Previous Section
 < Day Day Up > 
Next Section


Controlling Access to Directories and Files: chmod

Each file and directory in Linux contains a set of permissions that determine who can access them and how. You set these permissions to limit access in one of three ways: You can restrict access to yourself alone, you can allow users in a predesignated group to have access, or you can permit anyone on your system to have access. You can also control how a given file or directory is accessed.

Permissions

A file or directory may have read, write, and execute permissions. When a file is created, it is automatically given read and write permissions for the owner, enabling you to display and modify the file. You may change these permissions to any combination you want. A file could also have read-only permission, preventing any modifications.

Permission Categories

Three different categories of users can have access to a file or directory: the owner, the group, an all others not belonging to that group. The owner is the user who created the file. Any file you create, you own. You can also permit a group to have access to a file. Often, users are collected into groups. For example, all the users for a given class or project could be formed into a group by the system administrator. A user can grant access to a file to the members of a designated group. Finally, you can also open up access to a file to all other users on the system. In this case, every user not part of the file's group could have access to that file. In this sense, every other user on the system makes up the "others" category. If you want to give the same access to all users on your system, you set the same permissions for both the group and the others. That way, you include both members of the group (group permission) and all those users who are not members (others permission).

Read, Write, Execute Permissions

Each category has its own set of read, write, and execute permissions. The first set controls the user's own access to his or her files—the owner access. The second set controls the access of the group to a user's files. The third set controls the access of all other users to the user's files. The three sets of read, write, and execute permissions for the three categories—owner, group, and other—make a total of nine types of permissions.

The ls command with the -l option displays detailed information about the file, including the permissions. In the following example, the first set of characters on the left is a list of the permissions set for the mydata file:

$ ls -l mydata
-rw-r--r-- 1 chris weather 207 Feb 20 11:55 mydata

An empty permission is represented by a dash, -. The read permission is represented by r, write by w, and execute by x. Notice there are ten positions. The first character indicates the file type. In a general sense, a directory can be considered a type of file. If the first character is a dash, a file is being listed. If the first character is d, information about a directory is being displayed.

The next nine characters are arranged according to the different user categories. The first set of three characters is the owner's set of permissions for the file. The second set of three characters is the group's set of permissions for the file. The last set of three characters is the other users' set of permissions for the file.

Permissions on GNOME

On GNOME, you can set a directory or file permission using the Permissions panel in its Properties window. Right-click the file or directory entry in the file manager window and select Properties. Then select the Permissions panel. Here you will find a table of boxes with columns for Read, Write, and Execute along with rows for Owner, Group, and Other. Check the appropriate box for the permission you want. Normally, the Read and Write boxes for owner permission will already be set. You can specify the group you want access provided to from the Group drop-down menu. This displays the groups a user belongs to.

chmod

You use the chmod command to change different permission configurations. chmod takes two lists as its arguments: permission changes and filenames. You can specify the list of permissions in two different ways. One way uses permission symbols and is referred to as the symbolic method. The other uses what is known as a "binary mask" and is referred to as either the absolute or the relative method. Table 28-4 lists options for the chmod command.

Note 

When a program is owned by the root, setting the user ID permission will give the user the ability to execute the program with root permissions. This can be a serious security risk for any program that could effect changes—such as rm, which removes files.

Ownership

Files and directories belong to both an owner and a group. A group usually consists of a collection of users, all belonging to the same group. In the following example, the mydata file is owned by the user robert and belongs to the group weather.

-rw-r--r-- 1 robert weather 207 Feb 20 11:55 mydat
Table 28-4: File and Directory Permission Operations

Command or Option

Execution

chmod

Changes the permission of a file or directory.

Options

 

+

Adds a permission.

-

Removes a permission.

=

Assigns entire set of permissions.

r

Sets read permission for a file or directory. A file can be displayed or printed. A directory can have the list of its files displayed.

w

Sets write permission for a file or directory. A file can be edited or erased. A directory can be removed.

x

Sets execute permission for a file or directory. If the file is a shell script, it can be executed as a program. A directory can be changed to and entered.

u

Sets permissions for the user who created and owns the file or directory.

g

Sets permissions for group access to a file or directory.

o

Sets permissions for access to a file or directory by all other users on the system.

a

Sets permissions for access by the owner, group, and all other users.

s

Sets User ID and Group ID permission; program owned by owner and group.

t

Sets sticky bit permission; program remains in memory.

chgrp groupname filenames

Changes the group for a file or files.

chown user-name filenames

Changes the owner of a file or files.

ls -l filename

Lists a filename with its permissions displayed.

ls -ld directory

Lists a directory name with its permissions displayed.

ls -l

Lists all files in a directory with its permissions displayed.

