The free software NTFS Permissions Tool simplifies the modification of file permissions greatly. The program displays permissions of files and folders that you drag into its interface in a comfortable easy manner. Even better, controls to modify permissions are directly available on that screen.

The tool lists the path and type of the object, permissions, accounts and the current owner of each item. Both the account and owner can be changed by selecting a different from the pulldown menu.

Permissions can be set to allow, read only or deny in the main interface.

A double-click on a file or folder brings up the item’s advanced permission settings with possibilities to change detailed permissions. This menu resembles the security menu when you change security permissions in Windows Explorer.

You can allow and deny specific access rights, from reading attributes to writing data or creating files. Actions can be applied to the selected object, or in case it is a folder to subfolders and files as well.

It is possible to create permission backups which may be handy for restoration purposes later on, or to run the same set of permission changes on an identical system.

You can use the file menu to add folders or files, in case you do not like to work with drag and drop operations. The Security menu offers advanced editing controls, for instance to copy permissions or security settings.

NTFS Permissions Tools is a handy tool for users who either need to change permissions on a regular basis, or users who need to change a lot of permissions and security changes once. The main advantage over Window’s built-in permission and security tool is accessibility and ease of use. It takes less time to change permissions and security settings.

The program can be downloaded from the developer website. I suggest you use this download host to download the file. Make sure you verify the file at a service like Virustotal.com before you run it on your system. The program itself is offered as a 32-bit and 64-bit version. It looks like a portable software on first glance but may use the Microsoft .NET Framework. (via)

In this article I am going to show you more than one way to do this: Using permissions, using zip, and using encryption. Hopefully, in the end, you will have a method that suits your needs and your abilities.

The tools

Most likely you already have all of the tools you need installed. There could be a slight chance that gpg is not installed. To find out issue the command which gpg. This command should return the version of gpg you have installed. You should also know (as if you don’t already know) that these tasks will all be completed from the command line. So open up your favorite terminal and get ready to type.

Permissions

Since we’re talking about Linux, keeping other users from seeing your files/folders is actually quite simple. All you need to do is make sure the read permissions for other and group are not set. So let’s say you create a folder in your home directory called ~/TEST. By default the permissions on that folder will be:

drwxr-xr-x

This means that anyone in your group and all others can read and execute from within that directory. Let’s remove those permissions. To do so issue the command:

chmod -R go-rx TEST

Now the only user that can read, write, or execute from within your TEST directory is you. There is one problem with that – the root user will still have access to that folder. Or anyone with your user password for that matter. So let’s take this one step further.

Zip

You may not have known this, but you can encrypt a zipped file. Let’s say you don’t want any user on the system seeing the contents of that particular folder. To do that with the zip command is easy. The only issue with this is the folder will now be in zipped form and the only way for you to view the contents is to unzip it. That’s simple to do as well. But let’s zip and encrypt using the same folder ~/TEST. To zip and encrypt this folder you would issue the command:

zip -e -r TEST TEST

You will be prompted for a password for the encryption. The above command would complete with an encrypted TEST.zip file and leave the TEST folder behind. You would then want to delete that folder so no one could see the contents. To unzip that same folder issue the command:

unzip TEST

You will then be prompted for the same password you gave for the encryption. Once you successfully enter the password the file will be unzipped.

Nautilus

There is a very simple way to encrypt files from within the Nautilus file manager. To do this you will need to install the following:

• seahorse
• seahorse-plugins

Seahorse is an encryption front-end for the GNOME desktop. More than likely seahorse is already installed, but seahorse is not. To install seahorse-plugins open up your Add/Remove Software tool, search for “seahorse” (no quotes), mark both for installation (if seahorse is already installed only mark seahorse-plugins), and click Apply to install.

Once this is install you will need to log out and log back in to apply the changes to Nautilus. After you have logged back in open up Nautilus and right click on a file or folder. You should now see, in the action menu, an entry for Encryption. You can either encrypt a single file or folder. You will, of course, have to already have created your gpg key in order to do this. But don’t worry, you can create your gpg key from within Seahorse. Upon encrypting a file or folder, the only people that can  see the contents of that file or folder will be those with your encryption key.

Final thoughts

There are so many ways to protect your files/folders in Linux. Some of the above methods are much more secure than others, but each method will get you to where you want to be – safe.

In this article you will learn how to install and use ACL to further enchance your file permissions on a Linux system.

Installation

Let’s install ACL on a Ubuntu system. Since this is a command line tool, we’ll do the installation from the command line. And since ACL will be found in the standard repository, you won’t have to monkey with your /etc/apt/sources.list file. From the command line enter the following:

sudo apt-get install acl

Type your user password, hit the Enter key and the install, and the installation will begin and end fairly quickly. You are now ready to start with ACL.

Using ACL

Before you use the commands for ACL you actually have to mount your partition such that ACL is available. By default this is not the case. In order to set this you have to edit your /etc/fstab file. Open that file up and look for the line that mounts your data partition. In my case, this line is:

UUID=c7812a34-3ec1-4451-aace-02d122b6c454 /   ext4  errors=remount-ro 0 1

You need to edit this line to look something like:

UUID=c7812a34-3ec1-4451-aace-02d122b6c454 /   ext4 errors=remount-ro,acl 0 1

After you make this edit, save the file and then either issue the command:

sudo mount -o remount,acl /

or reboot your machine.

