The concept of users and permissions is as important to SUSE Linux as the idea of a central and all-encompassing file system. In fact, the two are implicitly linked.
When initially installing Linux, you should have created at least one user account. By now, this will have formed the day-to-day login that you use to access Linux and run programs. (Remember that you should use the root account only for essential maintenance work; if you're using it for day-to-day work, stop doing so immediately!)
Although you might not realize it, as a user, you also belong to a group. In fact, every user on the system belongs to a group. Under SUSE Linux, all ordinary users belong to a group called users by default (under other versions of Linux, you might find that you belong to a group based on your username).
Groups are yet another reminder of SUSE Linux's Unix origins. Unix is often used on huge computer systems with hundreds or thousands of users. By putting each user into a group, the system administrator's job is a lot easier. When controlling system resources, the administrator can control groups of users rather than hundreds of individual users. On most home user PCs, the concept of groups is a little redundant, because there's normally a single user, or at most, two or three. However, the concept of groups is central to the way that Linux handles files.
A standard user account under SUSE Linux is normally limited in what it can do. This is set when the account is first set up. As a standard user, you can save files to your own private area of the disk, located in the /home directory, as shown in Figure 15-2, but usually nowhere else. You can move around the file system, but some directories are strictly out of bounds. In a similar way, some files can be opened as read-only, so you cannot save changes to them. All of this is achieved using file permissions.
Figure 15-2. Your personal directory within home is your area on the hard disk. This is enforced via file permissions.
Every file and directory is owned by a user. In addition, files and directories have three separate settings that indicate who within the Linux system can read them, who can write to them, and, if the file in question is "runnable" (usually a program or a script), who can run it ("execute" it). In the case of directories, it's also possible to set who can browse them, as well as who can write files to them. If you try to access a file or directory for which you don't have permission, you'll be turned away with an "access denied" error message.
When you issue the ls -l command, each file is listed on an individual line. Here's an example of one line of a file listing from my test PC:
-rw-r--r-- 2 knthomas users 673985982 2004-07-07 17:19 myfile
The r, w, and - symbols on the very left of the listing indicate the file permissions. The permission list usually consists of the characters r (for read), w (for write), x (for execute), or - (meaning none are applicable).
They're followed by a number indicating the link count, which you can ignore. After this is listed the owner of the file (knthomas in the example) and the group that he belongs to (users). This is followed by the file size (in bytes), then the date and time the file was last accessed, and finally the filename itself appears.
The file permissions part of the listing might look confusing, but it's actually quite simple. To understand what's going on, you need to split it into four groups, as illustrated in Figure 15-3.
Figure 15-3. The file permissions part of a file listing can be broken down into four separate parts.
The four groups are as follows:
Type of file: This character represents the file type. A standard data file is indicated with a dash (-). Most files on your system fall into this category. A d shows that the entry is not a file, but a directory. Table 15-2 lists the file type codes.
Table 15-2. File type codes
-   Standard data file
d   Directory
l   Symbolic link (a shortcut to another file)
p   Named pipe (a file that acts as a conduit for data between two programs)
s   Socket (a file designed to send and receive data over a network)
c   Character device (a hardware device driver, usually found in /dev)
b   Block device (a hardware device driver, usually found in /dev)
User permissions: Next come the permissions of the person who owns the file. The three characters indicate what the person who owns the file can do with it. The owner of a file is usually the user who created it, although it's also possible to change the owner later on. In this example, you see rw-. This means that the owner of the file can read (r) and write (w) the file. In other words, he can look at it and also save changes to it. However, there's a dash afterwards, and this indicates that the user cannot execute the file. If this were possible, there would be an x in this spot instead.
Group permissions: After the owner's permissions are the permissions given to members of that user's group. This is indicated by another three characters in the same style as those for user permissions. In our example, the group's permission is r--, which means that the group members can read the file but don't have permission to write to it, since there's a dash where the w would normally appear. In other words, as far as they're concerned, the file is read-only.
Everyone else's permissions: The last set of permissions indicates the permissions of everyone else on the system (other users in other groups). In our example, they can only read the file (r); the two dashes afterwards indicate that they cannot write to the file or execute it.
As you might remember from Windows, programs are stored as files on your hard disk, just like standard data files. On Linux, program files need to be explicitly marked as being executable. This is indicated in the permission listing by an x. Therefore, if there's no x in a file's permissions, it's a good bet that the file in question isn't a program or script (although this isn't always true for various technical reasons). To make matters a little more confusing, if the entry in the list of files is a directory (indicated by a d), then the rules are different. In this case, an x indicates that the user can access that directory. If there's no x, then the user's attempts to browse to that directory will be met with an "access denied" message.
Instead of the x in the list of permissions for a directory, you might sometimes see a t. This means that the only people who can delete or alter a file in that directory are the users who created the file in the first place. This is a useful option to have in some circumstances.
You might sometimes see a set of permissions like rws. The s stands for setuid. Like x, it indicates that the file is executable, except, in this case, it means that the file will be run with the permissions of the person who owns it, rather than the user who is executing it. In other words, if user frank tries to run a program owned by knthomas that has the execute permission set as s, that program will be run as if knthomas were running it. This is very useful, because the root user can use this trick to make programs that require root access usable by ordinary users, although this brings with it obvious security risks.
File permissions can be difficult to understand, so let's look at a few real-world examples. We'll assume that we're logged in to Linux as the user knthomas throughout.
Here's the first example:
-rw-rw---- 2 knthomas users 1450 2004-07-07 09:19 myfile2
You see immediately that this file is owned by user knthomas because that username appears directly after the permissions. You also see that this user is a member of the group users.
Reading the file permissions from left to right, you see that the initial character is a dash. That indicates that this is an ordinary file and has no special characteristics. It's also not a directory.
After that is the first part of the permissions, rw-. These are the permissions for owner of the file, knthomas. You're logged in as that user, so this file belongs to you, and these permissions apply to you. You can read and write the file, but not execute it. Because you cannot execute the file, you can infer that this is a data file rather than a program (there are certain exceptions to this rule, but we'll ignore them for the sake of simplicity).
Following this is the next part of the file permissions, rw-. This tells you what other members of your group can do with the file. It's fairly useless information if you're the only user of your PC but, for the record, you're told that anyone else belonging to the group called users can also read and write the file, but not execute it.
If there is more than one user on your computer, then the group permissions are clearly important. SUSE Linux adds all new users to the group users by default. In this example, any user on the PC can read and write to this file, which is not always desirable. The next section describes how file permissions can be changed to prevent this happening.
Finally, the last three characters tell you the permissions of everyone else on the system. The three dashes (---) mean that they have no permissions at all regarding the file. There's a dash where the r normally appears, so they cannot even read it. The dashes afterwards tell you they cannot write to the file or execute it. If they try to do anything with the file, they'll get a "permission denied" error.
Here's example number two:
drwxr-xr-x 7 knthomas users 824 2004-07-07 10:01 mydirectory
The list of permissions starts with d, which tells you that this isn't a file but a directory. After this is the list of permissions for the owner of the directory (knthomas), who can read files in the directory and also create new ones there. The x indicates that you can access this directory, as opposed to being turned away with an "access denied" message. You might think being able to access the directory is taken for granted if the user can read and write to it, but that's not the case.
Next are the permissions for the group members. They can read files in the directory but not write any new ones there (although they can modify files already in there, provided the permissions of the individual files allow this). Once again, there's an x at the end of their particular permission listing, which indicates that the group members can access the directory.
Following the group's permissions are those of everyone else. They can read the directory and browse it, but not write new files to it, as with the group users' permissions.
Here's the last example:
drwx------ 25 root root 1000 2004-08-06 15:44 root
You can see that the file is owned by root. Remember that in this example you're logged in as knthomas and your group is users.
The list of permissions starts with a d, so you can tell that this is actually a directory. After this, you see that the owner of the directory, root, has permission to read, write, and access the directory.
Next are the permissions for the group: three dashes. In other words, members of the group called root have no permission to access this directory in any way. They cannot browse it, create new files in it, or even access it.
Following this are the permissions for the rest of the users. This includes you, because you're not the user root and don't belong to its group. The three dashes mean you don't have permission to read, write, or access this directory.
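To put the decoding rules and the three worked listings above into practice, here is an added example (not from the book) that parses ls -l lines into mode bits and flags the entries a defender would look at twice: world-writable files, world-writable directories without the sticky bit, group-writable files (which on SUSE, where every ordinary user is in users by default, is close to world-writable), and setuid programs. The listing is constructed; the setuidtool and dropbox entries are invented to exercise the s bit and the sticky-bit check.

```python
import re
import stat
# Constructed ls -l output: the three listings from the text, plus two entries added
# here to exercise the setuid (s) bit and a world-writable directory without t.
SAMPLE_LISTING = """\
-rw-rw---- 2 knthomas users 1450 2004-07-07 09:19 myfile2
drwxr-xr-x 7 knthomas users 824 2004-07-07 10:01 mydirectory
drwx------ 25 root root 1000 2004-08-06 15:44 root
-rwsr-xr-x 1 root root 40000 2004-07-07 10:01 setuidtool
drwxrwxrwx 2 frank users 4096 2004-07-07 10:01 dropbox
"""
# Fields: mode, link count, owner, group, size, date, time, name.
LINE_RE = re.compile(r"^([-dlpscb][-rwxsStT]{9})[+.@]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(.+)$")
FILE_TYPES = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK, "p": stat.S_IFIFO,
              "s": stat.S_IFSOCK, "c": stat.S_IFCHR, "b": stat.S_IFBLK}

def parse_mode(mode_str):
    """Turn the 10-character mode field (e.g. 'drwxr-xr-x') into an st_mode-style int."""
    mode = FILE_TYPES[mode_str[0]]
    for i, ch in enumerate(mode_str[1:]):   # i=0 is user-read ... i=8 is other-execute
        bit = 1 << (8 - i)
        if ch in "rwx":
            mode |= bit
        elif ch in "sS":                    # setuid in the user column, setgid in the group one
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
        elif ch in "tT":                    # sticky bit, shown in the "everyone else" column
            mode |= stat.S_ISVTX
        if ch in "st":                      # lowercase also means the execute bit is set
            mode |= bit
    return mode

def check_entry(mode, owner):
    """Findings a defender would flag for one entry; an empty list means nothing unusual."""
    findings = []
    if mode & stat.S_IWOTH and stat.S_ISDIR(mode) and not mode & stat.S_ISVTX:
        findings.append("world-writable directory without the sticky bit")
    elif mode & stat.S_IWOTH and not stat.S_ISDIR(mode):
        findings.append("world-writable file")
    elif mode & stat.S_IWGRP and not stat.S_ISDIR(mode):
        findings.append("group-writable (on SUSE every ordinary user is in 'users' by default)")
    if mode & stat.S_ISUID:
        findings.append(f"setuid: runs with {owner}'s permissions, not the caller's")
    return findings

def audit_listing(text):
    """Map each file name in an ls -l listing to its list of findings."""
    report = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            mode_str, owner, _group, name = m.groups()
            report[name] = check_entry(parse_mode(mode_str), owner)
    return report
```

Feeding it real output (`ls -l /some/dir`) works the same way, since the regex tolerates the trailing + or . that newer ls versions print after the mode.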
It's possible to switch users on the fly while you're working at the shell. On my test PC, I have an additional user account called frank. While logged in as any user, I can temporarily switch to this user by typing the following command, which stands for substitute user:
su frank
I'll then be asked for user frank's password. Once this is typed, I will effectively have logged in as user frank. Any files I create will be saved with frank's ownership.
When the su command is used on its own, the shell will assume I want to become root user. This is a handy way of quickly switching to root in order to undertake system administration tasks. If a dash is added, su -, then I also take on the root user's $PATH, meaning I can access certain essential system tools. In both cases, I can log out of the user I've temporarily switched into by typing exit.
Remember to keep an eye on the command prompt. This will tell you which user you're currently logged in as.
Changing permissions of files and directories is easy and can be done using the chmod command. For example, if you want to change a file so that everyone on the system can read and write to it, type the following:
chmod a+rw myfile
In other words, you're adding read and write (rw) permissions for all users (a).
Here's another example:
chmod a-w myfile
This tells Linux that you want to take away (-) the ability of all users (a) to write (w) to the file. However, you want to leave the other permissions as they are. You can substitute a with g to change group permissions instead.
The most useful use of chmod is in making a program file that you've downloaded executable. Due to the way the Internet works, if you download a program to install on your computer, it can lose its executable status while in transit. In this case, issue the following command:
chmod +x myprogram
Because nothing is specified before the +x, the shell assumes that the changes to be applied to the file are for the current user only.
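The chmod(1) rule for a clause with no who letter is that it applies to all three classes (user, group, everyone else) minus whatever bits are set in the current umask. The following added example (not from the book) models that symbolic-mode arithmetic and traces the three commands above against the mode of myfile from the earlier listing; it assumes a umask of 022.

```python
import re
import stat

# Bit masks for the "who" letters and the permission letters.
CLASS_BITS = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}

def apply_symbolic(mode, clause, umask=0o022):
    """Apply one symbolic clause such as 'a+rw', 'a-w', 'g-w', 'o=r' or '+x' to a mode.

    umask is an assumption (022 is a common default); it only matters when the
    clause names no class, in which case chmod skips the bits set in the umask.
    """
    m = re.fullmatch(r"([ugoa]*)([+=-])([rwx]*)", clause)
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    who, op, perms = m.groups()
    classes = 0
    for c in who or "a":              # no who letter behaves like "a" ...
        classes |= CLASS_BITS[c]
    if not who:                       # ... but filtered through the umask
        classes &= ~umask
    bits = 0
    for p in perms:
        bits |= PERM_BITS[p]
    bits &= classes                   # only touch the classes the clause names
    if op == "+":
        return mode | bits
    if op == "-":
        return mode & ~bits
    return (mode & ~classes) | bits   # "=": set the named classes to exactly these bits

def trace(mode, clauses, umask=0o022):
    """Apply clauses in order; return (clause, ls-style mode string) after each step."""
    steps = []
    for clause in clauses:
        mode = apply_symbolic(mode, clause, umask)
        steps.append((clause, stat.filemode(mode)))
    return steps

if __name__ == "__main__":
    # myfile in the text's listing is -rw-r--r--, i.e. a regular file with mode 644.
    for clause, shown in trace(stat.S_IFREG | 0o644, ["a+rw", "a-w", "+x"]):
        print(f"chmod {clause:<5} -> {shown}")
```

With umask 022 a bare +w only changes the owner's bits, while a bare +x gives all three classes execute permission, because the umask masks write bits for group and others but not execute bits.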
To change the owner of a file, use the chown command. For example, to set the owner of myfile as frank, type this command:
chown frank myfile
The chown command is handy if you create or download a file as root and want to make it accessible by your standard user login.
It goes without saying that standard users can change permissions only if they're already the owner of the file. Otherwise, you won't have permission! However, the root user has powers to change file permissions and ownership of all files, regardless of who owns them.