lsg17.htm

linux-unix130.linux.and.unix.ebooks130 linux and unix ebookslinuxLearning Linux - Collection of 12 E

<P>Linux handles access to all files and directories on the filesystem through the permission block. The permission block is part of the i-node table's entries for each file and directory. You can display the permission block for a file or directory by doing a long directory listing.



<BR>



<P>The first column of the long directory listing is the permission block. It is always composed of 10 characters. Each file and directory, regardless of its type, on a Linux system has a permission block associated with it. The permission block is made up of two different types of information. The first character is a file type indicator, and the next nine characters are the access permissions themselves. The following sections look at these two types of information in a little more detail.



<BR>



<BR>



<A NAME="E69E125"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>Understanding File Types</B></FONT></CENTER></H4>



<BR>



<P>Linux uses the first character in the permission block to indicate the type of entry the i-node table contains. Because Linux doesn't differentiate between files and directories in the i-node table, this character is the only way for the operating system to know whether the entry refers to a regular file or a directory. Directories are not physical entities on a Linux system; they are instead an organizational scheme used to make the user's life easier. The i-node table entries for a file and directory look very similar.



<BR>



<P>Linux supports a number of valid file types, each of which has a single character value that is used in the first character of the permission block. The most common file type characters that Linux uses are the following:



<BR>







<TABLE  BORDERCOLOR=#000040 BORDER=1 CELLSPACING=2 WIDTH="100%" CELLPADDING=2 >



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



-



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



ordinary file</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



b



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



block mode device</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



c



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



character mode device</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



d



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



directory</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



l



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



link</FONT>



</TABLE><P>Some versions of Linux and UNIX support other file types(such as s for special), but these types are seldom encountered and are of no real interest as far as permissions are concerned.



<BR>



<P>Most files on the Linux system are ordinary files. An ordinary file can be data, an application, a text file, or any file that contains information (whether directly readable by the user or not). The ordinary files are indicated by a hyphen in the file type block. Any file users create is an ordinary file.



<BR>



<P><A HREF="lsg06.htm">Chapter 6</A>, &quot;Devices and Device Drivers,&quot; looked at the difference between block and character mode devices, which are indicated by a b or c file type. These files are composed of instructions that let Linux talk to peripherals. Most device file types are stored in the directory /dev by convention, although they can exist anywhere in the filesystem. When Linux encounters a file with either of these two file types, it knows how to read the file for input and output control.



<BR>



<P>The directory file type indicates that the entry in the i-node table refers to a directory and not a file. All directories on the system are really empty files as far as Linux is concerned, but they can be logically assembled into the usual directory structure based on the i-node table entries.



<BR>



<P>Links are sometimes identified in the file type character as an <I>l</I>, although not all operating system versions support this character. If your version of Linux doesn't use the l file type to indicate a link, you will have to rely on the second column of output from a long directory listing that shows the number of links the entry has.



<BR>



<BR>



<A NAME="E69E126"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>Understanding Access Permissions</B></FONT></CENTER></H4>



<BR>



<P>All UNIX systems (including Linux) control access to files and directories using permissions that are read from the permission block. Access to a file or directory can be one of three possible values. These values are given by a single character as shown in the following list:



<BR>







<TABLE  BORDERCOLOR=#000040 BORDER=1 CELLSPACING=2 WIDTH="100%" CELLPADDING=2 >



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



r



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



read</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



w



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



write</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



x



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



execute</FONT>



</TABLE><P>If you have read access to a file, you can display the contents of the file (using any utility like cat or more) or read the file into an application (such as a word processor or a database). If you have write permission to a file, you can modify the contents and save the changes over the old file. If you have execute permission, you can execute the file, assuming it is a binary file or shell script. If the file is ASCII and you execute it, nothing much will happen except a few error messages.



<BR>



<P>These three permission values are combined into a three-character block in the order given above (in other words, rwx for read, write, and execute). If a permission is not accessible, a hyphen is used in that permission's place to show that it is absent. In other words, the permission block r-x indicates that the file has read and execute permission, but not write permission. Similarly, the permission block --- indicates that the file has no access permissions and cannot be read, written to, or executed.