A group can also consist of one user, however, normally the user who creates the file. Each user on the system, including the root user, is assigned their own group, of which they are the only member, ensuring access only by that user. In the next example, the report file is owned by the robert user and belongs to that user's single user group, robert.

-rw-r--r-- 1 robert robert 305 Mar 17 12:01 report

The root user, the system administrator, owns most of the system files that also belong to the root group, of which only the root user is a member. Most administration files, like configuration files in the /etc directory, are owned by the root user and belong to the root group. Only the root user has permission to modify them, whereas normal users can read and, in the case of programs, also execute them. In the next example, root user owns the fstab file in /etc directory, which also belongs to the root user group.

-rw-r--r-- 1 root root 621 Apr 22 11:03 fstab

Certain directories and files located in the system directories are owned by a service, rather than the root user, because the services need to change those files directly. This is particularly true for services that interact with remote users, such as Internet servers. Most of these files are located in the /var directory. Here you will find files and directories managed by services like the Squid proxy server and the Domain Name Server (named). In this example, the Squid proxy server directory is owned by the squid user and belongs to the squid group.

drwxr-x--- 2 squid squid 4096 Jan 24 16:29 squid

Changing a File's Owner or Group: chown and chgrp

Although other users may be able to access a file, only the owner can change its permissions. If, however, you want to give some other user control over one of your file's permissions, you can change the owner of the file from yourself to the other user. The chown command transfers control over a file to another user. This command takes as its first argument the name of the other user. Following the username, you list the files you are transferring. In the next example, the user gives control of the mydata file to user robert:

$ chown robert mydata
$ ls -l mydata
-rw-r--r-- 1 robert weather 207 Feb 20 11:55 mydata

You can also, if you wish, change the group for a file, using the chgrp command. chgrp takes as its first argument the name of the new group for a file or files. Following the new group name, you list the files you want changed to that group. In the next example, the user changes the group name for today and weekend to the forecast group. The ls -l command then reflects the group change.

$ chgrp forecast today weekend
$ ls -l
-rw-rw-r-- 1 chris forecast 568 Feb 14 10:30 today
-rw-rw-r-- 1 chris forecast 308 Feb 17 12:40 weekend

You can combine the chgrp operation in the chown command by attaching a group to the new owner with a colon.

$ chown george:forecast tomorrow
-rw-rw-r-- 1 george forecast 568 Feb 14 10:30 tomorrow

Setting Permissions: Permission Symbols

The symbolic method of setting permissions uses the characters r, w, and x for read, write, and execute, respectively. Any of these permissions can be added or removed. The symbol to add a permission is the plus sign, +. The symbol to remove a permission is the minus sign, -. In the next example, the chmod command adds the execute permission and removes the write permission for the mydata file for all categories. The read permission is not changed.

$ chmod +x-w mydata

Permission symbols also specify each user category. The owner, group, and others categories are represented by the u, g, and o characters, respectively. Notice the owner category is represented by a u, and can be thought of as the user. The symbol for a category is placed before the plus and minus signs preceding the read, write, and execute permissions. If no category symbol is used, all categories are assumed, and the permissions specified are set for the user, group, and others. In the next example, the first chmod command sets the permissions for the group to read and write. The second chmod command sets permissions for other users to read. Notice no spaces are between the permission specifications and the category. The permissions list is simply one long phrase, with no spaces.

$ chmod g+rw mydata
$ chmod o+r mydata

A user may remove permissions as well as add them. In the next example, the read permission is set for other users, but the write and execute permissions are removed:

$ chmod o+r-wx mydata

Another permission character exists, a, which represents all the categories. The a character is the default. In the next example, the two commands are equivalent. The read permission is explicitly set with the a character denoting all types of users: other, group, and user.

$ chmod a+r mydata
$ chmod +r mydata

One of the most common permission operations is setting a file's executable permission. This is often done in the case of shell program files. The executable permission indicates a file contains executable instructions and can be directly run by the system. In the next example, the file lsc has its executable permission set and then executed:

$ chmod u+x lsc
$ lsc
main.c lib.c
$

Absolute Permissions: Binary Masks

Instead of the permission symbols in Table 28-4, many users find it more convenient to use the absolute method. The absolute method changes all the permissions at once, instead of specifying one or the other. It uses a binary mask that references all the permissions in each category. The three categories, each with three permissions, conform to an octal binary format. Octal numbers have a base 8 structure. When translated into a binary number, each octal digit becomes three binary digits. A binary number is a set of 1 and 0 digits. Three octal digits in a number translate into three sets of three binary digits, which is nine altogether— and the exact number of permissions for a file.

