ch22_15.htm

the unix power tools

<HTML
><!--Distributed by F --><HEAD
><TITLE
>[Chapter 22] 22.15 Juggling Permissions </TITLE
><META
NAME="DC.title"
CONTENT="UNIX Power Tools"><META
NAME="DC.creator"
CONTENT="Jerry Peek, Tim O'Reilly &amp; Mike Loukides"><META
NAME="DC.publisher"
CONTENT="O'Reilly &amp; Associates, Inc."><META
NAME="DC.date"
CONTENT="1998-08-04T21:40:36Z"><META
NAME="DC.type"
CONTENT="Text.Monograph"><META
NAME="DC.format"
CONTENT="text/html"
SCHEME="MIME"><META
NAME="DC.source"
CONTENT="1-56592-260-3"
SCHEME="ISBN"><META
NAME="DC.language"
CONTENT="en-US"><META
NAME="generator"
CONTENT="Jade 1.1/O'Reilly DocBook 3.0 to HTML 4.0"><LINK
REV="made"
HREF="mailto:online-books@oreilly.com"
TITLE="Online Books Comments"><LINK
REL="up"
HREF="ch22_01.htm"
TITLE="22. File Security, Ownership, and Sharing"><LINK
REL="prev"
HREF="ch22_14.htm"
TITLE="22.14 Add Users to a Group to Deny Permission "><LINK
REL="next"
HREF="ch22_16.htm"
TITLE="22.16 Copying Permissions with cpmod "></HEAD
><BODY
BGCOLOR="#FFFFFF"
TEXT="#000000"
><DIV
CLASS="htmlnav"
><H1
><IMG
SRC="gifs/smbanner.gif"
ALT="UNIX Power Tools"
USEMAP="#srchmap"
BORDER="0"></H1
><MAP
NAME="srchmap"
><AREA
SHAPE="RECT"
COORDS="0,0,466,58"
HREF="index.htm"
ALT="UNIX Power Tools"><AREA
SHAPE="RECT"
COORDS="467,0,514,18"
HREF="jobjects/fsearch.htm"
ALT="Search this book"></MAP
><TABLE
WIDTH="515"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_14.htm"
TITLE="22.14 Add Users to a Group to Deny Permission "
><IMG
SRC="gifs/txtpreva.gif"
SRC="gifs/txtpreva.gif"
ALT="Previous: 22.14 Add Users to a Group to Deny Permission "
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="171"
><B
><FONT
FACE="ARIEL,HELVETICA,HELV,SANSERIF"
SIZE="-1"
>Chapter 22<BR>File Security, Ownership, and Sharing</FONT
></B
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_16.htm"
TITLE="22.16 Copying Permissions with cpmod "
><IMG
SRC="gifs/txtnexta.gif"
SRC="gifs/txtnexta.gif"
ALT="Next: 22.16 Copying Permissions with cpmod "
BORDER="0"></A
></TD
></TR
></TABLE
>&nbsp;<HR
ALIGN="LEFT"
WIDTH="515"
TITLE="footer"></DIV
><DIV
CLASS="SECT1"
><H2
CLASS="sect1"
><A
CLASS="title"
NAME="UPT-ART-9004"
>22.15 Juggling Permissions </A
></H2
><P
CLASS="para"
><A
CLASS="indexterm"
NAME="AUTOID-24589"
></A
>Like any security feature, 
UNIX permissions occasionally get in your way.
When you want to let people use your apartment, you have to make
sure you can get them a key; and when you want to let someone into your 
files, you have to make sure they have read and write access.</P
><P
CLASS="para"
>In the ideal world,
each file would have a list of users who can access it, 
and the file's owner could just add or delete users from 
that list at will.
Some secure versions of UNIX are configured this way,
but standard UNIX systems don't provide that degree of 
control.
Instead, we have to know how to juggle UNIX file
permissions to achieve our ends.</P
><P
CLASS="para"
>For example, suppose I have a file called <EM
CLASS="emphasis"
>ch01</EM
> that
I want edited by another user, <EM
CLASS="emphasis"
>val</EM
>.
