Unix Utilities: chmod and File Permissions
The Unix operating
system was initially designed to be an open system--information sharing
was meant to be as painless as possible. To facilitate the easy exchange
of information, the chmod command was written to set the privileges different
classes of users would have to a user's files and directories. This document
is designed to explain file privileges, how to check them, and how to
change file permissions with the chmod command. As with almost every command
under Unix, additional help may be found using the manual pages for chmod.
To do this, type
man chmod
at the dunx1%
prompt. This handout was prepared using the man pages available on dunx1,
as well as Unix in a Nutshell by O'Reilly and Associates.
File Permissions
Unix allows
for three different types of permissions to be set on any file or directory.
These privileges are the ability to read, write, or execute the file
as a command. These permissions can be set for the owner of the file
(called the user), the users in the same group as the owner of the file,
or for the rest of the users on the machine (called the world). As you
can probably guess, permissions mean just what they represent. Permissions
on files work slightly differently than those for directories.
The Read Permission
The first permission,
and perhaps the most important, is the read permission. When the read
permission is set on a file, the user may examine the contents of the
file. They can use utilities such as more or cat to view the file. They
can make copies of the file. They can even open the file with an editor
(such as vi) in read-only mode. What a user with only the read privilege
cannot do is issue the file name as a command or modify the file. When
referring to a directory, the read privilege will allow the user to
look into the directory, but they cannot delete or modify any files
or directories they may find. A user will not be able to cd (change
directory) into a read-only directory.
The Write Permission
When working
with files, the write permission usually works hand in hand with the
read permission. By itself, the write privilege will allow the user
to overwrite a file as well as remove the file. Attempts to modify the
file with a text editor will cause an error message to appear stating
"permission denied." The editor will open a blank file with the same
name as the "protected" file. You may edit this file all you wish, but
if you try to save it the editor will prompt you that the file already
exists, do you wish to overwrite the file? If you tell it "yes," you
will lose the contents of the original filename. When working with a
directory, the write privilege by itself grants no privileges. It must
be combined with the execute privilege before it has any meaning. This
will be discussed after we talk about the execute privilege.
The Execute Privilege
The execute
privilege set on a file allows a user to issue the file's name as a
command. If the file is a binary file, it will be executed by Unix.
If the file is a text file, Unix will assume the file is a shell script
and attempt to interpret its contents as shell commands. In either case,
the execute privilege allows the user to try and do something by using
the filename as a command. The execute privilege has special context
in relation to a directory. If a directory has only the execute privilege
set, it will allow the user to change directory (cd) into the directory,
but not read the directory's contents or allow the addition of or modification
of files. When combined with the write permission, it will allow a user
to save files into the directory and modify or delete them, but will
not allow the user to read the directory's contents. One of the most
common privilege sets for a directory is to give read and execute privileges
to a user. Read and execute will allow the user to cd into the directory,
as well as read its contents, but not modify anything or create new
files there. It is a good way of allowing users to see and move around
within your directories, but not erase any vital information or fill
your directories with files to consume your disk quota.
Determining File Permissions
Determining
your files' and directories' privileges is not a difficult matter. In
fact, you probably already are familiar with the command. The command
ls -l will show your files in the long format. The first ten characters
of each line are the file's permissions. For example:
dunx1(89)% ls -l
drwxr-xr-x 2 jminarik 512 Mar 4 10:50 bin/
-rw-rw-rw- 1 jminarik 103 Feb 2 14:06 filter_errors
-rw------- 1 jminarik 8538 Mar 4 16:16 fun
drwx------ 2 jminarik 512 Mar 4 08:08 manuals/
The first item
returned, the bin directory, has the following permissions: the owner
(jminarik), has full read, write and execute privileges, the group jminarik
is part of and the rest of the machine's users (the world) have read
and execute privileges. To determine the privileges, you must break
these first 10 characters into 4 subsets. The first subset is simply
the first character. In our bin dir above, that is a "d." The "d" signifies
that bin is a directory (which is actually redundant with the "/" after
the name bin). In this first position could also be a "-" (dash or hyphen).
In this case the name listed is just a regular file. Other characters
may exist here, but these are the two most common. The remaining nine
characters are broken down into three subsets of three. These correspond
to the permissions given to the file's owner, then the owner's group,
and finally the privileges enjoyed by the rest of the world. Breaking
up these ten characters we would see:
| d    | rwx   | r-x   | r-x   |
| type | owner | group | world |
As can be seen,
each subset has the same format. The first character of the subset will
be an "r" or a "-", denoting whether the file is readable or not. The
second character will either be a "w" or a "-", signifying write permissions.
The final character is usually an "x" or a "-", denoting whether the file
is executable. For example:
rwxr-xr--
Signifies the owner has read, write and execute permissions, the owner's
group has read and execute, and the rest of the world has only read
permissions.
rwx---rwx
Signifies the owner has read, write and execute permissions, the owner's
group has no privileges, and the rest of the world has full read, write
and execute. Note that the group members of the owner have no privileges
even though the world has full privileges. This is because Unix determines
privileges from smallest group to largest. In other words, Unix first
checks to see if the user is the owner, if not, it checks for group,
and then finally checks the world permissions. Once Unix finds that
a user is the owner or within the owner's group, it stops checking.
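The owner, then group, then world check described above, as an added shell example that is not part of the original handout. The user names alice and bob, the group names, and the function names are made up for illustration; the superuser and access control lists are ignored.

```shell
#!/bin/sh
# perm_class MODE OWNER GROUP USER "USER_GROUPS"
#   MODE is the ten-character field from ls -l, e.g. -rwx---rwx.
#   Prints the class that applies to USER and that class's three characters.
perm_class() {
    pc_mode=$1 pc_owner=$2 pc_group=$3 pc_user=$4 pc_groups=$5
    # Characters 2-4 belong to the owner, 5-7 to the group, 8-10 to the world.
    if [ "$pc_user" = "$pc_owner" ]; then
        echo "owner $(printf '%s' "$pc_mode" | cut -c2-4)"
        return 0
    fi
    for pc_g in $pc_groups; do
        if [ "$pc_g" = "$pc_group" ]; then
            # Group match: checking stops here, world bits are never consulted.
            echo "group $(printf '%s' "$pc_mode" | cut -c5-7)"
            return 0
        fi
    done
    echo "world $(printf '%s' "$pc_mode" | cut -c8-10)"
}

# allowed PERM MODE OWNER GROUP USER "USER_GROUPS"
#   PERM is r, w or x. Returns 0 if the applicable class grants it.
allowed() {
    al_want=$1
    shift
    al_bits=$(perm_class "$@" | cut -d' ' -f2)
    case $al_bits in
        *"$al_want"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: a file listed as -rwx---rwx, owned by jminarik,
# group staff. alice is in staff; bob is not (both users are made up).
for who in "jminarik staff" "alice staff" "bob users"; do
    set -- $who
    printf '%-9s -> %s\n' "$1" "$(perm_class -rwx---rwx jminarik staff "$1" "$2")"
done
```

For the rwx---rwx file, alice lands in the group class and gets nothing, while bob falls through to the world class and gets everything.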
Changing Permissions: chmod
Changing permissions
on a file or directory is done with the chmod command. This command
can be issued from the Unix prompt, and has two modes of operation.
The first mode is longer, but perhaps more easily remembered than the
second. The first mode for chmod has the format:
chmod who operation permissions file(s)
Where who represents
the class of user being affected by the operation and permissions being
those set for the file or list of files provided at the end of the command.
The options available for the who, operation and permissions are:
chmod [ugoa][+-=][rwxugo]
In the first group, the who group, we determine which user type is affected. The
ugoa represent:
u: The owner of the file (user)
g: The owner's group
o: The rest of the world (other)
a: The following change affects all three groups
In the second group, the operator group, the symbols denote:
+: Add the following permission to the file(s) listed
-: Remove the following permission for the file(s) listed
=: Set the permissions equal to the following. Ignore all previous permissions
The final group is the permissions list. "rwx" represent read, write and execute. The
"ugo" are usually used with the = operator to:
u: Set the permissions to those of the owner
g: Set the permissions to those of the group
o: Set the permissions to those of the rest of the world (other)
Some examples of these commands are:
chmod u+rwx fax
Add the read, write and execute privileges to the user.
chmod g=o fax
Change the group's permissions to be exactly like those others have.
chmod a=rx fax
Change permissions for everyone to read and execute.
The second mode
for chmod is symbolic mode. Symbolic mode is shorter, but may require
more thought by the user. It contains only two strings, plus the file
or list of files. For example:
chmod XXX filename
The XXX represents
the permissions given to the user, the group and the world for the file
filename. Each 'X' represents a digit from 0 through 7. The first 'X'
represents the user's permissions, the second the user's group's permission,
and finally, the world's permissions. This ordering is the same as the
ordering shown by the ls -l command. What the individual digits represent
are:
0 No privileges
1 Execute
2 Write
4 Read
Using the logic
of the command, chmod 440 fax would give read permissions to the user
(the owner) and his or her group, and no privileges to the world. chmod
101 would give execute privileges to the user and the world, but no
privileges to the user's group. To add multiple permissions for either
the user, group or the world, we must add the three positive values
above to reach the appropriate permission. For example, 1 plus 2 equals
3, so therefore 3 is equal to execute and write privileges. 1 plus 2
plus 4 equal 7, so 7 equals read, write and execute. For purposes of
brevity, the following are all the permissions using this symbolic mode:
0 No privileges
1 Execute
2 Write
3 Execute and Write
4 Read
5 Execute and Read
6 Read and Write
7 Read, Write and Execute
Some examples showing the results using ls -l for the following commands:
chmod 700 fax equals -rwx------
chmod 333 fax equals --wx-wx-wx
chmod 007 fax equals -------rwx
chmod 123 fax equals ---x-w--wx
chmod 456 fax equals -r--r-xrw-
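A check built on both chmod forms, added here as an example and not part of the original handout: it recreates the four modes from the ls -l listing in a scratch directory, lists what the world can write to, and clears only that bit with chmod o-w. The function names and the scratch directory are assumptions of the example.

```shell
#!/bin/sh
# mode_of PATH: print the ten-character type and permission field from ls -l.
mode_of() { ls -ld "$1" | cut -c1-10; }

# world_writable DIR: list files and directories under DIR that the world
# can write to (the 2 in the third digit of the mode).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 | sort
}

# remove_world_write DIR: clear only the world write bit; other bits stay.
remove_world_write() {
    world_writable "$1" | while IFS= read -r ww_path; do
        chmod o-w "$ww_path"
    done
}

# make_sample DIR: constructed tree with the four modes from the listing.
make_sample() {
    mkdir -p "$1/bin" "$1/manuals"
    : > "$1/filter_errors"
    : > "$1/fun"
    chmod 755 "$1/bin"            # drwxr-xr-x
    chmod 666 "$1/filter_errors"  # -rw-rw-rw-
    chmod 600 "$1/fun"            # -rw-------
    chmod 700 "$1/manuals"        # drwx------
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "world-writable before:"; world_writable "$demo_dir"
remove_world_write "$demo_dir"
echo "filter_errors is now $(mode_of "$demo_dir/filter_errors")"
echo "world-writable after: $(world_writable "$demo_dir" | wc -l)"
rm -rf "$demo_dir"
```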
Practicing with
the chmod command in both its forms may be beneficial. For all of the
options available with the chmod or ls commands, please refer to the
manual pages or the reference guide, Unix in a Nutshell, by O'Reilly
& Associates, or any other manual which you might own.