slackware-current/slackbook/html/filesystem-structure-permissions.html
Patrick J Volkerding 5a12e7c134 Slackware 13.0
Wed Aug 26 10:00:38 CDT 2009
Slackware 13.0 x86_64 is released as stable!  Thanks to everyone who
helped make this release possible -- see the RELEASE_NOTES for the
credits.  The ISOs are off to the replicator.  This time it will be a
6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD.
We're taking pre-orders now at store.slackware.com.  Please consider
picking up a copy to help support the project.  Once again, thanks to
the entire Slackware community for all the help testing and fixing
things and offering suggestions during this development cycle.
As always, have fun and enjoy!  -P.
2018-05-31 22:41:17 +02:00

314 lines
11 KiB
HTML

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Permissions</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
<link rel="UP" title="Filesystem Structure" href="filesystem-structure.html" />
<link rel="PREVIOUS" title="Filesystem Structure" href="filesystem-structure.html" />
<link rel="NEXT" title="Links" href="filesystem-structure-links.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">Slackware Linux Essentials</th>
</tr>
<tr>
<td width="10%" align="left" valign="bottom"><a href="filesystem-structure.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 9 Filesystem Structure</td>
<td width="10%" align="right" valign="bottom"><a href="filesystem-structure-links.html"
accesskey="N">Next</a></td>
</tr>
</table>
<hr align="LEFT" width="100%" />
</div>
<div class="SECT1">
<h1 class="SECT1"><a id="FILESYSTEM-STRUCTURE-PERMISSIONS"
name="FILESYSTEM-STRUCTURE-PERMISSIONS">9.2 Permissions</a></h1>
<p>Permissions are the other important part of the multiuser aspects of the filesystem.
With these, you can change who can read, write, and execute files.</p>
<p>The permission information is stored as four octal digits, each specifying a different
set of permissions. There are owner permissions, group permissions, and world
permissions. The fourth octal digit is used to store special information such as set user
ID, set group ID, and the sticky bit. The octal values assigned to the permission modes
are (they also have letters associated with them that are displayed by programs such as
<tt class="COMMAND">ls</tt> and can be used by <tt class="COMMAND">chmod</tt>):</p>
<div class="TABLE"><a id="AEN3142" name="AEN3142"></a>
<p><b>Table 9-1. Octal Permission Values</b></p>
<table border="0" frame="void" class="CALSTABLE">
<col width="3*" />
<col width="1*" align="CENTER" />
<col width="1*" align="CENTER" />
<thead>
<tr>
<th>Permission Type</th>
<th>Octal Value</th>
<th>Letter Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>&#8220;sticky&#8221; bit</td>
<td>1</td>
<td>t</td>
</tr>
<tr>
<td>set user ID</td>
<td>4</td>
<td>s</td>
</tr>
<tr>
<td>set group ID</td>
<td>2</td>
<td>s</td>
</tr>
<tr>
<td>read</td>
<td>4</td>
<td>r</td>
</tr>
<tr>
<td>write</td>
<td>2</td>
<td>w</td>
</tr>
<tr>
<td>execute</td>
<td>1</td>
<td>x</td>
</tr>
</tbody>
</table>
</div>
<p>You add the octal values for each permission group. For example, if you want the group
permissions to be &#8220;read&#8221; and &#8220;write&#8221;, you would use
&#8220;6&#8221; in the group portion of the permission information.</p>
<p><tt class="COMMAND">bash</tt>'s default permissions are:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /bin/bash</kbd>
-rwxr-xr-x 1 root bin 477692 Mar 21 19:57 /bin/bash
</pre>
</td>
</tr>
</table>
<p>The first dash would be replaced with a &#8220;d&#8221; if this was a directory. The
three permission groups (owner, group, and world) are displayed next. We see that the
owner has read, write, and execute permissions (<var class="LITERAL">rwx</var>). The
group has only read and execute (<var class="LITERAL">r-x</var>). And everyone else has
only read and execute (<var class="LITERAL">r-x</var>).</p>
<p>How would we set permissions on another file to resemble <tt
class="COMMAND">bash</tt>'s? First, let's make an example file:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">touch /tmp/example</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /tmp/example</kbd>
-rw-rw-r--- 1 david users 0 Apr 19 11:21 /tmp/example
</pre>
</td>
</tr>
</table>
<p>We will use <tt class="COMMAND">chmod</tt>(1) (which means &#8220;change mode&#8221;)
to set the permissions on the example file. Add the octal numbers for the permissions you
want. For the owner to have read, write, and execute, we would have a value of <var
class="LITERAL">7</var>. Read and execute would have <var class="LITERAL">5</var>. Run
those together and pass them to <tt class="COMMAND">chmod</tt> like this:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod 755 /tmp/example</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /tmp/example</kbd>
-rwxr-xr-x 1 david users 0 Apr 19 11:21 /tmp/example