I tell her that the
file is <EM
CLASS="emphasis"
>/books/ptools/ch01</EM
>, but she reports to me that 
she can't access it.</P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>val % <CODE
CLASS="userinput"
><B
>cd /books/ptools</B
></CODE
>
val % <CODE
CLASS="userinput"
><B
>more ch01</B
></CODE
>
ch01: Permission denied</PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
>The reason <EM
CLASS="emphasis"
>val</EM
> can't read the file is that it is set
to be readable only by me.
<EM
CLASS="emphasis"
>val</EM
> can check the permissions on the file using the
<EM
CLASS="emphasis"
>-l</EM
> option to the <EM
CLASS="emphasis"
>ls</EM
> command:<A
CLASS="indexterm"
NAME="AUTOID-24606"
></A
></P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>val % <CODE
CLASS="userinput"
><B
>ls -l ch01</B
></CODE
>
-rw-------  1 lmui       13727 Sep 21 07:43 ch01</PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
><EM
CLASS="emphasis"
>val</EM
> asks me (<EM
CLASS="emphasis"
>lmui</EM
>) to give her read and write
permission on the file.
Only the file owner and <EM
CLASS="emphasis"
>root</EM
> can
change permission for a file. Now, what's the best way to give <EM
CLASS="emphasis"
>val</EM
> access to <EM
CLASS="emphasis"
>ch01</EM
>?</P
><P
CLASS="para"
>The fastest and most sure-fire way to give another user permission
is to extend read and write permission to everyone:</P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>lmui % <CODE
CLASS="userinput"
><B
>chmod 666 ch01</B
></CODE
>
lmui % <CODE
CLASS="userinput"
><B
>ls -l ch01</B
></CODE
>
-rw-rw-rw-  1 lmui       13727 Sep 21 07:43 ch01</PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
>But this is sort of like leaving your front door wide 
open so your cat can get in and out.
It's far better to extend read and write access to a
common group instead of to the entire world.
I try to give <EM
CLASS="emphasis"
>val</EM
>
access to the file by giving group read and write access:</P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>lmui % <CODE
CLASS="userinput"
><B
>chmod 660 ch01</B
></CODE
>
lmui % <CODE
CLASS="userinput"
><B
>ls -l ch01</B
></CODE
>
-rw-rw----  1 lmui       13727 Sep 21 07:43 ch01</PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
>But <EM
CLASS="emphasis"
>val</EM
> reports that it still doesn't work:</P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>val % <CODE
CLASS="userinput"
><B
>more ch01</B
></CODE
>
ch01: Permission denied</PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
>What happened?
Well, I gave read and write permission to the 
file's group, but <EM
CLASS="emphasis"
>val</EM
> doesn't belong to that group.
You can find out the group a file
belongs to using the <EM
CLASS="emphasis"
>-lg</EM
> option to <EM
CLASS="emphasis"
>ls</EM
>
(this is the default on System V when you type <CODE
CLASS="literal"
>ls&nbsp;-l</CODE
>):</P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>val % <CODE
CLASS="userinput"
><B
>ls -lg ch01</B
></CODE
>
-rw-rw----  1 lmui     power          13727 Sep 21 07:43 ch01</PRE
></BLOCKQUOTE
></P
><TABLE
CLASS="para.programreference"
BORDER="1"
><TR
><TH
VALIGN="TOP"
><A
CLASS="programreference"
HREF="examples/index.htm"
TITLE="groups"
>groups</A
><BR></TH
><TD
VALIGN="TOP"
><A
CLASS="indexterm"
NAME="AUTOID-24644"
></A
>
You can use the <EM
CLASS="emphasis"
>groups</EM
> command
(the GNU version is on the CD-ROM)
to find out what groups 
a user belongs to:</TD
></TR
></TABLE
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>% <CODE
CLASS="userinput"
><B
>groups val</B
></CODE
>
val : authors ora
% <CODE
CLASS="userinput"
><B
>groups lmui</B
></CODE
>
lmui : authors power wheel ora</PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
>The <EM
CLASS="emphasis"
>ch01</EM
> file belongs to group <EM
CLASS="emphasis"
>power</EM
>.
