{"id":376,"date":"2020-08-18T19:23:47","date_gmt":"2020-08-18T20:23:47","guid":{"rendered":"http:\/\/www.linux-tutorial.info\/?page_id=77"},"modified":"2020-08-22T19:26:17","modified_gmt":"2020-08-22T20:26:17","slug":"this-is-the-page-title-toplevel-209","status":"publish","type":"page","link":"http:\/\/www.linux-tutorial.info\/?page_id=376","title":{"rendered":"Permissions"},"content":{"rendered":"\n<title>Permissions<\/title>\n<p>\nAll this time we have been talking about finding and executing commands, but\nthere is one issue that I haven&#8217;t mentioned. That is the concept of\n<glossary>permissions<\/glossary>.\nTo access a file, you need to have permission to do so. If you want to read a\nfile, you need to have read permission. If you want to write to a file, you need\nto have write permission. If you want to execute a file, it must have execute\npermission.\n<\/p>\n<question id=\"76\" text=\"What command changes the permissions on a file?\" \/>\n<question id=\"34\" text=\"Which of the following is not a Linux file type?\" \/>\n<p>\nPermissions are set on a file using the <command>chmod<\/command> command or when the file is\ncreated (the details of which I will save for later). You can read the\npermissions on a file by using either the <keyinput>l<\/keyinput> command or\n<keyinput>ls -l<\/keyinput>. At the beginning\nof each line will be ten characters, which can either be dashes or letters. The\nfirst position is the type of the file, whether it is a regular file (-), a\ndirectory (d), a <glossary>block device<\/glossary>\nfile (b), and so on. 
Below are some examples of the various file types.\n<\/p>\n<question id=\"440\" text=\"The owner of this file<br \/><pre>-rw-rw-r-  1  jimmo  support  1988  Sep  15  10&#58;05  letter.txt<\/pre><br \/> is support.\" \/>\n<question id=\"441\" text=\"The group of this file<br \/><pre>-rw-rw-r-  1  jimmo  support  1988  Sep  15  10&#58;05  letter.txt<\/pre><br \/> is support.\" \/>\n<p>\n<img decoding=\"async\" src=\"perms.png\" width=548 HEIGHT=105 BORDER=0 usemap=\"#perms_map\">\n<map name=\"perms_map\">\n<area shape=\"RECT\" coords=\"101,1,119,102\" href=\"popup#Links#This column shows how many links this file has. For directories the value is always 2.\">\n<area shape=\"RECT\" coords=\"121,0,156,102\" href=\"popup#File Owner#This is the name of the user who owns this file.\">\n<area shape=\"RECT\" coords=\"176,1,226,103\" href=\"popup#File Group#This is the name of the group of the file.\">\n<area shape=\"RECT\" coords=\"249,15,281,47\" href=\"popup#Major and Minor Number#For device nodes, you see the major and minor number and not the file size.\">\n<area shape=\"RECT\" coords=\"252,52,283,63\" HREF=\"popup#Directory Size#For directories you see the size of the file  containing the directory <i>not<\/i> the total of all files in the directory.\">\n<area shape=\"RECT\" coords=\"248,0,285,104\" href=\"popup#File size#This is the size of the file in bytes.\">\n<area shape=\"RECT\" coords=\"302,0,414,103\" href=\"popup#Modification time#This is the time the file was last changed. 
Files older than six months show the year instead of the time.\">\n<area shape=\"RECT\" coords=\"432,86,541,99\" href=\"popup#Symbolic link#The arrow tells us that this is a symbolic link.\">\n<area shape=\"RECT\" coords=\"434,17,490,48\" href=\"popup#Device nodes#Typically only device nodes are in the \/dev directory.\">\n<area shape=\"RECT\" coords=\"432,2,545,100\" href=\"popup#File Name#This is the name of the file or directory.\">\n<area shape=\"RECT\" coords=\"1,1,77,99\" href=\"popup#File permissions#The first character tells us what kind of file this is and the remaining nine characters are the permissions. (see the text for details)\">\n<\/map>\n<p>\n<icaption>Image &#8211; Various file types. (<b>interactive<\/b>)<\/icaption>\n<question id=\"442\" text=\"What kind of file is this?<br \/><pre>brw-rw----  1  root  disk  1,1  Mar  8  07&#58;34  \/dev\/hda1<\/pre>\" \/>\n<question id=\"443\" text=\"What kind of file is this?<br \/><pre>crw-rw----  1  root  disk  4,1  Mar  8  07&#58;34  \/dev\/tty<\/pre>\" \/>\n<\/p>\n<p>\n- &#8211; regular file<br \/>\nc &#8211; character device<br \/>\nb &#8211; block device<br \/>\nd &#8211; directory<br \/>\np &#8211; named pipe<br \/>\nl &#8211; symbolic link<br \/>\n<\/p>\n<p>\nWe&#8217;ll get into the details of these files as we move along. If you are\ncurious about the format of each entry, you can look at the ls <glossary>man-page<\/glossary>.\n<\/p>\n<p>\nThe next nine positions are broken into three groups. Each group consists of three\ncharacters indicating the permissions. They are, in order, read(r), write(w), and execute(x). The first\nset of characters indicates what <glossary>permissions<\/glossary>\nthe owner of the file has. The second set of characters\nindicates the <glossary>permissions<\/glossary>\nfor the group of that file. 