You can use the octal digits as a mask to set the different file permissions. Each octal digit applies to one of the user categories. You can think of the digits matching up with the permission categories from left to right, beginning with the owner category. The first octal digit applies to the owner category, the second to the group, and the third to the others category. The actual octal digit you choose determines the read, write, and execute permissions for each category. At this point, you need to know how octal digits translate into their binary equivalents.

Calculating Octal Numbers

A simple way to calculate the octal number makes use of the fact that any number used for permissions will be a combination derived from adding in decimal terms the numbers 4, 2, and 1. Use 4 for read permission, 2 for write, and 1 for execute. The read, write, execute permission is simply the addition of 4 + 2 + 1 to get 7. The read and execute permission adds 4 and 1, to get 5. You can use this method to calculate the octal number for each category. To get 755, you would add 4 + 2 + 1 for the owner read, write, and execute permission, 4 + 1 for the group read and execute permission, and 4 + 1 again for the other read and execute permission.

Binary Masks

When dealing with a binary mask, you need to specify three digits for all three categories, as well as their permissions. This makes a binary mask less versatile than the permission symbols. To set the owner execute permission on and the write permission off for the mydata file and retain the read permission, you need to use the octal digit 5 (101). At the same time, you need to specify the digits for group and other users access. If these categories are to retain read access, you need the octal number 4 for each (100). This gives you three octal digits, 544, which translate into the binary digits 101 100 100.

$ chmod 544 mydata

Execute Permissions

One of the most common uses of the binary mask is to set the execute permission. You can create files that contain Linux commands, called shell scripts. To execute the commands in a shell script, you must first indicate the file is executable—that it contains commands the system can execute. You can do this in several ways, one of which is to set the executable permission on the shell script file. Suppose you just completed a shell script file and you need to give it executable permission to run it. You also want to retain read and write permission but deny any access by the group or other users. The octal digit 7 (111) will set all three permissions, including execute (you can also add 4-read, 2-write, and 1-execute to get 7). Using 0 for the group and other users denies them access. This gives you the digits 700, which are equivalent to the binary digits 111 000 000. In this example, the owner permission for the myprog file is set to include execute permission:

$ chmod 700 myprog

If you want others to be able to execute and read the file, but not change it, you can set the read and execute permissions and turn off the write permission with the digit 5 (101). In this case, you would use the octal digits 755, having the binary equivalent of 111 101 101.

$ chmod 755 myprog

Directory Permissions

You can also set permissions on directories. The read permission set on a directory allows the list of files in a directory to be displayed. The execute permission enables a user to change to that directory. The write permission enables a user to create and remove his or her files in that directory. If you allow other users to have write permission on a directory, they can add their own files to it. When you create a directory, it is automatically given read, write, and execute permission for the owner. You may list the files in that directory, change to it, and create files in it.

Like files, directories have sets of permissions for the owner, the group, and all other users. Often, you may want to allow other users to change to and list the files in one of your directories, but not let them add their own files to it. In this case, you would set read and execute permissions on the directory, but not write permission. This would allow other users to change to the directory and list the files in it, but not to create new files or to copy any of their files into it. The next example sets read and execute permission for the group for the thankyou directory, but removes the write permission. Members of the group may enter the thankyou directory and list the files there, but they may not create new ones.

$ chmod g+rx-w letters/thankyou

Just as with files, you can also use octal digits to set a directory permission. To set the same permissions as in the preceding example, you would use the octal digits 750, which have the binary equivalents of 111 101 000.

$ chmod 750 letters/thankyou

Displaying Directory Permissions

The ls command with the -l option lists all files in a directory. To list only the information about the directory itself, add a d modifier. In the next example, ls -ld displays information about the thankyou directory. Notice the first character in the permissions list is d, indicating it is a directory.

$ ls -ld thankyou
drwxr-x--- 2 chris 512 Feb 10 04:30 thankyou

Parent Directory Permissions

If you have a file you want other users to have access to, you not only need to set permissions for that file, you also must make sure the permissions are set for the directory in which the file is located. To access your file, a user must first access the file's directory. The same applies to parents of directories. Although a directory may give permission to others to access it, if its parent directory denies access, the directory cannot be reached. Therefore, you must pay close attention to your directory tree. To provide access to a directory, all other directories above it in the directory tree must also be accessible to other users.

