Difference between revisions of "UNIX file system permissions tutorial"
Revision as of 01:35, 4 April 2006
Checking and Understanding Permissions
Access permissions of every file and folder in a UNIX system are controlled by a system based on two identification numbers: User identifier (Unix)
Every user on a Unix system has a unique username, and is a member of at least one group (the primary group for that user). This group information is held in the password file (/etc/passwd). A user can also be a member of one or more other groups. The auxiliary group information is held in the file /etc/group. Only the administrator can create new groups or add/delete group members (one of the shortcomings of the system).
Every directory and file on the system has an owner, and also an associated group. It also has a set of permission flags which specify separate read, write and execute permissions for the 'user' (owner), 'group', and 'other' (everyone else with an account on the computer). The 'ls' command shows the permissions and group associated with files when used with the -l option. On some systems (e.g. Coos), the '-g' option is also needed to see the group information.
An example of the output produced by 'ls -l' is shown below.
  drwx------ 2 richard staff  2048 Jan  2  1997 private
  drwxrws--- 2 richard staff  2048 Jan  2  1997 admin
  -rw-rw---- 2 richard staff 12040 Aug 20  1996 admin/userinfo
  drwxr-xr-x 3 richard user   2048 May 13 09:27 public
Understanding how to read this output is useful to all unix users, but especially people using group access permissions.
- Field 1: a set of ten permission flags.
- Field 2: link count (don't worry about this)
- Field 3: owner of the file
- Field 4: associated group for the file
- Field 5: size in bytes
- Fields 6-8: date of last modification (format varies, but always 3 fields)
- Field 9: name of file (possibly with path, depending on how ls was called)
The permission flags are read as follows (left to right):

| position | Meaning |
|---|---|
| 1 | directory flag, 'd' if a directory, '-' if a normal file, something else occasionally may appear here for special devices. |
| 2,3,4 | read, write, execute permission for User (Owner) of file |
| 5,6,7 | read, write, execute permission for Group |
| 8,9,10 | read, write, execute permission for Other |

| value | Meaning |
|---|---|
| - | in any position means that flag is not set |
| r | file is readable by owner, group or other |
| w | file is writeable. On a directory, write access means you can add or delete files |
| x | file is executable (only for programs and shell scripts - not useful for data files). Execute permission on a directory means you can list the files in that directory |
| s | in the place where 'x' would normally go is called the set-UID or set-groupID flag. |

On an executable program with set-UID or set-groupID, that program runs with the effective permissions of its owner or group.

For a directory, the set-groupID flag means that all files created inside that directory will inherit the group of the directory. Without this flag, a file takes on the primary group of the user creating the file. This property is important to people trying to maintain a directory as group accessible. The subdirectories also inherit the set-groupID property.
Setting default file permissions
When a user creates a file or a directory, the initial permissions of those are determined by the 'umask' value, which is set by:
- the umask command
- the user's initialization file
- the system-wide initialization file
Typically the default configuration is equivalent to typing 'umask 22' which produces permissions of:
-rw-r--r-- for regular files, or drwxr-xr-x for directories.
In other words, the user has full access; everyone else (group and other) has read access to files and lookup access to directories.
When working with group-access files and directories, it is common to use 'umask 2' which produces permissions of:
-rw-rw-r-- for regular files, or drwxrwxr-x for directories.
For private work, use 'umask 77' which produces permissions:
-rw------- for regular files, or drwx------ for directories.
umask Unmasked
umask is an octal number between 000 and 777 that directly affects the resulting file and directory permissions. The three digits, from left to right, govern the permissions for user, group and others respectively. Each digit relates to the respective chmod value as follows.
| umask | File | Directory |
|---|---|---|
| 0 | 6 | 7 |
| 1 | 6 | 6 |
| 2 | 4 | 5 |
| 3 | 4 | 4 |
| 4 | 2 | 3 |
| 5 | 2 | 2 |
| 6 | 0 | 1 |
| 7 | 0 | 0 |
Some common umask settings, shown in a more understandable way:
The results shown in the table can be obtained from this bash script.
  umask   file   dirs          files           dirs
    022    759    648     -rw-r--r--     drwxr-xr-x
    027    754    643     -rw-r-----     drwxr-x---
    002    775    664     -rw-rw-r--     drwxrwxr-x
    006    771    660     -rw-rw----     drwxrwx--x
    007    770    659     -rw-rw----     drwxrwx---
    077    714    603     -rw-------     drwx------
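The tutorial's own script is not reproduced on this page. The following is an added POSIX sh script (not the original author's) that derives each row: it masks the base modes 666 (files) and 777 (directories) with the umask, as the kernel does, and renders the result both in octal and in the symbolic form that 'ls -l' prints.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: compute the mode that a
# given umask produces for new regular files (base 666) and directories
# (base 777).  The kernel applies mode = base & ~umask; the symbolic
# column is what 'ls -l' would print for the resulting file.

# rwx DIGIT: symbolic form of one octal permission digit (0-7)
rwx() {
  case $1 in
    0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
    2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
    4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
    6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
  esac
}

# apply_umask BASE UMASK: 3-digit octal result of BASE & ~UMASK.
# The prepended 0 makes the shell treat both operands as octal constants.
apply_umask() {
  printf '%03o' $(( 0$1 & ~0$2 ))
}

# symbolic TYPECHAR MODE: ls-style string, e.g. 'symbolic d 755' -> drwxr-xr-x
symbolic() {
  m=$2
  u=${m%??}; o=${m#??}; g=${m#?}; g=${g%?}    # split into user/group/other digits
  printf '%s%s%s%s' "$1" "$(rwx "$u")" "$(rwx "$g")" "$(rwx "$o")"
}

# umask_row UMASK: one table row: umask, file mode, dir mode, both symbolic forms
umask_row() {
  f=$(apply_umask 666 "$1")
  d=$(apply_umask 777 "$1")
  printf '%5s %6s %6s  %s  %s\n' "$1" "$f" "$d" "$(symbolic - "$f")" "$(symbolic d "$d")"
}

# Reproduce the tutorial's table for the same six umask values
printf '%5s %6s %6s  %-10s  %s\n' umask files dirs files dirs
for mask in 022 027 002 006 007 077; do
  umask_row "$mask"
done
```

The octal columns it prints are the modes as chmod and stat report them.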
Checking umask
The umask command can be used to check the current umask value. There are two ways to use it. Either
  umask -p
to get the numeric umask value, or
  umask -S
to get more human-readable output. The results of these commands look like
  umask 0022
and
  u=rwx,g=rx,o=rx
respectively.
A note on source
This article has used sections from several outside sources.
I have assumed that I am not violating a copyright by doing so. Please contact me if this is not the case.
- Please use this e-mail address 3tv-assela@pathirana.net to contact me, if needed.