ch01_23.htm

the unix power tools

<HTML
><!--Distributed by F --><HEAD
><TITLE
>[Chapter 1] 1.23 File Access Permissions </TITLE
><META
NAME="DC.title"
CONTENT="UNIX Power Tools"><META
NAME="DC.creator"
CONTENT="Jerry Peek, Tim O'Reilly &amp; Mike Loukides"><META
NAME="DC.publisher"
CONTENT="O'Reilly &amp; Associates, Inc."><META
NAME="DC.date"
CONTENT="1998-08-04T21:31:28Z"><META
NAME="DC.type"
CONTENT="Text.Monograph"><META
NAME="DC.format"
CONTENT="text/html"
SCHEME="MIME"><META
NAME="DC.source"
CONTENT="1-56592-260-3"
SCHEME="ISBN"><META
NAME="DC.language"
CONTENT="en-US"><META
NAME="generator"
CONTENT="Jade 1.1/O'Reilly DocBook 3.0 to HTML 4.0"><LINK
REV="made"
HREF="mailto:online-books@oreilly.com"
TITLE="Online Books Comments"><LINK
REL="up"
HREF="ch01_01.htm"
TITLE="1. Introduction"><LINK
REL="prev"
HREF="ch01_22.htm"
TITLE="1.22 How UNIX Keeps Track of Files: Inodes "><LINK
REL="next"
HREF="ch01_24.htm"
TITLE="1.24 The Superuser (Root) "></HEAD
><BODY
BGCOLOR="#FFFFFF"
TEXT="#000000"
><DIV
CLASS="htmlnav"
><H1
><IMG
SRC="gifs/smbanner.gif"
ALT="UNIX Power Tools"
USEMAP="#srchmap"
BORDER="0"></H1
><MAP
NAME="srchmap"
><AREA
SHAPE="RECT"
COORDS="0,0,466,58"
HREF="index.htm"
ALT="UNIX Power Tools"><AREA
SHAPE="RECT"
COORDS="467,0,514,18"
HREF="jobjects/fsearch.htm"
ALT="Search this book"></MAP
><TABLE
WIDTH="515"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch01_22.htm"
TITLE="1.22 How UNIX Keeps Track of Files: Inodes "
><IMG
SRC="gifs/txtpreva.gif"
SRC="gifs/txtpreva.gif"
ALT="Previous: 1.22 How UNIX Keeps Track of Files: Inodes "
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="171"
><B
><FONT
FACE="ARIEL,HELVETICA,HELV,SANSERIF"
SIZE="-1"
>Chapter 1<BR>Introduction</FONT
></B
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch01_24.htm"
TITLE="1.24 The Superuser (Root) "
><IMG
SRC="gifs/txtnexta.gif"
SRC="gifs/txtnexta.gif"
ALT="Next: 1.24 The Superuser (Root) "
BORDER="0"></A
></TD
></TR
></TABLE
>&nbsp;<HR
ALIGN="LEFT"
WIDTH="515"
TITLE="footer"></DIV
><DIV
CLASS="SECT1"
><H2
CLASS="sect1"
><A
CLASS="title"
NAME="UPT-ART-1026"
>1.23 File Access Permissions </A
></H2
><P
CLASS="para"
><A
CLASS="indexterm"
NAME="UPT-ART-1026-IX-FILES-ACCESS-PERMISSIONS"
></A
><A
CLASS="indexterm"
NAME="UPT-ART-1026-IX-PERMISSIONS"
></A
><A
CLASS="indexterm"
NAME="UPT-ART-1026-IX-ACCESS-PERMISSIONS"
></A
>Under UNIX, access to files is based on the concept of users and
groups.</P
><P
CLASS="para"
><A
CLASS="indexterm"
NAME="UPT-ART-1026-IX-USER-IDS-UIDS-FILE-ACCESS"
></A
><A
CLASS="indexterm"
NAME="AUTOID-2113"
></A
>Every &quot;user&quot; on a system has a unique account with a unique login name and a
unique
<SPAN
CLASS="link"
>UID (<A
CLASS="linkend"
HREF="ch38_03.htm"
TITLE="Managing Processes: Overall Concepts "
>38.3</A
>)</SPAN
>
(user ID number).