The last set of characters indicates\nthe <glossary>permissions<\/glossary> for everyone else.\n<\/p>\n<p>\nIf a particular permission has not been given, a dash (-) will appear here. For\nexample, rwx means all three <glossary>permissions<\/glossary>\nhave been given. In our example above,\nthe <glossary>symbolic link<\/glossary>\n<command>\/usr\/bin\/vi<\/command> has read, write, and execute <glossary>permissions<\/glossary>\nfor everyone. The <glossary>device nodes<\/glossary>\n<device>\/dev\/tty1<\/device> and <device>\/dev\/hda1<\/device> have <glossary>permissions<\/glossary>\nrw- for the owner and group, meaning only read and write, but not execute\n<glossary>permissions<\/glossary> have\nbeen given. The directory <directory>\/bin<\/directory> has read and execute <glossary>permissions<\/glossary>\nfor everyone (r-x), but only the owner can write to it (rwx).\n<\/p>\n<question id=\"33\" text=\"To change into a directory it must have what permissions\" \/>\n<concept id=\"90\" description=\"To change into a directory you actually need 'execute' permissions on the directory.\" \/>\n<question id=\"446\" text=\"What command would you use to set the permissions on a directory so that the group can change into it.\" \/>\n<question id=\"\" type=\"tf\" text=\"To write a file to a directory you need both execute and write permissions.\" \/>\n<concept id=\"\" description=\"To write a file to a directory you need at least write permissions for that directory.\" \/>\n<p>\nFor directories, the situation is slightly different than for regular files.\nIf you do not have read permission on a directory, you cannot read the contents\nof that directory. Also, if you do not have write permission on a directory, you\ncannot write to it. This means that you cannot create a new file in that directory.\nExecute <glossary>permissions<\/glossary>\non a directory mean that you can search it or list its contents. 
That is, if the\nexecution bit is not set on a directory but the read bit is, you can see what\nfiles are in the directory but cannot execute any of the files or even change\ninto that directory. If you have execution permission but no read permission,\nyou can execute the files, change directories, but not see what is in the\ndirectory.\n<\/p>\n<concept id=\"\" description=\"In general, if you have write permissions on a directory, you can also delete files in that directory.\" \/>\n<question id=\"\" type=\"TF\" text=\"In general, if you have write permissions on a directory, you can also delete files in that directory.\" \/>\n<question id=\"\" type=\"mc\" text=\"What permissions are necessary to remove a file?\" \/>\n<p>\nWrite permission on a directory also has an interesting side effect. Because\nyou need to have write permission on a directory to create a new file, you also\nneed to have write permission to remove an existing file. Even if you do not\nhave write permission on the file itself, if you can write to the directory, you\ncan erase the file.\n<\/p>\n<question id=\"35\" text=\"A directory is stored on the hard disk like any other file.\" \/>\n<concept id=\"91\" description=\"A directory is stored on the hard disk like any other file.\" \/>\n<p>\nAt first this sounds odd. However, remember that a directory is nothing more\nthan a file in a special format. 
