Difference between revisions of "UNIX file system permissions tutorial"

From assela Pathirana
Revision as of 05:17, 4 April 2006

Checking and Understanding Permissions

Access permissions of every file and folder in a UNIX system are controlled by a system based on two identification numbers: the user identification number (UID) and the group identification number (GID). Every file or folder belongs to a UID and a GID. In practice it is hard to remember these numbers, so the accepted way is to map a user name and a group name to each number. In a typical stand-alone UNIX computer, all UIDs along with these mappings are listed in the UNIX file /etc/passwd. A typical entry of the passwd file looks like the following:

alex:x:503:100:Dr. Alexander the Great:/home/alex:/bin/bash

The fields of this entry (separated by colons, :) that are relevant to this discussion are:

  1. alex: username (a short name to identify the user, which is normally used in place of UID). Typically a lowercase, single word.
  2. 503 : UID
  3. 100 : GID of the primary group the user belongs to.
  4. Dr. Alexander the Great : A descriptive name

The primary administrative user, root, is present in every UNIX system and has UID 0:

root:x:0:0:root:/root:/bin/bash

There is another file, /etc/group, listing all the GIDs with their descriptive names. A typical entry looks like:

kings:x:100:alex,ramses,menes

The important fields are:

  1. kings : The name of the group (A lowercase word)
  2. 100 : GID
  3. alex,ramses,menes : users that are members of this group

It is possible for a user to belong to more than one group. However, there is only one primary group for a user.

Unless specific steps are taken beforehand, any files or directories created by a user belong to that user and that user's primary group.
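As an added example (not part of the original article), the following POSIX shell function resolves a user's primary group (passwd field 4 mapped through group field 3) and supplementary groups (group field 4) from files in the formats shown above. The file paths are parameters, so it is run here on constructed sample data rather than the real /etc/passwd and /etc/group.

```shell
#!/bin/sh
# user_groups USER PASSWD_FILE GROUP_FILE
# Prints "<primary group> <supplementary groups, comma separated, or ->".
# If the primary GID has no entry in the group file, the number is printed
# instead of a name (as ls -l does for an unknown group).
user_groups() {
    awk -F: -v user="$1" '
        # First file (passwd): remember the primary GID of the requested user.
        FNR == NR { if ($1 == user) gid = $4; next }
        # Second file (group): name the primary GID and scan member lists.
        {
            if ($3 == gid) primary = $1
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == user && $3 != gid)
                    extra = (extra == "" ? $1 : extra "," $1)
        }
        END {
            if (gid == "") { print "no such user: " user > "/dev/stderr"; exit 1 }
            print (primary == "" ? gid : primary), (extra == "" ? "-" : extra)
        }' "$2" "$3"
}

# Constructed sample data in the /etc/passwd and /etc/group formats
# (alex and the kings group are the article's own example; the rest is made up).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alex:x:503:100:Dr. Alexander the Great:/home/alex:/bin/bash
ramses:x:504:101:Ramses II:/home/ramses:/bin/bash'
SAMPLE_GROUP='root:x:0:
kings:x:100:alex,ramses,menes
greeks:x:101:alex
scribes:x:102:ramses'

# demo_lookup USER: write the sample data to temporary files and look USER up.
demo_lookup() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    printf '%s\n' "$SAMPLE_GROUP" > "$tmp/group"
    user_groups "$1" "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

demo_lookup alex      # prints: kings greeks
demo_lookup ramses    # prints: greeks kings,scribes
```

Against the live system, call it as `user_groups "$USER" /etc/passwd /etc/group`; the first word printed is the group new files will get unless the directory's set-groupID bit overrides it.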

Checking permissions

The ls -l command lists files with a number of details on UNIX systems. The following is an example of the output of the command:

drwx------  2 alex  kings   4096 Feb 21 13:47 backup
-rw-rw-r--  1 alex  kings   4010 Mar 22 16:55 backup.tar.gz
-rwx------  1 alex  kings  20372 Mar 14 14:04 battle-plans
drwxrwxr-x  2 alex  kings   4096 Mar 23 11:46 GMTstore
drwxrwsr-x  2 alex  greeks  4096 Apr  4 14:00 handh
lrwxrwxrwx  1 alex  kings     27 Feb 20 14:32 images -> /opt/images
-rw-rw-r--  1 root  root   45458 Mar 23 11:55 install_gmt

The following is a description of the fields relevant to the present discussion, taking the first line above as the example:

  drwx------ : permission string
  alex       : owning user
  kings      : owning group
  backup     : filename

The permission flag is a set of ten positions, each describing an aspect of the file's permissions. They are read as follows (left to right):

  position  meaning
  1         directory flag: 'd' if a directory, '-' if a normal file; something else occasionally may appear here for special devices
  2,3,4     read, write, execute permission for User (Owner) of file
  5,6,7     read, write, execute permission for Group
  8,9,10    read, write, execute permission for Other

  value  meaning
  -      in any position means that flag is not set
  r      file is readable by owner, group or other
  w      file is writeable. On a directory, write access means you can add or delete files
  x      file is executable (only for programs and shell scripts, not useful for data files). Execute permission on a directory means you can list the files in that directory
  s      in the place where 'x' would normally go is called the set-UID or set-groupID flag

On an executable program with set-UID or set-groupID, that program runs with the effective permissions of its owner or group.

For a directory, the set-groupID flag means that all files created inside that directory will inherit the group of the directory. Without this flag, a file takes on the primary group of the user creating the file. This property is important to people trying to maintain a directory as group accessible. The subdirectories also inherit the set-groupID property.
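As an added example (not the article's code), this POSIX shell function decodes an ls -l permission string such as the handh directory's drwxrwsr-x into its file type and four-digit octal mode, carrying the 's' set-UID / set-groupID flag into the high digit. It goes slightly beyond the text by also accepting the uppercase 'S', which ls prints when the set-ID bit is on but execute is off.

```shell
#!/bin/sh
# triplet_value RWX: convert one three-character group (e.g. "rws") to
# its octal digit and report whether a set-ID flag was present.
# Prints "<digit> <s|->".  's' counts as execute; 'S' does not.
triplet_value() {
    t=$1 v=0 special=-
    case $t in r??) v=$((v + 4));; esac
    case $t in ?w?) v=$((v + 2));; esac
    case $t in ??x|??s) v=$((v + 1));; esac
    case $t in ??s|??S) special=s;; esac
    echo "$v $special"
}

# decode_mode PERMSTRING: prints "<type> <octal mode>", e.g. "directory 2775".
decode_mode() {
    s=$1
    [ ${#s} -eq 10 ] || { echo "expected 10 characters: $s" >&2; return 1; }
    case $(printf '%s' "$s" | cut -c1) in
        d) kind=directory;; -) kind=file;; l) kind=symlink;; *) kind=special;;
    esac
    # Positions 2-4, 5-7 and 8-10 are the user, group and other triplets.
    set -- $(triplet_value "$(printf '%s' "$s" | cut -c2-4)") \
           $(triplet_value "$(printf '%s' "$s" | cut -c5-7)") \
           $(triplet_value "$(printf '%s' "$s" | cut -c8-10)")
    # $1 $3 $5 are the user/group/other digits; $2 and $4 flag set-UID / set-GID.
    high=0
    [ "$2" = s ] && high=$((high + 4))   # set-UID bit (octal 4000)
    [ "$4" = s ] && high=$((high + 2))   # set-groupID bit (octal 2000)
    echo "$kind $high$1$3$5"
}

decode_mode drwxrwsr-x    # prints: directory 2775
decode_mode -rw-rw-r--    # prints: file 0664
```

A setgid directory such as handh above therefore has mode 2775, the form you would pass to chmod to recreate it.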

Setting default file permissions

When a user creates a file or a directory, the initial permissions of those are determined by the 'umask' value, which is set by

  1. the umask command
  2. the user's initialization file
  3. the system-wide initialization file

Typically the default configuration is equivalent to typing 'umask 22', which produces permissions of:

 -rw-r--r-- for regular files, or
 drwxr-xr-x for directories.

In other words, the user has full access; everyone else (group and other) has read access to files and lookup access to directories.

When working with group-access files and directories, it is common to use 'umask 2', which produces permissions of:

 -rw-rw-r-- for regular files, or
 drwxrwxr-x for directories.

For private work, use 'umask 77', which produces permissions of:

 -rw------- for regular files, or
 drwx------ for directories.

umask Unmasked

umask is an octal number between 000 and 777 that directly affects the resulting file and directory permissions. The three digits, from left to right, govern the permissions for user, group and others respectively. Each digit relates to the respective chmod value as follows.

  umask digit   file   directory
       0          6        7
       1          6        6
       2          4        5
       3          4        4
       4          2        3
       5          2        2
       6          0        1
       7          0        0

Some common umask settings, shown in a more understandable way:


The results shown in the table can be obtained from this bash script.

  umask   file   dirs          files           dirs
    022    759    648     -rw-r--r--     drwxr-xr-x
    027    754    643     -rw-r-----     drwxr-x---
    002    775    664     -rw-rw-r--     drwxrwxr-x
    006    771    660     -rw-rw----     drwxrwx--x
    007    770    659     -rw-rw----     drwxrwx---
    077    714    603     -rw-------     drwx------
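As an added example (not the article's own script), this POSIX shell function computes the file and directory modes a given umask produces, in octal and in ls -l notation, using the same rule as the shell: files start from 666, directories from 777, and the umask bits are cleared.

```shell
#!/bin/sh
# octal_to_symbolic 755 -> "rwxr-xr-x" (one rwx group per octal digit)
octal_to_symbolic() {
    out=
    for d in $(printf '%s\n' "$1" | sed 's/./& /g'); do
        r=-; w=-; x=-
        [ $((d & 4)) -ne 0 ] && r=r
        [ $((d & 2)) -ne 0 ] && w=w
        [ $((d & 1)) -ne 0 ] && x=x
        out="$out$r$w$x"
    done
    echo "$out"
}

# umask_modes UMASK -> "UMASK <file mode> <dir mode> <ls file> <ls dir>"
# e.g. umask_modes 022 -> "022 644 755 -rw-r--r-- drwxr-xr-x"
umask_modes() {
    m=$1
    # The leading 0 makes the shell read the umask as octal, as umask itself does.
    file=$(printf '%03o' $((0666 & ~0$m)))
    dir=$(printf '%03o' $((0777 & ~0$m)))
    echo "$m $file $dir -$(octal_to_symbolic "$file") d$(octal_to_symbolic "$dir")"
}

# Print a table for the umask values discussed in the article.
umask_table() {
    for m in "$@"; do umask_modes "$m"; done
}

umask_table 022 027 002 006 007 077
# To see what your current shell would do: umask_modes "$(umask)"
```

The symbolic columns match the table above; note that the two numeric columns there do not correspond to octal modes (for 022 the modes are 644 and 755), which this script prints correctly.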

Checking umask

The umask command can be used to check the current umask value. There are two ways to use it. Either

umask -p

to get the numeric umask value, or

umask -S

to get a more human-readable output. The results of these commands look like

umask 0022

and

u=rwx,g=rx,o=rx

respectively.

A note on source

This article has used sections from several outside sources.

  1. Computing at Dartmouth College.
  2. linuxforms.

I have assumed that I am not violating a copyright by doing so. Please contact me if this is not the case.

Please use this e-mail address 3tv-assela@pathirana.net to contact me, if needed.
(Confused about the strange letters in the e-mail address? Wondering whether to put this address to your contact list? Please read Site FAQ)