bash sudo -u me /home/me/Desktop/script/somescript.pl $@ OPTIONAL STEP Make a symlink to somescript.sh in /bin/:
sudo ln -s /bin/somescript.sh /bin/somescript Make sure the shell script is readable/executable to the user (no write access):
sudo chmod 755 /bin/somescript.sh me@OB1:/bin$ ls -l somescript* lrwxrwxrwx 1 root root 14 May 28 16:11 somescript -> /bin/somescript.sh -rwxr-xr-x 1 root root 184 May 28 18:45 somescript.sh Make exception in /etc/sudoer by adding these lines:
# User alias specification User_Alias SCRIPTUSER = me, someusername, anotheruser # Run script as the user 'me' without asking for password SCRIPTUSER ALL = (me) NOPASSWD: /home/me/Desktop/script/somescript.pl someuser@OB1:~$ somescript ***You can run me, but can't see my private parts!*** someuser@OB1:~$ cat /home/me/Desktop/script/somescript.pl cat: /home/me/Desktop/script/somescript.pl: Permission denied This method should be better than trying to obfuscate with Filter::Crypto or PAR::Filter::Crypto or Acme::Bleach which can be reversed engineered by a determined user. Same goes for compiling your script to binary. Let me know if you find something wrong with this method. For more advanced users you may want to remove the User_Alias section completely and replace SCRIPTUSER with ‘%groupname’. This way you can manage your script users with usermod command.
You need both read and execute permissions on a script to be able to execute it. If you can’t read the contents of the script, you aren’t able to execute it either.
tony@matrix:~$ ./hello.world hello world tony@matrix:~$ ls -l hello.world -rwxr-xr-x 1 tony tony 17 Jul 13 22:22 hello.world tony@matrix:~$ chmod 100 hello.world tony@matrix:~$ ls -l hello.world ---x------ 1 tony tony 17 Jul 13 22:22 hello.world tony@matrix:~$ ./hello.world bash: ./hello.world: Permission denied Indeed, updated to reflect that it’s true for scripts which considering the original question, is what I suspect is the case.
If you let other users execute a program, then they can know everything the program is doing, whether the program file is readable or not. All they need to do is point a debugger (or debugger-like program such as strace ). A binary executable can run if it’s executable and not readable (a script can’t, because the interpreter needs to be able to read the script), but this doesn’t give you any security.
If you want others to be able to execute your program as a black box, without letting them see exactly what the program is doing, you need to give your script elevated privileges: make it setuid to your user. Only root can use debugging tools on setuid programs. Note that writing secure setuid programs isn’t easy, and most languages aren’t suitable; see Allow setuid on shell scripts for more explanations. If you’re going to write a setuid program, I strongly recommend Perl, which has a mode (taint mode) that’s explicitly intended to make secure setuid scripts possible.
You can set file permissions with the chmod command. Both the root user and the file’s owner can set file permissions. chmod has two modes, symbolic and numeric.
First, you decide if you set permissions for the user (u), the group (g), others (o), or all of the three (a). Then, you either add a permission (+), remove it (-), or wipe out the previous permissions and add a new one (=). Next, you decide if you set the read permission (r), write permission (w), or execute permission (x). Last, you’ll tell chmod which file’s permissions you want to change.
Wipe out all the permissions but add read permission for everybody:
After the command, the file’s permissions would be -r—r—r—
Add execute permissions for group:
Now, the file’s permissions would be -r—r-xr—
Add both write and execute permissions for the file’s owner. Note how you can set more than one permission at the same time:
After this, the file permissions will be -rwxr-xr—
Remove the execute permission from both the file’s owner and group. Note, again, how you can set them both at once:
Now, the permissions are -rw-r—r—
This is a quick reference for setting file permissions in symbolic mode:
Which user? u user/owner g group o other a all What to do? + add this permission - remove this permission = set exactly this permission Which permissions? r read w write x execute File Permissions in Linux / Unix: How to Read, Write & Change?
Linux is a clone of UNIX, the multi-user operating system which can be accessed by many users simultaneously. Linux can also be used in mainframes and servers without any modifications. But this raises security concerns as an unsolicited or malign user can corrupt, change or remove crucial data. For effective security, Linux divides authorization into 2 levels.
In this Linux file commands tutorial, you will learn-
The concept of Linux File permission and ownership is crucial in Linux. Here, we will explain Linux permissions and ownership and will discuss both of them. Let us start with the Ownership.
Click here if the video is not accessible
Linux File Ownership
Every file and directory on your Unix/Linux system is assigned 3 types of owner, given below.
User
A user is the owner of the file. By default, the person who created a file becomes its owner. Hence, a user is also sometimes called an owner.
Group
A user- group can contain multiple users. All users belonging to a group will have the same Linux group permissions access to the file. Suppose you have a project where a number of people require access to a file. Instead of manually assigning permissions to each user, you could add all users to a group, and assign group permission to file such that only this group members and no one else can read or modify the files.