It is possible, and sometimes convenient, to
create accounts that are shared by groups of people. For example, in a
transaction processing application, all of the order-entry personnel
might be assigned a common login name (as far as UNIX is concerned,
they only count as one user). In a research and development
environment, certain administrative operations might be easier if
members of a team shared the same account, in addition to their own
accounts. However, in most situations each person using the system
has one and only one user ID, and vice versa.</P
><P
CLASS="para"
>Every user may be a member of one or more &quot;groups.&quot;
[3]<A
CLASS="indexterm"
NAME="AUTOID-2121"
></A
><A
CLASS="indexterm"
NAME="AUTOID-2123"
></A
><A
CLASS="indexterm"
NAME="AUTOID-2125"
></A
>
The user's
entry in the master password file
(<SPAN
CLASS="link"
><EM
CLASS="emphasis"
>/etc/passwd</EM
> (<A
CLASS="linkend"
HREF="ch36_03.htm"
TITLE="Changing the Field Delimiter "
>36.3</A
>)</SPAN
>)
defines his
&quot;primary group membership.&quot;
The
<SPAN
CLASS="link"
><EM
CLASS="emphasis"
>/etc/group</EM
> (<A
CLASS="linkend"
HREF="ch22_13.htm"
TITLE="Groups and Group Ownership "
>22.13</A
>)</SPAN
>
file defines the
groups that are available and can also assign other users to these
groups as needed. For example, I am a member of three groups: <EM
CLASS="emphasis"
>staff</EM
>,
<EM
CLASS="emphasis"
>editors</EM
>, and <EM
CLASS="emphasis"
>research</EM
>. My primary group is <EM
CLASS="emphasis"
>staff</EM
>;
the <EM
CLASS="emphasis"
>group</EM
> file says that I am also a member of the <EM
CLASS="emphasis"
>editors</EM
>
and <EM
CLASS="emphasis"
>research</EM
> groups. We call <EM
CLASS="emphasis"
>editors</EM
> and <EM
CLASS="emphasis"
>research</EM
>
my &quot;secondary groups.&quot; The system administrator is responsible for
maintaining the <EM
CLASS="emphasis"
>group</EM
> and <EM
CLASS="emphasis"
>passwd</EM
> files. You don't need to
worry about them unless you're administering your own system.</P
><BLOCKQUOTE
CLASS="footnote"
><P
CLASS="para"
>[3] In Berkeley and other newer UNIX systems, users have the access privileges
of all groups they belong to, all at the same time.
In other UNIX systems, you use a command like <EM
CLASS="emphasis"
>newgrp</EM
> to change
the group you currently belong to.</P
></BLOCKQUOTE
><P
CLASS="para"
>Every file belongs to one user and one group. When a file is first
created, its owner is the user who created it; its group is
<SPAN
CLASS="link"
> the user's primary group or the group of the directory it's created in . (<A
CLASS="linkend"
HREF="ch22_05.htm"
TITLE="Group Permissions in a Directory with the setgid Bit "
>22.5</A
>, <A
CLASS="linkend"
HREF="ch22_13.htm"
TITLE="Groups and Group Ownership "
>22.13</A
>)</SPAN
>
For example, all files I create are owned by the user
<EM
CLASS="emphasis"
>mikel</EM
> and the group <EM
CLASS="emphasis"
>staff</EM
>. As the file's owner, I am allowed to
use the<A
CLASS="indexterm"
NAME="AUTOID-2146"
></A
>
<EM
CLASS="emphasis"
>chgrp</EM
> command
to change the file's
group.
On filesystems that don't have
<SPAN
CLASS="link"
>quotas (<A
CLASS="linkend"
HREF="ch24_17.htm"
TITLE="Disk Quotas "
>24.17</A
>)</SPAN
>,
I can also use the<A
CLASS="indexterm"
NAME="AUTOID-2150"
></A
>
<EM
CLASS="emphasis"
>chown</EM
> command
to change the file's owner.
(To change ownership on systems with quotas, see article
<A
CLASS="xref"
HREF="ch22_21.htm"
TITLE="How to Change File Ownership Without chown"
>22.21</A
>.)
For example, to change the file <EM
CLASS="emphasis"
>data</EM
> so that it
is owned by the user <EM
CLASS="emphasis"
>george</EM
> and the group <EM
CLASS="emphasis"
>others</EM
>, I give
the commands:</P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>% <CODE
CLASS="userinput"
><B
>chgrp others data</B
></CODE
>
% <CODE
CLASS="userinput"
><B
>chown george data</B
></CODE
></PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
>If you need to change both owner and group, change the group first!
You won't have permission to change the group after you aren't the owner.
Some versions of <EM
CLASS="emphasis"
>chown</EM
> can change both owner and group at the same
time:</P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>% <CODE
CLASS="userinput"
><B
>chown george.others data</B
></CODE
></PRE
></BLOCKQUOTE
></P
><TABLE
CLASS="para.programreference"
BORDER="1"
><TR
><TH
VALIGN="TOP"
><A
CLASS="programreference"
HREF="examples/index.htm"
TITLE="chown"
>chown</A
><BR><A
CLASS="programreference"
HREF="examples/index.htm"
TITLE="chgrp"
>chgrp</A
><BR></TH
><TD
VALIGN="TOP"
>&#13;If you need <EM
CLASS="emphasis"
>chown</EM
> or <EM
CLASS="emphasis"
>chgrp</EM
> for some reason, the GNU
versions are on the CD-ROM.</TD
></TR
></TABLE
><P
CLASS="para"
><A
CLASS="indexterm"
NAME="UPT-ART-1026-IX-MODE-BITS"
></A