Difference between revisions of "UNIX file system permissions tutorial"

From assela Pathirana
Jump to navigationJump to search
 
(47 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Checking and Understanding Permissoins==
[[Image:DSC_0063.JPG|thumb|450px]]
==Checking and Understanding Permissions==


Every user on a Unix system has a unique username, and is a member of at least one group (the primary group for that user). This group information is held in the password file (/etc/passwd). A user can also be a member of one or more other groups. The auxiliary group information is held in the file /etc/group. Only the administrator can create new groups or add/delete group members (one of the shortcomings of the system).
Access permissions of every file and folder in a UNIX system is controlled by a system based on two identification numbers: user-identification number (UID) and group identification number (UID). Every file or folder should belong to a UID and GID. In practice is it hard to remember these numbers, so the accepted way is to map a user-name and a group-name to each number. In a typical stand-aloone, UNIX computer, all UIDs along with these mappings are listed in the UNIX file /etc/passwd. A typical entry of passwd file is like the following:<nowiki>
</nowiki><pre><nowiki>alex:x:503:100:Dr. Alexander the Great:/home/alex:/bin/bash</nowiki></pre> The fields of this entry (seperated by colons, ''':'''), relevant to this discussion are:
# ''alex'': username (a short name to identify the user, which is normally used in place of UID). Typically a lowercase, single word.
<!--# ''x'': Not important. Had a historical role. -->
# ''503'' : UID
# ''100'' : GID of the primary group the user belongs to.
# ''Dr. Alexander the Great'' : A descriptive name
<!-- # ''/home/alex'': The home directory of the user
# ''/bin/bash'': The default shell of the user. -->
The primary administrative user -- ''root'', present in every UNIX system has UID 0. <nowiki>
</nowiki><pre><nowiki>root:x:0:0:root:/root:/bin/bash</nowiki></pre>


Every directory and file on the system has an owner, and also an associated group. It also has a set of permission flags which specify separate read, write and execute permissions for the 'user' (owner), 'group', and 'other' (everyone else with an account on the computer) The 'ls' command shows the permissions and group associated with files when used with the -l option. On some systems (e.g. Coos), the '-g' option is also needed to see the group information.
There is another file, /etc/group, lising all the GIDs with their descriptive names. A typical entry is like:<nowiki>
</nowiki><pre><nowiki>kings:x:100:alex,ramses,menes</nowiki></pre>. The important fields are:
# ''kings'' : The name of the group (A lowercase word)
# ''100'' : GID
# ''alex,ramses,menes'' : users that are members of this group


An example of the output produced by 'ls -l' is shown below.
It is possible for a user to belong to more than one group. However, there is only one primary group for a user.  


  drwx------ 2 richard staff  2048 Jan  2 1997  private
Unless [[GID for directories|specific steps]] are taken beforehand, any files or directories created by a user belong to that ueser and that users primary group.
  drwxrws--- 2 richard staff  2048 Jan  2 1997  admin
  -rw-rw---- 2 richard staff 12040 Aug 20 1996  admin/userinfo
  drwxr-xr-x 3 richard user   2048 May 13 09:27 public


Understanding how to read this output is useful to all unix users, but especially people using group access permissions.
===Checking permissions===
 
The ls -l command lists files with a number of details in UNIX systems. Following is an example of the output of the command
;Field 1: a set of ten permission flags.  
<pre>
;Field 2: link count (don't worry about this)
drwx------  2 alex  kings  4096 Feb 21 13:47 backup
;Field 3: owner of the file
-rw-rw-r--  1 alex  kings  4010 Mar 22 16:55 backup.tar.gz
;Field 4: associated group for the file
-rwx------  1 alex  kings  20372 Mar 14 14:04 battle-plans
;Field 5: size in bytes
drwxrwxr-x  2 alex  kings  4096 Mar 23 11:46 GMTstore
;Field 6-8: date of last modification (format varies, but always 3 fields)
drwxrwsr-x  2 alex  greeks  4096 Apr  4 14:00 hands
;Field 9: name of file (possibly with path, depending on how ls was called)
lrwxrwxrwx  1 alex  kings    27 Feb 20 14:32 images -> /opt/images
 
-rwxr--r--  1 root  root  45458 Mar 23 11:55 install_gmt
The permission flags are read as follows (left to right)
</pre>
 