Other
Any other user who has access to a file. This person has neither created the file, nor he belongs to a usergroup who could own the file. Practically, it means everybody else. Hence, when you set the permission for others, it is also referred as set permissions for the world.
Now, the big question arises how does Linux distinguish between these three user types so that a user ‘A’ cannot affect a file which contains some other user ‘B’s’ vital information/data. It is like you do not want your colleague, who works on your Linux computer, to view your images. This is where Permissions set in, and they define user behavior.
Let us understand the Permission system on Linux.
Linux File Permissions
Every file and directory in your UNIX/Linux system has following 3 permissions defined for all the 3 owners discussed above.
- Read: This permission give you the authority to open and read a file. Read permission on a directory gives you the ability to lists its content.
- Write: The write permission gives you the authority to modify the contents of a file. The write permission on a directory gives you the authority to add, remove and rename files stored in the directory. Consider a scenario where you have to write permission on file but do not have write permission on the directory where the file is stored. You will be able to modify the file contents. But you will not be able to rename, move or remove the file from the directory.
- Execute: In Windows, an executable program usually has an extension “.exe” and which you can easily run. In Unix/Linux, you cannot run a program unless the execute permission is set. If the execute permission is not set, you might still be able to see/modify the program code(provided read & write permissions are set), but not run it.
Let’s see file permissions in Linux with examples:
ls – l on terminal gives
Here, we have highlighted ‘-rw-rw-r–‘and this weird looking code is the one that tells us about the Unix permissions given to the owner, user group and the world.
Here, the first ‘–‘ implies that we have selected a file.p>
Else, if it were a directory, d would have been shown.
The characters are pretty easy to remember.
r = read permission
w = write permission
x = execute permission
– = no permission
Let us look at it this way.
The first part of the code is ‘rw-‘. This suggests that the owner ‘Home’ can:
- Read the file
- Write or edit the file
- He cannot execute the file since the execute bit is set to ‘-‘.
By design, many Linux distributions like Fedora, CentOS, Ubuntu, etc. will add users to a group of the same group name as the user name. Thus, a user ‘tom’ is added to a group named ‘tom’.
The second part is ‘rw-‘. It for the user group ‘Home’ and group-members can:
The third part is for the world which means any user. It says ‘r–‘. This means the user can only:
.png)
Changing file/directory permissions in Linux Using ‘chmod’ command
Say you do not want your colleague to see your personal images. This can be achieved by changing file permissions.
We can use the ‘chmod’ command which stands for ‘change mode’. Using the command, we can set permissions (read, write, execute) on a file/directory for the owner, group and the world.
chmod permissions filename
There are 2 ways to use the command –
Absolute(Numeric) Mode in Linux
In this mode, file permissions are not represented as characters but a three-digit octal number.
The table below gives numbers for all for permissions types.
| Number | Permission Type | Symbol |
|---|---|---|
| 0 | No Permission | — |
| 1 | Execute | –x |
| 2 | Write | -w- |
| 3 | Execute + Write | -wx |
| 4 | Read | r– |
| 5 | Read + Execute | r-x |
| 6 | Read +Write | rw- |
| 7 | Read + Write +Execute | rwx |
Let’s see the chmod permissions command in action.
.png)
In the above-given terminal window, we have changed the permissions of the file ‘sample to ‘764’.
.png)
‘764’ absolute code says the following:
- Owner can read, write and execute
- Usergroup can read and write
- World can only read
This is shown as ‘-rwxrw-r–
This is how you can change user permissions in Linux on file by assigning an absolute number.
Symbolic Mode in Linux
In the Absolute mode, you change permissions for all 3 owners. In the symbolic mode, you can modify permissions of a specific owner. It makes use of mathematical symbols to modify the Unix file permissions.
| Operator | Description |
|---|---|
| + | Adds a permission to a file or directory |
| – | Removes the permission |
| = | Sets the permission and overrides the permissions set earlier. |
The various owners are represented as –
| User Denotations | |
|---|---|
| u | user/owner |
| g | group |
| o | other |
| a | all |
We will not be using permissions in numbers like 755 but characters like rwx. Let’s look into an example
.png)
Changing Ownership and Group in Linux
For changing the ownership of a file/directory, you can use the following command:
In case you want to change the user as well as group for a file or directory use the command
.png)
In case you want to change group-owner only, use the command
chgrp group_name filename
‘chgrp’ stands for change group.
Tip
- The file /etc/group contains all the groups defined in the system
- You can use the command “groups” to find all the groups you are a member of
Summary:
- Linux being a multi-user system uses permissions and ownership for security.
- There are three user types on a Linux system viz. User, Group and Other
- Linux divides the file permissions into read, write and execute denoted by r,w, and x
- The permissions on a file can be changed by ‘chmod’ command which can be further divided into Absolute and Symbolic mode
- The ‘chown’ command can change the ownership of a file/directory. Use the following commands: chown user file or chown user:group file
- The ‘chgrp’ command can change the group ownership chrgrp group filename
- What does x – eXecuting a directory mean? A: Being allowed to “enter” a dir and gain possible access to sub-dirs.