If you have write permission to a\ndirectory-file, you can remove the references to other files, thereby removing\nthe files themselves.\n<\/p>\n<p>\nIf we were to set the <glossary>permissions<\/glossary>\nfor all users so that they could read, write, and execute a file, the command would look\nlike this:\n<\/p>\n<question id=\"444\" text=\"What command would you use to add write permissions on a file for the group and others?\" \/>\n<question id=\"445\" text=\"What command would you use to change the permissions on a file so only the owner can read and write it and the group can only read it?\" \/>\n<p>\n<commandexample command=\"chmod\">chmod 777 filename<\/commandexample>\n<\/p>\n<p>\nYou can also use symbolic <glossary>permissions<\/glossary>\nto accomplish the same thing. We use the letters u, g, and o to specify the\nuser(owner), group, and others for this file, respectively. The\n<glossary>permissions<\/glossary> are then r for read, w for write, and x for\nexecute. So to set the <glossary>permissions<\/glossary> so\nthat the owner can read and write a file, the command would look like this:<\/p>\n<p>\n<commandexample command=\"chmod\">chmod u=rw filename<\/commandexample>\n<\/p>\n<p>\nNote that in contrast to the absolute numbers, setting the <glossary>permissions<\/glossary>\nsymbolically is additive. So, in this example, we would just change the user&#8217;s <glossary>permissions<\/glossary>\nto read and write, but the others would remain unchanged. If we changed the command to this\n<\/p>\n<p>\n<commandexample command=\"chmod\">chmod u+w filename<\/commandexample>\n<\/p>\n<p>\nwe would be adding write permission for the user of that file. 
Again, the\npermissions for the others would be unchanged.\n<\/p>\n<p>\nTo make the permissions for the group and others to be the same as for the user, we could set it like\nthis\n<\/p>\n<p>\n<commandexample command=\"chmod\">chmod go=u filename<\/commandexample>\n<\/p>\n<p>\nwhich simply means &#8220;change the mode so that the <glossary>permissions<\/glossary>\nfor the group and others equals the user.&#8221; We also could have set them all explicitly in\none command, like this\n<\/p>\n<p>\n<commandexample command=\"chmod\">chmod u=rw,g=rw,o=rw filename<\/commandexample>\n<\/p>\n<p>\nwhich has the effect of setting the permissions\nfor everyone to read and write. However, we don&#8217;t need to write that much.\n<\/p>\n<p>\nCombining the commands, we could have something that looks like this:\n<\/p>\n<question id=\"\" type=\"mc\" text=\"Which command would give the owner read-write permissions, but the group only read permissions?\" \/>\n<p>\n<commandexample command=\"chmod\">chmod u=rw,go=u filename<\/commandexample>\n<\/p>\n<p>\nThis means &#8220;set the <glossary>permissions<\/glossary>\nfor the user to read and write, then set the <glossary>permissions<\/glossary>\nfor group and others to be equal to the user.&#8221;\n<\/p>\n<p>\nNote that each of these changes is done in sequence. So be\ncareful what changes are made. For example, let&#8217;s assume we have a file that is\nread-only for everyone. We want to give everyone write permission for it, so we\ntry\n<\/p>\n<p>\n<commandexample command=\"chmod\">chmod u+w,gu=o filename<\/commandexample>\n<\/p>\n<p>\nThis is a typo because we meant to say\n<keyinput>go=u<\/keyinput>. 
The effect is that we added write <glossary>permissions<\/glossary>\nfor the user, but then set the permissions on the group and user to the same as others.\n<\/p>\n<p>\nWe might want to try adding the write <glossary>permissions<\/glossary>\nlike this:<\/p>\n<p>\n<commandexample command=\"chmod\">chmod +w filename<\/commandexample>\n<\/p>\n<p>\nThis works on some systems, but not some Linux distributions that I have\nseen. According to the <glossary>man-page<\/glossary>,\nthis will not change those <glossary>permissions<\/glossary> where\nthe bits in the UMASK are set. (More on this later. See the chmod\n<glossary>man-page<\/glossary> for details.)<\/p>\n<p>\nTo get around this, we use a to specify all users. Therefore,\nthe command would be\n<\/p>\n<p>\n<commandexample command=\"chmod\">chmod a+w filename<\/commandexample>\n<\/p>\n<p>\nThere are a few other things that you can do with <glossary>permissions<\/glossary>.\nFor example, you can set a program to\nchange the <glossary>UID<\/glossary>\nof the process when the program is executed. For example, some\nprograms need to run as root to access other files. Rather than giving the user\nthe root password, you can set the program so that when it is executed, the\nprocess is run as root. This is a Set-UID, or <glossary>SUID<\/glossary>\nprogram. If you want to run a\nprogram with a particular group ID, you would make it an SGID program. Both are set with the s\noption to chmod, like this\n<\/p>\n<p>\n<commandexample command=\"chmod\">chmod u+s program<\/commandexample>\n<\/p>\n<p>\nor\n<\/p>\n<p>\n<commandexample command=\"chmod\">chmod g+s program<\/commandexample>\n<\/p>\n<p>\nAs in other cases, you can set permissions numerically, using the octal mode of the permissions. Since the SUID or SGID permissions are not part of the standard &#8220;rwx&#8221;, you need to add an extra digit, so you need four places. For SUID, you use the digit 4 and for SGID you use 2. 
