Earlier in this chapter, when you tried to cd to
root's login directory, you received the following message:
[sam@halloween sam]$ cd /root
bash: /root: Permission denied
[sam@halloween sam]$
That was one demonstration of Linux's security features. Linux, like
UNIX, is a multi-user system, and file permissions are one way the
system protects against malicious tampering.
One way to gain entry when you are denied permission is to
su to root, as you learned earlier. This is
because whoever knows the root password has complete access.
[sam@halloween sam]$ su
Password: your root password
[root@localhost sam]# cd /root
[root@localhost /root]#
But switching to superuser is not always convenient, or wise, since it is
easy to make mistakes and alter important configuration files.
All files and directories are "owned" by the person who created them. You
created the file sneakers.txt (see the Section called Using Redirection) in your login
directory, so sneakers.txt "belongs" to you.
That means you can specify who is allowed to read the file, write to the
file, or (if it is an application instead of a text file) who can execute
the file.
Reading, writing, and executing are the three main settings in
permissions. Since users are placed into a group when their accounts are
created, you can also specify whether certain groups can read, write to,
or execute a file.
Take a closer look at sneakers.txt with the
ls command using the -l (long)
option (see Figure 11-9).
[sam@halloween sam]$ ls -l sneakers.txt
-rw-rw-r-- 1 sam sam 150 Mar 19 08:08 sneakers.txt
There is a lot of detail provided here. You can see who can read (r)
and write to (w) the file, as well as who created the file (sam), and to
which group the owner belongs (sam). Remember that, by default, the
name of your group is the same as your login name.
Other information to the right of the group includes file size, date and
time of file creation, and file name.
The first column shows current permissions; it has ten
slots. The first slot represents the type of file. The remaining nine
slots are actually three sets of permissions for three different
categories of users.
Those three sets are: the owner of the file, the group in which the file
belongs, and "others," meaning users and groups not yet specified.
-     (rw-)   (rw-)   (r--)   1 sam sam
|       |       |       |
type  owner   group   others
The first item, which specifies the file type, can show one of the
following:
Beyond the first item, in the following three sets, you will see one of the
following:
When you see a dash in owner, group, or others, it means that
particular permission has not been granted. Look again at the first
column of sneakers.txt and identify its
permissions.
[sam@halloween sam]$ ls -l sneakers.txt
-rw-rw-r-- 1 sam sam 150 Mar 19 08:08 sneakers.txt
[sam@halloween sam]$
The file's owner (in this case, sam) has permission to read and
write to the file. The group, sam, has permission to read and write to
sneakers.txt as well. It is not a program, so
neither the owner nor the group has permission to execute it.
Use the chmod command to change permissions
easily. This example shows how to change the permissions on
sneakers.txt with the chmod
command.
The original file looks like this, with its initial permissions
settings:
-rw-rw-r-- 1 sam sam 150 Mar 19 08:08 sneakers.txt
If you are the owner of the file or are logged into the root account you
can change any permissions for the owner, group, and others.
Right now, the owner and group can read and write to the file.
Anyone outside of the group can only read the file
(r--).
Caution
Remember that file permissions are a security feature. Whenever you
allow anyone else to read, write to, and execute files, you are
increasing the risk of files being tampered with, altered, or
deleted. As a rule, you should only grant read and write
permissions to those who truly need them.
In the following example, you want to allow everyone to write to the
file, so they can read it, write notes in it, and save it. That means
you will have to change the "others" section of the file permissions.
Take a look at the file first. At the shell prompt, type:
ls -l sneakers.txt
The previous command displays this file information:
-rw-rw-r-- 1 sam sam 150 Mar 19 08:08 sneakers.txt
Now, type the following:
chmod o+w sneakers.txt
The o+w argument tells the system you want to give
others write permission to the file sneakers.txt.
To check the results, list the file's details again. Now, the
file looks like this:
-rw-rw-rw- 1 sam sam 150 Mar 19 08:08 sneakers.txt
Now, everyone can read and write to the file (Figure 11-10).
To remove read and write permissions from sneakers.txt for the group
and for others, use the chmod command again:
chmod go-rw sneakers.txt
By typing go-rw, you are telling the system to
remove read and write permissions for the group and for others from the
file sneakers.txt.
The result will look like this:
-rw------- 1 sam sam 150 Mar 19 08:08 sneakers.txt
Think of these settings as a kind of shorthand when you want
to change permissions with chmod, because all you
really have to do is remember a few symbols and letters with the
chmod command.
Here is a list of what the shorthand represents:
- Identities
  u — the user who owns the file (that is, the owner)
  g — the group to which the user belongs
  o — others (not the owner or the owner's group)
  a — everyone or all (u, g, and o)
- Permissions
  r — read access
  w — write access
  x — execute access
- Actions
  + — adds the permission
  - — removes the permission
  = — makes it the only permission
Want to test your permissions skills? Remove all permissions from
sneakers.txt — for everyone:
[sam@halloween sam]$ chmod a-rwx sneakers.txt
Now, see if you can read the file:
[sam@halloween sam]$ cat sneakers.txt
cat: sneakers.txt: Permission denied
[sam@halloween sam]$
Removing all permissions, including your own, successfully locked the file. But since the file belongs to you, you can always change its
permissions back (see Figure 11-11).
[sam@halloween sam]$ chmod u+rw sneakers.txt
[sam@halloween sam]$ cat sneakers.txt
buy some sneakers
then go to the coffee shop
then buy some coffee
bring the coffee home
take off shoes
put on sneakers
make some coffee
relax!
[sam@halloween sam]$
Here are some common examples of settings that can be used with
chmod:
  g+w — adds write access for the group
  o-rwx — removes all permissions for others
  u+x — allows the file owner to execute the file
  a+rw — allows everyone to read and write to the file
  ug+r — allows the owner and group to read the file
  g=rx — lets the group only read and execute (not write)
By adding the -R option, you can change permissions
for entire directory trees.
Because you cannot really "execute" a directory as you would an
application, when you add or remove
execute permission for a directory, you are really allowing (or denying)
permission to search through that directory.
To allow everyone read and write access to every file in the example directory
tigger, type:
chmod -R a+rw tigger
If you do not allow others to have execute permission to
tigger, it will not matter who has read or write
access. No one will be able to get into the directory
unless they know the exact filename they want.
For example, type:
chmod a-x tigger
to remove everyone's execute permissions.
Here is what happens now when you try to cd into
tigger:
[sam@halloween sam]$ cd tigger
bash: tigger: Permission denied
[sam@halloween sam]$
Next, restore your own and your group's access:
chmod ug+x tigger
Now, if you check your work with ls -dl you will
see that only others will be denied access to the
tigger directory.
Remember the reference to the shorthand method of
chmod? Here is another way to change
permissions, although it may seem a little complex at first.
Go back to the original permissions for
sneakers.txt (type ls -l
sneakers.txt ).
-rw-rw-r-- 1 sam sam 150 Mar 19 08:08 sneakers.txt
Each permission setting can be represented by a numerical value: read
(r) is 4, write (w) is 2, execute (x) is 1, and a dash (no permission)
is 0.
When these values are added together, the total is used to set specific
permissions. For example, if you want read and write permissions, you
would have a value of 6; 4 (read) + 2 (write) = 6.
For sneakers.txt, here are the numerical permissions
settings:
-   (rw-)   (rw-)   (r--)
      |       |       |
    4+2+0   4+2+0   4+0+0
The total for the user is six, the total for the group is six, and the
total for others is four. The permissions setting is read as
664.
If you want to change sneakers.txt so those in
your group will not have write access, but can still read the file,
remove the access by subtracting two (2) from that set of numbers.
The numerical values, then, would become six, four, and four (644).
To implement these new settings, type:
chmod 644 sneakers.txt
Now verify the changes by listing the file. Type:
ls -l sneakers.txt
The output should be:
-rw-r--r-- 1 sam sam 150 Mar 19 08:08 sneakers.txt
Now, neither the group nor others have write permission
to sneakers.txt. To return the group's write access
for the file, add the value of w (2) to the second set of
permissions.
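As an added example (not from this chapter), the POSIX shell script below converts the first column of ls -l output into the numeric setting derived above and replays the symbolic and numeric chmod steps used in this section on a constructed scratch file; the helper names perm_to_octal, mode_of and walk_through are my own.

```shell
# Convert an ls -l permission string such as -rw-rw-r-- to its octal form
# (664) by scoring each rwx triplet: r = 4, w = 2, x = 1, dash = 0.
perm_to_octal() {
    s=$1
    # Drop the leading file-type slot (- or d) when a full 10-character field is given.
    if [ ${#s} -eq 10 ]; then
        s=${s#?}
    fi
    out=""
    i=1
    while [ "$i" -le 9 ]; do
        trip=$(printf '%s' "$s" | cut -c"$i-$((i + 2))")
        n=0
        case $trip in r??) n=$((n + 4)) ;; esac
        case $trip in ?w?) n=$((n + 2)) ;; esac
        # s and t (setuid, setgid, sticky) also carry the execute bit.
        case $trip in ??x|??s|??t) n=$((n + 1)) ;; esac
        out="$out$n"
        i=$((i + 3))
    done
    printf '%s\n' "$out"
}

# Report the current mode of a path by reading the first column of ls -ld.
mode_of() {
    perm_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# Replay the chapter's chmod sequence on a constructed scratch file and
# print "<change> <resulting mode>" for each step.
walk_through() {
    tmp=$(mktemp) || return 1
    chmod 664 "$tmp"   # start where the chapter does: -rw-rw-r--
    for change in o+w go-rw a-rwx u+rw 644; do
        chmod "$change" "$tmp"
        printf '%s %s\n' "$change" "$(mode_of "$tmp")"
    done
    rm -f "$tmp"
}

walk_through
```

Because mode bits are read from ls rather than by opening the file, the walk-through gives the same result whether or not it is run as root, which bypasses the permission checks themselves.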
Warning
Setting permissions to 666 will allow everyone to read and
write to a file or directory. Setting permissions to 777 allows
everyone read, write, and execute permission. These permissions could allow tampering
with sensitive files, so in general, it is not a good idea to use these
settings.
Here is a list of some common settings, numerical values and their
meanings:
  -rw------- (600) — Only the owner has read and write permissions.
  -rw-r--r-- (644) — Only the owner has read and write permissions;
  the group and others have read only.
  -rwx------ (700) — Only the owner has read, write and execute permissions.
  -rwxr-xr-x (755) — The owner has read, write and execute permissions;
  the group and others have only read and execute.
  -rwx--x--x (711) — The owner has read, write and execute permissions;
  the group and others have only execute.
  -rw-rw-rw- (666) — Everyone can read and write to the file.
  (Be careful with these permissions.)
  -rwxrwxrwx (777) — Everyone can read, write, and execute.
  (Again, this permissions setting can be hazardous.)
Here are some common settings for directories:
  drwx------ (700) — Only the user can read and write in this directory.
  drwxr-xr-x (755) — Everyone can read the directory, but its contents
  can only be changed by the user.