Diffstat (limited to 'slackbook/html/filesystem-structure-permissions.html')
-rw-r--r-- | slackbook/html/filesystem-structure-permissions.html | 314 |
1 files changed, 314 insertions, 0 deletions
diff --git a/slackbook/html/filesystem-structure-permissions.html b/slackbook/html/filesystem-structure-permissions.html new file mode 100644 index 00000000..0f951e77 --- /dev/null +++ b/slackbook/html/filesystem-structure-permissions.html 
@@ -0,0 +1,314 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<meta name="generator" content="HTML Tidy, see www.w3.org" /> +<title>Permissions</title> +<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" /> +<link rel="HOME" title="Slackware Linux Essentials" href="index.html" /> +<link rel="UP" title="Filesystem Structure" href="filesystem-structure.html" /> +<link rel="PREVIOUS" title="Filesystem Structure" href="filesystem-structure.html" /> +<link rel="NEXT" title="Links" href="filesystem-structure-links.html" /> +<link rel="STYLESHEET" type="text/css" href="docbook.css" /> +<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> +</head> +<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084" +alink="#0000FF"> +<div class="NAVHEADER"> +<table summary="Header navigation table" width="100%" border="0" cellpadding="0" +cellspacing="0"> +<tr> +<th colspan="3" align="center">Slackware Linux Essentials</th> +</tr> + +<tr> +<td width="10%" align="left" valign="bottom"><a href="filesystem-structure.html" +accesskey="P">Prev</a></td> +<td width="80%" align="center" valign="bottom">Chapter 9 Filesystem Structure</td> +<td width="10%" align="right" valign="bottom"><a href="filesystem-structure-links.html" +accesskey="N">Next</a></td> +</tr> +</table> + +<hr align="LEFT" width="100%" /> +</div> + +<div class="SECT1"> +<h1 class="SECT1"><a id="FILESYSTEM-STRUCTURE-PERMISSIONS" +name="FILESYSTEM-STRUCTURE-PERMISSIONS">9.2 Permissions</a></h1> + +<p>Permissions are the other important part of the multiuser aspects of the filesystem. +With these, you can change who can read, write, and execute files.</p> + +<p>The permission information is stored as four octal digits, each specifying a different +set of permissions. 
There are owner permissions, group permissions, and world +permissions. The fourth octal digit is used to store special information such as set user +ID, set group ID, and the sticky bit. The octal values assigned to the permission modes +are (they also have letters associated with them that are displayed by programs such as +<tt class="COMMAND">ls</tt> and can be used by <tt class="COMMAND">chmod</tt>):</p> + +<div class="TABLE"><a id="AEN3142" name="AEN3142"></a> +<p><b>Table 9-1. Octal Permission Values</b></p> + +<table border="0" frame="void" class="CALSTABLE"> +<col width="3*" /> +<col width="1*" align="CENTER" /> +<col width="1*" align="CENTER" /> +<thead> +<tr> +<th>Permission Type</th> +<th>Octal Value</th> +<th>Letter Value</th> +</tr> +</thead> + +<tbody> +<tr> +<td>“sticky” bit</td> +<td>1</td> +<td>t</td> +</tr> + +<tr> +<td>set user ID</td> +<td>4</td> +<td>s</td> +</tr> + +<tr> +<td>set group ID</td> +<td>2</td> +<td>s</td> +</tr> + +<tr> +<td>read</td> +<td>4</td> +<td>r</td> +</tr> + +<tr> +<td>write</td> +<td>2</td> +<td>w</td> +</tr> + +<tr> +<td>execute</td> +<td>1</td> +<td>x</td> +</tr> +</tbody> +</table> +</div> + +<p>You add the octal values for each permission group. For example, if you want the group +permissions to be “read” and “write”, you would use +“6” in the group portion of the permission information.</p> + +<p><tt class="COMMAND">bash</tt>'s default permissions are:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="SCREEN"> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /bin/bash</kbd> +-rwxr-xr-x 1 root bin 477692 Mar 21 19:57 /bin/bash +</pre> +</td> +</tr> +</table> + +<p>The first dash would be replaced with a “d” if this was a directory. The +three permission groups (owner, group, and world) are displayed next. We see that the +owner has read, write, and execute permissions (<var class="LITERAL">rwx</var>). The +group has only read and execute (<var class="LITERAL">r-x</var>). 
And everyone else has +only read and execute (<var class="LITERAL">r-x</var>).</p> + +<p>How would we set permissions on another file to resemble <tt +class="COMMAND">bash</tt>'s? First, let's make an example file:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="SCREEN"> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">touch /tmp/example</kbd> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /tmp/example</kbd> +-rw-rw-r--- 1 david users 0 Apr 19 11:21 /tmp/example +</pre> +</td> +</tr> +</table> + +<p>We will use <tt class="COMMAND">chmod</tt>(1) (which means “change mode”) +to set the permissions on the example file. Add the octal numbers for the permissions you +want. For the owner to have read, write, and execute, we would have a value of <var +class="LITERAL">7</var>. Read and execute would have <var class="LITERAL">5</var>. Run +those together and pass them to <tt class="COMMAND">chmod</tt> like this:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="SCREEN"> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod 755 /tmp/example</kbd> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /tmp/example</kbd> +-rwxr-xr-x 1 david users 0 Apr 19 11:21 /tmp/example +</pre> +</td> +</tr> +</table> + +<p>Now you may be thinking, “Why didn't it just create a file with those +permissions in the first place?” Well the answer is simple. <tt +class="COMMAND">bash</tt> includes a nice little built-in called <tt +class="COMMAND">umask</tt>. This is included with most Unix shells as well, and controls +what file permissions are assigned to newly created files. We discussed <tt +class="COMMAND">bash</tt> built-ins to some degree in <a +href="shell-bash.html#SHELL-BASH-ENVIRONMENT">Section 8.3.1</a>. <tt +class="COMMAND">umask</tt> takes a little getting used to. It works very similar to <tt +class="COMMAND">chmod</tt>, only in reverse. 
You specify the octal values you do not wish +to have present in newly created files. The default umask value is <var +class="LITERAL">0022</var>.</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="SCREEN"> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">umask</kbd> +0022 +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">umask 0077</kbd> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">touch tempfile</kbd> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l tempfile</kbd> +-rw-------- 1 david users 0 Apr 19 11:21 tempfile +</pre> +</td> +</tr> +</table> + +<p>See the man page for <tt class="COMMAND">bash</tt> for more information.</p> + +<p>To set special permissions with <tt class="COMMAND">chmod</tt>, add the numbers +together and place them in the first column. For example, to make it set user ID and set +group ID, we use 6 as the first column:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="SCREEN"> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod 6755 /tmp/example</kbd> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /tmp/example</kbd> +-rwsr-sr-x 1 david users 0 Apr 19 11:21 /tmp/example +</pre> +</td> +</tr> +</table> + +<p>If the octal values confuse you, you can use letters with <tt +class="COMMAND">chmod</tt>. 
The permission groups are represented as:</p> + +<div class="INFORMALTABLE"><a id="AEN3246" name="AEN3246"></a> +<table border="0" frame="void" class="CALSTABLE"> +<col /> +<col /> +<tbody> +<tr> +<td>Owner</td> +<td>u</td> +</tr> + +<tr> +<td>Group</td> +<td>g</td> +</tr> + +<tr> +<td>World</td> +<td>o</td> +</tr> + +<tr> +<td>All of the above</td> +<td>a</td> +</tr> +</tbody> +</table> +</div> + +<p>To do the above, we would have to use several command lines:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="SCREEN"> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod a+rx /tmp/example</kbd> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod u+w /tmp/example</kbd> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod ug+s /tmp/example</kbd> +</pre> +</td> +</tr> +</table> + +<p>Some people prefer the letters over the numbers. Either way will result in the same +set of permissions.</p> + +<p>The octal format is often faster, and the one you see most often used in shell +scripts. Sometimes the letters are more powerful however. For example, there's no easy +way to change one group of permissions while preserving the other groups on files and +directories when using the octal format. This is trivial with the letters.</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="SCREEN"> +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls -l /tmp/</kbd> +-rwxr-xr-x 1 alan users 0 Apr 19 11:21 /tmp/example0 +-rwxr-x--- 1 alan users 0 Apr 19 11:21 /tmp/example1 +----r-xr-x 1 alan users 0 Apr 19 11:21 /tmp/example2 +<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod g-rwx /tmp/example?</kbd> +-rwx---r-x 1 alan users 0 Apr 19 11:21 /tmp/example0 +-rwx------ 1 alan users 0 Apr 19 11:21 /tmp/example1 +-------r-x 1 alan users 0 Apr 19 11:21 /tmp/example2 +</pre> +</td> +</tr> +</table> + +<p>We mentioned set user ID and set group ID permissions in several places above. 
You may +be wondering what this is. Normally when you run a program, it is operating under your +user account. That is, it has all the permissions that you as a user have. The same is +true for the group. When you run a program, it executes under your current group. With +set user ID permissions, you can force the program to always run as the program owner +(such as “root”). Set group ID is the same, but for the group.</p> + +<p>Be careful with this, set user ID and set group ID programs can open major security +holes on your system. If you frequently set user ID programs that are owned by <tt +class="USERNAME">root</tt>, you are allowing anyone to run that program and run it as <tt +class="USERNAME">root</tt>. Since <tt class="USERNAME">root</tt> has no restrictions on +the system, you can see how this would pose a major security problem. In short, it's not +bad to use set user ID and set group ID permissions, just use common sense.</p> +</div> + +<div class="NAVFOOTER"> +<hr align="LEFT" width="100%" /> +<table summary="Footer navigation table" width="100%" border="0" cellpadding="0" +cellspacing="0"> +<tr> +<td width="33%" align="left" valign="top"><a href="filesystem-structure.html" +accesskey="P">Prev</a></td> +<td width="34%" align="center" valign="top"><a href="index.html" +accesskey="H">Home</a></td> +<td width="33%" align="right" valign="top"><a href="filesystem-structure-links.html" +accesskey="N">Next</a></td> +</tr> + +<tr> +<td width="33%" align="left" valign="top">Filesystem Structure</td> +<td width="34%" align="center" valign="top"><a href="filesystem-structure.html" +accesskey="U">Up</a></td> +<td width="33%" align="right" valign="top">Links</td> +</tr> +</table> +</div> +</body> +</html> + |
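Review bot: two of the `ls -l` listings in this file carry 11-character mode strings where `ls` prints 10: the `touch /tmp/example` block shows `-rw-rw-r---` (should be `-rw-rw-r--`) and the `umask 0077` block shows `-rw--------` (should be `-rw-------`), so the examples will not match what a reader sees on their own system. The `touch` listing is also inconsistent with the text's own umask claim: the prose says the default umask is 0022 and the later `umask` command prints `0022` for the same user, yet the freshly created file is shown group-writable; with a 0022 mask `touch` produces `-rw-r--r--`, so either the listing or the stated default should change. The sentence "Either way will result in the same set of permissions" overstates the symbolic sequence `chmod a+rx`, `chmod u+w`, `chmod ug+s`: the `+` operator only adds bits and never clears bits already present (a group-writable file keeps its `w`), whereas `chmod 6755` replaces the whole mode; a short caveat that octal sets and symbolic adjusts would keep the setuid/setgid example from leaving unintended bits on a file that started with a different mode. Minor: the opening paragraph calls the special bits the "fourth octal digit" while the `chmod 6755` paragraph places them in "the first column"; the two should agree, and `<meta ... charset=iso-8859-1>` does not match the curly quotation marks used throughout the body.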