So, in the previous example, to make the file SUID, you might have this:\n<\/p>\n<question id=\"\" type=\"MC\" text=\"What command would change the permissions on 'command' so that it is SUID?\" \/>\n<question id=\"\" type=\"MC\" text=\"What command would change the permissions on 'command' so that it is SGID?\" \/>\n<p>\n<commandexample command=\"chmod\">chmod 4755 program<\/commandexample>\n<\/p>\n<p>\n<\/p>\n<p>\nThere are a few other special cases, but I will leave it up to you to check out the chmod <glossary>man-page<\/glossary>\nif you are interested.\n<\/p>\n<p>\nWhen you create a file, the access <glossary>permissions<\/glossary>\nare determined by their file creation mask. This is defined by the UMASK <glossary>variable<\/glossary>\nand can be set using the umask command. One thing to keep in mind is that this\nis a <glossary>mask<\/glossary>. That is, it masks out\npermissions rather than assigning them. If you remember, <glossary>permissions<\/glossary>\non a file can be set using the chmod command and a three-digit value. For example\n<\/p>\n<p>\n<commandexample command=\"chmod\">chmod 600 letter.john<\/commandexample>\n<\/p>\n<p>\nexplicitly sets the <glossary>permissions<\/glossary>\non the file letter.john to 600 (read and write permission for the user and nothing for\neveryone else). If we create a new file, the <glossary>permissions<\/glossary>\nmight be 660 (read\/write for user and group). This is determined by the UMASK. To understand\nhow the UMASK works, you need to remember that the <glossary>permissions<\/glossary>\nare <glossary>octal<\/glossary>\nvalues,\nwhich are determined by the <glossary>permissions<\/glossary>\nbits. 
Looking at one set of permissions\nwe have\n<\/p>\n<table cellspacing=0 BORDER=0 CELLPADDING=4 WIDTH=138>\n<tr><td><i>bit:<\/i><td><i>2<\/i><td><i> 1<\/i><td><i>0<\/i>\n<tr><td><i>value:<\/i><td><i> 4<\/i><td><i>2<\/i><td><i>1<\/i>\n<tr><td><i>symbol:<\/i><td><i>r<\/i><td><i>w<\/i><td><i> x<\/i>\n<\/table>\n<p>\nwhich means that if the bit with value 4 is set (bit 2), the file can be\nread; if the bit with value 2 is set (bit 1), the file can be written to; and if\nthe bit with value 1 is set (bit 0), the file can be executed. If multiple bits\nare set, their values are added together. For example, if bits 2 and 1 are set\n(read\/write), the value is 4+2=6. Just as in the example above, if all three are\nset, we have 4+2+1=7. Because there are three sets of <glossary>permissions<\/glossary>\n(owner, group, others), the <glossary>permissions<\/glossary>\nare usually used in triplets, just as in the chmod\nexample above.\n<\/p>\n<question id=\"\" type=\"mc\" text=\"What does the UMASK do?\" \/>\n<p>\nThe UMASK value <em>masks<\/em> out the bits. The\npermissions that each position in the UMASK masks out are the same as the file\npermissions themselves. So, the left-most position masks out the owner\npermission, the middle position the group, and the right most masks out all\nothers. If we have UMASK=007, the <glossary>permissions<\/glossary>\nfor owner and group are not\ntouched. However, for others, we have the value 7, which is obtained by setting\nall bits. Because this is a <glossary>mask<\/glossary>,\n all bits are unset. (The way I remember this\nis that the bits are inverted. Where it is set in the UMASK, it will be unset in\nthe <glossary>permissions<\/glossary>, and vice versa.)\n<\/p>\n<p>\nThe problem many people have is that the <glossary>umask<\/glossary>\ncommand does <em>not<\/em> force <glossary>permissions<\/glossary>,\nbut rather <em>limits<\/em> them. 