Following is a description of the fields relevent to the present discussion.
<table>
;'''drwx------''' : permission string.  
<tr><th>position</th> <th>Meaning</th></tr>
;'''alex''' : owning user
<tr><td>1</td>       <td>directory flag, 'd' if a directory, '-' if a normal file,
;'''kings''' : owning group
something else occasionally may appear here for special devices.</td></tr>
;'''backup''': filename
<tr><td>2,3,4</td> <td>read, write, execute permission for User (Owner) of file</td></tr>
<tr><td>5,6,7</td>  <td>read, write, execute permission for Group</td></tr>


<tr><td>8,9,10</td> <td>read, write, execute permission for Other</td></tr>
The permission flag is a set of ten positions each describing an aspect of the file's permissions.
<tr><th>value</th> <th>Meaning</th></tr>
{|-
<tr><td>-</td> <td>in any position means that flag is not set</td></tr>
|----
<tr><td>r</td> <td>file is readable by owner, group or other</td></tr>
|'''Position'''
<tr><td>w</td> <td>file is writeable.  On a directory, write access means you can add or delete files</td></tr>
| '''    Possible values'''
|----
|1
| d : This is a directory. - : this is a normal file. (Occationaly some other things can appear)
|----
| 2
| r : owner is permitted read this file. - : He/she can't
|----
| 3
| w : owner is permitted to overwrite/append to this file. - : can't
|----
| 4
| x : owner is permitted to execute (run) this file, by calling it by its name. - : can't. (See the examples as well)
|----
|5-7
|: Permissions for group members (meaning same as above).
|----
|8-10
|: Permissions for all others (Not owner, not group members).
|----
|}
;Note:
:* To access a directory (to change directory by cd command or to list it's contents by ls -l <directory-name>) the execution flag (x) should be set.


<tr><td>x</td> <td>file is executable (only for programs and shell scripts - not useful for data files)
;Examples:
    Execute permission on a directory means you can list the files in that directory</td></tr>
:* '''drwx------''' (backup) : This is a directory, user can read, write and execute (since this is a directory this is needed to access the directory) , group (kings) can't do anything, others can't do anything.
<tr><td>s</td> <td>in the place where 'x' would normally go is called the set-UID or
:* '''-rwx------''' (battle-plans) : This is a regular file. Only user has access.
        set-groupID flag.</td></tr>
:* '''drwxrwxr-x''' (GMTstore) : This directory can be accessed, changed by members of group (kings), but others can not change it.
</table>
:* '''-rwxr--r--''' (install_gmt): Evrybody can read. But only owner can write. Owner can also execute this by calling it by filename. e.g.<nowiki>
</nowiki><pre><nowiki>./install_gmt #at bash prompt</nowiki></pre>  
:* '''drwxrwsr-x''' (hands): This directory is said to be GID-set, which is done by <nowiki>
</nowiki><pre><nowiki>chmod u+s hands</nowiki></pre> and indicated by the presence of '''s''' at the permission flag. This means, whatever files created in this folder by anybody (of course they should be permitted to do that, in this case that means 1. owner, 2. group members and 3. root) belongs to the group '''greeks'''.
:* '''lrwxrwxrwx''' (images) : See the right-most end of the row. <nowiki>
</nowiki><pre><nowiki>images -> /opt/images</nowiki></pre> indicates this is a symbolic link. These are special 'files' which can not be set permissions. Instead 'target' of the link (images in /opt folder in this case) should have desired permissions.


On an executable program with set-UID or set-groupID, that program runs with the effective permissions of its owner or group.
==Setting permissions chmod==
chmod command is used to change the ownership of exising files. There are two ways of using the command.
===Symbolic mode===
:* example: <nowiki>
</nowiki><pre><nowiki>chmod g+rx READEME.info</nowiki></pre> Here, the members of the group('''g''') is '''granted'''('''+''') read('''r''') and execute('''x''') permissoins.
===Numeric mode===
Permissions of each class (user, group or others) are handled by an [[wikipedia:Octal Number|Octal Number]]. Three ocatal numbers written togather (e.g. 644) fully specify the file permissions of a file.
{{box|See wikipedia article [[wikipedia:File_system_permissions|File_system_permissions]] for more information. Some of the text here is from that article.}}


