Rights and ownerships

Written by Dennis Leeuw
License: GPL

Every operating system that supports one or more user needs a way to tell which user has rights on which file. This is not to make things more complicated, but to prevent one user from viewing another users data, without permission. So what we are actually talking about is permissions. You may have the permission to read or write to some file, or you may not.

Linux shows the rights on the file with the ls -al command. An example may look like this:

drwxrwxrwx  11 leeuw    users     4096 May  7 12:09 doc
-rw-------   1 leeuw    users   240447 Jul  5  2000 mbox
drwxr-xr-x   2 leeuw    users     4096 Nov 30 15:15 naming
drwx------   2 leeuw    users     4096 Apr 26 11:29 nsmail
drwxr-xr-x   4 leeuw    users     4096 Dec 14 16:43 pictures
drwxr-xr-x   3 leeuw    users     4096 Oct 18  2000 pilot
-rw-r--r--   1 leeuw    users   172858 Apr  5 13:28 scripts.tar.gz
drwxr-xr-x   2 leeuw    users     4096 Jan 18 16:34 sysadmin
drwxr-xr-x   4 leeuw    users     4096 May  7 11:27 tools
Here we see 9 colomns of data in 9 rows. The rows are read from left to right and we are currently only concerned with colomns 1, 3 and 4.

Who am I

Let's start with the first line, colomns 3 and 4. These say that the name under which the directory is created is leeuw, so the directory belongs to me. And that the directory also belongs to the group users. When I logon to the system I type a username and a password. This username is in my case leeuw. Next to that the system apperently uses groups to which users can be long and the system administrator has put me in the group users.

Let's see what more I can find out about myself on the system.

With the command whoami it is possible to show who I am:

appel:~ > whoami
leeuw
and with id I can even see to which groups I belong:
appel:~ > id
uid=514(leeuw) gid=100(users) groups=100(users),220(writers)
This shows that next to the group users I also belong to the group writers.

With this last command there are a couple of new things that are shown. First there are the abbreviations uid (user identifier) and gid (group identifier), and behind these we see numbers and names. Computers can only work in numbers while people remember names better then numbers. That's why every name is associated with a number. Ofcourse there is a way to map names to numbers and vice versa. To show how this is done, try:

apple:~ > grep leeuw /etc/passwd
leeuw:x:514:100:Dennis Leeuw:/home/leeuw:/bin/bash

where you ofcourse substitute leeuw with your own username. Do this also for /etc/group:

appel:~ > grep leeuw /etc/group 
writers:x:220:leeuw
appel:~ > grep 100 /etc/group
users:x:100:

Now it probably gets clearer. The /etc/passwd file shows that leeuw has user id 514 and belongs to group 100. Next the /etc/group shows that leeuw belongs to group writers and that group 100 is named users. Well we knew this already from the id command, but now we know why.

Permissions

Type Owner Group Other
d rwx rwx rwx

The first colomn from our ls -al command shows the rights. The complete string drwxrwxrwx consists of four parts as shown above. The type field shows the type of file we are talking about. Since everything in a Unix-like operating system is a file, also a directory is a file. So to distinguish a directory from a "real" file the first field shows a d for directory and a - (dash) for a file. Other types are:

-normal file
ddirectory
lsymbolic link
bblock device
ccharacter device

The next three fields define the rights. Unix-like systems have two ways of identifying people. First the username and second the group to which you belong. Everything else is called the other. This way of identifying people is reflected in the way permissions are given. You can give permission on a owner-basis, group-basis and other-basis. Ofcourse are the rights of owners stronger then that of groups, which are then again stronger then that of the world.

For each type of user (owner, group, other) you can assign three possible actions:

read (r)
This indicates if a file can be read by a user
write (w)
Determens if you have the ability to write to a file
execute (x)
This gives you the ability to execute (run) a program or to enter a directory.

I think the read and right permissions are self explaining and am afraid execute would too, except for one point: If you want to execute a program that program has first to be loaded from harddisk into memory. Then it is executed, so you need the read permission too, and the same goes for directories, only for another reason. It is not useful to be able to enter a directory without being able to view it's contents.

A smart reader would probably have asked him- or herself one question already, if computers only understand numbers, what's then the trick with rwx?

Answer: they are converted to numbers. Actually the rwx-permissions are bits. So you are setting bits when setting permisions. If I have three bits for rwx, like 111. Or for r-x, you would have 101, but it would probably be clearer to explain this by a couple of examples.

