Monday, April 1, 2019

UNIX file and directory permissions with CHMOD examples

UNIX file permissions come in classes and types. There are three classes (user, group, others) and three types (read, write, execute). The classes are groups of users, while the types are the permissions granted to those users. UNIX permissions also come in two notations, Symbolic and Octal.

To change the access modes (read, write or execute) granted to any user class, we use the ‘chmod’ command. The chmod command allows a user to set permissions on a directory or file in symbolic or octal notation. The owner of the file is the only one allowed to chmod a file or directory unless you are the ‘root’ user.

CHMOD using Symbolic Notation

In Symbolic notation the permissions are broken up into three sets of characters, one set for each user class. The character ‘r’ stands for the ability to read a file, the ‘w’ character for the ability to modify or write a file, and the ‘x’ character for the ability to execute a file. The character ‘-’ denotes that no permission is granted for the file or directory to that user, group or others.

User classes

u – User Class (Owner of the file)
g – Group Class (users in the file's or directory's group)
o – Others Class (all other users not in the Group Class)
a – All Classes (applies to all user classes)

File Access Types

r – Read access to the file or directory
w – Modify access to the file or directory
x – Execute access to the file or directory

Let's say you created a file with the default permission set and you want to give the Group Class execute permissions.

-rw-rw-rw-  1 sam sam   164 Mar 28 18:30 file2.txt

To change the permissions for the Group Class with chmod you specify which user class you want to modify and then the permissions you want to grant to that class. The ‘+’ means to add to, while the ‘-’ means to take away from.

sam@asus:~/unix% chmod g+x file2.txt
sam@asus:~/unix% ls -l
-rw-rwxrw- 1 sam sam   164 Mar 28 18:30 file2.txt
sam@asus:~/unix% 

What the ‘g+x’ means is to grant ‘execute’ permission to the file's Group Class. You can set multiple combinations of permissions with the chmod command. For instance, let's say we would like to remove all read and write permissions from the Group Class and Others Class.

sam@asus:~/unix% chmod go-rw file2.txt
sam@asus:~/unix%

The ‘go-rw’ means that all users in the Group and Others Classes will lose their ability to read and modify the file. Now only the owner of the file has permissions on the file. The file permissions should now look like this: ‘-rw-------’.

sam@asus:~/unix% ls -l
-rw-------  1 sam sam   164 Mar 28 18:30 file2.txt
sam@asus:~/unix% 

You can also ‘chain’ permission modes by separating each user class with a comma ‘,’. In this example the chain gives us a resulting file permission of ‘-rwxrw-r--’.

sam@asus:~/unix% ls -l
-rw---x---  1 sam sam   164 Mar 28 18:30 file2.txt
sam@asus:~/unix% chmod u=rwx,g=rw,o=r file2.txt
sam@asus:~/unix% ls -l
-rwxrw-r-- 1 sam sam   164 Mar 28 18:30 file2.txt
sam@asus:~/unix% 

What the ‘u=rwx’ says is grant the owner of this file read/write/execute permissions on the file. The ‘g=rw’ means assign read/write permissions to the file's Group Class. The ‘o=r’ says assign read permission only to all others who are not in the file's group.

A shortcut provided by the chmod command is the ‘a’ or all option. Instead of having to write a long chain of permissions for every user class, you can simply issue a command like so:

sam@asus:~/unix% chmod a-wx,a+r file2.txt
sam@asus:~/unix% ls -l
-r--r--r--  1 sam sam   164 Mar 28 18:30 file2.txt
sam@asus:~/unix% 

What this command does is remove from all users the ability to write and execute the file, while giving all users the ability to read the file. The resulting permissions set are ‘-r--r--r--’.

Setting directory permissions with chmod

You still have the three ‘rwx’ characters, but they mean something different. It's important to realize that files in a directory may not have the same permissions as that directory.

Directory Permission Access Types

r – allows a user to view the directory's contents
w – allows a user to create and delete files in the directory
x – determines whether the user can enter (cd) into the directory or run a program or script in it

Allowing users to ‘cd’ into a directory

sam@asus:~/unix% ls -l
drwxrwxr-x  3 sam sam  4096 Mar 28 21:18 docs
sam@asus:~/unix%

If you look at the permissions on this directory, it is the default permission set when a directory is created. We want to change it so the Others Class of users may not ‘cd’ into the directory.

sam@asus:~/unix% chmod o-x docs/
sam@asus:~/unix% ls -l
drwxrwxr-- 3 sam sam  4096 Mar 28 21:18 docs
sam@asus:~/unix% 

We removed the ability for users in the Others Class to enter the directory with the ‘o-x’ option. Now we'll try to change into the directory as a user in the Others Class.

sam@asus:~/unix% su test
test@asus:/home/sam/unix$ cd docs
bash: cd: docs: Permission denied
test@asus:/home/sam/unix$ 

That's the difference between the file access type ‘x’ and the directory version. The directory 'x' also grants or denies a user the ability to execute scripts in the directory.

sam@asus:~/unix% ls -l
drwxrwxr-- 2 sam sam  4096 Apr  1 19:20 docs
sam@asus:~/unix% ls -l docs/
-rw-rw-r-x 1 sam sam 0 Apr  1 19:20 script.sh
sam@asus:~/unix% su test
test@asus:/home/sam/unix$ docs/script.sh
bash: docs/script.sh: Permission denied
test@asus:/home/sam/unix$ 

Even though we have 'x' permission on the file in the directory, we still cannot execute it because the directory's 'x' permission is not set. This is because the directory 'x' permission also grants or denies a user the ability to execute a file or script inside that directory.

Listing the contents of a directory

The ‘r’ directory access type allows or disallows a user to list the contents of a directory.

sam@asus:~/unix% ls -l
drwxrwxr-x  3 sam sam  4096 Mar 28 21:18 docs
sam@asus:~/unix% chmod o-r docs/
sam@asus:~/unix% ls -l
drwxrwx--x 2 sam sam  4096 Apr  1 16:10 docs
sam@asus:~/unix% su test
test@asus:/home/sam/unix$ cd docs/
test@asus:/home/sam/unix/docs$ ls -l
ls: cannot open directory '.': Permission denied
test@asus:/home/sam/unix/docs$ 

The ability to create or delete a file in a directory.

sam@asus:~/unix% chmod o-w docs/
sam@asus:~/unix% ls -l 
drwxrwxr-x 2 sam sam  4096 Apr  1 16:10 docs
sam@asus:~/unix% ls -l docs/file.txt 
-rw-rw-rw- 1 sam sam 0 Apr  1 16:10 docs/file.txt
sam@asus:~/unix% 

This directory has the ‘write’ permission missing for the Others user class, but the file itself gives the Others Class write permission. What this means is that users in the Others Class cannot create or delete files in the directory. They can modify an already existing file like ‘file.txt’, but they cannot create a new file or delete an existing one.

test@asus:/home/sam/unix$ cd docs/
test@asus:/home/sam/unix/docs$ touch file2.txt
touch: cannot touch 'file2.txt': Permission denied 
test@asus:/home/sam/unix/docs$ echo "TEST" >file.txt
test@asus:/home/sam/unix/docs$ cat file.txt
TEST
test@asus:/home/sam/unix/docs$ rm file.txt
rm: cannot remove 'file.txt': Permission denied
test@asus:/home/sam/unix/docs$ 

CHMOD using Octal Notation

chmod also allows permissions to be set in octal notation. In Octal Notation a three digit octal code breaks down into the user classes: the first digit represents the owner of the file, the second digit represents the Group Class and the third digit the Others Class.

In Octal Notation each digit is the sum of the values for the permission types it grants. There are eight possible values for a digit, and three digits are combined (755, 777, etc.) to set the permissions of the file or directory.

0 – 000 – none
1 – 001 – execute
2 – 010 – write
3 – 011 – write and execute
4 – 100 – read
5 – 101 – read and execute
6 – 110 – read and write
7 – 111 – read, write and execute

In octal notation each of the three digits represents a three-bit binary value whose bits correspond to the permission types Read, Write and Execute. A binary ‘1’ says that the permission is granted, while a ‘0’ says the permission is not granted on the file.

Another utility which is helpful when you are using Octal Notation is the ‘stat’ command. The stat command can show many different aspects of a file. Today we will be using the ‘%a’ format specifier, which shows us the access rights of the file in Octal Notation.

sam@asus:~/unix% stat --format=%a file2.txt
444
sam@asus:~/unix% 

This is helpful when you see a directory that has its permissions in Symbolic Notation and you want to set absolute permissions in Octal. If we stat the file again using the '%A' format specifier, we will receive the result in Symbolic notation.

sam@asus:~/unix% stat --format=%A file2.txt
-r--r--r--
sam@asus:~/unix% 

So let's say we want to give 'file2.txt' a permission of ‘775’ octal. If we reference the chart above we see that ‘7’ equates to read/write/execute permissions. The first 7 represents the owner of the file. The second digit is again a ‘7’, which permits read/write/execute permissions to the Group Class of users. The last digit is a ‘5’, which indicates read and execute permissions for everyone else.

sam@asus:~/unix% chmod 775 file2.txt
sam@asus:~/unix% ls -l file2.txt
-rwxrwxr-x 1 sam sam 164 Mar 28 18:30 file2.txt
sam@asus:~/unix% 

We see here that the file's permissions changed from an Octal permission of '444', which translates symbolically to ‘-r--r--r--’, to ‘-rwxrwxr-x’, which is '775' in Octal Notation.
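To tie the symbolic and octal sections together, here is a small re-implementation of the symbolic-mode grammar described above and of the octal view that stat prints. This is an added example, not code from the original post; it covers only the ugoa classes, the + - = operators and the rwx letters used in this post (no X, s, t or umask handling) and replays the post's chmod sequence on file2.txt.

```python
"""Model chmod's symbolic modes and render them like stat's %A and %a."""
import re

# Added example (not from the post). Bit masks for each user class and
# each permission letter, in the 9-bit rwxrwxrwx layout used by chmod.
CLASS_BITS = {"u": 0o700, "g": 0o070, "o": 0o007}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}
CLAUSE = re.compile(r"^([ugoa]+)([+=-])([rwx]*)$")


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a spec such as 'go-rw' or 'u=rwx,g=rw,o=r' to a 9-bit mode."""
    for clause in spec.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported symbolic clause: {clause!r}")
        classes, op, perms = m.groups()
        if "a" in classes:
            classes = "ugo"  # 'a' is shorthand for every class
        class_mask = sum(CLASS_BITS[c] for c in set(classes))
        perm_mask = sum(PERM_BITS[p] for p in set(perms))
        bits = class_mask & perm_mask  # only the bits this clause names
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:  # '=' replaces the whole triplet of each named class
            mode = (mode & ~class_mask) | bits
    return mode & 0o777


def to_symbolic(mode: int) -> str:
    """Render like 'ls -l' / stat %A for a regular file (leading '-')."""
    letters = "rwxrwxrwx"
    return "-" + "".join(l if mode & (1 << (8 - i)) else "-"
                         for i, l in enumerate(letters))


def to_octal(mode: int) -> str:
    """Render like stat %a (three octal digits, e.g. '444')."""
    return format(mode & 0o777, "o")


def from_symbolic(text: str) -> int:
    """Parse an 'ls -l' style string such as '-rw-rw-rw-' into a mode."""
    return sum(1 << (8 - i) for i, ch in enumerate(text[-9:]) if ch != "-")


if __name__ == "__main__":
    mode = from_symbolic("-rw-rw-rw-")  # starting point used in the post
    for spec in ("g+x", "go-rw", "u=rwx,g=rw,o=r", "a-wx,a+r"):
        mode = apply_symbolic(mode, spec)
        print(f"chmod {spec:<16} -> {to_symbolic(mode)}  ({to_octal(mode)})")
```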
