Part 3 of the Linux Newbie Administrator Guide
3.2.6 I have file permission problems. How do file ownership and permissions work?
(continued after the ads...)
|
File owners. Each file (or directory) belongs to an owner (normally a login name) and to a group. The owner is typically the person who created (or copied) the file. The group often consists of one person--the owner, and has a name identical to that of the owner, but it does not need to be so. A file can be removed (erased) only by the owner of the file, or a member of the group that owns the file, or the root. Other users, however, may be able to modify or erase the contents of the file if they are given permission to do so--read on. The owner and group that owns the file will be shown in the output from the ls -l command (="list in the long format"). For example, the command: ls -l junk produced this output on my screen: -rwx------ 1 yogin inca 27 Apr 24 14:12 junk This shows the file "junk", belonging to the owner "yogin" and to the group "inca". The ownership of a file can be changed using the commands chown (change owner) and chgrp (change group), which are normally executed by root: chown peter junk chgrp peter junk ls -l junk After executing the above 3 lines, the command ls-l junk produces this output on my screen: -rwx------ 1 peter peter 27 Apr 25 20:27 junk Changing file ownership comes handy if you move/copy files around as root for use by other users. At the end of your housekeeping you typically want to hand the file ownership over to the proper user. File permissions. Now, an owner of a file can make the file accessible in three modes: read (r), write (w) and execute (x) to three classes of users: owner (u), members of a group (g), others on the system (o). You can check the current access permissions using: ls -l filename If the file is accessible to all users (owner, group, others) in all three modes (read, write, execute) it will show: -rwxrwxrwx Skip the first "-" (it shows the type of file, and is "-" for normal files, "d" for directories, "l" for links, "c" for character devices, "b" for block devices, "p" for named pipes i.e. FIFO files, "f" for stacks i.e. LIFO files). After the initial "-" character, the first triplet shows the file permission for the owner of the file, the second triplet shows the permissions for the group that owns the file, the third triplet shows the permissions for other users. A "no" permission is shown as "-". Here is an output from the ls -l command on a file that is owned by root, for which the owner (root) has all permissions, but the group and others can only read and execute: drwxr-xr-x 2 root root 21504 Apr 24 19:27 dev The first letter "d" shows that the file is actually a directory. You can change the permissions on a file which you own using the command chmod (="change mode"). For example, this command will add the permission to read the file "junk" to all (=user+group+others): chmod a+r junk In the command above, instead of "a" (="all"), I could have used "u", "g" or "o" (="user", "group" or "others"). Instead of "+" (="add the permission"), I could have used "-" or "=" ("remove the permission" or "set the permission"). Instead of "r" (="read permission"), I could have used "w" or "x" ("write permission" or "execute permission"). Second example. This command will remove the permission to execute the file "junk" from others: chmod o-x junk Instead of letters, one can also use numbers to specify the permissions. To understand how it works, look at this: execute=1
0 = no
permissions at all(neither to write, nor to read nor to execute)(common)
chmod 770 junk will give the owner and the group the completto of permissions, but no permissions to others. The command: chmod 666 junk gives all three classes of users (owner, group, others) the permissions to read and write (but not execute) the example file named "junk". Please note the "666". It is quite often used and, for at least one person I know, it is proof that Linux (any UNIX for that matter) is the work of the devil >:-0. This command: chmod 411 junk would give the owner the permission to read only, and the group and others to execute only. This one does not seem useful, but might be funny, at least for those North American Linux users who dial 411 (telephone number) for directory assistance. Mail me if you can think of any other funny permissions (perhaps 007?). The numerical way of representing file permissions is called "octal" because the numbers have the base 8 (the decimal system's base is 10). The highest digit in the octal system is 7 (the octal system has eight digits: 0 to 7, analogous to the decimal system having ten digits: 0 to 9). The octal representation is really a convenient notation for the binary representation of file permissions, where each permission is flagged as "set" or "denied" with a one or zero and the total is represented as a string of zeroes and ones, as in this diagram: user class: owner group others example permissions: rwx rw- r-- absent permissions: --- --x -wx binary representation of the permissions: 111 110 100 octal representation of the binary: 7 6 4 Permissions for directories. The meaning of the permissions is different for directories than it is for "normal" files. For normal files: r=permission to read the contents of the file, w=permission to modify the contents of the file, and x=permission to execute the file. For directories: r=permission to list the filenames in the directory, w=permission to create or delete files in the directory, and x=permission to access the directory. Otherwise, the permissions are set the same way for directories as they are for normal files. Default file permissions with umask. When a new file is created, it is given default permissions. On my system, these are: -rw-r--r--This means that files created by a user can be read and written by this user; the group and the others can only read the file. Still, on my default RedHat system, users cannot read the files in the other users' home directories because the permissions on the home directories are: drwx------ I can check the default file permissions given to my newly created files using: umask -S (The option "-S" stands for "symbolic" and tells umask to display the permissions in an easy-to-read form, instead of the default numeric mode.) I can change the default file permissions for newly created files using a command like: umask u=rw,g=,o= which will give the owner the read and write permissions on newly created files (r+w), and no permission to the group and others. Using numbers to set default permissions with umask is more tricky. The number shows the permissions that you take away for users (opposite to chmod). Thus: umask 000 will give full permissions to everybody on newly created files. The next example gives read and write permissions to the owner, and zero permissions for everybody else (seems that's what one might want): umask 177 To make the settings permanent for all users on the system, adjust the appropriate line(s) in the file /etc/profile . Next > 3.2.7 My mp3 player chokes. The sound is kind of interrupted (how to set suid).
|
||
