Written by Dennis Leeuw
License: GPL
Every operating system that supports one or more user needs a way to tell which user has rights on which file. This is not to make things more complicated, but to prevent one user from viewing another users data, without permission. So what we are actually talking about is permissions. You may have the permission to read or write to some file, or you may not.
Linux shows the rights on the file with the ls -al command. An example may look like this:
drwxrwxrwx 11 leeuw users 4096 May 7 12:09 doc -rw------- 1 leeuw users 240447 Jul 5 2000 mbox drwxr-xr-x 2 leeuw users 4096 Nov 30 15:15 naming drwx------ 2 leeuw users 4096 Apr 26 11:29 nsmail drwxr-xr-x 4 leeuw users 4096 Dec 14 16:43 pictures drwxr-xr-x 3 leeuw users 4096 Oct 18 2000 pilot -rw-r--r-- 1 leeuw users 172858 Apr 5 13:28 scripts.tar.gz drwxr-xr-x 2 leeuw users 4096 Jan 18 16:34 sysadmin drwxr-xr-x 4 leeuw users 4096 May 7 11:27 toolsHere we see 9 colomns of data in 9 rows. The rows are read from left to right and we are currently only concerned with colomns 1, 3 and 4.
Let's start with the first line, colomns 3 and 4. These say that the name under which the directory is created is leeuw, so the directory belongs to me. And that the directory also belongs to the group users. When I logon to the system I type a username and a password. This username is in my case leeuw. Next to that the system apperently uses groups to which users can be long and the system administrator has put me in the group users.
Let's see what more I can find out about myself on the system.
With the command whoami it is possible to show who I am:
appel:~ > whoami leeuwand with id I can even see to which groups I belong:
appel:~ > id uid=514(leeuw) gid=100(users) groups=100(users),220(writers)This shows that next to the group users I also belong to the group writers.
With this last command there are a couple of new things that are shown. First there are the abbreviations uid (user identifier) and gid (group identifier), and behind these we see numbers and names. Computers can only work in numbers while people remember names better then numbers. That's why every name is associated with a number. Ofcourse there is a way to map names to numbers and vice versa. To show how this is done, try:
apple:~ > grep leeuw /etc/passwd leeuw:x:514:100:Dennis Leeuw:/home/leeuw:/bin/bash
where you ofcourse substitute leeuw with your own username. Do this also for /etc/group:
appel:~ > grep leeuw /etc/group writers:x:220:leeuw appel:~ > grep 100 /etc/group users:x:100:
Now it probably gets clearer. The /etc/passwd file shows that leeuw has user id 514 and belongs to group 100. Next the /etc/group shows that leeuw belongs to group writers and that group 100 is named users. Well we knew this already from the id command, but now we know why.
Type | Owner | Group | Other |
d | rwx | rwx | rwx |
The first colomn from our ls -al command shows the rights. The complete string drwxrwxrwx consists of four parts as shown above. The type field shows the type of file we are talking about. Since everything in a Unix-like operating system is a file, also a directory is a file. So to distinguish a directory from a "real" file the first field shows a d for directory and a - (dash) for a file. Other types are:
- | normal file |
d | directory |
l | symbolic link |
b | block device |
c | character device |
The next three fields define the rights. Unix-like systems have two ways of identifying people. First the username and second the group to which you belong. Everything else is called the other. This way of identifying people is reflected in the way permissions are given. You can give permission on a owner-basis, group-basis and other-basis. Ofcourse are the rights of owners stronger then that of groups, which are then again stronger then that of the world.
For each type of user (owner, group, other) you can assign three possible actions:
I think the read and right permissions are self explaining and am afraid execute would too, except for one point: If you want to execute a program that program has first to be loaded from harddisk into memory. Then it is executed, so you need the read permission too, and the same goes for directories, only for another reason. It is not useful to be able to enter a directory without being able to view it's contents.
A smart reader would probably have asked him- or herself one question already, if computers only understand numbers, what's then the trick with rwx?
Answer: they are converted to numbers. Actually the rwx-permissions are bits. So you are setting bits when setting permisions. If I have three bits for rwx, like 111. Or for r-x, you would have 101, but it would probably be clearer to explain this by a couple of examples.
