City College of San Francisco - CS260A
Unix/Linux System Administration

Module: Review

Permissions

Permissions on Unix are simple. There are just three: r (read), w (write) and x (execute).

For a file, these mean just what you would think. r means you can read the file's contents. w means you can update the file's contents. x means you can attempt to execute the file as a program.

There are three sets of these three permissions for each piece of data on the system. Which set you get depends on who you are with respect to the data. Before we continue, we need to talk about groups:

Groups

Users on a Unix system are divided into groups at the discretion of the system administrator. Traditionally, you were placed in a group as a work group, and this was used to share data easily with other members of the group. Today groups may be assigned by work group, by class in school, by job classification, etc., or even randomly.

Each user is in one or more groups. One of these groups is your default group. 

Each piece of data on the system has one group. When you create a piece of data, it is owned by you and placed in your default group.

(At CCSF, you are in one group for each of your classes. The group names are created from the CRN number of the class. These groups change each semester. Your default group is one of a handful, and you are assigned to it at random when the account is created. On linux you are normally assigned to a new group as your default group, which is named the same as your login, and possibly to one group that is common among most users.)

Your permissions for a piece of data

As we said, your permissions to access a piece of data depend on who you are with respect to it: the user (owner) of the data, a member of the data's group, or anyone else (other).

Exactly one of these three sets of permissions applies to each user on the system. These three sets of three permissions each are shown in the permissions block of an ls -l listing. (The permissions of a file are also called the file's mode. That is why the command to change permissions is chmod, or change mode.)

Example:

Malak Samdi (msamdi0) is a student at CCSF. He is a member of three groups:

Malak comes across these three files on Unix:

-rw-r-----   1 gboyd      c76036          48 Oct  3 16:03 homework1
-r--r-xrwx   1 msamdi0    users            2 Oct  3 16:03 password
-rwxr-xr--   1 marie      c76131           0 Oct  3 16:07 submit_quiz

What permissions does he have for each?

Suppose the group of password is changed to b20027. Would it alter his access rights? (No. He is still the owner.)

Suppose the owner of password was changed. Would it alter his access rights? Yes. Since he is not in the group users, he now has the permissions of other, or rwx.

Suppose Malak dropped cs110a and was removed from group c76036. Would his permissions to homework1 change? Yes. He now has the permissions of other, or no permissions.
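The rule the three questions above exercise (owner set if you own the data, otherwise group set if you are in its group, otherwise other) can be written down as a small shell function. This is an added example, not part of the course page; the three ls -l lines are the ones from the text, and the group list for msamdi0 is an assumption made for the example, since the page does not list his groups.

```shell
#!/bin/sh
# Added example: decide which of the three permission sets applies to a user.
# Constructed data: the three ls -l lines from the text, plus an ASSUMED
# group list for msamdi0 (the page does not say which groups he is in).

HOMEWORK1='-rw-r-----   1 gboyd      c76036          48 Oct  3 16:03 homework1'
PASSWORD='-r--r-xrwx   1 msamdi0    users            2 Oct  3 16:03 password'
SUBMIT_QUIZ='-rwxr-xr--   1 marie      c76131           0 Oct  3 16:07 submit_quiz'
MALAK_GROUPS='c76036 c76131 b20027'          # assumed for this example

# The "owner changed" question: same line, but gboyd now owns password.
PASSWORD_CHOWNED='-r--r-xrwx   1 gboyd      users            2 Oct  3 16:03 password'

# in_group <group> "<space-separated groups>": succeeds if group is in the list
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# effective_perms <ls -l line> <username> "<space-separated groups>"
# Prints the three permission characters that apply to that user.
effective_perms() {
    line=$1; who=$2; groups=$3
    mode=$(printf '%s\n' "$line" | cut -c2-10)   # the nine permission characters
    set -- $line                                  # split the ls -l fields on whitespace
    owner=$3; grp=$4
    if [ "$who" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c1-3         # user (owner) set: wins even if also in the group
    elif in_group "$grp" "$groups"; then
        printf '%s\n' "$mode" | cut -c4-6         # group set
    else
        printf '%s\n' "$mode" | cut -c7-9         # other set
    fi
}

# Walk through the example: what does msamdi0 get on each file?
for f in "$HOMEWORK1" "$PASSWORD" "$SUBMIT_QUIZ"; do
    name=${f##* }
    printf '%-12s %s\n' "$name" "$(effective_perms "$f" msamdi0 "$MALAK_GROUPS")"
done
# The three "what if" questions from the text:
printf 'password owned by someone else: %s\n' "$(effective_perms "$PASSWORD_CHOWNED" msamdi0 "$MALAK_GROUPS")"
printf 'homework1 after leaving c76036: %s\n' "$(effective_perms "$HOMEWORK1" msamdi0 "c76131 b20027")"
```

The owner test comes first deliberately: an owner who is also in the file's group still gets the user set, which is why changing the group of password to a group Malak belongs to makes no difference to him.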

Directory permissions

For directories, the interpretation of r, w, and x changes. This is the most often misunderstood part of Unix permissions. While file permissions govern the content of a file, directory permissions govern the existence, name, and location of (path to) the file.

Think of a directory as a table that contains file names. Then the r and w permissions for a directory mean:

r - you can examine the table. This means list the directory's contents

w - you can create, remove and change the names of entries in the directory (update the table)

The x permission is a bit strange: it allows you to use the directory entries. Without x permission, you cannot access anything in the directory. x permission on a directory is also called search permission, because without it you cannot cd to (or through) the directory. For all practical purposes, deleting the x permission for a directory makes it unusable, and anything in it or in its subdirectories inaccessible.

The w permission is what confuses people so much. w permission to a directory governs whether you can remove or rename files. The resulting rule is the focus of people's misunderstanding:

The ability to remove a file on Unix has nothing to do with the file's permissions!

Let's reexamine our previous example:

$ ls -ld
drwxr-x---   2 gboyd      cisdept         96 Oct  3 16:07 .
$ ls -l
total 4
-rw-r-----   1 gboyd      c76036          48 Oct  3 16:03 homework1
-r--r-xrwx   1 msamdi0    users            2 Oct  3 16:03 password
-rwxr-xr--   1 marie      c76131           0 Oct  3 16:07 submit_quiz
$

In this directory, a few things are surprising:

$ rm submit_quiz
submit_quiz: 754  mode ? (y/n)

This cryptic question is telling you that you are about to remove submit_quiz even though its permissions (754 here) indicate it is not writable by you. Unless you answer y, the file will not be removed.

This verification message can be a problem if the rm command is in a shell script. In this case, the hapless user will be presented with the verification question, possibly referring to a file that he or she doesn't even know exists. It can also be a problem when removing a structure recursively, as the verification message will appear for each object that is not writable but can be removed. To avoid these problems, add the -f option (force) to the rm command:

$ rm -f submit_quiz
$ ls -l submit_quiz
submit_quiz not found
$
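The two halves of the rule (a read-only file in a writable directory can be removed; a writable file in a directory without w cannot) can be checked on any Unix system in a scratch directory. This is an added example written for this page, not part of the original; it assumes mktemp is available and only touches the directory it creates.

```shell
#!/bin/sh
# Added example: removing a file depends on the DIRECTORY's w permission,
# not on the file's own permissions. Everything happens inside a scratch
# directory from mktemp (assumed available); nothing else is touched.

# mode_of <path>: print the nine permission characters of a path
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Case 1: a file nobody may write, inside a directory we may write.
# Prints "removed" if rm -f succeeded, "kept" otherwise.
remove_readonly_file() {
    d=$(mktemp -d) || return 1
    : > "$d/submit_quiz"
    chmod 444 "$d/submit_quiz"            # r--r--r--: not writable even by its owner
    if rm -f "$d/submit_quiz" && [ ! -e "$d/submit_quiz" ]; then
        result=removed                    # directory is rwx for us, so the entry goes
    else
        result=kept
    fi
    rm -rf "$d"
    printf '%s\n' "$result"
}

# Case 2: a file everybody may write, inside a directory with no w.
# Prints "kept" for an ordinary user; root bypasses directory permissions
# and will see "removed".
remove_from_readonly_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/homework1"
    chmod 666 "$d/homework1"              # rw-rw-rw-: the file itself is wide open
    chmod 555 "$d"                        # r-xr-xr-x: entries may not be added or removed
    if rm -f "$d/homework1" 2>/dev/null && [ ! -e "$d/homework1" ]; then
        result=removed
    else
        result=kept
    fi
    chmod 755 "$d"                        # give w back so the scratch dir can be cleaned up
    rm -rf "$d"
    printf '%s\n' "$result"
}

printf 'read-only file, writable directory:  %s\n' "$(remove_readonly_file)"
printf 'writable file, read-only directory:  %s (mode of file was %s)\n' \
    "$(remove_from_readonly_dir)" "rw-rw-rw-"
```

Note that -f is used in both cases, as the text recommends for scripts, so no verification question is asked; the second case fails outright with "Permission denied" rather than prompting.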

Changing owner and group

The owner of a piece of data can change its owner and group, although, depending on what system you are on, there may be restrictions. On System V-derived systems, the owner can change the owner and group without restrictions. On BSD-derived systems, such as linux, only root can use chown to change the owner, and a normal user can only change the group of her data between groups that she is a member of.

chown newowner files-and-directories

chgrp newgroup files-and-directories

Remember, by changing the owner of a piece of data you are transferring control of that data to someone else. While you still may be able to delete it (if you have write permission to the directory it is in), you can not change its owner or permissions again, as you no longer own it!

Never change the owner of a directory!

Changing Permissions

If you are the owner of a piece of data you can change its permissions. The program to change permissions is chmod, which comes from change mode, since a file's permissions are also called its mode.

There are two ways to use chmod:

chmod symbolic

Although less often used, chmod symbolic is easier to understand. The syntax looks like

chmod [classes]op perms   files-and-directories

where classes is any combination of u (user), g (group), o (other) and a (all three), op is + (add the permissions), - (remove them) or = (set exactly these), and perms is any combination of r, w and x. There are no spaces allowed in this permissions string. Multiple strings may be combined in a single chmod command by using commas between them.

Let's look at some examples:

chmod u+r file1        add r permission for the user
chmod o+x dir1         add x permission for other
chmod g-r,u+x file1    delete r permission for group and add x permission for user
chmod a=r file1        set the permissions to r-- for user, group and other

If the permissions changes in a chmod string overlap, they are applied from left to right:

chmod a=rw,g-w file1 means set the permissions to rw-rw-rw-, then delete w for group, resulting in rw-r--rw-

chmod also has an option -R to apply the chmod command recursively. This is of limited use, as you often want to change the permissions of files and directories separately.

chmod absolute

The absolute form of chmod uses a three-digit octal number to represent all of the permissions. The first octal (base 8) digit represents the user's permissions, the middle the group's, and the last other's permissions. Each octal digit is the sum of read (4), write (2) and execute (1), where the value is added if the permission is set. (Each of 4, 2 and 1 is a single binary digit, where a value of 1 is "on" and 0 is "off".) Thus

permission   binary value   octal value
rw-rw-r--    110110100      664
rwxr-xr--    111101100      754
------rwx    000000111      7
--x--x--x    001001001      111

There are not any exercises to support chmod, as this is review. Practice with it yourself on some dummy files.

umask

When data is created its permissions are set. After that, the only way to modify the permissions is through chmod. The permissions are determined by taking the default permissions, then applying umask to deny certain permissions.

the default permissions are either

umask is a setting in the user's process that acts as a filter to turn off (deny) permissions when data is created. Each bit set in umask denies that permission in the result. Thus, a umask value of 077 denies all permissions for group and other in the files being created.

Let's take our previous set of example files

-rw-r-----   1 gboyd      c76036          48 Oct  3 16:03 homework1
-r--r-xrwx   1 msamdi0    users            2 Oct  3 16:03 password
-rwxr-xr--   1 marie      c76131           0 Oct  3 16:07 submit_quiz

With a umask of 027, which is a common setting, what are the permissions resulting from the following commands:

cp homework1 homework2 - The permissions of the new file homework2 are the same as homework1's, since the permissions that are denied by umask are already not set in homework1.

cp password password1 - The permissions 457 of password are modified by umask when copying to password1 as follows: user permissions are unchanged (umask digit 0 denies no permissions); group permissions are unchanged (umask digit 2 denies write permission, which is not set in password's group permissions (r-x=5)); other permissions (7) are completely denied by the umask digit 7. Result: 450.  It is important to notice here that umask calculations are not subtractions!

mkdir dir1 - The permissions of dir1 without umask would be set to all possible (777). umask modifies them to 750.

Using a different umask value of 143, which is unusual, let's try a few more:

cp submit_quiz submit_quiz1 - The permissions 754 of submit_quiz are modified as follows: user permissions are set to rw- because the x permission is denied by the umask digit of 1; group permissions are set to --x because the r permission is denied by the umask digit of 4; other permissions are not modified, since the umask digit of 3 denies write and execute, and neither of these permissions is set.

cp password homework1 - Since the file homework1 already existed, its permissions are unaltered by the copy. Remember, permissions are only set when the data is created! If you overwrite an existing file, the permissions are unaltered!
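The octal table in the chmod absolute section and the umask worked examples above both come down to the same arithmetic: a permission string is a nine-bit number, and umask removes bits (mode AND NOT umask), which is why 457 under umask 027 gives 450 and not the subtraction result 430. The following added example (written for this page, not part of the course material) implements the conversions, checks the page's figures, and then creates the same files with real umask, cp and mkdir commands in a mktemp scratch directory to confirm what the text says, including that overwriting an existing file leaves its permissions alone.

```shell
#!/bin/sh
# Added example: rwx <-> octal conversion and the umask calculation
# (mode & ~umask), checked against the page's figures, then the same effect
# observed with real umask/cp/mkdir in a scratch directory (mktemp assumed).

# perm_to_octal <nine rwx characters>: e.g. rw-rw-r-- -> 664
perm_to_octal() {
    s=$1; total=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}                 # first character
        s=${s#?}                        # the rest
        total=$(( total * 2 ))          # each character is one binary digit
        [ "$c" = - ] || total=$(( total + 1 ))
    done
    printf '%03o\n' "$total"
}

# octal_to_perm <octal mode>: e.g. 754 -> rwxr-xr--
octal_to_perm() {
    n=$(( 0$1 ))                        # leading 0: the shell reads it as octal
    out=''
    for pos in 6 3 0; do                # user, group, other digit
        d=$(( (n >> pos) & 7 ))
        if [ $(( d & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( d & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( d & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# apply_umask <octal mode> <octal umask>: the bits that survive the mask
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# mode_of <path>: the nine permission characters as ls -l shows them
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# umask_demo: recreate the page's commands under umask 027 and report the
# modes observed, as "homework2 password1 dir1 homework1(after overwrite)".
umask_demo() {
    d=$(mktemp -d) || return 1
    : > "$d/homework1"; chmod 640 "$d/homework1"    # rw-r----- as in the text
    : > "$d/password";  chmod 457 "$d/password"     # r--r-xrwx as in the text
    (
        cd "$d" || exit 1
        umask 027
        cp homework1 homework2      # 640 & ~027 = 640: nothing to deny
        cp password password1       # 457 & ~027 = 450: other loses everything
        mkdir dir1                  # 777 & ~027 = 750
        cp password homework1       # target exists: its mode is NOT recomputed
    )
    r="$(mode_of "$d/homework2") $(mode_of "$d/password1") $(mode_of "$d/dir1") $(mode_of "$d/homework1")"
    rm -rf "$d"
    printf '%s\n' "$r"
}

printf 'rw-rw-r-- = %s, 754 = %s\n' "$(perm_to_octal rw-rw-r--)" "$(octal_to_perm 754)"
printf '457 & ~027 = %s  (subtracting would wrongly give %s)\n' \
    "$(apply_umask 457 027)" "$(printf '%03o' $(( 0457 - 0027 )))"
printf '754 & ~143 = %s = %s\n' "$(apply_umask 754 143)" "$(octal_to_perm "$(apply_umask 754 143)")"
printf 'observed under umask 027: %s\n' "$(umask_demo)"
```

The arithmetic form makes the "not a subtraction" warning concrete: 457 - 027 in octal is 430, but the group digit 5 (r-x) has no w bit for the mask digit 2 to remove, so the real result keeps the 5 and gives 450.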

querying umask

You can inquire about the current value of umask by typing umask with no arguments:

-bash$ umask
0077
-bash$ 

Note that the umask value is indicated as four digits. There are actually 12 permissions bits, not nine (3 times rwx), but the most significant bits are only used in special cases. Thus, your umask value will always have this most significant digit 0. The umask values we have been discussing, e.g., 143 above, could also be written 0143. The umask value shown in this example (0077), is the same as 077, or, indeed, as 77.

Using umask with chmod symbolic

If you recall, we said that it is not necessary to specify a class when using chmod symbolic. In this case, the change is applied to every class for which umask does not deny the permission. For example, if your umask is 077, the command

chmod +w file1

will add w permission only for the user, since umask indicates that w permission for group and other should be denied.
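The whole symbolic form, including the left-to-right rule for overlapping clauses and the umask rule for a clause with no class letter, can be modelled in a few lines of shell arithmetic. This added example is a model written for this page, not chmod's own code; it takes and returns octal modes so the results can be compared directly with the chmod absolute table.

```shell
#!/bin/sh
# Added example: a model of how a symbolic chmod string is applied.
# Written for this page, not chmod's source. Clauses are applied left to
# right; a clause with no class letter applies to every class the umask
# does not deny, as the text describes for "chmod +w" under umask 077.

# symbolic_chmod <octal mode> <symbolic spec> [octal umask, default 022]
# Prints the resulting mode in octal.
symbolic_chmod() {
    mode=$(( 0$1 )); spec=$2; mask=$(( 0${3:-022} ))
    while [ -n "$spec" ]; do
        clause=${spec%%,*}                              # up to the first comma
        case $spec in *,*) spec=${spec#*,};; *) spec='';; esac
        classes=0
        while :; do                                     # leading u/g/o/a letters
            case $clause in
                u*) classes=$(( classes | 0700 ));;
                g*) classes=$(( classes | 0070 ));;
                o*) classes=$(( classes | 0007 ));;
                a*) classes=$(( classes | 0777 ));;
                *)  break;;
            esac
            clause=${clause#?}
        done
        if [ "$classes" -eq 0 ]; then
            classes=$(( 0777 & ~mask ))                 # no class given: umask decides
        fi
        op=${clause%"${clause#?}"}                      # the operator character
        perms=${clause#?}                               # the r/w/x letters after it
        bits=0
        case $perms in *r*) bits=$(( bits | 0444 ));; esac
        case $perms in *w*) bits=$(( bits | 0222 ));; esac
        case $perms in *x*) bits=$(( bits | 0111 ));; esac
        bits=$(( bits & classes ))                      # keep only the chosen classes
        case $op in
            +) mode=$(( mode | bits ));;
            -) mode=$(( mode & ~bits ));;
            =) mode=$(( (mode & ~classes) | bits ));;   # replace the whole class
            *) printf 'bad operator in %s\n' "$2" >&2; return 1;;
        esac
    done
    printf '%03o\n' "$mode"
}

# The page's examples:
printf 'a=rw,g-w on 000            -> %s (rw-r--rw-)\n' "$(symbolic_chmod 000 a=rw,g-w)"
printf 'g-r,u+x on 644             -> %s\n' "$(symbolic_chmod 644 g-r,u+x)"
printf '+w on 000 with umask 077   -> %s (w for user only)\n' "$(symbolic_chmod 000 +w 077)"
printf '+w on 444 with umask 022   -> %s\n' "$(symbolic_chmod 444 +w 022)"
```

The = operator clears the selected classes before setting the new bits, which is what makes a=rw,g-w come out as rw-r--rw- (646): the first clause sets everything to rw-, then the second removes only the group's w.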

Preserving permissions

If you want to copy some data on a Unix system and want to preserve the permissions during the copy, you can take either the traditional approach of setting your umask to 0 first, or the more modern approach of adding the -p option to the copy command (cp).

Additional permissions

There are actually twelve permissions bits, rather than 9, and, when queried, umask will show four octal digits. The most significant bits of permissions (the most significant octal digit) are special permissions that are only used in special circumstances. These will be covered in a later section. 

Besides the traditional permissions, most linux filesystems support file attributes. If so, the file permissions block output by ls -l will have a trailing period. These filesystems can also usually support access control lists, which allow specific permissions to be set for lists of users or groups. If a file or directory has an access control list, the trailing period to the right of the permissions block in the output of ls -l will be a + instead. Extended permissions and ACLs are covered in a later section.



Copyright 2016 Greg Boyd - All Rights Reserved.