<table >
Each of these digits is the sum of its component bits (see also [[wikipedia:Binary numeral system|this article]])As a result, specific bits add to the sum as it is represented by a numeral:
<tr><td>
*The read bit adds 4 to its total,
For a directory, the set-groupID flag means that all files created
*The write bit adds 2 to its total, and
inside that directory will inherit the group of the directoryWithout
*The execute bit adds 1 to its total.
this flag, a file takes on the primary group of the user creating the
These values never produce ambiguous combinations; each sum represents a specific set of permissions.
file.  This property is important to people trying to maintain a
directory as group accessible. The subdirectories also inherit the
set-groupID property.
</td></tr></table>


These are the examples from the [[#Symbolic_notation|Symbolic notation]] section given in octal notation:
*<tt>"-rwxr-xr-x"</tt> would be represented as <tt>755</tt> in three-digit octal.
*<tt>"-rw-rw-r--"</tt> would be represented as <tt>664</tt> in three-digit octal.
*<tt>"-r-x------"</tt> would be represented as <tt>500</tt> in three-digit octal.
*<tt>"-rw-------"</tt> would be represented as <tt>600</tt> in three-digit octal.


== umask -- The default file permissions ==
* example: <nowiki>
</nowiki><pre><nowiki>chmod 644 README.info</nowiki></pre> Here, the permissions of the file is set, so that
*# owner has read, write permissions
*# group and others have read permissions.
* Meaning of symbolic mode numbers are described
*Note that numeric permissions are absolute (i.e. They dictate all the permission settings) whereas symbolic settings are cumulative (i.e. They manage certain permissions while leaving others as they are).


Each user has a default set of permissions which apply to all files created by that user, unless the software explicitly sets something else. This is often called the 'umask', after the command used to change it. It is either inherited from the login process, or set in the .bashrc file which configures an individual account, or it can be run manually.
== Setting default file permissions ==
{{box|See [[wikipedia:Bash#Bash_startup_scripts|this article]] on initialization files of bash shell}}
When a user creates a file or a directory, the initial permissoins of those are determined by the 'uname' value which is set by
# '''uname''' command
# user's '''initialization file'''
# '''system-wide initialization file'''


Typically the default configuration is equivalent to typing 'umask 22' which produces permissions of:
Typically the default configuration is equivalent to typing 'umask 22' which produces permissions of:
Line 78: Line 133:


==umask Unmasked==
==umask Unmasked==
umask is a [[wikipedia:octal number]] between 000 and 777, directly affecting the resulting file and directory permissions. The three numbers from left, governs the permissions for user, group and others respectively. Each number relates to the respective chmod value as follows.  
{{wbox|Never take the umask command lightly! If you accidentally set umask 002, every single file you (or any of your programs!) create after that will be writable by everybody in your group!!}}
<pre>
umask is a [[wikipedia:octal number|ocatal number]] between 000 and 777, directly affecting the resulting file and directory permissions. The three numbers from left, governs the permissions for user, group and others respectively. Each number relates to the respective chmod value as follows. <nowiki>
</nowiki><pre><nowiki>
umask File Directory
umask File Directory
0 6 7
0 6 7
Line 89: Line 145:
6 0 1
6 0 1
7 0 0
7 0 0
</pre>
</nowiki></pre>
Some common umask settings in a more understandable way.  
{{box|The results shown in the table can be obtained from [[File_permission_demonstration_script|this bash script]]. }}
<pre>
Some common umask settings in a more understandable way. <nowiki>
          umask           file          dirs          files          dirs
</nowiki><pre><nowiki>
            022           759           648    drwxr-xr-x    -rw-r--r--
  umask   dirs   files         files          dirs
            027           754           643    drwxr-x---     -rw-r-----
    022   759   648    -rw-r--r--     drwxr-xr-x
            002           775           664     drwxrwxr-x     -rw-rw-r--
    027   754   643    -rw-r-----     drwxr-x---
            006           771           660    drwxrwx--x    -rw-rw----
    002   775   664    -rw-rw-r--     drwxrwxr-x
            007           770           659    drwxrwx---     -rw-rw----
    006   771   660    -rw-rw----     drwxrwx--x
            077           714           603    drwx------     -rw-------
    007   770   659    -rw-rw----     drwxrwx---
</pre>
    077   714   603    -rw-------     drwx------
</nowiki></pre>