<BR>



<P>These permissions are used for directories, too, although their meanings are slightly different. Read permission for a directory means you can display the contents of the directory listing (using ls, for example). Write permission for a directory means you can add files to the directory. Execute permission means you can change into that directory (using cd). The permission block r-x on a directory, for example, means you can display the directory's contents and change into that directory, but you can't add a new file to the directory.



<BR>



<P>These three permissions are set for each of three different levels of access. There is a permission block for the owner of the file (called the user), another for anyone in the owner's group (called the group), and another for everyone else on the system (called other or world). The three-character blocks for read-write-execute permission are combined for the three groups (user, group, and other) to produce the nine-character permission block you see in the long directory listing.



<BR>



<P>Once you get used to thinking in terms of user, group, and other, you can easily read the file permissions blocks. For example, the file permission block



<BR>



<BR>



<PRE>



<FONT COLOR="#000080">rw-r--r--</FONT></PRE>



<P>means that the user (owner of the file) has read and write permission, the group (second block of three characters) has read permission only, and everyone else on the system (other) has only read permission also. In the following example, the permission block



<BR>



<BR>



<PRE>



<FONT COLOR="#000080">rwxr-xr--</FONT></PRE>



<P>means that the owner can read, write, and execute the file. Anyone in the same group as the owner can read and execute the file. Finally, anyone else on the system can read the file but can't make changes or execute it.



<BR>



<P>The same approach applies for directories. For example, if a directory has the following permission block



<BR>



<BR>



<PRE>



<FONT COLOR="#000080">rwxr-xr-x</FONT></PRE>



<P>the owner of the directory can change into the directory, add files, and display the contents of the directory. Everyone else on the system (in the owner's group and everyone else) can display the contents of the directory (with an ls command, for example) and change into the directory (using cd), but they can't add files to the directory.



<BR>



<BR>



<A NAME="E69E127"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>Using Default Permissions</B></FONT></CENTER></H4>



<BR>



<P>When you save a file or create a new directory, it is assigned a default set of permissions. These permissions are set for each user according their file creation mask, called the umask (user's permission mask) by UNIX. Every user on the system has a umask setting, either one that's set for them in their startup files (.profile, .cshrc, and so on) or the system's default umask setting.



<BR>



<P>You can display the current value of your umask setting by entering the umask command at any shell prompt:



<BR>



<PRE>



<FONT COLOR="#000080">$ umask



022</FONT></PRE>



<P>The three-number block returned by the umask command is the current umask setting. (Some systems return a four-number block, the first number of which is always zero. In this case, only the last three numbers are of any importance for the umask.) The three numbers are octal representations of the read-write-execute permissions you see in a file's permission block. The numbers have the following meaning:



<BR>







<TABLE  BORDERCOLOR=#000040 BORDER=1 CELLSPACING=2 WIDTH="100%" CELLPADDING=2 >



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



0



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



read and write (and execute for directories)</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



1



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



read and write (not execute for directories)</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



2



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



read (and execute for directories)</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



3



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



read</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



4



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



write (and execute for directories)</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



5



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



write</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



6



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



execute</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



7



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



no permissions</FONT>



</TABLE><P>Using this list, you can see that the umask setting of 022 means that the user has read and write permission for his own files (0), the group has read permission (the first 2), and everyone else on the system has read permission(the second 2). Whenever a user creates a file with this umask setting, the permission block will look like the following:



<BR>



<BR>



<PRE>



<FONT COLOR="#000080">rw-r--r--</FONT></PRE>



<P>As mentioned earlier, Linux uses a system default umask setting when a user logs in unless the user's setting is explicitly changed, either on the command line or in one of the startup files. If you want to change the umask value, use the umask command with the three-digit permission setting you want. For example, the command



<BR>



<BR>



<PRE>



<FONT COLOR="#000080">umask 077</FONT></PRE>



<P>sets the permissions to give the owner read and write permission and to withold permissions from everyone else on the system. This umask value can be very useful for restricting access to files.



<BR>



<P>If you want to temporarily change your umask setting, enter the umask command and the new setting at the shell prompt. The new values will be in effect until you change them again. If you want to permanently change your umask setting, add a line like the preceding one to your shell's startup file (.profile, .cshrc, and so on).



<BR>



<BR>



<A NAME="E69E128"></A>



<H4 ALIGN=CENTER>



<CENTER>