In Simple Terms
Contents
- 1. Managing Permissions: umask and chmod
- 1.1. CHMOD
- 1.2. UMASK
1. Managing Permissions: umask and chmod
Let's face it, security and privacy are big issues. Users of your system are going to want to know that their files are safe from prying eyes. They want to be protected automatically and comprehensively, with each new file protected as it is created. Incorrectly set permissions on a file may allow unwanted access, cause programs to function improperly, or deny access to legitimate users.
There are three categories of people: the owner of the file, members of the group that has shared access, and everyone else who doesn't fit into one of the previous groups. For short, these categories are ``user'', ``group'', and ``other'', respectively. Access to a file depends on which category you belong to. The ``user'' category has the highest precedence, followed by ``group'', then ``other''. The first category you match determines which file permissions apply to you, even if a later category is more lenient. For example, you could restrict a group member's access to read a file even though the ``other'' category has read access. This is because the ``group'' category has higher precedence, so the ``other'' category never gets looked at. (The superuser is the exception: root bypasses these checks.)
When giving permissions to a category, there are three types available: read, write, and execute. Read access allows you to view or print the contents of a file. Write access allows you to edit or modify the file; note that deleting or renaming a file is governed by write permission on the directory that contains it, not by the file's own permissions. Execute access allows you to run the file, provided it is a program. In the case of a directory, execute permission is required to change into it or to reach any file inside it by name, read permission is required to list its contents, and write permission is required to create or remove entries in it. Read, write and execute permissions are set separately for each category.
1.1. CHMOD
Individual file permissions are set with the command chmod. The file system uses a number and column scheme (actually it's ``octal'') to represent the particular permissions and the category that they apply to.
An ls -l will display the permissions of all the files in the current directory.
>ls -l
total 21
drwxr-xr-x 2 chrisc bsdbook 512 Mar 21 00:50 articles
-rw-rw-r-- 1 chrisc bsdbook 926 Mar 21 16:01 blueball.gif
-rw-r--r-- 1 chrisc bsdbook 1901 Mar 21 23:50 book.html
-rw-rw-r-- 1 chrisc bsdbook 7100 Mar 21 15:57 botbar_raw.gif
-rw-rw-r-- 1 chrisc bsdbook 2088 Mar 21 15:57 bsd.gif
drwxrwxr-x 3 chrisc bsdbook 512 Mar 22 00:02 cgi-bin
drwxrwxr-x 2 chrisc bsdbook 2560 Mar 21 15:50 docs
-rw-rw-r-- 1 chrisc bsdbook 0 Mar 22 00:15 file
-rw-rw-r-- 1 chrisc bsdbook 2865 Mar 21 15:47 umask.sgml
^^^^^^^^^^ These are the permissions.
There are four columns and four numbers (if you count zero). The columns represent the categories that the permissions apply to and the numbers are the three types of permissions, the fourth being zero or no permissions.
The Columns:
|Column1 | Column2 | Column3 | Column4|
|Special | Owner | Group | Others |
The Numbers:
In Column 1 only:
4 | Set User ID On Execution.
2 | Set Group ID On Execution.
1 | Set the Sticky Bit.
0 | Remove all Special options.
In Columns 2-4:
4 | Grant Read Permissions.
2 | Grant Write Permissions.
1 | Grant Execute Permissions.
0 | Remove all permissions from column.
chmod xxxx filename (Where xxxx represents the permission numbers.)
If you specify fewer than four digits when setting permissions, chmod fills in from the right: the digits you give are taken as the rightmost columns and the missing ones on the left are treated as zero. In other words chmod 22 filename sets write-only permission for group and others and removes every permission from the owner; chmod 24 filename and chmod 0024 filename are exactly the same. Either way the missing leading digits clear the special options (and, with only two digits, the owner's permissions as well), so make sure that is what you meant. The usual choices are chmod 644 filename for ordinary files and chmod 755 filename for executable files and directories. You can have no more than 4 digits, each corresponding to a column.
You can set both read and write permissions to a column by adding the numbers together. Write(2) + Read(4) = Both Read and Write(6). In the ls -l above, the file ``bsd.gif'' has been set to mode 664 using the command chmod 664 bsd.gif
-rw-rw-r-- 1 chrisc bsdbook 2088 Mar 21 15:57 bsd.gif
^          1 {Special}
 ^^^       2 {Owner}
    ^^^    3 {Group}
       ^^^ 4 {Other}
The first character is the file type rather than a permission: 'd' marks a directory and '-' an ordinary file (ls also shows 'l' for a symbolic link). The special options from Column 1 do not get a character of their own; set user ID and set group ID appear as an 's' in place of the owner's and the group's 'x', and the sticky bit as a 't' in place of the others' 'x' (an uppercase 'S' or 'T' means the special bit is set but the matching execute bit is not). Directories must have execute permission enabled in order for a user to change directories to them. In the nine permission fields a '-' signifies a lack of that permission, or a permission of '0'.
chmod can also modify file permissions using a ``first letter'' or ``symbolic'' short notation. This style of using chmod produces the same result as the column and number scheme and is very simple to use.
Permissions Types:
r Read
w Write
x Execute
Affected Area: (column)
u User
g Group
o Others
a All
Method Affected:
+ Add to
- Remove from
= Set equal to
To add execute permissions to all areas of the file ``bsd.gif'',
you would use chmod a+x bsd.gif
To remove read permissions from ``Others'' use
chmod o-r bsd.gif.
Having two ways to modify the permissions of a file is very useful. The ``octal'' method is very good for setting permissions to a known and exact value, while the ``symbolic'' method is useful for adding or removing individual permissions without recalculating the total value. Example: chmod +x bsd.gif would add execute permissions without us recalculating what the final permissions would be. One caveat: when you leave out the ``affected area'' letter, as in chmod +x, chmod behaves as if you had written ``a'' but leaves alone any bits that are set in your current umask, so under a umask that masks execute for ``others'' only the owner and group gain it. Write chmod a+x if you really mean everyone.
1.2. UMASK
When a file is created, the permissions it is offered by default are 666 for an ordinary file, or 777 for a directory or for an executable produced by a compiler or linker: full permissions to everyone! The command umask sets the mask of permission bits that are removed from those defaults whenever a file or directory is created.
Umask does just the opposite job of chmod. Each digit of the umask names permissions to be taken away from the corresponding column of the default value, using the number and column scheme. This is a bitwise mask rather than ordinary subtraction: a umask of 033 applied to 666 yields 644, not 633, because the write and execute bits that 033 names are cleared while the read bits it does not name are left alone.
Therefore, to have your files set to read and write by ``Owner'', but read only by ``Group'' and ``Others'', you would use a umask of 22 (the same as 022; as with chmod, missing leading digits are zero). The line
umask 22
can be put in your .login file (csh and tcsh users) or .profile (sh and bash users) so that it is set automatically every time you log in.
The Default Permissions: 666
Your Umask Values: 22
____
Your New Default Permissions: 644
Now every time you create a file from that shell, or from any program started by it, the file will have the New Default permissions. Programs started elsewhere, such as daemons or cron jobs, carry their own umask, and a program may always ask for a more restrictive mode than the default when it creates a file; the umask is a ceiling on what gets granted, not a guarantee of what you will get.
A umask of 77 would give you default permissions of 600 (or 700 for a directory or a binary), giving only the owner read and write access to the file.
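To check the rules from both the chmod and the umask sections against a live system, here is an added shell example that is mine and not code from the original article. It creates scratch files in a temporary directory, applies octal and symbolic chmod arguments and several umasks, and reads each resulting mode back from ls -l. The helper functions, file names and scratch directory are assumptions made for the demonstration. It goes a little beyond the text in two places: it shows that the umask is applied as a bit mask rather than by subtraction (umask 033 still yields 644), and that a bare chmod +x respects the umask while chmod a+x does not.

```sh
#!/bin/sh
# Added example, not code from the original article. Exercises chmod and umask
# on scratch files and reads each resulting mode back from ls -l.
# Assumptions: POSIX sh with ls, cut, chmod and mktemp; all file names invented.
set -e

SCRATCH=$(mktemp -d)               # scratch directory, removed on exit
trap 'rm -rf "$SCRATCH"' EXIT

# Ten-character type+permission field from ls -l, e.g. -rw-r--r--.
# Only ten characters are taken because ACL/SELinux systems append '+' or '.'.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create an empty regular file under the given umask and report its mode.
# The kernel computes 0666 & ~umask (a bit mask, not subtraction): with
# umask 033 the result is 644, not 633, because 033 names write and execute
# bits only and leaves the read bits alone.
mode_after_umask() {
    f="$SCRATCH/file_umask_$1"
    rm -f "$f"
    ( umask "$1"; : > "$f" )       # subshell: the caller's umask is untouched
    mode_of "$f"
}

# mkdir starts from 0777, which is why directories keep their execute bits.
dir_mode_after_umask() {
    d="$SCRATCH/dir_umask_$1"
    rm -rf "$d"
    ( umask "$1"; mkdir "$d" )
    mode_of "$d"
}

# Apply one chmod argument (octal or symbolic) to a fresh 0644 file.
# Fewer than four octal digits are right-justified, so "22" clears the
# owner's bits; "4755" shows the set-user-ID bit as an 's' in the owner slot.
mode_after_chmod() {
    f="$SCRATCH/file_chmod"
    rm -f "$f"
    ( umask 022; : > "$f" )        # start from -rw-r--r--
    chmod "$1" "$f"
    mode_of "$f"
}

# A bare "+x" (no who letter) differs from "a+x": POSIX leaves alone the bits
# that are set in the current umask. Under umask 027 a new file is 0640;
# "+x" then yields 0750 while "a+x" yields 0751.
mode_after_plus_x() {
    f="$SCRATCH/file_plus_x_$1"
    rm -f "$f"
    ( umask 027; : > "$f"; chmod "$1" "$f" )
    mode_of "$f"
}

# Stand-alone run: print each case so it can be compared with ls -l by hand.
for m in 022 077 033; do
    printf 'umask %s         -> %s\n' "$m" "$(mode_after_umask "$m")"
done
printf 'mkdir, umask 022  -> %s\n' "$(dir_mode_after_umask 022)"
for arg in 664 22 4755 a+x o-r; do
    printf 'chmod %-5s       -> %s\n' "$arg" "$(mode_after_chmod "$arg")"
done
printf 'umask 027, +x     -> %s\n' "$(mode_after_plus_x +x)"
printf 'umask 027, a+x    -> %s\n' "$(mode_after_plus_x a+x)"
```

Run it as an ordinary user; it needs no privileges and cleans up after itself. Both BSD and GNU ls print the same ten-character permission field, so the checks work on either, and because each helper changes the umask only inside a subshell, your own shell's umask is left exactly as it was.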
Now you can control the initial permissions of files and modify those permissions later to suit your needs.
Chris Coleman