Understanding UNIX permissions and chmod
This is a topic that has been beaten to death both in books and on-line. For some reason, it seems to be one of the most common misunderstandings that people face when learning how to write and/or configure their first CGI programs. This tutorial aims to clarify the concepts involved. Note that we will be referring to UNIX in a generic sense in this article. Most of what we are going to discuss applies to all UNIX flavours (such as Linux, SVR4, BSD etc.). It is also a good idea to type man chmod to check the specific details on your system.
Users

A UNIX system serves many users. Users are an abstraction that denotes a logical entity for the assignment of ownership and operating privileges over the system. A user may correspond to a real-world person, but also to a type of system operation. So, on my system, I have the user 'nick' that corresponds to me, but I also have the user 'www', which corresponds to the privileges necessary to operate the local web server. UNIX doesn't care what a user means to me. It just knows what belongs to any given user and what each user is allowed to do with any given thing (file, program, device, etc.) on the system. UNIX identifies each user by a User ID (UID); the username (or login), such as 'nick' or 'www', is just an alias for the UID that makes humans more comfortable.
Groups

Users can be organized in groups. A user may belong to one or more groups of users. The concept of groups serves the purpose of assigning a set of privileges for a given resource and sharing them among the many users that need them (perhaps because they are all members of a project team and all need access to some common project files). So, on my system, user 'nick' and user 'www' both belong to the group 'perlfect'. This way they can share some privileges over the files for this site: user 'nick' needs them to edit the site, and user 'www' needs them to run the web server that publishes the site.
Ownership

Every file in UNIX has an owner user and an owner group. So, for any file on the system, user 'nick' may stand in one of the following ownership relations to it:

* nick owns the file, i.e. the file's owner is 'nick'.
* nick is a member of the group that owns the file, i.e. the file's owner group is 'perlfect'.
* nick is neither the owner nor a member of the group that owns the file.
Permissions

Every file on the system has a set of permissions associated with it. Permissions tell UNIX what can be done with that file and by whom. There are three things you can (or can't) do with a given file:

* read it,
* write (modify) it, and
* execute it.

UNIX permissions specify which of the above operations may be performed for each ownership relation with respect to the file. In simpler terms: what can the owner do, what can the owner group do, and what can everybody else do with the file. For any given ownership relation we need three bits to specify access permissions: the first denotes read (r) access, the second write (w) access and the third execute (x) access. We have three ownership relations, 'owner', 'group' and 'all', so we need a triplet for each, resulting in nine bits. Each bit can be set or clear (not set). We mark a set bit by its corresponding operation letter (r, w or x) and a clear bit by a dash (-), and put them all in a row. An example might be rwxr-xr-x. This means that the owner can do anything with the file, but the group owners and the rest of the world can only read or execute it. Usually in UNIX there is also another bit that precedes this 9-bit pattern. You do not need to know about it, at least for the time being.
So if you type ls -l at the command prompt you will get something like the following:

    [nick@thekla src]$ ls -l
    -rwxr-xr-x   1 nick   users     382 Jan 19 11:49 bscoped.pl
    drwxr-xr-x   3 nick   users    1024 Jan 19 11:19 lib/
    -rwxr-xr-x   1 nick   users    1874 Jan 19 10:23 rcp.cgi

The first column here shows the permission bit pattern for each file. The third column shows the owner, and the fourth column shows the owner group. By now, the information provided by ls -l should be enough for you to figure out what each user of the system can do with any of the files in the directory.
Directories

Another interesting thing to note is that lib/, which is a directory, has permissions too. Permissions take a different meaning for directories. Here's what they mean:

* read determines whether a user can view the directory's contents, i.e. do ls in it.
* write determines whether a user can create new files or delete files in the directory. (Note that this essentially means that a user with write access to a directory can delete files in the directory even if he/she doesn't have write permission for the file itself! So be careful with this.)
* execute determines whether the user can cd into the directory.
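As an added example (not code from the original tutorial), the following Python decodes ls -l lines and applies the ownership rules above to work out what a given user may do with each entry. The listing, the users and their group memberships are constructed for the example; notes.txt is made up to show that UNIX consults only the first matching relation, so an owner does not inherit the group's bits.

```python
from dataclasses import dataclass

# Constructed sample lines, modelled on the ls -l listing in this tutorial;
# notes.txt is added to show an owner who has fewer rights than the group.
LS_LINES = [
    "-rwxr-xr-x 1 nick users  382 Jan 19 11:49 bscoped.pl",
    "drwxr-xr-x 3 nick users 1024 Jan 19 11:19 lib",
    "-rw-rw-r-- 1 nick users 1874 Jan 19 10:23 rcp.cgi",
    "-r--rw---- 1 nick users   90 Jan 19 12:02 notes.txt",
]

@dataclass
class Entry:
    is_dir: bool
    mode: str    # the nine permission characters, e.g. "rwxr-xr-x"
    owner: str
    group: str
    name: str

def parse_ls_line(line):
    """Split one ls -l line into type, 9-bit mode string, owner, group and name."""
    fields = line.split(None, 8)
    if len(fields) != 9 or len(fields[0]) != 10:
        raise ValueError("not an ls -l line: %r" % line)
    return Entry(fields[0][0] == "d", fields[0][1:], fields[2], fields[3], fields[8])

def effective_triplet(entry, user, groups):
    """Choose the triplet UNIX consults: owner, else group, else everybody.
    Only the first matching relation counts, so an owner never gains the
    group's bits. (The superuser, who bypasses these checks, is not modelled.)"""
    if user == entry.owner:
        return entry.mode[0:3]
    if entry.group in groups:
        return entry.mode[3:6]
    return entry.mode[6:9]

def what_can(entry, user, groups):
    """Return the operations the user may perform on the entry, named as the
    Directories section does: files get read/write/execute, directories get
    list/create-delete/enter."""
    triplet = effective_triplet(entry, user, groups)
    names = ("list", "create-delete", "enter") if entry.is_dir else ("read", "write", "execute")
    return {name for ch, name in zip(triplet, names) if ch != "-"}

def report(user, groups):
    """Summarise, per entry, what one user can do with the sample listing."""
    return {e.name: sorted(what_can(e, user, groups))
            for e in map(parse_ls_line, LS_LINES)}
```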
chmod

To set or modify a file's permissions you need to use the chmod program. Of course, only the owner of a file may use chmod to alter the file's permissions. chmod has the following syntax:

    chmod [options] mode file(s)

The 'mode' part specifies the new permissions for the file(s) that follow as arguments. A mode specifies whose permissions should be changed, and then which access types should be changed. For example:

    chmod a-x rcp.cgi

This means that the execute bit should be cleared (-) for all users (owner, group and the rest of the world). The mode starts with a letter specifying which users should be affected by the change; this may be any of the following:

* u the owner user
* g the owner group
* o others (neither u nor g)
* a all users

This is followed by a change instruction which consists of a + (set bit) or - (clear bit) and the letter corresponding to the bit that should be changed.
Let's see some examples:

    $ ls -l rcp.cgi
    -rwxr-xr-x   1 nick   users    1874 Jan 19 10:23 rcp.cgi*
    $ chmod a-x rcp.cgi
    $ ls -l rcp.cgi
    -rw-r--r--   1 nick   users    1874 Jan 19 10:23 rcp.cgi
    $ chmod g+w rcp.cgi
    $ ls -l rcp.cgi
    -rw-rw-r--   1 nick   users    1874 Jan 19 10:23 rcp.cgi
    $ chmod ug+x rcp.cgi
    $ ls -l rcp.cgi
    -rwxrwxr--   1 nick   users    1874 Jan 19 10:23 rcp.cgi*
    $ chmod ug-wx rcp.cgi
    $ ls -l rcp.cgi
    -r--r--r--   1 nick   users    1874 Jan 19 10:23 rcp.cgi
Strange numbers...

You might have encountered things like chmod 755 somefile and of course you will be wondering what this is. The thing is that you can change the entire permission pattern of a file in one go using a single number like the one in this example. Every mode has a corresponding code number, and as we shall see there is a very simple way to figure out which number corresponds to any mode.

Each of the three digits in the mode number corresponds to one of the three permission triplets (u, g and o). Every permission bit in a triplet corresponds to a value: 4 for r, 2 for w, 1 for x. If the permission bit is set, you add this value to the number for the permission triplet. If it is clear, you add nothing. (Some of you might notice that the number for a triplet is in fact the octal value corresponding to the three-bit pattern. If you don't know what an octal value is, it doesn't really matter; just follow the instructions.) So if a file has rwxr-xr-x permissions we do the following calculation:

    Triplet for u: rwx => 4 + 2 + 1 = 7
    Triplet for g: r-x => 4 + 0 + 1 = 5
    Triplet for o: r-x => 4 + 0 + 1 = 5
    Which makes: 755

So, 755 is a terse way to say 'I don't mind if other people read or run this file, but only I should be able to modify it', and 777 means 'everyone has full access to this file'.
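The following added Python example (not part of the original tutorial) implements both the symbolic modes from the chmod section and the octal arithmetic from this section, so the rcp.cgi sequence above can be replayed step by step and each resulting pattern converted to the number you would pass to chmod. It handles only the who/+/-/rwx forms the tutorial shows; the '=' operator and the umask are left out.

```python
WHO = {"u": 0, "g": 1, "o": 2}
BITS = {"r": 4, "w": 2, "x": 1}

def from_string(mode):
    """'rwxr-xr-x' -> [7, 5, 5]: add 4/2/1 for each set bit in each triplet."""
    if len(mode) != 9:
        raise ValueError("expected nine permission characters, got %r" % mode)
    return [sum(BITS[c] for c in mode[i:i + 3] if c != "-") for i in (0, 3, 6)]

def to_string(digits):
    """[7, 5, 5] -> 'rwxr-xr-x': the inverse of from_string."""
    return "".join("".join(letter if d & bit else "-" for letter, bit in BITS.items())
                   for d in digits)

def octal(mode):
    """'rwxr-xr-x' -> '755', the number you would pass to chmod."""
    return "".join(str(d) for d in from_string(mode))

def apply_symbolic(mode, spec):
    """Apply one symbolic mode such as 'a-x', 'g+w' or 'ug-wx' to a nine-character
    permission string and return the new string. Only the forms shown in this
    tutorial are handled: who letters, then + or -, then r/w/x letters."""
    i = 0
    while i < len(spec) and spec[i] in "ugoa":
        i += 1
    # chmod treats a missing who as 'a' (it also honours the umask, which is not modelled here)
    who = spec[:i] or "a"
    if i >= len(spec) or spec[i] not in "+-":
        raise ValueError("expected + or - after the who letters in %r" % spec)
    op, perms = spec[i], spec[i + 1:]
    if not perms or any(p not in BITS for p in perms):
        raise ValueError("expected one or more of r, w, x in %r" % spec)
    digits = from_string(mode)
    mask = sum(BITS[p] for p in perms)
    targets = range(3) if "a" in who else [WHO[w] for w in who]
    for t in targets:
        digits[t] = digits[t] | mask if op == "+" else digits[t] & ~mask
    return to_string(digits)

def replay(start, specs):
    """Run a sequence of chmod modes and return the permission string after each,
    mirroring the rcp.cgi example above."""
    states = []
    for spec in specs:
        start = apply_symbolic(start, spec)
        states.append(start)
    return states
```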