mirror of git://slackware.nl/current.git (synced 2024-12-29 10:25:00 +01:00)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Permissions</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
<link rel="UP" title="Filesystem Structure" href="filesystem-structure.html" />
<link rel="PREVIOUS" title="Filesystem Structure" href="filesystem-structure.html" />
<link rel="NEXT" title="Links" href="filesystem-structure-links.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">Slackware Linux Essentials</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="filesystem-structure.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 9 Filesystem Structure</td>
<td width="10%" align="right" valign="bottom"><a href="filesystem-structure-links.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="FILESYSTEM-STRUCTURE-PERMISSIONS"
name="FILESYSTEM-STRUCTURE-PERMISSIONS">9.2 Permissions</a></h1>

<p>Permissions are the other important part of the multiuser aspects of the filesystem.
With these, you can change who can read, write, and execute files.</p>

<p>The permission information is stored as four octal digits, each specifying a different
set of permissions. There are owner permissions, group permissions, and world
permissions. The fourth octal digit, which is written first, is used to store special
information such as set user ID, set group ID, and the sticky bit. The octal values
assigned to the permission modes are listed below; each also has a letter, which
programs such as <tt class="COMMAND">ls</tt> display and <tt class="COMMAND">chmod</tt>
accepts:</p>

<div class="TABLE"><a id="AEN3142" name="AEN3142"></a>
<p><b>Table 9-1. Octal Permission Values</b></p>

<table border="0" frame="void" class="CALSTABLE">
<col width="3*" />
<col width="1*" align="CENTER" />
<col width="1*" align="CENTER" />
<thead>
<tr>
<th>Permission Type</th>
<th>Octal Value</th>
<th>Letter Value</th>
</tr>
</thead>

<tbody>
<tr>
<td>“sticky” bit</td>
<td>1</td>
<td>t</td>
</tr>

<tr>
<td>set user ID</td>
<td>4</td>
<td>s</td>
</tr>

<tr>
<td>set group ID</td>
<td>2</td>
<td>s</td>
</tr>

<tr>
<td>read</td>
<td>4</td>
<td>r</td>
</tr>

<tr>
<td>write</td>
<td>2</td>
<td>w</td>
</tr>

<tr>
<td>execute</td>
<td>1</td>
<td>x</td>
</tr>
</tbody>
</table>
</div>

<p>You add the octal values for each permission group. For example, if you want the group
permissions to be “read” and “write”, you would use
“6” in the group portion of the permission information.</p>

<p><tt class="COMMAND">bash</tt>'s default permissions are:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /bin/bash</kbd>
-rwxr-xr-x 1 root bin 477692 Mar 21 19:57 /bin/bash
</pre>
</td>
</tr>
</table>

<p>The first dash would be replaced with a “d” if this were a directory. The
three permission groups (owner, group, and world) are displayed next. We see that the
owner has read, write, and execute permissions (<var class="LITERAL">rwx</var>). The
group has only read and execute (<var class="LITERAL">r-x</var>). And everyone else has
only read and execute (<var class="LITERAL">r-x</var>).</p>

<p>How would we set permissions on another file to resemble <tt
class="COMMAND">bash</tt>'s? First, let's make an example file:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">touch /tmp/example</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /tmp/example</kbd>
-rw-rw-r-- 1 david users 0 Apr 19 11:21 /tmp/example
</pre>
</td>
</tr>
</table>

<p>We will use <tt class="COMMAND">chmod</tt>(1) (which means “change mode”)
to set the permissions on the example file. Add the octal numbers for the permissions you
want. For the owner to have read, write, and execute, we would have a value of <var
class="LITERAL">7</var>. Read and execute would have <var class="LITERAL">5</var>. Run
those together and pass them to <tt class="COMMAND">chmod</tt> like this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod 755 /tmp/example</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /tmp/example</kbd>
-rwxr-xr-x 1 david users 0 Apr 19 11:21 /tmp/example
</pre>
</td>
</tr>
</table>

<p>Now you may be thinking, “Why didn't it just create a file with those
permissions in the first place?” Well, the answer is simple. <tt
class="COMMAND">bash</tt> includes a nice little built-in called <tt
class="COMMAND">umask</tt>. This is included with most Unix shells as well, and controls
what file permissions are assigned to newly created files. We discussed <tt
class="COMMAND">bash</tt> built-ins to some degree in <a
href="shell-bash.html#SHELL-BASH-ENVIRONMENT">Section 8.3.1</a>. <tt
class="COMMAND">umask</tt> takes a little getting used to. It works very similarly to <tt
class="COMMAND">chmod</tt>, only in reverse. You specify the octal values you do not wish
to have present in newly created files. The default umask value is <var
class="LITERAL">0022</var>.</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">umask</kbd>
0022
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">umask 0077</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">touch tempfile</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l tempfile</kbd>
-rw------- 1 david users 0 Apr 19 11:21 tempfile
</pre>
</td>
</tr>
</table>

<p>See the man page for <tt class="COMMAND">bash</tt> for more information.</p>

<p>To set special permissions with <tt class="COMMAND">chmod</tt>, add the numbers
together and place them in the first column. For example, to make it set user ID and set
group ID, we use 6 as the first column:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod 6755 /tmp/example</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /tmp/example</kbd>
-rwsr-sr-x 1 david users 0 Apr 19 11:21 /tmp/example
</pre>
</td>
</tr>
</table>

<p>If the octal values confuse you, you can use letters with <tt
class="COMMAND">chmod</tt>. The permission groups are represented as:</p>

<div class="INFORMALTABLE"><a id="AEN3246" name="AEN3246"></a>
<table border="0" frame="void" class="CALSTABLE">
<col />
<col />
<tbody>
<tr>
<td>Owner</td>
<td>u</td>
</tr>

<tr>
<td>Group</td>
<td>g</td>
</tr>

<tr>
<td>World</td>
<td>o</td>
</tr>

<tr>
<td>All of the above</td>
<td>a</td>
</tr>
</tbody>
</table>
</div>

<p>To do the above, we would have to use several command lines:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod a+rx /tmp/example</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod u+w /tmp/example</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod ug+s /tmp/example</kbd>
</pre>
</td>
</tr>
</table>

<p>Some people prefer the letters over the numbers. Either way will result in the same
set of permissions.</p>

<p>The octal format is often faster, and the one you see most often used in shell
scripts. Sometimes, however, the letters are more powerful. For example, there's no easy
way to change one group of permissions while preserving the other groups on files and
directories when using the octal format. This is trivial with the letters.</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /tmp/</kbd>
-rwxr-xr-x 1 alan users 0 Apr 19 11:21 /tmp/example0
-rwxr-x--- 1 alan users 0 Apr 19 11:21 /tmp/example1
----r-xr-x 1 alan users 0 Apr 19 11:21 /tmp/example2
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod g-rwx /tmp/example?</kbd>
-rwx---r-x 1 alan users 0 Apr 19 11:21 /tmp/example0
-rwx------ 1 alan users 0 Apr 19 11:21 /tmp/example1
-------r-x 1 alan users 0 Apr 19 11:21 /tmp/example2
</pre>
</td>
</tr>
</table>
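
<p>The following is an added example, not code from the book: a small Python model of the mode bits in Table 9-1 that renders a mode the way <tt class="COMMAND">ls -l</tt> shows it (including the <var class="LITERAL">s</var> and <var class="LITERAL">t</var> letters), applies symbolic <tt class="COMMAND">chmod</tt> clauses such as the <var class="LITERAL">g-rwx</var> above, and computes what a <tt class="COMMAND">umask</tt> leaves on a new file. It goes beyond the section's single cases in handling any who/permission combination with <var class="LITERAL">+</var> and <var class="LITERAL">-</var>; the function names are mine, the <var class="LITERAL">=</var> operator is left out, and the 0666/0777 creation modes are the usual requests made by <tt class="COMMAND">touch</tt> and <tt class="COMMAND">mkdir</tt>, which the book does not state.</p>

```python
import stat

# Added example, not the book's code: a model of the mode bits from Table 9-1.
WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}
SPECIAL = ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t"))


def to_ls_string(mode):
    """Render the nine permission characters ls -l shows: 0o6755 -> 'rwsr-sr-x'."""
    out = []
    for shift, special, letter in SPECIAL:
        bits = (mode >> shift) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:
            # Upper case marks a special bit on a slot that has no execute bit.
            out.append(letter if bits & 1 else letter.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def apply_symbolic(mode, clause):
    """Apply one chmod clause ('g-rwx', 'a+rx', 'ug+s') to mode; + and - only.
    A clause with no who letter is treated as 'a' (real chmod also applies the umask)."""
    i, who = 0, 0
    while clause[i] in WHO_BITS:
        who |= WHO_BITS[clause[i]]
        i += 1
    who = who or 0o777
    op, bits = clause[i], 0
    for p in clause[i + 1:]:
        if p in PERM_BITS:
            bits |= PERM_BITS[p] & who
        elif p == "s":  # set-ID bit for whichever of u and g were named
            bits |= (stat.S_ISUID if who & 0o700 else 0) | (stat.S_ISGID if who & 0o070 else 0)
        elif p == "t":
            bits |= stat.S_ISVTX
        else:
            raise ValueError("unsupported permission letter: " + p)
    if op == "+":
        return mode | bits
    if op == "-":
        return mode & ~bits
    raise ValueError("unsupported operator: " + op)


def creation_mode(umask, directory=False):
    """Mode a new file (requested 0666) or directory (0777) gets under the umask."""
    return (0o777 if directory else 0o666) & ~umask
```

<p>One thing the model makes visible: <var class="LITERAL">+</var> only adds bits, so running the three letter commands above on the file exactly as <tt class="COMMAND">touch</tt> created it (<var class="LITERAL">rw-rw-r--</var>) yields <var class="LITERAL">6775</var> rather than <var class="LITERAL">6755</var>, because the group keeps its write bit.</p>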

<p>We mentioned set user ID and set group ID permissions in several places above. You may
be wondering what these are. Normally when you run a program, it operates under your
user account. That is, it has all the permissions that you as a user have. The same is
true for the group. When you run a program, it executes under your current group. With
set user ID permissions, you can force the program to always run as the program owner
(such as “root”). Set group ID is the same, but for the group.</p>

<p>Be careful with this: set user ID and set group ID programs can open major security
holes on your system. If you set the set user ID bit on programs that are owned by <tt
class="USERNAME">root</tt>, you are allowing anyone to run that program as <tt
class="USERNAME">root</tt>. Since <tt class="USERNAME">root</tt> has no restrictions on
the system, you can see how this would pose a major security problem. In short, it's not
bad to use set user ID and set group ID permissions, just use common sense.</p>
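
<p>As an added example (not from the book), here is the check an administrator would run to review set user ID and set group ID files: it rates a set user ID file owned by <tt class="USERNAME">root</tt> higher than one owned by an ordinary user, and flags any set-ID file that group or world can write, since whoever can write it can replace the code that runs with the borrowed identity. The sample entries are constructed here with placeholder paths, and <var class="LITERAL">scan_tree</var> shows how the same check runs over a real directory with <var class="LITERAL">os.lstat</var>; the function names and severity labels are my own.</p>

```python
import os
import stat

# Added example, not the book's code: flag set user ID / set group ID files that
# deserve a second look. ROOT_UID = 0 is assumed to be root's uid.
ROOT_UID = 0
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


def special_bit_findings(path, mode, uid, gid):
    """Findings for one regular file as (severity, path, reason) tuples."""
    findings = []
    if not stat.S_ISREG(mode):
        return findings  # set-ID bits on directories mean something else
    if mode & stat.S_ISUID:
        severity = "HIGH" if uid == ROOT_UID else "MEDIUM"
        findings.append((severity, path, "set user ID: runs as uid %d" % uid))
    if mode & stat.S_ISGID:
        findings.append(("MEDIUM", path, "set group ID: runs as gid %d" % gid))
    # Worst case: anyone who can write the file can swap the code that runs with the borrowed identity.
    if findings and mode & 0o022:
        findings.append(("CRITICAL", path, "set-ID file is group- or world-writable"))
    return findings


def audit(entries):
    """Run the check over (path, st_mode, uid, gid) entries; worst findings first."""
    findings = [f for e in entries for f in special_bit_findings(*e)]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def scan_tree(root):
    """Collect entries for every file below root with os.lstat, then audit them."""
    entries = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            entries.append((full, st.st_mode, st.st_uid, st.st_gid))
    return audit(entries)


# Constructed sample (placeholder paths, not real files); st_mode carries S_IFREG as os.lstat reports it.
SAMPLE = [
    ("/tmp/example", stat.S_IFREG | 0o6755, 1000, 100),  # the book's chmod 6755 file
    ("/placeholder/bin/setuid-tool", stat.S_IFREG | 0o4755, ROOT_UID, 0),
    ("/placeholder/scratch", stat.S_IFREG | 0o4777, ROOT_UID, 0),
    ("/tmp/plain", stat.S_IFREG | 0o644, 1000, 100),
]
```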
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="filesystem-structure.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="filesystem-structure-links.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Filesystem Structure</td>
<td width="34%" align="center" valign="top"><a href="filesystem-structure.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Links</td>
</tr>
</table>
</div>
</body>
</html>