Wang Products

FAQ Article: Unix Ownership/Permissions explained

Ok, we really need to cover this in order to do a few other topics in the future, so it's best to get it out of the way - sorry to all those who already know what I am about to say.

If you don't know, or have never used *nix style operating systems, and are purely a Windows, Mac, BeOS (or whatever!) user - then I would urge you to take the time to get a shell account on a *nix system somewhere (telnet to sdf.lonestar.org on port 23, they provide basic free shell accounts) and to play with the information I am giving you, rather than just disregarding it.

First, we will need to talk about basic unix system privileges. On *nix operating systems, such as Linux, FreeBSD, Solaris (just to name a few), access to files is controlled by the file mode setting of a file. The mode specifies who (user/owner, group, other) can have access to a file and what type of access (read, write, execute) to the file is allowed.

The "User" is the owner of the file (and I will refer to the User as Owner from now on), the "Group" is a particular group of users that the file belongs to, and "Other" corresponds to everyone that is not the User or a member of the Group. For any given ownership relation, we need three bits to specify access permissions: the first to denote read (r) access, the second to denote write (w) access and the third to denote execute (x) access.

Therefore, an easy way to denote the access that the Owner has to a file would be "rwx" (which means the Owner has Read, Write, and eXecute access to the particular file). So - how would we denote access if, say, the Owner had read access and execute access - but no write access? Simple, we use a dash to denote that they don't have write access, like so: "r-x". Simple!

Now, remember we have three ownership relations to cover - 'owner' permissions, 'group' permissions and 'all' permissions - so we need a "rwx" triplet for each, giving nine bits. As an example, let's say that Owner, Group, and All (everyone) have access to Read, Write, and Execute a particular file. We denote this as:


rwxrwxrwx


Just to make this clearer...a breakdown of that would be:


Owner                 Group                 All (Everyone)
Read  Write  Execute  Read  Write  Execute  Read  Write  Execute
r     w      x        r     w      x        r     w      x


Another example: let's say that the Owner has full access to a file, but Group and All can only read the file. How do we denote this? Like so:


Owner                 Group                 All (Everyone)
Read  Write  Execute  Read  Write  Execute  Read  Write  Execute
r     w      x        r     -      -        r     -      -


So our end string is "rwxr--r--". Make sense? I hope so! If not, re-read now! Ok - so now, let's say you have your unix shell account open in a telnet window - or you are sitting at a *nix terminal somewhere - how do you find out the permissions/ownership of a specific file or directory? We use the "ls" command.

For those that don't know, ls is basically the equivalent of typing "dir" at a DOS prompt...except ls has some nicer options. So, here is an example of me typing ls:


[wang@server mydirectory]# ls
myfile.php index.htm anotherdir


Ok...so that gave me a listing of the files in the current directory - but I don't see anything to tell me the permissions on each file/directory in there. To get this information, we have to give ls an extra parameter, "ls -l", which tells it to show us a long listing, like so:


[wang@server mydirectory]# ls -l
total 6
-rw-r--r-- 1 wang wheel 872 Apr 25 16:26 myfile.php
-rw-r--r-- 1 wang wheel 680 Apr 25 16:26 index.htm
drwxr-xr-x 2 wang wheel 512 Apr 3 13:40 anotherdir


Ah! That's more like it. Ok, immediately you will notice that it shows one file/directory per line, along with the permissions of that file/directory, the number of hard links to it, its owner's username, the group name, the size in bytes, the modification date/time, and the file/dir name.

You will also notice something different about the permissions - two of them have a "-" in front of the normal permission string I explained, and one has a "d" in front. This is easy - this is the way we tell what is a directory and what isn't: if it has a "d" in front of the permission listing, it's a directory; if it has a "-", it's a regular file of some kind. If you look at the first line, the listing for the file "myfile.php", we can see it has permissions "rw-r--r--" - which, as we have already determined, means that the owner (who is listed as "wang" in that output) has read and write access, but group and all only have read access. "wheel" is the name of the group which that file/directory belongs to.

We also need to mention that permissions on a directory don't mean exactly the same thing as the permissions on files I explained. For a directory, Read means you can view the directory's contents (i.e. do an ls in it), Write means you can create, rename or delete files within the directory (editing an existing file's contents depends on that file's own permissions, not the directory's), and Execute determines whether a user can "cd" into the directory (i.e. move into it, just like cd in DOS) and reach the files inside it.

Now you know how permissions are represented for files/directories - and what they mean...but how do we set/alter them? and are there other ways of representing them? Well, yes.

Permissions/access is actually based on an integer from zero to seven; the "rwxr--r--" representation is really just to make things easier to read. There is one integer for each set of people accessing the file (user, group, other). The type of access allowed for each number is determined by adding 1 for execute access, 2 for write access, and 4 for read access. Zero indicates no privileges. Therefore, the allowed values are:


Number  Permission
0       No Access
1       Execute Only
2       Write Only
3       Execute and Write
4       Read Only
5       Execute and Read
6       Read and Write
7       Read, Write, and Execute


If you are feeling lost and confused, bear with me...the purpose of these numbers will become clearer. You are probably thinking - why tell me these numbers? Well, it's just useful to know, and I prefer changing file/directory permissions using numbers ;) - sorry! So, what is the command to actually change permissions? The answer is "chmod".

First, let's talk about using chmod with the numbers in the table above. The format is:


chmod <number> <file or dir>


So, a good example would be "chmod 755 blah.pl". Why three digits? Well, we are back at the Owner, Group, All permission thing again. Each of the three digits in the mode number corresponds to one of the three permission triplets. Every permission bit in a triplet corresponds to a value - which, despite my complex looking table, can be easily remembered as: 0 for nothing (dash), 4 for r, 2 for w, 1 for x.

Let's work an example out. Let's say we have the permission "rwxr-xr-x" on some file...what chmod number was used to give that file those permissions? Simple:


Triplet for user:  rwx => 4 + 2 + 1 = 7
Triplet for group: r-x => 4 + 0 + 1 = 5
Triplet for all:   r-x => 4 + 0 + 1 = 5
Which makes: 755
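As an added example (not part of the original article), here is a small POSIX shell script that does the same triplet arithmetic in both directions, generalising the 755 derivation to any permission string: it turns a "rwxr-xr-x" string (or the ten-character form shown by ls -l) into its chmod number, and turns a chmod number back into the string. The function names sym_to_octal and octal_to_sym are my own; only r, w, x and - are understood, so the setuid/setgid/sticky letters are deliberately rejected rather than misread.

```shell
#!/bin/sh
# Added example (not from the original article): convert between the
# "rwxr-xr-x" style permission string and the three-digit chmod number,
# using the same 4/2/1 weights the article gives for r/w/x.

# sym_to_octal: "rwxr-xr-x" -> "755". Also accepts the ten-character
# form shown by ls -l ("-rwxr-xr-x", "drwxr-xr-x") by dropping the type
# character. Only r, w, x and - are understood; anything else is an error.
sym_to_octal() {
    sym=$1
    case ${#sym} in
        10) sym=${sym#?} ;;   # strip the leading "-" or "d"
        9)  ;;
        *)  echo "sym_to_octal: expected 9 or 10 characters, got '$1'" >&2
            return 1 ;;
    esac
    case $sym in
        *[!rwx-]*) echo "sym_to_octal: unexpected character in '$1'" >&2
                   return 1 ;;
    esac
    result=""
    for who in owner group other; do
        triplet=$(printf '%.3s' "$sym")   # next three characters
        sym=${sym#???}                    # drop them for the next pass
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; esac
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# octal_to_sym: "755" -> "rwxr-xr-x". Each digit is split back into its
# 4 (read), 2 (write) and 1 (execute) parts.
octal_to_sym() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_sym: expected three octal digits, got '$1'" >&2
           return 1 ;;
    esac
    result=""
    while [ -n "$mode" ]; do
        d=$(printf '%.1s' "$mode")
        mode=${mode#?}
        r=-; w=-; x=-
        if [ $((d / 4 % 2)) -eq 1 ]; then r=r; fi
        if [ $((d / 2 % 2)) -eq 1 ]; then w=w; fi
        if [ $((d % 2)) -eq 1 ]; then x=x; fi
        result="$result$r$w$x"
    done
    printf '%s\n' "$result"
}

# Worked examples, matching the article's 755 derivation.
sym_to_octal rwxr-xr-x      # 755
sym_to_octal -rw-r--r--     # 644 (the myfile.php line from ls -l above)
octal_to_sym 600            # rw-------
```

Saved as a file and sourced into a shell, sym_to_octal lets you paste a mode column straight out of ls -l to get the number you would hand to chmod; octal_to_sym is handy for checking what a number in a script or config file actually grants before you apply it.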


It's not as hard as it looks, and it's not as hard to remember as you might think...it actually becomes second nature. There is, however, an easier way if this really does scare you: chmod can also be used in the format "chmod [options] mode file(s)" with a symbolic mode.

The 'mode' part specifies the new permissions for the file(s) that follow as arguments. A symbolic mode first specifies whose permissions should be changed, and then which access types should be changed. Let's say for example:


chmod a-x socktest.pl


This means that the execute bit should be cleared (-) for all users (owner, group and all). The mode starts with a letter specifying which users should be affected by the change; this might be any of the following:


  • u  the owner (user)

  • g  the owner group

  • o  others - everyone who is neither the owner nor in the group (what we described above as All)

  • a  all users, i.e. u, g and o together



This is followed by a change instruction, which consists of a + (set bit) or - (clear bit) and the letter corresponding to the bit that should be changed. So, hopefully now you can see where "chmod a-x socktest.pl" came from.

We could also have said "chmod g-x socktest.pl" to only remove the group execute permission, or we could have said "chmod o+r socktest.pl" to give all/everyone else read access to this file.

If you really want to read up more on chmod, please type "man chmod" at a shell prompt to see the manual page. As a final example, I will show me using chmod on a file "test.txt":

We start with the file test.txt, which the owner "wang" has read/write access to, and group/all only have read access to:


[wang@server ~/test]# ls -l
total 2
-rw-r--r-- 1 wang wang 5 Aug 7 19:43 test.txt


I then decided to give my group write access to test.txt, so I used chmod like so:


[wang@server ~/test]# chmod 664 test.txt
[wang@server ~/test]# ls -l
total 2
-rw-rw-r-- 1 wang wang 5 Aug 7 19:43 test.txt


Then, I gave all/everyone write access too (feeling generous!):


[wang@server ~/test]# chmod o+w test.txt
[wang@server ~/test]# ls -l
total 2
-rw-rw-rw- 1 wang wang 5 Aug 7 19:43 test.txt


Then, I take write access away from the group:


[wang@server ~/test]# chmod g-w test.txt
[wang@server ~/test]# ls -l
total 2
-rw-r--rw- 1 wang wang 5 Aug 7 19:43 test.txt


And then I decide to remove all access from group/all to leave only the owner with access to the file:


[wang@server ~/test]# chmod 600 test.txt
[wang@server ~/test]# ls -l
total 2
-rw------- 1 wang wang 5 Aug 7 19:43 test.txt
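To tie the walkthrough together, here is an added shell script (mine, not the article's) that replays the same five chmod steps on a scratch copy of test.txt, reads the mode back with ls -ld after each one, and then does what an administrator would do next: sweep a directory with find -perm -002 for any file that is still world-writable, which is the state the "feeling generous" chmod o+w step left test.txt in. The helper names mode_of, world_writable_files, walkthrough and audit_demo are my own, and the scratch files are created under mktemp -d so nothing on the real system is touched.

```shell
#!/bin/sh
# Added example (not from the original article): replay the chmod
# walkthrough above on a scratch file, reading the mode back after every
# step, then sweep a directory for world-writable files - the state the
# "chmod o+w" step produced, and the first thing an auditor looks for.

# mode_of: print the ten-character mode column of "ls -ld" for one path.
# Anything past column 10 (an ACL or extended-attribute marker on some
# systems) is cut off so the value compares cleanly across platforms.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# world_writable_files: list regular files below a directory whose
# "other" write bit is set. "-perm -002" means "at least o+w", so
# rw-rw-rw- matches, rw-r--rw- matches too, and rw-r--r-- does not.
world_writable_files() {
    find "$1" -type f -perm -002
}

# walkthrough: run the article's sequence of chmod commands on a fresh
# test.txt and print the mode after each step, one per line.
walkthrough() {
    dir=$(mktemp -d) || return 1
    f="$dir/test.txt"
    printf 'hello' > "$f"            # five bytes, like the article's file
    chmod 644 "$f"; mode_of "$f"     # -rw-r--r--  starting point
    chmod 664 "$f"; mode_of "$f"     # -rw-rw-r--  group gets write
    chmod o+w "$f"; mode_of "$f"     # -rw-rw-rw-  everyone gets write
    chmod g-w "$f"; mode_of "$f"     # -rw-r--rw-  group loses write again
    chmod 600 "$f"; mode_of "$f"     # -rw-------  owner only
    rm -rf "$dir"
}

# audit_demo: build a directory with one world-writable file and one
# owner-only file, and print which names the sweep reports (the
# temporary directory prefix is stripped so the output is predictable).
audit_demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/open.txt";   chmod 666 "$dir/open.txt"
    : > "$dir/closed.txt"; chmod 600 "$dir/closed.txt"
    world_writable_files "$dir" | sed "s|^$dir/||"
    rm -rf "$dir"
}

walkthrough
audit_demo    # open.txt
```

The point of world_writable_files is that the rw-rw-rw- state in the walkthrough is exactly what it catches: any user on the machine could have altered test.txt while it was in that state, and a periodic find -perm -002 over directories you care about (a web root, a home directory, a cron spool) is the cheapest way to notice that someone has been "feeling generous".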

Comments
Comment by rsr - 20-02-2007

When we type ls -l, the first line shows "total 2" (or some other number). What exactly is its meaning?



Comment by Wang - 20-02-2007

The total in the output is the total number of blocks being used by the files, including indirect blocks.


