File and Directory Permissions


Refer to the files in Listing 13.1. It's now time to examine the permissions strings for these files and directories more carefully. The first thing you should notice is that for directories, the first bit in the string is a d. This is simply a flag and doesn't really indicate permissions that can be controlled; this flag is, however, a useful means of distinguishing between files and directories.

The rest of the bits in the string are fairly straightforward: three groups of three, showing respectively the read, write, and execute permissions for the user owner, the group owner, and all other users. For instance, contents.html (with the permissions string -rw-rw-r--) is readable and writable by both the user and group owners, and all other users can only read it. Table 13.1 describes all 10 fields in the permissions string and what their possible values mean.

Note that a directory must have the "execute" bit set in order for its contents to be viewable; for directories, viewing a directory's contents or moving into it counts as "executing" it.

The Relationship Between File and Directory Permissions

Table 13.2 shows the relationship between a user, a group to which the user belongs, and the permissions that the directory offers to the user and group, depending on its mode.

Table 13.2. Capabilities Granted by the Various Types of File Permissions

                                       Directory Writable   Directory Writable   Directory Writable
                                       by User              by Group             by Other
------------------------------------------------------------------------------------------------
Create file                            Yes                  Yes                  No
Delete file owned/writable by user     Yes                  Yes                  No
Delete file owned/writable by group    Yes                  Yes                  No
Delete file owned/writable by other    Yes                  Yes                  No
Rename file owned/writable by user     Yes                  Yes                  No
Rename file owned/writable by group    Yes                  Yes                  No
Rename file owned/writable by other    Yes                  Yes                  No
Modify file owned/writable by user     Yes                  Yes                  Yes
Modify file owned/writable by group    Yes                  Yes                  Yes
Modify file owned/writable by other    No                   No                   No

Any time you try to delete (rm) a file for which you do not have write permissions, you'll see a prompt similar to the following:

# rm file.txt
override rw-r--r-- bob/users for 1.uu? y


Note that you still might not have permission to delete the file! The override prompt appears any time you try to delete a file that isn't yours, regardless of whether you'll be successful if you type y. You can suppress the override prompt with rm -f.

A file that can be deleted can be renamed because you use the mv (move) command to rename a file in FreeBSD, and mv operates by copying the file and then deleting it. A file that can be read can be copied.
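The split that Table 13.2 describes, deleting and renaming governed by the directory's write bit while modifying is governed by the file's own write bit, exercised in a scratch directory. This is an added example, not from the book; try_ops is this example's own function name, and the "no" outcomes only appear when it runs as a non-root user, since root bypasses the mode bits.

```shell
# try_ops DIRMODE FILEMODE: create a scratch directory holding one empty file,
# apply the two modes, then attempt modify, rename and delete on the file.
# Prints "delete=.. rename=.. modify=..". The helper name is this example's own.
try_ops() {
    dir=$(mktemp -d) || return 1
    f=$dir/file.txt
    : > "$f"                               # create the file before locking the directory
    chmod "$2" "$f"
    chmod "$1" "$dir"
    # Modify needs the write bit on the file itself (Table 13.2, "Modify" rows).
    if echo data >> "$f" 2>/dev/null; then modify=yes; else modify=no; fi
    # Rename and delete need the write bit on the directory, not on the file;
    # rm -f suppresses the "override" prompt for a file that is not writable.
    if mv "$f" "$dir/renamed.txt" 2>/dev/null; then rename=yes; f=$dir/renamed.txt; else rename=no; fi
    if rm -f "$f" 2>/dev/null; then delete=yes; else delete=no; fi
    chmod 700 "$dir"                       # make the scratch directory removable again
    rm -rf "$dir"
    printf 'delete=%s rename=%s modify=%s' "$delete" "$rename" "$modify"
}

# Usage: a read-only file in a writable directory, then a writable file in a
# read-only directory. As root every answer is "yes", because root ignores mode bits.
printf 'dir 755, file 444: %s\n' "$(try_ops 755 444)"
printf 'dir 555, file 644: %s\n' "$(try_ops 555 644)"
```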

Beyond the standard permissions that apply to the user, group, and others, a few additional file modes have special meanings. You'll learn about these modes in the following sections, which discuss mechanisms for changing file permissions.

Using chmod to Change File and Directory Permissions

Now that you know how to read permissions on a file or directory, it's time to learn how to set them. The command for setting permissions is chmod (change mode). A file's permissions set is often referred to as its mode.

The chmod command can operate in two ways, numerically or symbolically, depending on your preference.

Changing Modes Numerically

The most direct way to change permissions is by setting a three-digit, octal (base-8) number that uniquely specifies the permissions for each type of ownership. Each digit refers to a certain ownership mode that controls the permissions corresponding to the user, group, and others, respectively (you'll learn about a fourth digit later in this section). You can grant a single permission bit to a file or a combination of the available bits. A mode digit is constructed by adding together the numbers corresponding to the permission bits you want to grant. The available bits are shown in Table 13.3.

Table 13.3. Permissions Mode Bits and Their Meanings

Bit   Meaning
---   ---------------------------------
0     No permissions
1     Execute (for directories, search)
2     Write
4     Read

Using this scheme, you can specify a mode of "read and write" with 6, a mode of "read and execute" with 5, or a mode of "read, write, and execute" with 7.

Combine these digits into a three-digit number indicating the three different user contexts of the permissions, and you've got a numeric way of specifying the standard permissions for a file. Table 13.4 shows a few common examples.

Table 13.4. Some Complete Numeric Permissions Modes

Mode   String       Meaning
----   ----------   ------------------------------------------------------------
755    -rwxr-xr-x   Read/write/execute by user; read/execute by group and others
644    -rw-r--r--   Read/write by user; read-only by group and others
600    -rw-------   Read/write by user; no access for group and others

Note

The textual permissions string is derived from the binary representation of the octal permissions. For example, 755 octal is 111101101 binary; if you "and" this number with the full permissions string rwxrwxrwx, you get rwxr-xr-x. Here you can see why permission attributes are referred to as "bits": it's because they literally are bits, with a 0 or 1 value indicating whether each field applies.


You can then apply the permissions to a file or directory, like so:

# chmod 755 testscript.sh


But that's only three of the four digits available in FreeBSD's permissions system. The fourth, "most significant" (leftmost) digit controls some extra features that address specific behaviors of files and directories under special circumstances. Here are the bits that make up this fourth digit and what they do:

  • 0 Indicates normal permissions.

  • 1 The sticky bit. This can only be set (with any effect) on directories, making them into "append-only" directories to which files can only be added, not deleted. Within a directory with this bit set, a regular user can only delete or rename files if he owns them and if he has write permissions for the directory. This does not apply to executable files.

  • 2 Set group ID (setgid). If this bit is set on an executable file, it will be executed with the effective group permissions of the file's group owner rather than those of the user executing it. A file can only be made setgid by the super-user.

  • 4 Set user ID (setuid). If this bit is set on an executable file, it will be executed with the effective user permissions of the file's user owner rather than those of the user executing it. A file can only be made setuid by the super-user.

This fourth digit is the highest-value digit (in other words, the leftmost one), so in the earlier example where we showed what the permissions of 755 mean, we could have used the equivalent value 0755. We use the same method to construct the value for that digit as we do for the other digits, so the value 3755 would give a directory the sticky bit and the setgid bit, in addition to the regular 755 permissions.

Changing Modes Symbolically

The octal numeric permissions system is designed for the utmost efficiency in access and storage: it's a direct reflection of how the permissions bits are stored in the filesystem, and thus it's optimized for being read by a computer, not a human. As clever and efficient as this system is, it's helpful to have a method for setting modes that's easier for us mere mortals to remember. Fortunately, we have a symbolic method for doing just that.

Instead of giving chmod a number, you can give it between one and three alphanumeric flags in a single string. This string can be formatted in a number of ways, but we'll briefly cover the most common usages here.

Note

See man chmod for complete coverage of the flexible syntax of chmod and its symbolic modes.


Table 13.5 shows some examples of symbolic modes. Each is made up of a string of characters. The first character or substring specifies the ownership mode(s), the second character indicates the modification you're making (+, -, or =), and the third is the permission bit(s) you're applying.

Table 13.5. Symbolic Permissions Modes

Mode String   Meaning
-----------   --------------------------------------------------------
go+w          Adds "write" permissions to the group owner and others.
+x            Adds "execute" permissions for everyone.
o-r           Removes "read" permissions for others.
ugo=rw        Sets "read" and "write" permissions for everyone.
a=rw          Same as ugo=rw. The a refers to "all" fields.
+t            Adds the sticky bit (super-user only).
+s            Adds both the setuid and setgid bits (super-user only).

To set the file file.txt so that it is "group writable," use the following command:

# chmod g+w file.txt


This symbolic method lends itself more readily to memory than the numeric method, and it will probably be a much easier way for you to perform most of your typical chmod operations.
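The octal-to-string derivation from the Note under Table 13.4, extended to the fourth digit's s/t markers, and the symbolic forms of Table 13.5, modelled together in POSIX sh. This is an added example, not code from the book; pad4, digit, mode_to_string, apply_op and apply_symbolic are this example's own names, and it computes modes rather than calling chmod(1).

```shell
# Added example, not from the book. Modes are handled as four octal digits,
# special digit first; pad4, digit, mode_to_string, apply_op and
# apply_symbolic are this example's own helper names.
pad4() { m=$1; while [ ${#m} -lt 4 ]; do m=0$m; done; printf %s "$m"; }
digit() { printf %s "$1" | cut -c"$2"; }        # Nth digit of a mode string

# Octal mode -> ls(1)-style string. Each digit is ANDed against rwx; the
# leading digit's setuid(4)/setgid(2)/sticky(1) bits show in the x slot of
# user/group/other as s/s/t, or S/S/T when that x bit is itself clear.
mode_to_string() {
    m=$(pad4 "$1"); sp=$(digit "$m" 1); out=""; i=2
    for bit in 4 2 1; do
        d=$(digit "$m" $i); r=-; w=-; x=-
        [ $((d & 4)) -ne 0 ] && r=r
        [ $((d & 2)) -ne 0 ] && w=w
        [ $((d & 1)) -ne 0 ] && x=x
        if [ $((sp & bit)) -ne 0 ]; then
            [ $bit -eq 1 ] && c=t || c=s
            [ $x = x ] && x=$c || x=$(printf %s "$c" | tr a-z A-Z)
        fi
        out="$out$r$w$x"; i=$((i + 1))
    done
    printf %s "$out"
}

apply_op() {                                    # args: current digit, op, bits
    case $2 in +) echo $(( $1 | $3 ));; -) echo $(( $1 & ~$3 ));; =) echo "$3";; esac
}

# Apply one Table 13.5 symbolic mode ([ugoa]*[+-=][rwxst]+) to an octal mode
# and print the resulting four-digit octal mode.
apply_symbolic() {
    m=$(pad4 "$1"); spec=$2
    s=$(digit "$m" 1); u=$(digit "$m" 2); g=$(digit "$m" 3); o=$(digit "$m" 4)
    who=${spec%%[-+=]*}; rest=${spec#"$who"}; op=$(digit "$rest" 1); perms=${rest#?}
    { [ -z "$who" ] || [ "$who" = a ]; } && who=ugo   # no who, or 'a', means everyone
    p=0
    case $perms in *r*) p=$((p | 4));; esac
    case $perms in *w*) p=$((p | 2));; esac
    case $perms in *x*) p=$((p | 1));; esac
    sop=$op                                     # '=' clears that who's special bit, then sets the named ones
    [ "$op" = "=" ] && { sop=+; case $who in *u*) s=$((s & ~4));; esac; case $who in *g*) s=$((s & ~2));; esac; }
    case $who in *u*) u=$(apply_op "$u" "$op" $p); case $perms in *s*) s=$(apply_op "$s" $sop 4);; esac;; esac
    case $who in *g*) g=$(apply_op "$g" "$op" $p); case $perms in *s*) s=$(apply_op "$s" $sop 2);; esac;; esac
    case $who in *o*) o=$(apply_op "$o" "$op" $p);; esac
    case $perms in *t*) s=$(apply_op "$s" $sop 1);; esac   # the sticky bit is not tied to a who
    printf '%s%s%s%s' "$s" "$u" "$g" "$o"
}
```

For instance, mode_to_string 3755 prints rwxr-sr-t, and apply_symbolic 644 go+w prints 0666.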

Tip

The -R option works on chmod, too, the same as with chown and chgrp.





FreeBSD 6 Unleashed
ISBN: 0672328755
Year: 2006
Pages: 355
Authors: Brian Tiemann