==Checking umask==
===Checking umask===
The umask command can be used to check the current umask values. There are two ways to use this. Either <nowiki>
The umask command can be used to check the current umask values. There are two ways to use this. Either <nowiki>
</nowiki><pre><nowiki>
</nowiki><pre><nowiki>
Line 113: Line 170:
</nowiki><pre><nowiki>umask 0022</nowiki></pre> and <nowiki>
</nowiki><pre><nowiki>umask 0022</nowiki></pre> and <nowiki>
</nowiki><pre><nowiki>u=rwx,g=rx,o=rx</nowiki></pre>, respectively.
</nowiki><pre><nowiki>u=rwx,g=rx,o=rx</nowiki></pre>, respectively.
==Sticky Bit==
<nowiki>
</nowiki><pre><nowiki>
$ ls -l / |grep tmp
drwxrwxrwt    9 root root    4096 May 19 08:35 tmp
</nowiki></pre>
Note the '<tt>t</tt>' in the last position instead of familiar <tt>x</tt> or <tt>-</tt>. This is called sticky bit. Over time, the use of this tools has [[wikipedia:sticky_bit|changed quite a bit]]. We shall only deal with its modern use, i.e. use in conjunction with directories here.
When sticky bit is set for a directory by <nowiki>
</nowiki><pre><nowiki>
#chmod +t /bar #Note: Usually root does this
</nowiki></pre> Any file created in that folder can be removed or moved only by creator, even if others have write permission in the folder.
This is quite useful in setting up shared folders like <tt>/tmp</tt> (Operating system needs to write many files to <tt>/tmp</tt> as many users. However, other users should not be allowed to delete them at will.)
==Changing permissions of a while directory tree==
The <tt>-R</tt> option used together with <tt>chmod</tt> can change permissions of a whole directory tree. This can be useful for example when a user wants to grant read access to a whole folder to a group member. This can be achieved by
<pre>
chmod g+rx <foldername>
</pre>
But, the problem would be, the execute permission. Directories need <tt>x</t>, otherwise they can not be accessed. But, it is not valid to set executable bit (<tt>x</tt>) of a file, unless it is an executable file (e.g. a script, compiled program , etc.). In such situations <tt>X</tt> notation can be useful:
<pre>
chmod g+rX foo
</pre>
It applies execute permissions to the directory <tt>foo</tt> and all its sub-directories regardless of their current permissions and applies execute permissions to the file under <tt>foo</tt> if only they already have at least 1 execute permission  (user, group or others) bit already set.


==A note on source==
==Acknowlegements==
;Note: This article has used sections from several outside sources.  
This article was inspired by several outside sources. Certain portions of those articles have been incoroporated in above text.  
:#[http://www.dartmouth.edu/~rc/help/faq/permissions.html Computing at Dartmouth College].
#[http://www.dartmouth.edu/~rc/help/faq/permissions.html Computing at Dartmouth College].
:#[http://www.linuxforum.com/shell/umask/66-24.php linuxforms].  
#[http://www.linuxforum.com/shell/umask/66-24.php linuxforms].  
I have assumed that I am not violating a copyright by doing so.
Please contact me if this is not the case.
::{{contact_me}}
----
----
[[Category:Unix]]
[[Category:Unix]]

Latest revision as of 14:16, 18 November 2007

DSC 0063.JPG

Checking and Understanding Permissions

Access permissions of every file and folder in a UNIX system is controlled by a system based on two identification numbers: user-identification number (UID) and group identification number (UID). Every file or folder should belong to a UID and GID. In practice is it hard to remember these numbers, so the accepted way is to map a user-name and a group-name to each number. In a typical stand-aloone, UNIX computer, all UIDs along with these mappings are listed in the UNIX file /etc/passwd. A typical entry of passwd file is like the following: 

alex:x:503:100:Dr. Alexander the Great:/home/alex:/bin/bash

The fields of this entry (seperated by colons, :), relevant to this discussion are:

  1. alex: username (a short name to identify the user, which is normally used in place of UID). Typically a lowercase, single word.
  2. 503 : UID
  3. 100 : GID of the primary group the user belongs to.
  4. Dr. Alexander the Great : A descriptive name

The primary administrative user -- root, present in every UNIX system has UID 0. 

root:x:0:0:root:/root:/bin/bash

There is another file, /etc/group, lising all the GIDs with their descriptive names. A typical entry is like: 

kings:x:100:alex,ramses,menes

. The important fields are:

  1. kings : The name of the group (A lowercase word)
  2. 100 : GID
  3. alex,ramses,menes : users that are members of this group

It is possible for a user to belong to more than one group. However, there is only one primary group for a user.

