Saturday, April 25, 2009

File Permissions

About File Permissions

Preliminary

Each file in Linux inherits a set of properties. One vital set of properties is the file's permissions. Permissions determine what any particular user (or group of users) is able to do with that file. File permissions help prevent unwanted deletion and safeguard your data. In order to use Linux's file permissions, you need to understand Linux's categories of users and groups.

Categories of Users

You are asked to enter a login name and password when you first log into Linux. When we talk of a user, we refer to the account issuing commands to the operating system at the time and not to the actual person operating the computer. As soon as Linux authenticates your login name and password you "become" that user and operate using that user account.

Users belong to one or more groups. (The SuperUser allocates Users to particular groups.) Each user has a default group.

Linux organises users into three broad categories (the values in brackets are Linux's accepted abbreviations):

1. user (u) The owner of the file. A user who creates a file automatically owns it. Only the owner and the SuperUser (alias root) can change the permissions of a file.
2. group (g) The group of a file. One group of users is given special access to a file. This is determined by the file owner.
3. others (o) All other users on the system. In other words, every account except the file's owner, or users in the file's group.

File access attributes

Each file has a set of attributes specifying what the user in each category (user, group, others) can do with the file. Here are the three types of access available in Linux:

1. read (r) This category of users can display, but not necessarily alter, the file.
2. write (w) This category of users can alter the file (but not necessarily read it.)
3. execute (x) This category of user can execute (i.e. run) the file.

Displaying file permissions

You can display a file's permissions by executing the ls -l command. Here is a sample output:

[lloy0076@localhost bin2dec]$ ls -l
total 23
-rw-r----- 1 lloy0076 root 286 Aug 28 02:17 b2d.lex
-rwxr-xr-x 1 lloy0076 root 20390 Aug 28 02:17 b2d
-rw-r--r-- 1 lloy0076 root 49 Aug 27 22:08 Makefile

You can see the file permissions in the left-most column. The first character is usually a `-' or `d'. This actually refers to the type of the file, and does not refer to the file permissions; a `-' indicates the file is a "normal" file, and a `d' indicates that it is a directory. Other letters indicate files with special meanings to Linux. The next nine characters refer to file permissions.

The first three (of the nine permission characters) show what access to the file is permitted for the owner; the next three show the permissions for anyone in the file's group; and the last three are for those classified as other. A letter (r, w or x) indicates that the permission for that particular user, group or other is set, and a `-' indicates that the permission is not available.

Schematically you could represent it like this:

 -     rwx    rwx     rwx
type   user   group   other

[-rwxrwxrwx]

The b2d.lex file is owned by the user lloy0076, who can read and write it; anyone in the root group can read the file; and nobody else is permitted any access at all. The b2d file is also owned by lloy0076, who has read, write and execute permission on it. Anyone in the "root" group has read and execute permissions for the file; and so does everyone else.
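
The listing above, decoded by a small script. This is an added example, not part of the original post; the function names describe_mode and access_words are made up for illustration, and it only handles the `-' and `d' types and the r, w and x letters covered here.

```sh
#!/bin/sh
# Added example: turn the first column of `ls -l` into words.

# access_words rw-  ->  read,write      access_words ---  ->  none
access_words() {
    words=""
    case $1 in r??) words="read" ;; esac
    case $1 in ?w?) words="$words,write" ;; esac
    case $1 in ??x) words="$words,execute" ;; esac
    words=${words#,}
    printf '%s\n' "${words:-none}"
}

# describe_mode -rw-r-----  ->  file: user=read,write group=read others=none
describe_mode() {
    mode=$1
    # Accept only what the text covers: type '-' or 'd', then three r/w/x triplets.
    case $mode in
        [-d][r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) printf 'unsupported mode string: %s\n' "$mode" >&2; return 1 ;;
    esac
    case $mode in d*) kind=directory ;; *) kind=file ;; esac
    # Characters 2-4 are the user, 5-7 the group, 8-10 everyone else.
    u=$(printf '%s' "$mode" | cut -c2-4)
    g=$(printf '%s' "$mode" | cut -c5-7)
    o=$(printf '%s' "$mode" | cut -c8-10)
    printf '%s: user=%s group=%s others=%s\n' "$kind" \
        "$(access_words "$u")" "$(access_words "$g")" "$(access_words "$o")"
}

# The three listing lines shown above, fed through the decoder.
while read -r mode _ _ _ _ _ _ _ name; do
    printf '%-8s %s\n' "$name" "$(describe_mode "$mode")"
done <<'EOF'
-rw-r----- 1 lloy0076 root 286 Aug 28 02:17 b2d.lex
-rwxr-xr-x 1 lloy0076 root 20390 Aug 28 02:17 b2d
-rw-r--r-- 1 lloy0076 root 49 Aug 27 22:08 Makefile
EOF
```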

Changing file permissions

chmod

To change permissions use the command chmod from the command-line. You must be the owner of the file (or you must be the SuperUser.) Take care when changing a file's permissions and be especially careful when you are working with any system files.

The basic format for chmod is:

* chmod [OPTION]... MODE... FILE...

FILE is a file or directory, which will have its permissions set. MODE is the permissions being set on the [FILE].

You can use a number of OPTIONs with chmod. Two useful ones are:

* -v chmod produces verbose output; useful to see exactly what chmod is doing
* -R chmod will descend (recursively) into all subdirectories, changing all file permissions contained within. This means that it will iterate through all the files in all the specified FILE's subdirectories (if it has any) changing them as it goes. This option should be used with care.

You use the `+', '-' or '=' action symbols to add, subtract or set file permissions. Here is how you do it:

1. Specify the category of users with the abbreviations for the categories (u, g or o). A special category, 'a', also exists which means all users. You can add these together like ug, which means the user and the group
2. Specify an appropriate action symbol ('+', '-' or '=')
3. Specify a file access attribute (r, w, or x). As with the specification for users, you can add these together like rw, which means read and write permissions

Here are three examples of how to use chmod on a file called `test'; for our purposes we will assume that `test' has absolutely no access permitted at the start:

1. chmod ug+rx test This gives read and execute permissions to the user and group; the permissions are now -r-xr-x---
2. chmod a-x test This removes execute permissions from all users; after these two steps, the permissions are -r--r-----
3. chmod u=x test This sets execute permission, and removes all others, for the owner. After these three steps the permissions are ---xr-----

An easy way to determine what the mode string, ug+rx for example, means is by actually saying it fully out loud. This example would be user; group; add; read permissions; execute permission. Although it is terrible English, it should be plain what this particular mode is trying to achieve.
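
The three chmod steps above can be replayed on a scratch file to confirm each resulting mode. This is an added example, not part of the original post; the helper names mode_of and replay_modes are made up for illustration, and `chmod a=` is used to start the file with no access at all.

```sh
#!/bin/sh
# Added example: replay symbolic chmod steps and read the mode back after each.

# Print the ten-character type+permission column for one path.
# cut drops the optional 11th character some systems append to the column.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# Apply each symbolic MODE in turn to a fresh file called `test` and
# print the starting mode followed by the mode after every step.
replay_modes() {
    dir=$(mktemp -d) || return 1
    file=$dir/test
    : > "$file"
    chmod a= "$file"            # no access for anyone, as the text assumes
    trace=$(mode_of "$file")
    for m in "$@"; do
        # Stop and clean up if chmod rejects a mode string.
        chmod "$m" "$file" || { rm -rf -- "$dir"; return 1; }
        trace="$trace $(mode_of "$file")"
    done
    rm -rf -- "$dir"
    printf '%s\n' "$trace"
}

# The sequence from the text: ug+rx, then a-x, then u=x.
replay_modes ug+rx a-x u=x
```

Note that the last step, u=x, rewrites only the owner's three characters; the group's r-- from the earlier steps is left alone.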

Conclusion

info chmod and man chmod are both good reference points for chmod. Whilst chmod also understands another way of specifying modes - the octal method - I find it easier to explain this method to new Linux Users. The octal method is adequately explained in the man pages for chmod.
