File Permissions in UNIX Operating Systems
Hopefully simple enough for the *nix newbie
by decker tgrey

The Introduction

First off, what are file permissions anyway? UNIX (or lovingly, *nix) operating systems are multi-user, so a method of allowing users access to different files had to be devised. Each file is assigned two different owners, a User Owner and a Group Owner. Every file is then given 3 options to turn off or on for both the User Owner and the Group Owner, and an extra set called Other, which represents every other user on the system. These options, in order, are Read, Write, and Execute.

Readable and Writeable are, I hope, pretty straightforward. Executable might need a little explaining. On a normal file, executable means just that: it is for binary program files, like ".exe" files in Windows, or special scripts designed to use an interpreter program. With a directory, executable gives permission to "enter" the directory. If a directory isn't executable, reading the files inside it becomes impossible, since you can't enter the directory.

What is a User Owner?

User Owner permissions apply to only one user, the one that matches its name (technically its number, but don't worry about that). If a file has a User Owner of "tgrey", then the user permissions will apply only to the user named tgrey. This allows you to make a file "read only", "executable", etc.

What is a Group Owner?

Group Owners allow us to establish a group of trusted users that have a separate set of permissions. These users are listed in the file "/etc/group". By adding users to our group, they inherit the group permissions associated with the file. For example, in my group file I have my group, tgrey. It appears as this:

    tgrey:x:501:

To add a user named "foo" to my list of group privileged users I would change that to:

    tgrey:x:501:foo

Then to add another user, this time named "bar", I would add bar, separated by a comma like this:

    tgrey:x:501:foo,bar

This would mean any file owned by group tgrey that was Group Readable would be readable by both users "foo" and "bar".

A first example

Here is an example. "ls -l" lists the files in the useful "long format".

    bash-2.05$ ls -l index.html
    -rwx------ 1 tgrey tgrey 10062 Aug 20 22:57 index.html

The section with two names, "tgrey tgrey", tells you the User Owner and the Group Owner. The first "-" is a special reserved position that is turned off. It would contain things like a "d" if the entry was a directory, or an "l" if it were a link. Then the normal permissions begin...

The "r" means Readable is turned on for the User Owner.
The "w" means Writeable is on for the User Owner.
The "x" means Executable is on for the User Owner.

Those permissions are followed by Group and Other permissions, which are all represented as "-" because they are turned off. Here is another example:

    bash-2.05$ ls -l index.html
    -rwxr-x--- 1 tgrey tgrey 10062 Aug 20 22:57 index.html

This file is readable, writeable, and executable by user "tgrey", and only readable and executable by all users that are members of the tgrey group.

Abbreviations

The three different types of permissions are abbreviated as "u" for User, "g" for Group, and "o" for Other. The modes are abbreviated the same as they display, with "r", "w", and "x". The abbreviations can further be combined: "ug" means User and Group, and "rw" means Readable and Writeable. Additionally, if you want all of User, Group, and Other, you can use "a", which is short for "all".

For example: "-rw-rw----" would be "ug+rw".
And another: "-r--r--r--" would be "a+r".

While these are handy and easy to remember, they lack the ability to express a complex mode in one short abbreviation. Another example: "-rwxr-x---" would have to be both "u+rwx" and "g+rx". To accomplish this in one phrase, a more specific notation is needed.

Octal Notation

Another way to abbreviate permissions is with numbers. In this method "r" is replaced with 4, "w" is replaced with 2, and "x" is replaced with 1.
This is the same pattern as in binary counting (1,2,4,8,16,32,64...), allowing the numbers to be added to create a composite number. Remember that in binary (on PCs at least) the numbers count right to left.

For example, if a file were "-rwxr-x---" it would be notated in octal as 750. Here's how you do it. First separate the permissions into User, Group, and Other. User permissions are "rwx", or 4, 2, 1. Add these together, 4+2+1, and you get 7. Group permissions are only "r-x", or 4, 0, 1; together they total 5. Other has no permissions, so 0+0+0 is 0. Then you just combine them: 7, 5, and 0 become 750.

How to change ownerships

chown is a command that changes both the User Owner and the Group Owner of files. It is used like this:

    chown user:group file

Both User Owner and Group Owner are optional (only one or the other is needed), but if you want to specify just the group, the colon is necessary to tell chown that no User Owner was specified. For example, to change the group owner of "index.html" to "apache":

    bash-2.05$ chown :apache index.html

Or to change both the user and group owners to "apache":

    bash-2.05$ chown apache:apache index.html

To change it to be owned by user "tgrey" and group "apache", the command would be:

    bash-2.05$ chown tgrey:apache index.html

Since the file "index.html" was already owned by group "apache", we could just change the user owner like this:

    bash-2.05$ chown tgrey index.html

chown can also take multiple files. This will change the ownership of 2 files:

    bash-2.05$ chown tgrey:apache index.html oldindex.html

Another useful way to use chown is "recursively". Adding "-R" to the command tells chown to recurse directories, meaning change every directory and file in the directory you specified.
To change all files and directories (and files in those directories) in my public web directory the command would be:

    bash-2.05$ chown -R tgrey:apache /home/tgrey/public_html/www

How to change permissions

chmod is very similar to chown, except it changes permissions instead of ownerships.

    chmod mode file

Like chown, it is pretty flexible. You can use either abbreviated modes or octal notation, and can specify more than one file to be changed. Also like chown, the "-R" option recurses into a directory. To turn on all permissions for a file, there are 3 possible commands that would all work:

    bash-2.05$ chmod 777 index.html
    bash-2.05$ chmod ugo+rwx index.html
    bash-2.05$ chmod a+rwx index.html

Or to turn them off, octal would be all zeros, and in abbreviations you would use a "-" to remove bits instead of "+" to add them.

    bash-2.05$ chmod 000 index.html
    bash-2.05$ chmod ugo-rwx index.html
    bash-2.05$ chmod a-rwx index.html

To make the file readable and writeable by User Owner and only readable by Group Owner:

    bash-2.05$ chmod 640 index.html

The difference between octal and abbreviation modes with chmod is that octal allows you to specify exactly what you want, where abbreviations only allow you to change specific bits. To do the same mode as "640" with abbreviations, you would have to do both of the following:

    bash-2.05$ chmod ug+r index.html
    bash-2.05$ chmod u+w index.html

And even then, it didn't specifically turn off the other bits. If they had been accidentally set, they would remain on. Abbreviations are faster to remember, but octal can become surprisingly easy too, after a little practice...
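
The octal rule and the closing point about "+" leaving stray bits on, shown together as an added shell example that is not part of the original tutorial. The helper names to_octal, mode_of and demo and the mktemp scratch file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial).

# to_octal: convert an "ls -l" permission string such as "-rwxr-x---" to
# octal with the tutorial's rule: r=4, w=2, x=1, summed for User, Group
# and Other. Special letters (setuid/setgid/sticky) are not handled.
to_octal() {
    perms=${1#?}                  # drop the leading file-type character
    out=""
    for i in 1 2 3; do
        trip=$(printf '%s' "$perms" | cut -c1-3)
        perms=$(printf '%s' "$perms" | cut -c4-)
        n=0
        case $trip in r??) n=$((n + 4)) ;; esac
        case $trip in ?w?) n=$((n + 2)) ;; esac
        case $trip in ??x) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# mode_of: octal mode of a file, taken from the first column of "ls -ld".
mode_of() {
    to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# demo: start from a file with bits "accidentally set", then apply the
# "+" abbreviations and the octal mode in turn.
# Prints "<mode after abbreviations> <mode after octal>".
demo() {
    f=$(mktemp)                   # scratch file constructed for this example
    chmod 777 "$f"                # every bit on, as if set by mistake
    chmod ug+r "$f"
    chmod u+w "$f"
    after_plus=$(mode_of "$f")    # "+" only adds bits, nothing is cleared
    chmod 640 "$f"
    after_octal=$(mode_of "$f")   # octal sets all nine bits at once
    rm -f "$f"
    printf '%s %s\n' "$after_plus" "$after_octal"
}

demo
```

It prints "777 640": the "+" abbreviations left the file writable and executable by everyone, while the octal mode cleared every bit it did not name.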