Ownership Permissions

In addition to the read/write/execute permissions, you can also set ownership permissions for executable programs. Normally, the user who runs a program owns it while it is running, even though the program file itself may be owned by another user. The Set User ID permission allows the original owner of the program to own it always, even while another user is running the program. For example, most software on the system is owned by the root user but is run by ordinary users. Some such software may have to modify files owned by the root. In this case, the ordinary user would need to run that program with the root retaining ownership so that the program could have the permissions to change those root-owned files. The Group ID permission works the same way, except for groups. Programs owned by a group retain ownership, even when run by users from another group. The program can then change the owner group's files. There is a potential security risk involved in that you are essentially giving a user some limited root-level access.

Ownership Permissions Using Symbols

To add both the User ID and Group ID permissions to a file, you use the s option. The following example adds the User ID permission to the pppd program, which is owned by the root user. When an ordinary user runs pppd, the root user retains ownership, allowing the pppd program to change root-owned files.

# chmod +s /usr/sbin/pppd

The Set User ID and Set Group ID permissions show up as an s in the execute position of the owner and group segments. Set User ID and Group ID are essentially variations of the execute permission, x. Read, write, and User ID permission would be rws instead of just rwx.

# ls -l /usr/sbin/pppd
-rwsr-sr-x 1 root root 184412 Jan 24 22:48 /usr/sbin/pppd

Ownership Permissions Using the Binary Method

For the ownership permissions, you add another octal number to the beginning of the octal digits. The octal digit for User ID permission is 4 (100) and for Group ID, it is 2 (010) (use 6 to set both—110). The following example sets the User ID permission to the pppd program, along with read and execute permissions for the owner, group, and others:

# chmod 4555 /usr/sbin/pppd

Sticky Bit Permission Using Symbols

The sticky bit permission symbol is t. The sticky bit shows up as a t in the execute position of the other permissions. A program with read and execute permission with the sticky bit would have its permissions displayed as r-t.

# chmod +t /home/dylan/myreports
# ls -l /home/dylan/myreports
-rwxr-xr-t 1 root root 4096 /home/dylan/myreports

Sticky Bit Permissions

One other special permission provides for greater security on directories, the sticky bit. Originally the sticky bit was used to keep a program in memory after it finished execution to increase efficiency. Current Linux systems ignore this feature. Instead, it is used for directories to protect files within them. Files in a directory with the sticky bit set can only be deleted or renamed by the root user or the owner of the directory.

Sticky Bit Permission Using the Binary Method

As with ownership, for sticky bit permissions, you add another octal number to the beginning of the octal digits. The octal digit for the sticky bit is 1 (001). The following example sets the sticky bit for the myreports directory.

# chmod 1755 /home/dylan/myreports

The next example would set both the sticky bit and the User ID permission on the newprogs directory. The permission 5755 has the binary equivalent of 101 111 101 101.

# chmod 5755 /usr/bin/newprogs
# ls -l /usr/bin/newprogs
drwsr-xr-t 1 root root 4096  /usr/bin/newprogs

Permission Defaults: umask

Whenever you create a file or directory, it is given default permissions. You can display the current defaults or change them with the umask command. The permissions are displayed in binary or symbolic format as described in the following sections. The default permissions include any execute permissions that would be applied to a directory. Execute permission for a file is turned off by default when you create it. This is because standard data files do not use the executable permissions (for a file that you want to be executable like a script, you will have to manually set its execute permission). To display the current default permissions, use the umask command with no arguments. The -S option uses the symbolic format.

$ umask -S
u=rwx,g=rx,o=rx

This default umask provides rw-r--r-- permission for standard files and adds execute permission for directories, rwxr-xr-x.

You can set a new default by specifying permissions in either symbolic or binary format. To specify the new permissions, use the -S option. The following example denies others read permission, while allowing user and group read access, which results in permissions of rwxr-x---.

$ umask -S  u=rwx,g=rx,o=

When you use the binary format, the mask is the inverse of the permissions you want to set. So to set both the read and execute permission on and the write permission off, you would use the octal number 2, a binary 010. To set all permissions on, you would use an octal 0, a binary 000. The following example shows the mask for the permission defaults rwx, rx, and rx (rw, r, and r for files).

$ umask
0022

To set the default to only deny all permissions for others, you would use 0027, using the binary mask 0111 for the other permissions.

$ umask 0027


Previous Section
 < Day Day Up > 
Next Section
This HTML Help has been published using the chm2web software.