Unless specific steps are taken beforehand, any files or directories created by a user belong to that ueser and that users primary group.

Checking permissions

The ls -l command lists files with a number of details in UNIX systems. Following is an example of the output of the command 

drwx------  2 alex  kings   4096 Feb 21 13:47 backup
-rw-rw-r--  1 alex  kings   4010 Mar 22 16:55 backup.tar.gz
-rwx------  1 alex  kings  20372 Mar 14 14:04 battle-plans
drwxrwxr-x  2 alex  kings   4096 Mar 23 11:46 GMTstore
drwxrwsr-x  2 alex  greeks  4096 Apr  4 14:00 hands
lrwxrwxrwx  1 alex  kings     27 Feb 20 14:32 images -> /opt/images
-rwxr--r--  1 root  root   45458 Mar 23 11:55 install_gmt

Following is a description of the fields relevent to the present discussion.

drwx------
permission string.
alex
owning user
kings
owning group
backup
filename

The permission flag is a set of ten positions each describing an aspect of the file's permissions.

Position Possible values
1 d : This is a directory. - : this is a normal file. (Occationaly some other things can appear)
2 r : owner is permitted read this file. - : He/she can't
3 w : owner is permitted to overwrite/append to this file. - : can't
4 x : owner is permitted to execute (run) this file, by calling it by its name. - : can't. (See the examples as well)
5-7 : Permissions for group members (meaning same as above).
8-10 : Permissions for all others (Not owner, not group members).
Note
  • To access a directory (to change directory by cd command or to list it's contents by ls -l <directory-name>) the execution flag (x) should be set.
Examples
  • drwx------ (backup) : This is a directory, user can read, write and execute (since this is a directory this is needed to access the directory) , group (kings) can't do anything, others can't do anything.
  • -rwx------ (battle-plans) : This is a regular file. Only user has access.
  • drwxrwxr-x (GMTstore) : This directory can be accessed, changed by members of group (kings), but others can not change it.
  • -rwxr--r-- (install_gmt): Evrybody can read. But only owner can write. Owner can also execute this by calling it by filename. e.g. 
    ./install_gmt #at bash prompt
  • drwxrwsr-x (hands): This directory is said to be GID-set, which is done by 
    chmod u+s hands
    and indicated by the presence of s at the permission flag. This means, whatever files created in this folder by anybody (of course they should be permitted to do that, in this case that means 1. owner, 2. group members and 3. root) belongs to the group greeks.
  • lrwxrwxrwx (images) : See the right-most end of the row. 
    images -> /opt/images
    indicates this is a symbolic link. These are special 'files' which can not be set permissions. Instead 'target' of the link (images in /opt folder in this case) should have desired permissions.

Setting permissions chmod

chmod command is used to change the ownership of exising files. There are two ways of using the command.

Symbolic mode

  • example: 
    chmod g+rx READEME.info
    Here, the members of the group(g) is granted(+) read(r) and execute(x) permissoins.

Numeric mode

Permissions of each class (user, group or others) are handled by an Octal Number. Three ocatal numbers written togather (e.g. 644) fully specify the file permissions of a file.

Green info.gif

See wikipedia article File_system_permissions for more information. Some of the text here is from that article.

Each of these digits is the sum of its component bits (see also this article). As a result, specific bits add to the sum as it is represented by a numeral:

  • The read bit adds 4 to its total,
  • The write bit adds 2 to its total, and
  • The execute bit adds 1 to its total.

These values never produce ambiguous combinations; each sum represents a specific set of permissions.

