File permissions
The permission mask is used to determine what, if any
access each level or class of user has to each
file on a Unix system. The permission mask is one of
the data elements stored in the inode table
entry for the file.
Every file has protection or permission
attributes for 3
classifications or levels of system user, i.e.
- User (u)
- Group (g)
- Other (o)
These permissions are displayed using the ls -l command:

      Group
      <->
- rwx r-x r-x 1 bin 114688 Jun 23 1987 /bin/csh
  <->     <->
  User    Other
The permission mask is divided into three areas,
also called levels of permission. The leftmost
group of three permissions applies to the user,
the individual who owns the file. (We refer to this
individual as the "user" rather than the "owner" because
the third field, "other", starts with the letter "o",
and we don't want to get confused.)
In this case, ownership is determined by the user
identification number assigned when the file is created.
Don't worry about the user identification number at this
point; we'll look closely at it when we look at how your
user record is created and stored. This number is the UID
or "User Identification Number", the third field
in /etc/passwd.
The second three permissions are those assigned to all
the individuals who share the same group identification
number as the user. This is the fourth field in /etc/passwd.
The third set of three permissions are those assigned to the
"other" users. Anyone who has a valid login ID on the system,
but is not the user of the file, nor in the user's group, is
considered "other".
In other words, the nine-bit permission mask is divided into
three three-bit permission sub-masks: one for user,
one for group, and one for everyone else (other).
Each permission sub-mask, or level of permission, is
divided into three individual permissions. The
leftmost permission, r, allows the file to be read;
the center permission, w, allows the file to be written;
and the rightmost permission in each level, x, allows
the file to be executed.
The write and execute permissions have slightly
different meanings depending on whether the file
is a regular file or a directory. In the case of a regular file,
writing simply means that the contents of the file can be modified.
Executing a regular file means that the command line interpreter
will attempt to run the text contained within the file as if it were
instructions.
In the case of a directory file, writing means that the contents of
the directory can be changed: files added or deleted. Execute
permission on a directory file allows the use of file matching
metacharacters to search within the directory. If you think
about it, writing is actually the same for a directory or
regular file because both are simply ASCII files.
The figure below shows the permissions mask:

   8 7 6 5 4 3 2 1 0
  |-------|-------|-------|
  | USER  | GROUP | OTHER |
  | r w x | r w x | r w x |
  |-------|-------|-------|
There are two different methods a user
may employ to alter the permission mask on
a file.
The owner of a file may change the permission
bits using an octal representation of the
required permissions. If you choose this method,
remember that you must specify the whole
permissions mask (all 9 bits),
not just one individual permission.
You will need to use the octal representation
for each of the three different levels of
permission. That means the permission mask you
will specify will be 3 octal numbers.
Since each octal number can be represented by 3
bits, each bit can represent one permission.
Each bit position corresponds to one permission
value. A three bit number has the following
positional values:
     4       2        1
   read    write   execute
The following table shows each of the 7 possible
permission combinations for one of the three levels
of permissions. Remember, you will need
to use three (3) octal numbers.
  Octal   Binary   Permission
    0      000     no permissions
    1      001     execute
    2      010     write
    3      011     write + execute
    4      100     read
    5      101     read + execute
    6      110     read + write
    7      111     read + write + execute
The code example below shows how the octal values can
be used to modify the permissions mask on a file. For
this example, please note that both ringo and lennon
are in the same group.
  ringo % chmod 710 /usr/ringo
  ringo % ls -lg /usr/ringo
  drwx--x--- 1 ringo beatles 512 Nov 24 18:00 /ringo
  ringo % chmod 740 /usr/ringo/help
  ringo % ls -lg /usr/ringo/help
  -rwxr----- 1 ringo beatles 1511 Nov 24 18:21 /usr/ringo/help
  lennon % cp ~ringo/help .
  lennon %
Refer to the table above to
interpret the octal values.
The first command gives full permission to the
directory's owner (ringo), execute permission
to the group, and no
permissions to anyone not a member of the owner's
group (beatles). Members of the
owner's group may access the directory (usually for
a known filename) but may not list the files in the
owner's directory.
The second command gives full permission to the
owner (ringo), allows group
members (e.g. lennon) and the
owner to read the file, but denies any access
to "other".
Alternatively, symbolic notation may be used
to grant or deny read, write, or execute permission
in the user, group and other permission masks.
Usually this method is used to modify only one (1)
permission, for one level. For example, giving
execute permission to the owner of a file, or removing
read permission from the group.
The table below shows the three levels of
permission, and the three permissions for each level.

  Level        Permissions
  u - user     r - read   w - write   x - execute
  g - group    r - read   w - write   x - execute
  o - other    r - read   w - write   x - execute
The first line below adds read
permission for other to the file john/sgtpepper.
The second line removes write access from both the group
and other for the same file.

  lennon % chmod o+r john/sgtpepper
  lennon % chmod go-w john/sgtpepper
Notice that in each case, the remaining permissions for the file
were not changed. Normally, you would use this second method to
alter one or two permissions, and the first method, octal, to change
several permissions at one time.
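An added shell example, not from the original tutorial, covering both the octal method and the symbolic method above: it converts between a three-digit octal mask and the rwx field that ls -l prints, checks the conversion against a real file with chmod, and then applies the o+r / go-w sequence from the sgtpepper example to a scratch file. The helper names and the starting mode 760 are my own choices.

```shell
# Added example, not from the original tutorial: the octal/rwx conversions
# behind the table above, checked against a real file with chmod, then the
# o+r / go-w sequence from the sgtpepper example. Assumes POSIX sh, mktemp
# and a filesystem that honours chmod; the start mode 760 is constructed.

digit_to_rwx() {   # one octal digit 0-7 -> rwx triple, e.g. 5 -> r-x
    d=$1; out=""
    if [ $((d & 4)) -ne 0 ]; then out="r"; else out="-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s' "$out"
}

octal_to_rwx() {   # three-digit mask, e.g. 710 -> rwx--x---
    u=$(printf '%s' "$1" | cut -c1)
    g=$(printf '%s' "$1" | cut -c2)
    o=$(printf '%s' "$1" | cut -c3)
    printf '%s%s%s\n' "$(digit_to_rwx "$u")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$o")"
}

rwx_to_octal() {   # nine-character field as printed by ls -l -> e.g. 755
    total=""
    for pos in 1 4 7; do            # user, group, other triples
        t=$(printf '%s' "$1" | cut -c"$pos-$((pos + 2))")
        d=0
        case $t in r??) d=$((d + 4));; esac
        case $t in ?w?) d=$((d + 2));; esac
        case $t in ??x) d=$((d + 1));; esac
        total="$total$d"
    done
    printf '%s\n' "$total"
}

mode_of() {        # permission field of ls -ld, file-type character dropped
    ls -ld "$1" | cut -c2-10
}
# Start at 760, then apply the tutorial's two symbolic changes; each chmod
# touches only the named bits and leaves the rest of the mask alone.
symbolic_demo() {
    f=$(mktemp) || return 1
    chmod 760 "$f";  m1=$(mode_of "$f")
    chmod o+r "$f";  m2=$(mode_of "$f")
    chmod go-w "$f"; m3=$(mode_of "$f")
    rm -f "$f"
    printf '%s %s %s\n' "$m1" "$m2" "$m3"
}

octal_to_rwx 710        # rwx--x---
symbolic_demo           # rwxrw---- rwxrw-r-- rwxr--r--
```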
Security of file contents (as opposed to
access) can be achieved using the crypt
program or other encryption tools like
pgp
or the Unix crypt
command. (Consult your system documentation man crypt