First we are gonna create a test directory and file.
appel:~ > mkdir test appel:~ > cd test appel:~/test > touch file1 appel:~/test > ls -al total 8 drwxr-xr-x 2 leeuw users 4096 May 8 15:44 . drwxr-x--- 43 leeuw users 4096 May 8 15:44 .. -rw-r--r-- 1 leeuw users 0 May 8 15:44 file1
file1 is created with ownership leeuw and group users, but let's assume that this file should belong to the group writers, the other group I belong to.
appel:~/test > chown leeuw.writers file1 appel:~/test > ls -al total 8 drwxr-xr-x 2 leeuw users 4096 May 8 15:44 . drwxr-x--- 43 leeuw users 4096 May 8 15:44 .. -rw-r--r-- 1 leeuw writers 0 May 8 15:44 file1
According to the permissions the file is now read/write-able for me (the owner) and readable for the group writers and the world, this is not what we want. It should be editable by the co-writers, but should currently not be accessable to others, so we need to change these permissions. Where we used chown (change owner) for the ownership, we use chmod for the permissions. chmod understands a bit notation and a human readable notation. We are will start with the human readable one.
appel:~/test > chmod g+w file1 appel:~/test > ls -al total 8 drwxr-xr-x 2 leeuw users 4096 May 8 15:44 . drwxr-x--- 43 leeuw users 4096 May 8 15:44 .. -rw-rw-r-- 1 leeuw writers 0 May 8 15:44 file1 appel:~/test > chmod o-r file1 appel:~/test > ls -al total 8 drwxr-xr-x 2 leeuw users 4096 May 8 15:44 . drwxr-x--- 43 leeuw users 4096 May 8 15:44 .. -rw-rw---- 1 leeuw writers 0 May 8 15:44 file1
What we did was we assigned write permissions (+w) for the group (g) and after that we removed the read (-r) permissions for other (o). We could have done this also with a chmod and a decimal bit patern. First some explanation:
The lowest bit is the x-bit and the highest the r-bit. That means that to set the x bit you'll have a 2^0 decimal value which is equal to 1, for the w bit you have 2^1 which is a decimal value of 2 and for the r-bit it comes to 2^2 which is 4.
By summation of the different values one can assign a setting per owner, group and other. That means that a chmod 750 file1 would assign rwxr-x--- to file1. The 7 is the owner rights which is composed of 4+2+1, the 5 is the group right which is composed of 4+1 and the 0 is the other right, which means no bit is set.
Now check for yourself what the chmod value for file1 should be for it's current setting of rw-rw----.
When we created file1, after the touch, we saw that it was created as user leeuw, with group users and a permission setting of rw-r--r--. There is some way the system has to know how to create a file with these settings. A system that creates default world-readable files is not what you want in a very security sensitive environment, in my case it is no problem, it is my workstation with just two accounts and no network connection, so I don't worry about it. But it might be wise to change the default behaviour.
When you login to your system a shell is started, on GNU/Linux systems this is usually bash, which reads a settings file called /etc/profile. In this file is an entry called umask. Try the following:
appel:~/test > cat /etc/profile| grep umask umask 022This might look a bit different on your system. My system umask is set to 022. The special think about umask is that it never sets the x-bit by default and the everything else is the inverse of the chmod decimals, so a 0 means rw and a 2 means r. What happens is that the umask is AND with 777 for directories and AND with 666 for files (where 777 and 666 are the "default" permissions when no umask is used) and creates the default permissions. So a umask of 027 creates rw-r----- as the default permissions. The easiest way to do the math is subtracting the umask setting from the default permissions.
If you want to experiment with this you could use the umask command, as used in your /etc/profile to change the default behaviour. Try the following and watch the results:
appel:~/test > umask 025 appel:~/test > touch test appel:~/test > umask 027 appel:~/test > touch test2 appel:~/test > ls -al total 8 drwxr-xr-x 2 leeuw users 4096 May 8 16:50 . drwxr-x--- 43 leeuw users 4096 May 8 15:44 .. -rw-rw---- 1 leeuw writers 0 May 8 15:44 file1 -rw-r---w- 1 leeuw users 0 May 8 16:50 test -rw-r----- 1 leeuw users 0 May 8 16:50 test2