These are the examples from the Symbolic notation section given in octal notation:

  • "-rwxr-xr-x" would be represented as 755 in three-digit octal.
  • "-rw-rw-r--" would be represented as 664 in three-digit octal.
  • "-r-x------" would be represented as 500 in three-digit octal.
  • "-rw-------" would be represented as 600 in three-digit octal.
  • example: 
    chmod 644 README.info
    Here, the permissions of the file is set, so that
    1. owner has read, write permissions
    2. group and others have read permissions.
  • Meaning of symbolic mode numbers are described
  • Note that numeric permissions are absolute (i.e. They dictate all the permission settings) whereas symbolic settings are cumulative (i.e. They manage certain permissions while leaving others as they are).

Setting default file permissions

Green info.gif

See this article on initialization files of bash shell

When a user creates a file or a directory, the initial permissoins of those are determined by the 'uname' value which is set by

  1. uname command
  2. user's initialization file
  3. system-wide initialization file

Typically the default configuration is equivalent to typing 'umask 22' which produces permissions of: 

 -rw-r--r-- for regular files, or
 drwxr-xr-x for directories.

In other words, user has full access, everyone else (group and other) has read access to files, lookup access to directories.

When working with group-access files and directories, it is common to use 'umask 2' which produces permissions of: 

 -rw-rw-r-- for regular files, or
 drwxrwxr-x for directories.

For private work, use 'umask 77' which produces permissions: 

 -rw------- for regular files, or
 drwx------ for directories.

umask Unmasked

Red warning.gif

Never take the umask command lightly! If you accidentally set umask 002, every single file you (or any of your programs!) create after that will be writable by everybody in your group!!

umask is a ocatal number between 000 and 777, directly affecting the resulting file and directory permissions. The three numbers from left, governs the permissions for user, group and others respectively. Each number relates to the respective chmod value as follows. 

	umask	File	Directory
	0	6	7
	1	6	6
	2	4	5
	3	4	4
	4	2	3
	5	2	2
	6	0	1
	7	0	0
Green info.gif

The results shown in the table can be obtained from this bash script.

Some common umask settings in a more understandable way. 

  umask   dirs   files          files           dirs
    022    759    648     -rw-r--r--     drwxr-xr-x
    027    754    643     -rw-r-----     drwxr-x---
    002    775    664     -rw-rw-r--     drwxrwxr-x
    006    771    660     -rw-rw----     drwxrwx--x
    007    770    659     -rw-rw----     drwxrwx---
    077    714    603     -rw-------     drwx------

Checking umask

The umask command can be used to check the current umask values. There are two ways to use this. Either 

umask -p

to get the numeric umask value or 

umask -S

to get a more human readable output. The results of these commands are like, 

umask 0022

and 

u=rwx,g=rx,o=rx

, respectively.

Sticky Bit

$ ls -l / |grep tmp
drwxrwxrwt    9 root root     4096 May 19 08:35 tmp

Note the 't' in the last position instead of familiar x or -. This is called sticky bit. Over time, the use of this tools has changed quite a bit. We shall only deal with its modern use, i.e. use in conjunction with directories here.

When sticky bit is set for a directory by 

#chmod +t /bar #Note: Usually root does this

Any file created in that folder can be removed or moved only by creator, even if others have write permission in the folder.

This is quite useful in setting up shared folders like /tmp (Operating system needs to write many files to /tmp as many users. However, other users should not be allowed to delete them at will.)

Changing permissions of a while directory tree

The -R option used together with chmod can change permissions of a whole directory tree. This can be useful for example when a user wants to grant read access to a whole folder to a group member. This can be achieved by 

chmod g+rx <foldername>

But, the problem would be, the execute permission. Directories need x</t>, otherwise they can not be accessed. But, it is not valid to set executable bit (x) of a file, unless it is an executable file (e.g. a script, compiled program , etc.). In such situations X notation can be useful: 

 
chmod g+rX foo

It applies execute permissions to the directory foo and all its sub-directories regardless of their current permissions and applies execute permissions to the file under foo if only they already have at least 1 execute permission (user, group or others) bit already set.

Acknowlegements

This article was inspired by several outside sources. Certain portions of those articles have been incoroporated in above text.

  1. Computing at Dartmouth College.
  2. linuxforms.
Retrieved from "https://assela.pathirana.net/index.php?title=UNIX_file_system_permissions_tutorial&oldid=3813"