There are two commands you will use for ACL:

• setfacl – Set file access control list.
• getfacl – Get file access control list.

You can probably guess that the first command sets the the ACL and the second lists the ACL for the file.

Using ACL

So let’s say you have the file test and you want only two users on your system to be able to read that file, jlwallen and wookie. You want to exclude all users in the group jlwallen as well.  What you want to do is use the setfacl command like so (as the user jlwallen):

setfacl -m u:wookie:rw- test

Now when you run the command:

getfacl test

you will see something like:

# file: test

# owner: jlwallen

# group: jlwallen

user::rw-

user:wookie:rw-

group::r–

mask::rw-

other::r–

As you can see both users jlwallen and wookie can read and write to the file test, whereas all others can only read the file.

You can verify that a file has had ACL modifications done to it by using the ls command like so:

ls -l test

which should produce results like:

-rw-rw-r–+ jlwallen jlwallen

What gives this away is the “+” character.

Final thoughts

Although this is just a cursory glance as using ACL, it will get you started with gaining even further control of the security of your Linux files. We’ll revisit ACL later and take the security of Linux files even further.

In this article I will introduce you to Linux file permissions and how to manipulate them. I will show you how to manipulate permissions from both the command line as well as the GNOME gui Nautilus.

Breaking down the permissions

When you do a long list (ls -l ) in a directory you will see listings like:

drwxr-xr-x  jlwallen  jlwallen  12288  2009-12-22  16:26  Documents

What we want to concentrate on right now is the first bit, drwxr-xr-x. This string of characters lists the full permissions of the file or directory. It is also important to know the next two strings (in this case both are jlwallen) are the user and group associated with the file.

Let’s go back to the permissions string. The first character, d, means the listing is a directory. Now, instead of looking at the next portion of the string as a single group, think of it as three groups:

• rwx
• r-x
• r-x

The first set of three characters in a permissions listing always marks the permissions of the owner of the file (in this case, jlwallen). The letter o is associated with owner. The next set of three marks the permissions of all users that belong to the group associated with the file (in this case, again, it’s jlwallen). The letter g is associated with group. The final set of three characters marks the permissions of everyone else. The letter u is associated with others.

Now let’s break down the components of the permission string:

• r – read permission
• w – write permission
• x – executable permission

Changing permissions

Let’s say you have a file, test, that is a script that needs to be executed. The default ownership of this file is:

-rw-rw—-

Now let’s say you want both the owner (in this case jlwallen) and anyone belonging to the group (in this case jlwallen) to be able to execute this script. Remember, execute is x and you want to give x permission to o and g. To do this you use the chmod command like so:

chmod og+x test

The above command would add executable permission to owner and group. The new listing would look like:

-rwxrwx—

Now both the owner and anyone belonging to the group jlwallen can execute this script.

The GUI way

Figure 1

You can change permissions of a file with the help of the Nautilus file manager. Open up the file manager and navigate to where you have the test file saved. Right click the icon of that file (or listing if you are not in icon view mode) and select Permissions. From within this new window click on the Permissions tab (see Figure 1).

As you can see, changing permissions for this file is just a matter of selecting the necessary entry from the Access drop-down associated with either Owner, Group, or Others. However, you will notice that these drop-downs only have two entries: Read or Read and Write. In the case of our test file we would want to check the “Allow executing file as program” checkbox to make this file executable. The only drawback to this method is you can not specify who has execute permissions. If you mark a file executable it will be so for all.

Figure 2

With the KDE file manager, Dolphin, you can get a bit more fine grain with your permissions. When you right click a file in Dolphin select Properties and then click on the Permissions tab. In this tab is an Advanced Permissions button. Click that and a smaller window will open (see Figure 2) where you can select precisely what each class (owner, group, other) has what permissions. Make your choices and click OK.

Final thoughts

Although the GUI tools are helpful for the new users, having real control over file permissions should be handled through the command line. But for those who absolutely do not want to use the command line, there are options for you. You will certainly want to get familiar with permissions. Knowing how to navigate file permissions will save you a lot of time and hassle when using the Linux operating system.

The six integrity levels are Trusted Installer, System (operating system processes), High (administrators), Medium, (non-administrators), Low (temporary Internet files) and Untrusted. As you can see even an administrator is not able to change the integrity level of files and folders that belong to Trusted Installers or System.

A command line tool is available that makes it quite easy to change the integrity level of files and folders. It is called CHML and available at a website that explains the process in detail.

The command “chml filename” displays the integrity level of that file. Modifying files and folders is only possible if changes are made in the Group Policy Editor:

• Open gpedit.msc
• Navigate to Computer Configuration / Windows Settings / Local Policies / User Rights Assignment
• In the right-hand pane, you’ll see an entry “Modify an object label;” open it
• By default, there are no user accounts listing with this privilege. Add your user account.
• Close the Group Policy Editor
• Log off, then back on to finish getting the new privilege on your logon token

The basic command to change the integrity level of files or folders in Windows Vista is chml -i:u, l, m, h, or s. Only one letter is obviously selected which stand for Untrusted, Low, Medium, High, or System.

Three additional options are available. The -nr, -nw and -nx options deny read, write and execute rights.

I did find the reference to Windows Integrity Levels at the Donation Coder forum where Skrommel was kind enough to create an Autohotkey Script that would add the functionality to the right-click menu.