</pre>
</td>
</tr>
</table>
<p>Now you may be thinking, &#8220;Why didn't it just create a file with those
permissions in the first place?&#8221; Well the answer is simple. <tt
class="COMMAND">bash</tt> includes a nice little built-in called <tt
class="COMMAND">umask</tt>. This is included with most Unix shells as well, and controls
what file permissions are assigned to newly created files. We discussed <tt
class="COMMAND">bash</tt> built-ins to some degree in <a
href="shell-bash.html#SHELL-BASH-ENVIRONMENT">Section 8.3.1</a>. <tt
class="COMMAND">umask</tt> takes a little getting used to. It works very similar to <tt
class="COMMAND">chmod</tt>, only in reverse. You specify the octal values you do not wish
to have present in newly created files. The default umask value is <var
class="LITERAL">0022</var>.</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">umask</kbd>
0022
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">umask 0077</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">touch tempfile</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l tempfile</kbd>
-rw-------- 1 david users 0 Apr 19 11:21 tempfile
</pre>
</td>
</tr>
</table>
<p>See the man page for <tt class="COMMAND">bash</tt> for more information.</p>
<p>To set special permissions with <tt class="COMMAND">chmod</tt>, add the numbers
together and place them in the first column. For example, to make it set user ID and set
group ID, we use 6 as the first column:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod 6755 /tmp/example</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /tmp/example</kbd>
-rwsr-sr-x 1 david users 0 Apr 19 11:21 /tmp/example
</pre>
</td>
</tr>
</table>
<p>If the octal values confuse you, you can use letters with <tt
class="COMMAND">chmod</tt>. The permission groups are represented as:</p>
<div class="INFORMALTABLE"><a id="AEN3246" name="AEN3246"></a>
<table border="0" frame="void" class="CALSTABLE">
<col />
<col />
<tbody>
<tr>
<td>Owner</td>
<td>u</td>
</tr>
<tr>
<td>Group</td>
<td>g</td>
</tr>
<tr>
<td>World</td>
<td>o</td>
</tr>
<tr>
<td>All of the above</td>
<td>a</td>
</tr>
</tbody>
</table>
</div>
<p>To do the above, we would have to use several command lines:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod a+rx /tmp/example</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod u+w /tmp/example</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod ug+s /tmp/example</kbd>
</pre>
</td>
</tr>
</table>
<p>Some people prefer the letters over the numbers. Either way will result in the same
set of permissions.</p>
<p>The octal format is often faster, and the one you see most often used in shell
scripts. Sometimes the letters are more powerful however. For example, there's no easy
way to change one group of permissions while preserving the other groups on files and
directories when using the octal format. This is trivial with the letters.</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /tmp/</kbd>
-rwxr-xr-x 1 alan users 0 Apr 19 11:21 /tmp/example0
-rwxr-x--- 1 alan users 0 Apr 19 11:21 /tmp/example1
----r-xr-x 1 alan users 0 Apr 19 11:21 /tmp/example2
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod g-rwx /tmp/example?</kbd>
-rwx---r-x 1 alan users 0 Apr 19 11:21 /tmp/example0
-rwx------ 1 alan users 0 Apr 19 11:21 /tmp/example1
-------r-x 1 alan users 0 Apr 19 11:21 /tmp/example2
</pre>
</td>
</tr>
</table>
<p>We mentioned set user ID and set group ID permissions in several places above. You may
be wondering what this is. Normally when you run a program, it is operating under your
user account. That is, it has all the permissions that you as a user have. The same is
true for the group. When you run a program, it executes under your current group. With
set user ID permissions, you can force the program to always run as the program owner
(such as &#8220;root&#8221;). Set group ID is the same, but for the group.</p>
<p>Be careful with this, set user ID and set group ID programs can open major security
holes on your system. If you frequently set user ID programs that are owned by <tt
class="USERNAME">root</tt>, you are allowing anyone to run that program and run it as <tt
class="USERNAME">root</tt>. Since <tt class="USERNAME">root</tt> has no restrictions on
the system, you can see how this would pose a major security problem. In short, it's not
bad to use set user ID and set group ID permissions, just use common sense.</p>
</div>
<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="filesystem-structure.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="filesystem-structure-links.html"
accesskey="N">Next</a></td>
</tr>
<tr>
<td width="33%" align="left" valign="top">Filesystem Structure</td>
<td width="34%" align="center" valign="top"><a href="filesystem-structure.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Links</td>
</tr>
</table>
</div>
</body>
</html>