<EM
CLASS="emphasis"
>val</EM
> isn't a member of this group, but
both <EM
CLASS="emphasis"
>lmui</EM
> and <EM
CLASS="emphasis"
>val</EM
> are in the <EM
CLASS="emphasis"
>authors</EM
> group. To give <EM
CLASS="emphasis"
>val</EM
> access to the file <EM
CLASS="emphasis"
>ch01</EM
>, therefore,
I need to put the file in group <EM
CLASS="emphasis"
>authors</EM
>.
To do that,
I use the 
<SPAN
CLASS="link"
><EM
CLASS="emphasis"
>chgrp</EM
> (<A
CLASS="linkend"
HREF="ch01_23.htm"
TITLE="File Access Permissions "
>1.23</A
>)</SPAN
>
command:</P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
>lmui % <CODE
CLASS="userinput"
><B
>chgrp authors ch01</B
></CODE
>
lmui % <CODE
CLASS="userinput"
><B
>ls -lg ch01</B
></CODE
>
-rw-rw----  1 lmui     authors        13727 Sep 21 07:43 ch01</PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
>Now <EM
CLASS="emphasis"
>val</EM
> can read and write the file.
(On
System V systems, she may need to run 
<SPAN
CLASS="link"
><EM
CLASS="emphasis"
>newgrp</EM
> (<A
CLASS="linkend"
HREF="ch22_13.htm"
TITLE="Groups and Group Ownership "
>22.13</A
>)</SPAN
>
first.)</P
><DIV
CLASS="sect1info"
><P
CLASS="SECT1INFO"
>- <SPAN
CLASS="authorinitials"
>LM</SPAN
></P
></DIV
></DIV
><DIV
CLASS="htmlnav"
><P
></P
><HR
ALIGN="LEFT"
WIDTH="515"
TITLE="footer"><TABLE
WIDTH="515"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_14.htm"
TITLE="22.14 Add Users to a Group to Deny Permission "
><IMG
SRC="gifs/txtpreva.gif"
SRC="gifs/txtpreva.gif"
ALT="Previous: 22.14 Add Users to a Group to Deny Permission "
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="171"
><A
CLASS="book"
HREF="index.htm"
TITLE="UNIX Power Tools"
><IMG
SRC="gifs/txthome.gif"
SRC="gifs/txthome.gif"
ALT="UNIX Power Tools"
BORDER="0"></A
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_16.htm"
TITLE="22.16 Copying Permissions with cpmod "
><IMG
SRC="gifs/txtnexta.gif"
SRC="gifs/txtnexta.gif"
ALT="Next: 22.16 Copying Permissions with cpmod "
BORDER="0"></A
></TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="172"
>22.14 Add Users to a Group to Deny Permission </TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="171"
><A
CLASS="index"
HREF="index/idx_0.htm"
TITLE="Book Index"
><IMG
SRC="gifs/index.gif"
SRC="gifs/index.gif"
ALT="Book Index"
BORDER="0"></A
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="172"
>22.16 Copying Permissions with cpmod </TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="515"
TITLE="footer"><IMG
SRC="gifs/smnavbar.gif"
SRC="gifs/smnavbar.gif"
USEMAP="#map"
BORDER="0"
ALT="The UNIX CD Bookshelf Navigation"><MAP
NAME="map"
><AREA
SHAPE="RECT"
COORDS="0,0,73,21"
HREF="../index.htm"
ALT="The UNIX CD Bookshelf"><AREA
SHAPE="RECT"
COORDS="74,0,163,21"
HREF="index.htm"
ALT="UNIX Power Tools"><AREA
SHAPE="RECT"
COORDS="164,0,257,21"
HREF="../unixnut/index.htm"
ALT="UNIX in a Nutshell"><AREA
SHAPE="RECT"
COORDS="258,0,321,21"
HREF="../vi/index.htm"
ALT="Learning the vi Editor"><AREA
SHAPE="RECT"
COORDS="322,0,378,21"
HREF="../sedawk/index.htm"
ALT="sed &amp; awk"><AREA
SHAPE="RECT"
COORDS="379,0,438,21"
HREF="../ksh/index.htm"
ALT="Learning the Korn Shell"><AREA
SHAPE="RECT"
COORDS="439,0,514,21"
HREF="../lrnunix/index.htm"
ALT="Learning the UNIX Operating System"></MAP
></DIV
></BODY
></HTML
>