Permissions


The UNIX file system is designed to support multiple users. When many users are sharing one file system, it is important to be able to restrict access to certain files. The system administrator wants to prevent other users from changing important system files, for example, and many users have private files that they want to restrict others from viewing. File permissions are designed to address these needs.

Permissions for Files

There are three classes of file permissions, for the three classes of users: the owner (or user) of the file, the group the file belongs to, and all other users of the system. The first three letters of the permissions field, as seen in the output from ls -l, refer to the owner’s permissions; the second three letters refer to the permissions for members of the file’s group; and the last three to the permissions for any other users.

In the entry for the file named notes in the ls -l example shown in the preceding section, the first three letters, rwx, show that the owner of the file can read (r) it, write (w) to it, and execute (x) it. The second group of three characters, r-x, indicates that members of the group can read and execute the file but cannot write to it. The last three characters, r-x, show that all others can also read and execute the file but not write to it.

If you have read permission for a file, you can view its contents. Write permission means that you can alter its contents. Execute permission means that you can run the file as a program.

Special Permissions

There are a few other codes that occasionally appear in permission fields. For example, the letter s can appear in place of an x in the user’s or group’s permission field. This s refers to a special kind of execute permission that is relevant primarily for programmers and system administrators (discussed in Chapters 12 and 13). From a user’s point of view, the s is essentially the same as an x in that place. Also, the letter l may appear in place of an r, w, or x. This means that the file will be locked when it is accessed, so that other users cannot access it while it is being used. This and other aspects of permissions and file security are discussed in Chapter 12.

Permissions for Directories

For directories, read permission allows users to list the contents of the directory. Write permission allows users to create or remove files or directories inside that directory, and execute permission allows users to change to this directory using the cd command or use it as part of a pathname.

In the ls -l example shown earlier, your permission settings on the Letters directory allow other users on the system to list its contents with ls (read permission), and to change to the directory (execute permission). The settings do not allow them to create or delete files in Letters (write permission).

The chmod Command

In the ls -l example, all of the files and directories have the same permissions set. Anyone on the system can read or execute any of them, but other users are not allowed to write, or alter, these files. Normally you don’t want all your files set up this way. You will often want to restrict other users from being able to view your files, for example. At times, you may want to allow members of your work group to edit certain files, or even make some files public to anyone on the system.

The UNIX System allows you to set the permissions of each file you own. Only the owner of a file or the superuser can alter the file permissions. You can independently manipulate each of the permissions to allow or prevent reading, writing, or executing by yourself, your group, or all users.

To alter a file’s permissions, you use the chmod (change mode) command. You specify the changes you want to make with a sort of code. First, show which set of permissions you are changing with u for user, g for group, or o for other. Second, specify how they should be changed with + (to add permission) or - (to subtract permission). Third, list the permissions to alter: r for read, w for write, or x for execute. Finally, specify the file or files that the changes refer to.

The following example shows the permissions for the file quotations, changes the permissions using the chmod command, and shows the result:

 $ ls -l quotations
 -rwxr-xr-x   1 nate   group1    346 Apr 27 03:32 quotations
 $ chmod go-rx quotations
 $ ls -l quotations
 -rwx------   1 nate   group1    346 Apr 27 03:32 quotations

As you can see, the chmod command removed (-) both read and execute (rx) permissions for group and others (go). Essentially, you just said, “change mode for group and other by subtracting read and execute permissions on the quotations file.”

You can also add permissions with the chmod command:

 $ chmod ugo+rwx quotations
 $ ls -l quotations
 -rwxrwxrwx   1 nate   group1    346 Apr 27 03:32 quotations

Here, chmod adds (+) read, write, and execute (rwx) permissions for user, group, and other (ugo) for the file quotations. When changing permissions for everyone like this, you can use a (all) as an abbreviation for ugo. Note that there cannot be any spaces between letters in the chmod options.

Setting Absolute Permissions

The form of the chmod command using the ugo+/-rwx notation enables you to change permissions relative to their current setting. As the owner of the file, you can add or take away permissions as you please. Another form of the chmod command lets you set the permissions directly by using a numeric code to specify them.

This code represents a file’s permissions by three digits: one for owner permissions, one for group permissions, and one for others. These three digits appear together as one three-digit number. For example, the following command sets read, write, and execute permissions for the owner only and allows no one else to do anything with the file:

 $ chmod 700 quotations
 $ ls -l quotations
 -rwx------   1 nate   group1    346 Apr 27 03:32 quotations

The following table shows how permissions are represented by this code:

              Owner   Group   Other
 Read           4       0       0
 Write          2       0       0
 Execute        1       0       0
 Sum            7       0       0

Each digit in the “700” represents the permissions granted to quotations. Each column of the table refers to one of the user classes: owner, group, or other. If a user has read permission, you add 4; to set write permission, you add 2; and to set execute permission, you add 1. The sum of the numbers in each column is the code for that user’s permissions.

Let’s look at another example. The next table shows how the command

 $ chmod 754 quotations
 $ ls -l quotations
 -rwxr-xr--   1 nate   group1    346 Apr 27 03:32 quotations

sets read, write, and execute permissions for the owner, read and execute permissions for the group, and read-only permission for other users:

              Owner   Group   Other
 Read           4       4       4
 Write          2       0       0
 Execute        1       1       0
 Sum            7       5       4
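As an added, runnable illustration of the two chmod notations described above (not taken from the book), the shell functions below convert the nine permission letters that ls -l prints into the three-digit code and back, using the 4/2/1 sums from the tables, and then apply a chmod argument (symbolic or numeric) to a scratch file so the result can be read back. The file quotations is replaced by a temporary file created with mktemp; everything else is standard POSIX sh.

```sh
#!/bin/sh
# Added example, not from the book: convert between the nine permission
# letters that ls -l prints and the three-digit code that chmod accepts,
# then apply a chmod argument to a scratch file and read the result back.

# rwx_to_digit r-x -> 5 : sum r=4, w=2, x=1 (an s or t in the third
# position also carries the execute bit, so it counts as x here).
rwx_to_digit() {
    n=0
    case $1 in r??) n=$((n + 4));; esac
    case $1 in ?w?) n=$((n + 2));; esac
    case $1 in ??[xst]) n=$((n + 1));; esac
    printf '%s' "$n"
}

# perms_to_octal rwxr-xr-- -> 754 : one digit per three-letter group
perms_to_octal() {
    p=$1
    printf '%s%s%s\n' \
        "$(rwx_to_digit "$(printf '%s' "$p" | cut -c1-3)")" \
        "$(rwx_to_digit "$(printf '%s' "$p" | cut -c4-6)")" \
        "$(rwx_to_digit "$(printf '%s' "$p" | cut -c7-9)")"
}

# digit_to_rwx 5 -> r-x : test each bit of the digit (4, 2, 1)
digit_to_rwx() {
    r=- w=- x=-
    [ $(($1 & 4)) -ne 0 ] && r=r
    [ $(($1 & 2)) -ne 0 ] && w=w
    [ $(($1 & 1)) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_perms 754 -> rwxr-xr--
octal_to_perms() {
    code=$1
    printf '%s%s%s\n' \
        "$(digit_to_rwx "$(printf '%s' "$code" | cut -c1)")" \
        "$(digit_to_rwx "$(printf '%s' "$code" | cut -c2)")" \
        "$(digit_to_rwx "$(printf '%s' "$code" | cut -c3)")"
}

# mode_after_chmod ARG -> permission letters of a scratch file that starts
# out as rwxr-xr-x (755, like quotations in the text) after "chmod ARG".
# ARG may be symbolic (go-rx) or numeric (754). The scratch file stands in
# for the user's own file and is removed afterwards.
mode_after_chmod() {
    scratch=$(mktemp) || return 1
    chmod 755 "$scratch"
    chmod "$1" "$scratch"
    ls -ld "$scratch" | cut -c2-10
    rm -f "$scratch"
}

# Demonstration: the chmod arguments used in the text, applied in turn.
for arg in go-rx ugo+rwx 700 754; do
    after=$(mode_after_chmod "$arg")
    printf 'chmod %-8s -> %s (%s)\n' "$arg" "$after" "$(perms_to_octal "$after")"
done
```

The read-back uses `ls -ld` and `cut -c2-10` rather than `stat`, because the format of `stat` differs between systems while the first ten characters of an `ls -l` line do not.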

Setting Permissions for Groups of Files

You can use wildcards to set permissions for groups of files and directories. For example, the following command will remove read, write, and execute permissions for both group and others for all files, except hidden files, in the current directory:

 $ chmod go-rwx *

To set the permissions for all files in the current directory so that the files can be read, written, and executed by the owner only, type

 $ chmod 700 *

Another feature of chmod is the -R (recursive) option, which applies changes to all of the files and subdirectories in a directory. For example, the following makes all of the files and subdirectories in Email readable by you:

 $ chmod -R u+r Email
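An added example (not from the book) that exercises two points worth checking when changing permissions for groups of files, using a throwaway tree built with mktemp (the names notes, .secret, Email and msg1 are made up): the shell's * does not match dot-files, so chmod go-rwx * leaves a hidden file untouched, and chmod -R with a numeric mode such as 700 gives every plain file the execute bit along with the directories. The alternative shown, u+rwX,go-rwx, uses chmod's uppercase X, which grants execute only to directories and to files that already have an execute bit; it is standard chmod syntax, not something the text introduces.

```sh
#!/bin/sh
# Added example, not from the book: two things to check when changing
# permissions on groups of files. A throwaway tree stands in for the
# user's directory; the names notes, .secret, Email and msg1 are made up.

# make_tree -> path of a scratch directory holding
#   notes (plain file), .secret (hidden plain file), Email/ and Email/msg1,
#   all set to rwxr-xr-x (755) to begin with.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/Email"
    touch "$root/notes" "$root/.secret" "$root/Email/msg1"
    chmod 755 "$root/notes" "$root/.secret" "$root/Email" "$root/Email/msg1"
    printf '%s\n' "$root"
}

# perms_of PATH -> the nine permission letters that ls -l shows
perms_of() {
    ls -ld "$1" | cut -c2-10
}

# star_skips_dotfiles -> "notes=... secret=..." after "chmod go-rwx *" in
# the tree. The shell expands * without dot-files, so .secret is unchanged.
star_skips_dotfiles() {
    root=$(make_tree) || return 1
    ( cd "$root" && chmod go-rwx * )
    printf 'notes=%s secret=%s\n' "$(perms_of "$root/notes")" "$(perms_of "$root/.secret")"
    rm -rf "$root"
}

# recursive_result MODEARG -> "dir=... file=..." after "chmod -R MODEARG Email"
# in a fresh tree whose Email/msg1 was first made a plain rw-r--r-- file.
# A numeric mode such as 700 gives the file the execute bit too; the
# symbolic form u+rwX,go-rwx does not, because uppercase X grants execute
# only to directories and to files that already have an execute bit.
recursive_result() {
    root=$(make_tree) || return 1
    chmod 644 "$root/Email/msg1"
    chmod -R "$1" "$root/Email"
    printf 'dir=%s file=%s\n' "$(perms_of "$root/Email")" "$(perms_of "$root/Email/msg1")"
    rm -rf "$root"
}

# Demonstration
star_skips_dotfiles
printf 'chmod -R 700:          %s\n' "$(recursive_result 700)"
printf 'chmod -R u+rwX,go-rwx: %s\n' "$(recursive_result u+rwX,go-rwx)"
```

To cover hidden files as well, name them explicitly or use find, as in `find . -maxdepth 1 -type f -exec chmod go-rwx {} +` (the -maxdepth option is a GNU and BSD extension, not POSIX).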

Using umask to Set Permissions

The chmod command allows you to alter permissions on a file-by-file basis. The umask command allows you to do this automatically when you create any file or directory. Everyone has a default umask setting that is either set up by the system administrator or included in a shell configuration file. (These configuration files are described in the next chapter.)

With the umask command, you specify the permissions that will be given to all files created after issuing the command. This means you will not have to worry about the file permissions for each individual file you create. Unfortunately, using umask to specify permissions is a little bit complicated. There are two rules to remember:

  • umask uses a numeric code for representing absolute permissions just as chmod does. For example, 777 means read, write, and execute permissions for user, group, and others (rwxrwxrwx).

  • You specify the permissions you want by telling umask what to subtract from the full permissions value, 777 (rwxrwxrwx).

For example, after you issue the following command, all new files in this session will be given permissions of rwxr-xr-x:

 $ umask 022

In this example, we want the new files to have the permission value 755. When we subtract 755 from 777, we get 022. This is the “mask” we used for the command.

To make sure that no one other than yourself can read, write, or execute your files, you can run the umask command at the beginning of your login session by putting the following line in your .profile file (sometimes, this file will be called .login or .bash_profile; see Chapter 4 for details):

 umask 077

This is similar to using chmod 700 or chmod go-rwx, but this will apply to all files you create after the umask command is issued.
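The following added example (not from the book) makes the umask rule concrete. It computes the resulting mode from the mask arithmetically and then creates a directory and a regular file under a given umask in a scratch directory and a subshell, so your own umask is left unchanged. Note that the base value of 777 applies to directories; a regular file created by touch or by output redirection starts from 666 (rw-rw-rw-), so with umask 022 a new directory comes out rwxr-xr-x while a new plain file comes out rw-r--r--. With the umask 077 from the .profile line above, files come out rw------- and directories rwx------.

```sh
#!/bin/sh
# Added example, not from the book: what a umask does to newly created
# directories and regular files. Directories start from 777 (rwxrwxrwx);
# a regular file made by touch or by output redirection starts from 666
# (rw-rw-rw-). The mask digits are the permissions removed from that start.

# masked_mode BASE MASK -> resulting three-digit mode, e.g. 777 022 -> 755
# (the leading 0 makes the shell read the digits as octal).
masked_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# mask_for WANTED -> the umask that yields WANTED for directories,
# i.e. the text's "subtract from 777": 755 -> 022, 700 -> 077.
mask_for() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# mode_after_umask MASK KIND -> permission letters as shown by ls -l for a
# directory (KIND=dir, via mkdir) or a regular file (KIND=file, via touch)
# created under MASK. Works in a scratch directory and a subshell, so the
# caller's own umask is left unchanged.
mode_after_umask() {
    work=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$work/sample"
        else
            touch "$work/sample"
        fi
        ls -ld "$work/sample" | cut -c2-10
    )
    rm -rf "$work"
}

# Demonstration with the two masks used in the text.
for mask in 022 077; do
    printf 'umask %s: directory %s (%s), file %s (%s)\n' "$mask" \
        "$(mode_after_umask "$mask" dir)"  "$(masked_mode 777 "$mask")" \
        "$(mode_after_umask "$mask" file)" "$(masked_mode 666 "$mask")"
done
```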

Changing the Owner of a File

Every file has an owner. When you create a file, you are automatically its owner. The owner usually has broader permissions for manipulating the file than other users.

Sometimes you need to change the owner of a file; for example, if you take over responsibility for a file that previously belonged to another user. Even if someone else “gives” you a file by moving it to your directory, that does not make you the owner. One way to become the owner of a file is to make a copy of it: when you make a copy, you are the owner of the new file.

However, changing ownership by copying only works when the new owner copies the file from the old owner, which requires the new owner to have read permission on the file. A simpler and more direct way to transfer ownership is to use the chown (change owner) command.

The chown command takes two arguments: the login name of the new owner and the name of the file. The following makes liz the new owner of the file contact_info:

 $ chown liz contact_info

Only the owner of a file (or the superuser) can use chown to change its ownership.

Like chmod, newer versions of chown include a -R (recursive) option that you can use to change ownership of all of the files in a directory. If Project is one of your directories, you can make liz its owner (and owner of all of its files and subdirectories) with the following command:

 $ chown -R liz Project

Changing the Group of a File

Groups are meant to help sets of users who need to share files more closely than other users on the system. For example, all the students taking a particular class may belong to the same group, so that they can more easily share files when they collaborate on projects. Groups are defined and edited by the system administrator (for details, see Chapter 13).

Every file belongs to a group. Sometimes, such as when new groups are set up on a system or when files are copied to a new system, you may want to change the group to which a particular file belongs. This can be done using the chgrp (change group) command. The chgrp command takes two arguments, the name of the new group and the name of the file. The following command changes data_file so that it belongs to the group students:

 $ chgrp students data_file
 $ ls -l data_file
 -rwxrwx---   1 liz    students  812 Jan 27 11:20 data_file

Note that only the owner of a file (or the superuser) can change the group to which this file belongs.

You can use the -R (recursive) option of chgrp to change the group to which all the files in a directory belong. It works just like the -R option of chown.




UNIX: The Complete Reference, Second Edition (Complete Reference Series)
ISBN: 0072263369
Year: 2006
Pages: 316