 Welcome to the Cisco Academy for Vision Impaired Linux Wiki.

Understanding Permissions

Each file or directory has a set of permissions: properties that control who may access it and how. Because directories are also files, the concept of permissions applies to them as well, although, as explained below, read, write and execute each mean something slightly different on a directory.

Permission Classes

Three distinct classes of entity have rights to a file: user, group and other. Some tutorials call these owner, group and everyone, and other is often referred to as world. The terms are synonymous. Thinking in terms of user, group and other helps you remember the command line options for changing permissions, because chmod abbreviates them as u, g and o.

The user is the account that owns the file. Usually it is the user who created the file, but not always: files are created for a new account when it is set up, system services have their own user accounts that own specific files, and ownership can be transferred. The chown command changes who owns a file or a collection of files; on Linux only root can give a file away to another user. A file is always owned by some user.

The group is a concept that enables one category of users to work effectively with a specific collection of files. In our college, staff and students are distinct groups, though if a student trains to be a tutor, they may be added to the staff group as well. In a business, sales, development, support and manufacturing may each have their own group. On many home systems each user has a private group of their own, until a system administrator sets up other groups as needed. The system also has groups named after devices (like cdrom or audio) to control who can access those devices. A file belongs to exactly one group; a user can belong to several.

Other means every account that is neither the file's owner nor a member of the file's group. That includes system accounts that never log in interactively, such as the account a web server runs as, which is why world (other) permissions matter for web-based content on a Linux system. Remember whenever you see the word World or Everyone to substitute the term Other in your mind, so you can remember that the permission-changing option begins with the letter O.

Types of Permissions

There are three kinds of permissions available to the three entities discussed above. These three permissions are read, write and execute.

The read permission lets a file be opened and its content read. With read permission alone the user cannot change the file's content. Note that deleting or renaming a file is not controlled by the file's own permissions at all, but by the write permission on the directory that contains it (see below). If a user has read-only permission on a directory, they can list the names in it but cannot open, remove or add files in it, because those actions need execute (and, for removing or adding, write) permission on the directory.

The write permission lets a file be opened and its content changed: users can edit it, append to it, truncate it or overwrite it. On a directory, write permission (together with execute permission) lets a user add files, rename them and delete them, including files in that directory that belong to somebody else. This is the permission that really controls deletion, so a world-writable directory is a serious exposure unless it also carries the sticky bit described under Extra Permissions.

The execute permission lets a program be run or a script be executed. On a directory, execute permission (sometimes called search permission) lets a user enter the directory with cd and reach the files inside it by name; listing the names themselves needs read permission as well. A script needs read permission in addition to execute, because the interpreter has to read its text; only a compiled program can be run with execute permission alone.

With three classes of user and three kinds of permission, access rights can be a bit complex. The support group, for example, can have read access to the accounting group's files but not be allowed to change them in any way. This lets them look up customer account information but prevents them from inadvertently modifying it. For another example, a user might be able to execute a compiled program in a system directory like /usr/bin without being able to read or write it, so they can neither examine its code nor alter it (as noted above, this does not work for a script, which must be readable to run). On another type of system, users might be encouraged to add programs to improve the system, so they will have full access to /usr/bin while others outside will have no access.

Permissions are not just used to prevent security breaches. They can also be used to protect your personal backup files or to prevent you from altering an important configuration file on your system by mistake. When a student finishes their homework, they could change it to read-only so that rm asks for confirmation before removing it when they are cleaning up old practice files. (rm -f removes it anyway, because deletion is governed by the directory's write permission, not the file's.)

Viewing Permissions

To display permissions, use the command

	ls -l

(L stands for long.) Each line of the listing begins with the permissions for one file as a set of codes in the leftmost columns of the display. In column 1, a minus sign (also called a dash or hyphen) is displayed if the item is a plain file. The indicator d is displayed if the item is a directory, and the indicator l is displayed if the item is a symbolic link, to be discussed later. On some systems an eleventh character (a plus sign or a dot) follows the permission codes; it means the file also has an access control list or a security label, which this page does not cover.

Following the indicator in column 1, columns 2, 3 and 4 display the user permissions, always in the order read, write and execute. The code r indicates read permission, w indicates write permission and x indicates execute permission. If a hyphen is displayed instead of the r, w or x in the corresponding column, that permission is absent. r-- means the user has only read permission. rw- means the user can both read and write but not execute. --x means execute is the only permission available to that user.

Using the same format in columns 5 6 and 7, the directory listing displays permissions for the group. The codes are again r w and x and they are replaced by a dash if the corresponding permission is absent.

Last of all, columns 8, 9 and 10 display permissions for others' access, using the same indicators. You will often see --- in these columns, indicating that nobody outside can access the file. It is also common to see r--, indicating everyone can read the file but cannot manipulate it in any way. Occasionally an s or a t appears in an execute column instead of x; that shows one of the extra permissions described under Extra Permissions below is set.

Reading these indicators with speech at first can be overwhelming. But like all complex things, practice makes perfect. You can use your review cursor to slowly traverse and absorb a file's permissions. You can use your screen reader's virtual buffer to capture directory listings to the clipboard. You can work with a braille display, or use redirection to send a directory listing to a file and emboss it in computer Braille. Magnification can also help to examine the permission codes in detail.

The best way to practice is to simply explore a system and type ls -l in a variety of directories. Do not expect it to be second nature at first.
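As an added worked example (not a tool from this wiki), here is a small shell function that turns the ten-character mode field from ls -l back into the octal number chmod accepts, so you can check your reading of a listing. It also understands the s, S, t and T characters that replace x when the extra permissions covered later on this page are set. The sample mode strings at the bottom are constructed for the demonstration, not taken from a real listing.

```shell
#!/bin/sh
# mode_to_octal: translate the ten-character mode field printed by `ls -l`
# (for example "-rwxr-x---") into the four-digit octal number that chmod
# understands. Added example for this page; not part of the wiki's material.
# Lower-case s or t in an execute column means the special bit AND execute
# are both set; upper-case S or T means the special bit is set but execute is not.
mode_to_octal() {
    m2o_mode=$1
    m2o_special=0
    m2o_digits=""
    m2o_pos=2            # column 1 is the file type; permissions start at column 2
    for m2o_who in u g o; do
        m2o_val=0
        m2o_r=$(printf '%s' "$m2o_mode" | cut -c "$m2o_pos")
        m2o_w=$(printf '%s' "$m2o_mode" | cut -c "$((m2o_pos + 1))")
        m2o_x=$(printf '%s' "$m2o_mode" | cut -c "$((m2o_pos + 2))")
        [ "$m2o_r" = r ] && m2o_val=$((m2o_val + 4))
        [ "$m2o_w" = w ] && m2o_val=$((m2o_val + 2))
        case $m2o_x in
            x|s|t) m2o_val=$((m2o_val + 1)) ;;
        esac
        case "$m2o_who$m2o_x" in
            us|uS) m2o_special=$((m2o_special + 4)) ;;   # set-user-ID
            gs|gS) m2o_special=$((m2o_special + 2)) ;;   # set-group-ID
            ot|oT) m2o_special=$((m2o_special + 1)) ;;   # sticky bit
        esac
        m2o_digits="$m2o_digits$m2o_val"
        m2o_pos=$((m2o_pos + 3))
    done
    printf '%s%s\n' "$m2o_special" "$m2o_digits"
}

# Demonstration on constructed mode strings (not copied from a real directory).
for sample in -rw-r--r-- drwxr-x--- -rwsr-xr-x drwxrwsr-x drwxrwxrwt; do
    printf '%s  ->  %s\n' "$sample" "$(mode_to_octal "$sample")"
done
```

To use it on a real file, pass the first field of the listing: mode_to_octal "$(ls -ld somefile | cut -c1-10)". The first digit it prints is the extra-permissions digit explained later on this page; it is 0 for ordinary files.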

Changing Permissions

Use the chmod command to alter a file's permissions. Begin by typing chmod followed by a space. Next you specify the permissions, and lastly you end with the name of the file.

Specifying permissions to chmod can be accomplished using two methods whose syntax is different. The symbolic method lets you change one permission property without affecting the others. The octal or numeric method is quicker to type and lets you specify all the permissions for an entity with a single number.

Symbolic Method

The format of this method is chmod category operator permissions file, where category is u for user, g for group and o for others. You can also specify a for all three categories. Next comes the operator: a plus sign adds the permissions that follow it, a hyphen removes them, and an equals sign sets the class to exactly the permissions listed, removing any others it had. Permissions are specified using the same codes as in the directory listing: r for read, w for write and x for execute.

Using plus or minus rather than equals lets you change one permission while leaving the rest as they are. That matters when you are writing a script that should not alter certain permissions, or when you don't want to work out what a particular file's permissions currently are. For example, if a directory contains some files that have execute permission turned on and others that have it turned off, but you want to remove write permission from all of them, chmod u-w leaves every execute bit untouched, whereas chmod u=r or an octal mode would reset it on every file.

You can specify the codes u for user g for group or o for other in any order. You can also specify the r for read, w for write and x for execute in any order. However the plus, equals sign or dash must follow the u g or o but it must precede the r w or x. You can also use a comma to specify multiple sets of permissions, for example, if you are changing one set of permissions for a group and another set for Other.

For a simple example, if you want to add execute permission to a file for its user (owner), type chmod u+x filename. The u indicates that you are working with the user. The +x means you are enabling the execute permission.

If you wanted to disable write permission for the user, you'd type

	chmod u-w filename

Say instead you wanted to turn off other (world) access rights, so that outsiders could neither read, write nor execute a file. You'd type

	chmod o-r-w-x filename

You can also type

 chmod o-rwx filename

You can also use a comma to separate entities. If you wanted to turn off write permission for both the user and group, you'd type

	chmod u-w,g-w filename

Octal Method

Specify 4 for read, 2 for write and 1 for execute, and add the numbers together to get the permission you need for a class. For example, four plus two is six, so 6 indicates read and write permission but not execute. With the octal method you always specify permissions for all three classes, as three digits in the order user, group, other.

	chmod 777  filename

gives everyone all rights to a file (rarely what you want, since anyone on the system can then alter or replace it).

	chmod 444 filename 

gives everyone read-only permissions.

and

	chmod 754 filename 

gives the user all rights, the group read and execute and others have only read-only access.

As an exercise, guess what

	chmod 751

does.

Though we haven't yet discussed globbing, it is important to mention that chmod can be used on a group of files, as in

	chmod u+r,g-r *.txt

This adds read permission for the user and removes read permission from the group on every file in the current directory whose name ends in .txt; the other permissions of each file are left as they were.

	chmod 322 dave*

would give the following permissions to every file in the current directory whose name begins with dave (the match is case-sensitive, so Dave.txt is not included): write and execute for the file's owner, write for the group and write for the world. That is an odd combination, since the owner cannot even read the file; it is given here only as practice in decoding the digits.

Extra Permissions

It is also possible to supply four digits to chmod; when four digits are given, the first (most significant) one sets the extra permissions. If only three digits are supplied, chmod assumes a leading zero. In everyday usage these extra permissions are not given, and chmod is typically written with only three digits.

If the first digit is not zero, the extra permissions are being set. This digit combines the set-user-ID bit (4), the set-group-ID bit (2) and the sticky bit (1). So 7 turns them all on and zero, the default, turns them all off. For example, 3 turns on the set-group-ID and sticky bits, and 6 turns on the set-user-ID and set-group-ID bits. In an ls -l listing these bits show up in the execute columns: s in the user column for set-user-ID, s in the group column for set-group-ID and t in the other column for the sticky bit (a capital S or T means the bit is set but the matching execute permission is not).

The set-user-ID bit applies to executable files. When a program with this bit set is run, it runs with the permissions of the file's owner, not those of the person who ran it. That is how an ordinary user can run passwd, which is owned by root, to change a password stored in a file that only root may write. It does not transfer ownership of anything: the user running the program never becomes its owner. Because a set-user-ID program owned by root hands root's privileges to whoever runs it, such programs are a favourite target for attackers, and administrators periodically list them (find / -xdev -perm -4000) to check that nothing unexpected has appeared. On Linux the set-user-ID bit has no effect on a directory.

The set-group-ID bit does the same thing for the group that owns a file: a program with this bit set runs with the permissions of the file's group. On a directory it means something different and very useful: files created in that directory belong to the directory's group rather than to the creator's primary group, and new subdirectories inherit the set-group-ID bit. This is how a shared project directory is set up so that everyone in the project group can read and write each other's files.

Notice that only newly created entries are affected by the set-group-ID bit on a directory. A file moved in with mv on the same filesystem keeps its original owner and group; a copy made with cp is a new file, so it takes the directory's group.

The sticky bit is used on directories that everyone may write to, such as /tmp. In a sticky directory a file can be deleted or renamed only by the file's owner, the directory's owner or root, even though every user has write permission on the directory. Without it, anyone could remove anyone else's temporary files. On Linux the sticky bit has no effect on a regular file.

More examples of how we practiced with these special extra permissions on directories are explained in Lecture 18.
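The following added example (not part of this wiki's material) shows the three extra bits doing their job on a throwaway directory: a set-group-ID project directory handing its group and its bit down to what is created inside it, the sticky /tmp pattern as ls -ld would display it, and the find check for set-user-ID files run over a constructed tree. It assumes GNU or busybox coreutils and findutils (stat -c, find -perm) and a writable temporary directory.

```shell
#!/bin/sh
# Added example for this page, not a wiki tool. Assumes GNU/busybox coreutils
# and findutils (`stat -c`, `find -perm`) and that mktemp can create directories.

# shared_dir_demo: set a directory up the way a shared project directory usually
# is (set-group-ID, group-writable, no world access), create a file and a
# subdirectory inside it, and print "DIRMODE SAMEGROUP SUBMODE", where SAMEGROUP
# is yes if the new file took the DIRECTORY's group rather than the creator's.
shared_dir_demo() {
    sd_dir=$(mktemp -d) || return 1
    # If this account belongs to a second group, give the directory to it so
    # the inheritance is visible; with only one group the outcome is the same.
    for sd_g in $(id -G); do
        [ "$sd_g" != "$(id -g)" ] && chgrp "$sd_g" "$sd_dir" 2>/dev/null && break
    done
    chmod 2770 "$sd_dir"                               # drwxrws---
    ( umask 007 && : > "$sd_dir/report.txt" && mkdir "$sd_dir/sub" )
    if [ "$(stat -c %g "$sd_dir/report.txt")" = "$(stat -c %g "$sd_dir")" ]; then
        sd_same=yes
    else
        sd_same=no
    fi
    printf '%s %s %s\n' "$(stat -c %a "$sd_dir")" "$sd_same" "$(stat -c %a "$sd_dir/sub")"
    rm -rf "$sd_dir"
}

# sticky_dir_demo: the /tmp pattern; prints the symbolic mode ls -ld would show.
sticky_dir_demo() {
    st_dir=$(mktemp -d) || return 1
    chmod 1777 "$st_dir"
    stat -c %A "$st_dir"                               # drwxrwxrwt
    rm -rf "$st_dir"
}

# count_setuid DIR: the audit check that goes with the set-user-ID bit. Counts
# regular files under DIR that carry it; `find / -xdev -perm -4000` is the
# system-wide form an administrator runs.
count_setuid() {
    find "$1" -xdev -type f -perm -4000 | wc -l
}

# setuid_demo: constructed tree with one ordinary and one set-user-ID file.
setuid_demo() {
    su_dir=$(mktemp -d) || return 1
    : > "$su_dir/plain"
    chmod 755 "$su_dir/plain"                          # -rwxr-xr-x
    : > "$su_dir/privileged"
    chmod 4755 "$su_dir/privileged"                    # -rwsr-xr-x
    count_setuid "$su_dir"                             # 1
    rm -rf "$su_dir"
}

shared_dir_demo
sticky_dir_demo
setuid_demo
```

The subdirectory comes out as 2770 rather than 770 because directories always inherit the set-group-ID bit of their parent; that is what keeps a project tree consistent as people add folders to it. What the demonstration cannot show with a single account is the sticky bit refusing a deletion: for that you need a second user trying to rm a file you created in the 1777 directory.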

The Umask Command

Umask sets the default permissions on any file or directory you create. Programs usually create files without specifying permissions in detail (an editor saving a new file asks for 666, mkdir asks for 777), and the umask is the set of permission bits that is removed from that request. A umask can only take permissions away; it never adds any.

By default, umask on Ubuntu is set to 0022, but that's easily changed with the umask command. Type umask on its own to see the value currently in effect (some systems use 0002 instead, where each user has a private group), and umask -S to see it as symbolic permissions.

Umask Examples

umask 0022
Masks off: no special permissions, no user permissions, group write permission and world write permission. New files come out as 644 (rw-r--r--) and new directories as 755: everyone can read them, only the owner can write to them.

umask 0007

	Masks off: no special permissions, no user permissions, no group permissions and all world permissions. New files come out as 660 and new directories as 770: the owner and the group can use them, but they cannot be accessed by the general public.

umask 0077
Masks off: no special permissions, no user permissions, all group permissions and all world permissions. New files come out as 600 and new directories as 700.

Only you, the user, have permission to read, write or execute a file.

Umask affects every file you create from that shell, no matter where, unless the program creating it explicitly asks for a stricter mode (ssh-keygen, for instance, creates private keys as 600 whatever the umask). You can always loosen or tighten permissions afterwards with chmod.

The umask is a property of each process, inherited by the programs it starts. Typing umask in a shell changes it for that shell and everything launched from it, but not for other shells already running. Each time you log in, the system-wide default (set in files such as /etc/profile or /etc/login.defs) or your own .bashrc or .profile establishes the umask in effect.

And, by default, unless you lock files down on your system, the usual umask of 022 makes every file in user directories world-readable.

Sometimes you'll want files to be world-readable; for example, web pages need to be readable by the account the web server (such as apache) runs as, which is neither you nor your group, so that it can send them to the users' browsers.

Other times, users' files should be safeguarded more thoroughly than the default umask allows.
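As an added example (not part of this wiki's material), the shell function below shows what a given umask does to a new file and a new directory, both by actually creating them in a throwaway directory and by the arithmetic the kernel performs (requested mode AND NOT umask). It assumes GNU or busybox coreutils for stat -c; the umask values run at the bottom are the three from the examples above plus 002.

```shell
#!/bin/sh
# Added example for this page, not a wiki tool. Assumes GNU/busybox `stat -c`.

# umask_result UMASK: create a file and a directory under UMASK and print their
# modes as "FILEMODE DIRMODE", e.g. "644 755" for umask 022.
umask_result() {
    ur_dir=$(mktemp -d) || return 1
    # The umask is a per-process attribute, so change it inside a subshell:
    # the caller's own umask is left exactly as it was.
    (
        umask "$1"
        : > "$ur_dir/file"        # a plain file is requested as 666 ...
        mkdir "$ur_dir/dir"       # ... a directory as 777; the umask removes bits
    )
    printf '%s %s\n' "$(stat -c %a "$ur_dir/file")" "$(stat -c %a "$ur_dir/dir")"
    rm -rf "$ur_dir"
}

# umask_predict UMASK: the same answer by arithmetic, without touching the disk.
# The leading 0 makes the shell read the argument as octal.
umask_predict() {
    printf '%o %o\n' "$(( 0666 & ~0$1 ))" "$(( 0777 & ~0$1 ))"
}

for m in 022 002 007 077; do
    printf 'umask %s: created %s   predicted %s\n' \
        "$m" "$(umask_result "$m")" "$(umask_predict "$m")"
done
```

Because the umask can only remove bits, no value of it will ever produce an executable file: 666 masked by anything is at most 666, which is why a freshly saved script always needs a chmod u+x before it will run.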

Page last modified on May 25, 2020, at 10:44 PM