First we are gonna create a test directory and file.

appel:~ > mkdir test
appel:~ > cd test
appel:~/test > touch file1
appel:~/test > ls -al
total 8
drwxr-xr-x   2 leeuw    users        4096 May  8 15:44 .
drwxr-x---  43 leeuw    users        4096 May  8 15:44 ..
-rw-r--r--   1 leeuw    users           0 May  8 15:44 file1

file1 is created with ownership leeuw and group users, but let's assume that this file should belong to the group writers, the other group I belong to.

appel:~/test > chown leeuw.writers file1
appel:~/test > ls -al
total 8
drwxr-xr-x   2 leeuw    users        4096 May  8 15:44 .
drwxr-x---  43 leeuw    users        4096 May  8 15:44 ..
-rw-r--r--   1 leeuw    writers         0 May  8 15:44 file1

According to the permissions the file is now read/write-able for me (the owner) and readable for the group writers and the world, this is not what we want. It should be editable by the co-writers, but should currently not be accessable to others, so we need to change these permissions. Where we used chown (change owner) for the ownership, we use chmod for the permissions. chmod understands a bit notation and a human readable notation. We are will start with the human readable one.

appel:~/test > chmod g+w file1
appel:~/test > ls -al
total 8
drwxr-xr-x   2 leeuw    users        4096 May  8 15:44 .
drwxr-x---  43 leeuw    users        4096 May  8 15:44 ..
-rw-rw-r--   1 leeuw    writers         0 May  8 15:44 file1
appel:~/test > chmod o-r file1
appel:~/test > ls -al
total 8
drwxr-xr-x   2 leeuw    users        4096 May  8 15:44 .
drwxr-x---  43 leeuw    users        4096 May  8 15:44 ..
-rw-rw----   1 leeuw    writers         0 May  8 15:44 file1

What we did was we assigned write permissions (+w) for the group (g) and after that we removed the read (-r) permissions for other (o). We could have done this also with a chmod and a decimal bit patern. First some explanation:

The lowest bit is the x-bit and the highest the r-bit. That means that to set the x bit you'll have a 2^0 decimal value which is equal to 1, for the w bit you have 2^1 which is a decimal value of 2 and for the r-bit it comes to 2^2 which is 4.

By summation of the different values one can assign a setting per owner, group and other. That means that a chmod 750 file1 would assign rwxr-x--- to file1. The 7 is the owner rights which is composed of 4+2+1, the 5 is the group right which is composed of 4+1 and the 0 is the other right, which means no bit is set.

Now check for yourself what the chmod value for file1 should be for it's current setting of rw-rw----.

Default settings

When we created file1, after the touch, we saw that it was created as user leeuw, with group users and a permission setting of rw-r--r--. There is some way the system has to know how to create a file with these settings. A system that creates default world-readable files is not what you want in a very security sensitive environment, in my case it is no problem, it is my workstation with just two accounts and no network connection, so I don't worry about it. But it might be wise to change the default behaviour.

When you login to your system a shell is started, on GNU/Linux systems this is usually bash, which reads a settings file called /etc/profile. In this file is an entry called umask. Try the following:

appel:~/test > cat /etc/profile| grep umask
umask 022
This might look a bit different on your system. My system umask is set to 022. The special think about umask is that it never sets the x-bit by default and the everything else is the inverse of the chmod decimals, so a 0 means rw and a 2 means r. What happens is that the umask is AND with 777 for directories and AND with 666 for files (where 777 and 666 are the "default" permissions when no umask is used) and creates the default permissions. So a umask of 027 creates rw-r----- as the default permissions. The easiest way to do the math is subtracting the umask setting from the default permissions.

If you want to experiment with this you could use the umask command, as used in your /etc/profile to change the default behaviour. Try the following and watch the results:

appel:~/test > umask 025
appel:~/test > touch test
appel:~/test > umask 027
appel:~/test > touch test2
appel:~/test > ls -al
total 8
drwxr-xr-x   2 leeuw    users        4096 May  8 16:50 .
drwxr-x---  43 leeuw    users        4096 May  8 15:44 ..
-rw-rw----   1 leeuw    writers         0 May  8 15:44 file1
-rw-r---w-   1 leeuw    users           0 May  8 16:50 test
-rw-r-----   1 leeuw    users           0 May  8 16:50 test2