For example, if we had UMASK=007, we could assume\nthat any file created\nhas <glossary>permissions<\/glossary>\nof 770. However, this depends on the program that is creating\nthe file. If the program is creating a file with <glossary>permissions<\/glossary>\n777, the <glossary>umask<\/glossary> will\nmask out the last bits and the <glossary>permissions<\/glossary>\nwill, in fact, be 770. However, if\nthe program creates <glossary>permissions<\/glossary>\nof 666, the last bits are still masked out.\nHowever, the new file will have <glossary>permissions<\/glossary>\nof 660, <em>not<\/em> 770.\nSome programs, like the C compiler, do generate files with the execution bit\n(bit 0) set. However, most do not. Therefore, setting the UMASK=007 does not\nforce creation of executable programs, unless the program creating the file does\nso itself.\n<\/p>\n<p>\nLet&#8217;s look at a more complicated example. Assume we have\nUMASK=047. If our program creates a file with <glossary>permissions<\/glossary>\n777, then our UMASK\ndoes nothing to the first digit, but masks out the 4 from the second digit,\ngiving us 3. Then, because the last digit of the UMASK is 7, this masks out\neverything, so the <glossary>permissions<\/glossary>\nhere are 0. As a result, the permissions for the\nfile are 730. However, if the program creates the file with <glossary>permissions<\/glossary>\n666, the\nresulting <glossary>permissions<\/glossary>\nare 620. The easy way to figure out the effects of the\nUMASK is to subtract the UMASK from the default <glossary>permissions<\/glossary>\nthat the program\nsets. (Note that all negative values become 0.)<\/p>\n<p>\nAs I mentioned, one way the UMASK is set is through the <glossary>environment<\/glossary>\n<glossary>variable<\/glossary> UMASK. You can change it\nanytime using the <glossary>umask<\/glossary>\ncommand. 
The syntax is simply\n<\/p>\n<p>\n<commandexample command=\"umask\">umask &lt;new_umask&gt;<\/commandexample>\n<\/p>\n<p>\nHere the &lt;new_umask&gt; can either be the numeric\nvalue (e.g., 007) or symbolic. For example, to set the <glossary>umask<\/glossary>\nto 047 using the symbolic notation, we have\n<\/p>\n<p>\n<commandexample command=\"umask\">umask u=rwx,g=wx,o=<\/commandexample>\n<\/p>\n<p>\nIn the symbolic notation you list the <glossary>permissions<\/glossary>\nthat stay allowed rather than the ones that are masked out. This has the effect of removing no <glossary>permissions<\/glossary>\nfrom the user, removing read permission from the group, and removing all\n<glossary>permissions<\/glossary> from others.\n<\/p>\n<p>\nBeing able to change the permissions on a file is often not enough. What if the\nonly person that should be able to change a file is not the owner? Simple! You\nchange the owner.  This is accomplished with the chown command, which has the\ngeneral syntax: <p>\n<commandexample command=\"chown\">chown new_owner filename<\/commandexample>\n<p>\nWhere &#8220;new_owner&#8221; is the name of the user account we want to set the owner of\nthe file to, and &#8220;filename&#8221; is the file we want to change. In addition, you\ncan use chown to change not only the owner, but the group of the file as well.\nThis has the general syntax:\n<\/p>\n<question id=\"447\" text=\"What single command would you use to change the owner of a file to jimmo and the group to support?\" \/>\n<p>\n<commandexample command=\"chown\">chown new_owner:new_group filename<\/commandexample>\n<\/p>\n<question id=\"448\" text=\"What command would you use to set the permissions of FILE2 to the same as FILE1?\" \/>\n<p>\nAnother useful trick is the ability to set the owner and group to the same ones\nas another file. This is done with the  <keyinput>--reference=<\/keyinput> option, which you set to the\nname of the file you are referencing. If you want to change just the group, you\ncan use the <command>chgrp<\/command> command, which has the same basic syntax as\n<command>chown<\/command>.  
Note that both <command>chgrp<\/command> and <command>chmod<\/command>\ncan also take the <keyinput>--reference=<\/keyinput> option. Further, all three\nof these commands take the <keyinput>-R<\/keyinput> option, which recursively changes the permissions,\nowner or group.\n","protected":false},"excerpt":{"rendered":"<p>Permissions All this time we have been talking about finding and executing commands, but there is one issue that I haven&#8217;t mentioned. That is the concept of permissions. To access a file, you need to have permission to do so. &hellip; <a href=\"http:\/\/www.linux-tutorial.info\/?page_id=376\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-376","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=\/wp\/v2\/pages\/376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=376"}],"version-history":[{"count":1,"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=\/wp\/v2\/pages\/376\/revisions"}],"predecessor-version":[{"id":656,"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=\/wp\/v2\/pages\/376\/revisions\/656"}],"wp:attachment":[{"href":"http:\/\/www.linux-tutorial.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}