Monday, November 9, 2009

Unix permissions

Many people migrating from Windows are immediately intimidated by Unix permissions ... what does chmod 0751 mean? What does chmod g+rw mean? There is no reason to be alarmed or intimidated.

Unix permissions are simple and flexible once you understand the basics.

There are two basic notations for Unix permissions. The first is numeric (octal). New administrators tend to find the numeric notation more cryptic, experienced ones find it faster to type, and every chmod ever shipped, however old or stripped down, accepts it. The second is the symbolic notation (chmod g+rw), which is covered further down.

Before we can seriously examine permissions we need to understand what we're looking at, so let's take a look at a directory listing:

core ~$ ls -al
drwxr-xr-x 2 ralph users 4096 2009-03-31 14:43 .
drwxr-xr-x 16 root users 4096 2009-10-22 09:28 ..
-rw-r--r-- 1 ralph users 6 2009-01-28 13:07 file.1
-rwxr-x--- 1 ralph users 521 2009-01-28 13:23 test.sh
core ~$


So what does all of this information mean? The leftmost column is the mode string. Its first character is the file type (- for a regular file, d for a directory, l for a symbolic link), the next 3 are the owner's permissions, the next 3 are the group's permissions, and the final 3 are "everyone else's" permissions. Next comes the link count (the number of names pointing at the item), then the owner and group, the size in bytes, the date and time the item was last modified, and finally the name of the item itself. So for starters let's take a good look at file.1

-rw-r--r-- means this is a regular file; the owner has read (r) and write (w) access, the group has only read (r) access, and everyone else may also read (r) the file. Nobody has execute (x) permission on it.

The only part that takes getting used to is that each three-character group is really a three-bit number, written as a single octal digit. Read (r) is worth 4, write (w) is worth 2, execute (x) is worth 1, and a - character means none and is worth 0. To get the numeric permission you simply add up the values within each group. So for file.1: owner rw- is 4+2 = 6, group r-- is 4, everyone else r-- is 4, which gives 644. The leading digit in a four-digit mode such as 0644 or 0751 is not the file type that ls shows in the first column; it holds the "special" bits (setuid 4, setgid 2, sticky 1), which ls displays by replacing the x position of the owner, group or others triplet with an s or a t. When it is zero it can be left off, so 644 and 0644 mean the same thing.
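To make the arithmetic concrete, here is a small POSIX sh converter, added to this post as an illustration rather than taken from it. It turns the mode string ls prints into the octal number chmod takes and back again, and goes a little beyond the paragraph above by also handling the special bits (s/S for setuid and setgid, t/T for sticky) in the leading digit. The sample mode strings fed to it are the two files from the listing above plus a typical setuid binary and a /tmp-style directory.

```sh
#!/bin/sh
# Added example (not from the original post): convert between the mode
# string ls prints and the octal number chmod takes, in both directions,
# including the setuid/setgid/sticky bits in the leading octal digit.

# mode_to_octal 'drwxr-x---'  ->  0750
# Accepts the 10-character ls form (file type first) or the bare 9 bits.
# GNU ls may append '.' or '+' (SELinux label / POSIX ACL present); that
# 11th character is dropped here, but remember that a '+' means the nine
# bits you see are not the whole story.
mode_to_octal() {
    perm=$1
    case ${#perm} in
        11) perm=${perm#?}; perm=${perm%?} ;;   # strip file type and ACL marker
        10) perm=${perm#?} ;;                    # strip the file-type character
        9)  ;;
        *)  echo "mode_to_octal: bad mode string '$1'" >&2; return 1 ;;
    esac
    special=0
    digits=""
    # Walk the owner, group and others triplets. The loop value is the weight
    # of the special bit that lives in that triplet: setuid 4, setgid 2, sticky 1.
    for weight in 4 2 1; do
        triplet=${perm%"${perm#???}"}   # first three characters
        perm=${perm#???}
        case $triplet in
            [r-][w-][xstST-]) ;;
            *) echo "mode_to_octal: bad triplet '$triplet' in '$1'" >&2; return 1 ;;
        esac
        val=0
        case $triplet in r??) val=$((val + 4)) ;; esac
        case $triplet in ?w?) val=$((val + 2)) ;; esac
        case $triplet in ??[xst]) val=$((val + 1)) ;; esac        # lowercase s/t: x is set too
        case $triplet in ??[sStT]) special=$((special + weight)) ;; esac
        digits="$digits$val"
    done
    printf '%s%s\n' "$special" "$digits"
}

# octal_to_mode 0750  ->  rwxr-x---   (three or four octal digits accepted)
octal_to_mode() {
    oct=$1
    case $oct in
        [0-7][0-7][0-7])       oct=0$oct ;;   # no leading digit: special bits are zero
        [0-7][0-7][0-7][0-7])  ;;
        *) echo "octal_to_mode: bad octal mode '$1'" >&2; return 1 ;;
    esac
    special=${oct%???}
    rest=${oct#?}
    out=""
    for weight in 4 2 1; do
        d=${rest%"${rest#?}"}
        rest=${rest#?}
        r=-; w=-; x=-
        if [ $((d & 4)) -ne 0 ]; then r=r; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; fi
        if [ $((special & weight)) -ne 0 ]; then
            # The special bit takes over the x position: s/t when x is also
            # set, S/T (uppercase) when the special bit is set without x.
            if [ "$weight" -eq 1 ]; then lower=t; upper=T; else lower=s; upper=S; fi
            if [ "$x" = x ]; then x=$lower; else x=$upper; fi
        fi
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# The two files from the listing above, plus a setuid binary and /tmp.
mode_to_octal '-rw-r--r--'      # 0644  (file.1)
mode_to_octal '-rwxr-x---'      # 0750  (test.sh)
mode_to_octal '-rwsr-xr-x'      # 4755  (a typical setuid executable)
mode_to_octal 'drwxrwxrwt'      # 1777  (/tmp: world-writable with sticky bit)
octal_to_mode 2640              # rw-r-S---  (setgid set but group lacks x)
```

An uppercase S or T in ls output is worth a second look: it means the special bit is set on a file or directory that is not even executable or searchable by that class, which is almost always a mistake.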

Permissions become especially tricky when you consider a directory. There an r bit means you can list the contents of the directory (read the names in it), a w means you can create, rename and delete entries in it, and x means you can pass through it: change into it and reach the files and subdirectories inside by name. Two consequences catch people out. First, w on a directory is only useful together with x, because without x the kernel cannot resolve names inside it. Second, deleting a file requires w on the directory, not on the file, so a read-only file in a writable directory can still be removed. So if you don't want your users to be able to ls the /home directory you might set it to 711, which allows anyone to change into the directory and reach the subdirectories they have rights to, but not to get a directory listing.
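The quickest way to get a feel for this is to try it. The script below is an added illustration, not part of the original post: it builds a throwaway directory with mktemp, flips the owner's bits on it (the owner's triplet, because that is the only class whose bits apply to the user running the script) and reports whether listing, reading a known file, creating and deleting succeed under each mode. Run it as an ordinary user; root bypasses the mode bits entirely, so as root every probe answers yes and the demo shows nothing.

```sh
#!/bin/sh
# Added example (not from the original post): probe what r, w and x mean on
# a directory by changing the owner's bits on a scratch directory and trying
# to list it, read a file inside it, create a file and delete one.
# Everything happens under a fresh mktemp directory and is cleaned up.
# Run as a normal user: root ignores mode bits, so every probe says yes.

# probe CMD...: run CMD silently, print yes if it succeeded, no otherwise.
probe() {
    if "$@" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# dir_perm_demo: print one line per directory mode in the form
#   MODE op=yes/no op=yes/no ...
dir_perm_demo() {
    top=$(mktemp -d) || return 1
    d=$top/home
    mkdir "$d"
    : > "$d/known.txt"              # a file whose name we know in advance
    chmod 0644 "$d/known.txt"

    # --x------ : search only. No listing, but a path we already know
    # still resolves, which is exactly what 711 on /home buys you.
    chmod 0100 "$d"
    echo "0100 list=$(probe ls "$d") read_known=$(probe cat "$d/known.txt") create=$(probe touch "$d/new.txt")"

    # r-------- : listing only. The names come back, but nothing below the
    # directory can be reached, not even a file whose name we know.
    chmod 0400 "$d"
    echo "0400 list=$(probe ls "$d") read_known=$(probe cat "$d/known.txt") create=$(probe touch "$d/new.txt")"

    # -w------- : write without search is useless; the kernel cannot
    # resolve names inside the directory, so nothing can be created.
    chmod 0200 "$d"
    echo "0200 list=$(probe ls "$d") read_known=$(probe cat "$d/known.txt") create=$(probe touch "$d/new.txt")"

    # -wx------ : create and delete work, even on a read-only file:
    # unlinking needs w on the directory, not on the file itself.
    chmod 0300 "$d"
    chmod 0444 "$d/known.txt"
    echo "0300 list=$(probe ls "$d") create=$(probe touch "$d/new.txt") delete_ro=$(probe rm -f "$d/known.txt")"

    chmod 0700 "$d"
    rm -rf "$top"
}

dir_perm_demo
```

Note that on the r-------- directory a plain ls prints the names but ls -l fails: the long listing has to stat each entry, and stat goes through the directory, which needs x. The same applies to `ls -l /home` under the 711 setup above.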

The second notation is symbolic: 'chmod who[+-=]bits file', where who is u (the user who owns the file), g (the group), o (others, i.e. everyone else) or a (all three). Note that o means others, not owner, which is a common slip: 'chmod u+rw filename' gives the owner read-write access to the file, whereas 'chmod o+rw filename' would hand read-write access to everyone else. 'chmod g-rwx filename' gives the group no access at all to a particular file, and '=' sets a class to exactly the bits listed, so 'chmod u=rw,go= filename' leaves the owner with read-write and strips group and others entirely. Several changes can be combined with commas.
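Here is the same material as a runnable walk-through, added to this post as an illustration (it is not the author's code). It applies a chain of symbolic chmod operations to a scratch file and reads back the mode column from ls -ld after each step, so you can watch u, g, o and a, and +, - and =, change the string. It goes a little beyond the paragraph above by also showing comma-separated lists and the permission-copy form go=u.

```sh
#!/bin/sh
# Added example (not from the original post): apply symbolic chmod changes to
# a scratch file one at a time and print the resulting ls mode string.

# mode_after FILE CHANGE: apply one chmod (symbolic or numeric) and print the
# ten-character mode column from ls -ld, e.g. -rw-r--r--.  cut drops any
# trailing '+' or '.' that GNU ls adds for ACLs or SELinux labels.
mode_after() {
    chmod "$2" "$1" && ls -ld "$1" | cut -c1-10
}

# symbolic_demo: start from a known 0644 file and print "CHANGE -> MODE" per step.
symbolic_demo() {
    f=$(mktemp) || return 1
    printf '%-10s    %s\n' start "$(mode_after "$f" 0644)"   # -rw-r--r--
    for change in u+x g+w o-r g-rwx a=r u=rw,go= go=u; do
        printf '%-10s -> %s\n' "$change" "$(mode_after "$f" "$change")"
    done
    rm -f "$f"
}

symbolic_demo
```

Expected progression: -rw-r--r-- becomes -rwxr--r-- (u+x), -rwxrw-r-- (g+w), -rwxrw---- (o-r: others, not owner, lose read), -rwx------ (g-rwx), -r--r--r-- (a=r), -rw------- (u=rw,go=) and finally -rw-rw-rw- (go=u copies the owner's bits to group and others). One caveat: 'chmod +x file' with no who-letter is shorthand for a+x but is still filtered by your umask, so spell out the class when you mean it.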

There are also the special bits mentioned above, setuid, setgid and the sticky bit, which fill the leading octal digit. They range beyond the scope of this article; they are used far more rarely, and a misplaced setuid bit in particular can easily endanger normal system operation and security, since it runs the program as the file's owner for anyone allowed to execute it.
